Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Signing and verification added, release notes generation automated #627

Merged
merged 1 commit into from Jan 18, 2024
Merged

Signing and verification added, release notes generation automated #627

merged 1 commit into from Jan 18, 2024

Conversation

rcmadhankumar
Copy link
Contributor

@rcmadhankumar rcmadhankumar commented Jan 18, 2024
edited

Signing and verification added for imgpkg artifacts.
Release notes generation automated for Installation and signature verification.

Release notes will look like:

✨ What's new

Full Changelog: rcmadhankumar/imgpkg@v0.0.29...v0.0.34

Installation and signature verification

Installation

By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

# Download the binary
curl -LO https://github.com/rcmadhankumar/imgpkg/releases/download/v0.0.34/imgpkg-linux-amd64

# Move the binary in to your PATH
mv imgpkg-linux-amd64 /usr/local/bin/imgpkg

# Make the binary executable
chmod +x /usr/local/bin/imgpkg

Via Homebrew (macOS or Linux)

$ brew tap carvel-dev/carvel
$ brew install imgpkg
$ imgpkg version

Verify checksums file signature

Install cosign on your system https://docs.sigstore.dev/system_config/installation/

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

# Download the checksums file, certificate and signature
curl -LO https://github.com/rcmadhankumar/imgpkg/releases/download/v0.0.34/checksums.txt
curl -LO https://github.com/rcmadhankumar/imgpkg/releases/download/v0.0.34/checksums.txt.pem
curl -LO https://github.com/rcmadhankumar/imgpkg/releases/download/v0.0.34/checksums.txt.sig

# Verify the checksums file
cosign verify-blob checksums.txt \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp=https://github.com/rcmadhankumar \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.

# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

📂 Files Checksum

35a8c6ac2509288c2296a1da6057d182b1b277e3bf59ed8b6d01222fa910058d  ./imgpkg-darwin-arm64
41ddfa974219cb846fe7ae6fa142e3f1a9a19c28ac63c25ea2ac3cb235b4542f  ./imgpkg-darwin-amd64
97762f9e9cc1b7edab7fe464c1eec7635beea64990394a64fb1d17f6ec7b9528  ./imgpkg-windows-amd64.exe
9e3b9c8faabb0b5917191b2e2a571e7d5f7e8851b43887b5978524c35ef31f49  ./imgpkg-linux-amd64
ccdf4aff8cc088f70f6bff28620c6f1c760e2c6188ab8211f9e5444970ad3280  ./imgpkg-linux-arm64

@rcmadhankumar
Signing and verification added, release notes generation automated
935e0df 
Signed-off-by: rcmadhankumar <rcmadhankumar@gmail.com>
@rcmadhankumar rcmadhankumar temporarily deployed to TanzuNet Registry Dev e2e January 18, 2024 06:24 — with GitHub Actions Inactive
@rcmadhankumar rcmadhankumar linked an issue Jan 18, 2024 that may be closed by this pull request
Sign imgpkg binaries while releasing them #583
Closed
@kumaritanushree
Copy link
Contributor

LGTM

@praveenrewar praveenrewar merged commit e0da208 into carvel-dev:develop Jan 18, 2024
8 of 10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@praveenrewar praveenrewar praveenrewar approved these changes

@100mik 100mik 100mik approved these changes

@kumaritanushree kumaritanushree kumaritanushree approved these changes

Assignees
No one assigned
Labels
None yet
Projects
Carvel
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Sign imgpkg binaries while releasing them
4 participants
@rcmadhankumar @kumaritanushree @praveenrewar @100mik