feat(release): cosign-sign published docker images #139
Open
mvanhorn wants to merge 1 commit into Infisical:main from
Conversation
Adds a `docker_signs` block to `.goreleaser.yml` so each released image gets a keyless cosign signature (same OIDC trust chain as the existing checksum signing). Updates the release footer with the `cosign verify` command for users. Refs Infisical#108 (item 9)
Summary
Adds a `docker_signs` block to `.goreleaser.yml` so each released Docker image (and the multi-arch manifest list) gets a keyless cosign signature, using the same OIDC trust chain already wired up for `checksums.txt`. Updates the release footer with a `cosign verify` example for users. Refs #108 (item 9). Per the maintainer's reply on that issue: "it'd be great if you could raise separate PRs for 8, 9, and 10."
Why this matters
Per #108:
The release workflow (`.github/workflows/release.yml`) already installs cosign and grants `id-token: write` for keyless signing, so this change reuses the existing trust chain — no new permissions, no new infra. Pulled images can be verified before they execute, which closes the same class of supply-chain risk the existing checksum signing closes for binary archives.

Changes
- `.goreleaser.yml`: `docker_signs:` block with `artifacts: all` (signs both per-arch images and the manifest list) using `cosign sign --yes ${artifact}@${digest}`. Same shape as the existing `signs:` block to keep the file consistent.
- `cosign verify` example for `infisical/agent-vault:{{ .Version }}`, mirroring the existing `cosign verify-blob` example.

Testing
- `goreleaser check`: 1 configuration file(s) validated. (Pre-existing deprecation notices about `dockers_v2` are unrelated to this PR.)
- `docker_signs` registers correctly: `{cmd: cosign, artifacts: all, args: [sign, --yes, ${artifact}@${digest}]}`.
- End-to-end signing can only be exercised via a real tag push (`on: push: tags: v*`). Suggest cutting an RC tag (e.g. `v0.13.1-rc1`) on a branch to confirm signatures publish correctly before the next prod release.

Order with #8 and #10
Item 8 (`attest-build-provenance`) is in #138; this is item 9 (independent of #138, can land in either order). Item 10 (`install.sh` cosign + checksum verify) is best landed after #138 so it can prefer `gh attestation verify`.

Fixes #108
This contribution was developed with AI assistance.
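An added example, not the PR's diff and not the project's real `.goreleaser.yml`, of how the pieces the description refers to fit together: the existing keyless `signs:` block for `checksums.txt`, the new `docker_signs:` block signing by digest, and a release footer whose `cosign verify` pins the signing identity and issuer rather than accepting any Sigstore certificate. The repository path `Infisical/agent-vault` is an assumption used to build the identity regexp; the workflow file name comes from the PR text.

```yaml
# Added example, not the project's actual .goreleaser.yml.
# Assumption: the release workflow runs from github.com/Infisical/agent-vault
# (substitute the real owner/repo) and lives at .github/workflows/release.yml.

# Existing shape: keyless sign-blob over checksums.txt, emitting a .sig and the
# short-lived Fulcio certificate next to it so verify-blob can check both.
signs:
  - cmd: cosign
    artifacts: checksum
    certificate: "${artifact}.pem"
    args:
      - sign-blob
      - "--output-signature=${signature}"
      - "--output-certificate=${certificate}"
      - "--yes"
      - "${artifact}"

# New: keyless signatures for every pushed image. `artifacts: all` covers the
# per-arch images and the multi-arch manifest list. Signing ${artifact}@${digest}
# binds the signature to immutable content, not to a tag that can be re-pointed.
docker_signs:
  - cmd: cosign
    artifacts: all
    args:
      - sign
      - "--yes"
      - "${artifact}@${digest}"

release:
  footer: |
    ## Verifying the container image

    A keyless signature only means something if you pin who signed it. The
    identity regexp is anchored at the start so a repository whose name merely
    begins with `Infisical/agent-vault` cannot match, and it requires a tag ref
    so a signature produced from a branch build of the same workflow is rejected:

        cosign verify \
          --certificate-oidc-issuer https://token.actions.githubusercontent.com \
          --certificate-identity-regexp '^https://github\.com/Infisical/agent-vault/\.github/workflows/release\.yml@refs/tags/v' \
          infisical/agent-vault:{{ .Version }}

    Take the manifest digest from the verify output and pull the image by
    `@sha256:...`, not by the tag you just verified.
```

Two things worth keeping in mind when adapting this. `--certificate-identity-regexp` is matched as a Go regular expression against the certificate's subject, so leave the leading `^` in place; dropping it is the common mistake that turns identity pinning into a substring check. If you would rather avoid regular expressions entirely, `--certificate-identity` takes the exact subject, but that subject ends in the tag (`@refs/tags/v1.2.3`), so it changes with every release and the footer would have to template it per version.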