Skip to content

feat: sign release artifacts with cosign #5793

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: sign release artifacts with cosign #5793

wants to merge 1 commit into from

Conversation

scop
Copy link
Contributor

@scop scop commented May 11, 2025
edited by ldez
Loading

Sample results in my fork (do not mind the changelog, scroll down to assets): https://github.com/scop/golangci-lint/releases/tag/v0.0.0

Fixes #2462

@scop scop mentioned this pull request May 11, 2025
Closed
scop
scop commented May 11, 2025
View reviewed changes
.goreleaser.yml
@@ -87,6 +87,16 @@ release:

For key updates, see the [changelog](https://golangci-lint.run/product/changelog/#{{ .Major }}{{ .Minor }}{{ .Patch }}).

signs:
Copy link
Contributor Author

@scop scop May 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Non-CI goreleaser release runs should likely be done with --skip sign in order to not break after we add this.

scop
scop commented May 11, 2025
View reviewed changes
.goreleaser.yml
@@ -87,6 +87,16 @@ release:

For key updates, see the [changelog](https://golangci-lint.run/product/changelog/#{{ .Major }}{{ .Minor }}{{ .Patch }}).

signs:
- signature: ${artifact}.cosign.bundle
cmd: cosign
Copy link
Contributor Author

@scop scop May 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess some docs how to verify downloads with cosign would not hurt. But we don't have any for verifying the sha256sums either, so not sure. #5806 contains changes for verifying in the installer script.

@scop scop mentioned this pull request May 11, 2025
Open
@scop scop force-pushed the feat/cosign-artifacts branch from 12b2fc0 to 6898794 Compare May 11, 2025 13:37
@ldez ldez self-requested a review May 11, 2025 15:40
@ldez ldez added area: install Issue relates to installation or downloading process area: ci PR that update CI labels May 11, 2025
@scop scop mentioned this pull request May 15, 2025
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ldez ldez Awaiting requested review from ldez

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
area: ci PR that update CI area: install Issue relates to installation or downloading process
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Sign the artifacts (binaries/images) using cosign
2 participants
@scop @ldez