Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix artifact signing, use default runner
GPG signing was broken as --detach-sign does not itself take an argument to a file to sign; instead this should be a separate positional argument to the CLI as a whole. This means that stdin was signed instead of the specified file, resulting in bogus signatures.

While the existing cosign signatures work, they require additional calls to rekor to fetch the corresponding certificate used to sign. Mirroring with what OpenTofu does, we can save the certificates directly so that users can verify without additional calls to the rekor network.

Lastly, switch to GitHub-hosted runners to avoid needing to use a self-hosted runner for this release stage.

Thanks to @JanMa and @janosdebugs for their help.

Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>