diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 37d0de8ba..1b26c6a2e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -8,6 +8,11 @@ on:
 - 'v*'
 pull_request:
 
+permissions:
+ contents: write
+ id-token: write
+ packages: write
+
 jobs:
 goreleaser-check-pkgs:
 runs-on: ubuntu-latest
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 65f355ed6..49381a8df 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -206,18 +206,40 @@ sboms:

 signs:
 - cmd: cosign
- stdin: '{{ .Env.COSIGN_PWD }}'
- args: ["sign-blob", "-key=cosign.key", "-output=${signature}", "${artifact}"]
- artifacts: checksum
+ env:
+ - COSIGN_EXPERIMENTAL=1
+ certificate: '${artifact}.pem'
+ output: true
+ args:
+ - sign-blob
+ - '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
+ - '--output-certificate=${certificate}'
+ - '--output-signature=${signature}'
+ - '${artifact}'
 - id: sign-sboms
 cmd: cosign
- stdin: '{{ .Env.COSIGN_PWD }}'
- args: ["sign-blob", "-key=cosign.key", "-output=${signature}", "${artifact}"]
+ env:
+ - COSIGN_EXPERIMENTAL=1
+ certificate: '${artifact}.pem'
+ output: true
+ args:
+ - sign-blob
+ - '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
+ - '--output-certificate=${certificate}'
+ - '--output-signature=${signature}'
+ - '${artifact}'
 artifacts: sbom

 docker_signs:
-- artifacts: manifests
- stdin: '{{ .Env.COSIGN_PWD }}'
+- cmd: cosign
+ env:
+ - COSIGN_EXPERIMENTAL=1
+ artifacts: manifests
+ output: true
+ args:
+ - 'sign'
+ - '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
+ - '${artifact}'

 publishers:
 - name: fury.io 
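Review bot: The `permissions` block is added at workflow level, so `contents: write`, `id-token: write` and `packages: write` are granted to every job in build.yml, including `goreleaser-check-pkgs` in the context below and any job started by the `pull_request` trigger above. Only the job that runs goreleaser needs them — `id-token: write` is what lets that job obtain the OIDC token cosign exchanges for a signing certificate — so move the block under that job (its definition is outside the hunk) and leave the other jobs on the default read-only grant. A short comment such as `# id-token: write is required for cosign keyless signing` would record why the non-default grant exists.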
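Review bot: `artifacts: checksum` is removed from the first `signs` entry and nothing replaces it, while the second entry still sets `artifacts: sbom` and `docker_signs` sets `artifacts: manifests`; unless goreleaser defaults an unset `artifacts` to the checksum file, the checksum file will no longer be signed, yet the install docs in this same commit tell users to download `checksums.txt.sig` and `checksums.txt.pem`. Restoring `artifacts: checksum` on that entry (or confirming the default covers it) keeps the documented verification working. Because trust now rests on a Fulcio-issued certificate rather than a pinned key, the docs should also state the issuer and signer identity the certificate is expected to carry, so verifiers can check it instead of accepting any certificate. The same docs write `checksum.txt.pem` in the download sentence while the `wget` line fetches `checksums.txt.pem`.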
@@ -231,17 +253,15 @@ milestones: - close: true release: - extra_files: - - glob: ./cosign.pub footer: | **Full Changelog**: https://github.com/goreleaser/goreleaser/compare/{{ .PreviousTag }}...{{ .Tag }} ## What to do next? - - Check out the [GoReleaser Pro](https://goreleaser.com/pro) distribution; - - Join our [Discord server](https://discord.gg/RGEBtg8vQ6); - - Follow us on [Twitter](https://twitter.com/goreleaser); - - Read the [documentation](https://goreleaser.com/intro/). + - Read the [documentation](https://goreleaser.com/intro/) + - Check out the [GoReleaser Pro](https://goreleaser.com/pro) distribution + - Join our [Discord server](https://discord.gg/RGEBtg8vQ6) + - Follow us on [Twitter](https://twitter.com/goreleaser) announce: skip: "{{gt .Patch 0}}" diff --git a/cosign.key b/cosign.key deleted file mode 100644 index e4c6b3936..000000000 --- a/cosign.key +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN ENCRYPTED COSIGN PRIVATE KEY----- -eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6 -OCwicCI6MX0sInNhbHQiOiJtUWdJMGhQZTVLdDlkMVFYTEE0YXcrTHArZzZFWnVP -MmJnOElMUXg1RVFjPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94 -Iiwibm9uY2UiOiJXeU5xVmRGTlk0YlZYMEdEK0lnTHZjZ3ZwN0Ribno5eCJ9LCJj -aXBoZXJ0ZXh0IjoiSUhMa2lBV0xtK0hUQUFrUXFKdE5vWmNVQlJTblBRYWxhY3hG -UlZTVjNOcWhMTUFPeXZndGx0MUlZVGZCTnJJTmhwYU1LZHRsazEyN1FSWEVRZUl2 -TDBTNFp6OElsUGZkMkR3U1B1ejQ2L3RxWEFLRld0YURRbEhLemhLK1BYUC9qU2Yv -aDdMTWh6Tms1V0FtK091bHBOL09ScDBicVhRYkQ1WnBpYVZoRno3RlFHVHIvNTFr -OXBrdlNDaWhQM1A0SUNZOE02T2pHaU1Ecnc9PSJ9 ------END ENCRYPTED COSIGN PRIVATE KEY----- diff --git a/cosign.pub b/cosign.pub deleted file mode 100644 index e98dc206b..000000000 --- a/cosign.pub +++ /dev/null @@ -1,4 +0,0 @@ ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1cDYntBbC5z3yV9Os6R6VdYAF2yt -0tjp4kg12QbnN95kv2m1WTmwg4TBRd4bwYCfhCyEEJEAWAUGsWtFflzl5g== ------END PUBLIC KEY----- diff --git a/www/docs/install.md b/www/docs/install.md index ef843f3ba..3b5c0f98e 100644 
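Review bot: Dropping `extra_files: - glob: ./cosign.pub` stops shipping the public key with new releases, but every release published before this commit is still signed with that key, and the matching `cosign.key` deleted in this commit stays recoverable from git history. Users verifying older versions should be told where the previous public key can still be obtained, and since the encrypted private key remains in history, the passphrase held in the `COSIGN_PWD` secret should be removed from the repository settings once the keyless flow is confirmed working.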
--- a/www/docs/install.md +++ b/www/docs/install.md @@ -128,23 +128,24 @@ Below you can find the steps for each of them. === "Pro" Download the pre-compiled binaries from the [Pro releases page][pro-releases] and copy them to the desired location. -## Verifying the binaries +## Verifying the artifacts + +### binaries All artifacts are checksummed and the checksum file is signed with [cosign][]. -You can verify it using [our public key](https://goreleaser.com/static/goreleaser.pub). - === "OSS" - 1. Download the files you want, and both the `checksums.txt` and `checksums.txt.sig` files from the [releases][releases] page: + 1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig` files from the [releases][releases] page: ```sh wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.sig + wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.pem ``` 1. Verify the signature: ```sh cosign verify-blob \ - -key https://goreleaser.com/static/goreleaser.pub \ - -signature checksums.txt.sig \ + --cert checksums.txt.pem \ + --signature checksums.txt.sig \ checksums.txt ``` 1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary: 
@@ -153,16 +154,17 @@ You can verify it using [our public key](https://goreleaser.com/static/gorelease ``` === "Pro" - 1. Download the files you want, and both the `checksums.txt` and `checksums.txt.sig` files from the [releases][pro-releases] page: + 1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig` files from the [releases][pro-releases] page: ```sh wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt.sig + wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt.pem ``` 1. Verify the signature: ```sh cosign verify-blob \ - -key https://goreleaser.com/static/goreleaser.pub \ - -signature checksums.txt.sig \ + --cert checksums.txt.pem \ + --signature checksums.txt.sig \ checksums.txt ``` 1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary: 
@@ -170,28 +172,25 @@ You can verify it using [our public key](https://goreleaser.com/static/gorelease sha256sum --ignore-missing -c checksums.txt ``` -## Verifying docker images +### docker images -Our Docker image is signed with [cosign][]. +Our Docker images are signed with [cosign][]. -You can verify it using [our public key](https://goreleaser.com/static/goreleaser.pub). +Verify the signatures: === "OSS" - Verify the signatures: ```sh - cosign verify \ - -key https://goreleaser.com/static/goreleaser.pub \ - goreleaser/goreleaser + COSIGN_EXPERIMENTAL=1 cosign verify goreleaser/goreleaser ``` === "Pro" - Verify the signatures: ```sh - cosign verify \ - -key https://goreleaser.com/static/goreleaser.pub \ - goreleaser/goreleaser-pro + COSIGN_EXPERIMENTAL=1 cosign verify goreleaser/goreleaser-pro ``` +!!! info + The `.pem` and `.sig` files are the image `name:tag`, replacing `/` and `:` with `-`. + ## Running with Docker You can also use it within a Docker container. diff --git a/www/docs/static/goreleaser.pub b/www/docs/static/goreleaser.pub deleted file mode 100644 index e98dc206b..000000000 --- a/www/docs/static/goreleaser.pub +++ /dev/null @@ -1,4 +0,0 @@ ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1cDYntBbC5z3yV9Os6R6VdYAF2yt -0tjp4kg12QbnN95kv2m1WTmwg4TBRd4bwYCfhCyEEJEAWAUGsWtFflzl5g== ------END PUBLIC KEY-----