chore: add checksum signing

BobyMCbobs · BobyMCbobs · commit e896df684079 · 2024-02-26T14:04:02.000+13:00
sign checksum to verify it's integrity
diff --git a/.github/workflows/test-iso.yml b/.github/workflows/test-iso.yml
@@ -18,9 +18,14 @@ jobs:
     container:
       image: fedora:39
       options: "--privileged"
+      env:
+        GITHUB_HOST: ${{ github.server_url }}
+        ACTIONS_ID_TOKEN_REQUEST_TOKEN: ${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN }}
+        ACTIONS_ID_TOKEN_REQUEST_URL: ${{ env.ACTIONS_ID_TOKEN_REQUEST_URL }}
     permissions:
       contents: read
       packages: write
+      id-token: write
     strategy:
       fail-fast: false
       matrix:
@@ -55,4 +60,4 @@ jobs:
         run: exit 1
       - name: Exit
         shell: bash
-        run: exit 0
+        run: exit 0
diff --git a/action.yml b/action.yml
@@ -74,6 +74,9 @@ runs:
         ref: ${{ inputs.ACTION_REF }}
         submodules: recursive
 
+    - name: install cosign
+      uses: sigstore/cosign-installer@v3.4.0
+
     - name: Install dependencies
       shell: bash
       run: make install-deps
@@ -124,6 +127,18 @@ runs:
         sha256sum ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso > ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-CHECKSUM
         mv ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso end_iso/
 
+    - name: sign checksum
+      shell: bash
+      env:
+        COSIGN_YES: "true"
+      run: |
+        cosign sign-blob ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-CHECKSUM --bundle ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.bundle
+        cosign verify-blob \
+          ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-CHECKSUM \
+          --bundle ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.bundle
+          --certificate-identity-regexp 'https://github.com/${{ github.workflow_ref }}' \
+          --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'
+
     - name: Upload ISO as artifact
       uses: actions/upload-artifact@v4
       with:
