Skip to content

Sign the artifacts (binaries/images) using cosign  #2462

New issue
New issue
Open
#5793
Open
Sign the artifacts (binaries/images) using cosign #2462
#5793
Labels
area: ciPR that update CIenhancementNew feature or improvement
@cpanato

Description

@cpanato
cpanato
opened on Jan 6, 2022

Your feature request related to a problem? Please describe.

Not a problem, is a feature request.

The idea is to sign the release artifacts using cosign when doing the release.
The project is already using GoReleaser and GitHub actions and that makes things easier to implement 😃

This is an initial step for a more secure release and lets the consumers have the ability to verify the release artifacts.

I can help to implement this feature if the team decides to move this idea forward.

Describe the solution you'd like.

Using the current GoRelease config and the GitHub Actions we can sign the binaries/images using a keyless approach and push the signed artifacts all together to the GitHub release.

Describe alternatives you've considered.

n/a

Additional context.

n/a

Activity

cpanato
added
enhancementNew feature or improvement
on Jan 6, 2022
boring-cyborg

boring-cyborg commented on Jan 6, 2022

@boring-cyborg
boring-cyborgbot
on Jan 6, 2022

Hey, thank you for opening your first Issue ! 🙂 If you would like to contribute we have a guide for contributors.

ldez
added
area: ciPR that update CI
on Jan 7, 2022
cpanato

cpanato commented on Jan 26, 2022

@cpanato
cpanato
on Jan 26, 2022
Author

Do the maintainers think this is a good idea? i can implement the tiny bits if y'all agree

scop

scop commented on Apr 25, 2025

@scop
scop
on Apr 25, 2025
Contributor

I do think it's a good idea, and I'm willing to chime in with the implementation as well.

scop
added 2 commits that reference this issue on May 10, 2025

feat: sign release artifacts with cosign

eb49499

feat: sign release artifacts with cosign

12b2fc0
scop
linked a pull request that will close this issue on May 11, 2025
scop

scop commented on May 11, 2025

@scop
scop
on May 11, 2025
Contributor

#5793 implements the binaries part, and #5794 adds verifying support in the installer.

scop
added a commit that references this issue on May 11, 2025

feat: sign release artifacts with cosign

6898794
scop
added 2 commits that reference this issue on May 23, 2025

feat: sign release artifacts with cosign

840da20

feat: sign release artifacts with cosign

7d7647b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    area: ciPR that update CIenhancementNew feature or improvement

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      Participants

      @scop@cpanato@ldez

      Issue actions
        Sign the artifacts (binaries/images) using cosign · Issue #2462 · golangci/golangci-lint