Skip to content

Commit

Permalink
sign release artifacts using cosign (carvel-dev#450)
Browse files Browse the repository at this point in the history
Signed-off-by: Prashant Rewar <[email protected]>
  • Loading branch information
prashantrewar authored and antwacky committed Feb 21, 2024
1 parent 1453a0f commit 3184096
Show file tree
Hide file tree
Showing 2 changed files with 79 additions and 0 deletions.
13 changes: 13 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ jobs:
# Set permissions of github token. See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions
permissions:
contents: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v2
Expand All @@ -21,6 +22,10 @@ jobs:
uses: actions/setup-go@v3
with:
go-version: 1.21.3

- name: Set up Cosign
uses: sigstore/cosign-installer@v3

- name: Retrieve version
run: |
echo "TAG_NAME=$(echo ${{ github.ref }} | grep -Eo 'v[0-9].*')" >> $GITHUB_OUTPUT
Expand Down Expand Up @@ -89,6 +94,14 @@ jobs:
${checksums['kbld-linux-arm64']} ./kbld-linux-arm64
${checksums['kbld-windows-amd64.exe']} ./kbld-windows-amd64.exe
${checksums['kbld-windows-arm64.exe']} ./kbld-windows-arm64.exe`
- name: Verify checksums signature
run: |
cosign verify-blob \
--cert dist/checksums.txt.pem \
--signature dist/checksums.txt.sig \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com ./dist/checksums.txt
- name: verify uploaded artifacts
if: startsWith(github.ref, 'refs/tags/')
Expand Down
66 changes: 66 additions & 0 deletions .goreleaser.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,17 @@ checksum:
name_template: 'checksums.txt'
algorithm: sha256
disable: false
signs:
- artifacts: checksum
certificate: '${artifact}.pem'
cmd: cosign
args:
- sign-blob
- "--yes"
- '--output-certificate=${certificate}'
- '--output-signature=${signature}'
- '${artifact}'
output: true
snapshot:
name_template: "{{ .Tag }}-next"
release:
Expand All @@ -55,6 +66,61 @@ release:
# Defaults to false.
disable: false

header: |
<details>
<summary><h2>Installation and signature verification</h2></summary>
### Installation
#### By downloading binary from the release
For instance, if you are using Linux on an AMD64 architecture:
```shell
# Download the binary
curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-linux-amd64
# Move the binary in to your PATH
mv kapp-linux-amd64 /usr/local/bin/kbld
# Make the binary executable
chmod +x /usr/local/bin/kbld
```
#### Via Homebrew (macOS or Linux)
```shell
$ brew tap carvel-dev/carvel
$ brew install kbld
$ kbld version
```
### Verify checksums file signature
The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC(Refer [this](https://docs.sigstore.dev/system_config/installation/) page for cosign installation). To validate the signature of this file, run the following commands:
```shell
# Download the checksums file, certificate and signature
curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt
curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt.pem
curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt.sig
# Verify the checksums file
cosign verify-blob checksums.txt \
--certificate checksums.txt.pem \
--signature checksums.txt.sig \
--certificate-identity-regexp=https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
```
### Verify binary integrity
To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.
```shell
# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing
```
</details>
changelog:
# Set it to true if you wish to skip the changelog generation.
# This may result in an empty release notes on GitHub/GitLab/Gitea.
Expand Down

0 comments on commit 3184096

Please sign in to comment.