

fix(CLOUDDST-25034): run rh-sign-image-cosign signing in parallel
- export SIGSTORE_REKOR_PUBLIC_KEY for verification
- fixed bash array argument

Signed-off-by: Jindrich Luza <jluza@redhat.com>
midnightercz committed Jan 30, 2025
1 parent d6959cf commit 028af7e
Showing 2 changed files with 16 additions and 4 deletions.
18 changes: 14 additions & 4 deletions tasks/managed/rh-sign-image-cosign/rh-sign-image-cosign.yaml
Expand Up @@ -70,6 +70,11 @@ spec:
secretKeyRef:
name: $(params.secretName)
key: PUBLIC_KEY
- name: REKOR_PUBLIC_KEY
valueFrom:
secretKeyRef:
name: $(params.secretName)
key: REKOR_PUBLIC_KEY
script: |
#!/usr/bin/env bash
set -eux
Expand All @@ -84,6 +89,7 @@ spec:
fi
PUBLIC_KEY_FILE=$(mktemp)
echo -n "$PUBLIC_KEY" > "$PUBLIC_KEY_FILE"
RUNNING_JOBS="\j" # Bash parameter for number of jobs currently running
jobpid(){
Expand Down Expand Up @@ -119,11 +125,13 @@ spec:
local digest=$3
if [ -v REKOR_URL ]; then
COSIGN_REKOR_ARGS="--rekor-url=$REKOR_URL"
REKOR_PUBLIC_KEY_FILE=$(mktemp)
echo -n "$REKOR_PUBLIC_KEY" > "$REKOR_PUBLIC_KEY_FILE"
export SIGSTORE_REKOR_PUBLIC_KEY="$REKOR_PUBLIC_KEY_FILE"
else
COSIGN_REKOR_ARGS="--insecure-ignore-tlog=true"
fi
# shellcheck disable=SC2086
verify_output=$(run_cosign verify $COSIGN_REKOR_ARGS --key "$PUBLIC_KEY_FILE" "$reference")
verify_output=$(run_cosign verify "${COSIGN_REKOR_ARGS[@]}" --key "$PUBLIC_KEY_FILE" "$reference")
found_signatures=$(echo "$verify_output" | jq -j '['\
'.[]|select(.critical.image."docker-manifest-digest"| contains("'"$digest"'"))'\
'|select(.critical.identity."docker-reference"| contains("'"$identity"'"))'\
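Review bot: `COSIGN_REKOR_ARGS` is still assigned as a plain string in this hunk (`COSIGN_REKOR_ARGS="--rekor-url=$REKOR_URL"` and `COSIGN_REKOR_ARGS="--insecure-ignore-tlog=true"`), so the new `"${COSIGN_REKOR_ARGS[@]}"` on the verify line expands the scalar as exactly one word; that happens to work here, but in the sign hunk below the same pattern hands `"-y --rekor-url=$REKOR_URL"` to `cosign sign` as a single argument, so `-y` and the rekor URL are not seen as two separate flags. Make the assignments real arrays, `COSIGN_REKOR_ARGS=("--rekor-url=$REKOR_URL")` / `COSIGN_REKOR_ARGS=(--insecure-ignore-tlog=true)` here and `COSIGN_REKOR_ARGS=(-y "--rekor-url=$REKOR_URL")` / `COSIGN_REKOR_ARGS=(--tlog-upload=false)` in the sign hunk, so each flag is its own word and the SC2086 suppression is no longer needed. Separately, the new `REKOR_PUBLIC_KEY_FILE=$(mktemp)` runs inside the per-image function (and again in the sign hunk), creating a fresh temp file on every parallel invocation that is never removed; writing it once next to `PUBLIC_KEY_FILE` at the top of the script and exporting `SIGSTORE_REKOR_PUBLIC_KEY` there avoids the leak and the duplicated block. The enclosing function starts before this hunk.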
Expand All @@ -143,13 +151,15 @@ spec:
if [ -v REKOR_URL ]; then
COSIGN_REKOR_ARGS="-y --rekor-url=$REKOR_URL"
REKOR_PUBLIC_KEY_FILE=$(mktemp)
echo -n "$REKOR_PUBLIC_KEY" > "$REKOR_PUBLIC_KEY_FILE"
export SIGSTORE_REKOR_PUBLIC_KEY="$REKOR_PUBLIC_KEY_FILE"
else
COSIGN_REKOR_ARGS="--tlog-upload=false"
fi
if [ "$found_signatures" -eq 0 ]; then
# shellcheck disable=SC2086
run_cosign -t 3m0s sign $COSIGN_REKOR_ARGS \
run_cosign -t 3m0s sign "${COSIGN_REKOR_ARGS[@]}" \
--key "$SIGN_KEY" \
--sign-container-identity "$identity" "$reference@$digest"
else
Expand Up @@ -8,6 +8,7 @@ kubectl create secret generic test-cosign-secret\
--from-literal=AWS_ACCESS_KEY_ID=test-access-key\
--from-literal=AWS_SECRET_ACCESS_KEY=test-secret-access-key\
--from-literal=SIGN_KEY=aws://arn:mykey\
--from-literal=REKOR_PUBLIC_KEY=rekor_public_key\
--from-literal=PUBLIC_KEY=public_key

kubectl create secret generic test-cosign-secret-rekor\
Expand All @@ -16,6 +17,7 @@ kubectl create secret generic test-cosign-secret-rekor\
--from-literal=AWS_SECRET_ACCESS_KEY=test-secret-access-key\
--from-literal=SIGN_KEY=aws://arn:mykey\
--from-literal=REKOR_URL=https://fake-rekor-server\
--from-literal=REKOR_PUBLIC_KEY=rekor_public_key\
--from-literal=PUBLIC_KEY=public_key

# Add mocks to the beginning of task step script

