oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2025-11-17 08:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

split signing setup into pre-release hook (#794)

Browse Source 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
This commit is contained in:
Alex Goodman 2022-02-04 16:49:42 -05:00 committed by GitHub
parent e4ac7700dd
commit e7bef5e511
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 138 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.github/scripts/apple-signing/.gitignore vendored
View File

@ -1,2 +1,3 @@
dev-pki dev-pki
log log
signing-identity.txt

4
.github/scripts/apple-signing/cleanup.sh vendored
View File

@ -6,5 +6,5 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
. "$SCRIPT_DIR"/utils.sh . "$SCRIPT_DIR"/utils.sh
# cleanup any dev certs left behind # cleanup any dev certs left behind
. "$SCRIPT_DIR"/prep-signing-dev.sh . "$SCRIPT_DIR"/setup-dev.sh
cleanup_signing cleanup_signing

65
.github/scripts/apple-signing/run.sh vendored
View File

@ -1,65 +0,0 @@
#!/usr/bin/env bash
set -eu
ARCHIVE_PATH="$1"
IS_SNAPSHOT="$2"
## grab utilities
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
. "$SCRIPT_DIR"/utils.sh
main() {
perform_notarization=false
archive_abs_path=$(realpath "$ARCHIVE_PATH")
if [ ! -f "$archive_abs_path" ]; then
echo "archive does not exist: $archive_abs_path"
fi
case "$IS_SNAPSHOT" in
"1" | "true" | "yes")
commentary "assuming development setup..."
. "$SCRIPT_DIR"/prep-signing-dev.sh
;;
"0" | "false" | "no")
commentary "assuming production setup..."
. "$SCRIPT_DIR"/prep-signing-prod.sh
. "$SCRIPT_DIR"/notarize.sh
perform_notarization=true
;;
*)
exit_with_error "could not determine if this was a production build (isSnapshot='$IS_SNAPSHOT')"
;;
esac
. "$SCRIPT_DIR"/sign.sh
# load up all signing material into a keychain (note: this should set the MAC_SIGNING_IDENTITY env var)
setup_signing
# sign all of the binaries in the archive and recreate the input archive with the signed binaries
sign_binaries_in_archive "$archive_abs_path" "$MAC_SIGNING_IDENTITY"
# send all of the binaries off to apple to bless
if $perform_notarization ; then
notarize "$archive_abs_path"
else
commentary "skipping notarization..."
fi
}
set +u
if [ -z "$SCRIPT" ]
then
set -u
# log all output
mkdir -p "$SCRIPT_DIR/log"
/usr/bin/script "$SCRIPT_DIR/log/signing-$(basename $ARCHIVE_PATH).txt" /bin/bash -c "$0 $*"
exit $?
else
set -u
main
fi

3
.github/scripts/apple-signing/prep-signing-dev.sh → .github/scripts/apple-signing/setup-dev.sh vendored
View File

@ -162,11 +162,10 @@ EOF
} }
function cleanup_signing() { function cleanup_signing() {
title "delete the dev keychain and all certificate material" title "delete the dev keychain and all certificate material"
set -xue set -xue
security delete-keychain "$KEYCHAIN_NAME" security delete-keychain "$KEYCHAIN_NAME"
rm -f "$KEYCHAIN_PATH" rm -f "$KEYCHAIN_PATH"
rm -rf "${DIR}" rm -rf "${DIR}"
} }

0
.github/scripts/apple-signing/prep-signing-prod.sh → .github/scripts/apple-signing/setup-prod.sh vendored
View File

49
.github/scripts/apple-signing/setup.sh vendored Executable file
View File

@ -0,0 +1,49 @@
#!/usr/bin/env bash
set -eu
IS_SNAPSHOT="$1"
## grab utilities
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
. "$SCRIPT_DIR"/utils.sh
main() {
case "$IS_SNAPSHOT" in
"1" | "true" | "yes")
commentary "assuming development setup..."
. "$SCRIPT_DIR"/setup-dev.sh
;;
"0" | "false" | "no")
commentary "assuming production setup..."
. "$SCRIPT_DIR"/setup-prod.sh
;;
*)
exit_with_error "could not determine if this was a production build (isSnapshot='$IS_SNAPSHOT')"
;;
esac
# load up all signing material into a keychain (note: this should set the MAC_SIGNING_IDENTITY env var)
setup_signing
# write out identity to a file
echo -n "$MAC_SIGNING_IDENTITY" > "$SCRIPT_DIR/$SIGNING_IDENTITY_FILENAME"
}
set +u
if [ -z "$SCRIPT" ]
then
set -u
# log all output
mkdir -p "$SCRIPT_DIR/log"
/usr/bin/script "$SCRIPT_DIR/log/setup.txt" /bin/bash -c "$0 $*"
exit $?
elif [ -n "$SKIP_SIGNING" ]; then
commentary "skipping signing setup..."
else
set -u
main
fi

80
.github/scripts/apple-signing/sign.sh vendored
View File

@ -1,6 +1,14 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -eu set -eu
ARCHIVE_PATH="$1"
IS_SNAPSHOT="$2"
## grab utilities
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
. "$SCRIPT_DIR"/utils.sh
# sign_binary [binary-path] [signing-identity] # sign_binary [binary-path] [signing-identity]
# #
# signs a single binary with cosign # signs a single binary with cosign
@ -43,36 +51,90 @@ sign_binary() {
sign_binaries_in_archive() { sign_binaries_in_archive() {
archive_abs_path=$1 archive_abs_path=$1
identity=$2 identity=$2
scratch_path=$(mktemp -d) scratch_path=$(mktemp -d)
trap "rm -rf -- $scratch_path" EXIT trap "rm -rf -- $scratch_path" EXIT
title "getting contents from the release archive: $archive_abs_path" title "getting contents from the release archive: $archive_abs_path"
tar -C "$scratch_path" -xvf "$archive_abs_path" tar -C "$scratch_path" -xvf "$archive_abs_path"
# invalidate the current archive, we only want an asset with signed binaries from this point forward # invalidate the current archive, we only want an asset with signed binaries from this point forward
rm "$archive_abs_path" rm "$archive_abs_path"
title "signing binaries found in the release archive" title "signing binaries found in the release archive"
discovered_binaries=0 discovered_binaries=0
tmp_pipe=$(mktemp -ut pipe.XXX) tmp_pipe=$(mktemp -ut pipe.XXX)
mkfifo "$tmp_pipe" mkfifo "$tmp_pipe"
find "$scratch_path" -perm +111 -type f > "$tmp_pipe" & find "$scratch_path" -perm +111 -type f > "$tmp_pipe" &
while IFS= read -r binary; do while IFS= read -r binary; do
sign_binary "$binary" "$identity" sign_binary "$binary" "$identity"
((discovered_binaries++)) ((discovered_binaries++))
done < "$tmp_pipe" done < "$tmp_pipe"
rm "$tmp_pipe" rm "$tmp_pipe"
if [ "$discovered_binaries" = "0" ]; then if [ "$discovered_binaries" = "0" ]; then
exit_with_error "found no binaries to sign" exit_with_error "found no binaries to sign"
fi fi
title "recreating the release archive: $archive_abs_path" title "recreating the release archive: $archive_abs_path"
(cd "$scratch_path" && tar -czvf "$archive_abs_path" .) (cd "$scratch_path" && tar -czvf "$archive_abs_path" .)
} }
main() {
archive_abs_path=$(realpath "$ARCHIVE_PATH")
if [ ! -f "$archive_abs_path" ]; then
echo "archive does not exist: $archive_abs_path"
fi
case "$IS_SNAPSHOT" in
"1" | "true" | "yes")
commentary "disabling notarization..."
perform_notarization=false
;;
"0" | "false" | "no")
commentary "enabling notarization..."
. "$SCRIPT_DIR"/notarize.sh
perform_notarization=true
;;
*)
exit_with_error "could not determine if this was a production build (isSnapshot='$IS_SNAPSHOT')"
;;
esac
# grab the signing identity from the local temp file (setup by setup.sh)
MAC_SIGNING_IDENTITY=$(cat "$SCRIPT_DIR/$SIGNING_IDENTITY_FILENAME")
# sign all of the binaries in the archive and recreate the input archive with the signed binaries
sign_binaries_in_archive "$archive_abs_path" "$MAC_SIGNING_IDENTITY"
# send all of the binaries off to apple to bless
if $perform_notarization ; then
notarize "$archive_abs_path"
else
commentary "skipping notarization..."
fi
}
set +u
if [ -z "$SCRIPT" ]
then
set -u
# log all output
mkdir -p "$SCRIPT_DIR/log"
/usr/bin/script "$SCRIPT_DIR/log/signing-$(basename $ARCHIVE_PATH).txt" /bin/bash -c "$0 $*"
exit $?
elif [ -n "$SKIP_SIGNING" ]; then
commentary "skipping signing..."
else
set -u
main
fi

2
.github/scripts/apple-signing/utils.sh vendored
View File

@ -1,3 +1,5 @@
SIGNING_IDENTITY_FILENAME=signing-identity.txt
## terminal goodies ## terminal goodies
PURPLE='\033[0;35m' PURPLE='\033[0;35m'
GREEN='\033[0;32m' GREEN='\033[0;32m'

6
.goreleaser.yaml
View File

@ -6,6 +6,10 @@ env:
# required to support multi architecture docker builds # required to support multi architecture docker builds
- DOCKER_CLI_EXPERIMENTAL=enabled - DOCKER_CLI_EXPERIMENTAL=enabled
before:
hooks:
- ./.github/scripts/apple-signing/setup.sh {{ .IsSnapshot }}
builds: builds:
- id: linux-build - id: linux-build
binary: syft binary: syft
@ -68,7 +72,7 @@ signs:
ids: ids:
- darwin-archives - darwin-archives
signature: "${artifact}" signature: "${artifact}"
cmd: ./.github/scripts/apple-signing/run.sh cmd: ./.github/scripts/apple-signing/sign.sh
args: args:
- "${artifact}" - "${artifact}"
- "{{ .IsSnapshot }}" - "{{ .IsSnapshot }}"

12
Makefile
View File

@ -233,7 +233,7 @@ $(SNAPSHOTDIR): ## Build snapshot release binaries and packages
cat .goreleaser.yaml >> $(TEMPDIR)/goreleaser.yaml cat .goreleaser.yaml >> $(TEMPDIR)/goreleaser.yaml
# build release snapshots # build release snapshots
$(SNAPSHOT_CMD) --skip-sign --config $(TEMPDIR)/goreleaser.yaml bash -c "SKIP_SIGNING=true $(SNAPSHOT_CMD) --skip-sign --config $(TEMPDIR)/goreleaser.yaml"
.PHONY: snapshot-with-signing .PHONY: snapshot-with-signing
snapshot-with-signing: ## Build snapshot release binaries and packages (with dummy signing) snapshot-with-signing: ## Build snapshot release binaries and packages (with dummy signing)
@ -243,10 +243,10 @@ snapshot-with-signing: ## Build snapshot release binaries and packages (with dum
echo "dist: $(SNAPSHOTDIR)" > $(TEMPDIR)/goreleaser.yaml echo "dist: $(SNAPSHOTDIR)" > $(TEMPDIR)/goreleaser.yaml
cat .goreleaser.yaml >> $(TEMPDIR)/goreleaser.yaml cat .goreleaser.yaml >> $(TEMPDIR)/goreleaser.yaml
rm -f .github/scripts/apple-signing/log/signing-* rm -f .github/scripts/apple-signing/log/*.txt
# build release snapshots # build release snapshots
bash -c "$(SNAPSHOT_CMD) --config $(TEMPDIR)/goreleaser.yaml || (cat .github/scripts/apple-signing/log/signing-* && false)" bash -c "$(SNAPSHOT_CMD) --config $(TEMPDIR)/goreleaser.yaml || (cat .github/scripts/apple-signing/log/*.txt && false)"
# remove the keychain with the trusted self-signed cert automatically # remove the keychain with the trusted self-signed cert automatically
.github/scripts/apple-signing/cleanup.sh .github/scripts/apple-signing/cleanup.sh
@ -317,15 +317,15 @@ release: clean-dist CHANGELOG.md ## Build and publish final binaries and packag
echo "dist: $(DISTDIR)" > $(TEMPDIR)/goreleaser.yaml echo "dist: $(DISTDIR)" > $(TEMPDIR)/goreleaser.yaml
cat .goreleaser.yaml >> $(TEMPDIR)/goreleaser.yaml cat .goreleaser.yaml >> $(TEMPDIR)/goreleaser.yaml
rm -f .github/scripts/apple-signing/log/signing-* rm -f .github/scripts/apple-signing/log/*.txt
bash -c "\ bash -c "\
$(RELEASE_CMD) \ $(RELEASE_CMD) \
--config $(TEMPDIR)/goreleaser.yaml \ --config $(TEMPDIR)/goreleaser.yaml \
--release-notes <(cat CHANGELOG.md)\ --release-notes <(cat CHANGELOG.md)\
|| cat .github/scripts/apple-signing/log/signing-* && false" || cat .github/scripts/apple-signing/log/*.txt && false"
cat .github/scripts/apple-signing/log/signing-* cat .github/scripts/apple-signing/log/*.txt
# upload the version file that supports the application version update check (excluding pre-releases) # upload the version file that supports the application version update check (excluding pre-releases)
.github/scripts/update-version-file.sh "$(DISTDIR)" "$(VERSION)" .github/scripts/update-version-file.sh "$(DISTDIR)" "$(VERSION)"