From f345eefc7cc29a46b92ab58b919eb258dfb6a1ad Mon Sep 17 00:00:00 2001
From: Jason Nagin <33561705+JasonN3@users.noreply.github.com>
Date: Mon, 17 Jun 2024 10:16:31 -0400
Subject: [PATCH] add code signing
---
 .github/workflows/build_container.yml | 30 ++++++++++++++++++++++++++-
 cosign.pub | 4 ++++
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 cosign.pub
diff --git a/.github/workflows/build_container.yml b/.github/workflows/build_container.yml
index 705485a..6b2ec21 100644
--- a/.github/workflows/build_container.yml
+++ b/.github/workflows/build_container.yml
@@ -94,6 +94,13 @@ jobs:
 tags: ${{ steps.meta.outputs.tags || steps.meta_pr.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels || steps.meta_pr.outputs.labels }}
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v2.1.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
 - name: Push image
 uses: redhat-actions/push-to-registry@v2
 with:
@@ -110,4 +117,25 @@ jobs:
 status: ${{ job.status }}
 context: ${{ env.JOB_NAME }}
 sha: ${{ env.sha }}
- targetUrl: ${{ steps.jobs.outputs.html_url }}
\ No newline at end of file
+ targetUrl: ${{ steps.jobs.outputs.html_url }}
+
+ - name: Install Cosign
+ if: startsWith(github.ref, 'refs/tags/v')
+ uses: sigstore/cosign-installer@v3.5.0
+ - name: Sign the images
+ if: startsWith(github.ref, 'refs/tags/v')
+ env:
+ TAGS: ${{ steps.build-image.outputs.tags }}
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ run: |
+ images=""
+ digest=""
+ for tag in ${TAGS}; do
+ if [[ -z "${digest}" ]]
+ then
+ digest=$(cat $(echo ${tag} | tr '/:' '--')_digest.txt)
+ fi
+ images+="${tag}@${digest} "
+ done
+ cosign sign --key env://COSIGN_PRIVATE_KEY --yes ${images}
diff --git a/cosign.pub b/cosign.pub
new file mode 100644
index 0000000..4d5e06d
--- /dev/null
+++ b/cosign.pub
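Review bot: `docker/login-action@v2.1.0` here and `sigstore/cosign-installer@v3.5.0` in the next hunk are pinned to mutable release tags; pinning each to the release's full commit SHA (with the tag kept in a trailing comment) keeps a retagged or compromised release from silently changing what runs with `secrets.GITHUB_TOKEN` in hand. The login step also runs unconditionally while the signing it appears to exist for is gated on `startsWith(github.ref, 'refs/tags/v')`; if the push step (whose `with:` block continues outside this hunk) authenticates through its own inputs, giving the login the same `if:` keeps the token out of PR builds that never sign. The job header that would grant `packages: write` is outside the hunk, so confirm that permission is set; without it the later `cosign sign` cannot upload the signature to ghcr.io.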
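Review bot: The digest loop can build unsignable references: if `$(echo ${tag} | tr '/:' '--')_digest.txt` exists but is empty, `digest` stays empty, the `-z` test re-reads the file for every tag, and `images` fills with `tag@ ` entries that `cosign sign` rejects late with no hint about the cause; adding `[[ -n "${digest}" ]] || { echo "no digest for ${tag}" >&2; exit 1; }` after the `fi` makes the failure explicit (a missing file is already fatal under the default `bash -e` shell, an empty one is not). The step that writes those `_digest.txt` files is not in this patch, so whether every tag really shares the first tag's digest, as the loop assumes, has to be checked against that step. Signing `tag@digest` rather than the bare tag is the right choice, since a tag can be moved after signing. `--key env://COSIGN_PRIVATE_KEY` relies on a long-lived private key kept in repository secrets; if that key is password-protected, `COSIGN_PASSWORD` must also be supplied or the non-interactive run fails, and keyless signing with `id-token: write` would remove the stored key entirely and give verifiers a certificate bound to this workflow instead of a static `cosign.pub`.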
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEY4ljyIhI2w9DOptB4WT20S+K5ts3
+GJTEKRkXmIYEXGfyKpJMdlGCWeg2kOam5dNhWKXXl46d3eBBo9S53TPpyQ==
+-----END PUBLIC KEY-----
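Review bot: The public key is committed without any note on how consumers use it; since the workflow signs with `--key`, verification is `cosign verify --key cosign.pub <image>@<digest>`, and a short README section (or a comment in the workflow next to the signing step) pointing at this file is what makes the signatures actually checkable. Rotating the signing key will require updating this file in the same change, which is worth stating wherever the key gets documented.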