Sign the release checksums and container images with Cosign and GitHub OIDC #2303

Closed
@stefanprodan

Description

We should use Cosign keyless signing (using GitHub Actions OIDC) to allow our users to verify the authenticity of Flux binaries, manifests, SBOM files and container images. Besides the Flux artifacts, all the GitOps Toolkit controller images and release artifacts should also be signed in CI using GitHub Actions, Cosign and GoReleaser.

Projects:

  • flux2
  • source-controller
  • kustomize-controller
  • helm-controller
  • notification-controller
  • image-reflector-controller
  • image-automation-controller
  • source-watcher
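The following is an added example, not Flux's own release workflow or GoReleaser configuration, showing how the keyless signing described in this issue fits together: the workflow grants the `id-token: write` permission so Cosign can obtain a GitHub OIDC token, and GoReleaser calls Cosign to sign the checksums file and the pushed images. The action version tags, Go version, and the `ORG`/`REPO` placeholders are assumptions; replace them with the project's own values (and pin actions to commit digests in a real release pipeline).

```yaml
# file: .github/workflows/release.yaml (example, assumed layout)
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: write   # GoReleaser uploads the release assets
  packages: write   # push images to ghcr.io
  id-token: write   # required: lets Cosign request the OIDC token for keyless signing
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # assumed version
        with:
          fetch-depth: 0                    # GoReleaser needs full tag history
      - uses: actions/setup-go@v5          # assumed version
        with:
          go-version: "1.22"                # assumed
      - uses: sigstore/cosign-installer@v3 # installs the cosign CLI used by GoReleaser
      - uses: docker/login-action@v3       # assumed version
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: goreleaser/goreleaser-action@v5 # assumed version
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
---
# file: .goreleaser.yaml (only the signing-related sections)
signs:
  - cmd: cosign
    # the Fulcio certificate is published next to the signature so users can
    # verify offline which workflow identity signed the checksums
    certificate: "${artifact}.pem"
    args:
      - sign-blob
      - "--output-certificate=${certificate}"
      - "--output-signature=${signature}"
      - "${artifact}"
      - "--yes"                 # non-interactive: accept the Rekor upload prompt
    artifacts: checksum         # sign the checksums file, which covers every binary
docker_signs:
  - cmd: cosign
    artifacts: images           # sign each pushed image by digest
    args:
      - sign
      - "${artifact}"
      - "--yes"
```

A user then verifies the release by checking both the signature and the signing identity, which is the point of keyless signing: `cosign verify-blob --certificate checksums.txt.pem --signature checksums.txt.sig --certificate-identity-regexp '^https://github.com/ORG/REPO/' --certificate-oidc-issuer https://token.actions.githubusercontent.com checksums.txt` for the checksums, and `cosign verify --certificate-identity-regexp '^https://github.com/ORG/REPO/' --certificate-oidc-issuer https://token.actions.githubusercontent.com ghcr.io/ORG/IMAGE:TAG` for an image. Omitting the identity and issuer checks would accept any certificate Fulcio ever issued, so they are not optional.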

Labels: area/ci, enhancement