feat: add cosign keyless image signing to release workflow

mikkeldamsgaard · claude · mikkeldamsgaard · commit 10f0a7755311 · 2026-03-14T11:57:34.000+01:00
Sign both initium and initium-jyq container images with cosign keyless signing (Sigstore OIDC) after push, and attach signed SBOM attestations. Add make verify-image target and update security docs. Closes #10 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -27,6 +27,7 @@ jobs:
           }
         env:
           CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+      - uses: sigstore/cosign-installer@v3
       - uses: docker/setup-qemu-action@v3
       - uses: docker/setup-buildx-action@v3
       - uses: docker/login-action@v3
@@ -51,6 +52,13 @@ jobs:
           cache-to: type=gha,mode=max,scope=docker-main
           sbom: true
           provenance: true
+      - name: Sign initium image
+        run: |
+          cosign sign --yes ghcr.io/kitstream/initium:${{ steps.version.outputs.VERSION }}
+          cosign sign --yes ghcr.io/kitstream/initium:latest
+      - name: SBOM attestation for initium image
+        run: |
+          cosign attest --yes --predicate <(docker buildx imagetools inspect ghcr.io/kitstream/initium:${{ steps.version.outputs.VERSION }} --format '{{json .SBOM.SPDX}}') --type spdx ghcr.io/kitstream/initium:${{ steps.version.outputs.VERSION }}
       - uses: docker/build-push-action@v6
         with:
           context: .
@@ -66,3 +74,10 @@ jobs:
           cache-to: type=gha,mode=max,scope=docker-jyq
           sbom: true
           provenance: true
+      - name: Sign initium-jyq image
+        run: |
+          cosign sign --yes ghcr.io/kitstream/initium-jyq:${{ steps.version.outputs.VERSION }}
+          cosign sign --yes ghcr.io/kitstream/initium-jyq:latest
+      - name: SBOM attestation for initium-jyq image
+        run: |
+          cosign attest --yes --predicate <(docker buildx imagetools inspect ghcr.io/kitstream/initium-jyq:${{ steps.version.outputs.VERSION }} --format '{{json .SBOM.SPDX}}') --type spdx ghcr.io/kitstream/initium-jyq:${{ steps.version.outputs.VERSION }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Security
+
+- Cosign keyless image signing in release workflow for both `initium` and `initium-jyq` container images. Images are signed using Sigstore OIDC via GitHub Actions. SBOM attestations are also signed and attached to each image.
+- Added `make verify-image` target to verify cosign signatures locally.
+
 ### Added
 
 - `urlencode` template filter for percent-encoding strings in URLs. Useful for embedding passwords or other values containing URL-reserved characters (`@`, `%`, `:`, `/`, etc.) in connection strings.
diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 BINARY   := initium
 VERSION  ?= dev
-.PHONY: all build test lint clean
+.PHONY: all build test lint clean verify-image
 all: lint test build
 build:
 cargo build --release
@@ -17,3 +17,5 @@ docker-build:
 docker build -t ghcr.io/kitstream/initium:$(VERSION) .
 docker-push:
 docker push ghcr.io/kitstream/initium:$(VERSION)
+verify-image:
+cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github\.com/KitStream/initium/' ghcr.io/kitstream/initium:$(VERSION)
diff --git a/docs/security.md b/docs/security.md
@@ -78,12 +78,36 @@ If your cluster still uses PSPs, the same security context fields apply. Initium
 
 ## Image Verification
 
-Release images include SBOM and provenance attestations generated by GitHub Actions with `id-token: write` permissions:
+Release images are signed with [cosign](https://github.com/sigstore/cosign) using keyless signing (Sigstore OIDC via GitHub Actions). SBOM and provenance attestations are also signed and attached to each image.
+
+### Verify image signature
+
+```bash
+# Verify signature (requires cosign)
+cosign verify \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  --certificate-identity-regexp '^https://github\.com/KitStream/initium/' \
+  ghcr.io/kitstream/initium:latest
+
+# Or use the Makefile target
+make verify-image VERSION=latest
+```
+
+### Verify attestations
 
 ```bash
-# Verify provenance (requires cosign)
+# Verify provenance
 cosign verify-attestation \
   --type https://slsa.dev/provenance/v0.2 \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  --certificate-identity-regexp '^https://github\.com/KitStream/initium/' \
+  ghcr.io/kitstream/initium:latest
+
+# Verify SBOM attestation
+cosign verify-attestation \
+  --type spdx \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  --certificate-identity-regexp '^https://github\.com/KitStream/initium/' \
   ghcr.io/kitstream/initium:latest
 
 # View SBOM
