Compare commits

2 Commits

Author SHA1 Message Date
lukaszraczylo 391bce366d fixup! fixup! Add artifacts signing. 2025-12-15 00:16:16 +00:00
lukaszraczylo 9fd8f9b03b fixup! Add artifacts signing. 2025-12-14 23:56:42 +00:00
3 changed files with 17 additions and 9 deletions
+2
@@ -12,6 +12,8 @@ on:
permissions: permissions:
contents: write contents: write
packages: write
id-token: write
jobs: jobs:
release: release:
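Review bot: `packages: write` and `id-token: write` are added to the workflow-level `permissions:` block above `jobs:`, so every job in this workflow receives them, not only the step that signs. Move `id-token: write` under `jobs.release.permissions` so the OIDC token is available only where cosign runs. `packages: write` is not explained by anything in the signing change shown here; drop it unless the release job publishes to a package registry, and say so in the commit message if it does.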
+2 -9
@@ -74,17 +74,10 @@ homebrew_casks:
signs: signs:
- cmd: cosign - cmd: cosign
env: signature: "${artifact}.sigstore.json"
- COSIGN_PASSWORD={{ .Env.COSIGN_PASSWORD }}
certificate: "${artifact}.pem"
args: args:
- sign-blob - sign-blob
- "--key" - "--bundle=${signature}"
- "env://COSIGN_KEY"
- "--output-signature"
- "${signature}"
- "--output-certificate"
- "${certificate}"
- "${artifact}" - "${artifact}"
- "--yes" - "--yes"
artifacts: checksum artifacts: checksum
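Review bot: with `--key "env://COSIGN_KEY"` and the `COSIGN_PASSWORD` env entry removed from `signs:`, nothing in this config uses those two secrets any more. Delete them from the repository secrets and from any workflow `env:` that still exports them, so a retired signing key is not left where a later change could read it. If earlier releases were signed with that key, keep its public key published and document which versions it covers, because the `cosign verify-blob` command in the README only works for bundles produced by this keyless setup. Since `artifacts: checksum` means only the checksum file is signed, the `.sigstore.json` bundle is the single trust anchor for a release; a comment in this block stating that would help the next maintainer.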
+13
@@ -83,6 +83,19 @@ cd kportal
make build && make install make build && make install
``` ```
### Verifying Release Signatures
All release checksums are signed with [cosign](https://github.com/sigstore/cosign) using keyless signing. To verify:
```bash
# Download the checksum file and its sigstore bundle from the release
cosign verify-blob \
--certificate-identity-regexp "https://github.com/lukaszraczylo/kportal/.*" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
--bundle "kportal-<version>-checksums.txt.sigstore.json" \
kportal-<version>-checksums.txt
```
## 🚀 Quick Start ## 🚀 Quick Start
Create `.kportal.yaml`: Create `.kportal.yaml`:
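Review bot: the `--certificate-identity-regexp "https://github.com/lukaszraczylo/kportal/.*"` line in the new README section accepts a certificate issued to any workflow file in the repository on any ref, so a signature produced by a different workflow or from a non-release branch would also verify. Tighten it to the release workflow and tag refs, for example an anchored pattern of the form `^https://github\.com/lukaszraczylo/kportal/\.github/workflows/<release-workflow>@refs/tags/.*$` (the workflow file name is not visible in this diff, hence the placeholder), or use `--certificate-identity` with the exact value for a given tag. The section also stops after verifying the checksum file; since only checksums are signed, add the follow-up step of checking the downloaded archive against `kportal-<version>-checksums.txt` (for instance with `sha256sum --check --ignore-missing`), otherwise the binary itself is never tied to the signature.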