Merge pull request #466 from securesign/add-fips-check

JasonPowr · web-flow · commit a2a664e88a49 · 2025-11-28T09:16:37.000Z
Add fips check
diff --git a/.tekton/client-server-pull-request.yaml b/.tekton/client-server-pull-request.yaml
@@ -33,6 +33,8 @@ spec:
     value: "true"
   - name: build-source-image
     value: "true"
+  - name: fips-check
+    value: "true"
   pipelineRef:
     params:
     - name: url
diff --git a/.tekton/client-server-push.yaml b/.tekton/client-server-push.yaml
@@ -30,6 +30,8 @@ spec:
     value: "true"
   - name: build-source-image
     value: "true"
+  - name: fips-check
+    value: "true"
   pipelineRef:
     params:
     - name: url
diff --git a/.tekton/cosign-pull-request.yaml b/.tekton/cosign-pull-request.yaml
@@ -41,14 +41,22 @@ spec:
     value: "true"
   - name: go_unit_test
     value: "true"
+  - name: build-platforms
+    value:
+      - linux/x86_64
+      - linux/arm64
+      - linux/ppc64le
+      - linux/s390x
+  - name: fips-check
+    value: "true"
   pipelineRef:
     params:
     - name: url
       value: https://github.com/securesign/pipelines.git
     - name: revision
       value: main
     - name: pathInRepo
-      value: pipelines/docker-build-oci-ta.yaml
+      value: pipelines/docker-build-multi-platform-oci-ta.yaml
     resolver: git
   taskRunSpecs:
   - pipelineTaskName: run-unit-test
diff --git a/.tekton/cosign-push.yaml b/.tekton/cosign-push.yaml
@@ -38,14 +38,22 @@ spec:
     value: "true"
   - name: go_unit_test
     value: "true"
+  - name: build-platforms
+    value:
+      - linux/x86_64
+      - linux/arm64
+      - linux/ppc64le
+      - linux/s390x
+  - name: fips-check
+    value: "true"
   pipelineRef:
     params:
     - name: url
       value: https://github.com/securesign/pipelines.git
     - name: revision
       value: main
     - name: pathInRepo
-      value: pipelines/docker-build-oci-ta.yaml
+      value: pipelines/docker-build-multi-platform-oci-ta.yaml
     resolver: git
   taskRunSpecs:
   - pipelineTaskName: run-unit-test
diff --git a/Build.mak b/Build.mak
@@ -1,4 +1,3 @@
-
 GIT_VERSION ?= $(shell git describe --tags --always --dirty)
 GIT_HASH ?= $(shell git rev-parse HEAD)
 DATE_FMT = +%Y-%m-%dT%H:%M:%SZ
@@ -18,34 +17,19 @@ LDFLAGS=-buildid= -X sigs.k8s.io/release-utils/version.gitVersion=$(GIT_VERSION)
         -X sigs.k8s.io/release-utils/version.gitCommit=$(GIT_HASH) \
         -X sigs.k8s.io/release-utils/version.gitTreeState=$(GIT_TREESTATE) \
         -X sigs.k8s.io/release-utils/version.buildDate=$(BUILD_DATE)
+FIPS_MODULE ?= latest
 
 .PHONY:
-cross-platform: cosign-darwin-arm64 cosign-darwin-amd64 cosign-linux-amd64 cosign-linux-arm64 cosign-linux-ppc64le cosign-linux-s390x cosign-windows-amd64 ## Build all distributable (cross-platform) binaries
+cross-platform: cosign-darwin-arm64 cosign-darwin-amd64 cosign-windows-amd64 ## Build all distributable (cross-platform) binaries
 
 .PHONY:	cosign-darwin-arm64
 cosign-darwin-arm64: ## Build for mac M1
-	env CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -o cosign-darwin-arm64 -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
+	env CGO_ENABLED=0 GOFIPS140=$(FIPS_MODULE)  GOOS=darwin GOARCH=arm64 go build -o cosign-darwin-arm64 -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
 
 .PHONY: cosign-darwin-amd64
 cosign-darwin-amd64:  ## Build for Darwin (macOS)
-	env CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -o cosign-darwin-amd64 -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
-
-.PHONY: cosign-linux-amd64
-cosign-linux-amd64: ## Build for Linux amd64
-	env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o cosign-linux-amd64 -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
-
-.PHONY: cosign-linux-arm64
-cosign-linux-arm64: ## Build for Linux arm64
-	env CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o cosign-linux-arm64 -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
-
-.PHONY: cosign-linux-ppc64le
-cosign-linux-ppc64le: ## Build for Linux ppc64le
-	env CGO_ENABLED=0 GOOS=linux GOARCH=ppc64le go build -o cosign-linux-ppc64le -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
-
-.PHONY: cosign-linux-s390x
-cosign-linux-s390x:  ## Build for Linux s390x
-	env CGO_ENABLED=0 GOOS=linux GOARCH=s390x go build -o cosign-linux-s390x -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
+	env CGO_ENABLED=0 GOFIPS140=$(FIPS_MODULE)  GOOS=darwin GOARCH=amd64 go build -o cosign-darwin-amd64 -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
 
 .PHONY: cosign-windows-amd64
 cosign-windows-amd64: ## Build for Windows
-	env CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -o cosign-windows-amd64.exe -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
+	env CGO_ENABLED=0 GOFIPS140=$(FIPS_MODULE)  GOOS=windows GOARCH=amd64 go build -o cosign-windows-amd64.exe -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
diff --git a/Dockerfile.cosign.rh b/Dockerfile.cosign.rh
@@ -1,6 +1,5 @@
 # Build stage
-
-FROM registry.redhat.io/ubi9/go-toolset:9.7@sha256:380d6de9bbc5a42ca13d425be99958fb397317664bb8a00e49d464e62cc8566c AS build-env
+FROM registry.redhat.io/ubi9/go-toolset:9.7 AS build-env
 
 ENV GOEXPERIMENT=strictfipsruntime
 ENV CGO_ENABLED=1
@@ -14,12 +13,14 @@ RUN git config --global --add safe.directory /cosign && \
     export GIT_HASH=$(git rev-parse HEAD) && \
     export BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') && \
     go mod vendor && \
+    GIT_TREESTATE=clean && \
+    LDFLAGS="-X sigs.k8s.io/release-utils/version.gitVersion=${GIT_VERSION} \
+                -X sigs.k8s.io/release-utils/version.gitCommit=${GIT_HASH} \
+                -X sigs.k8s.io/release-utils/version.gitTreeState=${GIT_TREESTATE} \
+                -X sigs.k8s.io/release-utils/version.buildDate=${BUILD_DATE}"; \
+    go build -o cosign-linux -trimpath -ldflags "${LDFLAGS} -w -s" ./cmd/cosign && \
+    gzip -k cosign-linux && \
     make -f Build.mak cross-platform && \
-    cp cosign-linux-amd64 cosign && \
-    gzip cosign-linux-amd64 && \
-    gzip cosign-linux-ppc64le && \
-    gzip cosign-linux-s390x && \
-    gzip cosign-linux-arm64 && \
     gzip cosign-darwin-amd64 && \
     gzip cosign-darwin-arm64 && \
     gzip cosign-windows-amd64.exe && \
@@ -36,27 +37,20 @@ LABEL summary="Provides the cosign CLI binary for signing and verifying containe
 LABEL com.redhat.component="cosign"
 LABEL name="rhtas/cosign-rhel9"
 
+COPY --from=build-env /cosign/cosign-linux /usr/local/bin/cosign
+COPY --from=build-env /cosign/cosign-linux.gz /usr/local/bin/cosign.gz
 COPY --from=build-env /cosign/cosign-darwin-amd64.gz /usr/local/bin/cosign-darwin-amd64.gz
 COPY --from=build-env /cosign/cosign-windows-amd64.exe.gz /usr/local/bin/cosign-windows-amd64.exe.gz
 COPY --from=build-env /cosign/cosign-darwin-arm64.gz /usr/local/bin/cosign-darwin-arm64.gz
-COPY --from=build-env /cosign/cosign-linux-arm64.gz /usr/local/bin/cosign-linux-arm64.gz
-COPY --from=build-env /cosign/cosign-linux-ppc64le.gz /usr/local/bin/cosign-linux-ppc64le.gz
-COPY --from=build-env /cosign/cosign-linux-s390x.gz /usr/local/bin/cosign-linux-s390x.gz
-COPY --from=build-env /cosign/cosign-linux-amd64.gz /usr/local/bin/cosign-linux-amd64.gz
-COPY --from=build-env /cosign/cosign /usr/local/bin/cosign
 COPY LICENSE /licenses/license.txt
 
-RUN chown root:0 /usr/local/bin/cosign && \
-    chmod g+wx /usr/local/bin/cosign && \
+RUN chown root:0 /usr/local/bin/cosign && chmod g+wx /usr/local/bin/cosign && \
+    chown root:0 /usr/local/bin/cosign.gz && chmod g+wx /usr/local/bin/cosign.gz && \
     chown root:0 /usr/local/bin/cosign-darwin-amd64.gz && chmod g+wx /usr/local/bin/cosign-darwin-amd64.gz && \
     chown root:0 /usr/local/bin/cosign-darwin-arm64.gz && chmod g+wx /usr/local/bin/cosign-darwin-arm64.gz && \
-    chown root:0 /usr/local/bin/cosign-windows-amd64.exe.gz && chmod g+wx /usr/local/bin/cosign-windows-amd64.exe.gz && \
-    chown root:0 /usr/local/bin/cosign-linux-arm64.gz && chmod g+wx /usr/local/bin/cosign-linux-arm64.gz && \
-    chown root:0 /usr/local/bin/cosign-linux-amd64.gz && chmod g+wx /usr/local/bin/cosign-linux-amd64.gz && \
-    chown root:0 /usr/local/bin/cosign-linux-ppc64le.gz && chmod g+wx /usr/local/bin/cosign-linux-ppc64le.gz && \
-    chown root:0 /usr/local/bin/cosign-linux-s390x.gz && chmod g+wx /usr/local/bin/cosign-linux-s390x.gz
+    chown root:0 /usr/local/bin/cosign-windows-amd64.exe.gz && chmod g+wx /usr/local/bin/cosign-windows-amd64.exe.gz
 
-##Configure home directory
+# Configure home directory
 ENV HOME=/home
 RUN chgrp -R 0 /${HOME} && chmod -R g=u /${HOME}
 
