diff --git a/sign/action.yml b/sign/action.yml
index 5b06b44..a98bb9c 100644
--- a/sign/action.yml
+++ b/sign/action.yml
@@ -28,18 +28,21 @@ runs:
 username: ${{ github.actor }}
 password: ${{ inputs.registry-token }}
- - name: Install cosign
- uses: sigstore/cosign-installer@v3.3.0
-
 - name: Sign container image
 shell: bash
- run: |
- REGISTRY=$(echo ${{ inputs.registry }} | awk '{print tolower($0)}')
+ run: >-
+ REGISTRY=$(echo ${{ inputs.registry }} | awk '{print tolower($0)}');
 for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
- cosign sign -y --key env://COSIGN_PRIVATE_KEY $REGISTRY/${CONTAINER}@${TAGS}
+ docker run
+ -e "COSIGN_PRIVATE_KEY=$COSIGN_PRIVATE_KEY"
+ -e "REGISTRY=$REGISTRY"
+ -e "CONTAINER=$CONTAINER"
+ -e "TAGS=$TAGS"
+ cgr.dev/chainguard/cosign sign -y
+ --key $COSIGN_PRIVATE_KEY
+ $REGISTRY/${CONTAINER}@${TAGS};
 done
 env:
 CONTAINERS: ${{ inputs.containers }}
- COSIGN_EXPERIMENTAL: false
 COSIGN_PRIVATE_KEY: ${{ inputs.signing-secret }}
 TAGS: ${{ inputs.tags }}
diff --git a/verify/action.yml b/verify/action.yml
index e20a7ed..103a20f 100644
--- a/verify/action.yml
+++ b/verify/action.yml
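Review bot: `--key $COSIGN_PRIVATE_KEY` hands the key material itself to cosign as a command-line argument: the runner's bash expands the variable before `docker run` starts, so the PEM text is word-split into argv and exposed in the host process list and in the container's inspectable command line, whereas the removed line read it through the environment — the `-e` flag already places the variable inside the container, so the flag should stay `--key env://COSIGN_PRIVATE_KEY`. The image `cgr.dev/chainguard/cosign` is pulled with no tag or digest, while the installer it replaces was pinned to v3.3.0; a signing step should pin by digest (`cgr.dev/chainguard/cosign:<TAG>@sha256:<DIGEST>`, placeholders), and the same applies to both `docker run` lines in verify/action.yml. It is also unclear that the container can push the signature: the login step in the context above writes credentials into the host's Docker config, which the container only sees if that directory is mounted in — worth checking against a private registry before merging. Finally, `run: >-` folds lines into one command only when they sit at the block's base indentation; if the loop body is indented deeper than `REGISTRY=`, YAML keeps those line breaks and `docker run` executes on a line of its own, so `run: |` with `\` continuations is the safer shape (verify/action.yml has the same construction).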
@@ -26,35 +26,47 @@ inputs:
 runs:
 using: "composite"
 steps:
- - name: Install cosign
- uses: sigstore/cosign-installer@v3.3.0
-
 - name: Verify container
 shell: bash
- run: |
- REGISTRY=$(echo ${{ inputs.registry }} | awk '{print tolower($0)}')
- set -o pipefail
+ run: >-
+ REGISTRY=$(echo ${{ inputs.registry }} | awk '{print tolower($0)}');
+ set -o pipefail;
 if [[ -n "${{ inputs.cert-identity }}" && -n "${{ inputs.oidc-issuer }}" ]]; then
 for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
- if ! cosign verify $REGISTRY/${CONTAINER} --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }} | jq; then
- echo "NOTICE: Verification failed. Please ensure your public key is correct."
+ if ! docker run
+ -e "CERT_IDENTITY=${{ inputs.cert-identity }}"
+ -e "OIDC_ISSUER=${{ inputs.oidc-issuer }}"
+ -e "REGISTRY=$REGISTRY"
+ -e "CONTAINER=$CONTAINER"
+ cgr.dev/chainguard/cosign verify
+ --certificate-identity=$CERT_IDENTITY
+ --certificate-oidc-issuer=$OIDC_ISSUER
+ $REGISTRY/${CONTAINER} | jq;
+ then
+ echo "NOTICE: Verification failed. Please ensure your public key is correct.";
 if [[ "${{ matrix.fail-silently }}" != 'true' ]]; then
- exit 1
- fi
- fi
- done
+ exit 1;
+ fi;
+ fi;
+ done;
 elif [[ -n "${{ inputs.pubkey }}" ]]; then
 for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
- if ! cosign verify --key ${{ inputs.pubkey }} $REGISTRY/${CONTAINER} | jq; then
- echo "NOTICE: Verification failed. Please ensure your public key is correct."
+ if ! docker run
+ -e "PUBKEY=${{ inputs.pubkey }}"
+ -e "REGISTRY=$REGISTRY"
+ -e "CONTAINER=$CONTAINER"
+ cgr.dev/chainguard/cosign verify
+ --key $PUBKEY
+ $REGISTRY/${CONTAINER} | jq;
+ then
+ echo "NOTICE: Verification failed. 
Please ensure your public key is correct.";
 if [[ "${{ matrix.fail-silently }}" != 'true' ]]; then
- exit 1
- fi
- fi
- done
+ exit 1;
+ fi;
+ fi;
+ done;
 else
- exit 1
+ exit 1;
 fi
 env:
 CONTAINERS: ${{ inputs.containers }}
- COSIGN_EXPERIMENTAL: false
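Review bot: `--certificate-identity=$CERT_IDENTITY`, `--certificate-oidc-issuer=$OIDC_ISSUER` and `--key $PUBKEY` are expanded by the runner's bash before `docker run` is invoked, and those variables are not set on the host — the `-e` flags only define them inside the container — so cosign receives empty flag values, and `--key` would consume `$REGISTRY/${CONTAINER}` as its argument, meaning neither branch verifies what it claims to. The values need to exist on the host side: add `CERT_IDENTITY: ${{ inputs.cert-identity }}`, `OIDC_ISSUER: ${{ inputs.oidc-issuer }}` and `PUBKEY: ${{ inputs.pubkey }}` to the step's `env:` block and quote the expansions (`--certificate-identity="$CERT_IDENTITY"`), which also keeps the inputs out of the script text instead of splicing them in through `${{ }}`, so an input containing shell metacharacters can no longer change the command. If `inputs.pubkey` is a file path on the runner rather than a URL, the container cannot read it without a bind mount, which the old host-installed cosign did not need — worth confirming how callers pass it. The keyless branch's failure message still says "ensure your public key is correct", which misleads when the check that failed is the certificate identity/issuer; `echo "NOTICE: Verification failed for $CONTAINER (certificate identity/issuer check).";` would be clearer.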