Skip to content

Commit

Permalink
Merge pull request #339 from carvel-dev/sign-release-checksum
Browse files Browse the repository at this point in the history
Added changes to sign artifacts
  • Loading branch information
joaopapereira authored Jan 5, 2024
2 parents 0b54783 + 1bc68b9 commit b63deaf
Show file tree
Hide file tree
Showing 2 changed files with 20 additions and 0 deletions.
9 changes: 9 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ jobs:
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v2
Expand Down Expand Up @@ -85,6 +86,14 @@ jobs:
${checksums['vendir-linux-amd64']} ./vendir-linux-amd64
${checksums['vendir-linux-arm64']} ./vendir-linux-arm64
${checksums['vendir-windows-amd64.exe']} ./vendir-windows-amd64.exe`
- name: Verify checksums signature
run: |
cosign verify-blob \
--cert dist/checksums.txt.pem \
--signature dist/checksums.txt.sig \
--certificate-identity-regexp=https://github.com/carvel-dev \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
dist/checksums.txt
- name: verify uploaded artifacts
if: startsWith(github.ref, 'refs/tags/') && ${{ !env.ACT }}
Expand Down
11 changes: 11 additions & 0 deletions .goreleaser.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,17 @@ checksum:
name_template: 'checksums.txt'
algorithm: sha256
disable: false
signs:
- artifacts: checksum
certificate: '${artifact}.pem'
cmd: cosign
args:
- sign-blob
- "--yes"
- '--output-certificate=${certificate}'
- '--output-signature=${signature}'
- '${artifact}'
output: true
snapshot:
name_template: "{{ .Tag }}-next"
release:
Expand Down

0 comments on commit b63deaf

Please sign in to comment.