From 112e932c33a41a9e47106e85822ad04bd7c2c900 Mon Sep 17 00:00:00 2001 From: The_Spider Date: Mon, 3 Jan 2022 12:57:23 -0600 Subject: [PATCH] sign kaniko image --- build-kaniko.jenkins | 34 +++++++++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/build-kaniko.jenkins b/build-kaniko.jenkins index 6258dcd..8f1dba9 100644 --- a/build-kaniko.jenkins +++ b/build-kaniko.jenkins @@ -2,6 +2,8 @@ def label = "jenkins-${UUID.randomUUID().toString()}" def repository = "registry.c.test-chamber-13.lan" def repositoryCreds = "harbor-repository-creds" +def dockerKey = "docker-image-signing-key" +def dockerKeyPass = "docker-image-signing-pass" podTemplate( label: label, @@ -15,15 +17,27 @@ spec: containers: - name: kaniko imagePullPolicy: Always - image: gcr.io/kaniko-project/executor:debug + image: ${repository}/google/kaniko-project/executor:debug + tty: true + - name: alpine + imagePullPolicy: Always + image: ${repository}/libary/alpine:latest tty: true - command: - - /busybox/cat """, ) { node (label) { def workspace = pwd() + stage("Get Cosign") { + container("alpine") { + sh """ + apk add --no-cache curl jq + curl --silent --location "https://github.com/sigstore/cosign/releases/download/\$(curl --silent "https://api.github.com/repos/sigstore/cosign/releases/latest" | jq -r '.tag_name')/cosign-linux-amd64" --output "${workspace}/cosign" + chmod +x "${workspace}/cosign" + """ + } + } + stage ("Prepare Kaniko") { container ("kaniko") { withCredentials([usernameColonPassword( 
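Review bot: The `Get Cosign` stage fetches the signing tool from whatever GitHub release is currently `latest`, with no version pin and no checksum or signature check, and that binary is what every later signature and (per the third hunk) the published kaniko image depend on. Because `curl` is invoked without `--fail`, a rate-limited or failed API call (`jq` yields `null`) or a 404 still writes the HTML error body to `${workspace}/cosign`, and the following `chmod +x` succeeds, so the problem only surfaces later. Pin the release and verify it before use, e.g. `def cosignVersion = "<pinned release tag>"` beside the other constants, `curl --fail --silent --location "https://github.com/sigstore/cosign/releases/download/${cosignVersion}/cosign-linux-amd64" --output "${workspace}/cosign"`, and `echo "<expected sha256>  ${workspace}/cosign" | sha256sum -c -` after the download. `${repository}/libary/alpine:latest` looks like a typo for `library` given `${repository}/library/kaniko` elsewhere in the patch; confirm against the registry.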
@@ -62,11 +76,25 @@ spec:
 stage("Build Alpine with CA") {
 container("kaniko") {
 def DF = """FROM ${repository}/google/kaniko-project/executor:debug
+COPY ./cosign /usr/local/bin/cosign
 COPY ./kaniko-chain.crt /kaniko/ssl/certs/ca-certificates.crt
 """
 sh "cp /kaniko/ssl/certs/ca-certificates.crt \"${workspace}/kaniko-chain.crt\""
 writeFile(file: workspace + "/Dockerfile", text: DF)
 sh "/kaniko/executor --context \"${workspace}\" -f \"${workspace}/Dockerfile\" --destination \"${repository}/library/kaniko:latest\""
+
+ withCredentials([
+ string(
+ credentialsId: dockerKeyPass,
+ variable: "signPass"
+ ),
+ file(
+ credentialsId: dockerKey,
+ variable: "signKey"
+ )
+ ]) {
+ sh "COSIGN_PASSWORD=\"${signPass}\" \"${workspace}/cosign\" sign --key \"${signKey}\" \"${repository}/library/kaniko:latest\""
+ }
 }
 }
 }
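Review bot: The `sh` line inside `withCredentials` interpolates `signPass` and `signKey` with Groovy `${...}`, so the cosign password is expanded into the script text before the shell runs it instead of being read from the environment variables the binding already exports; Jenkins flags this pattern because the secret becomes part of the generated script and the step's process arguments. Let the shell expand them instead: `sh "COSIGN_PASSWORD=\"\$signPass\" \"${workspace}/cosign\" sign --key \"\$signKey\" \"${repository}/library/kaniko:latest\""`. Signing the `:latest` tag signs whatever digest the tag resolves to at that moment, which is not necessarily the image the preceding `/kaniko/executor` call pushed if another push to the same tag races this build; kaniko's `--digest-file` option records the pushed digest so the `cosign sign` target can be `${repository}/library/kaniko@<digest from that file>`. The three closing braces at the end of the hunk appear to close `container`, `stage` and `node`, so the enclosing `podTemplate` block ends outside the hunk.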