feat(release): sign checksums.txt with cosign keyless signing#903
Draft
mcdgavin wants to merge 1 commit into
Draft
feat(release): sign checksums.txt with cosign keyless signing#903mcdgavin wants to merge 1 commit into
mcdgavin wants to merge 1 commit into
Conversation
Sign releases via Sigstore keyless signing: goreleaser invokes cosign sign-blob on checksums.txt using the release workflow's GitHub OIDC identity, so there is no signing key to store or rotate. Each release gains checksums.txt.sig and checksums.txt.pem, and the signature is recorded in the Rekor transparency log. install-cli.sh verifies the signature opportunistically: when cosign is installed it pins the certificate identity to this repo's release workflow at the exact version tag, aborting on an invalid signature. Releases that predate signing (no .sig/.pem assets) and systems without cosign fall back to the existing checksum-only verification.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow-up to #880, which verifies archives against
checksums.txt— but the checksums file ships alongside the archive in the same release, so it can't detect substituted release assets. This PR signs releases so the checksums are bound to an identity an attacker can't forge.Approach: keyless (Sigstore) signing of
checksums.txt.goreleaser.yaml: asignssection runscosign sign-blobonchecksums.txtduring release. Keyless — cosign uses the release workflow's GitHub OIDC identity, so there is no signing key to store or rotate. Each release gainschecksums.txt.sig+checksums.txt.pem, and the signature is recorded in the Rekor transparency log. Since every archive is listed inchecksums.txt, one signature covers all release artifacts..github/workflows/release.yaml: addsid-token: writeand asigstore/cosign-installerstep (pinned by SHA, matching repo convention).install-cli.sh: opportunistic verification layered on the existing checksum check. When cosign is installed, it verifies the signature with the certificate identity pinned to this repo's release workflow at the exact version tag, aborting on an invalid signature. When cosign is absent, or the release predates signing (no.sigasset), it logs a skip and falls back to checksum-only — nothing breaks for existing releases.Manual verification for users:
cosign verify-blob \ --certificate checksums.txt.pem --signature checksums.txt.sig \ --certificate-identity-regexp '^https://github.com/livekit/livekit-cli/\.github/workflows/release\.yaml@.*$' \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ checksums.txtTesting
goreleaser checkpasses on the modified config.install-cli.shblock was exercised in isolation across all four paths (no cosign → skip; sig missing → skip; valid sig → continue; invalid sig → abort).v0.0.0-signing-test) before the next real release.Possible follow-ups (out of scope here)
dockerjob (same keyless flow on the pushed digest).actions/attest-build-provenance) as a cheap complement — users could verify withgh attestation verify.