diff --git a/.github/workflows/rebuild-released-images.yaml b/.github/workflows/rebuild-released-images.yaml
index 35a98a39f3..f89a3cd858 100644
--- a/.github/workflows/rebuild-released-images.yaml
+++ b/.github/workflows/rebuild-released-images.yaml
@@ -168,6 +168,7 @@ jobs:
 run: |
 make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
 make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
+ make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures
 - name: Self-verify images
 if: steps.check-signing-support.outputs.sign == 'true'
 env:
@@ -177,3 +178,4 @@ jobs:
 run: |
 make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
 make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
+ make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures
diff --git a/.github/workflows/release-post-merge.yml b/.github/workflows/release-post-merge.yml
index d3485be6d3..f271958ec2 100644
--- a/.github/workflows/release-post-merge.yml
+++ b/.github/workflows/release-post-merge.yml
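Review bot: The added `make sign … SIGNATURE_REPO=mongodb/signatures` line splices `${{ steps.daily-tag.outputs.daily-tag }}` straight into the shell script, so the runner substitutes the value before bash parses the line and any shell metacharacter in it would be interpreted rather than treated as data. The same applies to the added `make verify` line in the next hunk and to the `steps.tag.outputs.version` uses on the added lines in release-post-merge.yml. Where those tag values come from is not visible in these hunks, so this may be safe today, but mapping them through the step's `env:` block keeps it safe regardless: add `DAILY_TAG: ${{ steps.daily-tag.outputs.daily-tag }}` there and write `make sign IMG="${IMAGE_REPOSITORY}:${DAILY_TAG}" SIGNATURE_REPO=mongodb/signatures`. The step's `env:` block starts outside the hunk.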
@@ -186,9 +186,11 @@ jobs:
 GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
 GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
 run: |
- make sign IMG="${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ steps.tag.outputs.repo }}
- make sign IMG="quay.io/${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ steps.tag.outputs.repo }}
- make sign IMG="quay.io/${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=${{ steps.tag.outputs.repo }}
+ make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
+ make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
+ make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
+ make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=mongodb/signatures
+ make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=mongodb/signatures
 - name: Self-verify images
 if: steps.check-signing-support.outputs.sign == 'true'
 env:
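Review bot: Every rewritten `make sign` line now depends on `env.IMAGE_REPOSITORY`, which this hunk does not define, and an `env` value missing from the workflow expands to an empty string instead of failing the step. In that case `IMG` becomes `:<version>` and `SIGNATURE_REPO` is empty; scripts/verify.sh shows an empty `SIGNATURE_REPO` falling back to `$REPO`, so the step could act on a different repository than intended without reporting an error. If the variable is set at workflow or job level outside the hunk this is fine; otherwise start the `run:` block with `: "${IMAGE_REPOSITORY:?IMAGE_REPOSITORY is not set}"`. The same applies to the rewritten `make verify` lines in the following hunk.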
@@ -196,9 +198,11 @@ jobs:
 GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
 GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
 run: |
- make verify IMG="${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ steps.tag.outputs.repo }}
- make verify IMG="quay.io/${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ steps.tag.outputs.repo }}
- make verify IMG="quay.io/${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=${{ steps.tag.outputs.repo }}
+ make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
+ make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
+ make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
+ make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=mongodb/signatures
+ make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=mongodb/signatures
 - name: Create configuration package
 run: |
 set -x
diff --git a/scripts/verify.sh b/scripts/verify.sh
index aff84e8047..ef148b223a 100755
--- a/scripts/verify.sh
+++ b/scripts/verify.sh
@@ -9,4 +9,4 @@ SIGNATURE_REPO=${SIGNATURE_REPO:-$REPO} KEY_FILE=${KEY_FILE:-ako.pem} COSIGN_REPOSITORY="${SIGNATURE_REPO}" cosign verify \ - --key="${KEY_FILE}" "${img_to_verify}" + --insecure-ignore-tlog --key="${KEY_FILE}" "${img_to_verify}"
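Review bot: `--insecure-ignore-tlog` is now passed on every `cosign verify` call in scripts/verify.sh, so the script no longer checks that a signature has a transparency-log entry, for the existing per-image signature repositories as well as for `mongodb/signatures`. Verification then rests on the key alone: a signature made with a leaked or since-rotated key is accepted without any log record of when it was created. If the flag is needed because signing does not upload to the log (the signing script is not part of this diff), say so in a comment above the call; otherwise keep the default strict and make the flag opt-in, for example `cosign verify ${IGNORE_TLOG:+--insecure-ignore-tlog} \` with `IGNORE_TLOG` as an illustrative variable name. The rest of the script lies outside the hunk.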