enable the sbom for rekor releases (sigstore#586)

cpanato · web-flow · commit 9be5a847be18 · 2022-01-06T15:28:17.000-06:00
Signed-off-by: Carlos Panato &lt;ctadeu@gmail.com&gt;
diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml
@@ -45,6 +45,7 @@ jobs:
       - uses: actions/setup-go@v2
         with:
           go-version: ${{ env.GOVERSION }}
+      - uses: anchore/sbom-action/download-syft@v0.6.0 # installs syft
       - name: Install GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -14,6 +14,9 @@ before:
 gomod:
   proxy: true
 
+sboms:
+- artifacts: binary
+
 builds:
   - id: rekor-server-linux
     binary: rekor-server-linux-{{ .Arch }}
@@ -72,11 +75,18 @@ signs:
     args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
     artifacts: binary
   # Keyless
-  - id: cosign-keyless
+  - id: rekor-keyless
     signature: "${artifact}-keyless.sig"
+    certificate: "${artifact}-keyless.pem"
     cmd: cosign
-    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "${artifact}"]
+    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
     artifacts: binary
+  - id: checksum-keyless
+    signature: "${artifact}-keyless.sig"
+    certificate: "${artifact}-keyless.pem"
+    cmd: cosign
+    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
+    artifacts: checksum
 
 archives:
   - format: binary
@@ -97,5 +107,3 @@ release:
     name: rekor
   footer: |
     ### Thanks for all contributors!
-  extra_files:
-    - glob: "./release/release-cosign.pub"
diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml
@@ -34,13 +34,16 @@ steps:
 
 - name: 'gcr.io/projectsigstore/cosign:v1.4.1@sha256:502d5130431e45f28c51d2c24a05ef5ccd3fd916bcc91db0c8bee3a81e09a0bb'
   dir: "go/src/sigstore/rekor"
+  env:
+  - COSIGN_EXPERIMENTAL=true
+  - TUF_ROOT=/tmp
   args:
   - 'verify'
   - '--key'
   - 'https://raw.githubusercontent.com/gythialy/golang-cross/main/cosign.pub'
-  - 'ghcr.io/gythialy/golang-cross:v1.17.5-1@sha256:f6cc024baf829eaa61972c7fd20d0d62bf9faad31246fd61d9d78fc122cbcd29'
+  - 'ghcr.io/gythialy/golang-cross:v1.17.5-4@sha256:e1ae043ca969c0b46bb23aa3dd0443a9271c2f665513168091864aa3b751f12a'
 
-- name: ghcr.io/gythialy/golang-cross:v1.17.5-1@sha256:f6cc024baf829eaa61972c7fd20d0d62bf9faad31246fd61d9d78fc122cbcd29
+- name: ghcr.io/gythialy/golang-cross:v1.17.5-4@sha256:e1ae043ca969c0b46bb23aa3dd0443a9271c2f665513168091864aa3b751f12a
   entrypoint: /bin/sh
   dir: "go/src/sigstore/rekor"
   env:
@@ -61,7 +64,7 @@ steps:
     - |
       make release
 
-- name: ghcr.io/gythialy/golang-cross:v1.17.5-1@sha256:f6cc024baf829eaa61972c7fd20d0d62bf9faad31246fd61d9d78fc122cbcd29
+- name: ghcr.io/gythialy/golang-cross:v1.17.5-4@sha256:e1ae043ca969c0b46bb23aa3dd0443a9271c2f665513168091864aa3b751f12a
   entrypoint: 'bash'
   dir: "go/src/sigstore/rekor"
   env:
