From 13825dacda125941418e63f6338c4f3837cfc2a7 Mon Sep 17 00:00:00 2001
From: Thomas Desrosiers
Date: Sun, 3 Jul 2022 22:41:48 -0700
Subject: [PATCH] Use cosign to verify upstream container
---
 .github/workflows/ci.yml | 9 +++++++++
 minisign-container-cosign.pub | 4 ++++
 2 files changed, 13 insertions(+)
 create mode 100644 minisign-container-cosign.pub
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e268ca0..c282065 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,15 @@ on:
 name: CI
 jobs:
+ verify_container_signatures:
+ name: "Verify upstream container's published signature matches"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: sigstore/cosign-installer@main
+ - run: |
+ cosign verify --key ./minisign-container-cosign.pub jedisct1/minisign@sha256:fab787053d0c6f600eb86344add051927caa729f1f73ebaba4aa42e0e7402609
+
 verify:
 name: "Verify"
 runs-on: ubuntu-latest
diff --git a/minisign-container-cosign.pub b/minisign-container-cosign.pub
new file mode 100644
index 0000000..2103773
--- /dev/null
+++ b/minisign-container-cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExjZWrlc6c58W7ZzmQnx6mugty99C
+OQTDtJeciX9LF9hEbs1J1fzZHRdRhV4OTqcq0jTW9PXnrSSZlk1fbkE/5w==
+-----END PUBLIC KEY-----
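Review bot: The step `- uses: sigstore/cosign-installer@main` tracks a mutable branch, so the tool whose verdict this job trusts is itself fetched unpinned on every run; pin it to a release tag or, better, a full commit SHA, e.g. `- uses: sigstore/cosign-installer@<release-tag-or-commit-sha>  # pinned: cosign is this job's trust anchor`, and the same pinning applies to the new `actions/checkout@v2` line. The image reference is already pinned by digest, which is the right complement to signature verification. A failed verification only protects the build if the jobs that actually consume `jedisct1/minisign` declare `needs: verify_container_signatures`; the `verify` job's body continues outside the hunk, so I cannot see from here whether that dependency exists and it is worth confirming. Minor style point: `run: |` wraps a single command, so a plain `run: cosign verify --key ./minisign-container-cosign.pub jedisct1/minisign@sha256:…` would read the same without the block scalar.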
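Review bot: Nothing in the commit records where `minisign-container-cosign.pub` was obtained or how it was cross-checked, so a later reader cannot distinguish the upstream project's real cosign key from a substituted one, and the new verification job is only as strong as that provenance. I would add a short note (commit message or README) naming the upstream location the key was fetched from, the date, and the key's fingerprint, so that a rotation or compromise of the upstream key can be recognised rather than silently failing verification. The file itself appears to be a bare PEM public-key block, which is the form `cosign verify --key` accepts, so its contents need no change.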