
Add cosign #4813

Closed
8 of 9 tasks
JamieMagee opened this issue Dec 28, 2021 · 2 comments

Comments

@JamieMagee

Tool name

cosign

Tool license

Apache License 2.0

Add or update?

  • Add
  • Update

Desired version

1.4.1

Approximate size

80MB

Brief description of tool

Container Signing, Verification and Storage in an OCI registry.

It is promoted in a GitHub blog post [1] and in starter workflows [2].

URL for tool's homepage

https://github.com/sigstore/cosign

Provide a basic test case to validate the tool's functionality.

No response

Virtual environments affected

  • Ubuntu 18.04
  • Ubuntu 20.04
  • macOS 10.15
  • macOS 11
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

Can this tool be installed during the build?

See https://github.com/sigstore/cosign-installer

Tool installation time in runtime

a couple of seconds

Are you willing to submit a PR?

yes

Footnotes

  1. https://github.blog/2021-12-06-safeguard-container-signing-capability-actions/

  2. https://github.com/actions/starter-workflows/blob/5104ac42744c84c675b2f9e1168e89f1dd60c059/ci/docker-publish.yml#L40-L46

@miketimofeev
Contributor

Hi @JamieMagee!
The starter workflow example executes the install action, and this is the recommended way to use cosign, as you can set up any version you like or stay on the latest. The installation takes no more than 2-3 seconds:

```yaml
jobs:
  build:
    runs-on: ubuntu-latest

    name: Install Cosign and test presence in path
    steps:
      - name: Install Cosign
        uses: sigstore/cosign-installer@main
        with:
          cosign-release: 'v1.4.1'
      - name: Check install!
        run: cosign version
```

However, the action doesn't support other OSs at the moment, and we recommend creating an issue in the https://github.com/sigstore/cosign-installer repository to add the support.
Until then you can use the following snippets to install cosign in runtime; it won't take more than 5 seconds for macOS and 20 for Windows:

macOS

```bash
# Resolve the latest release and pick the darwin-amd64 binary itself.
# endswith() is used instead of contains("darwin-amd64") so the filter does not
# also match the detached signature asset (cosign-darwin-amd64.sig).
csDownloadUrl=$(curl -s https://api.github.com/repos/sigstore/cosign/releases/latest | jq -r '.assets[].browser_download_url | select(endswith("cosign-darwin-amd64"))' | head -n 1)
curl -L -o /tmp/cosign "$csDownloadUrl"
# Clear the Gatekeeper quarantine attribute, then place the binary on PATH.
sudo xattr -rd com.apple.quarantine /tmp/cosign
mv /tmp/cosign /usr/local/bin/cosign
sudo chmod +x /usr/local/bin/cosign
cosign version
```

Windows

```powershell
# Get-GitHubPackageDownloadUrl and Start-DownloadWithRetry are helper functions
# from the runner-images repository's image-generation scripts, not built-in cmdlets.
$csBinary = Get-GitHubPackageDownloadUrl -RepoOwner "sigstore" -RepoName "cosign" -BinaryName "cosign-windows-amd64.exe" -Version "latest" -UrlFilter "*{Version}/{BinaryName}"
Start-DownloadWithRetry -Url $csBinary -DownloadPath "." -Name "cosign.exe"
./cosign.exe version
```

Considering the fast installation time in runtime and maintenance concerns, we would not like to add the tool to the image. Please use the action/snippets provided.
I'm going to close the issue; feel free to contact us if you have any concerns.
Thank you!
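
The macOS snippet above downloads whatever release asset first matches a substring of the asset name and runs it without checking what was fetched. The following is an added example, not code from the issue or from the cosign or runner-images projects, showing the two checks a supply-chain-minded installer would add on top of it: selecting the asset by exact name (so the `.sig` file sharing the `darwin-amd64` substring cannot be picked up) and comparing the download against a SHA-256 checksums file before it is placed on PATH. The release JSON, the binary bytes and the checksums file are all constructed inline so the example runs offline; the asset name `cosign_checksums.txt` and the `sha256sum`-style line format are assumptions about the release layout.

```python
import hashlib
import json

# Constructed sample of a GitHub "latest release" API response. The asset names
# follow cosign's cosign-<os>-<arch> pattern (assumption); note that the .sig
# asset shares the substring "darwin-amd64" with the binary.
SAMPLE_RELEASE_JSON = json.dumps({
    "tag_name": "v1.4.1",
    "assets": [
        {"name": "cosign-darwin-amd64.sig",
         "browser_download_url": "https://example.invalid/v1.4.1/cosign-darwin-amd64.sig"},
        {"name": "cosign-darwin-amd64",
         "browser_download_url": "https://example.invalid/v1.4.1/cosign-darwin-amd64"},
        {"name": "cosign-linux-amd64",
         "browser_download_url": "https://example.invalid/v1.4.1/cosign-linux-amd64"},
        {"name": "cosign_checksums.txt",
         "browser_download_url": "https://example.invalid/v1.4.1/cosign_checksums.txt"},
    ],
})

# Constructed stand-in for the downloaded binary, and a checksums file in
# sha256sum format ("<hex digest>  <file name>" per line), one entry per asset.
SAMPLE_BINARY = b"\x7fELF constructed placeholder for the cosign binary\n"
SAMPLE_CHECKSUMS = (
    f"{hashlib.sha256(SAMPLE_BINARY).hexdigest()}  cosign-darwin-amd64\n"
    f"{'0' * 64}  cosign-linux-amd64\n"
)


def substring_matches(release_json: str, needle: str) -> list:
    """What the original jq filter does: every asset whose name contains needle.

    With the sample above this returns the signature file first, so a
    `head -n 1` would download the .sig instead of the binary."""
    release = json.loads(release_json)
    return [a["name"] for a in release["assets"] if needle in a["name"]]


def select_asset_url(release_json: str, asset_name: str) -> str:
    """Return the download URL of the one asset whose name matches exactly."""
    release = json.loads(release_json)
    urls = [a["browser_download_url"] for a in release["assets"] if a["name"] == asset_name]
    if len(urls) != 1:
        raise LookupError(f"expected exactly one asset named {asset_name!r}, found {len(urls)}")
    return urls[0]


def parse_checksums(text: str) -> dict:
    """Parse sha256sum-style lines into {file name: lowercase hex digest}."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum marks binary-mode entries with '*'
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {raw!r}")
        expected[name] = digest.lower()
    return expected


def verify_download(data: bytes, asset_name: str, checksums_text: str) -> bool:
    """True if data hashes to the digest the checksums file lists for asset_name.

    A missing entry is an error rather than a pass: an installer must never
    treat "nothing to compare against" as success."""
    expected = parse_checksums(checksums_text)
    if asset_name not in expected:
        raise LookupError(f"no checksum entry for {asset_name!r}")
    return hashlib.sha256(data).hexdigest() == expected[asset_name]


if __name__ == "__main__":
    print("substring filter would match:", substring_matches(SAMPLE_RELEASE_JSON, "darwin-amd64"))
    url = select_asset_url(SAMPLE_RELEASE_JSON, "cosign-darwin-amd64")
    print("exact match selected:", url)
    print("checksum ok:", verify_download(SAMPLE_BINARY, "cosign-darwin-amd64", SAMPLE_CHECKSUMS))
```

In a real installer the checksums file (and, once a trusted cosign is available, the detached `.sig`) would be fetched from the same release before `chmod +x` and the move into `/usr/local/bin`; only a download that passes `verify_download` should reach that step.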

@JamieMagee
Author

@miketimofeev Thanks for the quick response and detailed feedback.

My aim with adding cosign to the default image was to simplify the whole process for users to start using it. The starter action is simple, but could be simpler 😄 I totally understand the maintenance aspect, and the need to keep the VM images small as well.

Thanks again!
