feat: verify installer downloads with cosign #5806
Conversation
This will fail for releases that don't have those signed checksum .cosign.bundles. I suppose we should address it somehow, but I'm not sure what would be the best way. Some thoughts:
- Hardcode some version comparison, don't try it for versions known to not have it? This is somewhat a chore to do in the shell script.
- Skip verify if downloading the cosign bundle fails due to HTTP 404? Not sure if there's a good way to implement that for wget.
An example of this problem can be seen in the CI failure of this PR.
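One way to implement the second option from the review comment above (skip verification only when the bundle is genuinely missing, fail on anything else), as an added sketch that is not the project's installer script. It assumes a placeholder release layout in which `checksums.txt` and `checksums.txt.cosign.bundle` sit under one base URL, and that the expected certificate identity and OIDC issuer for `cosign verify-blob` are passed in by the caller; the function and variable names are mine.

```sh
#!/bin/sh
# Added example: a sketch of the installer-side logic discussed above, not the
# project's own script. Assumed layout (placeholders): the release publishes
# checksums.txt and checksums.txt.cosign.bundle under BASE_URL; IDENTITY and
# ISSUER are the expected certificate identity / OIDC issuer of the signer.

# Map the HTTP status of the bundle download to what the installer should do.
bundle_action() {
  case "$1" in
    200) echo verify ;;   # bundle present: verify checksums before trusting them
    404) echo skip   ;;   # release predates signed bundles: warn and continue
    *)   echo fail   ;;   # transient or server error: do not silently downgrade
  esac
}

# Download URL to DEST. Returns 0 on success, 2 on HTTP 404, 1 otherwise.
# curl exposes the status via -w; wget exits 8 on any server error, so with
# wget we record the response headers (-S) and look for the 404 status line.
fetch() {
  url=$1; dest=$2
  if command -v curl >/dev/null 2>&1; then
    if status=$(curl -sSL -o "$dest" -w '%{http_code}' "$url" 2>/dev/null); then
      :
    else
      rm -f "$dest"; return 1
    fi
  else
    if wget -S -O "$dest" "$url" 2>"$dest.hdr"; then
      status=200
    elif [ $? -eq 8 ] && grep -q 'HTTP/[0-9.]* 404' "$dest.hdr"; then
      status=404
    else
      status=0
    fi
    rm -f "$dest.hdr"
  fi
  case "$(bundle_action "$status")" in
    verify) return 0 ;;
    skip)   rm -f "$dest"; return 2 ;;
    *)      rm -f "$dest"; return 1 ;;
  esac
}

# Compare ARTIFACT's SHA-256 with the entry for its basename in SUMS
# (sha256sum format, with or without the leading '*' binary marker).
checksum_matches() {
  artifact=$1; sums=$2
  name=$(basename "$artifact")
  expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) {print $1; exit}' "$sums")
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$artifact" | awk '{print $1}')
  else
    actual=$(shasum -a 256 "$artifact" | awk '{print $1}')
  fi
  if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
    return 0
  fi
  return 1
}

# Install-time driver: verify the checksum list with cosign when a bundle
# exists, warn and continue when the release has none, fail on anything else.
verify_artifact() {
  artifact=$1; base_url=$2; identity=$3; issuer=$4
  tmp=$(mktemp -d) || return 1
  if ! fetch "$base_url/checksums.txt" "$tmp/checksums.txt"; then
    echo "error: could not download checksums.txt" >&2; rm -rf "$tmp"; return 1
  fi
  if fetch "$base_url/checksums.txt.cosign.bundle" "$tmp/checksums.txt.cosign.bundle"; then
    rc=0
  else
    rc=$?
  fi
  case $rc in
    0) if ! cosign verify-blob --bundle "$tmp/checksums.txt.cosign.bundle" \
            --certificate-identity "$identity" --certificate-oidc-issuer "$issuer" \
            "$tmp/checksums.txt" >/dev/null 2>&1; then
         echo "error: cosign verification of checksums.txt failed" >&2; rm -rf "$tmp"; return 1
       fi ;;
    2) echo "warning: no .cosign.bundle for this release; skipping signature verification" >&2 ;;
    *) echo "error: could not download .cosign.bundle" >&2; rm -rf "$tmp"; return 1 ;;
  esac
  if checksum_matches "$artifact" "$tmp/checksums.txt"; then
    rm -rf "$tmp"; return 0
  fi
  echo "error: checksum mismatch for $artifact" >&2; rm -rf "$tmp"; return 1
}

# Usage (placeholder URL and identity):
# verify_artifact ./tool.tar.gz https://example.invalid/releases/v1.2.3 \
#   'https://github.com/example/project/.github/workflows/release.yml@refs/tags/v1.2.3' \
#   https://token.actions.githubusercontent.com
```

Note the caveat this approach carries: treating a 404 as "skip" means anyone who can make the bundle URL return 404 (a compromised mirror, or a CDN or proxy in the path) can downgrade the installer to unverified checksums, so the skip branch should at least warn loudly, and once no supported release lacks a bundle the first option from the comment (refuse to install below a known version) is the safer end state.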
Depends on #5793