Introduce signature verification

cba22d1d · Timo Furrer · 23527d23 · cba22d1d
Unverified Commit cba22d1d authored 7 months ago by Timo Furrer
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -55,6 +55,7 @@ stages:
  - quality
  - deploy
  - sign
+  - verify
  - release
  - cleanup

@@ -271,6 +272,22 @@ gitlab-opentofu-image:sign:
  rules:
    - if: '$CI_SERVER_FQDN == "gitlab.com" && $CI_COMMIT_TAG'

+gitlab-opentofu-image:verify-signature:
+  extends: '.image-matrix:deploy'
+  stage: verify
+  image: alpine:3.20.3
+  before_script:
+    - *image-matrix-deploy-release-name-script
+    - apk add --update cosign
+  script:
+    - cosign verify
+      --certificate-identity "$CI_PROJECT_URL//.gitlab-ci.yml@refs/tags/$CI_COMMIT_TAG"
+      --certificate-oidc-issuer "https://gitlab.com"
+      "$RELEASE_IMAGE"
+      "$(crane digest --full-ref "$RELEASE_IMAGE")"
+  rules:
+    - if: '$CI_SERVER_FQDN == "gitlab.com" && $CI_COMMIT_TAG'
+
 .release:base:
  stage: release
  image: registry.gitlab.com/gitlab-org/release-cli:v0.19.0