69 lines
2.0 KiB
Bash
69 lines
2.0 KiB
Bash
#!/usr/bin/env bash
|
||
set -euo pipefail
|
||
|
||
# Inputs (typically provided by CI/CD)
|
||
IMAGE_REF="${IMAGE_REF:?missing IMAGE_REF}" # e.g. ghcr.io/org/app:tag
|
||
ATTEST_PATH="${ATTEST_PATH:?missing ATTEST_PATH}" # DSSE envelope file path
|
||
REKOR_URL="${REKOR_URL:-https://rekor.sigstore.dev}"
|
||
KEY_REF="${KEY_REF:-cosign.key}" # could be KMS / keyless etc.
|
||
OUT_META_JSON="${OUT_META_JSON:-provenance-meta.json}"
|
||
|
||
# 1) Upload DSSE envelope to Rekor with JSON output
|
||
rekor-cli upload \
|
||
--rekor_server "${REKOR_URL}" \
|
||
--artifact "${ATTEST_PATH}" \
|
||
--type dsse \
|
||
--format json > rekor-upload.json
|
||
|
||
LOG_INDEX=$(jq '.LogIndex' rekor-upload.json)
|
||
UUID=$(jq -r '.UUID' rekor-upload.json)
|
||
INTEGRATED_TIME=$(jq '.IntegratedTime' rekor-upload.json)
|
||
|
||
# 2) Compute envelope SHA256
|
||
ENVELOPE_SHA256=$(sha256sum "${ATTEST_PATH}" | awk '{print $1}')
|
||
|
||
# 3) Extract key metadata (example for local file key; adapt for Fulcio/KMS)
|
||
# For keyless/Fulcio you’d normally extract cert from cosign verify-attestation.
|
||
KEY_ID="${KEY_ID:-${KEY_REF}}"
|
||
KEY_ALGO="${KEY_ALGO:-unknown}"
|
||
KEY_ISSUER="${KEY_ISSUER:-unknown}"
|
||
|
||
# 4) Optional: resolve image digest (if not already known in CI)
|
||
IMAGE_DIGEST="${IMAGE_DIGEST:-}"
|
||
if [ -z "${IMAGE_DIGEST}" ]; then
|
||
IMAGE_DIGEST="$(cosign triangulate "${IMAGE_REF}")"
|
||
fi
|
||
|
||
# 5) Emit provenance sidecar
|
||
cat > "${OUT_META_JSON}" <<EOF
|
||
{
|
||
"subject": {
|
||
"imageRef": "${IMAGE_REF}",
|
||
"digest": {
|
||
"sha256": "${IMAGE_DIGEST}"
|
||
}
|
||
},
|
||
"attestation": {
|
||
"path": "${ATTEST_PATH}",
|
||
"envelopeDigest": "sha256:${ENVELOPE_SHA256}",
|
||
"payloadType": "application/vnd.in-toto+json"
|
||
},
|
||
"dsse": {
|
||
"envelopeDigest": "sha256:${ENVELOPE_SHA256}",
|
||
"payloadType": "application/vnd.in-toto+json",
|
||
"key": {
|
||
"keyId": "${KEY_ID}",
|
||
"issuer": "${KEY_ISSUER}",
|
||
"algo": "${KEY_ALGO}"
|
||
},
|
||
"rekor": {
|
||
"logIndex": ${LOG_INDEX},
|
||
"uuid": "${UUID}",
|
||
"integratedTime": ${INTEGRATED_TIME}
|
||
}
|
||
}
|
||
}
|
||
EOF
|
||
|
||
echo "Provenance metadata written to ${OUT_META_JSON}"
|