chore: sign binary releases

Signed-off-by: Matthias Riegler <matthias.riegler@ankorstore.com>
2026-04-21 17:45:43 +02:00 · 2023-10-02 23:57:55 +02:00
parent b1e8a88210
commit 0064ed77d7
1 changed files with 14 additions and 0 deletions
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -37,6 +37,7 @@ dockers:
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--platform=linux/arm64"
+
 # Sign docker-image with cosign (keyless)
 docker_signs:
  - id: oci-bundle-sign
@@ -50,6 +51,19 @@ docker_signs:
    ids:
    - oci-bundle

+# Sign everything else
+signs:
+   - cmd: cosign
+     signature: "${artifact}.sig"
+     certificate: "${artifact}.pem"
+     args:
+     - sign-blob
+     - --oidc-issuer=https://token.actions.githubusercontent.com
+     - "--output-certificate=${certificate}"
+     - "--output-signature=${signature}"
+     - "${artifact}"
+     artifacts: all
+
 # Regular OS packages (for now only systemd based OSes)
 nfpms:
 - id: computeblade-agent