mirror of https://github.com/goreleaser/goreleaser.git synced 2025-11-29 23:07:42 +02:00

feat: use digest to sign docker images/manifests (#3556)

this drives it home by using the actual images/manifest digests to sign
with cosign by default.

the default signing command is changing in this PR, but since `digest`
should be always there (if not, the pipeline will fail way earlier), it
should be fine.

refs https://github.com/goreleaser/goreleaser/issues/3496
refs https://github.com/goreleaser/goreleaser/pull/3540

Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
This commit is contained in:
Carlos Alexandro Becker
2022-11-15 08:21:18 -03:00
committed by GitHub
parent 2a46d627c7
commit b55b9976c7
6 changed files with 21 additions and 9 deletions

@@ -28,7 +28,7 @@ docker_signs:
# Command line templateable arguments for the command
#
# defaults to `["sign", "--key=cosign.key", "${artifact}"]`
# defaults to `["sign", "--key=cosign.key", "${artifact}@${digest}"]`
args: ["sign", "--key=cosign.key", "--upload=false", "${artifact}"]
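Review bot: the comment on the default is updated to `${artifact}@${digest}`, but the example `args:` line right below it still signs `${artifact}` alone, so the one snippet a reader is likely to copy still signs by tag rather than by digest, which is exactly what this change is meant to stop. Suggest changing the example to `args: ["sign", "--key=cosign.key", "--upload=false", "${artifact}@${digest}"]` so the example and the documented default agree.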
@@ -77,12 +77,16 @@ docker_signs:
These environment variables might be available in the fields that are templateable:
- `${artifact}`: the path to the artifact that will be signed [^1]
- `${digest}`: the digest of the image/manifest that will be signed [^2]
- `${artifactID}`: the ID of the artifact that will be signed
- `${certificate}`: the certificate file name, if provided
[^1]: notice that this might contain `/` characters, which depending on how
you use it might evaluate to actual paths within the file system. Use with
care.
[^2]: those are extracted automatically when running Docker push from within
GoReleaser. Using the digest helps making sure you're signing the right image
and avoid concurrency issues.
## Common usage example
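Review bot: footnote [^2] says the digest is extracted automatically when Docker push runs from within GoReleaser, but it does not say what `${digest}` holds when the image is not pushed by GoReleaser (the commit message notes the pipeline fails earlier in that case; the docs should state that, since a user reading only this page cannot tell whether the template expands to an empty string). Suggest adding one sentence to [^2] along the lines of "the digest is only available for images and manifests pushed by GoReleaser; signing runs after push". Minor wording in the same footnote: "helps making sure you're signing the right image and avoid concurrency issues" reads better as "helps make sure you're signing the right image and avoids concurrency issues", and it would be worth stating the security point directly, that a tag can be re-pointed between push and sign while a digest cannot.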