Skip to content

buildx(install): use sigstore module to verify signature #929

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
crazy-max wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

buildx(install): use sigstore module to verify signature #929

crazy-max wants to merge 3 commits into from
+126 −46

Conversation

@crazy-max
Copy link
Member

@crazy-max crazy-max commented Jan 12, 2026

@crazy-max crazy-max mentioned this pull request Jan 12, 2026
Open
crazy-max
crazy-max commented Jan 12, 2026
View reviewed changes
src/buildx/install.ts Outdated
const signedEntity = toSignedEntity(bundle, fs.readFileSync(binPath));
const verifier = new Verifier(trustMaterial);
const signer = verifier.verify(signedEntity, {
subjectAlternativeName: /^https:\/\/github\.com\/docker\/(github-builder-experimental|github-builder)\/\.github\/workflows\/build\.yml.*$/,
Copy link
Member Author

@crazy-max crazy-max Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regexp not supported like cosign:

actions-toolkit/src/sigstore/sigstore.ts

Line 147 in 22773fa

'--certificate-identity-regexp', opts.certificateIdentityRegexp

Opened sigstore/sigstore-js#1556

@crazy-max crazy-max mentioned this pull request Jan 12, 2026
Open
28 tasks
@crazy-max crazy-max force-pushed the buildx-verify branch 2 times, most recently from 716027e to 6ec757f Compare January 13, 2026 12:42
@crazy-max
buildx(install): use sigstore module to verify signature
ad237b4 
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
@crazy-max
buildx(install): workaround to check subjectAlternativeName
694b7dd 
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
@crazy-max crazy-max force-pushed the buildx-verify branch 2 times, most recently from 66f5d8c to eace984 Compare January 14, 2026 23:30
@crazy-max
sigstore: verifyArtifact func to verify arbitrary artifact
ade0696 
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@crazy-max crazy-max

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@crazy-max