From 6ea2fc3fbe96ae382e5c573c9da3b49498914a8c35b85bef7f1dd0a2d51e2fa6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= Date: Mon, 25 Nov 2024 11:58:29 +0000 Subject: [PATCH] [info=c11ae7b91f877d53b9e7ed4d8ed6d010] OBS-URL: https://build.opensuse.org/package/show/devel:BCI:Tumbleweed/cosign-image?expand=0&rev=17
---
 .gitattributes | 23 ++++++++++++++++
 .gitignore | 1 +
 Dockerfile | 55 ++++++++++++++++++++++++++++++++++++++
 README.md | 63 ++++++++++++++++++++++++++++++++++++++++++++
 _service | 10 +++++++
 cosign-image.changes | 24 +++++++++++++++++
 6 files changed, 176 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 Dockerfile
 create mode 100644 README.md
 create mode 100644 _service
 create mode 100644 cosign-image.changes
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..eb82349
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,55 @@
+# SPDX-License-Identifier: Apache-2.0
+
+# Copyright (c) 2024 SUSE LLC
+
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon.
+
+# The content of THIS FILE IS AUTOGENERATED and should not be manually modified.
+# It is maintained by the BCI team and generated by
+# https://github.com/SUSE/BCI-dockerfile-generator
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+# You can contact the BCI team via https://github.com/SUSE/bci/discussions
+
+#!UseOBSRepositories
+
+#!BuildTag: opensuse/cosign:%%cosign_version%%-%RELEASE%
+#!BuildTag: opensuse/cosign:%%cosign_version%%
+#!BuildTag: opensuse/cosign:2.4
+#!BuildTag: opensuse/cosign:2
+#!BuildTag: opensuse/cosign:latest
+
+FROM opensuse/bci/bci-micro:latest AS target
+FROM opensuse/tumbleweed:latest AS builder
+COPY --from=target / /target
+
+RUN set -euo pipefail; \
+ zypper -n --installroot /target --gpg-auto-import-keys install --no-recommends cosign openSUSE-build-key; \
+ zypper -n clean; \
+ rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}
+# sanity check that the version from the tag is equal to the version of cosign that we expect
+RUN set -euo pipefail; \
+ [ "$(rpm --root /target -q --qf '%{version}' cosign | \
+ cut -d '.' -f -2)" = "2.4" ]
+FROM opensuse/bci/bci-micro:latest
+COPY --from=builder /target /
+# Define labels according to https://en.opensuse.org/Building_derived_containers
+# labelprefix=org.opensuse.application.cosign
+LABEL org.opencontainers.image.title="openSUSE Tumbleweed cosign"
+LABEL org.opencontainers.image.description="Signing OCI containers using Sigstore, based on the openSUSE Tumbleweed Base Container Image."
+LABEL org.opencontainers.image.version="%%cosign_version%%"
+LABEL org.opencontainers.image.url="https://www.opensuse.org"
+LABEL org.opencontainers.image.created="%BUILDTIME%"
+LABEL org.opencontainers.image.vendor="openSUSE Project"
+LABEL org.opencontainers.image.source="%SOURCEURL%"
+LABEL org.opencontainers.image.ref.name="%%cosign_version%%-%RELEASE%"
+LABEL org.opensuse.reference="registry.opensuse.org/opensuse/cosign:%%cosign_version%%-%RELEASE%"
+LABEL org.openbuildservice.disturl="%DISTURL%"
+LABEL org.opensuse.lifecycle-url="https://en.opensuse.org/Lifetime#openSUSE_BCI"
+LABEL org.opensuse.release-stage="released"
+# endlabelprefix
+LABEL io.artifacthub.package.readme-url="https://raw.githubusercontent.com/SUSE/BCI-dockerfile-generator/Tumbleweed/cosign-image/README.md"
+LABEL io.artifacthub.package.logo-url="https://raw.githubusercontent.com/sigstore/community/main/artwork/cosign/horizontal/color/sigstore_cosign-horizontal-color.svg"
+ENTRYPOINT ["/usr/bin/cosign"]
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..f9bea21
--- /dev/null
+++ b/README.md
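Review bot: The `--gpg-auto-import-keys` flag on the zypper install line accepts whatever repository signing key the configured repositories present, so the provenance check for the installed cosign and openSUSE-build-key packages rests entirely on `#!UseOBSRepositories` confining the builder to the OBS project's repositories; that dependency deserves a comment next to the flag, e.g. `# --gpg-auto-import-keys is only acceptable because #!UseOBSRepositories limits zypper to the OBS project repos`. The final stage also ends without a `USER` instruction, so `/usr/bin/cosign` runs as root unless the bci-micro base sets a non-root user (not visible here); since cosign wants a writable HOME for its TUF cache this may be deliberate, and a one-line comment stating that would save the next reader the question. `zypper -n clean` runs against the builder root rather than `--installroot /target`, so any zypper cache left under /target presumably survives into the copied final image — worth confirming against `/var/cache/zypp` in a built image. Finally, `set -euo pipefail` and the `{/target,}` brace expansion in both RUN lines rely on `/bin/sh` being bash in the builder image, which holds for openSUSE Tumbleweed but would be clearer with an explicit `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` or a comment noting the assumption.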
@@ -0,0 +1,63 @@
+# openSUSE Tumbleweed cosign
+![Redistributable](https://img.shields.io/badge/Redistributable-Yes-green)
+
+## Description
+Cosign aims to make signatures management easy.
+
+Cosign supports the following functionality:
+
+* "Keyless signing" with the Sigstore public good Fulcio certificate authority and Rekor transparency log (default)
+* Hardware and KMS signing
+* Signing with a Cosign-generated encrypted private/public keypair
+* Container signing, verification and storage in an OCI registry.
+* Bring-your-own public key infrastructure (PKI)
+
+
+## Usage
+
+### Verify a container image
+
+To verify the image, specify a certificate subject
+and a certificate issuer using the `--certificate-identity` and
+`--certificate-oidc-issuer` flags:
+
+```shell
+$ podman run registry.opensuse.org/opensuse/cosign:2.4 \
+ verify $IMAGE \
+ --certificate-identity=$IDENTITY \
+ --certificate-oidc-issuer=$OIDC_ISSUER
+```
+
+You can also provide a regex for the certificate identity and issuer flags,
+`--certificate-identity-regexp` and `--certificate-oidc-issuer-regexp`. For more information, see
+[Keyless verification using OpenID Connect](https://docs.sigstore.dev/cosign/verifying/verify/#keyless-verification-using-openid-connect).
+
+### Verify a container image against a public key
+
+The `verify` command returns `0` if *at least one* `cosign`-formatted signature for
+the image is found matching the public key. See the detailed usage below for
+information and caveats on other signature formats.
+
+Valid payload is printed to stdout, in JSON format. Note that the
+signed payload includes the digest of the container image, which indicated that these "detached" signatures apply to the correct image.
+
+```shell
+$ podman run registry.opensuse.org/opensuse/cosign:2.4 verify --key cosign.pub $IMAGE_URI:1h
+The following checks were performed on these signatures:
+ - The cosign claims were validated
+ - The signatures were verified against the specified public key
+{"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"sha256:87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8"},"Type":"cosign container image signature"},"Optional":null}
+```
+
+For more use cases and information, refer to the
+[sigstore cosign Quickstart](https://docs.sigstore.dev/quickstart/quickstart-cosign/).
+
+## Licensing
+
+`SPDX-License-Identifier: Apache-2.0`
+
+This documentation and the build recipe are licensed as Apache-2.0.
+The container itself contains various software components under various open source licenses listed in the associated
+Software Bill of Materials (SBOM).
+
+This image is based on [openSUSE Tumbleweed](https://get.opensuse.org/tumbleweed/).
diff --git a/_service b/_service
new file mode 100644
index 0000000..5512d14
--- /dev/null
+++ b/_service
@@ -0,0 +1,10 @@
+
+
+
+
+ Dockerfile
+ %%cosign_version%%
+ cosign
+ patch
+
+
\ No newline at end of file
diff --git a/cosign-image.changes b/cosign-image.changes
new file mode 100644
index 0000000..ce4d76d
--- /dev/null
+++ b/cosign-image.changes
@@ -0,0 +1,24 @@
+-------------------------------------------------------------------
+Mon Nov 25 11:56:16 UTC 2024 - SUSE Update Bot
+
+- Add line breaks into package version check
+
+-------------------------------------------------------------------
+Sun Nov 24 08:03:54 UTC 2024 - SUSE Update Bot
+
+- Add major version tag
+
+-------------------------------------------------------------------
+Wed Nov 13 13:40:15 UTC 2024 - SUSE Update Bot
+
+- ship with openSUSE-build-keys
+
+-------------------------------------------------------------------
+Wed Oct 30 15:34:45 UTC 2024 - SUSE Update Bot
+
+- remove nonsensical org.opencontainers.image.authors - duplication of .vendor
+
+-------------------------------------------------------------------
+Wed Oct 30 12:55:17 UTC 2024 - SUSE Update Bot
+
+- First version of the cosign BCI