diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8e10a59d8..cf1f2baf8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -128,18 +128,13 @@ jobs:
uses: actions/checkout@v3.1.0
- name: Install Cosign
- uses: sigstore/cosign-installer@v2.7.0
+ uses: sigstore/cosign-installer@v3.0.2
- name: Distroless verify
run: |
diff <(grep FROM docker/kubeseal.Dockerfile | awk '{print $2}') \
<(grep FROM docker/controller.Dockerfile | awk '{print $2}')
- cosign verify --key /dev/stdin "$(grep FROM docker/controller.Dockerfile | awk '{print $2}')" < /tmp/cosign.key
env:
@@ -134,7 +134,7 @@ jobs:
tags: ${{ steps.meta_kubeseal.outputs.tags }}
- name: Sign controller image with a key in GHCR
run: |
- echo -n "$COSIGN_PASSWORD" | cosign sign --key /tmp/cosign.key $TAG_CURRENT
+ echo -n "$COSIGN_PASSWORD" | cosign sign --key /tmp/cosign.key --yes $TAG_CURRENT
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
TAG_CURRENT: ${{ steps.meta_controller.outputs.tags }}
diff --git a/README.md b/README.md
index 27284f0e2..32ba45070 100644
--- a/README.md
+++ b/README.md
@@ -716,6 +716,8 @@ kubeseal mysealedsecret.json
Our images are being signed using [cosign](https://github.com/sigstore/cosign). The signatures have been saved in our [GitHub Container Registry](https://ghcr.io/bitnami-labs/sealed-secrets-controller/signs).
+> Images up to and including v0.20.2 were signed using Cosign v1. Newer images are signed with Cosign v2.
+
It is pretty simple to verify the images:
```bash
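Review bot: With the `cosign verify` line removed, the "Distroless verify" step no longer verifies any signature; as far as this hunk shows it only diffs the FROM lines of docker/kubeseal.Dockerfile and docker/controller.Dockerfile so both images share a base, and the step name now overstates what it checks. If base-image signature verification is intentionally dropped with the move to cosign-installer v3 (Cosign v2), rename the step, e.g. `- name: Check distroless base images match`, or put a comment above `run: |` recording that the signature check was removed and why; if it is still wanted, it should be reinstated against the v2 CLI rather than silently lost. The hunk header counts 18 old lines against 13 new but fewer are visible here, so part of this step may lie outside the view. Pinning `sigstore/cosign-installer@v3.0.2` by full commit SHA with the version in a trailing comment would also make the installer pin immutable, since a tag can be moved after the fact.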
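Review bot: The added `--yes` on the `cosign sign` line is undocumented, so a reader coming from Cosign v1 has no way to tell why it appeared. Cosign v2 prompts for confirmation before uploading the signature to the public transparency log, and on a runner without a TTY that prompt fails the step, so a comment such as `# --yes: skip Cosign v2's tlog-upload confirmation prompt; the job is non-interactive` above `run: |` would record the intent. It also acknowledges that each signature is published to Rekor without review, which is presumably the expected behaviour since v1 did the same without asking. This hunk's context references `steps.meta_kubeseal.outputs.tags`, so a sibling signing step for the kubeseal image likely exists outside the hunk and needs the same flag.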