ScriptAutomate · September 8, 2024 17:39
diff --git a/sops.Dockerfile b/sops.Dockerfile
 FROM ubuntu:24.04
 ARG SLSA_VERIFIER_VERSION=2.6.0
 ARG COSIGN_VERSION=2.4.0
 ARG SOPS_VERSION=3.9.0

 # Prereqs for validation
 ## slsa-verifier
 ADD https://github.com/slsa-framework/slsa-verifier/releases/download/v${SLSA_VERIFIER_VERSION}/slsa-verifier-linux-amd64 /tmp/slsa-verifier-linux-amd64 
 ADD https://github.com/slsa-framework/slsa-verifier/releases/download/v${SLSA_VERIFIER_VERSION}/slsa-verifier-linux-amd64.intoto.jsonl /tmp/slsa-verifier-linux-amd64.intoto.jsonl
 ADD https://raw.githubusercontent.com/slsa-framework/slsa-verifier/main/SHA256SUM.md /tmp/slsa-SHA256SUM.md
 ## cosign
 ADD https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64 /tmp/cosign-linux-amd64
 ADD https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64-keyless.pem /tmp/cosign-linux-amd64-keyless.pem
 ADD https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64-keyless.sig /tmp/cosign-linux-amd64-keyless.sig 
 ADD https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign_checksums.txt /tmp/cosign_checksums.txt

 # sops
 ## Download the linux binary of sops
 ADD https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.amd64  /tmp/sops-v${SOPS_VERSION}.linux.amd64
 ## Download the checksums file, certificate and signature
 ADD https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.checksums.txt /tmp/sops-v${SOPS_VERSION}.checksums.txt
 ADD https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.checksums.pem /tmp/sops-v${SOPS_VERSION}.checksums.pem
 ADD https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.checksums.sig /tmp/sops-v${SOPS_VERSION}.checksums.sig
 ## Download the metadata file for verifying artifact provenance
 ADD https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.intoto.jsonl /tmp/sops-v${SOPS_VERSION}.intoto.jsonl

 # Ensure latest updates and required certs
 RUN apt update && apt upgrade -y && apt install ca-certificates -y

 # slsa-verifier
 ## Verify binary integrity
 RUN cd /tmp && cat slsa-SHA256SUM.md | grep ${SLSA_VERIFIER_VERSION} -A7 | sha256sum -c --strict --ignore-missing && chmod +x slsa-verifier-linux-amd64
 ## Verify artifact provenance
 RUN cd /tmp && ./slsa-verifier-linux-amd64 verify-artifact slsa-verifier-linux-amd64 --provenance-path slsa-verifier-linux-amd64.intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag v${SLSA_VERIFIER_VERSION}

 # cosign
 ## Prep for binary verification
 RUN cd /tmp && base64 -d cosign-linux-amd64-keyless.sig > cosign-release.sig.decoded && base64 -d cosign-linux-amd64-keyless.pem > cosign-release.pem.decoded
 ## Verify binary integrity
 RUN cd /tmp && sha256sum -c --strict cosign_checksums.txt --ignore-missing && chmod +x cosign-linux-amd64
 ## Verify binary via signature and cert
 RUN cd /tmp && ./cosign-linux-amd64 verify-blob cosign-linux-amd64 --certificate cosign-release.pem.decoded --signature cosign-release.sig.decoded --certificate-identity [email protected] --certificate-oidc-issuer https://accounts.google.com

 # sops
 ## Verify checksums file signature
 RUN cd /tmp && ./cosign-linux-amd64 verify-blob sops-v${SOPS_VERSION}.checksums.txt --certificate sops-v${SOPS_VERSION}.checksums.pem --signature sops-v${SOPS_VERSION}.checksums.sig --certificate-identity-regexp=https://github.com/getsops --certificate-oidc-issuer=https://token.actions.githubusercontent.com
 ## Verify binary integrity
 RUN cd /tmp && sha256sum -c --strict sops-v${SOPS_VERSION}.checksums.txt --ignore-missing
 ## Verify artifact provenance
 RUN cd /tmp && ./slsa-verifier-linux-amd64 verify-artifact sops-v${SOPS_VERSION}.linux.amd64 --provenance-path sops-v${SOPS_VERSION}.intoto.jsonl --source-uri github.com/getsops/sops --source-tag v${SOPS_VERSION}
 ## Install
 # RUN dpkg -i /tmp/sops_${SOPS_VERSION}_amd64.deb
 RUN cd /tmp && chmod +x sops-v${SOPS_VERSION}.linux.amd64 && mv sops-v${SOPS_VERSION}.linux.amd64 /usr/local/bin/sops

 # Cleanup
 RUN rm -rf /tmp/*

 ENTRYPOINT ["sops"]
	FROM ubuntu:24.04
	ARG SLSA_VERIFIER_VERSION=2.6.0
	ARG COSIGN_VERSION=2.4.0
	ARG SOPS_VERSION=3.9.0

	# Prereqs for validation
	## slsa-verifier
	ADD https://github.com/slsa-framework/slsa-verifier/releases/download/v${SLSA_VERIFIER_VERSION}/slsa-verifier-linux-amd64 /tmp/slsa-verifier-linux-amd64
	ADD https://github.com/slsa-framework/slsa-verifier/releases/download/v${SLSA_VERIFIER_VERSION}/slsa-verifier-linux-amd64.intoto.jsonl /tmp/slsa-verifier-linux-amd64.intoto.jsonl
	ADD https://raw.githubusercontent.com/slsa-framework/slsa-verifier/main/SHA256SUM.md /tmp/slsa-SHA256SUM.md
	## cosign
	ADD https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64 /tmp/cosign-linux-amd64
	ADD https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64-keyless.pem /tmp/cosign-linux-amd64-keyless.pem
	ADD https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64-keyless.sig /tmp/cosign-linux-amd64-keyless.sig
	ADD https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign_checksums.txt /tmp/cosign_checksums.txt

	# sops
	## Download the linux binary of sops
	ADD https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.amd64 /tmp/sops-v${SOPS_VERSION}.linux.amd64
	## Download the checksums file, certificate and signature
	ADD https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.checksums.txt /tmp/sops-v${SOPS_VERSION}.checksums.txt
	ADD https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.checksums.pem /tmp/sops-v${SOPS_VERSION}.checksums.pem
	ADD https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.checksums.sig /tmp/sops-v${SOPS_VERSION}.checksums.sig
	## Download the metadata file for verifying artifact provenance
	ADD https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.intoto.jsonl /tmp/sops-v${SOPS_VERSION}.intoto.jsonl

	# Ensure latest updates and required certs
	RUN apt update && apt upgrade -y && apt install ca-certificates -y

	# slsa-verifier
	## Verify binary integrity
	RUN cd /tmp && cat slsa-SHA256SUM.md \| grep ${SLSA_VERIFIER_VERSION} -A7 \| sha256sum -c --strict --ignore-missing && chmod +x slsa-verifier-linux-amd64
	## Verify artifact provenance
	RUN cd /tmp && ./slsa-verifier-linux-amd64 verify-artifact slsa-verifier-linux-amd64 --provenance-path slsa-verifier-linux-amd64.intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag v${SLSA_VERIFIER_VERSION}

	# cosign
	## Prep for binary verification
	RUN cd /tmp && base64 -d cosign-linux-amd64-keyless.sig > cosign-release.sig.decoded && base64 -d cosign-linux-amd64-keyless.pem > cosign-release.pem.decoded
	## Verify binary integrity
	RUN cd /tmp && sha256sum -c --strict cosign_checksums.txt --ignore-missing && chmod +x cosign-linux-amd64
	## Verify binary via signature and cert
	RUN cd /tmp && ./cosign-linux-amd64 verify-blob cosign-linux-amd64 --certificate cosign-release.pem.decoded --signature cosign-release.sig.decoded --certificate-identity [email protected] --certificate-oidc-issuer https://accounts.google.com

	# sops
	## Verify checksums file signature
	RUN cd /tmp && ./cosign-linux-amd64 verify-blob sops-v${SOPS_VERSION}.checksums.txt --certificate sops-v${SOPS_VERSION}.checksums.pem --signature sops-v${SOPS_VERSION}.checksums.sig --certificate-identity-regexp=https://github.com/getsops --certificate-oidc-issuer=https://token.actions.githubusercontent.com
	## Verify binary integrity
	RUN cd /tmp && sha256sum -c --strict sops-v${SOPS_VERSION}.checksums.txt --ignore-missing
	## Verify artifact provenance
	RUN cd /tmp && ./slsa-verifier-linux-amd64 verify-artifact sops-v${SOPS_VERSION}.linux.amd64 --provenance-path sops-v${SOPS_VERSION}.intoto.jsonl --source-uri github.com/getsops/sops --source-tag v${SOPS_VERSION}
	## Install
	# RUN dpkg -i /tmp/sops_${SOPS_VERSION}_amd64.deb
	RUN cd /tmp && chmod +x sops-v${SOPS_VERSION}.linux.amd64 && mv sops-v${SOPS_VERSION}.linux.amd64 /usr/local/bin/sops

	# Cleanup
	RUN rm -rf /tmp/*

	ENTRYPOINT ["sops"]