# Name GoReleaser uses for this project.
project_name: cosign

# Global environment for the GoReleaser run.
env:
  # Force Go module mode.
  - "GO111MODULE=on"
  # cgo is enabled by default; the `linux` build entry overrides this with
  # CGO_ENABLED=0 in its own env list.
  - "CGO_ENABLED=1"
  - "DOCKER_CLI_EXPERIMENTAL=enabled"
  # Read by the cosign binary invoked in the signing steps; presumably set so
  # signing does not stop at a confirmation prompt in CI. Confirm.
  - "COSIGN_YES=true"
  # NOTE(review): not referenced anywhere else in this file; presumably
  # consumed by the surrounding release tooling. Confirm.
  - "LATEST_TAG=,latest"
9
# Runs once before any build. `go mod tidy` fetches modules up front, which
# prevents parallel builds from stepping on each other's toes downloading
# them. The second hook aborts the run when go.mod or go.sum differ from what
# is committed, so the release is built only from the committed dependency
# set.
before:
  hooks:
    - go mod tidy
    - >-
      /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'

# Build from the module as served by the Go module proxy rather than from the
# local checkout, which makes the build input independently fetchable.
gomod:
  proxy: true

# Produce an SBOM for every built binary.
sboms:
  - artifacts: binary
21
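# One entry per released binary. Conventions shared by every entry:
#   * `-trimpath` keeps local filesystem paths out of the binary.
#   * `mod_timestamp` pins the binary's mtime to the commit timestamp.
#     Together with -trimpath this keeps the output independent of the build
#     machine and build time.
#   * `ldflags` come from the LDFLAGS environment variable, so the caller of
#     GoReleaser decides what is stamped into the binary.
#   * `no_unique_dist_dir` puts every binary directly under dist/, which is
#     where the signing steps look for ./dist/cosign-linux-amd64.
builds:
  # Static (CGO_ENABLED=0) Linux binaries, without hardware-token support.
  - id: linux
    binary: cosign-linux-{{ .Arch }}
    no_unique_dist_dir: true
    main: ./cmd/cosign
    flags:
      - -trimpath
    mod_timestamp: '{{ .CommitTimestamp }}'
    goos:
      - linux
    goarch:
      - amd64
      - arm64
      - arm
      - s390x
      - ppc64le
      - riscv64
    goarm:
      - '7'
    ldflags:
      - "{{ .Env.LDFLAGS }}"
    env:
      - CGO_ENABLED=0

  # Linux amd64 with the pivkey and pkcs11key build tags (cgo build).
  - id: linux-pivkey-pkcs11key-amd64
    binary: cosign-linux-pivkey-pkcs11key-amd64
    no_unique_dist_dir: true
    main: ./cmd/cosign
    flags:
      - -trimpath
    mod_timestamp: '{{ .CommitTimestamp }}'
    goos:
      - linux
    goarch:
      - amd64
    ldflags:
      - "{{ .Env.LDFLAGS }}"
    tags:
      - pivkey
      - pkcs11key
    hooks:
      # NOTE(review): libpcsclite-dev is installed unpinned at build time, so
      # the library version linked into the release depends on what the build
      # image's apt sources serve. Pin the image or the package version if
      # this binary must be reproducible.
      pre:
        - apt-get update
        - apt-get -y install --no-install-recommends libpcsclite-dev
    env:
      - PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig/

  # Linux arm64 with the pivkey and pkcs11key build tags, cross-compiled with
  # the aarch64 GCC toolchain.
  - id: linux-pivkey-pkcs11key-arm64
    binary: cosign-linux-pivkey-pkcs11key-arm64
    no_unique_dist_dir: true
    main: ./cmd/cosign
    flags:
      - -trimpath
    mod_timestamp: '{{ .CommitTimestamp }}'
    goos:
      - linux
    goarch:
      - arm64
    ldflags:
      - "{{ .Env.LDFLAGS }}"
    tags:
      - pivkey
      - pkcs11key
    hooks:
      # Same unpinned-package caveat as the amd64 entry above applies to
      # libpcsclite-dev:arm64.
      pre:
        - dpkg --add-architecture arm64
        - apt-get update
        - apt-get install -y --no-install-recommends libpcsclite-dev:arm64
    env:
      - CC=aarch64-linux-gnu-gcc
      - PKG_CONFIG_PATH=/usr/lib/aarch64-linux-gnu/pkgconfig/

  # macOS amd64, cross-compiled with the o64-clang toolchain.
  - id: darwin-amd64
    binary: cosign-darwin-amd64
    no_unique_dist_dir: true
    env:
      - CC=o64-clang
      - CXX=o64-clang++
    main: ./cmd/cosign
    flags:
      - -trimpath
    mod_timestamp: '{{ .CommitTimestamp }}'
    goos:
      - darwin
    goarch:
      - amd64
    ldflags:
      - "{{ .Env.LDFLAGS }}"
    tags:
      - pivkey
      - pkcs11key

  # macOS arm64, cross-compiled with the aarch64-apple-darwin22 toolchain.
  - id: darwin-arm64
    binary: cosign-darwin-arm64
    no_unique_dist_dir: true
    env:
      - CC=aarch64-apple-darwin22-clang
      - CXX=aarch64-apple-darwin22-clang++
    main: ./cmd/cosign
    flags:
      - -trimpath
    # Added for consistency: this was the only build entry without a pinned
    # mod_timestamp.
    mod_timestamp: '{{ .CommitTimestamp }}'
    goos:
      - darwin
    goarch:
      - arm64
    tags:
      - pivkey
      - pkcs11key
    ldflags:
      - "{{ .Env.LDFLAGS }}"

  # Windows amd64, cross-compiled with the mingw-w64 toolchain.
  - id: windows-amd64
    binary: cosign-windows-amd64
    no_unique_dist_dir: true
    env:
      - CC=x86_64-w64-mingw32-gcc
      - CXX=x86_64-w64-mingw32-g++
    main: ./cmd/cosign
    mod_timestamp: '{{ .CommitTimestamp }}'
    flags:
      - -trimpath
    goos:
      - windows
    goarch:
      - amd64
    ldflags:
      - -buildmode=exe
      - "{{ .Env.LDFLAGS }}"
    tags:
      - pivkey
      - pkcs11key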
153
# Release signing. Every step invokes ./dist/cosign-linux-amd64, which appears
# to be the binary the `linux` build of this same run writes to dist/. The
# signatures therefore vouch for the release pipeline as a whole; they are not
# made by an independently obtained signer.
signs:
  # Key-based signature over each binary, made with a Google Cloud KMS key.
  # The key path is assembled from environment variables, so no key reference
  # is hard-coded in this file.
  - id: cosign
    signature: "${artifact}.sig"
    cmd: ./dist/cosign-linux-amd64
    args:
      - "sign-blob"
      - "--output-signature"
      - "${artifact}.sig"
      - "--key"
      - "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}"
      - "${artifact}"
    artifacts: binary

  # Keyless
  # No --key is passed in the three steps below. Each writes a certificate
  # (-keyless.pem) next to the signature (-keyless.sig), and a verifier needs
  # both files.
  - id: cosign-keyless
    signature: "${artifact}-keyless.sig"
    certificate: "${artifact}-keyless.pem"
    cmd: ./dist/cosign-linux-amd64
    args:
      - "sign-blob"
      - "--output-signature"
      - "${artifact}-keyless.sig"
      - "--output-certificate"
      - "${artifact}-keyless.pem"
      - "${artifact}"
    artifacts: binary

  # Keyless signature over the checksum file.
  - id: checksum-keyless
    signature: "${artifact}-keyless.sig"
    certificate: "${artifact}-keyless.pem"
    cmd: ./dist/cosign-linux-amd64
    args:
      - "sign-blob"
      - "--output-signature"
      - "${artifact}-keyless.sig"
      - "--output-certificate"
      - "${artifact}-keyless.pem"
      - "${artifact}"
    artifacts: checksum

  # Keyless signature over each Linux package (the apk/deb/rpm files).
  - id: packages-keyless
    signature: "${artifact}-keyless.sig"
    certificate: "${artifact}-keyless.pem"
    cmd: ./dist/cosign-linux-amd64
    args:
      - "sign-blob"
      - "--output-signature"
      - "${artifact}-keyless.sig"
      - "--output-certificate"
      - "${artifact}-keyless.pem"
      - "${artifact}"
    artifacts: package
179
# Linux packages (apk, deb, rpm) built from the output of the `linux` build,
# i.e. the binaries without the pivkey/pkcs11key tags.
nfpms:
  - id: cosign
    package_name: cosign
    file_name_template: "{{ .ConventionalFileName }}"
    vendor: Sigstore
    homepage: "https://sigstore.dev"
    maintainer: "Sigstore Authors 86837369+sigstore-bot@users.noreply.github.com"
    builds:
      - linux
    description: "Container Signing, Verification and Storage in an OCI registry."
    license: "Apache License 2.0"
    formats:
      - apk
      - deb
      - rpm
    contents:
      # The binary is installed under its per-architecture name; this symlink
      # exposes it as plain `cosign`.
      - src: "/usr/bin/cosign-linux-{{ .Arch }}"
        dst: /usr/bin/cosign
        type: symlink
199
# Publish the raw binaries under their own names instead of wrapping them in
# tar/zip archives.
archives:
  - format: binary
    name_template: "{{ .Binary }}"
    allow_different_binary_count: true

# Single checksum file for the release. The `checksum-keyless` signing step
# signs this file.
checksum:
  name_template: "{{ .ProjectName }}_checksums.txt"

# Version label used for snapshot (non-release) runs.
snapshot:
  name_template: "SNAPSHOT-{{ .ShortCommit }}"
210
# GitHub release settings.
release:
  # Remove this when we start publishing non-prerelease, or set to auto.
  # NOTE(review): GoReleaser documents `auto`, `true` and `false` for this
  # field; confirm that `allow` is handled the way this line intends.
  prerelease: allow
  # Created as a draft so a maintainer can edit it by hand before publishing.
  draft: true
  github:
    owner: sigstore
    name: cosign
  footer: |
    ### Thanks to all contributors!

  # Attach the release public key to the GitHub release. Presumably this is
  # the public half of the KMS key used by the `cosign` signing step (confirm).
  # A key shipped next to the artifacts it verifies should also be checked
  # against an independently published copy.
  extra_files:
    - glob: "./release/release-cosign.pub"