
Signing artifacts and updated release notes to have steps to be followed for installation and verification #518

Merged (1 commit), Jan 25, 2024

Conversation

@kumaritanushree (Contributor) commented Jan 25, 2024

With this change release notes will look like:

✨ What's new

New Contributors

Installation and signature verification

Verify checksums file signature

Install cosign on your system https://docs.sigstore.dev/system_config/installation/

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

# Download the checksums file, certificate, and signature
curl -LO https://github.com/kumaritanushree/secretgen-controller/releases/download/v0.0.15/checksums.txt
curl -LO https://github.com/kumaritanushree/secretgen-controller/releases/download/v0.0.15/checksums.txt.pem
curl -LO https://github.com/kumaritanushree/secretgen-controller/releases/download/v0.0.15/checksums.txt.sig

# Verify the checksums file (the identity regexp is the GitHub owner that ran the signing workflow)
cosign verify-blob checksums.txt --certificate checksums.txt.pem --signature checksums.txt.sig --certificate-identity-regexp=https://github.com/kumaritanushree --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Installation of secretgen-controller

secretgen-controller can be installed by using kapp

kapp deploy -a kc -f https://github.com/kumaritanushree/secretgen-controller/releases/download/v0.0.15/release.yml

or by using kubectl

kubectl apply -f https://github.com/kumaritanushree/secretgen-controller/releases/download/v0.0.15/release.yml

Container Images

secretgen-controller and secretgen-controller-package-bundle images are available in GitHub Container Registry.

OCI Image URLs

  • ghcr.io/kumaritanushree/secretgen-controller@sha256:70a103b38704d50f1dae1d7b63a2e0cd49b8e4a639de4e283414f2a6c6a1da8d
  • ghcr.io/kumaritanushree/secretgen-controller-package-bundle@sha256:de320920cc33a56620bfb7a54e49da169037f7aa9c5d6538edce3b0d3b242231

Verify container image signature

The container images are signed using Cosign with GitHub OIDC. To validate the signature of OCI images, run the following commands:

# Verifying secretgen-controller image
cosign verify ghcr.io/kumaritanushree/secretgen-controller@sha256:70a103b38704d50f1dae1d7b63a2e0cd49b8e4a639de4e283414f2a6c6a1da8d --certificate-identity-regexp=https://github.com/kumaritanushree --certificate-oidc-issuer=https://token.actions.githubusercontent.com -o text

# Verifying secretgen-controller-package-bundle image
cosign verify ghcr.io/kumaritanushree/secretgen-controller-package-bundle@sha256:de320920cc33a56620bfb7a54e49da169037f7aa9c5d6538edce3b0d3b242231 --certificate-identity-regexp=https://github.com/kumaritanushree --certificate-oidc-issuer=https://token.actions.githubusercontent.com -o text

Full Changelog: kumaritanushree/secretgen-controller@v0.0.13...v0.0.15

📂 Files Checksum

9228b98307ed972515110a14219a183930e35edb992298b23885b17b47bcd1cb  ./release.yml
ba288be541519d6b6f38ad7b5a9e8d958216fe8c6e5fdf638d5849a6ede56b11  ./package.yml
8f185deaa02964663bc3cedcb7c0af46151676e7c2abc2b69ff04178f87f28fe  ./package-metadata.yml
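The notes above verify the signature on checksums.txt but stop there; the artifact that actually gets installed (release.yml) should also be checked against that signed file before kapp or kubectl touches the cluster. The following is an added example, not code from this PR or from the secretgen-controller project: it wraps the `cosign verify-blob` call from the notes (same identity and issuer flags) and then checks downloaded artifacts against the `<sha256>  ./<file>` lines of the Files Checksum section, treating a file absent from the signed list as a failure rather than a pass. The directory layout and the helper names are assumptions.

```python
import hashlib
import hmac
import subprocess
from pathlib import Path

# Values taken from the release-notes template above (fork owner, GitHub Actions OIDC issuer).
IDENTITY_REGEXP = "https://github.com/kumaritanushree"
OIDC_ISSUER = "https://token.actions.githubusercontent.com"


def cosign_verify_blob(blob: Path, cert: Path, sig: Path) -> None:
    """Step 1: verify the Sigstore signature on checksums.txt (raises CalledProcessError if cosign rejects it)."""
    subprocess.run(
        ["cosign", "verify-blob", str(blob), "--certificate", str(cert), "--signature", str(sig),
         f"--certificate-identity-regexp={IDENTITY_REGEXP}", f"--certificate-oidc-issuer={OIDC_ISSUER}"],
        check=True,
    )


def parse_checksums(text: str) -> dict[str, str]:
    """Parse '<sha256>  ./<file>' lines, the format of the Files Checksum section."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, name = line.split(maxsplit=1)
        expected[name.strip().removeprefix("./")] = digest.lower()
    return expected


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(expected: dict[str, str], name: str, data: bytes) -> bool:
    """Step 2: compare one artifact to the signed list; an unlisted artifact is an error, not a pass."""
    if name not in expected:
        raise ValueError(f"{name} is not listed in the signed checksums file")
    return hmac.compare_digest(sha256_hex(data), expected[name])


def verify_release_dir(artifact_dir: Path, required: list[str]) -> dict[str, bool]:
    """Check every required artifact in artifact_dir against the already signature-verified checksums.txt."""
    expected = parse_checksums((artifact_dir / "checksums.txt").read_text())
    return {name: verify_artifact(expected, name, (artifact_dir / name).read_bytes()) for name in required}


if __name__ == "__main__":
    d = Path(".")  # assumed: directory holding the files fetched with the curl commands above
    cosign_verify_blob(d / "checksums.txt", d / "checksums.txt.pem", d / "checksums.txt.sig")
    print(verify_release_dir(d, ["release.yml"]))  # run kapp/kubectl only if every value is True
```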

- name: Updating release notes
  run: |
    RELEASE_TAG=$(git describe --tags --abbrev=0)
    KAPP_CONTROLLER_IMAGE=$(yq e '.spec.template.spec.containers[] | select(.name == "secretgen-controller") | .image' release/release.yml)
Contributor (reviewer) commented:

The variables referred to in this job are still referring to Kapp controller.

@kumaritanushree (Contributor, Author) replied:

fixed

…wed for installation and verification

Signed-off-by: kumari tanushree <ktanushree@vmware.com>
@rcmadhankumar (Contributor) commented:

LGTM!

@praveenrewar (Member) left a comment:

LGTM!

@kumaritanushree kumaritanushree merged commit 9c962cd into develop Jan 25, 2024
5 checks passed
@praveenrewar praveenrewar deleted the sign-artifacts branch March 13, 2024 14:28