fix(security): add cosign keyless signing to releases #495
Draft
antitree wants to merge 1 commit into
Add Sigstore cosign keyless signing alongside existing GPG signing for release checksums. This provides verifiable provenance via Fulcio certificates and Rekor transparency log entries.

Changes:
- .goreleaser.yml: Add cosign signs block (id: cosign) for checksum artifacts, set COSIGN_YES=true env, add id: gpg to existing block
- release.yml: Install cosign via sigstore/cosign-installer v4.1.1, add Sigstore endpoints to harden-runner egress allowlist

The existing GPG signing is preserved (required by Terraform Registry). Cosign keyless signing uses the workflow's id-token: write permission (already present) to obtain a Fulcio certificate.

Addresses: FIND-055
Summary

- sigstore/cosign-installer@v4.1.1 in the release workflow
- (fulcio.sigstore.dev, rekor.sigstore.dev, oauth2.sigstore.dev, tuf-repo-cdn.sigstore.dev) to the harden-runner egress allowlist

Motivation

Release artifacts are currently signed with GPG only (required by Terraform Registry). Adding cosign keyless signing provides:

- chainguard-dev/apko and chainguard-dev/melange sign their releases

The workflow already has id-token: write permission, which cosign keyless uses to obtain a Fulcio certificate. No new secrets or keys are required.

Changes

.goreleaser.yml
- COSIGN_YES=true global env var (suppresses cosign interactive prompts)
- id: gpg to existing GPG signs block (required when multiple signs blocks exist)
- id: cosign signs block that signs checksum artifacts using cosign sign-blob with keyless mode

.github/workflows/release.yml
- sigstore/cosign-installer@v4.1.1 step before goreleaser
- id-token: write comment to reflect dual use (GPG federation + cosign keyless)

Verification
After the next tagged release, verify cosign signatures:
Applicability to other providers
This same pattern applies to all Chainguard terraform providers:

- terraform-provider-apko
- terraform-provider-cosign
- terraform-provider-imagetest
- terraform-provider-oci

The changes are generic — only the harden-runner endpoint list may vary per provider.
Addresses: FIND-055
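The verification step the PR describes, written out as an added example (these are not the PR author's commands and not code from the provider repositories). It assumes goreleaser publishes the checksum file next to a `.sig` signature and a `.pem` certificate with the same base name, and that the signing job ran from `.github/workflows/release.yml` on the tag ref, so the Fulcio certificate's subject is that workflow's ref URL. The point a consumer must not skip: pass both `--certificate-identity` and `--certificate-oidc-issuer`. Without those pins, a signature from any keyless identity would verify.

```shell
#!/usr/bin/env sh
# Added example, not code from the PR or the provider repositories.
# Verifies a goreleaser checksum file signed with `cosign sign-blob` in
# keyless mode, then checks downloaded artifacts against that file.
#
# Assumptions (constructed for this example; adjust to the real release):
#   - goreleaser published <sums>, <sums>.sig and <sums>.pem alongside the binaries
#   - the signing job ran from .github/workflows/release.yml on the tag ref,
#     so the certificate SAN is the workflow-ref URL built below
set -eu

# OIDC issuer that Fulcio records for GitHub Actions workflow identities.
github_oidc_issuer() {
  printf '%s\n' "https://token.actions.githubusercontent.com"
}

# Expected certificate identity (SAN) for a tag build of the release workflow.
# $1 = owner/repo, $2 = tag (e.g. v0.1.0), $3 = workflow file (default release.yml)
release_signing_identity() {
  printf 'https://github.com/%s/.github/workflows/%s@refs/tags/%s\n' \
    "$1" "${3:-release.yml}" "$2"
}

# Run cosign verify-blob with identity and issuer pinned. Without both pins,
# any valid Fulcio certificate would satisfy the signature check.
# Returns 0 on success, 1 on verification failure, 2 if cosign is missing.
# $1 = owner/repo, $2 = checksum file, $3 = tag
verify_checksum_signature() {
  repo=$1; sums=$2; tag=$3
  command -v cosign >/dev/null 2>&1 || { echo "cosign not installed" >&2; return 2; }
  cosign verify-blob \
    --certificate "${sums}.pem" \
    --signature "${sums}.sig" \
    --certificate-identity "$(release_signing_identity "$repo" "$tag")" \
    --certificate-oidc-issuer "$(github_oidc_issuer)" \
    "$sums" || return 1
}

# Full flow: cosign proves who signed the checksum file (and that the signing
# event is recorded in Rekor); sha256sum then ties local artifacts to it.
# $1 = owner/repo, $2 = checksum file, $3 = tag
verify_release() {
  verify_checksum_signature "$1" "$2" "$3" || return $?
  # --ignore-missing: only artifacts present in the current directory are checked
  sha256sum --ignore-missing -c "$2"
}

# Usage (repo, file name and tag are example values):
#   verify_release chainguard-dev/terraform-provider-apko \
#     terraform-provider-apko_0.1.0_SHA256SUMS v0.1.0
```

`verify-blob` still contacts Rekor to confirm the signing event was logged, so run it with network access or pass a bundle if the release ships one. If the release workflow signs from inside a reusable workflow, the certificate identity is that reusable workflow's ref, not `release.yml`; check the `.pem` before assuming the default.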