From 564efb8ff33891528135be4c8eb89671f34dd5cf Mon Sep 17 00:00:00 2001
From: Charles Nguyen
Date: Fri, 26 Jul 2024 02:16:27 +0200
Subject: [PATCH 1/5] CI/Scripts: sign and verify released docker images

---
 scripts/ci/docker_release.sh | 3 ++
 scripts/ci/docker_sign_verify.sh | 49 ++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100755 scripts/ci/docker_sign_verify.sh

diff --git a/scripts/ci/docker_release.sh b/scripts/ci/docker_release.sh
index aeab7f733160..5cd213ba3b40 100755
--- a/scripts/ci/docker_release.sh
+++ b/scripts/ci/docker_release.sh
@@ -46,3 +46,6 @@ OCTEZ_EXECUTABLES="$(cat $EXECUTABLE_FILES)"
 
 # Push minimal, bare and debug images
 ./scripts/ci/docker_push_all.sh
+
+# Sign and verify image signatures
+./scripts/ci/docker_sign_verify.sh
diff --git a/scripts/ci/docker_sign_verify.sh b/scripts/ci/docker_sign_verify.sh
new file mode 100755
index 000000000000..5c43e6d8c560
--- /dev/null
+++ b/scripts/ci/docker_sign_verify.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+#
+# Sign and verify the signature of the releasing docker images using Cosign
+#
+# Reads the following environment variables:
+# - 'GCP_SIGNER_SERVICE_ACCOUNT': signer service account key file encoded
+# in base64, set by GitLab CI
+# - 'GCP_SIGN_KEY': key used for signing, format:
+# `gcpkms://projects//locations//keyRings//cryptoKeys//versions/`,
+# set by GitLab CI
+
+set -eu
+
+current_dir=$(cd "$(dirname "${0}")" && pwd)
+
+# shellcheck source=./scripts/ci/docker.sh
+. "${current_dir}/docker.sh"
+
+# Auth signer service account
+echo "${GCP_SIGNER_SERVICE_ACCOUNT}" | base64 -d > signer_sa.json
+gcloud auth activate-service-account --key-file=signer_sa.json
+gcloud auth configure-docker us-central1-docker.pkg.dev
+gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://us-central1-docker.pkg.dev
+export GOOGLE_APPLICATION_CREDENTIALS=signer_sa.json
+
+# Install cosign
+apk add --update cosign
+cosign version
+
+# Loop over images
+for docker_image in ${docker_images}; do
+
+  # Get image digest
+  IMAGE_DIGEST="${docker_image}@$(docker buildx imagetools inspect "${docker_image}:${DOCKER_IMAGE_TAG}" --format "{{json .Manifest}}" | jq -r '.digest')"
+  echo "Image digest: ${IMAGE_DIGEST}"
+
+  # Sign image with cosign
+  cosign sign --key "${GCP_SIGN_KEY}" "${IMAGE_DIGEST}" -y
+
+  # Get the location of image signature as reference
+  IMAGE_SIGNATURE_LOCATION=$(cosign triangulate "${IMAGE_DIGEST}")
+  echo "Image signature location: ${IMAGE_SIGNATURE_LOCATION}"
+
+  # Verify the signature
+  cosign verify --key "${GCP_SIGN_KEY}" "${IMAGE_DIGEST}" | jq
+done
+
+# Remove credentials
+rm signer_sa.json
-- 
GitLab

From bffeda3f86b2a8a434832bf19c912c8f58696caa Mon Sep 17 00:00:00 2001
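Review bot: `cosign verify --key "${GCP_SIGN_KEY}" "${IMAGE_DIGEST}" | jq` cannot fail the script: under `#!/bin/sh` with `set -eu` and no pipefail the pipeline's status is jq's, and jq exits 0 on empty input as far as I know, so a rejected signature is only visible in the log. Capture the output first so the `$(...)` assignment propagates the failure under `set -e`, `verify_out=$(cosign verify --key "${GCP_SIGN_KEY}" "${IMAGE_DIGEST}")` followed by `printf '%s\n' "${verify_out}" | jq`; the same construct is carried into docker_verify_signature.sh by patch 2/5. Separately, `rm signer_sa.json` only runs on the success path, so any earlier failure leaves the decoded service-account key in the job workspace; an exit trap placed right after the file is written, `trap 'rm -f signer_sa.json' EXIT`, plus `umask 077` before the `base64 -d` redirect, would cover that. `apk add --update cosign` also installs whatever version the Alpine index currently offers; pinning it (`apk add cosign=<version>`, placeholder) keeps the signing toolchain reproducible.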
From: Charles Nguyen
Date: Wed, 31 Jul 2024 19:59:48 +0200
Subject: [PATCH 2/5] CI/Scripts: Separate sign and verify

---
 scripts/ci/docker_release.sh | 4 +--
 .../{docker_sign_verify.sh => docker_sign.sh} | 5 +--
 scripts/ci/docker_verify_signature.sh | 36 +++++++++++++++++++
 3 files changed, 39 insertions(+), 6 deletions(-)
 rename scripts/ci/{docker_sign_verify.sh => docker_sign.sh} (90%)
 create mode 100644 scripts/ci/docker_verify_signature.sh

diff --git a/scripts/ci/docker_release.sh b/scripts/ci/docker_release.sh
index 5cd213ba3b40..e33569659f9d 100755
--- a/scripts/ci/docker_release.sh
+++ b/scripts/ci/docker_release.sh
@@ -47,5 +47,5 @@ OCTEZ_EXECUTABLES="$(cat $EXECUTABLE_FILES)"
 # Push minimal, bare and debug images
 ./scripts/ci/docker_push_all.sh
 
-# Sign and verify image signatures
-./scripts/ci/docker_sign_verify.sh
+# Sign image signatures
+./scripts/ci/docker_sign.sh
diff --git a/scripts/ci/docker_sign_verify.sh b/scripts/ci/docker_sign.sh
similarity index 90%
rename from scripts/ci/docker_sign_verify.sh
rename to scripts/ci/docker_sign.sh
index 5c43e6d8c560..53121cffc983 100755
--- a/scripts/ci/docker_sign_verify.sh
+++ b/scripts/ci/docker_sign.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Sign and verify the signature of the releasing docker images using Cosign
+# Sign the releasing docker images using Cosign
 #
 # Reads the following environment variables:
 # - 'GCP_SIGNER_SERVICE_ACCOUNT': signer service account key file encoded
@@ -40,9 +40,6 @@ for docker_image in ${docker_images}; do
   # Get the location of image signature as reference
   IMAGE_SIGNATURE_LOCATION=$(cosign triangulate "${IMAGE_DIGEST}")
   echo "Image signature location: ${IMAGE_SIGNATURE_LOCATION}"
-
-  # Verify the signature
-  cosign verify --key "${GCP_SIGN_KEY}" "${IMAGE_DIGEST}" | jq
 done
 
 # Remove credentials
diff --git a/scripts/ci/docker_verify_signature.sh b/scripts/ci/docker_verify_signature.sh
new file mode 100644
index 000000000000..d9cc206d5079
--- /dev/null
+++ b/scripts/ci/docker_verify_signature.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# Verify the signature of the releasing docker images using Cosign
+#
+# Reads the following environment variables:
+# - 'GCP_SIGN_KEY_URL': key URL used to verify released Docker image signatures, set by GitLab CI
+
+set -eu
+
+current_dir=$(cd "$(dirname "${0}")" && pwd)
+
+# shellcheck source=./scripts/ci/docker.sh
+. "${current_dir}/docker.sh"
+
+# Install cosign
+apk add --update cosign
+cosign version
+
+# Get public key
+wget -O publickey.pem "${GCP_SIGN_KEY_URL}"
+cat publickey.pem
+
+# Loop over images
+for docker_image in ${docker_images}; do
+
+  # Get image digest
+  IMAGE_DIGEST="${docker_image}@$(docker buildx imagetools inspect "${docker_image}:${DOCKER_IMAGE_TAG}" --format "{{json .Manifest}}" | jq -r '.digest')"
+  echo "Image digest: ${IMAGE_DIGEST}"
+
+  # Get the location of image signature as reference
+  IMAGE_SIGNATURE_LOCATION=$(cosign triangulate "${IMAGE_DIGEST}")
+  echo "Image signature location: ${IMAGE_SIGNATURE_LOCATION}"
+
+  # Verify the signature
+  cosign verify --key publickey.pem "${IMAGE_DIGEST}" | jq
+done
-- 
GitLab

From 2165b0825a63eda89691b6650dfebd7f8c03132e Mon Sep 17 00:00:00 2001
From: Pietro Abate
Date: Thu, 1 Aug 2024 12:31:28 +0200
Subject: [PATCH 3/5] CIAO: add docker_sign_verify.sh as separate job

---
 .gitlab/ci/pipelines/before_merging.yml | 18 ++++++++++++++++++
 .gitlab/ci/pipelines/merge_train.yml | 18 ++++++++++++++++++
 ci/bin/code_verification.ml | 11 +++++++++++
 scripts/ci/docker_verify_signature.sh | 4 ++++
 4 files changed, 51 insertions(+)
 mode change 100644 => 100755 scripts/ci/docker_verify_signature.sh

diff --git a/.gitlab/ci/pipelines/before_merging.yml b/.gitlab/ci/pipelines/before_merging.yml
index 020492c98c33..23725ed75883 100644
--- a/.gitlab/ci/pipelines/before_merging.yml
+++ b/.gitlab/ci/pipelines/before_merging.yml
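Review bot: `wget -O publickey.pem "${GCP_SIGN_KEY_URL}"` makes the whole check only as trustworthy as whatever that URL serves at run time: anyone who can change the variable or the document behind it can substitute a key, and every subsequent `cosign verify` still passes. Pin the expected key instead, either by committing the PEM to the repository and passing that path to `cosign verify --key`, or by checking the download against a known digest before use, e.g. `echo "<expected-sha256>  publickey.pem" | sha256sum -c -` (placeholder value), so that a key swap turns into a job failure rather than a silent pass. The header comment lists only `GCP_SIGN_KEY_URL`, yet the loop also reads `${docker_images}` and `${DOCKER_IMAGE_TAG}`, which this script never sets itself (presumably they come from the sourced docker.sh); naming them in the "Reads the following environment variables" list would spare the next reader the hunt.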
@@ -3991,3 +3991,21 @@ trigger:debian_repository_partial:
   needs: []
   trigger:
     include: .gitlab/ci/pipelines/debian_repository_partial.yml
+
+oc.script.docker_verify_image:
+  image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0
+  stage: test
+  tags:
+  - gcp
+  rules: []
+  needs:
+  - oc.docker:amd64
+  dependencies: []
+  before_script:
+  - ./scripts/ci/docker_initialize.sh
+  script:
+  - ./scripts/ci/docker_verify_signature.sh
+  services:
+  - docker:${DOCKER_VERSION}-dind
+  variables:
+    DOCKER_VERSION: 24.0.7
diff --git a/.gitlab/ci/pipelines/merge_train.yml b/.gitlab/ci/pipelines/merge_train.yml
index 020492c98c33..23725ed75883 100644
--- a/.gitlab/ci/pipelines/merge_train.yml
+++ b/.gitlab/ci/pipelines/merge_train.yml
@@ -3991,3 +3991,21 @@ trigger:debian_repository_partial:
   needs: []
   trigger:
     include: .gitlab/ci/pipelines/debian_repository_partial.yml
+
+oc.script.docker_verify_image:
+  image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0
+  stage: test
+  tags:
+  - gcp
+  rules: []
+  needs:
+  - oc.docker:amd64
+  dependencies: []
+  before_script:
+  - ./scripts/ci/docker_initialize.sh
+  script:
+  - ./scripts/ci/docker_verify_signature.sh
+  services:
+  - docker:${DOCKER_VERSION}-dind
+  variables:
+    DOCKER_VERSION: 24.0.7
diff --git a/ci/bin/code_verification.ml b/ci/bin/code_verification.ml
index 291a4242ec86..b88fb4595774 100644
--- a/ci/bin/code_verification.ml
+++ b/ci/bin/code_verification.ml
@@ -1694,6 +1694,16 @@ let jobs pipeline_type =
         ~stage:Stages.manual
         ()
     in
+    let job_docker_verify_test : tezos_job =
+      job_docker_authenticated
+        ~__POS__
+        ~name:"oc.script.docker_verify_image"
+        ~stage:Stages.test
+        ~dependencies:(Dependent [Job job_docker_amd64_test_manual])
+        ~rules:(make_rules ())
+        ["./scripts/ci/docker_verify_signature.sh"]
+    in
+
     [
       job_docker_amd64_test_manual;
       job_docker_arm64_test_manual;
@@ -1701,6 +1711,7 @@ let jobs pipeline_type =
       job_build_homebrew_manual;
       job_debian_repository_trigger;
     ]
+    @ [job_docker_verify_test]
     (* No manual jobs on the scheduled pipeline *)
     | Schedule_extended_test -> [job_debian_repository_trigger]
   in
diff --git a/scripts/ci/docker_verify_signature.sh b/scripts/ci/docker_verify_signature.sh
old mode 100644
new mode 100755
index d9cc206d5079..801ffec2f237
--- a/scripts/ci/docker_verify_signature.sh
+++ b/scripts/ci/docker_verify_signature.sh
@@ -7,6 +7,10 @@
 
 set -eu
 
+# Read environment variables written by 'docker_registry_auth.sh' in
+# 'before_script'.
+. scripts/ci/docker.env
+
 current_dir=$(cd "$(dirname "${0}")" && pwd)
 
 # shellcheck source=./scripts/ci/docker.sh
-- 
GitLab

From b8de84f4374ea8d47a2eed2f84315542db7bb3f7 Mon Sep 17 00:00:00 2001
From: Charles Nguyen
Date: Thu, 1 Aug 2024 14:04:45 +0200
Subject: [PATCH 4/5] CI/Scripts: change image digest getting method

---
 scripts/ci/docker_verify_signature.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/scripts/ci/docker_verify_signature.sh b/scripts/ci/docker_verify_signature.sh
index 801ffec2f237..d36b3be54a57 100755
--- a/scripts/ci/docker_verify_signature.sh
+++ b/scripts/ci/docker_verify_signature.sh
@@ -27,8 +27,11 @@ cat publickey.pem
 # Loop over images
 for docker_image in ${docker_images}; do
 
+  # Pull images
+  docker pull "${docker_image}:${DOCKER_IMAGE_TAG}"
+
   # Get image digest
-  IMAGE_DIGEST="${docker_image}@$(docker buildx imagetools inspect "${docker_image}:${DOCKER_IMAGE_TAG}" --format "{{json .Manifest}}" | jq -r '.digest')"
+  IMAGE_DIGEST="$(docker image inspect "${docker_image}:${DOCKER_IMAGE_TAG}" --format="{{index .RepoDigests 0}}")"
   echo "Image digest: ${IMAGE_DIGEST}"
 
   # Get the location of image signature as reference
-- 
GitLab

From ffa6da2e94ce3430f7065a51f7ba5e0c74289179 Mon Sep 17 00:00:00 2001
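Review bot: `. scripts/ci/docker.env` is resolved against the caller's working directory, whereas the sibling `. "${current_dir}/docker.sh"` a few lines down is anchored to the script's own location; invoked from anywhere but the repository root, the new line fails under `set -eu` even though the rest of the script would have worked. Move the added block below the `current_dir=` assignment and source it as `. "${current_dir}/docker.env"`, with a matching hint `# shellcheck source=./scripts/ci/docker.env`, so both inputs are located the same way. The remainder of docker_verify_signature.sh lies outside this hunk.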
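Review bot: `{{index .RepoDigests 0}}` takes whichever repo digest the daemon lists first, which is not tied to the `${docker_image}` reference the loop is iterating over; if the same content has been pulled under another repository name on that daemon, RepoDigests has several entries and the verification would run against a different reference (with the fresh `docker:dind` service this is unlikely, but nothing enforces it). Selecting the entry for the expected repository makes the intent explicit and lets `set -e` fail the job when there is no match: `IMAGE_DIGEST="$(docker image inspect "${docker_image}:${DOCKER_IMAGE_TAG}" --format '{{range .RepoDigests}}{{println .}}{{end}}' | grep "^${docker_image}@")"`. A comment explaining why the pull-based lookup replaced `buildx imagetools inspect` would also help, since docker_sign.sh still signs the digest that `imagetools` reports and I cannot confirm from the hunk that `docker pull` records the same digest for a multi-platform tag.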
From: Pietro Abate
Date: Thu, 1 Aug 2024 14:16:27 +0200
Subject: [PATCH 5/5] CI: add co-sign verification job

---
 .gitlab/ci/pipelines/before_merging.yml | 32 ++++++++++++++++++++++---
 .gitlab/ci/pipelines/merge_train.yml | 32 ++++++++++++++++++++++---
 ci/bin/code_verification.ml | 21 ++++++++++++----
 3 files changed, 74 insertions(+), 11 deletions(-)

diff --git a/.gitlab/ci/pipelines/before_merging.yml b/.gitlab/ci/pipelines/before_merging.yml
index 23725ed75883..5c6b02741e78 100644
--- a/.gitlab/ci/pipelines/before_merging.yml
+++ b/.gitlab/ci/pipelines/before_merging.yml
@@ -3992,15 +3992,40 @@ trigger:debian_repository_partial:
   trigger:
     include: .gitlab/ci/pipelines/debian_repository_partial.yml
 
-oc.script.docker_verify_image:
+oc.script.docker_verify_image_arm64:
   image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0
-  stage: test
+  stage: manual
   tags:
   - gcp
-  rules: []
+  rules:
+  - when: manual
+    allow_failure: true
+  needs:
+  - oc.docker:arm64
+  dependencies: []
+  timeout: 60 minutes
+  before_script:
+  - ./scripts/ci/docker_initialize.sh
+  script:
+  - ./scripts/ci/docker_verify_signature.sh
+  services:
+  - docker:${DOCKER_VERSION}-dind
+  variables:
+    DOCKER_VERSION: 24.0.7
+    IMAGE_ARCH_PREFIX: arm64_
+
+oc.script.docker_verify_image_amd64:
+  image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0
+  stage: manual
+  tags:
+  - gcp
+  rules:
+  - when: manual
+    allow_failure: true
   needs:
   - oc.docker:amd64
   dependencies: []
+  timeout: 60 minutes
   before_script:
   - ./scripts/ci/docker_initialize.sh
   script:
@@ -4009,3 +4034,4 @@ oc.script.docker_verify_image:
   - docker:${DOCKER_VERSION}-dind
   variables:
     DOCKER_VERSION: 24.0.7
+    IMAGE_ARCH_PREFIX: amd64_
diff --git a/.gitlab/ci/pipelines/merge_train.yml b/.gitlab/ci/pipelines/merge_train.yml
index 23725ed75883..5c6b02741e78 100644
--- a/.gitlab/ci/pipelines/merge_train.yml
+++ b/.gitlab/ci/pipelines/merge_train.yml
@@ -3992,15 +3992,40 @@ trigger:debian_repository_partial:
   trigger:
     include: .gitlab/ci/pipelines/debian_repository_partial.yml
 
-oc.script.docker_verify_image:
+oc.script.docker_verify_image_arm64:
   image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0
-  stage: test
+  stage: manual
   tags:
   - gcp
-  rules: []
+  rules:
+  - when: manual
+    allow_failure: true
+  needs:
+  - oc.docker:arm64
+  dependencies: []
+  timeout: 60 minutes
+  before_script:
+  - ./scripts/ci/docker_initialize.sh
+  script:
+  - ./scripts/ci/docker_verify_signature.sh
+  services:
+  - docker:${DOCKER_VERSION}-dind
+  variables:
+    DOCKER_VERSION: 24.0.7
+    IMAGE_ARCH_PREFIX: arm64_
+
+oc.script.docker_verify_image_amd64:
+  image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0
+  stage: manual
+  tags:
+  - gcp
+  rules:
+  - when: manual
+    allow_failure: true
   needs:
   - oc.docker:amd64
   dependencies: []
+  timeout: 60 minutes
   before_script:
   - ./scripts/ci/docker_initialize.sh
   script:
@@ -4009,3 +4034,4 @@ oc.script.docker_verify_image:
   - docker:${DOCKER_VERSION}-dind
   variables:
     DOCKER_VERSION: 24.0.7
+    IMAGE_ARCH_PREFIX: amd64_
diff --git a/ci/bin/code_verification.ml b/ci/bin/code_verification.ml
index b88fb4595774..7928ca49e246 100644
--- a/ci/bin/code_verification.ml
+++ b/ci/bin/code_verification.ml
@@ -1694,13 +1694,24 @@ let jobs pipeline_type =
         ~stage:Stages.manual
         ()
     in
-    let job_docker_verify_test : tezos_job =
+    let job_docker_verify_test_amd64 : tezos_job =
       job_docker_authenticated
         ~__POS__
-        ~name:"oc.script.docker_verify_image"
-        ~stage:Stages.test
+        ~name:"oc.script.docker_verify_image_amd64"
+        ~stage:Stages.manual
+        ~variables:[("IMAGE_ARCH_PREFIX", "amd64_")]
+        ~rules:(make_rules ~manual:Yes ())
         ~dependencies:(Dependent [Job job_docker_amd64_test_manual])
-        ~rules:(make_rules ())
+        ["./scripts/ci/docker_verify_signature.sh"]
+    in
+    let job_docker_verify_test_arm64 : tezos_job =
+      job_docker_authenticated
+        ~__POS__
+        ~name:"oc.script.docker_verify_image_arm64"
+        ~stage:Stages.manual
+        ~variables:[("IMAGE_ARCH_PREFIX", "arm64_")]
+        ~rules:(make_rules ~manual:Yes ())
+        ~dependencies:(Dependent [Job job_docker_arm64_test_manual])
         ["./scripts/ci/docker_verify_signature.sh"]
     in
 
@@ -1711,7 +1722,7 @@ let jobs pipeline_type =
       job_build_homebrew_manual;
       job_debian_repository_trigger;
     ]
-    @ [job_docker_verify_test]
+    @ [job_docker_verify_test_arm64; job_docker_verify_test_amd64]
     (* No manual jobs on the scheduled pipeline *)
     | Schedule_extended_test -> [job_debian_repository_trigger]
   in
-- 
GitLab
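Review bot: Both jobs now use `Stages.manual` with `make_rules ~manual:Yes ()`, which the generated YAML in this same patch renders as `when: manual` plus `allow_failure: true`, so a failed signature verification can never block a pipeline; nothing in the code says whether that is the intent. If it is (the series only shows signing happening in docker_release.sh, so images built by the `oc.docker:*` jobs in a merge-request pipeline may carry no signature at all), a comment above the two definitions such as `(* Manual + allow_failure: the check is informational and cannot block the pipeline. *)` would stop the next reader from "fixing" it. The two definitions also differ only in the architecture string and the builder job, so a small helper removes the duplication, at the cost of `~__POS__` pointing at the helper for both jobs.
```ocaml
    let job_docker_verify_test ~arch ~(builder : tezos_job) : tezos_job =
      job_docker_authenticated
        ~__POS__
        ~name:("oc.script.docker_verify_image_" ^ arch)
        ~stage:Stages.manual
        ~variables:[("IMAGE_ARCH_PREFIX", arch ^ "_")]
        ~rules:(make_rules ~manual:Yes ())
        ~dependencies:(Dependent [Job builder])
        ["./scripts/ci/docker_verify_signature.sh"]
    in
    let job_docker_verify_test_amd64 =
      job_docker_verify_test ~arch:"amd64" ~builder:job_docker_amd64_test_manual
    in
    let job_docker_verify_test_arm64 =
      job_docker_verify_test ~arch:"arm64" ~builder:job_docker_arm64_test_manual
    in
    (* … unchanged: job list and the @ [job_docker_verify_test_arm64; job_docker_verify_test_amd64] append … *)
```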