Sign all Images, also push to GHCR, closes #44 (#45)

wollomatic · web-flow · commit 6a7e23d20706 · 2025-03-23T20:18:31.000+01:00
* Update to Go 1.24.1 * Add Cosign for "testing" images * sign a multi-arch container image AND all referenced, discrete images, fixes #44 * additionally push images to GHCR * Gosec Action * Solve Gosec G115 * Push testing image to GHCR, sign GHCR images * Update Cosign to 2.4.3 in prod action, fix Gosec * Sign images for Docker registry and GHCR * update documentation --------- Co-authored-by: wollomatic <wollomatic@users.noreply.github.com>
diff --git a/.github/workflows/docker-image-release.yaml b/.github/workflows/docker-image-release.yaml
@@ -9,22 +9,26 @@ jobs:
   build:
 
     runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
       - name: Run Gosec Security Scanner
         uses: securego/gosec@master
+        with:
+          args: ./...
 
       - name: Extract tag name
         id: get_tag
         run: echo "::set-output name=VERSION::${GITHUB_REF#refs/tags/}"
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.1.2
+        uses: sigstore/cosign-installer@v3.8.1
         with:
-          cosign-release: 'v2.2.0'
+          cosign-release: 'v2.4.3'
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -35,6 +39,13 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Build and push Docker image
         uses: docker/build-push-action@v5
         id: build-and-push
@@ -43,10 +54,20 @@ jobs:
           platforms: linux/amd64,linux/arm/v7,linux/arm64
           push: true
           build-args: VERSION=${{ steps.get_tag.outputs.VERSION }}
-          tags: docker.io/wollomatic/socket-proxy:${{ steps.get_tag.outputs.VERSION }},docker.io/wollomatic/socket-proxy:1
+          tags: |
+            docker.io/wollomatic/socket-proxy:${{ steps.get_tag.outputs.VERSION }}
+            docker.io/wollomatic/socket-proxy:1
+            ghcr.io/wollomatic/socket-proxy:${{ steps.get_tag.outputs.VERSION }}
+            ghcr.io/wollomatic/socket-proxy:1
+
+      - name: Sign images for Docker
+        run: cosign sign --yes --recursive --key env://COSIGN_PRIVATE_KEY docker.io/wollomatic/socket-proxy:${{ steps.get_tag.outputs.VERSION }}@${{ steps.build-and-push.outputs.digest }}
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 
-      - name: Sign images for all platforms
-        run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY docker.io/wollomatic/socket-proxy:${{ steps.get_tag.outputs.VERSION }}@${{ steps.build-and-push.outputs.digest }}
+      - name: Sign images for GHCR
+        run: cosign sign --yes --recursive --key env://COSIGN_PRIVATE_KEY ghcr.io/wollomatic/socket-proxy:${{ steps.get_tag.outputs.VERSION }}@${{ steps.build-and-push.outputs.digest }}
         env:
           COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
diff --git a/.github/workflows/docker-image-testing.yaml b/.github/workflows/docker-image-testing.yaml
@@ -10,13 +10,22 @@ jobs:
   build:
 
     runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
       - name: Run Gosec Security Scanner
         uses: securego/gosec@master
+        with:
+          args: ./...
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.8.1
+        with:
+          cosign-release: 'v2.4.3'
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -27,6 +36,13 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Build and push Docker image
         uses: docker/build-push-action@v5
         id: build-and-push
@@ -35,4 +51,20 @@ jobs:
           platforms: linux/amd64,linux/arm64
           push: true
           build-args: VERSION=testing-${{ github.sha }}
-          tags: docker.io/wollomatic/socket-proxy:testing,docker.io/wollomatic/socket-proxy:testing-${{ github.sha }}
+          tags: | 
+            docker.io/wollomatic/socket-proxy:testing
+            docker.io/wollomatic/socket-proxy:testing-${{ github.sha }}
+            ghcr.io/wollomatic/socket-proxy:testing
+            ghcr.io/wollomatic/socket-proxy:testing-${{ github.sha }}
+
+      - name: Sign Docker Hub image
+        run: cosign sign --yes --recursive --key env://COSIGN_PRIVATE_KEY docker.io/wollomatic/socket-proxy:testing-${{ github.sha }}@${{ steps.build-and-push.outputs.digest }}
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+
+      - name: Sign GitHub Container Registry image
+        run: cosign sign --yes --recursive --key env://COSIGN_PRIVATE_KEY ghcr.io/wollomatic/socket-proxy:testing-${{ github.sha }}@${{ steps.build-and-push.outputs.digest }}
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
diff --git a/README.md b/README.md
@@ -11,7 +11,10 @@ It is designed with security in mind, so there are secure defaults and an additi
 
 The allowlist is configured for each HTTP method separately using the Go regexp syntax, allowing fine-grained control over the allowed HTTP methods.
 
-The source code is available on [GitHub: wollomatic/socket-proxy](https://github.com/wollomatic/socket-proxy).
+The source code is available on [GitHub: wollomatic/socket-proxy](https://github.com/wollomatic/socket-proxy)
+
+> [!NOTE]
+> Starting with version 1.6.0, the socket-proxy container image is also available on GHCR.  
 
 ## Getting Started
 
@@ -23,14 +26,17 @@ You should know what you are doing. Never expose socket-proxy to a public networ
 
 ### Installing
 
-The container image is available on [Docker Hub: wollomatic/socket-proxy](https://hub.docker.com/r/wollomatic/socket-proxy).
+The container image is available on [Docker Hub (wollomatic/socket-proxy)](https://hub.docker.com/r/wollomatic/socket-proxy) 
+and on the [GitHub Container Registry (ghcr.io/wollomatic/socket-proxy)](https://hub.docker.com/r/wollomatic/socket-proxy).
+
 
-To pin one specific version, use the version tag (for example, `wollomatic/socket-proxy:1.0.1`).
-To always use the most recent version, use the `1` tag (`wollomatic/socket-proxy:1`). This tag will be valid as long as there is no breaking change in the deployment.
+To pin one specific version, use the version tag (for example, `wollomatic/socket-proxy:1.6.0` or `ghcr.io/wollomatic/socket-proxy:1.6.0`).
+To always use the most recent version, use the `1` tag (`wollomatic/socket-proxy:1` or `ghcr.io/wollomatic/socket-proxy:1`). This tag will be valid as long as there is no breaking change in the deployment.
 
 There may be an additional docker image with the `testing`-tag. This image is only for testing. Likely, documentation for the `testing` image could only be found in the GitHub commit messages. It is not recommended to use the `testing` image in production.
 
 Every socket-proxy release image is signed with Cosign. The public key is available on [GitHub: wollomatic/socket-proxy/main/cosign.pub](https://raw.githubusercontent.com/wollomatic/socket-proxy/main/cosign.pub) and [https://wollomatic.de/socket-proxy/cosign.pub](https://wollomatic.de/socket-proxy/cosign.pub). For more information, please refer to the [Security Policy](https://github.com/wollomatic/socket-proxy/blob/main/SECURITY.md).
+As of version 1.6, all multi-arch images are signed.
 
 ### Allowing access
 
@@ -44,9 +50,6 @@ Socket-proxy listens per default only on `127.0.0.1`. Depending on what you need
 
 #### Using a unix socket instead of a TCP listener
 
-> [!CAUTION]
-> This is a new feature introduced in version 1.5.0. If you experience any issues, please feel free to open an GitHub issue.
-
 If you want to proxy/filter the unix socket to a new unix socket instead to a TCP listener,
 you need to set the `-proxysocketendpoint` parameter or the `SP_PROXYSOCKETENDPOINT` env variable to the socket path of the new unix socket.
 This will also disable the TCP listener.
@@ -202,6 +205,8 @@ socket-proxy can be configured via command line parameters or via environment va
 
 1.5 - allow unix socket as proxied/filtered endpoint
 
+1.6 - Cosign: sign a multi-arch container image AND all referenced, discrete images. Image is also available on GHCR.
+
 ## License
 
 This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
diff --git a/cmd/socket-proxy/checksocketconnection.go b/cmd/socket-proxy/checksocketconnection.go
@@ -25,7 +25,7 @@ func checkSocketAvailability(socketPath string) error {
 }
 
 // startSocketWatchdog starts a watchdog that checks the socket availability every n seconds.
-func startSocketWatchdog(socketPath string, interval uint, stopOnWatchdog bool, exitChan chan int) {
+func startSocketWatchdog(socketPath string, interval int64, stopOnWatchdog bool, exitChan chan int) {
 	ticker := time.NewTicker(time.Duration(interval) * time.Second)
 	defer ticker.Stop()
 
diff --git a/cmd/socket-proxy/main.go b/cmd/socket-proxy/main.go
@@ -141,7 +141,7 @@ func main() {
 
 	// start the watchdog if configured
 	if cfg.WatchdogInterval > 0 {
-		go startSocketWatchdog(cfg.SocketPath, cfg.WatchdogInterval, cfg.StopOnWatchdog, internalQuit)
+		go startSocketWatchdog(cfg.SocketPath, int64(cfg.WatchdogInterval), cfg.StopOnWatchdog, internalQuit) // #nosec G115 - we validated the integer size in config.go
 		slog.Debug("watchdog running")
 	}
 
@@ -161,7 +161,7 @@ func main() {
 		exitCode = value
 	}
 	// Try to shut down gracefully
-	ctx, cancel := context.WithTimeout(context.Background(), time.Duration(cfg.ShutdownGraceTime)*time.Second)
+	ctx, cancel := context.WithTimeout(context.Background(), time.Duration(int64(cfg.ShutdownGraceTime))*time.Second) // #nosec G115 - we validated the integer size in config.go
 	defer cancel()
 	if err := srv.Shutdown(ctx); err != nil {
 		slog.Warn("timeout stopping server", "error", err)
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -5,6 +5,7 @@ import (
 	"flag"
 	"fmt"
 	"log/slog"
+	"math"
 	"net"
 	"net/http"
 	"os"
@@ -139,9 +140,15 @@ func InitConfig() (*Config, error) {
 	flag.StringVar(&logLevel, "loglevel", defaultLogLevel, "set log level: DEBUG, INFO, WARN, ERROR")
 	flag.UintVar(&proxyPort, "proxyport", defaultProxyPort, "tcp port to listen on")
 	flag.UintVar(&cfg.ShutdownGraceTime, "shutdowngracetime", defaultShutdownGraceTime, "maximum time in seconds to wait for the server to shut down gracefully")
+	if cfg.ShutdownGraceTime > math.MaxInt64 {
+		return nil, fmt.Errorf("shutdowngracetime has to be smaller than %i", math.MaxInt64) // this maximum value has no practical significance
+	}
 	flag.StringVar(&cfg.SocketPath, "socketpath", defaultSocketPath, "unix socket path to connect to")
 	flag.BoolVar(&cfg.StopOnWatchdog, "stoponwatchdog", defaultStopOnWatchdog, "stop the program when the socket gets unavailable (otherwise log only)")
 	flag.UintVar(&cfg.WatchdogInterval, "watchdoginterval", defaultWatchdogInterval, "watchdog interval in seconds (0 to disable)")
+	if cfg.WatchdogInterval > math.MaxInt64 {
+		return nil, fmt.Errorf("watchdoginterval has to be smaller than %i", math.MaxInt64) // this maximum value has no practical significance
+	}
 	flag.StringVar(&cfg.ProxySocketEndpoint, "proxysocketendpoint", defaultProxySocketEndpoint, "unix socket endpoint (if set, used instead of the TCP listener)")
 	flag.UintVar(&endpointFileMode, "proxysocketendpointfilemode", defaultProxySocketEndpointFileMode, "set the file mode of the unix socket endpoint")
 	for i := range mr {
@@ -172,7 +179,10 @@ func InitConfig() (*Config, error) {
 		return nil, errors.New("invalid log level " + logLevel + ": Supported levels are DEBUG, INFO, WARN, ERROR")
 	}
 
-	cfg.ProxySocketEndpointFileMode = os.FileMode(endpointFileMode)
+	if endpointFileMode > 0o777 {
+		return nil, errors.New("file mode has to be between 0 and 0o777")
+	}
+	cfg.ProxySocketEndpointFileMode = os.FileMode(uint32(endpointFileMode))
 
 	// compile regexes for allowed requests
 	cfg.AllowedRequests = make(map[string]*regexp.Regexp)

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ func checkSocketAvailability(socketPath string) error {`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`// startSocketWatchdog starts a watchdog that checks the socket availability every n seconds.`
`28`		`-func startSocketWatchdog(socketPath string, interval uint, stopOnWatchdog bool, exitChan chan int) {`
	`28`	`+func startSocketWatchdog(socketPath string, interval int64, stopOnWatchdog bool, exitChan chan int) {`
`29`	`29`	`ticker := time.NewTicker(time.Duration(interval) * time.Second)`
`30`	`30`	`defer ticker.Stop()`
`31`	`31`