3 files changed: +41 -0 lines changed
lines changed Original file line number Diff line number Diff line change 3737 username : ${{ secrets.DOCKERHUB_USERNAME }}
3838 password : ${{ secrets.DOCKERHUB_TOKEN }}
3939 - uses : docker/build-push-action@0adf9959216b96bec444f325f1e493d4aa344497 # v6.14.0
40+ id : build
4041 with :
4142 context : ${{ env.IMAGE }}
4243 platforms : linux/amd64,linux/arm64
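Review bot: `id : build` is added but nothing in this hunk consumes it; presumably a later step reads `steps.build.outputs.digest` for the signing step. Make sure that step signs `image@sha256:<digest>` from that output rather than the tag, so the signature is bound to the manifest this run actually pushed and not to whatever the tag resolves to when cosign runs. The action stays pinned to a full commit SHA with a version comment (`docker/build-push-action@0adf9959216b96bec444f325f1e493d4aa344497 # v6.14.0`); keep that convention for any action the signing step introduces.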
Original file line number Diff line number Diff line change 2424 - name : Pull the latest ${{ matrix.platform }} image
2525 shell : bash
2626 run : docker pull --platform "${{ matrix.platform }}" "${GITHUB_REPOSITORY_OWNER}/${IMAGE}"
27+ - name : Pull the latest ${{ matrix.platform }} image SBOM
28+ shell : bash
29+ run : docker buildx imagetools inspect "${GITHUB_REPOSITORY_OWNER}/${IMAGE}" --format "{{ json (index .SBOM \"${{ matrix.platform }}\").SPDX }}"
30+ - name : Install cosign
31+ uses : sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
32+ - name : Verify the Docker image signature
33+ shell : bash
34+ run : |
35+ cosign verify "${GITHUB_REPOSITORY_OWNER}/${IMAGE}" --certificate-identity-regexp "https://github\.com/${GITHUB_REPOSITORY}/\.github/workflows/.+" --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'
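Review bot: the verification added here resolves the image by tag twice: `docker pull --platform "${{ matrix.platform }}" "${GITHUB_REPOSITORY_OWNER}/${IMAGE}"` fetches whatever the tag points at, then `cosign verify "${GITHUB_REPOSITORY_OWNER}/${IMAGE}"` resolves the same tag again, so a tag moved between the two steps would leave an unverified image in the local daemon while the verify step passes on the newer manifest. Capture the digest of the pulled image (for example `docker inspect --format '{{ index .RepoDigests 0 }}' "${GITHUB_REPOSITORY_OWNER}/${IMAGE}"`) and pass that `image@sha256:...` reference to `cosign verify`, and run the verify step before any later step that executes the pulled image. Two smaller points: `--certificate-identity-regexp "https://github\.com/${GITHUB_REPOSITORY}/\.github/workflows/.+"` accepts a signature from any workflow file on any ref of this repository, so if other workflows here have `id-token: write` narrow it to the build workflow and the ref it signs from (a placeholder shape: `.../\.github/workflows/<build-workflow>\.yml@refs/heads/main`); and the SBOM step only prints the SPDX document, so the job does not fail when the SBOM is absent or empty. Piping that output through `jq -e` on a field you rely on (package count, or the image digest recorded in the document) turns it into an actual check.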
Original file line number Diff line number Diff line change @@ -26,3 +26,34 @@ docker buildx imagetools inspect leplusorg/aws-cli --format '{{ json (index .SBO
2626```
2727
2828Replace ` linux/amd64 ` by the desired platform (` linux/amd64 ` , ` linux/arm64 ` etc.).
29+
30+ ### Sigstore
31+
32+ [ Sigstore] ( https://docs.sigstore.dev ) is trying to improve supply
33+ chain security by allowing you to verify the origin of an
34+ artifcat. You can verify that the jar that you use was actually
35+ produced by this repository. This means that if you verify the
36+ signature of the ristretto jar, you can trust the integrity of the
37+ whole supply chain from code source, to CI/CD build, to distribution
38+ on Maven Central or whever you got the jar from.
39+
40+ You can use the following command to verify the latest image using its
41+ sigstore signature attestation:
42+
43+ ``` bash
44+ cosign verify leplusorg/aws-cli --certificate-identity-regexp ' https://github\.com/leplusorg/docker-av/\.github/workflows/.+' --certificate-oidc-issuer ' https://token.actions.githubusercontent.com'
45+ ```
46+
47+ The output should look something like this:
48+
49+ ``` text
50+ Verification for index.docker.io/leplusorg/xml:main --
51+ The following checks were performed on each of these signatures:
52+ - The cosign claims were validated
53+ - Existence of the claims in the transparency log was verified offline
54+ - The code-signing certificate was verified using trusted certificate authority certificates
55+
56+ [{"critical":...
57+ ```
58+
59+ For instructions on how to install ` cosign ` , please read this [ documentation] ( https://docs.sigstore.dev/cosign/system_config/installation/ ) .
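Review bot: the new Sigstore section still describes a different project's artifact: `You can verify that the jar that you use was actually`, `signature of the ristretto jar` and `on Maven Central or whever you got the jar from` should refer to the Docker image and Docker Hub, and `artifcat` and `whever` are typos. The sample output is also from another image (`Verification for index.docker.io/leplusorg/xml:main --`) while the command verifies `leplusorg/aws-cli`; regenerate it from this image so the two agree. On the command itself: the regexp hardcodes `leplusorg/docker-av` while the workflow in this same change derives the identity from `${GITHUB_REPOSITORY}`, so confirm that path is this repository's, otherwise the documented command can never verify; `cosign verify` checks the image signature, not an attestation (that would be `cosign verify-attestation`), so "sigstore signature attestation" should read "Sigstore signature"; and if the space after the opening quote in `' https://github\.com/...'` is present in the README source rather than a rendering artifact, it becomes part of the value passed to cosign and the regexp will not match. The regexp accepting any workflow in the repository (`\.github/workflows/.+`) is the same width as in the workflow hunk; if you narrow it there, narrow it here too so readers verify against the same identity the CI does.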
0 commit comments