From 1e7f1aac8c07263b6e8760f664b8dec559b1d073 Mon Sep 17 00:00:00 2001 From: Javier Marcos <1271349+javuto@users.noreply.github.com> Date: Sat, 26 Feb 2022 01:04:55 +0100 Subject: [PATCH] Using keyless in cosign --- .../build-sign-publish-chainlink/action.yml | 43 ++++++++++++------- .github/workflows/build-publish.yml | 3 +- 2 files changed, 29 insertions(+), 17 deletions(-) diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml index 0d0b61b55ad..a7d3cbd7b0b 100644 --- a/.github/actions/build-sign-publish-chainlink/action.yml +++ b/.github/actions/build-sign-publish-chainlink/action.yml @@ -38,13 +38,9 @@ inputs: description: When set to the string boolean value of "true", the resulting build image will be signed default: "false" required: false - - cosign-private-key: - description: The private key to be used with cosign to sign the image - required: false - - cosign-password: - description: The password to decrypt the cosign private key needed to sign the image + verify-signature: + description: When set to the string boolean value of "true", the resulting build image signature will be verified + default: "false" required: false runs: 
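Review bot: The new `verify-signature` input is described only as a switch, but its step can only succeed when `sign-images` is also "true" (nothing else produces a signature to verify) and, now that signing is keyless, it also depends on the calling job being able to obtain an OIDC token; neither dependency is stated. I would extend the description to `description: When set to the string boolean value of "true", the keyless (Fulcio/Rekor) signature of the built image is verified; requires sign-images to be "true" and the calling job to grant id-token: write`. It is also worth saying in the `sign-images` description (its key sits above this hunk) that keyless signing records the workflow identity in the public Rekor transparency log, since that changes what this action publishes. The enclosing `inputs:` mapping starts before this hunk.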
@@ -151,29 +147,46 @@ runs: cosign-release: 'v1.4.0' - if: inputs.sign-images == 'true' - name: Write signing key to disk (only needed for `cosign sign --key`) + name: Sign the published root Docker image shell: sh - run: echo "${{ inputs.cosign-private-key }}" > cosign.key + env: + COSIGN_EXPERIMENTAL: 1 + run: | + IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-root.outputs.metadata)['image.name'] }} + IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1) - - if: inputs.sign-images == 'true' - name: Sign the published root Docker image + cosign sign "$IMAGE_NAME" + + - if: inputs.verify-signature == 'true' + name: Verify the signature of the published root Docker image shell: sh env: - COSIGN_PASSWORD: "${{ inputs.cosign-password }}" + COSIGN_EXPERIMENTAL: 1 run: | IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-root.outputs.metadata)['image.name'] }} IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1) - cosign sign --key cosign.key "$IMAGE_NAME" + cosign verify "$IMAGE_NAME" - if: inputs.sign-images == 'true' name: Sign the published non-root Docker image shell: sh env: - COSIGN_PASSWORD: "${{ inputs.cosign-password }}" + COSIGN_EXPERIMENTAL: 1 + run: | + IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-nonroot.outputs.metadata)['image.name'] }} + IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1) + + cosign sign "$IMAGE_NAME" + + - if: inputs.verify-signature == 'true' + name: Verify the signature of the published non-root Docker image + shell: sh + env: + COSIGN_EXPERIMENTAL: 1 run: | IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-nonroot.outputs.metadata)['image.name'] }} IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1) - cosign sign --key cosign.key "$IMAGE_NAME" + cosign verify "$IMAGE_NAME" diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml index 4bc6dea7300..d6c151300e1 100644 --- a/.github/workflows/build-publish.yml +++ b/.github/workflows/build-publish.yml 
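Review bot: The four new `cosign sign "$IMAGE_NAME"` / `cosign verify "$IMAGE_NAME"` steps act on a tag taken from `image.name`, so the signature is attached to whatever digest the tag resolves to at signing time and the verify step checks whatever it resolves to a moment later; if `buildpush-root` is docker/build-push-action it also exposes a `digest` output, and `cosign sign "${IMAGE_NAME}@${{ steps.buildpush-root.outputs.digest }}"` (likewise for the non-root steps) closes that window. Separately, a keyless `cosign verify` with no identity constraint only establishes that some Fulcio-issued certificate signed this image and that the entry is in Rekor, not that this workflow did; the verify steps should pin the expected signer, which in current cosign releases is `--certificate-identity` (the workflow's `https://github.com/<ORG>/<REPO>/.github/workflows/<FILE>@<REF>` identity) together with `--certificate-oidc-issuer https://token.actions.githubusercontent.com`, and the pinned `cosign-release: 'v1.4.0'` may need to be raised for those flags. That same identity pair is what downstream consumers need in order to verify these images, so it belongs in the action's documentation as well. The tag-based reference predates this change; it is raised here because the keyless steps are new and the verify step in particular is only meaningful against a fixed digest.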
@@ -29,5 +29,4 @@ jobs: aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }} aws-region: ${{ secrets.AWS_REGION }} sign-images: true - cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }} - cosign-password: ${{ secrets.COSIGN_PASSWORD }} + verify-signature: true
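Review bot: Keyless signing (`COSIGN_EXPERIMENTAL: 1` in the action) derives its Fulcio certificate from the job's GitHub OIDC token, which is only issued when the job has `permissions: id-token: write`; this hunk removes the key secrets and enables `verify-signature: true` but shows no such grant, so unless it is set outside the hunk the sign steps will fail at token retrieval. I would add `permissions:` with `id-token: write` on this job rather than at workflow level, so only this job can mint identity tokens, and keep the scopes the job already relies on (e.g. `contents: read`), because an explicit permissions block resets every unlisted scope to none. The now-unused `COSIGN_PRIVATE_KEY` and `COSIGN_PASSWORD` repository secrets should be retired at the same time, and consumers who verify with the old public key need to be told that images from this commit on verify by workflow identity instead. The job definition starts before this hunk.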