Commit d757f50

chore: add Cosign to sign Docker images
Signed-off-by: Nora Blomaard <n.blomaard@gmail.com>
1 parent dd1193c commit d757f50

2 files changed

Lines changed: 25 additions & 0 deletions

.github/workflows/release-please.yml

Lines changed: 10 additions & 0 deletions
@@ -8,6 +8,7 @@ on:
88

99
permissions:
1010
contents: write
11+
id-token: write
1112
packages: write
1213
pull-requests: write
1314

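Review bot: `id-token: write` lands in the workflow-level `permissions:` block (same indentation as the `on:` shown in the hunk header), so every job in this workflow can mint an OIDC token, not only the job that runs `cosign sign`. Consider moving it, together with the other write scopes the signing job actually needs, into that job's own `permissions:` and leaving the workflow default for the rest; a keyless signing identity is only as narrow as the jobs that can request it.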
@@ -49,6 +50,10 @@ jobs:
4950
with:
5051
username: ${{ secrets.DOCKER_HUB_USERNAME }}
5152
password: ${{ secrets.DOCKER_HUB_TOKEN }}
53+
54+
- name: Install Cosign
55+
if: ${{ steps.release.outputs.release_created }}
56+
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
5257

5358
- name: Create custom Maven Settings.xml
5459
if: ${{ steps.release.outputs.release_created }}
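Review bot: the `# v4.1.2` comment next to the pinned `sigstore/cosign-installer` SHA is not checked by anything, so it should be stated in the PR how the pair is kept in sync (Dependabot and Renovate update both; a manual bump can leave them disagreeing). Pinning the installer of the signing tool to a full commit SHA rather than a tag is the right choice here, and the `if:` guard matches the other release-only steps, so Cosign is not installed on non-release runs.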
@@ -62,3 +67,8 @@ jobs:
6267
env:
6368
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
6469

70+
- name: Sign Docker image with Cosign
71+
if: ${{ steps.release.outputs.release_created }}
72+
run: |
73+
DIGEST=$(docker buildx imagetools inspect lfenergy/compas-cim-mapping:${{ steps.release.outputs.version }} --format '{{.Manifest.Digest}}')
74+
cosign sign --yes lfenergy/compas-cim-mapping@"${DIGEST}"
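Review bot: the digest that gets signed is resolved from the registry by tag (`docker buildx imagetools inspect lfenergy/compas-cim-mapping:<version>`) at signing time rather than taken from the step that pushed the image, so the signature attests whatever the tag points to when this step runs, not necessarily what this workflow built. If the build/push step exposes a digest output, sign that value instead. Separately, `${{ steps.release.outputs.version }}` is interpolated straight into the `run:` script; passing it through `env:` and referencing `"$VERSION"` avoids the expression-injection pattern and keeps the quoting uniform with `"${DIGEST}"`.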

SECURITY.md

Lines changed: 15 additions & 0 deletions
@@ -5,6 +5,21 @@ SPDX-License-Identifier: Apache-2.0
55
-->
66
# Security Policy
77

8+
## Verifying Docker images
9+
10+
Docker images published by this project are signed using [Cosign](https://github.com/sigstore/cosign) keyless signing via [Sigstore](https://www.sigstore.dev/). Signatures are recorded in the public [Rekor](https://rekor.sigstore.dev/) transparency log — no private key is stored or required.
11+
12+
To verify an image, install Cosign ([instructions](https://docs.sigstore.dev/cosign/system_config/installation/)) and run:
13+
14+
```sh
15+
cosign verify \
16+
--certificate-identity "https://github.com/com-pas/compas-cim-mapping/.github/workflows/release-please.yml@refs/heads/main" \
17+
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
18+
lfenergy/compas-cim-mapping:<tag>
19+
```
20+
21+
Replace `<tag>` with the specific release tag (e.g. `v0.12.1`) or `latest`.
22+
823
## Reporting a Vulnerability
924

1025
Please go to [Security Advisories](https://github.com/com-pas/compas-cim-mapping/security/advisories) to privately report a security vulnerability,
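Review bot: the verification example accepts a mutable tag (`lfenergy/compas-cim-mapping:<tag>`, with `latest` offered as an option), so a reader obtains a valid signature for whatever that tag resolves to at verification time, which is not the same as the image they later pull. The stronger instruction is to verify and deploy by digest (`lfenergy/compas-cim-mapping@sha256:<digest>`), or at least to say that the tag is resolved when `cosign verify` runs. Since the workflow signs only when `release_created` is true, it would also help to state that only images pushed by a release carry signatures.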
