From cba22d1de4a790ad57e07c6bcc6e226234be87d2 Mon Sep 17 00:00:00 2001
From: Timo Furrer <tfurrer@gitlab.com>
Date: Wed, 30 Oct 2024 14:04:10 +0100
Subject: [PATCH] Introduce signature verification

---
 .gitlab-ci.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6ff8184..36cc5ff 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -55,6 +55,7 @@ stages:
   - quality
   - deploy
   - sign
+  - verify
   - release
   - cleanup
 
@@ -271,6 +272,22 @@ gitlab-opentofu-image:sign:
   rules:
     - if: '$CI_SERVER_FQDN == "gitlab.com" && $CI_COMMIT_TAG'
 
+gitlab-opentofu-image:verify-signature:
+  extends: '.image-matrix:deploy'
+  stage: verify
+  image: alpine:3.20.3
+  before_script:
+    - *image-matrix-deploy-release-name-script
+    - apk add --update cosign
+  script:
+    - cosign verify
+      --certificate-identity "$CI_PROJECT_URL//.gitlab-ci.yml@refs/tags/$CI_COMMIT_TAG"
+      --certificate-oidc-issuer "https://gitlab.com"
+      "$RELEASE_IMAGE"
+      "$(crane digest --full-ref "$RELEASE_IMAGE")"
+  rules:
+    - if: '$CI_SERVER_FQDN == "gitlab.com" && $CI_COMMIT_TAG'
+
 .release:base:
   stage: release
   image: registry.gitlab.com/gitlab-org/release-cli:v0.19.0
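Review bot: The new job's script calls `crane digest` in the command substitution on the last script line, but `before_script` only installs `cosign` (`apk add --update cosign`), and `alpine:3.20.3` does not ship crane; since a job-level `before_script` replaces rather than merges the one inherited from `.image-matrix:deploy` (defined outside this hunk), nothing visible here provides it, unless the `*image-matrix-deploy-release-name-script` anchor does. If crane is missing, the substitution expands to an empty reference and the verification fails for a tooling reason rather than a signature reason, which makes a real signature failure harder to tell apart from an install problem. Install it alongside cosign, e.g. `- apk add --update cosign crane` (or fetch a pinned crane release if the image's repositories do not carry it), and consider pinning the cosign version as the rest of the file pins image tags. Separately, `--certificate-oidc-issuer "https://gitlab.com"` is hard-coded while the rule gates on `$CI_SERVER_FQDN`; `"$CI_SERVER_URL"` would keep the issuer and the rule in step if the job is ever reused on another instance.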
-- 
GitLab