Add tlog's for slsa and sbom as well

Signed-off-by: Jeroen Knoops <jeroen.knoops@philips.com>
philips-software · Nov 2, 2022 · 2a1e448 · 2a1e448
1 parent 100c09a
commit 2a1e448
Showing 1 changed file with 18 additions and 4 deletions.
diff --git a/container_digest.sh b/container_digest.sh
@@ -87,8 +87,11 @@ then
     COSIGN_PUB_ARGUMENT="--key $COSIGN_PUB"
   fi
   echo "Sign image"
+
   # shellcheck disable=SC2086
-  cosign sign ${COSIGN_KEY_ARGUMENT} "$registry_url_prefix"/"$imagename"@"${containerdigest}"
+  cosign sign ${COSIGN_KEY_ARGUMENT} "$registry_url_prefix"/"$imagename"@"${containerdigest}" | tee output.txt
+  tlog_id=$(grep "tlog entry created with index"  output.txt | grep -o '[0-9]\+')
+  rm output.txt
 
   echo "Verify signing"
   # shellcheck disable=SC2086
@@ -107,7 +110,6 @@ then
     echo '```'
     if [ -n "${KEYLESS}" ]
     then
-      tlog_id=$(cosign verify "$registry_url_prefix"/"$imagename"@"${containerdigest}" 2>/dev/null | jq '.[0].optional.Bundle.Payload.logIndex')
       echo "Public Rekore tlog-url: <https://rekor.tlog.dev/?logIndex=$tlog_id>"
     fi
   } >> "$GITHUB_STEP_SUMMARY"
@@ -146,7 +148,9 @@ then
 
     echo "Attest predicate"
   # shellcheck disable=SC2086
-    cosign attest --predicate provenance-predicate.json ${COSIGN_KEY_ARGUMENT} --type slsaprovenance "$registry_url_prefix"/"$imagename"@"${containerdigest}"
+    cosign attest --predicate provenance-predicate.json ${COSIGN_KEY_ARGUMENT} --type slsaprovenance "$registry_url_prefix"/"$imagename"@"${containerdigest}" | tee output.txt
+    tlog_id=$(grep "tlog entry created with index"  output.txt | grep -o '[0-9]\+')
+    rm output.txt
 
     {
       echo "SLSA Provenance file is attested. You can verify it with the following command."
@@ -160,6 +164,10 @@ then
         echo "cosign verify-attestation --key cosign.pub --type slsaprovenance $registry_url_prefix/$imagename@${containerdigest} | jq '.payload |= @base64d | .payload | fromjson | select(.predicateType==\"https://slsa.dev/provenance/v0.2\" ) | .'"
       fi
       echo '```'
+      if [ -n "${KEYLESS}" ]
+      then
+        echo "Public Rekore tlog-url: <https://rekor.tlog.dev/?logIndex=$tlog_id>"
+      fi
     } >> "$GITHUB_STEP_SUMMARY"
   fi
 fi
@@ -186,7 +194,9 @@ then
 
     echo "Attest SBOM"
     # shellcheck disable=SC2086
-    cosign attest --predicate sbom-spdx.json --type spdx ${COSIGN_KEY_ARGUMENT} "$registry_url_prefix"/"$imagename"@"${containerdigest}"
+    cosign attest --predicate sbom-spdx.json --type spdx ${COSIGN_KEY_ARGUMENT} "$registry_url_prefix"/"$imagename"@"${containerdigest}" | tee output.txt
+    tlog_id=$(grep "tlog entry created with index"  output.txt | grep -o '[0-9]\+')
+    rm output.txt
 
     echo "Done attesting the SBOM"
 
@@ -202,6 +212,10 @@ then
         echo "cosign verify-attestation --key cosign.pub --type spdx $registry_url_prefix/$imagename@${containerdigest} | jq '.payload |= @base64d | .payload | fromjson | select( .predicateType==\"https://spdx.dev/Document\" ) | .predicate.Data | fromjson | .'"
       fi
       echo '```'
+      if [ -n "${KEYLESS}" ]
+      then
+        echo "Public Rekore tlog-url: <https://rekor.tlog.dev/?logIndex=$tlog_id>"
+      fi
     } >> "$GITHUB_STEP_SUMMARY"
 
   fi