Lines 180-220javascript
180 cosignPath = execFileSync(lookupCommand, lookupArgs, { encoding: "utf8", shell: false }).split(/\r?\n/)[0].trim();
182 // cosign not available — checksum-only mode
186 if (!cosignPath) return;
188 const repo = REPOSITORY;
189 const sigUrl = `${baseUrl}/${asset}.sig`;
190 const certUrl = `${baseUrl}/${asset}.pem`;
191 const sigFile = path.join(os.tmpdir(), `${asset}.sig`);
192 const certFile = path.join(os.tmpdir(), `${asset}.pem`);
194 await download(sigUrl, sigFile).catch(() => null);
195 await download(certUrl, certFile).catch(() => null);
197 if (!fs.existsSync(sigFile) || !fs.existsSync(certFile)) {
198 fs.rmSync(sigFile, { force: true });
199 fs.rmSync(certFile, { force: true });
201 if (process.env.CONTROLKEEL_REQUIRE_SIGNATURE === "1") {
202 throw new Error(`[controlkeel] No cosign signature/certificate available for ${asset}`);
209 execFileSync(cosignPath, [
210 "verify-blob", filePath,
211 "--signature", sigFile,
212 "--certificate", certFile,
213 "--certificate-identity-regexp", `^https://github.com/${repo}/.github/workflows/release.yml@refs/tags/v[0-9].*`,
214 "--certificate-oidc-issuer", "https://token.actions.githubusercontent.com"
HighSame File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
lib/install.jsView on unpkg · L200 215 ], { stdio: "pipe", timeout: 30000 });
217 console.log(`[controlkeel] Verified ${asset} signature (cosign keyless)`);
219 throw new Error(`[controlkeel] cosign signature verification failed for ${asset}`);