Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(ci): add cosign to sign the released binaries #459

Merged
merged 4 commits into from
Feb 5, 2024
Merged

feat(ci): add cosign to sign the released binaries #459

merged 4 commits into from
Feb 5, 2024

Conversation

Mossaka
Copy link
Member

@Mossaka Mossaka commented Jan 24, 2024
edited
Loading

This draft PR adds cosign signing for the released binaries. It is WIP.

I am testing releases in my own forked repo: https://github.com/Mossaka/runwasi/actions/runs/7634841458

Related to #417

@Mossaka Mossaka marked this pull request as draft January 24, 2024 02:48
@Mossaka Mossaka mentioned this pull request Jan 24, 2024
Closed
@Mossaka Mossaka closed this Jan 24, 2024
@Mossaka Mossaka reopened this Jan 24, 2024
@Mossaka Mossaka marked this pull request as ready for review January 29, 2024 23:54
jsturtevant
jsturtevant reviewed Jan 30, 2024
View reviewed changes
Copy link
Contributor

@jsturtevant jsturtevant left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not super familiar with cosign but did a bit of reading and this seems like it is using the approach suggested in the docs.

Could we add a doc on how to run the verification after downloading the files?

.github/workflows/release.yml Outdated Show resolved Hide resolved
.github/workflows/release.yml
Comment on lines +79 to +81
make dist-${{ needs.parse.outputs.runtime }}
# Check if there's any files to archive as tar fails otherwise
if stat dist/bin/* >/dev/null 2>&1; then
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the scenario where there are no files after running make dist-*

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You meant afer make build-*?

If we release containerd-shim-wasm-test-modules, I think there will be no files in disk/bin.

.github/workflows/release.yml Show resolved Hide resolved
.github/workflows/release.yml Outdated Show resolved Hide resolved
@Mossaka
Copy link
Member Author

Mossaka commented Jan 31, 2024

Could we add a doc on how to run the verification after downloading the files?

Sure, I also intend to add the verification doc on the release page.

@Mossaka
add cosign to sign the released binaries
a552e39 
Signed-off-by: jiaxiao zhou <jiazho@microsoft.com>
@Mossaka
changed the name
0ccb0a4 
Signed-off-by: jiaxiao zhou <jiazho@microsoft.com>
@Mossaka
use bundle for sign-blobs
b242586 
Signed-off-by: jiaxiao zhou <jiazho@microsoft.com>
@Mossaka
docs: added signing verification section on the release page
130c62a 
Signed-off-by: jiaxiao zhou <jiazho@microsoft.com>
@Mossaka
Copy link
Member Author

Mossaka commented Feb 2, 2024

@jeremyrickard could you please take a look?

jsturtevant
jsturtevant reviewed Feb 2, 2024
View reviewed changes
Copy link
Contributor

@jsturtevant jsturtevant left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, it would be nice to have one more set of eyes on this PR since I am fairly new to cosign

jeremyrickard
jeremyrickard approved these changes Feb 5, 2024
View reviewed changes
Copy link

@jeremyrickard jeremyrickard left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Mossaka Mossaka merged commit 71f8df9 into containerd:main Feb 5, 2024
43 checks passed
@Mossaka Mossaka deleted the signing branch February 5, 2024 22:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jsturtevant jsturtevant jsturtevant left review comments

@jeremyrickard jeremyrickard jeremyrickard approved these changes

@cpuguy83 cpuguy83 Awaiting requested review from cpuguy83

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@Mossaka @jsturtevant @jeremyrickard