diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3107374d6..8e7ccfbab 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,6 +10,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: write + id-token: write steps: - name: Checkout uses: actions/checkout@v2 @@ -19,7 +20,8 @@ jobs: uses: actions/setup-go@v3 with: go-version: 1.21.3 - + - name: Set up Cosign + uses: sigstore/cosign-installer@v3 - name: Retrieve version run: | echo "TAG_NAME=$(echo ${{ github.ref }} | grep -Eo 'v[0-9].*')" >> $GITHUB_OUTPUT @@ -87,7 +89,14 @@ jobs: ${checksums['imgpkg-linux-amd64']} ./imgpkg-linux-amd64 ${checksums['imgpkg-linux-arm64']} ./imgpkg-linux-arm64 ${checksums['imgpkg-windows-amd64.exe']} ./imgpkg-windows-amd64.exe` - + - name: Verify checksums signature + run: | + cosign verify-blob \ + --cert dist/checksums.txt.pem \ + --signature dist/checksums.txt.sig \ + --certificate-identity-regexp=https://github.com/carvel-dev \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + dist/checksums.txt - name: verify uploaded artifacts if: startsWith(github.ref, 'refs/tags/') && ${{ !env.ACT }} env: diff --git a/.goreleaser.yml b/.goreleaser.yml index e6e3db9f5..07c68dccf 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -34,6 +34,17 @@ checksum: name_template: 'checksums.txt' algorithm: sha256 disable: false +signs: + - artifacts: checksum + certificate: '${artifact}.pem' + cmd: cosign + args: + - sign-blob + - "--yes" + - '--output-certificate=${certificate}' + - '--output-signature=${signature}' + - '${artifact}' + output: true snapshot: name_template: "{{ .Tag }}-next" release: @@ -58,6 +69,63 @@ release: # Defaults to false. disable: false + header: | +
+ +

Installation and signature verification

 + + ### Installation + + #### By downloading binary from the release + + For instance, if you are using Linux on an AMD64 architecture: + ```shell + # Download the binary + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-linux-amd64 + + # Move the binary in to your PATH + mv imgpkg-linux-amd64 /usr/local/bin/imgpkg + + # Make the binary executable + chmod +x /usr/local/bin/imgpkg + ``` + + #### Via Homebrew (macOS or Linux) + ```shell + $ brew tap carvel-dev/carvel + $ brew install imgpkg + $ imgpkg version + ``` + + ### Verify checksums file signature + + Install cosign on your system https://docs.sigstore.dev/system_config/installation/ + + The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of this file, run the following commands: + + ```shell + # Download the checksums file, certificate and signature + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt.pem + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt.sig + + # Verify the checksums file + cosign verify-blob checksums.txt \ + --certificate checksums.txt.pem \ + --signature checksums.txt.sig \ + --certificate-identity-regexp=https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }} \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com + ``` + + ### Verify binary integrity + + To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature. + ```shell + # Verify the binary using the checksums file + sha256sum -c checksums.txt --ignore-missing + ``` +
+ changelog: # Set it to true if you wish to skip the changelog generation. # This may result in an empty release notes on GitHub/GitLab/Gitea.