Add support for signing with Sigstore

Fixes: https://github.com/redhat-actions/push-to-registry/issues/89
2025-02-23 10:31:22 +01:00 · 2023-11-24 15:53:18 +01:00 · 2023-11-24 15:53:18 +01:00 · 23b2687cd6
commit 23b2687cd6
parent 1d13b5ac9b
4 changed files with 72 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -32,6 +32,8 @@ Refer to the [`podman push`](http://docs.podman.io/en/latest/markdown/podman-man
 | password | Password, encrypted password, or access token to use to log in to the registry. Required unless already logged in to the registry. | None
 | tls-verify | Verify TLS certificates when contacting the registry. Set to `false` to skip certificate verification. | `true`
 | digestfile | After copying the image, write the digest of the resulting image to the file. The contents of this file are the digest output. | Auto-generated from image and tag
+| sigstore-private-key | Sigstore private key to use to sign container images | None
+| sign-passphrase | Passphrase to unlock the Sigstore private key | None
 | extra-args | Extra args to be passed to podman push. Separate arguments by newline. Do not use quotes. | None

 <a id="image-tag-inputs"></a>
--- a/action.yml
+++ b/action.yml
@ -33,6 +33,12 @@ inputs:
      By default, the filename will be determined from the image and tag.
      The contents of this file are the digest output.
    required: false
+  sigstore-private-key:
+    description: 'Sigstore private key to use to sign container images'
+    required: false
+  sign-passphrase:
+    description: 'Passphrase to unlock the Sigstore private key'
+    required: false
  extra-args:
    description: |
      Extra args to be passed to podman push.
--- a/src/generated/inputs-outputs.ts
+++ b/src/generated/inputs-outputs.ts
@ -52,6 +52,18 @@ export enum Inputs {
     * Default: None.
     */
    USERNAME = "username",
+    /**
+     * Sigstore private key to use to sign container images
+     * Required: false
+     * Default: None.
+     */
+    SIGSTORE_PRIVATE_KEY = "sigstore-private-key",
+    /**
+     * Passphrase to unlock the Sigstore private key
+     * Required: false
+     * Default: None.
+     */
+    SIGN_PASSPHRASE = "sign-passphrase",
 }

 export enum Outputs {
--- a/src/index.ts
+++ b/src/index.ts
@ -209,6 +209,33 @@ async function run(): Promise<void> {
        }
    }

+    const sigstorePrivateKey = core.getInput(Inputs.SIGSTORE_PRIVATE_KEY);
+    const sigstorePrivateKeyFile = path.join(process.env.RUNNER_TEMP || "", "sigstore_private_key");
+    if (sigstorePrivateKey) {
+        // Write sigstore private key to a temporary file in $RUNNER_TEMP that
+        // will be removed after the image is pushed.
+        try {
+            await fs.promises.writeFile(sigstorePrivateKeyFile, sigstorePrivateKey);
+        }
+        catch (err) {
+            throw new Error(`Could not write sigstore private key to temporary file `
+                + `"${sigstorePrivateKeyFile}": ${err}`);
+        }
+    }
+    const signPassphrase = core.getInput(Inputs.SIGN_PASSPHRASE);
+    const signPassphraseFile = path.join(process.env.RUNNER_TEMP || "", "sign_passphrase");
+    if (signPassphrase || sigstorePrivateKey) {
+        // Write passphrase (empty string if not provided) to a temporary file
+        // in $RUNNER_TEMP that will be removed after the image is pushed.
+        try {
+            await fs.promises.writeFile(signPassphraseFile, signPassphrase || "");
+        }
+        catch (err) {
+            throw new Error(`Could not write sign passphrase to temporary file `
+                + `"${signPassphraseFile}": ${err}`);
+        }
+    }
+
    let pushMsg = `⏳ Pushing "${sourceImages.join(", ")}" to "${destinationImages.join(", ")}" respectively`;
    if (username) {
        pushMsg += ` as "${username}"`;
@ -269,11 +296,36 @@ async function run(): Promise<void> {
            args.push(`--creds=${creds}`);
        }

+        if (sigstorePrivateKey) {
+            args.push("--sign-by-sigstore-private-key");
+            args.push(sigstorePrivateKeyFile);
+        }
+
+        if (signPassphrase || sigstorePrivateKey) {
+            args.push("--sign-passphrase-file");
+            args.push(signPassphraseFile);
+        }
+
        await execute(await getPodmanPath(), args);
        core.info(`✅ Successfully pushed "${sourceImages[i]}" to "${destinationImages[i]}"`);

        registryPathList.push(destinationImages[i]);

+        try {
+            await fs.promises.unlink(sigstorePrivateKeyFile);
+        }
+        catch (err) {
+            core.warning(`Failed to remove temporary file used to store sigstore private key `
+                + `"${sigstorePrivateKeyFile}": ${err}`);
+        }
+        try {
+            await fs.promises.unlink(signPassphraseFile);
+        }
+        catch (err) {
+            core.warning(`Failed to remove temporary file used to store sign passphrase `
+                + `"${signPassphraseFile}": ${err}`);
+        }
+
        try {
            const digest = (await fs.promises.readFile(digestFile)).toString();
            core.info(digest);