From f74fd1057304ecb8d6f507f5a911ccb0f9e22e3a Mon Sep 17 00:00:00 2001 From: Hayden B Date: Thu, 21 Mar 2024 10:35:16 -0700 Subject: [PATCH 01/13] Update cloud build script to latest for v1.13.x Will use the latest Go binary and Cosign version Signed-off-by: Hayden B --- release/cloudbuild.yaml | 127 ++++++++++++++++++++-------------------- 1 file changed, 65 insertions(+), 62 deletions(-) diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml index 921dc455ca8..f94d67ec2cc 100644 --- a/release/cloudbuild.yaml +++ b/release/cloudbuild.yaml 
@@ -32,83 +32,86 @@ steps: echo "Checking out ${_GIT_TAG}" git checkout ${_GIT_TAG} -- name: 'gcr.io/projectsigstore/cosign:v1.13.1@sha256:fd5b09be23ef1027e1bdd490ce78dcc65d2b15902e1f4ba8e04f3b4019cc1057' - dir: "go/src/sigstore/cosign" - env: - - COSIGN_EXPERIMENTAL=true - - TUF_ROOT=/tmp - args: - - 'verify' - - 'ghcr.io/gythialy/golang-cross:v1.19.13-0@sha256:06e3605b227948431d43f4a868b68d4a771c71c728099f37856e404f2d77cf06' + - name: 'gcr.io/projectsigstore/cosign:v2.2.3-dev@sha256:0d795fa145b03026b7bc2a35e33068cdb75e1c1f974e604c17408bf7bd174967' + dir: "go/src/sigstore/cosign" + env: + - TUF_ROOT=/tmp + args: + - 'verify' + - 'ghcr.io/gythialy/golang-cross:v1.21.8-0@sha256:9c86fc6c6763cd5cd9a07f25083fc5a87f3525b5f8d7ff886822e2153f0c8405' + - '--certificate-oidc-issuer' + - "https://token.actions.githubusercontent.com" + - '--certificate-identity' + - "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.21.8-0" -# maybe we can build our own image and use that to be more in a safe side -- name: ghcr.io/gythialy/golang-cross:v1.19.13-0@sha256:06e3605b227948431d43f4a868b68d4a771c71c728099f37856e404f2d77cf06 - entrypoint: /bin/sh - dir: "go/src/sigstore/cosign" - env: - - "GOPATH=/workspace/go" - - "GOBIN=/workspace/bin" - - PROJECT_ID=${PROJECT_ID} - - KEY_LOCATION=${_KEY_LOCATION} - - KEY_RING=${_KEY_RING} - - KEY_NAME=${_KEY_NAME} - - KEY_VERSION=${_KEY_VERSION} - - GIT_TAG=${_GIT_TAG} - - GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com - - COSIGN_EXPERIMENTAL=true - - KO_PREFIX=gcr.io/${PROJECT_ID} - secretEnv: - - GITHUB_TOKEN - args: - - '-c' - - | - gcloud auth configure-docker \ - && make release + # maybe we can build our own image and use that to be more in a safe side + - name: ghcr.io/gythialy/golang-cross:v1.21.8-0@sha256:9c86fc6c6763cd5cd9a07f25083fc5a87f3525b5f8d7ff886822e2153f0c8405 + entrypoint: /bin/sh + dir: "go/src/sigstore/cosign" + env: + - "GOPATH=/workspace/go" + - 
"GOBIN=/workspace/bin" + - PROJECT_ID=${PROJECT_ID} + - KEY_LOCATION=${_KEY_LOCATION} + - KEY_RING=${_KEY_RING} + - KEY_NAME=${_KEY_NAME} + - KEY_VERSION=${_KEY_VERSION} + - GIT_TAG=${_GIT_TAG} + - GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com + - COSIGN_YES=true + - KO_PREFIX=gcr.io/${PROJECT_ID} + secretEnv: + - GITHUB_TOKEN + args: + - '-c' + - | + gcloud auth configure-docker \ + && make release -- name: ghcr.io/gythialy/golang-cross:v1.19.13-0@sha256:06e3605b227948431d43f4a868b68d4a771c71c728099f37856e404f2d77cf06 - entrypoint: 'bash' - dir: "go/src/sigstore/cosign" - env: - - "GOPATH=/workspace/go" - - "GOBIN=/workspace/bin" - - PROJECT_ID=${PROJECT_ID} - - KEY_LOCATION=${_KEY_LOCATION} - - KEY_RING=${_KEY_RING} - - KEY_NAME=${_KEY_NAME} - - KEY_VERSION=${_KEY_VERSION} - - GIT_TAG=${_GIT_TAG} - - KO_PREFIX=gcr.io/${PROJECT_ID} - - COSIGN_EXPERIMENTAL=true - - GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com - - GITHUB_USER=${_GITHUB_USER} - secretEnv: - - GITHUB_TOKEN - args: - - '-c' - - | - echo $$GITHUB_TOKEN | docker login ghcr.io -u $$GITHUB_USER --password-stdin \ - && make copy-signed-release-to-ghcr || true + - name: ghcr.io/gythialy/golang-cross:v1.21.8-0@sha256:9c86fc6c6763cd5cd9a07f25083fc5a87f3525b5f8d7ff886822e2153f0c8405 + entrypoint: 'bash' + dir: "go/src/sigstore/cosign" + env: + - "GOPATH=/workspace/go" + - "GOBIN=/workspace/bin" + - PROJECT_ID=${PROJECT_ID} + - KEY_LOCATION=${_KEY_LOCATION} + - KEY_RING=${_KEY_RING} + - KEY_NAME=${_KEY_NAME} + - KEY_VERSION=${_KEY_VERSION} + - GIT_TAG=${_GIT_TAG} + - KO_PREFIX=gcr.io/${PROJECT_ID} + - COSIGN_YES=true + - GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com + - GITHUB_USER=${_GITHUB_USER} + secretEnv: + - GITHUB_TOKEN + args: + - '-c' + - | + echo $$GITHUB_TOKEN | docker login ghcr.io -u $$GITHUB_USER --password-stdin \ + && make sign-release-images && make copy-signed-release-to-ghcr || true availableSecrets: 
secretManager: - - versionName: projects/${PROJECT_NUMBER}/secrets/GITHUB_TOKEN/versions/latest - env: GITHUB_TOKEN + - versionName: projects/${PROJECT_NUMBER}/secrets/GITHUB_TOKEN/versions/latest + env: GITHUB_TOKEN artifacts: objects: location: 'gs://${_STORAGE_LOCATION}/${_GIT_TAG}' paths: - - "go/src/sigstore/cosign/dist/*" - - "go/src/sigstore/cosign/release/release-cosign.pub" + - "go/src/sigstore/cosign/dist/*" + - "go/src/sigstore/cosign/release/release-cosign.pub" options: machineType: E2_HIGHCPU_32 tags: -- cosign-release -- ${_GIT_TAG} -- ${_TOOL_ORG} -- ${_TOOL_REPO} + - cosign-release + - ${_GIT_TAG} + - ${_TOOL_ORG} + - ${_TOOL_REPO} substitutions: _GIT_TAG: 'v1.23.45' From 76498a1755c63fe9d1576c4a467048cf1b19815d Mon Sep 17 00:00:00 2001 From: Hayden B Date: Thu, 21 Mar 2024 10:38:35 -0700 Subject: [PATCH 02/13] Update validate-release.yml Signed-off-by: Hayden B --- .github/workflows/validate-release.yml | 64 +++----------------------- 1 file changed, 7 insertions(+), 57 deletions(-) diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml index 071a933c6bc..305b5e5774c 100644 --- a/.github/workflows/validate-release.yml +++ b/.github/workflows/validate-release.yml 
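Review bot: In the last build step, `make sign-release-images` is now chained inside the same `… || true` that previously covered only `make copy-signed-release-to-ghcr`, so a failed KMS or keyless `cosign sign` leaves the Cloud Build green while the images that `ko` (a prerequisite of `sign-release-images` in release/release.mk) has already pushed stay published unsigned. Keep the best-effort behaviour for the copy alone, `&& make sign-release-images && (make copy-signed-release-to-ghcr || true)`, or drop `|| true` entirely so a signing failure fails the release. The `cosign verify` step pinning `--certificate-identity` to the exact `refs/tags/v1.21.8-0` is the right shape; a one-line comment that the image digest, tag and identity must be bumped together would spare the next person who updates only one of them.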
@@ -26,15 +26,16 @@ jobs: check-signature: runs-on: ubuntu-latest container: - image: gcr.io/projectsigstore/cosign:v1.13.1@sha256:fd5b09be23ef1027e1bdd490ce78dcc65d2b15902e1f4ba8e04f3b4019cc1057 + image: gcr.io/projectsigstore/cosign:v2.2.3-dev@sha256:0d795fa145b03026b7bc2a35e33068cdb75e1c1f974e604c17408bf7bd174967 steps: - name: Check Signature run: | - cosign verify ghcr.io/gythialy/golang-cross:v1.19.13-0@sha256:06e3605b227948431d43f4a868b68d4a771c71c728099f37856e404f2d77cf06 + cosign verify ghcr.io/gythialy/golang-cross:v1.21.8-0@sha256:9c86fc6c6763cd5cd9a07f25083fc5a87f3525b5f8d7ff886822e2153f0c8405 \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.21.8-0" env: TUF_ROOT: /tmp - COSIGN_EXPERIMENTAL: true validate-release-job: runs-on: ubuntu-latest @@ -42,12 +43,12 @@ jobs: - check-signature container: - image: ghcr.io/gythialy/golang-cross:v1.19.13-0@sha256:06e3605b227948431d43f4a868b68d4a771c71c728099f37856e404f2d77cf06 + image: ghcr.io/gythialy/golang-cross:v1.21.8-0@sha256:9c86fc6c6763cd5cd9a07f25083fc5a87f3525b5f8d7ff886822e2153f0c8405 permissions: {} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 # Error: fatal: detected dubious ownership in repository at '/__w/cosign/cosign' # To add an exception for this directory, call: 
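Review bot: The `check-signature` job's trust anchor is itself a pre-release build, `gcr.io/projectsigstore/cosign:v2.2.3-dev`, and the same image is used in release/cloudbuild.yaml; it is digest-pinned so the run is reproducible, but a `-dev` tag is by convention not a vetted release, and the tool that gates the builder image should be at least as trustworthy as what it verifies. Prefer a released cosign tag (still `@sha256:` pinned), or add a comment next to `image:` explaining why a dev build is required here if it has to stay. The keyless check with `--certificate-oidc-issuer` plus an identity pinned to `refs/tags/v1.21.8-0` is otherwise the right shape.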
@@ -112,62 +113,11 @@ jobs: - name: check disk space run: df -h - - name: free up disk space - run: | - rm -rf /usr/share/dotnet/ - rm -rf "$AGENT_TOOLSDIRECTORY" - rm -rf "/usr/local/share/boost" - rm -rf /opt/ghc - docker rmi $(docker image ls -aq) || true - swapoff /swapfile || true - rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc || true - apt purge aria2 ansible hhvm mono-devel azure-cli shellcheck rpm xorriso zsync \ - clang-6.0 lldb-6.0 lld-6.0 clang-format-6.0 clang-8 lldb-8 lld-8 clang-format-8 \ - clang-9 lldb-9 lld-9 clangd-9 clang-format-9 dotnet-sdk-3.0 dotnet-sdk-3.1=3.1.101-1 \ - esl-erlang firefox g++-8 g++-9 gfortran-8 gfortran-9 google-chrome-stable \ - google-cloud-sdk ghc-8.0.2 ghc-8.2.2 ghc-8.4.4 ghc-8.6.2 ghc-8.6.3 ghc-8.6.4 \ - ghc-8.6.5 ghc-8.8.1 ghc-8.8.2 ghc-8.8.3 ghc-8.10.1 cabal-install-2.0 cabal-install-2.2 \ - cabal-install-2.4 cabal-install-3.0 cabal-install-3.2 heroku imagemagick \ - libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \ - mercurial apt-transport-https mono-complete mysql-client libmysqlclient-dev \ - mysql-server mssql-tools unixodbc-dev yarn bazel chrpath libssl-dev libxft-dev \ - libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev php7.1 php7.1-bcmath \ - php7.1-bz2 php7.1-cgi php7.1-cli php7.1-common php7.1-curl php7.1-dba php7.1-dev \ - php7.1-enchant php7.1-fpm php7.1-gd php7.1-gmp php7.1-imap php7.1-interbase php7.1-intl \ - php7.1-json php7.1-ldap php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-odbc \ - php7.1-opcache php7.1-pgsql php7.1-phpdbg php7.1-pspell php7.1-readline php7.1-recode \ - php7.1-snmp php7.1-soap php7.1-sqlite3 php7.1-sybase php7.1-tidy php7.1-xml \ - php7.1-xmlrpc php7.1-xsl php7.1-zip php7.2 php7.2-bcmath php7.2-bz2 php7.2-cgi \ - php7.2-cli php7.2-common php7.2-curl php7.2-dba php7.2-dev php7.2-enchant php7.2-fpm \ - php7.2-gd php7.2-gmp php7.2-imap php7.2-interbase php7.2-intl php7.2-json php7.2-ldap \ - php7.2-mbstring php7.2-mysql 
php7.2-odbc php7.2-opcache php7.2-pgsql php7.2-phpdbg \ - php7.2-pspell php7.2-readline php7.2-recode php7.2-snmp php7.2-soap php7.2-sqlite3 \ - php7.2-sybase php7.2-tidy php7.2-xml php7.2-xmlrpc php7.2-xsl php7.2-zip php7.3 \ - php7.3-bcmath php7.3-bz2 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-dba \ - php7.3-dev php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-interbase \ - php7.3-intl php7.3-json php7.3-ldap php7.3-mbstring php7.3-mysql php7.3-odbc \ - php7.3-opcache php7.3-pgsql php7.3-phpdbg php7.3-pspell php7.3-readline php7.3-recode \ - php7.3-snmp php7.3-soap php7.3-sqlite3 php7.3-sybase php7.3-tidy php7.3-xml \ - php7.3-xmlrpc php7.3-xsl php7.3-zip php7.4 php7.4-bcmath php7.4-bz2 php7.4-cgi \ - php7.4-cli php7.4-common php7.4-curl php7.4-dba php7.4-dev php7.4-enchant php7.4-fpm \ - php7.4-gd php7.4-gmp php7.4-imap php7.4-interbase php7.4-intl php7.4-json php7.4-ldap \ - php7.4-mbstring php7.4-mysql php7.4-odbc php7.4-opcache php7.4-pgsql php7.4-phpdbg \ - php7.4-pspell php7.4-readline php7.4-snmp php7.4-soap php7.4-sqlite3 php7.4-sybase \ - php7.4-tidy php7.4-xml php7.4-xmlrpc php7.4-xsl php7.4-zip php-amqp php-apcu \ - php-igbinary php-memcache php-memcached php-mongodb php-redis php-xdebug \ - php-zmq snmp pollinate libpq-dev postgresql-client powershell ruby-full \ - sphinxsearch subversion mongodb-org -yq >/dev/null 2>&1 || true - apt-get remove -y 'php.*' || true - apt-get autoremove -y >/dev/null 2>&1 || true - apt-get autoclean -y >/dev/null 2>&1 || true - - name: check disk space - run: df -h - - name: goreleaser snapshot run: make snapshot env: PROJECT_ID: honk-fake-project - RUNTIME_IMAGE: gcr.io/distroless/static:debug-nonroot + RUNTIME_IMAGE: gcr.io/distroless/static-debian12:nonroot - name: check binaries run: | From 672e6761c03801390e57a385206d5f0c30dd4065 Mon Sep 17 00:00:00 2001 From: Hayden B Date: Thu, 21 Mar 2024 10:48:24 -0700 Subject: [PATCH 03/13] Update ko-sign-release-images.sh 
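Review bot: `RUNTIME_IMAGE: gcr.io/distroless/static-debian12:nonroot` is a floating tag while every other image in this workflow is `@sha256` pinned; it is only an env var on the `make snapshot` step, so it is not release-critical, but a tag move can still make what the validate job exercises drift from what the release build used. Pin it by digest (`gcr.io/distroless/static-debian12:nonroot@sha256:…`) and refresh it with the same automation that bumps the other digests. Dropping the `free up disk space` step is fine as long as the job keeps fitting on the runner's default disk; the remaining `check disk space` step is what will show if that assumption breaks.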
Signed-off-by: Hayden B --- release/ko-sign-release-images.sh | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/release/ko-sign-release-images.sh b/release/ko-sign-release-images.sh index 27f8d784388..c9cd94c12b9 100755 --- a/release/ko-sign-release-images.sh +++ b/release/ko-sign-release-images.sh @@ -32,16 +32,8 @@ if [[ ! -f cosignImagerefs ]]; then exit 1 fi -if [[ ! -f sgetImagerefs ]]; then - echo "sgetImagerefs not found" - exit 1 -fi - echo "Signing cosign images with GCP KMS Key..." - -cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat cosignImagerefs) -cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat sgetImagerefs) +cosign sign --yes --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat cosignImagerefs) echo "Signing images with Keyless..." -cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat cosignImagerefs) -cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat sgetImagerefs) +cosign sign --yes -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat cosignImagerefs) From 8402458faa6173a644ef65682b103da165e4baaa Mon Sep 17 00:00:00 2001 From: Hayden B Date: Thu, 21 Mar 2024 11:11:55 -0700 Subject: [PATCH 04/13] Update .goreleaser.yml Signed-off-by: Hayden B --- .goreleaser.yml | 300 ++++++++++++++++++++++-------------------------- 1 file changed, 137 insertions(+), 163 deletions(-) diff --git a/.goreleaser.yml b/.goreleaser.yml index b6953852055..f0da7efa543 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
@@ -4,163 +4,152 @@ env: - GO111MODULE=on - CGO_ENABLED=1 - DOCKER_CLI_EXPERIMENTAL=enabled - - COSIGN_EXPERIMENTAL=true + - COSIGN_YES=true - LATEST_TAG=,latest # Prevents parallel builds from stepping on each others toes downloading modules before: hooks: - - go mod tidy - - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi' -# if running a release we will generate the images in this step -# if running in the CI the CI env va is set and we dont run the ko steps -# this is needed because we are generating files that goreleaser was not aware to push to GH project release - - /bin/bash -c 'if [ -z "$CI" ]; then make sign-release-images; fi' + - go mod tidy + - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi' gomod: proxy: true sboms: -- artifacts: binary + - artifacts: binary builds: -- id: linux - binary: cosign-linux-{{ .Arch }} - no_unique_dist_dir: true - main: ./cmd/cosign - flags: - - -trimpath - mod_timestamp: '{{ .CommitTimestamp }}' - goos: - - linux - goarch: - - amd64 - - arm64 - - arm - - s390x - - ppc64le - goarm: - - '7' - ldflags: - - "{{ .Env.LDFLAGS }}" - env: - - CGO_ENABLED=0 - -- id: linux-pivkey-pkcs11key-amd64 - binary: cosign-linux-pivkey-pkcs11key-amd64 - no_unique_dist_dir: true - main: ./cmd/cosign - flags: - - -trimpath - mod_timestamp: '{{ .CommitTimestamp }}' - goos: - - linux - goarch: - - amd64 - ldflags: - - "{{ .Env.LDFLAGS }}" - tags: - - pivkey - - pkcs11key - hooks: - pre: - - apt-get update - - apt-get -y install libpcsclite-dev - env: - - PKG_CONFIG_PATH="/usr/lib/x86_64-linux-gnu/pkgconfig/" - -- id: darwin-amd64 - binary: cosign-darwin-amd64 - no_unique_dist_dir: true - env: - - CC=o64-clang - - CXX=o64-clang++ - main: ./cmd/cosign - flags: - - -trimpath - mod_timestamp: '{{ .CommitTimestamp }}' - goos: - - darwin - goarch: - - amd64 - ldflags: - - "{{ .Env.LDFLAGS }}" - tags: - - pivkey - - pkcs11key - -- id: darwin-arm64 - binary: 
cosign-darwin-arm64 - no_unique_dist_dir: true - env: - - CC=aarch64-apple-darwin21.4-clang - - CXX=aarch64-apple-darwin21.4-clang++ - main: ./cmd/cosign - flags: - - -trimpath - goos: - - darwin - goarch: - - arm64 - tags: - - pivkey - - pkcs11key - ldflags: - - "{{.Env.LDFLAGS}}" - -- id: windows-amd64 - binary: cosign-windows-amd64 - no_unique_dist_dir: true - env: - - CC=x86_64-w64-mingw32-gcc - - CXX=x86_64-w64-mingw32-g++ - main: ./cmd/cosign - mod_timestamp: '{{ .CommitTimestamp }}' - flags: - - -trimpath - goos: - - windows - goarch: - - amd64 - ldflags: - - -buildmode=exe - - "{{ .Env.LDFLAGS }}" - tags: - - pivkey - - pkcs11key - -- id: sget - binary: sget-{{ .Os }}-{{ .Arch }} - no_unique_dist_dir: true - mod_timestamp: '{{ .CommitTimestamp }}' - main: ./cmd/sget - flags: - - -trimpath - goos: - - linux - - darwin - - windows - goarch: - - amd64 - - arm64 - - arm - - s390x - - ppc64le - goarm: - - 7 - ignore: - - goos: windows - goarch: arm64 - - goos: windows - goarch: arm - - goos: windows - goarch: s390x - - goos: windows - goarch: ppc64le - ldflags: - - "{{ .Env.LDFLAGS }}" - env: - - CGO_ENABLED=0 + - id: linux + binary: cosign-linux-{{ .Arch }} + no_unique_dist_dir: true + main: ./cmd/cosign + flags: + - -trimpath + mod_timestamp: '{{ .CommitTimestamp }}' + goos: + - linux + goarch: + - amd64 + - arm64 + - arm + - s390x + - ppc64le + - riscv64 + goarm: + - '7' + ldflags: + - "{{ .Env.LDFLAGS }}" + env: + - CGO_ENABLED=0 + + - id: linux-pivkey-pkcs11key-amd64 + binary: cosign-linux-pivkey-pkcs11key-amd64 + no_unique_dist_dir: true + main: ./cmd/cosign + flags: + - -trimpath + mod_timestamp: '{{ .CommitTimestamp }}' + goos: + - linux + goarch: + - amd64 + ldflags: + - "{{ .Env.LDFLAGS }}" + tags: + - pivkey + - pkcs11key + hooks: + pre: + - apt-get update + - apt-get -y install --no-install-recommends libpcsclite-dev + env: + - PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig/ + + - id: linux-pivkey-pkcs11key-arm64 + binary: 
cosign-linux-pivkey-pkcs11key-arm64 + no_unique_dist_dir: true + main: ./cmd/cosign + flags: + - -trimpath + mod_timestamp: '{{ .CommitTimestamp }}' + goos: + - linux + goarch: + - arm64 + ldflags: + - "{{ .Env.LDFLAGS }}" + tags: + - pivkey + - pkcs11key + hooks: + pre: + - dpkg --add-architecture arm64 + - apt-get update + - apt-get install -y --no-install-recommends libpcsclite-dev:arm64 + env: + - CC=aarch64-linux-gnu-gcc + - PKG_CONFIG_PATH=/usr/lib/aarch64-linux-gnu/pkgconfig/ + + - id: darwin-amd64 + binary: cosign-darwin-amd64 + no_unique_dist_dir: true + env: + - CC=o64-clang + - CXX=o64-clang++ + main: ./cmd/cosign + flags: + - -trimpath + mod_timestamp: '{{ .CommitTimestamp }}' + goos: + - darwin + goarch: + - amd64 + ldflags: + - "{{ .Env.LDFLAGS }}" + tags: + - pivkey + - pkcs11key + + - id: darwin-arm64 + binary: cosign-darwin-arm64 + no_unique_dist_dir: true + env: + - CC=aarch64-apple-darwin22-clang + - CXX=aarch64-apple-darwin22-clang++ + main: ./cmd/cosign + flags: + - -trimpath + goos: + - darwin + goarch: + - arm64 + tags: + - pivkey + - pkcs11key + ldflags: + - "{{.Env.LDFLAGS}}" + + - id: windows-amd64 + binary: cosign-windows-amd64 + no_unique_dist_dir: true + env: + - CC=x86_64-w64-mingw32-gcc + - CXX=x86_64-w64-mingw32-g++ + main: ./cmd/cosign + mod_timestamp: '{{ .CommitTimestamp }}' + flags: + - -trimpath + goos: + - windows + goarch: + - amd64 + ldflags: + - -buildmode=exe + - "{{ .Env.LDFLAGS }}" + tags: + - pivkey + - pkcs11key signs: - id: cosign 
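Review bot: The new `linux-pivkey-pkcs11key-arm64` build's `pre` hooks run `dpkg --add-architecture arm64`, `apt-get update` and install an unpinned `libpcsclite-dev:arm64` from the network at release time, which links a library this pipeline never verifies into a signed release binary (the amd64 build has the same pre-existing pattern). Pin the package version in the hook, `apt-get install -y --no-install-recommends libpcsclite-dev:arm64=<version>`, or better bake it into the builder image, which the `maybe we can build our own image` comment in release/cloudbuild.yaml already hints at. Separately, `darwin-arm64` is the only build in the new matrix without `mod_timestamp: '{{ .CommitTimestamp }}'`, so its binary is not reproducible the way the others are; adding that line keeps the matrix consistent.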
@@ -168,13 +157,6 @@ signs: cmd: ./dist/cosign-linux-amd64 args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"] artifacts: binary - - id: sget - signature: "${artifact}.sig" - cmd: ./dist/cosign-linux-amd64 - args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"] - artifacts: binary - ids: - - sget # Keyless - id: cosign-keyless signature: "${artifact}-keyless.sig" @@ -182,14 +164,6 @@ signs: cmd: ./dist/cosign-linux-amd64 args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"] artifacts: binary - - id: sget-keyless - signature: "${artifact}-keyless.sig" - certificate: "${artifact}-keyless.pem" - cmd: ./dist/cosign-linux-amd64 - args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"] - artifacts: binary - ids: - - sget - id: checksum-keyless signature: "${artifact}-keyless.sig" certificate: "${artifact}-keyless.pem" @@ -224,9 +198,9 @@ nfpms: type: "symlink" archives: -- format: binary - name_template: "{{ .Binary }}" - allow_different_binary_count: true + - format: binary + name_template: "{{ .Binary }}" + allow_different_binary_count: true checksum: name_template: "{{ .ProjectName }}_checksums.txt" From 4dfbc992cf2cf32620ba7d151c4426cf5dfe563c Mon Sep 17 00:00:00 2001 From: Hayden B Date: Thu, 21 Mar 2024 11:51:55 -0700 Subject: [PATCH 05/13] Update release.mk Signed-off-by: Hayden B --- release/release.mk | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) 
diff --git a/release/release.mk b/release/release.mk index fb6caf2b5d5..cd84c3c224d 100644 --- a/release/release.mk +++ b/release/release.mk @@ -4,7 +4,7 @@ # used when releasing together with GCP CloudBuild .PHONY: release release: - LDFLAGS="$(LDFLAGS)" goreleaser release --parallelism 1 --timeout 120m + LDFLAGS="$(LDFLAGS)" goreleaser release --parallelism 1 --clean --timeout 120m ###################### # sign section @@ -18,19 +18,13 @@ sign-release-images: ko # used when need to validate the goreleaser .PHONY: snapshot snapshot: - LDFLAGS="$(LDFLAGS)" goreleaser release --skip-sign --skip-publish --snapshot --rm-dist --timeout 60m + LDFLAGS="$(LDFLAGS)" goreleaser release --skip=sign,publish --snapshot --clean --timeout 120m --parallelism 1 #################### # copy image to GHCR #################### -.PHONY: copy-cosign-signed-release-to-ghcr -copy-cosign-signed-release-to-ghcr: - cosign copy $(KO_PREFIX)/cosign:$(GIT_VERSION) $(GHCR_PREFIX)/cosign:$(GIT_VERSION) - -.PHONY: copy-sget-signed-release-to-ghcr -copy-sget-signed-release-to-ghcr: - cosign copy $(KO_PREFIX)/sget:$(GIT_VERSION) $(GHCR_PREFIX)/sget:$(GIT_VERSION) - .PHONY: copy-signed-release-to-ghcr -copy-signed-release-to-ghcr: copy-cosign-signed-release-to-ghcr copy-sget-signed-release-to-ghcr +copy-signed-release-to-ghcr: + cosign copy $(KO_PREFIX)/cosign:$(GIT_VERSION) $(GHCR_PREFIX)/cosign:$(GIT_VERSION) + cosign copy $(KO_PREFIX)/cosign:$(GIT_VERSION)-dev $(GHCR_PREFIX)/cosign:$(GIT_VERSION)-dev From 544b0ff33dbf9b974305cebbd725eb00784a25f4 Mon Sep 17 00:00:00 2001 From: Hayden B Date: Thu, 21 Mar 2024 11:52:34 -0700 Subject: [PATCH 06/13] Update .ko.yaml Signed-off-by: Hayden B --- .ko.yaml | 18 +----------------- 1 file changed, 1 insertion(+), 17 deletions(-) diff --git a/.ko.yaml b/.ko.yaml index 46c05743e1f..bfd932461cf 100644 --- a/.ko.yaml +++ b/.ko.yaml 
@@ -13,8 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -# We need a shell for a lot of redirection/piping to work -defaultBaseImage: gcr.io/distroless/base:debug-nonroot +defaultBaseImage: gcr.io/distroless/static-debian12:nonroot builds: - id: cosign @@ -31,18 +30,3 @@ builds: ldflags: - -extldflags "-static" - "{{ .Env.LDFLAGS }}" - -- id: sget - dir: . - main: ./cmd/sget - env: - - CGO_ENABLED=0 - flags: - - -trimpath - - --tags - - "{{ .Env.GIT_HASH }}" - - --tags - - "{{ .Env.GIT_VERSION }}" - ldflags: - - -extldflags "-static" - - "{{ .Env.LDFLAGS }}" From f966da9a84b5b51595a5ad7ddf1cde59cdcb9d88 Mon Sep 17 00:00:00 2001 From: Hayden B Date: Thu, 21 Mar 2024 11:55:48 -0700 Subject: [PATCH 07/13] Update Makefile Signed-off-by: Hayden B --- Makefile | 62 +++++++++++++++++++++++++++++++++----------------------- 1 file changed, 37 insertions(+), 25 deletions(-) diff --git a/Makefile b/Makefile index 9c28c3276bf..fadd277b6f1 100644 --- a/Makefile +++ b/Makefile @@ -13,11 +13,19 @@ # See the License for the specific language governing permissions and # limitations under the License. +ifeq (,$(shell echo $$DEBUG)) +else +SHELL = bash -x +endif + +# allow overwriting the default `go` value with the custom path to the go executable +GOEXE ?= go + # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) -ifeq (,$(shell go env GOBIN)) -GOBIN=$(shell go env GOPATH)/bin +ifeq (,$(shell $(GOEXE) env GOBIN)) +GOBIN=$(shell $(GOEXE) env GOPATH)/bin else -GOBIN=$(shell go env GOBIN) +GOBIN=$(shell $(GOEXE) env GOBIN) endif # Set version variables for LDFLAGS 
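Review bot: `ifeq (,$(shell echo $$DEBUG))` forks a shell just to test an environment variable that Make already imports; `ifneq ($(strip $(DEBUG)),)` followed by `SHELL = bash -x` does the same without the subprocess and without the empty `ifeq` branch. The block also deserves a comment, e.g. `# DEBUG=1 traces every expanded recipe line into the build log; never set it in the release pipeline`, since `bash -x` prints full command lines (KMS key paths, registry names, anything passed via the environment) into CI output. `GOEXE ?= go` is a useful knob; applying it consistently to `$(GOEXE) env` as done here is the right call.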
@@ -27,7 +35,7 @@ GIT_TAG ?= dirty-tag GIT_VERSION ?= $(shell git describe --tags --always --dirty) GIT_HASH ?= $(shell git rev-parse HEAD) DATE_FMT = +%Y-%m-%dT%H:%M:%SZ -SOURCE_DATE_EPOCH ?= $(shell git log -1 --pretty=%ct) +SOURCE_DATE_EPOCH ?= $(shell git log -1 --no-show-signature --pretty=%ct) ifdef SOURCE_DATE_EPOCH BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u "$(DATE_FMT)") else @@ -71,20 +79,16 @@ log-%: }' cosign: $(SRCS) - CGO_ENABLED=0 go build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/cosign + CGO_ENABLED=0 $(GOEXE) build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/cosign cosign-pivkey-pkcs11key: $(SRCS) - CGO_ENABLED=1 go build -trimpath -tags=pivkey,pkcs11key -ldflags "$(LDFLAGS)" -o cosign ./cmd/cosign - -.PHONY: sget -sget: ## Build sget binary - go build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/sget + CGO_ENABLED=1 $(GOEXE) build -trimpath -tags=pivkey,pkcs11key -ldflags "$(LDFLAGS)" -o cosign ./cmd/cosign .PHONY: cross cross: $(foreach GOOS, $(PLATFORMS),\ $(foreach GOARCH, $(ARCHITECTURES), $(shell export GOOS=$(GOOS); export GOARCH=$(GOARCH); \ - go build -trimpath -ldflags "$(LDFLAGS)" -o cosign-$(GOOS)-$(GOARCH) ./cmd/cosign; \ + $(GOEXE) build -trimpath -ldflags "$(LDFLAGS)" -o cosign-$(GOOS)-$(GOARCH) ./cmd/cosign; \ shasum -a 256 cosign-$(GOOS)-$(GOARCH) > cosign-$(GOOS)-$(GOARCH).sha256 ))) \ ##################### 
@@ -94,17 +98,16 @@ cross: golangci-lint: rm -f $(GOLANGCI_LINT_BIN) || : set -e ;\ - GOBIN=$(GOLANGCI_LINT_DIR) go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.46.2 ;\ + GOBIN=$(GOLANGCI_LINT_DIR) $(GOEXE) install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.55.2 ;\ lint: golangci-lint ## Run golangci-lint linter $(GOLANGCI_LINT_BIN) run -n test: - GODEBUG=x509sha1=1 go test $(shell go list ./... | grep -v third_party/) + GODEBUG=x509sha1=1 $(GOEXE) test $(shell $(GOEXE) list ./... | grep -v third_party/) clean: rm -rf cosign - rm -rf sget rm -rf dist/ KOCACHE_PATH=/tmp/ko @@ -125,7 +128,7 @@ endef # ko build ########## .PHONY: ko -ko: ko-cosign ko-sget +ko: ko-cosign ko-cosign-dev .PHONY: ko-cosign ko-cosign: @@ -134,16 +137,16 @@ ko-cosign: KOCACHE=$(KOCACHE_PATH) ko build --base-import-paths \ --platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \ $(ARTIFACT_HUB_LABELS) --image-refs cosignImagerefs \ - github.com/sigstore/cosign/cmd/cosign + github.com/sigstore/cosign/v2/cmd/cosign -.PHONY: ko-sget -ko-sget: - # sget +.PHONY: ko-cosign-dev +ko-cosign-dev: + $(create_kocache_path) LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \ - KOCACHE=$(KOCACHE_PATH) ko build --base-import-paths \ - --platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \ - --image-refs sgetImagerefs \ - github.com/sigstore/cosign/cmd/sget + KOCACHE=$(KOCACHE_PATH) KO_DEFAULTBASEIMAGE=gcr.io/distroless/static-debian12:debug-nonroot ko build --base-import-paths \ + --platform=all --tags $(GIT_VERSION)-dev --tags $(GIT_HASH)-dev \ + $(ARTIFACT_HUB_LABELS) --image-refs cosignDevImagerefs \ + github.com/sigstore/cosign/v2/cmd/cosign .PHONY: ko-local ko-local: 
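Review bot: `ko-cosign-dev` records its pushed references in `cosignDevImagerefs`, but release/ko-sign-release-images.sh in this series only reads `cosignImagerefs` (and `sgetImagerefs`), so the `-dev` images that `ko build` pushes as part of `sign-release-images: ko` are published without a signature unless something outside this series signs them. Either add `cosignDevImagerefs` to the sign script or keep `ko:` at `ko-cosign` and make `ko-cosign-dev` an opt-in target. Also, the import paths change to `github.com/sigstore/cosign/v2/cmd/cosign` in a v1.13.x backport; if the branch's go.mod still declares `module github.com/sigstore/cosign`, `ko build` will not resolve the `/v2/` path, so please confirm against go.mod before merging.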
@@ -152,7 +155,16 @@ ko-local: KOCACHE=$(KOCACHE_PATH) ko build --base-import-paths \ --tags $(GIT_VERSION) --tags $(GIT_HASH) \ $(ARTIFACT_HUB_LABELS) \ - github.com/sigstore/cosign/cmd/cosign + github.com/sigstore/cosign/v2/cmd/cosign + +.PHONY: ko-local-dev +ko-local-dev: + $(create_kocache_path) + KO_DOCKER_REPO=ko.local/cosign-dev LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \ + KOCACHE=$(KOCACHE_PATH) KO_DEFAULTBASEIMAGE=gcr.io/distroless/static-debian12:debug-nonroot ko build --base-import-paths \ + --tags $(GIT_VERSION) --tags $(GIT_HASH) \ + $(ARTIFACT_HUB_LABELS) \ + github.com/sigstore/cosign/v2/cmd/cosign ################## # help @@ -173,4 +185,4 @@ include test/ci.mk .PHONY: docgen docgen: - go run -tags pivkey,pkcs11key,cgo ./cmd/help/ + $(GOEXE) run -tags pivkey,pkcs11key,cgo ./cmd/help/ From b8f21e63d1f495b61362a4e0cbe05984f01636db Mon Sep 17 00:00:00 2001 From: Hayden B Date: Thu, 21 Mar 2024 12:01:37 -0700 Subject: [PATCH 08/13] Update release.mk Signed-off-by: Hayden B --- release/release.mk | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/release/release.mk b/release/release.mk index cd84c3c224d..0ad1edb4c6f 100644 --- a/release/release.mk +++ b/release/release.mk @@ -9,12 +9,10 @@ release: ###################### # sign section ###################### - .PHONY: sign-release-images sign-release-images: ko GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \ ./release/ko-sign-release-images.sh - # used when need to validate the goreleaser .PHONY: snapshot snapshot: 
@@ -24,7 +22,13 @@ snapshot: # copy image to GHCR #################### -.PHONY: copy-signed-release-to-ghcr -copy-signed-release-to-ghcr: +.PHONY: copy-cosign-signed-release-to-ghcr +copy-cosign-signed-release-to-ghcr: cosign copy $(KO_PREFIX)/cosign:$(GIT_VERSION) $(GHCR_PREFIX)/cosign:$(GIT_VERSION) - cosign copy $(KO_PREFIX)/cosign:$(GIT_VERSION)-dev $(GHCR_PREFIX)/cosign:$(GIT_VERSION)-dev + +.PHONY: copy-sget-signed-release-to-ghcr +copy-sget-signed-release-to-ghcr: + cosign copy $(KO_PREFIX)/sget:$(GIT_VERSION) $(GHCR_PREFIX)/sget:$(GIT_VERSION) + +.PHONY: copy-signed-release-to-ghcr +copy-signed-release-to-ghcr: copy-cosign-signed-release-to-ghcr copy-sget-signed-release-to-ghcr From 6cdefcf8628b08304b3fd1a9078114527247eefb Mon Sep 17 00:00:00 2001 From: Hayden B Date: Thu, 21 Mar 2024 12:02:42 -0700 Subject: [PATCH 09/13] Update ko-sign-release-images.sh Signed-off-by: Hayden B --- release/ko-sign-release-images.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/release/ko-sign-release-images.sh b/release/ko-sign-release-images.sh index c9cd94c12b9..7e879ad50e6 100755 --- a/release/ko-sign-release-images.sh +++ b/release/ko-sign-release-images.sh 
@@ -32,8 +32,15 @@ if [[ ! -f cosignImagerefs ]]; then exit 1 fi +if [[ ! -f sgetImagerefs ]]; then + echo "sgetImagerefs not found" + exit 1 +fi + echo "Signing cosign images with GCP KMS Key..." cosign sign --yes --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat cosignImagerefs) +cosign sign --yes --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat sgetImagerefs) echo "Signing images with Keyless..." cosign sign --yes -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat cosignImagerefs) +cosign sign --yes -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat sgetImagerefs) From 1f8d2391fa88cecad86e4d6811a06d9817dba4d1 Mon Sep 17 00:00:00 2001 From: Hayden B Date: Thu, 21 Mar 2024 12:03:50 -0700 Subject: [PATCH 10/13] Update .ko.yaml Signed-off-by: Hayden B --- .ko.yaml | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/.ko.yaml b/.ko.yaml index bfd932461cf..7ced0bb58a0 100644 --- a/.ko.yaml +++ b/.ko.yaml @@ -13,10 +13,11 @@ # See the License for the specific language governing permissions and # limitations under the License. -defaultBaseImage: gcr.io/distroless/static-debian12:nonroot +# We need a shell for a lot of redirection/piping to work +defaultBaseImage: gcr.io/distroless/base:debug-nonroot builds: -- id: cosign +- id: cosign dir: . main: ./cmd/cosign env: @@ -30,3 +31,18 @@ builds: ldflags: - -extldflags "-static" - "{{ .Env.LDFLAGS }}" + +- id: sget + dir: . + main: ./cmd/sget + env: + - CGO_ENABLED=0 + flags: + - -trimpath + - --tags + - "{{ .Env.GIT_HASH }}" + - --tags + - "{{ .Env.GIT_VERSION }}" + ldflags: + - -extldflags "-static" + - "{{ .Env.LDFLAGS }}" From 191664f99e703abacdbe54e9ea2a75fb417b8293 Mon Sep 17 00:00:00 2001 
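Review bot: The added `cosign sign` lines repeat the full GCP KMS key URI and the attestation flags verbatim for each ref file, so there are now four near-identical invocations and two places where the key path has to be edited in lockstep. Moving the key reference into a variable and looping over the two ref files leaves one KMS and one keyless signing statement, which is easier to audit when checking which key signed a release. The new `sgetImagerefs` existence check mirrors the `cosignImagerefs` one above it and fails hard, which is right since both files are written by the `ko build --image-refs` steps. The script's preamble, where PROJECT_ID and the KEY_* variables are set, is outside the hunk.
```shell
# … unchanged: cosignImagerefs / sgetImagerefs existence checks …
KMS_KEY="gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION"
for refs in cosignImagerefs sgetImagerefs; do
  echo "Signing ${refs%Imagerefs} images with GCP KMS Key..."
  cosign sign --yes --key "$KMS_KEY" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat "$refs")
  echo "Signing ${refs%Imagerefs} images with Keyless..."
  cosign sign --yes -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat "$refs")
done
```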
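Review bot: Every release image — cosign and the new sget — now inherits a busybox shell and a glibc userland from `gcr.io/distroless/base:debug-nonroot` instead of the static `nonroot` base, and the new comment only says that "a shell" is needed for redirection/piping without naming the consumer that relies on it. A later reader cannot tell whether that requirement still holds, so the comment should record it; I'd suggest `# <consumer> drives cosign through a shell for redirection/piping, so the release image needs one` with the actual consumer filled in. The debug shell was previously confined to the `-dev` images built with `KO_DEFAULTBASEIMAGE=...debug-nonroot`, which this series removes, so if only some consumers need a shell, keeping the static default and publishing a separate debug variant would be the narrower option. Neither the old nor the new `defaultBaseImage` is pinned by digest; `gcr.io/distroless/base:debug-nonroot@sha256:<digest>` would make the base reproducible and verifiable rather than whatever the tag points at on build day.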
From: Hayden B Date: Thu, 21 Mar 2024 12:04:10 -0700 Subject: [PATCH 11/13] Update .ko.yaml Signed-off-by: Hayden B --- .ko.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ko.yaml b/.ko.yaml index 7ced0bb58a0..46c05743e1f 100644 --- a/.ko.yaml +++ b/.ko.yaml @@ -17,7 +17,7 @@ defaultBaseImage: gcr.io/distroless/base:debug-nonroot builds: -- id: cosign +- id: cosign dir: . main: ./cmd/cosign env: From 7207a136a1a3817f0dfac16642b851354ad5cccc Mon Sep 17 00:00:00 2001 From: Hayden B Date: Thu, 21 Mar 2024 12:04:49 -0700 Subject: [PATCH 12/13] Update ko-sign-release-images.sh Signed-off-by: Hayden B --- release/ko-sign-release-images.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/release/ko-sign-release-images.sh b/release/ko-sign-release-images.sh index 7e879ad50e6..fab09742c82 100755 --- a/release/ko-sign-release-images.sh +++ b/release/ko-sign-release-images.sh @@ -32,15 +32,17 @@ if [[ ! -f cosignImagerefs ]]; then exit 1 fi -if [[ ! -f sgetImagerefs ]]; then - echo "sgetImagerefs not found" - exit 1 +if [[ ! -f sgetImagerefs ]]; then + echo "sgetImagerefs not found" + exit 1 fi echo "Signing cosign images with GCP KMS Key..." + cosign sign --yes --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat cosignImagerefs) cosign sign --yes --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat sgetImagerefs) echo "Signing images with Keyless..." + cosign sign --yes -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat cosignImagerefs) cosign sign --yes -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat sgetImagerefs) From f16c25351c04d1096ec919be574fbcf9cdbfbd8a Mon Sep 17 00:00:00 2001 
From: Hayden B Date: Thu, 21 Mar 2024 12:06:57 -0700 Subject: [PATCH 13/13] Update Makefile Signed-off-by: Hayden B --- Makefile | 62 +++++++++++++++++++++++--------------------------------- 1 file changed, 25 insertions(+), 37 deletions(-) diff --git a/Makefile b/Makefile index fadd277b6f1..9c28c3276bf 100644 --- a/Makefile +++ b/Makefile @@ -13,19 +13,11 @@ # See the License for the specific language governing permissions and # limitations under the License. -ifeq (,$(shell echo $$DEBUG)) -else -SHELL = bash -x -endif - -# allow overwriting the default `go` value with the custom path to the go executable -GOEXE ?= go - # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) -ifeq (,$(shell $(GOEXE) env GOBIN)) -GOBIN=$(shell $(GOEXE) env GOPATH)/bin +ifeq (,$(shell go env GOBIN)) +GOBIN=$(shell go env GOPATH)/bin else -GOBIN=$(shell $(GOEXE) env GOBIN) +GOBIN=$(shell go env GOBIN) endif # Set version variables for LDFLAGS @@ -35,7 +27,7 @@ GIT_TAG ?= dirty-tag GIT_VERSION ?= $(shell git describe --tags --always --dirty) GIT_HASH ?= $(shell git rev-parse HEAD) DATE_FMT = +%Y-%m-%dT%H:%M:%SZ -SOURCE_DATE_EPOCH ?= $(shell git log -1 --no-show-signature --pretty=%ct) +SOURCE_DATE_EPOCH ?= $(shell git log -1 --pretty=%ct) ifdef SOURCE_DATE_EPOCH BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u "$(DATE_FMT)") else 
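Review bot: The two `GOBIN=$(shell go env ...)` assignments on the new side use the recursive `=` flavour, so every later expansion of `$(GOBIN)` forks a `go env` process again; `GOBIN := $(shell go env GOPATH)/bin` and `GOBIN := $(shell go env GOBIN)` evaluate once at parse time with the same result. The shape is pre-existing (the old side also used `=`), but the hunk rewrites both lines anyway, so it is a cheap fix to fold in. With `GOEXE` removed, the `ifeq` condition and both branches hard-code `go`, leaving no single knob to point the build at a different toolchain; if that is intentional for the v1.13.x branch, a one-line comment saying so would save the next reader from re-adding it.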
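Review bot: Dropping `--no-show-signature` from `SOURCE_DATE_EPOCH ?= $(shell git log -1 --pretty=%ct)` makes the value depend on the builder's git configuration: with `log.showSignature=true` set, `git log` prepends signature-verification output to the `%ct` line, so the epoch is no longer a bare integer. Both `date -d "@..."` and `date -r ...` in the `BUILD_DATE` line below then fail with stderr discarded and the chain falls through to plain `date -u`, so the build silently stamps the current time instead of the commit time — a reproducibility regression that nothing reports. Unless the branch must support a git too old to know the flag, keep `SOURCE_DATE_EPOCH ?= $(shell git log -1 --no-show-signature --pretty=%ct)`.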
@@ -79,16 +71,20 @@ log-%: }' cosign: $(SRCS) - CGO_ENABLED=0 $(GOEXE) build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/cosign + CGO_ENABLED=0 go build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/cosign cosign-pivkey-pkcs11key: $(SRCS) - CGO_ENABLED=1 $(GOEXE) build -trimpath -tags=pivkey,pkcs11key -ldflags "$(LDFLAGS)" -o cosign ./cmd/cosign + CGO_ENABLED=1 go build -trimpath -tags=pivkey,pkcs11key -ldflags "$(LDFLAGS)" -o cosign ./cmd/cosign + +.PHONY: sget +sget: ## Build sget binary + go build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/sget .PHONY: cross cross: $(foreach GOOS, $(PLATFORMS),\ $(foreach GOARCH, $(ARCHITECTURES), $(shell export GOOS=$(GOOS); export GOARCH=$(GOARCH); \ - $(GOEXE) build -trimpath -ldflags "$(LDFLAGS)" -o cosign-$(GOOS)-$(GOARCH) ./cmd/cosign; \ + go build -trimpath -ldflags "$(LDFLAGS)" -o cosign-$(GOOS)-$(GOARCH) ./cmd/cosign; \ shasum -a 256 cosign-$(GOOS)-$(GOARCH) > cosign-$(GOOS)-$(GOARCH).sha256 ))) \ ##################### @@ -98,16 +94,17 @@ cross: golangci-lint: rm -f $(GOLANGCI_LINT_BIN) || : set -e ;\ - GOBIN=$(GOLANGCI_LINT_DIR) $(GOEXE) install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.55.2 ;\ + GOBIN=$(GOLANGCI_LINT_DIR) go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.46.2 ;\ lint: golangci-lint ## Run golangci-lint linter $(GOLANGCI_LINT_BIN) run -n test: - GODEBUG=x509sha1=1 $(GOEXE) test $(shell $(GOEXE) list ./... | grep -v third_party/) + GODEBUG=x509sha1=1 go test $(shell go list ./... | grep -v third_party/) clean: rm -rf cosign + rm -rf sget rm -rf dist/ KOCACHE_PATH=/tmp/ko @@ -128,7 +125,7 @@ endef # ko build ########## .PHONY: ko -ko: ko-cosign ko-cosign-dev +ko: ko-cosign ko-sget .PHONY: ko-cosign ko-cosign: 
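Review bot: `sget` is declared `.PHONY` although its recipe writes the file `$@`, so it is rebuilt on every invocation and a real `sget` on disk never counts as up to date; the neighbouring `cosign: $(SRCS)` rule shows the intended shape for a built binary. The recipe also omits `CGO_ENABLED=0`, which both the `cosign:` rule and the `.ko.yaml` sget build added earlier in this series set, so the locally built binary may end up dynamically linked depending on the host toolchain while the release image is static. Suggested: drop the `.PHONY: sget` line and use `sget: $(SRCS) ## Build sget binary` with the recipe `CGO_ENABLED=0 go build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/sget`.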
@@ -137,16 +134,16 @@ ko-cosign: KOCACHE=$(KOCACHE_PATH) ko build --base-import-paths \ --platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \ $(ARTIFACT_HUB_LABELS) --image-refs cosignImagerefs \ - github.com/sigstore/cosign/v2/cmd/cosign + github.com/sigstore/cosign/cmd/cosign -.PHONY: ko-cosign-dev -ko-cosign-dev: - $(create_kocache_path) +.PHONY: ko-sget +ko-sget: + # sget LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \ - KOCACHE=$(KOCACHE_PATH) KO_DEFAULTBASEIMAGE=gcr.io/distroless/static-debian12:debug-nonroot ko build --base-import-paths \ - --platform=all --tags $(GIT_VERSION)-dev --tags $(GIT_HASH)-dev \ - $(ARTIFACT_HUB_LABELS) --image-refs cosignDevImagerefs \ - github.com/sigstore/cosign/v2/cmd/cosign + KOCACHE=$(KOCACHE_PATH) ko build --base-import-paths \ + --platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \ + --image-refs sgetImagerefs \ + github.com/sigstore/cosign/cmd/sget .PHONY: ko-local ko-local: @@ -155,16 +152,7 @@ ko-local: KOCACHE=$(KOCACHE_PATH) ko build --base-import-paths \ --tags $(GIT_VERSION) --tags $(GIT_HASH) \ $(ARTIFACT_HUB_LABELS) \ - github.com/sigstore/cosign/v2/cmd/cosign - -.PHONY: ko-local-dev -ko-local-dev: - $(create_kocache_path) - KO_DOCKER_REPO=ko.local/cosign-dev LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \ - KOCACHE=$(KOCACHE_PATH) KO_DEFAULTBASEIMAGE=gcr.io/distroless/static-debian12:debug-nonroot ko build --base-import-paths \ - --tags $(GIT_VERSION) --tags $(GIT_HASH) \ - $(ARTIFACT_HUB_LABELS) \ - github.com/sigstore/cosign/v2/cmd/cosign + github.com/sigstore/cosign/cmd/cosign ################## # help @@ -185,4 +173,4 @@ include test/ci.mk .PHONY: docgen docgen: - $(GOEXE) run -tags pivkey,pkcs11key,cgo ./cmd/help/ + go run -tags pivkey,pkcs11key,cgo ./cmd/help/
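Review bot: `ko-sget` keeps `KOCACHE=$(KOCACHE_PATH)` but drops the `$(create_kocache_path)` call that `ko-cosign-dev`, the target it replaces, ran first; when `ko-sget` runs before `ko-cosign` — `make ko-sget` directly, or under `make -j` where the two prerequisites of `ko` are unordered — the cache directory may not exist yet (presumably what the helper is for; its definition is outside the hunk). The `# sget` line is tab-indented like the recipe lines around it, which makes it a recipe line rather than a Make comment: Make echoes it and the shell runs it as a no-op. Replacing it with `$(create_kocache_path)` fixes both; a comment, if wanted, belongs above the `ko-sget:` header. The `$(ARTIFACT_HUB_LABELS)` argument that `ko-cosign` passes is also absent here — if that is deliberate for sget, a short comment would make it clear.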