diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
index 337cab872..de9dd079b 100644
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -9,7 +9,7 @@ on:
 - aqua/imports/reviewdog.yaml
 jobs:
 actionlint:
- uses: suzuki-shunsuke/actionlint-workflow/.github/workflows/actionlint.yaml@b6a5f966d4504893b2aeb60cf2b0de8946e48504 # v0.5.0
+ uses: suzuki-shunsuke/actionlint-workflow/.github/workflows/actionlint.yaml@beaeeecc42b2645b4c8ecf9d9692fabb16a5eadd # v0.5.1
 with:
 aqua_version: v2.25.0
 aqua_policy_allow: true
diff --git a/.github/workflows/debug-with-action-tmate.yaml b/.github/workflows/debug-with-action-tmate.yaml
index ed3c9013f..228fc49d2 100644
--- a/.github/workflows/debug-with-action-tmate.yaml
+++ b/.github/workflows/debug-with-action-tmate.yaml
@@ -23,7 +23,7 @@ jobs:
 if: inputs.pr_number != ''
 env:
 GITHUB_TOKEN: ${{github.token}}
- - uses: aquaproj/aqua-installer@7c7338067bdb97d5bea2acc82b5870afca470d18 # v2.3.0
+ - uses: aquaproj/aqua-installer@fd2089d1f56724d6456f24d58605e6964deae124 # v2.3.2
 with:
 aqua_version: v2.25.0
 env:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index b1000628d..3f0f4f6ee 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -6,7 +6,7 @@ on:
 permissions: {}
 jobs:
 release:
- uses: suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml@dc7096a64b1f1f8426fe836000f291e8b37dae3a # v0.5.0
+ uses: suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml@054a40b66dd01c1fd552c915e31a5ecbfe801791 # v0.5.1
 with:
 homebrew: true
 go-version: 1.22.1
diff --git a/.github/workflows/wc-ghalint.yaml b/.github/workflows/wc-ghalint.yaml
index 291344349..f29a86153 100644
--- a/.github/workflows/wc-ghalint.yaml
+++ b/.github/workflows/wc-ghalint.yaml
@@ -10,7 +10,7 @@ jobs:
 permissions: {}
 steps:
 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- - uses: aquaproj/aqua-installer@7c7338067bdb97d5bea2acc82b5870afca470d18 # v2.3.0
+ - uses: aquaproj/aqua-installer@fd2089d1f56724d6456f24d58605e6964deae124 # v2.3.2
 with:
 aqua_version: v2.25.0
 env:
diff --git a/.github/workflows/wc-go-mod-tidy.yaml b/.github/workflows/wc-go-mod-tidy.yaml
index fa45cc182..ff784c2e4 100644
--- a/.github/workflows/wc-go-mod-tidy.yaml
+++ b/.github/workflows/wc-go-mod-tidy.yaml
@@ -9,7 +9,7 @@ on:
 required: true
 jobs:
 go-mod-tidy:
- uses: suzuki-shunsuke/go-mod-tidy-workflow/.github/workflows/go-mod-tidy.yaml@8facac38f5b2008648c14e31c632c3a709439b9c # v0.1.1
+ uses: suzuki-shunsuke/go-mod-tidy-workflow/.github/workflows/go-mod-tidy.yaml@a5c2fa84515541e6abd8d746d948e251400404a6 # v0.1.2
 with:
 go-version: 1.22.1
 aqua_version: v2.25.0
diff --git a/.github/workflows/wc-integration-test.yaml b/.github/workflows/wc-integration-test.yaml
index 0b9814689..b641cdd36 100644
--- a/.github/workflows/wc-integration-test.yaml
+++ b/.github/workflows/wc-integration-test.yaml
@@ -1,6 +1,9 @@
 ---
 name: integration-test
 on: workflow_call
+env:
+ AQUA_DISABLE_COSIGN: "true"
+ AQUA_DISABLE_SLSA: "true"
 jobs:
 integration-test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/wc-update-aqua-checksums.yaml b/.github/workflows/wc-update-aqua-checksums.yaml
index ce5fb1dd9..aea3edb7e 100644
--- a/.github/workflows/wc-update-aqua-checksums.yaml
+++ b/.github/workflows/wc-update-aqua-checksums.yaml
@@ -10,7 +10,7 @@ on:
 jobs:
 update-aqua-checksums:
 # Update aqua-checksums.json and push a commit
- uses: aquaproj/update-checksum-workflow/.github/workflows/update-checksum.yaml@3598c506108a2e0e9e31a0c6ef9c202c77049420 # v0.1.9
+ uses: aquaproj/update-checksum-workflow/.github/workflows/update-checksum.yaml@6b620c8ceb97e4ae8f256ea24056edc4d2524bd3 # v0.1.10
 permissions:
 contents: read
 with:
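Review bot: The two `env` entries added at the top of wc-integration-test.yaml switch off cosign and SLSA verification for every job and step of the workflow, so the cosign v2 code path this commit migrates to is no longer exercised by the integration test at all. The reason is not recorded in the file; if it is the sigstore network dependency or the changed v2 verify flags, say so inline, e.g. `env: # verification disabled because <REASON-PLACEHOLDER>; keep one job with it enabled`. Consider scoping the variables to the steps that need them, or keeping one job that runs with verification on, so a regression in pkg/cosign is still caught in CI rather than only by end users.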
diff --git a/.github/workflows/windows-test.yaml b/.github/workflows/windows-test.yaml
index a6c9afb43..dc8fc8932 100644
--- a/.github/workflows/windows-test.yaml
+++ b/.github/workflows/windows-test.yaml
@@ -34,7 +34,7 @@ jobs:
 env:
 GITHUB_TOKEN: ${{github.token}}
- - uses: aquaproj/aqua-installer@7c7338067bdb97d5bea2acc82b5870afca470d18 # v2.3.0
+ - uses: aquaproj/aqua-installer@fd2089d1f56724d6456f24d58605e6964deae124 # v2.3.2
 if: inputs.aqua_version != ''
 with:
 aqua_version: ${{inputs.aqua_version}}
@@ -121,7 +121,7 @@ jobs:
 env:
 GITHUB_TOKEN: ${{github.token}}
- - uses: aquaproj/aqua-installer@7c7338067bdb97d5bea2acc82b5870afca470d18 # v2.3.0
+ - uses: aquaproj/aqua-installer@fd2089d1f56724d6456f24d58605e6964deae124 # v2.3.2
 if: inputs.aqua_version != ''
 with:
 aqua_version: ${{inputs.aqua_version}}
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 01180b1a4..6e892dbeb 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -31,10 +31,9 @@ signs:
 signature: ${artifact}.sig
 certificate: ${artifact}.pem
 output: true
- env:
- - COSIGN_EXPERIMENTAL=1
 args:
 - sign-blob
+ - "-y"
 - --output-signature
 - ${signature}
 - --output-certificate
diff --git a/aqua/aqua-checksums.json b/aqua/aqua-checksums.json
index ca2cf8f36..aae47873d 100644
--- a/aqua/aqua-checksums.json
+++ b/aqua/aqua-checksums.json
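Review bot: The added `- "-y"` in the `sign-blob` args of .goreleaser.yml is the short form of cosign's `--yes`, which suppresses the interactive prompt about uploading the signature to the public transparency log; in a release config that is rarely revisited the long form reads better, e.g. `- --yes # non-interactive: accept the transparency-log upload (cosign v2)`. Dropping `COSIGN_EXPERIMENTAL=1` is consistent with cosign v2, where keyless signing is the default, so no replacement variable is needed. The remainder of the `signs` block lies outside the hunk.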
@@ -131,28 +131,28 @@
 "algorithm": "sha256"
 },
 {
- "id": "github_release/github.com/sigstore/cosign/v1.13.2/cosign-darwin-amd64",
- "checksum": "5A77CF6F5411AC8038F3DD2EB96E54E879026F6038A5D6A385DE2351E17F34EF",
+ "id": "github_release/github.com/sigstore/cosign/v2.2.3/cosign-darwin-amd64",
+ "checksum": "2429F4B027FC311A6324E9DB6FB3A937D559DC61DE906A1C2D0D1E0671685E4C",
 "algorithm": "sha256"
 },
 {
- "id": "github_release/github.com/sigstore/cosign/v1.13.2/cosign-darwin-arm64",
- "checksum": "68703D61A1E8006E4EBEF4222B82C1214DF446795FF39CD081CA5D59384A5A60",
+ "id": "github_release/github.com/sigstore/cosign/v2.2.3/cosign-darwin-arm64",
+ "checksum": "3D95AB46D4C4CC55E6465758C238DC03F830CC8A1FC38BC7A33BC203E0FB2C3B",
 "algorithm": "sha256"
 },
 {
- "id": "github_release/github.com/sigstore/cosign/v1.13.2/cosign-linux-amd64",
- "checksum": "9B0F52ABB2E6D79529F37646E524A35A409DC811D2CDEC7EF5BE2DC5130489C0",
+ "id": "github_release/github.com/sigstore/cosign/v2.2.3/cosign-linux-amd64",
+ "checksum": "F669F41176CB1D58BB6A3FDB06E24861540CFDB5A571B4EC5EB2218B0DF5D304",
 "algorithm": "sha256"
 },
 {
- "id": "github_release/github.com/sigstore/cosign/v1.13.2/cosign-linux-arm64",
- "checksum": "3C109B66788686DD81F3E445439215532A8BB3E14A54EFB6B65382B0E3578F5E",
+ "id": "github_release/github.com/sigstore/cosign/v2.2.3/cosign-linux-arm64",
+ "checksum": "B088D676F0C0123B8C348E18D421CF966020EDC4977A486115A12643DEA99A3F",
 "algorithm": "sha256"
 },
 {
- "id": "github_release/github.com/sigstore/cosign/v1.13.2/cosign-windows-amd64.exe",
- "checksum": "F16868B69C85BBA30CBAF023885398A2A258002BAABB0709CCE1D60491171765",
+ "id": "github_release/github.com/sigstore/cosign/v2.2.3/cosign-windows-amd64.exe",
+ "checksum": "F7F272D56C580B0EC96F59BFE9F88EC5F42B6E195DF009CE3417428E0E0DEAD1",
 "algorithm": "sha256"
 },
 {
diff --git a/aqua/imports/cosign.yaml b/aqua/imports/cosign.yaml
index f5d219c9f..0ae542cad 100644
--- a/aqua/imports/cosign.yaml
+++ b/aqua/imports/cosign.yaml
@@ -1,4 +1,2 @@
 packages:
- - name: sigstore/cosign@v1.13.2
- update:
- enabled: false
+ - name: sigstore/cosign@v2.2.3
diff --git a/pkg/config/cosign.go b/pkg/config/cosign.go
index a4faa9abd..27248a5fe 100644
--- a/pkg/config/cosign.go
+++ b/pkg/config/cosign.go
@@ -20,10 +20,9 @@ func (p *Package) RenderCosign(cos *registry.Cosign, rt *runtime.Runtime) (*regi
 }
 return ®istry.Cosign{
- CosignExperimental: cos.CosignExperimental,
- Signature: cos.Signature,
- Certificate: cos.Certificate,
- Key: cos.Key,
- Opts: opts,
+ Signature: cos.Signature,
+ Certificate: cos.Certificate,
+ Key: cos.Key,
+ Opts: opts,
 }, nil
 }
diff --git a/pkg/config/registry/cosign.go b/pkg/config/registry/cosign.go
index 558ff62da..a98e3eebe 100644
--- a/pkg/config/registry/cosign.go
+++ b/pkg/config/registry/cosign.go
@@ -8,12 +8,11 @@ import (
 )
 type Cosign struct {
- Enabled *bool `json:"enabled,omitempty"`
- CosignExperimental bool `yaml:"cosign_experimental" json:"cosign_experimental,omitempty"`
- Opts []string `json:"opts,omitempty"`
- Signature *DownloadedFile `json:"signature,omitempty"`
- Certificate *DownloadedFile `json:"certificate,omitempty"`
- Key *DownloadedFile `json:"key,omitempty"`
+ Enabled *bool `json:"enabled,omitempty"`
+ Opts []string `json:"opts,omitempty"`
+ Signature *DownloadedFile `json:"signature,omitempty"`
+ Certificate *DownloadedFile `json:"certificate,omitempty"`
+ Key *DownloadedFile `json:"key,omitempty"`
 }
 type DownloadedFile struct {
@@ -31,7 +30,7 @@ func (c *Cosign) GetEnabled() bool {
 if c.Enabled != nil {
 return *c.Enabled
 }
- return len(c.Opts) != 0 || c.Signature != nil || c.Certificate != nil || c.Key != nil || c.CosignExperimental
+ return len(c.Opts) != 0 || c.Signature != nil || c.Certificate != nil || c.Key != nil
 }
 func (c *Cosign) RenderOpts(rt *runtime.Runtime, art *template.Artifact) ([]string, error) {
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
index 58994d8c8..d59ee27c1 100644
--- a/pkg/cosign/verify.go
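Review bot: Removing `CosignExperimental` from `registry.Cosign` also drops the `cosign_experimental` YAML key; whether a registry that still sets it now fails to load or is silently ignored depends on the decoder's strictness, which is not visible here, and either outcome deserves a changelog line or a short deprecation comment on the struct so registry authors know the key is dead. `GetEnabled` in the second hunk has no doc comment; suggest `// GetEnabled reports whether cosign verification runs: an explicit Enabled wins, otherwise any of Opts, Signature, Certificate or Key being set enables it.`. The same field removal in pkg/config/cosign.go and verify_test.go needs no further note.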
+++ b/pkg/cosign/verify.go
@@ -55,6 +55,7 @@ func (v *Verifier) Verify(ctx context.Context, logE *logrus.Entry, rt *runtime.R
 logE.Debug("verification with cosign is disabled")
 return nil
 }
+
 opts, err := cos.RenderOpts(rt, art)
 if err != nil {
 return fmt.Errorf("render cosign options: %w", err)
@@ -118,14 +119,12 @@ func (v *Verifier) Verify(ctx context.Context, logE *logrus.Entry, rt *runtime.R
 }
 if err := v.verify(ctx, logE, &ParamVerify{
- Opts: opts,
- CosignExperimental: cos.CosignExperimental,
- Target: verifiedFilePath,
+ Opts: opts,
+ Target: verifiedFilePath,
 }); err != nil {
 return fmt.Errorf("verify a signature file with Cosign: %w", logerr.WithFields(err, logrus.Fields{
- "cosign_opts": strings.Join(opts, ", "),
- "cosign_experimental": cos.CosignExperimental,
- "target": verifiedFilePath,
+ "cosign_opts": strings.Join(opts, ", "),
+ "target": verifiedFilePath,
 }))
 }
 return nil
@@ -136,19 +135,18 @@ type Executor interface {
 }
 type ParamVerify struct {
- CosignExperimental bool
- Opts []string
- Target string
- CosignExePath string
+ Opts []string
+ Target string
+ CosignExePath string
 }
 var errVerify = errors.New("verify with Cosign")
-func (v *Verifier) exec(ctx context.Context, args, envs []string) (string, error) {
+func (v *Verifier) exec(ctx context.Context, args []string) (string, error) {
 // https://github.com/aquaproj/aqua/issues/1555
 mutex.Lock()
 defer mutex.Unlock()
- out, _, err := v.executor.ExecWithEnvsAndGetCombinedOutput(ctx, v.cosignExePath, args, envs)
+ out, _, err := v.executor.ExecWithEnvsAndGetCombinedOutput(ctx, v.cosignExePath, args, nil)
 return out, err //nolint:wrapcheck
 }
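Review bot: `exec` now passes `nil` as the env argument to `ExecWithEnvsAndGetCombinedOutput`, whereas the old code passed an empty non-nil slice whenever the experimental flag was off; if the executor assigns that slice to `exec.Cmd.Env` instead of appending to the inherited environment, nil and empty differ (nil inherits the process environment, an empty slice clears it), so confirm that cosign still sees HOME and any SIGSTORE_ or TUF-cache variables it relies on. A doc comment would also help: `// exec runs the pinned cosign binary with args and returns its combined output; calls are serialised by mutex (issue 1555) and no extra environment is passed.`. Separately, cosign v2 made `--certificate-identity` and `--certificate-oidc-issuer` mandatory for keyless `verify-blob`, so registry entries whose Opts were written for v1 under COSIGN_EXPERIMENTAL will fail verification until updated — presumably handled outside this diff, but a v2-style fixture in verify_test.go would pin it. `Verify`'s body in the two earlier hunks continues outside the hunk.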
@@ -166,14 +164,10 @@ func wait(ctx context.Context, logE *logrus.Entry, retryCount int) error {
 }
 func (v *Verifier) verify(ctx context.Context, logE *logrus.Entry, param *ParamVerify) error {
- envs := []string{}
- if param.CosignExperimental {
- envs = []string{"COSIGN_EXPERIMENTAL=1"}
- }
 args := append([]string{"verify-blob"}, append(param.Opts, param.Target)...)
 for i := 0; i < 5; i++ {
 // https://github.com/aquaproj/aqua/issues/1554
- if _, err := v.exec(ctx, args, envs); err == nil {
+ if _, err := v.exec(ctx, args); err == nil {
 return nil
 }
 if i == 4 { //nolint:gomnd
diff --git a/pkg/cosign/verify_test.go b/pkg/cosign/verify_test.go
index 538cda01d..82d7e94c4 100644
--- a/pkg/cosign/verify_test.go
+++ b/pkg/cosign/verify_test.go
@@ -57,7 +57,6 @@ func TestVerifier_Verify(t *testing.T) { //nolint:funlen
 RootDir: "/home/foo/.local/share/aquaproj-aqua",
 },
 cos: ®istry.Cosign{
- CosignExperimental: true,
 Opts: []string{
 "--signature",
 "https://github.com/aquaproj/aqua-installer/releases/download/{{.Version}}/aqua-installer.sig",
@@ -96,7 +95,6 @@ func TestVerifier_Verify(t *testing.T) { //nolint:funlen
 RootDir: "/home/foo/.local/share/aquaproj-aqua",
 },
 cos: ®istry.Cosign{
- CosignExperimental: true,
 Signature: ®istry.DownloadedFile{
 Type: "github_release",
 Asset: ptr.String("aqua-installer.sig"),
diff --git a/pkg/cosign/version.go b/pkg/cosign/version.go
index 408ffebb7..98c737cee 100644
--- a/pkg/cosign/version.go
+++ b/pkg/cosign/version.go
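Review bot: In `verify`, the surviving line `args := append([]string{"verify-blob"}, append(param.Opts, param.Target)...)` appends `param.Target` straight onto the caller's `param.Opts`; if that slice has spare capacity the target is written into the caller's backing array, a slice-aliasing hazard that is harmless for the current caller but easy to trip later now that the function has been reshaped. Building a fresh slice avoids it: `args := make([]string, 0, len(param.Opts)+2)`, `args = append(args, "verify-blob")`, `args = append(append(args, param.Opts...), param.Target)`. The retry loop and the function's tail continue outside the hunk.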
@@ -1,13 +1,13 @@
 package cosign
-const Version = "v1.13.2"
+const Version = "v2.2.3"
 func Checksums() map[string]string {
 return map[string]string{
- "darwin/amd64": "5A77CF6F5411AC8038F3DD2EB96E54E879026F6038A5D6A385DE2351E17F34EF",
- "darwin/arm64": "68703D61A1E8006E4EBEF4222B82C1214DF446795FF39CD081CA5D59384A5A60",
- "linux/amd64": "9B0F52ABB2E6D79529F37646E524A35A409DC811D2CDEC7EF5BE2DC5130489C0",
- "linux/arm64": "3C109B66788686DD81F3E445439215532A8BB3E14A54EFB6B65382B0E3578F5E",
- "windows/amd64": "F16868B69C85BBA30CBAF023885398A2A258002BAABB0709CCE1D60491171765",
+ "darwin/amd64": "2429F4B027FC311A6324E9DB6FB3A937D559DC61DE906A1C2D0D1E0671685E4C",
+ "darwin/arm64": "3D95AB46D4C4CC55E6465758C238DC03F830CC8A1FC38BC7A33BC203E0FB2C3B",
+ "linux/amd64": "F669F41176CB1D58BB6A3FDB06E24861540CFDB5A571B4EC5EB2218B0DF5D304",
+ "linux/arm64": "B088D676F0C0123B8C348E18D421CF966020EDC4977A486115A12643DEA99A3F",
+ "windows/amd64": "F7F272D56C580B0EC96F59BFE9F88EC5F42B6E195DF009CE3417428E0E0DEAD1",
 }
 }