github/podinfo
1
0
Fork 0
mirror of https://github.com/stefanprodan/podinfo.git synced 2026-02-14 10:19:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Setup notation signing keys

Browse Source 
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
This commit is contained in:
Stefan Prodan
2024-02-25 12:10:06 +02:00
parent 0d2c428859
commit 24405a5a5d
6 changed files with 60 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@@ -23,3 +23,6 @@ bin/
cue/cue.mod/gen/ cue/cue.mod/gen/
cue/go.mod cue/go.mod
cue/go.sum cue/go.sum
.notation/podinfo.csr
.notation/podinfo.key

15
.notation/README.md Normal file
View File

@@ -0,0 +1,15 @@
# Podinfo signed releases
Podinfo release assets such as the Helm chart and the Flux artifact
are published to GitHub Container Registry and are signed with
[Notation](https://github.com/notaryproject/notation).
## Generate signing keys
Generate a new signing key pair:
```sh
openssl genrsa -out podinfo.key 2048
openssl req -new -key podinfo.key -out podinfo.csr -config codesign.cnf
openssl x509 -req -days 1826 -in podinfo.csr -signkey podinfo.key -out notation.crt -extensions v3_req -extfile codesign.cnf
```

18
.notation/codesign.cnf Normal file
View File

@@ -0,0 +1,18 @@
[ req ]
default_bits = 2048
default_keyfile = privatekey.pem
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = RO
ST = BU
L = Bucharest
O = Notary
CN = stefanprodan.com
[ v3_req ]
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,codeSigning
#subjectKeyIdentifier = hash

37
.notation/notation.crt
View File

@@ -1,20 +1,21 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDWjCCAkKgAwIBAgIUBk/7TYVIUsiCeUm5c11abfwMrZUwDQYJKoZIhvcNAQEL MIIDbDCCAlSgAwIBAgIUP7zhmTw5XTWLcgBGkBEsErMOkz4wDQYJKoZIhvcNAQEL
BQAwUTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0dGxl BQAwWjELMAkGA1UEBhMCUk8xCzAJBgNVBAgMAkJVMRIwEAYDVQQHDAlCdWNoYXJl
MQ8wDQYDVQQKDAZOb3RhcnkxEjAQBgNVBAMMCWZsdXhjZC5pbzAeFw0yMzEyMDcw c3QxDzANBgNVBAoMBk5vdGFyeTEZMBcGA1UEAwwQc3RlZmFucHJvZGFuLmNvbTAe
NDIwNDhaFw0yNDEyMDYwNDIwNDhaMFExCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJX Fw0yNDAyMjUxMDAyMzZaFw0yOTAyMjQxMDAyMzZaMFoxCzAJBgNVBAYTAlJPMQsw
QTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwGTm90YXJ5MRIwEAYDVQQDDAlm CQYDVQQIDAJCVTESMBAGA1UEBwwJQnVjaGFyZXN0MQ8wDQYDVQQKDAZOb3Rhcnkx
bHV4Y2QuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCx1hpkMmSD GTAXBgNVBAMMEHN0ZWZhbnByb2Rhbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
rlyjjL8UYaciLBmMtwbpFUcejDgKSSKAqHGtTPrzSHrza1oFybyjwkG7SlbR6k23 DwAwggEKAoIBAQDtH4oPi3SyX/DGv6NdjIvmApvD9eeSgsmHdwpAly8T9D2me+fx
fuWTIz7gVjx+rEmbnJuAnzhGCES4TY+dPO/svhuAT9iGVlJ4TKuPXFO53c+GKY+t Z+wRNJmq4aq/A1anX+Sg28iwHzV+1WKpsHnjYzDAJSEYP2S8A5H1nGRKUoibdijw
AJoWO04uzVbZsCNPlYmKoq3XvaMc3bnn2APr9xb7aHqF7LggqWe7GeKQEJvEdBYZ C3QBh5C75rjF/tmZVSX/Vgbf3HJJEsF4WUxWabLxoV2QLo7UlEsQd9+bSeKNMncx
m1KLKym6+pqnEDSPENUVGMYKQwQHNmpVz6y+HdvuR4AQxHrHGvDxo+G7GIjrDe8l 1+E6FdbRCrYo90iobvZJ8K/S2zCWq/JTeHfTnmSEDhx6nMJcaSjvMPn3zyauWcQw
cW4PurFAbv3yLLvpC4ZkppPLuVv7p0kUwy1sSeWVu7uxZ/MPGqI2HSMctDbAvGLj dDpkcaGiJ64fEJRT2OFxXv9u+vDmIMKzo/Wjbd+IzFj6YY4VisK88aU7tmDelnk5
bPY+rkVf3+4ZAgMBAAGjKjAoMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAK gQB9eu62PFoaVsYJp4VOhblFKvGJpQwbWB9BAgMBAAGjKjAoMA4GA1UdDwEB/wQE
BggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAO2TSX5ewQXidW14UzhjNKTXt AwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEA
Yc8O6qMGNlv2PuCWT9k0ce6qC7s2XYAbvEWYNAS/fwdFC6cJMT/6/Y3s/zbFNrAH 6x+C6hAIbLwMvkNx4K5p7Qe/pLQR0VwQFAw10yr/5KSN+YKFpon6pQ0TebL7qll+
TMJTmGKZvtJnWywcCOg+HcRrLIpExJB1bAaTUW+oea9ABiitMeUEY6oiBGqacPeA uBGZvtQhN6v+DlnVqB7lvJKd+89isgirkkews5KwuXg7Gv5UPIugH0dXISZU8DMJ
4eVoDQ8wVS8oNHx71fmC9G6iNHaBTip3x81j0koz3JhHf1Mc3gKN56ww1RF/LMEa 7J4oKREv5HzdFmfsUfNlQcfyVTjKL6UINXfKGdqNNxXxR9b4a1TY2JcmEhzBTHaq
NW473dG/8pkuFOp6kuz775/EKBNuYfR6bEYx9zPNIpYAzVsveTnXTHsec3xkUoCQ ZqX6HK784a0dB7aHgeFrFwPCCP4M684Hs7CFbk3jo2Ef4ljnB5AyWpe8pwCLMdRt
xtfR15R8dfbvNFB1iFiew6oiBQ5Wz9abB0PU7b/pE21SjT1+lBKJ9xmMOzFwag== UjSjL5xJWVQvRU+STQsPr6SvpokPCG4rLQyjgeYYk4CCj5piSxbSUZFavq8v1y7Y
m91USVqfeUX7ZzjDxPHE2A==
-----END CERTIFICATE----- -----END CERTIFICATE-----

4
.notation/signingkeys.json
View File

@@ -1,8 +1,8 @@
{ {
"default": "fluxcd.io", "default": "stefanprodan.com",
"keys": [ "keys": [
{ {
"name": "fluxcd.io", "name": "stefanprodan.com",
"keyPath": "/home/runner/.config/notation/localkeys/notation.key", "keyPath": "/home/runner/.config/notation/localkeys/notation.key",
"certPath": "/home/runner/.config/notation/localkeys/notation.crt" "certPath": "/home/runner/.config/notation/localkeys/notation.crt"
} }

6
.notation/trustpolicy.json
View File

@@ -2,7 +2,7 @@
"version": "1.0", "version": "1.0",
"trustPolicies": [ "trustPolicies": [
{ {
"name": "fluxcd.io", "name": "stefanprodan.com",
"registryScopes": [ "registryScopes": [
"ghcr.io/stefanprodan/podinfo-deploy", "ghcr.io/stefanprodan/podinfo-deploy",
"ghcr.io/stefanprodan/charts/podinfo" "ghcr.io/stefanprodan/charts/podinfo"
@@ -10,9 +10,9 @@
"signatureVerification": { "signatureVerification": {
"level" : "strict" "level" : "strict"
}, },
"trustStores": [ "ca:fluxcd.io" ], "trustStores": [ "ca:stefanprodan.com" ],
"trustedIdentities": [ "trustedIdentities": [
"x509.subject: C=US, ST=WA, L=Seattle, O=Notary, CN=fluxcd.io" "x509.subject: C=RO, ST=BU, L=Bucharest, O=Notary, CN=stefanprodan.com"
] ]
} }
] ]