build-days-to-keep: 7
build-timeout: 15
+ cosign-password-id: cosign-password
+ cosign-private-key-id: cosign-private-key
disable-job: false
git-url: "$GIT_URL/$PROJECT"
stream: master
- lf-infra-wrappers:
build-timeout: "{build-timeout}"
jenkins-ssh-credential: "{jenkins-ssh-release-credential}"
+ - credentials-binding:
+ - file:
+ credential-id: "{cosign-private-key-id}"
+ variable: COSIGN_PRIVATE_KEY
+ - text:
+ credential-id: "{cosign-password-id}"
+ variable: COSIGN_PASSWORD
scm:
- lf-infra-gerrit-scm:
- lf-infra-wrappers:
build-timeout: "{build-timeout}"
jenkins-ssh-credential: "{jenkins-ssh-credential}"
+ - credentials-binding:
+ - file:
+ credential-id: "{cosign-private-key-id}"
+ variable: COSIGN_PRIVATE_KEY
+ - text:
+ credential-id: "{cosign-password-id}"
+ variable: COSIGN_PASSWORD
scm:
- lf-infra-github-scm:
--- /dev/null
+---
+features:
+ - |
+ Use Sigstore Cosign to sign docker images and push signature.
+ In order to enable, the project needs to create their keypair and
+ credentials in Jenkins for cosign-password (keypair password) and
+ cosign-private-key.
echo "docker tag $container_image_id $CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name:$VERSION"
echo "docker push $CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name:$VERSION"
if [[ "$JOB_NAME" =~ "merge" ]]; then
+ curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
+ sudo mv cosign-linux-amd64 /usr/local/bin/cosign
+ sudo chmod +x /usr/local/bin/cosign
+ export COSIGN_PASSWORD
docker tag "$container_image_id" "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION"
docker push "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION"
+ image_sha=$(docker images --no-trunc --quiet \
+ "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION")
+ image_digest="$CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name@$image_sha"
+ cosign sign -y --key "$COSIGN_PRIVATE_KEY" "$image_digest"
fi
echo "#########################"
fi
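Review bot: The cosign binary that will sign every merged image is fetched on the `curl -O -L` line from the unpinned `releases/latest/download` URL and moved into `/usr/local/bin` with sudo without any checksum or signature check, so the signer itself is trusted on nothing more than the TLS connection and whatever the latest release happens to be on the day the job runs. Pinning a release tag and verifying the download against its published sha256 (or the release's own signature) makes the job reproducible and closes that gap; the version and checksum in the rewrite below are placeholders to be filled from the chosen release. Separately, `docker images --no-trunc --quiet` on the `image_sha=` line prints the local image ID (the image config digest), which as far as I can tell is not the manifest digest the registry stored on push, so the `cosign sign` reference built from it is likely one the registry cannot resolve; reading `.RepoDigests` after the push yields the pushed digest (if an image can carry more than one repo digest here, filter for `$CONTAINER_PUSH_REGISTRY` rather than taking index 0). The `if "$JOB_NAME" =~ merge` block is wholly inside the hunk, but the outer block closed by the final `fi` begins before it.
```shell
if [[ "$JOB_NAME" =~ "merge" ]]; then
    # Pin the release and verify the binary before trusting it to sign images.
    cosign_version="<PINNED_COSIGN_VERSION>"   # placeholder, e.g. a vX.Y.Z tag
    cosign_sha256="<EXPECTED_SHA256>"          # placeholder, from the release's checksum file
    curl -fsSL -o cosign-linux-amd64 \
        "https://github.com/sigstore/cosign/releases/download/${cosign_version}/cosign-linux-amd64"
    echo "${cosign_sha256}  cosign-linux-amd64" | sha256sum -c -
    sudo mv cosign-linux-amd64 /usr/local/bin/cosign
    sudo chmod +x /usr/local/bin/cosign
    export COSIGN_PASSWORD
    # … unchanged: docker tag / docker push …
    # Sign the manifest digest the registry actually stored, not the local image ID.
    image_digest=$(docker inspect --format='{{index .RepoDigests 0}}' \
        "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION")
    cosign sign -y --key "$COSIGN_PRIVATE_KEY" "$image_digest"
fi
```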