
Sign checksum with cosign #897

Merged: 1 commit merged into nginxinc:main from chore/sign-artifacts, Jul 24, 2023

Conversation

@lucacome (Member) commented Jul 22, 2023

Proposed changes

Problem: Artifacts are not signed and it's not possible to prove they've not been tampered with.

Solution: Add config to sign artifacts. Since the checksum contains the SHAs of the artifacts, signing the checksums is enough to ensure that the artifacts were not modified.

GoReleaser uses cosign to sign the artifact and uploads .sig and .pem to the release.

Closes #895

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Adds config to sign artifacts. Since the checksum contains the SHAs of
the artifacts, signing the checksums is enough to ensure that the artifacts
were not modified.

GoReleaser uses cosign to sign the artifact and uploads .sig and .pem to
the release.
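Verifying such a release on the consumer side, as an added example that is not part of this PR or the project's code: the script first verifies the cosign signature over the checksum file, and only then trusts the SHA-256 values in it to check the downloaded artifacts. It assumes cosign 2.x keyless signing, asset names checksums.txt, checksums.txt.sig and checksums.txt.pem, and a GitHub Actions signer; the certificate identity regexp and OIDC issuer are placeholders to adjust for the project being verified.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR: verify a release whose checksums.txt
# was signed keylessly by cosign (as GoReleaser does), then check downloaded
# artifacts against the now-trusted checksum list.
# Assumptions: assets are named checksums.txt, checksums.txt.sig and
# checksums.txt.pem; the signer is a GitHub Actions workflow, so the expected
# certificate identity/issuer below are placeholders to adjust per project.
set -euo pipefail

CERT_IDENTITY_RE='^https://github\.com/nginxinc/[^/]+/\.github/workflows/.*@refs/tags/v.*$'
OIDC_ISSUER='https://token.actions.githubusercontent.com'

# Step 1 (needs cosign 2.x and access to Sigstore): succeed only if the
# signature over the checksum file verifies AND the Fulcio certificate was
# issued to the expected workflow; without the identity flags any
# Sigstore-signed file would pass, which defeats the purpose.
verify_checksum_signature() {
  local checksums=$1
  cosign verify-blob \
    --certificate "${checksums}.pem" \
    --signature "${checksums}.sig" \
    --certificate-identity-regexp "$CERT_IDENTITY_RE" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    "$checksums"
}

# Step 2: every artifact present in the current directory must match the
# SHA-256 recorded for it. Artifacts not downloaded are skipped, but at least
# one must match so that an empty or unrelated list cannot pass.
verify_artifacts() {
  local checksums=$1 expected name actual matched=0
  while read -r expected name; do
    [ -n "$expected" ] || continue          # skip blank lines
    name=${name#\*}                         # drop binary-mode marker if present
    [ -f "$name" ] || continue              # artifact not downloaded
    actual=$(sha256sum "$name" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
      printf 'MISMATCH: %s\n' "$name" >&2
      return 1
    fi
    matched=$((matched + 1))
  done < "$checksums"
  [ "$matched" -gt 0 ]
}

# Only trust the checksum list after its signature has been verified.
verify_release() {
  verify_checksum_signature "$1" && verify_artifacts "$1"
}
[ $# -eq 0 ] || verify_release "$1"
```

Run it from the directory holding the downloaded assets as `./verify.sh checksums.txt`; the signature step needs network access to Sigstore, the checksum step does not.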
@lucacome lucacome requested a review from a team as a code owner July 22, 2023 01:06
@lucacome lucacome self-assigned this Jul 22, 2023
@github-actions github-actions bot added the chore Pull requests for routine tasks label Jul 22, 2023
@lucacome lucacome merged commit fcf9764 into nginxinc:main Jul 24, 2023
17 checks passed
@lucacome lucacome deleted the chore/sign-artifacts branch July 24, 2023 16:52