From 369c9cd1e97fef79323c0c688777a6cb3a28231c Mon Sep 17 00:00:00 2001
From: Prashant Rewar <108176843+prashantrewar@users.noreply.github.com>
Date: Tue, 26 Dec 2023 21:25:48 +0530
Subject: [PATCH] sign release artifacts using cosign

Signed-off-by: Prashant Rewar <108176843+prashantrewar@users.noreply.github.com>
---
 .github/workflows/release.yml | 17 +++++++++++++++++
 .goreleaser.yml               | 13 +++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 25206c719..86d7269bd 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,6 +12,7 @@ jobs:
     # Set permissions of github token. See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions
     permissions:
       contents: write
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -22,6 +23,10 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: 1.21.5
+
+      - name: Set up Cosign
+        uses: sigstore/cosign-installer@v3
+
       - name: Retrieve version
         run: |
           echo "TAG_NAME=$(echo ${{ github.ref }} | grep -Eo 'v[0-9].*')" >> $GITHUB_OUTPUT
@@ -86,6 +91,18 @@ jobs:
             ${checksums['kapp-linux-arm64']} ./kapp-linux-arm64
             ${checksums['kapp-windows-amd64.exe']} ./kapp-windows-amd64.exe`
 
+      - name: Sign checksums.txt
+        run: |
+          cosign sign-blob --yes ./tmp/checksums.txt --output-certificate release/checksums.txt.pem --output-signature release/checksums.txt.sig
+
+      - name: Verify checksums signature
+        run: |
+          cosign verify-blob \
+            --cert release/checksums.txt.pem \
+            --signature release/checksums.txt.sig \
+            --certificate-identity-regexp=https://github.com/carvel-dev \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com ./tmp/checksums.txt
+
       - name: verify uploaded artifacts
         if: startsWith(github.ref, 'refs/tags/')
         env:
diff --git a/.goreleaser.yml b/.goreleaser.yml
index e83e10aee..c25387eb1 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
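Review bot: The new `Set up Cosign` step pulls `sigstore/cosign-installer@v3`, a mutable major-version tag, and that action now sits on the release trust path: whatever it installs produces the signatures consumers will verify. Pinning the action to a full commit SHA (with the tag kept in a trailing comment) and fixing the cosign version through the installer's `cosign-release` input makes the signing toolchain reproducible and turns a changed installer into a visible diff. The other actions in this file are referenced by tag as well, so this would be a deliberate exception for the signing tool rather than a file-wide convention; the steps list continues outside the hunk.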
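Review bot: The verification step's `--certificate-identity-regexp=https://github.com/carvel-dev` is unanchored and accepts the certificate identity of any workflow in any carvel-dev repository (or any identity that merely contains that prefix), so it does not establish that the signature came from this release workflow. Anchoring it to the workflow identity, e.g. `--certificate-identity-regexp='^https://github.com/carvel-dev/kapp/\.github/workflows/release\.yml@refs/tags/v.*$'` (repository name inferred from the `kapp-*` artifact names), pins the signer to this file on a tag ref, and the same command is what users should be given as the documented `cosign verify-blob` invocation in the release notes. Separately, this step signs `./tmp/checksums.txt` into `release/checksums.txt.pem`/`.sig` while the `signs:` block added in `.goreleaser.yml` also has goreleaser sign its checksum artifact into `${artifact}.pem`/`.sig`, so two independent signatures of presumably the same file are produced and only the workflow-made pair is verified here; if both are published the names collide, and keeping one signing path leaves consumers a single artifact pair to check. Whether the `release/` directory exists before the sign step depends on earlier steps outside the hunk.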
@@ -35,6 +35,19 @@ checksum:
   name_template: 'checksums.txt'
   algorithm: sha256
   disable: false
+
+signs:
+  - artifacts: checksum
+    certificate: '${artifact}.pem'
+    cmd: cosign
+    args:
+      - sign-blob
+      - "--yes"
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+    output: true
+
 snapshot:
   name_template: "{{ .Tag }}-next"
 release:
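Review bot: The `args` list quotes `"--yes"` with double quotes while its neighbours use single quotes; none of these values need escape processing, so `- '--yes'` keeps one style within the list. A short comment above `signs:` stating that this is Sigstore keyless signing of the checksum file only (the binaries are covered through their sha256 entries in it) and that `cosign` must be on PATH when goreleaser runs, which the workflow's `Set up Cosign` step provides, would spare the next maintainer from rediscovering the cross-file dependency. The surrounding `checksum:` and `snapshot:` stanzas are unchanged context.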