From 00db25fc1e0c3432105036075404c4429dfda403 Mon Sep 17 00:00:00 2001 From: Matt Moore Date: Mon, 13 Dec 2021 12:17:02 -0800 Subject: [PATCH] Enable keyless signing for private repos. (#1295) Now that cosign 1.4 is out, we can perform keyless signing without panicking on private images (and without `--force` uploading to Rekor). Signed-off-by: Matt Moore --- ci/docker-publish.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 3b55fce..977635a 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -42,6 +42,9 @@ jobs: - name: Install cosign if: github.event_name != 'pull_request' uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422 + with: + cosign-release: 'v1.4.0' + # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx @@ -76,18 +79,15 @@ jobs: tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - # Sign the resulting Docker image digest except on PRs and private repos - # The keyless signing process records signatures on the Rekor public - # transparency log, so signing is disabled for private repos by default - # to avoid leaking private data. If you wish to sign things anyways, - # then this check can be removed and --force can be added to the cosign - # command below. + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. # https://github.com/sigstore/cosign - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' && !github.event.repository.private }} + if: ${{ github.event_name != 'pull_request' }} env: COSIGN_EXPERIMENTAL: "true" # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance, and records it to the - # sigstore community Rekor transparency log. + # against the sigstore community Fulcio instance. run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}