Skip to content

[Backport release-1.32] Upload cosign transparency log and verify signatures before release #5729

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
juanluisvaladas merged 2 commits into from
Apr 7, 2025
Merged

[Backport release-1.32] Upload cosign transparency log and verify signatures before release #5729

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3b9e815
Upload cosign transparency log
Apr 4, 2025
863a333
Fix documentation for cosign verify blob
Apr 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,7 +103,7 @@ jobs:
run: |
curl $CURL_OPTS --output cosign https://github.com/sigstore/cosign/releases/download/v2.3.0/cosign-linux-amd64
chmod +x ./cosign
COSIGN_KEY="$(printf %s "$COSIGN_KEY" | base64 -d)" ./cosign sign-blob --key env://COSIGN_KEY --tlog-upload=false --output-file=k0s.sig k0s
COSIGN_KEY="$(printf %s "$COSIGN_KEY" | base64 -d)" ./cosign sign-blob --key env://COSIGN_KEY --tlog-upload -y --output-file=k0s.sig k0s
cat k0s.sig

- name: Upload Release Assets - Binary
Expand Down Expand Up @@ -195,7 +195,7 @@ jobs:
run: |
curl $CURL_OPTS --output cosign https://github.com/sigstore/cosign/releases/download/v2.3.0/cosign-linux-amd64
chmod +x ./cosign
COSIGN_KEY="$(printf %s "$COSIGN_KEY" | base64 -d)" ./cosign sign-blob --key env://COSIGN_KEY --tlog-upload=false --output-file=k0s.exe.sig k0s.exe
COSIGN_KEY="$(printf %s "$COSIGN_KEY" | base64 -d)" ./cosign sign-blob --key env://COSIGN_KEY --tlog-upload -y --output-file=k0s.exe.sig k0s.exe
cat k0s.exe.sig

- name: Clean Docker
Expand Down Expand Up @@ -263,7 +263,7 @@ jobs:
run: |
curl $CURL_OPTS --output cosign https://github.com/sigstore/cosign/releases/download/v2.3.0/cosign-linux-arm64
chmod +x ./cosign
COSIGN_KEY="$(printf %s "$COSIGN_KEY" | base64 -d)" ./cosign sign-blob --key env://COSIGN_KEY --tlog-upload=false --output-file=k0s.sig k0s
COSIGN_KEY="$(printf %s "$COSIGN_KEY" | base64 -d)" ./cosign sign-blob --key env://COSIGN_KEY --tlog-upload -y --output-file=k0s.sig k0s
cat k0s.sig

- name: Set up Go for smoke tests
Expand Down Expand Up @@ -350,7 +350,7 @@ jobs:
run: |
curl $CURL_OPTS --output cosign https://github.com/sigstore/cosign/releases/download/v2.3.0/cosign-linux-arm
chmod +x ./cosign
COSIGN_KEY="$(printf %s "$COSIGN_KEY" | base64 -d)" ./cosign sign-blob --key env://COSIGN_KEY --tlog-upload=false --output-file=k0s.sig k0s
COSIGN_KEY="$(printf %s "$COSIGN_KEY" | base64 -d)" ./cosign sign-blob --key env://COSIGN_KEY --tlog-upload -y --output-file=k0s.sig k0s
cat k0s.sig

- name: Set up Go for smoke tests
Expand Down
2 changes: 1 addition & 1 deletion docs/verifying-signs.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,5 +8,5 @@ Binaries can be verified using the `cosign` tool, for example:
cosign verify-blob \
--key https://github.com/k0sproject/k0s/releases/download/v{{{ extra.k8s_version }}}%2Bk0s.0/cosign.pub \
--signature https://github.com/k0sproject/k0s/releases/download/v{{{ extra.k8s_version }}}%2Bk0s.0/k0s-v{{{ extra.k8s_version }}}+k0s.0-amd64.sig \
--payload k0s-v{{{ extra.k8s_version }}}+k0s.0-amd64
k0s-v{{{ extra.k8s_version }}}+k0s.0-amd64
```