Signing artifacts and gitlab package registry #4702

grzesuav · 2024-03-15T13:20:33Z

grzesuav
Mar 15, 2024

Hi,

I had a config which is publishing to gitlab package registry -

gitlab_urls:
  use_job_token: true
  use_package_registry: true

which is working link https://gitlab.com/metacontroller/test-sem-rel/-/packages/23684709 - however it still publish on release page, is it expected ? While reading https://goreleaser.com/scm/gitlab/#generic-package-registry I was under impression it would do that instead of using gitlab release page ?

Second question, I enabled docker_sign with ko -

docker_signs:
  - cmd: cosign
    args:
      - "sign"
      - "--upload=false"
      - "${artifact}"
      - "--yes" # needed on cosign 2.0.0+
    artifacts: all

using gitlab job id_tokens - (https://docs.gitlab.com/ee/ci/yaml/signing_examples.html#sign-or-verify-container-images-and-build-artifacts-by-using-cosign) - which works pretty neat, however while I was following docs - https://goreleaser.com/customization/docker_sign/ - (copy from docs)

# Command line arguments for the command
    #
    # Default: ["sign", "--key=cosign.key", "${artifact}@${digest}", "--yes"]
    # Templates: allowed
    args:
    - "sign"
    - "--key=cosign.key"
    - "--upload=false"
    - "${artifact}"
    - "--yes" # needed on cosign 2.0.0+

it implies that "${artifact}@${digest}" is image_name:image_digest, however when I tried that, it errored :

release failed after 1m23s               error=signing docker images: failed to publish artifacts: sign: cosign failed: exit status 1: Generating ephemeral keys...
Retrieving signed certificate...
Successfully verified SCT...
Error: signing [registry.gitlab.com/metacontroller/test-sem-rel/commanda@sha256:6ce2e017d73bf84905fc341660fdafe5531725d97012174884780d5eb63009f7@sha256:6ce2e017d73bf84905fc341660fdafe5531725d97012174884780d5eb63009f7]: parsing reference: could not parse reference: registry.gitlab.com/metacontroller/test-sem-rel/commanda@sha256:6ce2e017d73bf84905fc341660fdafe5531725d97012174884780d5eb63009f7@sha256:6ce2e017d73bf84905fc341660fdafe5531725d97012174884780d5eb63009f7

when I switched to just use ${artifact}- https://gitlab.com/metacontroller/test-sem-rel/-/blob/main/.goreleaser.yaml?ref_type=heads#L196

it started to work and resolve image+digest -

 signing docker images
      • signing                                      cmd=cosign artifact=registry.gitlab.com/metacontroller/test-sem-rel/commanda@sha256:bb41d1f8de551eeac77137a2d5e49667a01e83f8e5fff14a27e4fc477fcc400c
      • signing                                      cmd=cosign artifact=registry.gitlab.com/metacontroller/test-sem-rel/commandb@sha256:72fc7c39bbb11b60a5ca2236d85224a954083ef0bca170d213c244fa9c7c70d1
      • signing                                      cmd=cosign artifact=registry.gitlab.com/metacontroller/test-sem-rel/commanda@sha256:0914fb54cd8beb2b1d998a9df39efbe0ec25097be5fbc721e0565667dd74354c
      • signing                                      cmd=cosign artifact=registry.gitlab.com/metacontroller/test-sem-rel/commandb@sha256:28e56bba2081ba2032bdf2798719bc646f74421c5108a8d6bf1295ea38b77b16
      • took: 5s
    • scm releases

so it seems artifact already contain digest ?

Last thing, I created repo with example golang flow (with two binaries, each with binaries/packages/signing packages/docker images with two flavours, signed) - https://gitlab.com/metacontroller/test-sem-rel which is actually pretty good visualization of end 2 end flow using goreleaser, if you think is it valuable I could refactor it and move/donate/make it a pr to https://gitlab.com/goreleaser/example, what do you think ?

Answered by caarlos0

Mar 15, 2024

ah, yeah, that is a bad example indeed, will fix it

about the repo, if you wanna transfer it to the goreleaser org, I would be more than happy to accept it.

we have a bunch of different examples in the github org, but only that single, simple one, in gitlab

View full answer

caarlos0 · 2024-03-15T16:14:18Z

caarlos0
Mar 15, 2024
Maintainer

ah, yeah, that is a bad example indeed, will fix it

about the repo, if you wanna transfer it to the goreleaser org, I would be more than happy to accept it.

we have a bunch of different examples in the github org, but only that single, simple one, in gitlab

12 replies

grzesuav May 21, 2024
Author

@caarlos0 are you able to transfer the project ? Or I need to grant owner access?

caarlos0 May 23, 2024
Maintainer

hey sorry for the delay... i couldn't find the option to transfer, not sure if i'm blind or its not there...

anyway, to prevent back and forth, i cloned the repo, created another repo with the same name under goreleaser's org, changed remotes, and pushed

https://gitlab.com/goreleaser/goreleaser-example-multi-binary-multi-image

I think this should be enough?
Will also give you access to it!

thanks!

grzesuav May 23, 2024
Author

ah, that great, did not think of that ;)

will try to make some silly change and do a test release to double check it is working after moving

grzesuav May 23, 2024
Author

ah, I see you did a release and it is publishing everything, packages, container images and helm. So everything is ok

caarlos0 May 23, 2024
Maintainer

noice! thanks again for all the help!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GoReleaser

Signing artifacts and gitlab package registry #4702

{{title}}

Replies: 1 comment 12 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

GoReleaser

Signing artifacts and gitlab package registry #4702

grzesuav Mar 15, 2024

Replies: 1 comment · 12 replies

caarlos0 Mar 15, 2024 Maintainer

grzesuav May 21, 2024 Author

caarlos0 May 23, 2024 Maintainer

grzesuav May 23, 2024 Author

grzesuav May 23, 2024 Author

caarlos0 May 23, 2024 Maintainer

grzesuav
Mar 15, 2024

Replies: 1 comment 12 replies

caarlos0
Mar 15, 2024
Maintainer

grzesuav May 21, 2024
Author

caarlos0 May 23, 2024
Maintainer

grzesuav May 23, 2024
Author

grzesuav May 23, 2024
Author

caarlos0 May 23, 2024
Maintainer