Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/wolfeidau/gh-cosign-goreleaser
Example of GitHub Actions, goreleaser and cosign to release a Go based CLI program.
cosign github-actions golang goreleaser sigstore
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/wolfeidau/gh-cosign-goreleaser
- Owner: wolfeidau
- License: apache-2.0
- Created: 2024-06-15T07:01:02.000Z (7 months ago)
- Default Branch: main
- Last Pushed: 2024-06-16T04:31:26.000Z (7 months ago)
- Last Synced: 2024-10-12T08:12:30.029Z (3 months ago)
- Topics: cosign, github-actions, golang, goreleaser, sigstore
- Language: Go
- Homepage: https://github.com/wolfeidau/gh-cosign-goreleaser
- Size: 138 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# gh-cosign-goreleaser
This repository illustrates how to use GitHub, [GoReleaser](https://goreleaser.com/) and [cosign](https://docs.sigstore.dev) to release a [Go](https://go.dev) based CLI program.
# Overview
This uses [keyless signing of blobs](https://docs.sigstore.dev/signing/signing_with_blobs/#keyless-signing-of-blobs-and-files) to provide signatures for binaries built using GitHub Actions, with GoReleaser.
Have a look at the [GitHub Actions workflow](.github/workflows/releaser.yml) and the [GoReleaser configuration](.goreleaser.yaml).
Release with signatures screenshot below:
![release with signatures screenshot](images/release-with-signatures.png)
# Why Sigstore?
With the rise in supply chain attacks targeting third-party software, it is important to attest to the integrity of the software you use. Project Sigstore is a standard for signing, verifying and protecting software supply chains.
# Verify The Artifact
To verify the artifact, you will need to download the artifact, the signature and the certificate.
```
cosign verify-blob \
  --certificate gh-cosign-goreleaser_0.0.1_checksums.txt.pem \
  --signature gh-cosign-goreleaser_0.0.1_checksums.txt.sig \
  --certificate-identity-regexp "^https://github.com/wolfeidau/gh-cosign-goreleaser/.github/workflows/releaser.yml.*" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  gh-cosign-goreleaser_0.0.1_checksums.txt
```
The full certificate identity is `https://github.com/wolfeidau/gh-cosign-goreleaser/.github/workflows/releaser.yml@refs/tags/v0.0.1`
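The command above establishes trust in the checksums file only; the binaries themselves are trusted transitively, by matching their SHA-256 against the entries in that file. The following script is an added example (not code from the gh-cosign-goreleaser repository): it wraps the README's `cosign verify-blob` invocation in a function and adds the follow-on checksum comparison. The artifact files and checksum contents it creates are constructed locally for the demo; the `sha256_of`, `verify_checksums_signature` and `verify_artifact_checksum` helper names are this example's own.

```shell
# Added example, not code from the gh-cosign-goreleaser repository.
# It wraps the README's cosign verify-blob command in a function and adds
# the follow-on check the README implies but does not spell out: once the
# signed checksums file is trusted, compare a downloaded artifact against
# the SHA-256 recorded in it. All file contents below are constructed
# locally for the demo.

# SHA-256 of a file, portable across GNU coreutils and BSD userlands.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# Step 1: verify the checksums file's keyless signature (the README's
# command). It needs the real release files plus access to Sigstore, so it
# is defined here but not invoked by the offline demo below.
verify_checksums_signature() {
  checksums="$1"
  cosign verify-blob \
    --certificate "${checksums}.pem" \
    --signature "${checksums}.sig" \
    --certificate-identity-regexp "^https://github.com/wolfeidau/gh-cosign-goreleaser/.github/workflows/releaser.yml.*" \
    --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
    "$checksums"
}

# Step 2: check one artifact against the now-trusted checksums file.
# GoReleaser writes one "<sha256>  <filename>" line per artifact.
# Returns 0 on a match, 1 if the file is not listed or the hash differs.
verify_artifact_checksum() {
  checksums="$1"
  artifact="$2"
  name=$(basename "$artifact")
  expected=$(awk -v f="$name" '$2 == f { print $1 }' "$checksums")
  [ -n "$expected" ] || return 1
  actual=$(sha256_of "$artifact")
  [ "$expected" = "$actual" ]
}

# Constructed demo release directory: one genuine artifact and one whose
# recorded hash does not match its contents (as after a post-signing swap).
demo_dir=$(mktemp -d)
good="$demo_dir/gh-cosign-goreleaser_0.0.1_linux_amd64.tar.gz"
bad="$demo_dir/gh-cosign-goreleaser_0.0.1_darwin_arm64.tar.gz"
printf 'demo artifact contents\n' > "$good"
printf 'contents that were swapped after signing\n' > "$bad"
checksums_file="$demo_dir/gh-cosign-goreleaser_0.0.1_checksums.txt"
{
  printf '%s  %s\n' "$(sha256_of "$good")" "$(basename "$good")"
  printf '%s  %s\n' "0000000000000000000000000000000000000000000000000000000000000000" "$(basename "$bad")"
} > "$checksums_file"

if verify_artifact_checksum "$checksums_file" "$good"; then
  echo "OK: $(basename "$good") matches the signed checksums file"
fi
if ! verify_artifact_checksum "$checksums_file" "$bad"; then
  echo "REJECT: $(basename "$bad") does not match the signed checksums file"
fi
```

In real use, run `verify_checksums_signature` first and only call `verify_artifact_checksum` if it succeeds; a checksums file whose signature does not verify gives no assurance about anything listed in it. The README's `--certificate-identity-regexp` accepts any ref built by that workflow; pinning `--certificate-identity` to the exact identity quoted above (the `@refs/tags/v0.0.1` form) is the stricter choice when you know which release you expect.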
# Read the Certificate
To read the certificate, use openssl on the `.pem` file uploaded with the release, which is a base64-encoded version of the certificate.
```
cat gh-cosign-goreleaser_0.0.1_checksums.txt.pem | base64 -d | openssl x509 -text
```
# License
This application is released under Apache 2.0 license and is copyright [Mark Wolfe](https://www.wolfe.id.au).