From 639bf7a8327454e14b48ffddd039e03b770e7f0c Mon Sep 17 00:00:00 2001 From: John Murphy Date: Tue, 21 Sep 2021 13:55:41 -0500 Subject: [PATCH] Add signed SBOM to troubleshoot (#414) This change will generate a signed software bill of materials and add it to the repository release archives when the project is released. --- .github/workflows/build-test-deploy.yaml | 11 ++++++++++ .gitignore | 3 +++ Makefile | 23 ++++++++++++++++++++ README.md | 13 ++++++++++++ deploy/.goreleaser.yaml | 1 + scripts/initialize-sbom-build.sh | 27 ++++++++++++++++++++++++ 6 files changed, 78 insertions(+) create mode 100755 scripts/initialize-sbom-build.sh diff --git a/.github/workflows/build-test-deploy.yaml b/.github/workflows/build-test-deploy.yaml index 0b681e7e..55d17691 100644 --- a/.github/workflows/build-test-deploy.yaml +++ b/.github/workflows/build-test-deploy.yaml @@ -113,6 +113,17 @@ jobs: - uses: actions/setup-go@v1 with: go-version: "1.14" + + - uses: sigstore/cosign-installer@main + with: + cosign-release: "v1.2.1" + + - name: Generate SBOM + run: | + COSIGN_PASSWORD=$COSIGNPASSWORD COSIGN_KEY=$COSIGN_KEY make sbom + env: + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + COSIGN_KEY: ${{ secrets.COSIGN_KEY }} - name: Run GoReleaser uses: goreleaser/goreleaser-action@v2 diff --git a/.gitignore b/.gitignore index 0095d9c3..6600bf94 100644 --- a/.gitignore +++ b/.gitignore @@ -31,3 +31,6 @@ try.sh .vscode/ workspace.* + +cosign.key +sbom/ diff --git a/Makefile b/Makefile index 7455aca9..b290b7e5 100644 --- a/Makefile +++ b/Makefile 
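Review bot: The `run:` line `COSIGN_PASSWORD=$COSIGNPASSWORD COSIGN_KEY=$COSIGN_KEY make sbom` references `$COSIGNPASSWORD`, which is not defined in the step's `env:` block nor anywhere visible in the hunk, so the inline prefix sets COSIGN_PASSWORD to an empty string and shadows the value the `env:` block already exports from `secrets.COSIGN_PASSWORD`. Both variables are already in the step's environment, so the inline assignments are redundant and `run: make sbom` is sufficient. Separately, `uses: sigstore/cosign-installer@main` follows a moving branch for the tool that handles the release signing key; pinning it to a release tag or a commit SHA keeps the signing step reproducible and reviewable.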
@@ -137,3 +137,26 @@ run-troubleshoot: support-bundle .PHONY: run-analyze run-analyze: analyze ./bin/analyze --analyzers ./examples/support-bundle/sample-analyzers.yaml ./support-bundle.tar.gz + +.PHONY: init-sbom +init-sbom: + mkdir -p sbom/spdx sbom/assets + +.PHONY: install-spdx-sbom-generator +install-spdx-sbom-generator: init-sbom + ./scripts/initialize-sbom-build.sh + +SPDX_GENERATOR=./sbom/spdx-sbom-generator + +.PHONY: generate-sbom +generate-sbom: install-spdx-sbom-generator + $(SPDX_GENERATOR) -o ./sbom/spdx + +sbom/assets/troubleshoot-sbom.tgz: generate-sbom + tar -czf sbom/assets/troubleshoot-sbom.tgz sbom/spdx/*.spdx + +sbom: sbom/assets/troubleshoot-sbom.tgz + cosign sign-blob -key cosign.key sbom/assets/troubleshoot-sbom.tgz > sbom/assets/troubleshoot-sbom.tgz.sig + cosign public-key -key cosign.key -outfile sbom/assets/key.pub + + diff --git a/README.md b/README.md index 471d948a..66fb0c54 100644 --- a/README.md +++ b/README.md @@ -39,3 +39,16 @@ For details on creating the custom resource files that drive support-bundle coll # Community For questions about using Troubleshoot, there's a [Replicated Community](https://help.replicated.com/community) forum, and a [#app-troubleshoot channel in Kubernetes Slack](https://kubernetes.slack.com/channels/app-troubleshoot). + +# Software Bill of Materials +A signed SBOM that includes Troubleshoot dependencies is included in each release. +- **troubleshoot-sbom.tgz** contains a software bill of materials for Troubleshoot. +- **troubleshoot-sbom.tgz.sig** is the digital signature for troubleshoot-sbom.tgz +- **key.pub** is the public key from the key pair used to sign troubleshoot-sbom.tgz + +The following example illustrates using [cosign](https://github.com/sigstore/cosign) to verify that **troubleshoot-sbom.tgz** has +not been tampered with. +```shell +$ cosign verify-blob -key key.pub -signature troubleshoot-sbom.tgz.sig troubleshoot-sbom.tgz +Verified OK +``` \ No newline at end of file 
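Review bot: The `sbom` target at the end of the hunk is both a rule name and the directory that `init-sbom` creates with `mkdir -p sbom/spdx sbom/assets`, and it is the only new target missing from `.PHONY`, so once `sbom/` exists make treats it as a file and decides whether to run the signing recipe by comparing the directory's mtime with `sbom/assets/troubleshoot-sbom.tgz`. Its recipe also writes `troubleshoot-sbom.tgz.sig` and `key.pub` rather than `$@`, so nothing it produces is tracked by a rule. Adding `.PHONY: sbom` (the workflow hunk calls `make sbom`, so renaming the target would touch the caller) makes the step run unconditionally, and giving the `.sig` and `key.pub` their own file targets would let make see them as outputs. Note also that `sbom/assets/troubleshoot-sbom.tgz` depends on the phony `generate-sbom`, so the SBOM is regenerated and re-signed on every invocation; that is acceptable for CI but worth a one-line comment on the rule.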
diff --git a/deploy/.goreleaser.yaml b/deploy/.goreleaser.yaml
index 0f100ef2..050e8887 100644
--- a/deploy/.goreleaser.yaml
+++ b/deploy/.goreleaser.yaml
@@ -58,6 +58,7 @@ archives:
 - README*
 - changelog*
 - CHANGELOG*
+ - sbom/assets/*
 - id: support-bundle
 builds:
 - support-bundle
diff --git a/scripts/initialize-sbom-build.sh b/scripts/initialize-sbom-build.sh
new file mode 100755
index 00000000..34b2759d
--- /dev/null
+++ b/scripts/initialize-sbom-build.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+set -euo pipefail
+
+if [ -n "${COSIGN_KEY}" ]
+then
+ echo "Writing cosign key to file"
+ echo "${COSIGN_KEY}" | base64 -d > ./cosign.key
+else
+ echo "ERROR: Missing COSIGN_KEY!"
+fi
+
+if ! command -v spdx-sbom-generator &> /dev/null
+then
+ echo "Installing spdx-sbom-generator"
+ curl -L https://github.com/spdx/spdx-sbom-generator/releases/download/v0.0.13/spdx-sbom-generator-v0.0.13-linux-amd64.tar.gz -o ./sbom/spdx-sbom-generator.tar.gz
+ curl -L https://github.com/spdx/spdx-sbom-generator/releases/download/v0.0.13/spdx-sbom-generator-v0.0.13-linux-amd64.tar.gz.md5 -o ./sbom/spdx-sbom-generator.tar.gz.md5
+ md5sum ./sbom/spdx-sbom-generator.tar.gz | cut --bytes=1-32 > ./sbom/checksum
+
+ if ! cmp ./sbom/checksum ./sbom/spdx-sbom-generator.tar.gz.md5
+ then
+ echo "ERROR: spdx-sbom-generator.tar.gz md5 sum does not match!"
+ exit 1
+ fi
+
+ tar -xzvf ./sbom/spdx-sbom-generator.tar.gz -C sbom
+fi
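Review bot: The added `- sbom/assets/*` entry ships `key.pub` inside the same release archive as `troubleshoot-sbom.tgz` and its `.sig`, so a verifier who takes the key from the archive only confirms that the three files are consistent with each other, not that they originate from this project. Anyone able to replace the archive could replace all three together. Publishing the public key through a second channel, for example committed in the repository or attached to the release notes, and pointing verification at that copy gives the signature its intended meaning; the verification example in this commit's README change would then reference the published key rather than the bundled one.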
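Review bot: The `else` branch after `if [ -n "${COSIGN_KEY}" ]` prints `ERROR: Missing COSIGN_KEY!` but does not exit, so without a key the script continues and the failure only surfaces later when the Makefile's `cosign sign-blob -key cosign.key` finds no file; under `set -u` an unset variable also aborts at the test itself with an unbound-variable message instead of reaching that branch. Writing the test as `if [ -n "${COSIGN_KEY:-}" ]` and adding `exit 1` after the echo makes both cases fail early with the intended message. The install guard `command -v spdx-sbom-generator` tests PATH, while the Makefile runs `./sbom/spdx-sbom-generator`, so a copy already on PATH skips the download and leaves the Makefile's path missing; checking the file the Makefile uses, `if [ ! -x ./sbom/spdx-sbom-generator ]`, keeps the two in step (assuming the tarball extracts the binary under that name, which the hunk does not show). The md5 comparison fetches the digest from the same origin as the archive, so it catches a corrupted download but not a substituted one; pinning the expected sha256 of the v0.0.13 tarball in the script and comparing against that would give a real integrity check.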