diff --git a/.github/actions/publish-release/action.yaml b/.github/actions/publish-release/action.yaml
new file mode 100644
index 0000000..f5e7cf7
--- /dev/null
+++ b/.github/actions/publish-release/action.yaml
@@ -0,0 +1,113 @@
+name: Publish release
+
+description: Publish release, container image, SBOMS, signs artifacts.
+
+inputs:
+ go-version:
+ required: true
+ description: go version to install on the runner
+ github_token:
+ required : true
+ description: github token used for the release
+ registry_username:
+ required: true
+ description: Container registry username
+ registry_password:
+ required: true
+ description: Container registry password
+ registry:
+ required: true
+ description: registry used to publish container images
+
+
+outputs:
+ hashes:
+ value: ${{ steps.binary.outputs.hashes }}
+ description: hash of the cheksum file in base64
+ name:
+ value: ${{ steps.image.outputs.name }}
+ description: name of the published container image
+ digest:
+ value: ${{ steps.image.outputs.digest }}
+ description: published image digest
+
+runs:
+ using: composite
+ steps:
+ # Install go with specific version
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: ${{ inputs.go-version }} # same version than the one in the go.mod or in the .go-version
+ # Register to ghcr.io container Registry
+ - name: 'Login to GitHub Container Registry'
+ uses: docker/login-action@v1
+ with:
+ registry: ${{ inputs.registry}}
+ username: ${{ inputs.registry_username }}
+ password: ${{ inputs.registry_password }}
+ # Install ko to publish container images
+ - name: Set up Ko
+ uses: ko-build/setup-ko@v0.7
+ # Install cosign to sign artfacts with goreleaser
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.5.0
+ # Get LDFLAGS with a makefile command
+ - shell: bash
+ name: Get LDFLAGS
+ id: get_ldlflags # need to define id to pass the variable to other steps
+ run : |
+ echo "ldflags= $(make get-ldflags)" >> "$GITHUB_OUTPUT"
+ # Install other dependencies like scanners and go librairies
+ - shell: bash
+ name : Install dependencies
+ run : |
+ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+ curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.49.1
+ # Run command goreleaser release based on .goreleaser.yml
+ # LDFLAGS are passed thanks to the steps.job_id.outputs.variable_name variable
+ - name: Run GoReleaser
+ uses: goreleaser/goreleaser-action@v5
+ id: goreleaser
+ with:
+ distribution: goreleaser
+ version: latest
+ args: release
+ env:
+ GITHUB_TOKEN: ${{ inputs.github_token }}
+ LDFLAGS: ${{steps.get_ldlflags.outputs.ldflags}}
+ # Get artifacts from goreleaser's step outputs to generate cheksums file abse64 hashes
+ # Provenance generator action needs to have a base64 hash for generating blobs provenance
+ # The hash is passed as an output of goreleaser job
+ - shell: bash
+ name: Generate binary hashes
+ id: binary
+ env:
+ ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
+ run: |
+ set -euo pipefail
+ checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+ echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
+ # Get artifacts from the goreleaser's step outputs to retrieve Docker Manifest containing the image and its digest
+ # Image Provenance generator action needs to have the image name and a digest for generating provenance and publish it to the container registry
+ - shell: bash
+ name: Image digest
+ id: image
+ env:
+ ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
+ run: |
+ set -euo pipefail
+ image_and_digest=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Docker Manifest") | .path')
+ image=$(echo "${image_and_digest}" | cut -d'@' -f1 | cut -d':' -f1)
+ digest=$(echo "${image_and_digest}" | cut -d'@' -f2)
+ echo "name=$image" >> "$GITHUB_OUTPUT"
+ echo "digest=$digest" >> "$GITHUB_OUTPUT"
+ # Sign image with cosign sign command
+ - shell: bash
+ name: Generate Image Signature
+ env:
+ #COSIGN_REPOSITORY: ghcr.io/${{github.owner}}/signatures # need to use this variable for having a dfiferent signature repository
+ IMAGE: ${{ steps.image.outputs.name }}@${{ steps.image.outputs.digest }}
+ run : |
+ cosign sign --yes \
+ ${{ env.IMAGE }}
\ No newline at end of file
diff --git a/.github/actions/verify-attestations/action.yaml b/.github/actions/verify-attestations/action.yaml
new file mode 100644
index 0000000..36702a6
--- /dev/null
+++ b/.github/actions/verify-attestations/action.yaml
@@ -0,0 +1,42 @@
+name: Verify SLSA attestations
+
+description: Use slsa-verifier to verify provenance attestations
+
+inputs:
+ go-version:
+ required: true
+ description: go version to install on the runner
+ github_token:
+ required : true
+ description: github token used for the release
+ image:
+ required: true
+ description: Image to verify.
+ tag:
+ required : false
+ description : Version of the software.
+ checksum_file:
+ required : true
+ description : Name of the checksum.
+
+
+runs:
+ using: composite
+ steps:
+ # Install go with specific version
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: ${{ inputs.go-version }} # same version than the one in the go.mod or in the .go-version
+
+ - shell: bash
+ name : Install dependencies
+ run : |
+ go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@v2.5.1
+ - shell: bash
+ name: verify image provenance
+ id: image-provenance
+ run: |
+ slsa-verifier verify-image ${{ inputs.image }} \
+ --source-uri github.com/${{github.repository}} \
+ --builder-id https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v1.10.0
\ No newline at end of file
diff --git a/.github/workflows/Goreleaser.yaml b/.github/workflows/Goreleaser.yaml
new file mode 100644
index 0000000..db8c7ef
--- /dev/null
+++ b/.github/workflows/Goreleaser.yaml
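Review bot: The last step interpolates `${{ env.IMAGE }}` into the `run:` script although the same value is already exported as the `IMAGE` environment variable; because the value is derived from goreleaser's artifact list rather than typed by hand, reference it as data, `cosign sign --yes "$IMAGE"`, so it never becomes part of the shell text. The two `curl … | sh` lines fetch installer scripts from the `main` branch of each upstream repository with no checksum check, and every action is referenced by a mutable tag (`docker/login-action@v1`, `ko-build/setup-ko@v0.7`, `goreleaser/goreleaser-action@v5`, `sigstore/cosign-installer@v3.5.0`); on the job that signs the release, pinning actions to a full commit SHA and installing syft and trivy from a fixed release with a verified checksum closes the supply-chain gap. `docker/login-action@v1` is also an old major of that action. `cat $checksum_file` should be `cat "$checksum_file"` given `set -euo pipefail` is already in place.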
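Review bot: `slsa-verifier verify-image ${{ inputs.image }} \` splices an action input straight into the shell script; pass it through `env:` (`IMAGE: ${{ inputs.image }}`) and use `"$IMAGE"` in `run:` so the value is an argument rather than script text. The `tag`, `checksum_file` and `github_token` inputs are declared but never read, so the image check accepts provenance for any tag of the repository and the binary provenance (the `hashes` output produced by the publish action) is never verified; adding `--source-tag "$TAG"` and a `slsa-verifier verify-artifact` step for the checksum file would close both gaps, otherwise the unused inputs should be dropped. The `--builder-id` is pinned to `refs/tags/v1.10.0` and has to be kept in step with the generator version the calling workflow references.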
@@ -0,0 +1,84 @@
+# .github/workflows/release.yml
+name: goreleaser
+
+on:
+ pull_request:
+ push:
+ # run only against tags
+ tags:
+ - "*"
+
+jobs:
+
+ goreleaser:
+ runs-on: ubuntu-latest
+ env:
+ WORKSPACE: ${{github.workspace}}
+ # Define job outputs from steps outputs
+ # It is
+ outputs:
+ hashes: ${{ steps.publish-artifacts.outputs.hashes }}
+ image: ${{ steps.publish-artifacts.outputs.name }}
+ digest: ${{ steps.publish-artifacts.outputs.digest }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Publish Artifacts
+ id : publish-artifacts
+ uses: ./.github/actions/publish-release
+ with:
+ go-version: 1.21.6
+ github_token : ${{ secrets.GITHUB_TOKEN }}
+ registry: ghcr.io
+ registry_username: ${{ github.actor }}
+ registry_password: ${{ secrets.GITHUB_TOKEN }}
+
+ # Job generating provenance for blobs artifacts requiring checksum hash in base64 format
+ # upload-assets is set to true to add in-toto attestation to the release
+ binary-provenance:
+ needs: [goreleaser]
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
+ with:
+ base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+ upload-assets: true
+ # Job generating provenance for container images requiring an image and an image digest
+ image-provenance:
+ needs: [goreleaser]
+ permissions:
+ actions: read
+ id-token: write
+ packages: write
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
+ with:
+ image: ${{ needs.goreleaser.outputs.image }}
+ digest: ${{ needs.goreleaser.outputs.digest }}
+ registry-username: ${{ github.actor }}
+ secrets:
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
+ verify-provenance:
+ needs: [goreleaser, binary-provenance,image-provenance]
+ runs-on: ubuntu-latest
+ env:
+ WORKSPACE: ${{github.workspace}}
+ permissions:
+ actions: read
+ id-token: write
+ packages: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Verify provenance attestations
+ id : slsa-verifier
+ uses: ./.github/actions/verify-attestations
+ with:
+ go-version: 1.21.6
+ github_token : ${{ secrets.GITHUB_TOKEN }}
+ image: ${{needs.goreleaser.outputs.image}}@${{needs.goreleaser.outputs.digest}}
diff --git a/.gitignore b/.gitignore
index 000b8d2..51150c1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,7 +8,6 @@ build/ generated/ deployed.json .socket -k8s-kms-plugin # dev pkg/crypto11
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..2ad8c67
--- /dev/null
+++ b/.gitlab-ci.yml
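Review bot: The `goreleaser` job declares no `permissions:` while its steps push to ghcr.io, create the release and run cosign keylessly; keyless signing in Actions needs `id-token: write`, and the README added in this same commit describes clicking authentication links in the job log, which suggests cosign is falling back to the interactive OIDC flow so the certificates carry a personal GitHub identity rather than the workflow identity. Give that job `permissions:` with `contents: write`, `packages: write` and `id-token: write` (the `binary-provenance` job below already models this) so signatures are bound to `https://token.actions.githubusercontent.com` and verification needs no human in the loop. The workflow also triggers on `pull_request:`, which runs the whole publish-and-sign path for every pull request; limiting `on:` to `push.tags` or gating the job with `if: startsWith(github.ref, 'refs/tags/')` keeps publishing to tagged refs. `verify-provenance` only reads attestations, so `packages: read` without `id-token: write` is the least privilege it needs.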
@@ -0,0 +1,21 @@
+# .gitlab-ci.yml
+variables:
+ RUNNER_GENERATE_ARTIFACTS_METADATA: "true"
+
+stages:
+ - release
+# Maybe syft is not installed, so it'll need to add another job or action in the script section to install syft on the runner
+# https://goreleaser.com/ci/gitlab/#basic-releasing
+release:
+ stage: release
+ image:
+ name: goreleaser/goreleaser
+ entrypoint: [""]
+ only:
+ - tags
+ variables:
+
+ GIT_DEPTH: 0
+ script:
+ # GITLAB_TOKEN is needed to create GitLab releases.
+ - make release
\ No newline at end of file
diff --git a/.goreleaser.yml b/.goreleaser.yml
new file mode 100644
index 0000000..2f7a21c
--- /dev/null
+++ b/.goreleaser.yml
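Review bot: `name: goreleaser/goreleaser` carries no tag or digest, so each tag release runs whatever `latest` resolves to at that moment; pin it (`goreleaser/goreleaser:<version>@sha256:<digest>`, values to be filled in) so the release tooling is as reproducible as the artifacts it signs. The comment above `release:` already doubts syft is in that image; the same question applies to `trivy` and `cosign`, which `.goreleaser.yml` in this commit invokes through `cmd: trivy` and `cmd: cosign`, so `script:` needs install steps (or a custom image) ahead of `make release`. `.goreleaser.yml` also templates `{{ .Env.WORKSPACE }}` and `{{ .Env.GITHUB_REPOSITORY }}`, which the GitHub workflow provides but nothing in this pipeline defines.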
@@ -0,0 +1,199 @@
+project_name: k8s-kms-plugin
+
+env:
+ - GO111MODULE=on
+ - CGO_ENABLED=1
+ - LATEST_TAG=,latest
+
+# Prevents parallel builds from stepping on each others toes downloading modules
+before:
+ hooks:
+ - go mod tidy
+ - go mod download
+
+# Define GITLAB parameters o publish release on gitlab
+gitlab_urls:
+ api: "{{ .Env.CI_API_V4_URL }}"
+ download: "{{ .Env.CI_SERVER_URL }}"
+ skip_tls_verify: true
+ use_package_registry: true
+
+# Build the binary for different architectures
+builds:
+ - id: k8s-kms-plugin
+ binary: '{{ .ProjectName }}-linux-{{ .Arch }}_{{ .Version }}'
+ no_unique_dist_dir: true
+ main: ./cmd/{{ .ProjectName }}/main.go
+
+ mod_timestamp: '{{ .CommitTimestamp }}'
+ goos:
+ - linux
+ goarch:
+ - amd64
+ ldflags:
+ - "{{ .Env.LDFLAGS }}"
+
+# Use ko-build to publish container image to a specific registry
+# It is possible to define platforms
+kos:
+ - repository: ghcr.io/{{ .Env.GITHUB_REPOSITORY }}
+ tags:
+ - "{{.Tag}}"
+ - "{{ if not .Prerelease }}latest{{ end }}"
+ main: ./cmd/k8s-kms-plugin
+ base_image: "cgr.dev/chainguard/glibc-dynamic:latest"
+ bare: true
+ preserve_import_paths: false
+ sbom: cyclonedx
+ platforms:
+ - linux/amd64
+ flags:
+ - -trimpath
+ ldflags:
+ - "{{ .Env.LDFLAGS }}"
+ env:
+ - CGO_ENABLED=1 # Mandatory for crypto11 pkg or go libraries using C compilator
+
+# Generate different type of packages from binary(ies) generated in build section: apk, deb, rpm
+nfpms:
+ - id: '{{ .ProjectName }}'
+ package_name: '{{ .ProjectName }}'
+ file_name_template: "{{ .ConventionalFileName }}"
+ license: "Apache License 2.0"
+ maintainer: ThalesGroup
+ builds:
+ - k8s-kms-plugin # need to use the same id that the build id
+ formats:
+ - apk
+ - deb
+ - rpm
+ contents:
+ - src: /usr/bin/{{ .ProjectName }}-linux-{{ .Arch }}_{{ .Version }}
+ dst: /usr/bin/{{ .ProjectName }}
+ type: "symlink"
+
+
+# Define caracteristics of binary artifacts
+# Generate zip and tar archives from binary(ies) generated in the build section
+archives:
+ - id: binary
+ format: binary
+ name_template: "{{ .Binary }}"
+ allow_different_binary_count: true
+ - id: zip
+ format: zip
+ name_template: "{{ .Binary }}"
+ allow_different_binary_count: true
+ - id: tar
+ format: tar.gz
+ name_template: "{{ .Binary }}"
+ allow_different_binary_count: true
+# create metadata file
+metadata:
+
+ mod_timestamp: "{{ .CommitTimestamp }}"
+
+
+# Checksum caracteristics
+checksum:
+ name_template: "{{ .ProjectName }}_checksums.txt"
+# Snapshot caracteristics
+snapshot:
+ name_template: SNAPSHOT-{{ .ShortCommit }}
+
+# Generate SBOM for all artifacts
+# SPDX generate with syft (default scanner)
+# CycloneDX generate with trivy
+# CycloneDX "Vex" contains also informations on vulnerabilities
+# It is possible to change the scanner and the command
+sboms:
+ - id: binary sbom
+ artifacts: binary
+ documents:
+ - "${artifact}.spdx.sbom"
+ - id: CycloneDX sbom
+ artifacts: binary
+ documents:
+ - "${artifact}.cyclonedx-json.sbom"
+ args: ["$artifact", "--output", "cyclonedx-json","--file","$document"]
+ - id: trivy sbom
+ artifacts: binary
+ cmd: trivy
+ documents:
+ - "${artifact}.cyclonedx-vex.sbom"
+ args: ["fs","--format","cyclonedx","--scanners","vuln","--output","$document","{{ .Env.WORKSPACE }}"]
+
+# Sign the artifacts
+# Use the command cosign in keyless mode to sign the different kind of artifacts: binary, checksum, package, sbom
+signs:
+ - id : '{{ .ProjectName }}-keyless'
+ cmd: cosign
+ env:
+ - COSIGN_EXPERIMENTAL=1
+ signature : "${artifact}-keyless.sig"
+ certificate: "${artifact}-keyless.pem"
+ args:
+ - sign-blob
+ - "--output-certificate=${certificate}"
+ - "--output-signature=${signature}"
+ - "-y"
+ - "${artifact}"
+ artifacts: binary
+ output: true
+ - id : checksum-keyless
+ cmd: cosign
+ env:
+ - COSIGN_EXPERIMENTAL=1
+ signature : "${artifact}-keyless.sig"
+ certificate: "${artifact}-keyless.pem"
+ args:
+ - sign-blob
+ - "--output-certificate=${certificate}"
+ - "--output-signature=${signature}"
+ - "-y"
+ - "${artifact}"
+ artifacts: checksum
+ output: true
+ - id : package-keyless
+ cmd: cosign
+ env:
+ - COSIGN_EXPERIMENTAL=1
+ signature : "${artifact}-keyless.sig"
+ certificate: "${artifact}-keyless.pem"
+ args:
+ - sign-blob
+ - "--output-certificate=${certificate}"
+ - "--output-signature=${signature}"
+ - "-y"
+ - "${artifact}"
+ artifacts: package
+ output: true
+ - id : 'sbom-keyless'
+ cmd: cosign
+ env:
+ - COSIGN_EXPERIMENTAL=1
+ signature : "${artifact}-keyless.sig"
+ certificate: "${artifact}-keyless.pem"
+ args:
+ - sign-blob
+ - "--output-certificate=${certificate}"
+ - "--output-signature=${signature}"
+ - "-y"
+ - "${artifact}"
+ artifacts: sbom
+ output: true
+
+
+# Create a release
+release:
+ # draft: true # Used to publish a draft on github
+ make_latest: true
+ github:
+ owner: "{{ .Env.GITHUB_REPOSITORY_OWNER }}"
+ name: '{{ .ProjectName }}'
+ gitlab:
+ owner: ""
+ name: "{{ .Env.CI_PROJECT_PATH }}"
+ footer: |
+ ### Thanks to all contributors!
+
diff --git a/Makefile b/Makefile
index bdf92eb..422e849 100644
--- a/Makefile
+++ b/Makefile
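Review bot: `skip_tls_verify: true` under `gitlab_urls` turns off certificate validation for the GitLab API and download endpoints that receive the release and packages, so the publishing channel is exposed to interception exactly where the signed artifacts are uploaded; remove the line (the default is `false`) and, if the GitLab instance uses a private CA, trust that CA on the runner instead. `base_image: "cgr.dev/chainguard/glibc-dynamic:latest"` is a mutable tag; pinning it as `cgr.dev/chainguard/glibc-dynamic:<tag>@sha256:<digest>` (values to be filled in) keeps the image build reproducible and gives the SLSA provenance a fixed base to describe. The four `signs` entries differ only in `id` and `artifacts`, so if `artifacts: all` covers the intended set a single entry would do, and `COSIGN_EXPERIMENTAL=1` should no longer be needed for keyless signing with the cosign 2.x release that `cosign-installer@v3.5.0` installs. The trivy SBOM's `{{ .Env.WORKSPACE }}` is defined only by the GitHub workflow, so the GitLab pipeline in this commit will not have it.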
@@ -1,12 +1,29 @@ -.PHONY: all lint build coverage dev gen +# Copyright 2024 Thales +.PHONY: all lint build coverage dev gen all: build -SECRETNAME=gcr-json-key +# Project name +PROJECT_NAME := k8s-kms-plugin +REPOSITORY_NAME := "github.com/ThalesGroup/$(PROJECT_NAME)" + +VERSION ?= $(shell git describe --tags --always) +COMMIT_LONG ?= $(shell git rev-parse HEAD) +COMMIT_SHORT ?= $(shell git rev-parse --short=8 HEAD) +GO_VERSION ?= $(shell go version) +BUILD_PLATFORM ?= $(shell uname -m) +BUILD_DATE ?= $(shell date -Iseconds) +LDFLAGS = "-X '$(REPOSITORY_NAME)/cmd/k8s-kms-plugin/cmd.RawGitVersion=$(VERSION)' -X '$(REPOSITORY_NAME)/cmd/k8s-kms-plugin/cmd.CommitVersionIdLong=$(COMMIT_LONG)' -X '$(REPOSITORY_NAME)/cmd/k8s-kms-plugin/cmd.CommitVersionIdShort=$(COMMIT_SHORT)' -X '$(REPOSITORY_NAME)/cmd/k8s-kms-plugin/cmd.GoVersion=$(GO_VERSION)' -X '$(REPOSITORY_NAME)/cmd/k8s-kms-plugin/cmd.BuildPlatform=$(BUILD_PLATFORM)' -X '$(REPOSITORY_NAME)/cmd/k8s-kms-plugin/cmd.BuildDate=$(BUILD_DATE)'" +GO_LDFLAGS = -ldflags=$(LDFLAGS) +# For dev +SECRET_NAME=gcr-json-key P11_TOKEN=ajak P11_PIN=password ## Pipeline +# Go parameters +CGO_ENABLED := "1" + lint: @golangci-lint run coverage: @@ -26,7 +43,7 @@ gen-openapi: @swagger generate client --quiet --existing-models=pkg/est/models -c pkg/est/client -f apis/kms/v1/est.yaml build: @go version - @go build -o k8s-kms-plugin cmd/k8s-kms-plugin/main.go + @go build $(GO_LDFLAGS) -o k8s-kms-plugin cmd/k8s-kms-plugin/main.go build-debug: @go version @go build -gcflags="all=-N -l" -o k8s-kms-plugin cmd/k8s-kms-plugin/main.go @@ -54,3 +71,10 @@ p11tool-delete: deploy: @gcloud endpoints services deploy --format json "./apis/api-service.yaml" "./apis/istio/v1/v1.pb" > "./deployed.json" + +release: + @echo "Makefile: Running goreleaser release --clean fro project $(PROJECT_NAME)" + LDFLAGS=$(LDFLAGS) goreleaser release --clean +get-ldflags: + + @echo $(LDFLAGS) diff --git a/README.md b/README.md index 7f3316b..d81e8ad 100644 --- a/README.md 
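Review bot: `REPOSITORY_NAME := "github.com/ThalesGroup/$(PROJECT_NAME)"` and `CGO_ENABLED := "1"` keep the double quotes as part of the value, since make performs no quote removal; `LDFLAGS` only ends up as the intended `-X 'github.com/…'` flags because the shell later strips the nested quotes in `release`, `build` and `get-ldflags`, and a `CGO_ENABLED` exported through make rather than a shell command line would carry the literal `"1"`. Write them unquoted, `REPOSITORY_NAME := github.com/ThalesGroup/$(PROJECT_NAME)` and `CGO_ENABLED := 1`, and keep quoting only for the `-X '…'` pairs inside `LDFLAGS` where it is needed. The echo text in the `release` recipe reads `fro project`; `for project` is meant.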
+++ b/README.md 
@@ -93,4 +93,62 @@ Scanning your code and 288 packages across 34 dependent modules for known vulner No vulnerabilities found. ``` +## Signing artifacts +During the release workflow, certificates and signatures of artifacts are generated. +They are signed by a tool named cosign using a keyless mode. +It required an authentication by clicking in links present in logs. + +![Screenshot of one example of logs containing three authentication links generating tokens](docs/images/AuthLinksCosign.png) + +Once you click on one, you can submit a verification code that will redirect you to three types of authentication. Then click on Github authentication. + + ![Screenshot of the interface for submitting a code](docs/images/CodeSubmit.png) + +Do these actions for every authentication links and the signatures and the certificates will be generated with the artifacts in the release. + +## Verifying the authenticity of an artifact + +You need to downloads 3 files : [ _**[file.txt]**_, _**[file].pem**_, _**[file].sig**_] + +If you don't have, install cosign by typing the commands below : + + ```bash + curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64" + sudo mv cosign-linux-amd64 /usr/local/bin/cosign + sudo chmod +x /usr/local/bin/cosign + ``` + +For a verification with cosign installed and pay attention to modify the name of the files : + + ```bash + COSIGN_EXPERIMENTAL=1 cosign verify-blob --cert [file]-keyless.pem --signature [file]-keyless.sig --certificate-oidc-issuer "https://github.com/login/oauth" --certificate-identity [ Mail adress of the owner of the repo ] [file] + ``` + +Or using Podman without installing cosign : + +```bash +podman run --rm -it gcr.io/projectsigstore/cosign:v1.13.0 COSIGN_EXPERIMENTAL=1 cosign verify-blob --cert [file]-keyless.pem --signature [file]-keyless.sig --certificate-oidc-issuer "https://github.com/login/oauth" --certificate-identity [ Mail adress of the owner of the repo ] [file] +``` + +## Verifying 
the SLSA attestation of a container + +The image's attestation of provenance has been issued by a specific oidc-issuer that is 'https://token.actions.githubusercontent.com' in this repository. +In the next command example, it is required to replace digest by the digest of the image that needs to be verified and the owner of the repo. + +```bash +cosign verify-attestation --type slsaprovenance \ + --certificate-identity-regexp="https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/*" \ + --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ + ghcr.io/OWNER/k8s-kms-plugin@digest | jq .payload -r | base64 --decode | jq + +``` + +## EXPERIMENTAL: `k8s-kms-plugin` as a container + +**This is an EXPERIMENTAL feature. Do not use it.** + +There is a [ko-build](https://github.com/ko-build/ko) Job that builds the +`k8s-kms-plugin` as a container. + +However, the container does not currently connect to the TPM. diff --git a/cmd/k8s-kms-plugin/cmd/version.go b/cmd/k8s-kms-plugin/cmd/version.go new file mode 100644 index 0000000..19a5c97 --- /dev/null +++ b/cmd/k8s-kms-plugin/cmd/version.go 
@@ -0,0 +1,129 @@
+/*
+Copyright © 2024 NAME HERE
+*/
+package cmd
+
+import (
+ "encoding/json"
+ "fmt"
+
+ "github.com/coreos/go-semver/semver"
+ "github.com/spf13/cobra"
+ "gopkg.in/yaml.v3"
+)
+
+var (
+ RawGitVersion string
+ CommitVersionIdShort string
+ CommitVersionIdLong string
+ OutputFormat string
+ GoVersion string
+ BuildPlatform string
+ BuildDate string
+)
+
+type JsonVersion struct {
+ Major int64 `json:"major"`
+ Minor int64 `json:"minor"`
+ Version string `json:"version"`
+ CommitIdLong string `json:"commitIdLong"`
+ CommitIdShort string `json:"commitIdShort"`
+ GoVersion string `json:"goVersion"`
+ Date string `json:"date"`
+ Platorm string `json:"plaform"`
+}
+type YamlVersion struct {
+ Major int64 `yaml:"major"`
+ Minor int64 `yaml:"minor"`
+ Version string `yaml:"version"`
+ CommitIdLong string `yaml:"commitIdLong"`
+ CommitIdShort string `yaml:"commitIdShort"`
+ GoVersion string `yaml:"goVersion"`
+ Date string `yaml:"date"`
+ Platorm string `yaml:"plaform"`
+}
+
+func validateInputs() {
+ if OutputFormat != "" && OutputFormat != "json" && OutputFormat != "yaml" {
+ OutputFormat = ""
+ }
+}
+func CreateJsonVersion() []byte {
+ version := semver.New(RawGitVersion)
+
+ jsonFormat := &JsonVersion{
+ Major: version.Major,
+ Minor: version.Minor,
+ Version: RawGitVersion,
+ CommitIdLong: CommitVersionIdLong,
+ CommitIdShort: CommitVersionIdShort,
+ GoVersion: GoVersion,
+ Date: BuildDate,
+ Platorm: BuildPlatform,
+ }
+ data, err := json.MarshalIndent(&jsonFormat, "", " ")
+ if err != nil {
+
+ fmt.Println(err)
+ }
+ return data
+}
+func CreateYamlVersion() []byte {
+ version := semver.New(RawGitVersion)
+
+ yamlFormat := &YamlVersion{
+ Major: version.Major,
+ Minor: version.Minor,
+ Version: RawGitVersion,
+ CommitIdLong: CommitVersionIdLong,
+ CommitIdShort: CommitVersionIdShort,
+ GoVersion: GoVersion,
+ Date: BuildDate,
+ Platorm: BuildPlatform,
+ }
+ data, err := yaml.Marshal(&yamlFormat)
+ if err != nil {
+
+ fmt.Println(err)
+ }
+ return data
+}
+
+func generateOutput() {
+ if OutputFormat == "json" {
+ fmt.Println(string(CreateJsonVersion()))
+ } else if OutputFormat == "yaml" {
+ fmt.Println(string(CreateYamlVersion()))
+ } else {
+ fmt.Println(RawGitVersion)
+ }
+}
+
+// versionCmd represents the version command
+var versionCmd = &cobra.Command{
+ Use: "version",
+ Short: "Show the version of the application with the short commit sha associated",
+ Run: func(cmd *cobra.Command, args []string) {
+ if OutputFormat == "" {
+ fmt.Println(RawGitVersion)
+ } else {
+ validateInputs()
+ generateOutput()
+ }
+
+ },
+}
+
+func init() {
+ rootCmd.AddCommand(versionCmd)
+ versionCmd.Flags().StringVarP(&OutputFormat, "output", "o", "json", "'json' or 'yaml'")
+ // Here you will define your flags and configuration settings.
+
+ // Cobra supports Persistent Flags which will work for this command
+ // and all subcommands, e.g.:
+ // versionCmd.PersistentFlags().String("foo", "", "A help for foo")
+
+ // Cobra supports local flags which will only run when this command
+ // is called directly, e.g.:
+ // versionCmd.Flags().BoolP("toggle", "t", false, "Help message for toggle")
+}
diff --git a/docs/images/AuthLinksCosign.png b/docs/images/AuthLinksCosign.png
new file mode 100644
index 0000000..368d33c
Binary files /dev/null and b/docs/images/AuthLinksCosign.png differ
diff --git a/docs/images/CodeSubmit.png b/docs/images/CodeSubmit.png
new file mode 100644
index 0000000..46c9de2
Binary files /dev/null and b/docs/images/CodeSubmit.png differ
diff --git a/go.mod b/go.mod
index 4c9ef41..a02f4a5 100644
--- a/go.mod
+++ b/go.mod
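Review bot: `semver.New(RawGitVersion)` in `CreateJsonVersion` and `CreateYamlVersion` panics on any string that is not strict semver, and the Makefile in this commit fills `RawGitVersion` from `git describe --tags --always`, which as far as I recall yields a leading `v` on tags and a bare commit hash when no tag is reachable (and the variable is empty when the binary is built without the `-X` flags), so `version -o json` would crash rather than print. Parse with `semver.NewVersion` after trimming the `v`, fall back to zero components on error, and share that between the two constructors as below; this needs `"strings"` added to the import block. `validateInputs` also silently turns any unknown `-o` value into the plain-text path, so a typo is never reported; returning an error from the command (`RunE`) would surface it. The `plaform` JSON/YAML key and `Platorm` field are misspelled and become part of the output contract once released, so renaming now is cheaper than later.
```go
// parsedVersion returns the major and minor components of RawGitVersion, or
// 0/0 when the string is not strict semver (git describe output carries a
// leading "v" and degrades to a bare commit hash when no tag is reachable).
func parsedVersion() (major, minor int64) {
	v, err := semver.NewVersion(strings.TrimPrefix(RawGitVersion, "v"))
	if err != nil {
		return 0, 0
	}
	return v.Major, v.Minor
}

func CreateJsonVersion() []byte {
	major, minor := parsedVersion()
	jsonFormat := &JsonVersion{
		Major: major,
		Minor: minor,
		// … unchanged: remaining fields, json.MarshalIndent and return …

func CreateYamlVersion() []byte {
	major, minor := parsedVersion()
	yamlFormat := &YamlVersion{
		Major: major,
		Minor: minor,
		// … unchanged: remaining fields, yaml.Marshal and return …
```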
@@ -52,12 +52,13 @@ require ( google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 // indirect gopkg.in/ini.v1 v1.51.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect - gopkg.in/yaml.v3 v3.0.1 // indirect + gopkg.in/yaml.v3 v3.0.1 ) require ( github.com/ThalesGroup/crypto11 v1.2.6-0.20240209151343-55d45d454b19 github.com/ThalesGroup/gose v0.8.8-0.20240212085359-57890b0e2357 + github.com/coreos/go-semver v0.3.1 ) require ( diff --git a/go.sum b/go.sum index 35c3c30..42a91b7 100644 --- a/go.sum +++ b/go.sum @@ -65,6 +65,8 @@ github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4= +github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec= github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=