From ea8d67d48ce425a24feedae2f9be69aa97f9fe51 Mon Sep 17 00:00:00 2001
From: Luca Comellini
Date: Fri, 21 Jul 2023 17:54:14 -0700
Subject: [PATCH] Sign checksum with cosign

Adds config to sign artifacts. Since the checksum contains the SHAs of the artifacts, signing the checksums is enough to ensure that the artifacts were not modified. GoReleaser uses cosign to sign the artifact and uploads .sig and .pem to the release.
---
 .github/workflows/ci.yml | 5 +++++
 .goreleaser.yml | 12 ++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bf25e3830a..43af980273 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -98,6 +98,7 @@ jobs:
     needs: [vars, unit-tests, njs-unit-tests]
     permissions:
       contents: write # for goreleaser/goreleaser-action and lucacome/draft-release to create/update releases
+      id-token: write # for goreleaser/goreleaser-action to sign artifacts
     steps:
       - name: Checkout Repository
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
@@ -125,6 +126,10 @@ jobs:
         uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
         if: startsWith(github.ref, 'refs/tags/')
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
+        if: startsWith(github.ref, 'refs/tags/')
+
       - name: Build binary
         uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0
         with:
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 81db615838..c494cc0a5a 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -32,6 +32,18 @@ blobs:
   - provider: azblob
     bucket: '{{.Env.AZURE_BUCKET_NAME}}'
 
+signs:
+  - cmd: cosign
+    artifacts: checksum
+    output: true
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - "--output-signature=${signature}"
+      - "--output-certificate=${certificate}"
+      - "${artifact}"
+      - "--yes"
+
 announce:
   slack:
     enabled: true
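Review bot: The new `id-token: write` grant applies to the whole job, not only to the goreleaser step, so every step in it, including each third-party action it runs, can request a GitHub OIDC token that Fulcio will accept as this workflow's identity. GitHub Actions has no per-step permissions, so the practical mitigation is to keep every action in the job pinned to a commit SHA (as the visible `actions/checkout` line already is) and to state the scope in the comment, e.g. `id-token: write # for goreleaser/goreleaser-action to sign artifacts (cosign keyless/OIDC); job-wide, keep all actions SHA-pinned`. The enclosing job's header is outside the hunk, so I cannot see which other steps share this grant.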
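Review bot: Cosign is installed only when `startsWith(github.ref, 'refs/tags/')`, but the `Build binary` step that follows carries no such condition in the visible lines and its `with:` block is outside the hunk. If that step runs goreleaser on non-tag refs (for example a snapshot build) with the new `signs` section in `.goreleaser.yml`, goreleaser will try to execute `cosign` and fail on the missing binary; confirm that non-tag runs pass `--skip-sign` (or the equivalent skip flag of the pinned goreleaser version) or gate signing on the same tag condition. A comment linking the two steps would help the next reader, e.g. `# required by the signs section of .goreleaser.yml; only tag builds are signed`.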
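Review bot: The `signs` block enables keyless signing, but nothing in the commit documents how consumers verify the result, and the description's claim that signing the checksum covers the artifacts only holds if a verifier first checks the checksum file's signature and then checks the artifact hashes against that file. Add a verification snippet to the release notes or README using `cosign verify-blob` with the uploaded `.sig` and `.pem`, pinning `--certificate-identity` to this workflow's identity (placeholder: `<repo>/.github/workflows/ci.yml@refs/tags/<tag>`) and `--certificate-oidc-issuer` to `https://token.actions.githubusercontent.com`, followed by `sha256sum -c` against the verified checksum file. Two smaller points: `--yes` suppresses cosign's consent prompt, which is intended in CI but worth a comment such as `# --yes: non-interactive; keyless signing records the certificate in the public Rekor transparency log`; and `certificate: '${artifact}.pem'` uses single quotes while the `args` entries use double quotes, so pick one quoting style for the file.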