Commit 38295ee3 authored by Bertrand Goareguer

fix: fail docker-publish when using unsupported cosign version

parent 2e9a6897
+4 −1
@@ -241,7 +241,10 @@ By default signatures are only activated on `$INTEG_REF`, `$PROD_REF` and `$RELE

Cosign is used for signing images and attestations. As of now, we only support signing with a private key defined in `$DOCKER_COSIGN_PRIVATE_KEY`. Certificate and keyless signing may be added in the future.

By default the latest version of cosign is used but you can use a specific version by setting the `$DOCKER_COSIGN_DIST_URL` variable.
By default the latest version of `cosign` is used. You can use a specific version by setting the `$DOCKER_COSIGN_DIST_URL` variable.

:warning: New bundle format enabled in version `3` of `cosign` is not supported yet. You should set a specific argument `--new-bundle-fomat=false` in `cosign-opts` and `cosign-attest-opts` to disable this feature.


When the snapshot image it promoted to release, both the image signature and the signed attestation are promoted as well.
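
Review bot: The flag in the new warning line is misspelled as `--new-bundle-fomat=false`; anyone copying it into `cosign-opts` or `cosign-attest-opts` will pass an option cosign does not recognise, so it should read `--new-bundle-format=false`. The warning also never says what happens when the argument is not set: the script change in this commit makes `docker-publish` fail with "No signature or attestation could be copied", and quoting that message here would let users connect the failure to the cosign version. While touching this paragraph, the unchanged line below has "it promoted" where "is promoted" is meant.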

+9 −2
@@ -1444,14 +1444,21 @@ docker-publish:
        # ⚠ don't use upstream $docker_digest due to possible parallel matrix job producing several
        docker_digest=$(skopeo inspect ${TRACE+--debug} --authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --format='{{ .Digest }}' --no-tags "docker://$DOCKER_SNAPSHOT_IMAGE")
        all_digests="$docker_digest"$'\n'"$(sed -nE 's|Copying image (sha256:[[:alnum:]]+).*|\1|p' skopeo-copy.log)"
        echo "$all_digests" | tr ':' '-' | sed '/^[ \t]*$/d' | while read sha; do
        success=0
        while read sha; do
          log_info "Copying image signature to ${release_repository}:${sha}.sig..."
          skopeo copy ${TRACE+--debug} --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://${snapshot_repository}:${sha}.sig" "docker://${release_repository}:${sha}.sig" \
            && success=1 \
            || log_warn "No signature found for ${sha}"
          log_info "Copying image attestation to ${release_repository}:${sha}.att..."
          skopeo copy ${TRACE+--debug} --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://${snapshot_repository}:${sha}.att" "docker://${release_repository}:${sha}.att" \
            && success=1 \
            || log_warn "No attestation found for ${sha}"
        done
        done < <(echo "$all_digests" | tr ':' '-' | sed '/^[ \t]*$/d')
        if [[ $success -eq 0 ]]
        then
          fail "No signature or attestation could be copied"
        fi
      fi
    - |
      log_info "Well done your image is pushed and can be pulled with: docker pull $DOCKER_RELEASE_IMAGE"
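
Review bot: `success` is one flag shared by every digest and by both `skopeo copy` calls in the loop, so a single `.sig` or `.att` copied for any one digest is enough to skip the `fail` at the end. With several digests in `$all_digests` (the comment above mentions parallel matrix jobs), the job still passes when only one of them has a signature, and it also passes when an attestation is copied but no signature is, which leaves release images that cannot be verified while the job reports success. Consider resetting a per-digest flag at the top of each iteration and failing (or at least counting and reporting) for every digest where neither copy succeeded, and decide explicitly whether a missing signature alone should be fatal. The switch from a pipe to `done < <(...)` is what lets `success` survive the loop, so a short comment saying so would stop someone from reverting it to the pipeline form later. Minor: `while read sha` should be `while read -r sha`.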