Unverified Commit 7b6cf6aa authored by Timo Furrer's avatar Timo Furrer

Sign images using cosign

parent 7c1f0218
...@@ -182,7 +182,7 @@ shellcheck: ...@@ -182,7 +182,7 @@ shellcheck:
.gitlab-opentofu-image:deploy:base: .gitlab-opentofu-image:deploy:base:
stage: deploy stage: deploy
image: image:
name: gcr.io/go-containerregistry/crane:debug name: alpine/crane:0.20.0
entrypoint: [""] entrypoint: [""]
variables: variables:
GITLAB_OPENTOFU_BASE_IMAGE_OS: $RELEASE_BASE_IMAGE_OS GITLAB_OPENTOFU_BASE_IMAGE_OS: $RELEASE_BASE_IMAGE_OS
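Review bot: `name: alpine/crane:0.20.0` still pins the deploy image to a mutable tag, and this job is now the root of trust for the release signatures, so whatever `crane` and `cosign` run here decide what gets signed; pin the image by digest as well (`alpine/crane:0.20.0@sha256:<digest>`, digest to be filled in) and let Renovate bump it. Moving off the floating `gcr.io/go-containerregistry/crane:debug` tag to a versioned one is already a step in the right direction.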
...@@ -219,8 +219,18 @@ shellcheck: ...@@ -219,8 +219,18 @@ shellcheck:
gitlab-opentofu-image:deploy: gitlab-opentofu-image:deploy:
extends: ['.gitlab-opentofu-image:deploy:base'] extends: ['.gitlab-opentofu-image:deploy:base']
variables:
COSIGN_YES: "true" # Used by Cosign to skip confirmation prompts for non-destructive operations
id_tokens:
SIGSTORE_ID_TOKEN:
aud: sigstore
script: script:
# Install dependencies, can't use before_script because of the job we are extending.
- apk add --update cosign
# Release image
- crane copy "$GITLAB_OPENTOFU_IMAGE_NAME" "$RELEASE_IMAGE" - crane copy "$GITLAB_OPENTOFU_IMAGE_NAME" "$RELEASE_IMAGE"
# Sign image
- cosign sign "$(crane digest --full-ref "$RELEASE_IMAGE")"
- export image_digest="$(crane digest $RELEASE_IMAGE)" - export image_digest="$(crane digest $RELEASE_IMAGE)"
- 'echo "- \`$RELEASE_IMAGE\` (digest: \`$image_digest\`)" > image$CI_JOB_ID.md' - 'echo "- \`$RELEASE_IMAGE\` (digest: \`$image_digest\`)" > image$CI_JOB_ID.md'
artifacts: artifacts:
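Review bot: `apk add --update cosign` installs whatever cosign version the image's Alpine repositories happen to carry at run time, so the signer is unpinned and can change between two releases of the same component; pin it (`apk add cosign=<version>`, version to be chosen) or run `cosign` from a pinned image instead. Two smaller points in the same script block: `cosign sign` is not followed by a `cosign verify` against the expected identity, so a misconfigured `SIGSTORE_ID_TOKEN` audience or a signing failure that still exits 0 would go unnoticed until a consumer verifies; and the digest is computed twice (`crane digest --full-ref "$RELEASE_IMAGE"` and then `crane digest $RELEASE_IMAGE`, the latter unquoted), so compute it once into `image_digest` and sign `"$RELEASE_IMAGE@$image_digest"`, which also guarantees that the signed digest is the one written to the release notes.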
...@@ -328,6 +328,16 @@ However, we cannot use the alternative `+` which would indicate build metadata ...@@ -328,6 +328,16 @@ However, we cannot use the alternative `+` which would indicate build metadata
as we'd like. as we'd like.
See https://github.com/distribution/distribution/issues/1201* See https://github.com/distribution/distribution/issues/1201*
### Image Signing
Every released image is [signed](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html)
using [`sigstore/cosign`](https://github.com/sigstore/cosign).
Check the following docs to learn more about verifying the signature:
- https://docs.sigstore.dev/cosign/verifying/verify/
- https://docs.gitlab.com/ee/ci/yaml/signing_examples.html#verification
### Using with Renovate ### Using with Renovate
To keep the component versions up to date you could use [Renovate](https://docs.renovatebot.com/). To keep the component versions up to date you could use [Renovate](https://docs.renovatebot.com/).
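Review bot: the new `### Image Signing` section links to generic verification docs but never states what a verifier must pin. With keyless signing, `cosign verify` only proves something when it is given `--certificate-identity` (the GitLab project and ref that runs this deploy job) and `--certificate-oidc-issuer` (this GitLab instance); without those two values a signature from any other Sigstore-signed image would pass. Add the concrete `cosign verify` command with both flags filled in for this project so readers do not have to reconstruct the identity from the pipeline definition.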
...@@ -43,6 +43,8 @@ And with the follow base OS images: ...@@ -43,6 +43,8 @@ And with the follow base OS images:
- `alpine`, use `base_os: alpine` input to use it (default). - `alpine`, use `base_os: alpine` input to use it (default).
- `debian`, use `base_os: debian` input to use it. - `debian`, use `base_os: debian` input to use it.
The images have been signed with `cosign`.
> **Note:** > **Note:**
> >
> When using the component with the inputs `version` and `opentofu_version`,<br> > When using the component with the inputs `version` and `opentofu_version`,<br>
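Review bot: `The images have been signed with \`cosign\`.` gives the reader nothing to act on and is phrased as a one-off past event, although the pipeline signs every future release as well; change it to present tense (`The images are signed with \`cosign\`.`) and link to the `### Image Signing` section, or repeat the verify command there, so the claim is checkable from this page.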
...@@ -347,6 +347,16 @@ However, we cannot use the alternative `+` which would indicate build metadata ...@@ -347,6 +347,16 @@ However, we cannot use the alternative `+` which would indicate build metadata
as we'd like. as we'd like.
See https://github.com/distribution/distribution/issues/1201* See https://github.com/distribution/distribution/issues/1201*
### Image Signing
Every released image is [signed](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html)
using [`sigstore/cosign`](https://github.com/sigstore/cosign).
Check the following docs to learn more about verifying the signature:
- https://docs.sigstore.dev/cosign/verifying/verify/
- https://docs.gitlab.com/ee/ci/yaml/signing_examples.html#verification
### Using with Renovate ### Using with Renovate
To keep the component versions up to date you could use [Renovate](https://docs.renovatebot.com/). To keep the component versions up to date you could use [Renovate](https://docs.renovatebot.com/).
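Review bot: this `### Image Signing` block is a verbatim copy of the one added around line 328 of the other file, so the two READMEs will drift the first time the verification instructions change (for example once the expected certificate identity and OIDC issuer are documented, which both copies currently lack). Keep the guidance in one place and link to it from the other, or generate one file from the other if the repository already does that for the rest of the shared text.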