
Commit 5d95c28

Sign the generated BOMs (#1794)
Signed-off-by: Prabhu Subramanian <[email protected]>
1 parent eba6f77 commit 5d95c28


5 files changed

+81
-0
lines changed


.github/workflows/image-build.yml

Lines changed: 13 additions & 0 deletions
@@ -86,19 +86,32 @@ jobs:
8686
push: true
8787
tags: ${{ steps.cdxgen-metadata.outputs.tags }}
8888
labels: ${{ steps.cdxgen-metadata.outputs.labels }}
89+
- name: save private key to file
90+
run: |
91+
echo $SBOM_SIGN_PRIVATE_KEY_DATA > private.key
92+
env:
93+
SBOM_SIGN_PRIVATE_KEY_DATA: ${{ secrets.SBOM_SIGN_PRIVATE_KEY }}
8994
- name: Attach cdx sbom to base
9095
run: |
9196
corepack pnpm install --config.strict-dep-builds=true --package-import-method copy --frozen-lockfile
9297
node bin/cdxgen.js -t docker -o sbom-oci-base-image.cdx.json ${{ fromJSON(steps.base-metadata.outputs.json).tags[0] }}
98+
node bin/verify.js -i sbom-oci-base-image.cdx.json --public-key contrib/bom-signer/public.key
9399
oras attach --artifact-type sbom/cyclonedx ${{ fromJSON(steps.base-metadata.outputs.json).tags[0] }} ./sbom-oci-base-image.cdx.json:application/json
94100
oras discover --format tree ${{ fromJSON(steps.base-metadata.outputs.json).tags[0] }}
95101
continue-on-error: true
96102
if: github.ref == 'refs/heads/master'
103+
env:
104+
SBOM_SIGN_ALGORITHM: ${{ secrets.SBOM_SIGN_ALGORITHM }}
105+
SBOM_SIGN_PRIVATE_KEY: private.key
97106
- name: Attach cdx sbom
98107
run: |
99108
corepack pnpm install --config.strict-dep-builds=true --package-import-method copy --frozen-lockfile
100109
node bin/cdxgen.js -t docker -o sbom-oci-image.cdx.json ${{ fromJSON(steps.cdxgen-metadata.outputs.json).tags[0] }}
110+
node bin/verify.js -i sbom-oci-base-image.cdx.json --public-key contrib/bom-signer/public.key
101111
oras attach --artifact-type sbom/cyclonedx ${{ fromJSON(steps.cdxgen-metadata.outputs.json).tags[0] }} ./sbom-oci-image.cdx.json:application/json
102112
oras discover --format tree ${{ fromJSON(steps.cdxgen-metadata.outputs.json).tags[0] }}
103113
continue-on-error: true
104114
if: ${{ startsWith(github.ref, 'refs/tags/') && ! fromJSON(inputs.image).cdxgen-image.skip-tags }}
115+
env:
116+
SBOM_SIGN_ALGORITHM: ${{ secrets.SBOM_SIGN_ALGORITHM }}
117+
SBOM_SIGN_PRIVATE_KEY: private.key
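Review bot: the second `Attach cdx sbom` step verifies the wrong file: the new line `node bin/verify.js -i sbom-oci-base-image.cdx.json --public-key contrib/bom-signer/public.key` checks the base-image BOM again instead of the `sbom-oci-image.cdx.json` that the preceding `cdxgen.js` call just generated, so the image BOM is attached unverified; change `-i` to `sbom-oci-image.cdx.json`. In `save private key to file`, `echo $SBOM_SIGN_PRIVATE_KEY_DATA > private.key` expands the secret unquoted, so a multi-line PEM is word-split and written back as one space-joined line; use `printf '%s\n' "$SBOM_SIGN_PRIVATE_KEY_DATA" > private.key` and `chmod 600 private.key`. Both attach steps keep `continue-on-error: true`, so a failed verification is logged but never fails the job; if the signature check is meant to gate publication, run `verify.js` in its own step without that setting.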

.github/workflows/npm-release.yml

Lines changed: 36 additions & 0 deletions
@@ -124,14 +124,23 @@ jobs:
124124
nydusify check --target ${{ steps.meta.outputs.tags }}-nydus
125125
if: github.ref == 'refs/heads/master'
126126
continue-on-error: true
127+
- name: save private key to file
128+
run: |
129+
echo $SBOM_SIGN_PRIVATE_KEY_DATA > private.key
130+
env:
131+
SBOM_SIGN_PRIVATE_KEY_DATA: ${{ secrets.SBOM_SIGN_PRIVATE_KEY }}
127132
- name: Attach cdx sbom
128133
run: |
129134
corepack pnpm install --config.strict-dep-builds=true --package-import-method copy --frozen-lockfile
130135
node bin/cdxgen.js -t docker -o cdxgen-oci-image.cdx.json ghcr.io/cyclonedx/cdxgen:latest
136+
node bin/verify.js -i cdxgen-oci-image.cdx.json --public-key contrib/bom-signer/public.key
131137
oras attach --artifact-type sbom/cyclonedx ghcr.io/cyclonedx/cdxgen:latest ./cdxgen-oci-image.cdx.json:application/json
132138
oras discover --format tree ghcr.io/cyclonedx/cdxgen:latest
133139
continue-on-error: true
134140
if: startsWith(github.ref, 'refs/tags/')
141+
env:
142+
SBOM_SIGN_ALGORITHM: ${{ secrets.SBOM_SIGN_ALGORITHM }}
143+
SBOM_SIGN_PRIVATE_KEY: private.key
135144
- name: Attach cdx sbom to release
136145
uses: softprops/action-gh-release@v2
137146
if: startsWith(github.ref, 'refs/tags/')
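Review bot: `save private key to file` has no `if:` condition while the attach step it serves runs only on `refs/tags/`, so the private key is written into the workspace on every run of this job, including master pushes that never use it. Give the step the same `if:` as its consumer, quote the expansion (`printf '%s\n' "$SBOM_SIGN_PRIVATE_KEY_DATA" > private.key`) and restrict the file mode, and add an `if: always()` cleanup step that removes `private.key` so it cannot be swept up by a later upload or cache action in the same job.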
@@ -174,14 +183,23 @@ jobs:
174183
push: true
175184
tags: ${{ steps.meta2.outputs.tags }}
176185
labels: ${{ steps.meta2.outputs.labels }}
186+
- name: save private key to file
187+
run: |
188+
echo $SBOM_SIGN_PRIVATE_KEY_DATA > private.key
189+
env:
190+
SBOM_SIGN_PRIVATE_KEY_DATA: ${{ secrets.SBOM_SIGN_PRIVATE_KEY }}
177191
- name: Attach cdx sbom
178192
run: |
179193
corepack pnpm install --config.strict-dep-builds=true --package-import-method copy --frozen-lockfile
180194
node bin/cdxgen.js -t docker -o cdxgen-secure-oci-image.cdx.json ghcr.io/cyclonedx/cdxgen-secure:latest
195+
node bin/verify.js -i cdxgen-secure-oci-image.cdx.json --public-key contrib/bom-signer/public.key
181196
oras attach --artifact-type sbom/cyclonedx ghcr.io/cyclonedx/cdxgen-secure:latest ./cdxgen-secure-oci-image.cdx.json:application/json
182197
oras discover --format tree ghcr.io/cyclonedx/cdxgen-secure:latest
183198
continue-on-error: true
184199
if: startsWith(github.ref, 'refs/tags/')
200+
env:
201+
SBOM_SIGN_ALGORITHM: ${{ secrets.SBOM_SIGN_ALGORITHM }}
202+
SBOM_SIGN_PRIVATE_KEY: private.key
185203
- name: Attach cdx secure sbom to release
186204
uses: softprops/action-gh-release@v2
187205
if: startsWith(github.ref, 'refs/tags/')
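Review bot: this is the third copy of the same `save private key to file` step and `env:` wiring in this workflow (plus one in image-build.yml); factor it into a composite action or reusable workflow so that the quoting, permission and cleanup fixes only have to be applied once. `SBOM_SIGN_PRIVATE_KEY: private.key` is a path relative to the job's working directory, which matches where the `echo` writes the file today, but any later `working-directory:` change will make signing fail and the failure will be hidden by `continue-on-error: true`; `${{ github.workspace }}/private.key` removes that ambiguity.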
@@ -235,14 +253,23 @@ jobs:
235253
push: true
236254
tags: ${{ steps.meta2.outputs.tags }}
237255
labels: ${{ steps.meta2.outputs.labels }}
256+
- name: save private key to file
257+
run: |
258+
echo $SBOM_SIGN_PRIVATE_KEY_DATA > private.key
259+
env:
260+
SBOM_SIGN_PRIVATE_KEY_DATA: ${{ secrets.SBOM_SIGN_PRIVATE_KEY }}
238261
- name: Attach cdx sbom
239262
run: |
240263
corepack pnpm install --config.strict-dep-builds=true --package-import-method copy --frozen-lockfile
241264
node bin/cdxgen.js -t docker -o cdxgen-deno-oci-image.cdx.json ghcr.io/cyclonedx/cdxgen-deno:latest
265+
node bin/verify.js -i cdxgen-deno-oci-image.cdx.json --public-key contrib/bom-signer/public.key
242266
oras attach --artifact-type sbom/cyclonedx ghcr.io/cyclonedx/cdxgen-deno:latest ./cdxgen-deno-oci-image.cdx.json:application/json
243267
oras discover --format tree ghcr.io/cyclonedx/cdxgen-deno:latest
244268
continue-on-error: true
245269
if: startsWith(github.ref, 'refs/tags/')
270+
env:
271+
SBOM_SIGN_ALGORITHM: ${{ secrets.SBOM_SIGN_ALGORITHM }}
272+
SBOM_SIGN_PRIVATE_KEY: private.key
246273
- name: Attach cdx deno sbom to release
247274
uses: softprops/action-gh-release@v2
248275
if: startsWith(github.ref, 'refs/tags/')
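Review bot: `SBOM_SIGN_ALGORITHM: ${{ secrets.SBOM_SIGN_ALGORITHM }}` treats the algorithm as a secret, but the verifier must know it anyway and the README added in this commit tells users to export `RS512`; if the secret value ever differs from what `contrib/bom-signer/public.key` was generated for, `verify.js` fails here and the job still goes green. Keep the algorithm as a plain workflow `env:` value so reviewers can see that it matches the documented one, and let a failed verification fail the step.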
@@ -342,14 +369,23 @@ jobs:
342369
push: true
343370
tags: ${{ steps.meta5.outputs.tags }}
344371
labels: ${{ steps.meta5.outputs.labels }}
372+
- name: save private key to file
373+
run: |
374+
echo $SBOM_SIGN_PRIVATE_KEY_DATA > private.key
375+
env:
376+
SBOM_SIGN_PRIVATE_KEY_DATA: ${{ secrets.SBOM_SIGN_PRIVATE_KEY }}
345377
- name: Attach cdx sbom
346378
run: |
347379
corepack pnpm install --config.strict-dep-builds=true --package-import-method copy --frozen-lockfile
348380
node bin/cdxgen.js -t docker -o cdxgen-bun-oci-image.cdx.json ghcr.io/cyclonedx/cdxgen-bun:latest
381+
node bin/verify.js -i cdxgen-bun-oci-image.cdx.json --public-key contrib/bom-signer/public.key
349382
oras attach --artifact-type sbom/cyclonedx ghcr.io/cyclonedx/cdxgen-bun:latest ./cdxgen-bun-oci-image.cdx.json:application/json
350383
oras discover --format tree ghcr.io/cyclonedx/cdxgen-bun:latest
351384
continue-on-error: true
352385
if: startsWith(github.ref, 'refs/tags/')
386+
env:
387+
SBOM_SIGN_ALGORITHM: ${{ secrets.SBOM_SIGN_ALGORITHM }}
388+
SBOM_SIGN_PRIVATE_KEY: private.key
353389
- name: Attach cdx bun sbom to release
354390
uses: softprops/action-gh-release@v2
355391
if: startsWith(github.ref, 'refs/tags/')
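Review bot: because GitHub runs `run:` blocks with `bash -e`, a non-zero exit from `node bin/verify.js -i cdxgen-bun-oci-image.cdx.json ...` aborts the block before `oras attach`, and `continue-on-error: true` then marks the step as passed, so a bad or unsigned BOM results in a tagged image with no SBOM attached and no red job. Split generation, verification and attachment into separate steps, and keep `continue-on-error` only on the `oras discover` diagnostics if it is needed at all.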

contrib/bom-signer/README.md

Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
# Signed BOMs
2+
3+
BOMs generated by cdxgen for the released artifacts are signed with a default private key (stored as a repository secret). Use the public key in this directory to verify the BOMs.
4+
5+
```shell
6+
export SBOM_SIGN_ALGORITHM=RS512
7+
export SBOM_SIGN_PUBLIC_KEY=public.key
8+
9+
cdx-verify -i bom.json --public-key /path/to/public.key
10+
```
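Review bot: the snippet exports `SBOM_SIGN_PUBLIC_KEY=public.key` and then also passes `--public-key /path/to/public.key`; the two point at different files and only one is needed, so keep the flag and drop the variable (or the reverse) so readers do not have to guess which one wins. "a default private key" is vague: state that it is the key held as a repository secret for the GitHub Actions workflows and which artifacts it covers. Since `contrib/bom-signer/public.key` is added in the same commit, the README should also publish the key's fingerprint (for example `openssl pkey -pubin -in public.key -outform DER | sha256sum`) so a user can confirm the key they fetched is the one in the repository, and say what happens on rotation; without that, verifiers have nothing to compare against after the next key change.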

contrib/bom-signer/public.key

Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@

docs/LESSON3.md

Lines changed: 8 additions & 0 deletions
@@ -44,3 +44,11 @@ cdxgen --generate-key-and-sign -t docker -o bom.json docker.io/<repo>/sign-test:
4444
oras attach --artifact-type sbom/cyclonedx docker.io/<repo>/sign-test:latest ./bom.json:application/json
4545
oras discover -o tree docker.io/<repo>/sign-test:latest
4646
```
47+
48+
To download the SBOM attachment from the OCI image, use the `oras pull` command with the correct digest from the `discover` command.
49+
50+
```shell
51+
IMAGE_REF=$(oras discover --format json --artifact-type sbom/cyclonedx docker.io/<repo>/sign-test:latest | jq -r '.manifests[0].reference')
52+
oras pull $IMAGE_REF -o sbom_output_dir
53+
ls -l sbom_output_dir/bom.json
54+
```
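Review bot: `jq -r '.manifests[0].reference'` takes the first referrer blindly; once more than one `sbom/cyclonedx` artifact is attached (a second BOM after a rebuild, for example) index 0 is not necessarily the one the reader wants, so the lesson should show picking the entry by digest from the `discover` output it mentions, and the expansion should be quoted: `oras pull "$IMAGE_REF" -o sbom_output_dir`. Given that this commit is about signed BOMs, the natural last step is missing: after `ls -l sbom_output_dir/bom.json`, run `cdx-verify -i sbom_output_dir/bom.json --public-key public.key` so the reader verifies what they just pulled. The unchanged context above uses `oras discover -o tree` while the new line uses `--format json` and the workflows use `--format tree`; align the docs on the current flag.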
