ci: sign binaries and images with cosign

Signs using the GHA OIDC token provided by the
build. This verifies both where it is build and
the source that was used to build it from.

.github/workflows/release.yaml

@@ -7,6 +7,10 @@ on:
       - "v*"
 
 permissions:
+  # required for OIDC token used as the signing identity
+  id-token: write
+
+  # required to publish the release
   contents: write
 
 jobs:
@@ -27,6 +31,11 @@ jobs:
         with:
           go-version-file: go.mod
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3
+        with:
+          cosign-release: 'v2.4.0'
+
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:

.goreleaser.yaml

@@ -19,12 +19,30 @@ builds:
       - amd64
       - arm64
 
+# Sign with cosign -- this picks up the OIDC token from the environment in GHA.
+# If you do this locally, sign with an OAuth identity you don't mind being permanently
+# published to a transparency log.
+binary_signs:
+  - cmd: './ci-only.sh'
+    args:
+      - "cosign"
+      - "sign-blob"
+      - "${artifact}"
+      - "--bundle=${artifact}.cosign.bundle"
+      - "--yes" # needed on cosign 2.0.0+
+    output: false # the necessary output is the .cosign.bundle file
+
 checksum:
   name_template: "checksums.txt"
 
 archives:
   - format: tar.gz
     name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}"
+    files:
+      # cosign produces a bundle file to allow for verification of the artifacts
+      # this is included in the archive to allow for easier verification after download
+      - src: '{{ .ArtifactPath }}.cosign.bundle'
+        strip_parent: true
 
 changelog:
   disable: "{{ .Env.CHANGELOG_DISABLE }}"
@@ -49,8 +67,7 @@ release:
     If needed, binaries of this build (including Mac) can be found below.
 
 kos:
-  -
-    id: chinmina-bridge
+  - id: chinmina-bridge
     build: release
     working_dir: .
     base_image: cgr.dev/chainguard/static
@@ -77,3 +94,26 @@ kos:
 
     # Whether to use the base path without the MD5 hash after the repository name.
     base_import_paths: true
+
+# Sign with cosign -- this picks up the OIDC token from the environment in GHA.
+# If you do this locally, sign with an OAuth identity you don't mind being permanently
+# published to a transparency log.
+docker_signs:
+  - id: ko-signing
+
+    cmd: './ci-only.sh'
+    args:
+      - "cosign"
+      - "sign"
+      - "${artifact}"
+      - "--yes"
+
+    artifacts: all
+
+    ids:
+      # id of ko image above
+      - chinmina-bridge
+
+    # output is not necessary, as the signing is done in place, but it helps to
+    # provide the index in the transparency log.
+    output: true

ci-only.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+set -eu
+
+if [ "${CI:-false}" != "true" ]; then
+  echo "CI environment not detected, skipping script execution:"
+  echo "  --> $*"
+  exit 0
+fi
+
+# execute the parameters as the script
+exec "$@"