fix cosign failure
All checks were successful
Docker Build Smart Logic / Build amd64 & arm64 (push) Successful in 24s
All checks were successful
Docker Build Smart Logic / Build amd64 & arm64 (push) Successful in 24s
This commit is contained in:
@@ -254,24 +254,33 @@ jobs:
|
||||
- name: Sign image
|
||||
if: env.IS_TAG == 'true'
|
||||
shell: bash
|
||||
env:
|
||||
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
|
||||
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
|
||||
# Image Name definieren
|
||||
IMAGE_TO_SIGN="${REGISTRY_HOST}/${IMAGE_BASE}:${VERSION}"
|
||||
echo "Signing image $IMAGE_TO_SIGN"
|
||||
|
||||
# --- Temporary keypair ---
|
||||
COSIGN_KEY_FILE=$(mktemp)
|
||||
echo "Generating temporary Cosign keypair at $COSIGN_KEY_FILE"
|
||||
cosign generate-key-pair --key "$COSIGN_KEY_FILE"
|
||||
# Den Private Key aus dem Secret in eine Datei schreiben (Cosign braucht das File)
|
||||
echo "$COSIGN_PRIVATE_KEY" > cosign.key
|
||||
|
||||
# --- Get digest to avoid tag warning ---
|
||||
DIGEST=$(docker buildx imagetools inspect "$IMAGE_TO_SIGN" --raw | jq -r '.manifests[0].digest')
|
||||
echo "Signing digest: $DIGEST"
|
||||
# Den Digest des Images holen (Sicherer als Tags)
|
||||
# Wir nutzen hier docker inspect direkt auf das, was wir gerade gebaut haben
|
||||
# Da wir Multiarch gebaut haben, müssen wir vorsichtig sein.
|
||||
# Am sichersten ist es, den Digest remote vom Registry Server zu holen:
|
||||
docker buildx imagetools inspect "${IMAGE_TO_SIGN}" --format '{{json .Manifest}}' > manifest.json
|
||||
DIGEST=$(docker buildx imagetools inspect "${IMAGE_TO_SIGN}" --format '{{.Manifest.Digest}}')
|
||||
|
||||
echo "Signiere Digest: $DIGEST"
|
||||
|
||||
# --- Sign image ---
|
||||
cosign sign --key "$COSIGN_KEY_FILE" "${IMAGE_TO_SIGN}@${DIGEST}"
|
||||
# Signieren (rekursiv für Multi-Arch)
|
||||
# -y überspringt die Bestätigungsabfrage
|
||||
# --key verweist auf die Datei, die wir oben aus dem Secret erstellt haben
|
||||
cosign sign --yes --key cosign.key "${IMAGE_TO_SIGN}@${DIGEST}"
|
||||
|
||||
# --- Cleanup ---
|
||||
rm -f "$COSIGN_KEY_FILE" "$COSIGN_KEY_FILE.pub"
|
||||
# Aufräumen (Key löschen, sicher ist sicher)
|
||||
rm cosign.key
|
||||
|
||||
|
||||
Reference in New Issue
Block a user