From 1097e7a25f91e678ad1cf003a45d6418817cf4c7 Mon Sep 17 00:00:00 2001
From: Sebastien Duthil
Date: Sun, 6 Oct 2024 23:19:28 -0400
Subject: [PATCH] goreleaser: remove checksums.{txt,pem,sig} artifacts

Why:
* SLSA verification implies integrity verification, making the checksums file redundant
* The checksums file is lacking entries for package files

Signed-off-by: Sebastien Duthil
---
 .goreleaser.yaml | 55 ++----------------------------------------------
 1 file changed, 2 insertions(+), 53 deletions(-)

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index b28f8d52c..abe5021f4 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -129,15 +129,6 @@ archives:
 # Before v3.8.0, this used to be _just_ the AMD64 binary.
 name_template: '{{ .ProjectName }}-v{{ .Version }}.darwin'
 
-# xref: https://goreleaser.com/customization/checksum/
-checksum:
- name_template: "{{ .ProjectName }}-v{{ .Version }}.checksums.txt"
- algorithm: sha256
- ids:
- - archive-unix
- - archive-windows
- - archive-darwin-universal
-
 # xref: https://goreleaser.com/customization/sbom/
 sboms:
 - id: binary-sbom
@@ -145,21 +136,6 @@ sboms:
 documents:
 - "{{ .ArtifactName }}.spdx.sbom.json"
 
-# xref: https://goreleaser.com/customization/sign/
-signs:
- - cmd: cosign
- artifacts: checksum
- signature: '{{ trimsuffix .Env.artifact ".txt" }}.sig'
- certificate: '{{ trimsuffix .Env.artifact ".txt" }}.pem'
- args:
- - "sign-blob"
- - "--output-signature"
- - "${signature}"
- - "--output-certificate"
- - "${certificate}"
- - "${artifact}"
- output: true
-
 # xref: https://goreleaser.com/customization/docker/
 dockers:
 - image_templates:
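Review bot: Removing the whole `checksum:` block also removes the only integrity check a consumer can run with nothing more than `sha256sum`, while the second reason given in the commit message (no entries for package files) is fixable in place by extending the `ids:` list with the ids of the package builds, or by dropping `ids:` so goreleaser checksums every artifact it produces. Integrity now rests solely on `slsa-verifier` matching an artifact's digest against the provenance subjects, so any artifact that is not a provenance subject has no published digest at all; from this hunk I cannot tell which artifact ids the provenance workflow covers, so that is worth confirming before merging. If the removal stands, a short comment where the block used to sit would stop the next maintainer from re-adding it, e.g. `# No checksums file is published: artifact integrity is covered by the SLSA provenance (see the verification notes in the release template).`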
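Review bot: With the `signs:` section gone, nothing in this goreleaser config emits a Sigstore signature or certificate any more, so the trust chain for every artifact depends on provenance generated outside this file, and the hunk leaves no trace of where that happens. The deleted `--certificate-identity-regexp` / `--certificate-oidc-issuer` check in the release-notes hunk later in this patch bound the old signature to the repository owner's GitHub Actions identity; the commands that follow `# Download the metadata file` are outside that hunk, so I cannot see whether the `slsa-verifier` invocation pins the source repository in the same way, but the release notes should make that binding explicit. A one-line comment above the retained `# xref: https://goreleaser.com/customization/docker/`, e.g. `# Artifacts are not signed here; integrity and builder identity are attested by the SLSA provenance workflow.`, would record the intent. It is also worth confirming that the images under `dockers:` are covered by that provenance, since the release footer claims it only for binaries, packages and SBOMs.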
@@ -292,36 +268,9 @@ release:
 chmod +x /usr/local/bin/{{ .ProjectName }}
 ```
 
- ### Verify checksums file signature
-
- The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of this file, run the following commands:
-
- ```shell
- # Download the checksums file, certificate and signature
- curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-v{{ .Version }}.checksums.txt
- curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-v{{ .Version }}.checksums.pem
- curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-v{{ .Version }}.checksums.sig
-
- # Verify the checksums file
- cosign verify-blob {{ .ProjectName }}-v{{ .Version }}.checksums.txt \
- --certificate {{ .ProjectName }}-v{{ .Version }}.checksums.pem \
- --signature {{ .ProjectName }}-v{{ .Version }}.checksums.sig \
- --certificate-identity-regexp=https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }} \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com
- ```
-
- ### Verify binary integrity
-
- To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature:
-
- ```shell
- # Verify the binary using the checksums file
- sha256sum -c {{ .ProjectName }}-v{{ .Version }}.checksums.txt --ignore-missing
- ```
-
- ### Verify artifact provenance
+ ### Verify artifact provenance and integrity
 
- The [SLSA provenance](https://slsa.dev/provenance/v0.2) of the binaries, packages, and SBOMs can be found within the artifacts associated with this release. It is presented through an [in-toto](https://in-toto.io/) link metadata file named `sops-v{{ .Version }}.intoto.jsonl`. To verify the provenance of an artifact, you can utilize the [`slsa-verifier`](https://github.com/slsa-framework/slsa-verifier#artifacts) tool:
+ The [SLSA provenance](https://slsa.dev/provenance/v0.2) of the binaries, packages, and SBOMs can be found within the artifacts associated with this release. It is presented through an [in-toto](https://in-toto.io/) link metadata file named `sops-v{{ .Version }}.intoto.jsonl`. Since SLSA provenance verification implies checksum verification, no extra checksum file is provided. To verify the provenance of an artifact, you can utilize the [`slsa-verifier`](https://github.com/slsa-framework/slsa-verifier#artifacts) tool:
 
 ```shell
 # Download the metadata file
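Review bot: The sentence added to the new `The [SLSA provenance]` line overstates slightly: provenance verification only replaces a checksum for artifacts that appear as subjects in `sops-v{{ .Version }}.intoto.jsonl`, and `slsa-verifier` checks the digest of the single file it is given, so a wording such as `slsa-verifier compares the downloaded artifact's SHA-256 digest against the subjects recorded in the provenance, so a separate checksum file is redundant for every artifact listed there.` is more precise. The deleted `### Verify binary integrity` section was also the only text that made clear the check is per file; the retained paragraph should say that each downloaded binary or package has to be verified individually rather than once per release. The verification commands after `# Download the metadata file` lie outside this hunk, so I cannot confirm they show a per-artifact invocation.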