atharvac / CASPR


CASPR

CASPR is a Code Trust Auditing framework. It gives an organisation the tools needed to verify, validate and attribute changes made to its code repositories, and to make those checks part of the build process. It has two parts: SPAR, a verification server that holds the trusted signing keys, and CASS, CI scripts that check the signature on each pushed commit against the keys registered in SPAR.

Requirements - SPAR

  1. Python >= 3.6
  2. PIP
  3. Pipenv
  4. Postman (Optional)

Installation - SPAR

Set up the SPAR verification server first so that you can upload your trusted keys. Clone the repository and open the SPAR directory in your terminal / CMD.

Create a .env file in the directory (see .env.example). The values below are for local development only: SECRET_KEY signs Flask sessions, so use a long random value in any deployment, use real database credentials rather than postgres:test, and keep the .env file out of version control.

Example

APP_CONFIG=spar.config.DevelopmentConfig
FLASK_ENV=development
DB_URL=postgresql+psycopg2://postgres:test@localhost/spar
SECRET_KEY=super-secret

Use Pipenv to install the dependencies:

pipenv install

If the Pipfile.lock gives you trouble, fall back to the pinned requirements file:

pipenv install -r requirements.txt

After the dependencies are installed and the virtual environment has been created, activate the environment with:

pipenv shell

Once the environment is activated, run the following command to setup your database:

flask db upgrade

Run the following to start the server:

flask run -h 0.0.0.0 -p 5000

The server will start listening at http://localhost:5000/. Note that this is Flask's development server: -h 0.0.0.0 binds it on every interface so that CI runners on other hosts can reach it, but it is not meant to face the internet. For anything beyond local testing put it behind a production WSGI server and TLS.

On first run, the server will ask you to setup an admin account. Please go through the process as indicated on screen.

Usage

  1. Download the Postman collection: SPAR_collection
  2. Import the Postman collection.
  3. Log in to the SPAR server.
  4. Click on "Create Access Token".
  5. Enter a name and create a new Access Token.
  6. Copy the access token shown in green at the top. Treat it like a password: whoever holds it can register signing keys.
  7. Edit the SPAR collection in Postman, go to Variables and set access_token to the value you copied.
  8. Set server_url to your server's base URL.
  9. Generate a GPG keypair:
gpg --full-generate-key
  10. Export the generated public key:
gpg --export -a "demo@example.com" > public.key
  11. Copy your fingerprint from the output of:
gpg --list-keys

Output:
pub   rsa3072 2022-07-14 [SC]
      3C37CC8474AE4160751C663AE1304A151744A119
uid           [ultimate] Demo <demo@example.com>
sub   rsa3072 2022-07-14 [E]

Here 3C37CC8474AE4160751C663AE1304A151744A119 is the fingerprint: all 40 hex digits, not the shorter key ID.

  12. In the same directory, download this Python file: replace_newlines.py
  13. Run it with the following command (it rewrites the line breaks in public.key so the key can be pasted into a JSON string):
python replace_newlines.py
  14. Open the "Upload Signing Public Key" Postman request.
  15. In the JSON body, paste the fingerprint from step 11 and the public key output from step 13.
  16. Click Send. Your public key is now registered.
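The two preparation steps above, reading the fingerprint out of gpg --list-keys and flattening the armored key for the JSON body, as one Python script. This is an added example, not CASPR's own replace_newlines.py. The request field names "fingerprint" and "public_key" are assumptions; check them against the Postman request before using the output.

```python
"""Build the JSON body for SPAR's "Upload Signing Public Key" request.

Added example, not part of CASPR.  It re-implements the two preparation
steps in one place: pull the fingerprint out of `gpg --list-keys` output
and turn the ASCII-armored key into a single JSON string.

Assumption (not confirmed by the README): the body uses the field names
"fingerprint" and "public_key".  Rename them if the Postman request differs.
"""
import json
import re
import subprocess
from typing import Optional

# The fingerprint line gpg prints: 40 upper-case hex digits on a line of its own.
FPR_RE = re.compile(r"^\s*([0-9A-F]{40})\s*$", re.MULTILINE)


def extract_fingerprint(listing: str, email: Optional[str] = None) -> str:
    """Return the fingerprint of the key whose uid mentions `email`.

    gpg prints one block per key (pub line, fingerprint line, uid lines,
    sub lines), blocks separated by a blank line.  With email=None the
    first key is used, which is what the README's single-key example does.
    """
    for block in listing.strip().split("\n\n"):
        if email is not None and email not in block:
            continue
        m = FPR_RE.search(block)
        if m:
            return m.group(1)
    raise ValueError("no fingerprint found for %r" % (email,))


def read_armored_key(path: str) -> str:
    """Read public.key and refuse anything that is not an armored public key."""
    with open(path, encoding="utf-8") as fh:
        key = fh.read()
    if "-----BEGIN PGP PUBLIC KEY BLOCK-----" not in key:
        raise ValueError("%s is not an ASCII-armored public key" % path)
    return key


def build_upload_body(fingerprint: str, armored_key: str) -> str:
    """Serialise the request body; json.dumps escapes every newline as \\n."""
    if not re.fullmatch(r"[0-9A-F]{40}", fingerprint):
        raise ValueError("fingerprint must be 40 upper-case hex digits")
    return json.dumps({"fingerprint": fingerprint, "public_key": armored_key.strip()})


def gpg_list_keys() -> str:
    """Run the real `gpg --list-keys`; the offline demo below uses a sample instead."""
    return subprocess.run(["gpg", "--list-keys"], check=True,
                          capture_output=True, text=True).stdout


# Constructed sample: the README's listing plus a second key, so that the
# email filter actually matters.
SAMPLE_LISTING = """\
/home/demo/.gnupg/pubring.kbx
-----------------------------
pub   rsa3072 2022-07-14 [SC]
      3C37CC8474AE4160751C663AE1304A151744A119
uid           [ultimate] Demo <demo@example.com>
sub   rsa3072 2022-07-14 [E]

pub   ed25519 2022-07-15 [SC]
      0123456789ABCDEF0123456789ABCDEF01234567
uid           [ultimate] Other <other@example.com>
sub   cv25519 2022-07-15 [E]
"""

if __name__ == "__main__":
    # Real use: fpr = extract_fingerprint(gpg_list_keys(), "demo@example.com")
    #           body = build_upload_body(fpr, read_armored_key("public.key"))
    fpr = extract_fingerprint(SAMPLE_LISTING, "demo@example.com")
    print(build_upload_body(fpr, "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
                                 "...\n-----END PGP PUBLIC KEY BLOCK-----"))
```

Filtering by email matters as soon as the machine holds more than one key: pasting the fingerprint of the wrong key into SPAR means the CI check will reject every commit you sign.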

Now, we will set the Server URL and the access token in the remote repository.

GitHub

  1. Go to the repository you want to add the CASS scripts to.
  2. Go to Settings -> Secrets -> Actions -> New repository secret.
  3. Set the name to SERVER_API_URL and the value to <server_url>/api/get-signing-key
  4. Create another repository secret with the name ACCESS_TOKEN and, as its value, the access token you copied from SPAR.

GitLab

  1. Go to the repository you want to add the CASS scripts to.
  2. Go to Settings -> CI/CD -> Variables -> Expand -> Add variable.
  3. Set the key to SERVER_API_URL and the value to <server_url>/api/get-signing-key
  4. Create another variable with the key ACCESS_TOKEN and, as its value, the access token you copied from SPAR. Tick "Mask variable" so the token is not echoed in job logs.

BitBucket

  1. Go to the repository you want to add the CASS scripts to.
  2. Go to Repository settings -> Pipelines -> Repository variables.
  3. Set the name to SERVER_API_URL and the value to <server_url>/api/get-signing-key
  4. Create another repository variable with the name ACCESS_TOKEN and, as its value, the access token you copied from SPAR. Tick "Secured" so the value is hidden from logs.

Now your repository is ready to use the SPAR server. Please refer to the installation of CASS scripts.

Installation (CASS)

Follow the documentation for whichever remote repository you are using.

GitHub

  1. Go to the CASS/github directory
  2. Run yarn install
  3. Run yarn build
  4. Copy the .github directory into your repository.
  5. Copy the files action.yml, package.json and dist/index.js into your repository.
  6. Edit action.yml and, under "runs", set main to the path of index.js relative to your repository root.
  7. If you already have GitHub Actions configured, add the CASS step to your existing workflow file instead of replacing it.

GitLab

  1. Copy the .gitlab-ci.yml, index.js and package.json files into your repository.
  2. Make sure a runner is registered for the tag local, or change the tag name in .gitlab-ci.yml.
  3. If you put package.json and index.js in a folder, edit the script section of .gitlab-ci.yml to match:
  script:
    - npm install
    - git show --pretty=raw -s $CI_COMMIT_SHA | node folder/index.js

BitBucket

  1. Copy the bitbucket-pipelines.yml, index.js and package.json files into your repository.
  2. If you put package.json and index.js in a folder, edit the script section of bitbucket-pipelines.yml to match (the first git show only echoes the commit into the pipeline log; the second one feeds it to the verifier):
   script:
     - npm install
     - git show --pretty=raw -s $BITBUCKET_COMMIT
     - git show --pretty=raw -s $BITBUCKET_COMMIT | node folder/index.js

In the GitLab and Bitbucket scripts above only the single commit the pipeline was triggered for is piped to index.js. Since the verifier's own dependencies are installed with npm install on every run, commit a package-lock.json and prefer npm ci so that what runs in CI is pinned.
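What index.js receives on stdin from those scripts, and how a commit signature is checked against a registered key, as an added example. This is not CASS's code (the real verifier is index.js, in JavaScript); it is a Python re-implementation of the parsing step plus a gpg-based verification that is an assumption about how one would check the signature, not CASS's own method. Fetching the key from SERVER_API_URL is left out: the armored key text is passed in.

```python
"""Parse what CASS gets on stdin and rebuild the bytes the signature covers.

Added example, not CASPR's code.  Git signs the commit object with the
gpgsig header removed, so a verifier needs three things: that payload,
the armored signature carried in gpgsig, and the key registered in SPAR.
The gpg calls below are one way to do the check, not CASS's method.
"""
import os
import subprocess
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RawCommit:
    sha: str
    headers: List[Tuple[str, str]] = field(default_factory=list)  # gpgsig excluded
    gpgsig: Optional[str] = None
    message: str = ""

    @property
    def committer_email(self) -> str:
        for name, value in self.headers:
            if name == "committer":
                return value.split("<", 1)[1].split(">", 1)[0]
        raise ValueError("no committer header")

    def signed_payload(self) -> bytes:
        """The commit object minus gpgsig: exactly what git handed to gpg."""
        head = "".join("%s %s\n" % (n, v) for n, v in self.headers)
        return (head + "\n" + self.message).encode()


def parse_raw_show(text: str) -> RawCommit:
    """Parse `git show --pretty=raw -s` output: a `commit <sha>` line,
    `name value` headers (continuation lines start with one space), a
    blank line, then the message indented by four spaces."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("commit "):
        raise ValueError("expected a 'commit <sha>' line first")
    commit = RawCommit(sha=lines[0].split()[1])
    i = 1
    while i < len(lines) and lines[i] != "":
        name, _, value = lines[i].partition(" ")
        i += 1
        cont = []
        while i < len(lines) and lines[i].startswith(" "):
            cont.append(lines[i][1:])          # drop the continuation marker
            i += 1
        full = "\n".join([value] + cont)
        if name == "gpgsig":
            commit.gpgsig = full
        else:
            commit.headers.append((name, full))
    body = [l[4:] if l.startswith("    ") else l for l in lines[i + 1:]]
    commit.message = "\n".join(body).rstrip("\n") + "\n"
    return commit


def verify_with_gpg(commit: RawCommit, armored_key: str, expected_fpr: str) -> bool:
    """Verify in a throwaway keyring that holds only the SPAR-registered key.
    Success requires a VALIDSIG status line naming `expected_fpr`, so a good
    signature from any other key still fails.  Needs a gpg binary."""
    if commit.gpgsig is None:
        return False
    with tempfile.TemporaryDirectory() as home:
        gpg = ["gpg", "--homedir", home, "--batch", "--no-tty"]
        subprocess.run(gpg + ["--import"], input=armored_key.encode(),
                       check=True, capture_output=True)
        sig, data = os.path.join(home, "c.sig"), os.path.join(home, "c.payload")
        with open(sig, "w") as fh:
            fh.write(commit.gpgsig + "\n")
        with open(data, "wb") as fh:
            fh.write(commit.signed_payload())
        out = subprocess.run(gpg + ["--status-fd", "1", "--verify", sig, data],
                             capture_output=True, text=True).stdout
        return any(l.startswith("[GNUPG:] VALIDSIG " + expected_fpr + " ")
                   for l in out.splitlines())


# Constructed sample of `git show --pretty=raw -s`: hashes and the signature
# body are made up, so it parses but will not verify.
SAMPLE_SHOW = "\n".join([
    "commit 9d1c2b3a4e5f60718293a4b5c6d7e8f901234567",
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904",
    "parent 1234567890abcdef1234567890abcdef12345678",
    "author Demo <demo@example.com> 1657800000 +0000",
    "committer Demo <demo@example.com> 1657800000 +0000",
    "gpgsig -----BEGIN PGP SIGNATURE-----",
    " ",                                   # the armor's blank line, as git prints it
    " iQGzBAABCgAdFiEEPDfMhHSuQWB1HGY64TBKFRdEoRkFAmLQAAAACgkQ4TBKFRdE",
    " oRk=",
    " =AAAA",
    " -----END PGP SIGNATURE-----",
    "",
    "    Signed commit",
]) + "\n"
```

Two points this makes visible. Rebuilding the payload from --pretty=raw output depends on undoing git's display formatting (the four-space message indent, the continuation markers); `git cat-file commit <sha>` prints the object bytes verbatim and is the more robust input for a verifier. And pinning the VALIDSIG fingerprint to the one registered in SPAR is what turns "this commit has a valid signature" into "this commit was signed by a key the organisation trusts".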

Usage (CASPR)

  1. Configure your git repository to use commit signing
git config --local user.signingkey <Fingerprint from gpg>
# Use gpg --list-keys to get your fingerprint
  2. Configure the email (it must match the uid of the key you registered)
git config --local user.email <email>
  3. Set up the gpg binary that git will use for signing
git config --local gpg.program <path-to-gpg>
# git config --local gpg.program /opt/homebrew/bin/gpg
  4. Make sure every commit will be signed
git config --local commit.gpgsign true
# Alternately you can sign each commit manually using the -S flag
# E.g. git commit -S -m "Signed commit"
  5. Make a new signed commit and push it to the remote for verification
git add <changed_file>
git commit -m "Signed commit"
git push
  6. Check your remote repository's CI/CD process: the commit will be verified there. You can confirm the signature locally first with git log --show-signature -1.

License

MIT
