mirror of https://github.com/goreleaser/goreleaser.git synced 2025-01-04 03:11:55 +02:00

feat: keyless signing (#2716)

* feat: keyless signing

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* fix: perms

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* fix: rm old pubkey

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* docs: missing experimental flag

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* docs: true keyless

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* docs: improve install

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* fix: simplifying

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* docs: improvements

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* docs: improvements

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* docs: trying to improve docs

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* fix: config

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

* fix: package write

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>
This commit is contained in:
Carlos Alexandro Becker 2021-12-16 13:43:11 -03:00 committed by GitHub
parent 994cbb47c3
commit 505888f41b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 57 additions and 52 deletions

View File

@ -8,6 +8,11 @@ on:
- 'v*'
pull_request:
permissions:
contents: write
id-token: write
packages: write
jobs:
goreleaser-check-pkgs:
runs-on: ubuntu-latest
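Review bot: the new `id-token: write` and `packages: write` grants are declared at workflow level, next to `contents: write`, so every job in this workflow (including `goreleaser-check-pkgs`, which only checks packages) receives an OIDC token and package-push rights. Only the job that runs the keyless `cosign` signing and pushes images needs them; consider moving the `permissions:` block under that job so the check job keeps the default read-only token.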

View File

@ -206,18 +206,40 @@ sboms:
signs:
- cmd: cosign
stdin: '{{ .Env.COSIGN_PWD }}'
args: ["sign-blob", "-key=cosign.key", "-output=${signature}", "${artifact}"]
artifacts: checksum
env:
- COSIGN_EXPERIMENTAL=1
certificate: '${artifact}.pem'
output: true
args:
- sign-blob
- '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
- '--output-certificate=${certificate}'
- '--output-signature=${signature}'
- '${artifact}'
- id: sign-sboms
cmd: cosign
stdin: '{{ .Env.COSIGN_PWD }}'
args: ["sign-blob", "-key=cosign.key", "-output=${signature}", "${artifact}"]
env:
- COSIGN_EXPERIMENTAL=1
certificate: '${artifact}.pem'
output: true
args:
- sign-blob
- '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
- '--output-certificate=${certificate}'
- '--output-signature=${signature}'
- '${artifact}'
artifacts: sbom
docker_signs:
- artifacts: manifests
stdin: '{{ .Env.COSIGN_PWD }}'
- cmd: cosign
env:
- COSIGN_EXPERIMENTAL=1
artifacts: manifests
output: true
args:
- 'sign'
- '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
- '${artifact}'
publishers:
- name: fury.io
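Review bot: the `--oidc-issuer` template selects the GitHub Actions issuer whenever `.Env "CI"` is set, but `CI` is exported by most CI providers, not only GitHub Actions, so a run on any other CI would request a certificate from the wrong issuer; keying on `GITHUB_ACTIONS` (which GitHub Actions sets to `true`) would express the intent more precisely. The same issuer template is now repeated three times (checksum signs, `sign-sboms`, and `docker_signs`); a single YAML anchor or a documented env var would keep them from drifting apart, and `output: true` means the cosign output, including the certificate details, lands in the release logs, which is useful for auditing but worth a comment.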
@ -231,17 +253,15 @@ milestones:
- close: true
release:
extra_files:
- glob: ./cosign.pub
footer: |
**Full Changelog**: https://github.com/goreleaser/goreleaser/compare/{{ .PreviousTag }}...{{ .Tag }}
## What to do next?
- Check out the [GoReleaser Pro](https://goreleaser.com/pro) distribution;
- Join our [Discord server](https://discord.gg/RGEBtg8vQ6);
- Follow us on [Twitter](https://twitter.com/goreleaser);
- Read the [documentation](https://goreleaser.com/intro/).
- Read the [documentation](https://goreleaser.com/intro/)
- Check out the [GoReleaser Pro](https://goreleaser.com/pro) distribution
- Join our [Discord server](https://discord.gg/RGEBtg8vQ6)
- Follow us on [Twitter](https://twitter.com/goreleaser)
announce:
skip: "{{gt .Patch 0}}"
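Review bot: dropping `- glob: ./cosign.pub` from `extra_files` is the right consequence of going keyless, but the reordering of the footer list (documentation first, semicolons removed) is unrelated to this feature and would be easier to review as its own commit.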

View File

@ -1,11 +0,0 @@
-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----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-----END ENCRYPTED COSIGN PRIVATE KEY-----
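Review bot: deleting `cosign.key` from the tree does not remove it from git history, so the encrypted key material stays retrievable; treat the key as retired rather than merely unused. Since the `stdin: '{{ .Env.COSIGN_PWD }}'` lines are gone from the signing config, the `COSIGN_PWD` secret should also be deleted from the repository settings so the password that protects this archived key is no longer held anywhere.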

View File

@ -1,4 +0,0 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1cDYntBbC5z3yV9Os6R6VdYAF2yt
0tjp4kg12QbnN95kv2m1WTmwg4TBRd4bwYCfhCyEEJEAWAUGsWtFflzl5g==
-----END PUBLIC KEY-----

View File

@ -128,23 +128,24 @@ Below you can find the steps for each of them.
=== "Pro"
Download the pre-compiled binaries from the [Pro releases page][pro-releases] and copy them to the desired location.
## Verifying the binaries
## Verifying the artifacts
### binaries
All artifacts are checksummed and the checksum file is signed with [cosign][].
You can verify it using [our public key](https://goreleaser.com/static/goreleaser.pub).
=== "OSS"
1. Download the files you want, and both the `checksums.txt` and `checksums.txt.sig` files from the [releases][releases] page:
1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig` files from the [releases][releases] page:
```sh
wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt
wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.sig
wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.pem
```
1. Verify the signature:
```sh
cosign verify-blob \
-key https://goreleaser.com/static/goreleaser.pub \
-signature checksums.txt.sig \
--cert checksums.txt.pem \
--signature checksums.txt.sig \
checksums.txt
```
1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
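Review bot: the download step's prose lists `checksum.txt.pem`, while the `wget` line and the `cosign verify-blob --cert` argument use `checksums.txt.pem`; make the filename consistent so users fetch the file the verify command expects. Also, the docker verification steps in this same change set `COSIGN_EXPERIMENTAL=1` while this `verify-blob` step does not; please confirm on the cosign version being targeted that keyless blob verification works without it, or mirror the docker section. Finally, with a keyless signature a valid certificate only proves that some identity obtained it from the Sigstore CA, so the docs should tell readers which signer identity (this repository's release workflow) they should expect to see in `checksums.txt.pem`.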
@ -153,16 +154,17 @@ You can verify it using [our public key](https://goreleaser.com/static/gorelease
```
=== "Pro"
1. Download the files you want, and both the `checksums.txt` and `checksums.txt.sig` files from the [releases][pro-releases] page:
1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig` files from the [releases][pro-releases] page:
```sh
wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt
wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt.sig
wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt.pem
```
1. Verify the signature:
```sh
cosign verify-blob \
-key https://goreleaser.com/static/goreleaser.pub \
-signature checksums.txt.sig \
--cert checksums.txt.pem \
--signature checksums.txt.sig \
checksums.txt
```
1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
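Review bot: same filename mismatch as the OSS tab: the prose says `checksum.txt.pem` but the `wget` and `cosign verify-blob --cert` lines use `checksums.txt.pem`. The Pro and OSS verification steps are now identical apart from the download URL; a shared snippet would avoid fixing typos like this one twice.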
@ -170,28 +172,25 @@ You can verify it using [our public key](https://goreleaser.com/static/gorelease
sha256sum --ignore-missing -c checksums.txt
```
## Verifying docker images
### docker images
Our Docker image is signed with [cosign][].
Our Docker images are signed with [cosign][].
You can verify it using [our public key](https://goreleaser.com/static/goreleaser.pub).
Verify the signatures:
=== "OSS"
Verify the signatures:
```sh
cosign verify \
-key https://goreleaser.com/static/goreleaser.pub \
goreleaser/goreleaser
COSIGN_EXPERIMENTAL=1 cosign verify goreleaser/goreleaser
```
=== "Pro"
Verify the signatures:
```sh
cosign verify \
-key https://goreleaser.com/static/goreleaser.pub \
goreleaser/goreleaser-pro
COSIGN_EXPERIMENTAL=1 cosign verify goreleaser/goreleaser-pro
```
!!! info
The `.pem` and `.sig` files are the image `name:tag`, replacing `/` and `:` with `-`.
## Running with Docker
You can also use it within a Docker container.
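Review bot: `COSIGN_EXPERIMENTAL=1 cosign verify goreleaser/goreleaser` verifies that a signature exists with a Fulcio certificate and a transparency-log entry, but without stating the expected signer identity the reader cannot tell a signature from this project's GitHub Actions workflow apart from one issued to any other identity; add a sentence naming the identity and issuer (`https://token.actions.githubusercontent.com`, as configured in `docker_signs`) that a verifier should check in the certificate. The `!!! info` note about `.pem` and `.sig` files named after the image `name:tag` describes release assets that the new `docker_signs` block (no `certificate:` or `signature:` outputs for manifests) does not appear to produce; confirm it still applies or drop it.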

View File

@ -1,4 +0,0 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1cDYntBbC5z3yV9Os6R6VdYAF2yt
0tjp4kg12QbnN95kv2m1WTmwg4TBRd4bwYCfhCyEEJEAWAUGsWtFflzl5g==
-----END PUBLIC KEY-----
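Review bot: this file was served as `https://goreleaser.com/static/goreleaser.pub`, the URL the pre-change install docs point users to for verifying checksums and images; removing it breaks verification for every release published before this commit, whose `checksums.txt.sig` was produced with the old key. Keep the public key available at that URL (or an archived path) with a note that it applies only to releases before keyless signing was introduced.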