mirror of https://github.com/goreleaser/goreleaser.git synced 2025-01-04 03:11:55 +02:00

feat: keyless signing (#2716)

* feat: keyless signing

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* fix: perms

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* fix: rm old pubkey

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* docs: missing experimental flag

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* docs: true keyless

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* docs: improve install

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* fix: simplifying

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* docs: improvements

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* docs: improvements

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* docs: trying to improve docs

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* fix: config

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* fix: package write

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>
Carlos Alexandro Becker 2021-12-16 13:43:11 -03:00 committed by GitHub
parent 994cbb47c3
commit 505888f41b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 57 additions and 52 deletions

View File

@ -8,6 +8,11 @@ on:
- 'v*' - 'v*'
pull_request: pull_request:
permissions:
contents: write
id-token: write
packages: write
jobs: jobs:
goreleaser-check-pkgs: goreleaser-check-pkgs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
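Review bot: `id-token: write` (together with `contents: write` and `packages: write`) is added at the top level of the workflow, so every job in the file, including the `goreleaser-check-pkgs` job shown right below it, can mint an OIDC token that Fulcio will exchange for a signing certificate in the release workflow's identity; only the job that runs the signing step needs that. Move the `permissions:` block under that job and leave the workflow-level default read-only, so a compromised step in an unrelated job cannot obtain a certificate for the release identity.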

View File

@ -206,18 +206,40 @@ sboms:
signs: signs:
- cmd: cosign - cmd: cosign
stdin: '{{ .Env.COSIGN_PWD }}' env:
args: ["sign-blob", "-key=cosign.key", "-output=${signature}", "${artifact}"] - COSIGN_EXPERIMENTAL=1
artifacts: checksum certificate: '${artifact}.pem'
output: true
args:
- sign-blob
- '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
- '--output-certificate=${certificate}'
- '--output-signature=${signature}'
- '${artifact}'
- id: sign-sboms - id: sign-sboms
cmd: cosign cmd: cosign
stdin: '{{ .Env.COSIGN_PWD }}' env:
args: ["sign-blob", "-key=cosign.key", "-output=${signature}", "${artifact}"] - COSIGN_EXPERIMENTAL=1
certificate: '${artifact}.pem'
output: true
args:
- sign-blob
- '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
- '--output-certificate=${certificate}'
- '--output-signature=${signature}'
- '${artifact}'
artifacts: sbom artifacts: sbom
docker_signs: docker_signs:
- artifacts: manifests - cmd: cosign
stdin: '{{ .Env.COSIGN_PWD }}' env:
- COSIGN_EXPERIMENTAL=1
artifacts: manifests
output: true
args:
- 'sign'
- '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
- '${artifact}'
publishers: publishers:
- name: fury.io - name: fury.io
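Review bot: the issuer selection in `--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}` keys on the generic `CI` variable, so any non-GitHub CI system that sets `CI`, or a developer with `CI` exported locally, is pointed at the GitHub Actions token issuer and fails, while the fallback issuer starts an interactive browser login; testing `GITHUB_ACTIONS` instead of `CI` would make the intent explicit. The identical `args` block is now repeated three times (checksum, SBOM and image signing) and will drift; a short comment above the first copy explaining the issuer switch would help, and the commit message or docs should record that the `stdin: '{{ .Env.COSIGN_PWD }}'` / `-key=cosign.key` flow is fully retired so nobody re-adds it.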
@ -231,17 +253,15 @@ milestones:
- close: true - close: true
release: release:
extra_files:
- glob: ./cosign.pub
footer: | footer: |
**Full Changelog**: https://github.com/goreleaser/goreleaser/compare/{{ .PreviousTag }}...{{ .Tag }} **Full Changelog**: https://github.com/goreleaser/goreleaser/compare/{{ .PreviousTag }}...{{ .Tag }}
## What to do next? ## What to do next?
- Check out the [GoReleaser Pro](https://goreleaser.com/pro) distribution; - Read the [documentation](https://goreleaser.com/intro/)
- Join our [Discord server](https://discord.gg/RGEBtg8vQ6); - Check out the [GoReleaser Pro](https://goreleaser.com/pro) distribution
- Follow us on [Twitter](https://twitter.com/goreleaser); - Join our [Discord server](https://discord.gg/RGEBtg8vQ6)
- Read the [documentation](https://goreleaser.com/intro/). - Follow us on [Twitter](https://twitter.com/goreleaser)
announce: announce:
skip: "{{gt .Patch 0}}" skip: "{{gt .Patch 0}}"
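Review bot: removing `- glob: ./cosign.pub` from `extra_files` is the right consequence of going keyless (new releases have no static key to ship), but the footer edits in the same hunk (reordering the list and dropping the trailing `;` and `.` punctuation) are unrelated to signing and would be clearer as a separate docs commit.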

View File

@ -1,11 +0,0 @@
-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----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-----END ENCRYPTED COSIGN PRIVATE KEY-----
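Review bot: deleting `cosign.key` removes the encrypted private key from the tree but not from git history, so it should be treated as retired rather than secret: this commit stops using it, and the `COSIGN_PWD` passphrase secret (its only remaining consumer was the removed `stdin` lines in the `signs` section) should be deleted from the repository settings and never reused, since the encrypted blob stays available for offline guessing.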

View File

@ -1,4 +0,0 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1cDYntBbC5z3yV9Os6R6VdYAF2yt
0tjp4kg12QbnN95kv2m1WTmwg4TBRd4bwYCfhCyEEJEAWAUGsWtFflzl5g==
-----END PUBLIC KEY-----

View File

@ -128,23 +128,24 @@ Below you can find the steps for each of them.
=== "Pro" === "Pro"
Download the pre-compiled binaries from the [Pro releases page][pro-releases] and copy them to the desired location. Download the pre-compiled binaries from the [Pro releases page][pro-releases] and copy them to the desired location.
## Verifying the binaries ## Verifying the artifacts
### binaries
All artifacts are checksummed and the checksum file is signed with [cosign][]. All artifacts are checksummed and the checksum file is signed with [cosign][].
You can verify it using [our public key](https://goreleaser.com/static/goreleaser.pub).
=== "OSS" === "OSS"
1. Download the files you want, and both the `checksums.txt` and `checksums.txt.sig` files from the [releases][releases] page: 1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig` files from the [releases][releases] page:
```sh ```sh
wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt
wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.sig wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.sig
wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.pem
``` ```
1. Verify the signature: 1. Verify the signature:
```sh ```sh
cosign verify-blob \ cosign verify-blob \
-key https://goreleaser.com/static/goreleaser.pub \ --cert checksums.txt.pem \
-signature checksums.txt.sig \ --signature checksums.txt.sig \
checksums.txt checksums.txt
``` ```
1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary: 1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
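Review bot: step 1 of the OSS tab names the file `checksum.txt.pem` while the `wget` line below it fetches `checksums.txt.pem` (plural); the prose should use the actual asset name. The `cosign verify-blob --cert checksums.txt.pem --signature checksums.txt.sig checksums.txt` step also only proves that the signature matches the certificate shipped beside it; for keyless signing the reader must additionally confirm that the certificate was issued to the GoReleaser release workflow, so the docs should state which subject and issuer to expect and how to inspect the certificate, and should say whether `COSIGN_EXPERIMENTAL=1` (used for the Docker commands in this same change) is needed here for the transparency-log check.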
@ -153,16 +154,17 @@ You can verify it using [our public key](https://goreleaser.com/static/gorelease
``` ```
=== "Pro" === "Pro"
1. Download the files you want, and both the `checksums.txt` and `checksums.txt.sig` files from the [releases][pro-releases] page: 1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig` files from the [releases][pro-releases] page:
```sh ```sh
wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt
wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt.sig wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt.sig
wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt.pem
``` ```
1. Verify the signature: 1. Verify the signature:
```sh ```sh
cosign verify-blob \ cosign verify-blob \
-key https://goreleaser.com/static/goreleaser.pub \ --cert checksums.txt.pem \
-signature checksums.txt.sig \ --signature checksums.txt.sig \
checksums.txt checksums.txt
``` ```
1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary: 1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
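Review bot: same `checksum.txt.pem` versus `checksums.txt.pem` mismatch as in the OSS tab; the Pro `wget` line fetches `checksums.txt.pem`, so the prose should use that name. The caveat that `verify-blob --cert` alone does not pin the signer identity applies to this tab as well.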
@ -170,28 +172,25 @@ You can verify it using [our public key](https://goreleaser.com/static/gorelease
sha256sum --ignore-missing -c checksums.txt sha256sum --ignore-missing -c checksums.txt
``` ```
## Verifying docker images ### docker images
Our Docker image is signed with [cosign][]. Our Docker images are signed with [cosign][].
You can verify it using [our public key](https://goreleaser.com/static/goreleaser.pub). Verify the signatures:
=== "OSS" === "OSS"
Verify the signatures:
```sh ```sh
cosign verify \ COSIGN_EXPERIMENTAL=1 cosign verify goreleaser/goreleaser
-key https://goreleaser.com/static/goreleaser.pub \
goreleaser/goreleaser
``` ```
=== "Pro" === "Pro"
Verify the signatures:
```sh ```sh
cosign verify \ COSIGN_EXPERIMENTAL=1 cosign verify goreleaser/goreleaser-pro
-key https://goreleaser.com/static/goreleaser.pub \
goreleaser/goreleaser-pro
``` ```
!!! info
The `.pem` and `.sig` files are the image `name:tag`, replacing `/` and `:` with `-`.
## Running with Docker ## Running with Docker
You can also use it within a Docker container. You can also use it within a Docker container.
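Review bot: `COSIGN_EXPERIMENTAL=1 cosign verify goreleaser/goreleaser` (and the `goreleaser/goreleaser-pro` counterpart) verifies whatever the default tag resolves to at that moment, not the image the reader actually pulled; document verifying a specific tag or, better, a digest, and tell the reader to compare the certificate subject and issuer printed in the verify output with the expected workflow identity. The `!!! info` admonition about `.pem` and `.sig` file names appears to sit inside the Pro tab in this diff; if it applies to both editions it should be dedented out of the tabs.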

View File

@ -1,4 +0,0 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1cDYntBbC5z3yV9Os6R6VdYAF2yt
0tjp4kg12QbnN95kv2m1WTmwg4TBRd4bwYCfhCyEEJEAWAUGsWtFflzl5g==
-----END PUBLIC KEY-----
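Review bot: this is the key served at https://goreleaser.com/static/goreleaser.pub, the URL the removed docs lines above told users to pass to `cosign verify-blob -key`; deleting it breaks verification of every release published before this commit, whose signatures were made with that key. Keep the key available (with a note on the last version it applies to) and state in the install docs from which version the keyless certificate-based verification applies.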