diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 86cc3112..d29c7644 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,6 +11,7 @@ jobs: # Set permissions of github token. See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions permissions: contents: write + id-token: write steps: - name: Checkout uses: actions/checkout@v2 @@ -21,6 +22,9 @@ jobs: uses: actions/setup-go@v3 with: go-version: "1.21.3" + + - name: Set up Cosign + uses: sigstore/cosign-installer@v3 - name: Retrieve version run: | @@ -89,6 +93,14 @@ jobs: ${checksums['ytt-linux-amd64']} ./ytt-linux-amd64 ${checksums['ytt-linux-arm64']} ./ytt-linux-arm64 ${checksums['ytt-windows-amd64.exe']} ./ytt-windows-amd64.exe` + + - name: Verify checksums signature + run: | + cosign verify-blob \ + --cert dist/checksums.txt.pem \ + --signature dist/checksums.txt.sig \ + --certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com ./dist/checksums.txt - name: verify uploaded artifacts if: startsWith(github.ref, 'refs/tags/') diff --git a/.goreleaser.yml b/.goreleaser.yml index 8b479e14..eb84882f 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -34,6 +34,17 @@ checksum: name_template: 'checksums.txt' algorithm: sha256 disable: false +signs: + - artifacts: checksum + certificate: '${artifact}.pem' + cmd: cosign + args: + - sign-blob + - "--yes" + - '--output-certificate=${certificate}' + - '--output-signature=${signature}' + - '${artifact}' + output: true snapshot: name_template: "{{ .Tag }}-next" release: @@ -58,6 +69,61 @@ release: # Defaults to false. disable: false + header: | +
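Review bot: `uses: sigstore/cosign-installer@v3` in the new "Set up Cosign" step references a mutable major tag, and this is the action that fetches the cosign binary which later produces the release's checksums signature, so whatever the tag points to at run time becomes the signer. Pinning to a full commit SHA with the version as a trailing comment, `uses: sigstore/cosign-installer@<commit-sha of the chosen v3 release> # v3`, removes the mutable reference while keeping the version readable in review. The neighbouring `actions/checkout@v2` and `actions/setup-go@v3` context lines use the same tag style, so this is a departure from the file's convention, but the signing tool is the step where an immutable reference matters most.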
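Review bot: `--certificate-identity-regexp=https://github.com/${{ github.repository_owner }}` in the new "Verify checksums signature" step is an unanchored regular expression, so it accepts a certificate issued to any workflow in any repository under that owner, and because the match is a substring match it also accepts identities whose owner segment merely begins with the same characters. The certificate is produced by this very workflow, so the identity can be pinned exactly: `--certificate-identity=https://github.com/${{ github.repository }}/.github/workflows/release.yml@${{ github.ref }}`, or, if any tag should pass, an anchored `--certificate-identity-regexp='^https://github.com/${{ github.repository }}/\.github/workflows/release\.yml@refs/tags/'`. The same owner-only pattern is repeated in the user-facing instructions in the `.goreleaser.yml` release `header`, where `{{ .Env.GITHUB_REPOSITORY_OWNER }}` should likewise be narrowed to `https://github.com/{{ .Env.GITHUB_REPOSITORY }}/.github/workflows/release.yml@refs/tags/{{ .Tag }}`. This step also runs unconditionally while the following "verify uploaded artifacts" step is guarded by `if: startsWith(github.ref, 'refs/tags/')`; whether `dist/checksums.txt.sig` exists on non-tag runs depends on how goreleaser is invoked earlier in the job, which is outside the hunk.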
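Review bot: The new `signs` entry sets `certificate: '${artifact}.pem'` explicitly but leaves the signature file name to GoReleaser's default (`${artifact}.sig`, as far as I recall), while the workflow's verify step and the release-notes instructions both hard-code `checksums.txt.sig`; adding `signature: '${artifact}.sig'` next to `certificate:` makes that coupling visible in one place. The args list mixes quoting styles, `"--yes"` against the single-quoted template arguments; `'--yes'` keeps one style throughout the block. A short comment on that flag, `# non-interactive: accepts the Sigstore prompt so sign-blob can run in CI`, would tell the next reader why it is there.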
+ +

Installation and signature verification

+ + ### Installation + + #### By downloading binary from the release + + For instance, if you are using Linux on an AMD64 architecture: + ```shell + # Download the binary + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-linux-amd64 + + # Move the binary in to your PATH + mv kapp-linux-amd64 /usr/local/bin/ytt + + # Make the binary executable + chmod +x /usr/local/bin/ytt + ``` + + #### Via Homebrew (macOS or Linux) + ```shell + $ brew tap carvel-dev/carvel + $ brew install ytt + $ ytt version + ``` + + ### Verify checksums file signature + + The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC(Refer [this](https://docs.sigstore.dev/system_config/installation/) page for cosign installation). To validate the signature of this file, run the following commands: + + ```shell + # Download the checksums file, certificate and signature + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt.pem + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt.sig + + # Verify the checksums file + cosign verify-blob checksums.txt \ + --certificate checksums.txt.pem \ + --signature checksums.txt.sig \ + --certificate-identity-regexp=https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }} \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com + ``` + + ### Verify binary integrity + + To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature. + ```shell + # Verify the binary using the checksums file + sha256sum -c checksums.txt --ignore-missing + ``` +
+ changelog: # Set it to true if you wish to skip the changelog generation. # This may result in an empty release notes on GitHub/GitLab/Gitea.
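Review bot: The installation example in the new release `header` downloads `{{ .ProjectName }}-linux-amd64` but then runs `mv kapp-linux-amd64 /usr/local/bin/ytt`, so the file name on the `mv` line will not match the binary that was just downloaded; use the same template, `mv {{ .ProjectName }}-linux-amd64 /usr/local/bin/ytt`, or the literal `ytt-linux-amd64` that the checksums section of the page already uses. The example also renames and moves the binary before the "Verify binary integrity" section runs `sha256sum -c checksums.txt --ignore-missing`, which looks for files by the names listed in `checksums.txt` in the current directory, so a reader following the sections in order has nothing left for the checksum to match. Reordering the notes so the download, signature check and `sha256sum -c` happen before the `mv`, or stating that order explicitly at the top of the installation section, keeps the verification step meaningful. The `changelog` lines at the end of the hunk are unchanged context.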