chore: improve image signing process

Better cosign flow, check for existing signature. Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2023-09-13 15:46:04 +04:00 · 2023-09-13 15:46:04 +04:00 · 9e78feccae
commit 9e78feccae
parent f00567e20f
1 changed files with 5 additions and 1 deletions
--- a/6
+++ b/6
@ -525,7 +525,11 @@ image-list: ## Prints a list of all images built by this Makefile with digests.

 .PHONY: sign-images
 sign-images: ## Run cosign to sign all images built by this Makefile.
-	@$(MAKE) --quiet image-list | xargs -I{} sh -c 'cosign sign --yes {}'
+	@for image in $(shell $(MAKE) --quiet image-list REGISTRY_AND_USERNAME=$(REGISTRY_AND_USERNAME) IMAGE_TAG=$(IMAGE_TAG)); do \
+		echo '==>' $$image; \
+		cosign verify $$image --certificate-identity-regexp '@siderolabs\.com$$' --certificate-oidc-issuer https://accounts.google.com || \
+			cosign sign --yes $$image; \
+	done

 .PHONY: reproducibility-test
 reproducibility-test: