cosign experimental=1
Some checks failed
Docker Build Smart Logic / Build amd64 & arm64 (push) Failing after 24s
Some checks failed
Docker Build Smart Logic / Build amd64 & arm64 (push) Failing after 24s
This commit is contained in:
@@ -252,16 +252,16 @@ jobs:
|
||||
cosign version
|
||||
|
||||
- name: Sign image
|
||||
# Wir führen das aus, wenn gebaut wurde (egal ob Tag oder Main)
|
||||
if: steps.check_files.outputs.should_build == 'true'
|
||||
shell: bash
|
||||
env:
|
||||
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
|
||||
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
||||
# Das hier schaltet den OCI 1.1 Modus frei
|
||||
COSIGN_EXPERIMENTAL: 1
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
# Welches Image signieren wir? (Tag oder Main)
|
||||
if [[ "$IS_TAG" == "true" ]]; then
|
||||
IMAGE_TO_SIGN="${REGISTRY_HOST}/${IMAGE_BASE}:${VERSION}"
|
||||
else
|
||||
@@ -269,19 +269,13 @@ jobs:
|
||||
fi
|
||||
|
||||
echo "Signing image: $IMAGE_TO_SIGN"
|
||||
|
||||
# Key aus Secret wiederherstellen
|
||||
echo "$COSIGN_PRIVATE_KEY" > cosign.key
|
||||
|
||||
# Signieren!
|
||||
# --recursive: Signiert den Multi-Arch Index UND die darunterliegenden Images (amd64/arm64)
|
||||
# --yes: Keine Rückfragen
|
||||
# Wir übergeben hier direkt das Image mit Tag. Cosign holt sich den Digest selbst.
|
||||
# Signieren mit Referrers-Mode
|
||||
# Wenn dein Gitea aktuell genug ist, verschwinden die sha256-Tags damit!
|
||||
cosign sign --yes --recursive --key cosign.key \
|
||||
--tlog-upload=false \
|
||||
--registry-referrers-mode oci-1-1 \
|
||||
"${IMAGE_TO_SIGN}"
|
||||
|
||||
# Aufräumen
|
||||
rm cosign.key
|
||||
--tlog-upload=false \
|
||||
--registry-referrers-mode oci-1-1 \
|
||||
"${IMAGE_TO_SIGN}"
|
||||
|
||||
rm -f cosign.key
|
||||
Reference in New Issue
Block a user