From cba22d1de4a790ad57e07c6bcc6e226234be87d2 Mon Sep 17 00:00:00 2001
From: Timo Furrer <tfurrer@gitlab.com>
Date: Wed, 30 Oct 2024 14:04:10 +0100
Subject: [PATCH] Introduce signature verification
---
 .gitlab-ci.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6ff8184..36cc5ff 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -55,6 +55,7 @@ stages:
 - quality
 - deploy
 - sign
+ - verify
 - release
 - cleanup
@@ -271,6 +272,22 @@ gitlab-opentofu-image:sign:
 rules:
 - if: '$CI_SERVER_FQDN == "gitlab.com" && $CI_COMMIT_TAG'
+gitlab-opentofu-image:verify-signature:
+ extends: '.image-matrix:deploy'
+ stage: verify
+ image: alpine:3.20.3
+ before_script:
+ - *image-matrix-deploy-release-name-script
+ - apk add --update cosign
+ script:
+ - cosign verify --certificate-identity "$CI_PROJECT_URL//.gitlab-ci.yml@refs/tags/$CI_COMMIT_TAG" --certificate-oidc-issuer "https://gitlab.com" "$RELEASE_IMAGE" "$(crane digest --full-ref "$RELEASE_IMAGE")"
+ rules:
+ - if: '$CI_SERVER_FQDN == "gitlab.com" && $CI_COMMIT_TAG'
+
 .release:base:
 stage: release
 image: registry.gitlab.com/gitlab-org/release-cli:v0.19.0
--
GitLab
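Review bot: The new verify-signature job's script calls `crane digest`, but its before_script only installs cosign (`apk add --update cosign`) into `alpine:3.20.3`, so unless `.image-matrix:deploy` or the aliased `*image-matrix-deploy-release-name-script` (both outside the hunk) supply crane, the `$(crane digest --full-ref "$RELEASE_IMAGE")` substitution presumably expands to an empty argument and cosign is asked to verify an empty reference. If crane is meant to come from this job, `- apk add --update cosign crane` installs both. Because this job is the trust gate in front of the release stage, the verifier tooling itself deserves pinning: `apk add --update cosign` takes whatever version the Alpine repository serves at run time, and the base image is pinned by tag only — `- apk add --update cosign=<pinned-version>` and `image: alpine:3.20.3@sha256:<image-digest>` (placeholders to fill in) would make the verification step reproducible. The `--certificate-oidc-issuer "https://gitlab.com"` literal is consistent with the job's gitlab.com-only rule, but `"$CI_SERVER_URL"` would keep the identity and issuer derived from the same source as `$CI_PROJECT_URL`.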