This repository illustrates how to use GitHub, GoReleaser and cosign to release a Go based CLI program.
This uses keyless signing of blobs to provide signatures for binaries built using GitHub Actions, with GoReleaser.
Have a look at the GitHub Actions workflow and the GoReleaser configuration.
Release with signatures screenshot below:
With the increase in Supply Chain attacks targeting third party software it is important to attest the integrity of the software you are using. Project Sigstore is a standard for signing, verifying and protecting software supply chains.
To verify the artifact, you will need to download the artifact, the signature and the certificate.
cosign verify-blob \
--certificate gh-cosign-goreleaser_0.0.1_checksums.txt.pem \
--signature gh-cosign-goreleaser_0.0.1_checksums.txt.sig \
--certificate-identity-regexp "^https://github.com/wolfeidau/gh-cosign-goreleaser/.github/workflows/releaser.yml.*" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" gh-cosign-goreleaser_0.0.1_checksums.txt
The full certificate identity is https://github.com/wolfeidau/gh-cosign-goreleaser/.github/workflows/releaser.yml@refs/tags/v0.0.1
To read the certificate we use openssl and the .pem
file uploaded with the release, which is a base64 encoded version of the certificate.
cat gh-cosign-goreleaser_0.0.1_checksums.txt.pem | base64 -d | openssl x509 -text
This application is released under Apache 2.0 license and is copyright Mark Wolfe.