From 0486bdd90e8100c20d64d3ac4e34a61c262bd04d Mon Sep 17 00:00:00 2001 From: Taiki Endo Date: Wed, 8 Apr 2026 00:10:16 +0900 Subject: [PATCH] Support cosign --- CHANGELOG.md | 2 + TOOLS.md | 1 + main.sh | 4 +- manifests/cosign.json | 243 +++++++++++++++++++++++++++++++++ tools/codegen/base/cosign.json | 34 +++++ tools/codegen/src/main.rs | 57 +++++++- 6 files changed, 335 insertions(+), 6 deletions(-) create mode 100644 manifests/cosign.json create mode 100644 tools/codegen/base/cosign.json diff --git a/CHANGELOG.md b/CHANGELOG.md index 21a6c74d..7e83ec17 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,8 @@ Note: In this file, do not use the hard wrap in the middle of a sentence for com ## [Unreleased] +- Support `cosign`. ([#1677](https://github.com/taiki-e/install-action/pull/1677)) + ## [2.74.1] - 2026-04-07 - Update `mise@latest` to 2026.4.5. diff --git a/TOOLS.md b/TOOLS.md index f106b8c2..92e77cad 100644 --- a/TOOLS.md +++ b/TOOLS.md 
@@ -47,6 +47,7 @@ See the [Supported tools section in README.md](README.md#supported-tools) for ho
 | [**cargo-xwin**](https://github.com/rust-cross/cargo-xwin) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/rust-cross/cargo-xwin/releases) | Linux, macOS, Windows | [MIT](https://github.com/rust-cross/cargo-xwin/blob/main/LICENSE) |
 | [**cargo-zigbuild**](https://github.com/rust-cross/cargo-zigbuild) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/rust-cross/cargo-zigbuild/releases) | Linux, macOS, Windows | [MIT](https://github.com/rust-cross/cargo-zigbuild/blob/main/LICENSE) |
 | [**coreutils**](https://github.com/uutils/coreutils) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/uutils/coreutils/releases) | Linux, macOS, Windows | [MIT](https://github.com/uutils/coreutils/blob/main/LICENSE) |
+| [**cosign**](https://github.com/sigstore/cosign) | `$HOME/.install-action/bin` | [GitHub Releases](https://github.com/sigstore/cosign/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/sigstore/cosign/blob/main/LICENSE) |
 | [**covgate**](https://github.com/jesse-black/covgate) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/jesse-black/covgate/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/jesse-black/covgate/blob/main/LICENSE) |
 | [**cross**](https://github.com/cross-rs/cross) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/cross-rs/cross/releases) | Linux, macOS, Windows | [MIT](https://github.com/cross-rs/cross/blob/main/LICENSE-MIT) OR [Apache-2.0](https://github.com/cross-rs/cross/blob/main/LICENSE-APACHE) |
 | [**cyclonedx**](https://github.com/CycloneDX/cyclonedx-cli) | `$HOME/.install-action/bin` | [GitHub Releases](https://github.com/CycloneDX/cyclonedx-cli/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/CycloneDX/cyclonedx-cli/blob/main/LICENSE) |
diff --git a/main.sh b/main.sh
index f9584842..6522f2fc 100755
--- a/main.sh
+++ b/main.sh
@@ -875,8 +875,8 @@ for tool in "${tools[@]}"; do
 iai-callgrind-runner) ;;
 # cargo-zigbuild/cargo-insta has no --version flag on `cargo $tool_bin_stem` subcommand.
 cargo-zigbuild | cargo-insta) rx "${tool_bin_stem}" --version ;;
- # deepsource has version command instead of --version flag.
- deepsource | vacuum) rx "${tool_bin_stem}" version ;;
+ # these packages have version command instead of --version flag.
+ cosign | deepsource | vacuum) rx "${tool_bin_stem}" version ;;
 cargo-*)
 case "${tool_bin_stem}" in
 # cargo-valgrind 2.1.0's --version flag just calls cargo's --version flag
diff --git a/manifests/cosign.json b/manifests/cosign.json
new file mode 100644
index 00000000..fa4ea6b2
--- /dev/null
+++ b/manifests/cosign.json
@@ -0,0 +1,243 @@ +{ + "rust_crate": null, + "template": { + "x86_64_linux_musl": { + "url": "https://github.com/sigstore/cosign/releases/download/v${version}/cosign-linux-amd64" + }, + "x86_64_macos": { + "url": "https://github.com/sigstore/cosign/releases/download/v${version}/cosign-darwin-amd64" + }, + "x86_64_windows": { + "url": "https://github.com/sigstore/cosign/releases/download/v${version}/cosign-windows-amd64.exe" + }, + "aarch64_linux_musl": { + "url": "https://github.com/sigstore/cosign/releases/download/v${version}/cosign-linux-arm64" + }, + "aarch64_macos": { + "url": "https://github.com/sigstore/cosign/releases/download/v${version}/cosign-darwin-arm64" + }, + "powerpc64le_linux_musl": { + "url": "https://github.com/sigstore/cosign/releases/download/v${version}/cosign-linux-ppc64le" + }, + "riscv64_linux_musl": { + "url": "https://github.com/sigstore/cosign/releases/download/v${version}/cosign-linux-riscv64" + }, + "s390x_linux_musl": { + "url": "https://github.com/sigstore/cosign/releases/download/v${version}/cosign-linux-s390x" + } + }, + "license_markdown": "[Apache-2.0](https://github.com/sigstore/cosign/blob/main/LICENSE)", + "latest": { + "version": "3.0.5" + }, + "3": { + "version": "3.0.5" + }, + "3.0": { + "version": "3.0.5" + }, + "3.0.6": { + "x86_64_linux_musl": { + "etag": "0x8DE9427E4F4F66D", + "hash": "c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74" + }, + "x86_64_macos": { + "etag": "0x8DE942809604B8D", + "hash": "4c3e7af8372d3ca3296e62fa56f23fcbb5721cc6ac1827900d398f110d7cd280" + }, + "x86_64_windows": { + "etag": "0x8DE9427FF1A8F49", + "hash": "9b85a88ebff2d9dd30ff4984a6f61f2cedc232dd87d81fa7f2ff3c0ed96c241c" + }, + "aarch64_linux_musl": { + "etag": "0x8DE94280251A997", + "hash": "bedac92e8c3729864e13d4a17048007cfafa79d5deca993a43a90ffe018ef2b8" + }, + "aarch64_macos": { + "etag": "0x8DE9427F9B353E4", + "hash": "5fadd012ae6381a6a29ff86a7d39aa873878852f1073fc90b15995961ecfb084" + }, + "powerpc64le_linux_musl": { + 
"etag": "0x8DE9427F2F77DC2", + "hash": "08c3e5e0a09c440f49e9a69d8639d37fbec522ec8c5c0ac805243b098e6ea512" + }, + "riscv64_linux_musl": { + "etag": "0x8DE9427F6775D14", + "hash": "e25952e798958b0f9168d044153ccc353f5469ca4b71a1707dffad0534d27017" + }, + "s390x_linux_musl": { + "etag": "0x8DE9427EF733685", + "hash": "3cf4b769258ed9cc3c2a93268c0d5c1cc3fbd094af8df21035cbac8fb0d7c088" + } + }, + "3.0.5": { + "x86_64_linux_musl": { + "etag": "0x8DE6FF25F78B056", + "hash": "db15cc99e6e4837daabab023742aaddc3841ce57f193d11b7c3e06c8003642b2" + }, + "x86_64_macos": { + "etag": "0x8DE6FF25A90279D", + "hash": "e032c44d3f7c247bbb2966b41239f88ffba002497a4516358d327ad5693c386f" + }, + "x86_64_windows": { + "etag": "0x8DE6FF2745A020C", + "hash": "44e9e44202b67ddfaaf5ea1234f5a265417960c4ae98c5b57c35bc40ba9dd714" + }, + "aarch64_linux_musl": { + "etag": "0x8DE6FF265833D25", + "hash": "d098f3168ae4b3aa70b4ca78947329b953272b487727d1722cb3cb098a1a20ab" + }, + "aarch64_macos": { + "etag": "0x8DE6FF25CFDD02F", + "hash": "4888c898e2901521a6bd4cf4f0383c9465588a6a46ecd2465ad34faf13f09eb7" + }, + "powerpc64le_linux_musl": { + "etag": "0x8DE6FF26DA417A7", + "hash": "ccd07709a25fd549dc3987eb378c4fecc1d7b851c904a59528cae8144f725c36" + }, + "riscv64_linux_musl": { + "etag": "0x8DE6FF27042D22A", + "hash": "9d108e72249dacb6ef5685320f34efcd0d85b842df90552b8fd7903a39a11c98" + }, + "s390x_linux_musl": { + "etag": "0x8DE6FF26AFDC493", + "hash": "45ebd52e4cb3c1c5dc0661f76728fa9ee7a510ae211b0cde3c43e4d8bebade86" + } + }, + "3.0.4": { + "x86_64_linux_musl": { + "etag": "0x8DE4FCA2BF218E5", + "hash": "10dab2fd2170b5aa0d5c0673a9a2793304960220b314f6a873bf39c2f08287aa" + }, + "x86_64_macos": { + "etag": "0x8DE4FCA39840E0E", + "hash": "4dbafca16d29be06a6a740d517a9f63de67c78be3a64d048e42520401d88facc" + }, + "x86_64_windows": { + "etag": "0x8DE4FCA28D7404D", + "hash": "a3a0dc4e8c745f9bd855ec18db346538b78ab2c4d6d510ae4186bb4a03f35438" + }, + "aarch64_linux_musl": { + "etag": "0x8DE4FCA1C26496E", + "hash": 
"c12fc6150195758ec0b1aeb1aade3381a1d3a299584982b66543f22bab04535b" + }, + "aarch64_macos": { + "etag": "0x8DE4FCA3CB7AA05", + "hash": "7098c46809c0818d970e63f7acd10f44c6919d3b4a261a63972a60694a9c9f66" + }, + "powerpc64le_linux_musl": { + "etag": "0x8DE4FCA2210A074", + "hash": "784dc5461a588dd8611e7969a4c988620f08bcb7f173beb77321b7acfc9a2b5f" + }, + "riscv64_linux_musl": { + "etag": "0x8DE4FCA250DB25B", + "hash": "9ec0c4ec477aaed0dbf6d3a294405441b2cc93fff0d23482eba5c2e84af5aba4" + }, + "s390x_linux_musl": { + "etag": "0x8DE4FCA35FC9609", + "hash": "0516fe2ea7d3c039cb6ed99aefbd86b69d661ff35956484c16fb480c29f3897d" + } + }, + "3.0.3": { + "x86_64_linux_musl": { + "etag": "0x8DE378193840B57", + "hash": "052363a0e23e2e7ed53641351b8b420918e7e08f9c1d8a42a3dd3877a78a2e10" + }, + "x86_64_macos": { + "etag": "0x8DE378184E3D243", + "hash": "6c75981e85e081a73f0b4087f58e0ad5fd4712c71b37fa0b6ad774c1f965bafa" + }, + "x86_64_windows": { + "etag": "0x8DE37818A249E3E", + "hash": "2593655025b52b5b1c99e43464459b645a3acbe5d4a5a9f3a766e77beec5a441" + }, + "aarch64_linux_musl": { + "etag": "0x8DE37819892DC0D", + "hash": "81398231362031e3c7afd6a7508c57049460cd7e02736f1ebe89a452102253e5" + }, + "aarch64_macos": { + "etag": "0x8DE378186BF54D2", + "hash": "38349e45a8bb0d1ed3a7affb8bdd2e9d597cee08b6800c395a926b4d9adb84d2" + }, + "powerpc64le_linux_musl": { + "etag": "0x8DE37819135D5B6", + "hash": "6af9ed378d289ffd1bce9b6de02a47a25f9bf32d01a2f6b0f43f0fbb544f14c6" + }, + "riscv64_linux_musl": { + "etag": "0x8DE3781829B3B92", + "hash": "86bbb2c0da0a80107fbe6d500da4148c3f84fa2595f76db68d4499664da2b90d" + }, + "s390x_linux_musl": { + "etag": "0x8DE37818ED171E1", + "hash": "e8cda1bb6b6719e46fe72a89789852971a228d364063cc961d065c3cd4e3db4b" + } + }, + "3.0.2": { + "x86_64_linux_musl": { + "etag": "0x8DE082BF53266ED", + "hash": "46dbdcb5467a3dfec2526923d0b3365e40c8d9dc00ec23d5aca3437449e8cbfd" + }, + "x86_64_macos": { + "etag": "0x8DE082BF2D094CE", + "hash": 
"0fc2b6f16b900abdfda3153b11fc435a8cbe3830e8e820fe8ad5fe4149a5b472" + }, + "x86_64_windows": { + "etag": "0x8DE082C03974CE8", + "hash": "7a137280d8686665ceb4d8565df2a0ac63f28031e014cdcae5d56891a6c8a400" + }, + "aarch64_linux_musl": { + "etag": "0x8DE082C0648458F", + "hash": "17fd784737ca54d7d8a343c82da6c5d6dbdee971e66644d923d1b057fb97d7ed" + }, + "aarch64_macos": { + "etag": "0x8DE082C0064BD15", + "hash": "3823b044de184da21e300bc5e20dd29d3fa9243af3ba70c4a5da1712f3385d46" + }, + "powerpc64le_linux_musl": { + "etag": "0x8DE082C0B62CF31", + "hash": "650aefe9d2bf0ee5282e8e40a7fc93ef6d66ef718a83ac3c3ec06b22b797ff00" + }, + "riscv64_linux_musl": { + "etag": "0x8DE082C0E28E598", + "hash": "0ffd9125ada732d3d3f0f1702fefd8031c04383d070cda895c5df2dfaca6e7b8" + }, + "s390x_linux_musl": { + "etag": "0x8DE082BFDC4C845", + "hash": "f45331cfa5dfb6f908a5ed4f20f6fda4f31716028d6f0dcff9c775f006d486df" + } + }, + "3.0.1": { + "x86_64_linux_musl": { + "etag": "0x8DE05F22B41933C", + "hash": "23c9ff889672f03676b673539de07d5ad4e8efc8247a3ad55c9bc00169aa2305" + }, + "x86_64_macos": { + "etag": "0x8DE05F23E3EC0F5", + "hash": "260c174b80d6401a7d2703109eb32f6a0bdbddd2ac91d3268dc96a51238d96ab" + }, + "x86_64_windows": { + "etag": "0x8DE05F21CA08FF9", + "hash": "21843dbb2e910097531ca23e9f87d0ca2ae9a412e056009eae670b090418e8ed" + }, + "aarch64_linux_musl": { + "etag": "0x8DE05F232E5B6D9", + "hash": "8f5bb6899118d521d7b12252f06d5808fba4e6cb0a23ff120ed6c14d7c87863a" + }, + "aarch64_macos": { + "etag": "0x8DE05F2419FF210", + "hash": "dad2a161d91fba199d1ebae7e5652a4c2dd412cbb1ab6b4cc8ad6a15378319fe" + }, + "powerpc64le_linux_musl": { + "etag": "0x8DE05F2278FB689", + "hash": "82ed1e2c4b37927fc39c488dd1871f2a51ea40140a8c7911ed90026b8d8bf2cd" + }, + "riscv64_linux_musl": { + "etag": "0x8DE05F23A221742", + "hash": "07b7ce941bf9918bf245153bf029d53873f4f0b1bc5e8f9141876b3523c1de0b" + }, + "s390x_linux_musl": { + "etag": "0x8DE05F22438B32A", + "hash": 
"6e30ae5e33014197a888b9492728e49aaf72343e31e26da8f7b3720518e8f6df" + } + } +} diff --git a/tools/codegen/base/cosign.json b/tools/codegen/base/cosign.json new file mode 100644 index 00000000..cc92ded6 --- /dev/null +++ b/tools/codegen/base/cosign.json @@ -0,0 +1,34 @@ +{ + "repository": "https://github.com/sigstore/cosign", + "tag_prefix": "v", + "version_range": ">= 3.0.0", + "signing": { + "kind": "custom" + }, + "platform": { + "x86_64_linux_musl": { + "asset_name": "${package}-linux-amd64" + }, + "x86_64_macos": { + "asset_name": "${package}-darwin-amd64" + }, + "x86_64_windows": { + "asset_name": "${package}-windows-amd64.exe" + }, + "aarch64_linux_musl": { + "asset_name": "${package}-linux-arm64" + }, + "aarch64_macos": { + "asset_name": "${package}-darwin-arm64" + }, + "powerpc64le_linux_musl": { + "asset_name": "${package}-linux-ppc64le" + }, + "riscv64_linux_musl": { + "asset_name": "${package}-linux-riscv64" + }, + "s390x_linux_musl": { + "asset_name": "${package}-linux-s390x" + } + } +} diff --git a/tools/codegen/src/main.rs b/tools/codegen/src/main.rs index 71ef81ff..0b48a868 100644 --- a/tools/codegen/src/main.rs +++ b/tools/codegen/src/main.rs 
@@ -385,6 +385,58 @@ fn main() {
 );
 eprintln!("done");
 }
+ "cosign" => {
+ let [checksum, bundle] =
+ ["cosign_checksums.txt", "cosign_checksums.txt.sigstore.json"].map(
+ |f| {
+ let asset = release
+ .assets
+ .iter()
+ .find(|asset| asset.name.ends_with(f))
+ .unwrap();
+ let download_cache =
+ download_cache_dir.join(format!("{version}-{f}"));
+ let url = &asset.browser_download_url;
+ eprint!(
+ "downloading {url} for signature verification ... "
+ );
+ if download_cache.is_file() {
+ eprintln!("already downloaded");
+ } else {
+ download_to_buf(url, &mut buf);
+ eprintln!("download complete");
+ fs::write(&download_cache, &buf).unwrap();
+ buf.clear();
+ }
+ download_cache
+ },
+ );
+ eprint!("verifying checksum file for {package}@{version} ... ");
+ cmd!(
+ "cosign",
+ "verify-blob",
+ &checksum,
+ "--bundle",
+ bundle,
+ "--certificate-identity",
+ "keyless@projectsigstore.iam.gserviceaccount.com",
+ "--certificate-oidc-issuer",
+ "https://accounts.google.com"
+ )
+ .run()
+ .unwrap();
+ verified_checksum = Some(
+ fs::read_to_string(checksum)
+ .unwrap()
+ .lines()
+ .filter_map(|l| l.split_once(" "))
+ .map(|(h, f)| {
+ (f.trim_ascii().to_owned(), h.trim_ascii().to_owned())
+ })
+ .collect(),
+ );
+ eprintln!("done");
+ }
 "syft" => {
 // Refs: https://oss.anchore.com/docs/installation/verification/
 let [checksum, certificate, signature] =
@@ -572,10 +624,7 @@ fn main() {
 );
 };
 let url = url.clone() + ".sig";
- let sig_download_cache = &download_cache.with_extension(format!(
- "{}.sig",
- download_cache.extension().unwrap_or_default().to_str().unwrap()
- ));
+ let sig_download_cache = &download_cache.with_added_extension("sig");
 eprint!("downloading {url} for signature validation ... ");
 let sig = if sig_download_cache.is_file() {
 eprintln!("already downloaded");
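Review bot: In the new `"cosign"` arm, `.filter_map(|l| l.split_once(" "))` silently drops every line of the verified checksum file that does not split, and nothing in the hunk checks that the collected map is non-empty or that each hash has the shape of a SHA-256 digest. Whether an asset missing from `verified_checksum` is later rejected is decided outside this hunk (the enclosing `fn main` starts and ends outside it), so I would fail closed here by binding the collected map to a local and adding `assert!(!map.is_empty(), "no entries parsed from cosign_checksums.txt");` before wrapping it in `Some`. The pinned `--certificate-identity` / `--certificate-oidc-issuer` pair is the whole trust anchor for this verification but carries no reference, unlike the `// Refs:` line on the `"syft"` arm; a comment such as `// Refs: <URL of the sigstore document that publishes the release signing identity>` would let a later reviewer confirm the values. The asset lookup `.find(|asset| asset.name.ends_with(f)).unwrap()` also panics without naming the file it could not find; `.unwrap_or_else(|| panic!("release has no asset ending with {f}"))` would make a failed run diagnosable.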