
Commit 27bd24d

jobs/release: sign OCI images
This uses the new `cosa sign --oci` switch to sign our OCI images using the official Fedora GPG keys. Part of coreos/fedora-coreos-tracker#1969. I opted for not gating this behind a knob. It's safe to do this even on streams that still use encapsulated commits (it's just files in S3). But the earlier we do it, the more overlap we have in which both signature types (OCI and OSTree) co-exist and that makes migration planning easier.
1 parent c55288f commit 27bd24d

File tree

1 file changed

+16
-1
lines changed

jobs/release.Jenkinsfile

Lines changed: 16 additions & 1 deletion
@@ -289,13 +289,28 @@ lock(resource: "release-${params.STREAM}", extra: locks) {
289289
--auth=tmp/push-secret-${metajsonname} \
290290
--repo=${repo.repo} ${tag_args.join(' ')} \
291291
--artifact=${artifact} --metajsonname=${metajsonname} \
292-
--build=${params.VERSION} ${v2s2_arg}
292+
--build=${params.VERSION} ${v2s2_arg} \
293+
--write-digest-to-file=tmp/${metajsonname}-digest
293294
rm tmp/push-secret-${metajsonname}
294295
""")
295296
}
296297
}
297298
}]}
298299
}
300+
stage("Sign OS Container") {
301+
pipeutils.tryWithMessagingCredentials() {
302+
pipeutils.shwrapWithAWSBuildUploadCredentials("""
303+
manifest_list_digest=\$(cat tmp/base-oscontainer-digest)
304+
cosa sign --build=${newBuildID} \
305+
robosignatory --s3-sigstore ${s3_stream_dir}/sigs/oci \
306+
--aws-config-file \${AWS_BUILD_UPLOAD_CONFIG} \
307+
--extra-fedmsg-keys stream=${params.STREAM} \
308+
--oci --gpgkeypath /etc/pki/rpm-gpg \
309+
--fedmsg-conf=\${FEDORA_MESSAGING_CONF} \
310+
--manifest-list-digest=\${manifest_list_digest}
311+
""")
312+
}
313+
}
299314
}
300315

301316
if (uploading_to_brew) {
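Review bot: the new "Sign OS Container" stage reads `tmp/base-oscontainer-digest` with a bare `cat` and passes the result straight into `--manifest-list-digest=`, with no check that the file exists and is non-empty; if the push step that writes it via `--write-digest-to-file=tmp/${metajsonname}-digest` did not run for the `base-oscontainer` artifact, or wrote nothing, the sign call would be invoked with an empty digest and the failure would surface later and less clearly than a guard such as `test -s tmp/base-oscontainer-digest` placed before the `cosa sign` line. The file name is also hard-coded as `base-oscontainer` in the sign stage while the push loop derives it from `${metajsonname}`, so the two sites can silently drift apart if the artifact name changes; consider deriving both from one variable. Minor: the push stage removes `tmp/push-secret-${metajsonname}` after use but the digest file is left behind, which is harmless but inconsistent.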
