github.com/goreleaser/goreleaser@v1.25.1/www/docs/customization/docker_sign.md

# Signing Docker Images and Manifests

Signing Docker images and manifests is also possible with GoReleaser.
This pipe was designed based on the common [sign](/customization/sign/) pipe,
with [cosign](https://github.com/sigstore/cosign) in mind.

!!! info

    Note that this pipe runs only at the end of the GoReleaser execution (in
    its publishing phase), because cosign changes the image in the registry.

To customize the signing pipeline you can use the following options:

```yaml
# .goreleaser.yml
docker_signs:
  - # ID of the sign config, must be unique.
    # Only relevant if you want to produce some sort of signature file.
    #
    # Default: 'default'
    id: foo

    # Path to the signature command.
    #
    # Default: 'cosign'
    cmd: cosign

    # Command line arguments for the command.
    #
    # Default: ["sign", "--key=cosign.key", "${artifact}", "--yes"]
    # Templates: allowed
    args:
      - "sign"
      - "--key=cosign.key"
      - "--upload=false"
      - "${artifact}"
      - "--yes" # needed on cosign 2.0.0+

    # Which artifacts to sign.
    #
    #   all:       all artifacts
    #   none:      no signing
    #   images:    only docker images
    #   manifests: only docker manifests
    #
    # Default: 'none'
    artifacts: all

    # IDs of the artifacts to sign.
    ids:
      - foo
      - bar

    # Data to be given to the signature command on stdin.
    #
    # Templates: allowed
    stdin: "{{ .Env.COSIGN_PWD }}"

    # Path to a file whose contents are given to the signature command on stdin.
    stdin_file: ./.password

    # List of environment variables that will be passed to the signing command
    # as well as to the templates.
    env:
      - FOO=bar
      - HONK=honkhonk

    # By default, the stdout and stderr of the signing cmd are discarded unless
    # GoReleaser is running with `--debug` set.
    # You can set this to true if you want them to be displayed regardless.
    #
    # Since: v1.2
    output: true
```

### Available variable names

These environment variables might be available in the fields that are templateable:

- `${artifact}`[^1]: the path to the artifact that will be signed (including the
  digest[^2])
- `${digest}`[^2]: the digest of the image/manifest that will be signed
- `${artifactID}`: the ID of the artifact that will be signed
- `${certificate}`: the certificate file name, if provided

[^1]:
    Notice that this might contain `/` characters, which, depending on how
    you use it, might evaluate to actual paths within the file system. Use with
    care.

[^2]:
    These are extracted automatically when running Docker push from within
    GoReleaser. Using the digest helps make sure you're signing the right image
    and avoids concurrency issues.

## Common usage example

Assuming you have a `cosign.key` in the repository root and a `COSIGN_PWD`
environment variable, the simplest configuration to sign both Docker images
and manifests would look like this:

```yaml
# .goreleaser.yml
docker_signs:
  - artifacts: all
    stdin: "{{ .Env.COSIGN_PWD }}"
```

Later on you (and anyone else) can verify the image with:

```bash
cosign verify --key cosign.pub your/image
```
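Because the pipe signs the digest-pinned reference, the consumer should verify the same thing. The following POSIX shell helper, added here as an example and not part of the GoReleaser docs, refuses tag-only references and runs `cosign verify` only against a reference pinned to a full sha256 digest; the image name `ghcr.io/acme/app` and the key file `cosign.pub` are assumptions.

```shell
#!/bin/sh
# verify_release_image.sh: verify a GoReleaser-signed image by digest.
# Added example; assumes `cosign` and `docker` are on PATH when invoked.
set -eu

# Returns 0 only when the reference is pinned to a full sha256 digest,
# e.g. ghcr.io/acme/app@sha256:<64 hex chars>; returns 1 for tags or
# truncated/malformed digests.
is_digest_pinned() {
    ref=$1
    case "$ref" in
        *@sha256:*) ;;
        *) return 1 ;;
    esac
    digest=${ref##*@sha256:}
    [ "${#digest}" -eq 64 ] || return 1
    case "$digest" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# Resolves a locally pulled tag to the digest reference Docker recorded
# for it (the same digest GoReleaser signed after its push).
resolve_digest_ref() {
    docker inspect --format '{{index .RepoDigests 0}}' "$1"
}

# Verifies a digest-pinned reference with the public key matching the
# cosign.key used by the docker_signs pipe. Refuses unpinned references
# so a tag moved after signing cannot pass verification by accident.
verify_image() {
    ref=$1
    key=${2:-cosign.pub}
    if ! is_digest_pinned "$ref"; then
        echo "refusing to verify '$ref': not pinned to a sha256 digest" >&2
        return 2
    fi
    cosign verify --key "$key" "$ref"
}

# Usage: ./verify_release_image.sh ghcr.io/acme/app:v1.2.3 [cosign.pub]
# Nothing runs when the script is sourced without arguments.
if [ -n "${1-}" ]; then
    verify_image "$(resolve_digest_ref "$1")" "${2:-cosign.pub}"
fi
```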