From acdb6860c5c0f84c4c08f0d5aeb81354d37b6720 Mon Sep 17 00:00:00 2001
From: RJ Sampson
Date: Mon, 1 Jul 2024 20:40:24 -0600
Subject: [PATCH] chore: Validate Chainguard's cosign image signatures before proceeding
Signed-off-by: RJ Sampson
---
 sign/action.yml | 11 ++++++++++-
 verify/action.yml | 11 ++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/sign/action.yml b/sign/action.yml
index bc34655..8744171 100644
--- a/sign/action.yml
+++ b/sign/action.yml
@@ -28,13 +28,22 @@ runs:
 username: ${{ github.actor }}
 password: ${{ inputs.registry-token }}
 
- - name: Install cosign
+ - name: Fetch cosign from Chainguard
 shell: bash
 run: |
 docker pull cgr.dev/chainguard/cosign:latest
 CONTAINER_ID=$(docker run -d cgr.dev/chainguard/cosign:latest)
 docker cp "${CONTAINER_ID}":/usr/bin/cosign /usr/local/bin/cosign
 
+ - name: Validate cosign image signatures
+ shell: bash
+ run: |
+ set -o pipefail
+ if ! cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cosign | jq; then
+ echo "NOTICE: Failed to verify cosign image signatures."
+ exit 1
+ fi
+
 - name: Sign container image
 shell: bash
 run: |
diff --git a/verify/action.yml b/verify/action.yml
index 69009aa..81cfb0b 100644
--- a/verify/action.yml
+++ b/verify/action.yml
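Review bot: The new `Validate cosign image signatures` step is circular: the `cosign` it runs is the binary the preceding step just copied out of the still-unverified `cgr.dev/chainguard/cosign:latest` image, so a substituted image can ship a cosign that simply reports success, and the image has in any case already been executed by `docker run -d` before the check runs. The reference handed to `cosign verify` is also the bare repo name, which the registry resolves again at verify time, rather than the digest of the image that was actually pulled, so the two resolutions need not agree. Bootstrap with a cosign obtained independently of this image (for example `sigstore/cosign-installer` pinned to a commit SHA), pull the image, verify the exact digest that was pulled, and only then run it and extract the binary; the issuer and identity flags themselves look right for Chainguard's release workflow. The enclosing `steps:` list continues outside the hunk.
```yaml
  # … a cosign obtained independently of this image (e.g. sigstore/cosign-installer pinned to a commit SHA) is installed first …
  - name: Fetch and verify cosign from Chainguard
    shell: bash
    run: |
      set -euo pipefail
      docker pull cgr.dev/chainguard/cosign:latest
      # Verify the digest that was actually pulled, not a tag the registry re-resolves.
      COSIGN_REF=$(docker inspect --format '{{index .RepoDigests 0}}' cgr.dev/chainguard/cosign:latest)
      if ! cosign verify \
          --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
          --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
          "${COSIGN_REF}" | jq; then
        echo "NOTICE: Failed to verify cosign image signatures."
        exit 1
      fi
      # Only the verified image is ever run.
      CONTAINER_ID=$(docker run -d "${COSIGN_REF}")
      docker cp "${CONTAINER_ID}":/usr/bin/cosign /usr/local/bin/cosign
  # … unchanged: Sign container image step …
```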
@@ -26,13 +26,22 @@ inputs:
 runs:
 using: "composite"
 steps:
- - name: Install cosign
+ - name: Fetch cosign from Chainguard
 shell: bash
 run: |
 docker pull cgr.dev/chainguard/cosign:latest
 CONTAINER_ID=$(docker run -d cgr.dev/chainguard/cosign:latest)
 docker cp "${CONTAINER_ID}":/usr/bin/cosign /usr/local/bin/cosign
 
+ - name: Validate cosign image signatures
+ shell: bash
+ run: |
+ set -o pipefail
+ if ! cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cosign | jq; then
+ echo "NOTICE: Failed to verify cosign image signatures."
+ exit 1
+ fi
+
 - name: Verify container
 shell: bash
 run: |
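Review bot: As in sign/action.yml, the `cosign verify` in the new step is executed by the binary just extracted from the very image it is verifying, after that image has already been started with `docker run -d`, so a tampered image is not caught; and it verifies the bare `cgr.dev/chainguard/cosign` name, which the registry resolves independently of the `:latest` that was pulled a step earlier. At minimum capture the pulled digest in the fetch step, `COSIGN_REF=$(docker inspect --format '{{index .RepoDigests 0}}' cgr.dev/chainguard/cosign:latest)`, export it with `echo "COSIGN_REF=${COSIGN_REF}" >> "$GITHUB_ENV"`, and pass `"${COSIGN_REF}"` to `cosign verify`; the verification itself should be performed by an independently obtained cosign before the image is run. Since this bootstrap block is now duplicated byte-for-byte across both actions, a single shared script would keep the issuer and identity constants from drifting. The enclosing `steps:` list continues past the end of the hunk.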