CLOUDP-238743: Use mongodb/signatures
josvazg committed Mar 22, 2024
1 parent 4b0112a commit 64be7f2
Showing 3 changed files with 13 additions and 7 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/rebuild-released-images.yaml
Expand Up @@ -168,6 +168,7 @@ jobs:
run: |
make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures
- name: Self-verify images
if: steps.check-signing-support.outputs.sign == 'true'
env:
Expand All @@ -177,3 +178,4 @@ jobs:
run: |
make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures
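Review bot: The lines that target `SIGNATURE_REPO=mongodb/signatures` sign and verify only the Docker Hub reference, so the `quay.io/...` copy of the daily tag has no explicit counterpart in the shared signature repository. If the intent is that both registries hold the same digest and one signature covers both, nothing visible here states or checks that. A comment above the new `make sign` line would record the assumption, for example `# quay.io/<repo>:<tag> is the same digest as the Docker Hub image, so one entry in mongodb/signatures covers both (confirm)`. The same applies to the plain `quay.io/...:<version>` tag in release-post-merge.yml, where only the `-certified` variant gets a shared-repo signature. The step's `name:` and `env:` lines sit above the hunk, so the rest of the step is not visible.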
16 changes: 10 additions & 6 deletions .github/workflows/release-post-merge.yml
Expand Up @@ -186,19 +186,23 @@ jobs:
GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
run: |
make sign IMG="${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ steps.tag.outputs.repo }}
make sign IMG="quay.io/${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ steps.tag.outputs.repo }}
make sign IMG="quay.io/${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=${{ steps.tag.outputs.repo }}
make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=mongodb/signatures
make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=mongodb/signatures
- name: Self-verify images
if: steps.check-signing-support.outputs.sign == 'true'
env:
PKCS11_URI: ${{ secrets.PKCS11_URI }}
GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
run: |
make verify IMG="${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ steps.tag.outputs.repo }}
make verify IMG="quay.io/${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ steps.tag.outputs.repo }}
make verify IMG="quay.io/${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=${{ steps.tag.outputs.repo }}
make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=mongodb/signatures
make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=mongodb/signatures
- name: Create configuration package
run: |
set -x
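Review bot: Every `make sign` and `make verify` line splices `${{ steps.tag.outputs.version }}` directly into the `run:` script text, in steps whose environment holds `PKCS11_URI`, `GRS_USERNAME` and `GRS_PASSWORD`. How the `tag` step derives `version` is outside this hunk; if it comes from a branch or tag name, the value reaches the shell as script source rather than as data. Passing it through the step environment keeps it inert: add `VERSION: ${{ steps.tag.outputs.version }}` under `env:` and write the commands as `make sign IMG="${IMAGE_REPOSITORY}:${VERSION}" SIGNATURE_REPO=mongodb/signatures`. The `env:` key of the signing step begins above the hunk, so confirm that `IMAGE_REPOSITORY` is exported to the shell there or at workflow level.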
2 changes: 1 addition & 1 deletion scripts/verify.sh
Expand Up @@ -9,4 +9,4 @@ SIGNATURE_REPO=${SIGNATURE_REPO:-$REPO}
KEY_FILE=${KEY_FILE:-ako.pem}

COSIGN_REPOSITORY="${SIGNATURE_REPO}" cosign verify \
--key="${KEY_FILE}" "${img_to_verify}"
--insecure-ignore-tlog --key="${KEY_FILE}" "${img_to_verify}"
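Review bot: `--insecure-ignore-tlog` is now passed unconditionally to `cosign verify`, so this script no longer checks for a transparency-log entry and trust rests solely on `${KEY_FILE}`. Neither the script nor the commit message says why. If the signing side deliberately skips the log upload (not visible on this page), record that next to the flag, for example `# Signatures are created without a transparency-log entry; verification relies on the public key only.` Without a log entry there is no independent record of when or how often the key was used, which matters when investigating a suspected key compromise. Because anyone copying this script to verify released images inherits the relaxed check, consider letting callers override the flag rather than hard-coding it.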
