Skip to content

buildx(install): use sigstore module to verify signature #929

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
crazy-max wants to merge 3 commits into
base: main
Choose a base branch
from
Open

buildx(install): use sigstore module to verify signature #929

crazy-max wants to merge 3 commits into from
+145 −47

Conversation

@crazy-max
Copy link
Member

@crazy-max crazy-max commented Jan 12, 2026

@crazy-max crazy-max mentioned this pull request Jan 12, 2026
Open
crazy-max
crazy-max commented Jan 12, 2026
View reviewed changes
src/buildx/install.ts Outdated
const signedEntity = toSignedEntity(bundle, fs.readFileSync(binPath));
const verifier = new Verifier(trustMaterial);
const signer = verifier.verify(signedEntity, {
subjectAlternativeName: /^https:\/\/github\.com\/docker\/(github-builder-experimental|github-builder)\/\.github\/workflows\/build\.yml.*$/,
Copy link
Member Author

@crazy-max crazy-max Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regexp not supported like cosign:

actions-toolkit/src/sigstore/sigstore.ts

Line 147 in 22773fa

'--certificate-identity-regexp', opts.certificateIdentityRegexp

Opened sigstore/sigstore-js#1556

@crazy-max crazy-max mentioned this pull request Jan 12, 2026
Open
28 tasks
@crazy-max crazy-max force-pushed the buildx-verify branch 13 times, most recently from 13330f9 to 01bd355 Compare January 15, 2026 09:29
@crazy-max crazy-max marked this pull request as ready for review January 15, 2026 09:35
@crazy-max crazy-max requested a review from tonistiigi January 15, 2026 09:35
tonistiigi
tonistiigi reviewed Jan 27, 2026
View reviewed changes
__tests__/buildx/install.test.itg.ts Outdated
maybe('download', () => {
// prettier-ignore
test.each(['latest'])(
test.each(['v0.31.0-rc1'])(
Copy link
Member

@tonistiigi tonistiigi Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove rc?

Copy link
Member Author

@crazy-max crazy-max Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah yes let me change that

Copy link
Member Author

@crazy-max crazy-max Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@crazy-max crazy-max requested a review from tonistiigi January 27, 2026 16:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tonistiigi tonistiigi Awaiting requested review from tonistiigi

At least 1 approving review is required to merge this pull request.

Assignees

@crazy-max crazy-max

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@crazy-max @tonistiigi