Cosign support (home-assistant#95236)

tdelaux · Jun 26, 2023 · c75e831 · c75e831
1 parent 45ff9d8
commit c75e831
Show file tree

Hide file tree

Showing 3 changed files with 85 additions and 78 deletions.
diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
@@ -48,18 +48,6 @@ jobs:
         with:
           ignore-dev: true
 
-      - name: Generate meta info
-        shell: bash
-        run: |
-          echo "${{ github.sha }};${{ github.ref }};${{ github.event_name }};${{ github.actor }}" > OFFICIAL_IMAGE
-
-      - name: Signing meta info file
-        uses: home-assistant/actions/helpers/codenotary@master
-        with:
-          source: file://${{ github.workspace }}/OFFICIAL_IMAGE
-          asset: OFFICIAL_IMAGE-${{ steps.version.outputs.version }}
-          token: ${{ secrets.CAS_TOKEN }}
-
   build_python:
     name: Build PyPi package
     environment: ${{ needs.init.outputs.channel }}
@@ -101,6 +89,10 @@ jobs:
     if: github.repository_owner == 'home-assistant'
     needs: init
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     strategy:
       matrix:
         arch: ${{ fromJson(needs.init.outputs.architectures) }}
@@ -197,12 +189,6 @@ jobs:
         run: |
           echo "${{ github.sha }};${{ github.ref }};${{ github.event_name }};${{ github.actor }}" > rootfs/OFFICIAL_IMAGE
 
-      - name: Login to DockerHub
-        uses: docker/[email protected]
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
       - name: Login to GitHub Container Registry
         uses: docker/[email protected]
         with:
@@ -216,6 +202,7 @@ jobs:
           args: |
             $BUILD_ARGS \
             --${{ matrix.arch }} \
+            --cosign \
             --target /data \
             --generic ${{ needs.init.outputs.version }}
         env:
@@ -237,6 +224,10 @@ jobs:
     if: github.repository_owner == 'home-assistant'
     needs: ["init", "build_base"]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     strategy:
       matrix:
         machine:
@@ -275,12 +266,6 @@ jobs:
             echo "BUILD_ARGS=--additional-tag stable" >> $GITHUB_ENV
           fi
 
-      - name: Login to DockerHub
-        uses: docker/[email protected]
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
       - name: Login to GitHub Container Registry
         uses: docker/[email protected]
         with:
@@ -294,6 +279,7 @@ jobs:
           args: |
             $BUILD_ARGS \
             --target /data/machine \
+            --cosign \
             --machine "${{ needs.init.outputs.version }}=${{ matrix.machine }}"
         env:
           CAS_API_KEY: ${{ secrets.CAS_TOKEN }}
@@ -338,34 +324,28 @@ jobs:
     if: github.repository_owner == 'home-assistant'
     needs: ["init", "build_base"]
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        registry:
-          - "ghcr.io/home-assistant"
-          - "homeassistant"
     steps:
       - name: Checkout the repository
         uses: actions/[email protected]
 
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: "v2.0.2"
+
       - name: Login to DockerHub
-        if: matrix.registry == 'homeassistant'
         uses: docker/[email protected]
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Login to GitHub Container Registry
-        if: matrix.registry == 'ghcr.io/home-assistant'
         uses: docker/[email protected]
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Install CAS tools
-        uses: home-assistant/actions/helpers/cas@master
-
       - name: Build Meta Image
         shell: bash
         run: |
@@ -375,55 +355,78 @@ jobs:
             local tag_l=${1}
             local tag_r=${2}
 
-            docker manifest create "${{ matrix.registry }}/home-assistant:${tag_l}" \
-              "${{ matrix.registry }}/amd64-homeassistant:${tag_r}" \
-              "${{ matrix.registry }}/i386-homeassistant:${tag_r}" \
-              "${{ matrix.registry }}/armhf-homeassistant:${tag_r}" \
-              "${{ matrix.registry }}/armv7-homeassistant:${tag_r}" \
-              "${{ matrix.registry }}/aarch64-homeassistant:${tag_r}"
+            for registry in "ghcr.io/home-assistant" "docker.io/homeassistant"
+            do
+
+              docker manifest create "${registry}/home-assistant:${tag_l}" \
+                "${registry}/amd64-homeassistant:${tag_r}" \
+                "${registry}/i386-homeassistant:${tag_r}" \
+                "${registry}/armhf-homeassistant:${tag_r}" \
+                "${registry}/armv7-homeassistant:${tag_r}" \
+                "${registry}/aarch64-homeassistant:${tag_r}"
 
-            docker manifest annotate "${{ matrix.registry }}/home-assistant:${tag_l}" \
-              "${{ matrix.registry }}/amd64-homeassistant:${tag_r}" \
-              --os linux --arch amd64
+              docker manifest annotate "${registry}/home-assistant:${tag_l}" \
+                "${registry}/amd64-homeassistant:${tag_r}" \
+                --os linux --arch amd64
 
-            docker manifest annotate "${{ matrix.registry }}/home-assistant:${tag_l}" \
-              "${{ matrix.registry }}/i386-homeassistant:${tag_r}" \
-              --os linux --arch 386
+              docker manifest annotate "${registry}/home-assistant:${tag_l}" \
+                "${registry}/i386-homeassistant:${tag_r}" \
+                --os linux --arch 386
 
-            docker manifest annotate "${{ matrix.registry }}/home-assistant:${tag_l}" \
-              "${{ matrix.registry }}/armhf-homeassistant:${tag_r}" \
-              --os linux --arch arm --variant=v6
+              docker manifest annotate "${registry}/home-assistant:${tag_l}" \
+                "${registry}/armhf-homeassistant:${tag_r}" \
+                --os linux --arch arm --variant=v6
 
-            docker manifest annotate "${{ matrix.registry }}/home-assistant:${tag_l}" \
-              "${{ matrix.registry }}/armv7-homeassistant:${tag_r}" \
-              --os linux --arch arm --variant=v7
+              docker manifest annotate "${registry}/home-assistant:${tag_l}" \
+                "${registry}/armv7-homeassistant:${tag_r}" \
+                --os linux --arch arm --variant=v7
 
-            docker manifest annotate "${{ matrix.registry }}/home-assistant:${tag_l}" \
-              "${{ matrix.registry }}/aarch64-homeassistant:${tag_r}" \
-              --os linux --arch arm64 --variant=v8
+              docker manifest annotate "${registry}/home-assistant:${tag_l}" \
+                "${registry}/aarch64-homeassistant:${tag_r}" \
+                --os linux --arch arm64 --variant=v8
 
-            docker manifest push --purge "${{ matrix.registry }}/home-assistant:${tag_l}"
+              docker manifest push --purge "${registry}/home-assistant:${tag_l}"
+              cosign sign --yes "${registry}/home-assistant:${tag_l}"
+
+            done
           }
 
           function validate_image() {
             local image=${1}
-            if ! cas authenticate --signerID notary@home-assistant.io "docker://${image}"; then
+            if ! cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp https://github.com/home-assistant/core/.* "${image}"; then
               echo "Invalid signature!"
               exit 1
             fi
           }
 
-          docker pull "${{ matrix.registry }}/amd64-homeassistant:${{ needs.init.outputs.version }}"
-          docker pull "${{ matrix.registry }}/i386-homeassistant:${{ needs.init.outputs.version }}"
-          docker pull "${{ matrix.registry }}/armhf-homeassistant:${{ needs.init.outputs.version }}"
-          docker pull "${{ matrix.registry }}/armv7-homeassistant:${{ needs.init.outputs.version }}"
-          docker pull "${{ matrix.registry }}/aarch64-homeassistant:${{ needs.init.outputs.version }}"
-
-          validate_image "${{ matrix.registry }}/amd64-homeassistant:${{ needs.init.outputs.version }}"
-          validate_image "${{ matrix.registry }}/i386-homeassistant:${{ needs.init.outputs.version }}"
-          validate_image "${{ matrix.registry }}/armhf-homeassistant:${{ needs.init.outputs.version }}"
-          validate_image "${{ matrix.registry }}/armv7-homeassistant:${{ needs.init.outputs.version }}"
-          validate_image "${{ matrix.registry }}/aarch64-homeassistant:${{ needs.init.outputs.version }}"
+          function push_dockerhub() {
+            local image=${1}
+            local tag=${2}
+
+            docker tag "ghcr.io/home-assistant/${image}:${tag}" "docker.io/homeassistant/${image}:${tag}"
+            docker push "docker.io/homeassistant/${image}:${tag}"
+            cosign sign --yes "docker.io/homeassistant/${image}:${tag}"
+          }
+
+          # Pull images from github container registry and verify signature
+          docker pull "ghcr.io/home-assistant/amd64-homeassistant:${{ needs.init.outputs.version }}"
+          docker pull "ghcr.io/home-assistant/i386-homeassistant:${{ needs.init.outputs.version }}"
+          docker pull "ghcr.io/home-assistant/armhf-homeassistant:${{ needs.init.outputs.version }}"
+          docker pull "ghcr.io/home-assistant/armv7-homeassistant:${{ needs.init.outputs.version }}"
+          docker pull "ghcr.io/home-assistant/aarch64-homeassistant:${{ needs.init.outputs.version }}"
+
+          validate_image "ghcr.io/home-assistant/amd64-homeassistant:${{ needs.init.outputs.version }}"
+          validate_image "ghcr.io/home-assistant/i386-homeassistant:${{ needs.init.outputs.version }}"
+          validate_image "ghcr.io/home-assistant/armhf-homeassistant:${{ needs.init.outputs.version }}"
+          validate_image "ghcr.io/home-assistant/armv7-homeassistant:${{ needs.init.outputs.version }}"
+          validate_image "ghcr.io/home-assistant/aarch64-homeassistant:${{ needs.init.outputs.version }}"
+
+          # Upload images to dockerhub
+          push_dockerhub "amd64-homeassistant" "${{ needs.init.outputs.version }}"
+          push_dockerhub "i386-homeassistant" "${{ needs.init.outputs.version }}"
+          push_dockerhub "armhf-homeassistant" "${{ needs.init.outputs.version }}"
+          push_dockerhub "armv7-homeassistant" "${{ needs.init.outputs.version }}"
+          push_dockerhub "aarch64-homeassistant" "${{ needs.init.outputs.version }}"
 
           # Create version tag
           create_manifest "${{ needs.init.outputs.version }}" "${{ needs.init.outputs.version }}"

diff --git a/build.yaml b/build.yaml
@@ -1,14 +1,16 @@
-image: homeassistant/{arch}-homeassistant
-shadow_repository: ghcr.io/home-assistant
+image: ghcr.io/home-assistant/{arch}-homeassistant
 build_from:
-  aarch64: ghcr.io/home-assistant/aarch64-homeassistant-base:2023.06.0
-  armhf: ghcr.io/home-assistant/armhf-homeassistant-base:2023.06.0
-  armv7: ghcr.io/home-assistant/armv7-homeassistant-base:2023.06.0
-  amd64: ghcr.io/home-assistant/amd64-homeassistant-base:2023.06.0
-  i386: ghcr.io/home-assistant/i386-homeassistant-base:2023.06.0
+  aarch64: ghcr.io/home-assistant/aarch64-homeassistant-base:2023.06.1
+  armhf: ghcr.io/home-assistant/armhf-homeassistant-base:2023.06.1
+  armv7: ghcr.io/home-assistant/armv7-homeassistant-base:2023.06.1
+  amd64: ghcr.io/home-assistant/amd64-homeassistant-base:2023.06.1
+  i386: ghcr.io/home-assistant/i386-homeassistant-base:2023.06.1
 codenotary:
   signer: [email protected]
   base_image: [email protected]
+cosign:
+  base_identity: https://github.com/home-assistant/docker/.*
+  identity: https://github.com/home-assistant/core/.*
 labels:
   io.hass.type: core
   org.opencontainers.image.title: Home Assistant

diff --git a/machine/build.yaml b/machine/build.yaml
@@ -1,5 +1,4 @@
-image: homeassistant/{machine}-homeassistant
-shadow_repository: ghcr.io/home-assistant
+image: ghcr.io/home-assistant/{machine}-homeassistant
 build_from:
   aarch64: "ghcr.io/home-assistant/aarch64-homeassistant:"
   armv7: "ghcr.io/home-assistant/armv7-homeassistant:"
@@ -9,6 +8,9 @@ build_from:
 codenotary:
   signer: [email protected]
   base_image: [email protected]
+cosign:
+  base_identity: https://github.com/home-assistant/core/.*
+  identity: https://github.com/home-assistant/core/.*
 labels:
   io.hass.type: core
   org.opencontainers.image.source: https://github.com/home-assistant/core