From 19abc2ce1da50c35fca9a3506a721ec59075dcac Mon Sep 17 00:00:00 2001 From: Yankee Maharjan Date: Sun, 6 Feb 2022 09:41:16 +0545 Subject: [PATCH] Use cosign for artifact verification --- .github/workflows/release.yaml | 8 +++++++- .goreleaser.yml | 26 ++++++++++++++++++-------- README.md | 30 ++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+), 9 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 6643139..453c4de 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -11,6 +11,10 @@ permissions: jobs: goreleaser: runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + packages: write steps: - name: Checkout uses: actions/checkout@v2 @@ -19,7 +23,9 @@ jobs: - name: Set up Go uses: actions/setup-go@v2 with: - go-version: 1.16 + go-version: 1.17 + + - uses: sigstore/cosign-installer@v2.0.0 - name: Run GoReleaser uses: goreleaser/goreleaser-action@v2 with: diff --git a/.goreleaser.yml b/.goreleaser.yml index 517045c..7f5581a 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -1,3 +1,4 @@ +project_name: air before: hooks: - go mod tidy @@ -5,27 +6,36 @@ before: builds: - ldflags: - -s -w -X "github.com/yankeexe/air-quality-cli/cmd.Version={{.Tag}}" - binary: air env: - CGO_ENABLED=0 goos: - linux - windows - darwin + archives: - - replacements: - darwin: Darwin - linux: Linux - windows: Windows - 386: i386 - amd64: x86_64 + - format: binary + checksum: name_template: "checksums.txt" snapshot: - name_template: "{{ .Tag }}-next" + name_template: "{{ .Tag }}-local" changelog: sort: asc filters: exclude: - "^docs:" - "^test:" + +signs: +- cmd: cosign + env: + - COSIGN_EXPERIMENTAL=1 + certificate: '${artifact}.pem' + output: true + artifacts: checksum + args: + - sign-blob + - '--output-certificate=${certificate}' + - '--output-signature=${signature}' + - '${artifact}' diff --git a/README.md b/README.md index a04bc67..27c0b1a 100644 --- a/README.md +++ b/README.md 
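Review bot: The new job-level block grants `packages: write`, but nothing in this commit publishes a package — the .goreleaser.yml hunks in the same patch show no `dockers:` or other registry stanza, so the grant looks unused. `contents: write` (release asset upload) and `id-token: write` (OIDC token for keyless cosign) are the two the pipeline visibly needs; trimming the block to `permissions:` / `contents: write` / `id-token: write` keeps a compromised release run from also being able to push to GHCR. If a package publish is planned, a comment on the `packages: write` line saying so would stop the next reviewer from removing it. Note that a job-level `permissions:` replaces, rather than merges with, the workflow-level block referenced in the hunk header context.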
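Review bot: `sigstore/cosign-installer@v2.0.0` is pinned to a mutable tag, which is the weakest pin for a step that runs with `id-token: write` and `contents: write` — if that tag were moved, a modified installer would sign releases under this workflow's OIDC identity. Pin the action to a full commit SHA and keep the tag as a comment, `- uses: sigstore/cosign-installer@<full commit sha>  # v2.0.0`, and consider also setting the installer's `cosign-release` input so the cosign version used for signing is explicit and reproducible (presumably the action installs a default version when it is unset — confirm against the action's README). The pre-existing `@v2` pins on checkout, setup-go and goreleaser-action have the same weakness but are outside this change.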
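Review bot: The `signs:` stanza publishes the Fulcio certificate beside the signature (`certificate: '${artifact}.pem'`, `--output-certificate=${certificate}`) but nothing documents what that certificate asserts, and the verification recipe added to README.md in this same commit runs `cosign verify-blob` without `--cert checksums.txt.pem` or any identity constraint, so it presumably accepts any keyless signature over the checksum file found in the transparency log rather than one from this workflow. A comment above `signs:` would make the contract explicit for whoever maintains the README and for verifiers: `# Keyless (Fulcio/Rekor) signing of checksums.txt only; the published .pem binds the signature to this workflow's OIDC identity, so verifiers must check the certificate identity, not just that a signature validates.` Since `artifacts: checksum` signs only checksums.txt, the binaries are covered solely through the sha256sum step, which is fine but worth stating in the same comment.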
@@ -12,6 +12,36 @@ Get Air Quality index for your City. curl -f https://raw.githubusercontent.com/yankeexe/air-quality-cli/master/install.sh | sudo sh ``` +### Manual Installation +Download the [latest release](https://github.com/yankeexe/air-quality-cli/releases). + + +### Verification of artifacts + +All artifacts are checksummed and the checksum file is signed with [cosign](https://github.com/sigstore/cosign#installation) (keyless). + +* Download checksum and sig file for verification. + + ```bash + wget https://github.com/yankeexe/air-quality-cli/releases/download/v0.0.6/checksums.txt + + wget https://github.com/yankeexe/air-quality-cli/releases/download/v0.0.6/checksums.txt.sig + ``` +* Verify the signature + + ```bash + COSIGN_EXPERIMENTAL=1 cosign verify-blob --signature checksums.txt.sig checksums.txt + ``` + If the signature is valid, verify the SHA256 match with the downloaded binary. + +* Verify Downloaded Binary + + Store downloaded binary on the same dir as `checksums.txt` + ```bash + sha256sum --ignore-missing -c checksums.txt + ``` + + ## Contents