chore: Validate Chainguard's cosign image signatures before proceeding

Signed-off-by: RJ Sampson <rj.sampson@chainguard.dev>
EyeCantCU · Jul 2, 2024 · c4eb2bb · c4eb2bb
1 parent ab5ee40
commit c4eb2bb
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/sign/action.yml b/sign/action.yml
@@ -35,6 +35,15 @@ runs:
         CONTAINER_ID=$(docker run -d cgr.dev/chainguard/cosign:latest)
         docker cp "${CONTAINER_ID}":/usr/bin/cosign /usr/local/bin/cosign
 
+    - name: Validate cosign image signatures
+      shell: bash
+      run: |
+        set -o pipefail
+        if ! cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main>
+          echo "NOTICE: Failed to verify cosign image signatures."
+          exit 1
+        fi
+
     - name: Sign container image
       shell: bash
       run: |

diff --git a/verify/action.yml b/verify/action.yml
@@ -26,13 +26,22 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - name: Install cosign
+    - name: Fetch cosign from Chainguard
       shell: bash
       run: |
         docker pull cgr.dev/chainguard/cosign:latest
         CONTAINER_ID=$(docker run -d cgr.dev/chainguard/cosign:latest)
         docker cp "${CONTAINER_ID}":/usr/bin/cosign /usr/local/bin/cosign
 
+    - name: Validate cosign image signatures
+      shell: bash
+      run: |
+        set -o pipefail
+        if ! cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cosign | jq
+          echo "NOTICE: Failed to verify cosign image signatures."
+          exit 1
+        fi
+
     - name: Verify container
       shell: bash
       run: |