Merge 4bc8d25cec into 62bd622ffc

Merge branch 'main' into main
sign sbom
2025-07-04 11:27:16 -04:00 · 2025-06-06 10:49:39 +08:00 · 2025-06-06 10:49:37 +08:00 · 2025-06-05 15:40:00 +03:00
1 changed files with 12 additions and 0 deletions
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@ -94,6 +94,18 @@ jobs:
          repo_path: ./local_kernel
          source_path: ./

+      # 1. Install cosign tool
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.8.1
+        
+      # 2. Sign the sbom.spdx file using cosign. Two files are produced: sbom.sig and sbom.crt, stored in the same directory as sbom.spdx
+      - name: Attest SBOM
+        working-directory: ./local_kernel
+        run: |
+          cosign sign-blob sbom.spdx --output-certificate='sbom.crt' --output-signature='sbom.sig' -y
+          # The following is a sanity check. After signing, we verify the image to check that everything is OK
+          cosign verify-blob --signature='sbom.sig' --certificate='sbom.crt' --certificate-identity-regexp=.* --certificate-oidc-issuer-regexp='https://github.com' ./sbom.spdx
+
      - name: commit SBOM file
        env:
          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
Author	SHA1	Message	Date
Lefteris Georgiadis	8624392832	Merge `4bc8d25cec` into `62bd622ffc`	2025-06-06 10:49:39 +08:00
ActoryOu	4bc8d25cec	Merge branch 'main' into main	2025-06-06 10:49:37 +08:00
lefosg	1f23756ed3	sign sbom	2025-06-05 15:40:00 +03:00