Updating the cosign library for Github Actions #1752

Merged
merged 3 commits into from
Mar 10, 2025

Conversation

jtuchscherer
Contributor

Fixing the following issue:
SBOM generation and signing is broken Error [sc-77445]

@jtuchscherer jtuchscherer requested a review from a team as a code owner March 6, 2025 02:24
@CLAassistant

CLAassistant commented Mar 6, 2025

CLA assistant check
All committers have signed the CLA.

@@ -233,10 +233,10 @@ jobs:
with:
go-version: "1.23"

- uses: sigstore/cosign-installer@v3
- uses: sigstore/[email protected]
with:
# DO NOT USE v2 until we decide on whether to use Rekor or not
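Review bot: `sigstore/cosign-installer@...` is still pinned by tag, and a tag can be re-pointed by the action's owner, so this pin does not deliver the reproducibility argued for further down in the thread; pin the action to its full commit SHA and keep the release name in a trailing comment, which keeps the build stable while still letting automated dependency updates propose the next release.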
Member

It looks like this comment is no longer relevant. Are we choosing to use Rekor now? @St0rmz1?

Contributor

What was the concern about it?

Contributor

OK. There is a privacy concern for private repos, as the log can divulge info, but I think we are OK. I would also love to hear from @banjoh.

Member

The concern was about cosign sending information to Rekor's transparency log. From the above comment, it looks like this is OK.

with:
# DO NOT USE v2 until we decide on whether to use Rekor or not
cosign-release: "v1.13.1" # Binary version to install
cosign-release: "v2.4.3" # Binary version to install
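Review bot: the unchanged context line `# DO NOT USE v2 until we decide on whether to use Rekor or not` now sits directly above `cosign-release: "v2.4.3"` and says the opposite of what the line does; delete it or rewrite it to record the decision actually taken, since the sign step passes `--tlog-upload` and the test run in this thread shows `tlog entry created with index`, i.e. every signing now writes an entry to Rekor's public log. Keeping the exact `cosign-release` pin is the right call for reproducibility, but it is the value that went stale and broke SBOM signing here, so it needs an owner or an automated check that compares it against the installer's current release.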
Member

Could we remove this now and use the latest but continue to pin the action version?

Contributor Author

I would prefer to have this version pinned because it makes the builds predictable and stable (e.g. we are safe from a bad cosign-release version that got pushed). Why do you want to use latest?

Member

You have a valid point, but I'm also concerned that there is nothing automated to update this or to notify us of updates. I would argue that the implications of this falling out of date can also introduce instability, as they have here. Additionally, security is a concern.
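The pin-versus-latest discussion above, as an added example that is not code from this PR: a stdlib-only Python check that classifies every `uses:` reference in a workflow by how it is pinned (a full commit SHA is immutable, a tag such as v3 can be re-pointed by the action's owner, a branch floats) and flags a workflow that leaves `cosign-release` unset so the installer fetches whatever is latest. The workflow text, the commit SHA and the two extra steps are constructed to mirror the hunk.

```python
import re

# Constructed workflow fragment modelled on the hunk under review; the SHA and
# the last two steps are made up for illustration.
WORKFLOW = """\
steps:
  - uses: sigstore/cosign-installer@v3
    with:
      cosign-release: "v2.4.3"
  - uses: some-org/some-action@main
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
"""

USES_RE = re.compile(r"^\s*-\s*uses:\s*([^\s#]+)", re.MULTILINE)
COSIGN_RELEASE_RE = re.compile(r'^\s*cosign-release:\s*"?(v?\d+\.\d+\.\d+)"?', re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")

def classify_ref(ref: str) -> str:
    """How a `uses: owner/repo@ref` is pinned: a full commit SHA is immutable,
    a version tag can be moved by the action's owner, a branch floats."""
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"

def audit_uses(workflow: str) -> dict:
    """Map each referenced action to its pin kind."""
    pins = {}
    for match in USES_RE.finditer(workflow):
        action = match.group(1)
        if "@" not in action:  # local (./path) or docker:// steps carry no git ref
            continue
        name, ref = action.rsplit("@", 1)
        pins[name] = classify_ref(ref)
    return pins

def cosign_release_pin(workflow: str):
    """Exact cosign-release pin, or None when the installer would fetch latest."""
    match = COSIGN_RELEASE_RE.search(workflow)
    return match.group(1) if match else None

def findings(workflow: str) -> list:
    """Review findings: anything not pinned to a SHA, plus an unpinned cosign binary."""
    notes = [f"{name}: pinned by {kind}, not by an immutable commit SHA"
             for name, kind in audit_uses(workflow).items() if kind != "sha"]
    if cosign_release_pin(workflow) is None:
        notes.append("cosign-release: unset, so each build installs whatever is latest")
    return notes
```

Run against a real workflow file, `findings` gives the list of pins a reviewer would ask to be tightened before merge.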

@laverya
Member

laverya commented Mar 10, 2025

From a test run here

mkdir -p sbom/spdx sbom/assets
./scripts/initialize-sbom-build.sh
Writing cosign key to file
Installing spdx-sbom-generator
spdx-sbom-generator
./sbom/spdx-sbom-generator -o ./sbom/spdx
INFO[2025-03-10T20:36:46Z] Starting to generate SPDX ...                
INFO[2025-03-10T20:36:46Z] Running generator for Module Manager: `go-mod` with output `sbom/spdx/bom-go-mod.spdx` 
INFO[2025-03-10T20:36:46Z] Current Language Version go version go1.23.6 linux/amd64 
INFO[2025-03-10T20:37:19Z] Command completed successful for below package managers 
INFO[2025-03-10T20:37:19Z] Plugin go-mod generated output at sbom/spdx/bom-go-mod.spdx 
tar -czf sbom/assets/troubleshoot-sbom.tgz sbom/spdx/*.spdx
cosign sign-blob \
	--key ./cosign.key \
	--tlog-upload \
	--yes \
	--rekor-url=https://rekor.sigstore.dev \
	sbom/assets/troubleshoot-sbom.tgz > sbom/assets/troubleshoot-sbom.tgz.sig
Using payload from: sbom/assets/troubleshoot-sbom.tgz

	The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
	Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
	This may include the email address associated with the account with which you authenticate your contractual Agreement.
	This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
tlog entry created with index: 179851657
cosign public-key --key cosign.key --outfile sbom/assets/key.pub
Public key written to sbom/assets/key.pub

Looks successful!

@laverya laverya enabled auto-merge (squash) March 10, 2025 20:40
@laverya laverya merged commit 69889c3 into main Mar 10, 2025
20 checks passed
@laverya laverya deleted the fixing-cosign branch March 10, 2025 21:12
6 participants