Merge pull request #76 from krancour/image-signing

krancour · web-flow · commit cbac34b83745 · 2022-03-25T18:33:46.000-04:00
release: sign images
diff --git a/.brigade/brigade.ts b/.brigade/brigade.ts
@@ -78,6 +78,8 @@ class BuildImageJob extends JobWithSource {
     let registryOrg: string
     let registryUsername: string
     let registryPassword: string
+    let signingSetupCommands = ""
+    let signingCommand = ""
     if (!version) { // This is where we'll push potentially unstable images
       registry = secrets.unstableImageRegistry
       registryOrg = secrets.unstableImageRegistryOrg
@@ -90,6 +92,16 @@ class BuildImageJob extends JobWithSource {
       registryPassword = secrets.stableImageRegistryPassword
       // Since it's defined, the make target will want this env var
       env["VERSION"] = version
+      env["BASE64_IMAGE_SIGNING_KEY"] = secrets.base64ImageSigningKey
+      // This env var is documented here:
+      // https://docs.docker.com/engine/security/trust/trust_automation/
+      env["DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"] = secrets.imageSigningKeyPassphrase
+      const keyDir = "~/.docker/trust/private"
+      const keyFile = `${keyDir}/${secrets.imageSigningKeyHash}.key`
+      signingSetupCommands = `mkdir -p ${keyDir} && chmod 700 ${keyDir} && ` +
+        `printf $BASE64_IMAGE_SIGNING_KEY | base64 -d > ${keyFile} && chmod 600 ${keyFile} && ` +
+        `docker trust key load --name ${registryUsername} ${keyFile} && `
+      signingCommand = ` && make sign-${image}`
     }
     if (registry) {
       // Since it's defined, the make target will want this env var
@@ -118,9 +130,11 @@ class BuildImageJob extends JobWithSource {
       // probably up and running.
       "sleep 20 && " +
         `${registriesLoginCmd} && ` +
+        signingSetupCommands +
         "docker buildx create --name builder --use && " +
         "docker info && " +
-        `make push-${image}`
+        `make push-${image}` +
+        signingCommand
     ]
     this.sidecarContainers.dind = new Container(dindImg)
     this.sidecarContainers.dind.privileged = true
diff --git a/Makefile b/Makefile
@@ -180,6 +180,15 @@ push-%:
 		--push \
 		.
 
+.PHONY: sign-%
+sign-%:
+	docker pull $(DOCKER_IMAGE_PREFIX)$*:$(IMMUTABLE_DOCKER_TAG)
+	docker pull $(DOCKER_IMAGE_PREFIX)$*:$(MUTABLE_DOCKER_TAG)
+	docker trust sign $(DOCKER_IMAGE_PREFIX)$*:$(IMMUTABLE_DOCKER_TAG)
+	docker trust sign $(DOCKER_IMAGE_PREFIX)$*:$(MUTABLE_DOCKER_TAG)
+	docker trust inspect --pretty $(DOCKER_IMAGE_PREFIX)$*:$(IMMUTABLE_DOCKER_TAG)
+	docker trust inspect --pretty $(DOCKER_IMAGE_PREFIX)$*:$(MUTABLE_DOCKER_TAG)
+
 .PHONY: publish-chart
 publish-chart:
 	$(HELM_DOCKER_CMD) sh	-c ' \
