diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fe13e0aa..0b6ea8b9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -114,6 +114,9 @@ jobs:
 needs:
 - unit-tests
 - Acceptance-Tests
+ permissions:
+ contents: write
+ id-token: write
 steps:
 - name: Checkout
@@ -188,4 +191,3 @@ jobs:
 DISCORD_WEBHOOK_ID: ${{ secrets.DISCORD_WEBHOOK_ID }}
 DISCORD_WEBHOOK_TOKEN: ${{ secrets.DISCORD_WEBHOOK_TOKEN }}
 FURY_TOKEN: ${{ secrets.FURY_TOKEN }}
- COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 50600134..9dc2aac0 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -146,14 +146,25 @@ furies:
 signs:
 - cmd: cosign
- stdin: '{{ .Env.COSIGN_PWD }}'
- args: ["sign-blob", "-key=/tmp/goreleaser_cosign.key", "-output=${signature}", "${artifact}"]
- artifacts: checksum
+ env:
+ - COSIGN_EXPERIMENTAL=1
+ certificate: '${artifact}.pem'
+ args:
+ - sign-blob
+ - '--oidc-issuer=https://token.actions.githubusercontent.com'
+ - '--output-certificate=${certificate}'
+ - '--output-signature=${signature}'
+ - '${artifact}'
 docker_signs:
-- artifacts: manifests
- stdin: '{{ .Env.COSIGN_PWD }}'
- args: ["sign", "-key=/tmp/goreleaser_cosign.key", "${artifact}"]
+- cmd: cosign
+ env:
+ - COSIGN_EXPERIMENTAL=1
+ artifacts: manifests
+ args:
+ - 'sign'
+ - '--oidc-issuer=https://token.actions.githubusercontent.com'
+ - '${artifact}'
 changelog:
 sort: asc
@@ -181,8 +192,6 @@ checksum:
 name_template: 'checksums.txt'
 release:
- extra_files:
- - glob: cosign.pub
 footer: |
 **Full Changelog**: https://github.com/goreleaser/nfpm/compare/{{ .PreviousTag }}...{{ .Tag }}
diff --git a/scripts/vercel/build.sh b/scripts/vercel/build.sh
index 5298a4ad..01bd024c 100755
--- a/scripts/vercel/build.sh
+++ b/scripts/vercel/build.sh
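Review bot: The job-level `permissions:` block added after `needs:` lists only `contents: write` and `id-token: write`; once a job declares permissions, every scope it does not list is reduced to no access, so if this job pushes the container images to ghcr.io with `GITHUB_TOKEN` it now also needs `packages: write`. If the registry login uses a separate secret instead, the block is complete as written, and `id-token: write` is exactly the scope the keyless cosign signing in `.goreleaser.yml` depends on. I would record that dependency inline so nobody trims it later: `# id-token: write lets cosign obtain the GitHub OIDC token for keyless signing`. The enclosing job starts before this hunk.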
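Review bot: The `artifacts:` selector disappears from the `signs` entry (the old `artifacts: checksum` line is removed and nothing replaces it), so what gets signed now rests on goreleaser's default, which I believe is `checksum` but is not stated anywhere in the file. Keep it explicit so a default change cannot silently widen or narrow the signed set: `artifacts: checksum` next to `certificate: '${artifact}.pem'`. A short comment above `signs:` would also help consumers of the release: the certificate written to `${artifact}.pem` is, as far as I understand keyless signing, bound to the workflow identity that the build workflow's `id-token: write` provisions, and verifiers should check that identity and issuer rather than signature validity alone. The `docker_signs` hunk in this file has the same identity consideration but keeps `artifacts: manifests` explicit.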
@@ -1,3 +1,5 @@
 #!/bin/bash
 set -euo pipefail
+version="$(curl -sSf -H "Authorization: Bearer $GITHUB_TOKEN" "https://api.github.com/repos/goreleaser/nfpm/releases/latest" | jq -r '.tag_name')"
+sed -s'' -i "s/__VERSION__/$version/g" www/docs/install.md
 mkdocs build -f www/mkdocs.yml
diff --git a/www/docs/install.md b/www/docs/install.md
index 6fff2f3f..2098121b 100644
--- a/www/docs/install.md
+++ b/www/docs/install.md
@@ -69,18 +69,22 @@ go install github.com/goreleaser/nfpm/v2/cmd/nfpm@latest
 Download the pre-compiled binaries from the [releases page][releases] and copy them to the desired location.
-## Verifying the binaries
+## Veryifing the artifacts
-All artifacts are checksummed and the checksum file is signed with [cosign][].
+### binaries
-You can verify it using [our public key](https://goreleaser.com/static/goreleaser.pub).
+All artifacts are checksummed and the checksum is signed with [cosign][].
+
+1. Download the files you want, the `checksums.txt` and `checksums.txt.sig` files from the [releases][releases] page:
+ ```sh
+ wget https://github.com/goreleaser/nfpm/releases/download/__VERSION__/checksums.txt
+ wget https://github.com/goreleaser/nfpm/releases/download/__VERSION__/checksums.txt.sig
+ ```
-1. Download the files you want, the `checksums.txt` and `checksums.txt.sig` files from the [releases][releases] page.
 1. Verify the signature:
 ```sh
- cosign verify-blob \
- -key https://goreleaser.com/static/goreleaser.pub \
- -signature checksums.txt.sig \
+ COSIGN_EXPERIMENTAL=1 cosign verify-blob \
+ --signature checksums.txt.sig \
 checksums.txt
 ```
 1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
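Review bot: The new `version=` line uses whatever `jq -r '.tag_name'` prints without checking it: `curl -sSf` does abort on HTTP errors, but a 200 response that ever lacks `tag_name` makes jq print `null`, `pipefail` does not notice, and the following `sed` rewrites every `__VERSION__` in `www/docs/install.md` to `null`, publishing broken download links. The value is also interpolated unescaped into the `s///` expression, so validate it before use: `jq -er '.tag_name'` makes jq exit non-zero on null or false, and a shape check such as `[[ "$version" =~ ^v[0-9]+(\.[0-9]+)*$ ]] || { echo "unexpected tag: $version" >&2; exit 1; }` keeps a stray `/` or `&` out of the sed pattern. Separately, `-s''` is GNU sed's `--separate` flag with an empty string appended by the shell, which looks like a misplaced `-i ''`; on GNU sed plain `-i` is all that is needed.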
@@ -88,19 +92,15 @@ You can verify it using [our public key](https://goreleaser.com/static/gorelease
 sha256sum --ignore-missing -c checksums.txt
 ```
-## Verifying docker images
+### docker images
-Our Docker image is signed with [cosign][].
+Our Docker images are signed with [cosign][].
-You can verify it using [our public key](https://goreleaser.com/static/goreleaser.pub):
+Verify the signature:
 ```sh
-cosign verify \
- -key https://goreleaser.com/static/goreleaser.pub \
- goreleaser/nfpm
-cosign verify \
- -key https://goreleaser.com/static/goreleaser.pub \
- ghcr.io/goreleaser/nfpm
+COSIGN_EXPERIMENTAL=1 cosign verify goreleaser/nfpm
+COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/goreleaser/nfpm
 ```
 ## Running with Docker