From 58478e0e405c5a71b8fef82ab32296be9be7ed00 Mon Sep 17 00:00:00 2001 From: ianhundere <138915+ianhundere@users.noreply.github.com> Date: Tue, 5 Nov 2024 12:44:33 -0500 Subject: [PATCH] feat: adds poc sigstore-cert-maker. --- .codecov.yml | 3 - .github/labeler.yml | 25 ---- .github/workflows/build.yml | 124 ++---------------- .github/workflows/pr_conventional.yml | 17 --- .github/workflows/pr_labeler.yml | 13 -- .github/workflows/release.yml | 43 ++----- .github/workflows/scorecard.yml | 73 ----------- .golangci.yaml | 28 +--- .vscode/launch.json | 13 -- CODEOWNERS | 5 - Dockerfile | 19 ++- Makefile | 53 ++------ Makefile.Common | 69 ---------- README.md | 77 +++++++++++ catalog-info.yaml | 39 ++---- go.mod | 38 +++++- go.sum | 126 +++++++++++++++++- intermediate.pem | 11 ++ main.go | 179 ++++++++++++++++++++++---- renovate.json | 22 ++-- root.pem | 11 ++ 21 files changed, 474 insertions(+), 514 deletions(-) delete mode 100644 .codecov.yml delete mode 100644 .github/labeler.yml delete mode 100644 .github/workflows/pr_conventional.yml delete mode 100644 .github/workflows/pr_labeler.yml delete mode 100644 .github/workflows/scorecard.yml delete mode 100644 .vscode/launch.json delete mode 100644 CODEOWNERS delete mode 100644 Makefile.Common create mode 100644 intermediate.pem create mode 100644 root.pem diff --git a/.codecov.yml b/.codecov.yml deleted file mode 100644 index bd8078f..0000000 --- a/.codecov.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -ignore: - - '**/generated*.go' diff --git a/.github/labeler.yml b/.github/labeler.yml deleted file mode 100644 index 4b6e18a..0000000 --- a/.github/labeler.yml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -# Add 'documentation' label to any change to *.md files -documentation: - - changed-files: - - any-glob-to-any-file: '**/*.md' - -# Add 'docker' label to any change in docker related files -docker: - - changed-files: - - any-glob-to-any-file: ['**/Dockerfile*', '**/.dockerignore'] - -# Add 'github_actions' label to any change .github/ directory -github_actions: - - changed-files: - - any-glob-to-any-file: .github/** - -# Add 'go' label to any change *.go files -go: - - changed-files: - - any-glob-to-any-file: ['**/*.go', '**/*.mod', '**/*.sum', '**/*.tmpl'] - -# Add 'build' to any config files or makefiles -build: - - changed-files: - - any-glob-to-any-file: [config/**, '**/Makefile*'] diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cb2cf15..dd85e7d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -4,137 +4,33 @@ name: Build and Test on: pull_request: branches: [main] - paths: - - '**/Dockerfile' - - '**/.dockerignore' - - .github/** - - '**.go' - - '**.mod' - - '**.sum' - - config/** - - '**/Makefile*' - - '**/documentation.md' - - .golangci.yaml - - .goreleaser.yaml - push: branches: [main] jobs: lint: - strategy: - matrix: - go: ['1.22'] name: lint runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + - uses: actions/setup-go@v5 with: - fetch-depth: 0 - - - name: Set up Go - uses: actions/setup-go@v5 - with: - go-version: ${{ matrix.go }} - cache: false - - - name: Make install-tools - run: make install-tools - - - name: Make lint - run: make lint - - - name: Check Code Generation - run: | - make generate - git diff -s --exit-code || (echo 'Generated code is out of date. Run make generate and commit the changes' && exit 1) - - - name: Check packages are up-to-date - run: | - make tidy - git diff -s --exit-code || (echo 'Packages are out of date. Run make tidy and commit the changes' && exit 1) - - build: - name: build - strategy: - matrix: - GOOS: [darwin, linux, windows] - GOARCH: [arm64, amd64, '386'] - go: ['1.22'] - exclude: - - GOOS: darwin - GOARCH: '386' - - GOOS: darwin - GOARCH: arm - - GOOS: windows - GOARCH: arm - - GOOS: windows - GOARCH: arm64 - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Set up Go - uses: actions/setup-go@v5 - with: - go-version: ${{ matrix.go }} - cache: false - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v6 - if: steps.cache.outputs.cache-hit != 'true' + go-version: '1.22' + - name: Install golangci-lint + uses: golangci/golangci-lint-action@v4 with: - distribution: goreleaser-pro version: latest - args: release --clean --snapshot --split - env: - GGOOS: ${{ matrix.GOOS }} - GGOARCH: ${{ 
matrix.GOARCH }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} + args: --timeout=5m + - name: Run linter + run: golangci-lint run test: - strategy: - matrix: - go: ['1.22'] name: test runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + - uses: actions/setup-go@v5 with: - fetch-depth: 0 - - - name: Set up Go - uses: actions/setup-go@v5 - with: - go-version: ${{ matrix.go }} - cache: false - - - name: Make test + go-version: '1.22' + - name: Run tests run: make test - - - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 - - go-semantic-release: - if: ${{ github.ref == 'refs/heads/main' }} - needs: [lint, build] - runs-on: ubuntu-latest - permissions: - contents: write - steps: - - name: Run go-semantic-release - uses: go-semantic-release/action@v1 - with: - github-token: ${{ secrets.SEMANTIC_RELEASE_GH_PAT }} - changelog-generator-opt: emojis=true - allow-initial-development-versions: true diff --git a/.github/workflows/pr_conventional.yml b/.github/workflows/pr_conventional.yml deleted file mode 100644 index f9f28aa..0000000 --- a/.github/workflows/pr_conventional.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -name: PR Linter - -on: - pull_request: - types: - - opened - - edited - - synchronize - -jobs: - triage: - runs-on: ubuntu-latest - steps: - - uses: amannn/action-semantic-pull-request@v5 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pr_labeler.yml b/.github/workflows/pr_labeler.yml deleted file mode 100644 index 507099d..0000000 --- a/.github/workflows/pr_labeler.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -name: Pull Request Labeler -on: - - pull_request_target - -jobs: - labeler: - permissions: - contents: read - pull-requests: write - runs-on: ubuntu-latest - steps: - - uses: actions/labeler@v5 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 33ed2d8..5021831 100644 --- a/.github/workflows/release.yml 
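Review bot: The lint job runs golangci-lint twice: `golangci/golangci-lint-action@v4` already executes the linter (with `args: --timeout=5m`), and the following `Run linter` step calls `golangci-lint run` again, this time without the timeout; drop the `- name: Run linter` / `run: golangci-lint run` step and rename the action step to `Run golangci-lint`. `version: latest` means the lint baseline changes underneath every PR without a commit, so pin a specific golangci-lint version, and note that the removed `scorecard.yml` pinned its actions to commit SHAs while the new steps use floating major tags. The old `make tidy` + `git diff -s --exit-code` check is also gone, so nothing now fails CI when go.mod/go.sum drift from the sources. The workflow's first three lines sit before the hunk.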
+++ b/.github/workflows/release.yml @@ -13,40 +13,15 @@ jobs: contents: write packages: write steps: - - name: Checkout - uses: actions/checkout@v4 + - uses: actions/checkout@v4 + - uses: actions/setup-go@v5 with: - fetch-depth: 0 - - - name: Fetch all tags - run: git fetch --force --tags - - - name: Log in to the Container registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Set up Go - uses: actions/setup-go@v5 - with: - # go version must be quoted on version 1.22+ or else setup action - # will pull down version 1.2 instead of 1.22 go-version: '1.22' - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v6 + - name: Build and release + run: | + go build -o sigstore-certificate-maker + tar czf sigstore-certificate-maker.tar.gz sigstore-certificate-maker + - name: Create Release + uses: softprops/action-gh-release@v1 with: - distribution: goreleaser-pro - version: latest - args: release --clean - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} + files: sigstore-certificate-maker.tar.gz diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml deleted file mode 100644 index c3e8640..0000000 --- a/.github/workflows/scorecard.yml +++ /dev/null 
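Review bot: `packages: write` is still granted at the top of the hunk, but the ghcr.io login and Docker build steps that needed it are removed, so the job should now request only `contents: write`. The release also drops the goreleaser pipeline for a plain `go build` + `tar` published through `softprops/action-gh-release@v1` with nothing a consumer can verify; for a tool that mints signing certificates, at least emit a checksum next to the tarball, e.g. `sha256sum sigstore-certificate-maker.tar.gz > sigstore-certificate-maker.tar.gz.sha256`, and list both under `files:`. Consider `CGO_ENABLED=0 go build -trimpath ...` so the artifact is static and reproducible, and pin the actions to commit SHAs rather than floating major tags. The `jobs:` block (trigger and `runs-on`) starts before the hunk.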
@@ -1,73 +0,0 @@ ---- -# This workflow uses actions that are not certified by GitHub. They are provided -# by a third-party and are governed by separate terms of service, privacy -# policy, and support documentation. - -name: Scorecard supply-chain security -on: - # For Branch-Protection check. Only the default branch is supported. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection - branch_protection_rule: - # To guarantee Maintained check is occasionally updated. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained - schedule: - - cron: 42 5 * * 1 - push: - branches: [main] - -# Declare default permissions as read only. -permissions: read-all - -jobs: - analysis: - name: Scorecard analysis - runs-on: ubuntu-latest - permissions: - # Needed to upload the results to code-scanning dashboard. - security-events: write - # Needed to publish results and get a badge (see publish_results below). - id-token: write - # Uncomment the permissions below if installing in a private repository. - # contents: read - # actions: read - - steps: - - name: Checkout code - uses: actions/checkout@v4 # v3.1.0 - with: - persist-credentials: false - - - name: Run analysis - uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 - with: - results_file: results.sarif - results_format: sarif - # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: - # - you want to enable the Branch-Protection check on a *public* repository, or - # - you are installing Scorecard on a *private* repository - # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. - # repo_token: ${{ secrets.SCORECARD_TOKEN }} - - # Public repositories: - # - Publish results to OpenSSF REST API for easy access by consumers - # - Allows the repository to include the Scorecard badge. - # - See https://github.com/ossf/scorecard-action#publishing-results. 
- # For private repositories: - # - `publish_results` will always be set to `false`, regardless - # of the value entered here. - publish_results: true - - # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF - # format to the repository Actions tab. - - name: Upload artifact - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 - with: - name: SARIF file - path: results.sarif - retention-days: 5 - - # Upload the results to GitHub's code scanning dashboard. - - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 - with: - sarif_file: results.sarif diff --git a/.golangci.yaml b/.golangci.yaml index 3cf501f..473c846 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -1,27 +1,15 @@ --- run: - timeout: 10m - allow-parallel-runners: true - go: '1.22' + timeout: 5m + go: "1.22" linters-settings: errcheck: - check-type-assertions: false check-blank: true - maligned: - # print struct with more effective memory layout or not, false by default - suggest-new: true - - unused: - go: '1.22' - lll: - # max line length, lines longer will be reported. Default is 120. - # '\t' is counted as 1 character by default, and can be changed with the tab-width option - line-length: 185 - # tab width in spaces. Default to 1. - tab-width: 8 + line-length: 120 + tab-width: 4 linters: disable-all: true @@ -29,19 +17,11 @@ linters: - gofmt - errcheck - goimports - - misspell - - noctx - - lll - govet - ineffassign - - typecheck - - unused - - gosimple - staticcheck - gosec issues: - # Maximum issues count per one linter. Set to 0 to disable. Default is 50. max-issues-per-linter: 0 - # Maximum count of issues with the same text. Set to 0 to disable. Default is 3. max-same-issues: 0 diff --git a/.vscode/launch.json b/.vscode/launch.json deleted file mode 100644 index 6e429c5..0000000 --- a/.vscode/launch.json +++ /dev/null 
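Review bot: `line-length: 120` and `tab-width: 4` are `lll` settings, but the `lll:` key above them is removed in this hunk and the second hunk of this file drops `- lll` from the enabled linters, so the two settings are orphaned; from the collapsed indentation they appear to now sit under `errcheck:`, where golangci-lint would reject or ignore them — verify. Either delete both lines or restore `lll:` under `linters-settings:` and `- lll` under `linters:`. Note also that `unused` and `gosimple` are removed from the enabled list; in golangci-lint they are separate linters from `staticcheck`, so dead-code and simplification checks are lost, not folded in.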
@@ -1,13 +0,0 @@
-{
- "version": "0.1.0",
- "configurations": [
- {
- "name": "Launch Go App in Debug",
- "type": "go",
- "request": "launch",
- "mode": "auto",
- "program": "${fileDirname}",
- "args": []
- }
- ]
-}
diff --git a/CODEOWNERS b/CODEOWNERS
deleted file mode 100644
index 3ecad47..0000000
--- a/CODEOWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# Learn about CODEOWNERS file format:
-# https://help.github.com/en/articles/about-code-owners
-
-# Default owners for everything in the repo
-* @liatrio/tag-o11y
diff --git a/Dockerfile b/Dockerfile
index ed22225..7ff342a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,11 +1,8 @@
-FROM scratch
-
-ARG BIN_PATH=go-template
-
-ARG UID=10001
-USER ${UID}
-
-COPY --chmod=755 ${BIN_PATH} /usr/bin/go-template
-
-
-ENTRYPOINT ["/usr/bin/go-template"]
+FROM golang:1.22-alpine AS builder
+WORKDIR /app
+COPY . .
+RUN go build -o sigstore-certificate-maker
+
+FROM alpine:latest
+COPY --from=builder /app/sigstore-certificate-maker /usr/local/bin/
+ENTRYPOINT ["/usr/local/bin/sigstore-certificate-maker"]
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 0c8fb67..f1aaab1 100644
--- a/Makefile
+++ b/Makefile
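Review bot: The final stage drops the non-root user the previous Dockerfile set (`ARG UID=10001` / `USER ${UID}`), so the certificate tool now runs as root inside the container; add `USER 10001` before the `ENTRYPOINT` line. `FROM alpine:latest` is unpinned, so every rebuild can pull different base layers — pin a tag and ideally a digest, e.g. `FROM alpine:<pinned-tag>@sha256:<digest>` (placeholders). `COPY . .` copies the whole build context into the builder stage; this commit adds `root.pem` and `intermediate.pem` to the repository, and any private keys generated next to them locally would be copied in too, so add a `.dockerignore` or copy `go.mod`, `go.sum` and the Go sources explicitly.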
@@ -1,48 +1,11 @@ -include ./Makefile.Common +.PHONY: lint +lint: + golangci-lint run -BUILD_DIR ?= $(SRC_ROOT)/build -OS := $(shell uname | tr '[:upper:]' '[:lower:]') -ARCH := $(shell uname -m) - -CHECKS = generate lint test tidy fmt - -# set ARCH var based on output -ifeq ($(ARCH),x86_64) - ARCH = amd64 -endif -ifeq ($(ARCH),aarch64) - ARCH = arm64 -endif - -# .PHONY: all -# # all: install-tools -# all: build - -.DEFAULT_GOAL := build +.PHONY: test +test: + go test ./... -v .PHONY: build -build: install-tools - GOOS=$(OS) GOARCH=$(ARCH) go build -o $(BUILD_DIR)/go-template - -# TODO: fix this release through goreleaser. Goreleaser installed through tools.go -# is the OSS version and doesn't support the `partial:` option in the -# .goreleaser.yaml. This option is needed for CI builds but isn't available locally. -.PHONY: grbuild -grbuild: - $(GORELEASER) build --clean --snapshot - -.PHONY: dockerbuild -dockerbuild: - $(MAKE) build OS=linux ARCH=$(ARCH) - docker build . -t liatrio/go-template:localdev --build-arg BIN_PATH="./build/go-template" --platform linux/$(ARCH) - -# Setting the paralellism to 1 to improve output readability. Reevaluate later as needed for performance -.PHONY: checks -checks: install-tools - $(MAKE) -j 1 $(CHECKS) - @if [ -n "$$(git diff --name-only)" ]; then \ - echo "Some files have changed. Please commit them."; \ - exit 1; \ - else \ - echo "completed successfully."; \ - fi +build: + go build -o sigstore-certificate-maker \ No newline at end of file diff --git a/Makefile.Common b/Makefile.Common deleted file mode 100644 index 82034ae..0000000 --- a/Makefile.Common +++ /dev/null 
@@ -1,69 +0,0 @@ -# In order to ensure make instructions fail if there is command that fails a pipe (ie: `go test ... | tee -a ./test_results.txt`) -# the value `-o pipefail` (or `set -o pipefail`) is added to each shell command that make runs -# otherwise in the example command pipe, only the exit code of `tee` is recorded instead of `go test` which can cause -# test to pass in CI when they should not. -SHELL = /bin/bash -ifeq ($(shell uname -s),Windows) - .SHELLFLAGS = /o pipefile /c -else - .SHELLFLAGS = -o pipefail -c -endif - -# SRC_ROOT is the top of the source tree. -SRC_ROOT := $(shell git rev-parse --show-toplevel) - -# A lot of the following install tools commands were leveraged from the -# Open Telemetry Contributor Makefile following the Go Paradigm for Third Party Tools -# See https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/Makefile.Common#L39-L74 for more details. -TOOLS_MOD_DIR := $(SRC_ROOT)/internal/tools -TOOLS_BIN_DIR := $(SRC_ROOT)/.tools -TOOLS_MOD_REGEX := "\s+_\s+\".*\"" -TOOLS_PKG_NAMES := $(shell grep -E $(TOOLS_MOD_REGEX) < $(TOOLS_MOD_DIR)/tools.go | tr -d " _\"") -TOOLS_BIN_NAMES := $(addprefix $(TOOLS_BIN_DIR)/, $(notdir $(TOOLS_PKG_NAMES))) - - -.PHONY: install-tools -install-tools: $(TOOLS_BIN_NAMES) - -.PHONY: clean -clean: - rm -rf $(TOOLS_BIN_DIR) - -$(TOOLS_BIN_DIR): - mkdir -p $@ - -$(TOOLS_BIN_NAMES): $(TOOLS_BIN_DIR) $(TOOLS_MOD_DIR)/go.mod - cd $(TOOLS_MOD_DIR) && go build -o $@ -trimpath $(filter %/$(notdir $@),$(TOOLS_PKG_NAMES)) - -LINT := $(TOOLS_BIN_DIR)/golangci-lint -GOIMPORTS := $(TOOLS_BIN_DIR)/goimports -PORTO := $(TOOLS_BIN_DIR)/porto -GOVULNCHECK := $(TOOLS_BIN_DIR)/govulncheck -GENQLIENT := $(TOOLS_BIN_DIR)/genqlient -SEC := $(TOOLS_BIN_DIR)/gosec -STATICCHECK := $(TOOLS_BIN_DIR)/staticcheck -MDATAGEN := $(TOOLS_BIN_DIR)/mdatagen -OCB := $(TOOLS_BIN_DIR)/builder -GORELEASER := $(TOOLS_BIN_DIR)/goreleaser -MULTIMOD := $(TOOLS_BIN_DIR)/multimod - -.PHONY: lint -lint: - $(LINT) run - 
-.PHONY: tidy -tidy: - -rm go.sum - go mod tidy -compat=1.22 - -.PHONY: generate -generate: - go generate ./... - -.PHONY: test -test: - go test -v ./... -coverprofile=coverage.out -covermode=atomic - -.PHONY: fmt -fmt: - go fmt ./... diff --git a/README.md b/README.md index 5932260..80f056a 100644 --- a/README.md +++ b/README.md 
@@ -35,3 +35,80 @@ Presuming you have [homebrew](https://brew.sh) installed: 4. Run `make check` to run core build requirements 5. Run `pre-commit install` to install the pre-commits 6. #ShipIt + +``` +❯ openssl x509 -in root.pem -text -noout + +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: O=Liatrio, CN=Root CA + Validity + Not Before: Nov 8 20:57:40 2024 GMT + Not After : Nov 8 20:57:40 2124 GMT + Subject: O=Liatrio, CN=Root CA + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:29:7c:ff:0b:4d:d2:bc:d1:38:ac:3c:13:ce:44: + be:ef:6e:55:6c:8b:c3:96:82:e5:93:69:02:6f:99: + 71:dd:f7:77:35:9e:be:ed:f7:0d:50:78:b8:73:d2: + 2d:27:c5:ed:00:7c:c2:9f:8e:b2:0e:ae:6f:b4:f0: + 93:93:40:82:cc + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:1 + X509v3 Subject Key Identifier: + C7:C6:B6:50:D8:DD:25:9E:3E:E8:E6:69:B6:A6:4F:E9:8B:CD:EE:AB + Signature Algorithm: ecdsa-with-SHA256 + Signature Value: + 30:45:02:20:76:3d:59:0b:c4:9d:22:7b:62:65:ad:11:21:01: + 57:d1:c2:93:6f:f5:c0:cc:8f:3d:e1:c3:6d:56:73:f9:68:bd: + 02:21:00:f8:4a:ee:6a:c6:8e:67:8e:99:99:a4:03:2f:fb:86: + 56:a7:22:d0:55:b5:02:80:1c:55:51:48:01:13:eb:2a:37 +❯ openssl x509 -in intermediate.pem -text -noout + +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: O=Liatrio, CN=Root CA + Validity + Not Before: Nov 8 20:57:40 2024 GMT + Not After : Nov 8 20:57:40 2124 GMT + Subject: O=Liatrio, CN=Intermediate CA + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:e4:62:14:b0:04:ba:96:0d:67:ef:d8:e8:ff:89: + 14:14:61:25:4f:24:e4:89:fc:e0:a9:a4:05:78:45: + c9:df:9c:be:82:55:b1:7d:45:3d:c7:e0:2c:e2:cc: + 30:bb:f3:27:f4:8b:5a:d0:f4:28:48:03:9e:04:b9: + 98:50:4d:6e:c7 + 
ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 47:AC:5E:38:57:F3:4E:A2:BC:BC:CB:4C:D0:9C:DB:F0:A5:F8:40:53 + X509v3 Authority Key Identifier: + C7:C6:B6:50:D8:DD:25:9E:3E:E8:E6:69:B6:A6:4F:E9:8B:CD:EE:AB + Signature Algorithm: ecdsa-with-SHA256 + Signature Value: + 30:45:02:20:5d:9c:ec:be:c6:04:79:e5:54:3c:2a:23:10:78: + d3:31:b3:3a:7e:db:e1:09:6a:c6:e4:b7:63:7a:dd:8e:96:4d: + 02:21:00:81:c2:3c:d3:ae:77:dd:f5:c0:9a:72:e4:1d:04:ff: + 7d:51:a7:21:2d:6e:24:79:b6:d5:19:4e:73:13:51:eb:6f +``` diff --git a/catalog-info.yaml b/catalog-info.yaml index 8da482f..7afa36c 100644 --- a/catalog-info.yaml +++ b/catalog-info.yaml 
@@ -2,36 +2,15 @@ apiVersion: backstage.io/v1alpha1 kind: Component metadata: - name: go-template - description: A template repo for Golang projects. - - # Annotations Docs: https://backstage.io/docs/features/software-catalog/well-known-annotations + name: sigstore-certificate-maker + description: POC for basic go app to create/sign CA and leaf certs. annotations: - github.com/project-slug: liatrio/go-template - - # Tags Docs: https://backstage.io/docs/features/software-catalog/descriptor-format/#metadatatags-optional + github.com/project-slug: liatrio/sigstore-certificate-maker tags: - - go - - docker - - makefile - - open-source - - # Links Docs: https://backstage.io/docs/features/software-catalog/descriptor-format/#links-optional - links: - - url: https://tag-o11y.liatr.io - title: TAG O11y Landing Page - icon: web - - url: https://openo11y.dev - title: OpenO11y Home Page - icon: web - + - automated-governance + - golang spec: - # https://backstage.io/docs/features/software-catalog/descriptor-format/#spectype-required - type: service - # Review lifecycle and pick one of the three that make the most sense. - # https://backstage.io/docs/features/software-catalog/descriptor-format/#speclifecycle-required - lifecycle: production - # Please update to include the GitHub Team name tied to this project. - # https://backstage.io/docs/features/software-catalog/descriptor-format/#specowner-required - owner: tag-o11y - system: o11y + type: other + lifecycle: experimental + owner: tag-autogov + system: demo-gh-attest-autogov diff --git a/go.mod b/go.mod index 0c344a5..97f93f5 100644 --- a/go.mod +++ b/go.mod 
@@ -5,6 +5,40 @@ go 1.22.4
 require go.uber.org/zap v1.27.0
 require (
- github.com/stretchr/testify v1.9.0 // indirect
- go.uber.org/multierr v1.10.0 // indirect
+ dario.cat/mergo v1.0.1 // indirect
+ filippo.io/edwards25519 v1.1.0 // indirect
+ github.com/Masterminds/goutils v1.1.1 // indirect
+ github.com/Masterminds/semver/v3 v3.3.0 // indirect
+ github.com/Masterminds/sprig/v3 v3.3.0 // indirect
+ github.com/aws/aws-sdk-go-v2 v1.32.4 // indirect
+ github.com/aws/aws-sdk-go-v2/config v1.28.3 // indirect
+ github.com/aws/aws-sdk-go-v2/credentials v1.17.44 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.19 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.23 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.23 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.4 // indirect
+ github.com/aws/aws-sdk-go-v2/service/kms v1.37.5 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.24.5 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.4 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sts v1.32.4 // indirect
+ github.com/aws/smithy-go v1.22.0 // indirect
+ github.com/go-jose/go-jose/v3 v3.0.3 // indirect
+ github.com/google/uuid v1.6.0 // indirect
+ github.com/huandu/xstrings v1.5.0 // indirect
+ github.com/mitchellh/copystructure v1.2.0 // indirect
+ github.com/mitchellh/reflectwalk v1.0.2 // indirect
+ github.com/pkg/errors v0.9.1 // indirect
+ github.com/shopspring/decimal v1.4.0 // indirect
+ github.com/spf13/cast v1.7.0 // indirect
+ golang.org/x/crypto v0.28.0 // indirect
+ golang.org/x/net v0.30.0 // indirect
+ golang.org/x/sys v0.26.0 // indirect
+ golang.org/x/text v0.19.0 // indirect
+)
+
+require (
+ go.step.sm/crypto v0.54.0
+ go.uber.org/multierr v1.11.0 // indirect
 )
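Review bot: `go.step.sm/crypto v0.54.0` is the only direct dependency added, yet it drags in roughly thirty indirect modules including the AWS SDK (`service/kms`, `sso`, `ssooidc`, `sts`, `credentials`, `ec2/imds`) — a large supply-chain surface for a PoC whose only Go change is in `main.go`; check whether a narrower sub-package of that module suffices. The new direct requirement is placed in a `require (` block together with `go.uber.org/multierr v1.11.0 // indirect`, which is not the direct/indirect split `go mod tidy` normally produces, so this looks hand-edited; run `go mod tidy` and commit the result, especially since the `make tidy` drift check was removed from `build.yml` in this same commit. The `module` and `go` directives sit before the hunk.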
diff --git a/go.sum b/go.sum
index 7b08a2d..19c8601 100644
--- a/go.sum
+++ b/go.sum
@@ -1,14 +1,136 @@
+dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
+dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
+filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
+github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
+github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
+github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
+github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
+github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs=
+github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0=
+github.com/aws/aws-sdk-go-v2 v1.32.4 h1:S13INUiTxgrPueTmrm5DZ+MiAo99zYzHEFh1UNkOxNE=
+github.com/aws/aws-sdk-go-v2 v1.32.4/go.mod h1:2SK5n0a2karNTv5tbP1SjsX0uhttou00v/HpXKM1ZUo=
+github.com/aws/aws-sdk-go-v2/config v1.28.3 h1:kL5uAptPcPKaJ4q0sDUjUIdueO18Q7JDzl64GpVwdOM=
+github.com/aws/aws-sdk-go-v2/config v1.28.3/go.mod h1:SPEn1KA8YbgQnwiJ/OISU4fz7+F6Fe309Jf0QTsRCl4=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.44 h1:qqfs5kulLUHUEXlHEZXLJkgGoF3kkUeFUTVA585cFpU=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.44/go.mod h1:0Lm2YJ8etJdEdw23s+q/9wTpOeo2HhNE97XcRa7T8MA=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.19 h1:woXadbf0c7enQ2UGCi8gW/WuKmE0xIzxBF/eD94jMKQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.19/go.mod h1:zminj5ucw7w0r65bP6nhyOd3xL6veAUMc3ElGMoLVb4=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.23 h1:A2w6m6Tmr+BNXjDsr7M90zkWjsu4JXHwrzPg235STs4=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.23/go.mod h1:35EVp9wyeANdujZruvHiQUAo9E3vbhnIO1mTCAxMlY0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.23 
h1:pgYW9FCabt2M25MoHYCfMrVY2ghiiBKYWUVXfwZs+sU=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.23/go.mod h1:c48kLgzO19wAu3CPkDWC28JbaJ+hfQlsdl7I2+oqIbk=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 h1:TToQNkvGguu209puTojY/ozlqy2d/SFNcoLIqTFi42g=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0/go.mod h1:0jp+ltwkf+SwG2fm/PKo8t4y8pJSgOCO4D8Lz3k0aHQ=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.4 h1:tHxQi/XHPK0ctd/wdOw0t7Xrc2OxcRCnVzv8lwWPu0c=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.4/go.mod h1:4GQbF1vJzG60poZqWatZlhP31y8PGCCVTvIGPdaaYJ0=
+github.com/aws/aws-sdk-go-v2/service/kms v1.37.5 h1:5dQJ6Q5QrQOqZxXjSbRXukBqU8Pgu6Ro6Qqtyd8yiz4=
+github.com/aws/aws-sdk-go-v2/service/kms v1.37.5/go.mod h1:A9vfQcNHVBCE7ZZN6H+UUJpXtbH26Vv6L7Zhk5nIJAY=
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.5 h1:HJwZwRt2Z2Tdec+m+fPjvdmkq2s9Ra+VR0hjF7V2o40=
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.5/go.mod h1:wrMCEwjFPms+V86TCQQeOxQF/If4vT44FGIOFiMC2ck=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.4 h1:zcx9LiGWZ6i6pjdcoE9oXAB6mUdeyC36Ia/QEiIvYdg=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.4/go.mod h1:Tp/ly1cTjRLGBBmNccFumbZ8oqpZlpdhFf80SrRh4is=
+github.com/aws/aws-sdk-go-v2/service/sts v1.32.4 h1:yDxvkz3/uOKfxnv8YhzOi9m+2OGIxF+on3KOISbK5IU=
+github.com/aws/aws-sdk-go-v2/service/sts v1.32.4/go.mod h1:9XEUty5v5UAsMiFOBJrNibZgwCeOma73jgGwwhgffa8=
+github.com/aws/smithy-go v1.22.0 h1:uunKnWlcoL3zO7q+gG2Pk53joueEOsnNB28QdMsmiMM=
+github.com/aws/smithy-go v1.22.0/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 
h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
+github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
+github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
+github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
+github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
+github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
+github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 
h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
+github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
+github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262 h1:unQFBIznI+VYD1/1fApl1A+9VcBk+9dcqGfnePY87LY=
+github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262/go.mod h1:MyOHs9Po2fbM1LHej6sBUT8ozbxmMOFG+E+rx/GSGuc=
+github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w=
+github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.step.sm/crypto v0.54.0 h1:V8p+12Ld0NRA/RBMYoKXA0dWmVKZSdCwP56IwzweT9g=
+go.step.sm/crypto v0.54.0/go.mod h1:vQJyTngfZDW+UyZdFzOMCY/txWDAmcwViEUC7Gn4YfU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ=
-go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
+go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 
h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
+golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
+golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys 
v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= +golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= +golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= +golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= +golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/tools 
v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/intermediate.pem b/intermediate.pem new file mode 100644 index 0000000..ac8d6f7 --- /dev/null +++ b/intermediate.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBpDCCAUqgAwIBAgIBAjAKBggqhkjOPQQDAjAkMRAwDgYDVQQKEwdMaWF0cmlv +MRAwDgYDVQQDEwdSb290IENBMCAXDTI0MTEwODIwNTc0MFoYDzIxMjQxMTA4MjA1 +NzQwWjAsMRAwDgYDVQQKEwdMaWF0cmlvMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUg +Q0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATkYhSwBLqWDWfv2Oj/iRQUYSVP +JOSJ/OCppAV4RcnfnL6CVbF9RT3H4CzizDC78yf0i1rQ9ChIA54EuZhQTW7Ho2Mw +YTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUR6xe +OFfzTqK8vMtM0Jzb8KX4QFMwHwYDVR0jBBgwFoAUx8a2UNjdJZ4+6OZptqZP6YvN +7qswCgYIKoZIzj0EAwIDSAAwRQIgXZzsvsYEeeVUPCojEHjTMbM6ftvhCWrG5Ldj +et2Olk0CIQCBwjzTrnfd9cCacuQdBP99UachLW4kebbVGU5zE1Hrbw== +-----END CERTIFICATE----- diff --git a/main.go b/main.go index 69886f8..6a5ee93 100644 --- a/main.go +++ b/main.go 
@@ -1,16 +1,22 @@ package main import ( + "context" + "fmt" + "math/big" + "time" + + "crypto/x509" + "crypto/x509/pkix" + "encoding/json" + "encoding/pem" + "os" + "go.step.sm/crypto/kms/apiv1" + "go.step.sm/crypto/kms/awskms" + "go.step.sm/crypto/x509util" "go.uber.org/zap" - // Import your OTEL packages here for instrumentation. - // The default packages are for manual instrumentation, but you can use - // auto-instrumentation packages to capture communication at the edge. - // For more information see https://opentelemetry.io/docs/languages/go/getting-started/ - //"go.opentelemetry.io/otel" - //"go.opentelemetry.io/otel/trace" - //"go.opentelemetry.io/otel/exporters/otlp/otlptrace" ) var ( 
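Review bot: The new import block is not in goimports layout: `"crypto/x509"`, `"crypto/x509/pkix"`, `"encoding/json"`, `"encoding/pem"` and `"os"` sit in a second group that runs straight into `"go.step.sm/crypto/kms/apiv1"`, `"go.step.sm/crypto/kms/awskms"` and `"go.step.sm/crypto/x509util"` with no separating blank line visible in the hunk, while `"context"`, `"fmt"`, `"math/big"` and `"time"` form their own group above. Run goimports so the block reads as one sorted stdlib group (context, crypto/x509, crypto/x509/pkix, encoding/json, encoding/pem, fmt, math/big, os, time), a blank line, then the go.step.sm and go.uber.org imports.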
@@ -18,35 +24,156 @@ var ( ) func init() { - var err error - rawJSON := []byte(`{ - "level": "debug", - "encoding": "json", - "outputPaths": ["stdout"], - "errorOutputPaths": ["stderr"], - "initialFields": {"service": "go-template"}, - "encoderConfig": { - "messageKey": "message", - "levelKey": "level", - "levelEncoder": "lowercase" - } - } - `) + "level": "debug", + "encoding": "json", + "outputPaths": ["stdout"], + "errorOutputPaths": ["stderr"], + "initialFields": {"service": "sigstore-certificate-maker"}, + "encoderConfig": { + "messageKey": "message", + "levelKey": "level", + "levelEncoder": "lowercase", + "timeKey": "timestamp", + "timeEncoder": "iso8601" + } + }`) var cfg zap.Config - if err = json.Unmarshal(rawJSON, &cfg); err != nil { + if err := json.Unmarshal(rawJSON, &cfg); err != nil { panic(err) } logger = zap.Must(cfg.Build()) +} + +func initKMS(ctx context.Context, region, keyID string) (apiv1.KeyManager, error) { + opts := apiv1.Options{ + Type: "awskms", + URI: fmt.Sprintf("awskms:///%s?region=%s", keyID, region), + } + return awskms.New(ctx, opts) +} + +func createCertificates(km apiv1.KeyManager) error { + rootSubject := pkix.Name{ + CommonName: "Root CA", + Organization: []string{"Liatrio"}, + } + + rootKey, err := km.CreateKey(&apiv1.CreateKeyRequest{ + Name: "root-key", + SignatureAlgorithm: apiv1.ECDSAWithSHA256, + }) + if err != nil { + return fmt.Errorf("error creating root key: %w", err) + } + + rootSigner, err := km.CreateSigner(&apiv1.CreateSignerRequest{ + SigningKey: rootKey.Name, + }) + if err != nil { + return fmt.Errorf("error creating root signer: %w", err) + } + + rootTemplate := &x509.Certificate{ + Subject: rootSubject, + SerialNumber: big.NewInt(1), + NotBefore: time.Now(), + NotAfter: time.Now().AddDate(100, 0, 0), + KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, + BasicConstraintsValid: true, + IsCA: true, + MaxPathLen: 1, + } + + rootCert, err := x509util.CreateCertificate(rootTemplate, rootTemplate, 
rootSigner.Public(), rootSigner) + if err != nil { + return fmt.Errorf("error creating root certificate: %w", err) + } + + intermediateSubject := &pkix.Name{ + CommonName: "Intermediate CA", + Organization: []string{"Liatrio"}, + } + + intermediateKey, err := km.CreateKey(&apiv1.CreateKeyRequest{ + Name: "intermediate-key", + SignatureAlgorithm: apiv1.ECDSAWithSHA256, + }) + if err != nil { + return fmt.Errorf("error creating intermediate key: %w", err) + } + + intermediateSigner, err := km.CreateSigner(&apiv1.CreateSignerRequest{ + SigningKey: intermediateKey.Name, + }) + if err != nil { + return fmt.Errorf("error creating intermediate signer: %w", err) + } + + intermediateCert, err := x509util.CreateCertificate(&x509.Certificate{ + Subject: *intermediateSubject, + SerialNumber: big.NewInt(2), + NotBefore: time.Now(), + NotAfter: time.Now().AddDate(100, 0, 0), + KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, + BasicConstraintsValid: true, + IsCA: true, + MaxPathLen: 0, + }, rootTemplate, intermediateSigner.Public(), rootSigner) + if err != nil { + return fmt.Errorf("error creating intermediate certificate: %w", err) + } + + if err := writeCertificateToFile(rootCert, "root.pem"); err != nil { + return fmt.Errorf("error writing root certificate: %w", err) + } + + if err := writeCertificateToFile(intermediateCert, "intermediate.pem"); err != nil { + return fmt.Errorf("error writing intermediate certificate: %w", err) + } + + logger.Info("Certificates created successfully", + zap.String("root_cert", rootCert.Subject.CommonName), + zap.String("intermediate_cert", intermediateCert.Subject.CommonName)) + + return nil +} + +func writeCertificateToFile(cert *x509.Certificate, filename string) error { + certPEM := &pem.Block{ + Type: "CERTIFICATE", + Bytes: cert.Raw, + } + + file, err := os.Create(filename) + if err != nil { + return fmt.Errorf("failed to create file %s: %w", filename, err) + } + defer file.Close() + + if err := pem.Encode(file, certPEM); err != 
nil { + return fmt.Errorf("failed to write certificate to file %s: %w", filename, err) + } + + return nil +} + +func main() { defer func() { if err := logger.Sync(); err != nil { - return + fmt.Fprintf(os.Stderr, "failed to sync logger: %v\n", err) } }() -} -func main() { - logger.Info("Hello World!") + ctx := context.Background() + km, err := initKMS(ctx, "us-east-1", "alias/fulcio-key") + if err != nil { + logger.Fatal("Failed to initialize KMS", zap.Error(err)) + } + + if err := createCertificates(km); err != nil { + logger.Fatal("Failed to create certificates", zap.Error(err)) + } } diff --git a/renovate.json b/renovate.json index f65aa0a..a131b4a 100644 --- a/renovate.json +++ b/renovate.json @@ -1,17 +1,18 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", - "labels": [ - "dependencies", - "renovatebot" - ], - "constraints": { - "go": "1.20" - }, + "configMigration": true, "extends": [ "config:recommended" ], + "constraints": { + "go": "1.22" + }, "schedule": [ - "before 5am" + "before 5am every weekday" + ], + "labels": [ + "renovate", + "dependencies" ], "packageRules": [ { @@ -21,9 +22,14 @@ "groupName": "dockerfile deps" }, { + "extends": [ + ":semanticPrefixFixDepsChoreOthers", + "helpers:pinGitHubActionDigests" + ], "matchManagers": [ "github-actions" ], + "pinDigests": true, "groupName": "github-actions deps" }, { diff --git a/root.pem b/root.pem new file mode 100644 index 0000000..26e5462 --- /dev/null +++ b/root.pem 
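Review bot: createCertificates never records which KMS keys it provisioned — `rootKey.Name` and `intermediateKey.Name` are used only to build the signers and then dropped, and the final logger.Info carries only the subject CNs, so an operator cannot tell which KMS key backs root.pem or intermediate.pem, and each run calls CreateKey again (for awskms this presumably provisions fresh keys every time; confirm). Add the identifiers to the success log, e.g. `zap.String("root_key", rootKey.Name), zap.String("intermediate_key", intermediateKey.Name)`. Both templates also use fixed `SerialNumber: big.NewInt(1)` / `big.NewInt(2)` and `NotAfter: time.Now().AddDate(100, 0, 0)`; serials should come from crypto/rand (RFC 5280 requires them to be positive and unique per issuer, and 64+ bits of entropy is the usual bar), the lifetime should be a parameter rather than a hard-coded century, and the intermediate's NotBefore/NotAfter should be taken from rootTemplate instead of a second time.Now() so it cannot end after its issuer. In writeCertificateToFile the deferred `file.Close()` discards its error, so a write that fails at close time is reported as success; close explicitly and return that error, as below (the serial helper needs a `crypto/rand` import).

```go
// randomSerial returns a positive serial drawn from crypto/rand for use as
// x509.Certificate.SerialNumber in place of the fixed 1 and 2.
func randomSerial() (*big.Int, error) {
	limit := new(big.Int).Lsh(big.NewInt(1), 127)
	n, err := rand.Int(rand.Reader, limit)
	if err != nil {
		return nil, fmt.Errorf("generating serial number: %w", err)
	}
	return n.Add(n, big.NewInt(1)), nil
}

// … unchanged: writeCertificateToFile PEM block construction and os.Create …
	if err := pem.Encode(file, certPEM); err != nil {
		file.Close()
		return fmt.Errorf("failed to write certificate to file %s: %w", filename, err)
	}
	if err := file.Close(); err != nil {
		return fmt.Errorf("closing %s: %w", filename, err)
	}
	return nil
```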
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBfjCCASSgAwIBAgIBATAKBggqhkjOPQQDAjAkMRAwDgYDVQQKEwdMaWF0cmlv
+MRAwDgYDVQQDEwdSb290IENBMCAXDTI0MTEwODIwNTc0MFoYDzIxMjQxMTA4MjA1
+NzQwWjAkMRAwDgYDVQQKEwdMaWF0cmlvMRAwDgYDVQQDEwdSb290IENBMFkwEwYH
+KoZIzj0CAQYIKoZIzj0DAQcDQgAEKXz/C03SvNE4rDwTzkS+725VbIvDloLlk2kC
+b5lx3fd3NZ6+7fcNUHi4c9ItJ8XtAHzCn46yDq5vtPCTk0CCzKNFMEMwDgYDVR0P
+AQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFMfGtlDY3SWe
+PujmabamT+mLze6rMAoGCCqGSM49BAMCA0gAMEUCIHY9WQvEnSJ7YmWtESEBV9HC
+k2/1wMyPPeHDbVZz+Wi9AiEA+EruasaOZ46ZmaQDL/uGVqci0FW1AoAcVVFIARPr
+Kjc=
+-----END CERTIFICATE-----