mirror of
https://github.com/freedomofpress/dangerzone.git
synced 2025-04-28 18:02:38 +02:00
9d23077a37
This now follows [PEP 517](https://peps.python.org/pep-0517/) and [PEP 621](https://peps.python.org/pep-0621/) to define the metadata of the project, as well as its dependencies. As a result, the toolchain now uses [uv](https://github.com/astral-sh/uv) instead of [poetry](https://python-poetry.org/). The build-backend has been switched to [Hatch](https://hatch.pypa.io/latest/). Fixes #677
19 lines
No EOL
1 KiB
Bash
Executable file
19 lines
No EOL
1 KiB
Bash
Executable file
# First, login to the container registry.
|
||
# (We only need this because images are not publicly available yet)
|
||
# Enter "USERNAME" instead of your username
|
||
# and use your PAT as a password
|
||
# regctl registry login ghcr.io
|
||
|
||
# Get the manifest from the latest tag
|
||
regctl manifest get --format raw-body ghcr.io/freedomofpress/dangerzone/dangerzone:latest > manifest.json
|
||
|
||
# The attestation for this manifest hash is available
|
||
# at the tag named "sha256-sha256(manifest.json)"
|
||
DIGEST="sha256-$(sha256sum manifest.json | awk '{ print $1 }')"
|
||
regctl artifact get ghcr.io/freedomofpress/dangerzone/dangerzone:${DIGEST} > bundle.json
|
||
|
||
# Finally verify that the attestation is the right one
|
||
cosign verify-blob-attestation --bundle bundle.json --new-bundle-format\
|
||
--certificate-oidc-issuer="https://token.actions.githubusercontent.com"\
|
||
--certificate-identity-regexp="^https://github.com/freedomofpress/dangerzone/.github/workflows/release-container-image.yml@refs/heads/test/image-publication-cosign"\
|
||
manifest.json |