chore: add checksum signing

sign checksum to verify it's integrity
ublue-os · Feb 25, 2024 · 0811d47 · 0811d47
1 parent e36da20
commit 0811d47
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/.github/workflows/test-iso.yml b/.github/workflows/test-iso.yml
@@ -21,6 +21,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
     strategy:
       fail-fast: false
       matrix:
@@ -55,4 +56,4 @@ jobs:
         run: exit 1
       - name: Exit
         shell: bash
-        run: exit 0
+        run: exit 0
diff --git a/action.yml b/action.yml
@@ -74,6 +74,9 @@ runs:
         ref: ${{ inputs.ACTION_REF }}
         submodules: recursive
 
+    - name: install cosign
+      uses: sigstore/[email protected]
+
     - name: Install dependencies
       shell: bash
       run: make install-deps
@@ -124,6 +127,12 @@ runs:
         sha256sum ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso > ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-CHECKSUM
         mv ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso end_iso/
 
+    - name: sign checksum
+      shell: bash
+      run: |
+        cosign sign-blob ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-CHECKSUM --bundle ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.bundle
+        cosign verify-blob ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-CHECKSUM --bundle ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.bundle
+
     - name: Upload ISO as artifact
       uses: actions/upload-artifact@v4
       with: