add keyless to the binaries and send to tlog and update release docs #1111

Merged
merged 1 commit into from Nov 30, 2021

cpanato
Member

@cpanato cpanato commented Nov 30, 2021

Summary

gomod:
  proxy: true

in the GoReleaser for the build reproducibility, we need to have the tag in place in the repository before running the release

rehearsal: https://github.com/cpanato/cosign/releases/tag/v99.999.03

verify binary with the keyless sig

$ COSIGN_EXPERIMENTAL=true ./cosign-darwin-amd64 verify-blob --signature cosign-darwin-amd64-keyless.sig cosign-darwin-amd64
Certificate is trusted by Fulcio Root CA
Email: [keyless@cpanato-general.iam.gserviceaccount.com]
Issuer:  https://accounts.google.com
Verified OK
tlog entry verified with uuid: "4589d09ed6769db6d1015ae2375ee1ec445a33c44290e361f150cdcce57cea9f" index: 900512

verify image with the keyless

$ COSIGN_EXPERIMENTAL=true cosign verify gcr.io/cpanato-general/cosign:v99.999.03

Verification for gcr.io/cpanato-general/cosign:v99.999.03 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.

[{"critical":{"identity":{"docker-reference":"gcr.io/cpanato-general/cosign"},"image":{"docker-manifest-digest":"sha256:d8fc8697f0466e5c151c2e06a8a376780f8aa8fe8066fb625d7f264a02e8f893"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEUCIGAOTP7H9DxvsqvOHbbgy26IdFMcpogcTWpaAhKAuBXfAiEAijBqkQ9sSkiT3OEyGo/U0sQR+8GX4gFbWVd/utymTWs=","Payload":{"body":"...","integratedTime":1638267246,"logIndex":900552,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"GIT_HASH":"cd4152018546142532fcf2cc97206b17e951552f","GIT_VERSION":"v99.999.03","Issuer":"https://accounts.google.com","Subject":"keyless@cpanato-general.iam.gserviceaccount.com"}}]

Ticket Link

Fixes

Release Note

add keyless to the binaries and send to tlog and update release docs

Signed-off-by: Carlos Panato <ctadeu@gmail.com>
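
Added example, not part of this pull request or of cosign's own code: the `cosign verify` output above reports the signer's `Issuer` and `Subject`, and a consumer who expects one specific release identity can check those fields, together with the image reference, on every returned payload. The function names and the sample payloads (placeholder digest, made-up second signer) are constructed for illustration and follow the field layout of the output above.

```python
import json

SIG_TYPE = "cosign container image signature"


def sample_payload(subject):
    """Build a constructed payload shaped like the verify output above."""
    return {
        "critical": {
            "identity": {"docker-reference": "gcr.io/cpanato-general/cosign"},
            "image": {"docker-manifest-digest": "sha256:" + "0" * 64},  # placeholder
            "type": SIG_TYPE,
        },
        "optional": {"Issuer": "https://accounts.google.com", "Subject": subject},
    }


# Constructed sample: one payload from the release identity seen above,
# one from a made-up signer that should not be trusted for this image.
SAMPLE_OUTPUT = json.dumps([
    sample_payload("keyless@cpanato-general.iam.gserviceaccount.com"),
    sample_payload("someone-else@example.com"),
])


def pinned_signatures(verify_output, repo, issuer, subject):
    """Split payloads into (accepted, rejected); rejected carry failed check names."""
    accepted, rejected = [], []
    for payload in json.loads(verify_output):
        critical = payload.get("critical") or {}
        optional = payload.get("optional") or {}
        checks = {
            "type": critical.get("type") == SIG_TYPE,
            "docker-reference":
                (critical.get("identity") or {}).get("docker-reference") == repo,
            "Issuer": optional.get("Issuer") == issuer,
            "Subject": optional.get("Subject") == subject,
        }
        failed = [name for name, ok in checks.items() if not ok]
        if failed:
            rejected.append((payload, failed))
        else:
            accepted.append(payload)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = pinned_signatures(
        SAMPLE_OUTPUT, "gcr.io/cpanato-general/cosign",
        "https://accounts.google.com",
        "keyless@cpanato-general.iam.gserviceaccount.com")
    print(len(ok), "accepted;", [why for _, why in bad], "rejected")
```

Exact string equality on `Subject` and `Issuer` is deliberate: a prefix or substring match would accept look-alike identities.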