Add signatures for keyless signing (#1361)

.github/workflows/release.yml

@@ -7,6 +7,10 @@ on:
     tags:
     - v*.*.*
 
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
@@ -19,6 +23,10 @@ jobs:
       uses: actions/setup-go@v3
       with:
         go-version: 1.18
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@v2.2.1
+      with:
+        cosign-release: 'v1.7.2'
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@v2
       with:

.goreleaser.yml

@@ -22,6 +22,19 @@ changelog:
   skip: true
 checksum:
   name_template: 'checksums.txt'
+signs:
+  - cmd: cosign
+    env:
+    - COSIGN_EXPERIMENTAL=1
+    signature: '${artifact}.keyless.sig'
+    certificate: '${artifact}.pem'
+    output: true
+    artifacts: checksum
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
 release:
   github:
     owner: terraform-linters

README.md

@@ -36,6 +36,25 @@ Chocolatey (Windows):
 choco install tflint
 ```
 
+### Verification
+
+GnuPG
+
+```
+gpg --import 8CE69160EB3F2FE9.key
+gpg --verify checksum.txt.sig checksum.txt
+sha256sum --ignore-missing -c checksums.txt
+```
+
+Cosign (experimental)
+
+```
+COSIGN_EXPERIMENTAL=1 cosign verify-blob --signature checksums.txt.keyless.sig checksums.txt
+sha256sum --ignore-missing -c checksums.txt
+```
+
+**IMPORTANT:** Keyless Signing is in development and you should not completely trust this way. For instance, you have not validated the OIDC subject claim, so it is not guaranteed to be the public key issued by the maintainers.
+
 ### Docker
 
 Instead of installing directly, you can use the Docker images: