Setup notation signing keys

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
refactor(trustpolicy): jasonthedeveloper -> stefanprodan
2026-04-09 12:36:50 +00:00 · 2024-02-25 12:10:06 +02:00 · 2024-02-09 10:59:44 +11:00 · 2024-02-09 10:47:11 +11:00 · 2024-02-09 10:42:51 +11:00 · 2024-02-09 10:41:19 +11:00
9 changed files with 107 additions and 2 deletions
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1 @@
+github: stefanprodan
--- a/.github/workflows/cve-scan.yml
+++ b/.github/workflows/cve-scan.yml
@@ -3,7 +3,7 @@ name: cve-scan
 on:
  push:
    branches:
-      - 'master'
+      - "master"

 permissions:
  contents: read
@@ -19,7 +19,7 @@ jobs:
        run: |
          IMAGE=test/podinfo:${GITHUB_SHA}
          docker build -t ${IMAGE} .
-          echo "::set-output name=image::$IMAGE"
+          echo "image=$IMAGE" >> $GITHUB_OUTPUT
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,6 +20,18 @@ jobs:
      - uses: sigstore/cosign-installer@v3
      - uses: fluxcd/flux2/action@main
      - uses: stefanprodan/timoni/actions/setup@main
+      - name: Setup Notation CLI
+        uses: notaryproject/notation-action/setup@v1
+        with:
+          version: "1.0.0"
+      - name: Setup Notation signing keys
+        run: |
+          mkdir -p ~/.config/notation/localkeys/
+          cp ./.notation/signingkeys.json ~/.config/notation/
+          cp ./.notation/notation.crt ~/.config/notation/localkeys/
+          echo "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key
+        env:
+          NOTATION_KEY: ${{ secrets.NOTATION_SIGNING_KEY }}
      - name: Setup Go
        uses: actions/setup-go@v4
        with:
@@ -109,6 +121,10 @@ jobs:
          cosign sign ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} --yes
          cosign sign ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }} --yes
          cosign sign ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --yes
+          notation sign --signature-format cose docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
+          notation sign --signature-format cose ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
+          notation sign --signature-format cose ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }}
+          notation sign --signature-format cose ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }}
      - name: Publish base image
        uses: docker/build-push-action@v5
        with:
@@ -134,6 +150,8 @@ jobs:
          echo "$COSIGN_KEY" > /tmp/cosign.key
          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --yes
          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:latest --yes
+          notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }}
+          notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:latest
        env:
          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
          COSIGN_KEY: ${{secrets.COSIGN_KEY}}
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,6 @@ bin/
 cue/cue.mod/gen/
 cue/go.mod
 cue/go.sum
+
+.notation/podinfo.csr
+.notation/podinfo.key
--- a/.notation/README.md
+++ b/.notation/README.md
@@ -0,0 +1,15 @@
+# Podinfo signed releases
+
+Podinfo release assets such as the Helm chart and the Flux artifact
+are published to GitHub Container Registry and are signed with
+[Notation](https://github.com/notaryproject/notation).
+
+## Generate signing keys
+
+Generate a new signing key pair:
+
+```sh
+openssl genrsa -out podinfo.key 2048
+openssl req -new -key podinfo.key -out podinfo.csr -config codesign.cnf
+openssl x509 -req -days 1826 -in podinfo.csr -signkey podinfo.key -out notation.crt -extensions v3_req -extfile codesign.cnf
+```
--- a/.notation/codesign.cnf
+++ b/.notation/codesign.cnf
@@ -0,0 +1,18 @@
+[ req ]
+default_bits           = 2048
+default_keyfile        = privatekey.pem
+distinguished_name     = req_distinguished_name
+req_extensions         = v3_req
+prompt                 = no
+
+[ req_distinguished_name ]
+C                      = RO
+ST                     = BU
+L                      = Bucharest
+O                      = Notary
+CN                     = stefanprodan.com
+
+[ v3_req ]
+keyUsage               = critical,digitalSignature
+extendedKeyUsage       = critical,codeSigning
+#subjectKeyIdentifier  = hash
--- a/.notation/notation.crt
+++ b/.notation/notation.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDbDCCAlSgAwIBAgIUP7zhmTw5XTWLcgBGkBEsErMOkz4wDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCUk8xCzAJBgNVBAgMAkJVMRIwEAYDVQQHDAlCdWNoYXJl
+c3QxDzANBgNVBAoMBk5vdGFyeTEZMBcGA1UEAwwQc3RlZmFucHJvZGFuLmNvbTAe
+Fw0yNDAyMjUxMDAyMzZaFw0yOTAyMjQxMDAyMzZaMFoxCzAJBgNVBAYTAlJPMQsw
+CQYDVQQIDAJCVTESMBAGA1UEBwwJQnVjaGFyZXN0MQ8wDQYDVQQKDAZOb3Rhcnkx
+GTAXBgNVBAMMEHN0ZWZhbnByb2Rhbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDtH4oPi3SyX/DGv6NdjIvmApvD9eeSgsmHdwpAly8T9D2me+fx
+Z+wRNJmq4aq/A1anX+Sg28iwHzV+1WKpsHnjYzDAJSEYP2S8A5H1nGRKUoibdijw
+C3QBh5C75rjF/tmZVSX/Vgbf3HJJEsF4WUxWabLxoV2QLo7UlEsQd9+bSeKNMncx
+1+E6FdbRCrYo90iobvZJ8K/S2zCWq/JTeHfTnmSEDhx6nMJcaSjvMPn3zyauWcQw
+dDpkcaGiJ64fEJRT2OFxXv9u+vDmIMKzo/Wjbd+IzFj6YY4VisK88aU7tmDelnk5
+gQB9eu62PFoaVsYJp4VOhblFKvGJpQwbWB9BAgMBAAGjKjAoMA4GA1UdDwEB/wQE
+AwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEA
+6x+C6hAIbLwMvkNx4K5p7Qe/pLQR0VwQFAw10yr/5KSN+YKFpon6pQ0TebL7qll+
+uBGZvtQhN6v+DlnVqB7lvJKd+89isgirkkews5KwuXg7Gv5UPIugH0dXISZU8DMJ
+7J4oKREv5HzdFmfsUfNlQcfyVTjKL6UINXfKGdqNNxXxR9b4a1TY2JcmEhzBTHaq
+ZqX6HK784a0dB7aHgeFrFwPCCP4M684Hs7CFbk3jo2Ef4ljnB5AyWpe8pwCLMdRt
+UjSjL5xJWVQvRU+STQsPr6SvpokPCG4rLQyjgeYYk4CCj5piSxbSUZFavq8v1y7Y
+m91USVqfeUX7ZzjDxPHE2A==
+-----END CERTIFICATE-----
--- a/.notation/signingkeys.json
+++ b/.notation/signingkeys.json
@@ -0,0 +1,10 @@
+{
+    "default": "stefanprodan.com",
+    "keys": [
+        {
+            "name": "stefanprodan.com",
+            "keyPath": "/home/runner/.config/notation/localkeys/notation.key",
+            "certPath": "/home/runner/.config/notation/localkeys/notation.crt"
+        }
+    ]
+}
--- a/.notation/trustpolicy.json
+++ b/.notation/trustpolicy.json
@@ -0,0 +1,19 @@
+{
+    "version": "1.0",
+    "trustPolicies": [
+        {
+            "name": "stefanprodan.com",
+            "registryScopes": [
+                "ghcr.io/stefanprodan/podinfo-deploy",
+                "ghcr.io/stefanprodan/charts/podinfo"
+            ],
+            "signatureVerification": {
+                "level" : "strict"
+            },
+            "trustStores": [ "ca:stefanprodan.com" ],
+            "trustedIdentities": [
+                "x509.subject: C=RO, ST=BU, L=Bucharest, O=Notary, CN=stefanprodan.com"
+            ]
+        }
+    ]
+}
Author	SHA1	Message	Date
Stefan Prodan	0ecb5d1e7f	Setup notation signing keys Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>	2024-02-25 12:10:06 +02:00
Jason	0d2c428859	refactor(trustpolicy): jasonthedeveloper -> stefanprodan	2024-02-09 10:59:44 +11:00
Jason	ecaa7cf4d3	ci(release): trigger on tag push	2024-02-09 10:47:11 +11:00
Jason	8447b6985b	ci(notation): remove release workflow	2024-02-09 10:42:51 +11:00
Jason	9371d6d153	ci(release): sign artefacts using notation	2024-02-09 10:41:19 +11:00
Jason	20b8c1043c	Merge branch 'master' into feat/notation	2024-02-09 10:14:38 +11:00
Stefan Prodan	dc830d02a6	Enable GitHub Sponsors	2023-12-30 22:18:54 +02:00
Stefan Prodan	badf3271a1	Merge pull request #332 from arunsathiya/master ci: Use `GITHUB_OUTPUT` instead of set-output	2023-12-29 00:11:06 +02:00
Arun	9f9c2f3245	Use GITHUB_OUTPUT envvar instead of set-output command as the latter is deprecated	2023-12-28 13:21:55 -08:00
Jason	174d183056	refactor(rename): policy.json -> trustpolicy.json	2023-12-14 16:16:12 +11:00
Jason	7bb64e7567	fix(trustpolicy): small typo in registryScopes	2023-12-08 17:30:47 +11:00
Jason	49a4b31d53	feat(notation): update registry scopes	2023-12-07 18:06:52 +11:00
Jason	c29e013a33	feat(notation): add trust store policy	2023-12-07 16:57:04 +11:00
Jason	45ecda63bb	ci(release): don't trigger on tag push	2023-12-07 16:26:01 +11:00
Jason	4868f430c7	ci(release): trigger on tag	2023-12-07 16:15:17 +11:00
Jason	ca9c6bb4f8	ci(release): sign artefacts using notaiton	2023-12-07 16:06:40 +11:00
Jason	86f3b1a57c	ci(release): create notation config folder	2023-12-07 15:52:29 +11:00
Jason	b22dd96a54	feat(notation): add signingkey.json config	2023-12-07 15:51:22 +11:00
Jason	5aaf95849e	ci(release): setup signing keys for notation	2023-12-07 15:50:30 +11:00
Jason	e197eca420	ci(release): add notation release workflow	2023-12-07 15:46:22 +11:00