Skip to content

feat: sign release artifacts with cosign #5793

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: sign release artifacts with cosign #5793

wants to merge 1 commit into from

Conversation

@scop
Copy link
Contributor

@scop scop commented May 11, 2025
edited by ldez
Loading

@scop scop mentioned this pull request May 11, 2025
Closed
scop
scop commented May 11, 2025
View reviewed changes
.goreleaser.yml
For key updates, see the [changelog](https://golangci-lint.run/product/changelog/#{{ .Major }}{{ .Minor }}{{ .Patch }}).
signs:
Copy link
Contributor Author

@scop scop May 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Non-CI goreleaser release runs should likely be done with --skip sign in order to not break after we add this.

scop
scop commented May 11, 2025
View reviewed changes
.goreleaser.yml
signs:
- signature: ${artifact}.cosign.bundle
cmd: cosign
Copy link
Contributor Author

@scop scop May 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess some docs how to verify downloads with cosign would not hurt. But we don't have any for verifying the sha256sums either, so not sure. #5806 contains changes for verifying in the installer script.

@scop scop mentioned this pull request May 11, 2025
Open
@scop scop force-pushed the feat/cosign-artifacts branch from 12b2fc0 to 6898794 Compare May 11, 2025 13:37
@ldez ldez self-requested a review May 11, 2025 15:40
@ldez ldez added area: install Issue relates to installation or downloading process area: ci PR that update CI labels May 11, 2025
@scop scop mentioned this pull request May 15, 2025
Draft
@CLAassistant
Copy link

CLAassistant commented May 20, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@scop scop force-pushed the feat/cosign-artifacts branch from 6898794 to 840da20 Compare May 23, 2025 13:38
@scop scop force-pushed the feat/cosign-artifacts branch from 840da20 to 7d7647b Compare May 23, 2025 13:40
@scop
Copy link
Contributor Author

scop commented May 23, 2025

Rebased and switched to the new bundle format.

@ldez
Copy link
Member

ldez commented Sep 17, 2025
edited
Loading

I don't forget this PR, but each time I look at it, I'm stuck with the same problems/questions.

  1. Adding a new element inside the release process introduces a new risk of release failure.
  2. The goreleaser configuration inside this PR is different than the suggested one, I don't know why, and I don't find clear references with this configuration.

@ldez ldez added the waiting for: contributor feedback Requires additional feedback label Sep 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ldez ldez Awaiting requested review from ldez

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

area: ci PR that update CI area: install Issue relates to installation or downloading process waiting for: contributor feedback Requires additional feedback

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Sign the artifacts (binaries/images) using cosign

3 participants

@scop @CLAassistant @ldez