fix cosign
Some checks failed
Docker Build Smart Logic / Build amd64 & arm64 (push) Failing after 23s
@@ -257,7 +257,8 @@ jobs:
|
|||||||
env:
|
env:
|
||||||
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
|
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
|
||||||
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
||||||
COSIGN_EXPERIMENTAL: 1
|
# Schaltet OCI 1.1 frei (für saubere Registry ohne Tags)
|
||||||
|
COSIGN_EXPERIMENTAL: "1"
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
@@ -271,17 +272,15 @@ jobs:
|
|||||||
echo "Signing image: $IMAGE_TO_SIGN"
|
echo "Signing image: $IMAGE_TO_SIGN"
|
||||||
echo "$COSIGN_PRIVATE_KEY" > cosign.key
|
echo "$COSIGN_PRIVATE_KEY" > cosign.key
|
||||||
|
|
||||||
# 2. Minimale Signing-Config ohne Rekor-URLs
|
# 2. Signieren
|
||||||
# Das ist das Format, das der Protobuf-Parser schluckt
|
# Wir nutzen --tlog-upload=false weiterhin,
|
||||||
echo '{"rekorTlogUrls":[]}' > signing-config.json
|
# aber wir lassen die neue Signing-Config weg, um den Media-Type-Fehler zu umgehen.
|
||||||
|
# Falls Cosign wegen der Deprecation meckert, ignorieren wir die Warnung,
|
||||||
# 3. Signieren
|
# solange es den Exit-Code 0 (Erfolg) gibt.
|
||||||
# Wir nutzen die Config-Datei, um den Log zu deaktivieren
|
|
||||||
# und oci-1-1, um die Tags zu verstecken.
|
|
||||||
cosign sign --yes --recursive --key cosign.key \
|
cosign sign --yes --recursive --key cosign.key \
|
||||||
--signing-config signing-config.json \
|
--tlog-upload=false \
|
||||||
--registry-referrers-mode oci-1-1 \
|
--registry-referrers-mode oci-1-1 \
|
||||||
"${IMAGE_TO_SIGN}"
|
"${IMAGE_TO_SIGN}"
|
||||||
|
|
||||||
# 4. Aufräumen
|
# 3. Aufräumen
|
||||||
rm -f cosign.key signing-config.json
|
rm -f cosign.key
|
||||||
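Review bot: The private key is still written to `cosign.key` in the working directory in the second hunk, and the closing `rm -f cosign.key` is only reached when `cosign sign` succeeds, because `set -euo pipefail` aborts the step first; after a failed signing the key stays on disk, which matters if the runner is persistent (not visible from here). Cosign can read the key straight from the environment with `--key env://COSIGN_PRIVATE_KEY`, which makes the `echo "$COSIGN_PRIVATE_KEY" > cosign.key` and `rm` lines unnecessary; failing that, put `trap 'rm -f cosign.key' EXIT` before the key is written. Separately, `--tlog-upload=false` means no Rekor entry is created, so every verifier has to skip the transparency-log check (`--insecure-ignore-tlog` on `cosign verify`); the comment above the command should state this as an accepted trade-off instead of describing it only as a workaround for the media-type error. Part of the `run` block lies between the two hunks and is not visible.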