feat: keyless signing (#2716)
* feat: keyless signing Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * fix: perms Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * fix: rm old pubkey Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * docs: missing experimental flag Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * docs: true keyless Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * docs: improve install Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * fix: simplifying Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * docs: improvements Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * docs: improvements Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * docs: trying to improve docs Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * fix: config Signed-off-by: Carlos A Becker <caarlos0@gmail.com> * fix: package write Signed-off-by: Carlos A Becker <caarlos0@gmail.com>
This commit is contained in:
parent
994cbb47c3
commit
505888f41b
5
.github/workflows/build.yml
@ -8,6 +8,11 @@ on:
|
||||
- 'v*'
|
||||
pull_request:
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
id-token: write
|
||||
packages: write
|
||||
|
||||
jobs:
|
||||
goreleaser-check-pkgs:
|
||||
runs-on: ubuntu-latest
|
||||
|
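Review bot: The new `permissions:` block at lines 28–37 sits at workflow level, so `contents: write`, `id-token: write` and `packages: write` are granted to every job in the file, including `goreleaser-check-pkgs`, which from the visible lines only needs to check out the repository. Only the job that actually runs the release needs the OIDC token and push rights, so the block should move under that job (or the top level should keep a read-only default and override per job) to keep the remaining jobs at least privilege. `id-token: write` is the grant that lets cosign mint a Sigstore certificate bound to this workflow's identity, which deserves a comment such as `# id-token: write lets cosign obtain an OIDC token for keyless signing` above it. The other jobs in this workflow are outside the hunk.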
@ -206,18 +206,40 @@ sboms:
|
||||
|
||||
signs:
|
||||
- cmd: cosign
|
||||
stdin: '{{ .Env.COSIGN_PWD }}'
|
||||
args: ["sign-blob", "-key=cosign.key", "-output=${signature}", "${artifact}"]
|
||||
artifacts: checksum
|
||||
env:
|
||||
- COSIGN_EXPERIMENTAL=1
|
||||
certificate: '${artifact}.pem'
|
||||
output: true
|
||||
args:
|
||||
- sign-blob
|
||||
- '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
|
||||
- '--output-certificate=${certificate}'
|
||||
- '--output-signature=${signature}'
|
||||
- '${artifact}'
|
||||
- id: sign-sboms
|
||||
cmd: cosign
|
||||
stdin: '{{ .Env.COSIGN_PWD }}'
|
||||
args: ["sign-blob", "-key=cosign.key", "-output=${signature}", "${artifact}"]
|
||||
env:
|
||||
- COSIGN_EXPERIMENTAL=1
|
||||
certificate: '${artifact}.pem'
|
||||
output: true
|
||||
args:
|
||||
- sign-blob
|
||||
- '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
|
||||
- '--output-certificate=${certificate}'
|
||||
- '--output-signature=${signature}'
|
||||
- '${artifact}'
|
||||
artifacts: sbom
|
||||
|
||||
docker_signs:
|
||||
- artifacts: manifests
|
||||
stdin: '{{ .Env.COSIGN_PWD }}'
|
||||
- cmd: cosign
|
||||
env:
|
||||
- COSIGN_EXPERIMENTAL=1
|
||||
artifacts: manifests
|
||||
output: true
|
||||
args:
|
||||
- 'sign'
|
||||
- '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
|
||||
- '${artifact}'
|
||||
|
||||
publishers:
|
||||
- name: fury.io
|
||||
@ -231,17 +253,15 @@ milestones:
|
||||
- close: true
|
||||
|
||||
release:
|
||||
extra_files:
|
||||
- glob: ./cosign.pub
|
||||
footer: |
|
||||
**Full Changelog**: https://github.com/goreleaser/goreleaser/compare/{{ .PreviousTag }}...{{ .Tag }}
|
||||
|
||||
## What to do next?
|
||||
|
||||
- Check out the [GoReleaser Pro](https://goreleaser.com/pro) distribution;
|
||||
- Join our [Discord server](https://discord.gg/RGEBtg8vQ6);
|
||||
- Follow us on [Twitter](https://twitter.com/goreleaser);
|
||||
- Read the [documentation](https://goreleaser.com/intro/).
|
||||
- Read the [documentation](https://goreleaser.com/intro/)
|
||||
- Check out the [GoReleaser Pro](https://goreleaser.com/pro) distribution
|
||||
- Join our [Discord server](https://discord.gg/RGEBtg8vQ6)
|
||||
- Follow us on [Twitter](https://twitter.com/goreleaser)
|
||||
|
||||
announce:
|
||||
skip: "{{gt .Patch 0}}"
|
||||
|
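Review bot: The `--oidc-issuer` template on lines 90, 132 and 179 falls back to `https://oauth2.sigstore.dev/auth` whenever `CI` is unset, so a release run from a developer machine would emit signatures and certificates bound to whatever personal identity completes the interactive login, laid out identically to the CI-issued ones. The verification steps added to the docs in this commit (`cosign verify-blob --cert checksums.txt.pem --signature checksums.txt.sig checksums.txt` and `COSIGN_EXPERIMENTAL=1 cosign verify goreleaser/goreleaser`) do not pin an expected certificate identity, so any valid Sigstore certificate would satisfy them; the documented procedure should state the expected signer (the release workflow) and issuer `https://token.actions.githubusercontent.com` and check them with whatever identity-matching options the installed cosign provides. A comment above the first `signs` entry, `# keyless: identity comes from the GitHub Actions OIDC token when CI is set, otherwise from an interactive Sigstore login`, would make the fallback explicit. Dropping `stdin: '{{ .Env.COSIGN_PWD }}'` means the passphrase is no longer consumed here, but the encrypted `cosign.key` removed in this commit remains reachable in repository history, so the `COSIGN_PWD` secret should also be deleted from the repository settings rather than left in place.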
11
cosign.key
@ -1,11 +0,0 @@
|
||||
-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----
|
||||
eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6
|
||||
OCwicCI6MX0sInNhbHQiOiJtUWdJMGhQZTVLdDlkMVFYTEE0YXcrTHArZzZFWnVP
|
||||
MmJnOElMUXg1RVFjPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
|
||||
Iiwibm9uY2UiOiJXeU5xVmRGTlk0YlZYMEdEK0lnTHZjZ3ZwN0Ribno5eCJ9LCJj
|
||||
aXBoZXJ0ZXh0IjoiSUhMa2lBV0xtK0hUQUFrUXFKdE5vWmNVQlJTblBRYWxhY3hG
|
||||
UlZTVjNOcWhMTUFPeXZndGx0MUlZVGZCTnJJTmhwYU1LZHRsazEyN1FSWEVRZUl2
|
||||
TDBTNFp6OElsUGZkMkR3U1B1ejQ2L3RxWEFLRld0YURRbEhLemhLK1BYUC9qU2Yv
|
||||
aDdMTWh6Tms1V0FtK091bHBOL09ScDBicVhRYkQ1WnBpYVZoRno3RlFHVHIvNTFr
|
||||
OXBrdlNDaWhQM1A0SUNZOE02T2pHaU1Ecnc9PSJ9
|
||||
-----END ENCRYPTED COSIGN PRIVATE KEY-----
|
@ -1,4 +0,0 @@
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1cDYntBbC5z3yV9Os6R6VdYAF2yt
|
||||
0tjp4kg12QbnN95kv2m1WTmwg4TBRd4bwYCfhCyEEJEAWAUGsWtFflzl5g==
|
||||
-----END PUBLIC KEY-----
|
@ -128,23 +128,24 @@ Below you can find the steps for each of them.
|
||||
=== "Pro"
|
||||
Download the pre-compiled binaries from the [Pro releases page][pro-releases] and copy them to the desired location.
|
||||
|
||||
## Verifying the binaries
|
||||
## Verifying the artifacts
|
||||
|
||||
### binaries
|
||||
|
||||
All artifacts are checksummed and the checksum file is signed with [cosign][].
|
||||
|
||||
You can verify it using [our public key](https://goreleaser.com/static/goreleaser.pub).
|
||||
|
||||
=== "OSS"
|
||||
1. Download the files you want, and both the `checksums.txt` and `checksums.txt.sig` files from the [releases][releases] page:
|
||||
1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig` files from the [releases][releases] page:
|
||||
```sh
|
||||
wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt
|
||||
wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.sig
|
||||
wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.pem
|
||||
```
|
||||
1. Verify the signature:
|
||||
```sh
|
||||
cosign verify-blob \
|
||||
-key https://goreleaser.com/static/goreleaser.pub \
|
||||
-signature checksums.txt.sig \
|
||||
--cert checksums.txt.pem \
|
||||
--signature checksums.txt.sig \
|
||||
checksums.txt
|
||||
```
|
||||
1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
|
||||
@ -153,16 +154,17 @@ You can verify it using [our public key](https://goreleaser.com/static/gorelease
|
||||
```
|
||||
|
||||
=== "Pro"
|
||||
1. Download the files you want, and both the `checksums.txt` and `checksums.txt.sig` files from the [releases][pro-releases] page:
|
||||
1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig` files from the [releases][pro-releases] page:
|
||||
```sh
|
||||
wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt
|
||||
wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt.sig
|
||||
wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt.pem
|
||||
```
|
||||
1. Verify the signature:
|
||||
```sh
|
||||
cosign verify-blob \
|
||||
-key https://goreleaser.com/static/goreleaser.pub \
|
||||
-signature checksums.txt.sig \
|
||||
--cert checksums.txt.pem \
|
||||
--signature checksums.txt.sig \
|
||||
checksums.txt
|
||||
```
|
||||
1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
|
||||
@ -170,28 +172,25 @@ You can verify it using [our public key](https://goreleaser.com/static/gorelease
|
||||
sha256sum --ignore-missing -c checksums.txt
|
||||
```
|
||||
|
||||
## Verifying docker images
|
||||
### docker images
|
||||
|
||||
Our Docker image is signed with [cosign][].
|
||||
Our Docker images are signed with [cosign][].
|
||||
|
||||
You can verify it using [our public key](https://goreleaser.com/static/goreleaser.pub).
|
||||
Verify the signatures:
|
||||
|
||||
=== "OSS"
|
||||
Verify the signatures:
|
||||
```sh
|
||||
cosign verify \
|
||||
-key https://goreleaser.com/static/goreleaser.pub \
|
||||
goreleaser/goreleaser
|
||||
COSIGN_EXPERIMENTAL=1 cosign verify goreleaser/goreleaser
|
||||
```
|
||||
|
||||
=== "Pro"
|
||||
Verify the signatures:
|
||||
```sh
|
||||
cosign verify \
|
||||
-key https://goreleaser.com/static/goreleaser.pub \
|
||||
goreleaser/goreleaser-pro
|
||||
COSIGN_EXPERIMENTAL=1 cosign verify goreleaser/goreleaser-pro
|
||||
```
|
||||
|
||||
!!! info
|
||||
The `.pem` and `.sig` files are the image `name:tag`, replacing `/` and `:` with `-`.
|
||||
|
||||
## Running with Docker
|
||||
|
||||
You can also use it within a Docker container.
|
||||
|
4
www/docs/static/goreleaser.pub
@ -1,4 +0,0 @@
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1cDYntBbC5z3yV9Os6R6VdYAF2yt
|
||||
0tjp4kg12QbnN95kv2m1WTmwg4TBRd4bwYCfhCyEEJEAWAUGsWtFflzl5g==
|
||||
-----END PUBLIC KEY-----
|