mirror of https://github.com/goreleaser/goreleaser.git synced 2025-04-13 11:50:34 +02:00

docs: fix install's cosign steps (#3913)

updated to the cosign v2

cc/ @cpanato

---------

Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
Carlos Alexandro Becker 2023-04-06 14:16:16 -03:00 committed by GitHub
parent e9e392d371
commit bf2e163ce4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 53 additions and 47 deletions


@ -12,19 +12,19 @@ Below you can find the steps for each of them.
### homebrew tap
=== "OSS"
```sh
```bash
brew install goreleaser/tap/goreleaser
```
=== "Pro"
```sh
```bash
brew install goreleaser/tap/goreleaser-pro
```
### homebrew
=== "OSS"
```sh
```bash
brew install goreleaser
```
@ -35,20 +35,20 @@ Below you can find the steps for each of them.
### snapcraft
=== "OSS"
```sh
```bash
sudo snap install --classic goreleaser
```
### scoop
=== "OSS"
```sh
```bash
scoop bucket add goreleaser https://github.com/goreleaser/scoop-bucket.git
scoop install goreleaser
```
=== "Pro"
```sh
```bash
scoop bucket add goreleaser https://github.com/goreleaser/scoop-bucket.git
scoop install goreleaser-pro
```
@ -56,14 +56,14 @@ Below you can find the steps for each of them.
### apt
=== "OSS"
```sh
```bash
echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list
sudo apt update
sudo apt install goreleaser
```
=== "Pro"
```sh
```bash
echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list
sudo apt update
sudo apt install goreleaser-pro
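Review bot: the `deb [trusted=yes]` source line in both apt tabs tells apt to skip signature verification for this repository, which is at odds with the cosign verification documented further down the same page. Since these blocks are being touched anyway, consider either documenting a repository signing key with `signed-by=` or adding a short note that says what `trusted=yes` implies for the reader.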
@ -72,7 +72,7 @@ Below you can find the steps for each of them.
### yum
=== "OSS"
```sh
```bash
echo '[goreleaser]
name=GoReleaser
baseurl=https://repo.goreleaser.com/yum/
@ -82,7 +82,7 @@ Below you can find the steps for each of them.
```
=== "Pro"
```sh
```bash
echo '[goreleaser]
name=GoReleaser
baseurl=https://repo.goreleaser.com/yum/
@ -94,12 +94,12 @@ Below you can find the steps for each of them.
### aur
=== "OSS"
```sh
```bash
yay -S goreleaser-bin
```
=== "Pro"
```sh
```bash
yay -S goreleaser-pro-bin
```
@ -114,19 +114,19 @@ Below you can find the steps for each of them.
### go install
=== "OSS"
```sh
```bash
go install github.com/goreleaser/goreleaser@latest
```
### bash script
=== "OSS"
```sh
```bash
curl -sfL https://goreleaser.com/static/run | bash
```
=== "Pro"
```sh
```bash
curl -sfL https://goreleaser.com/static/run | DISTRIBUTION=pro bash
```
@ -191,39 +191,39 @@ All artifacts are checksummed, and the checksum file is signed with [cosign][].
=== "OSS"
1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig` files from the [releases][releases] page:
```sh
wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt
wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.sig
wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.pem
```bash
wget 'https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt'
```
1. Verify the signature:
```sh
```bash
cosign verify-blob \
--cert checksums.txt.pem \
--signature checksums.txt.sig \
checksums.txt
--certificate-identity 'https://github.com/goreleaser/goreleaser/.github/workflows/release.yml@refs/tags/__VERSION__' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--cert 'https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.pem' \
--signature 'https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.sig' \
./checksums.txt
```
1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
```sh
```bash
sha256sum --ignore-missing -c checksums.txt
```
=== "Pro"
1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig` files from the [releases][pro-releases] page:
```sh
wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt
wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt.sig
wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt.pem
```bash
wget 'https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt'
```
1. Verify the signature:
```sh
```bash
cosign verify-blob \
--cert checksums.txt.pem \
--signature checksums.txt.sig \
checksums.txt
--certificate-identity 'https://github.com/goreleaser/goreleaser-pro-internal/.github/workflows/release-pro.yml@refs/tags/__VERSION__-pro' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--cert 'https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt.pem' \
--signature 'https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt.sig' \
./checksums.txt
```
1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
```sh
```bash
sha256sum --ignore-missing -c checksums.txt
```
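Review bot: step 1 in both tabs still tells the reader to download `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig`, but the updated command only fetches `checksums.txt`, with the certificate and signature now passed to `cosign verify-blob` as URLs. Please reword step 1 to match, and fix the `checksum.txt.pem` spelling while there. In the Pro tab, `--certificate-identity` names the `goreleaser-pro-internal` repository while the artifacts come from `goreleaser-pro`; one sentence explaining why they differ would keep readers from editing the identity to match the download URL.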
@ -234,13 +234,19 @@ Our Docker images are signed with [cosign][].
Verify the signatures:
=== "OSS"
```sh
cosign verify goreleaser/goreleaser
```bash
cosign verify \
--certificate-identity 'https://github.com/goreleaser/goreleaser/.github/workflows/release.yml@refs/tags/__VERSION__' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
goreleaser/goreleaser
```
=== "Pro"
```sh
cosign verify goreleaser/goreleaser-pro
```bash
cosign verify \
--certificate-identity 'https://github.com/goreleaser/goreleaser-pro-internal/.github/workflows/release-pro.yml@refs/tags/__VERSION__-pro' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
goreleaser/goreleaser-pro
```
!!! info
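Review bot: in both `cosign verify` commands the image reference (`goreleaser/goreleaser`, `goreleaser/goreleaser-pro`) has no tag or digest, while `--certificate-identity` is pinned to `refs/tags/__VERSION__`. An untagged reference resolves to `latest`, so verification fails as soon as `latest` is built from a different tag than the one in the docs. Suggest verifying the same version that is pinned, for example `goreleaser/goreleaser:__VERSION__`, or a digest.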
@ -259,7 +265,7 @@ To do that, you'll need to execute something more-or-less like the examples belo
Example usage:
```sh
```bash
docker run --rm --privileged \
-v $PWD:/go/src/github.com/user/repo \
-v /var/run/docker.sock:/var/run/docker.sock \
@ -279,7 +285,7 @@ To do that, you'll need to execute something more-or-less like the examples belo
Example usage:
```sh
```bash
docker run --rm --privileged \
-v $PWD:/go/src/github.com/user/repo \
-v /var/run/docker.sock:/var/run/docker.sock \
@ -327,25 +333,25 @@ If you just want to build from source for whatever reason, follow these steps:
**clone:**
```sh
```bash
git clone https://github.com/goreleaser/goreleaser
cd goreleaser
```
**get the dependencies:**
```sh
```bash
go mod tidy
```
**build:**
```sh
```bash
go build -o goreleaser .
```
**verify it works:**
```sh
```bash
./goreleaser --version
```

www/docs/static/run vendored

@ -29,15 +29,15 @@ export TAR_FILE="$TMPDIR/${FILE_BASENAME}_$(uname -s)_$(uname -m).tar.gz"
curl -sfLo "$TAR_FILE" \
"$RELEASES_URL/download/$VERSION/${FILE_BASENAME}_$(uname -s)_$(uname -m).tar.gz"
curl -sfLo "checksums.txt" "$RELEASES_URL/download/$VERSION/checksums.txt"
curl -sfLo "checksums.txt.sig" "$RELEASES_URL/download/$VERSION/checksums.txt.sig"
curl -sfLo "checksums.txt.pem" "$RELEASES_URL/download/$VERSION/checksums.txt.pem"
echo "Verifying checksums..."
sha256sum --ignore-missing --quiet --check checksums.txt
if command -v cosign >/dev/null 2>&1; then
echo "Verifying signatures..."
cosign verify-blob \
--cert checksums.txt.pem \
--signature checksums.txt.sig \
--certificate-identity-regexp "https://github.com/goreleaser/goreleaser.*/.github/workflows/.*.yml@refs/tags/$VERSION" \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--cert "$RELEASES_URL/download/$VERSION/checksums.txt.pem" \
--signature "$RELEASES_URL/download/$VERSION/checksums.txt.sig" \
checksums.txt
else
echo "Could not verify signatures, cosign is not installed."
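Review bot: the `--certificate-identity-regexp` value is much looser than the exact identities the install docs pin. The dots are unescaped, there are no `^`/`$` anchors, `goreleaser.*` and `workflows/.*.yml` accept any repository suffix and any workflow file, and with nothing after `$VERSION` a longer tag name with the same prefix also matches. Suggest selecting the exact identity from `DISTRIBUTION` and passing it with `--certificate-identity`, or at least anchoring and escaping the pattern. Separately, the `else` branch only prints a message when cosign is missing, so the script carries on with a `checksums.txt` whose signature was never checked; it would be worth making that case more visible or offering a way to make it fatal.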