https://github.com/goreleaser/example-supply-chain
Example goreleaser + github actions config with keyless signing and SBOM generation
- Host: GitHub
- URL: https://github.com/goreleaser/example-supply-chain
- Owner: goreleaser
- License: mit
- Created: 2021-12-22T19:17:33.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2024-11-22T08:23:33.000Z (5 months ago)
- Last Synced: 2024-12-05T10:29:19.591Z (5 months ago)
- Topics: cosign, go, golang, goreleaser, sbom, signing, sigstore, software-bill-of-materials, supply-chain, syft
- Language: Go
- Homepage: https://goreleaser.com
- Size: 111 KB
- Stars: 54
- Watchers: 6
- Forks: 11
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-software-supply-chain-security - goreleaser/supply-chain-example: Example goreleaser + github actions config with keyless signing and SBOM generation
README
# supply-chain-example
GoReleaser + Go Mod proxying + Cosign keyless signing + Syft SBOM generation example.
## How it works
GoReleaser manages the entire thing, basically.
It will:
- build using the Go Mod Proxy as source of truth
- call `syft` to create the SBOMs
- create the checksum file
- sign the checksum file with `cosign` (keyless, using the GitHub Actions OIDC token rather than a long-lived key)
- create a docker image using the binary it just built (thus, the binary inside the docker image is the same as the one released)
- sign the docker image with `cosign` as well

## Verifying
### Checksums
```shell
wget https://github.com/goreleaser/example-supply-chain/releases/download/v1.3.4/checksums.txt
cosign verify-blob \
--certificate-identity 'https://github.com/goreleaser/example-supply-chain/.github/workflows/release.yml@refs/tags/v1.3.4' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--cert https://github.com/goreleaser/example-supply-chain/releases/download/v1.3.4/checksums.txt.pem \
--signature https://github.com/goreleaser/example-supply-chain/releases/download/v1.3.4/checksums.txt.sig \
./checksums.txt
```

The `--certificate-identity` and `--certificate-oidc-issuer` flags pin the signature to this repository's release workflow at that exact tag, with the certificate issued through GitHub Actions; a certificate issued to any other workflow, repository or identity provider fails verification.

You can then download any file you want from the release, and verify it with, for example:
```shell
wget https://github.com/goreleaser/example-supply-chain/releases/download/v1.3.4/supply-chain-example_1.3.4_linux_amd64.tar.gz.sbom.json
wget https://github.com/goreleaser/example-supply-chain/releases/download/v1.3.4/supply-chain-example_1.3.4_linux_amd64.tar.gz
sha256sum --ignore-missing -c checksums.txt
```

Both should say "OK".
You can then inspect the `.sbom.json` file to see the entire dependency tree of the binary.
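Put together, the checksum step and the SBOM inspection look like this in Go. This is an added example, not code from the repository: `ParseChecksums` and `VerifyArtifact` do what `sha256sum -c` does (reporting a file that checksums.txt does not list as unverified rather than skipping it), and `ListPurls` pulls the package URLs out of the `.sbom.json`, assuming it is in Syft's default SPDX-JSON format. The checksums.txt line, the archive bytes (`"abc"`, whose SHA-256 is the standard test vector) and the SBOM document are constructed sample data, and the module names in it are illustrative, not the release's real dependencies.

```go
// Added example, not code from the goreleaser/example-supply-chain repo: the check that
// `sha256sum -c checksums.txt` performs, plus a reader for a Syft SPDX-JSON SBOM.
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// ParseChecksums parses GoReleaser's sha256sum-style checksums.txt ("<hex digest>  <filename>")
// into filename -> lowercase hex digest; malformed lines are an error, never skipped.
func ParseChecksums(content string) (map[string]string, error) {
	sums := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		digest, err := hex.DecodeString(fields[0])
		if len(fields) != 2 || err != nil || len(digest) != sha256.Size {
			return nil, fmt.Errorf("malformed checksum line: %q", line)
		}
		sums[fields[1]] = strings.ToLower(fields[0])
	}
	return sums, sc.Err()
}

// VerifyArtifact compares data with the digest recorded for name. Only checksums.txt carries the
// cosign signature, so this comparison is what extends it to the archive; an unlisted file fails.
func VerifyArtifact(sums map[string]string, name string, data []byte) error {
	want, ok := sums[name]
	if !ok {
		return fmt.Errorf("%s: not listed in checksums.txt", name)
	}
	got := sha256.Sum256(data)
	if hex.EncodeToString(got[:]) != want {
		return fmt.Errorf("%s: sha256 mismatch", name)
	}
	return nil
}

// spdxDoc is the subset of an SPDX 2.x JSON document needed to list its package URLs.
type spdxDoc struct {
	SPDXVersion string `json:"spdxVersion"`
	Packages    []struct {
		ExternalRefs []struct {
			ReferenceType    string `json:"referenceType"`
			ReferenceLocator string `json:"referenceLocator"`
		} `json:"externalRefs"`
	} `json:"packages"`
}

// ListPurls returns the sorted package URLs (purl external refs) recorded in an SPDX-JSON
// SBOM, the form easiest to diff between releases or match against advisories.
func ListPurls(sbom []byte) ([]string, error) {
	var doc spdxDoc
	if err := json.Unmarshal(sbom, &doc); err != nil {
		return nil, err
	}
	if !strings.HasPrefix(doc.SPDXVersion, "SPDX-") {
		return nil, fmt.Errorf("not an SPDX document (spdxVersion=%q)", doc.SPDXVersion)
	}
	var purls []string
	for _, p := range doc.Packages {
		for _, r := range p.ExternalRefs {
			if r.ReferenceType == "purl" {
				purls = append(purls, r.ReferenceLocator)
			}
		}
	}
	sort.Strings(purls)
	return purls, nil
}

// Constructed checksums.txt: the digest is SHA-256("abc"), standing in for real archive bytes.
const sampleChecksums = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  supply-chain-example_1.3.4_linux_amd64.tar.gz\n"

// Constructed minimal SPDX-JSON document in the shape Syft emits; the module names and
// versions are illustrative, not the real release's dependencies.
const sampleSBOM = `{"spdxVersion":"SPDX-2.3","name":"supply-chain-example_1.3.4_linux_amd64.tar.gz","packages":[
 {"name":"github.com/spf13/cobra","versionInfo":"v1.8.0","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:golang/github.com/spf13/cobra@v1.8.0"}]},
 {"name":"golang.org/x/sys","versionInfo":"v0.15.0","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:golang/golang.org/x/sys@v0.15.0"}]}]}`

func main() {
	sums, _ := ParseChecksums(sampleChecksums)
	archive := "supply-chain-example_1.3.4_linux_amd64.tar.gz"
	fmt.Println("genuine: ", VerifyArtifact(sums, archive, []byte("abc")))
	fmt.Println("tampered:", VerifyArtifact(sums, archive, []byte("abd")))
	fmt.Println("unlisted:", VerifyArtifact(sums, "extra.tar.gz", []byte("abc")))
	purls, _ := ListPurls([]byte(sampleSBOM))
	fmt.Println(purls)
}
```

The order of trust matters: run this only after `cosign verify-blob` has accepted checksums.txt, because a digest match against an unsigned or substituted checksum file proves nothing. The purl list is what you would feed to a vulnerability scanner or diff against the previous release's SBOM.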
### Attestations
This example also publishes GitHub build attestations for the release artifacts.
You can verify any artifact with the `gh` CLI (it takes one artifact per invocation):

```shell
for f in *.tar.gz; do
  gh attestation verify --owner goreleaser "$f"
done
```

### Docker image
```shell
cosign verify \
--certificate-identity 'https://github.com/goreleaser/example-supply-chain/.github/workflows/release.yml@refs/tags/v1.3.4' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
ghcr.io/goreleaser/example-supply-chain:v1.3.4
```