Add signer to CI to resign artifacts #1011
Signed-off-by: Itxaka <igarcia@suse.com>
This works by getting the artifacts from the repo and checking their signatures. If those fail, it will try to resign the artifacts automatically and push those signatures. Signed-off-by: Itxaka <igarcia@suse.com>
This does affect the PR workflow as it changes the build.go command to build so at least it should pass that part and compile it properly.
Nice! 💯
It's tested until the signing, as I don't have the keys for the repo, nor the local OIDC support to test that part, but it should work as it uses the same commands as in luet-cosign. Yes, we could use the cosign from the luet repo to do this to make sure we use the same version, but that would mean again relying on whatever version is on our repos and we might want to play with that. Plus this should only be temporary to sign the missing version we currently have, after we should try to include this on the elemental-cli as it can help other people resign their own artifacts, even ignore the luet-cosign plugin altogether during build and do it in a different step, or create signatures and store them in different repos, i.e. in case the repos are not available or if they want to sign to a private repository for offline access, etc...
Urls: []string{repo}, | ||
ReferenceID: referenceID, | ||
}) | ||
ctx.Config.GetSystem().Rootfs = "/" |
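Review bot: The `ctx.Config.GetSystem().Rootfs = "/"` assignment on the last line of this snippet carries no comment explaining why the signer needs the system rootfs forced to "/". Please add a one-line comment naming what reads this value in the signing path, or drop the line if nothing there depends on it, so the setting does not linger as unexplained state on the shared context.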
huh, actually if we bump the luet module now this is changed and much easier to work with
I don't even know what that is used for, I blindly copied it from the build.go and it didn't give me any issues so working as intended LOL
Also this could do with some goroutines to do the signing in parallel, otherwise it can be slow as hell
It passed the critical part of building and using the build.go file, merging