feat: sign release artifacts with cosign #5793
Conversation
| For key updates, see the [changelog](https://golangci-lint.run/product/changelog/#{{ .Major }}{{ .Minor }}{{ .Patch }}). | ||
| signs: |
There was a problem hiding this comment.
Non-CI goreleaser release runs should likely be done with --skip sign in order to not break after we add this.
| signs: | ||
| - signature: ${artifact}.cosign.bundle | ||
| cmd: cosign |
There was a problem hiding this comment.
I guess some docs how to verify downloads with cosign would not hurt. But we don't have any for verifying the sha256sums either, so not sure. #5806 contains changes for verifying in the installer script.
scop
force-pushed
the
feat/cosign-artifacts
branch
from
12b2fc0 to
6898794
Compare
ldez
added
area: install
|
|
scop
force-pushed
the
feat/cosign-artifacts
branch
from
6898794 to
840da20
Compare
scop
force-pushed
the
feat/cosign-artifacts
branch
from
840da20 to
7d7647b
Compare
|
Rebased and switched to the new bundle format. |
|
I don't forget this PR, but each time I look at it, I'm stuck with the same problems/questions.
|
|
Keyless cosigning is IME the currently prominent way to do things, and goreleaser's docs as well as others out there are just lagging behind. The GitHub artifact attestations we'll hopefully have for > 2.7.2 will make this mostly redundant, so I don't intend to pursue this further. |
3 participants
Sample results in my fork (do not mind the changelog, scroll down to assets): https://github.com/scop/golangci-lint/releases/tag/v0.0.0
https://goreleaser.com/customization/binary_sign/?h=cosign#signing-with-cosign
Fixes #2462