...
Script to Sign Helm Charts and Docker Images
Code Block |
---|
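#!/bin/bash
#
# Sign every Helm chart and container image listed in charts.src / images.src
# with a cosign key pair, then verify each signature against the public key
# straight away, so a wrong key or a failed registry write aborts the run
# instead of leaving unsigned or mis-signed artifacts behind.
#
# Usage: run from the directory that holds charts.src and images.src.
#
# Required environment (normally supplied by ~/cosign/env, see sample below):
#   OCI_REPO            registry host the artifacts live in, e.g. xxx.azurecr.io
#   COSIGN_PRIVATE_KEY  encrypted sigstore private key as PEM text (not a path)
#   COSIGN_PUBLIC_KEY   matching public key as PEM text
#   COSIGN_PASSWORD     passphrase for the private key; may be empty but must be
#                       set, otherwise cosign prompts interactively and hangs CI
# Optional:
#   OCI_REPO_USERNAME / OCI_REPO_PASSWORD
#                       registry credentials; when OCI_REPO_USERNAME is unset no
#                       credential flags are passed and cosign uses whatever the
#                       local docker/cosign config already holds
#
# Security notes:
#   * When OCI_REPO_USERNAME is set the registry password is passed to cosign on
#     its command line and is visible in `ps` output while cosign runs. On shared
#     hosts prefer `cosign login ... --password-stdin` beforehand and leave
#     OCI_REPO_USERNAME unset here.
#   * Never enable `set -x` in this script: it would print the private key text
#     and passwords into the log.
#   * `--yes` suppresses cosign's interactive confirmation prompts (in cosign 2.x
#     this includes the transparency-log upload consent); make sure that is the
#     intended policy for this key before running unattended.

# Source the optional env file. 'set -a' exports everything it defines so the
# cosign child processes see COSIGN_* and OCI_REPO_* in their environment.
if [[ -f ~/cosign/env ]]; then
  set -a
  # shellcheck disable=SC1090
  . ~/cosign/env
  set +a
fi

# Abort on the first failing command or pipeline stage (sign and verify both
# rely on this to stop the run).
set -eo pipefail

#************ SAMPLE ENV FILE (~/cosign/env) ************
#BUILD="22.0.1-4040670"
#SRE_BUILD="23.2.0-3610795"
#  (BUILD / SRE_BUILD are not read by this script; presumably images.src and
#   charts.src use them to build their lists - confirm against those files)
#OCI_REPO="xxx.azurecr.io"
#OCI_REPO_USERNAME=xxx
#OCI_REPO_PASSWORD="xxx"
#COSIGN_PRIVATE_KEY="-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----
#...
#-----END ENCRYPTED SIGSTORE PRIVATE KEY-----"
#COSIGN_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----
#...
#-----END PUBLIC KEY-----"
#export COSIGN_PASSWORD="xxx"      # use "" if the key has no passphrase
#********************************************************

# Fail fast with a clear message when a required setting is missing; without
# these checks cosign would either prompt for input or fail with a much less
# obvious error half-way through the list.
: "${OCI_REPO:?OCI_REPO must be set to the registry host}"
: "${COSIGN_PRIVATE_KEY:?COSIGN_PRIVATE_KEY must contain the signing key}"
: "${COSIGN_PUBLIC_KEY:?COSIGN_PUBLIC_KEY must contain the verification key}"
: "${COSIGN_PASSWORD?COSIGN_PASSWORD must be set (it may be empty)}"

# Tool check first, before any list is sourced. The exit status must be
# non-zero: a bare `exit` returns 0 and lets CI believe the artifacts were signed.
requiredBins=("cosign")
for bin in "${requiredBins[@]}"; do
  if ! command -v "${bin}" &>/dev/null; then
    echo "Required command ${bin} could not be found, please install and re-run" >&2
    exit 1
  fi
done

# Registry credential flags are only added when a username is configured, so a
# host that has already run `cosign login` / `docker login` can leave them unset.
registryArgs=()
if [[ -n "${OCI_REPO_USERNAME:-}" ]]; then
  registryArgs=(
    --registry-username="${OCI_REPO_USERNAME}"
    --registry-password="${OCI_REPO_PASSWORD:-}"
  )
fi

#######################################
# Sign one artifact with the private key taken from the environment.
# Globals:   OCI_REPO, COSIGN_PRIVATE_KEY, COSIGN_PASSWORD (read by cosign), registryArgs
# Arguments: $1 - repository path and tag below OCI_REPO, e.g. charts/foo:1.2.3
# Returns:   cosign's exit status; non-zero aborts the script under set -e
#######################################
signArtifact() {
  local ref="${OCI_REPO}/$1"
  cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${registryArgs[@]}" "${ref}"
}

#######################################
# Verify the signature just written with the public key from the environment.
# Stdout is discarded; only the exit status matters, and under set -e a failed
# verification stops the run so a mismatched key pair is caught immediately.
# Globals:   OCI_REPO, COSIGN_PUBLIC_KEY, registryArgs
# Arguments: $1 - repository path and tag below OCI_REPO
# Returns:   cosign's exit status
#######################################
verifyArtifact() {
  local ref="${OCI_REPO}/$1"
  cosign verify --key env://COSIGN_PUBLIC_KEY "${registryArgs[@]}" "${ref}" >/dev/null
}

# Artifact lists live next to the script: images.src sets `images`, charts.src
# sets `charts`. Each may be a whitespace-separated string or an array; the
# unquoted re-expansion below deliberately normalises both to an array.
# shellcheck disable=SC1091
source images.src
# shellcheck disable=SC1091
source charts.src
# shellcheck disable=SC2206
images=(${images[@]})
# shellcheck disable=SC2206
charts=(${charts[@]})

echo
echo "=================="
echo "SIGNING CHARTS"
echo "=================="
for chart in "${charts[@]}"; do
  # Entries are NAME:VERSION. Refuse an entry without a version rather than
  # signing a tag made of the chart name twice.
  if [[ "${chart}" != *:* ]]; then
    echo "Malformed chart entry '${chart}' (expected name:version)" >&2
    exit 1
  fi
  chartName=${chart%%:*}    # everything before the first ':'
  chartVersion=${chart##*:} # everything after the last ':'
  echo "ChartName: ${chartName}"
  echo "ChartVersion: ${chartVersion}"
  echo "------------------"
  signArtifact "charts/${chartName}:${chartVersion}"
  verifyArtifact "charts/${chartName}:${chartVersion}"
  echo "------------------"
done

echo
echo "=================="
echo "SIGNING IMAGES"
echo "=================="
for image in "${images[@]}"; do
  # Entries carry a leading registry/host segment; drop everything up to and
  # including the first '/' so the image is re-addressed under OCI_REPO.
  # An entry without any '/' is used as-is.
  imageNameAndVersion=${image#*/}
  if [[ "${imageNameAndVersion}" != *:* ]]; then
    echo "Malformed image entry '${image}' (expected [host/]name:tag)" >&2
    exit 1
  fi
  imageName=${imageNameAndVersion%%:*}    # before the first ':'
  imageVersion=${imageNameAndVersion##*:} # after the last ':'
  echo "Image Name: ${imageName}"
  echo "Image Version: ${imageVersion}"
  echo "------------------"
  signArtifact "${imageName}:${imageVersion}"
  verifyArtifact "${imageName}:${imageVersion}"
  echo "------------------"
done

echo ""
echo "DONE!"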
...