From 7e2ee54e5605cbc8b5776caafba580973a53f10c Mon Sep 17 00:00:00 2001
From: Marco Franssen
Date: Fri, 24 Dec 2021 14:21:33 +0100
Subject: [PATCH] Attest the container using cosign

Signed-off-by: Marco Franssen
---
 .github/workflows/ci.yaml | 31 ++++++++++++++++++++++++++++++-
 .gitignore                |  1 +
 cosign.pub                |  4 ++++
 3 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 cosign.pub

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 1dc8c7d0..1d975931 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -136,7 +136,12 @@ jobs:
         repo: ${{ fromJSON(needs.release.outputs.container_repos) }}
     steps:
-      - name: Generate provenance for Release
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v1.4.1
+        with:
+          cosign-release: 'v1.4.1'
+
+      - name: Generate provenance for ${{ matrix.repo }}
         uses: philips-labs/slsa-provenance-action@v0.4.0
         with:
           command: generate
@@ -146,6 +151,30 @@ jobs:
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Login to Container registries
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u philipssoftware --password-stdin
+          echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io
+
+      - name: Attach provenance to image
+        run: |
+          echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
+          cosign attest --predicate provenance.json --key cosign.key ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+
+      - name: Verify attestation
+        run: |
+          echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
+          cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
+
+      - name: Logout from Container registries
+        if: ${{ always() }}
+        run: |
+          docker logout
+          docker logout ghcr.io
+
   provenance:
     name: provenance
     needs: [release]
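Review bot: The new `Install cosign` step references `sigstore/cosign-installer@v1.4.1` by a mutable tag; since this action installs the tool that produces the release's signed attestation, pin it to the full commit SHA of that release and keep the tag in a trailing comment, e.g. `uses: sigstore/cosign-installer@<commit-sha-of-v1.4.1>  # v1.4.1`, so a moved or re-pushed tag cannot swap the installer. The `cosign-release: 'v1.4.1'` input already fixes the binary version, so the action reference is the only loose end here. The same remark applies to `philips-labs/slsa-provenance-action@v0.4.0` on the context line below, although that reference is not changed by this commit. The enclosing job's header and matrix definition are outside the hunk.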
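Review bot: `Attach provenance to image` and `Verify attestation` run unconditionally while the preceding `Login to Container registries` step is gated on `if: startsWith(github.ref, 'refs/tags/')`, so any run that reaches this job on a non-tag ref will execute `cosign attest` without registry credentials and fail; either put the same `if:` on both steps or drop it from the login step (whether non-tag runs reach this job depends on the job-level condition, which is outside the hunk). The signing key is also materialized by expanding `${{ secrets.COSIGN_PRIVATE_KEY }}` inside the `run:` script and then left on disk as `cosign.key` for the rest of the job; passing it through `env:` and referencing it as `--key env://COSIGN_PRIVATE_KEY` (cosign's `--key` accepts this scheme; confirm for the pinned release) keeps the key out of the generated shell script and off the filesystem, and failing that an `always()` step should `rm -f cosign.key`. Lastly, `Verify attestation` overwrites the `cosign.pub` this commit adds to the repository with a copy taken from `secrets.COSIGN_PUBLIC_KEY`; verifying against the committed file checks the key that consumers will actually use and removes a secret that does not need to be one.

```yaml
      # … unchanged: login step …

      - name: Attach provenance to image
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          cosign attest --predicate provenance.json --key env://COSIGN_PRIVATE_KEY ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

      - name: Verify attestation
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}

      # … unchanged: logout step …
```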
diff --git a/.gitignore b/.gitignore
index 36d8bb6d..4ce7da0e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ dist/
 coverage.out
 .DS_Store
 .env
+cosign.key
diff --git a/cosign.pub b/cosign.pub
new file mode 100644
index 00000000..7a71055a
--- /dev/null
+++ b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEP1QqZaWSrMJKZkqoAbr5zq4bV4KW
+9Vj+FQotHLTsxIM16+OAx8NbUOzmga9aaKEtAee5wXD3dvWpFX0gKXMBqA==
+-----END PUBLIC KEY-----