add signing to action (#729)

* add signing to action * add cosign pub key to README.md * add cosign to release * add CHANGELOG.md --------- Co-authored-by: Jörg Zimmermann <[email protected]>
fkie-cad · Dec 17, 2024 · e668b17 · e668b17
1 parent 474d906
commit e668b17
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 29 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -126,10 +126,11 @@ jobs:
       - name: Ensure logprep is available in image
         run: |
           docker run --rm ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} --version
-  
+
       # This step will build the image again, but every layer will already be cached, so it is nearly instantaneous.
       - name: Push image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
+        id: build-and-push
         with:
           context: .
           push: true
@@ -138,7 +139,7 @@ jobs:
             PYTHON_VERSION=${{ matrix.python-version }}
           tags: |
             ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
-  
+
       # To avoid the trivy-db becoming outdated, we save the cache for one day
       - name: Get date
         id: date
@@ -151,7 +152,7 @@ jobs:
           key: trivy-cache-${{ steps.date.outputs.date }}
           restore-keys:
             trivy-cache-
-      
+
       - name: Scan image using Trivy
         uses: aquasecurity/[email protected]
         env:
@@ -166,3 +167,16 @@ jobs:
       # So we need to change the permissions before caching the database.
       - name: Change permissions for trivy.db
         run: sudo chmod 0644 ./cache/db/trivy.db
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: 'v2.4.1'
+
+      - name: Sign image with a key
+        run: |
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
diff --git a/...ws/publish-latest-dev-release-to-pypi.yml → .../publish-latest-dev-release-to-github.yml b/...ws/publish-latest-dev-release-to-pypi.yml → .../publish-latest-dev-release-to-github.yml
diff --git a/.github/workflows/publish-release-to-pypi.yml b/.github/workflows/publish-release-to-pypi.yml
@@ -90,3 +90,16 @@ jobs:
             ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.ref_name }}
             ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-stable
             ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-latest
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: 'v2.4.1'
+
+      - name: Sign image with a key
+        run: |
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -31,6 +31,7 @@ the list is now fixed inside the packaged logprep
 * remove `tldextract` dependency
 * remove `urlextract` dependency
 * fix wrong documentation for `timestamp_differ`
+* add container signatures to image build inside ci pipeline
 
 ### Bugfix
 

diff --git a/README.md b/README.md
@@ -26,18 +26,15 @@ message is sent to a configured output connector.
 Logprep is primarily designed to process log messages. Generally, Logprep can handle JSON messages,
 allowing further applications besides log handling.
 
-This readme provides basic information about the following topics:
-- [About Logprep](#about-logprep)
-- [Getting Started](https://logprep.readthedocs.io/en/latest/getting_started.html)
+- [About Logprep](https://github.com/fkie-cad/Logprep/blob/main/README.md#about-logprep)
+- [Installation](https://logprep.readthedocs.io/en/latest/installation.html)
 - [Deployment Examples](https://logprep.readthedocs.io/en/latest/examples/index.html)
 - [Event Generation](https://logprep.readthedocs.io/en/latest/user_manual/execution.html#event-generation)
 - [Documentation](https://logprep.readthedocs.io/en/latest)
-- [Contributing](CONTRIBUTING)
-- [License](LICENSE)
-- [Changelog](CHANGELOG.md)
-
-More detailed information can be found in the
-[Documentation](https://logprep.readthedocs.io/en/latest/).
+- [Container signatures](https://github.com/fkie-cad/Logprep/blob/main/README.md#container-signatures)
+- [Contributing](https://github.com/fkie-cad/Logprep/blob/main/CONTRIBUTING.md)
+- [License](https://github.com/fkie-cad/Logprep/blob/main/LICENSE)
+- [Changelog](https://github.com/fkie-cad/Logprep/blob/main/CHANGELOG.md)
 
 ## About Logprep
 
@@ -230,22 +227,6 @@ If it does exist then the dropper would delete this field from the log message.
 Details about the rule language and how to write rules for the processors can be found in the
 [rule configuration documentation](https://logprep.readthedocs.io/en/latest/configuration/rules.html).
 
-## Getting Started
-
-For installation instructions see: https://logprep.readthedocs.io/en/latest/installation.html
-For execution instructions see: https://logprep.readthedocs.io/en/latest/user_manual/execution.html
-
-### Reload the Configuration
-
-A `config_refresh_interval` can be set to periodically and automatically refresh the given configuration.
-This can be useful in case of containerized environments (such as Kubernetes), when pod volumes often change
-on the fly.
-
-If the configuration does not pass a consistency check, then an error message is logged and
-Logprep keeps running with the previous configuration.
-The configuration should be then checked and corrected on the basis of the error message.
-
-
 ## Documentation
 
 The documentation for Logprep is online at https://logprep.readthedocs.io/en/latest/ or it can
@@ -259,3 +240,22 @@ make html
 ```
 
 A HTML documentation can be then found in `doc/_build/html/index.html`.
+
+## Container signatures
+
+From release 15 on, Logprep containers are signed using the cosign tool.
+To verify the container, you can copy the following public key into a file
+`logprep.pub`:
+
+```
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgkQXDi/N4TDFE2Ao0pulOFfbGm5g
+kVtARE+LJfSFI25BanOG9jaxxRGVt+Sa1KtQbMcy7Glxu0s7XgD9VFGjTA==
+-----END PUBLIC KEY-----
+```
+
+And use it to verify the signature:
+
+```
+cosign verify --key logprep.pub ghcr.io/fkie-cad/logprep:3.11-latest
+```