feat: Use Chainguard's cosign image instead of cosign-installer

sign/action.yml

@@ -28,18 +28,14 @@ runs:
         username: ${{ github.actor }}
         password: ${{ inputs.registry-token }}
 
-    - name: Install cosign
-      uses: sigstore/cosign-installer@v3.3.0
-
     - name: Sign container image
       shell: bash
       run: |
         REGISTRY=$(echo ${{ inputs.registry }} | awk '{print tolower($0)}')
         for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
-          cosign sign -y --key env://COSIGN_PRIVATE_KEY $REGISTRY/${CONTAINER}@${TAGS}
+          podman run --env-host cgr.dev/chainguard/cosign sign -y --key env://COSIGN_PRIVATE_KEY $REGISTRY/${CONTAINER}@${TAGS}
         done
       env:
         CONTAINERS: ${{ inputs.containers }}
-        COSIGN_EXPERIMENTAL: false
         COSIGN_PRIVATE_KEY: ${{ inputs.signing-secret }}
         TAGS: ${{ inputs.tags }}

verify/Dockerfile

@@ -0,0 +1,5 @@
+FROM cgr.dev/chainguard/cosign:latest
+
+COPY verify.sh /tmp/verify.sh
+
+ENTRYPOINT ["/tmp/verify.sh"]

verify/action.yml

@@ -24,37 +24,12 @@ inputs:
     default: 'ghcr.io/ublue-os'
     required: true
 runs:
-  using: "composite"
-  steps:
-    - name: Install cosign
-      uses: sigstore/cosign-installer@v3.3.0
-
-    - name: Verify container
-      shell: bash
-      run: |
-        REGISTRY=$(echo ${{ inputs.registry }} | awk '{print tolower($0)}')
-        set -o pipefail
-        if [[ -n "${{ inputs.cert-identity }}" && -n "${{ inputs.oidc-issuer }}" ]]; then
-          for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
-            if ! cosign verify $REGISTRY/${CONTAINER} --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }} | jq; then
-              echo "NOTICE: Verification failed. Please ensure your public key is correct."
-              if [[ "${{ matrix.fail-silently }}" != 'true' ]]; then
-                exit 1
-              fi
-            fi
-          done
-        elif [[ -n "${{ inputs.pubkey }}" ]]; then
-          for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
-            if ! cosign verify --key ${{ inputs.pubkey }} $REGISTRY/${CONTAINER} | jq; then
-              echo "NOTICE: Verification failed. Please ensure your public key is correct."
-              if [[ "${{ matrix.fail-silently }}" != 'true' ]]; then
-                exit 1
-              fi
-            fi
-          done
-        else
-          exit 1
-        fi
-      env:
-        CONTAINERS: ${{ inputs.containers }}
-        COSIGN_EXPERIMENTAL: false
+  using: "docker"
+  image: "Dockerfile"
+  env:
+    CERT_IDENTITY: ${{ inputs.cert-identity }}
+    CONTAINERS: ${{ inputs.containers }}
+    FAIL_SILENTLY: ${{ inputs.fail-silently }}
+    PUBKEY: ${{ inputs.pubkey }}
+    OIDC_ISSUER: ${{ inputs.oidc-issuer }}
+    REGISTRY: ${{ inputs.registry }}

verify/verify.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+set -ouex pipefail
+
+REGISTRY=$(echo ${{ inputs.registry }} | awk '{print tolower($0)}')
+
+if [[ -n "$CERT_IDENTITY" && -n "$OIDC_ISSUER" ]]; then
+  for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
+    if cosign verify $REGISTRY/${CONTAINER} --certificate-identity=$CERT_IDENTITY --certificate-oidc-issuer=$OIDC_ISSUER | jq; then
+      echo "NOTICE: Verification failed. Please ensure your public key is correct."
+      if [[ "$FAIL_SILENTLY" != 'true' ]]; then
+        exit 1
+      fi
+    fi
+  done
+elif [[ -n "$PUBKEY" ]]; then
+  for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
+    if ! cosign verify --key $PUBKEY $REGISTRY/${CONTAINER} | jq; then
+      echo "NOTICE: Verification failed. Please ensure your public key is correct."
+      if [[ "$FAIL_SILENTLY" != 'true' ]]; then
+        exit 1
+      fi
+    fi
+  done
+else
+  exit 1
+fi