Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

xargs is not required to do keyless signing with GH OIDC token #131

Closed
jbtrystram opened this issue Jun 5, 2023 · 0 comments · Fixed by #132
Closed

xargs is not required to do keyless signing with GH OIDC token #131

jbtrystram opened this issue Jun 5, 2023 · 0 comments · Fixed by #132
Labels
enhancement New feature or request

Comments

@jbtrystram
Copy link
Contributor

The documentation in the README suggests using xargs to sign containers/blobs without a key.
This is not needed and add complexity to the command.

I was able to sucessfully sign images from a GH action workflow with the following step:

- name: Sign the images with GitHub OIDC Token
      env:
        IMAGE: {{ env.IMAGE_REGISTRY}}/${{ env.REGISTRY_USER}}/${{ env.IMAGE_NAME }}
      run: | 
        cosign sign \
        -a "repo=${{ github.repository }}" \
        -a "workflow=${{ github.workflow }}" \
        -a "ref=${{ github.sha }}" \
        --yes ${IMAGE}@${DIGEST}

I drew inspiration from there : https://github.com/sigstore/cosign/blob/main/scripts/sign-images-ci.sh

@jbtrystram jbtrystram added the enhancement New feature or request label Jun 5, 2023
jbtrystram added a commit to jbtrystram/cosign-installer that referenced this issue Jun 5, 2023
Fixes sigstore#131

Signed-off-by: jbtrystram <jbtrystram@redhat.com>
cpanato pushed a commit that referenced this issue Jun 6, 2023
Fixes #131

Signed-off-by: jbtrystram <jbtrystram@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant