---
title: Docker Image Signing
---

Signing Docker Images and Manifests is also possible with GoReleaser.
This pipe was designed based on the common [sign](/customization/sign/) pipe having [cosign](https://github.com/sigstore/cosign) in mind.

!!! info
    Note that this pipe will run only at the end of the GoReleaser execution, as cosign will change the image in the registry.

To customize the signing pipeline you can use the following options:

```yaml
# .goreleaser.yml
docker_signs:
  -
    # ID of the sign config, must be unique.
    # Only relevant if you want to produce some sort of signature file.
    #
    # Defaults to "default".
    id: foo

    # Name/template of the signature file.
    #
    # Available environment variables:
    # - '${artifact}': the path to the artifact that will be signed
    # - '${artifactID}': the ID of the artifact that will be signed
    #
    # Note that with cosign you don't need to use this.
    #
    # Defaults to empty.
    signature: "${artifact}_sig"

    # Path to the signature command
    #
    # Defaults to `cosign`
    cmd: cosign

    # Command line templateable arguments for the command
    #
    # defaults to `["sign", "-key=cosign.key", "${artifact}"]`
    args: ["sign", "-key=cosign.key", "-upload=false", "${artifact}"]

    # Which artifacts to sign
    #
    #   all:       all artifacts
    #   none:      no signing
    #   images:    only docker images
    #   manifests: only docker manifests
    #
    # defaults to `none`
    artifacts: all

    # IDs of the artifacts to sign.
    #
    # Defaults to empty (which implies no ID filtering).
    ids:
      - foo
      - bar

    # Stdin data template to be given to the signature command as stdin.
    # Defaults to empty
    stdin: '{{ .Env.COSIGN_PWD }}'

    # StdinFile file to be given to the signature command as stdin.
    # Defaults to empty
    stdin_file: ./.password
```

## Common usage example

Assuming you have a `cosign.key` in the repository root and a `COSIGN_PWD`
environment variable, the simplest configuration to sign both Docker images
and manifests would look like this:

```yaml
# .goreleaser.yml
docker_signs:
  - artifacts: all
    stdin: '{{ .Env.COSIGN_PWD }}'
```

Later on you (and anyone else) can verify the image with:

```sh
cosign verify -key cosign.pub your/image
```
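
A deploy-time gate built on the verify command above, as an added example that is not part of the GoReleaser documentation. The function name `verify_pinned` and the `COSIGN_PUB` variable are assumptions, and the script goes one step beyond the page by requiring a digest-pinned reference, so the check covers one immutable image rather than whatever a tag resolves to when it runs.

```shell
#!/bin/sh
# Added example (not from the GoReleaser docs): refuse to deploy an image
# unless it is pinned by digest and cosign accepts its signature.
# Assumed names: verify_pinned, COSIGN_PUB. The default key path matches the
# `cosign verify -key cosign.pub` command shown on this page.

COSIGN_PUB="${COSIGN_PUB:-cosign.pub}"

# verify_pinned IMAGE_REF
#   0 = signature verified, 1 = cosign rejected it, 2 = reference not acceptable
verify_pinned() {
    ref="$1"

    # Require name@sha256:<64 hex chars>; a bare tag can be repointed later.
    case "$ref" in
        *@sha256:*) digest="${ref##*@sha256:}" ;;
        *) echo "refusing '$ref': not pinned by digest" >&2; return 2 ;;
    esac
    case "$digest" in
        *[!0-9a-f]*) echo "refusing '$ref': malformed digest" >&2; return 2 ;;
    esac
    if [ "${#digest}" -ne 64 ]; then
        echo "refusing '$ref': malformed digest" >&2
        return 2
    fi

    # Same invocation as the page's verify command, with output silenced.
    if cosign verify -key "$COSIGN_PUB" "$ref" >/dev/null 2>&1; then
        return 0
    fi
    echo "signature check failed for '$ref'" >&2
    return 1
}

# Run as: ./verify_pinned.sh registry.example/app@sha256:<digest>
if [ "$#" -gt 0 ]; then
    verify_pinned "$1"
fi
```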