Add signed SBOM to troubleshoot (#414)

This change will generate a signed software bill of materials and add it to the repository release archives when the project is released.

.github/workflows/build-test-deploy.yaml

@@ -113,6 +113,17 @@ jobs:
       - uses: actions/setup-go@v1
         with:
           go-version: "1.14"
+
+      - uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: "v1.2.1"
+
+      - name: Generate SBOM
+        run: |
+          COSIGN_PASSWORD=$COSIGNPASSWORD COSIGN_KEY=$COSIGN_KEY make sbom
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
    
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2

.gitignore

@@ -31,3 +31,6 @@ try.sh
 
 .vscode/
 workspace.*
+
+cosign.key
+sbom/

Makefile

@@ -137,3 +137,26 @@ run-troubleshoot: support-bundle
 .PHONY: run-analyze
 run-analyze: analyze
 	./bin/analyze --analyzers ./examples/support-bundle/sample-analyzers.yaml ./support-bundle.tar.gz
+
+.PHONY: init-sbom
+init-sbom:
+	mkdir -p sbom/spdx sbom/assets
+
+.PHONY: install-spdx-sbom-generator
+install-spdx-sbom-generator: init-sbom
+	./scripts/initialize-sbom-build.sh
+
+SPDX_GENERATOR=./sbom/spdx-sbom-generator
+
+.PHONY: generate-sbom
+generate-sbom: install-spdx-sbom-generator
+	$(SPDX_GENERATOR) -o ./sbom/spdx
+
+sbom/assets/troubleshoot-sbom.tgz: generate-sbom
+	tar -czf sbom/assets/troubleshoot-sbom.tgz sbom/spdx/*.spdx 
+
+sbom: sbom/assets/troubleshoot-sbom.tgz
+	cosign sign-blob -key cosign.key sbom/assets/troubleshoot-sbom.tgz > sbom/assets/troubleshoot-sbom.tgz.sig
+	cosign public-key -key cosign.key -outfile sbom/assets/key.pub
+
+

README.md

@@ -39,3 +39,16 @@ For details on creating the custom resource files that drive support-bundle coll
 # Community
 
 For questions about using Troubleshoot, there's a [Replicated Community](https://help.replicated.com/community) forum, and a [#app-troubleshoot channel in Kubernetes Slack](https://kubernetes.slack.com/channels/app-troubleshoot).
+
+# Software Bill of Materials 
+A signed SBOM  that includes Troubleshoot dependencies is included in each release. 
+- **troubleshoot-sbom.tgz** contains a software bill of materials for Troubleshoot. 
+- **troubleshoot-sbom.tgz.sig** is the digital signature for troubleshoot-sbom.tgz
+- **key.pub** is the public key from the key pair used to sign troubleshoot-sbom.tgz
+
+The following example illustrates using [cosign](https://github.com/sigstore/cosign) to verify that **troubleshoot-sbom.tgz** has
+not been tampered with.
+```shell
+$ cosign verify-blob -key key.pub -signature troubleshoot-sbom.tgz.sig troubleshoot-sbom.tgz
+Verified OK
+```

deploy/.goreleaser.yaml

@@ -58,6 +58,7 @@ archives:
       - README*
       - changelog*
       - CHANGELOG*
+      - sbom/assets/*
   - id: support-bundle
     builds:
       - support-bundle

scripts/initialize-sbom-build.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+set -euo pipefail
+
+if [ -n "${COSIGN_KEY}" ]
+then 
+	echo "Writing cosign key to file"
+	echo "${COSIGN_KEY}" | base64 -d > ./cosign.key
+else 
+	echo "ERROR: Missing COSIGN_KEY!"
+fi
+
+if ! command -v spdx-sbom-generator &> /dev/null
+then
+	echo "Installing spdx-sbom-generator"
+        curl -L https://github.com/spdx/spdx-sbom-generator/releases/download/v0.0.13/spdx-sbom-generator-v0.0.13-linux-amd64.tar.gz -o ./sbom/spdx-sbom-generator.tar.gz
+        curl -L https://github.com/spdx/spdx-sbom-generator/releases/download/v0.0.13/spdx-sbom-generator-v0.0.13-linux-amd64.tar.gz.md5 -o ./sbom/spdx-sbom-generator.tar.gz.md5
+        md5sum ./sbom/spdx-sbom-generator.tar.gz | cut --bytes=1-32 > ./sbom/checksum
+
+        if ! cmp ./sbom/checksum ./sbom/spdx-sbom-generator.tar.gz.md5
+	then
+        	echo "ERROR: spdx-sbom-generator.tar.gz md5 sum does not match!"
+		exit 1
+	fi
+
+	tar -xzvf ./sbom/spdx-sbom-generator.tar.gz -C sbom
+fi