mirror of https://github.com/goreleaser/goreleaser.git synced 2025-01-20 03:59:26 +02:00

docs: update sign docs

refs https://github.com/orgs/goreleaser/discussions/4702
Carlos Alexandro Becker 2024-03-15 13:16:57 -03:00
parent c923fa40f5
commit b728f52f68
No known key found for this signature in database


@ -5,30 +5,29 @@ This pipe was designed based on the common [sign](/customization/sign/) pipe
having [cosign](https://github.com/sigstore/cosign) in mind.
!!! info
Note that this pipe will run only at the end of the GoReleaser execution (in
its publishing phase), as cosign will change the image in the registry.
To customize the signing pipeline you can use the following options:
```yaml
# .goreleaser.yml
docker_signs:
-
# ID of the sign config, must be unique.
- # ID of the sign config, must be unique.
# Only relevant if you want to produce some sort of signature file.
#
# Default: 'default'
id: foo
# Path to the signature command
# Path to the signature command.
#
# Default: 'cosign'
cmd: cosign
# Command line arguments for the command
# Command line arguments for the command.
#
# Default: ["sign", "--key=cosign.key", "${artifact}@${digest}", "--yes"]
# Default: ["sign", "--key=cosign.key", "${artifact}", "--yes"]
# Templates: allowed
args:
- "sign"
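Review bot: the new `# Default: ["sign", "--key=cosign.key", "${artifact}", "--yes"]` drops the explicit `@${digest}` suffix, so this comment on its own no longer tells the reader that signing is pinned to the image digest rather than to a mutable tag; that fact only appears much further down, in the `${artifact}` bullet of the template variables list. Consider adding a clause right here, e.g. `# ${artifact} already includes the digest`, so anyone copying the default or the `args` example beneath it knows what actually gets signed.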
@ -37,8 +36,7 @@ docker_signs:
- "${artifact}"
- "--yes" # needed on cosign 2.0.0+
# Which artifacts to sign
# Which artifacts to sign.
#
# all: all artifacts
# none: no signing
@ -56,17 +54,19 @@ docker_signs:
# Stdin data to be given to the signature command as stdin.
#
# Templates: allowed
stdin: '{{ .Env.COSIGN_PWD }}'
stdin: "{{ .Env.COSIGN_PWD }}"
# StdinFile file to be given to the signature command as stdin.
stdin_file: ./.password
# List of environment variables that will be passed to the signing command as well as the templates.
# List of environment variables that will be passed to the signing command
# as well as the templates.
env:
- FOO=bar
- HONK=honkhonk
# By default, the stdout and stderr of the signing cmd are discarded unless GoReleaser is running with `--debug` set.
# By default, the stdout and stderr of the signing cmd are discarded unless
# GoReleaser is running with `--debug` set.
# You can set this to true if you want them to be displayed regardless.
#
# Since: v1.2
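Review bot: `stdin: "{{ .Env.COSIGN_PWD }}"` and `stdin_file: ./.password` are listed back to back as if both could be set, yet neither comment says what happens when both are given; please state which one takes precedence or that they are mutually exclusive. Minor wording: `# StdinFile file to be given to the signature command as stdin.` reads oddly, `# File whose contents are passed to the signature command as stdin.` is clearer. Since the stdin payload here is the key password, the `--debug` remark a few lines later would also benefit from saying that only the command's stdout and stderr are shown, not the stdin it was fed.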
@ -77,19 +77,22 @@ docker_signs:
These environment variables might be available in the fields that are templateable:
- `${artifact}`: the path to the artifact that will be signed [^1]
- `${digest}`: the digest of the image/manifest that will be signed [^2]
- `${artifact}`[^1]: the path to the artifact that will be signed (including the
digest[^2])
- `${digest}`[^2]: the digest of the image/manifest that will be signed
- `${artifactID}`: the ID of the artifact that will be signed
- `${certificate}`: the certificate file name, if provided
[^1]: notice that this might contain `/` characters, which depending on how
[^1]:
notice that this might contain `/` characters, which depending on how
you use it might evaluate to actual paths within the file system. Use with
care.
[^2]: those are extracted automatically when running Docker push from within
[^2]:
those are extracted automatically when running Docker push from within
GoReleaser. Using the digest helps making sure you're signing the right image
and avoid concurrency issues.
## Common usage example
Assuming you have a `cosign.key` in the repository root and a `COSIGN_PWD`
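Review bot: moving `[^1]:` and `[^2]:` onto their own lines only renders as footnotes if the body lines that follow (`notice that this might contain ...`, `those are extracted automatically ...`) are indented as continuation lines; the indentation is not visible in this view, so check the rendered page, otherwise each body becomes a stray paragraph and the footnote itself is empty. Also, in `[^2]`, `helps making sure` should be `helps make sure`, and since `${artifact}` now carries the digest (the old default spelled it out as `${artifact}@${digest}`), `[^1]` could mention that the value contains `@` and `:` in addition to `/` when warning about using it as a path.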
@ -100,7 +103,7 @@ and manifests would look like this:
# .goreleaser.yml
docker_signs:
- artifacts: all
stdin: '{{ .Env.COSIGN_PWD }}'
stdin: "{{ .Env.COSIGN_PWD }}"
```
Later on you (and anyone else) can verify the image with: