Skip to content

Sign images using cosign

Balasankar 'Balu' C requested to merge 467-sign-images-using-cosign into master

What does this MR do?

Sign the build images with cosign and upload the signatures also to the registry. This is the first iteration mentioned in #467 (comment 1511591416)

Verifying images built by this MR's pipeline

$ export CI_COMMIT_REF_SLUG="467-sign-images-using-cosign"
$ export IMAGE_TAG=${CI_COMMIT_REF_SLUG}
$ cosign verify "registry.gitlab.com/gitlab-org/build/cng/gitlab-go:${IMAGE_TAG}" --certificate-identity "https://gitlab.com/gitlab-org/build/CNG//.gitlab-ci.yml@refs/heads/${CI_COMMIT_REF_SLUG}" --certificate-oidc-issuer "https://gitlab.com"

Related issues

Closes #467 (closed)

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion

Required

  • Merge Request Title, and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com
  • When ready for review, MR is labeled "~workflow::ready for review" per the Distribution MR workflow

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Integration tests added to GitLab QA
  • The impact any change in container size has should be evaluated
  • New dependencies are managed with dependencies.io
Edited by Robert Marshall

Merge request reports