From 153f56871fd8083765b2d024cf7bbb4af1564064 Mon Sep 17 00:00:00 2001
From: Luca Comellini
Date: Fri, 4 Aug 2023 09:31:17 -0700
Subject: [PATCH] Sign checksum with cosign (#4181)
Adds config to sign artifacts. Since the checksum contains the SHAs of the artifacts, signing the checksums is enough to ensure that the artifacts were not modified. GoReleaser uses cosign to sign the artifact and uploads .sig and .pem to the release.
(cherry picked from commit d64b56661a229dd5f9777e6fbb5f17276ee85e45)
---
 .github/workflows/ci.yml | 9 ++++++++-
 .goreleaser.yml | 12 ++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ad513b8676..5354bdb2a0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -86,6 +86,9 @@ jobs:
 needs: [checks, unit-tests]
 outputs:
 release-url: ${{ steps.release-notes.outputs.release-url }}
+ permissions:
+ contents: write # for lucacome/draft-release and goreleaser/goreleaser-action to manage releases
+ id-token: write # for goreleaser/goreleaser-action to sign artifacts
 steps:
 - name: Checkout Repository
 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
@@ -99,7 +102,11 @@ jobs:
 - name: Download Syft
 uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
- if: startsWith(github.ref, 'refs/tags/')
+ if: github.ref_type == 'tag'
+
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
+ if: github.ref_type == 'tag'
 - name: Create/Update Draft
 uses: lucacome/draft-release@d13ccde6350706e32f451566ee5cd4bf5a27de3d # v0.2.1
diff --git a/.goreleaser.yml b/.goreleaser.yml
index eaac2c88bd..a6ec72e2fe 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
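Review bot: Declaring `permissions:` at the job level (the new block after `outputs:`) drops every scope not listed to `none`, so any later step of this job that relied on a default scope (for example `pull-requests` or `packages`) would now fail; the job's `steps:` continue outside the hunk, so confirm none of them does. `id-token: write` is also granted on every run of the job rather than only on tag refs where the Cosign step is gated, because GitHub has no step-level permissions; that is acceptable, but the comment should say so, e.g. `id-token: write # OIDC token for keyless cosign signing (only consumed on tag refs)`.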
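Review bot: Cosign is installed only when `github.ref_type == 'tag'`, but the `signs:` stanza this same patch adds to `.goreleaser.yml` is unconditional, so if the GoReleaser step later in this job (outside the hunk) also runs on non-tag refs it must skip signing there, for instance with `--skip-sign` or a matching `if:`, or it will fail to find `cosign`. That cannot be confirmed from the visible lines. The tag-only `if:` is now repeated on Download Syft and Install Cosign; a comment above the first of them such as `# SBOM and signing tooling is only needed for tagged release builds` would make the gating intent clear.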
@@ -117,6 +117,18 @@ blobs:
 extra_files:
 - glob: ./dist/**.spdx.json
+signs:
+ - cmd: cosign
+ artifacts: checksum
+ output: true
+ certificate: '${artifact}.pem'
+ args:
+ - sign-blob
+ - "--output-signature=${signature}"
+ - "--output-certificate=${certificate}"
+ - "${artifact}"
+ - "--yes"
+
 announce:
 slack:
 enabled: true
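Review bot: Nothing in the new `signs:` stanza tells a release consumer how to verify the uploaded `.sig`/`.pem`: this is a keyless Sigstore signature, so `cosign verify-blob` only proves provenance when the verifier pins `--certificate-identity` (this workflow's identity) and `--certificate-oidc-issuer`; without those, any keyless signature over the checksum file would verify. Add a comment above `signs:` such as `# keyless cosign signature of the checksum file; verify with cosign verify-blob, pinning --certificate-identity and --certificate-oidc-issuer` and repeat the verification command in the release notes. The comment could also state that `${artifact}`, `${signature}` and `${certificate}` are GoReleaser placeholders, not shell expansions, since the quoting makes them look like the latter. As a point of style, `certificate: '${artifact}.pem'` is single-quoted while every `args` entry is double-quoted; use one quoting style across the stanza.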