Signature verification added for kapp-controller artifacts

Signed-off-by: rcmadhankumar <[email protected]>
carvel-dev · Jan 18, 2024 · 0530798 · 0530798
1 parent d4125e1
commit 0530798
Show file tree

Hide file tree

Showing 3 changed files with 162 additions and 2 deletions.
diff --git a/.github/workflows/release-process.yml b/.github/workflows/release-process.yml
@@ -10,6 +10,10 @@ jobs:
   kapp-controller-release:
     name: kapp-controller release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
     steps:
       - name: Check out code
         uses: actions/[email protected]
@@ -37,6 +41,9 @@ jobs:
         with:
           go-version: 1.21.1
 
+      - name: Set up Cosign
+        uses: sigstore/cosign-installer@v3
+
       - name: Run release script
         run: |
           set -e -x
@@ -50,13 +57,39 @@ jobs:
           ./hack/build-binaries.sh
           cp ./kctrl-* ../release/
 
+      - name: Sign kapp-controller OCI image
+        run: |
+          image_url=`yq e '.spec.template.spec.containers[] | select(.name == "kapp-controller") | .image' release/release.yml`
+          cosign sign --yes "$image_url"
+
+      - name: Verify signature on Kapp-controller OCI image
+        run: |
+          image_url=`yq e '.spec.template.spec.containers[] | select(.name == "kapp-controller") | .image' release/release.yml`
+          cosign verify \
+            $image_url \
+            --certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+
       - name: Run Package build
         run: |
           constraintVersion="${{ github.ref_name }}"
           ./cli/kctrl-linux-amd64 pkg release -y -v ${constraintVersion:1} --debug
           mv ./carvel-artifacts/packages/kapp-controller.carvel.dev/metadata.yml ./carvel-artifacts/packages/kapp-controller.carvel.dev/package-metadata.yml
           mv ./carvel-artifacts/packages/kapp-controller.carvel.dev/* release/
 
+      - name: Sign kapp-controller-package-bundle OCI image
+        run: |
+          image_url=`yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml`
+          cosign sign --yes "$image_url"
+
+      - name: Verify signature on kapp-controller-package-bundle OCI image
+        run: |
+          image_url=`yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml`
+          cosign verify \
+            $image_url \
+            --certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+
       - name: Add to formatted checksum
         run: |
           pushd release
@@ -67,6 +100,18 @@ jobs:
           cat ./tmp/checksums.txt | tee -a ./tmp/checksums-formatted.txt
           echo '```' | tee -a ./tmp/checksums-formatted.txt
 
+      - name: Sign checksums.txt
+        run: |
+          cosign sign-blob --yes ./tmp/checksums.txt --output-certificate release/checksums.txt.pem  --output-signature release/checksums.txt.sig
+
+      - name: Verify checksums signature
+        run: |
+          cosign verify-blob \
+            --cert release/checksums.txt.pem \
+            --signature release/checksums.txt.sig \
+            --certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com ./tmp/checksums.txt
+
       - name: Create release draft and upload release yaml
         uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
         with:
@@ -141,3 +186,118 @@ jobs:
           ${{steps.get-checksums-from-draft-release.outputs.result}}
           EOF
           )
+
+      - name: Updating release notes
+        run: |
+          RELEASE_TAG=$(git describe --tags --abbrev=0)
+          KAPP_CONTROLLER_IMAGE=$(yq e '.spec.template.spec.containers[] | select(.name == "kapp-controller") | .image' release/release.yml)
+          KAPP_CONTROLLER_PACKAGE_BUNDLE_IMAGE=$(yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml)
+
+          RELEASE_NOTES="
+          <details>
+          <summary><h2>Installation and signature verification</h2></summary>
+
+          ## Installation of kctrl
+
+          #### By downloading binary from the release
+          For instance, if you are using Linux on an AMD64 architecture:
+
+          \`\`\`shell
+          # Download the binary
+          curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/kctrl-linux-amd64
+          # Move the binary in to your PATH
+          mv kctrl-linux-amd64 /usr/local/bin/kctrl
+          # Make the binary executable
+          chmod +x /usr/local/bin/kctrl
+          \`\`\`
+
+          #### Via Homebrew (macOS or Linux)
+          \`\`\`shell
+          $ brew tap carvel-dev/carvel
+          $ brew install kctrl
+          $ kctrl version
+          \`\`\`
+
+          ## Verify checksums file signature
+
+          Install cosign on your system https://docs.sigstore.dev/system_config/installation/
+
+          The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of this file, run the following commands:
+
+          \`\`\`shell
+          # Download the checksums file, certificate, and signature
+          curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt
+          curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt.pem
+          curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt.sig
+
+          ### Verify the checksums file
+          cosign verify-blob checksums.txt \
+          --certificate checksums.txt.pem \
+          --signature checksums.txt.sig \
+          --certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
+          --certificate-oidc-issuer=https://token.actions.githubusercontent.com 
+          \`\`\`
+
+          ### Verify binary integrity
+
+          To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature. For instance, if you are using Linux on an AMD64 architecture:
+
+          \`\`\`shell
+          # Verify the binary using the checksums file
+          sha256sum -c checksums.txt --ignore-missing
+          \`\`\`
+
+          ## Installation of kapp-controller
+
+          kapp-controller can be installed by using kapp 
+
+          \`\`\`shell
+          kapp deploy -a kc -f https://github.com/carvel-dev/kapp-controller/releases/$RELEASE_TAG/download/release.yml
+          \`\`\`
+
+          or by using kubectl
+          \`\`\`shell
+          kubectl deploy -f https://github.com/carvel-dev/kapp-controller/releases/$RELEASE_TAG/download/release.yml
+          \`\`\`
+
+          ### Container Images
+
+          Kapp-controller and Kapp-controller-package-bundle images are available in Github Container Registry.
+
+          ### OCI Image URLs
+
+          - $KAPP_CONTROLLER_IMAGE
+          - $KAPP_CONTROLLER_PACKAGE_BUNDLE_IMAGE
+
+          ### Verify container image signature
+
+          The container images are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of OCI images, run the following commands:
+
+          \`\`\`shell
+          # Verifying kapp-controller image
+          cosign verify $KAPP_CONTROLLER_IMAGE \
+          --certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
+          --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+          -o text
+
+          # Verifying kapp-controller-package-bundle image
+          cosign verify $KAPP_CONTROLLER_PACKAGE_BUNDLE_IMAGE \
+          --certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
+          --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+          -o text
+          \`\`\`
+          </summary>
+          </details>
+
+          "
+
+          RELEASE_NOTES_UPLOADED=$(gh release view $RELEASE_TAG --json body | jq -r '.body')
+          RELEASE_NOTES+=$RELEASE_NOTES_UPLOADED
+          echo "$RELEASE_NOTES" > release_notes.txt
+          gh release edit $RELEASE_TAG --notes-file release_notes.txt
+
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+
+
diff --git a/config-release/values-schema.yml b/config-release/values-schema.yml
@@ -5,7 +5,7 @@
 #@schema/desc "Configuration explicitly for developing kapp-controller"
 dev:
   #@schema/desc "Location of kapp-controller image"
-  image_repo: ghcr.io/carvel-dev/kapp-controller
+  image_repo: ghcr.io/rcmadhankumar/kapp-controller
   #@schema/desc "Development version"
   version: develop
   #@schema/desc "Comma separated list of supported architectures"

diff --git a/package-build.yml b/package-build.yml
@@ -22,7 +22,7 @@ spec:
               - .imgpkg/images.yml
       export:
       - imgpkgBundle:
-          image: ghcr.io/carvel-dev/kapp-controller-package-bundle
+          image: ghcr.io/rcmadhankumar/kapp-controller-package-bundle
           useKbldImagesLock: false
         includePaths:
         - config