Skip to content

Commit

Permalink
Merge pull request #887 from prashantrewar/sign-artifacts
Browse files Browse the repository at this point in the history
sign release artifacts using cosign
  • Loading branch information
praveenrewar authored Jan 18, 2024
2 parents 6a1f7d1 + 2c13cda commit a9ee6fa
Show file tree
Hide file tree
Showing 2 changed files with 78 additions and 0 deletions.
12 changes: 12 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ jobs:
# Set permissions of github token. See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions
permissions:
contents: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v2
Expand All @@ -21,6 +22,9 @@ jobs:
uses: actions/setup-go@v3
with:
go-version: "1.21.3"

- name: Set up Cosign
uses: sigstore/cosign-installer@v3

- name: Retrieve version
run: |
Expand Down Expand Up @@ -89,6 +93,14 @@ jobs:
${checksums['ytt-linux-amd64']} ./ytt-linux-amd64
${checksums['ytt-linux-arm64']} ./ytt-linux-arm64
${checksums['ytt-windows-amd64.exe']} ./ytt-windows-amd64.exe`
- name: Verify checksums signature
run: |
cosign verify-blob \
--cert dist/checksums.txt.pem \
--signature dist/checksums.txt.sig \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com ./dist/checksums.txt
- name: verify uploaded artifacts
if: startsWith(github.ref, 'refs/tags/')
Expand Down
66 changes: 66 additions & 0 deletions .goreleaser.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,17 @@ checksum:
name_template: 'checksums.txt'
algorithm: sha256
disable: false
signs:
- artifacts: checksum
certificate: '${artifact}.pem'
cmd: cosign
args:
- sign-blob
- "--yes"
- '--output-certificate=${certificate}'
- '--output-signature=${signature}'
- '${artifact}'
output: true
snapshot:
name_template: "{{ .Tag }}-next"
release:
Expand All @@ -58,6 +69,61 @@ release:
# Defaults to false.
disable: false

header: |
<details>
<summary><h2>Installation and signature verification</h2></summary>
### Installation
#### By downloading binary from the release
For instance, if you are using Linux on an AMD64 architecture:
```shell
# Download the binary
curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-linux-amd64
# Move the binary in to your PATH
mv kapp-linux-amd64 /usr/local/bin/ytt
# Make the binary executable
chmod +x /usr/local/bin/ytt
```
#### Via Homebrew (macOS or Linux)
```shell
$ brew tap carvel-dev/carvel
$ brew install ytt
$ ytt version
```
### Verify checksums file signature
The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC(Refer [this](https://docs.sigstore.dev/system_config/installation/) page for cosign installation). To validate the signature of this file, run the following commands:
```shell
# Download the checksums file, certificate and signature
curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt
curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt.pem
curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt.sig
# Verify the checksums file
cosign verify-blob checksums.txt \
--certificate checksums.txt.pem \
--signature checksums.txt.sig \
--certificate-identity-regexp=https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
```
### Verify binary integrity
To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.
```shell
# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing
```
</details>
changelog:
# Set it to true if you wish to skip the changelog generation.
# This may result in an empty release notes on GitHub/GitLab/Gitea.
Expand Down

0 comments on commit a9ee6fa

Please sign in to comment.