feat: Use GitHub's OIDC for signing images

This change will follow the patter that was established with the GitLab pipeline. Users will be able to have their images signed by GitHub's OIDC. This will allow users to rebase directly onto a signed image and forego using the siging module.
blue-build · Feb 14, 2024 · b7e77b5 · b7e77b5
1 parent 9d242e7
commit b7e77b5
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 2 deletions.
diff --git a/src/commands/build.rs b/src/commands/build.rs
@@ -26,7 +26,7 @@ use tokio::runtime::Runtime;
 
 use crate::{
     commands::template::TemplateCommand,
-    constants::RECIPE_PATH,
+    constants::{GITHUB_TOKEN_ISSUER_URL, RECIPE_PATH},
     module_recipe::Recipe,
     ops::{self, ARCHIVE_SUFFIX},
 };
@@ -552,6 +552,8 @@ fn sign_images(image_name: &str, tag: Option<&str>) -> Result<()> {
         env::var("SIGSTORE_ID_TOKEN"),
         env::var("GITHUB_EVENT_NAME"),
         env::var("GITHUB_REF_NAME"),
+        env::var("GITHUB_WORKFLOW_REF"),
+        env::var("GITHUB_SERVER_URL"),
         env::var("COSIGN_PRIVATE_KEY"),
     ) {
         (
@@ -564,6 +566,8 @@ fn sign_images(image_name: &str, tag: Option<&str>) -> Result<()> {
             _,
             _,
             _,
+            _,
+            _,
         ) if ci_default_branch == ci_commit_ref => {
             trace!("CI_PROJECT_URL={ci_project_url}, CI_DEFAULT_BRANCH={ci_default_branch}, CI_COMMIT_REF_NAME={ci_commit_ref}, CI_SERVER_PROTOCOL={ci_server_protocol}, CI_SERVER_HOST={ci_server_host}");
 
@@ -604,7 +608,53 @@ fn sign_images(image_name: &str, tag: Option<&str>) -> Result<()> {
                 bail!("Failed to verify image!");
             }
         }
-        (_, _, _, _, _, _, Ok(github_event_name), Ok(github_ref_name), Ok(_))
+        (
+            _,
+            _,
+            _,
+            _,
+            _,
+            Ok(_),
+            Ok(github_event_name),
+            Ok(github_ref_name),
+            Ok(github_worflow_ref),
+            Ok(github_server_url),
+            _,
+        ) if github_event_name != "pull_request"
+            && (github_ref_name == "live" || github_ref_name == "main") =>
+        {
+            trace!("GITHUB_EVENT_NAME={github_event_name}, GITHUB_REF_NAME={github_ref_name}, GITHUB_WORKFLOW_REF={github_worflow_ref}, GITHUB_SERVER_URL={github_server_url}");
+
+            debug!("On {github_ref_name} branch");
+
+            info!("Signing image {image_digest}");
+
+            trace!("cosign sign {image_digest}");
+            if Command::new("cosign")
+                .arg("sign")
+                .arg(&image_digest)
+                .status()?
+                .success()
+            {
+                info!("Successfully signed image!");
+            } else {
+                bail!("Failed to sign image: {image_digest}");
+            }
+
+            if !Command::new("cosign")
+                .arg("verify")
+                .arg("--certificate-github-workflow-ref")
+                .arg(&github_worflow_ref)
+                .arg("--certificate-oidc-issuer")
+                .arg(GITHUB_TOKEN_ISSUER_URL)
+                .arg(&image_name_tag)
+                .status()?
+                .success()
+            {
+                bail!("Failed to verify image!");
+            }
+        }
+        (_, _, _, _, _, _, Ok(github_event_name), Ok(github_ref_name), _, _, Ok(_))
             if github_event_name != "pull_request"
                 && (github_ref_name == "live" || github_ref_name == "main") =>
         {

diff --git a/src/constants.rs b/src/constants.rs
@@ -1,3 +1,4 @@
 pub const COSIGN_PATH: &str = "./cosign.pub";
 pub const MODULES_PATH: &str = "./config/modules";
 pub const RECIPE_PATH: &str = "./config/recipe.yml";
+pub const GITHUB_TOKEN_ISSUER_URL: &str = "https://token.actions.githubusercontent.com";