cd
/
j7s-ci
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Switch to signing with cosign instead of skopeo.

This commit is contained in:
James Pace 2023-08-08 21:36:15 -04:00
parent b4270ae3ff
commit ac36eaa647
2 changed files with 12 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
generic-tasks/j7s-buildah.yaml
View File

@ -28,29 +28,20 @@ spec:
set -x set -x
# Login # Login
buildah login --tls-verify=false --username=$USERNAME --password=$PASSWORD $(params.registry) buildah login --tls-verify=false --username=$USERNAME --password=$PASSWORD $(params.registry)
# Setup cosign. cosign login --username=$USERNAME --password=$PASSWORD $(params.registry)
mkdir -p ~/.sigstore
cp /etc/cosign-credentials/* ~/.sigstore
cat <<EOF > ~/.sigstore/param-file.yaml
privateKeyFile: "$HOME/.sigstore/cosign.key"
privateKeyPassphraseFile: "$HOME/.sigstore/cosign.password"
EOF
mkdir -p /etc/containers/registries.d/
cat <<EOF > /etc/containers/registries.d/james-registry.yaml
docker:
$(params.registry):
use-sigstore-attachments: true
EOF
# Build # Build
buildah --storage-driver=overlay bud --tls-verify=false --no-cache \ buildah --storage-driver=overlay bud --tls-verify=false --no-cache \
-f $(params.containerfile) -t $(params.name):$(params.version) . -f $(params.containerfile) -t $(params.name):$(params.version) .
# Push # Push
skopeo copy --debug --dest-tls-verify=false --sign-by-sigstore=$HOME/.sigstore/param-file.yaml \ skopeo copy --debug --dest-tls-verify=false \
containers-storage:localhost/$(params.name):$(params.version) \ containers-storage:localhost/$(params.name):$(params.version) \
docker://$(params.registry)/$(params.name):$(params.version) docker://$(params.registry)/$(params.name):$(params.version)
skopeo copy --debug --dest-tls-verify=false --sign-by-sigstore=$HOME/.sigstore/param-file.yaml \ skopeo copy --debug --dest-tls-verify=false \
containers-storage:localhost/$(params.name):$(params.version) \ containers-storage:localhost/$(params.name):$(params.version) \
docker://$(params.registry)/$(params.name):latest docker://$(params.registry)/$(params.name):latest
export COSIGN_PASSWORD=$(cat /etc/cosign-credentials/cosign.password)
cosign sign --allow-insecure-registry --key /etc/cosign-credentials/cosign.key $(params.registry)/$(params.name):$(params.version)
env: env:
- name: USERNAME - name: USERNAME
valueFrom: valueFrom:

5
images/Dockerfile_buildah
View File

@ -4,3 +4,8 @@ FROM quay.io/buildah/upstream:latest
RUN dnf install -y skopeo \ RUN dnf install -y skopeo \
--exclude container-selinux \ --exclude container-selinux \
--enablerepo=updates-testing --enablerepo=updates-testing
# Add wget, use it to install cosign.
RUN dnf install -y wget && \
wget https://github.com/sigstore/cosign/releases/download/v2.1.1/cosign-2.1.1.x86_64.rpm && \
rpm -ivh cosign*.rpm