Sign images with cosign (#166)

* Sign images with cosign * bump alpine for binary * fix arg count
home-assistant · Jun 9, 2023 · 8e9a0ec · 8e9a0ec
1 parent 5e45afa
commit 8e9a0ec
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 11 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -28,6 +28,9 @@ jobs:
  name: Publish builder
  needs: init
  runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
  strategy:
  fail-fast: False
  matrix:
@@ -58,6 +61,7 @@ jobs:
  with:
  args: |
  --${{ matrix.architecture }} \
+ --cosign \
  --target /data \
  --generic $GIT_TAG_NAME
  env:

diff --git a/Dockerfile b/Dockerfile
@@ -4,7 +4,8 @@ FROM $BUILD_FROM
 ARG \
  BUILD_ARCH \
  CAS_VERSION \
- YQ_VERSION
+ YQ_VERSION \
+ COSIGN_VERSION
 
 RUN \
  set -x \
@@ -24,16 +25,21 @@ RUN \
  && mv cas /usr/bin/cas \
  && if [ "${BUILD_ARCH}" = "armhf" ] || [ "${BUILD_ARCH}" = "armv7" ]; then \
  wget -q -O /usr/bin/yq "https:/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_arm"; \
+ wget -q -O /usr/bin/cosign "https:/home-assistant/cosign/releases/download/${COSIGN_VERSION}/cosign_armhf"; \
  elif [ "${BUILD_ARCH}" = "aarch64" ]; then \
  wget -q -O /usr/bin/yq "https:/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_arm64"; \
+ wget -q -O /usr/bin/cosign "https:/home-assistant/cosign/releases/download/${COSIGN_VERSION}/cosign_aarch64"; \
  elif [ "${BUILD_ARCH}" = "i386" ]; then \
  wget -q -O /usr/bin/yq "https:/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_386"; \
+ wget -q -O /usr/bin/cosign "https:/home-assistant/cosign/releases/download/${COSIGN_VERSION}/cosign_i386"; \
  elif [ "${BUILD_ARCH}" = "amd64" ]; then \
  wget -q -O /usr/bin/yq "https:/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64"; \
+ wget -q -O /usr/bin/cosign "https:/home-assistant/cosign/releases/download/${COSIGN_VERSION}/cosign_amd64"; \
  else \
  exit 1; \
  fi \
  && chmod +x /usr/bin/yq \
+ && chmod +x /usr/bin/cosign \
  \
  && apk del .build-dependencies \
  && rm -rf /root/go /root/.cache \

diff --git a/build.yaml b/build.yaml
@@ -1,17 +1,18 @@
 image: "homeassistant/{arch}-builder"
 shadow_repository: "ghcr.io/home-assistant"
 build_from:
- aarch64: "ghcr.io/home-assistant/aarch64-base:3.16"
- armv7: "ghcr.io/home-assistant/armv7-base:3.16"
- armhf: "ghcr.io/home-assistant/armhf-base:3.16"
- amd64: "ghcr.io/home-assistant/amd64-base:3.16"
- i386: "ghcr.io/home-assistant/i386-base:3.16"
+ aarch64: "ghcr.io/home-assistant/aarch64-base:3.18"
+ armv7: "ghcr.io/home-assistant/armv7-base:3.18"
+ armhf: "ghcr.io/home-assistant/armhf-base:3.18"
+ amd64: "ghcr.io/home-assistant/amd64-base:3.18"
+ i386: "ghcr.io/home-assistant/i386-base:3.18"
 codenotary:
  signer: [email protected]
  base_image: [email protected]
 args:
  CAS_VERSION: "1.0.1"
  YQ_VERSION: "v4.13.2"
+ COSIGN_VERSION: "2.0.2"
 labels:
  io.hass.type: builder
  org.opencontainers.image.title: "Home Assistant Builder"

diff --git a/builder.sh b/builder.sh
@@ -19,6 +19,7 @@ DOCKER_PASSWORD=
 DOCKER_LOCAL=false
 SELF_CACHE=false
 CUSTOM_CACHE_TAG=
+COSIGN=false
 RELEASE_TAG=false
 GIT_REPOSITORY=
 GIT_BRANCH="master"
@@ -137,8 +138,8 @@ Options:
  Build the machine based image for a release/landingpage.
 
  Security:
- Enable signing images with Codenotary. Need set follow env:
- - CAS_API_KEY
+ --cosign
+  Enable signing images with cosign.
 EOF
 
  bashio::exit.nok
@@ -349,7 +350,7 @@ function run_build() {
  push_images+=("${shadow_repository}/${image}:${version}")
  fi
 
- # Singing image
+ # Singing image (cas)
  codenotary_sign "${codenotary_sign}" "${repository}/${image}:${version}"
 
  # Push images
@@ -370,6 +371,9 @@ function run_build() {
  done
  done
  fi
+
+ # Singing image (cosign)
+ cosign_sign "${repository}/${image}:${version}"
 }
 
 function convert_to_json() {
@@ -767,9 +771,9 @@ function codenotary_sign() {
  done
 
  if bashio::var.false "${success}"; then
- bashio::exit.nok "Failed to sign the image"
+ bashio::exit.nok "Failed to sign the image (cas)"
  fi
- bashio::log.info "Signed ${image} with ${trust}"
+ bashio::log.info "Signed ${image} with ${trust} (cas)"
 }
 
 function codenotary_validate() {
@@ -810,6 +814,32 @@ function codenotary_validate() {
 }
 
 
+#### Security cosign ####
+
+function cosign_sign() {
+ local image=$1
+
+ local success=false
+
+ if bashio::var.false "${DOCKER_PUSH}" || bashio::var.false "${COSIGN}"; then
+ return 0
+ fi
+
+ for j in {1..15}; do
+ if cosign sign --yes "${image}"; then
+ success=true
+ break
+ fi
+ sleep $((5 * j))
+ done
+
+ if bashio::var.false "${success}"; then
+ bashio::exit.nok "Failed to sign the image (cosign)"
+ fi
+ bashio::log.info "Signed ${image} with ${trust} (cosign)"
+}
+
+
 #### Error handling ####
 
 function error_handling() {
@@ -866,6 +896,9 @@ while [[ $# -gt 0 ]]; do
  --self-cache)
  SELF_CACHE=true
  ;;
+ --cosign)
+ COSIGN=true
+ ;;
  --cache-tag)
  CUSTOM_CACHE_TAG=$2
  shift