Sign images using cosign (!1481) · Merge requests · GitLab.org / Build / CNG

What does this MR do?

Sign the build images with cosign and upload the signatures also to the registry. This is the first iteration mentioned in #467 (comment 1511591416)

Verifying images built by this MR's pipeline

$ export CI_COMMIT_REF_SLUG="467-sign-images-using-cosign"
$ export IMAGE_TAG=${CI_COMMIT_REF_SLUG}
$ cosign verify "registry.gitlab.com/gitlab-org/build/cng/gitlab-go:${IMAGE_TAG}" --certificate-identity "https://gitlab.com/gitlab-org/build/CNG//.gitlab-ci.yml@refs/heads/${CI_COMMIT_REF_SLUG}" --certificate-oidc-issuer "https://gitlab.com"

Related issues

Closes #467 (closed)

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion

Required

Merge Request Title, and Description are up to date, accurate, and descriptive
MR targeting the appropriate branch
MR has a green pipeline on GitLab.com
When ready for review, MR is labeled "~workflow::ready for review" per the Distribution MR workflow

Expected (please provide an explanation if not completing)

Test plan indicating conditions for success has been posted and passes
Documentation created/updated
Integration tests added to GitLab QA
The impact any change in container size has should be evaluated
New dependencies are managed with dependencies.io

Edited Aug 23, 2023 by Robert Marshall

Sign images using cosign