action.yml

# action.yml
name: cosign-installer
author: sigstore
description: 'Installs cosign and includes it in your path'
branding:
  icon: 'package'
  color: 'blue'
# This is pinned to the last major release, we have to bump it for each action version.
inputs:
  cosign-release:
    description: 'cosign release version to be installed'
    required: false
    default: 'v1.4.1'
  install-dir:
    description: 'Where to install the cosign binary'
    required: false
    default: '$HOME/.cosign'
runs:
  using: "composite"
  steps:
    # We verify the version against a SHA **in the published action itself**, not in the GCS bucket.
    - if: ${{ runner.os == 'Linux' || runner.os == 'macOS' }}
      shell: bash
      run: |
        bootstrap_version='v1.4.1'    
        bootstrap_linux_amd64_sha='08ba779a4e6ff827079abed1a6d1f0a0d9e48aea21f520ddeb42ff912f59d268'
        bootstrap_linux_arm_sha='d13f12dea3b65ec4bcd25fe23d35772f7b0b5997dba14947ce242e1260b3a15d'
        bootstrap_linux_arm64_sha='b0c02b607e722b9d2b1807f6efb73042762e77391c51c8948710e7f571ceaa73'
        bootstrap_darwin_amd64_sha='0908ffd3ceea5534c27059e30276094d63ed9339c2bf75e38e3d88d0a34502f3'
        bootstrap_darwin_arm64_sha='f8162aba987e1afddb20a672e47fb070ec6bf1547f65f23159e0f4a61e4ea673'

        trap "popd" EXIT

        mkdir -p ${{ inputs.install-dir }}
        pushd ${{ inputs.install-dir }}

        case ${{ runner.os }} in
          Linux)
            shaprog='sha256sum'
            case ${{ runner.arch }} in
              X64)
                bootstrap_filename='cosign-linux-amd64'
                bootstrap_sha=${bootstrap_linux_amd64_sha}
                desired_cosign_filename='cosign-linux-amd64'
                # v0.6.0 had different filename structures from all other releases
                if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
                  desired_cosign_filename='cosign_linux_amd64'
                  desired_cosign_v060_signature='cosign_linux_amd64_0.6.0_linux_amd64.sig'
                fi
                ;;
              
              ARM)
                bootstrap_filename='cosign-linux-arm'
                bootstrap_sha=${bootstrap_linux_arm_sha}
                desired_cosign_filename='cosign-linux-arm'
                if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
                  echo "ERROR: linux-arm build not available at v0.6.0"
                  exit 1
                fi
                ;;
              
              ARM64)
                bootstrap_filename='cosign-linux-arm64'
                bootstrap_sha=${bootstrap_linux_arm64_sha}
                desired_cosign_filename='cosign-linux-amd64'
                if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
                  echo "ERROR: linux-arm64 build not available at v0.6.0"
                  exit 1
                fi
                ;;
              
              *)
                echo "ERROR: unsupported architecture $arch"
                exit 1
                ;;
            esac
            ;;
          
          macOS)
            shaprog='shasum -a256'
            case ${{ runner.arch }} in
              X64)
                bootstrap_filename='cosign-darwin-amd64'
                bootstrap_sha=${bootstrap_darwin_amd64_sha}
                desired_cosign_filename='cosign-darwin-amd64'
                # v0.6.0 had different filename structures from all other releases
                if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
                  desired_cosign_filename='cosign_darwin_amd64'
                  desired_cosign_v060_signature='cosign_darwin_amd64_0.6.0_darwin_amd64.sig'
                fi
                ;;
              
              ARM64)
                bootstrap_filename='cosign-darwin-arm64'
                bootstrap_sha=${bootstrap_darwin_arm64_sha}
                desired_cosign_filename='cosign-darwin-arm64'
                # v0.6.0 had different filename structures from all other releases
                if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
                  desired_cosign_filename='cosign_darwin_arm64'
                  desired_cosign_v060_signature='cosign_darwin_arm64_0.6.0_darwin_arm64.sig'
                fi
                ;;
              
              *)
                echo "ERROR: unsupported architecture $arch"
                exit 1
                ;;
            esac
            ;;

          *)
            echo "ERROR: unsupported architecture $arch"
            exit 1
            ;;
        esac

        expected_bootstrap_version_digest=${bootstrap_sha}
        curl -L https://storage.googleapis.com/cosign-releases/${bootstrap_version}/${bootstrap_filename} -o cosign
        shaBootstrap=$(${shaprog} cosign | cut -d' ' -f1);
        if [[ $shaBootstrap != ${expected_bootstrap_version_digest} ]]; then
          echo "ERROR: Unable to validate cosign version: '${{ inputs.cosign-release }}'"
          exit 1
        fi
        chmod +x cosign

        # If the bootstrap and specified `cosign` releases are the same, we're done.
        if [[ ${{ inputs.cosign-release }} == ${bootstrap_version} ]]; then exit 0; fi

        semver='^v([0-9]+\.){0,2}(\*|[0-9]+)$'
        if [[ ${{ inputs.cosign-release }} =~ $semver ]]; then
          echo "INFO: Custom Cosign Version ${{ inputs.cosign-release }}"
        else
          echo "ERROR: Unable to validate cosign version: '${{ inputs.cosign-release }}'"
          exit 1
        fi

        # Download custom cosign
        curl -L https://storage.googleapis.com/cosign-releases/${{ inputs.cosign-release }}/${desired_cosign_filename} -o cosign_${{ inputs.cosign-release }}
        shaCustom=$(${shaprog} cosign_${{ inputs.cosign-release }} | cut -d' ' -f1);

        # same hash means it is the same release
        if [[ $shaCustom != $shaBootstrap ]]; then
          if [[ ${{ inputs.cosign-release }} == 'v0.6.0' && ${{ runner.os }} == 'Linux' ]]; then
            # v0.6.0's linux release has a dependency on `libpcsclite1`
            set +e
            sudo dpkg -s libpcsclite1
            if [ $? -eq 0 ]; then
                echo "INFO: libpcsclite1 package is already installed"
            else
                 echo "INFO: libpcsclite1 package is not installed, installing it now."
                 sudo apt-get update -q
                 sudo apt-get install -yq libpcsclite1
            fi
          fi
          if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
            curl -L https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_v060_signature} -o ${desired_cosign_filename}.sig
          else
            curl -LO https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_filename}.sig
          fi

          if [[ ${{ inputs.cosign-release }} < 'v0.6.0' ]]; then
            RELEASE_COSIGN_PUB_KEY=https://raw.githubusercontent.com/sigstore/cosign/${{ inputs.cosign-release }}/.github/workflows/cosign.pub
          else
            RELEASE_COSIGN_PUB_KEY=https://raw.githubusercontent.com/sigstore/cosign/${{ inputs.cosign-release }}/release/release-cosign.pub
          fi

          set -x
          ./cosign verify-blob --key $RELEASE_COSIGN_PUB_KEY --signature ${desired_cosign_filename}.sig cosign_${{ inputs.cosign-release }}
          if [[ $? != 0 ]]; then
            echo "ERROR: Unable to validate cosign version: '${{ inputs.cosign-release }}' using release public key"
            exit 1
          fi

          rm cosign
          mv cosign_${{ inputs.cosign-release }} cosign
          chmod +x cosign
        fi
    - if: ${{ runner.os == 'Linux' || runner.os == 'macOS' }}
      run:  echo "${{ inputs.install-dir }}" >> $GITHUB_PATH
      shell: bash