diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ff7e006..1e43169 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -33,6 +33,7 @@ jobs: - name: Test run: go test -v ./... + # inspired by https://blog.ediri.io/build-trust-with-signing-your-cli-binary-and-container release: needs: build env: @@ -53,11 +54,12 @@ jobs: with: go-version: 1.16 - - uses: sigstore/cosign-installer@main + - name: Install Cosign + uses: sigstore/cosign-installer@main with: cosign-release: 'v1.0.0' - - name: install cosign private key + - name: Install Cosign private key run: 'echo "$COSIGN_KEY" > $COSIGN_KEY_LOCATION' shell: bash env: @@ -82,27 +84,3 @@ jobs: # run: | # echo -n "${{secrets.COSIGN_PASSWORD}}" | cosign sign -key $COSIGN_KEY_LOCATION ghcr.io/hslatman/mud-cli:${{ env.version }}-amd64 - - # only continue if the tag was pushed onto the main branch - # seems to not be working (currently) and is therefore commented out - # if: contains(github.ref, '/heads/main') - - # steps: - # - name: Install Go - # uses: actions/setup-go@v2 - # with: - # go-version: ${{ matrix.go-version }} - - # - name: Checkout code - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 # Note the fetch-depth: 0 option on the Checkout workflow step. It is required for the change log to work correctly. - - # - name: Run GoReleaser - # uses: goreleaser/goreleaser-action@56f5b77f7fa4a8fe068bf22b732ec036cc9bc13f # using commit hash instead of 'v2' because this uses the GITHUB_TOKEN, see https://julienrenaux.fr/2019/12/20/github-actions-security-risk/ - # with: - # version: latest - # args: release --rm-dist - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # GO_VERSION: ${{ matrix.go-version }} \ No newline at end of file diff --git a/.goreleaser.yml b/.goreleaser.yml index a050717..1bd7265 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
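Review bot: The renamed `Install Cosign` step still resolves `sigstore/cosign-installer@main`, a mutable branch ref, although the commit pins the cosign release itself with `cosign-release: 'v1.0.0'` and the commented-out block it deletes further down argues for pinning `goreleaser-action` to a commit hash for exactly this reason. The step that fetches the tool which signs the release binaries is the one place where a floating ref undermines the signing, so pin it, e.g. `uses: sigstore/cosign-installer@<commit-sha>  # <release tag>` (placeholders; take the SHA from the installer's release tag). The unchanged `Install Cosign private key` step writes `$COSIGN_KEY` to `$COSIGN_KEY_LOCATION` with the runner's default umask and, as far as this hunk shows, nothing removes the file afterwards; writing it with restrictive permissions and deleting it in a cleanup step that runs with `if: always()` would limit its exposure on the runner. The `release` job continues outside the hunk.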
@@ -19,7 +19,7 @@ builds:
 # Can be a path (e.g. `bin/app`) to wrap the binary in a directory.
 # Default is the name of the project directory.
 #binary: 'mud_{{.Tag}}_{{replace .Target "darwin" "macos"}}'
- binary: 'mud_{{replace .Target "darwin" "macos"}}'
+ binary: 'mud-{{ .Tag }}-{{ .Target }}'
 # Custom environment variables to be set during the builds.
 # Default is empty.
 env:
@@ -44,7 +44,7 @@ builds:
 hooks:
 post:
 #- upx "{{ .Path }}"
- - sh -c "cosign sign-blob -key $COSIGN_KEY_LOCATION {{ .Path }} > dist/{{ .ProjectName }}_{{ .Tag }}_{{ .Target }}.sig"
+ - sh -c "cosign sign-blob -key $COSIGN_KEY_LOCATION {{ .Path }} > dist/mud-{{ .Tag }}-{{ .Target }}.sig"
diff --git a/README.md b/README.md
index 2d7adc1..8fb45fe 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # mud-cli
-MUD CLI provides multiple utilities to work with [Manufacturer Usage Descriptions](https://datatracker.ietf.org/doc/rfc8520/) (RFC8520).
+`mud-cli` provides multiple utilities for working with [Manufacturer Usage Descriptions](https://datatracker.ietf.org/doc/rfc8520/) (RFC8520).
 ## Description
@@ -9,7 +9,7 @@ The access control policies described in a MUD file allow network controllers to
 ## Usage
-The mud-cli contains the following commands:
+`mud-cli` contains the following commands:
 * read - reads (and validates) a MUD file and prints the contents
 * validate - validates a MUD file
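Review bot: The new `binary: 'mud-{{ .Tag }}-{{ .Target }}'` embeds the tag and goreleaser's `.Target`, whereas the README example added in this same commit verifies `mud-darwin-amd64` against `mud-darwin-amd64.sig`, with neither a tag nor the `os_arch` form that `.Target` renders to on the goreleaser versions I know (e.g. `darwin_amd64`); one of the two should follow the other so the documented verify command works against a real release asset. If the tag is meant to stay in the file name, `binary: 'mud-{{ .Tag }}-{{ .Os }}-{{ .Arch }}'` with the same pattern in the sign hook's output path would at least match the dash-separated shape the README shows; otherwise drop the tag and update the README sample.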
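Review bot: The post hook `sh -c "cosign sign-blob -key $COSIGN_KEY_LOCATION {{ .Path }} > dist/mud-{{ .Tag }}-{{ .Target }}.sig"` writes the signature next to the binary, but as far as this file section shows nothing registers the `.sig` files as release artifacts, so the README's statement that signature files are on the Releases page depends on an `extra_files` entry under `release:` (or on goreleaser's native `signs:` section, if the version in use has it) that is outside this hunk; worth confirming. Separately, `{{ .Path }}` is interpolated unquoted into the shell command, so a build path containing whitespace would be split by `sh`; `'{{ .Path }}'` inside the double-quoted command avoids that. The trailing context lines of this hunk are not visible in the collapsed diff.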
@@ -36,17 +36,31 @@ Available Commands:
 view Provides a graphical view of a MUD file
 ```
+### Binary Verification
+
+`mud-cli` is signed using [Cosign](https://github.com/sigstore/cosign).
+This means that binaries can be verified as follows:
+
+```bash
+$ cosign verify-blob -key cosign.pub -signature mud-darwin-amd64.sig mud-darwin-amd64
+Verified OK
+```
+
+The public key (`cosign.pub`) is available in the repository.
+Signature files and binaries are available from the [Releases](https://github.com/hslatman/mud-cli/releases) page.
+
 ### MUD Visualizer
 This project embeds [MUD Visualizer](https://github.com/iot-onboarding/mud-visualizer) for visualization of MUD files.
 ## Things that can be done
-* Fix (most) TODOs ... :-)
 * Improve README.md
-* Add 'Use' texts to commands
-* Builds for other platforms (currently only Darwin, Docker would be great; might need some changes or guidance in terms of files)
+* Add 'Use' texts with examples to commands
+* Building a Docker image (including Cosign signing)
+* Optimizing the binary size (i.e. UPX)
 * Add tests
+* Fix (most, highest priority) TODOs ... :-)
 * Customize / improve the [MUD Visualizer](https://github.com/iot-onboarding/mud-visualizer)? It needs proper attribution, at least.
 * Add some more logging (with levels)
 * Replace calls to fmt with proper logging / output
@@ -54,4 +68,5 @@ This project embeds [MUD Visualizer](https://github.com/iot-onboarding/mud-visua
 * A command for generating MUD files (from pcap or some different way)
 * A command for editing MUD files (i.e. metadata)
 * A command that initializes a .mud directory inside user HOME, that is used for intermediate storage? If necessary, of course.
+* Allow setting a different location than the user home directory ...
\ No newline at end of file
diff --git a/internal/key.go b/internal/key.go
index 24569e1..33afcc4 100644
--- a/internal/key.go
+++ b/internal/key.go
@@ -48,7 +48,7 @@ func LoadOrCreateKeyAndChain(chainFilepath, keyFilepath string) ([]*x509.Certifi
 if !shouldContinue {
 return nil, nil, errors.New("no private key available nor created")
 }
- certBytes, keyBytes, err := generateKey()
+ certBytes, keyBytes, err := generateKey() // TODO: return cert and key directly instead of bytes
 if err != nil {
 return nil, nil, errors.Wrap(err, "error generating new private key")
 }