sign binaries and images with sigstore cosign
also generate sboms for archives and packages

Signed-off-by: cpanato <[email protected]>
cpanato committed Oct 5, 2022
1 parent 3c8067e commit 4354c38
Showing 2 changed files with 72 additions and 1 deletion.
24 changes: 24 additions & 0 deletions .goreleaser.yaml
@@ -1,4 +1,6 @@
project_name: opentelemetry-collector-releases
env:
- COSIGN_EXPERIMENTAL=true
builds:
- id: otelcol
goos:
Expand Down Expand Up @@ -290,3 +292,25 @@ docker_manifests:
.Version }}-arm64
- ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:{{
.Version }}-ppc64le
signs:
- cmd: cosign
args:
- sign-blob
- --output-signature
- ${artifact}.sig
- --output-certificate
- ${artifact}.pem
- ${artifact}
signature: ${artifact}.sig
artifacts: all
certificate: ${artifact}.pem
docker_signs:
- args:
- sign
- ${artifact}
artifacts: all
sboms:
- id: archive
artifacts: archive
- id: package
artifacts: package
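Review bot: The `docker_signs` entry passes the bare `${artifact}` to `cosign sign`, which for an image is a tag reference, so the signature lands on whatever digest that tag resolves to at signing time rather than on the digest that was just pushed. If the GoReleaser version used for releases exposes the `${digest}` template variable, `- ${artifact}@${digest}` pins the signature to the pushed content. Separately, `COSIGN_EXPERIMENTAL=true` selects keyless signing, which needs an OIDC identity token in the release job. The workflow is not among the two changed files, so whether that job grants `id-token: write` cannot be confirmed from this page.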
49 changes: 48 additions & 1 deletion cmd/goreleaser/internal/configure.go
Expand Up @@ -39,12 +39,15 @@ func Generate(imagePrefixes []string, dists []string) config.Project {
Checksum: config.Checksum{
NameTemplate: "{{ .ProjectName }}_checksums.txt",
},

Env: []string{"COSIGN_EXPERIMENTAL=true"},
Builds: Builds(dists),
Archives: Archives(dists),
NFPMs: Packages(dists),
Dockers: DockerImages(imagePrefixes, dists),
DockerManifests: DockerManifests(imagePrefixes, dists),
Signs: Sign(),
DockerSigns: DockerSigns(),
SBOMs: SBOM(),
}
}

Expand Down Expand Up @@ -214,3 +217,47 @@ func DockerManifest(imagePrefixes []string, dist string) (manifests []config.Doc
func imageName(dist string) string {
return strings.Replace(dist, "otelcol", "opentelemetry-collector", 1)
}

func Sign() []config.Sign {
return []config.Sign{
{
Artifacts: "all",
Signature: "${artifact}.sig",
Certificate: "${artifact}.pem",
Cmd: "cosign",
Args: []string{
"sign-blob",
"--output-signature",
"${artifact}.sig",
"--output-certificate",
"${artifact}.pem",
"${artifact}",
},
},
}
}

func DockerSigns() []config.Sign {
return []config.Sign{
{
Artifacts: "all",
Args: []string{
"sign",
"${artifact}",
},
},
}
}

func SBOM() []config.SBOM {
return []config.SBOM{
{
ID: "archive",
Artifacts: "archive",
},
{
ID: "package",
Artifacts: "package",
},
}
}
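Review bot: `Sign`, `DockerSigns` and `SBOM` are exported without doc comments, and nothing in the new code records how the signatures are meant to be verified. A comment such as `// Sign configures keyless cosign sign-blob for every release artifact, writing ${artifact}.sig and ${artifact}.pem beside it.` would help, with matching one-liners on the other two. `DockerSigns` also omits `Cmd` while `Sign` sets `Cmd: "cosign"`, so adding `Cmd: "cosign",` there would make the image-signing command explicit rather than presumably relying on GoReleaser's default. Because `Env` sets `COSIGN_EXPERIMENTAL=true`, the `.pem` is a short-lived certificate, and the comment should state which certificate identity and OIDC issuer consumers are expected to pin when verifying.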
