From a2c2e43853cf95c417fbaa6605314439fb55d1d3 Mon Sep 17 00:00:00 2001
From: RJ Trujillo
Date: Sat, 6 Jan 2024 20:02:17 -0700
Subject: [PATCH] feat: Use Chainguard's cosign image instead of cosign-installer

---
 sign/action.yml | 6 +-----
 verify/Dockerfile | 5 +++++
 verify/action.yml | 43 +++++++++----------------------------------
 verify/verify.sh | 27 +++++++++++++++++++++++++++
 4 files changed, 42 insertions(+), 39 deletions(-)
 create mode 100644 verify/Dockerfile
 create mode 100755 verify/verify.sh

diff --git a/sign/action.yml b/sign/action.yml
index 5b06b44..7ffb299 100644
--- a/sign/action.yml
+++ b/sign/action.yml
@@ -28,18 +28,14 @@ runs:
 username: ${{ github.actor }}
 password: ${{ inputs.registry-token }}
 
- - name: Install cosign
- uses: sigstore/cosign-installer@v3.3.0
-
 - name: Sign container image
 shell: bash
 run: |
 REGISTRY=$(echo ${{ inputs.registry }} | awk '{print tolower($0)}')
 for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
- cosign sign -y --key env://COSIGN_PRIVATE_KEY $REGISTRY/${CONTAINER}@${TAGS}
+ podman run --env-host cgr.dev/chainguard/cosign sign -y --key env://COSIGN_PRIVATE_KEY $REGISTRY/${CONTAINER}@${TAGS}
 done
 env:
 CONTAINERS: ${{ inputs.containers }}
- COSIGN_EXPERIMENTAL: false
 COSIGN_PRIVATE_KEY: ${{ inputs.signing-secret }}
 TAGS: ${{ inputs.tags }}
diff --git a/verify/Dockerfile b/verify/Dockerfile
new file mode 100644
index 0000000..75aa776
--- /dev/null
+++ b/verify/Dockerfile
@@ -0,0 +1,5 @@
+FROM cgr.dev/chainguard/cosign:latest
+
+COPY verify.sh /tmp/verify.sh
+
+ENTRYPOINT ["/tmp/verify.sh"]
diff --git a/verify/action.yml b/verify/action.yml
index e20a7ed..e48d8a9 100644
--- a/verify/action.yml
+++ b/verify/action.yml
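Review bot: The new `podman run --env-host cgr.dev/chainguard/cosign sign …` line runs the signer from an unpinned tag and hands the container the runner's entire environment, not just the key; pin the image by digest and pass only what cosign reads, e.g. `podman run -e COSIGN_PRIVATE_KEY cgr.dev/chainguard/cosign@sha256:<digest> sign -y --key env://COSIGN_PRIVATE_KEY $REGISTRY/${CONTAINER}@${TAGS}`. Also check that cosign inside the container can still push the signature: the login step whose `username:`/`password:` lines are this hunk's context stores credentials on the host, and nothing here mounts that auth file or points `REGISTRY_AUTH_FILE`/`DOCKER_CONFIG` at it, so the push presumably fails as unauthorized. The `runs:` block this step belongs to starts before the hunk.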
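Review bot: `FROM cgr.dev/chainguard/cosign:latest` floats the tool that decides whether a signature is trusted on a mutable tag, so the verifier can change under the action without review; pin it, `FROM cgr.dev/chainguard/cosign@sha256:<digest>`, and let a dependency bot propose bumps. The entrypoint copied here starts with `#!/usr/bin/env bash` and pipes through `awk`, `tr` and `jq`; Chainguard publishes this image as a minimal one, so confirm those binaries are actually present, otherwise every run fails at exec time rather than with a verification result. `/tmp/verify.sh` works, but `/usr/local/bin/verify.sh` is the conventional location for an entrypoint and avoids tmpfs or cleanup surprises.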
@@ -24,37 +24,12 @@ inputs:
 default: 'ghcr.io/ublue-os'
 required: true
 runs:
- using: "composite"
- steps:
- - name: Install cosign
- uses: sigstore/cosign-installer@v3.3.0
-
- - name: Verify container
- shell: bash
- run: |
- REGISTRY=$(echo ${{ inputs.registry }} | awk '{print tolower($0)}')
- set -o pipefail
- if [[ -n "${{ inputs.cert-identity }}" && -n "${{ inputs.oidc-issuer }}" ]]; then
- for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
- if ! cosign verify $REGISTRY/${CONTAINER} --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }} | jq; then
- echo "NOTICE: Verification failed. Please ensure your public key is correct."
- if [[ "${{ matrix.fail-silently }}" != 'true' ]]; then
- exit 1
- fi
- fi
- done
- elif [[ -n "${{ inputs.pubkey }}" ]]; then
- for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
- if ! cosign verify --key ${{ inputs.pubkey }} $REGISTRY/${CONTAINER} | jq; then
- echo "NOTICE: Verification failed. Please ensure your public key is correct."
- if [[ "${{ matrix.fail-silently }}" != 'true' ]]; then
- exit 1
- fi
- fi
- done
- else
- exit 1
- fi
- env:
- CONTAINERS: ${{ inputs.containers }}
- COSIGN_EXPERIMENTAL: false
+ using: "docker"
+ image: "Dockerfile"
+ env:
+ CERT_IDENTITY: ${{ inputs.cert-identity }}
+ CONTAINERS: ${{ inputs.containers }}
+ FAIL_SILENTLY: ${{ inputs.fail-silently }}
+ PUBKEY: ${{ inputs.pubkey }}
+ OIDC_ISSUER: ${{ inputs.oidc-issuer }}
+ REGISTRY: ${{ inputs.registry }}
diff --git a/verify/verify.sh b/verify/verify.sh
new file mode 100755
index 0000000..c491dee
--- /dev/null
+++ b/verify/verify.sh
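Review bot: `FAIL_SILENTLY: ${{ inputs.fail-silently }}` is the first time this input actually reaches the verifier: the removed composite steps read `matrix.fail-silently`, which is never populated inside an action, so a failed signature check was always fatal before. Any caller already passing `fail-silently: true` silently changes behaviour with this commit, so check the input's declaration above the hunk and document on it that `true` downgrades a failed verification to a notice, e.g. `description: "When 'true', a failed signature check is logged but does not fail the job"`. Moving inputs into `env:` instead of interpolating them into a `run:` body is the right call; the `inputs:` mapping this hunk opens in begins before the hunk.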
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+set -ouex pipefail
+
+REGISTRY=$(echo ${{ inputs.registry }} | awk '{print tolower($0)}')
+
+if [[ -n "$CERT_IDENTITY" && -n "$OIDC_ISSUER" ]]; then
+ for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
+ if cosign verify $REGISTRY/${CONTAINER} --certificate-identity=$CERT_IDENTITY --certificate-oidc-issuer=$OIDC_ISSUER | jq; then
+ echo "NOTICE: Verification failed. Please ensure your public key is correct."
+ if [[ "$FAIL_SILENTLY" != 'true' ]]; then
+ exit 1
+ fi
+ fi
+ done
+elif [[ -n "$PUBKEY" ]]; then
+ for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
+ if ! cosign verify --key $PUBKEY $REGISTRY/${CONTAINER} | jq; then
+ echo "NOTICE: Verification failed. Please ensure your public key is correct."
+ if [[ "$FAIL_SILENTLY" != 'true' ]]; then
+ exit 1
+ fi
+ fi
+ done
+else
+ exit 1
+fi
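Review bot: The keyless branch drops the `!` the removed composite step had, so `if cosign verify … | jq; then` now treats a verified signature as a failure and, worse, lets an image whose signature does not verify pass without a word; restore it as `if ! cosign verify "$REGISTRY/${CONTAINER}" --certificate-identity="$CERT_IDENTITY" --certificate-oidc-issuer="$OIDC_ISSUER" | jq; then`. Four lines earlier, `REGISTRY=$(echo ${{ inputs.registry }} | …)` is a GitHub Actions expression pasted into a plain shell script; bash rejects `${{` as a bad substitution and the script exits before any verification runs, so read the value the action already exports: `REGISTRY=$(echo "$REGISTRY" | awk '{print tolower($0)}')`. The failure notice in that branch still says "ensure your public key is correct", which misleads for keyless verification, and the final `else` exits 1 without explaining itself; an `echo "ERROR: set either pubkey, or cert-identity and oidc-issuer" >&2` there saves a debugging round-trip. With `set -x` on, every expanded argument lands in the job log, which is fine for public keys and identities but worth a one-line comment so nobody later routes a secret through this script.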