
chore(release): sign checksums with cosign #7625

Open
scop wants to merge 1 commit into JanDeDobbeleer:main from scop:chore/cosign



scop commented Jul 3, 2026

Contributor

Prerequisites

  • I have read and understood the contributing guide.
  • The commit message follows the conventional commits guidelines.
  • Tests for the changes have been added (for bug fixes / features).
  • Docs have been added/updated (for bug fixes / features).

Description

Refs

This yields a checksums.txt.sigstore.json in release assets, which can be used to verify the checksums file and thus transitively files listed in it. This can be done manually using cosign, and software such as aqua and mise can do it automatically on install.

Note: with this, one likely wants to use --skip=sign if running goreleaser release --snapshot to test (other) things locally.

Caveat: untested, but have set this up for multiple projects previously, could work.
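
The manual, transitive verification the description mentions could look like the following. This is an added example, not part of the pull request or the project's own code. The function names are hypothetical, and the signer identity regexp and OIDC issuer passed to cosign are assumptions that depend on how the release workflow signs.

```shell
#!/bin/sh
# Added example: verify a release asset through the signed checksums file.
# Function names and the identity/issuer arguments are assumptions, not from the PR.

# Step 1: check the Sigstore bundle over checksums.txt (needs cosign and network).
# $1 = checksums.txt, $2 = checksums.txt.sigstore.json,
# $3 = expected signer identity regexp, $4 = expected OIDC issuer.
verify_checksums_signature() {
    # cosign 2.x may also need --new-bundle-format for *.sigstore.json bundles.
    cosign verify-blob \
        --bundle "$2" \
        --certificate-identity-regexp "$3" \
        --certificate-oidc-issuer "$4" \
        "$1"
}

# Step 2: check one downloaded asset against the (now trusted) checksums file.
# $1 = checksums.txt, $2 = path to asset. Fails closed if the asset is unlisted.
verify_listed_file() {
    name=$(basename "$2")
    # Lines look like "<sha256 hex>  <filename>"; match the name exactly.
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$1")
    [ -n "$expected" ] || { echo "not listed in checksums: $name" >&2; return 2; }
    actual=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || { echo "checksum mismatch: $name" >&2; return 1; }
}

# Both steps in order: the asset hash is only consulted once the signature
# over checksums.txt has verified.
# $1 = checksums.txt, $2 = bundle, $3 = asset, $4 = identity regexp, $5 = issuer.
verify_release_asset() {
    verify_checksums_signature "$1" "$2" "$4" "$5" && verify_listed_file "$1" "$3"
}
```

Skipping step 1 and running only the hash comparison proves nothing about origin, since anyone able to replace an asset can usually replace checksums.txt as well.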
