sign Docker images using Cosign

.github/workflows/build-docker.yml

@@ -21,6 +21,7 @@ jobs:
       - self-hosted
       - Linux
       - ${{ matrix.runner }}
+
     strategy:
       matrix:
         # cpu: [arm64, amd64, arm/v7]
@@ -35,23 +36,31 @@ jobs:
           # - cpu: arm/v7
           #   runner: ARM
           #   tag: armv7
+
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           submodules: recursive
+
       - name: Login to GitHub container registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
           buildkitd-config-inline: |
             [registry."docker.io"]
               mirrors = ["dockerhub-proxy.teonite.net"]
+
       - name: Build container
         uses: docker/build-push-action@v6
         with:
@@ -65,8 +74,18 @@ jobs:
 
   docker-manifest:
     runs-on: [self-hosted, Linux]
+
+    permissions:
+      contents: read
+      packages: write
+      id-token: write # needed for signing the images with GitHub OIDC Token
+
     needs: [build-docker]
+
     steps:
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.9.2
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -75,12 +94,14 @@ jobs:
             ${{ env.GHCR_REPO }}
           flavor: ${{ inputs.flavor }}
           tags: ${{ inputs.tags }}
+
       - name: Login to GitHub container registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Create and push manifests
         run: |
           tags='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
@@ -90,4 +111,14 @@ jobs:
             docker manifest create ${tag} ${{ env.GHCR_REPO }}:${{ github.sha }}-amd64 ${{ env.GHCR_REPO }}:${{ github.sha }}-arm64
             docker manifest push ${tag}
           done
-        #  ${{ env.GHCR_REPO }}:${{ github.sha }}-armv7
+
+      - name: Sign the images with GitHub OIDC Token
+        run: |
+          images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
+          cosign sign --yes ${images}
+
+      - name: Verify image signatures
+        run: |
+          images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
+          cosign verify ${images} --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp="https://github.com/DefGuard/defguard" -o text
+

.github/workflows/ci.yml

@@ -52,21 +52,28 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: recursive
+
       - name: Cache
         uses: Swatinem/rust-cache@v2
+
       - name: Install protoc
         run: apt-get update && apt-get -y install protobuf-compiler
+
       - name: Check format
         run: |
           rustup component add rustfmt
           cargo fmt -- --check
+
       - name: Run clippy linter
         run: |
           rustup component add clippy
           cargo clippy --all-targets --all-features -- -D warnings
+
       - name: Run cargo deny
         uses: EmbarkStudios/cargo-deny-action@v2
+
       - name: Install nextest
         uses: taiki-e/install-action@nextest
+
       - name: Run tests
         run: cargo nextest run --locked --no-fail-fast

.github/workflows/release.yml

@@ -53,10 +53,12 @@ jobs:
 
   build-binaries:
     needs: [create-release]
+
     runs-on:
       - self-hosted
       - Linux
       - X64
+
     strategy:
       fail-fast: false
       matrix:
@@ -71,6 +73,10 @@ jobs:
           - build: freebsd
             arch: amd64
             target: x86_64-unknown-freebsd
+
+    permissions:
+      contents: write # needed to upload release assets
+
     steps:
       # Store the version, stripping any v-prefix
       - name: Write release version

README.md

@@ -180,6 +180,35 @@ The code in this repository is available under a dual licensing model:
 
 Please review the [Contributing guide](https://docs.defguard.net/for-developers/contributing) for information on how to get started contributing to the project. You might also find our [environment setup guide](https://docs.defguard.net/for-developers/dev-env-setup) handy.
 
+## Verifiability of releases
+
+We provide following ways to verify the authenticity and integrity of official releases:
+
+### Docker Image Verification with Cosign
+
+All official Docker images are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/). To verify a Docker image:
+
+1. [Install](https://github.com/sigstore/cosign?tab=readme-ov-file#installation) cosign CLI
+
+2. Verify the image signature (replace <IMAGE_TAG> with the tag you want to verify):
+   ```bash
+   cosign verify --certificate-identity-regexp="https://github.com/DefGuard/defguard" \
+     --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+     ghcr.io/defguard/defguard:<IMAGE_TAG>
+   ```
+
+### Release Asset Verification
+
+All release assets (binaries, packages, etc.) include SHA256 checksums that are automatically generated and published with each GitHub release:
+
+1. Download the release asset and copy its corresponding checksum from the [releases page](https://github.com/DefGuard/defguard/releases)
+
+2. Verify the checksum:
+   ```bash
+   # Linux/macOS
+   echo known_sha256_checksum_of_the_file path/to/file | sha256sum --check
+   ```
+
 # Built and sponsored by
 
 <p align="center">

flake.nix

@@ -42,6 +42,8 @@
           buf
           # e2e
           playwright
+          # release assets verification
+          cosign
         ];
 
         # Specify the rust-src path (many editors rely on this)