build: add release image signing

akashsinghal · akashsinghal · commit 6f23195ade0b · 2024-12-06T00:27:02.000Z
Signed-off-by: Akash Singhal &lt;akashsinghal@microsoft.com&gt;
diff --git a/.github/workflows/publish-dev-assets.yml b/.github/workflows/publish-dev-assets.yml
@@ -37,6 +37,10 @@ jobs:
           az version
           # Key Vault: 
           az account get-access-token --scope https://vault.azure.net/.default --output none
+      - name: Prepare notation certificate
+        run: |
+          mkdir -p truststore/x509/ca/ratify-verify
+          cp ./.well-known/pki-validation/ratify-verification.crt truststore/x509/ca/ratify-verify
       - name: prepare
         id: prepare
         run: |
@@ -138,6 +142,44 @@ jobs:
           cosign sign --yes ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
           cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
           cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
+      - name: Verify with Notation
+        uses: notaryproject/notation-action/verify@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0
+        with:
+          target_artifact_reference: |-
+            ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}
+            ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}
+            ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
+            ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
+            ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
+          trust_policy: ./.well-known/pki-validation/trustpolicy.json
+          trust_store: truststore
+      - name: Verify with Cosign
+        run: |
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-github-workflow-repository ratify-project/ratify \
+            ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-github-workflow-repository ratify-project/ratify \
+            ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-github-workflow-repository ratify-project/ratify \
+            ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-github-workflow-repository ratify-project/ratify \
+            ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-github-workflow-repository ratify-project/ratify \
+            ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
       - name: clear
         if: always()
         run: |
diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
@@ -14,13 +14,34 @@ jobs:
     permissions:
       packages: write
       contents: read
+      id-token: write
+    environment: azure-publish
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - name: Install Notation
+        uses: notaryproject/notation-action/setup@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0
+      - name: Install cosign
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+      - name: Az CLI login
+        uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      - name: Cache AAD tokens
+        run: |
+          az version
+          # Key Vault: 
+          az account get-access-token --scope https://vault.azure.net/.default --output none
+      - name: Prepare notation certificate
+        run: |
+          mkdir -p truststore/x509/ca/ratify-verify
+          cp ./.well-known/pki-validation/ratify-verification.crt truststore/x509/ca/ratify-verify
       - name: prepare
         id: prepare
         run: |
@@ -83,6 +104,49 @@ jobs:
             --label org.opencontainers.image.revision=${{ github.sha }} \
             -t ${{ steps.prepare.outputs.ref }} \
             --push .
+      - name: Sign with Notation
+        uses: notaryproject/notation-action/sign@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0
+        with:
+          plugin_name: azure-kv
+          plugin_url: ${{ vars.AZURE_KV_PLUGIN_URL }}
+          plugin_checksum: ${{ vars.AZURE_KV_CHECKSUM }}
+          key_id: ${{ secrets.AZURE_KV_KEY_ID }}
+          target_artifact_reference: |-
+            ${{ steps.prepare.outputs.crdref }}
+            ${{ steps.prepare.outputs.baseref }}
+            ${{ steps.prepare.outputs.ref }}
+          signature_format: cose
+      - name: Sign with Cosign
+        run: |
+          cosign sign --yes ${{ steps.prepare.outputs.crdref }}
+          cosign sign --yes ${{ steps.prepare.outputs.baseref }}
+          cosign sign --yes ${{ steps.prepare.outputs.ref }}
+      - name: Verify with Notation
+        uses: notaryproject/notation-action/verify@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0
+        with:
+          target_artifact_reference: |-
+            ${{ steps.prepare.outputs.crdref }}
+            ${{ steps.prepare.outputs.baseref }}
+            ${{ steps.prepare.outputs.ref }}
+          trust_policy: ./.well-known/pki-validation/trustpolicy.json
+          trust_store: truststore
+      - name: Verify with Cosign
+        run: |
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-package.yml@*" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-github-workflow-repository ratify-project/ratify \
+            ${{ steps.prepare.outputs.crdref }}
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-package.yml@*" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-github-workflow-repository ratify-project/ratify \
+            ${{ steps.prepare.outputs.baseref }}
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-package.yml@*" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-github-workflow-repository ratify-project/ratify \
+            ${{ steps.prepare.outputs.ref }}
       - name: clear
         if: always()
         run: |
diff --git a/.well-known/pki-validation/trustpolicy.json b/.well-known/pki-validation/trustpolicy.json
@@ -0,0 +1,24 @@
+{
+    "version": "1.0",
+    "trustPolicies": [
+        {
+            "name": "ratify-images",
+            "registryScopes": [
+                "ghcr.io/ratify-project/ratify",
+                "ghcr.io/ratify-project/ratify-base",
+                "ghcr.io/ratify-project/ratify-crds",
+                "ghcr.io/ratify-project/ratify-dev",
+                "ghcr.io/ratify-project/ratify-base-dev",
+                "ghcr.io/ratify-project/ratify-crds-dev",
+                "ghcr.io/ratify-project/ratify-chart-dev/ratify"
+            ],
+            "signatureVerification": {
+                "level" : "strict" 
+            },
+            "trustStores": [ "ca:ratify-verify" ],
+            "trustedIdentities": [
+                "x509.subject: CN=ratify.dev,O=ratify-project,L=Seattle,ST=WA,C=US"
+            ]
+        }
+    ]
+}
