Fix artifact signing, use default runner #375

Merged
merged 1 commit into from
Jun 18, 2024

Conversation

cipherboy
Member

GPG signing was broken as --detach-sign does not itself take an argument to a file to sign; instead this should be a separate positional argument to the CLI as a whole. This means that stdin was signed instead of the specified file, resulting in bogus signatures.

While the existing cosign signatures work, they require additional calls to rekor to fetch the corresponding certificate used to sign. Mirroring with what OpenTofu does, we can save the certificates directly so that users can verify without additional calls to the rekor network.

Lastly, switch to GitHub-hosted runners to avoid needing to use a self-hosted runner for this release stage.

Thanks to @JanMa and @janosdebugs for their help.

@cipherboy added the bug, docs, pr/no-changelog and github_actions labels Jun 18, 2024
@cipherboy added this to the 2.0.0 - Beta milestone Jun 18, 2024
GPG signing was broken as --detach-sign does not itself take an argument
to a file to sign; instead this should be a separate positional argument
to the CLI as a whole. This means that stdin was signed instead of the
specified file, resulting in bogus signatures.

While the existing cosign signatures work, they require additional calls
to rekor to fetch the corresponding certificate used to sign. Mirroring
with what OpenTofu does, we can save the certificates directly so that
users can verify without additional calls to the rekor network.

Lastly, switch to GitHub-hosted runners to avoid needing to use a
self-hosted runner for this release stage.

Thanks to @JanMa and @janosdebugs for their help.

Signed-off-by: Alexander Scheel <[email protected]>
@naphelps merged commit 9a3a3a4 into openbao:main Jun 18, 2024
1 check passed
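
The failure described in this PR, reproduced as an added example that is not part of the PR or of the OpenBao release workflow: it signs a constructed file once with the file as a positional argument after `--detach-sign` and once from empty stdin, then verifies both signatures against the file. The throwaway key, the file names and the `verify_detached` helper are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Added example; the key, artifact and file names are constructed, not OpenBao's.

# Succeeds only if SIG ($1) is a valid detached signature over FILE ($2).
verify_detached() {
  gpg --batch --quiet --verify "$1" "$2" 2>/dev/null
}

# Sign a constructed artifact the right way and the broken way, then
# report how each signature verifies against the artifact.
sign_and_check_demo() {
  local home out rc
  home=$(mktemp -d) || return 2
  out=$(
    export GNUPGHOME="$home"
    cd "$home" || exit 2
    # Throwaway, passphrase-less signing key in an isolated keyring.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Release Demo <demo@example.invalid>' \
      ed25519 sign never 2>/dev/null || exit 2
    printf 'constructed release artifact\n' > artifact.bin

    # Correct: the file is a positional argument after the options.
    gpg --batch --quiet --output artifact.bin.gpgsig \
      --detach-sign artifact.bin || exit 2
    # Failure mode: no file reaches gpg, so it signs stdin (empty here).
    gpg --batch --quiet --output stdin.gpgsig \
      --detach-sign < /dev/null || exit 2

    file_sig=invalid; stdin_sig=invalid
    verify_detached artifact.bin.gpgsig artifact.bin && file_sig=valid
    verify_detached stdin.gpgsig artifact.bin && stdin_sig=valid
    gpgconf --kill gpg-agent 2>/dev/null
    echo "file_sig=$file_sig stdin_sig=$stdin_sig"
  )
  rc=$?
  rm -rf "$home"
  [ "$rc" -eq 0 ] && echo "$out"
  return "$rc"
}

sign_and_check_demo
```

Running the same `gpg --verify` against each artifact immediately after signing is a cheap release-pipeline check that catches a signature made over the wrong input.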
@DanGhita requested review from DanGhita and removed request for DanGhita June 18, 2024 19:58
Contributor

@DanGhita left a comment

OK for me

@cipherboy modified the milestones: 2.0.0 - Beta, 2.0.0 - GA Jun 19, 2024