Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sign release artifacts using cosign #887

Merged
merged 1 commit into from
Jan 18, 2024
Merged

sign release artifacts using cosign #887

merged 1 commit into from
Jan 18, 2024

Conversation

prashantrewar
Copy link
Contributor

Fixes #873

@prashantrewar prashantrewar marked this pull request as ready for review January 4, 2024 12:34
@kumaritanushree
Copy link
Contributor

LGTM

@praveenrewar praveenrewar merged commit a9ee6fa into carvel-dev:develop Jan 18, 2024
5 checks passed
@prashantrewar prashantrewar deleted the sign-artifacts branch January 18, 2024 08:25
renovate bot referenced this pull request in mykso/myks Jan 21, 2024
@renovate @Zebradil
chore(deps): update dependency carvel-dev/ytt to v0.47.0 (#223)
aa18392 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [carvel-dev/ytt](https://togithub.com/carvel-dev/ytt) | minor |
`v0.46.3` -> `v0.47.0` |

---

### Release Notes

<details>
<summary>carvel-dev/ytt (carvel-dev/ytt)</summary>

###
[`v0.47.0`](https://togithub.com/carvel-dev/ytt/releases/tag/v0.47.0)

[Compare
Source](https://togithub.com/carvel-dev/ytt/compare/v0.46.3...v0.47.0)

<details>

<summary><h2>Installation and signature verification</h2></summary>

##### Installation
##### By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

```shell

### Download the binary
curl -LO https://github.com/carvel-dev/ytt/releases/download/v0.47.0/ytt-linux-amd64

### Move the binary in to your PATH
mv kapp-linux-amd64 /usr/local/bin/ytt

### Make the binary executable
chmod +x /usr/local/bin/ytt
```

##### Via Homebrew (macOS or Linux)

```shell
$ brew tap carvel-dev/carvel
$ brew install ytt
$ ytt version  
```

##### Verify checksums file signature

The checksums file provided within the artifacts attached to this
release is signed using
[Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub
OIDC(Refer [this](https://docs.sigstore.dev/system_config/installation/)
page for cosign installation). To validate the signature of this file,
run the following commands:

```shell

### Download the checksums file, certificate and signature
curl -LO https://github.com/carvel-dev/ytt/releases/download/v0.47.0/checksums.txt
curl -LO https://github.com/carvel-dev/ytt/releases/download/v0.47.0/checksums.txt.pem
curl -LO https://github.com/carvel-dev/ytt/releases/download/v0.47.0/checksums.txt.sig

### Verify the checksums file
cosign verify-blob checksums.txt \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp=https://github.com/carvel-dev \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com
```

##### Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the
checksums file after having validated its signature.

```shell

### Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing
```

</details>

#### What's Changed
* sign release artifacts using cosign by
@&#8203;prashantrew[https://github.com/carvel-dev/ytt/pull/887](https://togithub.com/carvel-dev/ytt/pull/887)ll/887
* Bump go version to 1.21.6 by
@&#8203;sethiya[https://github.com/carvel-dev/ytt/pull/888](https://togithub.com/carvel-dev/ytt/pull/888)ll/888

#### New Contributors
* @&#8203;prashantrewar made their first
contributi[https://github.com/carvel-dev/ytt/pull/887](https://togithub.com/carvel-dev/ytt/pull/887)ll/887

**Full Changelog**:
carvel-dev/ytt@v0.46.0...v0.47.0

### 📂 Files Checksum

4c37056702d842570b0bce2f461f494902a2fbd8d83ef1ded224d0def1f04ccb
./ytt-windows-arm64.exe
67b7cb20273cb00d36bda38888277c1b0e74992a422c771d28e7a9c2045da798
./ytt-windows-amd64.exe
700dbb362a73950d779cf298ba191de2a35394fa68bf19e74add5e7384b2875a
./ytt-darwin-amd64
aec0bf2b5ca7dc98dd04444135738d0a1add18fcc1294c258eb8f1061b3eb9ec
./ytt-darwin-arm64
de2dd0a659fd12b2d80e00fa2a4a9316db67e0372e79c3bf48586ea53201180e
./ytt-linux-amd64
f12dc884af6be46a56c4233cbe456e90d8082d4699c0412d4adfaaae68712f4d
./ytt-linux-arm64

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log [here](https://developer.mend.io/github/mykso/myks).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMzUuMCIsInVwZGF0ZWRJblZlciI6IjM3LjEzNS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: German Lashevich <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@praveenrewar praveenrewar praveenrewar approved these changes

Assignees
No one assigned
Labels
None yet
Projects
Carvel
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Sign ytt binaries while releasing them
3 participants
@prashantrewar @kumaritanushree @praveenrewar