From b494b67aabff730efadae5f103a4944f92631a95 Mon Sep 17 00:00:00 2001
From: Prashant Rewar <108176843+prashantrewar@users.noreply.github.com>
Date: Thu, 18 Jan 2024 14:06:05 +0530
Subject: [PATCH] sign release artifacts using cosign (#877)

Signed-off-by: Prashant Rewar <108176843+prashantrewar@users.noreply.github.com>
---
 .github/workflows/release.yml | 13 +++++++
 .goreleaser.yml               | 66 +++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 25206c719..693938ad3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,6 +12,7 @@ jobs:
     # Set permissions of github token. See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions
     permissions:
       contents: write
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -22,6 +23,10 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: 1.21.5
+
+      - name: Set up Cosign
+        uses: sigstore/cosign-installer@v3
+            
       - name: Retrieve version
         run: |
           echo "TAG_NAME=$(echo ${{ github.ref }}  | grep -Eo 'v[0-9].*')" >> $GITHUB_OUTPUT
@@ -86,6 +91,14 @@ jobs:
             ${checksums['kapp-linux-arm64']}  ./kapp-linux-arm64
             ${checksums['kapp-windows-amd64.exe']}  ./kapp-windows-amd64.exe`
 
+      - name: Verify checksums signature
+        run: |
+          cosign verify-blob \
+            --cert dist/checksums.txt.pem \
+            --signature dist/checksums.txt.sig \
+            --certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com ./dist/checksums.txt      
+
       - name: verify uploaded artifacts
         if: startsWith(github.ref, 'refs/tags/')
         env:
diff --git a/.goreleaser.yml b/.goreleaser.yml
index e83e10aee..b359eafb6 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -35,6 +35,17 @@ checksum:
   name_template: 'checksums.txt'
   algorithm: sha256
   disable: false
+signs:
+  - artifacts: checksum
+    certificate: '${artifact}.pem'
+    cmd: cosign
+    args:
+      - sign-blob
+      - "--yes"
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+    output: true     
 snapshot:
   name_template: "{{ .Tag }}-next"
 release:
@@ -59,6 +70,61 @@ release:
   # Defaults to false.
   disable: false
 
+  header: |
+    <details>
+
+    <summary><h2>Installation and signature verification</h2></summary>
+
+    ### Installation
+    
+    #### By downloading binary from the release
+
+    For instance, if you are using Linux on an AMD64 architecture:
+    ```shell
+    # Download the binary
+    curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-linux-amd64
+
+    # Move the binary in to your PATH
+    mv kapp-linux-amd64 /usr/local/bin/kapp
+
+    # Make the binary executable
+    chmod +x /usr/local/bin/kapp
+    ```
+
+    #### Via Homebrew (macOS or Linux)
+    ```shell
+    $ brew tap carvel-dev/carvel
+    $ brew install kapp
+    $ kapp version  
+    ```
+
+    ### Verify checksums file signature
+
+    The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC(Refer [this](https://docs.sigstore.dev/system_config/installation/) page for cosign installation). To validate the signature of this file, run the following commands:
+
+    ```shell
+    # Download the checksums file, certificate and signature
+    curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt
+    curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt.pem
+    curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt.sig
+
+    # Verify the checksums file
+    cosign verify-blob checksums.txt \
+      --certificate checksums.txt.pem \
+      --signature checksums.txt.sig \
+      --certificate-identity-regexp=https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }} \
+      --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+    ```
+
+    ### Verify binary integrity
+
+    To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.
+    ```shell
+    # Verify the binary using the checksums file
+    sha256sum -c checksums.txt --ignore-missing
+    ```
+    </details>
+
 changelog:
   # Set it to true if you wish to skip the changelog generation.
   # This may result in an empty release notes on GitHub/GitLab/Gitea.