feat: keyless signing (#2716)

* feat: keyless signing Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * fix: perms Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * fix: rm old pubkey Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * docs: missing experimental flag Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * docs: true keyless Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * docs: improve install Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * fix: simplifying Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * docs: improvements Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * docs: improvements Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * docs: trying to improve docs Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * fix: config Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * fix: package write Signed-off-by: Carlos A Becker <caarlos0@gmail.com>
2024-12-31 01:53:50 +02:00 · 2021-12-16 13:43:11 -03:00 · 2021-12-16 13:43:11 -03:00 · 505888f41b
commit 505888f41b
parent 994cbb47c3
6 changed files with 57 additions and 52 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -8,6 +8,11 @@ on:
      - 'v*'
  pull_request:

+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
 jobs:
  goreleaser-check-pkgs:
    runs-on: ubuntu-latest
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -206,18 +206,40 @@ sboms:

 signs:
 - cmd: cosign
-  stdin: '{{ .Env.COSIGN_PWD }}'
-  args: ["sign-blob", "-key=cosign.key", "-output=${signature}", "${artifact}"]
-  artifacts: checksum
+  env:
+  - COSIGN_EXPERIMENTAL=1
+  certificate: '${artifact}.pem'
+  output: true
+  args:
+    - sign-blob
+    - '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
+    - '--output-certificate=${certificate}'
+    - '--output-signature=${signature}'
+    - '${artifact}'
 - id: sign-sboms
  cmd: cosign
-  stdin: '{{ .Env.COSIGN_PWD }}'
-  args: ["sign-blob", "-key=cosign.key", "-output=${signature}", "${artifact}"]
+  env:
+  - COSIGN_EXPERIMENTAL=1
+  certificate: '${artifact}.pem'
+  output: true
+  args:
+    - sign-blob
+    - '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
+    - '--output-certificate=${certificate}'
+    - '--output-signature=${signature}'
+    - '${artifact}'
  artifacts: sbom

 docker_signs:
- artifacts: manifests
-  stdin: '{{ .Env.COSIGN_PWD }}'
+- cmd: cosign
+  env:
+  - COSIGN_EXPERIMENTAL=1
+  artifacts: manifests
+  output: true
+  args:
+  - 'sign'
+  - '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
+  - '${artifact}'

 publishers:
  - name: fury.io
@ -231,17 +253,15 @@ milestones:
  - close: true

 release:
-  extra_files:
-    - glob: ./cosign.pub
  footer: |
    **Full Changelog**: https://github.com/goreleaser/goreleaser/compare/{{ .PreviousTag }}...{{ .Tag }}

    ## What to do next?

-    - Check out the [GoReleaser Pro](https://goreleaser.com/pro) distribution;
-    - Join our [Discord server](https://discord.gg/RGEBtg8vQ6);
-    - Follow us on [Twitter](https://twitter.com/goreleaser);
-    - Read the [documentation](https://goreleaser.com/intro/).
+    - Read the [documentation](https://goreleaser.com/intro/)
+    - Check out the [GoReleaser Pro](https://goreleaser.com/pro) distribution
+    - Join our [Discord server](https://discord.gg/RGEBtg8vQ6)
+    - Follow us on [Twitter](https://twitter.com/goreleaser)

 announce:
  skip: "{{gt .Patch 0}}"
--- a/cosign.key
+++ b/cosign.key
@ -1,11 +0,0 @@
-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----
-eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6
-OCwicCI6MX0sInNhbHQiOiJtUWdJMGhQZTVLdDlkMVFYTEE0YXcrTHArZzZFWnVP
-MmJnOElMUXg1RVFjPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
-Iiwibm9uY2UiOiJXeU5xVmRGTlk0YlZYMEdEK0lnTHZjZ3ZwN0Ribno5eCJ9LCJj
-aXBoZXJ0ZXh0IjoiSUhMa2lBV0xtK0hUQUFrUXFKdE5vWmNVQlJTblBRYWxhY3hG
-UlZTVjNOcWhMTUFPeXZndGx0MUlZVGZCTnJJTmhwYU1LZHRsazEyN1FSWEVRZUl2
-TDBTNFp6OElsUGZkMkR3U1B1ejQ2L3RxWEFLRld0YURRbEhLemhLK1BYUC9qU2Yv
-aDdMTWh6Tms1V0FtK091bHBOL09ScDBicVhRYkQ1WnBpYVZoRno3RlFHVHIvNTFr
-OXBrdlNDaWhQM1A0SUNZOE02T2pHaU1Ecnc9PSJ9
-----END ENCRYPTED COSIGN PRIVATE KEY-----
--- a/cosign.pub
+++ b/cosign.pub
@ -1,4 +0,0 @@
-----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1cDYntBbC5z3yV9Os6R6VdYAF2yt
-0tjp4kg12QbnN95kv2m1WTmwg4TBRd4bwYCfhCyEEJEAWAUGsWtFflzl5g==
-----END PUBLIC KEY-----
--- a/www/docs/install.md
+++ b/www/docs/install.md
@ -128,23 +128,24 @@ Below you can find the steps for each of them.
 === "Pro"
    Download the pre-compiled binaries from the [Pro releases page][pro-releases] and copy them to the desired location.

-## Verifying the binaries
+## Verifying the artifacts
+
+### binaries

 All artifacts are checksummed and the checksum file is signed with [cosign][].

-You can verify it using [our public key](https://goreleaser.com/static/goreleaser.pub).
-
 === "OSS"
-    1. Download the files you want, and both the `checksums.txt` and `checksums.txt.sig` files from the [releases][releases] page:
+    1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig` files from the [releases][releases] page:
      ```sh
      wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt
      wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.sig
+      wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.pem
      ```
    1. Verify the signature:
      ```sh
      cosign verify-blob \
-        -key https://goreleaser.com/static/goreleaser.pub \
-        -signature checksums.txt.sig \
+        --cert checksums.txt.pem \
+        --signature checksums.txt.sig \
        checksums.txt
      ```
    1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
@ -153,16 +154,17 @@ You can verify it using [our public key](https://goreleaser.com/static/gorelease
      ```

 === "Pro"
-    1. Download the files you want, and both the `checksums.txt` and `checksums.txt.sig` files from the [releases][pro-releases] page:
+    1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig` files from the [releases][pro-releases] page:
      ```sh
      wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt
      wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt.sig
+      wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt.pem
      ```
    1. Verify the signature:
      ```sh
      cosign verify-blob \
-        -key https://goreleaser.com/static/goreleaser.pub \
-        -signature checksums.txt.sig \
+        --cert checksums.txt.pem \
+        --signature checksums.txt.sig \
        checksums.txt
      ```
    1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
@ -170,28 +172,25 @@ You can verify it using [our public key](https://goreleaser.com/static/gorelease
      sha256sum --ignore-missing -c checksums.txt
      ```

-## Verifying docker images
+### docker images

-Our Docker image is signed with [cosign][].
+Our Docker images are signed with [cosign][].

-You can verify it using [our public key](https://goreleaser.com/static/goreleaser.pub).
+Verify the signatures:

 === "OSS"
-    Verify the signatures:
    ```sh
-    cosign verify \
-      -key https://goreleaser.com/static/goreleaser.pub \
-      goreleaser/goreleaser
+    COSIGN_EXPERIMENTAL=1 cosign verify goreleaser/goreleaser
    ```

 === "Pro"
-    Verify the signatures:
    ```sh
-    cosign verify \
-      -key https://goreleaser.com/static/goreleaser.pub \
-      goreleaser/goreleaser-pro
+    COSIGN_EXPERIMENTAL=1 cosign verify goreleaser/goreleaser-pro
    ```

+!!! info
+    The `.pem` and `.sig` files are the image `name:tag`, replacing `/` and `:` with `-`.
+
 ## Running with Docker

 You can also use it within a Docker container.
--- a/www/docs/static/goreleaser.pub
+++ b/www/docs/static/goreleaser.pub
@ -1,4 +0,0 @@
-----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1cDYntBbC5z3yV9Os6R6VdYAF2yt
-0tjp4kg12QbnN95kv2m1WTmwg4TBRd4bwYCfhCyEEJEAWAUGsWtFflzl5g==
-----END PUBLIC KEY-----