Merge pull request #931 from docker/sigstore-signing-config

sigstore: use signing config with cosign
2026-01-15 17:11:42 +01:00
parent d5a1a969a5 c47fbe6179
commit 882907c07b
3 changed files with 130 additions and 5 deletions
--- a/src/sigstore/sigstore.ts
+++ b/src/sigstore/sigstore.ts
@@ -22,6 +22,7 @@ import * as core from '@actions/core';
 import {bundleFromJSON, bundleToJSON} from '@sigstore/bundle';
 import {Artifact, Bundle, CIContextProvider, DSSEBundleBuilder, FulcioSigner, RekorWitness, TSAWitness, Witness} from '@sigstore/sign';

+import {Context} from '../context';
 import {Cosign} from '../cosign/cosign';
 import {Exec} from '../exec';
 import {GitHub} from '../github';
@@ -73,6 +74,40 @@ export class Sigstore {
      core.info(`Using Sigstore signing endpoint: ${endpoints.fulcioURL}`);
      const noTransparencyLog = Sigstore.noTransparencyLog(opts.noTransparencyLog);

+      const cosignExtraArgs: string[] = [];
+      if (await this.cosign.versionSatisfies('>=3.0.4')) {
+        await core.group(`Creating Sigstore protobuf signing config`, async () => {
+          const signingConfig = Context.tmpName({
+            template: 'signing-config-XXXXXX.json',
+            tmpdir: Context.tmpDir()
+          });
+          // prettier-ignore
+          const createConfigArgs = [
+            'signing-config',
+            'create',
+            '--with-default-services=true',
+            `--out=${signingConfig}`
+          ];
+          if (noTransparencyLog) {
+            createConfigArgs.push('--no-default-rekor=true');
+          }
+          await Exec.exec('cosign', createConfigArgs, {
+            env: Object.assign({}, process.env, {
+              COSIGN_EXPERIMENTAL: '1'
+            }) as {
+              [key: string]: string;
+            }
+          });
+          core.info(JSON.stringify(JSON.parse(fs.readFileSync(signingConfig, {encoding: 'utf-8'})), null, 2));
+          cosignExtraArgs.push(`--signing-config=${signingConfig}`);
+        });
+      } else {
+        cosignExtraArgs.push('--use-signing-config');
+        if (noTransparencyLog) {
+          cosignExtraArgs.push('--tlog-upload=false');
+        }
+      }
+
      for (const imageName of opts.imageNames) {
        const attestationDigests = await this.imageTools.attestationDigests(`${imageName}@${opts.imageDigest}`);
        for (const attestationDigest of attestationDigests) {
@@ -85,11 +120,8 @@ export class Sigstore {
              '--oidc-provider', 'github-actions',
              '--registry-referrers-mode', 'oci-1-1',
              '--new-bundle-format',
-              '--use-signing-config'
+              ...cosignExtraArgs
            ];
-            if (noTransparencyLog) {
-              cosignArgs.push('--tlog-upload=false');
-            }
            core.info(`[command]cosign ${[...cosignArgs, attestationRef].join(' ')}`);
            const execRes = await Exec.getExecOutput('cosign', ['--verbose', ...cosignArgs, attestationRef], {
              ignoreReturnCode: true,