
Add cosign keyless signing for release artifacts#734

Draft
pjbgf wants to merge 1 commit into main from pjbgf/cosign

Conversation


@pjbgf pjbgf commented Mar 19, 2026

Configure goreleaser to sign checksums.txt using cosign with Sigstore OIDC-based ephemeral keys. Install cosign in the release workflow and grant id-token permission for the OIDC token. Add download and verification instructions to the README Quick Start.


Note

Medium Risk
Changes the release pipeline to use GitHub OIDC and cosign for keyless signing, which could break or block publishing if CI permissions or signing steps are misconfigured.

Overview
Adds keyless Sigstore/cosign signing to the release process by granting id-token: write and installing cosign in the GitHub Actions release workflow.

Configures GoReleaser to run cosign sign-blob on the generated checksums.txt, publishing the .sig and .pem alongside the release.

Updates the README with manual download + verification steps for release artifacts using cosign verify-blob and checksum validation.

Written by Cursor Bugbot for commit 176abe3.

Configure goreleaser to sign checksums.txt using cosign with Sigstore
OIDC-based ephemeral keys. Install cosign in the release workflow and
grant id-token permission for the OIDC token. Add download and
verification instructions to the README Quick Start.

Signed-off-by: Paulo Gomes <paulo@entire.io>
Assisted-By: Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Entire-Checkpoint: 86281007a852
Copilot AI review requested due to automatic review settings March 19, 2026 14:47

Copilot AI left a comment


Pull request overview

This PR adds keyless Sigstore/cosign signing for release checksum artifacts and documents how users can manually verify release downloads, aligning the project’s release process with stronger supply-chain integrity practices.

Changes:

  • Configure GoReleaser to sign checksums.txt using cosign keyless signing and emit .sig + .pem outputs.
  • Update the GitHub release workflow to install cosign and request id-token permissions for OIDC-based signing.
  • Add README instructions for downloading and verifying artifacts using the signed checksums.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| README.md | Adds manual download + cosign verification steps for release artifacts. |
| .goreleaser.yaml | Adds cosign-based signing for the checksum artifact and outputs certificate/signature files. |
| .github/workflows/release.yml | Installs cosign in CI and enables OIDC token permissions for keyless signing. |

--certificate checksums.txt.pem \
--signature checksums.txt.sig \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp 'github\.com/entireio/cli'

```bash
# 1. Set the version and platform
VERSION="0.5.0" # replace with desired version
Comment on lines +60 to +63
### Download & Verify (manual install)

Pre-built binaries are available from the [GitHub Releases](https://github.com/entireio/cli/releases) page. All release checksums are signed with [cosign](https://docs.sigstore.dev/cosign/overview/) using keyless (ephemeral) signing via Sigstore, so you can verify that artifacts haven't been tampered with.

Comment on lines 9 to 12
permissions:
contents: write
id-token: write # cosign keyless signing via Sigstore OIDC
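Review bot: confirm this `permissions:` block is attached to the job that runs goreleaser rather than declared at workflow level; `id-token: write` lets every job in the workflow mint a GitHub OIDC token, so scoping it to the signing job limits which steps can request a Fulcio certificate for the `entireio/cli` identity.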


@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


--certificate checksums.txt.pem \
--signature checksums.txt.sig \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp 'github\.com/entireio/cli'

Verification regexp matches unintended repositories in same org

Low Severity

The --certificate-identity-regexp 'github\.com/entireio/cli' pattern is an unanchored substring match, so it matches any Fulcio certificate SAN containing that string — including repos like entireio/client or entireio/cli-tools, since client starts with cli. The Sigstore best practice (per cosign issue #2804) is to use an anchored, path-specific pattern like 'https://github\.com/entireio/cli/\.github/workflows/release\.yml@refs/tags/v' to prevent unintended matches from other workflows or repositories.

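An added example (not code from this PR or from the project) showing why the reviewer's anchoring point matters and how the checksum half of the README verification flow works. The Fulcio-style SANs, artifact name and artifact bytes are constructed for illustration; the matching mimics cosign's unanchored regexp search.

```python
import hashlib
import re

# Constructed sample SANs in the shape Fulcio puts into GitHub Actions
# certificates (not real certificates from this project).
SANS = {
    "cli_release": "https://github.com/entireio/cli/.github/workflows/release.yml@refs/tags/v0.5.0",
    "cli_pr_build": "https://github.com/entireio/cli/.github/workflows/ci.yml@refs/pull/734/merge",
    "client_repo": "https://github.com/entireio/client/.github/workflows/release.yml@refs/tags/v1.0.0",
    "cli_tools_repo": "https://github.com/entireio/cli-tools/.github/workflows/release.yml@refs/tags/v2.0.0",
}

# The pattern from the PR's README and the anchored alternative from the review.
UNANCHORED = r"github\.com/entireio/cli"
ANCHORED = r"^https://github\.com/entireio/cli/\.github/workflows/release\.yml@refs/tags/v"


def identity_matches(pattern: str, san: str) -> bool:
    """Mimic --certificate-identity-regexp: an unanchored search, so a pattern
    without ^ may match anywhere inside the certificate SAN."""
    return re.search(pattern, san) is not None


def accepted_identities(pattern: str) -> set:
    """Which of the sample SANs the pattern would accept as a valid signer."""
    return {name for name, san in SANS.items() if identity_matches(pattern, san)}


def parse_checksums(text: str) -> dict:
    """Parse goreleaser-style checksums.txt lines: '<sha256hex>  <filename>'."""
    digests = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            digests[parts[1]] = parts[0].lower()
    return digests


def artifact_matches_checksum(checksums_text: str, filename: str, data: bytes) -> bool:
    """The sha256sum -c step: only meaningful after checksums.txt itself passed
    cosign verify-blob, since the checksum file is what the signature covers."""
    expected = parse_checksums(checksums_text).get(filename)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected


# Constructed stand-ins for a downloaded binary and the signed checksums.txt.
SAMPLE_ARTIFACT = b"constructed release binary bytes"
SAMPLE_CHECKSUMS = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest() + "  example-artifact.tar.gz\n"
```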
