This repository was archived by the owner on Oct 3, 2023. It is now read-only.

Commit eb75bb7

committed
Added supply chain checks to gitsign
1 parent 15f7fc6 commit eb75bb7

1 file changed

+55
-1
lines changed

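--- a/tools/gitsign/Dockerfile.template
+++ b/tools/gitsign/Dockerfile.template
@@ -1,8 +1,11 @@
 #syntax=docker/dockerfile:1.4.3
 
 ARG ref=main
-FROM ghcr.io/nicholasdille/docker-setup/base:${ref} AS prepare
 
+FROM ghcr.io/nicholasdille/docker-setup/cosign:${ref} AS cosign
+
+FROM ghcr.io/nicholasdille/docker-setup/base:${ref} AS prepare
+COPY --link --from=cosign / /
 ARG name
 ARG version
 COPY <<EOF /etc/profile.d/gitsign-credential-cache
@@ -15,11 +18,62 @@ fi
 export GITSIGN_CREDENTIAL_CACHE="${HOME}/.cache/.sigstore/gitsign/cache.sock"
 EOF
 RUN <<EOF
+echo "### Installing gitsign ${version}"
 curl --silent --location --output "${prefix}${target}/bin/gitsign" \
 "https://github.com/sigstore/gitsign/releases/download/v${version}/gitsign_${version}_linux_${alt_arch}"
 chmod +x "${prefix}${target}/bin/gitsign"
 
+echo "### Checking keyless signature for gitsign ${version}"
+curl --silent --location --fail --output "gitsign_${version}_linux_${alt_arch}.pem" \
+"https://github.com/sigstore/gitsign/releases/download/v${version}/gitsign_${version}_linux_${alt_arch}.pem"
+curl --silent --location --fail --output "gitsign_${version}_linux_${alt_arch}.sig" \
+"https://github.com/sigstore/gitsign/releases/download/v${version}/gitsign_${version}_linux_${alt_arch}.sig"
+SHA="$(
+curl "https://api.github.com/repos/sigstore/gitsign/git/matching-refs/tags/v${version}" \
+--silent \
+--location \
+| jq --raw-output '.[].object.sha'
+)"
+echo " Using SHA ${SHA} for gitsign ${version}"
+COSIGN_EXPERIMENTAL=1 cosign verify-blob \
+--cert "gitsign_${version}_linux_${alt_arch}.pem" \
+--signature "gitsign_${version}_linux_${alt_arch}.sig" \
+--certificate-oidc-issuer https://token.actions.githubusercontent.com \
+--certificate-identity "https://github.com/sigstore/gitsign/.github/workflows/release.yml@refs/tags/v${version}" \
+--certificate-github-workflow-name Release \
+--certificate-github-workflow-ref "refs/tags/v${version}" \
+--certificate-github-workflow-repository "sigstore/gitsign" \
+--certificate-github-workflow-sha "${SHA}" \
+--certificate-github-workflow-trigger push \
+"${prefix}${target}/bin/gitsign"
+rm -f "gitsign_${version}_linux_${alt_arch}.pem" "gitsign_${version}_linux_${alt_arch}.sig"
+
+echo "### Installing gitsign-credential-cache ${version}"
 curl --silent --location --output "${prefix}${target}/bin/gitsign-credential-cache" \
 "https://github.com/sigstore/gitsign/releases/download/v${version}/gitsign-credential-cache_${version}_linux_${alt_arch}"
 chmod +x "${prefix}${target}/bin/gitsign-credential-cache"
+
+echo "### Checking keyless signature for gitsign-credential-cache ${version}"
+curl --silent --location --fail --output "gitsign_${version}_linux_${alt_arch}.pem" \
+"https://github.com/sigstore/gitsign/releases/download/v${version}/gitsign_${version}_linux_${alt_arch}.pem"
+curl --silent --location --fail --output "gitsign_${version}_linux_${alt_arch}.sig" \
+"https://github.com/sigstore/gitsign/releases/download/v${version}/gitsign_${version}_linux_${alt_arch}.sig"
+SHA="$(
+curl "https://api.github.com/repos/sigstore/gitsign/git/matching-refs/tags/v${version}" \
+--silent \
+--location \
+| jq --raw-output '.[].object.sha'
+)"
+COSIGN_EXPERIMENTAL=1 cosign verify-blob \
+--cert "gitsign_${version}_linux_${alt_arch}.pem" \
+--signature "gitsign_${version}_linux_${alt_arch}.sig" \
+--certificate-oidc-issuer https://token.actions.githubusercontent.com \
+--certificate-identity "https://github.com/sigstore/gitsign/.github/workflows/release.yml@refs/tags/v${version}" \
+--certificate-github-workflow-name Release \
+--certificate-github-workflow-ref "refs/tags/v${version}" \
+--certificate-github-workflow-repository "sigstore/gitsign" \
+--certificate-github-workflow-sha "${SHA}" \
+--certificate-github-workflow-trigger push \
+"${prefix}${target}/bin/gitsign-credential-cache"
+rm -f "gitsign_${version}_linux_${alt_arch}.pem" "gitsign_${version}_linux_${alt_arch}.sig"
 EOF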
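Review bot: The gitsign-credential-cache check (new lines 57–78) downloads and verifies `gitsign_${version}_linux_${alt_arch}.pem`/`.sig` — the certificate and signature of the gitsign binary — against `${prefix}${target}/bin/gitsign-credential-cache`, so it can never verify the artifact it is meant to cover; the asset name must be `gitsign-credential-cache_${version}_linux_${alt_arch}` in both downloads, the `--cert`/`--signature` flags and the `rm -f`. The heredoc also carries no `set -e` (the RUN body is fully visible, new lines 20–79), so a failing `cosign verify-blob` or `curl` does not abort the build unless the base image's default shell already exits on error, and the unverified binary stays installed; putting `set -e` as the first line of the heredoc closes that, and the two binary downloads (new lines 22 and 52) should take `--fail` like the .pem/.sig ones so an error page is not saved as an executable. The `SHA` lookup in new lines 31–36 is repeated verbatim in 61–66 as a second unauthenticated API call; computing it once, with `--fail` on the `curl`, avoids passing an empty value to `--certificate-github-workflow-sha` when the API rate-limits.
```dockerfile
RUN <<EOF
set -e
# … unchanged: gitsign download, SHA lookup, verification and cleanup …

echo "### Checking keyless signature for gitsign-credential-cache ${version}"
asset="gitsign-credential-cache_${version}_linux_${alt_arch}"
curl --silent --location --fail --output "${asset}.pem" \
    "https://github.com/sigstore/gitsign/releases/download/v${version}/${asset}.pem"
curl --silent --location --fail --output "${asset}.sig" \
    "https://github.com/sigstore/gitsign/releases/download/v${version}/${asset}.sig"
# … unchanged: keep every --certificate-* flag from the gitsign check between --signature and the blob path …
COSIGN_EXPERIMENTAL=1 cosign verify-blob \
    --cert "${asset}.pem" \
    --signature "${asset}.sig" \
    "${prefix}${target}/bin/gitsign-credential-cache"
rm -f "${asset}.pem" "${asset}.sig"
EOF
```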
