Merge pull request #841 from crazy-max/sigstore-multi-images

sigstore: multi image names support for signing

src/sigstore/sigstore.ts

@@ -34,7 +34,7 @@ import {MEDIATYPE_PAYLOAD as INTOTO_MEDIATYPE_PAYLOAD, Subject} from '../types/i
 import {FULCIO_URL, REKOR_URL, SEARCH_URL, TSASERVER_URL} from '../types/sigstore/sigstore';
 
 export interface SignAttestationManifestsOpts {
-  imageName: string;
+  imageNames: Array<string>;
   imageDigest: string;
   noTransparencyLog?: boolean;
 }
@@ -101,12 +101,13 @@ export class Sigstore {
       core.info(`Using Sigstore signing endpoint: ${endpoints.fulcioURL}`);
       const noTransparencyLog = Sigstore.noTransparencyLog(opts.noTransparencyLog);
 
-      const attestationDigests = await this.imageTools.attestationDigests(`${opts.imageName}@${opts.imageDigest}`);
+      for (const imageName of opts.imageNames) {
-      for (const attestationDigest of attestationDigests) {
+        const attestationDigests = await this.imageTools.attestationDigests(`${imageName}@${opts.imageDigest}`);
-        const attestationRef = `${opts.imageName}@${attestationDigest}`;
+        for (const attestationDigest of attestationDigests) {
-        await core.group(`Signing attestation manifest ${attestationRef}`, async () => {
+          const attestationRef = `${imageName}@${attestationDigest}`;
-          // prettier-ignore
+          await core.group(`Signing attestation manifest ${attestationRef}`, async () => {
-          const cosignArgs = [
+            // prettier-ignore
+            const cosignArgs = [
             '--verbose',
             'sign',
             '--yes',
@@ -115,38 +116,39 @@ export class Sigstore {
             '--new-bundle-format',
             '--use-signing-config'
           ];
-          if (noTransparencyLog) {
+            if (noTransparencyLog) {
-            cosignArgs.push('--tlog-upload=false');
+              cosignArgs.push('--tlog-upload=false');
-          }
-          core.info(`[command]cosign ${[...cosignArgs, attestationRef].join(' ')}`);
-          const execRes = await Exec.getExecOutput('cosign', [...cosignArgs, attestationRef], {
-            ignoreReturnCode: true,
-            silent: true,
-            env: Object.assign({}, process.env, {
-              COSIGN_EXPERIMENTAL: '1'
-            }) as {
-              [key: string]: string;
             }
+            core.info(`[command]cosign ${[...cosignArgs, attestationRef].join(' ')}`);
+            const execRes = await Exec.getExecOutput('cosign', [...cosignArgs, attestationRef], {
+              ignoreReturnCode: true,
+              silent: true,
+              env: Object.assign({}, process.env, {
+                COSIGN_EXPERIMENTAL: '1'
+              }) as {
+                [key: string]: string;
+              }
+            });
+            const signResult = Cosign.parseCommandOutput(execRes.stderr.trim());
+            if (execRes.exitCode != 0) {
+              if (signResult.errors && signResult.errors.length > 0) {
+                const errorMessages = signResult.errors.map(e => `- [${e.code}] ${e.message} : ${e.detail}`).join('\n');
+                throw new Error(`Cosign sign command failed with errors:\n${errorMessages}`);
+              } else {
+                throw new Error(`Cosign sign command failed with exit code ${execRes.exitCode}`);
+              }
+            }
+            const attest = Sigstore.toAttestation(bundleFromJSON(signResult.bundle));
+            if (attest.tlogID) {
+              core.info(`Uploaded to Rekor transparency log: ${SEARCH_URL}?logIndex=${attest.tlogID}`);
+            }
+            core.info(`Signature manifest pushed: https://oci.dag.dev/?referrers=${attestationRef}`);
+            result[attestationRef] = {
+              ...attest,
+              imageName: imageName
+            };
           });
-          const signResult = Cosign.parseCommandOutput(execRes.stderr.trim());
+        }
-          if (execRes.exitCode != 0) {
-            if (signResult.errors && signResult.errors.length > 0) {
-              const errorMessages = signResult.errors.map(e => `- [${e.code}] ${e.message} : ${e.detail}`).join('\n');
-              throw new Error(`Cosign sign command failed with errors:\n${errorMessages}`);
-            } else {
-              throw new Error(`Cosign sign command failed with exit code ${execRes.exitCode}`);
-            }
-          }
-          const attest = Sigstore.toAttestation(bundleFromJSON(signResult.bundle));
-          if (attest.tlogID) {
-            core.info(`Uploaded to Rekor transparency log: ${SEARCH_URL}?logIndex=${attest.tlogID}`);
-          }
-          core.info(`Signature manifest pushed: https://oci.dag.dev/?referrers=${attestationRef}`);
-          result[attestationRef] = {
-            ...attest,
-            imageName: opts.imageName
-          };
-        });
       }
     } catch (err) {
       throw new Error(`Signing BuildKit attestation manifests failed: ${(err as Error).message}`);

yarn.lock

@@ -1797,17 +1797,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@octokit/endpoint@npm:^9.0.0":
-  version: 9.0.0
-  resolution: "@octokit/endpoint@npm:9.0.0"
-  dependencies:
-    "@octokit/types": "npm:^11.0.0"
-    is-plain-object: "npm:^5.0.0"
-    universal-user-agent: "npm:^6.0.0"
-  checksum: 10/ec160fe1a0d5244ef380b1f4fce9586bcf82ee5f24f92f128aec898255eb148620f5622fcd0dc876678b0f84dc8e7210469108afc150c0080916b7c16fbfe49e
-  languageName: node
-  linkType: hard
-
 "@octokit/endpoint@npm:^9.0.6":
   version: 9.0.6
   resolution: "@octokit/endpoint@npm:9.0.6"
@@ -1940,18 +1929,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@octokit/request-error@npm:^5.0.0":
+"@octokit/request-error@npm:^5.0.0, @octokit/request-error@npm:^5.1.1":
-  version: 5.0.0
-  resolution: "@octokit/request-error@npm:5.0.0"
-  dependencies:
-    "@octokit/types": "npm:^11.0.0"
-    deprecation: "npm:^2.0.0"
-    once: "npm:^1.4.0"
-  checksum: 10/de7ed2934035650c67b619130c407c6eec7fc80c9c47c27131feaace76fa01c64e35338cb19d4b3838f5f53f3d174a5f0933e1dc7921b952411b0457b599dc71
-  languageName: node
-  linkType: hard
-
-"@octokit/request-error@npm:^5.1.1":
   version: 5.1.1
   resolution: "@octokit/request-error@npm:5.1.1"
   dependencies:
@@ -1962,20 +1940,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@octokit/request@npm:^8.0.1, @octokit/request@npm:^8.0.2":
+"@octokit/request@npm:^8.0.1, @octokit/request@npm:^8.0.2, @octokit/request@npm:^8.4.1":
-  version: 8.1.1
-  resolution: "@octokit/request@npm:8.1.1"
-  dependencies:
-    "@octokit/endpoint": "npm:^9.0.0"
-    "@octokit/request-error": "npm:^5.0.0"
-    "@octokit/types": "npm:^11.1.0"
-    is-plain-object: "npm:^5.0.0"
-    universal-user-agent: "npm:^6.0.0"
-  checksum: 10/62fd236ef88de3bc7ecb652414751eb3934f589727e938736cb1b76545384d6db225abeae12371a1d6017bff2ae82948bf529af6b746131bdb3a270bfb177ac1
-  languageName: node
-  linkType: hard
-
-"@octokit/request@npm:^8.4.1":
   version: 8.4.1
   resolution: "@octokit/request@npm:8.4.1"
   dependencies:
@@ -1987,7 +1952,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@octokit/types@npm:^11.0.0, @octokit/types@npm:^11.1.0":
+"@octokit/types@npm:^11.0.0":
   version: 11.1.0
   resolution: "@octokit/types@npm:11.1.0"
   dependencies:
@@ -6231,13 +6196,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"is-plain-object@npm:^5.0.0":
-  version: 5.0.0
-  resolution: "is-plain-object@npm:5.0.0"
-  checksum: 10/e32d27061eef62c0847d303125440a38660517e586f2f3db7c9d179ae5b6674ab0f469d519b2e25c147a1a3bc87156d0d5f4d8821e0ce4a9ee7fe1fcf11ce45c
-  languageName: node
-  linkType: hard
-
 "is-regex@npm:^1.1.4":
   version: 1.1.4
   resolution: "is-regex@npm:1.1.4"