fix: image signing

Signed-off-by: Bence Csati <[email protected]>
csatib02 · Sep 2, 2024 · e7d4e8d · e7d4e8d
1 parent 4d42671
commit e7d4e8d
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 30 deletions.
diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
@@ -74,18 +74,19 @@ jobs:
           cache-to: type=gha,mode=max
           outputs: type=image, push=true
 
-      - name: Sign image with GitHub OIDC Token
+      - name: Sign image with a key
         if: ${{ inputs.publish && github.repository_owner == 'csatib02' }}
         env:
           DIGEST: ${{ inputs.publish && steps.build.outputs.digest }}
           TAGS: ${{ steps.meta.outputs.tags }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
         run: |
           images=""
           for tag in ${TAGS}; do
             images+="${tag}@${DIGEST} "
           done
-          
-          cosign sign --yes ${images}
+          cosign sign --yes --key ${COSIGN_KEY} ${images}
       
       - name: Upload image artifact
         uses: actions/upload-artifact@v4
@@ -120,7 +121,7 @@ jobs:
         with:
           distribution: goreleaser
           version: '~> v2'
-          args: goreleaser release
+          args: release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

diff --git a/.gitignore b/.gitignore
@@ -1,29 +1,5 @@
-# If you prefer the allow list template instead of the deny list, see community template:
-# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
-#
-# Binaries for programs and plugins
-*.exe
-*.exe~
-*.dll
-*.so
-*.dylib
-
-# Test binary, built with `go test -c`
-*.test
-
-# Output of the go coverage tool, specifically when used with LiteIDE
-*.out
-
-# Dependency directories (remove the comment below to include it)
-# vendor/
-
-# Go workspace file
-go.work
-go.work.sum
-
-# env file
-.env
-
 /bin/
 /build/
 .envrc
+coverage.out
+coverage.html
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,27 @@
+# Security
+
+## Verifying container images
+
+To verify KPA container-images you can use the following public key:
+
+```key
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEk3vpOBc1zsCdQ+vU56tETv64F5RW
+ISazzb8sOyUqrkKV/JRe7Xb0OnaqGY7KopsIIxbrX+CbyCdQDtN73qf5EA==
+-----END PUBLIC KEY-----
+```
+
+Save the key to a file:
+
+```bash
+echo '-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEk3vpOBc1zsCdQ+vU56tETv64F5RW
+ISazzb8sOyUqrkKV/JRe7Xb0OnaqGY7KopsIIxbrX+CbyCdQDtN73qf5EA==
+-----END PUBLIC KEY-----' > cosign.pub
+```
+
+Verify an image:
+
+```bash
+cosign verify --key cosign.pub <image url>
+```