diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 6b4a102..1f3c5da 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -8,8 +8,9 @@ on:
 jobs:
 release:
 permissions:
- contents: write
- packages: write
+ contents: write # for pushing to gh-pages (HTTPS Helm repository)
+ packages: write # for pushing to GHCR (OCI Helm repository)
+ id-token: write # for signing with keyless cosign
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
@@ -17,6 +18,9 @@ jobs:
 with:
 fetch-depth: 0
 
+ - name: Setup Cosign
+ uses: sigstore/cosign-installer@v3.10.0
+
 - name: Configure Git
 run: |
 git config user.name "$GITHUB_ACTOR"
@@ -42,12 +46,15 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 
- - name: Push Charts to GHCR
+ - name: Push Charts to GHCR and Sign
 run: |
 shopt -s nullglob
 for pkg in .cr-release-packages/*; do
 if [ -z "${pkg:-}" ]; then
 break
 fi
- helm push "${pkg}" oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts
+ chart_name=$(echo "${pkg##*/}" | sed 's/-[0-9].*$//')
+ repo="oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
+ helm push "${pkg}" "${repo}" |& grep Digest: | awk '{print $NF}' > digest.txt
+ cosign sign --yes "${repo}/${chart_name}@$(cat digest.txt)"
 done
diff --git a/README.md b/README.md
index 27c6269..6d53210 100644
--- a/README.md
+++ b/README.md
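Review bot: `uses: sigstore/cosign-installer@v3.10.0` in the new Setup Cosign step pins the installer to a mutable tag, and this is the binary that will perform the signing in a job holding `id-token: write`; pin it to the full commit SHA with the version as a trailing comment, e.g. `uses: sigstore/cosign-installer@<full 40-hex commit sha>  # v3.10.0`, so a moved or re-pushed tag cannot swap the tool out. The Checkout step's `uses:` line is outside this hunk; if it is tag-pinned the same applies there. The enclosing `steps:` list continues past the hunk.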
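Review bot: The new `helm push … |& grep Digest: | awk … > digest.txt` line can hand cosign an empty or garbage reference: the `run:` block enables only `shopt -s nullglob`, so unless the workflow's (not visible) default shell already sets `-o pipefail`, a failed push is hidden behind awk's exit status, and nothing checks that what was captured is actually a `sha256:` digest before `cosign sign --yes` is invoked on it. I would enable strict mode, capture the digest into a variable instead of a file left in the workspace, and refuse to sign unless it matches `^sha256:[0-9a-f]{64}$`, as below. Separately, the README verify example in this same commit points at `ghcr.io/oauth2-proxy/manifests/charts/oauth2-proxy@${VERSION}`, which does not look like the `${repo}/${chart_name}` path pushed here (`ghcr.io/<owner>/charts/<chart>`) and appears to use `@` digest syntax with a version tag; worth reconciling so the documented command verifies the artifact this step actually signs.

```yaml
        run: |
          set -euo pipefail
          shopt -s nullglob
          # … unchanged: for loop header and empty-pkg guard …
            chart_name=$(echo "${pkg##*/}" | sed 's/-[0-9].*$//')
            repo="oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
            digest=$(helm push "${pkg}" "${repo}" 2>&1 | tee /dev/stderr | awk '/^Digest:/ {print $NF}')
            if [[ ! "${digest}" =~ ^sha256:[0-9a-f]{64}$ ]]; then
              echo "failed to capture a digest for ${pkg}: '${digest}'" >&2
              exit 1
            fi
            cosign sign --yes "${repo}/${chart_name}@${digest}"
          done
```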
@@ -18,3 +18,24 @@ Linting/validation uses the [helm/chart-testing tool](https://github.com/helm/ch
 ct lint --all --config ct.yaml
 ct install --all --config ct.yaml
 ```
+
+## Verify Signed Helm Charts
+
+With the introduction of cosign for signing artifacts you can verify the
+integrity of our artifacts using the following command:
+
+```
+VERSION=8.2.2
+cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+ --certificate-github-workflow-repository oauth2-proxy/manifests \
+ --certificate-github-workflow-name "Release Charts" \
+ --certificate-github-workflow-ref main \
+ --certificate-identity "https://github.com/oauth2-proxy/manifests/.github/workflows/release.yaml@main" \
+ "oci://ghcr.io/oauth2-proxy/manifests/charts/oauth2-proxy@${VERSION}" | jq
+```
+
+Note:
+
+We utilize cosign to sign and verify artifacts with the KEYLESS mode. To learn
+more about how keyless signing is done, visit the official documentation about
+[Keyless Signatures](https://docs.sigstore.dev/cosign/signing/overview/#the-signing-witnessing-and-verifying-process).
diff --git a/helm/oauth2-proxy/Chart.yaml b/helm/oauth2-proxy/Chart.yaml
index f2a3c03..68b009e 100644
--- a/helm/oauth2-proxy/Chart.yaml
+++ b/helm/oauth2-proxy/Chart.yaml
@@ -1,5 +1,5 @@
 name: oauth2-proxy
-version: 8.2.1
+version: 8.2.2
 apiVersion: v2
 appVersion: 7.12.0
 home: https://oauth2-proxy.github.io/oauth2-proxy/
@@ -31,8 +31,8 @@ maintainers:
 kubeVersion: ">=1.16.0-0"
 annotations:
 artifacthub.io/changes: |
- - kind: added
- description: Add support for new container resize policy feature
+ - kind: security
+ description: Adding cosign keyless signing for helm chart artifact
 links:
 - name: Github PR
- url: https://github.com/oauth2-proxy/manifests/pull/346
+ url: https://github.com/oauth2-proxy/manifests/pull/356