sigstore · bobcallaway · Dec 29, 2021 · Dec 28, 2021 · Dec 28, 2021 · Dec 28, 2021
diff --git a/.github/workflows/test-action.yml b/.github/workflows/test-action.yml
@@ -4,7 +4,10 @@ on: [pull_request]
 
 jobs:
   test_cosign_action:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [macos-latest, ubuntu-latest]
     permissions:
       actions: none
       checks: none
@@ -33,7 +36,11 @@ jobs:
         fi
 
   test_existing_release_action:
-    runs-on: ubuntu-latest
+    # this does not run on macOS as the support for multi-arch was not added yet
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest]
     permissions:
       actions: none
       checks: none
@@ -62,7 +69,10 @@ jobs:
         fi
 
   test_cosign_action_custom:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [macos-latest, ubuntu-latest]
     permissions:
       actions: none
       checks: none
@@ -93,7 +103,10 @@ jobs:
         fi
 
   test_cosign_action_0_6_0:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [macos-latest, ubuntu-latest]
     permissions:
       actions: none
       checks: none
@@ -124,7 +137,11 @@ jobs:
         fi
 
   test_cosign_action_0_6_0_with_pre_installed_libpcsclite1_package:
-    runs-on: ubuntu-latest
+    # this test is specifically for linux and pcsclite1 dependencies
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest]
     permissions:
       actions: none
       checks: none
@@ -159,7 +176,10 @@ jobs:
         fi
 
   test_cosign_action_wrong:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [macos-latest, ubuntu-latest]
     permissions:
       actions: none
       checks: none
@@ -179,8 +199,12 @@ jobs:
       with:
         cosign-release: 'honk'
       continue-on-error: true
+
   test_cosign_action_custom_dir:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [macos-latest, ubuntu-latest]
     permissions:
       actions: none
       checks: none

diff --git a/action.yml b/action.yml
@@ -1,13 +1,14 @@
 # action.yml
-name: install-cosign
-description: 'Install Cosign and put it on your path'
+name: cosign-installer
+author: sigstore
+description: 'Installs cosign and includes it in your path'
 branding:
   icon: 'package'
   color: 'blue'
 # This is pinned to the last major release, we have to bump it for each action version.
 inputs:
   cosign-release:
-    description: 'Cosign release version to use in the actions.'
+    description: 'cosign release version to be installed'
     required: false
     default: 'v1.4.1'
   install-dir:
@@ -18,17 +19,108 @@ runs:
   using: "composite"
   steps:
     # We verify the version against a SHA **in the published action itself**, not in the GCS bucket.
-    - run: |
+    - if: ${{ runner.os == 'Linux' || runner.os == 'macOS' }}
+      shell: bash
+      run: |
+        bootstrap_version='v1.4.1'    
+        bootstrap_linux_amd64_sha='08ba779a4e6ff827079abed1a6d1f0a0d9e48aea21f520ddeb42ff912f59d268'
+        bootstrap_linux_arm_sha='d13f12dea3b65ec4bcd25fe23d35772f7b0b5997dba14947ce242e1260b3a15d'
+        bootstrap_linux_arm64_sha='b0c02b607e722b9d2b1807f6efb73042762e77391c51c8948710e7f571ceaa73'
+        bootstrap_darwin_amd64_sha='0908ffd3ceea5534c27059e30276094d63ed9339c2bf75e38e3d88d0a34502f3'
+        bootstrap_darwin_arm64_sha='f8162aba987e1afddb20a672e47fb070ec6bf1547f65f23159e0f4a61e4ea673'
+
         trap "popd" EXIT
 
         mkdir -p ${{ inputs.install-dir }}
         pushd ${{ inputs.install-dir }}
 
-        bootstrap_version='v1.4.1'
-        expected_bootstrap_version_digest='08ba779a4e6ff827079abed1a6d1f0a0d9e48aea21f520ddeb42ff912f59d268'
-        curl -L https://storage.googleapis.com/cosign-releases/${bootstrap_version}/cosign-linux-amd64 -o cosign
-        shaBootstrap=$(sha256sum cosign | cut -d' ' -f1);
-        if [[ $shaBootstrap != ${expected_bootstrap_version_digest} ]]; then exit 1; fi
+        case ${{ runner.os }} in
+          Linux)
+            shaprog='sha256sum'
+            case ${{ runner.arch }} in
+              X64)
+                bootstrap_filename='cosign-linux-amd64'
+                bootstrap_sha=${bootstrap_linux_amd64_sha}
+                desired_cosign_filename='cosign-linux-amd64'
+                # v0.6.0 had different filename structures from all other releases
+                if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
+                  desired_cosign_filename='cosign_linux_amd64'
+                  desired_cosign_v060_signature='cosign_linux_amd64_0.6.0_linux_amd64.sig'
+                fi
+                ;;
+
+              ARM)
+                bootstrap_filename='cosign-linux-arm'
+                bootstrap_sha=${bootstrap_linux_arm_sha}
+                desired_cosign_filename='cosign-linux-arm'
+                if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
+                  echo "ERROR: linux-arm build not available at v0.6.0"
+                  exit 1
+                fi
+                ;;
+
+              ARM64)
+                bootstrap_filename='cosign-linux-arm64'
+                bootstrap_sha=${bootstrap_linux_arm64_sha}
+                desired_cosign_filename='cosign-linux-amd64'
+                if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
+                  echo "ERROR: linux-arm64 build not available at v0.6.0"
+                  exit 1
+                fi
+                ;;
+
+              *)
+                echo "ERROR: unsupported architecture $arch"
+                exit 1
+                ;;
+            esac
+            ;;
+
+          macOS)
+            shaprog='shasum -a256'
+            case ${{ runner.arch }} in
+              X64)
+                bootstrap_filename='cosign-darwin-amd64'
+                bootstrap_sha=${bootstrap_darwin_amd64_sha}
+                desired_cosign_filename='cosign-darwin-amd64'
+                # v0.6.0 had different filename structures from all other releases
+                if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
+                  desired_cosign_filename='cosign_darwin_amd64'
+                  desired_cosign_v060_signature='cosign_darwin_amd64_0.6.0_darwin_amd64.sig'
+                fi
+                ;;
+
+              ARM64)
+                bootstrap_filename='cosign-darwin-arm64'
+                bootstrap_sha=${bootstrap_darwin_arm64_sha}
+                desired_cosign_filename='cosign-darwin-arm64'
+                # v0.6.0 had different filename structures from all other releases
+                if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
+                  desired_cosign_filename='cosign_darwin_arm64'
+                  desired_cosign_v060_signature='cosign_darwin_arm64_0.6.0_darwin_arm64.sig'
+                fi
+                ;;
+
+              *)
+                echo "ERROR: unsupported architecture $arch"
+                exit 1
+                ;;
+            esac
+            ;;
+
+          *)
+            echo "ERROR: unsupported architecture $arch"
+            exit 1
+            ;;
+        esac
+
+        expected_bootstrap_version_digest=${bootstrap_sha}
+        curl -L https://storage.googleapis.com/cosign-releases/${bootstrap_version}/${bootstrap_filename} -o cosign
+        shaBootstrap=$(${shaprog} cosign | cut -d' ' -f1);
+        if [[ $shaBootstrap != ${expected_bootstrap_version_digest} ]]; then
+          echo "ERROR: Unable to validate cosign version: '${{ inputs.cosign-release }}'"
+          exit 1
+        fi
         chmod +x cosign
 
         # If the bootstrap and specified `cosign` releases are the same, we're done.
@@ -43,17 +135,12 @@ runs:
         fi
 
         # Download custom cosign
-        if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
-          curl -L https://storage.googleapis.com/cosign-releases/${{ inputs.cosign-release }}/cosign_linux_amd64 -o cosign_${{ inputs.cosign-release }}
-        else
-          curl -L https://storage.googleapis.com/cosign-releases/${{ inputs.cosign-release }}/cosign-linux-amd64 -o cosign_${{ inputs.cosign-release }}
-        fi
-        shaCustom=$(sha256sum cosign_${{ inputs.cosign-release }} | cut -d' ' -f1);
+        curl -L https://storage.googleapis.com/cosign-releases/${{ inputs.cosign-release }}/${desired_cosign_filename} -o cosign_${{ inputs.cosign-release }}
+        shaCustom=$(${shaprog} cosign_${{ inputs.cosign-release }} | cut -d' ' -f1);
 
         # same hash means it is the same release
-        if [[ $shaCustom != $shaBootstrap ]];
-        then
-          if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
+        if [[ $shaCustom != $shaBootstrap ]]; then
+          if [[ ${{ inputs.cosign-release }} == 'v0.6.0' && ${{ runner.os }} == 'Linux' ]]; then
             # v0.6.0's linux release has a dependency on `libpcsclite1`
             set +e
             sudo dpkg -s libpcsclite1
@@ -64,10 +151,11 @@ runs:
                  sudo apt-get update -q
                  sudo apt-get install -yq libpcsclite1
             fi
-            set -e
-            curl -L https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/cosign_linux_amd64_0.6.0_linux_amd64.sig -o cosign-linux-amd64.sig
+          fi
+          if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
+            curl -L https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_v060_signature} -o ${desired_cosign_filename}.sig
           else
-            curl -LO https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/cosign-linux-amd64.sig
+            curl -LO https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_filename}.sig
           fi
 
           if [[ ${{ inputs.cosign-release }} < 'v0.6.0' ]]; then
@@ -76,13 +164,17 @@ runs:
             RELEASE_COSIGN_PUB_KEY=https://raw.githubusercontent.com/sigstore/cosign/${{ inputs.cosign-release }}/release/release-cosign.pub
           fi
 
-          ./cosign verify-blob --key $RELEASE_COSIGN_PUB_KEY --signature cosign-linux-amd64.sig cosign_${{ inputs.cosign-release }}
-          if [[ $? != 0 ]]; then exit 1; fi
+          set -x
+          ./cosign verify-blob --key $RELEASE_COSIGN_PUB_KEY --signature ${desired_cosign_filename}.sig cosign_${{ inputs.cosign-release }}
+          if [[ $? != 0 ]]; then
+            echo "ERROR: Unable to validate cosign version: '${{ inputs.cosign-release }}' using release public key"
+            exit 1
+          fi
 
           rm cosign
           mv cosign_${{ inputs.cosign-release }} cosign
           chmod +x cosign
         fi
-      shell: bash
-    - run:  echo "${{ inputs.install-dir }}" >> $GITHUB_PATH
+    - if: ${{ runner.os == 'Linux' || runner.os == 'macOS' }}
+      run:  echo "${{ inputs.install-dir }}" >> $GITHUB_PATH
       shell: bash