2021-10-30 14:50:23 +02:00
# Signing Docker Images and Manifests
Signing Docker Images and Manifests is also possible with GoReleaser.
This pipe was designed based on the common [sign](/customization/sign/) pipe, having [cosign](https://github.com/sigstore/cosign) in mind.
!!! info
    Note that this pipe will run only at the end of the GoReleaser execution (in its publish phase), as cosign will change the image in the registry.

To customize the signing pipeline you can use the following options:
```yaml
# .goreleaser.yml
docker_signs:
  -
    # ID of the sign config, must be unique.
    # Only relevant if you want to produce some sort of signature file.
    #
    # Defaults to "default".
    id: foo

    # Path to the signature command
    #
    # Defaults to `cosign`
    cmd: cosign

    # Command line templateable arguments for the command
    #
    # Defaults to `["sign", "--key=cosign.key", "${artifact}"]`
    args: ["sign", "--key=cosign.key", "--upload=false", "${artifact}"]

    # Which artifacts to sign
    #
    #   all:       all artifacts
    #   none:      no signing
    #   images:    only docker images
    #   manifests: only docker manifests
    #
    # Defaults to `none`
    artifacts: all

    # IDs of the artifacts to sign.
    #
    # Defaults to empty (which implies no ID filtering).
    ids:
      - foo
      - bar

    # Stdin data template to be given to the signature command as stdin.
    #
    # Defaults to empty
    stdin: '{{ .Env.COSIGN_PWD }}'

    # StdinFile file to be given to the signature command as stdin.
    #
    # Defaults to empty
    stdin_file: ./.password

    # List of environment variables that will be passed to the signing command as well as the templates.
    #
    # Defaults to empty
    env:
      - FOO=bar
      - HONK=honkhonk

    # By default, the stdout and stderr of the signing cmd are discarded unless GoReleaser is running with `--debug` set.
    # You can set this to true if you want them to be displayed regardless.
    #
    # Defaults to false
    output: true
```

### Available variable names
These environment variables might be available in the fields that are templateable:

- `${artifact}` : the path to the artifact that will be signed [^1]
- `${artifactID}` : the ID of the artifact that will be signed
- `${certificate}` : the certificate filename, if provided

[^1]: Notice that this might contain `/` characters, which, depending on how you use it, might evaluate to actual paths within the filesystem. Use with care.
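As an added dry-run model of what this pipe does with the options above (not GoReleaser's or cosign's own code): it selects constructed sample artifacts by the `artifacts:` kind and the `ids:` filter, expands `${artifact}` and `${artifactID}` in the default argument template, and derives a signature file name that cannot resolve to a nested path, which is the caveat in footnote [^1]. The image references and IDs are made up, and nothing here contacts a registry or runs cosign.

```sh
#!/bin/sh
# Added example, not GoReleaser's or cosign's own code: a dry-run model of the
# docker_signs pipe. Nothing here talks to a registry or executes cosign.

# Constructed sample artifacts, one per line: "<kind> <id> <reference>".
ARTIFACTS='image foo ghcr.io/example/app:v1.2.3-amd64
image bar ghcr.io/example/app:v1.2.3-arm64
manifest foo ghcr.io/example/app:v1.2.3'

# Expand ${artifact} and ${artifactID} inside one template argument.
# $1 = template argument, $2 = artifact reference, $3 = artifact ID
expand_arg() {
  printf '%s' "$1" | sed -e 's|\${artifactID}|'"$3"'|g' -e 's|\${artifact}|'"$2"'|g'
}

# Print (without running) the command the pipe would issue per selected artifact,
# using the default args template ["sign", "--key=cosign.key", "${artifact}"].
# $1 = artifacts mode (all|none|images|manifests)
# $2 = space-separated ID filter; empty means no ID filtering
render_sign_commands() {
  mode=$1
  ids=$2
  printf '%s\n' "$ARTIFACTS" | while read -r kind id ref; do
    # `artifacts:` filter by kind
    case "$mode:$kind" in
      all:*|images:image|manifests:manifest) ;;
      *) continue ;;
    esac
    # `ids:` filter, only applied when a list is given
    if [ -n "$ids" ]; then
      case " $ids " in
        *" $id "*) ;;
        *) continue ;;
      esac
    fi
    line=cosign
    for tmpl in sign --key=cosign.key '${artifact}'; do
      line="$line $(expand_arg "$tmpl" "$ref" "$id")"
    done
    printf '%s\n' "$line"
  done
}

# Turn a reference such as ghcr.io/example/app:v1.2.3 into a signature file name
# that cannot resolve to a nested path (footnote [^1]): `/`, `:` and `@` are
# replaced before the name ever reaches the filesystem.
sig_file_name() {
  printf '%s.sig' "$(printf '%s' "$1" | tr '/:@' '___')"
}

render_sign_commands all ""
```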
## Common usage example
Assuming you have a `cosign.key` in the repository root and a `COSIGN_PWD`
environment variable, the simplest configuration to sign both Docker images
and manifests would look like this:
```yaml
# .goreleaser.yml
docker_signs:
  - artifacts: all
    stdin: '{{ .Env.COSIGN_PWD }}'
```
Later on you (and anyone else) can verify the image with:
```sh
cosign verify --key cosign.pub your/image
```