diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 607bee50..60630340 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,6 +11,7 @@ jobs: # Set permissions of github token. See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions permissions: contents: write + id-token: write steps: - name: Checkout uses: actions/checkout@v2 @@ -21,6 +22,10 @@ jobs: uses: actions/setup-go@v3 with: go-version: 1.21.3 + + - name: Set up Cosign + uses: sigstore/cosign-installer@v3 + - name: Retrieve version run: | echo "TAG_NAME=$(echo ${{ github.ref }} | grep -Eo 'v[0-9].*')" >> $GITHUB_OUTPUT @@ -89,6 +94,14 @@ jobs: ${checksums['kbld-linux-arm64']} ./kbld-linux-arm64 ${checksums['kbld-windows-amd64.exe']} ./kbld-windows-amd64.exe ${checksums['kbld-windows-arm64.exe']} ./kbld-windows-arm64.exe` + + - name: Verify checksums signature + run: | + cosign verify-blob \ + --cert dist/checksums.txt.pem \ + --signature dist/checksums.txt.sig \ + --certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com ./dist/checksums.txt - name: verify uploaded artifacts if: startsWith(github.ref, 'refs/tags/') diff --git a/.goreleaser.yml b/.goreleaser.yml index 9fa1e1fe..5bec862e 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -31,6 +31,17 @@ checksum: name_template: 'checksums.txt' algorithm: sha256 disable: false +signs: + - artifacts: checksum + certificate: '${artifact}.pem' + cmd: cosign + args: + - sign-blob + - "--yes" + - '--output-certificate=${certificate}' + - '--output-signature=${signature}' + - '${artifact}' + output: true snapshot: name_template: "{{ .Tag }}-next" release: @@ -55,6 +66,61 @@ release: # Defaults to false. disable: false + header: | +
+ +

Installation and signature verification

+ + ### Installation + + #### By downloading binary from the release + + For instance, if you are using Linux on an AMD64 architecture: + ```shell + # Download the binary + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-linux-amd64 + + # Move the binary in to your PATH + mv kapp-linux-amd64 /usr/local/bin/kbld + + # Make the binary executable + chmod +x /usr/local/bin/kbld + ``` + + #### Via Homebrew (macOS or Linux) + ```shell + $ brew tap carvel-dev/carvel + $ brew install kbld + $ kbld version + ``` + + ### Verify checksums file signature + + The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC(Refer [this](https://docs.sigstore.dev/system_config/installation/) page for cosign installation). To validate the signature of this file, run the following commands: + + ```shell + # Download the checksums file, certificate and signature + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt.pem + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt.sig + + # Verify the checksums file + cosign verify-blob checksums.txt \ + --certificate checksums.txt.pem \ + --signature checksums.txt.sig \ + --certificate-identity-regexp=https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }} \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com + ``` + + ### Verify binary integrity + + To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature. + ```shell + # Verify the binary using the checksums file + sha256sum -c checksums.txt --ignore-missing + ``` +
+ changelog: # Set it to true if you wish to skip the changelog generation. # This may result in an empty release notes on GitHub/GitLab/Gitea.