go/goreleaser
go/goreleaser
1
0
Fork 0
mirror of https://github.com/goreleaser/goreleaser.git synced 2025-02-13 13:48:40 +02:00
Code Issues Releases Activity

docs: verifying the binaries and images

Browse Source 
Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com>
This commit is contained in:
Carlos Alexandro Becker 2021-08-24 22:31:02 -03:00
parent c100de32a3
commit c60493d3d8
No known key found for this signature in database
GPG Key ID: E61E2F7DC14AB940
2 changed files with 67 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
www/docs/install.md
View File

@ -125,6 +125,68 @@ Bellow you can find the steps for each of them.
=== "Pro" === "Pro"
Download the pre-compiled binaries from the [Pro releases page][pro-releases] and copy them to the desired location. Download the pre-compiled binaries from the [Pro releases page][pro-releases] and copy them to the desired location.
## Verifying the binaries
All artifacts are checksummed and the checksum file is signed with [cosign][].
You can verify it using [our public key](https://goreleaser.com/goreleaser.pub).
=== "OSS"
1. Download the files you want, the `goreleaser_checksums.txt` and `goreleaser_checksums.txt.sig` files from the [releases][releases] page.
1. Get our public key:
```sh
wget https://goreleaser.com/goreleaser.pub
```
1. Verify the signature:
```sh
cosign verify-blob \
-key goreleaser.pub \
-signature goreleaser_checksums.txt.sig \
goreleaser_checksums.txt
```
1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
```sh
sha256sum --ignore-missing -c goreleaser-pro_checksums.txt
```
=== "Pro"
1. Download the files you want, the `goreleaser-pro_checksums.txt` and `goreleaser-pro_checksums.txt.sig` files from the [releases][pro-releases] page.
1. Get our public key:
```sh
wget https://goreleaser.com/goreleaser.pub
```
1. Verify the signature:
```sh
cosign verify-blob \
-key goreleaser.pub \
-signature goreleaser-pro_checksums.txt.sig \
goreleaser-pro_checksums.txt
```
1. If the signature is ok, you can then verify the SHA256 sums match with the downloaded binary:
```sh
sha256sum --ignore-missing -c goreleaser-pro_checksums.txt
```
## Verifying docker images
Our Docker image is signed with [cosign][].
You can verify it using [our public key](https://goreleaser.com/goreleaser.pub).
=== "OSS"
```sh
wget https://goreleaser.com/goreleaser.pub
cosign verify -key goreleaser.pub goreleaser/goreleaser
cosign verify -key goreleaser.pub ghcr.io/goreleaser/goreleaser
```
=== "Pro"
```sh
wget https://goreleaser.com/goreleaser.pub
cosign verify -key goreleaser.pub goreleaser/goreleaser-pro
cosign verify -key goreleaser.pub ghcr.io/goreleaser/goreleaser-pro
```
## Running with Docker ## Running with Docker
You can also use it within a Docker container. You can also use it within a Docker container.
@ -188,6 +250,7 @@ and iterate from that.
[dockerfile]: https://github.com/goreleaser/goreleaser/blob/master/Dockerfile [dockerfile]: https://github.com/goreleaser/goreleaser/blob/master/Dockerfile
[releases]: https://github.com/goreleaser/goreleaser/releases [releases]: https://github.com/goreleaser/goreleaser/releases
[pro-releases]: https://github.com/goreleaser/goreleaser-pro/releases [pro-releases]: https://github.com/goreleaser/goreleaser-pro/releases
[cosign]: https://github.com/sigstore/cosign
## Compiling from source ## Compiling from source

4
www/docs/static/goreleaser.pub vendored Normal file
View File

@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1cDYntBbC5z3yV9Os6R6VdYAF2yt
0tjp4kg12QbnN95kv2m1WTmwg4TBRd4bwYCfhCyEEJEAWAUGsWtFflzl5g==
-----END PUBLIC KEY-----