Merge pull request #76 from com-pas/chore/implement-signed-release

noraeb · web-flow · commit d4b0cb261ce9 · 2026-05-12T14:13:22.000+02:00
fix: sign Docker images with Cosign
diff --git a/.github/workflows/automate-projects.yml b/.github/workflows/automate-projects.yml
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -8,6 +8,7 @@ on:
 
 permissions:
   contents: write
+  id-token: write
   pull-requests: write
 
 name: release-please
@@ -61,6 +62,10 @@ jobs:
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_TOKEN }}
+    
+      - name: Install Cosign
+        if: ${{ steps.release.outputs.release_created }}
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 
       - name: Create custom Maven Settings.xml
         if: ${{ steps.release.outputs.release_created }}
@@ -78,3 +83,9 @@ jobs:
         run: ./mvnw -B -s custom_maven_settings.xml -Pnative-image,release clean deploy
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Sign Docker image with Cosign
+        if: ${{ steps.release.outputs.release_created }}
+        run: |
+          DIGEST=$(docker buildx imagetools inspect lfenergy/compas-sitipe-service:${{ steps.release.outputs.version }} --format '{{.Manifest.Digest}}')
+          cosign sign --yes lfenergy/compas-sitipe-service@"${DIGEST}"
diff --git a/SECURITY.md b/SECURITY.md
@@ -5,6 +5,21 @@ SPDX-License-Identifier: Apache-2.0
 -->
 # Security Policy
 
+## Verifying Docker images
+
+Docker images published by this project are signed using [Cosign](https://github.com/sigstore/cosign) keyless signing via [Sigstore](https://www.sigstore.dev/). Signatures are recorded in the public [Rekor](https://rekor.sigstore.dev/) transparency log — no private key is stored or required.
+
+To verify an image, install Cosign ([instructions](https://docs.sigstore.dev/cosign/system_config/installation/)) and run:
+
+```sh
+cosign verify \
+  --certificate-identity "https://github.com/com-pas/compas-sitipe-service/.github/workflows/release-please.yml@refs/heads/main" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+  lfenergy/compas-sitipe-service:<tag>
+```
+
+Replace `<tag>` with the specific release tag (e.g. `v0.3.1`) or `latest`.
+
 ## Reporting a Vulnerability
 
 Please go to [Security Advisories](https://github.com/com-pas/compas-sitipe-service/security/advisories) to privately report a security vulnerability, 
