ci(goreleaser): sign artifacts with cosign

joshuar · Oct 21, 2023 · d3057bd · d3057bd
1 parent c06af4e
commit d3057bd
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 0 deletions.
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -55,3 +55,4 @@ jobs:
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
diff --git a/.gitignore b/.gitignore
@@ -16,6 +16,7 @@
 !docs/**/*.png
 !tools/*
 !internal/**/*.png
+!cosign.*
 # ...even if they are in subdirectories
 !*/
 

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -15,6 +15,17 @@ builds:
       pre:
         - go generate ./...
 
+signs:
+- cmd: cosign
+  stdin: '{{ .Env.COSIGN_PWD }}'
+  args:
+  - "sign-blob"
+  - "--key=cosign.key"
+  - "--output-signature=${signature}"
+  - "${artifact}"
+  - "--yes" # needed on cosign 2.0.0+
+  artifacts: all
+
 archives:
 - format: binary
 

diff --git a/cosign.key b/cosign.key
@@ -0,0 +1,11 @@
+-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----
+eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjo2NTUzNiwiciI6
+OCwicCI6MX0sInNhbHQiOiJBdWJVSWszUmNGT2MrV0hONnV3U2ltRE14QXkzSlF6
+NHFDT0crdzQwZ0Q0PSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
+Iiwibm9uY2UiOiJEczZHSC92YXRqdWRCRkR6YktRYXgxeFYvUmV0RGJweSJ9LCJj
+aXBoZXJ0ZXh0IjoiSkQxSnhWTEQzWStVekFsaVFBdStsVG55d2l5QzZ6S2k3WXVB
+MXNHbmVRb0dsUHNQeWF0QjYyWTlvNlIybkJURHo4MVpob2hZK2dCQUhzR2FjNWJm
+c1VqWEJVWk1MaW5FVGkxdUZST09OL0poa2xIa2d5UnhrUVc4bzU1RGVxRDNjcjBk
+a0o1VnlsR1hBejdlbDhtR0lxeTZ2NmhwSThueHg0b3dsZlAzM3IxVm1aUW9WejN4
+TmljL3lMb0QxREFJd3I1amo2Ym40L0NaY0E9PSJ9
+-----END ENCRYPTED SIGSTORE PRIVATE KEY-----
diff --git a/cosign.pub b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJVfVTRU9qlJ6F+eZTQO/KSo3bmZn
+ooVnvYAquh44OQbmT87BtzeyvMYj2f8VKj653B5lU6P+lkJ/i72XDK8DuA==
+-----END PUBLIC KEY-----