sign Docker images using Cosign

.github/workflows/build-docker.yml

@@ -21,6 +21,7 @@ jobs:
       - self-hosted
       - Linux
       - ${{ matrix.runner }}
+
     strategy:
       matrix:
         cpu: [arm64, amd64, arm/v7]
@@ -34,23 +35,31 @@ jobs:
           - cpu: arm/v7
             runner: ARM
             tag: armv7
+
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           submodules: recursive
+
       - name: Login to GitHub container registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
           buildkitd-config-inline: |
             [registry."docker.io"]
               mirrors = ["dockerhub-proxy.teonite.net"]
+
       - name: Build container
         uses: docker/build-push-action@v5
         with:
@@ -64,8 +73,18 @@ jobs:
 
   docker-manifest:
     runs-on: [self-hosted, Linux]
+
+    permissions:
+      contents: read
+      packages: write
+      id-token: write # needed for signing the images with GitHub OIDC Token
+
     needs: [build-docker]
+
     steps:
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.9.2
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -74,12 +93,14 @@ jobs:
             ${{ env.GHCR_REPO }}
           flavor: ${{ inputs.flavor }}
           tags: ${{ inputs.tags }}
+
       - name: Login to GitHub container registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Create and push manifests
         run: |
           tags='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
@@ -89,3 +110,13 @@ jobs:
             docker manifest create ${tag} ${{ env.GHCR_REPO }}:${{ github.sha }}-amd64 ${{ env.GHCR_REPO }}:${{ github.sha }}-arm64 ${{ env.GHCR_REPO }}:${{ github.sha }}-armv7
             docker manifest push ${tag}
           done
+
+      - name: Sign the images with GitHub OIDC Token
+        run: |
+          images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
+          cosign sign --yes ${images}
+
+      - name: Verify image signatures
+        run: |
+          images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
+          cosign verify ${images} --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp="https://github.com/DefGuard/gateway" -o text

README.md

@@ -22,5 +22,34 @@ Find us on Matrix: [#defguard:teonite.com](https://matrix.to/#/#defguard:teonite
 
 Please review the [Contributing guide](https://defguard.gitbook.io/defguard/for-developers/contributing) for information on how to get started contributing to the project. You might also find our [environment setup guide](https://defguard.gitbook.io/defguard/for-developers/dev-env-setup) handy.
 
+## Verifiability of releases
+
+We provide following ways to verify the authenticity and integrity of official releases:
+
+### Docker Image Verification with Cosign
+
+All official Docker images are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/). To verify a Docker image:
+
+1. [Install](https://github.com/sigstore/cosign?tab=readme-ov-file#installation) cosign CLI
+
+2. Verify the image signature (replace <IMAGE_TAG> with the tag you want to verify):
+   ```bash
+   cosign verify --certificate-identity-regexp="https://github.com/DefGuard/gateway" \
+     --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+     ghcr.io/defguard/defguard:<IMAGE_TAG>
+   ```
+
+### Release Asset Verification
+
+All release assets (binaries, packages, etc.) include SHA256 checksums that are automatically generated and published with each GitHub release:
+
+1. Download the release asset and copy its corresponding checksum from the [releases page](https://github.com/DefGuard/gateway/releases)
+
+2. Verify the checksum:
+   ```bash
+   # Linux/macOS
+   echo known_sha256_checksum_of_the_file path/to/file | sha256sum --check
+   ```
+
 # Legal
 WireGuard is [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.

flake.nix

@@ -25,6 +25,7 @@
       };
       rustToolchain = pkgs.rust-bin.stable.latest.default.override {
         extensions = ["rust-analyzer" "rust-src" "rustfmt" "clippy"];
+        targets = ["x86_64-unknown-linux-gnu" "armv7-unknown-linux-gnueabihf" "aarch64-unknown-linux-gnu" "x86_64-unknown-freebsd"];
       };
     in {
       devShells.default = pkgs.mkShell {

src/enterprise/firewall/nftables/netfilter.rs

@@ -904,7 +904,7 @@ fn new_anon_set<T>(
     table: &Table,
     family: ProtoFamily,
     interval_set: bool,
-) -> Result<Set<T>, FirewallError>
+) -> Result<Set<'_, T>, FirewallError>
 where
     T: SetKey,
 {