Sign release artefacts using cosign

.circleci/config.yml

@@ -2,13 +2,13 @@ version: 2.1
 executors:
   default:
     docker:
-    - image: cimg/go:1.17.4
+    - image: cimg/go:1.17.6
 
 install_buildx: &install_buildx
   name: Install Docker buildx
   command: |
     mkdir -p ~/.docker/cli-plugins
-    curl -sSL -o ~/.docker/cli-plugins/docker-buildx https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.linux-amd64
+    curl -sSL -o ~/.docker/cli-plugins/docker-buildx https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.linux-amd64
     chmod a+x ~/.docker/cli-plugins/docker-buildx
 
 setup_docker_multiarch: &setup_docker_multiarch
@@ -25,15 +25,16 @@ setup_docker_multiarch: &setup_docker_multiarch
 install_goreleaser: &install_goreleaser
   name: Install goreleaser
   command: |
-    GORELEASER_URL="https://github.com/goreleaser/goreleaser/releases/download/v1.1.0/goreleaser_Linux_x86_64.tar.gz"
+    GORELEASER_URL="https://github.com/goreleaser/goreleaser/releases/download/v1.4.1/goreleaser_Linux_x86_64.tar.gz"
 
     curl --output goreleaser_Linux_x86_64.tar.gz \
       --silent --show-error --location --fail --retry 3 \
       "$GORELEASER_URL"
 
-    sudo mkdir -p /usr/local/goreleaser
-    sudo tar -C /usr/local/goreleaser -xzf goreleaser_Linux_x86_64.tar.gz
-    export PATH=$PATH:/usr/local/goreleaser
+    sudo mkdir -p /tmp/goreleaser
+    sudo tar -C /tmp/goreleaser -xzf goreleaser_Linux_x86_64.tar.gz
+    sudo mv /tmp/goreleaser/goreleaser /usr/local/bin/
+    rm -f goreleaser_Linux_x86_64.tar.gz
     goreleaser --version
 
 install_awscli: &install_awscli
@@ -45,6 +46,33 @@ install_awscli: &install_awscli
     ./aws/install -i $HOME/.local/aws-cli -b $HOME/.local/bin
     popd && rm -r $DIR
 
+install_cosign: &install_cosign
+  name: Install cosign
+  command: |
+    COSIGN_URL="https://github.com/sigstore/cosign/releases/download/v1.5.0/cosign-linux-amd64"
+
+    curl --output cosign \
+      --silent --show-error --location --fail --retry 3 \
+      "$COSIGN_URL"
+
+    sudo chmod +x cosign
+    sudo mv cosign /usr/local/bin/
+    cosign version
+
+install_syft: &install_syft
+  name: Install syft
+  command: |
+    SYFT_URL="https://github.com/anchore/syft/releases/download/v0.36.0/syft_0.36.0_linux_amd64.tar.gz"
+
+    curl --output syft_0.36.0_linux_amd64.tar.gz \
+      --silent --show-error --location --fail --retry 3 \
+      "$SYFT_URL"
+
+    sudo tar -C /tmp -xzf syft_0.36.0_linux_amd64.tar.gz
+    sudo mv /tmp/syft /usr/local/bin/
+    rm -f syft_0.36.0_linux_amd64.tar.gz
+    syft version
+
 jobs:
   lint:
     executor:
@@ -72,11 +100,12 @@ jobs:
     - setup_remote_docker
     - run: *install_buildx
     - run: *setup_docker_multiarch
+    - run: *install_cosign
+    - run: *install_syft
     - run: *install_goreleaser
     - run:
         no_output_timeout: 30m
         command: |
-          export PATH=$PATH:/usr/local/goreleaser
           make goreleaser-snapshot
           docker images
           docker run falcosecurity/falcosidekick:latest-amd64 --version
@@ -90,10 +119,11 @@ jobs:
     - run: *install_buildx
     - run: *setup_docker_multiarch
     - run: *install_goreleaser
+    - run: *install_cosign
+    - run: *install_syft
     - run:
         no_output_timeout: 30m
         command: |
-          export PATH=$PATH:/usr/local/goreleaser
           make goreleaser-snapshot
           docker run falcosecurity/falcosidekick:latest-amd64 --version
     - run:
@@ -118,10 +148,11 @@ jobs:
     - run: *setup_docker_multiarch
     - run: *install_goreleaser
     - run: *install_awscli
+    - run: *install_cosign
+    - run: *install_syft
     - run:
         no_output_timeout: 30m
         command: |
-          export PATH=$PATH:/usr/local/goreleaser
           make goreleaser-snapshot
           docker run public.ecr.aws/falcosecurity/falcosidekick:latest-amd64 --version
     - run:
@@ -150,13 +181,15 @@ jobs:
     - run: *install_buildx
     - run: *setup_docker_multiarch
     - run: *install_goreleaser
+    - run: *install_cosign
+    - run: *install_syft
     - run: *install_awscli
     - run:
         name: Login Registries
         command: |
           echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
           aws ecr-public get-login-password --region us-east-1 | \
-            docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+          docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
     - run:
         name: Release
         no_output_timeout: 30m
@@ -202,6 +235,7 @@ workflows:
           context:
             - falco
             - test-infra
+            - cosign
           requires:
             - test
             - lint

.goreleaser.yml

@@ -1,11 +1,27 @@
 project_name: falcosidekick
 
+env:
+  - GO111MODULE=on
+  - DOCKER_CLI_EXPERIMENTAL=enabled
+  - COSIGN_EXPERIMENTAL=true
+
 snapshot:
   name_template: 'latest'
 
 checksum:
   name_template: 'checksums.txt'
 
+# Prevents parallel builds from stepping on each others toes downloading modules
+before:
+  hooks:
+  - go mod tidy
+
+gomod:
+  proxy: true
+
+sboms:
+- artifacts: archive
+
 builds:
   - id: "falcosidekick"
     goos:
@@ -109,6 +125,30 @@ docker_manifests:
   - 'public.ecr.aws/falcosecurity/falcosidekick:{{ .Version }}-arm64'
   - 'public.ecr.aws/falcosecurity/falcosidekick:{{ .Version }}-armv7'
 
+signs:
+  - id: falcosidekick
+    signature: "${artifact}.sig"
+    cmd: cosign
+    args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key=./release/cosign.key", "${artifact}"]
+    stdin: '{{ .Env.COSIGN_PASSWORD }}'
+    artifacts: archive
+  - id: checksum
+    signature: "${artifact}.sig"
+    cmd: cosign
+    args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key=./release/cosign.key", "${artifact}"]
+    stdin: '{{ .Env.COSIGN_PASSWORD }}'
+    artifacts: checksum
+
+docker_signs:
+- id: falcosidekick
+  cmd: cosign
+  args: ["sign", "--key=./release/cosign.key", "--recursive", "${artifact}" ]
+  artifacts: manifests
+  stdin: '{{ .Env.COSIGN_PASSWORD }}'
+  output: true
+
 release:
   github:
   prerelease: auto
+  extra_files:
+    - glob: ./release/cosign.pub

Makefile

@@ -95,7 +95,7 @@ goreleaser: ## Release using goreleaser
 
 .PHONY: goreleaser-snapshot
 goreleaser-snapshot: ## Release snapshot using goreleaser
-	LDFLAGS="$(LDFLAGS)" goreleaser --snapshot --rm-dist
+	LDFLAGS="$(LDFLAGS)" goreleaser --snapshot --skip-sign --rm-dist
 
 ## --------------------------------------
 ## Tooling Binaries

release/cosign.key

@@ -0,0 +1,11 @@
+-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----
+eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6
+OCwicCI6MX0sInNhbHQiOiJ2Y3cxM1lCQStjejN1TmRLdFNDNWxPbStDSi9KQnhs
+YUlyd1UvbW9XcUpNPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
+Iiwibm9uY2UiOiJIYlEybUhzNzRCQXBtTlJWTVkzY0pzV0p5L3ZFOTI5dyJ9LCJj
+aXBoZXJ0ZXh0IjoiYVlDOUhaWG5YVzJIVjdyd1IwSktxZ05kOGhuNHFBbUF6djFG
+M2lVazhSMlNNMFVlQWZ5L0Y4K0VqWFVtbTVIbGJqeU5NWUs5VTZKdno1ejZ3WmZD
+NUtEOVViZWRqWU9SdTRzK3pvTFgrWW1OT0JiTkR5TUxqU2EzNXFmQ3JFbEh4Rnpv
+ellhc3MzN3pPdUFQcmtBaVd5bUM5bGFMUmRYNDVwaHJJU0J4SFc5djBTQUh2dzVY
+aG5WWTFucXZYK0s0dnZKYkc2K2Q4RHFjWGc9PSJ9
+-----END ENCRYPTED COSIGN PRIVATE KEY-----

release/cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4On2JManZI8A075+bB3fCV/pDDG9
+6Wfsw0hRHz4HJK6XM257wvT3+/7v2WaXDeaVo/lbVGKsBKM/JKY3aEY0Aw==
+-----END PUBLIC KEY-----