feat(compat): sign seeded-ci.json with cosign (Phase 4.1)
All checks were successful
addon-qualify / qualify (push) Successful in 12s
Adds cosign install + sign-blob step before commit. The detached .sig (base64-encoded ASN.1 DER ECDSA over SHA256(file)) is committed alongside seeded-ci.json. Tower's loader verifies it pure-Go before replay; mismatched/missing sig → refuse + log. cosign.pub is also checked in so the workflow can self-verify before push (catches key-rotation mismatch early). The same pubkey is embedded in Tower's binary at compat_bootstrap_pubkey.pem; both copies must match or replay will fail.
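The verification path the commit message describes (a detached `.sig` holding base64 text of a DER-encoded ECDSA signature over SHA256 of the file, checked in pure Go, with a missing or mismatched signature causing a refusal) can be shown end to end. The code below is an added example, not Tower's loader or cosign's code; it generates its own P-256 key pair and a constructed `seeded-ci.json` body instead of using the checked-in `cosign.pub`, and the function names (`VerifyDetached`, `PubKeysMatch`, `RunDemo`) are assumptions. The `PubKeysMatch` helper shows the kind of early check that catches the key-rotation mismatch the commit message warns about, comparing decoded DER bytes rather than PEM text.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
	"strings"
)

// parseECPublicKey decodes a PEM "PUBLIC KEY" block (PKIX/SPKI) into an ECDSA key.
func parseECPublicKey(pubPEM []byte) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("public key is not a PEM PUBLIC KEY block")
	}
	pubAny, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse public key: %w", err)
	}
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("public key is not ECDSA")
	}
	return pub, nil
}

// VerifyDetached checks a sign-blob style detached signature: base64 text wrapping
// an ASN.1 DER ECDSA signature over SHA256(payload). Any error means "refuse to load".
func VerifyDetached(pubPEM, payload []byte, sigText string) error {
	if strings.TrimSpace(sigText) == "" {
		return errors.New("missing detached signature")
	}
	pub, err := parseECPublicKey(pubPEM)
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(strings.TrimSpace(sigText))
	if err != nil {
		return fmt.Errorf("signature is not valid base64: %w", err)
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match payload")
	}
	return nil
}

// PubKeysMatch reports whether two PEM public keys carry identical DER bytes,
// so two copies of the same key still match if one is re-wrapped or re-indented.
func PubKeysMatch(a, b []byte) (bool, error) {
	ba, _ := pem.Decode(a)
	bb, _ := pem.Decode(b)
	if ba == nil || bb == nil {
		return false, errors.New("one of the inputs is not PEM")
	}
	return bytes.Equal(ba.Bytes, bb.Bytes), nil
}

// signForDemo produces the same shape as a sign-blob output (constructed here, not cosign's code).
func signForDemo(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	digest := sha256.Sum256(payload)
	der, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

func pemForDemo(pub *ecdsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// DemoOutcome records how the loader behaves in each case it must handle.
type DemoOutcome struct {
	GoodAccepted, TamperedRejected, MissingRejected, WrongKeyRejected, CopiesChecked bool
}

// RunDemo signs a constructed seeded-ci.json with a fresh P-256 key and exercises the checks.
func RunDemo() (DemoOutcome, error) {
	var out DemoOutcome
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return out, err
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for a rotated key
	if err != nil {
		return out, err
	}
	pubPEM, _ := pemForDemo(&priv.PublicKey)
	otherPEM, _ := pemForDemo(&other.PublicKey)
	seeded := []byte(`{"cases":[{"name":"constructed-sample","expect":"pass"}]}`) // constructed sample
	sig, err := signForDemo(priv, seeded)
	if err != nil {
		return out, err
	}
	tampered := append(append([]byte{}, seeded...), '\n') // even a trailing newline changes the digest
	same, _ := PubKeysMatch(pubPEM, pubPEM)
	diff, _ := PubKeysMatch(pubPEM, otherPEM)
	out.GoodAccepted = VerifyDetached(pubPEM, seeded, sig) == nil
	out.TamperedRejected = VerifyDetached(pubPEM, tampered, sig) != nil
	out.MissingRejected = VerifyDetached(pubPEM, seeded, "") != nil
	out.WrongKeyRejected = VerifyDetached(otherPEM, seeded, sig) != nil
	out.CopiesChecked = same && !diff
	return out, nil
}

func main() {
	out, err := RunDemo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Note that `VerifyDetached` hashes the file bytes exactly as committed; a loader that normalises or re-serialises the JSON before hashing would reject every valid signature, so the check belongs before any parsing.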
4
compat-bootstrap/cosign.pub
Normal file
@@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgbGcCGMzThWEY5aaVK249Q+ZNm1w
BznDxfRvzL9AGdb1vkUngdcVmGXZBwg/rHXSkYJjt4t9Ky9mZkB9pB02BQ==
-----END PUBLIC KEY-----
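Review bot: nothing in this hunk ties compat-bootstrap/cosign.pub to the copy the commit message says is embedded in Tower at compat_bootstrap_pubkey.pem, even though the message states replay fails when they diverge; add a workflow step that decodes both PEM blocks and compares the DER bytes (not the text, so re-wrapping does not trip it) and fails the job on mismatch, so a rotation of one copy is caught before push rather than at replay. Worth a comment in the workflow as well: the self-verify step that reads this checked-in key only detects accidental rotation mismatch, since whoever can modify the repo can replace cosign.pub and the .sig together, so the trust anchor for replay is the key compiled into Tower, not this file.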