Add sigstore

leplusorg · Feb 27, 2025 · 703e532 · 703e532
1 parent 0ffa21a
commit 703e532
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 0 deletions.
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
@@ -37,6 +37,7 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - uses: docker/build-push-action@0adf9959216b96bec444f325f1e493d4aa344497 # v6.14.0
+        id: build
         with:
           context: ${{ env.IMAGE }}
           platforms: linux/amd64,linux/arm64

diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml
@@ -24,3 +24,12 @@ jobs:
       - name: Pull the latest ${{ matrix.platform }} image
         shell: bash
         run: docker pull --platform "${{ matrix.platform }}" "${GITHUB_REPOSITORY_OWNER}/${IMAGE}"
+      - name: Pull the latest ${{ matrix.platform }} image SBOM
+        shell: bash
+        run: docker buildx imagetools inspect "${GITHUB_REPOSITORY_OWNER}/${IMAGE}" --format "{{ json (index .SBOM \"${{ matrix.platform }}\").SPDX }}"
+      - name: Install cosign
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+      - name: Verify the Docker image signature
+        shell: bash
+        run: |
+          cosign verify "${GITHUB_REPOSITORY_OWNER}/${IMAGE}" --certificate-identity-regexp "https://github\.com/${GITHUB_REPOSITORY}/\.github/workflows/.+" --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'
diff --git a/README.md b/README.md
@@ -59,6 +59,37 @@ docker buildx imagetools inspect leplusorg/av --format '{{ json (index .SBOM "li
 
 Replace `linux/amd64` by the desired platform (`linux/amd64`, `linux/arm64` etc.).
 
+### Sigstore
+
+[Sigstore](https://docs.sigstore.dev) is trying to improve supply
+chain security by allowing you to verify the origin of an
+artifcat. You can verify that the jar that you use was actually
+produced by this repository. This means that if you verify the
+signature of the ristretto jar, you can trust the integrity of the
+whole supply chain from code source, to CI/CD build, to distribution
+on Maven Central or whever you got the jar from.
+
+You can use the following command to verify the latest image using its
+sigstore signature attestation:
+
+```bash
+cosign verify leplusorg/av --certificate-identity-regexp 'https://github\.com/leplusorg/docker-av/\.github/workflows/.+' --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'
+```
+
+The output should look something like this:
+
+```text
+Verification for index.docker.io/leplusorg/xml:main --
+The following checks were performed on each of these signatures:
+  - The cosign claims were validated
+  - Existence of the claims in the transparency log was verified offline
+  - The code-signing certificate was verified using trusted certificate authority certificates
+
+[{"critical":...
+```
+
+For instructions on how to install `cosign`, please read this [documentation](https://docs.sigstore.dev/cosign/system_config/installation/).
+
 ## Request new tool
 
 Please use [this link](https://github.com/leplusorg/docker-av/issues/new?assignees=thomasleplus&labels=enhancement&template=feature_request.md&title=%5BFEAT%5D) (GitHub account required) to request that a new tool be added to the image. I am always interested in adding new capabilities to these images.