Releases are signed with cosign as part of the release
process. The build produces additional attestation bundles during this process,
which can be used to verify both binaries and Docker images.
For binaries, bundles are present in the tar.gz archive created by the
release. For images, bundles are stored in the OCI registry alongside the image
itself.
Download from the sigstore/cosign project on GitHub, and
verify the release as you prefer.
The certificates issued by the release are issued for the GitHub Actions OIDC provider, and the identity is the executed workflow, referenced by the Git tag being built.
| Field | Format |
|---|---|
| Issuer | https://token.actions.githubusercontent.com |
| Identity | https://github.com/jamestelfer/chinmina-bridge/.github/workflows/release.yaml@refs/tags/<tag name> |
Important
Git tags are not static: they can be updated to point to a different commit SHA. Examine the recorded claims for the exact commit.
There are claims recorded for the exact commit of both the workflow that produced the artifact and the commit that the artifact source was built from.
Images are published to Docker Hub in the chinmina repository. The images are
named chinmina-bridge and are labelled with their release tag (vX.Y.Z).
An image can be verified with the following cosign command:
TAG=vX.Y.Z \
cosign verify "chinmina/chinmina-bridge:$TAG" \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--certificate-identity "https://github.com/jamestelfer/chinmina-bridge/.github/workflows/release.yaml@refs/tags/$TAG" \
--output text
# more details are available if you use JSON output:
TAG=vX.Y.Z \
cosign verify "chinmina/chinmina-bridge:$TAG" \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--certificate-identity "https://github.com/jamestelfer/chinmina-bridge/.github/workflows/release.yaml@refs/tags/$TAG" \
--output json | jqThe path .[].optional.Bundle.Payload.logIndex is the index entry in the public
transparency log, recording the details of the signing event. The details of the
event can be found at: https://search.sigstore.dev/.
Download and extract the tar.gz of the binary you're interested in. The
artifacts present include both the binary itself (named chinmina-bridge) and
the signing bundle (chinmina-bridge.cosign.bundle).
# declare the release details for download
TAG=vX.Y.Z
ARCH=arm64
# download the binary
curl -L -o chinmina-bridge_linux_${ARCH}.tar.gz \
https://github.com/jamestelfer/chinmina-bridge/releases/download/${TAG}/chinmina-bridge_linux_${ARCH}.tar.gz
# extract to the current directory
tar xvf chinmina-bridge_linux_${ARCH}.tar.gz
# verify
cosign verify-blob \
chinmina-bridge \
--bundle chinmina-bridge.cosign.bundle \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--certificate-identity "https://github.com/jamestelfer/chinmina-bridge/.github/workflows/release.yaml@refs/tags/$TAG"
# peek the details
jq -r '.rekorBundle.Payload.logIndex | "https://search.sigstore.dev/?logIndex=\(.)"' < chinmina-bridge.cosign.bundle
# open the URL that is shown