Skip to content

Commit 0aca609

Browse files
authored
[chore] Sign release checksums and emit an SBOM (#297)
* [chore] Sign release checksums and emit an SBOM * [chore] Pin action SHAs and add Verifying releases to ToC
1 parent a98ef75 commit 0aca609

3 files changed

Lines changed: 34 additions & 0 deletions

File tree

.github/workflows/release.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@ on:
66

77
permissions:
88
contents: write
9+
id-token: write
910

1011
jobs:
1112
release:
@@ -17,6 +18,8 @@ jobs:
1718
- uses: actions/setup-go@v6
1819
with:
1920
go-version-file: go.mod
21+
- uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
22+
- uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
2023
- uses: goreleaser/goreleaser-action@v7
2124
with:
2225
args: release --clean

.goreleaser.yaml

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,21 @@ archives:
2929
checksum:
3030
name_template: checksums.txt
3131

32+
sboms:
33+
- artifacts: archive
34+
35+
signs:
36+
- cmd: cosign
37+
certificate: "${artifact}.pem"
38+
args:
39+
- sign-blob
40+
- "--output-certificate=${certificate}"
41+
- "--output-signature=${signature}"
42+
- "${artifact}"
43+
- "--yes"
44+
artifacts: checksum
45+
output: true
46+
3247
changelog:
3348
sort: asc
3449
abbrev: -1

README.md

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,7 @@
1919

2020
- [Features](#features)
2121
- [Installation](#installation)
22+
- [Verifying releases](#verifying-releases)
2223
- [Quick Start](#quick-start)
2324
- [Commands](#commands)
2425
- [Configuration](#configuration)
@@ -76,6 +77,21 @@ make build
7677
# Binary is at ./bin/rimba
7778
```
7879

80+
### Verifying releases
81+
82+
Each release publishes a `checksums.txt` signed with [cosign](https://github.com/sigstore/cosign) keyless signing (Sigstore OIDC via GitHub Actions). To verify a downloaded checksum file:
83+
84+
```sh
85+
cosign verify-blob \
86+
--certificate checksums.txt.pem \
87+
--signature checksums.txt.sig \
88+
--certificate-identity-regexp 'https://github.com/lugassawan/rimba/.github/workflows/release.yml@refs/tags/v.*' \
89+
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
90+
checksums.txt
91+
```
92+
93+
Each release archive also ships a companion `*.sbom.json` (SPDX format) on the GitHub Release page.
94+
7995
## Quick Start
8096

8197
```sh

0 commit comments

Comments
 (0)