goreleaser/www/docs/customization/docker_sign.md

# Signing Docker Images and Manifests

Signing Docker Images and Manifests is also possible with GoReleaser.
This pipe was designed based on the common [sign](/customization/sign/) pipe having [cosign](https://github.com/sigstore/cosign) in mind.

!!! info
    Note that this pipe will run only at the end of the GoReleaser execution (in its publish phase), as cosign will change the image in the registry.


To customize the signing pipeline you can use the following options:

```yaml
# .goreleaser.yml
docker_signs:
  -
    # ID of the sign config, must be unique.
    # Only relevant if you want to produce some sort of signature file.
    #
    # Defaults to "default".
    id: foo

    # Name/template of the signature file.
    # Note that with cosign you don't need to use this.
    #
    # Defaults to empty.
    signature: "${artifact}_sig"

    # Path to the signature command
    #
    # Defaults to `cosign`
    cmd: cosign

    # Command line templateable arguments for the command
    #
    # defaults to `["sign", "-key=cosign.key", "${artifact}"]`
    args: ["sign", "-key=cosign.key", "-upload=false", "${artifact}"]


    # Which artifacts to sign
    #
    #   all:       all artifacts
    #   none:      no signing
    #   images:    only docker images
    #   manifests: only docker manifests
    #
    # defaults to `none`
    artifacts: all

    # IDs of the artifacts to sign.
    #
    # Defaults to empty (which implies no ID filtering).
    ids:
      - foo
      - bar

    # Stdin data template to be given to the signature command as stdin.
    # Defaults to empty
    stdin: '{{ .Env.COSIGN_PWD }}'

    # StdinFile file to be given to the signature command as stdin.
    # Defaults to empty
    stdin_file: ./.password

    # Sets a certificate name that your signing command should write to.
    # You can later use `${certificate}` or `.Env.certificate` in the `args` section.
    # This is particularly useful for keyless signing (for instance, with cosign).
    # Note that this should be a name, not a path.
    #
    # Defaults to empty.
    certificate: '{{ trimsuffix .Env.artifactName ".tar.gz" }}.pem'

    # List of environment variables that will be passed to the signing command as well as the templates.
    #
    # Defaults to empty
    env:
    - FOO=bar
    - HONK=honkhonk
```

### Available variable names

These environment variables might be available in the fields that are templateable:

- `${artifactName}`: the name of the artifact
- `${artifact}`: the path to the artifact that will be signed
- `${artifactID}`: the ID of the artifact that will be signed
- `${certificate}`: the certificate filename, if provided
- `${signature}`: the signature filename, if provided

## Common usage example

Assuming you have a `cosign.key` in the repository root and a `COSIGN_PWD`
environment variable, the simplest configuration to sign both Docker images
and manifests would look like this:

```yaml
# .goreleaser.yml
docker_signs:
- artifacts: all
  stdin: '{{ .Env.COSIGN_PWD }}'
```

Later on you (and anyone else) can verify the image with:

```sh
cosign verify -key cosign.pub your/image
```
docs: improve search fixes #2616 2021-10-30 14:50:23 +02:00			`# Signing Docker Images and Manifests`
feat: sign docker images with cosign (#2423) * feat: sign docker images with cosign Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: improve sign logging Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: do not sign if skip publish is set Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: install cosign Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * docs: fix wrong docs Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> 2021-08-24 16:22:09 +02:00
			`Signing Docker Images and Manifests is also possible with GoReleaser.`
			`This pipe was designed based on the common [sign](/customization/sign/) pipe having [cosign](https://github.com/sigstore/cosign) in mind.`

			`!!! info`
docs: improve customization section (#2507) * docs: improve customization section Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: improve docs Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: ignore edit urls in htmltest Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> 2021-09-28 03:43:00 +02:00			`Note that this pipe will run only at the end of the GoReleaser execution (in its publish phase), as cosign will change the image in the registry.`
feat: sign docker images with cosign (#2423) * feat: sign docker images with cosign Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: improve sign logging Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: do not sign if skip publish is set Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: install cosign Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * docs: fix wrong docs Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> 2021-08-24 16:22:09 +02:00

			`To customize the signing pipeline you can use the following options:`

			```yaml
			`# .goreleaser.yml`
			`docker_signs:`
			`-`
			`# ID of the sign config, must be unique.`
			`# Only relevant if you want to produce some sort of signature file.`
			`#`
			`# Defaults to "default".`
			`id: foo`

			`# Name/template of the signature file.`
			`# Note that with cosign you don't need to use this.`
			`#`
			`# Defaults to empty.`
			`signature: "${artifact}_sig"`

			`# Path to the signature command`
			`#`
			# Defaults to `cosign`
			`cmd: cosign`

			`# Command line templateable arguments for the command`
			`#`
			# defaults to `["sign", "-key=cosign.key", "${artifact}"]`
			`args: ["sign", "-key=cosign.key", "-upload=false", "${artifact}"]`


			`# Which artifacts to sign`
			`#`
			`# all: all artifacts`
			`# none: no signing`
			`# images: only docker images`
			`# manifests: only docker manifests`
			`#`
			# defaults to `none`
			`artifacts: all`

			`# IDs of the artifacts to sign.`
			`#`
			`# Defaults to empty (which implies no ID filtering).`
			`ids:`
			`- foo`
			`- bar`

			`# Stdin data template to be given to the signature command as stdin.`
			`# Defaults to empty`
docs: fix environment variable to be COSIGN_PWD (#2489) Signed-off-by: Carlos Panato <ctadeu@gmail.com> 2021-09-15 13:50:43 +02:00			`stdin: '{{ .Env.COSIGN_PWD }}'`
feat: sign docker images with cosign (#2423) * feat: sign docker images with cosign Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: improve sign logging Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: do not sign if skip publish is set Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: install cosign Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * docs: fix wrong docs Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> 2021-08-24 16:22:09 +02:00
			`# StdinFile file to be given to the signature command as stdin.`
			`# Defaults to empty`
			`stdin_file: ./.password`
feat: sign with env and output certificate (#2662) * feat: sign with env and output certificate * fix: test * fix: prop name * test: blob upload * test: http upload * test: exec * test: sign 2021-11-12 03:56:03 +02:00
			`# Sets a certificate name that your signing command should write to.`
			# You can later use `${certificate}` or `.Env.certificate` in the `args` section.
			`# This is particularly useful for keyless signing (for instance, with cosign).`
			`# Note that this should be a name, not a path.`
			`#`
			`# Defaults to empty.`
			`certificate: '{{ trimsuffix .Env.artifactName ".tar.gz" }}.pem'`

			`# List of environment variables that will be passed to the signing command as well as the templates.`
			`#`
			`# Defaults to empty`
			`env:`
			`- FOO=bar`
			`- HONK=honkhonk`
feat: sign docker images with cosign (#2423) * feat: sign docker images with cosign Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: improve sign logging Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: do not sign if skip publish is set Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: install cosign Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * docs: fix wrong docs Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> 2021-08-24 16:22:09 +02:00			```

feat: sign with env and output certificate (#2662) * feat: sign with env and output certificate * fix: test * fix: prop name * test: blob upload * test: http upload * test: exec * test: sign 2021-11-12 03:56:03 +02:00			`### Available variable names`

			`These environment variables might be available in the fields that are templateable:`

			- `${artifactName}`: the name of the artifact
			- `${artifact}`: the path to the artifact that will be signed
			- `${artifactID}`: the ID of the artifact that will be signed
			- `${certificate}`: the certificate filename, if provided
			- `${signature}`: the signature filename, if provided

feat: sign docker images with cosign (#2423) * feat: sign docker images with cosign Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: improve sign logging Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: do not sign if skip publish is set Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: install cosign Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * docs: fix wrong docs Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> 2021-08-24 16:22:09 +02:00			`## Common usage example`

			Assuming you have a `cosign.key` in the repository root and a `COSIGN_PWD`
			`environment variable, the simplest configuration to sign both Docker images`
			`and manifests would look like this:`

			```yaml
			`# .goreleaser.yml`
			`docker_signs:`
			`- artifacts: all`
			`stdin: '{{ .Env.COSIGN_PWD }}'`
			```

			`Later on you (and anyone else) can verify the image with:`

			```sh
			`cosign verify -key cosign.pub your/image`
			```