From b3af15b249615260e98a0ed8175eaf8f88303fc7 Mon Sep 17 00:00:00 2001 From: Somtochi Onyekwere Date: Thu, 23 Jun 2022 10:12:41 +0100 Subject: [PATCH 1/2] Add container signing Signed-off-by: Somtochi Onyekwere --- .github/workflows/build.yaml | 23 ++++++++ .github/workflows/release.yaml | 99 ++++++++++++---------------------- .gitignore | 3 ++ .goreleaser.yml | 40 ++++++++++++++ README.md | 20 +++++++ 5 files changed, 121 insertions(+), 64 deletions(-) create mode 100644 .goreleaser.yml diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 6184fed..33b706c 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -14,6 +14,7 @@ on: permissions: packages: write # needed for ghcr access + id-token: write # needed for keyless signing jobs: @@ -48,6 +49,8 @@ jobs: uses: actions/checkout@v2 - name: Unshallow run: git fetch --prune --unshallow + - name: Setup Cosign + uses: sigstore/cosign-installer@main - name: Set up QEMU id: qemu uses: docker/setup-qemu-action@v1 @@ -148,6 +151,16 @@ jobs: tags: ${{ steps.meta_libgit2_all.outputs.tags }} labels: ${{ steps.meta_libgit2_all.outputs.labels }} cache-from: type=local,src=/tmp/.buildx-cache + - name: Sign images + env: + COSIGN_EXPERIMENTAL: 1 + run: | + array=($(echo ${{ steps.meta_libgit2_all.outputs.tags }} | tr '\n' " ")) + for image in "${array[@]}" + do + echo "Signing $image" + cosign sign $image + done - name: Compose release candidate metadata - golang-with-libgit2-only id: meta_libgit2_only @@ -174,3 +187,13 @@ jobs: tags: ${{ steps.meta_libgit2_only.outputs.tags }} labels: ${{ steps.meta_libgit2_only.outputs.labels }} cache-from: type=local,src=/tmp/.buildx-cache + - name: Sign images + env: + COSIGN_EXPERIMENTAL: 1 + run: | + array=($(echo ${{ steps.meta_libgit2_all.outputs.tags }} | tr '\n' " ")) + for element in "${array[@]}" + do + echo ${element} + cosign sign $element + done 
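Review bot: `id-token: write` is added to the workflow-level `permissions:` block, so every job in build.yaml can mint an OIDC token, not only the job that runs `cosign sign`. Only the job containing the signing steps needs it; moving `id-token: write` (together with `packages: write`) into that job's own `permissions:` keeps any other job on the default read-only token. I can only see one job in these hunks, so this may be a no-op today, but it keeps the grant next to the step that uses it.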
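Review bot: `uses: sigstore/cosign-installer@main` pulls the signing tool from a mutable branch, so whatever commit is on `main` at run time decides which binary produces this repository's signatures. A compromised or merely broken commit on that branch would be signing with this workflow's OIDC identity. Pin the action to a release tag or, better, a full commit SHA (`uses: sigstore/cosign-installer@<release-tag-or-commit-sha>`) and let a dependency bot move it forward.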
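Review bot: The new `Sign images` step signs mutable tag references (`cosign sign $image` over `steps.meta_libgit2_all.outputs.tags`), so cosign resolves each tag to a digest at signing time; anything that retags between the `docker/build-push-action` push and this step is what ends up signed, rather than the image this workflow just built. The build step directly above this one exposes the pushed image's digest as an output; sign `repository@digest` instead, e.g. `cosign sign "${image%%:*}@${DIGEST}"` with `DIGEST` populated from that step's `digest` output. The `array=($(echo ${{ ... }} | tr '\n' " "))` line also interpolates a workflow expression straight into bash; that is fine while the tag list is fully generated by metadata-action, but passing it through an `env:` variable and quoting `"$image"` removes the word-splitting and injection surface if a tag is ever derived from a ref name.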
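Review bot: The second `Sign images` step loops over `steps.meta_libgit2_all.outputs.tags` again, although it follows the libgit2-only build that was tagged from `steps.meta_libgit2_only.outputs.tags`; the libgit2-only images are therefore never signed and the all-libs images are signed twice. Change the loop source to `array=($(echo ${{ steps.meta_libgit2_only.outputs.tags }} | tr '\n' " "))`. The body also dropped the `Signing $image` log line the first step has; `echo "Signing ${element}"` keeps the two steps readable in the same way.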
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 33f1ba2..ae2cb11 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -15,36 +15,12 @@ on: permissions: contents: write # needed to write releases + id-token: write # needed for keyless signing jobs: - github_release: - runs-on: ubuntu-latest - outputs: - release_upload_url: ${{ steps.create_release.outputs.upload_url }} - steps: - - name: Prepare - id: prep - run: | - VERSION="${{ github.event.inputs.tag }}-${GITHUB_SHA::8}" - if [[ $GITHUB_REF == refs/tags/* ]]; then - VERSION=${GITHUB_REF/refs\/tags\//} - fi - echo ::set-output name=VERSION::${VERSION} - - name: Create Release - id: create_release - uses: actions/create-release@v1 - env: - GITHUB_TOKEN: ${{ github.token }} - with: - release_name: ${{ steps.prep.outputs.VERSION }} - tag_name: ${{ steps.prep.outputs.VERSION }} - draft: false - prerelease: true - linux-amd64-release: runs-on: ubuntu-latest - needs: github_release steps: - name: Checkout uses: actions/checkout@v2 @@ -62,16 +38,6 @@ jobs: tar -zcvf linux-x86_64-libgit2-all-libs.tar.gz libgit2-linux-libgit2-all rm -rf ${GITHUB_WORKSPACE}/build ${GITHUB_WORKSPACE}/libgit2 - - name: Upload Release Asset - id: upload-release-asset-libgit2-all - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ github.token }} - with: - upload_url: ${{ needs.github_release.outputs.release_upload_url }} - asset_path: ./linux-x86_64-libgit2-all-libs.tar.gz - asset_name: linux-x86_64-libgit2-all-libs.tar.gz - asset_content_type: application/gzip - name: Build static libraries - libgit2 only run: | 
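Review bot: With the `github_release` job removed, `contents: write` and the new `id-token: write` remain workflow-wide in `permissions:`, so the Linux and Darwin build jobs, which only check out and compile, run with a token that can push to the repository, create releases and mint OIDC tokens. The only consumer of either grant is the `goreleaser` job added later in this patch. Dropping the workflow-level block and declaring `permissions: {contents: write, id-token: write}` on that job alone, leaving the build jobs on the read-only default, keeps the release credentials out of the jobs that execute the third-party build script.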
@@ -85,16 +51,11 @@ jobs: tar -zcvf linux-x86_64-libgit2-only-lib.tar.gz libgit2-linux-libgit2-only rm -rf ${GITHUB_WORKSPACE}/build ${GITHUB_WORKSPACE}/libgit2 - - name: Upload Release Asset - id: upload-release-asset-libgit2-only - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ github.token }} + - uses: actions/upload-artifact@v3 with: - upload_url: ${{ needs.github_release.outputs.release_upload_url }} - asset_path: ./linux-x86_64-libgit2-only-lib.tar.gz - asset_name: linux-x86_64-libgit2-only-lib.tar.gz - asset_content_type: application/gzip + name: release-artifact + path: '*.tar.gz' + if-no-files-found: error darwin-release: # This job builds and releases "universal libraries" that are @@ -108,7 +69,6 @@ jobs: # of testing, GitHub's macos-10.15 did not seem to. # Cross-compiling to arm64 on that runner consistently failed. runs-on: macos-11 - needs: github_release steps: - name: Checkout uses: actions/checkout@v2 @@ -156,16 +116,6 @@ jobs: rm -rf ${GITHUB_WORKSPACE}/build ${GITHUB_WORKSPACE}/libgit2 env: MACOSX_DEPLOYMENT_TARGET: 10.15 - - name: Upload Release Asset - id: upload-release-asset-libgit2-all - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ github.token }} - with: - upload_url: ${{ needs.github_release.outputs.release_upload_url }} - asset_path: ./darwin-libgit2-all-libs.tar.gz - asset_name: darwin-libgit2-all-libs.tar.gz - asset_content_type: application/gzip - name: Build universal static libraries for Darwin - libgit2 only run: | 
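Review bot: The `actions/upload-artifact@v3` step uploads `*.tar.gz` under the fixed name `release-artifact`, the same name the Darwin job in this patch uploads to, so the release depends on v3's behaviour of merging same-named uploads into one artifact; a later major of that action rejects duplicate artifact names, and even on v3 a file with the same basename from the two jobs would silently overwrite the other. Give each job its own artifact (`name: release-artifact-linux` here, `release-artifact-darwin` in the Darwin job) and download both in the release job. `if-no-files-found: error` is the right setting and worth keeping.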
@@ -191,13 +141,34 @@ jobs: rm -rf ${GITHUB_WORKSPACE}/build ${GITHUB_WORKSPACE}/libgit2 env: MACOSX_DEPLOYMENT_TARGET: 10.15 - - name: Upload Release Asset - id: upload-release-asset-libgit2-only - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ github.token }} + - uses: actions/upload-artifact@v3 + with: + name: release-artifact + path: '*.tar.gz' + if-no-files-found: error + + goreleaser: + runs-on: ubuntu-latest + needs: [linux-amd64-release, darwin-release] + if: ${{ always() && contains(join(needs.*.result, ','), 'success') }} + steps: + - uses: actions/checkout@v2 + with: + fetch-depth: 0 + - uses: actions/setup-go@v2 + with: + go-version: 1.17.x + - name: Setup Cosign + uses: sigstore/cosign-installer@main + - name: Setup Syft + uses: anchore/sbom-action/download-syft@v0 + - name: Download Files + uses: actions/download-artifact@v3 with: - upload_url: ${{ needs.github_release.outputs.release_upload_url }} - asset_path: ./darwin-libs-libgit2-only.tar.gz - asset_name: darwin-libs-libgit2-only.tar.gz - asset_content_type: application/gzip + name: release-artifact + - uses: goreleaser/goreleaser-action@v2 + with: + version: latest + args: release --rm-dist + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.gitignore b/.gitignore index e9418d0..72ff7a2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,5 @@ build/ vendor/ + +# Built library files +*.tar.gz diff --git a/.goreleaser.yml b/.goreleaser.yml new file mode 100644 index 0000000..c296d91 --- /dev/null +++ b/.goreleaser.yml 
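Review bot: `if: ${{ always() && contains(join(needs.*.result, ','), 'success') }}` on the `goreleaser` job is true as soon as either `linux-amd64-release` or `darwin-release` succeeds, so a failed Darwin build still yields a published, signed release whose `checksums.txt` covers only the Linux tarballs; the signature then vouches for an incomplete artifact set. Drop the `if:` so the default `needs` semantics require both builds, or spell it out as `if: needs.linux-amd64-release.result == 'success' && needs.darwin-release.result == 'success'`. Separately, the job pulls its release tooling from mutable refs (`sigstore/cosign-installer@main`, `anchore/sbom-action/download-syft@v0`, `goreleaser/goreleaser-action@v2` with `version: latest`); since these produce the release, its SBOM and its signatures, pin them to a release tag or commit SHA.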
@@ -0,0 +1,40 @@ +project_name: golang-with-libgit2 + +builds: +- skip: true + +release: + prerelease: auto + extra_files: + - glob: '*.tar.gz' + +changelog: + use: github-native + +sboms: + - artifacts: archive + - id: source + artifacts: source + documents: + - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json" + +checksum: + name_template: 'checksums.txt' + extra_files: + - glob: '*.tar.gz' + +source: + enabled: true + +signs: + - cmd: cosign + env: + - COSIGN_EXPERIMENTAL=1 + certificate: '${artifact}.pem' + args: + - sign-blob + - '--output-certificate=${certificate}' + - '--output-signature=${signature}' + - '${artifact}' + artifacts: checksum + output: true diff --git a/README.md b/README.md index 62b1066..cbd738c 100644 --- a/README.md +++ b/README.md @@ -139,3 +139,23 @@ $ readelf -h /usr/local/aarch64-alpine-linux-musl/lib/libz.a | grep Machine | so [libssh2-1-misconfiguration]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668271 [mbedtls-ed25519]: https://github.com/ARMmbed/mbedtls/issues/2452 [libgit2-5750]: https://github.com/libgit2/libgit2/pull/5750 + +## To verify artefacts + +Download the following files from the releases section: +1. checksum.txt +2. checksum.txt.pem +3. checksum.txt.sig +4. The compressed library files + +You can verify that the `checksum.txt` wasn't tampered with using `cosign` and the downloaded certificate and signature. + +``` +cosign verify-blob --cert checksums.txt.pem --signature checksums.txt.sig checksums.txt +``` + +Verify the hashes of the other files using `checksum.txt`: + +``` +sha256sum --ignore-missing -c checksums.txt +``` \ No newline at end of file From 7ff667d6cf14804049b1535aee4c62aecd7b1bdc Mon Sep 17 00:00:00 2001 From: Somtochi Onyekwere Date: Wed, 6 Jul 2022 17:22:01 +0100 Subject: [PATCH 2/2] Fix darwin release Signed-off-by: Somtochi Onyekwere --- .github/workflows/release.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
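Review bot: `sboms: - artifacts: archive` asks GoReleaser for an SBOM per archive, but with `builds: - skip: true` no archives are produced and the library tarballs only enter the release through `extra_files`, so, unless GoReleaser treats extra files as archives (I do not believe it does), the only SBOM actually emitted is the `source` one and the shipped libraries have none. Either generate them explicitly (an `sboms` entry with `artifacts: any` and a `cmd`/`args` that runs `syft` over `*.tar.gz`) or drop the `archive` entry so the release does not appear to carry SBOMs it lacks. A comment next to `signs:` would also help consumers: `# keyless: verifiers must pin the certificate identity (this workflow) and the OIDC issuer, not just check the signature`, since a Fulcio certificate issued to any identity would otherwise satisfy a bare `cosign verify-blob --cert`.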
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index ae2cb11..9c7c549 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -129,9 +129,8 @@ jobs: CMAKE_APPLE_SILICON_PROCESSOR=arm64 \ ./hack/static.sh build_libgit2_only - mkdir -p ./libgit2-darwin-libgit2-only + mkdir -p ./libgit2-darwin-libgit2-only/lib mv ${GITHUB_WORKSPACE}/build/libgit2-darwin-amd64/include ./libgit2-darwin-libgit2-only/ - mv ${GITHUB_WORKSPACE}/build/libgit2-darwin-amd64/lib ./libgit2-darwin-libgit2-only/ libtool -static -o ./libgit2-darwin-libgit2-only/lib/libgit2.a \ ${GITHUB_WORKSPACE}/build/libgit2-darwin-amd64/lib/libgit2.a \