feat: verify installer downloads with cosign#5806
Conversation
```sh
    return 0
  fi
  checksums=$1
  http_download "${tmpdir}/${CHECKSUM_COSIGN_BUNDLE}" "${CHECKSUM_COSIGN_BUNDLE_URL}"
```
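Review bot: in the visible lines the result of `http_download "${tmpdir}/${CHECKSUM_COSIGN_BUNDLE}" "${CHECKSUM_COSIGN_BUNDLE_URL}"` is not checked, so a download that fails (or returns a 404 error page) is indistinguishable from a successful one at this point; suggest capturing the status explicitly, e.g. `if ! http_download "${tmpdir}/${CHECKSUM_COSIGN_BUNDLE}" "${CHECKSUM_COSIGN_BUNDLE_URL}"; then`, and deciding there whether a missing bundle means "skip cosign verification" or "abort", rather than letting a later verify step run against a missing or bogus file. `checksums=$1` is assigned here but not used in the shown lines.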
This will fail for releases that don't have those signed checksum .cosign.bundles. I suppose we should address it somehow, but I'm not sure what would be the best way. Some thoughts:
- Hardcode some version comparison, don't try it for versions known to not have it? This is somewhat a chore to do in the shell script.
- Skip verify if downloading the cosign bundle fails due to HTTP 404? Not sure if there's a good way to implement that for wget.
An example of this problem can be seen in the CI failure of this PR.
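One way to implement the "skip verify on HTTP 404, abort on anything else" option discussed in the comment above, for both curl and wget. This is an added example, not code from this PR or the project's installer: the function names `http_status_outcome`, `wget_status_from_stderr`, `http_download_status` and `verify_decision`, the exit-code convention (0 downloaded, 2 missing, 1 other failure) and the sample wget stderr used in the comments are assumptions constructed for illustration. curl reports the final status through `-w '%{http_code}'`; wget has no equivalent, so the code is parsed from the `HTTP request sent, awaiting response...` line it prints on stderr at default verbosity.

```sh
#!/bin/sh
# Added example, not code from the PR or the project's installer.
# Function names, the exit-code convention and the curl/wget flags below are
# assumptions chosen for illustration; the sample wget output is constructed.

# Map an HTTP status code to an outcome the caller can branch on.
# Prints one of: ok | missing | fail
http_status_outcome() {
  case "$1" in
    2[0-9][0-9]) echo ok ;;
    404)         echo missing ;;
    *)           echo fail ;;
  esac
}

# wget has no equivalent of curl's -w '%{http_code}', but at default
# verbosity it reports each response on stderr as
#   "HTTP request sent, awaiting response... 404 Not Found"
# Take the last such line so a redirect chain is classified by its final hop.
# Prints nothing if no response line is found (DNS/TLS failure, etc.).
wget_status_from_stderr() {
  printf '%s\n' "$1" \
    | sed -n 's/^HTTP request sent, awaiting response\.\.\. \([0-9][0-9][0-9]\).*/\1/p' \
    | tail -n 1
}

# Download $2 into $1.  Exit status: 0 = downloaded, 2 = server said 404,
# 1 = any other failure (DNS, TLS, 5xx, no downloader).  A 404 body is
# never left on disk, so a later verify step cannot mistake it for a bundle.
http_download_status() {
  out=$1
  url=$2
  if command -v curl >/dev/null 2>&1; then
    # Without -f curl exits 0 on a 404 and writes the error page to $out;
    # that is what lets us read the status from -w instead of guessing.
    code=$(curl -sSL -o "$out" -w '%{http_code}' "$url") || { rm -f "$out"; return 1; }
  elif command -v wget >/dev/null 2>&1; then
    # Capture stderr (the progress/response lines), discard stdout.
    err=$(wget -O "$out" "$url" 2>&1 >/dev/null) || true
    code=$(wget_status_from_stderr "$err")
    [ -n "$code" ] || { rm -f "$out"; return 1; }
  else
    echo "http_download_status: need curl or wget" >&2
    return 1
  fi
  case "$(http_status_outcome "$code")" in
    ok)      return 0 ;;
    missing) rm -f "$out"; return 2 ;;
    *)       rm -f "$out"; return 1 ;;
  esac
}

# Decide what the installer should do from http_download_status's exit code.
# Prints: verify | skip | abort
verify_decision() {
  case "$1" in
    0) echo verify ;;  # bundle present: run cosign verify-blob against it
    2) echo skip ;;    # release has no bundle (404): fall back to checksum only
    *) echo abort ;;   # transient or server error: do not silently downgrade
  esac
}

# Usage sketch (not run here):
#   http_download_status "$tmpdir/$bundle" "$bundle_url"; rc=$?
#   case "$(verify_decision "$rc")" in
#     verify) cosign verify-blob --bundle "$tmpdir/$bundle" ... "$checksums" ;;
#     skip)   echo "no cosign bundle for this release; checksum only" >&2 ;;
#     abort)  exit 1 ;;
#   esac
```

Treating only a 404 as "skip" and everything else as "abort" is the part that matters for security: a network error or a 5xx during the bundle fetch must not quietly downgrade the installer to checksum-only verification, which is what an unconditional "skip if download failed" would do.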
CLAassistant commented May 20, 2025 • edited
Depends on #5793