Sign images by cosign.

Signed-off-by: Lan Liang <gcslyp@gmail.com>
karmada-io · May 8, 2023 · 8763ddb · 8763ddb
1 parent 2be4b33
commit 8763ddb
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 0 deletions.
diff --git a/.github/workflows/dockerhub-latest-image.yml b/.github/workflows/dockerhub-latest-image.yml
@@ -6,6 +6,8 @@ on:
 jobs:
   publish-image-to-dockerhub:
     name: publish to DockerHub
+    permissions:
+      id-token: write # To be able to get OIDC ID token to sign images.
     # prevent job running from forked repository, otherwise
     # 1. running on the forked repository would fail as missing necessary secret.
     # 2. running on the forked repository would use unnecessary GitHub Action time.
@@ -36,6 +38,8 @@ jobs:
         uses: actions/setup-go@v3
         with:
           go-version: 1.19.5
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.0.3
       - name: install QEMU
         uses: docker/setup-qemu-action@v2
       - name: install Buildx
@@ -49,4 +53,5 @@ jobs:
         env:
           REGISTRY: karmada
           VERSION: latest
+          COSIGN_EXPERIMENTAL: 1
         run: make mp-image-${{ matrix.target }}
diff --git a/.github/workflows/dockerhub-released-image.yml b/.github/workflows/dockerhub-released-image.yml
@@ -6,6 +6,8 @@ on:
 jobs:
   publish-image-to-dockerhub:
     name: publish to DockerHub
+    permissions:
+      id-token: write # To be able to get OIDC ID token to sign images.
     strategy:
       matrix:
         target:
@@ -32,6 +34,8 @@ jobs:
         uses: actions/setup-go@v3
         with:
           go-version: 1.19.5
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.0.3
       - name: install QEMU
         uses: docker/setup-qemu-action@v2
       - name: install Buildx
@@ -45,4 +49,5 @@ jobs:
         env:
           REGISTRY: karmada
           VERSION: ${{ github.ref_name }}
+          COSIGN_EXPERIMENTAL: 1
         run: make mp-image-${{ matrix.target }}
diff --git a/hack/docker.sh b/hack/docker.sh
@@ -66,6 +66,7 @@ function build_local_image() {
 
   if [[ "$output_type" == "registry" ]]; then
     docker push "${image_name}"
+    signImage ${image_name}
   fi
 }
 
@@ -85,9 +86,16 @@ function build_cross_image() {
           --tag "${image_name}" \
           --file "${REPO_ROOT}/cluster/images/buildx.Dockerfile" \
           "${REPO_ROOT}/_output/bin"
+  signImage ${image_name}
   set +x
 }
 
+function signImage(){
+  local -r target=$1
+  echo "signing image: "${target}
+  cosign sign --yes ${target}
+}
+
 function isCross() {
   local platforms=$1