Merge pull request #339 from carvel-dev/sign-release-checksum

Added changes to sign artifacts
carvel-dev · Jan 5, 2024 · b63deaf · b63deaf
2 parents 0b54783 + 1bc68b9
commit b63deaf
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,6 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -85,6 +86,14 @@ jobs:
             ${checksums['vendir-linux-amd64']}  ./vendir-linux-amd64
             ${checksums['vendir-linux-arm64']}  ./vendir-linux-arm64
             ${checksums['vendir-windows-amd64.exe']}  ./vendir-windows-amd64.exe`
+      - name: Verify checksums signature
+        run: |
+          cosign verify-blob \
+          --cert dist/checksums.txt.pem \
+          --signature dist/checksums.txt.sig \
+          --certificate-identity-regexp=https://github.com/carvel-dev \
+          --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+          dist/checksums.txt
 
       - name: verify uploaded artifacts
         if: startsWith(github.ref, 'refs/tags/') && ${{ !env.ACT }}

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -34,6 +34,17 @@ checksum:
   name_template: 'checksums.txt'
   algorithm: sha256
   disable: false
+signs:
+  - artifacts: checksum
+    certificate: '${artifact}.pem'
+    cmd: cosign
+    args:
+      - sign-blob
+      - "--yes"
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+    output: true
 snapshot:
   name_template: "{{ .Tag }}-next"
 release: