fix: add rekor url so signing metadata is publicly available
Signed-off-by: Bence Csati <[email protected]>
csatib02 committed Nov 15, 2024
1 parent ddd5e8e commit 782ebbc
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions .github/workflows/artifacts.yaml
Expand Up @@ -133,7 +133,7 @@ jobs:
images+="${tag}@${DIGEST} "
done
cosign sign --yes ${images}
cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" ${images}
- name: Verify signed image with cosign
if: ${{ inputs.publish && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
Expand All @@ -144,6 +144,7 @@ jobs:
if [ "${{ github.repository }}" == "kube-logging/logging-operator" ]; then
for tag in ${TAGS[@]}; do
cosign verify "${tag}@${DIGEST}" \
--rekor-url "https://rekor.sigstore.dev/" \
--certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/artifacts.yaml@${{ github.ref }}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq
done
Expand All @@ -152,6 +153,7 @@ jobs:
for tag in "${TAGS[@]}"; do
for version in ${versions}; do
cosign verify "${tag}@${DIGEST}" \
--rekor-url "https://rekor.sigstore.dev/" \
--certificate-identity "https://github.com/kube-logging/logging-operator/.github/workflows/artifacts.yaml@refs/tags/${version}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq && break
done
Expand Down Expand Up @@ -276,7 +278,7 @@ jobs:
if: ${{ inputs.publish && inputs.release && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
env:
DIGEST: ${{ steps.push.outputs.digest }}
run: cosign sign --yes "${{ steps.oci-chart-name.outputs.value }}@${DIGEST}"
run: cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" "${{ steps.oci-chart-name.outputs.value }}@${DIGEST}"

- name: Verify signed chart with cosign
if: ${{ inputs.publish && inputs.release && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
Expand All @@ -285,12 +287,14 @@ jobs:
run: |
if [ "${{ github.repository }}" == "kube-logging/logging-operator" ]; then
cosign verify "${{ steps.oci-chart-name.outputs.value }}@${DIGEST}" \
--rekor-url "https://rekor.sigstore.dev/" \
--certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/artifacts.yaml@${{ github.ref }}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq
else
versions=$(curl -s https://api.github.com/repos/kube-logging/logging-operator/releases | jq -r '.[].tag_name')
for version in ${versions}; do
cosign verify "${{ steps.oci-chart-name.outputs.value }}@${DIGEST}" \
--rekor-url "https://rekor.sigstore.dev/" \
--certificate-identity "https://github.com/kube-logging/logging-operator/.github/workflows/artifacts.yaml@refs/tags/${version}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq && break
done
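Review bot: The `cosign verify … | jq` commands that gain `--rekor-url` still report jq's exit status rather than cosign's, so a failed verification is masked unless the step's shell enables `pipefail` — GitHub's default `bash -e {0}` does not, and the `shell:` key for these steps is outside the hunk. In the `else` branches, `… | jq && break` consequently breaks on the first tag regardless of the result, and the loop exits zero when no tag verifies at all. Suggest failing closed by adding `set -o pipefail` as the first line of each `run: |` script and a `|| exit 1` guard after the tag loop, or writing cosign's output to a file and piping that to jq. Separately, the title implies `--rekor-url` is what makes the signature publicly available; as far as I can tell keyless `cosign sign` uploads to the transparency log by default and this flag only pins which instance is used, so if the intent is to guarantee upload the explicit control would be `--tlog-upload=true` — worth confirming against the cosign version the workflow installs.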
