From 0c9092dc9501cbc8c9050b4002c7ddb03e2c0866 Mon Sep 17 00:00:00 2001
From: nux
Date: Wed, 7 Jan 2026 12:54:32 -0800
Subject: [PATCH] Add cosign binary signing to GitHub Actions release workflow

Uses sigstore/cosign-installer@v3 with keyless signing via GitHub OIDC.

Both upload-mac-universal-bin and upload-linux-bin jobs now:
- Install cosign
- Sign release artifacts with cosign sign-blob
- Upload .sig signature files alongside tarballs

Artifacts signed:
- pks-mac.tar.gz (macOS universal)
- x86_64-unknown-linux-gnu.tar.gz
- aarch64-unknown-linux-gnu.tar.gz
---
 .github/workflows/ci.yml | 43 ++++++++++++++++++++++++++++++++--------
 1 file changed, 35 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 213d4cc..71b244b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -102,12 +102,19 @@ jobs:
 needs: release
 runs-on: macos-latest
 if: ${{needs.release.outputs.new_version}}
+ permissions:
+ contents: write
+ id-token: write
 steps:
 - uses: actions/checkout@v3
+
+ - name: Install cosign
+ uses: sigstore/cosign-installer@v3
+
 - name: Build
 run: cargo build --release --target aarch64-apple-darwin --target x86_64-apple-darwin
- - name: Upload mac universal binary
+ - name: Create mac universal binary
 run: |
 # This combines the intel and m1 binaries into a single binary
 lipo -create -output target/pks target/aarch64-apple-darwin/release/pks target/x86_64-apple-darwin/release/pks
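Review bot: `uses: sigstore/cosign-installer@v3` is a mutable tag, so the step that produces the release signatures runs whatever code that tag points at on the day the job executes; for the component sitting on the signing path, pin it to a full commit SHA and keep the version in a comment, e.g. `uses: sigstore/cosign-installer@<40-hex-commit-sha> # v3.x.y`, and let Dependabot/Renovate move the pin. The same applies to `actions/checkout@v3` on the context line above, which this commit leaves at v3 while the Linux job below is on v4. The job-level `permissions` block is right for keyless signing (`id-token: write` is what lets cosign request the OIDC token), but once a job declares `permissions` every unlisted scope becomes `none`, so if anything else in this job relied on a wider workflow-level default that is outside this hunk it will now fail.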
@@ -115,9 +122,13 @@ jobs:
 # Creates artifact for homebrew. -C means run from `target` directory
 tar -czf target/pks-mac.tar.gz -C target pks
- # This tarball is a binary that is executable
- gh release upload $NEW_VERSION target/pks-mac.tar.gz
+ - name: Sign mac binary with cosign
+ run: |
+ cosign sign-blob --yes --output-signature target/pks-mac.tar.gz.sig target/pks-mac.tar.gz
+ - name: Upload mac universal binary and signature
+ run: |
+ gh release upload $NEW_VERSION target/pks-mac.tar.gz target/pks-mac.tar.gz.sig
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 NEW_VERSION: ${{ needs.release.outputs.new_version }}
@@ -126,8 +137,15 @@ jobs:
 needs: release
 if: ${{needs.release.outputs.new_version}}
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ id-token: write
 steps:
 - uses: actions/checkout@v4
+
+ - name: Install cosign
+ uses: sigstore/cosign-installer@v3
+
 - name: Update local toolchain
 run: |
 cargo install cross
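Review bot: The `.sig` written by `cosign sign-blob --output-signature` is only the raw signature; in keyless mode a verifier also needs the short-lived Fulcio certificate, and this step neither writes it (`--output-certificate`) nor uploads it, so as far as I can tell a downloader cannot run `cosign verify-blob` against this release without digging the certificate out of Rekor by hand. The simplest fix is to emit a bundle, which packages signature, certificate and Rekor entry together: `cosign sign-blob --yes --bundle target/pks-mac.tar.gz.bundle target/pks-mac.tar.gz` and `gh release upload $NEW_VERSION target/pks-mac.tar.gz target/pks-mac.tar.gz.bundle` (keep the `.sig` as well if Homebrew or other consumers already expect it). `--yes` is correct in CI — it only silences the prompt consenting to publish the certificate to the public transparency log — but a comment above it, `# --yes: non-interactive consent to publish to the Rekor transparency log; not a skipped check`, would stop the next reader from assuming it bypasses something.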
@@ -135,12 +153,21 @@ jobs:
 run: |
 cross build --release --target x86_64-unknown-linux-gnu
 cross build --release --target aarch64-unknown-linux-gnu
- - name: Upload linux binaries
+
+ - name: Create linux binary tarballs
+ run: |
+ tar -czf target/x86_64-unknown-linux-gnu.tar.gz -C target/x86_64-unknown-linux-gnu/release pks
+ tar -czf target/aarch64-unknown-linux-gnu.tar.gz -C target/aarch64-unknown-linux-gnu/release pks
+
+ - name: Sign linux binaries with cosign
+ run: |
+ cosign sign-blob --yes --output-signature target/x86_64-unknown-linux-gnu.tar.gz.sig target/x86_64-unknown-linux-gnu.tar.gz
+ cosign sign-blob --yes --output-signature target/aarch64-unknown-linux-gnu.tar.gz.sig target/aarch64-unknown-linux-gnu.tar.gz
+
+ - name: Upload linux binaries and signatures
 run: |
- tar -czf target/x86_64-unknown-linux-gnu.tar.gz -C target/x86_64-unknown-linux-gnu/release pks
- tar -czf target/aarch64-unknown-linux-gnu.tar.gz -C target/aarch64-unknown-linux-gnu/release pks
- gh release upload $NEW_VERSION target/x86_64-unknown-linux-gnu.tar.gz
- gh release upload $NEW_VERSION target/aarch64-unknown-linux-gnu.tar.gz
+ gh release upload $NEW_VERSION target/x86_64-unknown-linux-gnu.tar.gz target/x86_64-unknown-linux-gnu.tar.gz.sig
+ gh release upload $NEW_VERSION target/aarch64-unknown-linux-gnu.tar.gz target/aarch64-unknown-linux-gnu.tar.gz.sig
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 NEW_VERSION: ${{ needs.release.outputs.new_version }}
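Review bot: Neither the sign step nor the upload step says what identity a verifier must check, and with keyless signing that check is the whole trust decision: any GitHub workflow, including one in a fork, can obtain a valid Fulcio certificate, so a `cosign verify-blob` that does not pin `--certificate-identity` (or `-regexp`) to this repository's `ci.yml` and `--certificate-oidc-issuer` to `https://token.actions.githubusercontent.com` accepts anybody's signature. I would add a comment above the `cosign sign-blob` lines along the lines of `# Keyless: the cert subject is this workflow's OIDC identity (https://github.com/<org>/<repo>/.github/workflows/ci.yml@refs/...). Verifiers must pin --certificate-identity[-regexp] to it and --certificate-oidc-issuer to https://token.actions.githubusercontent.com.`, with the real repository path filled in (the diff does not show it, and the ref suffix depends on how the release job is triggered), and publish the full verify command in the README or release notes. A bare `.sig` does not carry that certificate, so the documented command also has to name the artifact that does — a `--bundle` output or an `--output-certificate` file uploaded next to the tarball — which these two steps do not yet produce.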