Skip to content

Sign the artifacts (binaries/images) using cosign #2462

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
cpanato opened this issue Jan 6, 2022 · 4 comments · May be fixed by #5793
Open

Sign the artifacts (binaries/images) using cosign #2462

cpanato opened this issue Jan 6, 2022 · 4 comments · May be fixed by #5793
Labels
area: ci PR that update CI enhancement New feature or improvement

Comments

@cpanato
Copy link

cpanato commented Jan 6, 2022

Your feature request related to a problem? Please describe.

Not a problem, is a feature request.

The idea is to sign the release artifacts using cosign when doing the release.
The project is already using GoReleaser and GitHub actions and that makes things easier to implement 😃

This is an initial step for a more secure release and lets the consumers have the ability to verify the release artifacts.

I can help to implement this feature if the team decides to move this idea forward.

Describe the solution you'd like.

Using the current GoRelease config and the GitHub Actions we can sign the binaries/images using a keyless approach and push the signed artifacts all together to the GitHub release.

Describe alternatives you've considered.

n/a

Additional context.

n/a
@cpanato cpanato added the enhancement New feature or improvement label Jan 6, 2022
@boring-cyborg
Copy link

boring-cyborg bot commented Jan 6, 2022

Hey, thank you for opening your first Issue ! 🙂 If you would like to contribute we have a guide for contributors.

@ldez ldez added the area: ci PR that update CI label Jan 7, 2022
@cpanato
Copy link
Author

cpanato commented Jan 26, 2022

Do the maintainers think this is a good idea? i can implement the tiny bits if y'all agree

@scop
Copy link
Contributor

scop commented Apr 25, 2025

I do think it's a good idea, and I'm willing to chime in with the implementation as well.

scop added a commit to scop/golangci-lint that referenced this issue May 10, 2025
@scop
feat: sign release artifacts with cosign
eb49499 
Closes golangci#2462
scop added a commit to scop/golangci-lint that referenced this issue May 11, 2025
@scop
feat: sign release artifacts with cosign
12b2fc0 
Closes golangci#2462
@scop scop linked a pull request May 11, 2025 that will close this issue
Open
@scop
Copy link
Contributor

scop commented May 11, 2025

#5793 implements the binaries part, and #5794 adds verifying support in the installer.

scop added a commit to scop/golangci-lint that referenced this issue May 11, 2025
@scop
feat: sign release artifacts with cosign
6898794 
Refs golangci#2462
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area: ci PR that update CI enhancement New feature or improvement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: sign release artifacts with cosign scop/golangci-lint
3 participants
@scop @cpanato @ldez