adding keyless (#1073)

Signed-off-by: Carlos Panato <[email protected]>
sigstore · Nov 18, 2021 · 857d9a5 · 857d9a5
1 parent 01b6c8f
commit 857d9a5
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 10 deletions.
diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml
@@ -38,10 +38,10 @@ steps:
   - 'verify'
   - '--key'
   - 'https://raw.githubusercontent.com/gythialy/golang-cross/master/cosign.pub'
-  - 'ghcr.io/gythialy/golang-cross:v1.17.3-1@sha256:f934a6b0411bbe6723a65732baa8ff7e318cc2d8b089afddb41be3d60d0ea1ae'
+  - 'ghcr.io/gythialy/golang-cross:v1.17.3-2@sha256:7129cf015701ce65e6527707b0d2b79ae86729240d4f06646352e0d41dc88f4a'
 
 # maybe we can build our own image and use that to be more in a safe side
-- name: ghcr.io/gythialy/golang-cross:v1.17.3-1@sha256:f934a6b0411bbe6723a65732baa8ff7e318cc2d8b089afddb41be3d60d0ea1ae
+- name: ghcr.io/gythialy/golang-cross:v1.17.3-2@sha256:7129cf015701ce65e6527707b0d2b79ae86729240d4f06646352e0d41dc88f4a
   entrypoint: /bin/sh
   dir: "go/src/sigstore/cosign"
   env:
@@ -53,6 +53,7 @@ steps:
   - KEY_NAME=${_KEY_NAME}
   - KEY_VERSION=${_KEY_VERSION}
   - GIT_TAG=${_GIT_TAG}
+  - GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
   secretEnv:
   - GITHUB_TOKEN
   args:
@@ -61,7 +62,7 @@ steps:
       git tag ${_GIT_TAG}
       make release
 
-- name: ghcr.io/gythialy/golang-cross:v1.17.3-1@sha256:f934a6b0411bbe6723a65732baa8ff7e318cc2d8b089afddb41be3d60d0ea1ae
+- name: ghcr.io/gythialy/golang-cross:v1.17.3-2@sha256:7129cf015701ce65e6527707b0d2b79ae86729240d4f06646352e0d41dc88f4a
   entrypoint: 'bash'
   dir: "go/src/sigstore/cosign"
   env:
@@ -74,13 +75,16 @@ steps:
   - KEY_VERSION=${_KEY_VERSION}
   - GIT_TAG=${_GIT_TAG}
   - KO_PREFIX=gcr.io/${PROJECT_ID}
+  - COSIGN_EXPERIMENTAL=true
+  - GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
   secretEnv:
   - GITHUB_TOKEN
   args:
-    - '-c'
-    - |
-      gcloud auth configure-docker \
-      && make sign-container-release
+  - '-c'
+  - |
+    gcloud auth configure-docker \
+    && make sign-container-release \
+    && make sign-keyless-release
 
 availableSecrets:
   secretManager:

diff --git a/release/release.mk b/release/release.mk
@@ -7,21 +7,45 @@
 release:
 	LDFLAGS="$(LDFLAGS)" goreleaser release
 
+
+###########################
+# sign with GCP KMS section
+###########################
+
 .PHONY: sign-cosign-release
 sign-cosign-release:
-	cosign sign --key "gcpkms://projects/${PROJECT_ID}/locations/${KEY_LOCATION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}/versions/${KEY_VERSION}" -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/cosign:$(GIT_VERSION)
+	cosign sign --force --key "gcpkms://projects/${PROJECT_ID}/locations/${KEY_LOCATION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}/versions/${KEY_VERSION}" -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/cosign:$(GIT_VERSION)
 
 .PHONY: sign-cosigned-release
 sign-cosigned-release:
-	cosign sign --key "gcpkms://projects/${PROJECT_ID}/locations/${KEY_LOCATION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}/versions/${KEY_VERSION}" -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/cosigned:$(GIT_VERSION)
+	cosign sign --force --key "gcpkms://projects/${PROJECT_ID}/locations/${KEY_LOCATION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}/versions/${KEY_VERSION}" -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/cosigned:$(GIT_VERSION)
 
 .PHONY: sign-sget-release
 sign-sget-release:
-	cosign sign --key "gcpkms://projects/${PROJECT_ID}/locations/${KEY_LOCATION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}/versions/${KEY_VERSION}" -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/sget:$(GIT_VERSION)
+	cosign sign --force --key "gcpkms://projects/${PROJECT_ID}/locations/${KEY_LOCATION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}/versions/${KEY_VERSION}" -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/sget:$(GIT_VERSION)
 
 .PHONY: sign-container-release
 sign-container-release: ko sign-cosign-release sign-cosigned-release sign-sget-release
 
+######################
+# sign keyless section
+######################
+
+.PHONY: sign-keyless-cosign-release
+sign-keyless-cosign-release:
+	cosign sign --force -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/cosign:$(GIT_VERSION)
+
+.PHONY: sign-keyless-cosigned-release
+sign-keyless-cosigned-release:
+	cosign sign --force -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/cosigned:$(GIT_VERSION)
+
+.PHONY: sign-keyless-sget-release
+sign-keyless-sget-release:
+	cosign sign --force -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/sget:$(GIT_VERSION)
+
+.PHONY: sign-keyless-release
+sign-keyless-release: sign-keyless-cosign-release sign-keyless-cosigned-release sign-keyless-sget-release
+
 # used when need to validate the goreleaser
 .PHONY: snapshot
 snapshot: