
Use TUF signing config for probers
Signed-off-by: Aaron Lew <[email protected]>
1 parent 190c7d6 commit 99292dd


2 files changed

+18
-26
lines changed


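--- a/.github/workflows/prober-staging.yml
+++ b/.github/workflows/prober-staging.yml
@@ -25,9 +25,7 @@ jobs:
       issues: write
     with:
       enable_staging: true
-      rekor_url: "https://rekor.sigstage.dev"
-      fulcio_url: "https://fulcio.sigstage.dev"
-      oidc_url: "https://oauth2.sigstage.dev/auth"
+      rekor_v1_url: "https://rekor.sigstage.dev"
       tuf_repo: "https://tuf-repo-cdn.sigstage.dev"
       tuf_preprod_repo: "https://sigstore.github.io/root-signing-staging"
       tuf_root_path: ".github/assets/sigstage.root.json"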
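Review bot: With `rekor_url`, `fulcio_url` and `oidc_url` dropped from `with:`, the staging prober's signing endpoints now come entirely from the signing config served by `tuf_repo` and pinned by `tuf_root_path`, so that root file is the sole trust anchor for where staging signatures are sent; a comment on the `with:` block should say so, e.g. `# Fulcio/Rekor/OIDC endpoints come from the TUF signing config (tuf_repo, pinned by tuf_root_path)`. The caller also does not set `rekor_v2_url`, so it inherits the reusable workflow's default; passing it explicitly here next to `rekor_v1_url` keeps the choice of staging log in the staging workflow rather than in a shared default. The enclosing job starts before this hunk.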

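--- a/.github/workflows/reusable-prober.yml
+++ b/.github/workflows/reusable-prober.yml
@@ -7,21 +7,16 @@ on:
         description: 'Integration key for PagerDuty'
         required: true
     inputs:
-      rekor_url:
+      rekor_v1_url:
         required: false
         type: string
         default: 'https://rekor.sigstore.dev'
-        description: 'Rekor URL'
-      fulcio_url:
+        description: 'Rekor v1 URL'
+      rekor_v2_url:
         required: false
         type: string
-        default: 'https://fulcio.sigstore.dev'
-        description: 'Fulcio URL'
-      oidc_url:
-        required: false
-        type: string
-        default: 'https://oauth2.sigstore.dev/auth'
-        description: 'OIDC URL'
+        default: 'https://log2025-alpha3.rekor.sigstage.dev'
+        description: 'Rekor v2 URL'
       enable_staging:
         required: false
         type: boolean
@@ -148,7 +143,7 @@ jobs:
       GITHUB_RUN_ID: ${{ github.run_id }}
       GITHUB_RUN_ATTEMPT: ${{ github.run_attempt }}
       IMAGE: localhost:1338/image:${{ github.sha }}-${{ github.run_id }}
-      REKOR_SERVER: ${{ inputs.rekor_url }}
+      REKOR_SERVER: ${{ inputs.rekor_v1_url }}
       IDENTITY_REGEX: ${{ github.server_url }}/${{ github.repository }}/.github/workflows/reusable-prober.yml@refs/.*
     runs-on: ubuntu-latest
     outputs:
@@ -225,8 +220,9 @@ jobs:
       - name: Sign and verify the image with preprod TUF
         if: ${{ inputs.enable_staging == false }}
         run: |
-          cosign sign --yes ${IMAGE} --rekor-url ${{ inputs.rekor_url }} --fulcio-url ${{ inputs.fulcio_url }} --oidc-issuer ${{ inputs.oidc_url }} --oidc-provider github-actions
-          cosign verify ${IMAGE} --rekor-url ${{ inputs.rekor_url }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp="$IDENTITY_REGEX"
+          cosign version
+          cosign sign --yes ${IMAGE} --use-signing-config --oidc-provider github-actions --new-bundle-format
+          cosign verify ${IMAGE} --rekor-url ${{ inputs.rekor_v1_url }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp="$IDENTITY_REGEX"
 
       - name: Remove preprod TUF
         run: |
@@ -247,21 +243,19 @@ jobs:
 
       - name: Sign and verify the image
         run: |
-          cosign sign --yes ${IMAGE} --rekor-url ${{ inputs.rekor_url }} --fulcio-url ${{ inputs.fulcio_url }} --oidc-issuer ${{ inputs.oidc_url }} --oidc-provider github-actions
-          cosign verify ${IMAGE} --rekor-url ${{ inputs.rekor_url }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp="$IDENTITY_REGEX"
-
+          cosign sign --yes ${IMAGE} --use-signing-config --oidc-provider github-actions --new-bundle-format
+          cosign verify ${IMAGE} --rekor-url ${{ inputs.rekor_v1_url }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp="$IDENTITY_REGEX"
       - name: Generate and upload attestation
         run: |
-          cosign attest --predicate ./prober/attestation.json --type slsaprovenance --rekor-url ${{ inputs.rekor_url }} --fulcio-url ${{ inputs.fulcio_url }} --oidc-issuer ${{ inputs.oidc_url }} ${IMAGE}
-          cosign verify-attestation --rekor-url ${{ inputs.rekor_url }} --type=slsaprovenance ${IMAGE} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp="$IDENTITY_REGEX"
-
+          cosign attest --predicate ./prober/attestation.json --type slsaprovenance --use-signing-config ${IMAGE}
+          cosign verify-attestation --rekor-url ${{ inputs.rekor_v1_url }} --type=slsaprovenance ${IMAGE} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp="$IDENTITY_REGEX"
       - name: Read entries from all Rekor shards
         run: |
           set -e
 
           # get shard information from Rekor
-          response=$(curl -fs ${{ inputs.rekor_url }}/api/v1/log) || {
-            echo "Fetching loginfo from ${{ inputs.rekor_url }} failed, exiting..."; exit 1;
+          response=$(curl -fs ${{ inputs.rekor_v1_url }}/api/v1/log) || {
+            echo "Fetching loginfo from ${{ inputs.rekor_v1_url }} failed, exiting..."; exit 1;
           }
 
           # shard_sizes[0] is the size of the active shard, shard_sizes [1...n] are the sizes of the inactive shards
@@ -289,8 +283,8 @@ jobs:
           fi
 
           for index in "${result[@]}"; do
-            echo -n "Fetching index $index from ${{ inputs.rekor_url }} ... "
-            entry=$(curl -fs ${{ inputs.rekor_url }}/api/v1/log/entries?logIndex=$index) || {
+            echo -n "Fetching index $index from ${{ inputs.rekor_v1_url }} ... "
+            entry=$(curl -fs ${{ inputs.rekor_v1_url }}/api/v1/log/entries?logIndex=$index) || {
               echo "failed!"; exit 1;
             }
             echo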
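Review bot: The new `rekor_v2_url` input in the first hunk is declared with a sigstage default, `https://log2025-alpha3.rekor.sigstage.dev`, but no visible hunk reads it, so the production prober now carries a staging-log default that nothing consumes; either wire it into the verify/read steps or leave it out until it is used, and if kept, give it a production default to match `rekor_v1_url`. Separately, the renamed `${{ inputs.rekor_v1_url }}` expressions are still expanded directly inside `run:` scripts (the verify, curl and echo lines) even though the job env already exports the same value as `REKOR_SERVER`; reading `"$REKOR_SERVER"` instead keeps caller-supplied input out of template expansion of shell text, e.g. `response=$(curl -fs "$REKOR_SERVER/api/v1/log") || {`. Note also that signing now takes its Rekor and Fulcio endpoints from the TUF signing config while verification still pins `--rekor-url ${{ inputs.rekor_v1_url }}`; if the signing config ever routes entries to a different log the two legs of the probe would disagree, which deserves a comment on the verify line. The job whose env block is changed in the second hunk, and the steps list in the later hunks, begin outside these hunks.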
