From 7e1d9c13192a1847221480cd6151d15e960669d9 Mon Sep 17 00:00:00 2001
From: Bob Callaway
Date: Wed, 7 Aug 2024 11:50:58 -0400
Subject: [PATCH] pin public key used for verification (#169)
* pin public key used for verification
Signed-off-by: Bob Callaway
* don't test on macos-latest as we didn't publish arm64 in cosign-0.5.0
Signed-off-by: Bob Callaway
* add explicit failure flag to curl to ensure we bail on a non-200 response
Signed-off-by: Bob Callaway
---------
Signed-off-by: Bob Callaway
---
 .github/workflows/test-action.yml | 25 +++++++++++++++++++++++++
 action.yml | 20 +++++++++++++++-----
 2 files changed, 40 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/test-action.yml b/.github/workflows/test-action.yml
index 702ae8d..25635d6 100644
--- a/.github/workflows/test-action.yml
+++ b/.github/workflows/test-action.yml
@@ -78,6 +78,31 @@ jobs:
           fi
         shell: bash
 
+  test_cosign_action_0_5_0:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+    permissions: {}
+    name: Install Cosign v0.5.0 and test presence in path
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Install Cosign
+        uses: ./
+        with:
+          cosign-release: 'v0.5.0'
+      - name: Check install!
+        run: cosign version
+      - name: Check root directory
+        run: |
+          if [[ $(git diff --stat) != '' ]]; then
+            echo 'should be clean'
+            exit 1
+          else
+            exit 0
+          fi
+        shell: bash
+
   test_cosign_action_0_6_0:
     runs-on: ${{ matrix.os }}
     strategy:
diff --git a/action.yml b/action.yml
index 6ac9c26..3bc3467 100644
--- a/action.yml
+++ b/action.yml
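Review bot: The `os: [ubuntu-latest, windows-latest]` matrix in the new test_cosign_action_0_5_0 job omits macos-latest without saying why; the reason (no arm64 asset was published for cosign v0.5.0) lives only in the commit message and will be invisible to whoever next touches the workflow. Suggest an inline comment on that line, e.g. `os: [ubuntu-latest, windows-latest]  # no macos-latest: cosign v0.5.0 has no arm64 build`. The `Check root directory` step relies on `git diff --stat`, which reports only tracked modifications, so a file the action leaves behind untracked in the workspace would still pass this check; `git status --porcelain` would catch both cases.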
@@ -182,7 +182,7 @@ runs:
           expected_bootstrap_version_digest=${bootstrap_sha}
           log_info "Downloading bootstrap version '${bootstrap_version}' of cosign to verify version to be installed...\n https://github.com/sigstore/cosign/releases/download/${bootstrap_version}/${bootstrap_filename}"
-          $SUDO curl -sL https://github.com/sigstore/cosign/releases/download/${bootstrap_version}/${bootstrap_filename} -o ${cosign_executable_name}
+          $SUDO curl -fsL https://github.com/sigstore/cosign/releases/download/${bootstrap_version}/${bootstrap_filename} -o ${cosign_executable_name}
           shaBootstrap=$(shaprog ${cosign_executable_name});
           if [[ $shaBootstrap != ${expected_bootstrap_version_digest} ]]; then
             log_error "Unable to validate cosign version: '${{ inputs.cosign-release }}'"
@@ -206,7 +206,7 @@ runs:
           # Download custom cosign
           log_info "Downloading platform-specific version '${{ inputs.cosign-release }}' of cosign...\n https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_filename}"
-          $SUDO curl -sL https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_filename} -o cosign_${{ inputs.cosign-release }}
+          $SUDO curl -fsL https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_filename} -o cosign_${{ inputs.cosign-release }}
           shaCustom=$(shaprog cosign_${{ inputs.cosign-release }});
           # same hash means it is the same release
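Review bot: The new `curl -fsL` on the bootstrap download (and likewise in the -206 hunk and the three curl lines in the -228 hunk) makes curl exit non-zero on an HTTP error, but together with `-s` it also suppresses the error text, so a failed fetch surfaces only later as a digest mismatch with the misleading "Unable to validate cosign version" message. Use `-fsSL` so the HTTP status is still printed when the download fails. Whether this run block executes under `set -e` is not visible in the hunk; if it does not, each download should be followed by something like `|| { log_error "download failed"; exit 1; }` so the step stops at the point of failure rather than continuing to hash a missing file. The script these lines belong to starts and ends outside the hunk.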
@@ -228,22 +228,32 @@ runs:
           if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
             log_info "Downloading detached signature for platform-specific '${{ inputs.cosign-release }}' of cosign...\n https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_v060_signature}"
-            $SUDO curl -sL https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_v060_signature} -o ${desired_cosign_filename}.sig
+            $SUDO curl -fsL https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_v060_signature} -o ${desired_cosign_filename}.sig
           else
             log_info "Downloading detached signature for platform-specific '${{ inputs.cosign-release }}' of cosign...\n https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_filename}.sig"
-            $SUDO curl -sLO https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_filename}.sig
+            $SUDO curl -fsLO https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_filename}.sig
           fi
           if [[ ${{ inputs.cosign-release }} < 'v0.6.0' ]]; then
             log_info "Downloading cosign public key '${{ inputs.cosign-release }}' of cosign...\n https://github.com/raw/sigstore/cosign/${{ inputs.cosign-release }}/.github/workflows/cosign.pub"
             RELEASE_COSIGN_PUB_KEY=https://github.com/raw/sigstore/cosign/${{ inputs.cosign-release }}/.github/workflows/cosign.pub
+            RELEASE_COSIGN_PUB_KEY_SHA='4aa4bd19530a4929d758a9896255aef2c82f1a3a9f4b000034c6df4307c14f9e'
           else
             log_info "Downloading cosign public key '${{ inputs.cosign-release }}' of cosign...\n https://github.com/raw/sigstore/cosign/${{ inputs.cosign-release }}/release/release-cosign.pub"
             RELEASE_COSIGN_PUB_KEY=https://github.com/raw/sigstore/cosign/${{ inputs.cosign-release }}/release/release-cosign.pub
+            RELEASE_COSIGN_PUB_KEY_SHA='f4cea466e5e887a45da5031757fa1d32655d83420639dc1758749b744179f126'
+          fi
+
+          log_info "Verifying public key matches expected value"
+          $SUDO curl -fsL $RELEASE_COSIGN_PUB_KEY -o public.key
+          sha_fetched_key=$(shaprog public.key)
+          if [[ $sha_fetched_key != $RELEASE_COSIGN_PUB_KEY_SHA ]]; then
+            log_error "Fetched public key does not match expected digest, exiting"
+            exit 1
           fi
           log_info "Using bootstrap cosign to verify signature of desired cosign version"
-          ./cosign verify-blob --insecure-ignore-tlog --key $RELEASE_COSIGN_PUB_KEY --signature ${desired_cosign_filename}.sig cosign_${{ inputs.cosign-release }}
+          ./cosign verify-blob --insecure-ignore-tlog --key public.key --signature ${desired_cosign_filename}.sig cosign_${{ inputs.cosign-release }}
           $SUDO rm cosign
           $SUDO mv cosign_${{ inputs.cosign-release }} ${cosign_executable_name}
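Review bot: The `public.key` written by `$SUDO curl -fsL $RELEASE_COSIGN_PUB_KEY -o public.key` is never removed, whereas the bootstrap binary is cleaned up on the `$SUDO rm cosign` line below; because the fetch runs under `$SUDO` the leftover may be root-owned and hard for later steps to delete, so change that line to `$SUDO rm cosign public.key`. The two new `RELEASE_COSIGN_PUB_KEY_SHA` constants carry no provenance: add a comment above each naming the key file and ref the digest was computed from, and stating that the install now fails closed for any release whose published key differs, so a future key rotation is diagnosed as such rather than as a flaky download. With the key pinned by digest, fetching it from the per-release ref on every run adds a network dependency without adding trust; vendoring the pinned key in this repository and passing that copy to `verify-blob` would remove one fetch from the trust path, though that is a larger change suitable for a follow-up. The `run:` block containing this code starts before and continues after the hunk.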