Add support for signing with Sigstore

travier · travier · commit 23b2687cd6c9 · 2025-02-14T11:18:45.000+01:00
Fixes: redhat-actions#89
diff --git a/README.md b/README.md
@@ -32,6 +32,8 @@ Refer to the [`podman push`](http://docs.podman.io/en/latest/markdown/podman-man
 | password | Password, encrypted password, or access token to use to log in to the registry. Required unless already logged in to the registry. | None
 | tls-verify | Verify TLS certificates when contacting the registry. Set to `false` to skip certificate verification. | `true`
 | digestfile | After copying the image, write the digest of the resulting image to the file. The contents of this file are the digest output. | Auto-generated from image and tag
+| sigstore-private-key | Sigstore private key to use to sign container images | None
+| sign-passphrase | Passphrase to unlock the Sigstore private key | None
 | extra-args | Extra args to be passed to podman push. Separate arguments by newline. Do not use quotes. | None
 
 <a id="image-tag-inputs"></a>
diff --git a/action.yml b/action.yml
@@ -33,6 +33,12 @@ inputs:
       By default, the filename will be determined from the image and tag.
       The contents of this file are the digest output.
     required: false
+  sigstore-private-key:
+    description: 'Sigstore private key to use to sign container images'
+    required: false
+  sign-passphrase:
+    description: 'Passphrase to unlock the Sigstore private key'
+    required: false
   extra-args:
     description: |
       Extra args to be passed to podman push.
diff --git a/src/generated/inputs-outputs.ts b/src/generated/inputs-outputs.ts
@@ -52,6 +52,18 @@ export enum Inputs {
      * Default: None.
      */
     USERNAME = "username",
+    /**
+     * Sigstore private key to use to sign container images
+     * Required: false
+     * Default: None.
+     */
+    SIGSTORE_PRIVATE_KEY = "sigstore-private-key",
+    /**
+     * Passphrase to unlock the Sigstore private key
+     * Required: false
+     * Default: None.
+     */
+    SIGN_PASSPHRASE = "sign-passphrase",
 }
 
 export enum Outputs {
diff --git a/src/index.ts b/src/index.ts
@@ -209,6 +209,33 @@ async function run(): Promise<void> {
         }
     }
 
+    const sigstorePrivateKey = core.getInput(Inputs.SIGSTORE_PRIVATE_KEY);
+    const sigstorePrivateKeyFile = path.join(process.env.RUNNER_TEMP || "", "sigstore_private_key");
+    if (sigstorePrivateKey) {
+        // Write sigstore private key to a temporary file in $RUNNER_TEMP that
+        // will be removed after the image is pushed.
+        try {
+            await fs.promises.writeFile(sigstorePrivateKeyFile, sigstorePrivateKey);
+        }
+        catch (err) {
+            throw new Error(`Could not write sigstore private key to temporary file `
+                + `"${sigstorePrivateKeyFile}": ${err}`);
+        }
+    }
+    const signPassphrase = core.getInput(Inputs.SIGN_PASSPHRASE);
+    const signPassphraseFile = path.join(process.env.RUNNER_TEMP || "", "sign_passphrase");
+    if (signPassphrase || sigstorePrivateKey) {
+        // Write passphrase (empty string if not provided) to a temporary file
+        // in $RUNNER_TEMP that will be removed after the image is pushed.
+        try {
+            await fs.promises.writeFile(signPassphraseFile, signPassphrase || "");
+        }
+        catch (err) {
+            throw new Error(`Could not write sign passphrase to temporary file `
+                + `"${signPassphraseFile}": ${err}`);
+        }
+    }
+
     let pushMsg = `⏳ Pushing "${sourceImages.join(", ")}" to "${destinationImages.join(", ")}" respectively`;
     if (username) {
         pushMsg += ` as "${username}"`;
@@ -269,11 +296,36 @@ async function run(): Promise<void> {
             args.push(`--creds=${creds}`);
         }
 
+        if (sigstorePrivateKey) {
+            args.push("--sign-by-sigstore-private-key");
+            args.push(sigstorePrivateKeyFile);
+        }
+
+        if (signPassphrase || sigstorePrivateKey) {
+            args.push("--sign-passphrase-file");
+            args.push(signPassphraseFile);
+        }
+
         await execute(await getPodmanPath(), args);
         core.info(`✅ Successfully pushed "${sourceImages[i]}" to "${destinationImages[i]}"`);
 
         registryPathList.push(destinationImages[i]);
 
+        try {
+            await fs.promises.unlink(sigstorePrivateKeyFile);
+        }
+        catch (err) {
+            core.warning(`Failed to remove temporary file used to store sigstore private key `
+                + `"${sigstorePrivateKeyFile}": ${err}`);
+        }
+        try {
+            await fs.promises.unlink(signPassphraseFile);
+        }
+        catch (err) {
+            core.warning(`Failed to remove temporary file used to store sign passphrase `
+                + `"${signPassphraseFile}": ${err}`);
+        }
+
         try {
             const digest = (await fs.promises.readFile(digestFile)).toString();
             core.info(digest);
