Add cosign signing on build #816

Merged
merged 1 commit into from
Oct 27, 2021

@Itxaka Itxaka commented Oct 26, 2021

Signed-off-by: Itxaka [email protected]

@Itxaka Itxaka requested a review from mudler October 26, 2021 11:51

Itxaka commented Oct 26, 2021

blocked by #817 as we need cosign and luet-cosign as deps

Itxaka commented Oct 27, 2021

Keyless signing test: https://github.com/Itxaka/test-oidc-signing/runs/4019264117?check_suite_focus=true

pushed signature can be verified with COSIGN_EXPERIMENTAL=1 cosign verify itxaka/test:latest

Pretty straightforward

@Itxaka Itxaka marked this pull request as ready for review October 27, 2021 09:18

Itxaka commented Oct 27, 2021

Ready for review @mudler

After the test with github keyless and the manual test with keys, this should be good to go for the part of signing the images during build.

NOTE: This currently pushes the signatures to the old dockerhub repo raccos/releases-flavor which we should create beforehand (old repos used the distro names, while we use the flavors). @mudler could you create the required repos (raccos/releases-{green,blue,orange}) ?

mudler commented Oct 27, 2021

> Ready for review @mudler
>
> After the test with github keyless and the manual test with keys, this should be good to go for the part of signing the images during build.
>
> NOTE: This currently pushes the signatures to the old dockerhub repo raccos/releases-flavor which we should create beforehand (old repos used the distro names, while we use the flavors). @mudler could you create the required repos (raccos/releases-{green,blue,orange}) ?

@Itxaka Do we need each repo for each arch?

@mudler mudler left a comment

Beautiful integration 💯

Itxaka commented Oct 27, 2021

> @Itxaka Do we need each repo for each arch?

@mudler not really, but it's mainly to keep with the current status of separating artifacts per repo, I dunno. Can be changed, but it should be done now. Do you prefer just one repo? raccos/release-signatures or something similar?

@Itxaka Itxaka merged commit d66f3b7 into rancher:master Oct 27, 2021
@Itxaka Itxaka mentioned this pull request Oct 27, 2021