From 13a76c420d9be7ef77e0ce204da8de6e616eea91 Mon Sep 17 00:00:00 2001 From: mjs Date: Sun, 19 Nov 2023 23:59:07 +1300 Subject: [PATCH] feat: Check that cosign.pub matches private key This avoids images which can't be updated due to `invalid signature` errors because cosign.pub doesn't match the private key actually used for signing. The error is caught early in the build process as there's no point creating an image if cosign.pub is wrong. --- .github/workflows/build.yml | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 33fd6933e1..79b997cd08 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -54,6 +54,28 @@ jobs: - name: Checkout Push to Registry action uses: actions/checkout@v4 + # Confirm that cosign.pub matches SIGNING_SECRET + - uses: sigstore/cosign-installer@v3.2.0 + if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' + + - name: Check SIGNING_SECRET matches cosign.pub + if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' + env: + COSIGN_EXPERIMENTAL: false + COSIGN_PASSWORD: "" + COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} + shell: bash + run: | + echo "Checking for difference between public key from SIGNING_SECRET and cosign.pub" + delta=$(diff -u <(cosign public-key --key env://COSIGN_PRIVATE_KEY) cosign.pub) + if [ -z "$delta" ]; then + echo "cosign.pub matches SIGNING_SECRET" + else + echo "cosign.pub does not match SIGNING_SECRET" + echo "$delta" + exit 1 + fi + - name: Check just syntax uses: ublue-os/just-action@v1 @@ -183,9 +205,6 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} # Sign container - - uses: sigstore/cosign-installer@v3.2.0 - if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - - name: Sign container image if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' run: |