Last active
September 8, 2024 17:39
-
-
Save ScriptAutomate/b7eca69ac084dc6c776a0d32abb10044 to your computer and use it in GitHub Desktop.
SOPS container creation, using slsa-verifier and cosign to ensure SOPS integrity and artifact provenance
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| FROM ubuntu:24.04 | |
| ARG SLSA_VERIFIER_VERSION=2.6.0 | |
| ARG COSIGN_VERSION=2.4.0 | |
| ARG SOPS_VERSION=3.9.0 | |
| # Prereqs for validation | |
| ## slsa-verifier | |
| ADD https://github.com/slsa-framework/slsa-verifier/releases/download/v${SLSA_VERIFIER_VERSION}/slsa-verifier-linux-amd64 /tmp/slsa-verifier-linux-amd64 | |
| ADD https://github.com/slsa-framework/slsa-verifier/releases/download/v${SLSA_VERIFIER_VERSION}/slsa-verifier-linux-amd64.intoto.jsonl /tmp/slsa-verifier-linux-amd64.intoto.jsonl | |
| ADD https://raw.githubusercontent.com/slsa-framework/slsa-verifier/main/SHA256SUM.md /tmp/slsa-SHA256SUM.md | |
| ## cosign | |
| ADD https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64 /tmp/cosign-linux-amd64 | |
| ADD https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64-keyless.pem /tmp/cosign-linux-amd64-keyless.pem | |
| ADD https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64-keyless.sig /tmp/cosign-linux-amd64-keyless.sig | |
| ADD https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign_checksums.txt /tmp/cosign_checksums.txt | |
| # sops | |
| ## Download the linux binary of sops | |
| ADD https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.amd64 /tmp/sops-v${SOPS_VERSION}.linux.amd64 | |
| ## Download the checksums file, certificate and signature | |
| ADD https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.checksums.txt /tmp/sops-v${SOPS_VERSION}.checksums.txt | |
| ADD https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.checksums.pem /tmp/sops-v${SOPS_VERSION}.checksums.pem | |
| ADD https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.checksums.sig /tmp/sops-v${SOPS_VERSION}.checksums.sig | |
| ## Download the metadata file for verifying artifact provenance | |
| ADD https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.intoto.jsonl /tmp/sops-v${SOPS_VERSION}.intoto.jsonl | |
| # Ensure latest updates and required certs | |
| RUN apt update && apt upgrade -y && apt install ca-certificates -y | |
| # slsa-verifier | |
| ## Verify binary integrity | |
| RUN cd /tmp && cat slsa-SHA256SUM.md | grep ${SLSA_VERIFIER_VERSION} -A7 | sha256sum -c --strict --ignore-missing && chmod +x slsa-verifier-linux-amd64 | |
| ## Verify artifact provenance | |
| RUN cd /tmp && ./slsa-verifier-linux-amd64 verify-artifact slsa-verifier-linux-amd64 --provenance-path slsa-verifier-linux-amd64.intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag v${SLSA_VERIFIER_VERSION} | |
| # cosign | |
| ## Prep for binary verification | |
| RUN cd /tmp && base64 -d cosign-linux-amd64-keyless.sig > cosign-release.sig.decoded && base64 -d cosign-linux-amd64-keyless.pem > cosign-release.pem.decoded | |
| ## Verify binary integrity | |
| RUN cd /tmp && sha256sum -c --strict cosign_checksums.txt --ignore-missing && chmod +x cosign-linux-amd64 | |
| ## Verify binary via signature and cert | |
| RUN cd /tmp && ./cosign-linux-amd64 verify-blob cosign-linux-amd64 --certificate cosign-release.pem.decoded --signature cosign-release.sig.decoded --certificate-identity keyless@projectsigstore.iam.gserviceaccount.com --certificate-oidc-issuer https://accounts.google.com | |
| # sops | |
| ## Verify checksums file signature | |
| RUN cd /tmp && ./cosign-linux-amd64 verify-blob sops-v${SOPS_VERSION}.checksums.txt --certificate sops-v${SOPS_VERSION}.checksums.pem --signature sops-v${SOPS_VERSION}.checksums.sig --certificate-identity-regexp=https://github.com/getsops --certificate-oidc-issuer=https://token.actions.githubusercontent.com | |
| ## Verify binary integrity | |
| RUN cd /tmp && sha256sum -c --strict sops-v${SOPS_VERSION}.checksums.txt --ignore-missing | |
| ## Verify artifact provenance | |
| RUN cd /tmp && ./slsa-verifier-linux-amd64 verify-artifact sops-v${SOPS_VERSION}.linux.amd64 --provenance-path sops-v${SOPS_VERSION}.intoto.jsonl --source-uri github.com/getsops/sops --source-tag v${SOPS_VERSION} | |
| ## Install | |
| # RUN dpkg -i /tmp/sops_${SOPS_VERSION}_amd64.deb | |
| RUN cd /tmp && chmod +x sops-v${SOPS_VERSION}.linux.amd64 && mv sops-v${SOPS_VERSION}.linux.amd64 /usr/local/bin/sops | |
| # Cleanup | |
| RUN rm -rf /tmp/* | |
| ENTRYPOINT ["sops"] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment