fix: sign manifest with cosign (#245)

--enforce-container-sigpolicy is failing due to a missing signature. This PR signs the manifests as well as the image, which should allow us to enforce signatures during rebases and updates. Due to running the manifest step in a container, and Cosign not working well in said container, I've moved the sign step to a separate job which is completed after pushing the manifest. --------- Co-authored-by: Tulip Blossom <[email protected]>
ublue-os · Feb 3, 2025 · 33b2562 · 33b2562
1 parent 8157f31
commit 33b2562
Showing 1 changed file with 37 additions and 1 deletion.
diff --git a/.github/workflows/reusable-build-image.yml b/.github/workflows/reusable-build-image.yml
@@ -222,6 +222,9 @@ jobs:
       contents: read
       packages: write
       id-token: write
+    outputs:
+      image: ${{ steps.push_manifest.outputs.IMAGE }}
+      digest: ${{ steps.push_manifest.outputs.DIGEST }}
     steps:
       - name: Install dependencies
         run: |
@@ -342,12 +345,45 @@ jobs:
 
       - name: Push Manifest
         if: github.event_name != 'pull_request'
+        id: push_manifest
         env:
           MANIFEST: ${{ steps.create-manifest.outputs.MANIFEST }}
           TAGS: ${{ steps.metadata.outputs.tags }}
           IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }}
           IMAGE_NAME: ${{ env.IMAGE_NAME }}
         run: |
           while IFS= read -r tag; do
-            podman manifest push --all=false $MANIFEST $IMAGE_REGISTRY/$IMAGE_NAME:$tag
+            podman manifest push --all=false --digestfile=/tmp/digestfile $MANIFEST $IMAGE_REGISTRY/$IMAGE_NAME:$tag
           done <<< "$TAGS"
+
+          DIGEST=$(cat /tmp/digestfile)
+          echo "DIGEST=$DIGEST" >> $GITHUB_OUTPUT
+          echo "IMAGE=$IMAGE_REGISTRY/$IMAGE_NAME" >> $GITHUB_OUTPUT
+
+  # Cosign throws errors when ran inside the Fedora container for one reason or another
+  # so we move this to another step in order to run on Ubuntu
+  sign:
+    needs: manifest
+    if: github.event_name != 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    steps:
+      - name: Login to GHCR
+        run: |
+          echo ${{ secrets.GITHUB_TOKEN }} | docker login -u ${{ github.actor }} --password-stdin ghcr.io
+          echo ${{ secrets.GITHUB_TOKEN }} | podman login -u ${{ github.actor }} --password-stdin ghcr.io
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+
+      - name: Sign Manifest
+        run: |
+          cosign sign -y --key env://COSIGN_PRIVATE_KEY $IMAGE@$DIGEST
+        env:
+          DIGEST: ${{ needs.manifest.outputs.digest }}
+          IMAGE: ${{ needs.manifest.outputs.image }}
+          COSIGN_EXPERIMENTAL: false
+          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}