Use cosign for artifact verification

yankeexe · Feb 6, 2022 · 19abc2c · 19abc2c
1 parent 2791943
commit 19abc2c
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 9 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -11,6 +11,10 @@ permissions:
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+      packages: write
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -19,7 +23,9 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.16
+          go-version: 1.17
+
+      - uses: sigstore/cosign-installer@v2.0.0
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -1,31 +1,41 @@
+project_name: air
 before:
   hooks:
     - go mod tidy
     - go generate ./...
 builds:
   - ldflags:
       - -s -w -X "github.com/yankeexe/air-quality-cli/cmd.Version={{.Tag}}"
-    binary: air
     env:
       - CGO_ENABLED=0
     goos:
       - linux
       - windows
       - darwin
+
 archives:
-  - replacements:
-      darwin: Darwin
-      linux: Linux
-      windows: Windows
-      386: i386
-      amd64: x86_64
+  - format: binary
+
 checksum:
   name_template: "checksums.txt"
 snapshot:
-  name_template: "{{ .Tag }}-next"
+  name_template: "{{ .Tag }}-local"
 changelog:
   sort: asc
   filters:
     exclude:
       - "^docs:"
       - "^test:"
+
+signs:
+- cmd: cosign
+  env:
+  - COSIGN_EXPERIMENTAL=1
+  certificate: '${artifact}.pem'
+  output: true
+  artifacts: checksum
+  args:
+    - sign-blob
+    - '--output-certificate=${certificate}'
+    - '--output-signature=${signature}'
+    - '${artifact}'
diff --git a/README.md b/README.md
@@ -12,6 +12,36 @@ Get Air Quality index for your City.
 curl -f https://raw.githubusercontent.com/yankeexe/air-quality-cli/master/install.sh | sudo sh
 ```
 
+### Manual Installation
+Download the [latest release](https://github.com/yankeexe/air-quality-cli/releases).
+
+
+### Verification of artifacts
+
+All artifacts are checksummed and the checksum file is signed with [cosign](https://github.com/sigstore/cosign#installation) (keyless).
+
+* Download checksum and sig file for verification.
+
+  ```bash
+  wget https://github.com/yankeexe/air-quality-cli/releases/download/v0.0.6/checksums.txt
+
+  wget https://github.com/yankeexe/air-quality-cli/releases/download/v0.0.6/checksums.txt.sig
+  ```
+* Verify the signature
+
+  ```bash
+  COSIGN_EXPERIMENTAL=1 cosign verify-blob --signature checksums.txt.sig checksums.txt
+  ```
+  If the signature is valid, verify the SHA256 match with the downloaded binary.
+
+* Verify Downloaded Binary
+
+  Store downloaded binary on the same dir as `checksums.txt`
+  ```bash
+  sha256sum --ignore-missing -c checksums.txt
+  ```
+
+
 <img src="https://i.imgur.com/FsnXPXw.png" width="800" />
 
 ## Contents