From 28a964d8ed47ba2071b5959fdd5955366fc3dffd Mon Sep 17 00:00:00 2001
From: RJ Trujillo
Date: Sat, 6 Jan 2024 20:02:17 -0700
Subject: [PATCH] feat: Use Chainguard's cosign image instead of cosign-installer

---
 sign/action.yml   | 6 +-----
 verify/action.yml | 8 ++------
 2 files changed, 3 insertions(+), 11 deletions(-)

diff --git a/sign/action.yml b/sign/action.yml
index 5b06b44..bba3e6e 100644
--- a/sign/action.yml
+++ b/sign/action.yml
@@ -28,18 +28,14 @@ runs:
         username: ${{ github.actor }}
         password: ${{ inputs.registry-token }}
 
-    - name: Install cosign
-      uses: sigstore/cosign-installer@v3.3.0
-
     - name: Sign container image
       shell: bash
       run: |
         REGISTRY=$(echo ${{ inputs.registry }} | awk '{print tolower($0)}')
         for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
-          cosign sign -y --key env://COSIGN_PRIVATE_KEY $REGISTRY/${CONTAINER}@${TAGS}
+          podman run -w $PWD --env-host cgr.dev/chainguard/cosign sign -y --key env://COSIGN_PRIVATE_KEY $REGISTRY/${CONTAINER}@${TAGS}
         done
       env:
         CONTAINERS: ${{ inputs.containers }}
-        COSIGN_EXPERIMENTAL: false
         COSIGN_PRIVATE_KEY: ${{ inputs.signing-secret }}
         TAGS: ${{ inputs.tags }}
diff --git a/verify/action.yml b/verify/action.yml
index e20a7ed..6fe6863 100644
--- a/verify/action.yml
+++ b/verify/action.yml
@@ -26,9 +26,6 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - name: Install cosign
-      uses: sigstore/cosign-installer@v3.3.0
-
     - name: Verify container
       shell: bash
       run: |
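Review bot: The new `podman run` line in the "Sign container image" step pulls `cgr.dev/chainguard/cosign` with no tag or digest while `--env-host` hands the container the runner's entire environment, including `COSIGN_PRIVATE_KEY` and whatever other tokens are present; the step it replaces was pinned to `sigstore/cosign-installer@v3.3.0`, so the signing path loses its pin exactly where a compromised or replaced image could exfiltrate the key. Pin the image by digest (`cgr.dev/chainguard/cosign@sha256:<digest>`, refreshed by a dependency bot) and pass only what cosign needs, e.g. `podman run --rm -e COSIGN_PRIVATE_KEY cgr.dev/chainguard/cosign@sha256:<digest> sign -y --key env://COSIGN_PRIVATE_KEY ...` instead of `--env-host`. Note also that `-w $PWD` only sets the working directory and mounts nothing, and the registry credentials produced by the preceding login step (context lines `username:`/`password:`) live on the runner's filesystem rather than in the container, so presumably the signature push will fail authentication unless that credential file is mounted or credentials are passed to cosign explicitly — worth a run to confirm. `--rm` additionally avoids leaving one stopped container per image behind in the loop.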
@@ -36,7 +33,7 @@ runs:
         set -o pipefail
         if [[ -n "${{ inputs.cert-identity }}" && -n "${{ inputs.oidc-issuer }}" ]]; then
           for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
-            if ! cosign verify $REGISTRY/${CONTAINER} --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }} | jq; then
+            if ! podman run -w $PWD --env-host cgr.dev/chainguard/cosign verify $REGISTRY/${CONTAINER} --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }} | jq; then
               echo "NOTICE: Verification failed. Please ensure your public key is correct."
               if [[ "${{ matrix.fail-silently }}" != 'true' ]]; then
                 exit 1
@@ -45,7 +42,7 @@ runs:
           done
         elif [[ -n "${{ inputs.pubkey }}" ]]; then
           for CONTAINER in $(echo "${CONTAINERS}" | tr "," "\n"); do
-            if ! cosign verify --key ${{ inputs.pubkey }} $REGISTRY/${CONTAINER} | jq; then
+            if ! podman run -w $PWD --env-host cgr.dev/chainguard/cosign verify --key ${{ inputs.pubkey }} $REGISTRY/${CONTAINER} | jq; then
               echo "NOTICE: Verification failed. Please ensure your public key is correct."
               if [[ "${{ matrix.fail-silently }}" != 'true' ]]; then
                 exit 1
@@ -57,4 +54,3 @@ runs:
         fi
       env:
         CONTAINERS: ${{ inputs.containers }}
-        COSIGN_EXPERIMENTAL: false
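Review bot: The keyless `cosign verify` in the first hunk now runs from an unpinned `cgr.dev/chainguard/cosign` image pulled at job time, so whoever controls that tag controls whether this gate passes; a verification step should be pinned at least as firmly as the `sigstore/cosign-installer@v3.3.0` pin the commit removes, i.e. `cgr.dev/chainguard/cosign@sha256:<digest>`. `--env-host` also exposes every runner variable to the container even though the only values this command needs are already expanded by the shell on the host; unless cosign is relied on to pick up something specific from the environment here, drop it or pass the needed variables with `-e NAME`. The `run:` block and the `if`/`for` nesting begin before this hunk and continue after it.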
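Review bot: In the second hunk `--key ${{ inputs.pubkey }}` is now resolved inside the container, but `-w $PWD` only sets the working directory and nothing is bind-mounted, so if `inputs.pubkey` may be a path to a public-key file on the runner (for example one from the checked-out repository) cosign will not find it and the "Verification failed" branch will fire for the wrong reason; add `-v "$PWD:$PWD:ro"` to the `podman run` line, or document that `pubkey` must be a URL, KMS reference or inline key. Separately, `${{ inputs.pubkey }}` is substituted by the Actions runtime straight into the script, so a value with shell metacharacters is interpreted by bash; the safer pattern is to add `PUBKEY: ${{ inputs.pubkey }}` under `env:` and write `--key "$PUBKEY"`. The enclosing `run:` block and its `if`/`elif` chain extend outside the hunk.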