-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Signature verification added for kapp-controller artifacts #1417
Conversation
94fe6fc
to
6264848
Compare
3720219
to
247fa2f
Compare
f4a0238
to
0530798
Compare
Signed-off-by: rcmadhankumar <[email protected]>
0530798
to
0067625
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall looks good. Suggested a small change, we can do it later in a separate PR as well.
contents: write | ||
packages: write |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need these permissions?
RELEASE_NOTES_UPLOADED=$(gh release view $RELEASE_TAG --json body | jq -r '.body') | ||
RELEASE_NOTES+=$RELEASE_NOTES_UPLOADED | ||
echo "$RELEASE_NOTES" > release_notes.txt | ||
gh release edit $RELEASE_TAG --notes-file release_notes.txt |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently we generate a file checksums-formatted.txt in the ``Add to formatted checksum` step, and then use this as the body while creating the draft release. Maybe we should have one common file to aggregate everything and then create a draft release? (We won't have to update the release notes then.)
Signed-off-by: rcmadhankumar <[email protected]>
created a new PR and it is merged: #1463 |
What this PR does / why we need it:
Added signature verification for Kapp-controller's release artifacts.
Which issue(s) this PR fixes:
Fixes #1341 #1343
Does this PR introduce a user-facing change?
Additional Notes for your reviewer:
Release notes will looks like this:
Installation and signature verification
Installation of kctrl
By downloading binary from the release
For instance, if you are using Linux on an AMD64 architecture:
Via Homebrew (macOS or Linux)
Verify checksums file signature
Install cosign on your system https://docs.sigstore.dev/system_config/installation/
The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:
Verify binary integrity
To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature. For instance, if you are using Linux on an AMD64 architecture:
# Verify the binary using the checksums file sha256sum -c checksums.txt --ignore-missing
Installation of kapp-controller
kapp-controller can be installed by using kapp
or by using kubectl
Container Images
Kapp-controller and Kapp-controller-package-bundle images are available in Github Container Registry.
OCI Image URLs
Verify container image signature
The container images are signed using Cosign with GitHub OIDC. To validate the signature of OCI images, run the following commands:
📂 Files Checksum
Full Changelog: https://github.com/rcmadhankumar/kapp-controller/commits/v0.0.1
Review Checklist:
a link to that PR
change
Additional documentation e.g., Proposal, usage docs, etc.: