CD/CD consolidation

2025-12-26 17:32:23 +02:00
parent a866eb6277
commit c786faae84
638 changed files with 3821 additions and 181 deletions
--- a/devops/tools/cosign/README.md
+++ b/devops/tools/cosign/README.md
@@ -0,0 +1,124 @@
+# Cosign binaries (runtime/signals signing)
+
+## Preferred (system)
+- Version: `v3.0.2`
+- Path: `/usr/local/bin/cosign` (installed on WSL Debian host)
+- Breaking change: v3 requires `--bundle <file>` when signing blobs; older `--output-signature`/`--output-certificate` pairs are deprecated.
+
+## Offline fallback (repo-pinned)
+- Version: `v2.6.0`
+- Binary: `tools/cosign/cosign` → `tools/cosign/v2.6.0/cosign-linux-amd64`
+- SHA256: `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`
+- Check: `cd tools/cosign/v2.6.0 && sha256sum -c cosign_checksums.txt --ignore-missing`
+
+## Usage examples
+- v3 DSSE blob: `cosign sign-blob --key cosign.key --predicate-type stella.ops/confidenceDecayConfig@v1 --bundle confidence_decay_config.sigstore.json decay/confidence_decay_config.yaml`
+- v3 verify: `cosign verify-blob --bundle confidence_decay_config.sigstore.json decay/confidence_decay_config.yaml`
+- To force offline fallback, export `PATH=./tools/cosign:$PATH` (ensures v2.6.0 is used).
+
+## CI Workflow: signals-dsse-sign.yml
+
+The `.gitea/workflows/signals-dsse-sign.yml` workflow automates DSSE signing for Signals artifacts.
+
+### Required Secrets
+| Secret | Description | Required |
+|--------|-------------|----------|
+| `COSIGN_PRIVATE_KEY_B64` | Base64-encoded cosign private key | Yes (for production) |
+| `COSIGN_PASSWORD` | Password for the private key | If key is encrypted |
+| `CI_EVIDENCE_LOCKER_TOKEN` | Token for Evidence Locker upload | Optional |
+
+### Trigger Options
+1. **Automatic**: On push to `main` when signals artifacts change
+2. **Manual**: Via workflow_dispatch with options:
+   - `out_dir`: Output directory (default: `evidence-locker/signals/2025-12-01`)
+   - `allow_dev_key`: Set to `1` for testing with dev key
+
+### Setting Up CI Secrets
+```bash
+# Generate production key pair (do this once, securely)
+cosign generate-key-pair
+
+# Base64 encode the private key
+cat cosign.key | base64 -w0 > cosign.key.b64
+
+# Add to Gitea secrets:
+# - COSIGN_PRIVATE_KEY_B64: contents of cosign.key.b64
+# - COSIGN_PASSWORD: password used during key generation
+```
+
+## CI / secrets (manual usage)
+- CI should provide a base64-encoded private key via secret `COSIGN_PRIVATE_KEY_B64` and optional password in `COSIGN_PASSWORD`.
+- Example bootstrap in jobs:
+  ```bash
+  echo "$COSIGN_PRIVATE_KEY_B64" | base64 -d > /tmp/cosign.key
+  chmod 600 /tmp/cosign.key
+  COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" cosign version
+  ```
+- For local dev, copy your own key to `tools/cosign/cosign.key` or export `COSIGN_PRIVATE_KEY_B64` before running signing scripts. Never commit real keys; only `cosign.key.example` lives in git.
+
+## Development signing key
+
+A development key pair is provided for local testing and smoke tests:
+
+| File | Description |
+|------|-------------|
+| `tools/cosign/cosign.dev.key` | Private key (password-protected) |
+| `tools/cosign/cosign.dev.pub` | Public key for verification |
+
+### Usage
+```bash
+# Sign signals artifacts with dev key
+COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
+  OUT_DIR=docs/modules/signals/dev-test \
+  tools/cosign/sign-signals.sh
+
+# Verify a signature
+cosign verify-blob \
+  --key tools/cosign/cosign.dev.pub \
+  --bundle docs/modules/signals/dev-test/confidence_decay_config.sigstore.json \
+  docs/modules/signals/decay/confidence_decay_config.yaml
+```
+
+### Security Notes
+- Password: `stellaops-dev` (do not reuse elsewhere)
+- **NOT** for production or Evidence Locker ingestion
+- Real signing requires the Signals Guild key via `COSIGN_PRIVATE_KEY_B64` (CI) or `tools/cosign/cosign.key` (local drop-in)
+- `sign-signals.sh` requires `COSIGN_ALLOW_DEV_KEY=1` to use the dev key; otherwise it refuses
+- The signing helper disables tlog upload (`--tlog-upload=false`) and auto-accepts prompts (`--yes`) for offline runs
+
+## Signing Scripts
+
+### sign-signals.sh
+Signs decay config, unknowns manifest, and heuristics catalog with DSSE envelopes.
+
+```bash
+# Production (CI secret or cosign.key drop-in)
+OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh
+
+# Development (dev key)
+COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
+  OUT_DIR=docs/modules/signals/dev-test \
+  tools/cosign/sign-signals.sh
+```
+
+### Key Resolution Order
+1. `COSIGN_KEY_FILE` environment variable
+2. `COSIGN_PRIVATE_KEY_B64` (decoded to temp file)
+3. `tools/cosign/cosign.key` (production drop-in)
+4. `tools/cosign/cosign.dev.key` (only if `COSIGN_ALLOW_DEV_KEY=1`)
+
+### sign-authority-gaps.sh
+Signs Authority gap artefacts (AU1–AU10, RR1–RR10) under `docs/modules/authority/gaps/artifacts/`.
+
+```
+# Production (Authority key via CI secret or cosign.key drop-in)
+OUT_DIR=docs/modules/authority/gaps/dsse/2025-12-04 tools/cosign/sign-authority-gaps.sh
+
+# Development (dev key, smoke only)
+COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
+  OUT_DIR=docs/modules/authority/gaps/dev-smoke/2025-12-04 \
+  tools/cosign/sign-authority-gaps.sh
+```
+
+- Outputs bundles or dsse signatures plus `SHA256SUMS` in `OUT_DIR`.
+- tlog upload disabled (`--tlog-upload=false`) and prompts auto-accepted (`--yes`) for offline use.
--- a/devops/tools/cosign/cosign
+++ b/devops/tools/cosign/cosign
@@ -0,0 +1 @@
+v2.6.0/cosign-linux-amd64
--- a/devops/tools/cosign/cosign.dev.key
+++ b/devops/tools/cosign/cosign.dev.key
@@ -0,0 +1,11 @@
+-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----
+eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjo2NTUzNiwiciI6
+OCwicCI6MX0sInNhbHQiOiJ5dlhpaXliR2lTR0NPS2x0Q2M1dlFhTy91S3pBVzNs
+Skl3QTRaU2dEMTAwPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
+Iiwibm9uY2UiOiIyNHA0T2xJZnJxdnhPVnM3dlY2MXNwVGpkNk80cVBEVCJ9LCJj
+aXBoZXJ0ZXh0IjoiTHRWSGRqVi94MXJrYXhscGxJbVB5dkVtc2NBYTB5dW5oakZ5
+UUFiZ1RSNVdZL3lCS0tYMWdFb09hclZDWksrQU0yY0tIM2tJQWlJNWlMd1AvV3c5
+Q3k2SVY1ek4za014cExpcjJ1QVZNV3c3Y3BiYUhnNjV4TzNOYkEwLzJOSi84R0dN
+NWt1QXhJRWsraER3ZWJ4Tld4WkRtNEZ4NTJVcVJxa2NPT09vNk9xWXB4OWFMaVZw
+RjgzRElGZFpRK2R4K05RUnUxUmNrKzBtOHc9PSJ9
+-----END ENCRYPTED SIGSTORE PRIVATE KEY-----
--- a/devops/tools/cosign/cosign.dev.pub
+++ b/devops/tools/cosign/cosign.dev.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfoI+9RFCTcfjeMqpCQ3FAyvKwBQU
+YAIM2cfDR8W98OxnXV+gfV5Dhfoi8qofAnG/vC7DbBlX2t/gT7GKUZAChA==
+-----END PUBLIC KEY-----
--- a/devops/tools/cosign/cosign.key.example
+++ b/devops/tools/cosign/cosign.key.example
@@ -0,0 +1,8 @@
+# Placeholder development cosign key
+#
+# Do not use in production. Generate your own:
+#   cosign generate-key-pair
+#
+# Store the private key securely (e.g., CI secret COSIGN_PRIVATE_KEY_B64).
+#
+# This file exists only as a path stub for tooling; it is not a real key.
--- a/devops/tools/cosign/v2.6.0/cosign-linux-amd64
+++ b/devops/tools/cosign/v2.6.0/cosign-linux-amd64
--- a/devops/tools/cosign/v2.6.0/cosign_checksums.txt
+++ b/devops/tools/cosign/v2.6.0/cosign_checksums.txt
@@ -0,0 +1,40 @@
+e8c634db1252725eabfd517f02e6ebf0d07bfba5b4779d7b45ef373ceff07b38  cosign-2.6.0-1.aarch64.rpm
+9de55601c34fe7a8eaecb7a2fab93da032dd91d423a04ae6ac17e3f5ed99ec72  cosign-2.6.0-1.armv7hl.rpm
+f7281a822306c35f2bd66c055ba6f77a7298de3375a401b12664035b8b323fdf  cosign-2.6.0-1.ppc64le.rpm
+814b890a07b56bcc6a42dfdf9004fadfe45c112e9b11a0c2f4ebf45568e72b4c  cosign-2.6.0-1.riscv64.rpm
+19241a09cc065f062d63a9c9ce45ed7c7ff839b93672be4688334b925809d266  cosign-2.6.0-1.s390x.rpm
+52709467f072043f24553c6dd1e0f287eeeedb23340dd90a4438b8506df0a0bc  cosign-2.6.0-1.x86_64.rpm
+83b0fb42bc265e62aef7de49f4979b7957c9b7320d362a9f20046b2f823330f3  cosign-darwin-amd64
+3bcbcfc41d89e162e47ba08f70ffeffaac567f663afb3545c0265a5041ce652d  cosign-darwin-amd64_2.6.0_darwin_amd64.sbom.json
+dea5b83b8b375b99ac803c7bdb1f798963dbeb47789ceb72153202e7f20e8d07  cosign-darwin-arm64
+c09a84869eb31fcf334e54d0a9f81bf466ba7444dc975a8fe46b94d742288980  cosign-darwin-arm64_2.6.0_darwin_arm64.sbom.json
+ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9  cosign-linux-amd64
+b4ccc276a5cc326f87d81fd1ae12f12a8dba64214ec368a39401522cccae7f9a  cosign-linux-amd64_2.6.0_linux_amd64.sbom.json
+641e05c21ce423cd263a49b1f9ffca58e2df022cb12020dcea63f8317c456950  cosign-linux-arm
+e09684650882fd721ed22b716ffc399ee11426cd4d1c9b4fec539cba8bf46b86  cosign-linux-arm64
+d05d37f6965c3f3c77260171289281dbf88d1f2b07e865bf9d4fd94d9f2fe5c4  cosign-linux-arm64_2.6.0_linux_arm64.sbom.json
+1b8b96535a7c30dbecead51ac3f51f559b31d8ab1dd4842562f857ebb1941fa5  cosign-linux-arm_2.6.0_linux_arm.sbom.json
+6fa93dbd97664ccce6c3e5221e22e14547b0d202ba829e2b34a3479266b33751  cosign-linux-pivkey-pkcs11key-amd64
+17b9803701f5908476d5904492b7a4d1568b86094c3fbb5a06afaa62a6910e8c  cosign-linux-pivkey-pkcs11key-amd64_2.6.0_linux_amd64.sbom.json
+fbb78394e6fc19a2f34fea4ba03ea796aca84b666b6cdf65f46775f295fc9103  cosign-linux-pivkey-pkcs11key-arm64
+35ac308bd9c59844e056f6251ab76184bfc321cb1b3ac337fdb94a9a289d4d44  cosign-linux-pivkey-pkcs11key-arm64_2.6.0_linux_arm64.sbom.json
+bd9cc643ec8a517ca66b22221b830dc9d6064bd4f3b76579e4e28b6af5cfba5f  cosign-linux-ppc64le
+ef04b0e087b95ce1ba7a902ecc962e50bfc974da0bd6b5db59c50880215a3f06  cosign-linux-ppc64le_2.6.0_linux_ppc64le.sbom.json
+17c8ff6a5dc48d3802b511c3eb7495da6142397ace28af9a1baa58fb34fad75c  cosign-linux-riscv64
+2007628a662808f221dc1983d9fba2676df32bb98717f89360cd191c929492ba  cosign-linux-riscv64_2.6.0_linux_riscv64.sbom.json
+7f7f042e7131950c658ff87079ac9080e7d64392915f06811f06a96238c242c1  cosign-linux-s390x
+e22a35083b21552c80bafb747c022aa2aad302c861a392199bc2a8fad22dd6b5  cosign-linux-s390x_2.6.0_linux_s390x.sbom.json
+7beb4dd1e19a72c328bbf7c0d7342d744edbf5cbb082f227b2b76e04a21c16ef  cosign-windows-amd64.exe
+8110eab8c5842caf93cf05dd26f260b6836d93b0263e49e06c1bd22dd5abb82c  cosign-windows-amd64.exe_2.6.0_windows_amd64.sbom.json
+7713d587f8668ce8f2a48556ee17f47c281cfb90102adfdb7182de62bc016cab  cosign_2.6.0_aarch64.apk
+c51b6437559624ef88b29a1ddd88d0782549b585dbbae0a5cb2fcc02bec72687  cosign_2.6.0_amd64.deb
+438baaa35101e9982081c6450a44ea19e04cd4d2aba283ed52242e451736990b  cosign_2.6.0_arm64.deb
+8dc33858a68e18bf0cc2cb18c2ba0a7d829aa59ad3125366b24477e7d6188024  cosign_2.6.0_armhf.deb
+88397077deee943690033276eef5206f7c60a30ea5f6ced66a51601ce79d0d0e  cosign_2.6.0_armv7.apk
+ca45b82cde86634705187f2361363e67c70c23212283594ff942d583a543f9dd  cosign_2.6.0_ppc64el.deb
+497f1a6d3899493153a4426286e673422e357224f3f931fdc028455db2fb5716  cosign_2.6.0_ppc64le.apk
+1e37d9c3d278323095899897236452858c0bc49b52a48c3bcf8ce7a236bf2ee1  cosign_2.6.0_riscv64.apk
+f2f65cf3d115fa5b25c61f6692449df2f4da58002a99e3efacc52a848fd3bca8  cosign_2.6.0_riscv64.deb
+af0a62231880fd3495bbd1f5d4c64384034464b80930b7ffcd819d7152e75759  cosign_2.6.0_s390x.apk
+e282d9337e4ba163a48ff1175855a6f6d6fbb562bc6c576c93944a6126984203  cosign_2.6.0_s390x.deb
+382a842b2242656ecd442ae461c4dc454a366ed50d41a2dafcce8b689bfd03e4  cosign_2.6.0_x86_64.apk