From a762b8a2e82d1cb7534b61b8ba48b98c2f029c0c Mon Sep 17 00:00:00 2001
From: Prashant Rewar <108176843+prashantrewar@users.noreply.github.com>
Date: Wed, 10 Jan 2024 00:42:48 +0530
Subject: [PATCH] sign release artifacts using cosign

Signed-off-by: Prashant Rewar <108176843+prashantrewar@users.noreply.github.com>
---
 .github/workflows/release.yml | 13 +++++++++++++
 .goreleaser.yml               | 11 +++++++++++
 2 files changed, 24 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 607bee50..60630340 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,6 +11,7 @@ jobs:
     # Set permissions of github token. See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions
     permissions:
       contents: write
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -21,6 +22,10 @@ jobs:
         uses: actions/setup-go@v3
         with:
           go-version: 1.21.3
+
+      - name: Set up Cosign
+        uses: sigstore/cosign-installer@v3
+
       - name: Retrieve version
         run: |
           echo "TAG_NAME=$(echo ${{ github.ref }}  | grep -Eo 'v[0-9].*')" >> $GITHUB_OUTPUT
@@ -89,6 +94,14 @@ jobs:
             ${checksums['kbld-linux-arm64']}  ./kbld-linux-arm64
             ${checksums['kbld-windows-amd64.exe']}  ./kbld-windows-amd64.exe
             ${checksums['kbld-windows-arm64.exe']}  ./kbld-windows-arm64.exe`
+      
+      - name: Verify checksums signature
+        run: |
+          cosign verify-blob \
+            --cert dist/checksums.txt.pem \
+            --signature dist/checksums.txt.sig \
+            --certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com ./dist/checksums.txt      
 
       - name: verify uploaded artifacts
         if: startsWith(github.ref, 'refs/tags/')
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 9fa1e1fe..d80b568d 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -31,6 +31,17 @@ checksum:
   name_template: 'checksums.txt'
   algorithm: sha256
   disable: false
+signs:
+  - artifacts: checksum
+    certificate: '${artifact}.pem'
+    cmd: cosign
+    args:
+      - sign-blob
+      - "--yes"
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+    output: true  
 snapshot:
   name_template: "{{ .Tag }}-next"
 release: