fix: Sign all images in manifest (#148)

Resolves #147

`cosign sign` only signs the provided digest by default. If that digest
is a manifest, which is currently the default for images built with
Docker due to
https://docs.docker.com/build/attestations/attestation-storage/, we also
want to sign each image with `--recursive` so that the images can be pulled by
any container manager that enforces signatures (e.g. podman).

Refer to https://github.com/sigstore/cosign/blob/main/doc/cosign_sign.md
for more details.

Co-authored-by: Gerald Pinder <gmpinder@gmail.com>
This commit is contained in:
Jordan Pryde 2024-03-29 16:54:37 -07:00 committed by GitHub
parent 47abb2bf4c
commit 1074a54672
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -383,6 +383,7 @@ fn sign_images(image_name: &str, tag: Option<&str>) -> Result<()> {
if Command::new("cosign")
.arg("sign")
.arg("--recursive")
.arg(&image_name_digest)
.status()?
.success()
@ -421,6 +422,7 @@ fn sign_images(image_name: &str, tag: Option<&str>) -> Result<()> {
trace!("cosign sign {image_name_digest}");
if Command::new("cosign")
.arg("sign")
.arg("--recursive")
.arg(&image_name_digest)
.status()?
.success()
@ -458,6 +460,7 @@ fn sign_priv_public_pair(image_digest: &str, image_name_tag: &str) -> Result<()>
if Command::new("cosign")
.arg("sign")
.arg("--key=env://COSIGN_PRIVATE_KEY")
.arg("--recursive")
.arg(image_digest)
.status()?
.success()
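Review bot: The new `.arg("--recursive")` line in this hunk and in the two hunks at -383 and -421 carries no comment saying why it is needed, so a reader of `sign_priv_public_pair` has no way to know that the digest passed to cosign may resolve to an index (Docker's attestation storage) rather than a single manifest, and that without the flag only the index is signed. A one-line comment above each `Command::new("cosign")` would fix that: `// --recursive: the digest may be an OCI index (Docker attestation storage); sign every referenced manifest too.` Since the same argument sequence is now repeated at three call sites (two keyless in `sign_images`, one keyed here), consider building the base cosign command in one small helper so a later flag change cannot drift between them. Both `sign_images` and `sign_priv_public_pair` start before and end after their hunks.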