Merge branch 'sign-images' into 'main'

Sign images using cosign

See merge request components/opentofu!148

.gitlab-ci.yml

@@ -182,7 +182,7 @@ shellcheck:
 .gitlab-opentofu-image:deploy:base:
   stage: deploy
   image:
-    name: gcr.io/go-containerregistry/crane:debug
+    name: alpine/crane:0.20.0
     entrypoint: [""]
   variables:
     GITLAB_OPENTOFU_BASE_IMAGE_OS: $RELEASE_BASE_IMAGE_OS
@@ -219,8 +219,18 @@ shellcheck:
 
 gitlab-opentofu-image:deploy:
   extends: ['.gitlab-opentofu-image:deploy:base']
+  variables:
+    COSIGN_YES: "true"  # Used by Cosign to skip confirmation prompts for non-destructive operations
+  id_tokens:
+    SIGSTORE_ID_TOKEN:
+      aud: sigstore
   script:
+    # Install dependencies, can't use before_script because of the job we are extending.
+    - apk add --update cosign
+    # Release image
     - crane copy "$GITLAB_OPENTOFU_IMAGE_NAME" "$RELEASE_IMAGE"
+    # Sign image
+    - cosign sign "$(crane digest --full-ref "$RELEASE_IMAGE")"
     - export image_digest="$(crane digest $RELEASE_IMAGE)"
     - 'echo "- \`$RELEASE_IMAGE\` (digest: \`$image_digest\`)" > image$CI_JOB_ID.md'
   artifacts:

.gitlab/README.md.template

@@ -328,6 +328,16 @@ However, we cannot use the alternative `+` which would indicate build metadata
 as we'd like.
 See https://github.com/distribution/distribution/issues/1201*
 
+### Image Signing
+
+Every released image is [signed](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html)
+using [`sigstore/cosign`](https://github.com/sigstore/cosign).
+
+Check the following docs to learn more about verifying the signature:
+
+- https://docs.sigstore.dev/cosign/verifying/verify/
+- https://docs.gitlab.com/ee/ci/yaml/signing_examples.html#verification
+
 ### Using with Renovate
 
 To keep the component versions up to date you could use [Renovate](https://docs.renovatebot.com/).

.gitlab/release-notes.md.template

@@ -43,6 +43,8 @@ And with the follow base OS images:
 - `alpine`, use `base_os: alpine` input to use it (default).
 - `debian`, use `base_os: debian` input to use it.
 
+The images have been signed with `cosign`.
+
 > **Note:**
 >
 > When using the component with the inputs `version` and `opentofu_version`,<br>

README.md

@@ -347,6 +347,16 @@ However, we cannot use the alternative `+` which would indicate build metadata
 as we'd like.
 See https://github.com/distribution/distribution/issues/1201*
 
+### Image Signing
+
+Every released image is [signed](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html)
+using [`sigstore/cosign`](https://github.com/sigstore/cosign).
+
+Check the following docs to learn more about verifying the signature:
+
+- https://docs.sigstore.dev/cosign/verifying/verify/
+- https://docs.gitlab.com/ee/ci/yaml/signing_examples.html#verification
+
 ### Using with Renovate
 
 To keep the component versions up to date you could use [Renovate](https://docs.renovatebot.com/).