Buildkite
Cimon Attest
In Buildkite, Cimon Attest is performed with the Cimon CLI: the CLI is installed first and then run on the previously created artifact with the desired parameters. There are several ways to do this in Buildkite:
- Calling internal bash scripts that perform the entire process.
- Using Buildkite hooks to pre-install Cimon before the command executes.
- Using the dedicated Cimon plugin, which installs the CLI and helps invoke the attestation.
- The approach shown below, which simply fetches Cimon into the local bin directory and runs it on the provided artifact.
Unsigned

```yaml
steps:
  # Create build artifacts.
  - command:
      - echo artifact > artifact.txt
    artifact_paths:
      - artifact.txt
    label: "Generate artifacts"
  # Downloads artifact
  # Installs Cimon
  # Generates attestation
  - command:
      - buildkite-agent artifact download artifact.txt .
      - curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh
      - ./bin/cimon attest generate-and-sign --client-id $(buildkite-agent secret get CIMON_CLIENT_ID) --secret $(buildkite-agent secret get CIMON_SECRET) --subjects artifact.txt --report-job-summary
    artifact_paths:
      - provenance.intoto.jsonl
    label: "Generate attestation"
```
Explanation:

```yaml
# Create build artifacts.
- command:
    - echo artifact > artifact.txt
  artifact_paths:
    - artifact.txt
  label: "Generate artifacts"
```

Creating the build artifacts. This step is build-specific; a stub artifact is used here to demonstrate the process.

```yaml
- command:
    - buildkite-agent artifact download artifact.txt .
```

Downloading the previously created artifacts. This step is build-specific.

```yaml
    - curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh
```

Installing the Cimon CLI. More information on installation options can be found on the CLI integration page.

```yaml
    - ./bin/cimon attest generate-and-sign --client-id $(buildkite-agent secret get CIMON_CLIENT_ID) --secret $(buildkite-agent secret get CIMON_SECRET) --subjects artifact.txt --report-job-summary
```

Generating the attestation for the artifacts listed in --subjects, authenticating to Cimon with the client ID and secret read from Buildkite secrets. Additional options can be configured through the CLI parameters.

```yaml
  artifact_paths:
    - provenance.intoto.jsonl
```

Automatically uploads the generated provenance under its default file name. The provenance file name can be configured through the CLI parameters.
Signed with Key Pair

```yaml
steps:
  # Create build artifacts.
  - command:
      - echo artifact > artifact.txt
    artifact_paths:
      - artifact.txt
    label: "Generate artifacts"
  # Downloads artifact
  # Installs Cimon
  # Generates attestation
  - command:
      - buildkite-agent artifact download artifact.txt .
      - openssl genrsa -out private-key.pem 3072
      - curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh
      - ./bin/cimon attest generate-and-sign --client-id $(buildkite-agent secret get CIMON_CLIENT_ID) --secret $(buildkite-agent secret get CIMON_SECRET) -k private-key.pem --subjects artifact.txt --report-job-summary
    artifact_paths:
      - provenance.intoto.jsonl
      - provenance.intoto.jsonl.sig
    label: "Generate attestation"
```
Explanation:

```yaml
# Create build artifacts.
- command:
    - echo artifact > artifact.txt
  artifact_paths:
    - artifact.txt
  label: "Generate artifacts"
```

Creating the build artifacts. This step is build-specific; a stub artifact is used here to demonstrate the process.

```yaml
- command:
    - buildkite-agent artifact download artifact.txt .
```

Downloading the previously created artifacts. This step is build-specific.

```yaml
    - curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh
```

Installing the Cimon CLI. More information on installation options can be found on the CLI integration page.

```yaml
    - openssl genrsa -out private-key.pem 3072
```

Creating a signing key. This step is build-specific; a throwaway key generated inside the job is used here to demonstrate the process.

```yaml
    - ./bin/cimon attest generate-and-sign --client-id $(buildkite-agent secret get CIMON_CLIENT_ID) --secret $(buildkite-agent secret get CIMON_SECRET) -k private-key.pem --subjects artifact.txt --report-job-summary
```

Generating the attestation for the artifacts listed in --subjects and signing it with the private key passed via -k, authenticating to Cimon with the client ID and secret read from Buildkite secrets. Additional options can be configured through the CLI parameters.

```yaml
  artifact_paths:
    - provenance.intoto.jsonl
    - provenance.intoto.jsonl.sig
```

Automatically uploads the generated provenance and its signature under their default file names. The provenance file name can be configured through the CLI parameters.
Keyless Signing

```yaml
steps:
  # Create build artifacts.
  - command:
      - echo artifact > artifact.txt
    artifact_paths:
      - artifact.txt
    label: "Generate artifacts"
  # Downloads artifact
  # Installs Cimon
  # Generates attestation
  - command:
      - buildkite-agent artifact download artifact.txt .
      - curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh
      - ./bin/cimon attest generate-and-sign --client-id $(buildkite-agent secret get CIMON_CLIENT_ID) --secret $(buildkite-agent secret get CIMON_SECRET) --keyless --yes --subjects artifact.txt --report-job-summary
    artifact_paths:
      - provenance.intoto.jsonl
      - provenance.intoto.jsonl.sig
    label: "Generate attestation"
```
Explanation:

```yaml
# Create build artifacts.
- command:
    - echo artifact > artifact.txt
  artifact_paths:
    - artifact.txt
  label: "Generate artifacts"
```

Creating the build artifacts. This step is build-specific; a stub artifact is used here to demonstrate the process.

```yaml
- command:
    - buildkite-agent artifact download artifact.txt .
```

Downloading the previously created artifacts. This step is build-specific.

```yaml
    - curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh
```

Installing the Cimon CLI. More information on installation options can be found on the CLI integration page.

```yaml
    - ./bin/cimon attest generate-and-sign --client-id $(buildkite-agent secret get CIMON_CLIENT_ID) --secret $(buildkite-agent secret get CIMON_SECRET) --keyless --yes --subjects artifact.txt --report-job-summary
```

Generating the attestation for the artifacts listed in --subjects and signing it keylessly (--keyless --yes), authenticating to Cimon with the client ID and secret read from Buildkite secrets. Additional options can be configured through the CLI parameters.

```yaml
  artifact_paths:
    - provenance.intoto.jsonl
    - provenance.intoto.jsonl.sig
```

Automatically uploads the generated provenance and its signature under their default file names. The provenance file name can be configured through the CLI parameters.
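Whichever of the three variants a pipeline uses, the consumer of the uploaded provenance still has to check that the statement actually describes the artifact in hand before trusting anything it says. The following script is an added example (not Cimon's or Buildkite's code): it reads a provenance.intoto.jsonl file, unwraps the in-toto Statement from its DSSE envelope, and compares each subject's sha256 digest against the file on disk. It assumes the file holds a DSSE envelope with the in-toto payload type (a bare Statement is accepted too); the sample envelope it writes is constructed for the example, its predicate type and placeholder signature are assumptions, and verifying the signature against the signer's key is a separate step not performed here.

```python
"""Check that an in-toto provenance file binds to the artifact it names.

Added example; not part of Cimon or Buildkite. Assumes provenance.intoto.jsonl
is a DSSE envelope carrying an in-toto Statement. Signature verification is
out of scope and must be done separately against the signer's public key.
"""
import base64
import hashlib
import json
import tempfile
from pathlib import Path

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def sha256_file(path):
    """Hex sha256 of a file, streamed so large artifacts are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def pae(payload_type, payload):
    """DSSE pre-authentication encoding: the exact bytes a DSSE signer signs."""
    return b"DSSEv1 %d %s %d %s" % (
        len(payload_type), payload_type.encode(), len(payload), payload)


def load_statement(provenance_path):
    """Return (statement, pae_bytes) from the first non-empty line of a .jsonl.

    A DSSE envelope is recognised by 'payloadType' and 'payload'; anything
    else is treated as a bare Statement and pae_bytes is None.
    """
    with open(provenance_path, "r", encoding="utf-8") as f:
        line = next(l for l in f if l.strip())
    doc = json.loads(line)
    if "payloadType" in doc and "payload" in doc:
        if doc["payloadType"] != IN_TOTO_PAYLOAD_TYPE:
            raise ValueError(f"unexpected payloadType {doc['payloadType']!r}")
        payload = base64.b64decode(doc["payload"])
        return json.loads(payload), pae(doc["payloadType"], payload)
    return doc, None


def verify_subjects(provenance_path, artifact_dir="."):
    """Map each subject name to True iff a file of that name exists under
    artifact_dir and its sha256 equals the digest recorded in the Statement."""
    statement, _ = load_statement(provenance_path)
    if not statement.get("_type", "").startswith("https://in-toto.io/Statement/"):
        raise ValueError("not an in-toto Statement")
    results = {}
    for subject in statement.get("subject", []):
        name = subject["name"]
        expected = subject.get("digest", {}).get("sha256")
        path = Path(artifact_dir) / name
        results[name] = (bool(expected) and path.is_file()
                         and sha256_file(path) == expected.lower())
    return results


def write_sample(tmp_dir):
    """Write a constructed artifact and a matching DSSE-wrapped Statement.

    Constructed for this example, not Cimon output; the predicate type is an
    assumption and the signature value is a placeholder.
    """
    tmp = Path(tmp_dir)
    artifact = tmp / "artifact.txt"
    artifact.write_bytes(b"artifact\n")  # what `echo artifact > artifact.txt` yields
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "artifact.txt",
                     "digest": {"sha256": sha256_file(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v1",  # assumed
        "predicate": {},
    }
    payload = json.dumps(statement).encode()
    envelope = {
        "payloadType": IN_TOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}],
    }
    prov = tmp / "provenance.intoto.jsonl"
    prov.write_text(json.dumps(envelope) + "\n")
    return prov


def demo():
    """Run the check on the constructed sample, then after tampering with it."""
    with tempfile.TemporaryDirectory() as d:
        prov = write_sample(d)
        before = verify_subjects(prov, d)
        Path(d, "artifact.txt").write_bytes(b"tampered\n")
        after = verify_subjects(prov, d)
    return before, after


if __name__ == "__main__":
    print(demo())  # ({'artifact.txt': True}, {'artifact.txt': False})
```

The digest check is what ties the provenance to a concrete file; a valid signature over a Statement whose subject does not match the deployed artifact proves nothing about that artifact. The pae() helper is included because it is the byte string a DSSE verifier passes to the signature check, which for the signed variants above means checking provenance.intoto.jsonl.sig against the public half of the key used with -k. A key generated inside the job, as the key-pair example does for demonstration, only helps a verifier if that public half is published alongside the provenance.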
Usage
The parameters that can be supplied to Cimon are described on the CLI integration page.
Annotation Support
Buildkite offers an efficient way to display build results within the pipeline through build annotations. The Cimon CLI uses the annotation API to upload the in-toto provenance and the signed envelope as an annotation when the --report-job-summary flag is passed to the CLI.
Keyless OIDC Support
The Cimon CLI integrates with the Buildkite OIDC API to retrieve signed JWT tokens from Buildkite's identity provider, enabling keyless signing. These identity tokens are also supported by Fulcio (support was introduced in this PR), which allows keyless attestations to be created.