Improve signing workflow and README.md

hslatman · Aug 13, 2021 · 8c8a5ec · 8c8a5ec
1 parent e2437ee
commit 8c8a5ec
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 34 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -33,6 +33,7 @@ jobs:
     - name: Test
       run: go test -v ./...
 
+  # inspired by https://blog.ediri.io/build-trust-with-signing-your-cli-binary-and-container
   release:
     needs: build
     env:
@@ -53,11 +54,12 @@ jobs:
         with:
           go-version: 1.16
 
-      - uses: sigstore/cosign-installer@main
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
         with:
           cosign-release: 'v1.0.0'
 
-      - name: install cosign private key
+      - name: Install Cosign private key
         run: 'echo "$COSIGN_KEY" > $COSIGN_KEY_LOCATION'
         shell: bash
         env:
@@ -82,27 +84,3 @@ jobs:
       #   run: |
       #     echo -n "${{secrets.COSIGN_PASSWORD}}" | cosign sign -key $COSIGN_KEY_LOCATION ghcr.io/hslatman/mud-cli:${{ env.version }}-amd64
 
-
-    # only continue if the tag was pushed onto the main branch
-    # seems to not be working (currently) and is therefore commented out
-    # if: contains(github.ref, '/heads/main')
-
-    # steps:
-    # - name: Install Go
-    #   uses: actions/setup-go@v2
-    #   with:
-    #     go-version: ${{ matrix.go-version }}
-
-    # - name: Checkout code
-    #   uses: actions/checkout@v2
-    #   with:
-    #     fetch-depth: 0 # Note the fetch-depth: 0 option on the Checkout workflow step. It is required for the change log to work correctly.
-
-    # - name: Run GoReleaser
-    #   uses: goreleaser/goreleaser-action@56f5b77f7fa4a8fe068bf22b732ec036cc9bc13f # using commit hash instead of 'v2' because this uses the GITHUB_TOKEN, see https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
-    #   with:
-    #     version: latest
-    #     args: release --rm-dist
-    #   env:
-    #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    #     GO_VERSION: ${{ matrix.go-version }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -19,7 +19,7 @@ builds:
     # Can be a path (e.g. `bin/app`) to wrap the binary in a directory.
     # Default is the name of the project directory.
     #binary: 'mud_{{.Tag}}_{{replace .Target "darwin" "macos"}}'
-    binary: 'mud_{{replace .Target "darwin" "macos"}}'
+    binary: 'mud-{{ .Tag }}-{{ .Target }}'
     # Custom environment variables to be set during the builds.
     # Default is empty.
     env:
@@ -44,7 +44,7 @@ builds:
     hooks:
       post:
         #- upx "{{ .Path }}"
-        - sh -c "cosign sign-blob -key $COSIGN_KEY_LOCATION {{ .Path }} > dist/{{ .ProjectName }}_{{ .Tag }}_{{ .Target }}.sig"
+        - sh -c "cosign sign-blob -key $COSIGN_KEY_LOCATION {{ .Path }} > dist/mud-{{ .Tag }}-{{ .Target }}.sig"
 
 
 

diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # mud-cli
 
-MUD CLI provides multiple utilities to work with [Manufacturer Usage Descriptions](https://datatracker.ietf.org/doc/rfc8520/) (RFC8520).
+`mud-cli` provides multiple utilities for working with [Manufacturer Usage Descriptions](https://datatracker.ietf.org/doc/rfc8520/) (RFC8520).
 
 ## Description
 
@@ -9,7 +9,7 @@ The access control policies described in a MUD file allow network controllers to
 
 ## Usage
 
-The mud-cli contains the following commands:
+`mud-cli` contains the following commands:
 
 * read - reads (and validates) a MUD file and prints the contents
 * validate - validates a MUD file
@@ -36,22 +36,37 @@ Available Commands:
   view        Provides a graphical view of a MUD file
 ```
 
+### Binary Verification
+
+`mud-cli` is signed using [Cosign](https://github.com/sigstore/cosign).
+This means that binaries can be verified as follows:
+
+```bash
+$ cosign verify-blob -key cosign.pub -signature mud-darwin-amd64.sig mud-darwin-amd64
+Verified OK
+```
+
+The public key (`cosign.pub`) is available in the repository. 
+Signature files and binaries are available from the [Releases](https://github.com/hslatman/mud-cli/releases) page.
+
 ### MUD Visualizer
 
 This project embeds [MUD Visualizer](https://github.com/iot-onboarding/mud-visualizer) for visualization of MUD files.
 
 ## Things that can be done
 
-* Fix (most) TODOs ... :-)
 * Improve README.md
-* Add 'Use' texts to commands
-* Builds for other platforms (currently only Darwin, Docker would be great; might need some changes or guidance in terms of files)
+* Add 'Use' texts with examples to commands
+* Building a Docker image (including Cosign signing)
+* Optimizing the binary size (i.e. UPX)
 * Add tests
+* Fix (most, highest priority) TODOs ... :-)
 * Customize / improve the [MUD Visualizer](https://github.com/iot-onboarding/mud-visualizer)? It needs proper attribution, at least.
 * Add some more logging (with levels)
 * Replace calls to fmt with proper logging / output
 * Allow the tool to be chained (i.e. use STDIN/STDOUT, pipes, etc.)
 * A command for generating MUD files (from pcap or some different way)
 * A command for editing MUD files (i.e. metadata)
 * A command that initializes a .mud directory inside user HOME, that is used for intermediate storage? If necessary, of course.
+* Allow setting a different location than the user home directory
 ...
diff --git a/internal/key.go b/internal/key.go
@@ -48,7 +48,7 @@ func LoadOrCreateKeyAndChain(chainFilepath, keyFilepath string) ([]*x509.Certifi
 		if !shouldContinue {
 			return nil, nil, errors.New("no private key available nor created")
 		}
-		certBytes, keyBytes, err := generateKey()
+		certBytes, keyBytes, err := generateKey() // TODO: return cert and key directly instead of bytes
 		if err != nil {
 			return nil, nil, errors.Wrap(err, "error generating new private key")
 		}