
Commit 2a4f177

frezboshanduur
authored andcommitted
feat: use image signer
Use `image-signer` to sign images. Signed-off-by: Noel Georgi <git@frezbo.dev> (cherry picked from commit 7e498fa)
1 parent e043e1b commit 2a4f177


1 file changed

+2
-5
lines changed


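--- a/Makefile
+++ b/Makefile
@@ -32,6 +32,7 @@ GENERATE_VEX_PREFIX ?= ghcr.io/siderolabs/generate-vex
 GENERATE_VEX ?= latest
 
 KRES_IMAGE ?= ghcr.io/siderolabs/kres:latest
+IMAGE_SIGNER_IMAGE ?= ghcr.io/siderolabs/image-signer:latest
 CONFORMANCE_IMAGE ?= ghcr.io/siderolabs/conform:latest
 
 PKG_APPARMOR ?= $(PKGS_PREFIX)/apparmor:$(PKGS)
@@ -719,11 +720,7 @@ image-list: ## Prints a list of all images built by this Makefile with digests.
 
 .PHONY: sign-images
 sign-images: ## Run cosign to sign all images built by this Makefile.
-@for image in $(shell $(MAKE) --quiet image-list REGISTRY_AND_USERNAME=$(REGISTRY_AND_USERNAME) IMAGE_TAG_IN=$(IMAGE_TAG_IN)); do \
-echo '==>' $$image; \
-cosign verify $$image --certificate-identity-regexp '@siderolabs\.com$$' --certificate-oidc-issuer https://accounts.google.com || \
-cosign sign --yes $$image; \
-done
+@docker run --pull=always --rm --net=host $(IMAGE_SIGNER_IMAGE) sign $(shell $(MAKE) --quiet image-list REGISTRY_AND_USERNAME=$(REGISTRY_AND_USERNAME) IMAGE_TAG_IN=$(IMAGE_TAG_IN))
 
 .PHONY: reproducibility-test
 reproducibility-test: $(ARTIFACTS)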
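Review bot: The new `sign-images` recipe runs the signing tool from `$(IMAGE_SIGNER_IMAGE)`, which defaults to the mutable `:latest` tag and is re-pulled on every run by `--pull=always`, so whatever is published under that tag at release time executes with host networking and performs the signing. Pinning the default by digest would make the signer reviewable and reproducible, e.g. `IMAGE_SIGNER_IMAGE ?= ghcr.io/siderolabs/image-signer@sha256:<DIGEST_PLACEHOLDER>`. The removed loop verified each image against an identity regexp and OIDC issuer before signing; whether `image-signer sign` performs an equivalent check is not visible here and is worth confirming. The `## Run cosign to sign all images…` help text is also stale now; `## Run image-signer to sign all images built by this Makefile.` would match the recipe.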
