Skip to content

v0.2 CLI binary signing: cosign-keyless implementation (ADR-0004) #1

Description

@musingfox

Background

Per ADR-0004, v0.2 adopts cosign-keyless (Sigstore + GitHub Actions OIDC) as the sole signing mechanism for CLI release artifacts. No Apple Developer ID / no Windows EV cert this round; native signing is deferred to v0.3+ pending audience signal (download volume / xattr-friction reports / enterprise asks).

This issue tracks the implementation tasks for the v0.2 release cut.

Acceptance criteria

The v0.2 release page must show, for each release tag cli-v0.2.x:

  • 5 archives (existing): dovecote-bun-{linux-x64,linux-arm64,darwin-x64,darwin-arm64,windows-x64}.{tar.gz,zip}
  • 1 SHA256SUMS (existing)
  • 6 new <artifact>.sig files (one per archive + one for SHA256SUMS)
  • 6 new <artifact>.pem files (Fulcio-issued certificate per signature)

cosign verify-blob against any of the 6 signed artifacts must succeed with OIDC claims matching:

  • subject ends with musingfox/dovecote/.github/workflows/release-cli.yml@refs/tags/cli-v0.2.*
  • issuer = https://token.actions.githubusercontent.com

Task list

Release pipeline

  • Add sigstore/cosign-installer@v3 to .github/workflows/release-cli.yml before the Create GitHub Release step
  • Add a Sign artifacts step in the release job:
    - name: Sign release artifacts
      working-directory: release
      run: |
        for f in *.tar.gz *.zip SHA256SUMS; do
          cosign sign-blob \
            --yes \
            --output-signature "${f}.sig" \
            --output-certificate "${f}.pem" \
            "$f"
        done
  • Update softprops/action-gh-release@v2 files: glob to include release/*.sig and release/*.pem
  • Add id-token: write to the workflow's top-level permissions (required for OIDC token issuance)

Consumer side

  • setup-dovecote action: add new optional input verify (enum: "none" (default) | "cosign")
  • When verify: cosign is passed, the action additionally downloads the matching .sig + .pem and runs cosign verify-blob --certificate-identity-regexp ... --certificate-oidc-issuer https://token.actions.githubusercontent.com
  • Default verify: none keeps cli-v0.1.x consumers working (those releases have no sig sidecar)

Documentation

  • docs/setup-dovecote-runbook.md: add a "Cosign manual verify" section showing cosign verify-blob from a workstation
  • Same runbook: document verify: cosign action input usage
  • release notes template for cli-v0.2.0: mention cosign sidecars + link to runbook section

Validation

  • After implementation lands, cut a cli-v0.2.0-rc1 tag in a fork (or dedicated test tag) and verify all sidecars appear
  • Run release-smoke workflow against the rc tag with verify: cosign input set on the action — must pass on ubuntu/macos/windows

Out of scope

  • Apple Developer ID signing / notarization (v0.3+ pending re-eval)
  • Windows code signing / Azure Trusted Signing (v0.3+ pending re-eval)
  • Server-side signing (/v1/* API payloads) — unrelated; this issue is binary-artifact only
  • Re-signing existing v0.1.x releases — no retro action; v0.1 stays SHA-only with xattr workaround in release notes

References

Re-evaluation triggers for native signing (per ADR-0004)

Re-open this issue's scope (or file a follow-up) to add Apple Developer ID / Windows code signing if ANY of:

  • CLI binary monthly downloads > 1000 for 3 consecutive months
  • 5 issues report xattr workaround friction

  • A named enterprise consumer explicitly requests Windows EV signing

Metadata

Metadata

Assignees

No one assigned

    Labels

    documentationImprovements or additions to documentationenhancementNew feature or request

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions