chore: Implement signed releases

[34fathombelow]

This PR implements container images to be signed using sigstore/cosign It also consolidates the checksums of the cli-binaries at release time into a single file that can also be signed at a later time.

Three GitHub secrets will need to be created before this PR is merged. The process to do this is listed below.

TLDR: https://docs.sigstore.dev/cosign/git_support

1. Install Cosign on your workstation. Linux, Homebrew, and container options are available. Execute the command cosign --version to verified it has been installed correctly.
2. Create or have a valid GitHub PAT token available.
3. Export your PAT as the environment variable "GITHUB_TOKEN"
4. Execute cosign generate-key-pair github://argoproj/argocd This will start the process of creating the GitHub Secrets automatically for you, and prompt you to enter a password. This Password will be stored as the Github secret COSIGN_PASSWORD I would recommend to use well respected password generator such as KeePassXC or Bitwarden and use a paranoid level of characters of at least 32.
5. Three GitHub secretes should have been created, please verify. COSIGN_PASSWORD COSIGN_PRIVATE_KEY & COSIGN_PUBLIC_KEY

Todo at a later time

• Add documentation on how end users can verify our signed images
• Publish our public key in documentation, release notes, and in the repository
• Sign additional artifacts such as checksum and release binaries if needed
• Verify the signatures of the containers we use to build images during build time.

More about cosign and how it is used

https://docs.sigstore.dev/
https://blog.sigstore.dev/cosign-image-signatures-77bab238a93
https://github.com/GoogleContainerTools/distroless#how-do-i-verify-distroless-images
https://kubernetes.io/docs/tasks/administer-cluster/verify-signed-images/
https://cloud.redhat.com/blog/software-supply-chain-security-on-openshift-with-kyverno-and-cosign
https://docs.sigstore.dev/cosign/overview/#kubernetes-integrations
https://kyverno.io/docs/writing-policies/verify-images/

[codecov]

Codecov Report

Base: 45.64% // Head: 45.64% // No change to project coverage 👍

Coverage data is based on head (8110ae5) compared to base (254f3b6).
Patch has no changes to coverable lines.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #10925   +/-   ##
=======================================
  Coverage   45.64%   45.64%           
=======================================
  Files         237      237           
  Lines       28719    28719           
=======================================
  Hits        13108    13108           
  Misses      13808    13808           
  Partials     1803     1803           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[crenshaw-dev]

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEesHEB7vX5Y2RxXypjMy1nI1z7iRG
JI9/gt/sYqzpsa65aaNP4npM43DDxoIy/MQBo9s/mxGxmA+8UXeDpVC9vw==
-----END PUBLIC KEY-----

[crenshaw-dev]

Thanks @34fathombelow!

[34fathombelow]

Should complete signed releases #10852

[crenshaw-dev]

@34fathombelow how much work would it be to also sign the checksums file, in effect signing the binaries?

[34fathombelow]

@34fathombelow how much work would it be to also sign the checksums file, in effect signing the binaries?

@crenshaw-dev Not much work at all, it's on my to do list. Was hoping for a patch release or another RC just to double check that things are working smoothly. Will there be another RC before 2.5 become GA?

Todo at a later time

• Add documentation on how end users can verify our signed images
• Publish our public key in documentation, release notes, and in the repository
• Sign additional artifacts such as checksum and release binaries if needed
• Verify the signatures of the containers we use to build images during build time.

Also could this PR at least be cherry picked to 2.4? It's neither a feature or fix.

[crenshaw-dev]

Will there be another RC before 2.5 become GA?

At least one! Bug reports have been kinda low, so we're trying to encourage more folks to take the RCs for a spin.

Todo at a later time

Ah yep, you did mention this

Also could this PR at least be cherry picked to 2.4? It's neither a feature or fix.

I can't think of a reason why it couldn't... I think before 2.5 GA I wanna do one last 2.2 release. I'll plan to cherry-pick this all the way back to 2.2 after we validate the release workflow on 2.5.0-rc3.

[crenshaw-dev]

Cherry-picked onto release-2.2 for 2.2.15, release-2.3 for 2.3.10, release-2.4 for 2.4.15, and release-2.5 for 2.5.0-rc3.