This repository lets you publish container signatures to the GitHub Container Registry (ghcr.io) when GitHub Personal Access Tokens (PATs) are disabled.
Disabling PATs is considered good security practice: these tokens aren't fine-grained, so they can grant the bearer more privileges than intended. Unfortunately, the GitHub Container Registry doesn't provide any other authentication mechanism.
Traditionally, container signatures are generated and published in one step with
`cosign sign`, but where GitHub PATs are disabled this is impractical.
The flow is as follows:
- Prepare the signatures locally
- Create a pull request containing the signatures
- The CI ensures the signatures are valid
- The pull request is merged into the `main` branch
- A workflow is triggered, publishing the signatures to the registry
 
Generate the signatures locally, without publishing them. Make sure to pass the image name together with its digest, not a tag:

```shell
export IMAGE="ghcr.io/freedomofpress/dangerzone/dangerzone@sha256:<hash>"
uv run ./ghcr-signer.py prepare "$IMAGE"
```

You should pass a key via `--key`, or via `--sk` in the case of a hardware key.
When the `main` branch is updated with new content inside the `SIGNATURES` folder,
a workflow will:
- Detect the latest folder, based on its date
- Attach the signatures to the container registry using the workflow's own GitHub credentials rather than a PAT
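The publish step sketched above, as an added example (not the repository's own code). It assumes a layout the page does not specify: one sub-folder per signing run under `SIGNATURES/`, named by ISO date, each holding an `IMAGE` file with the digest reference and `*.sig`/`*.payload` pairs; it also assumes the workflow exposes `GITHUB_TOKEN` and `GITHUB_ACTOR` and that `cosign` is installed.

```shell
#!/usr/bin/env sh
# Added example, not ghcr-signer's code. Folder layout and file names are assumptions.
set -eu

# Pick the newest run folder. ISO dates (YYYY-MM-DD...) sort lexically, so a plain
# sort is enough and no date parsing is needed; non-dated folders are ignored.
latest_signature_dir() {
  find "$1" -mindepth 1 -maxdepth 1 -type d \
    -name '[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]*' | sort | tail -n 1
}

# Accept only digest-pinned references. A tag can be re-pointed to a different
# image after signing; a sha256 digest cannot, so only a digest is safe to sign.
is_digest_reference() {
  printf '%s' "$1" \
    | grep -Eq '^[a-z0-9.-]+(:[0-9]+)?(/[a-z0-9._-]+)+@sha256:[0-9a-f]{64}$'
}

# Attach every prepared signature in a run folder to the registry.
# GITHUB_TOKEN is the workflow run's short-lived token (scoped with
# `packages: write` in the workflow), which is what replaces a PAT here.
publish_signatures() {
  dir="$1"
  image="$(cat "$dir/IMAGE")"
  if ! is_digest_reference "$image"; then
    echo "refusing to publish for non-digest reference: $image" >&2
    return 1
  fi
  printf '%s' "$GITHUB_TOKEN" | cosign login ghcr.io -u "$GITHUB_ACTOR" --password-stdin
  for sig in "$dir"/*.sig; do
    cosign attach signature --signature "$sig" --payload "${sig%.sig}.payload" "$image"
  done
}

# Typical use from the workflow: publish_signatures "$(latest_signature_dir SIGNATURES)"
```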