generate SBOM for binaries and container images and use cosign for si…

…gning images
buildpacks · Nov 18, 2024 · 209b788 · 209b788
1 parent 92bc87b
commit 209b788
Show file tree

Hide file tree

Showing 2 changed files with 120 additions and 16 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -226,47 +226,99 @@ jobs:
           echo "PACK_MILESTONE=${milestone}" >> $GITHUB_ENV
       - name: Download artifacts
         uses: actions/download-artifact@v4
-      - name: Package artifacts - macos
+      - name: Install Syft
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+      - name: Package artifacts and Generate SBOM JSON file - macos
         run: |
           chmod +x pack-macos/pack
           filename=pack-v${{ env.PACK_VERSION }}-macos.tgz
           tar -C pack-macos -vzcf $filename pack
           shasum -a 256 $filename > $filename.sha256
-      - name: Package artifacts - linux-arm64
+
+          temp_dir=$(mktemp -d)
+          trap 'rm -rf "$temp_dir"' EXIT
+
+          tar -xzf $filename -C $temp_dir
+          syft "$temp_dir" -o cyclonedx-json > "${filename}-sbom.cdx.json"
+          shasum -a 256 "${filename}-sbom.cdx.json" > "${filename}-sbom.cdx.json.sha256"
+      - name: Package artifacts and Generate SBOM JSON file - linux-arm64
         run: |
           chmod +x pack-linux-arm64/pack
           filename=pack-v${{ env.PACK_VERSION }}-linux-arm64.tgz
           tar -C pack-linux-arm64 -vzcf $filename pack
           shasum -a 256 $filename > $filename.sha256
-      - name: Package artifacts - linux-s390x
+
+          temp_dir=$(mktemp -d)
+          trap 'rm -rf "$temp_dir"' EXIT
+
+          tar -xzf $filename -C $temp_dir
+          syft "$temp_dir" -o cyclonedx-json > "${filename}-sbom.cdx.json"
+          shasum -a 256 "${filename}-sbom.cdx.json" > "${filename}-sbom.cdx.json.sha256"
+      - name: Package artifacts and Generate SBOM JSON file - linux-s390x
         run: |
           chmod +x pack-linux-s390x/pack
           filename=pack-v${{ env.PACK_VERSION }}-linux-s390x.tgz
           tar -C pack-linux-s390x -vzcf $filename pack
           shasum -a 256 $filename > $filename.sha256
-      - name: Package artifacts - linux-ppc64le
+
+          temp_dir=$(mktemp -d)
+          trap 'rm -rf "$temp_dir"' EXIT
+
+          tar -xzf $filename -C $temp_dir
+          syft "$temp_dir" -o cyclonedx-json > "${filename}-sbom.cdx.json"
+          shasum -a 256 "${filename}-sbom.cdx.json" > "${filename}-sbom.cdx.json.sha256"
+      - name: Package artifacts and Generate SBOM JSON file - linux-ppc64le
         run: |
           chmod +x pack-linux-ppc64le/pack
           filename=pack-v${{ env.PACK_VERSION }}-linux-ppc64le.tgz
           tar -C pack-linux-ppc64le -vzcf $filename pack
           shasum -a 256 $filename > $filename.sha256
-      - name: Package artifacts - macos-arm64
+        
+          temp_dir=$(mktemp -d)
+          trap 'rm -rf "$temp_dir"' EXIT
+
+          tar -xzf $filename -C $temp_dir
+          syft "$temp_dir" -o cyclonedx-json > "${filename}-sbom.cdx.json"
+          shasum -a 256 "${filename}-sbom.cdx.json" > "${filename}-sbom.cdx.json.sha256"
+      - name: Package artifacts and Generate SBOM JSON file - macos-arm64
         run: |
           chmod +x pack-macos-arm64/pack
           filename=pack-v${{ env.PACK_VERSION }}-macos-arm64.tgz
           tar -C pack-macos-arm64 -vzcf $filename pack
           shasum -a 256 $filename > $filename.sha256
-      - name: Package artifacts - linux
+
+          temp_dir=$(mktemp -d)
+          trap 'rm -rf "$temp_dir"' EXIT
+
+          tar -xzf $filename -C $temp_dir
+          syft "$temp_dir" -o cyclonedx-json > "${filename}-sbom.cdx.json"
+          shasum -a 256 "${filename}-sbom.cdx.json" > "${filename}-sbom.cdx.json.sha256"
+      - name: Package artifacts and Generate SBOM JSON file - linux
         run: |
           chmod +x pack-linux/pack
           filename=pack-v${{ env.PACK_VERSION }}-linux.tgz
           tar -C pack-linux -vzcf $filename pack
           shasum -a 256 $filename > $filename.sha256
-      - name: Package artifacts - windows
+
+          temp_dir=$(mktemp -d)
+          trap 'rm -rf "$temp_dir"' EXIT
+
+          tar -xzf $filename -C $temp_dir
+          syft "$temp_dir" -o cyclonedx-json > "${filename}-sbom.cdx.json"
+          shasum -a 256 "${filename}-sbom.cdx.json" > "${filename}-sbom.cdx.json.sha256"
+      - name: Package artifacts and Generate SBOM JSON file - windows
         run: |
           filename=pack-v${{ env.PACK_VERSION }}-windows.zip
           zip -j $filename pack-windows/pack.exe
           shasum -a 256 $filename > $filename.sha256
+
+          temp_dir=$(mktemp -d)
+          trap 'rm -rf "$temp_dir"' EXIT
+
+          unzip $filename -d $temp_dir
+          syft "$temp_dir" -o cyclonedx-json > "${filename}-sbom.cdx.json"
+          shasum -a 256 "${filename}-sbom.cdx.json" > "${filename}-sbom.cdx.json.sha256"
       - name: Extract lifecycle version
         id: lifecycle_version
         run: |

diff --git a/.github/workflows/delivery-docker.yml b/.github/workflows/delivery-docker.yml
@@ -19,6 +19,7 @@ env:
   REGISTRY_NAME: 'docker.io'
   USER_NAME: 'buildpacksio'
   IMG_NAME: 'pack'
+  ARCHITECTURES: ["arm64", "amd64", "s390x", "ppc64le"]
 
 jobs:
   deliver-docker:
@@ -33,6 +34,8 @@ jobs:
             base_image: ubuntu:jammy
             suffix: -base
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
       - name: Determine version
         uses: actions/github-script@v7
@@ -52,8 +55,10 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: v${{ steps.version.outputs.result }}
-      - name: Determine App Name
-        run: 'echo "IMG_NAME=${{ env.REGISTRY_NAME }}/${{ env.USER_NAME }}/${{ env.IMG_NAME }}" >> $GITHUB_ENV'
+      - name: Setup Docker Build Environment
+        run: |
+          echo "IMG_NAME=${{ env.REGISTRY_NAME }}/${{ env.USER_NAME }}/${{ env.IMG_NAME }}" >> $GITHUB_ENV
+          echo "${{ env.ARCHITECTURES }}" | jq -r '.[]' > architectures.txt
       - name: Login to Dockerhub
         uses: docker/login-action@v3
         with:
@@ -71,11 +76,58 @@ jobs:
             --build-arg base_image=${{ matrix.base_image }} \
             --provenance=false \
             --push
-      - name: Tag Image as Base
-        if: ${{ (github.event.release != '' || github.event.inputs.tag_latest) && matrix.config == 'base' }}
-        run: |
-          crane copy ${{ env.IMG_NAME }}:${{ steps.version.outputs.result }}${{ matrix.suffix }} ${{ env.IMG_NAME }}:base
-      - name: Tag Image as Latest
-        if: ${{ (github.event.release != '' || github.event.inputs.tag_latest) && matrix.config != 'base' }}
+          echo "IMG_DIGEST=$(crane digest ${{ env.IMG_NAME }}:${{ steps.version.outputs.result }}${{ matrix.suffix }})" >> $GITHUB_ENV
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+      - name: Download and Attach SBOMs
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          crane copy ${{ env.IMG_NAME }}:${{ steps.version.outputs.result }}${{ matrix.suffix }} ${{ env.IMG_NAME }}:latest
+          while IFS= read -r arch; do
+            pattern=$([ "$arch" = "amd64" ] && echo "pack-v${{ steps.version.outputs.result }}-linux-sbom.cdx.json" || echo "pack-v${{ steps.version.outputs.result }}-linux-${arch}-sbom.cdx.json")
+            gh release download --pattern "${pattern}" ${{ github.event.release.tag_name }} &
+          done < architectures.txt
+          wait
+
+          sign_and_verify() {
+            local tag=$1
+            local alias=${2:-}
+
+            while IFS= read -r arch; do
+              sbom_json_file=$([ "$arch" = "amd64" ] && echo "pack-v${{ steps.version.outputs.result }}-linux-sbom.cdx.json" || echo "pack-v${{ steps.version.outputs.result }}-linux-${arch}-sbom.cdx.json")
+
+              cosign attach sbom --sbom "$sbom_json_file" \
+                --platform "linux/${arch}" \
+                "$tag@${IMG_DIGEST}"
+            done < architectures.txt
+
+            cosign sign -r -y \
+              -a version=${{ steps.version.outputs.result }} \
+              -a config=${{ matrix.config }} \
+              ${alias:+-a alias=$alias} \
+              --attachment sbom \
+              "$tag@${IMG_DIGEST}"
+
+            cosign verify \
+              --certificate-identity-regexp "https://github.com/${{ github.repository_owner }}/pack/.github/workflows/delivery-docker.yml" \
+              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+              -a version=${{ steps.version.outputs.result }} \
+              -a config=${{ matrix.config }} \
+              ${alias:+-a alias=$alias} \
+              --attachment sbom \
+              "$tag@${IMG_DIGEST}"
+          }
+
+          sign_and_verify "${{ env.IMG_NAME }}:${{ steps.version.outputs.result }}${{ matrix.suffix }}"
+
+          # Conditionally tag and sign as base
+          if [[ ("${{ github.event.release }}" != "" || "${{ github.event.inputs.tag_latest }}" == "true") && "${{ matrix.config }}" == "base" ]]; then
+            crane copy ${{ env.IMG_NAME }}:${{ steps.version.outputs.result }}${{ matrix.suffix }} ${{ env.IMG_NAME }}:base
+            sign_and_verify "${{ env.IMG_NAME }}:base" "base"
+          fi
+
+          # Conditionally tag and sign as latest
+          if [[ ("${{ github.event.release }}" != "" || "${{ github.event.inputs.tag_latest }}" == "true") && "${{ matrix.config }}" != "base" ]]; then
+            crane copy ${{ env.IMG_NAME }}:${{ steps.version.outputs.result }}${{ matrix.suffix }} ${{ env.IMG_NAME }}:latest
+            sign_and_verify "${{ env.IMG_NAME }}:latest" "latest"
+          fi