audit, advisories and doctors/setup work

docs/examples/binary-diff/ci-cd-integration.md

@@ -20,7 +20,6 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      id-token: write  # For keyless signing
 
     steps:
       - name: Checkout
@@ -38,6 +37,12 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Write Signing Key
+        run: |
+          mkdir -p keys
+          printf '%s' "${{ secrets.BINARYDIFF_SIGNING_KEY_PEM }}" > keys/binarydiff.pem
+          chmod 600 keys/binarydiff.pem
+
       - name: Get Previous Tag
         id: prev-tag
         run: |
@@ -52,6 +57,7 @@ jobs:
             --target ghcr.io/${{ github.repository }}:${{ github.ref_name }} \
             --mode=elf \
             --emit-dsse=./attestations/ \
+            --signing-key=./keys/binarydiff.pem \
             --format=json > diff.json
 
       - name: Upload Attestations
@@ -146,11 +152,16 @@ binary-diff:
       PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
 
       if [ -n "$PREV_TAG" ]; then
+        mkdir -p keys
+        printf '%s' "$BINARYDIFF_SIGNING_KEY_PEM" > keys/binarydiff.pem
+        chmod 600 keys/binarydiff.pem
+
         stella scan diff \
           --base ${CI_REGISTRY_IMAGE}:${PREV_TAG} \
           --target ${CI_REGISTRY_IMAGE}:${CI_COMMIT_TAG} \
           --mode=elf \
           --emit-dsse=attestations/ \
+          --signing-key=keys/binarydiff.pem \
           --format=json > diff.json
 
         # Upload to GitLab artifacts
@@ -214,14 +225,18 @@ pipeline {
                     ).trim()
 
                     if (prevTag) {
-                        sh """
-                            stella scan diff \\
-                                --base ${REGISTRY}/${IMAGE}:${prevTag} \\
-                                --target ${REGISTRY}/${IMAGE}:${TAG} \\
-                                --mode=elf \\
-                                --emit-dsse=attestations/ \\
-                                --format=json > diff.json
-                        """
+                        withCredentials([string(credentialsId: 'binarydiff-signing-key-pem', variable: 'BINARYDIFF_SIGNING_KEY_PEM')]) {
+                            sh 'mkdir -p keys && printf "%s" "$BINARYDIFF_SIGNING_KEY_PEM" > keys/binarydiff.pem && chmod 600 keys/binarydiff.pem'
+                            sh """
+                                stella scan diff \\
+                                    --base ${REGISTRY}/${IMAGE}:${prevTag} \\
+                                    --target ${REGISTRY}/${IMAGE}:${TAG} \\
+                                    --mode=elf \\
+                                    --emit-dsse=attestations/ \\
+                                    --signing-key=keys/binarydiff.pem \\
+                                    --format=json > diff.json
+                            """
+                        }
 
                         archiveArtifacts artifacts: 'attestations/*, diff.json'
 
@@ -272,11 +287,16 @@ steps:
       script: |
         PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
         if [ -n "$PREV_TAG" ]; then
+          mkdir -p $(Build.SourcesDirectory)/keys
+          printf '%s' "$(BINARYDIFF_SIGNING_KEY_PEM)" > $(Build.SourcesDirectory)/keys/binarydiff.pem
+          chmod 600 $(Build.SourcesDirectory)/keys/binarydiff.pem
+
           stella scan diff \
             --base $(REGISTRY)/$(IMAGE):${PREV_TAG} \
             --target $(REGISTRY)/$(IMAGE):$(Build.SourceBranchName) \
             --mode=elf \
             --emit-dsse=$(Build.ArtifactStagingDirectory)/attestations/ \
+            --signing-key=$(Build.SourcesDirectory)/keys/binarydiff.pem \
             --format=json > $(Build.ArtifactStagingDirectory)/diff.json
         fi