fix cosign failure
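--- a/<workflow-yaml-path-not-shown-on-page>
+++ b/<workflow-yaml-path-not-shown-on-page>
@@ -254,24 +254,33 @@ jobs:
 - name: Sign image
 if: env.IS_TAG == 'true'
 shell: bash
+env:
+COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 run: |
 set -euo pipefail
 
+# Image Name definieren
 IMAGE_TO_SIGN="${REGISTRY_HOST}/${IMAGE_BASE}:${VERSION}"
 echo "Signing image $IMAGE_TO_SIGN"
 
-# --- Temporary keypair ---
-COSIGN_KEY_FILE=$(mktemp)
-echo "Generating temporary Cosign keypair at $COSIGN_KEY_FILE"
-cosign generate-key-pair --key "$COSIGN_KEY_FILE"
+# Den Private Key aus dem Secret in eine Datei schreiben (Cosign braucht das File)
+echo "$COSIGN_PRIVATE_KEY" > cosign.key
 
-# --- Get digest to avoid tag warning ---
-DIGEST=$(docker buildx imagetools inspect "$IMAGE_TO_SIGN" --raw | jq -r '.manifests[0].digest')
-echo "Signing digest: $DIGEST"
+# Den Digest des Images holen (Sicherer als Tags)
+# Wir nutzen hier docker inspect direkt auf das, was wir gerade gebaut haben
+# Da wir Multiarch gebaut haben, müssen wir vorsichtig sein.
+# Am sichersten ist es, den Digest remote vom Registry Server zu holen:
+docker buildx imagetools inspect "${IMAGE_TO_SIGN}" --format '{{json .Manifest}}' > manifest.json
+DIGEST=$(docker buildx imagetools inspect "${IMAGE_TO_SIGN}" --format '{{.Manifest.Digest}}')
 
+echo "Signiere Digest: $DIGEST"
+
 
-# --- Sign image ---
-cosign sign --key "$COSIGN_KEY_FILE" "${IMAGE_TO_SIGN}@${DIGEST}"
+# Signieren (rekursiv für Multi-Arch)
+# -y überspringt die Bestätigungsabfrage
+# --key verweist auf die Datei, die wir oben aus dem Secret erstellt haben
+cosign sign --yes --key cosign.key "${IMAGE_TO_SIGN}@${DIGEST}"
 
-# --- Cleanup ---
-rm -f "$COSIGN_KEY_FILE" "$COSIGN_KEY_FILE.pub"
+# Aufräumen (Key löschen, sicher ist sicher)
+rm cosign.key
 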
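Review bot: The private key is written to `cosign.key` in the job workspace with the runner's default umask, and the `rm cosign.key` on the last line only runs when every earlier command succeeds under `set -e`, so a failing `imagetools inspect` or `cosign sign` leaves the key on disk for later steps (the replaced mktemp path at least got a private file mode). Cosign can read the key from the environment, which removes the file altogether: change the sign line to `cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE_TO_SIGN}@${DIGEST}"` and drop the `echo "$COSIGN_PRIVATE_KEY" > cosign.key` and `rm cosign.key` lines; if a file is required, put `umask 077` before the write and `trap 'rm -f cosign.key' EXIT` right after it. Separately, `manifest.json` is written by the first `imagetools inspect` call but never read, and the second call already yields the digest, so the first call can be removed. The enclosing job definition starts outside the hunk.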