Also sign images with Cosign (#12)

* Add Cosign signing key

* Sign with the new keys

* Accept agreement to upload to T log

.github/workflows/build.yaml

@@ -23,6 +23,12 @@ jobs:
       - name: Checkout
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
+      - name: Install cosign
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+        with:
+          cosign-release: 'v2.4.1'
+
       - name: Build image
         id: build
         uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
@@ -58,7 +64,19 @@ jobs:
           subject-name: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ steps.build.outputs.image }}
           subject-digest: ${{ steps.push.outputs.digest }}
           push-to-registry: true
-
+
+      - name: Sign the published OCI image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          digest: ${{ steps.push.outputs.digest }}
+          fully_qualified_image_names_json: ${{ steps.push.outputs.registry-paths }} 
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        run: >
+          echo "${fully_qualified_image_names_json}" 
+          | jq -r '.[]' 
+          | xargs -I {} cosign sign --yes --key=env://COSIGN_PRIVATE_KEY "{}@${digest}"
+      
       - name: Echo outputs for auditing
         if: github.event_name != 'pull_request'
         run: |

Containerfile

@@ -1,6 +1,7 @@
 ARG silverblue_version=40
 FROM quay.io/fedora-ostree-desktops/silverblue:${silverblue_version}
 
+COPY cosign.pub /etc/pki/cosign/cosign.pub
 COPY overlay-root/etc/ /etc/
 
 RUN mkdir -p /var/opt \

README.md

@@ -12,3 +12,30 @@ When things start breaking eventually, get the new key with:
 ```
 wget -O overlay-root/etc/pki/rpm-gpg/google-linux-public-key.asc https://dl.google.com/linux/linux_signing_key.pub
 ```
+
+## Cosign Signing Keys
+
+The resulting container images are signed by Cosign.
+The keys were generated with the following command:
+
+```
+$ GITHUB_TOKEN="$(gh auth token)" COSIGN_PASSWORD="$(head -c 33 /dev/urandom | base64)" cosign generate-key-pair github://samhclark/custom-silverblue --output-file cosign.pub
+Password written to COSIGN_PASSWORD github actions secret
+Private key written to COSIGN_PRIVATE_KEY github actions secret
+Public key written to COSIGN_PUBLIC_KEY github actions secret
+Public key also written to cosign.pub
+```
+
+The key is included in the image at `/etc/pki/cosign/cosign.pub`. 
+You can also download the key with:
+
+```
+wget https://raw.githubusercontent.com/samhclark/custom-silverblue/refs/heads/main/cosign.pub
+```
+
+The SHA-256 checksum of the key that I originally created on October 18, 2024 is
+
+```
+$ sha256sum cosign.pub 
+55e391488bbbfe28209e09963edf38a612e306572b2dd72bbcc97402690ff000  cosign.pub
+```

cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeZFHiaCiaiJrPkLbyjpTKF9KFFex
+7o2M7HBLHUDHIdFIKVMkb1IOybx1bGrzdjUJ336Gh5Y5MRaSJhydIWsUww==
+-----END PUBLIC KEY-----