Sign chart with cosign (#356)

* feat(ci): sign chart with cosign
* doc: add artifacthub notice and details on how to verify the signed artifacts

---------

Signed-off-by: Matheus Pimenta <[email protected]>
Signed-off-by: Jan Larwig <[email protected]>
Co-authored-by: Jan Larwig <[email protected]>

Author: matheuscscp

.github/workflows/release.yaml

@@ -8,15 +8,19 @@ on:
 jobs:
   release:
     permissions:
-      contents: write
-      packages: write
+      contents: write # for pushing to gh-pages (HTTPS Helm repository)
+      packages: write # for pushing to GHCR     (OCI Helm repository)
+      id-token: write # for signing with keyless cosign
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
+      - name: Setup Cosign
+        uses: sigstore/[email protected]
+
       - name: Configure Git
         run: |
           git config user.name "$GITHUB_ACTOR"
@@ -42,12 +46,15 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Push Charts to GHCR
+      - name: Push Charts to GHCR and Sign
         run: |
           shopt -s nullglob
           for pkg in .cr-release-packages/*; do
             if [ -z "${pkg:-}" ]; then
               break
             fi
-            helm push "${pkg}" oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts
+            chart_name=$(echo "${pkg##*/}" | sed 's/-[0-9].*$//')
+            repo="oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
+            helm push "${pkg}" "${repo}" |& grep Digest: | awk '{print $NF}' > digest.txt
+            cosign sign --yes "${repo}/${chart_name}@$(cat digest.txt)"
           done

README.md

@@ -18,3 +18,24 @@ Linting/validation uses the [helm/chart-testing tool](https://github.com/helm/ch
 ct lint --all --config ct.yaml
 ct install --all --config ct.yaml
 ```
+
+## Verify Signed Helm Charts
+
+With the introduction of cosign for signing artifacts you can verify the
+integrity of our artifacts using the following command:
+
+```
+VERSION=8.2.2
+cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+    --certificate-github-workflow-repository oauth2-proxy/manifests \
+    --certificate-github-workflow-name "Release Charts" \
+    --certificate-github-workflow-ref main \
+    --certificate-identity "https://github.com/oauth2-proxy/manifests/.github/workflows/release.yaml@main" \
+    "oci://ghcr.io/oauth2-proxy/manifests/charts/oauth2-proxy@${VERSION}" | jq
+```
+
+Note:
+
+We utilize cosign to sign and verify artifacts with the KEYLESS mode. To learn
+more about how keyless signing is done, visit the official documentation about 
+[Keyless Signatures](https://docs.sigstore.dev/cosign/signing/overview/#the-signing-witnessing-and-verifying-process).

helm/oauth2-proxy/Chart.yaml

@@ -1,5 +1,5 @@
 name: oauth2-proxy
-version: 8.2.1
+version: 8.2.2
 apiVersion: v2
 appVersion: 7.12.0
 home: https://oauth2-proxy.github.io/oauth2-proxy/
@@ -31,8 +31,8 @@ maintainers:
 kubeVersion: ">=1.16.0-0"
 annotations:
   artifacthub.io/changes: |
-    - kind: added
-      description: Add support for new container resize policy feature
+    - kind: security
+      description: Adding cosign keyless signing for helm chart artifact
       links:
         - name: Github PR
-          url: https://github.com/oauth2-proxy/manifests/pull/346
+          url: https://github.com/oauth2-proxy/manifests/pull/356