Sign images using Cosign v2 (#1176)

alemorcuq · web-flow · commit 12679b9895c9 · 2023-04-12T17:08:16.000+02:00
Signed-off-by: Alejandro Moreno &lt;amorenoc@vmware.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -128,18 +128,13 @@ jobs:
       uses: actions/checkout@v3.1.0
 
     - name: Install Cosign
-      uses: sigstore/cosign-installer@v2.7.0
+      uses: sigstore/cosign-installer@v3.0.2
 
     - name: Distroless verify
       run: |
         diff <(grep FROM docker/kubeseal.Dockerfile | awk '{print $2}') \
              <(grep FROM docker/controller.Dockerfile | awk '{print $2}')
-        cosign verify --key /dev/stdin "$(grep FROM docker/controller.Dockerfile | awk '{print $2}')" <<EOF
-        -----BEGIN PUBLIC KEY-----
-        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZzVzkb8A+DbgDpaJId/bOmV8n7Q
-        OqxYbK0Iro6GzSmOzxkn+N2AKawLyXi84WSwJQBK//psATakCgAQKkNTAA==
-        -----END PUBLIC KEY-----
-        EOF
+        cosign verify "$(grep FROM docker/controller.Dockerfile | awk '{print $2}')" --certificate-oidc-issuer https://accounts.google.com  --certificate-identity keyless@distroless.iam.gserviceaccount.com
 
     - name: Setup kubecfg
       run: |
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -60,7 +60,7 @@ jobs:
 
       # Setup Cosign
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v2.7.0
+        uses: sigstore/cosign-installer@v3.0.2
       - name: Write Cosign key
         run: echo "$COSIGN_KEY" > /tmp/cosign.key
         env:
@@ -134,7 +134,7 @@ jobs:
           tags: ${{ steps.meta_kubeseal.outputs.tags }}
       - name: Sign controller image with a key in GHCR
         run: |
-          echo -n "$COSIGN_PASSWORD" | cosign sign --key /tmp/cosign.key $TAG_CURRENT
+          echo -n "$COSIGN_PASSWORD" | cosign sign --key /tmp/cosign.key --yes $TAG_CURRENT
         env:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
           TAG_CURRENT: ${{ steps.meta_controller.outputs.tags }}
diff --git a/README.md b/README.md
@@ -716,6 +716,8 @@ kubeseal <mysecret.json >mysealedsecret.json
 
 Our images are being signed using [cosign](https://github.com/sigstore/cosign). The signatures have been saved in our [GitHub Container Registry](https://ghcr.io/bitnami-labs/sealed-secrets-controller/signs).
 
+> Images up to and including v0.20.2 were signed using Cosign v1. Newer images are signed with Cosign v2.
+
 It is pretty simple to verify the images:
 
 ```bash
