Update to cosign v2.4.0 (#220)
The v2.4.0 release contains modernizations and some bug fixes from
previous releases. Let's keep our builder up-to-date.
Make sure builder image is pulled by default (#218)
* Make sure builder image is pulled by default
* Use single quote in GitHub Action expression
* Invert logic
Avoid double negation which is error prone.
* Update action.yml
Co-authored-by: Jan Čermák <[email protected]>
---------
Co-authored-by: Jan Čermák <[email protected]>
Disable cosign verification by default (#199)
Since we can't sign the current builder, we also need to disable
verification of its signature. This avoids another chicken-egg-problem.
Disable cosign signing (#198)
Since the current builder contains a non-working cosign version, we have
to disable signing the builder temporarily as well. This will lead to a
build which is unsigned, but will allow us to build another signed builder,
and finally reenable signature checking as well.
Disable cosign signature verification (#197)
The current version of cosign deployed in the latest builder doesn't
work with the currently deployed TUF Trust Root on the sigstore servers
(see also https://blog.sigstore.dev/tuf-root-update/).
Remove the cosign identity information to temporarily disable signature
verification. This allows building a new release with a newer cosign.
Use default cosign version v2.2.3 provided by cosign-installer action (#196)
Move to the default cosign version that the latest cosign-installer
would provide by default. Still explicitly select the version to make
sure it stays in sync with the version installed in the builder.