From 688ea42e72ffbefcca46284eef9442893ec9eede Mon Sep 17 00:00:00 2001 From: James Pace Date: Tue, 8 Aug 2023 21:36:15 -0400 Subject: [PATCH] Switch to signing with cosign instead of skopeo.
---
 generic-tasks/j7s-buildah.yaml | 21 ++++++---------------
 images/Dockerfile_buildah | 7 ++++++-
 2 files changed, 12 insertions(+), 16 deletions(-)
diff --git a/generic-tasks/j7s-buildah.yaml b/generic-tasks/j7s-buildah.yaml
index b777208..7d0beca 100644
--- a/generic-tasks/j7s-buildah.yaml
+++ b/generic-tasks/j7s-buildah.yaml
@@ -28,29 +28,20 @@ spec:
 set -x
 # Login
 buildah login --tls-verify=false --username=$USERNAME --password=$PASSWORD $(params.registry)
- # Setup cosign.
- mkdir -p ~/.sigstore
- cp /etc/cosign-credentials/* ~/.sigstore
- cat < ~/.sigstore/param-file.yaml
- privateKeyFile: "$HOME/.sigstore/cosign.key"
- privateKeyPassphraseFile: "$HOME/.sigstore/cosign.password"
- EOF
- mkdir -p /etc/containers/registries.d/
- cat < /etc/containers/registries.d/james-registry.yaml
- docker:
- $(params.registry):
- use-sigstore-attachments: true
- EOF
+ cosign login --username=$USERNAME --password=$PASSWORD $(params.registry)
 # Build
 buildah --storage-driver=overlay bud --tls-verify=false --no-cache \
 -f $(params.containerfile) -t $(params.name):$(params.version) .
 # Push
- skopeo copy --debug --dest-tls-verify=false --sign-by-sigstore=$HOME/.sigstore/param-file.yaml \
+ skopeo copy --debug --dest-tls-verify=false \
 containers-storage:localhost/$(params.name):$(params.version) \
 docker://$(params.registry)/$(params.name):$(params.version)
- skopeo copy --debug --dest-tls-verify=false --sign-by-sigstore=$HOME/.sigstore/param-file.yaml \
+ skopeo copy --debug --dest-tls-verify=false \
 containers-storage:localhost/$(params.name):$(params.version) \
 docker://$(params.registry)/$(params.name):latest
+
+ export COSIGN_PASSWORD=$(cat /etc/cosign-credentials/cosign.password)
+ cosign sign --allow-insecure-registry --key /etc/cosign-credentials/cosign.key docker://$(params.registry)/$(params.name):$(params.version)
 env:
 - name: USERNAME
 valueFrom:
diff --git a/images/Dockerfile_buildah b/images/Dockerfile_buildah
index b557b05..0f3a3a1 100644
--- a/images/Dockerfile_buildah
+++ b/images/Dockerfile_buildah
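Review bot: With `set -x` still in effect from the top of the script, the added `export COSIGN_PASSWORD=$(cat /etc/cosign-credentials/cosign.password)` is traced with the substitution already expanded, so the signing-key passphrase lands in the task log next to the registry password that the new `cosign login --username=$USERNAME --password=$PASSWORD` also echoes. Inject the passphrase the way USERNAME is handled in the `env:` block at the end of the hunk — a `- name: COSIGN_PASSWORD` entry with `valueFrom: secretKeyRef` — and pass the registry password over stdin: `echo "$PASSWORD" | cosign login --username "$USERNAME" --password-stdin $(params.registry)`. Signing the mutable `:$(params.version)` tag rather than a digest also leaves a window between the skopeo push and the sign step; writing the pushed digest with skopeo's `--digestfile` and signing `$(params.registry)/$(params.name)@sha256:...` closes it. Cosign 2.x also uploads to the public Rekor log by default and expects `--yes` in a non-interactive step, so for a registry reached with `--allow-insecure-registry` decide explicitly between `--tlog-upload=false` and `--yes` (confirm against 2.1.1 behaviour). The `script:` block this hunk edits begins above the hunk.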
@@ -3,4 +3,9 @@ FROM quay.io/buildah/upstream:latest
 # Add skopeo.
 RUN dnf install -y skopeo \
 --exclude container-selinux \
- --enablerepo=updates-testing
\ No newline at end of file
+ --enablerepo=updates-testing
+
+# Add wget, use it to install cosign.
+RUN dnf install -y wget && \
+ wget https://github.com/sigstore/cosign/releases/download/v2.1.1/cosign-2.1.1.x86_64.rpm && \
+ rpm -ivh cosign*.rpm
\ No newline at end of file
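Review bot: The new `RUN` downloads `cosign-2.1.1.x86_64.rpm` from GitHub and installs it with `rpm -ivh cosign*.rpm` without checking a checksum or signature, so the tool that will sign every image this task builds is itself installed unverified. Pin the expected sha256 from the release's checksum file and verify it before installing (the release also ships a `.sig`/`.pem` pair for `cosign verify-blob`, but that needs a trusted cosign already present), install the exact filename rather than a glob, and delete the RPM and run `dnf clean all` so the package and cache do not remain in the image. The version appears twice on the wget line; an `ARG COSIGN_VERSION=2.1.1` keeps them in step when bumping. The `<sha256>` placeholder below must be filled from the published checksums, not invented.

```dockerfile
ARG COSIGN_VERSION=2.1.1
# Add cosign, pinned and checksum-verified against the release's checksum file.
RUN dnf install -y wget && \
    wget https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-${COSIGN_VERSION}.x86_64.rpm && \
    echo "<sha256 from cosign_checksums.txt>  cosign-${COSIGN_VERSION}.x86_64.rpm" | sha256sum -c - && \
    rpm -ivh cosign-${COSIGN_VERSION}.x86_64.rpm && \
    rm -f cosign-${COSIGN_VERSION}.x86_64.rpm && \
    dnf clean all
```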