Sign all artifacts with cosign and gpg (#1065)

Signed-off-by: Christian Mesh <christianmesh1@gmail.com>
Christian Mesh 2024-01-03 13:12:37 -05:00 committed by GitHub
parent 36879aa86b
commit ae22c28289
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -208,10 +208,16 @@ checksum:
name_template: "{{ .ProjectName }}_{{ .Version }}_SHA256SUMS"
signs:
- artifacts: checksum
- artifacts: all
id: cosign
cmd: cosign
certificate: "${artifact}.pem"
args: [ "sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}", "--yes" ]
- artifacts: all
signature: "${artifact}.gpgsig"
id: gpg
cmd: gpg
args: ["--batch", "-u", "{{ .Env.GPG_FINGERPRINT }}", "--output", "${signature}", "--detach-sign", "${artifact}" ]
docker_signs:
- artifacts: all