diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 9e5a926a1a0a8..9237d28b433d7 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -95,7 +95,7 @@ jobs: args: release --clean --timeout 55m env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - KUBECTL_VERSION: ${{ env.KUBECTL_VERSION }} + KUBECTL_VERSION: ${{ env.KUBECTL_VERSION }} GIT_TREE_STATE: ${{ env.GIT_TREE_STATE }} - name: Generate subject for provenance @@ -127,13 +127,14 @@ jobs: upload-assets: true generate-sbom: - name: Create Sbom and sign assets + name: Create SBOM and generate hash needs: - argocd-image - goreleaser permissions: contents: write # Needed for release uploads - id-token: write # Needed for signing Sbom + outputs: + hashes: ${{ steps.sbom-hash.outputs.hashes}} if: github.repository == 'argoproj/argo-cd' runs-on: ubuntu-22.04 steps: @@ -148,11 +149,6 @@ jobs: with: go-version: ${{ env.GOLANG_VERSION }} - - name: Install cosign - uses: sigstore/cosign-installer@d13028333d784fcc802b67ec924bcebe75aa0a5f # v3.1.0 - with: - cosign-release: 'v2.0.0' - - name: Generate SBOM (spdx) id: spdx-builder env: 
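Review bot: In the generate-sbom hunk, the new job output `hashes: ${{ steps.sbom-hash.outputs.hashes}}` drops the space before the closing `}}`; GitHub's expression parser tolerates this, but every other expression in the hunk is written as `${{ ... }}`, so `hashes: ${{ steps.sbom-hash.outputs.hashes }}` keeps the file consistent and avoids a reader wondering whether the asymmetry is deliberate. The generate-sbom job definition continues past the end of this hunk, so the step that sets `sbom-hash` is not visible here.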
@@ -183,21 +179,36 @@ jobs: cd /tmp && tar -zcf sbom.tar.gz *.spdx - - name: Sign SBOM + - name: Generate SBOM hash + shell: bash + id: sbom-hash run: | - cosign sign-blob \ - --output-certificate=/tmp/sbom.tar.gz.pem \ - --output-signature=/tmp/sbom.tar.gz.sig \ - -y \ - /tmp/sbom.tar.gz + # sha256sum generates sha256 hash for sbom. + # base64 -w0 encodes to base64 and outputs on a single line. + # sha256sum /tmp/sbom.tar.gz ... | base64 -w0 + echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT" - - name: Upload SBOM and signature assets + - name: Upload SBOM uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: files: | - /tmp/sbom.tar.* + /tmp/sbom.tar.gz + + sbom-provenance: + needs: [generate-sbom] + permissions: + actions: read # for detecting the Github Actions environment + id-token: write # Needed for provenance signing and ID + contents: write # Needed for release uploads + if: github.repository == 'argoproj/argo-cd' + # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0 + with: + base64-subjects: "${{ needs.generate-sbom.outputs.hashes }}" + provenance-name: "argocd-sbom.intoto.jsonl" + upload-assets: true post-release: needs: diff --git a/docs/operator-manual/signed-release-assets.md b/docs/operator-manual/signed-release-assets.md index 4944f70ac1cb8..1cd8636edf5a3 100644 --- a/docs/operator-manual/signed-release-assets.md +++ b/docs/operator-manual/signed-release-assets.md 
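Review bot: The subject line produced by `sha256sum /tmp/sbom.tar.gz` in the new "Generate SBOM hash" step carries the absolute path (`<hash>  /tmp/sbom.tar.gz`), so the provenance generated by sbom-provenance will record the subject name as `/tmp/sbom.tar.gz` while the asset uploaded by the following step and referenced in the docs is `sbom.tar.gz`; as far as I can tell slsa-verifier matches on digest rather than name, so verification should still pass, but the mismatch is confusing to anyone inspecting the attestation. Running the checksum from the file's directory fixes it: `echo "hashes=$(cd /tmp && sha256sum sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"`. The third comment in that script (`# sha256sum /tmp/sbom.tar.gz ... | base64 -w0`) restates the command beneath it and could be dropped. In the new sbom-provenance job the comment has a typo: `# Must be referenced by a tag.`.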
@@ -136,11 +136,13 @@ slsa-verifier verify-artifact argocd-linux-amd64 \ ## Verification of Sbom +A single attestation (`argocd-sbom.intoto.jsonl`) from each release is provided along with the sbom (`sbom.tar.gz`). This can be used with [slsa-verifier](https://github.com/slsa-framework/slsa-verifier#verification-for-github-builders) to verify that the SBOM was generated using Argo CD workflows on GitHub and ensures it was cryptographically signed. + ```bash -cosign verify-blob --signature sbom.tar.gz.sig --certificate sbom.tar.gz.pem \ ---certificate-identity-regexp ^https://github.com/argoproj/argo-cd/.github/workflows/release.yaml@refs/tags/v \ ---certificate-oidc-issuer https://token.actions.githubusercontent.com \ - ~/Downloads/sbom.tar.gz | jq +slsa-verifier verify-artifact sbom.tar.gz \ + --provenance-path argocd-sbom.intoto.jsonl \ + --source-uri github.com/argoproj/argo-cd \ + --source-tag v2.8.0 ``` ***