
Commit 5b9ae00

committed
add cosign
1 parent 0364bf8 commit 5b9ae00

3 files changed

Lines changed: 39 additions & 9 deletions

File tree

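--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -66,9 +66,9 @@ RUN git clone https://github.com/awslabs/git-secrets.git /tmp/git-secrets && \
 
 USER vscode
 
-ENV PATH="/home/vscode/.asdf/shims/:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"
+ENV PATH="/home/vscode/.asdf/shims:/home/vscode/.local/bin:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"
 RUN \
-echo 'PATH="/home/vscode/.asdf/shims/:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"' >> ~/.bashrc; \
+echo 'PATH="/home/vscode/.asdf/shims:/home/vscode/.local/bin:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"' >> ~/.bashrc; \
 echo '. <(asdf completion bash)' >> ~/.bashrc; \
 echo '# Install Ruby Gems to ~/gems' >> ~/.bashrc; \
 echo 'export GEM_HOME="$HOME/gems"' >> ~/.bashrc; \
@@ -83,7 +83,8 @@ RUN asdf plugin add python; \
 asdf plugin add actionlint; \
 asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git; \
 asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git; \
-asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git
+asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git; \
+asdf plugin add golang
 
 
 WORKDIR /workspaces/eps-devcontainers
@@ -94,5 +95,8 @@ COPY .tool-versions /home/vscode/.tool-versions
 RUN asdf install python; \
 asdf install
 
+COPY scripts/install_cosign.sh /tmp/install_cosign.sh
+RUN INSTALL_DIR=/home/vscode/.local/bin /tmp/install_cosign.sh
+
 RUN git-secrets --register-aws --global && \
 git-secrets --add-provider --global -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt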
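Review bot: `RUN INSTALL_DIR=/home/vscode/.local/bin /tmp/install_cosign.sh` on new line 99 executes the copied script directly, so the build depends on the executable bit surviving both in git and through COPY; `RUN INSTALL_DIR=/home/vscode/.local/bin bash /tmp/install_cosign.sh` removes that dependency. The script is also left behind at `/tmp/install_cosign.sh` in the final image, so appending `&& rm -f /tmp/install_cosign.sh` to that RUN (or using a bind mount) keeps the layer clean. Because this RUN executes as `USER vscode` (context at line 67) and the script performs network fetches and a `go install` at build time, the layer's content varies between builds unless those fetches are pinned inside the script.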

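--- a/.tool-versions
+++ b/.tool-versions
@@ -7,3 +7,4 @@ actionlint 1.7.10
 ruby 3.3.0
 trivy 0.69.3
 yq 4.52.2
+golang 1.24.13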

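--- a/scripts/install_cosign.sh
+++ b/scripts/install_cosign.sh
@@ -3,6 +3,7 @@ set -euo pipefail
 
 DEFAULT_INSTALL_DIR="/usr/local/bin"
 INSTALL_DIR="${INSTALL_DIR:-$DEFAULT_INSTALL_DIR}"
+mkdir -p "$INSTALL_DIR"
 REQUESTED_VERSION="${1:-latest}"
 OS="$(uname -s)"
 ARCH="$(uname -m)"
@@ -13,7 +14,7 @@ usage() {
 Usage: install_cosign.sh [version]
 
 Downloads the requested cosign release (default: latest) for Linux amd64, verifies
-its SHA256 checksum, and installs it into $INSTALL_DIR (override via INSTALL_DIR env var).
+its signature, and installs it into $INSTALL_DIR (override via INSTALL_DIR env var).
 EOF
 }
 
@@ -37,15 +38,17 @@ case "$ARCH" in
 ;;
 esac
 
-for cmd in curl sha256sum install; do
+for cmd in curl openssl install go asdf; do
 if ! command -v "$cmd" >/dev/null 2>&1; then
 echo "Error: $cmd is required but not found in PATH" >&2
 exit 1
 fi
 done
 
 get_latest_tag() {
-curl -fsSL "$API_URL/latest" | awk -F'"' '/tag_name/ {print $4; exit}'
+local response
+response="$(curl -fsSL "$API_URL/latest")"
+awk -F'"' '/tag_name/ {print $4; exit}' <<<"$response"
 }
 
 VERSION="$REQUESTED_VERSION"
@@ -63,15 +66,37 @@ TMP_DIR="$(mktemp -d)"
 trap 'rm -rf "$TMP_DIR"' EXIT
 
 BIN_PATH="$TMP_DIR/${BINARY_NAME}"
-SHA_PATH="$TMP_DIR/${BINARY_NAME}.sha256"
+SIGSTORE_PATH="$TMP_DIR/${BINARY_NAME}-kms.sigstore.json"
+ARTIFACT_PATH="$TMP_DIR/artifact.pub"
+DECODED_SIGSTORE_PATH="$TMP_DIR/cosign-kms.sig.decoded"
 
+echo "downloading ${BINARY_NAME} version ${VERSION} from ${BASE_URL}"
 curl -fsSL "${BASE_URL}/${BINARY_NAME}" -o "$BIN_PATH"
-curl -fsSL "${BASE_URL}/${BINARY_NAME}.sha256" -o "$SHA_PATH"
+echo "downloading sigstore signature"
+curl -fsSL "${BASE_URL}/${BINARY_NAME}-kms.sigstore.json" -o "$SIGSTORE_PATH"
 
+# install tuf-client
+go install github.com/theupdateframework/go-tuf/cmd/tuf-client@latest
+asdf reshim golang
+
+# setup tuf-client
+SIGSTORE_ROOT_PATH="$TMP_DIR/sigstore-root.json"
+curl -o "$SIGSTORE_ROOT_PATH" https://raw.githubusercontent.com/sigstore/root-signing/refs/heads/main/metadata/root_history/10.root.json
+tuf-client init https://tuf-repo-cdn.sigstore.dev "$SIGSTORE_ROOT_PATH"
+
+tuf-client get https://tuf-repo-cdn.sigstore.dev artifact.pub > "$ARTIFACT_PATH"
+
+cat "$SIGSTORE_PATH" | jq -r .messageSignature.signature | base64 -d > "$DECODED_SIGSTORE_PATH"
 pushd "$TMP_DIR" >/dev/null
-sha256sum -c "${BINARY_NAME}.sha256"
+echo "verifying signature with artifact.pub"
+openssl dgst -sha256 -verify "$ARTIFACT_PATH" -signature "$DECODED_SIGSTORE_PATH" "$BIN_PATH"
 popd >/dev/null
 
+echo "verifying signature with cosign verify-blob"
+chmod +x "$BIN_PATH"
+${BIN_PATH} verify-blob --bundle "${SIGSTORE_PATH}" --key "$ARTIFACT_PATH" "$BIN_PATH"
+
+
 install -m 0755 "$BIN_PATH" "${INSTALL_DIR}/cosign"
 
 "${INSTALL_DIR}/cosign" version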
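Review bot: The TUF root of trust on new line 84 is fetched from a mutable branch (`refs/heads/main`) with a bare `curl -o` that lacks the `-fsSL` used by every other curl call in the file, so an HTTP error body would be handed to `tuf-client init` and the root that anchors the whole verification is only as trustworthy as that one download at build time; pin it by committing the root file to the repo or checking its digest against a known value before `tuf-client init`, and at minimum use `curl -fsSL -o "$SIGSTORE_ROOT_PATH" …`. The same applies to `go install github.com/theupdateframework/go-tuf/cmd/tuf-client@latest` on line 79, which pulls an unpinned version of a tool that sits on the verification path; pin it to a release tag so the build is reproducible. Line 89 depends on `jq` and `base64`, which the prerequisite loop in the earlier hunk (`for cmd in curl openssl install go asdf; do`) does not check, so a missing jq surfaces as a pipeline failure instead of the script's own error message; add both to that list. The ordering is sound in that the binary is only `chmod +x`ed and executed (lines 96–97) after the openssl verification on line 92 has passed, but the `pushd`/`popd` around that call is now redundant since every path it uses is absolute, and `${BIN_PATH}` on line 97 should be quoted like the other expansions.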
