You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
It is not related to a problem.
Describe the solution you'd like
A similar approach has been taken in cosign project1, thanks to @cpanato. Now, we can use this approach while signing and verifying the checksums.txt file of the GoReleaser.
Also thanks to @cpanato, he already prepared a repository2 to show people how they can keyless approach with GoReleaser.
Describe alternatives you've considered
We should remove both cosign.key and cosign.pub files.
We should enable cosign's experimental mode by providing the COSIGN_EXPERIMENTAL environment variable.
We should output the certificate while signing the blob, and upload this certificate to the releases.
We can use this certificate while verifying the checksums.txt.sig file.
Additional context
Add any other context or screenshots about the feature request here.
Is your feature request related to a problem? Please describe.
It is not related to a problem.
Describe the solution you'd like
A similar approach has been taken in cosign project1, thanks to @cpanato. Now, we can use this approach while signing and verifying the checksums.txt file of the GoReleaser.
Also thanks to @cpanato, he already prepared a repository2 to show people how they can keyless approach with GoReleaser.
Describe alternatives you've considered
cosign.key
andcosign.pub
files.COSIGN_EXPERIMENTAL
environment variable.checksums.txt.sig
file.Additional context
Add any other context or screenshots about the feature request here.
cc: @caarlos0 @dirien @Dentrax
Footnotes
https://github.com/sigstore/cosign/pull/1111 ↩
https://github.com/caarlos0-graveyard/gorel-keyless ↩
The text was updated successfully, but these errors were encountered: