feat(supply-chain): cosign-sign release artifacts (#2)#28
Merged
Conversation
Wire cosign keyless signing into the release pipeline so every artifact published from this repository can be verified against the GitHub Actions OIDC identity that produced it, with no public key to manage and no secret to compromise.

What ships in this change:

- .goreleaser.yaml: signs: block runs cosign sign-blob against checksums.txt, producing checksums.txt.sig + checksums.txt.pem alongside it on every release. Once the checksum file is signed, every binary whose hash appears in it is transitively attested by the same OIDC identity.
- .goreleaser.yaml: docker_signs: block signs every per-arch container image. Signatures are attached in-registry; verification does not require pulling the image, just calling cosign verify against the image reference.
- .goreleaser.yaml: release.footer template surfaces the verify commands inside every release's notes, so users hit them at the point of download instead of having to dig through docs.
- .github/workflows/release.yml: id-token: write permission added to the job so the OIDC token is available for Fulcio to bind to the signing cert, plus a sigstore/cosign-installer step to make the cosign binary available to GoReleaser.
- .github/workflows/ci.yml: goreleaser check step added to the snapshot job. The existing build --snapshot --clean only exercises the build pipeline; check parses every section including signs/docker_signs so a malformed cosign config fails the PR rather than the next tagged release.
- README.md: Verify a release section documents the cosign verify-blob and cosign verify commands, the certificate-identity regex to expect, and what "wrong identity" means operationally (the artifact is not from this project; do not use it).

Out of scope:

- SLSA build provenance (#3), syft SBOM (#4), arm64 end-to-end verification (#5). These share the GoReleaser hook surface but warrant their own PRs to keep review tractable.
- cronix version --verify subcommand. Useful but a CLI-level change better handled in a follow-up so this PR stays pipeline-only.

Signed-off-by: Abdelhadi Sabani <asabani.work@gmail.com>
awbx added a commit that referenced this pull request on May 19, 2026
Closes #2.
Summary
Wires cosign keyless signing into the release pipeline. Every release artifact gets a signature bound to this repository's GitHub Actions OIDC identity — no public key to track, no secret to compromise. Container images get in-registry signatures via `docker_signs:`. The checksum file is the transitive root: once `checksums.txt` is signed, every binary whose hash appears in it is attested by the same identity.
What changes
Out of scope
Test plan
Verification (after the next tagged release)
```sh
cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/awbx/cronix/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  checksums.txt
```
The identity regex matches the workflow URL embedded in the cosign cert by Sigstore's Fulcio CA. Anything not matching `https://github.com/awbx/cronix/.*` did not come from this repo.
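A worked client-side check, added here and not part of this PR or the cronix project: once `cosign verify-blob` has accepted `checksums.txt`, the transitive step the summary describes is comparing each downloaded artifact's SHA-256 against the signed file. The script parses GoReleaser's checksums format, reports each download as ok, mismatch or unlisted, and mirrors the identity regex locally with `re.fullmatch` (an anchoring choice made here, not a statement about how cosign matches); the artifact bytes and checksum lines are constructed samples.

```python
import hashlib
import re

# Identity regex the README tells users to pass to cosign verify-blob.
IDENTITY_REGEXP = r"https://github.com/awbx/cronix/.*"


def identity_is_expected(san_identity):
    """Local mirror of the identity policy; fullmatch anchors the regex to the
    whole SAN (a conservative choice here), so another repo's workflow URL fails."""
    return re.fullmatch(IDENTITY_REGEXP, san_identity) is not None


def parse_checksums(text):
    """Parse GoReleaser's checksums.txt: one '<sha256 hex>  <filename>' per line."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[name.lstrip("*")] = digest.lower()  # '*' marks binary mode
    return expected


def verify_artifacts(checksums_text, artifacts):
    """Run only after cosign verify-blob has accepted checksums.txt. artifacts is
    {name: bytes}; returns {name: 'ok' | 'mismatch' | 'unlisted'}. 'unlisted'
    means the signed file says nothing about that download: it is not attested."""
    expected = parse_checksums(checksums_text)
    results = {}
    for name, data in artifacts.items():
        if name not in expected:
            results[name] = "unlisted"
        else:
            actual = hashlib.sha256(data).hexdigest()
            results[name] = "ok" if actual == expected[name] else "mismatch"
    return results


# Constructed sample release (not real cronix artifacts): two listed tarballs.
GOOD_AMD64 = b"cronix linux/amd64 build (constructed)"
SAMPLE_CHECKSUMS = (
    hashlib.sha256(GOOD_AMD64).hexdigest() + "  cronix_1.0.0_linux_amd64.tar.gz\n"
    + hashlib.sha256(b"arm64 build (constructed)").hexdigest()
    + "  cronix_1.0.0_linux_arm64.tar.gz\n"
)
```

A file that verifies here but whose checksums.txt failed the cosign step is still untrusted; the hash comparison only carries the signature's assurance forward.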