add artifacts sign

Signed-off-by: Stavros Foteinopoulos <stafot@gmail.com>

Author: stafot

.github/workflows/ci.yml

@@ -12,6 +12,7 @@ env:
  BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
  EXCLUDE_ENTERPRISE: true
  GO_VERSION: 1.24.6
+ COSIGN_VERSION: 2.2.2
 
 jobs:
   webapp-test:
@@ -104,11 +105,84 @@ jobs:
         GO_VERSION: ${{ env.GO_VERSION }}
       run: cd focalboard; make dist-all
 
+    - name: ci/setup-cosign
+      uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+      with:
+        cosign-release: v${{ env.COSIGN_VERSION }}
+
+    - name: ci/sign-plugin-artifacts
+      env:
+        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+      run: |
+        cd focalboard
+        echo "Signing plugin artifacts with cosign..."
+        
+        # Sign normal distribution
+        if [ -f dist/*.tar.gz ]; then
+          for package in dist/*.tar.gz; do
+            echo "Signing ${package}..."
+            if [ -n "$COSIGN_PRIVATE_KEY" ]; then
+              # Use private key signing if available
+              cosign sign-blob --yes --key env://COSIGN_PRIVATE_KEY --output-signature "${package}.sig" "${package}"
+            else
+              echo "Warning: COSIGN_PRIVATE_KEY not available, skipping signing for ${package}"
+            fi
+          done
+        fi
+        
+        # Sign FIPS distribution
+        if [ -f dist-fips/*.tar.gz ]; then
+          for package in dist-fips/*.tar.gz; do
+            echo "Signing ${package}..."
+            if [ -n "$COSIGN_PRIVATE_KEY" ]; then
+              # Use private key signing if available
+              cosign sign-blob --yes --key env://COSIGN_PRIVATE_KEY --output-signature "${package}.sig" "${package}"
+            else
+              echo "Warning: COSIGN_PRIVATE_KEY not available, skipping signing for ${package}"
+            fi
+          done
+        fi
+        
+        echo "Artifact signing completed"
+
+    - name: ci/verify-signatures
+      if: ${{ secrets.COSIGN_PRIVATE_KEY != '' && secrets.COSIGN_PUBLIC_KEY != '' }}
+      env:
+        COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+      run: |
+        cd focalboard
+        echo "Verifying artifact signatures..."
+        
+        # Verify normal distribution signatures
+        if [ -f dist/*.tar.gz ]; then
+          for package in dist/*.tar.gz; do
+            if [ -f "${package}.sig" ] && [ -n "$COSIGN_PUBLIC_KEY" ]; then
+              echo "Verifying ${package}..."
+              cosign verify-blob --key env://COSIGN_PUBLIC_KEY --signature "${package}.sig" "${package}"
+            fi
+          done
+        fi
+        
+        # Verify FIPS distribution signatures
+        if [ -f dist-fips/*.tar.gz ]; then
+          for package in dist-fips/*.tar.gz; do
+            if [ -f "${package}.sig" ] && [ -n "$COSIGN_PUBLIC_KEY" ]; then
+              echo "Verifying ${package}..."
+              cosign verify-blob --key env://COSIGN_PUBLIC_KEY --signature "${package}.sig" "${package}"
+            fi
+          done
+        fi
+        
+        echo "Signature verification completed"
+
     - name: Upload all artifacts
       uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.5.0
       with:
         name: all-plugin-artifacts
         path: |
           focalboard/dist/*.tar.gz
+          focalboard/dist/*.tar.gz.sig
           focalboard/dist-fips/*.tar.gz
+          focalboard/dist-fips/*.tar.gz.sig
         retention-days: 7