Sign container image using Cosign in keyless mode

Cosign keyless mode makes possible to sign the container image using the OIDC Identity Tokens provided by GitHub Actions [0][1]. The signature is published to the registry storing the image and to the public Rekor transparency log instance [2]. Cosign keyless mode has already been adopted by some major projects like Kubernetes [3]. The image signature can be manually verified using: ``` $ cosign verify \ --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \ --certificate-identity-regexp='^https://github.com/meilisearch/meilisearch/.github/workflows/publish-docker-images.yaml' \ <image_name> ``` See #2179. Note that a similar approach can be used to sign the release binaries. [0] https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect [1] https://docs.sigstore.dev/cosign/signing/signing_with_containers/ [2] https://docs.sigstore.dev/rekor/overview [3] https://kubernetes.io/docs/tasks/administer-cluster/verify-signed-artifacts/#verifying-image-signatures
2025-07-04 20:37:15 +02:00 · 2025-04-23 11:50:36 +02:00 · 2025-04-23 11:50:36 +02:00 · 077255ce6d
commit 077255ce6d
parent 9fd9fcb03e
1 changed files with 17 additions and 0 deletions
--- a/.github/workflows/publish-docker-images.yml
+++ b/.github/workflows/publish-docker-images.yml
@ -16,6 +16,8 @@ on:
 jobs:
  docker:
    runs-on: docker
+    permissions:
+      id-token: write # This is needed to use Cosign in keyless mode
    steps:
      - uses: actions/checkout@v3

@ -62,6 +64,9 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

+      - name: Install cosign
+        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # tag=v3.8.2
+
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
@ -85,6 +90,7 @@ jobs:

      - name: Build and push
        uses: docker/build-push-action@v6
+        id: build-and-push
        with:
          push: true
          platforms: linux/amd64,linux/arm64
@ -94,6 +100,17 @@ jobs:
            COMMIT_DATE=${{ steps.build-metadata.outputs.date }}
            GIT_TAG=${{ github.ref_name }}

+      - name: Sign the images with GitHub OIDC Token
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
+
      # /!\ Don't touch this without checking with Cloud team
      - name: Send CI information to Cloud team
        # Do not send if nightly build (i.e. 'schedule' or 'workflow_dispatch' event)