Support cosign
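--- a/tools/codegen/base/cosign.json
+++ b/tools/codegen/base/cosign.json
@@ -0,0 +1,34 @@
+{
+"repository": "https://github.com/sigstore/cosign",
+"tag_prefix": "v",
+"version_range": ">= 3.0.0",
+"signing": {
+"kind": "custom"
+},
+"platform": {
+"x86_64_linux_musl": {
+"asset_name": "${package}-linux-amd64"
+},
+"x86_64_macos": {
+"asset_name": "${package}-darwin-amd64"
+},
+"x86_64_windows": {
+"asset_name": "${package}-windows-amd64.exe"
+},
+"aarch64_linux_musl": {
+"asset_name": "${package}-linux-arm64"
+},
+"aarch64_macos": {
+"asset_name": "${package}-darwin-arm64"
+},
+"powerpc64le_linux_musl": {
+"asset_name": "${package}-linux-ppc64le"
+},
+"riscv64_linux_musl": {
+"asset_name": "${package}-linux-riscv64"
+},
+"s390x_linux_musl": {
+"asset_name": "${package}-linux-s390x"
+}
+}
+}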
@@ -385,6 +385,58 @@ fn main() {
|
||||
);
|
||||
eprintln!("done");
|
||||
}
|
||||
"cosign" => {
|
||||
let [checksum, bundle] =
|
||||
["cosign_checksums.txt", "cosign_checksums.txt.sigstore.json"].map(
|
||||
|f| {
|
||||
let asset = release
|
||||
.assets
|
||||
.iter()
|
||||
.find(|asset| asset.name.ends_with(f))
|
||||
.unwrap();
|
||||
let download_cache =
|
||||
download_cache_dir.join(format!("{version}-{f}"));
|
||||
let url = &asset.browser_download_url;
|
||||
eprint!(
|
||||
"downloading {url} for signature verification ... "
|
||||
);
|
||||
if download_cache.is_file() {
|
||||
eprintln!("already downloaded");
|
||||
} else {
|
||||
download_to_buf(url, &mut buf);
|
||||
eprintln!("download complete");
|
||||
fs::write(&download_cache, &buf).unwrap();
|
||||
buf.clear();
|
||||
}
|
||||
download_cache
|
||||
},
|
||||
);
|
||||
eprint!("verifying checksum file for {package}@{version} ... ");
|
||||
cmd!(
|
||||
"cosign",
|
||||
"verify-blob",
|
||||
&checksum,
|
||||
"--bundle",
|
||||
bundle,
|
||||
"--certificate-identity",
|
||||
"keyless@projectsigstore.iam.gserviceaccount.com",
|
||||
"--certificate-oidc-issuer",
|
||||
"https://accounts.google.com"
|
||||
)
|
||||
.run()
|
||||
.unwrap();
|
||||
verified_checksum = Some(
|
||||
fs::read_to_string(checksum)
|
||||
.unwrap()
|
||||
.lines()
|
||||
.filter_map(|l| l.split_once(" "))
|
||||
.map(|(h, f)| {
|
||||
(f.trim_ascii().to_owned(), h.trim_ascii().to_owned())
|
||||
})
|
||||
.collect(),
|
||||
);
|
||||
eprintln!("done");
|
||||
}
|
||||
"syft" => {
|
||||
// Refs: https://oss.anchore.com/docs/installation/verification/
|
||||
let [checksum, certificate, signature] =
|
||||
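Review bot: The new `"cosign"` arm hard-codes the release-signing identity (`"keyless@projectsigstore.iam.gserviceaccount.com"` with issuer `"https://accounts.google.com"`) without recording where those values come from, whereas the neighbouring `"syft"` arm opens with a `// Refs:` comment naming its upstream verification docs; add a matching `// Refs: <upstream cosign release-verification docs URL>` line above `let [checksum, bundle] =` so that a future identity or issuer change can be checked against its source rather than guessed. Separately, the asset lookup uses `asset.name.ends_with(f)`, which also accepts any release asset whose name merely ends in `cosign_checksums.txt` or `cosign_checksums.txt.sigstore.json`; an exact `.find(|asset| asset.name == f)` pins the two expected assets and still fails loudly through the existing `.unwrap()` if the release layout changes. The enclosing `fn main()` starts and ends outside this hunk.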
@@ -572,10 +624,7 @@ fn main() {
|
||||
);
|
||||
};
|
||||
let url = url.clone() + ".sig";
|
||||
let sig_download_cache = &download_cache.with_extension(format!(
|
||||
"{}.sig",
|
||||
download_cache.extension().unwrap_or_default().to_str().unwrap()
|
||||
));
|
||||
let sig_download_cache = &download_cache.with_added_extension("sig");
|
||||
eprint!("downloading {url} for signature validation ... ");
|
||||
let sig = if sig_download_cache.is_file() {
|
||||
eprintln!("already downloaded");
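Review bot: `download_cache.with_added_extension("sig")` depends on `Path::with_added_extension`, a std API that was stabilized only in a recent toolchain (1.91, if I recall correctly), so this one line raises the minimum compiler the codegen tool builds with; confirm the project's declared `rust-version` and CI toolchain cover it, or the build fails on older compilers. The replacement is otherwise an improvement, since it drops the `extension().unwrap_or_default().to_str().unwrap()` chain and no longer assumes the cache path has an extension. The enclosing `fn main()` starts and ends outside this hunk.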
|
||||
|
||||