Verify through public key only.

Gerrit91 · Gerrit91 · commit b6444369a7da · 2025-11-21T13:12:17.000+01:00
diff --git a/compose.yaml b/compose.yaml
@@ -27,7 +27,7 @@ services:
       - /bin/bash
       - -ce
       - |
-        cosign verify ghcr.io/metal-stack/metal-deployment-base:${DEPLOYMENT_BASE_IMAGE_TAG} --certificate-oidc-issuer https://accounts.google.com --certificate-identity keyless@metal-stack.iam.gserviceaccount.com
+        cosign verify --key files/cosign.pub ghcr.io/metal-stack/metal-deployment-base:${DEPLOYMENT_BASE_IMAGE_TAG}
         ansible -m metalstack.base.metal_stack_release_vector localhost --extra-vars "@.extra_vars.yaml"
         ansible-playbook deploy_control_plane.yaml --extra-vars "@.extra_vars.yaml"
 
@@ -54,7 +54,7 @@ services:
       - /bin/bash
       - -ce
       - |
-        cosign verify ghcr.io/metal-stack/metal-deployment-base:${DEPLOYMENT_BASE_IMAGE_TAG} --certificate-oidc-issuer https://accounts.google.com --certificate-identity keyless@metal-stack.iam.gserviceaccount.com
+        cosign verify --key files/cosign.pub ghcr.io/metal-stack/metal-deployment-base:${DEPLOYMENT_BASE_IMAGE_TAG}
         ansible -m metalstack.base.metal_stack_release_vector localhost --extra-vars "@.extra_vars.yaml"
         ansible-playbook deploy_partition.yaml --extra-vars "@.extra_vars.yaml"
 
diff --git a/files/cosign.pub b/files/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdeAXd2namgVNDT0APmogKGwaV+Q4
+rfe4uVgmsyBbb6TrhX5Py6x1PsonDahTvdVpbSGC7QGEjxIHdi8HnJ4Okg==
+-----END PUBLIC KEY-----
diff --git a/inventories/group_vars/all/release_vector.yaml b/inventories/group_vars/all/release_vector.yaml
@@ -5,11 +5,7 @@ metal_stack_release_vectors:
   - url: oci://ghcr.io/metal-stack/releases:{{ metal_stack_release_version }}
     variable_mapping_path: metal_stack_release.mapping
     include_role_defaults: metal-roles/common/roles/defaults
-    oci_cosign_verify_key: |
-      -----BEGIN PUBLIC KEY-----
-      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdeAXd2namgVNDT0APmogKGwaV+Q4
-      rfe4uVgmsyBbb6TrhX5Py6x1PsonDahTvdVpbSGC7QGEjxIHdi8HnJ4Okg==
-      -----END PUBLIC KEY-----
+    oci_cosign_verify_key: "{{ lookup('file', 'cosign.pub') }}"
 
 ##
 ## for development purposes, you can override releases from our image vector here
@@ -40,7 +36,7 @@ metal_stack_release_vectors:
 ## for ansible roles
 ##
 
-ansible_common_version: metal-stack-release-vector-module
+# ansible_common_version:
 # metal_roles_version:
 # metal_ansible_modules_version:
 
