From 1bc68b9590857ef6b020f126538f39d5494d5053 Mon Sep 17 00:00:00 2001
From: kumari tanushree
Date: Thu, 21 Dec 2023 14:39:54 +0530
Subject: [PATCH] Added changes to sign artifacts

Signed-off-by: kumari tanushree
---
 .github/workflows/release.yml | 9 +++++++++
 .goreleaser.yml | 11 +++++++++++
 2 files changed, 20 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 96c0b18f..3e0d1f77 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      id-token: write
     steps:
     - name: Checkout
       uses: actions/checkout@v2
@@ -85,6 +86,14 @@ jobs:
         ${checksums['vendir-linux-amd64']} ./vendir-linux-amd64
         ${checksums['vendir-linux-arm64']} ./vendir-linux-arm64
         ${checksums['vendir-windows-amd64.exe']} ./vendir-windows-amd64.exe`
+    - name: Verify checksums signature
+      run: |
+        cosign verify-blob \
+          --cert dist/checksums.txt.pem \
+          --signature dist/checksums.txt.sig \
+          --certificate-identity-regexp=https://github.com/carvel-dev \
+          --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+          dist/checksums.txt
     - name: verify uploaded artifacts
       if: startsWith(github.ref, 'refs/tags/') && ${{ !env.ACT }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
index d6c42a4b..6fb2d137 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -34,6 +34,17 @@ checksum:
   name_template: 'checksums.txt'
   algorithm: sha256
   disable: false
+signs:
+  - artifacts: checksum
+    certificate: '${artifact}.pem'
+    cmd: cosign
+    args:
+      - sign-blob
+      - "--yes"
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+    output: true
 snapshot:
   name_template: "{{ .Tag }}-next"
 release:
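Review bot: The added `id-token: write` permission is undocumented, and its purpose is not obvious from the permissions block alone: it is what allows a step in this job to request a GitHub OIDC token, which the keyless cosign `sign-blob` configured in .goreleaser.yml relies on. Suggest an inline comment so the next maintainer does not drop it as unused, `      id-token: write  # OIDC token for cosign keyless (Sigstore) signing, see .goreleaser.yml signs:`. The job this permission block belongs to starts before the hunk.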
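Review bot: The `--certificate-identity-regexp=https://github.com/carvel-dev` in the new "Verify checksums signature" step is an unanchored prefix pattern, so it accepts a certificate issued to any workflow of any repository under that org, and because it is a regexp with no `^`/`$` it would also match an org name that merely begins with `carvel-dev`; it does not pin the signature to this repository's release workflow. A tighter identity would anchor on this workflow's path and the tag ref, e.g. `--certificate-identity-regexp='^https://github.com/carvel-dev/<REPO>/\.github/workflows/release\.yml@refs/tags/'` (with `<REPO>` replaced by this repository's name). The step also has no `if:` guard while the following `verify uploaded artifacts` step is limited to `refs/tags/`; if goreleaser only signs on tag builds, this step presumably fails on other runs, which is worth confirming, as is whether cosign is installed on the runner by an earlier step not shown here. The enclosing job continues on both sides of the hunk.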
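Review bot: The `"--yes"` argument in the new `signs:` block is unexplained: it auto-confirms cosign's prompt to upload the signature to the public Rekor transparency log, which is required for a non-interactive CI run and also means the signing workflow identity is publicly recorded; a comment above it, `      # --yes: non-interactive; consents to uploading the signature to the Rekor transparency log`, would capture both. Since no `--key` is given, this is keyless signing that depends on the release workflow granting `id-token: write`, which deserves a comment on `signs:` itself, e.g. `# Keyless (Sigstore) signing of checksums.txt; requires id-token: write in .github/workflows/release.yml`. The `certificate: '${artifact}.pem'` name is what the workflow's verify step reads as `dist/checksums.txt.pem`, while the `.sig` path it reads relies on goreleaser's default signature template; making that explicit with `signature: '${artifact}.sig'` keeps the two files from drifting apart.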