@kop kop commented Apr 9, 2025

This PR adds support for keyless signing using Sigstore’s identity-based workflow.

Instead of managing long-lived signing keys, Cosign now uses ephemeral keys bound to OpenID Connect (OIDC) identities, verified by Fulcio, and recorded in the Rekor transparency log. This provides a secure, auditable way to sign artifacts without persistent private keys.

The signature can be verified with:

cosign verify \
  --certificate-identity "https://github.com/firebolt-db/mcp-server/.github/workflows/release.yaml@refs/heads/main" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  ghcr.io/firebolt-db/mcp-server:TAG
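As an added illustration (not code from this PR or from cosign), the check below walks the JSON that `cosign verify` prints and enforces the same exact identity and issuer match that the `--certificate-identity` / `--certificate-oidc-issuer` flags above request, so it is clear what those flags actually bind a signature to. The sample payload and digest are constructed; cosign already performs this check itself when given the flags.

```python
import json

# Constructed sample of `cosign verify` JSON output for one keyless signature.
# Field names follow cosign's simple-signing payload; the digest is made up.
SAMPLE_VERIFY_OUTPUT = json.dumps([
    {
        "critical": {
            "identity": {"docker-reference": "ghcr.io/firebolt-db/mcp-server"},
            "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
            "type": "cosign container image signature",
        },
        "optional": {
            "Issuer": "https://token.actions.githubusercontent.com",
            "Subject": "https://github.com/firebolt-db/mcp-server/.github/workflows/release.yaml@refs/heads/main",
        },
    }
])

EXPECTED_IDENTITY = "https://github.com/firebolt-db/mcp-server/.github/workflows/release.yaml@refs/heads/main"
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"


def check_keyless_claims(verify_output: str, expected_identity: str,
                         expected_issuer: str, expected_digest: str) -> list[str]:
    """Return the reasons a keyless verification result should be rejected.

    An empty list means every signature was issued to the expected workflow
    identity by the expected OIDC issuer for the expected image digest.
    Comparisons are exact: a fork, another workflow file in the same
    repository, or a ref other than refs/heads/main all fail.
    """
    problems = []
    payloads = json.loads(verify_output)
    if not payloads:
        return ["no signatures in verification output"]
    for i, p in enumerate(payloads):
        opt = p.get("optional") or {}
        digest = p.get("critical", {}).get("image", {}).get("docker-manifest-digest")
        if digest != expected_digest:
            problems.append(f"sig {i}: digest {digest!r} != {expected_digest!r}")
        # Key-based signatures carry no Issuer/Subject; reject them instead of
        # silently accepting a signature whose signer identity is unknown.
        if "Issuer" not in opt or "Subject" not in opt:
            problems.append(f"sig {i}: no certificate identity claims (not keyless?)")
            continue
        if opt["Issuer"] != expected_issuer:
            problems.append(f"sig {i}: issuer {opt['Issuer']!r} != {expected_issuer!r}")
        if opt["Subject"] != expected_identity:
            problems.append(f"sig {i}: identity {opt['Subject']!r} != {expected_identity!r}")
    return problems
```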

Configures signing of Docker images with the Cosign keyless algorithm.
@kop kop merged commit 62a3f42 into main Apr 9, 2025
4 checks passed
@kop kop deleted the oci_images_signing branch April 9, 2025 20:27
kop pushed a commit that referenced this pull request Apr 10, 2025
🤖 I have created a release *beep* *boop*
---

## [0.2.0](v0.1.0...v0.2.0) (2025-04-10)

### Features

* sign Docker images ([#11](#11)) ([62a3f42](62a3f42))

### Bug Fixes

* correct tools capabilities ([c351b5f](c351b5f))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>