From a1a712fbf24fa984c82645b807c30d950069726c Mon Sep 17 00:00:00 2001
From: Gregor Zeitlinger
Date: Tue, 8 Apr 2025 17:39:01 +0200
Subject: [PATCH 1/2] verify signatures

---
 .gitignore | 1 +
 docker/Dockerfile | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/.gitignore b/.gitignore
index ba7cc1fd..5543587e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,4 +9,5 @@ venv/
 .env
 opentelemetry-javaagent*.jar
 grafana-opentelemetry*.jar
+build/
 
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 6f43a414..f0f739aa 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -27,36 +27,57 @@ ARG OPENTELEMETRY_COLLECTOR_VERSION
 ARG TARGETARCH
 ENV TARGETARCH=${TARGETARCH}
 
+# renovate: datasource=github-releases depName=cosign packageName=sigstore/cosign
+ARG COSIGN_VERSION=v2.5.0
+
+RUN bash -c 'curl -O -L https://github.com/sigstore/cosign/releases/latest/download/cosign-"${COSIGN_VERSION:1}"-1.x86_64.rpm && \
+ yum install -y cosign-"${COSIGN_VERSION:1}"-1.x86_64.rpm'
+
 # hadolint ignore=DL3033
 RUN yum install -y unzip dos2unix jq procps
 
 RUN bash -c 'ARCHIVE=grafana-"${GRAFANA_VERSION:1}".linux-"${TARGETARCH}".tar.gz && \
 curl -sOL https://dl.grafana.com/oss/release/"${ARCHIVE}" && \
+ echo "$(curl -sL https://grafana.com/api/downloads/grafana/versions/\"${GRAFANA_VERSION:1}\"/packages/\"${TARGETARCH}\"/linux -H \"accept: application/json\" | jq -r \".sha256\") ${ARCHIVE}" | echo && \
 tar xfz "${ARCHIVE}" && \
 rm "${ARCHIVE}" && \
 mv grafana-"${GRAFANA_VERSION}" grafana/'
 
 RUN bash -c 'ARCHIVE=prometheus-"${PROMETHEUS_VERSION:1}".linux-"${TARGETARCH}" && \
+ curl -sOL https://github.com/prometheus/prometheus/releases/download/"${PROMETHEUS_VERSION}"/sha256sums.txt && \
 curl -sOL https://github.com/prometheus/prometheus/releases/download/"${PROMETHEUS_VERSION}"/"${ARCHIVE}".tar.gz && \
+ sha256sum -c sha256sums.txt --ignore-missing && \
 tar xfz "${ARCHIVE}".tar.gz && \
 mv "${ARCHIVE}" prometheus && \
 rm "${ARCHIVE}".tar.gz'
 
 RUN bash -c 'ARCHIVE=tempo_"${TEMPO_VERSION:1}"_linux_"${TARGETARCH}".tar.gz && \
+ curl -sOL https://github.com/grafana/tempo/releases/download/"${TEMPO_VERSION}"/SHA256SUMS && \
 curl -sOL https://github.com/grafana/tempo/releases/download/"${TEMPO_VERSION}"/"${ARCHIVE}" && \
+ sha256sum -c SHA256SUMS --ignore-missing && \
 mkdir tempo && \
 tar xfz "${ARCHIVE}" -C tempo/ && \
 rm "${ARCHIVE}"'
 
 RUN bash -c 'ARCHIVE=loki-linux-"${TARGETARCH}".zip && \
+ curl -sOL https://github.com/grafana/loki/releases/download/"${LOKI_VERSION}"/SHA256SUMS && \
 curl -sOL https://github.com/grafana/loki/releases/download/"${LOKI_VERSION}"/"${ARCHIVE}" && \
+ sha256sum -c SHA256SUMS --ignore-missing && \
 mkdir loki && \
 unzip "${ARCHIVE}" -d loki/ && \
 rm "${ARCHIVE}" && \
 mv loki/loki-linux-"${TARGETARCH}" loki/loki'
 
 RUN bash -c 'ARCHIVE=otelcol-contrib_"${OPENTELEMETRY_COLLECTOR_VERSION:1}"_linux_"${TARGETARCH}".tar.gz && \
+ curl -sOL https://github.com/open-telemetry/opentelemetry-collector-releases/releases/download/"${OPENTELEMETRY_COLLECTOR_VERSION}"/"${ARCHIVE}".sig && \
+ curl -sOL https://github.com/open-telemetry/opentelemetry-collector-releases/releases/download/"${OPENTELEMETRY_COLLECTOR_VERSION}"/"${ARCHIVE}".pem && \
 curl -sOL https://github.com/open-telemetry/opentelemetry-collector-releases/releases/download/"${OPENTELEMETRY_COLLECTOR_VERSION}"/"${ARCHIVE}" && \
+ cosign verify-blob \
+ --certificate-identity-regexp github.com/open-telemetry/opentelemetry-collector-releases \
+ --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+ --certificate "${ARCHIVE}".pem \
+ --signature "${ARCHIVE}".sig \
+ "${ARCHIVE}" && \
 mkdir otelcol-contrib && \
 tar xfz "${ARCHIVE}" -C otelcol-contrib/ && \
 rm "${ARCHIVE}"'

From 37b906bcc6a97db10e3979c97bd72e5be74efcae Mon Sep 17 00:00:00 2001
From: Gregor Zeitlinger
Date: Wed, 9 Apr 2025 13:37:58 +0200
Subject: [PATCH 2/2] verify signatures

---
 docker/Dockerfile | 11 ++++-------
 docker/download-grafana.sh | 13 +++++++++++++
 2 files changed, 17 insertions(+), 7 deletions(-)
 create mode 100755 docker/download-grafana.sh

diff --git a/docker/Dockerfile b/docker/Dockerfile
index f0f739aa..a48d108e 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
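Review bot: The `--certificate-identity-regexp github.com/open-telemetry/opentelemetry-collector-releases` on the new `cosign verify-blob` call is unanchored, so a certificate whose SAN merely contains that substring passes: any workflow in that repository running on any branch or pull request, or a sibling repository in the same org whose name starts with that string, can mint an accepted signature for a tampered tarball. Anchor it to the release workflow identity and a tag ref, e.g. `--certificate-identity-regexp '^https://github\.com/open-telemetry/opentelemetry-collector-releases/\.github/workflows/[^@]+@refs/tags/v'`, after confirming the exact SAN in the shipped `.pem` (`openssl x509 -in "${ARCHIVE}".pem -noout -ext subjectAltName`). The `sha256sum -c … --ignore-missing` checks added for Prometheus, Tempo and Loki fetch the digest list from the same GitHub release as the tarball, so they catch corruption or a swapped asset but not a compromised release; a one-line comment such as `# same-origin checksum: integrity only, not authenticity` would keep readers from treating them as equivalent to the cosign check. None of the `curl -sOL` downloads pass `-f`, so an HTTP error page is saved under the artifact name and the failure only surfaces, with a misleading message, at the checksum or signature step.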
@@ -30,18 +30,15 @@ ENV TARGETARCH=${TARGETARCH}
 # renovate: datasource=github-releases depName=cosign packageName=sigstore/cosign
 ARG COSIGN_VERSION=v2.5.0
 
-RUN bash -c 'curl -O -L https://github.com/sigstore/cosign/releases/latest/download/cosign-"${COSIGN_VERSION:1}"-1.x86_64.rpm && \
+RUN bash -c 'cd /tmp && \
+ curl -O -L https://github.com/sigstore/cosign/releases/latest/download/cosign-"${COSIGN_VERSION:1}"-1.x86_64.rpm && \
 yum install -y cosign-"${COSIGN_VERSION:1}"-1.x86_64.rpm'
 
 # hadolint ignore=DL3033
 RUN yum install -y unzip dos2unix jq procps
 
-RUN bash -c 'ARCHIVE=grafana-"${GRAFANA_VERSION:1}".linux-"${TARGETARCH}".tar.gz && \
- curl -sOL https://dl.grafana.com/oss/release/"${ARCHIVE}" && \
- echo "$(curl -sL https://grafana.com/api/downloads/grafana/versions/\"${GRAFANA_VERSION:1}\"/packages/\"${TARGETARCH}\"/linux -H \"accept: application/json\" | jq -r \".sha256\") ${ARCHIVE}" | echo && \
- tar xfz "${ARCHIVE}" && \
- rm "${ARCHIVE}" && \
- mv grafana-"${GRAFANA_VERSION}" grafana/'
+COPY download-grafana.sh /tmp
+RUN /tmp/download-grafana.sh
 
 RUN bash -c 'ARCHIVE=prometheus-"${PROMETHEUS_VERSION:1}".linux-"${TARGETARCH}" && \
 curl -sOL https://github.com/prometheus/prometheus/releases/download/"${PROMETHEUS_VERSION}"/sha256sums.txt && \
diff --git a/docker/download-grafana.sh b/docker/download-grafana.sh
new file mode 100755
index 00000000..41856863
--- /dev/null
+++ b/docker/download-grafana.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# too complicated to have as inline script in dockerfile
+
+ARCHIVE=grafana-"${GRAFANA_VERSION:1}".linux-"${TARGETARCH}".tar.gz
+curl -sOL https://dl.grafana.com/oss/release/"${ARCHIVE}"
+CHECKSUM_URL=https://grafana.com/api/downloads/grafana/versions/"${GRAFANA_VERSION:1}"/packages/"${TARGETARCH}"/linux
+echo "$(curl -sL "${CHECKSUM_URL}" -H 'accept: application/json' | jq -r '.sha256') ${ARCHIVE}" | sha256sum -c
+tar xfz "${ARCHIVE}"
+rm "${ARCHIVE}"
+mv grafana-"${GRAFANA_VERSION}" grafana/
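Review bot: The cosign rpm that every later verification step depends on is the one download in this file with no integrity check at all, and the reworked `RUN` keeps fetching it from `releases/latest/download/` rather than the `${COSIGN_VERSION}` tag, with `x86_64` hardcoded while the rest of the file keys on `${TARGETARCH}` — so the URL stops resolving as soon as `latest` moves past v2.5.0, and `yum install` fails on a non-amd64 build. Pin the URL to the tagged release, pull the release's `cosign_checksums.txt` and run `sha256sum -c --ignore-missing` before installing, map `${TARGETARCH}` to the rpm architecture, and delete the rpm in the same layer (the `cd /tmp` added here otherwise leaves it in the image). That still trusts the GitHub release as the bootstrap origin; pinning the rpm's sha256 in the Dockerfile beside `COSIGN_VERSION` would close that gap. Confirm against the release assets that the checksum file lists the rpm packages and that the aarch64 rpm name follows the same pattern.
```dockerfile
RUN bash -c 'cd /tmp && \
    case "${TARGETARCH}" in amd64) RPM_ARCH=x86_64 ;; arm64) RPM_ARCH=aarch64 ;; *) echo "unsupported arch ${TARGETARCH}" >&2; exit 1 ;; esac && \
    RPM=cosign-"${COSIGN_VERSION:1}"-1."${RPM_ARCH}".rpm && \
    curl -fsSLO https://github.com/sigstore/cosign/releases/download/"${COSIGN_VERSION}"/"${RPM}" && \
    curl -fsSLO https://github.com/sigstore/cosign/releases/download/"${COSIGN_VERSION}"/cosign_checksums.txt && \
    sha256sum -c cosign_checksums.txt --ignore-missing && \
    yum install -y "${RPM}" && \
    rm -f "${RPM}" cosign_checksums.txt'
```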
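Review bot: In `download-grafana.sh` the `echo "$(curl … | jq -r '.sha256') ${ARCHIVE}" | sha256sum -c` line hides the real failure: `set -euo pipefail` does not apply to a command substitution used as an argument, so an unreachable API or a missing `sha256` field yields an empty or `null` digest and the script dies with sha256sum's "no properly formatted checksum lines found" instead of naming the cause (it does still fail closed). Capture the digest first and let jq reject null, `SHA256=$(curl -fsSL "${CHECKSUM_URL}" -H 'accept: application/json' | jq -er '.sha256')` followed by `echo "${SHA256}  ${ARCHIVE}" | sha256sum -c`, and add `-f` to the tarball `curl -sOL` so an HTTP error page is not saved as the archive. The header comment only says why the script exists; it should also state its contract, e.g. `# Requires GRAFANA_VERSION (vX.Y.Z) and TARGETARCH in the environment; downloads the OSS tarball into the current directory, verifies it against the grafana.com API digest, and extracts it to ./grafana`. The script is copied to `/tmp` and left in the final layer; a `rm /tmp/download-grafana.sh` in the same `RUN`, or a build stage, would keep it out of the image.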