
@martinemde (Contributor)

Summary

  • Add cosign binary signing to release workflow using GitHub OIDC
  • Sign all release artifacts with keyless signing via sigstore
  • Upload .sig signature files alongside release binaries

Changes

  • .github/workflows/ci.yml: Add cosign installation and signing steps
  • Sign pks-mac.tar.gz, x86_64-unknown-linux-gnu.tar.gz, aarch64-unknown-linux-gnu.tar.gz

Security Benefits

  • Supply chain security via cryptographic signatures
  • Keyless signing leverages GitHub's identity for verification
  • Compatible with cosign verify toolchain

Test Plan

  • Local workflow validation passes
  • CI artifact signing verification
  • End-to-end signature validation

Part of PKS release process modernization (atomic PR #2/4).

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>

Uses sigstore/cosign-installer@v3 with keyless signing via GitHub OIDC.
Both upload-mac-universal-bin and upload-linux-bin jobs now:
- Install cosign
- Sign release artifacts with cosign sign-blob
- Upload .sig signature files alongside tarballs

Artifacts signed:
- pks-mac.tar.gz (macOS universal)
- x86_64-unknown-linux-gnu.tar.gz
- aarch64-unknown-linux-gnu.tar.gz
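The description and the commit message above outline the signing step without showing the workflow diff itself, so the following is an added illustration of what such a job looks like, not the PR's own `.github/workflows/ci.yml`. The action `sigstore/cosign-installer@v3`, the use of `cosign sign-blob`, and the artifact name `x86_64-unknown-linux-gnu.tar.gz` come from the PR text; the job name, the `actions/download-artifact` step, the `.pem` certificate output, the `gh release upload` step and the in-CI `verify-blob` check are assumptions made for the example. The `id-token: write` permission is what lets the runner obtain the GitHub OIDC token that keyless signing depends on.

```yaml
# Added example, not the PR's ci.yml. Illustrates one keyless signing job.
jobs:
  sign-linux-bin:                       # assumed job name
    runs-on: ubuntu-latest
    permissions:
      contents: write                   # needed to attach files to the GitHub release
      id-token: write                   # lets the job request a GitHub OIDC token (keyless signing)
    steps:
      - uses: actions/download-artifact@v4   # assumed: tarball built in an earlier job
        with:
          name: x86_64-unknown-linux-gnu.tar.gz

      - uses: sigstore/cosign-installer@v3

      - name: Sign release tarball (keyless, via GitHub OIDC)
        run: |
          cosign sign-blob --yes \
            --output-signature x86_64-unknown-linux-gnu.tar.gz.sig \
            --output-certificate x86_64-unknown-linux-gnu.tar.gz.pem \
            x86_64-unknown-linux-gnu.tar.gz

      - name: Verify the signature before publishing it
        # Pins the expected signer identity to this repository's workflow and
        # GitHub's OIDC issuer, so a signature from any other workflow is rejected.
        run: |
          cosign verify-blob \
            --certificate x86_64-unknown-linux-gnu.tar.gz.pem \
            --signature x86_64-unknown-linux-gnu.tar.gz.sig \
            --certificate-identity-regexp "^https://github.com/${GITHUB_REPOSITORY}/\.github/workflows/ci\.yml@" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            x86_64-unknown-linux-gnu.tar.gz

      - name: Upload signature and certificate alongside the tarball
        run: |
          gh release upload "$GITHUB_REF_NAME" \
            x86_64-unknown-linux-gnu.tar.gz.sig \
            x86_64-unknown-linux-gnu.tar.gz.pem
        env:
          GH_TOKEN: ${{ github.token }}
```

Two points worth checking in a review of a change like this: keyless `verify-blob` needs the short-lived Fulcio certificate (`--certificate`) or a sigstore bundle (`--bundle`) in addition to the `.sig`, so publishing only the `.sig` leaves downstream users unable to verify; and verification should always pin `--certificate-identity` (or the regexp form) and `--certificate-oidc-issuer`, since without them any valid sigstore signature from any GitHub workflow would be accepted.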
@martinemde (Contributor, Author)

These all overlap too much. Closing.

@martinemde martinemde closed this Jan 9, 2026
@github-project-automation github-project-automation bot moved this from Triage to Done in Modularity Jan 9, 2026