Using keyless in cosign

smartcontractkit · Feb 26, 2022 · 1e7f1aa · 1e7f1aa
1 parent 6d073d6
commit 1e7f1aa
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 17 deletions.
diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml
@@ -38,13 +38,9 @@ inputs:
     description: When set to the string boolean value of "true", the resulting build image will be signed
     default: "false"
     required: false
-
-  cosign-private-key:
-    description: The private key to be used with cosign to sign the image
-    required: false
-
-  cosign-password:
-    description: The password to decrypt the cosign private key needed to sign the image
+  verify-signature:
+    description: When set to the string boolean value of "true", the resulting build image signature will be verified
+    default: "false"
     required: false
 
 runs:
@@ -151,29 +147,46 @@ runs:
       cosign-release: 'v1.4.0'
 
   - if: inputs.sign-images == 'true'
-    name: Write signing key to disk (only needed for `cosign sign --key`)
+    name: Sign the published root Docker image
     shell: sh
-    run: echo "${{ inputs.cosign-private-key }}" > cosign.key
+    env:
+      COSIGN_EXPERIMENTAL: 1
+    run: |
+      IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-root.outputs.metadata)['image.name'] }}
+      IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)
 
-  - if: inputs.sign-images == 'true'
-    name: Sign the published root Docker image
+      cosign sign "$IMAGE_NAME"
+
+  - if: inputs.verify-signature == 'true'
+    name: Verify the signature of the published root Docker image
     shell: sh
     env:
-      COSIGN_PASSWORD: "${{ inputs.cosign-password }}"
+      COSIGN_EXPERIMENTAL: 1
     run: |
       IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-root.outputs.metadata)['image.name'] }}
       IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)
 
-      cosign sign --key cosign.key "$IMAGE_NAME"
+      cosign verify "$IMAGE_NAME"
 
   - if: inputs.sign-images == 'true'
     name: Sign the published non-root Docker image
     shell: sh
     env:
-      COSIGN_PASSWORD: "${{ inputs.cosign-password }}"
+      COSIGN_EXPERIMENTAL: 1
+    run: |
+      IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-nonroot.outputs.metadata)['image.name'] }}
+      IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)
+
+      cosign sign "$IMAGE_NAME"
+
+  - if: inputs.verify-signature == 'true'
+    name: Verify the signature of the published non-root Docker image
+    shell: sh
+    env:
+      COSIGN_EXPERIMENTAL: 1
     run: |
       IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-nonroot.outputs.metadata)['image.name'] }}
       IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)
 
-      cosign sign --key cosign.key "$IMAGE_NAME"
+      cosign verify "$IMAGE_NAME"
 
diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml
@@ -29,5 +29,4 @@ jobs:
           aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
           aws-region: ${{ secrets.AWS_REGION }}
           sign-images: true
-          cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }}
-          cosign-password: ${{ secrets.COSIGN_PASSWORD }}
+          verify-signature: true