Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sign release artifacts using cosign #450

Merged
merged 1 commit into from
Jan 18, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ jobs:
# Set permissions of github token. See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions
permissions:
contents: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v2
Expand All @@ -21,6 +22,10 @@ jobs:
uses: actions/setup-go@v3
with:
go-version: 1.21.3

- name: Set up Cosign
uses: sigstore/cosign-installer@v3

- name: Retrieve version
run: |
echo "TAG_NAME=$(echo ${{ github.ref }} | grep -Eo 'v[0-9].*')" >> $GITHUB_OUTPUT
Expand Down Expand Up @@ -89,6 +94,14 @@ jobs:
${checksums['kbld-linux-arm64']} ./kbld-linux-arm64
${checksums['kbld-windows-amd64.exe']} ./kbld-windows-amd64.exe
${checksums['kbld-windows-arm64.exe']} ./kbld-windows-arm64.exe`

- name: Verify checksums signature
run: |
cosign verify-blob \
--cert dist/checksums.txt.pem \
--signature dist/checksums.txt.sig \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com ./dist/checksums.txt

- name: verify uploaded artifacts
if: startsWith(github.ref, 'refs/tags/')
Expand Down
66 changes: 66 additions & 0 deletions .goreleaser.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,17 @@ checksum:
name_template: 'checksums.txt'
algorithm: sha256
disable: false
signs:
- artifacts: checksum
certificate: '${artifact}.pem'
cmd: cosign
args:
- sign-blob
- "--yes"
- '--output-certificate=${certificate}'
- '--output-signature=${signature}'
- '${artifact}'
output: true
snapshot:
name_template: "{{ .Tag }}-next"
release:
Expand All @@ -55,6 +66,61 @@ release:
# Defaults to false.
disable: false

header: |
<details>

<summary><h2>Installation and signature verification</h2></summary>

### Installation

#### By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:
```shell
# Download the binary
curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-linux-amd64

# Move the binary in to your PATH
mv kapp-linux-amd64 /usr/local/bin/kbld

# Make the binary executable
chmod +x /usr/local/bin/kbld
```

#### Via Homebrew (macOS or Linux)
```shell
$ brew tap carvel-dev/carvel
$ brew install kbld
$ kbld version
```

### Verify checksums file signature

The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC(Refer [this](https://docs.sigstore.dev/system_config/installation/) page for cosign installation). To validate the signature of this file, run the following commands:

```shell
# Download the checksums file, certificate and signature
curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt
curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt.pem
curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt.sig

# Verify the checksums file
cosign verify-blob checksums.txt \
--certificate checksums.txt.pem \
--signature checksums.txt.sig \
--certificate-identity-regexp=https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
```

### Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.
```shell
# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing
```
</details>

changelog:
# Set it to true if you wish to skip the changelog generation.
# This may result in an empty release notes on GitHub/GitLab/Gitea.
Expand Down
Loading