chore: add checksum signing

.github/workflows/test-iso.yml

@@ -18,9 +18,14 @@ jobs:
     container:
       image: fedora:39
       options: "--privileged"
+      env:
+        GITHUB_HOST: ${{ github.server_url }}
+        ACTIONS_ID_TOKEN_REQUEST_TOKEN: ${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN }}
+        ACTIONS_ID_TOKEN_REQUEST_URL: ${{ env.ACTIONS_ID_TOKEN_REQUEST_URL }}
     permissions:
       contents: read
       packages: write
+      id-token: write
     strategy:
       fail-fast: false
       matrix:
@@ -55,4 +60,4 @@ jobs:
         run: exit 1
       - name: Exit
         shell: bash
-        run: exit 0
+        run: exit 0

action.yml

@@ -74,6 +74,9 @@ runs:
         ref: ${{ inputs.ACTION_REF }}
         submodules: recursive
 
+    - name: install cosign
+      uses: sigstore/[email protected]
+
     - name: Install dependencies
       shell: bash
       run: make install-deps
@@ -124,6 +127,18 @@ runs:
         sha256sum ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso > ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-CHECKSUM
         mv ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso end_iso/
 
+    - name: sign checksum
+      shell: bash
+      env:
+        COSIGN_YES: "true"
+      run: |
+        cosign sign-blob ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-CHECKSUM --bundle ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.bundle
+        cosign verify-blob \
+          ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-CHECKSUM \
+          --bundle ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.bundle
+          --certificate-identity-regexp 'https://github.com/${{ github.workflow_ref }}' \
+          --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'
+
     - name: Upload ISO as artifact
       uses: actions/upload-artifact@v4
       with: