diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 607bee50..60630340 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,6 +11,7 @@ jobs: # Set permissions of github token. See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions permissions: contents: write + id-token: write steps: - name: Checkout uses: actions/checkout@v2 @@ -21,6 +22,10 @@ jobs: uses: actions/setup-go@v3 with: go-version: 1.21.3 + + - name: Set up Cosign + uses: sigstore/cosign-installer@v3 + - name: Retrieve version run: | echo "TAG_NAME=$(echo ${{ github.ref }} | grep -Eo 'v[0-9].*')" >> $GITHUB_OUTPUT @@ -89,6 +94,14 @@ jobs: ${checksums['kbld-linux-arm64']} ./kbld-linux-arm64 ${checksums['kbld-windows-amd64.exe']} ./kbld-windows-amd64.exe ${checksums['kbld-windows-arm64.exe']} ./kbld-windows-arm64.exe` + + - name: Verify checksums signature + run: | + cosign verify-blob \ + --cert dist/checksums.txt.pem \ + --signature dist/checksums.txt.sig \ + --certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com ./dist/checksums.txt - name: verify uploaded artifacts if: startsWith(github.ref, 'refs/tags/') diff --git a/.goreleaser.yml b/.goreleaser.yml index 9fa1e1fe..d80b568d 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -31,6 +31,17 @@ checksum: name_template: 'checksums.txt' algorithm: sha256 disable: false +signs: + - artifacts: checksum + certificate: '${artifact}.pem' + cmd: cosign + args: + - sign-blob + - "--yes" + - '--output-certificate=${certificate}' + - '--output-signature=${signature}' + - '${artifact}' + output: true snapshot: name_template: "{{ .Tag }}-next" release: