feat(release): sign checksums.txt with cosign keyless (Sigstore)#20

Merged
Palbahngmiyine merged 3 commits into
solapi:mainfrom
Palbahngmiyine:feat/cosign-release-signing
May 11, 2026

Conversation

@Palbahngmiyine
Member

@Palbahngmiyine Palbahngmiyine commented May 11, 2026

Summary

  • Add signs section to .goreleaser.yaml — cosign keyless signs checksums.txt, producing checksums.txt.sig and checksums.txt.pem in each GitHub release.
  • Grant id-token: write to the goreleaser job in .github/workflows/release-please.yml (job-scoped, not workflow-scoped) and add a sigstore/cosign-installer@v3 step.
  • Document optional verification under a new "Signature verification (advanced, optional)" ("서명 검증 (고급, 선택)") pointer in README.md, with the full walkthrough in VERIFYING.md.

Security model

  • Install path (unchanged): install.sh / install.ps1 verify SHA256 against checksums.txt. No new dependencies forced on end users.
  • Optional verification path (new): power users can run cosign verify-blob against checksums.txt using the published .sig + .pem and the documented certificate identity regex / OIDC issuer. This proves the checksums file was produced by this repo's release workflow at a tagged commit, after which the existing SHA256 step extends that trust to each binary.

Trade-offs considered

  • Force cosign in install scripts — rejected. It would add a hard dependency on a tool most users don't have, while providing no benefit over SHA256 against a TLS-fetched manifest for the common case.
  • Project-managed key pair (RSA/Ed25519) — rejected. Keyless avoids private-key custody and rotation; transparency log gives external auditability.

Effective from

The next release after this PR is merged. The current latest (v0.1.7) is unaffected — no retroactive signatures.

Test plan

  • After merge, cut a test pre-release tag and confirm checksums.txt.sig + checksums.txt.pem appear in the GitHub release assets.
  • Run the VERIFYING.md snippet against the new release and confirm Verified OK.
  • Confirm install.sh / install.ps1 continue to work unchanged (no .sig fetch, no behavior change).
  • Inspect the Rekor entry at search.sigstore.dev to confirm the cert identity matches release-please.yml@refs/tags/<tag>.

🤖 Generated with Claude Code
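Added example (not code from the PR, the solapi project or VERIFYING.md): the optional verification path the description lays out, as a POSIX shell script. Step 1 is the real `cosign verify-blob` invocation with its `--certificate-oidc-issuer` and `--certificate-identity-regexp` flags, pinning the signer to this repo's `release-please.yml` workflow at a tag; the issuer is GitHub Actions' OIDC issuer. Step 2 is the SHA256 check that `install.sh` already performs, which extends the verified manifest's trust to one binary. `<repo>` is a placeholder because the PR page does not state the repository name, and `identity_matches` is an offline stand-in that lets you exercise the identity regex (including pre-release tags, the case the review feedback raised) without cosign or a release present.

```shell
#!/bin/sh
# Added example, not the project's own code: the optional verification path from the PR
# description. Assumed: checksums.txt, checksums.txt.sig, checksums.txt.pem and the
# downloaded binary sit in the current directory, and "<repo>" is a placeholder for the
# repository name, which the PR page does not state.
set -eu

# GitHub Actions' OIDC issuer; the certificate in checksums.txt.pem must name it.
OIDC_ISSUER="https://token.actions.githubusercontent.com"

# Pin the signer to this repo's release workflow at a tag. The optional "-suffix" group
# accepts pre-release tags such as v0.2.0-rc.1, the case the review feedback asked for.
IDENTITY_RE='^https://github\.com/solapi/<repo>/\.github/workflows/release-please\.yml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$'

# Step 1: keyless verification of the manifest. Requires cosign on PATH; on success the
# checksums file is known to have been produced by the pinned workflow at a tagged commit
# (cosign prints "Verified OK").
verify_checksums_signature() {
  cosign verify-blob \
    --certificate checksums.txt.pem \
    --signature checksums.txt.sig \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    --certificate-identity-regexp "$IDENTITY_RE" \
    checksums.txt
}

# Offline check that a candidate certificate identity would pass IDENTITY_RE.
# grep -E (POSIX ERE) accepts this pattern unchanged; cosign itself uses Go RE2.
identity_matches() {
  printf '%s\n' "$1" | grep -Eq "$IDENTITY_RE"
}

# Portable SHA-256 digest: sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Step 2: extend trust from the verified manifest to one binary, the same check
# install.sh already does. Returns 0 on a match, 1 if the entry is missing or differs.
verify_binary_against_checksums() {
  checksums_file=$1
  binary=$2
  expected=$(awk -v f="$(basename "$binary")" '$2 == f { print $1 }' "$checksums_file")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $(basename "$binary")" >&2
    return 1
  fi
  actual=$(sha256_of "$binary")
  [ "$actual" = "$expected" ]
}

# Whole chain as a user would run it, e.g.: verify_release solapi-linux-amd64
verify_release() {
  verify_checksums_signature && verify_binary_against_checksums checksums.txt "$1"
}
```

Because the regex anchors both the owner/repo path and the `refs/tags/` ref, a certificate issued to the same workflow file in another repository, or to this workflow running on a branch instead of a tag, is rejected even though its signature over `checksums.txt` would be cryptographically valid; that is the property the `--certificate-identity-regexp` flag buys over a bare `verify-blob`.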


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces keyless signing for release artifacts using Sigstore/Cosign. The ".goreleaser.yaml" configuration is updated to generate signatures and certificates for the checksum file, and the "README.md" now includes a detailed guide for manual verification. Feedback was provided to improve the regular expression in the verification command to ensure it correctly handles pre-release version tags.

Palbahngmiyine and others added 2 commits May 11, 2026 15:38
Adds Sigstore-based keyless signing of checksums.txt via goreleaser's
signs section. Each release will now publish checksums.txt.sig and
checksums.txt.pem alongside the existing checksums file. The goreleaser
job in release-please.yml gains id-token: write permission (for OIDC)
and a sigstore/cosign-installer step.

Mirrors the kubectl signed-artifact pattern: install scripts still
verify SHA256 only (no change), and signature verification is documented
as an optional advanced step in README.md. No user-facing behavior
change for existing install/upgrade flows.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Moves the cosign verification walkthrough out of README into a dedicated
VERIFYING.md and replaces the README section with a short pointer.
VERIFYING.md adds the parts that didn't fit in README: trust model,
cosign install instructions per platform, certificate identity
explanation, and troubleshooting for the common verify-blob failures.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@Palbahngmiyine Palbahngmiyine force-pushed the feat/cosign-release-signing branch from a57b948 to db82053 Compare May 11, 2026 06:39
Removes the "same model/pattern as kubectl" ("kubectl 와 동일한 모델/패턴")
lines from README.md and VERIFYING.md per review feedback.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@Palbahngmiyine Palbahngmiyine merged commit aefc536 into solapi:main May 11, 2026
2 checks passed
@Palbahngmiyine Palbahngmiyine deleted the feat/cosign-release-signing branch May 11, 2026 06:44