pass cosign private key via stdin, instead of saving to disk

Author: vszakats

.github/workflows/build_latest_release_multi.yml

@@ -74,16 +74,13 @@ jobs:
           buildah manifest push --format v2s2 --all curl-base-multi:"$REL" docker://ghcr.io/curl/curl-container/curl-base-multi:"$REL"
       - name: 'install Cosign'
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
-      - name: 'write signing key to disk (only needed for `cosign sign --key`)'
-        env:
-          COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
-        run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key
       - name: 'sign images with sigstore key'
         env:
           COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}'
+          COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
         run: |
-          cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-multi:"$REL"
-          cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base-multi:"$REL"
+          echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /srv/stdin ghcr.io/curl/curl-container/curl-multi:"$REL"
+          echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /srv/stdin ghcr.io/curl/curl-container/curl-base-multi:"$REL"
       - name: 'verify image with public key'
         run: |
           cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:"$REL"
@@ -97,11 +94,12 @@ jobs:
       - name: 'sign images with a sigstore key'
         env:
           COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}'
+          COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
         run: |
-          cosign sign -y --key cosign.key docker.io/curlimages/curl:"$REL"
-          cosign sign -y --key cosign.key docker.io/curlimages/curl:latest
-          cosign sign -y --key cosign.key docker.io/curlimages/curl-base:"$REL"
-          cosign sign -y --key cosign.key docker.io/curlimages/curl-base:latest
+          echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /srv/stdin docker.io/curlimages/curl:"$REL"
+          echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /srv/stdin docker.io/curlimages/curl:latest
+          echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /srv/stdin docker.io/curlimages/curl-base:"$REL"
+          echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /srv/stdin docker.io/curlimages/curl-base:latest
       - name: 'verify image with public key'
         run: |
           cosign verify --key cosign.pub docker.io/curlimages/curl:"$REL"
@@ -117,11 +115,12 @@ jobs:
       - name: 'sign images with a sigstore key'
         env:
           COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}'
+          COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
         run: |
-          cosign sign -y --key cosign.key quay.io/curl/curl:"$REL"
-          cosign sign -y --key cosign.key quay.io/curl/curl:latest
-          cosign sign -y --key cosign.key quay.io/curl/curl-base:"$REL"
-          cosign sign -y --key cosign.key quay.io/curl/curl-base:latest
+          echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /srv/stdin quay.io/curl/curl:"$REL"
+          echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /srv/stdin quay.io/curl/curl:latest
+          echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /srv/stdin quay.io/curl/curl-base:"$REL"
+          echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /srv/stdin quay.io/curl/curl-base:latest
       - name: 'verify image with public key'
         run: |
           cosign verify --key cosign.pub quay.io/curl/curl:"$REL"

.github/workflows/build_master.yml

@@ -70,17 +70,14 @@ jobs:
           buildah push curl:master "docker://ghcr.io/curl/curl-container/curl:master"
       - name: 'install Cosign'
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
-      - name: 'write signing key to disk (only needed for `cosign sign --key`)'
-        env:
-          COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
-        run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key
       - name: 'sign image with a key'
         env:
           COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}'
+          COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
         run: |
-          cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev:master
-          cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base:master
-          cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl:master
+          echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /srv/stdin ghcr.io/curl/curl-container/curl-dev:master
+          echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /srv/stdin ghcr.io/curl/curl-container/curl-base:master
+          echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /srv/stdin ghcr.io/curl/curl-container/curl:master
       - name: 'verify image with public key'
         run: |
           cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev:master

.github/workflows/build_master_dev.yml

@@ -67,15 +67,12 @@ jobs:
           buildah push curl-dev-debian:master "docker://ghcr.io/curl/curl-container/curl-dev-debian:master"
       - name: 'install Cosign'
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
-      - name: 'write signing key to disk (only needed for `cosign sign --key`)'
-        env:
-          COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
-        run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key
       - name: 'sign image with a key'
         env:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
         run: |
-          cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-debian:master
+          echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /srv/stdin ghcr.io/curl/curl-container/curl-dev-debian:master
       - name: 'verify image with public key'
         run: |
           cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-debian:master
@@ -91,8 +88,9 @@ jobs:
       - name: 'sign image with a key'
         env:
           COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}'
+          COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
         run: |
-          cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-fedora:master
+          echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /srv/stdin ghcr.io/curl/curl-container/curl-dev-fedora:master
       - name: 'verify image with public key'
         run: |
           cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-fedora:master

.github/workflows/build_master_multi.yml

@@ -69,16 +69,13 @@ jobs:
           buildah manifest push --all --format v2s2 localhost/curl-multi:master "docker://ghcr.io/curl/curl-container/curl-multi:master"
       - name: 'install Cosign'
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
-      - name: 'write signing key to disk (only needed for `cosign sign --key`)'
-        env:
-          COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
-        run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key
       - name: 'sign image with a key'
         env:
           COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}'
+          COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
         run: |
-          cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-multi:master
-          cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base-multi:master
+          echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin cosign.key ghcr.io/curl/curl-container/curl-multi:master
+          echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin cosign.key ghcr.io/curl/curl-container/curl-base-multi:master
       - name: 'verify image with public key'
         run: |
           cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:master