

pin public key used for verification (#169)
* pin public key used for verification

Signed-off-by: Bob Callaway <bcallaway@google.com>

* don't test on macos-latest as we didn't publish arm64 in cosign-0.5.0

Signed-off-by: Bob Callaway <bcallaway@google.com>

* add explicit failure flag to curl to ensure we bail on a non-200 response

Signed-off-by: Bob Callaway <bcallaway@google.com>

---------

Signed-off-by: Bob Callaway <bcallaway@google.com>
bobcallaway authored Aug 7, 2024
1 parent cc23fe1 commit 7e1d9c1
Showing 2 changed files with 40 additions and 5 deletions.
25 changes: 25 additions & 0 deletions .github/workflows/test-action.yml
Expand Up @@ -78,6 +78,31 @@ jobs:
fi
shell: bash

test_cosign_action_0_5_0:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest, windows-latest]
permissions: {}
name: Install Cosign v0.5.0 and test presence in path
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Install Cosign
uses: ./
with:
cosign-release: 'v0.5.0'
- name: Check install!
run: cosign version
- name: Check root directory
run: |
if [[ $(git diff --stat) != '' ]]; then
echo 'should be clean'
exit 1
else
exit 0
fi
shell: bash

test_cosign_action_0_6_0:
runs-on: ${{ matrix.os }}
strategy:
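Review bot: The new job's matrix `os: [ubuntu-latest, windows-latest]` drops macos-latest without saying why, and the reason is only recorded in the commit message (no arm64 asset was published for cosign v0.5.0). Put that reasoning next to the line so a later cleanup does not re-add the runner and break the job: `# macos-latest omitted: cosign v0.5.0 has no arm64 release asset`. The job otherwise mirrors the v0.6.0 job that follows it, whose definition continues past the end of this hunk.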
20 changes: 15 additions & 5 deletions action.yml
Expand Up @@ -182,7 +182,7 @@ runs:
expected_bootstrap_version_digest=${bootstrap_sha}
log_info "Downloading bootstrap version '${bootstrap_version}' of cosign to verify version to be installed...\n https://github.com/sigstore/cosign/releases/download/${bootstrap_version}/${bootstrap_filename}"
$SUDO curl -sL https://github.com/sigstore/cosign/releases/download/${bootstrap_version}/${bootstrap_filename} -o ${cosign_executable_name}
$SUDO curl -fsL https://github.com/sigstore/cosign/releases/download/${bootstrap_version}/${bootstrap_filename} -o ${cosign_executable_name}
shaBootstrap=$(shaprog ${cosign_executable_name});
if [[ $shaBootstrap != ${expected_bootstrap_version_digest} ]]; then
log_error "Unable to validate cosign version: '${{ inputs.cosign-release }}'"
Expand All @@ -206,7 +206,7 @@ runs:
# Download custom cosign
log_info "Downloading platform-specific version '${{ inputs.cosign-release }}' of cosign...\n https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_filename}"
$SUDO curl -sL https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_filename} -o cosign_${{ inputs.cosign-release }}
$SUDO curl -fsL https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_filename} -o cosign_${{ inputs.cosign-release }}
shaCustom=$(shaprog cosign_${{ inputs.cosign-release }});
# same hash means it is the same release
Expand All @@ -228,22 +228,32 @@ runs:
if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
log_info "Downloading detached signature for platform-specific '${{ inputs.cosign-release }}' of cosign...\n https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_v060_signature}"
$SUDO curl -sL https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_v060_signature} -o ${desired_cosign_filename}.sig
$SUDO curl -fsL https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_v060_signature} -o ${desired_cosign_filename}.sig
else
log_info "Downloading detached signature for platform-specific '${{ inputs.cosign-release }}' of cosign...\n https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_filename}.sig"
$SUDO curl -sLO https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_filename}.sig
$SUDO curl -fsLO https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_filename}.sig
fi
if [[ ${{ inputs.cosign-release }} < 'v0.6.0' ]]; then
log_info "Downloading cosign public key '${{ inputs.cosign-release }}' of cosign...\n https://raw.githubusercontent.com/sigstore/cosign/${{ inputs.cosign-release }}/.github/workflows/cosign.pub"
RELEASE_COSIGN_PUB_KEY=https://raw.githubusercontent.com/sigstore/cosign/${{ inputs.cosign-release }}/.github/workflows/cosign.pub
RELEASE_COSIGN_PUB_KEY_SHA='4aa4bd19530a4929d758a9896255aef2c82f1a3a9f4b000034c6df4307c14f9e'
else
log_info "Downloading cosign public key '${{ inputs.cosign-release }}' of cosign...\n https://raw.githubusercontent.com/sigstore/cosign/${{ inputs.cosign-release }}/release/release-cosign.pub"
RELEASE_COSIGN_PUB_KEY=https://raw.githubusercontent.com/sigstore/cosign/${{ inputs.cosign-release }}/release/release-cosign.pub
RELEASE_COSIGN_PUB_KEY_SHA='f4cea466e5e887a45da5031757fa1d32655d83420639dc1758749b744179f126'
fi
log_info "Verifying public key matches expected value"
$SUDO curl -fsL $RELEASE_COSIGN_PUB_KEY -o public.key
sha_fetched_key=$(shaprog public.key)
if [[ $sha_fetched_key != $RELEASE_COSIGN_PUB_KEY_SHA ]]; then
log_error "Fetched public key does not match expected digest, exiting"
exit 1
fi
log_info "Using bootstrap cosign to verify signature of desired cosign version"
./cosign verify-blob --insecure-ignore-tlog --key $RELEASE_COSIGN_PUB_KEY --signature ${desired_cosign_filename}.sig cosign_${{ inputs.cosign-release }}
./cosign verify-blob --insecure-ignore-tlog --key public.key --signature ${desired_cosign_filename}.sig cosign_${{ inputs.cosign-release }}
$SUDO rm cosign
$SUDO mv cosign_${{ inputs.cosign-release }} ${cosign_executable_name}
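Review bot: The digest pin on `if [[ $sha_fetched_key != $RELEASE_COSIGN_PUB_KEY_SHA ]]; then` is the right control, but the fetched `public.key` is left behind in the working directory after `verify-blob` succeeds (and is root-owned when `$SUDO` expands to sudo); add `$SUDO rm -f public.key` alongside the existing `$SUDO rm cosign` so the action does not leave the key file in the checkout. The new `-f` on the curl calls in this hunk and in the two hunks above (`-182` and `-206`) makes curl exit non-zero on an HTTP error, but paired with `-s` it also suppresses the reason for the failure; `-fsSL` stays quiet on success and prints the error on failure, and whether that non-zero exit actually aborts the step depends on the step's shell being run with `-e`, which is declared outside this hunk. Quoting both sides of the comparison, `if [[ "$sha_fetched_key" != "$RELEASE_COSIGN_PUB_KEY_SHA" ]]; then`, also avoids the right-hand side being treated as a glob pattern inside `[[ ]]`. The `runs:` step body begins and ends outside the hunk.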
