project_name: cosign env: - GO111MODULE=on - CGO_ENABLED=1 - DOCKER_CLI_EXPERIMENTAL=enabled - COSIGN_YES=true - COSIGN_EXPERIMENTAL=true - LATEST_TAG=,latest # Prevents parallel builds from stepping on each others toes downloading modules before: hooks: - go mod tidy - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi' # if running a release we will generate the images in this step # if running in the CI the CI env va is set and we dont run the ko steps # this is needed because we are generating files that goreleaser was not aware to push to GH project release - /bin/bash -c 'if [ -z "$CI" ]; then make sign-release-images; fi' gomod: proxy: true sboms: - artifacts: binary builds: - id: linux binary: cosign-linux-{{ .Arch }} no_unique_dist_dir: true main: ./cmd/cosign flags: - -trimpath mod_timestamp: '{{ .CommitTimestamp }}' goos: - linux goarch: - amd64 - arm64 - arm - s390x - ppc64le goarm: - '7' ldflags: - "{{ .Env.LDFLAGS }}" env: - CGO_ENABLED=0 - id: linux-pivkey-pkcs11key-amd64 binary: cosign-linux-pivkey-pkcs11key-amd64 no_unique_dist_dir: true main: ./cmd/cosign flags: - -trimpath mod_timestamp: '{{ .CommitTimestamp }}' goos: - linux goarch: - amd64 ldflags: - "{{ .Env.LDFLAGS }}" tags: - pivkey - pkcs11key hooks: pre: - apt-get update - apt-get -y install libpcsclite-dev env: - PKG_CONFIG_PATH="/usr/lib/x86_64-linux-gnu/pkgconfig/" - id: darwin-amd64 binary: cosign-darwin-amd64 no_unique_dist_dir: true env: - CC=o64-clang - CXX=o64-clang++ main: ./cmd/cosign flags: - -trimpath mod_timestamp: '{{ .CommitTimestamp }}' goos: - darwin goarch: - amd64 ldflags: - "{{ .Env.LDFLAGS }}" tags: - pivkey - pkcs11key - id: darwin-arm64 binary: cosign-darwin-arm64 no_unique_dist_dir: true env: - CC=aarch64-apple-darwin21.4-clang - CXX=aarch64-apple-darwin21.4-clang++ main: ./cmd/cosign flags: - -trimpath goos: - darwin goarch: - arm64 tags: - pivkey - pkcs11key ldflags: - "{{.Env.LDFLAGS}}" - id: windows-amd64 binary: cosign-windows-amd64 no_unique_dist_dir: true env: - CC=x86_64-w64-mingw32-gcc - CXX=x86_64-w64-mingw32-g++ main: ./cmd/cosign mod_timestamp: '{{ .CommitTimestamp }}' flags: - -trimpath goos: - windows goarch: - amd64 ldflags: - -buildmode=exe - "{{ .Env.LDFLAGS }}" tags: - pivkey - pkcs11key - id: sget binary: sget-{{ .Os }}-{{ .Arch }} no_unique_dist_dir: true mod_timestamp: '{{ .CommitTimestamp }}' main: ./cmd/sget flags: - -trimpath goos: - linux - darwin - windows goarch: - amd64 - arm64 - arm - s390x - ppc64le goarm: - '7' ignore: - goos: windows goarch: arm64 - goos: windows goarch: arm - goos: windows goarch: s390x - goos: windows goarch: ppc64le ldflags: - "{{ .Env.LDFLAGS }}" env: - CGO_ENABLED=0 signs: - id: cosign signature: "${artifact}.sig" cmd: ./dist/cosign-linux-amd64 args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"] artifacts: binary - id: sget signature: "${artifact}.sig" cmd: ./dist/cosign-linux-amd64 args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"] artifacts: binary ids: - sget # Keyless - id: cosign-keyless signature: "${artifact}-keyless.sig" certificate: "${artifact}-keyless.pem" cmd: ./dist/cosign-linux-amd64 args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"] artifacts: binary - id: sget-keyless signature: "${artifact}-keyless.sig" certificate: "${artifact}-keyless.pem" cmd: ./dist/cosign-linux-amd64 args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"] artifacts: binary ids: - sget - id: checksum-keyless signature: "${artifact}-keyless.sig" certificate: "${artifact}-keyless.pem" cmd: ./dist/cosign-linux-amd64 args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"] artifacts: checksum - id: packages-keyless signature: "${artifact}-keyless.sig" certificate: "${artifact}-keyless.pem" cmd: ./dist/cosign-linux-amd64 args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"] artifacts: package nfpms: - id: cosign package_name: cosign file_name_template: "{{ .ConventionalFileName }}" vendor: Sigstore homepage: https://sigstore.dev maintainer: Sigstore Authors 86837369+sigstore-bot@users.noreply.github.com builds: - linux description: Container Signing, Verification and Storage in an OCI registry. license: "Apache License 2.0" formats: - apk - deb - rpm contents: - src: /usr/bin/cosign-linux-{{ .Arch }} dst: /usr/bin/cosign type: "symlink" archives: - format: binary name_template: "{{ .Binary }}" allow_different_binary_count: true checksum: name_template: "{{ .ProjectName }}_checksums.txt" snapshot: name_template: SNAPSHOT-{{ .ShortCommit }} release: prerelease: allow # remove this when we start publishing non-prerelease or set to auto draft: true # allow for manual edits github: owner: sigstore name: cosign footer: | ### Thanks to all contributors! extra_files: - glob: "./release/release-cosign.pub"