Closed
Description
- Use Cosign Keyless Signing via GitHub OIDC for all Docker images. Add the following steps to the workflows.

  ```yaml
  - name: Install Cosign
    uses: sigstore/[email protected]
  - name: Sign image with Cosign (keyless)
    run: cosign sign --keyless ghcr.io/${{ github.repository }}
  ```

  Images should then be verifiable using

  ```
  cosign verify --keyless ghcr.io/owner/repo:tag
  ```

- Use a similar approach to sign other assets (deb, rpm).

  ```yaml
  - name: Sign release files with Cosign (keyless)
    run: cosign sign-blob --yes --keyless "defguard-1.5.0-alpha1-x86_64-unknown-linux-gnu.deb" --output-signature "defguard-1.5.0-alpha1-x86_64-unknown-linux-gnu.deb.sig" --output-certificate "defguard-1.5.0-alpha1-x86_64-unknown-linux-gnu.deb.pem"
  ```
teon
Status
Ready to release
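A consumer-side verification sketch for the signatures proposed above, added here as an example and not taken from the issue or the project. It assumes cosign 2.x, where verifying a keyless signature requires pinning the signer identity and the OIDC issuer; the owner and repository names are placeholders, and the helper function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not project code): verify keyless Cosign signatures that were
# produced by a GitHub Actions workflow. OWNER/REPO values are placeholders.

COSIGN="${COSIGN:-cosign}"   # overridable so the command line can be inspected
GITHUB_OIDC_ISSUER="https://token.actions.githubusercontent.com"

# Build an anchored regexp for the certificate identity of any workflow in
# OWNER/REPO. Dots in the slug are escaped because they are regexp wildcards;
# the ^...$ anchors stop a longer look-alike identity from matching.
workflow_identity_regexp() {
  local slug
  slug=$(printf '%s' "$1/$2" | sed 's/\./\\./g')
  printf '^https://github\\.com/%s/\\.github/workflows/.+@refs/.+$' "$slug"
}

# usage: verify_image OWNER REPO IMAGE_REF
verify_image() {
  "$COSIGN" verify \
    --certificate-identity-regexp "$(workflow_identity_regexp "$1" "$2")" \
    --certificate-oidc-issuer "$GITHUB_OIDC_ISSUER" \
    "$3"
}

# usage: verify_blob OWNER REPO FILE
# Expects FILE.sig and FILE.pem beside FILE, matching the --output-signature
# and --output-certificate names used in the signing step.
verify_blob() {
  local f="$3" ext
  for ext in sig pem; do
    # Fail closed before calling cosign if a companion file is missing or empty.
    [ -s "$f.$ext" ] || { echo "missing or empty: $f.$ext" >&2; return 2; }
  done
  "$COSIGN" verify-blob \
    --signature "$f.sig" \
    --certificate "$f.pem" \
    --certificate-identity-regexp "$(workflow_identity_regexp "$1" "$2")" \
    --certificate-oidc-issuer "$GITHUB_OIDC_ISSUER" \
    "$f"
}
```

Tightening the regexp to a single workflow file and a tag ref narrows trust further, since any workflow in the repository can otherwise mint a matching certificate.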