gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 12:31:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'fix/m11-cosign-v3-sign-blob-bundle': M-11 cosign v3 sign-blob migration

Browse Source
This commit is contained in:
shankar0123
2026-04-18 09:29:25 +00:00
parent ad93e99158 cb308bb4c7
commit 72f5246ce3
2 changed files with 21 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/release.yml
+15 -12
View File
@@ -79,10 +79,14 @@ jobs:
OUTPUT_NAME: ${{ steps.build.outputs.output_name }}
run: |
set -euo pipefail
# Cosign v3.0 (shipped by cosign-installer@v4.1.1 default
# cosign-release=v3.0.5) removed --output-signature/--output-certificate
# on sign-blob. The replacement is --bundle, which emits a unified
# Sigstore bundle (signature + cert chain + Rekor inclusion proof) as
# a single .sigstore.json artefact. M-11.
cosign sign-blob \
--yes \
--output-signature "dist/${OUTPUT_NAME}.sig" \
--output-certificate "dist/${OUTPUT_NAME}.pem" \
--bundle "dist/${OUTPUT_NAME}.sigstore.json" \
"dist/${OUTPUT_NAME}"
- name: Compute SHA-256 sidecar
@@ -100,8 +104,7 @@ jobs:
name: binary-${{ steps.build.outputs.output_name }}
path: |
dist/${{ steps.build.outputs.output_name }}
dist/${{ steps.build.outputs.output_name }}.sig
dist/${{ steps.build.outputs.output_name }}.pem
dist/${{ steps.build.outputs.output_name }}.sigstore.json
dist/${{ steps.build.outputs.output_name }}.sbom.spdx.json
dist/${{ steps.build.outputs.output_name }}.sha256
if-no-files-found: error
@@ -138,7 +141,7 @@ jobs:
: > checksums.txt
for f in certctl-*; do
case "$f" in
*.sig|*.pem|*.sbom.spdx.json|*.sha256|checksums.txt)
*.sigstore.json|*.sbom.spdx.json|*.sha256|checksums.txt)
continue ;;
esac
sha256sum "$f" >> checksums.txt
@@ -156,10 +159,11 @@ jobs:
run: |
set -euo pipefail
cd artifacts
# Cosign v3.0 --bundle replaces the removed v2 flag pair
# --output-signature / --output-certificate. See M-11.
cosign sign-blob \
--yes \
--output-signature checksums.txt.sig \
--output-certificate checksums.txt.pem \
--bundle checksums.txt.sigstore.json \
checksums.txt
- name: Upload artefacts to GitHub Release
@@ -169,8 +173,7 @@ jobs:
files: |
artifacts/certctl-*
artifacts/checksums.txt
artifacts/checksums.txt.sig
artifacts/checksums.txt.pem
artifacts/checksums.txt.sigstore.json
# ----------------------------------------------------------------------
# provenance-binaries (M-3): SLSA Level 3 provenance for every binary.
@@ -402,15 +405,15 @@ jobs:
```bash
cosign verify-blob \
--certificate checksums.txt.pem \
--signature checksums.txt.sig \
--bundle checksums.txt.sigstore.json \
--certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
checksums.txt
```
Replace `checksums.txt` with any individual binary name to verify that
artefact directly (each binary ships with its own `.sig` + `.pem` sidecar).
artefact directly (each binary ships with its own `.sigstore.json`
bundle, e.g. `cosign verify-blob --bundle certctl-agent-linux-amd64.sigstore.json …`).
**3. Verify SLSA Level 3 provenance (binaries):**
README.md
+6 -4
View File
@@ -260,15 +260,17 @@ sha256sum -c checksums.txt
```bash
cosign verify-blob \
--certificate checksums.txt.pem \
--signature checksums.txt.sig \
--bundle checksums.txt.sigstore.json \
--certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
checksums.txt
```
Every individual binary has its own `.sig` + `.pem` sidecar; swap
`checksums.txt` for any binary name to verify it directly.
Every individual binary ships with its own `.sigstore.json` bundle
(unified Sigstore bundle containing signature, certificate chain, and
Rekor inclusion proof). Swap `checksums.txt` for any binary name and
point `--bundle` at the matching `<binary>.sigstore.json` to verify it
directly.
**3. Verify SLSA Level 3 provenance on a binary:**