
build(): Sign releaser artifacts, not only container manifests #2789

Merged
merged 2 commits into aquasecurity:main Sep 7, 2022

Conversation

JAORMX
Contributor

@JAORMX JAORMX commented Aug 30, 2022

Description

The current goreleaser configuration leverages cosign to sign the
goreleaser container manifests using public sigstore infrastructure.
This is great!

This PR also signs the rest of the releaser artifacts (binaries, sbom
file, etc), so we can verify them using the aforementioned public
infrastructure. This is very useful for folks consuming the binaries
from the public GitHub releases.

Note that this assumes that the OIDC issuer is GitHub, and thus ties
this signature to being triggered by a GitHub action.

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
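How a consumer of a GitHub release would check one of these keyless signatures, pinning both the OIDC issuer the description mentions and the identity of the signing workflow. This is an added example, not code from this PR or from the project; it assumes cosign 2.x `verify-blob` flags, goreleaser's `<artifact>.sig` / `<artifact>.pem` naming, and placeholder repository and workflow values.

```shell
#!/bin/sh
# Keyless (sigstore) verification of a release artifact signed from GitHub Actions.
# Assumed: cosign 2.x on PATH, artifact plus <artifact>.sig and <artifact>.pem
# downloaded side by side. Repository and workflow path are placeholders.
set -eu

# Issuer of the OIDC token used during signing; the PR assumes GitHub Actions.
GITHUB_OIDC_ISSUER="https://token.actions.githubusercontent.com"

# identity_regexp REPO WORKFLOW
# Builds the certificate identity pattern for a tag-triggered run of WORKFLOW
# in REPO (e.g. org/repo .github/workflows/release.yaml, both placeholders).
# A certificate from any other repo, workflow or branch will not match.
identity_regexp() {
  printf '^https://github\\.com/%s/%s@refs/tags/v[0-9]+\\.[0-9]+\\.[0-9]+$' "$1" "$2"
}

# verify_release_artifact REPO WORKFLOW ARTIFACT
# Returns 2 if the artifact, signature or certificate is missing, 3 if cosign
# is not installed, otherwise cosign's own exit status (0 = signature valid
# and issued to the pinned identity by the pinned issuer).
verify_release_artifact() {
  for f in "$3" "$3.sig" "$3.pem"; do
    [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
  done
  command -v cosign >/dev/null 2>&1 || { echo "cosign not installed" >&2; return 3; }
  cosign verify-blob \
    --certificate "$3.pem" \
    --signature "$3.sig" \
    --certificate-oidc-issuer "$GITHUB_OIDC_ISSUER" \
    --certificate-identity-regexp "$(identity_regexp "$1" "$2")" \
    "$3"
}

# Usage (placeholders): verify_release_artifact org/repo .github/workflows/release.yaml ./artifact.tar.gz
```

Without the issuer and identity pins, `verify-blob` would accept any certificate Fulcio ever issued, so the two flags are the actual trust decision.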

@JAORMX JAORMX requested a review from knqyf263 as a code owner August 30, 2022 05:45
@CLAassistant

CLAassistant commented Aug 30, 2022

CLA assistant check
All committers have signed the CLA.

@JAORMX JAORMX changed the title Sign releaser artifacts, not only container manifests build(sign): Sign releaser artifacts, not only container manifests Aug 30, 2022
@JAORMX JAORMX changed the title build(sign): Sign releaser artifacts, not only container manifests build(): Sign releaser artifacts, not only container manifests Aug 30, 2022
The current goreleaser configuration leverages cosign to sign the
goreleaser container manifests using public sigstore infrastructure.
This is great!

This PR also signs the rest of the releaser artifacts (binaries, sbom
file, etc), so we can verify them using the aforementioned public
infrastructure. This is very useful for folks consuming the binaries
from the public GitHub releases.

Note that this assumes that the OIDC issuer is GitHub, and thus ties
this signature to being triggered by a GitHub action.

Signed-off-by: Juan Antonio Osorio <juan.osoriorobles@eu.equinix.com>
We only want to sign artifacts and containers when releasing, not
necessarily when testing PRs.

Signed-off-by: Juan Antonio Osorio <juan.osoriorobles@eu.equinix.com>
@knqyf263 knqyf263 merged commit 0f1f2c1 into aquasecurity:main Sep 7, 2022
@knqyf263
Collaborator

knqyf263 commented Sep 7, 2022

Thanks 👍

Successfully merging this pull request may close these issues.

Provide signatures for binaries in releases