lukaszraczylo/kportal
1
0
Fork 0
mirror of https://github.com/lukaszraczylo/kportal.git synced 2026-06-05 23:03:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(install): pin cosign cert-identity to shared-actions workflow

Browse Source 
Releases are signed by the lukaszraczylo/shared-actions reusable
workflow, so the Sigstore certificate subject is the workflow URL
rather than this repo. The previous regex
'https://github.com/lukaszraczylo/kportal/.*' never matched, so any
user with cosign installed would see verification fail and abort
the install.

Pin cert-identity to the exact workflow URL:
  ^https://github\.com/lukaszraczylo/shared-actions/\.github/workflows/go-release\.yaml@refs/heads/main$

Override via COSIGN_CERT_IDENTITY_REGEXP for forks of the release
pipeline. Same fix applied to README's manual verification example.

Verified end-to-end against release v0.2.90:
  cosign verify-blob ... -> Verified OK
This commit is contained in:
Lukasz Raczylo
2026-05-06 11:02:40 +01:00
parent b4256dbbce
commit 0a8c872b01
2 changed files with 6 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+1 -1
View File
@@ -92,7 +92,7 @@ All release checksums are signed with [cosign](https://github.com/sigstore/cosig
```bash
# Download the checksum file and its sigstore bundle from the release
cosign verify-blob \
--certificate-identity-regexp "https://github.com/lukaszraczylo/kportal/.*" \
--certificate-identity-regexp "^https://github\.com/lukaszraczylo/shared-actions/\.github/workflows/go-release\.yaml@refs/heads/main$" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
--bundle "kportal-<version>-checksums.txt.sigstore.json" \
kportal-<version>-checksums.txt
install.sh
+5 -1
View File
@@ -133,8 +133,12 @@ verify_cosign_signature() {
fi
print_info "Verifying cosign signature on checksums.txt..."
# Releases are signed by the shared-actions reusable workflow, so the
# cert subject is the workflow URL — NOT this repo. Override with
# COSIGN_CERT_IDENTITY_REGEXP if you fork the release pipeline.
local cert_identity_regexp="${COSIGN_CERT_IDENTITY_REGEXP:-^https://github\.com/lukaszraczylo/shared-actions/\.github/workflows/go-release\.yaml@refs/heads/main$}"
if cosign verify-blob \
--certificate-identity-regexp "https://github.com/${REPO}/.*" \
--certificate-identity-regexp "${cert_identity_regexp}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
--bundle "${sig_file}" \
"${checksums_file}" >/dev/null 2>&1; then