Refactor the cosign script. #823

Merged (1 commit) on Sep 12, 2021
4 changes: 3 additions & 1 deletion cloudbuild.yaml
@@ -57,6 +57,8 @@ steps:
- PROJECT_ID=${PROJECT_ID}
- COMMIT_SHA=${COMMIT_SHA}
- REGISTRY=gcr.io
- KMS_VAL=gcpkms://projects/${PROJECT_ID}/locations/global/keyRings/cosign/cryptoKeys/cosign
entrypoint: sh
args:
- ./cloudbuild_cosign.sh
- -c
- ./cloudbuild_cosign.sh -key $KMS_VAL
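Review bot: the added `-c` / `./cloudbuild_cosign.sh -key $KMS_VAL` pair leaves `$KMS_VAL` unquoted inside the string handed to `sh -c`, so the shell word-splits it at runtime; the value set in this step's `env` block has no whitespace today, but quoting it as `./cloudbuild_cosign.sh -key "$KMS_VAL"` costs nothing and keeps the key reference intact if the `KMS_VAL` env entry is ever changed. The `sh -c` indirection itself is the right choice here: Cloud Build does not expand container environment variables in `args`, so the variable must be expanded by the shell in the step rather than passed as a bare list element. It would also help to add a short comment above `args:` saying that everything after the script name is forwarded verbatim to `cosign sign`, since that contract is what the script change on the other side of this PR relies on.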
50 changes: 24 additions & 26 deletions cloudbuild_cosign.sh
@@ -4,43 +4,41 @@ set -o errexit
set -o xtrace


export KMS_VAL=gcpkms://projects/$PROJECT_ID/locations/global/keyRings/cosign/cryptoKeys/cosign

cosign version

# Get all images from 'images' file

while IFS= read -r line; do
cosign sign -key $KMS_VAL $line
cosign sign "$@" $line
done < images

# Sign 'latest' images with cosign
for distro_suffix in "" -debian10 -debian11; do
cosign sign -key $KMS_VAL gcr.io/$PROJECT_ID/static${distro_suffix}:nonroot
cosign sign -key $KMS_VAL gcr.io/$PROJECT_ID/static${distro_suffix}:latest
cosign sign -key $KMS_VAL gcr.io/$PROJECT_ID/static${distro_suffix}:debug-nonroot
cosign sign -key $KMS_VAL gcr.io/$PROJECT_ID/static${distro_suffix}:debug

cosign sign -key $KMS_VAL gcr.io/$PROJECT_ID/base${distro_suffix}:nonroot
cosign sign -key $KMS_VAL gcr.io/$PROJECT_ID/base${distro_suffix}:latest
cosign sign -key $KMS_VAL gcr.io/$PROJECT_ID/base${distro_suffix}:debug-nonroot
cosign sign -key $KMS_VAL gcr.io/$PROJECT_ID/base${distro_suffix}:debug
cosign sign "$@" gcr.io/$PROJECT_ID/static${distro_suffix}:nonroot
cosign sign "$@" gcr.io/$PROJECT_ID/static${distro_suffix}:latest
cosign sign "$@" gcr.io/$PROJECT_ID/static${distro_suffix}:debug-nonroot
cosign sign "$@" gcr.io/$PROJECT_ID/static${distro_suffix}:debug

cosign sign "$@" gcr.io/$PROJECT_ID/base${distro_suffix}:nonroot
cosign sign "$@" gcr.io/$PROJECT_ID/base${distro_suffix}:latest
cosign sign "$@" gcr.io/$PROJECT_ID/base${distro_suffix}:debug-nonroot
cosign sign "$@" gcr.io/$PROJECT_ID/base${distro_suffix}:debug
done

for distro_suffix in "" -debian10; do
cosign sign -key $KMS_VAL gcr.io/$PROJECT_ID/cc${distro_suffix}:nonroot
cosign sign -key $KMS_VAL gcr.io/$PROJECT_ID/cc${distro_suffix}:latest
cosign sign -key $KMS_VAL gcr.io/$PROJECT_ID/cc${distro_suffix}:debug-nonroot
cosign sign -key $KMS_VAL gcr.io/$PROJECT_ID/cc${distro_suffix}:debug

cosign sign -key $KMS_VAL gcr.io/$PROJECT_ID/python2.7${distro_suffix}:latest
cosign sign -key $KMS_VAL gcr.io/$PROJECT_ID/python2.7${distro_suffix}:debug

cosign sign -key $KMS_VAL gcr.io/$PROJECT_ID/python3${distro_suffix}:nonroot
cosign sign -key $KMS_VAL gcr.io/$PROJECT_ID/python3${distro_suffix}:latest
cosign sign -key $KMS_VAL gcr.io/$PROJECT_ID/python3${distro_suffix}:debug-nonroot
cosign sign -key $KMS_VAL gcr.io/$PROJECT_ID/python3${distro_suffix}:debug
cosign sign "$@" gcr.io/$PROJECT_ID/cc${distro_suffix}:nonroot
cosign sign "$@" gcr.io/$PROJECT_ID/cc${distro_suffix}:latest
cosign sign "$@" gcr.io/$PROJECT_ID/cc${distro_suffix}:debug-nonroot
cosign sign "$@" gcr.io/$PROJECT_ID/cc${distro_suffix}:debug

cosign sign "$@" gcr.io/$PROJECT_ID/python2.7${distro_suffix}:latest
cosign sign "$@" gcr.io/$PROJECT_ID/python2.7${distro_suffix}:debug

cosign sign "$@" gcr.io/$PROJECT_ID/python3${distro_suffix}:nonroot
cosign sign "$@" gcr.io/$PROJECT_ID/python3${distro_suffix}:latest
cosign sign "$@" gcr.io/$PROJECT_ID/python3${distro_suffix}:debug-nonroot
cosign sign "$@" gcr.io/$PROJECT_ID/python3${distro_suffix}:debug
done

cosign sign -key $KMS_VAL gcr.io/$PROJECT_ID/nodejs:latest
cosign sign -key $KMS_VAL gcr.io/$PROJECT_ID/nodejs:debug
cosign sign "$@" gcr.io/$PROJECT_ID/nodejs:latest
cosign sign "$@" gcr.io/$PROJECT_ID/nodejs:debug
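Review bot: with the `export KMS_VAL=...` line removed, the script no longer guarantees that a signing key is supplied; if a caller invokes it with no arguments, every `cosign sign "$@" ...` call becomes a bare `cosign sign <image>` and the behaviour depends on cosign's defaults for that version rather than on an explicit key. Add a fail-fast guard near the top, right after `set -o xtrace`, such as `[ "$#" -gt 0 ] || { echo "usage: $0 <cosign sign flags>" >&2; exit 1; }`, so a misconfigured pipeline aborts before signing anything. In the `while IFS= read -r line` loop, `$line` is still unquoted in `cosign sign "$@" $line`; quote it as `"$line"` and skip blank lines (`[ -n "$line" ] || continue`), otherwise an empty or trailing line in `images` produces `cosign sign -key ... ` with no image argument and, under `set -o errexit`, aborts the run part-way through the list. A one-line header comment explaining that all arguments are forwarded to `cosign sign` would also document the new calling convention for the next person editing `cloudbuild.yaml`.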