feat: Use Chainguard's cosign image, drop dependency on cosign-installer

sign/action.yml

@@ -28,18 +28,21 @@ runs:
         username: ${{ github.actor }}
         password: ${{ inputs.registry-token }}
 
-    - name: Install cosign
-      uses: sigstore/cosign-installer@v3.3.0
-
     - name: Sign container image
       shell: bash
-      run: |
-        REGISTRY=$(echo ${{ inputs.registry }} | awk '{print tolower($0)}')
+      run: >-
+        REGISTRY=$(echo ${{ inputs.registry }} | awk '{print tolower($0)}');
         for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
-          cosign sign -y --key env://COSIGN_PRIVATE_KEY $REGISTRY/${CONTAINER}@${TAGS}
+          docker run \
+            -e "COSIGN_PRIVATE_KEY=$COSIGN_PRIVATE_KEY" \
+            -e "REGISTRY=$REGISTRY" \
+            -e "CONTAINER=$CONTAINER" \
+            -e "TAGS=$TAGS" \
+            cgr.dev/chainguard/cosign sign -y \
+            --key $COSIGN_PRIVATE_KEY \
+            $REGISTRY/${CONTAINER}@${TAGS};
         done
       env:
         CONTAINERS: ${{ inputs.containers }}
-        COSIGN_EXPERIMENTAL: false
         COSIGN_PRIVATE_KEY: ${{ inputs.signing-secret }}
         TAGS: ${{ inputs.tags }}

verify/action.yml

@@ -26,35 +26,47 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - name: Install cosign
-      uses: sigstore/cosign-installer@v3.3.0
-
     - name: Verify container
       shell: bash
-      run: |
-        REGISTRY=$(echo ${{ inputs.registry }} | awk '{print tolower($0)}')
-        set -o pipefail
+      run: >-
+        REGISTRY=$(echo ${{ inputs.registry }} | awk '{print tolower($0)}');
+        set -o pipefail;
         if [[ -n "${{ inputs.cert-identity }}" && -n "${{ inputs.oidc-issuer }}" ]]; then
           for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
-            if ! cosign verify $REGISTRY/${CONTAINER} --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }} | jq; then
-              echo "NOTICE: Verification failed. Please ensure your public key is correct."
+            if ! docker run \
+                   -e "CERT_IDENTITY=${{ inputs.cert-identity }}" \
+                   -e "OIDC_ISSUER=${{ inputs.oidc-issuer }}" \
+                   -e "REGISTRY=$REGISTRY" \
+                   -e "CONTAINER=$CONTAINER" \
+                   cgr.dev/chainguard/cosign verify \
+                   --certificate-identity=$CERT_IDENTITY \
+                   --certificate-oidc-issuer=$OIDC_ISSUER \
+                   $REGISTRY/${CONTAINER} | jq;
+              then
+              echo "NOTICE: Verification failed. Please ensure your public key is correct.";
               if [[ "${{ matrix.fail-silently }}" != 'true' ]]; then
-                exit 1
-              fi
-            fi
-          done
+                exit 1;
+              fi;
+            fi;
+          done;
         elif [[ -n "${{ inputs.pubkey }}" ]]; then
           for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
-            if ! cosign verify --key ${{ inputs.pubkey }} $REGISTRY/${CONTAINER} | jq; then
-              echo "NOTICE: Verification failed. Please ensure your public key is correct."
+            if ! docker run \
+                   -e "PUBKEY=${{ inputs.pubkey }}" \
+                   -e "REGISTRY=$REGISTRY" \
+                   -e "CONTAINER=$CONTAINER" \
+                   cgr.dev/chainguard/cosign verify \
+                   --key $PUBKEY \
+                   $REGISTRY/${CONTAINER} | jq;
+              then
+              echo "NOTICE: Verification failed. Please ensure your public key is correct.";
               if [[ "${{ matrix.fail-silently }}" != 'true' ]]; then
-                exit 1
-              fi
-            fi
-          done
+                exit 1;
+              fi;
+            fi;
+          done;
         else
-          exit 1
+          exit 1;
         fi
       env:
         CONTAINERS: ${{ inputs.containers }}
-        COSIGN_EXPERIMENTAL: false