Sign archives and checksums with cosign

Also: - update release notes generator to point to sigs - remove missing images from README Resolves #532 Signed-off-by: Josh Dolitsky <[email protected]>
helm · Jan 28, 2022 · d442676 · d442676
1 parent 1f28e49
commit d442676
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 17 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -47,11 +47,16 @@ jobs:
           echo ::set-output name=buildx_args::--platform ${DOCKER_PLATFORMS} \
             --build-arg revision=$(git rev-parse --short HEAD) \
             ${TAGS} .
+      - name: Install sigstore cosign
+        uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422
+        with:
+          cosign-release: 'v1.5.0'
       - name: Release artifacts
         id: release-artifacts
         env:
           AZURE_STORAGE_CONNECTION_STRING: ${{ secrets.AZURE_STORAGE_CONNECTION_STRING }}
           AZURE_STORAGE_CONTAINER_NAME: ${{ secrets.AZURE_STORAGE_CONTAINER_NAME }}
+          COSIGN_EXPERIMENTAL: "true"
         run: |
           VERSION="${{ steps.prepare.outputs.version }}" ./scripts/release-artifacts.sh
       - name: Set up QEMU
@@ -77,10 +82,6 @@ jobs:
       - name: Docker Buildx (push)
         run: |
           docker buildx build --output "type=image,push=true" ${{ steps.prepare.outputs.buildx_args }}
-      - name: Install sigstore cosign
-        uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422
-        with:
-          cosign-release: 'v1.5.0'
       - name: Sign the published Docker images (via GitHub OIDC token)
         env:
           COSIGN_EXPERIMENTAL: "true"

diff --git a/Makefile b/Makefile
@@ -179,6 +179,13 @@ checksum:
 		shasum -a 256 "$${f}" | sed 's/_dist\///' > "$${f}.sha256sum" ; \
 	done
 
+.PHONY: cosign
+cosign:
+	for f in $$(ls _dist/*.{gz,zip,sha256sum} 2>/dev/null) ; do \
+		echo "Creating $${f}.sig" ; \
+		cosign sign-blob --output-file "$${f}.sig" "$${f}"; \
+	done
+
 .PHONY: sign
 sign:
 	for f in $$(ls _dist/*.{gz,zip,sha256sum} 2>/dev/null) ; do \

diff --git a/README.md b/README.md
@@ -10,9 +10,6 @@
 
 Works as a valid Helm Chart Repository, and also provides an API for uploading charts.
 
-<img width="120" align="right" src="https://github.com/golang-samples/gopher-vector/raw/master/gopher-side_color.png">
-<img width="40" align="right" src="https://github.com/golang-samples/gopher-vector/raw/master/gopher-side_color.png">
-
 Powered by some great Go technology:
 - [helm/helm](https://github.com/helm/helm) - for working with charts
 - [gin-gonic/gin](https://github.com/gin-gonic/gin) - for HTTP routing

diff --git a/scripts/release-artifacts.sh b/scripts/release-artifacts.sh
@@ -28,7 +28,7 @@ sudo apt install azure-cli
 
 echo "Building chartmuseum binaries"
 make build-cross
-make dist checksum VERSION="${VERSION}"
+make dist checksum cosign VERSION="${VERSION}"
 
 echo "Pushing binaries to Azure"
 az storage blob upload-batch -s _dist/ -d "$AZURE_STORAGE_CONTAINER_NAME" --pattern 'chartmuseum-*' --connection-string "$AZURE_STORAGE_CONNECTION_STRING"
diff --git a/scripts/release-notes.sh b/scripts/release-notes.sh
@@ -79,15 +79,15 @@ The community keeps growing, and we'd love to see you there!
 
 Download ChartMuseum ${RELEASE}. The common platform binaries are here:
 
-- [MacOS amd64](https://get.helm.sh/chartmuseum-${RELEASE}-darwin-amd64.tar.gz) ([checksum](https://get.helm.sh/chartmuseum-${RELEASE}-darwin-amd64.tar.gz.sha256sum) / $(cat _dist/chartmuseum-${RELEASE}-darwin-amd64.tar.gz.sha256sum | awk '{print $1}'))
-- [Linux amd64](https://get.helm.sh/chartmuseum-${RELEASE}-linux-amd64.tar.gz) ([checksum](https://get.helm.sh/chartmuseum-${RELEASE}-linux-amd64.tar.gz.sha256sum) / $(cat _dist/chartmuseum-${RELEASE}-linux-amd64.tar.gz.sha256sum | awk '{print $1}'))
-- [Linux arm](https://get.helm.sh/chartmuseum-${RELEASE}-linux-arm.tar.gz) ([checksum](https://get.helm.sh/chartmuseum-${RELEASE}-linux-arm.tar.gz.sha256sum) / $(cat _dist/chartmuseum-${RELEASE}-linux-arm.tar.gz.sha256sum | awk '{print $1}'))
-- [Linux arm64](https://get.helm.sh/chartmuseum-${RELEASE}-linux-arm64.tar.gz) ([checksum](https://get.helm.sh/chartmuseum-${RELEASE}-linux-arm64.tar.gz.sha256sum) / $(cat _dist/chartmuseum-${RELEASE}-linux-arm64.tar.gz.sha256sum | awk '{print $1}'))
-- [Linux i386](https://get.helm.sh/chartmuseum-${RELEASE}-linux-386.tar.gz) ([checksum](https://get.helm.sh/chartmuseum-${RELEASE}-linux-386.tar.gz.sha256sum) / $(cat _dist/chartmuseum-${RELEASE}-linux-386.tar.gz.sha256sum | awk '{print $1}'))
-- [Linux mips64le](https://get.helm.sh/chartmuseum-${RELEASE}-linux-mips64le.tar.gz) ([checksum](https://get.helm.sh/chartmuseum-${RELEASE}-linux-mips64le.tar.gz.sha256sum) / $(cat _dist/chartmuseum-${RELEASE}-linux-mips64le.tar.gz.sha256sum | awk '{print $1}'))
-- [Linux ppc64le](https://get.helm.sh/chartmuseum-${RELEASE}-linux-ppc64le.tar.gz) ([checksum](https://get.helm.sh/chartmuseum-${RELEASE}-linux-ppc64le.tar.gz.sha256sum) / $(cat _dist/chartmuseum-${RELEASE}-linux-ppc64le.tar.gz.sha256sum | awk '{print $1}'))
-- [Linux s390x](https://get.helm.sh/chartmuseum-${RELEASE}-linux-s390x.tar.gz) ([checksum](https://get.helm.sh/chartmuseum-${RELEASE}-linux-s390x.tar.gz.sha256sum) / $(cat _dist/chartmuseum-${RELEASE}-linux-s390x.tar.gz.sha256sum | awk '{print $1}'))
-- [Windows amd64](https://get.helm.sh/chartmuseum-${RELEASE}-windows-amd64.zip) ([checksum](https://get.helm.sh/chartmuseum-${RELEASE}-windows-amd64.zip.sha256sum) / $(cat _dist/chartmuseum-${RELEASE}-windows-amd64.zip.sha256sum | awk '{print $1}'))
+- [MacOS amd64](https://get.helm.sh/chartmuseum-${RELEASE}-darwin-amd64.tar.gz) ([archive sig](https://get.helm.sh/chartmuseum-${RELEASE}-darwin-amd64.tar.gz.sig) / [checksum](https://get.helm.sh/chartmuseum-${RELEASE}-darwin-amd64.tar.gz.sha256sum) / [checksum sig](https://get.helm.sh/chartmuseum-${RELEASE}-darwin-amd64.tar.gz.sha256sum.sig) / $(cat _dist/chartmuseum-${RELEASE}-darwin-amd64.tar.gz.sha256sum | awk '{print $1}'))
+- [Linux amd64](https://get.helm.sh/chartmuseum-${RELEASE}-linux-amd64.tar.gz) ([archive sig](https://get.helm.sh/chartmuseum-${RELEASE}-linux-amd64.tar.gz.sig) / [checksum](https://get.helm.sh/chartmuseum-${RELEASE}-linux-amd64.tar.gz.sha256sum) / [checksum sig](https://get.helm.sh/chartmuseum-${RELEASE}-linux-amd64.tar.gz.sha256sum.sig) /  $(cat _dist/chartmuseum-${RELEASE}-linux-amd64.tar.gz.sha256sum | awk '{print $1}'))
+- [Linux arm](https://get.helm.sh/chartmuseum-${RELEASE}-linux-arm.tar.gz) ([archive sig](https://get.helm.sh/chartmuseum-${RELEASE}-linux-arm.tar.gz.sig) / [checksum](https://get.helm.sh/chartmuseum-${RELEASE}-linux-arm.tar.gz.sha256sum) / [checksum sig](https://get.helm.sh/chartmuseum-${RELEASE}-linux-arm.tar.gz.sha256sum.sig) / $(cat _dist/chartmuseum-${RELEASE}-linux-arm.tar.gz.sha256sum | awk '{print $1}'))
+- [Linux arm64](https://get.helm.sh/chartmuseum-${RELEASE}-linux-arm64.tar.gz) ([archive sig](https://get.helm.sh/chartmuseum-${RELEASE}-linux-arm64.tar.gz.sig) / [checksum](https://get.helm.sh/chartmuseum-${RELEASE}-linux-arm64.tar.gz.sha256sum) / [checksum sig](https://get.helm.sh/chartmuseum-${RELEASE}-linux-arm64.tar.gz.sha256sum.sig) / $(cat _dist/chartmuseum-${RELEASE}-linux-arm64.tar.gz.sha256sum | awk '{print $1}'))
+- [Linux i386](https://get.helm.sh/chartmuseum-${RELEASE}-linux-386.tar.gz) ([archive sig](https://get.helm.sh/chartmuseum-${RELEASE}-linux-386.tar.gz.sig) / [checksum](https://get.helm.sh/chartmuseum-${RELEASE}-linux-386.tar.gz.sha256sum) / [checksum sig](https://get.helm.sh/chartmuseum-${RELEASE}-linux-386.tar.gz.sha256sum.sig) /  $(cat _dist/chartmuseum-${RELEASE}-linux-386.tar.gz.sha256sum | awk '{print $1}'))
+- [Linux mips64le](https://get.helm.sh/chartmuseum-${RELEASE}-linux-mips64le.tar.gz) ([archive sig](https://get.helm.sh/chartmuseum-${RELEASE}-linux-mips64le.tar.gz.sig) / [checksum](https://get.helm.sh/chartmuseum-${RELEASE}-linux-mips64le.tar.gz.sha256sum) / [checksum sig](https://get.helm.sh/chartmuseum-${RELEASE}-linux-mips64le.tar.gz.sha256sum.sig) / $(cat _dist/chartmuseum-${RELEASE}-linux-mips64le.tar.gz.sha256sum | awk '{print $1}'))
+- [Linux ppc64le](https://get.helm.sh/chartmuseum-${RELEASE}-linux-ppc64le.tar.gz) ([archive sig](https://get.helm.sh/chartmuseum-${RELEASE}-linux-ppc64le.tar.gz.sig) / [checksum](https://get.helm.sh/chartmuseum-${RELEASE}-linux-ppc64le.tar.gz.sha256sum) / [checksum sig](https://get.helm.sh/chartmuseum-${RELEASE}-linux-ppc64le.tar.gz.sha256sum.sig) / $(cat _dist/chartmuseum-${RELEASE}-linux-ppc64le.tar.gz.sha256sum | awk '{print $1}'))
+- [Linux s390x](https://get.helm.sh/chartmuseum-${RELEASE}-linux-s390x.tar.gz) ([archive sig](https://get.helm.sh/chartmuseum-${RELEASE}-linux-s390x.tar.gz.sig) / [checksum](https://get.helm.sh/chartmuseum-${RELEASE}-linux-s390x.tar.gz.sha256sum) / [checksum sig](https://get.helm.sh/chartmuseum-${RELEASE}-linux-s390x.tar.gz.sha256sum.sig) / $(cat _dist/chartmuseum-${RELEASE}-linux-s390x.tar.gz.sha256sum | awk '{print $1}'))
+- [Windows amd64](https://get.helm.sh/chartmuseum-${RELEASE}-windows-amd64.zip) ([archive sig](https://get.helm.sh/chartmuseum-${RELEASE}-windows-amd64.zip.sig) / [checksum](https://get.helm.sh/chartmuseum-${RELEASE}-windows-amd64.zip.sha256sum) / [checksum sig](https://get.helm.sh/chartmuseum-${RELEASE}-windows-amd64.zip.sha256sum.sig) / $(cat _dist/chartmuseum-${RELEASE}-windows-amd64.zip.sha256sum | awk '{print $1}'))
 
 You can use a [script to install](https://raw.githubusercontent.com/helm/chartmuseum/main/scripts/get-chartmuseum) on any system with \`bash\`.