fix: added image signing and updated Postgres DOC-964 (#4)

* fix: added image signing and updated Postgres

* Update docs/image-verification.md

Co-authored-by: caroldelwing <[email protected]>

---------

Co-authored-by: caroldelwing <[email protected]>

.copywrite.hcl

@@ -0,0 +1,15 @@
+schema_version = 1
+
+project {
+  copyright_holder = "Spectro Cloud"
+  license        = "MPL-2.0"
+  copyright_year = 2024
+
+  # (OPTIONAL) A list of globs that should not have copyright/license headers.
+  # Supports doublestar glob patterns for more flexibility in defining which
+  # files or folders should be ignored
+  header_ignore = [
+    # "vendors/**",
+    # "**autogen**",
+  ]
+}

.dockerignore

@@ -2,4 +2,7 @@ static/
 build/
 README.md
 LICENSE
-.gitignore
+.gitignore
+\*.hcl
+docs/
+cosign.key

.github/workflows/release.yaml

@@ -2,7 +2,7 @@ name: Release to Production
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
 
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -16,10 +16,10 @@ jobs:
     steps:
       - id: checkout
         name: Checkout Repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup Nodejs
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: 18
 
@@ -43,27 +43,43 @@ jobs:
         if: ${{ steps.version.outputs.VERSION != ''}}
         uses: docker/setup-buildx-action@v2
 
-
       - name: Login to GHCR
         if: ${{ steps.version.outputs.VERSION != ''}}
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and Push Docker Image
         if: ${{ steps.version.outputs.VERSION != ''}}
+        id: build-and-push
         uses: docker/build-push-action@v2
         with:
           context: .
           build-args: VERSION=${{steps.version.outputs.VERSION}}
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ghcr.io/${{ github.repository }}:${{steps.version.outputs.VERSION}}
-
+
+      - uses: sigstore/[email protected]
+
+      - name: Image Signing
+        run: |
+          cosign sign --yes \
+          -a "repo=${{ github.repository }}" \
+          -a "workflow=${{ github.workflow }}" \
+          -a "ref=${{ github.sha }}" \
+          -a "owner=Spectro Cloud" \
+          --key env://COSIGN_PRIVATE_KEY --recursive "${TAGS}@${DIGEST}"
+        env:
+          TAGS: ghcr.io/${{ github.repository }}:${{steps.dependencies.outputs.VERSION}}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+
       - name: "release"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-              npx semantic-release
+          npx semantic-release

.gitignore

@@ -14,4 +14,5 @@
 # Dependency directories (remove the comment below to include it)
 # vendor/
 .DS_STORE
-node_modules/
+node_modules/
+cosign.key

.releaserc.yaml

@@ -1,19 +1,19 @@
+# Copyright (c) Spectro Cloud
+# SPDX-License-Identifier: MPL-2.0
+
 branches: [main]
 repositoryUrl: https://github.com/spectrocloud/hello-universe-db
 plugins:
-- "@semantic-release/commit-analyzer"
-- "@semantic-release/release-notes-generator"
-- "@semantic-release/changelog"
-- - "@semantic-release/exec"
-  - analyzeCommitsCmd: echo 'NEW_VERSION=false' > VERSION.env
-    verifyReleaseCmd: |-
-      echo 'export VERSION=${nextRelease.version}
-      NEW_VERSION=true' > VERSION.env
-- - "@semantic-release/github"
-  - assets:
-    - "*.zip"
-- - "@semantic-release/git"
-  - assets:
-    - CHANGELOG.md
-- - "@semantic-release/npm"
-  - npmPublish: false
+  - "@semantic-release/commit-analyzer"
+  - "@semantic-release/release-notes-generator"
+  - "@semantic-release/changelog"
+  - - "@semantic-release/exec"
+    - analyzeCommitsCmd: echo 'NEW_VERSION=false' > VERSION.env
+      verifyReleaseCmd: |-
+        echo 'export VERSION=${nextRelease.version}
+        NEW_VERSION=true' > VERSION.env
+  - - "@semantic-release/github"
+    - assets:
+        - "*.zip"
+  - - "@semantic-release/git"
+    - npmPublish: false

CODEOWNERS

@@ -0,0 +1,2 @@
+# Catch All Rule
+* @spectrocloud/education-engineers

Dockerfile

@@ -1,4 +1,7 @@
-FROM postgres:15.2-alpine
+# Copyright (c) Spectro Cloud
+# SPDX-License-Identifier: MPL-2.0
+
+FROM postgres:16.1-alpine
 ENV POSTGRES_PASSWORD password
 ENV POSTGRES_USER postgres
 ENV POSTGRES_PORT 5432

Makefile

@@ -0,0 +1,18 @@
+.PHONY: license
+
+
+
+build: ## Create a local Docker image
+	@echo "Building Docker image..."
+	docker build -t hello-universe-db .
+
+
+start: build ## Start the Docker container
+	@echo "Starting Docker container..."
+	docker run -d -p 3306:3306 --name hello-universe-db hello-universe-db
+
+license: ## Adds a license header to all files. Reference https://github.com/hashicorp/copywrite to learn more.
+	@echo "Applying license headers..."
+	 copywrite headers
+
+

README.md

@@ -1,34 +1,39 @@
 [![semantic-release: angular](https://img.shields.io/badge/semantic--release-angular-e10079?logo=semantic-release)](https://github.com/semantic-release/semantic-release)
+
 # Hello Universe DB
+
 A Spectro Cloud demo application. This is the database that supports the Hello Universe app.
 
 <p align="center">
 <img src="./static/img/spectronaut.png" alt="drawing" width="400"/>
 </p>
 
-
 # Overview
 
 The [Hello Universe](https://github.com/spectrocloud/hello-universe) app includes an [API server](https://github.com/spectrocloud/hello-universe-api) that relies on a Postgres database for storing the number of clicks and other metadata about the clicks such as the browser, os, and timestamp. For your convenience, a Postgres container is available for use.
 
-
 ## Usage
 
 To get use the container you can issue the following command to download the container.
 
 ```
-docker pull ghcr.io/spectrocloud/hello-universe-db:1.0.0 && \
-docker run -p 5432:5432 ghcr.io/spectrocloud/hello-universe-db:1.0.0
+docker pull ghcr.io/spectrocloud/hello-universe-db:1.0.2 && \
+docker run -p 5432:5432 ghcr.io/spectrocloud/hello-universe-db:1.0.2
 ```
+
 The command you issued downloaded the container and exposed port `5432`. The default user name is `postgres` and the password is `password`.
 
 ### Database Schema
 
 The database uses the following schema for the `counter` table.
 
-| Field   | Description                                  | Type      |
-|---------|----------------------------------------------|-----------|
-| id      | The primary key.                             | Number    |
-| date    | The timestamp of the click.                  | Timestamp |
-| browser | The web browser used to click by the client. | Varchar   |
-| os      | The operating system used by the client.     | Varchar   |
+| Field     | Description                                  | Type      |
+| --------- | -------------------------------------------- | --------- |
+| `id`      | The primary key.                             | Number    |
+| `date`    | The timestamp of the click.                  | Timestamp |
+| `browser` | The web browser used to click by the client. | Varchar   |
+| `os`      | The operating system used by the client.     | Varchar   |
+
+## Image Verification
+
+We sign our images through [Cosign](https://docs.sigstore.dev/signing/quickstart/). Review the [Image Verification](./docs/image-verification.md) page to learn more.

commitlint.config.js

@@ -1,3 +1,8 @@
+/**
+ * Copyright (c) Spectro Cloud
+ * SPDX-License-Identifier: MPL-2.0
+ */
+
 module.exports = {
     extends: [
         '@commitlint/config-conventional'

docs/image-verification.md

@@ -0,0 +1,81 @@
+# Image Verification
+
+The Hello Universe DB container image is signed using [Sigstore's](https://sigstore.dev/) Cosign. The container image is signed using a cryptographic key pair that is private and stored internally. The public key is available in the official Spectro Cloud documentation repository at [**static/cosign.pub**](https://raw.githubusercontent.com/spectrocloud/librarium/master/static/cosign.pub). Use the public key to verify the authenticity of the container image. You can learn more about the container image signing process by reviewing the [Signing Containers](https://docs.sigstore.dev/signing/signing_with_containers) documentation page.
+
+> [!NOTE]
+> Cosign generates a key pair that uses the ECDSA-P256 algorithm for the signature and SHA256 for hashes. The keys are stored in PEM-encoded PKCS8 format.
+
+Use the following command to verify the authenticity of the container image. Replace the image tag with the version you want to verify.
+
+```shell
+cosign verify --key https://raw.githubusercontent.com/spectrocloud/librarium/master/static/cosign.pub \
+ghcr.io/spectrocloud/hello-universe-db:1.0.2
+```
+
+If the container image is valid, the following output is displayed. The example output is formatted using `jq` to improve readability.
+
+```shell hideClipboard
+Verification for ghcr.io/spectrocloud/hello-universe-db:1.0.2 --
+The following checks were performed on each of these signatures:
+  - The cosign claims were validated
+  - Existence of the claims in the transparency log was verified offline
+  - The signatures were verified against the specified public key
+[
+  {
+    "critical": {
+      "identity": {
+        "docker-reference": "ghcr.io/spectrocloud/hello-universe-db:1.0.2"
+      },
+      "image": {
+        "docker-manifest-digest": "sha256:285a95a8594883b3748138460182142f5a1b74f80761e2fecb1b86d3c9b9d191"
+      },
+      "type": "cosign container image signature"
+    },
+    "optional": {
+      "Bundle": {
+        "SignedEntryTimestamp": "MEYCIQCZ6FZzNB5wA9+W/lF57jx0qTaszZhg5FxJiBmgIFxPVwIhANnoQQ5gqjr1h93LCq1Td8BohqrxxIvfrXTnT1tYR4i7",
+        "Payload": {
+          "body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI0MzU0MzFjNjY1Y2Y2ZGZjYzM0NzI2YWRkNjAzMDVjYjZlMzhlNjVkZmJlMWQ0NWU2ZGVkM2IzNzg3NTYwY2MxIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUM0TFFxYVFDclhOc0VzdkI0ZE84bmtZSWg0L3o5UzdScGVEdUZnUDJwbDJ3SWdOdEJsNElDaHBmT3RnVDBlNW5QTmRMYWt4RTJHcnFFK0tjV1JXSGZPTnpnPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGV1VoeVl6SlhTVVV6WVhCTFRHMWplR3hHUmtoNVZsRkRVVnBYYUFveUsyRnNOVmN2Vmsxc1VISXpkVFJGV2k5V0wwZFBRbTAySzFrNVowWXpWWE16ZEhkMVpWaFpaMlJaWlVadk5XODNRbFZ1TnpCTlVGQjNQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=",
+          "integratedTime": 1702758491,
+          "logIndex": 57230483,
+          "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
+        }
+      },
+      "owner": "Spectro Cloud",
+      "ref": "e597f70be238369ce4f0e5778492a155e23fec17",
+      "repo": "spectrocloud/hello-universe-db",
+      "workflow": "Release"
+    }
+  }
+]
+```
+
+> [!CAUTION]
+> Do not use the container image if the authenticity cannot be verified. Verify you downloaded the correct public key and that the container image is from `ghcr.io/spectrocloud/hello-universe-db`.
+
+If the container image is not valid, an error is displayed. The following example shows an error when the container image is not valid.
+
+```shell hideClipboard
+cosign verify --key https://raw.githubusercontent.com/spectrocloud/librarium/master/static/cosign.pub \
+ghcr.io/spectrocloud/hello-universe-db:1.0.2
+```
+
+```shell hideClipboard
+Error: no matching signatures: error verifying bundle: comparing public key PEMs, expected -----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEheVfGYrVn2mIUQ4cxMJ6x09oXf82
+zFEMG++p4q8Mf+y2gp7Ae4oUaXk6Q9V7aVjjltRVN6SQcoSASxf2H2EpgA==
+-----END PUBLIC KEY-----
+, got -----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYHrc2WIE3apKLmcxlFFHyVQCQZWh
+2+al5W/VMlPr3u4EZ/V/GOBm6+Y9gF3Us3twueXYgdYeFo5o7BUn70MPPw==
+-----END PUBLIC KEY-----
+
+main.go:69: error during command execution: no matching signatures: error verifying bundle: comparing public key PEMs, expected -----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEheVfGYrVn2mIUQ4cxMJ6x09oXf82
+zFEMG++p4q8Mf+y2gp7Ae4oUaXk6Q9V7aVjjltRVN6SQcoSASxf2H2EpgA==
+-----END PUBLIC KEY-----
+, got -----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYHrc2WIE3apKLmcxlFFHyVQCQZWh
+2+al5W/VMlPr3u4EZ/V/GOBm6+Y9gF3Us3twueXYgdYeFo5o7BUn70MPPw==
+-----END PUBLIC KEY-----
+```

init.sql

@@ -1,3 +1,6 @@
+-- Copyright (c) Spectro Cloud
+-- SPDX-License-Identifier: MPL-2.0
+
 CREATE TABLE "counter" (
     "id" SERIAL PRIMARY KEY,
     "date" timestamp NOT NULL,