manual signing blob from github workflow

[salrashid123]

I'm trying to use cosign to manually sign-blob from within a github workflow using bazel:

the version of cosign in bazel v3.0.4/cosign-linux-amd64 and i want to do the signing entirely within the bazel target

Using a raw -key works but if i use the keyless, i'm not sure what i need to set in the -signing-config file.

I know why its not working now is because the signing-config i'm using points to sigstore as the provider.

Any pointers to what values should i use for github workflow?

genrule(
    name = "sign_binary",
    srcs = [":server_linux_amd64",":server_linux_arm64", "//certs:import-cosign.key","//certs:signing_config.json","//certs:signing_config.v0.2.json"],
    outs = ["server_linux_amd64.sig","server_linux_arm64.sig"],
    tools = ["@cosign_binary//file"],
    cmd = """
        ## using local cosign cert and key and no tlog upload
        export COSIGN_PASSWORD=""
        $(location @cosign_binary//file) sign-blob --key $(location //certs:import-cosign.key) --signing-config $(location //certs:signing_config.json) --bundle $(location server_linux_amd64.sig) $(location :server_linux_amd64)

        ## using keyless and upload
        #export COSIGN_EXPERIMENTAL=1
        #$(location @cosign_binary//file) sign-blob --yes --signing-config $(location //certs:signing_config.v0.2.json) --bundle $(location server_linux_amd64.sig) $(location :server_linux_amd64)
    """,
)

[cmurphy]

What error do you run into when you sign without --key?

Have you had a look at https://docs.sigstore.dev/quickstart/quickstart-ci/#signing-and-verifying-a-container-image ? It's discussing using the cosign-installer action but most of it should apply to what you're doing with bazel in the github workflow.

Cosign should be able to automatically detect that it's running in a Github environment and use the workflow's OIDC token for keyless signing. That doc gives an example of the workflow identity and issuer string that you can use for verification.

[salrashid123]

hi @cmurphy i think whats happening is cosin isn't detecting the environment from within bazel's genrule

the error i got is a timeout which is waiting on userinput from the browser

I didn't want to use the standard cosign github workflow rules cited becasue i want do all the steps inside bazel itself.

since bazel is hermetic, i think i need to surface the way cosign detects which enviornment its in. If you've got apointer to where in cosign's code it detects the github environment, i can work backwards to expose that. I can also look at rules_oci 's cosign integration with bazel to see how they did it too

if ther'es an explicit signing_config which describes the oidc config used implicitly in cosign, i can use that too i think

thx

[salrashid123]

ok, got it working by plumbing the ACTIONS_ID_TOKEN_REQUEST_TOKEN, ACTIONS_ID_TOKEN_REQUEST_URL env vars directly into the genrule as --action_env bazel directives

in the github workflow.yaml

permissions:
  id-token: write # needed for keyless signing

      - name: sign binary artifacts    
        run: bazelisk build  app:sign_binary --action_env=ACTIONS_ID_TOKEN_REQUEST_TOKEN=$ACTIONS_ID_TOKEN_REQUEST_TOKEN --action_env=ACTIONS_ID_TOKEN_REQUEST_URL=$ACTIONS_ID_TOKEN_REQUEST_URL

at that point, the env vars are picked up automatically with cosign

genrule(
    name = "sign_binary",
    srcs = [":server_linux_amd64",":server_linux_arm64", "//certs:import-cosign.key","//certs:signing_config.json","//certs:signing_config.v0.2.json"],
    outs = ["server_linux_amd64.sig","server_linux_arm64.sig"],
    tools = ["@cosign_binary//file"],
    cmd = """
        export COSIGN_EXPERIMENTAL=1
        $(location @cosign_binary//file) sign-blob --yes  --bundle $(location server_linux_amd64.sig) $(location :server_linux_amd64)
        $(location @cosign_binary//file) sign-blob --yes  --bundle $(location server_linux_arm64.sig) $(location :server_linux_arm64)
    """,
)

---

if anyone's intersted, the end to end workflow is here

• https://github.com/salrashid123/go-bazel-github-workflow