From 0eca1c8aaa99e3bc88607ed32b696af2d875d93c Mon Sep 17 00:00:00 2001
From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com>
Date: Mon, 16 Feb 2026 14:45:38 +0100
Subject: [PATCH] fix: image sign identity
---
 .github/workflows/release.yml | 40 ++++++++++++++++++++++++++++++-----
 1 file changed, 35 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 54b073a..971814b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -67,10 +67,40 @@ jobs:
 IMAGE_DIGEST: ${{ needs.build-docker-image.outputs.image_digest }}
 CERT_OIDC_ISSUER: https://token.actions.githubusercontent.com
 CERT_IDENTITY: ${{ format('https://github.com/{0}', github.workflow_ref) }}
+ SIGNER_WORKFLOW_REF: ${{ github.workflow_ref }}
 run: |
 IMAGE_REF="${IMAGE_NAME}@${IMAGE_DIGEST}"
- cosign sign "${IMAGE_REF}"
- cosign verify \
- --certificate-identity "${CERT_IDENTITY}" \
- --certificate-oidc-issuer "${CERT_OIDC_ISSUER}" \
- "${IMAGE_REF}"
+ # Docker Hub can lag before a newly pushed signature is queryable.
+ for i in 1 2 3; do
+ cosign sign -a signer_workflow_ref="${SIGNER_WORKFLOW_REF}" "${IMAGE_REF}" && break
+ if [ "$i" -eq 3 ]; then
+ exit 1
+ fi
+ sleep $((i * 5))
+ done
+ - name: Debug cosign data
+ if: failure()
+ env:
+ IMAGE_NAME: docker.io/digintlab/opencti-connector
+ IMAGE_DIGEST: ${{ needs.build-docker-image.outputs.image_digest }}
+ run: |
+ IMAGE_REF="${IMAGE_NAME}@${IMAGE_DIGEST}"
+ echo "Debug image ref: ${IMAGE_REF}"
+ echo "Cosign tree:"
+ cosign tree "${IMAGE_REF}" || true
+ echo "Cosign verify (unfiltered):"
+ cosign verify "${IMAGE_REF}" || true
+ for i in 1 2 3 4 5; do
+ if cosign verify \
+ -a signer_workflow_ref="${SIGNER_WORKFLOW_REF}" \
+ --certificate-identity "${CERT_IDENTITY}" \
+ --certificate-oidc-issuer "${CERT_OIDC_ISSUER}" \
+ "${IMAGE_REF}"; then
+ exit 0
+ fi
+ if [ "$i" -eq 5 ]; then
+ echo "Verification failed after retries"
+ exit 1
+ fi
+ sleep $((i * 5))
+ done
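Review bot: The post-sign `cosign verify` now exists only in the new `Debug cosign data` step, which is gated by `if: failure()`, so a release where `cosign sign` succeeds is never checked against the expected issuer and identity, and that step's `env:` declares only `IMAGE_NAME` and `IMAGE_DIGEST`, leaving `${SIGNER_WORKFLOW_REF}`, `${CERT_IDENTITY}` and `${CERT_OIDC_ISSUER}` empty in its retry loop (cosign will most likely reject an empty identity flag, so the loop cannot succeed). The verify retry loop should stay in the signing step's `run:` directly after the sign loop, where those three variables are already in its `env:`, with `exit 0` replaced by `break` so the step ends normally after a successful verification. If the debug step keeps its own verify, its `env:` also needs `SIGNER_WORKFLOW_REF: ${{ github.workflow_ref }}`, `CERT_OIDC_ISSUER: https://token.actions.githubusercontent.com` and `CERT_IDENTITY: ${{ format('https://github.com/{0}', github.workflow_ref) }}`. The signing step's `name:` and the enclosing job start before the hunk, so whether the job's `id-token: write` permission still covers both steps cannot be seen here.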