vlesich-sylabs/supply-chain-example
supply-chain-example

GoReleaser + Go Mod proxying + Cosign keyless signing + Syft SBOM generation example.

How it works

GoReleaser manages the entire thing, basically.

It will:

  • build using the Go Mod Proxy as the source of truth
  • call syft to create the SBOMs
  • create the checksum file
  • sign it with cosign
  • create a docker image using the binary it just built (thus, the binary inside the docker image is the same as the one released)
  • sign the docker image with cosign as well

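The following .goreleaser.yaml is an added illustration of how those steps are wired together; it is not the repository's own configuration. The build targets, the Dockerfile name and the GitHub Actions permissions it relies on (id-token: write for keyless signing, packages: write for pushing to ghcr.io) are assumptions; the image name matches the one in the Docker verification command in this README.

```yaml
# Added example: a minimal .goreleaser.yaml wiring together the steps listed
# above. Not the repository's own config; platforms, Dockerfile name and the
# CI permissions it relies on (id-token: write for keyless signing,
# packages: write for ghcr.io) are assumptions.
project_name: supply-chain-example

gomod:
  # Fetch the module through the Go module proxy, so the release is built
  # from the source the proxy (and sum.golang.org) recorded rather than
  # from whatever happens to be in the local checkout.
  proxy: true

builds:
  - env:
      - CGO_ENABLED=0
    goos:
      - linux
      - darwin
    goarch:
      - amd64
      - arm64

checksum:
  # One checksums.txt covering every archive and SBOM. Only this file gets
  # signed, so verifying its signature transitively covers everything listed in it.
  name_template: checksums.txt

sboms:
  # Run syft against each archive, producing <archive>.sbom next to it.
  - artifacts: archive

signs:
  - cmd: cosign
    env:
      - COSIGN_EXPERIMENTAL=1      # cosign 1.x keyless mode (Fulcio cert + Rekor entry)
    certificate: '${artifact}.pem'  # emit checksums.txt.pem alongside checksums.txt.sig
    args:
      - sign-blob
      - '--output-certificate=${certificate}'
      - '--output-signature=${signature}'
      - '${artifact}'
    artifacts: checksum            # sign only checksums.txt, not each artifact
    output: true

dockers:
  - image_templates:
      - 'ghcr.io/goreleaser/supply-chain-example:{{ .Tag }}'
    dockerfile: Dockerfile         # assumed: FROM scratch, COPY of the binary built above
    build_flag_templates:
      - '--label=org.opencontainers.image.source=https://github.com/goreleaser/supply-chain-example'

docker_signs:
  - cmd: cosign
    env:
      - COSIGN_EXPERIMENTAL=1
    artifacts: images              # sign the pushed image by digest
    output: true
    args:
      - sign
      - '${artifact}'
```

Because the archives are built once and the Dockerfile copies that same binary, the checksum in checksums.txt, the SBOM and the image all describe one artifact. Note that the COSIGN_EXPERIMENTAL variable belongs to cosign 1.x; cosign 2.x makes keyless signing the default and, on the verifying side, requires --certificate-identity and --certificate-oidc-issuer so that a signature is only accepted from the expected workflow identity rather than from any Fulcio-issued certificate.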
Verifying

Checksums

wget https://github.com/goreleaser/supply-chain-example/releases/download/v1.2.0/checksums.txt
wget https://github.com/goreleaser/supply-chain-example/releases/download/v1.2.0/checksums.txt.sig

# then, either:
wget https://github.com/goreleaser/supply-chain-example/releases/download/v1.2.0/checksums.txt.pem
cosign verify-blob --cert checksums.txt.pem --signature checksums.txt.sig checksums.txt

# or:
COSIGN_EXPERIMENTAL=1 cosign verify-blob --signature checksums.txt.sig checksums.txt

You can then download any file you want from the release, and verify it with, for example:

wget https://github.com/goreleaser/supply-chain-example/releases/download/v1.2.0/supply-chain-example_1.2.0_linux_amd64.tar.gz.sbom
wget https://github.com/goreleaser/supply-chain-example/releases/download/v1.2.0/supply-chain-example_1.2.0_linux_amd64.tar.gz
sha256sum --ignore-missing -c checksums.txt

And both should say "OK".

You can then inspect the .sbom file to see the entire dependency tree of the binary.

Docker image

COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/goreleaser/supply-chain-example:v1.2.0

About

Example goreleaser + github actions config with keyless signing and SBOM generation
