feat(signature): Checksum signature verification (anchore#1670)
* feat(signature): Checksum signature verification

Signed-off-by: Shubham Hibare <[email protected]>
Signed-off-by: Alex Goodman <[email protected]>

* Update message

Signed-off-by: Shubham Hibare <[email protected]>
Signed-off-by: Alex Goodman <[email protected]>

* address comments

Signed-off-by: Shubham Hibare <[email protected]>
Signed-off-by: Alex Goodman <[email protected]>

* consider -v flag across supported releases

Signed-off-by: Alex Goodman <[email protected]>

* add tests for install.sh signature verification

Signed-off-by: Alex Goodman <[email protected]>

* check that release is run from main

Signed-off-by: Alex Goodman <[email protected]>

* summarize install.sh flags and recommendations

Signed-off-by: Alex Goodman <[email protected]>

* remove regex use on cosign verify-blob

Co-authored-by: Dominique Martinet <[email protected]>
Signed-off-by: Alex Goodman <[email protected]>

* simplify the compare_semver install function

Co-authored-by: Dominique Martinet <[email protected]>
Signed-off-by: Alex Goodman <[email protected]>

* add more tests to compare_semver

Signed-off-by: Alex Goodman <[email protected]>

* nit copy change for install help

Signed-off-by: Alex Goodman <[email protected]>

* keep original compare_semver implementation

Signed-off-by: Alex Goodman <[email protected]>

* update copy to include default install path

Signed-off-by: Alex Goodman <[email protected]>

---------

Signed-off-by: Shubham Hibare <[email protected]>
Signed-off-by: Alex Goodman <[email protected]>
Co-authored-by: Alex Goodman <[email protected]>
Co-authored-by: Dominique Martinet <[email protected]>
3 people authored and pouyan021 committed Sep 17, 2024
1 parent 92a889f commit 237d79f
Showing 17 changed files with 453 additions and 67 deletions.
10 changes: 10 additions & 0 deletions .github/workflows/release.yaml
Expand Up @@ -14,6 +14,16 @@ jobs:
environment: release
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1

- name: Check if running on main
if: github.ref != 'refs/heads/main'
# we are using the following flag when running `cosign blob-verify` for checksum signature verification:
# --certificate-identity-regexp "https://github.com/anchore/.github/workflows/release.yaml@refs/heads/main"
# if we are not on the main branch, the signature will not be verifiable since the suffix requires the main branch
# at the time of when the OIDC token was issued on the Github Actions runner.
run: echo "This can only be run on the main branch otherwise releases produced will not be verifiable with cosign" && exit 1

- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6

- name: Check if pinned syft is a release version
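Review bot: The comment above the `Check if running on main` step names the subcommand `cosign blob-verify`, but the cosign subcommand is `cosign verify-blob` (the commit message itself uses `verify-blob`); it also quotes `--certificate-identity-regexp`, while the "remove regex use on cosign verify-blob" commit in this series indicates the install script now passes a non-regexp identity flag, so the comment should quote the flag that is actually used. The guard logic (`if: github.ref != 'refs/heads/main'` followed by `exit 1`) is sound for a `workflow_dispatch` run on main, but if this workflow can also start from a tag push, `github.ref` will be `refs/tags/...` and every release will be blocked; confirm the trigger before merging. Separately, the job now contains two `actions/checkout` steps pinned to different SHAs (`#v4.1.1` above the guard, `#v4.1.6` added below it); bump the first and drop the second rather than keep both.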
3 changes: 3 additions & 0 deletions .github/workflows/validations.yaml
Expand Up @@ -177,6 +177,9 @@ jobs:
needs: [Build-Snapshot-Artifacts]
runs-on: macos-latest
steps:
- name: Install Cosign
uses: sigstore/[email protected]

- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6

- name: Download snapshot build
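Review bot: The new `Install Cosign` step references `sigstore/cosign-installer` by a version tag (the reference is mangled by extraction on this page, but it is evidently not a 40-character commit SHA), while the `actions/checkout` step two lines below is pinned to a full SHA with the version as a trailing comment. Since this job exists to verify release signatures, pin the installer the same way so the verifier itself cannot be replaced by a moved tag. Also confirm that a later step in this job runs `install.sh -v` against the downloaded snapshot, so the `cosign verify-blob` path is actually exercised on macOS and not only installed.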
10 changes: 4 additions & 6 deletions README.md
Expand Up @@ -60,12 +60,10 @@ If you encounter an issue, please [let us know using the issue tracker](https://
```bash
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
```

You can also choose another destination directory and release version for the installation. The destination directory doesn't need to be `/usr/local/bin`, it just needs to be a location found in the user's PATH and writable by the user that's installing Grype.

```
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b <DESTINATION_DIR> <RELEASE_VERSION>
```
Install script options:
- `-b`: Specify a custom installation directory (defaults to `./bin`)
- `-d`: More verbose logging levels (`-d` for debug, `-dd` for trace)
- `-v`: Verify the signature of the downloaded artifact before installation (requires [`cosign`](https://github.com/sigstore/cosign) to be installed)

### Chocolatey

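Review bot: The quick-start one-liner still pipes `curl ... | sh` without the new `-v` flag, so the documented default install does not use the checksum signature verification this commit introduces; either add `-v` to the example (with the cosign prerequisite noted) or add a sentence recommending it. Two markdown nits in the same hunk: the second code fence is untagged where the first uses ```bash, and `Install script options:` directly follows the closing fence without a blank line, so it may render glued to the code block. Finally, the `-b` bullet says the default is `./bin` while the prose and both examples use `/usr/local/bin`; stating that `./bin` is the script default and `/usr/local/bin` the recommended PATH location avoids the apparent contradiction.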