diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
index 7c1aaf8..e94908c 100644
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -37,6 +37,7 @@ jobs:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - uses: docker/build-push-action@0adf9959216b96bec444f325f1e493d4aa344497 # v6.14.0
+ id: build
 with:
 context: ${{ env.IMAGE }}
 platforms: linux/amd64,linux/arm64
diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml
index 34fd5e7..88b123d 100644
--- a/.github/workflows/dockerhub.yml
+++ b/.github/workflows/dockerhub.yml
@@ -24,3 +24,12 @@ jobs:
 - name: Pull the latest ${{ matrix.platform }} image
 shell: bash
 run: docker pull --platform "${{ matrix.platform }}" "${GITHUB_REPOSITORY_OWNER}/${IMAGE}"
+ - name: Pull the latest ${{ matrix.platform }} image SBOM
+ shell: bash
+ run: docker buildx imagetools inspect "${GITHUB_REPOSITORY_OWNER}/${IMAGE}" --format "{{ json (index .SBOM \"${{ matrix.platform }}\").SPDX }}"
+ - name: Install cosign
+ uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+ - name: Verify the Docker image signature
+ shell: bash
+ run: |
+ cosign verify "${GITHUB_REPOSITORY_OWNER}/${IMAGE}" --certificate-identity-regexp "https://github\.com/${GITHUB_REPOSITORY}/\.github/workflows/.+" --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'
diff --git a/README.md b/README.md
index 9667661..55c1809 100644
--- a/README.md
+++ b/README.md
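Review bot: The `cosign verify` step in the dockerhub.yml hunk verifies a tag reference (`${GITHUB_REPOSITORY_OWNER}/${IMAGE}`, which resolves to `latest`) rather than the digest the preceding pull step fetched, so the tag can be re-pointed between the pull and the verification and the signature check then says nothing about the image actually on the runner. Resolve the digest first and verify that instead, e.g. `digest="$(docker buildx imagetools inspect "${GITHUB_REPOSITORY_OWNER}/${IMAGE}" --format '{{ .Manifest.Digest }}')"` followed by `cosign verify "${GITHUB_REPOSITORY_OWNER}/${IMAGE}@${digest}" …` with the same identity and issuer flags. The `--certificate-identity-regexp` ending in `/.+` also accepts a certificate issued to any workflow in the repository at any ref; unless other workflows are meant to sign, narrow it to the signing workflow that this same change touches, `docker-release\.yml`, and pin the release ref as well if images are only published from one. The job's `steps` list starts outside the hunk, so I cannot see whether a later step already consumes the verified digest.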
@@ -59,6 +59,37 @@ docker buildx imagetools inspect leplusorg/av --format '{{ json (index .SBOM "li
 
 Replace `linux/amd64` by the desired platform (`linux/amd64`, `linux/arm64` etc.).
 
+### Sigstore
+
+[Sigstore](https://docs.sigstore.dev) is trying to improve supply
+chain security by allowing you to verify the origin of an
+artifcat. You can verify that the jar that you use was actually
+produced by this repository. This means that if you verify the
+signature of the ristretto jar, you can trust the integrity of the
+whole supply chain from code source, to CI/CD build, to distribution
+on Maven Central or whever you got the jar from.
+
+You can use the following command to verify the latest image using its
+sigstore signature attestation:
+
+```bash
+cosign verify leplusorg/av --certificate-identity-regexp 'https://github\.com/leplusorg/docker-av/\.github/workflows/.+' --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'
+```
+
+The output should look something like this:
+
+```text
+Verification for index.docker.io/leplusorg/xml:main --
+The following checks were performed on each of these signatures:
+ - The cosign claims were validated
+ - Existence of the claims in the transparency log was verified offline
+ - The code-signing certificate was verified using trusted certificate authority certificates
+
+[{"critical":...
+```
+
+For instructions on how to install `cosign`, please read this [documentation](https://docs.sigstore.dev/cosign/system_config/installation/).
+
 ## Request new tool
 
 Please use [this link](https://github.com/leplusorg/docker-av/issues/new?assignees=thomasleplus&labels=enhancement&template=feature_request.md&title=%5BFEAT%5D) (GitHub account required) to request that a new tool be added to the image. I am always interested in adding new capabilities to these images.