chore: sign container images and checksum assets

[34fathombelow]

Signed-off-by: Justin Marquis [email protected]
Closes #2330

This PR implements container images and argo-rollouts-checksums.txt to be signed using sigstore/cosign

Three GitHub secrets will need to be created before this PR is merged. The process to do this is listed below.

TLDR: https://docs.sigstore.dev/cosign/git_support

1. Install Cosign on your workstation. Linux, Homebrew, and container options are available. Execute the command cosign --version to verified it has been installed correctly.
2. Create or have a valid GitHub PAT token available.
3. Export your PAT as the environment variable "GITHUB_TOKEN"
4. Execute cosign generate-key-pair github://argoproj/argo-rollouts This will start the process of creating the GitHub Secrets automatically for you, and prompt you to enter a password. This Password will be stored as the Github secret COSIGN_PASSWORD I would recommend to use well respected password generator such as KeePassXC or Bitwarden and use a paranoid level of characters of at least 32.
5. Three GitHub secretes should have been created, please verify. COSIGN_PASSWORD COSIGN_PRIVATE_KEY & COSIGN_PUBLIC_KEY
6. Please comment on this PR with the newly created public key (cosign.pub)

[github-actions]

Go Published Test Results

1 778 tests   1 778 ✔️  2m 31s ⏱️
   101 suites         0 💤
       1 files           0 ❌

Results for commit 835c305.

♻️ This comment has been updated with latest results.

[github-actions]

E2E Tests Published Test Results

89 tests   86 ✔️  44m 14s ⏱️
  1 suites    3 💤
  1 files      0 ❌

Results for commit 835c305.

♻️ This comment has been updated with latest results.

[codecov]

Codecov Report

Base: 82.76% // Head: 82.76% // Decreases project coverage by -0.00% ⚠️

Coverage data is based on head (835c305) compared to base (fd6dcc1).
Patch has no changes to coverable lines.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2334      +/-   ##
==========================================
- Coverage   82.76%   82.76%   -0.01%     
==========================================
  Files         121      121              
  Lines       18522    18536      +14     
==========================================
+ Hits        15330    15341      +11     
- Misses       2408     2410       +2     
- Partials      784      785       +1     

Impacted Files	Coverage Δ
metricproviders/webmetric/webmetric.go	68.88% <0.00%> (+1.12%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[jessesuen]

The COSIGN_PASSWORD COSIGN_PRIVATE_KEY & COSIGN_PUBLIC_KEY secrets have been added. Here is the public key:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElm4DvuUfW6x0jB8vZ5wO+XeyaAbK
3/VjNMOsZ2svjls3mc/1eg2cP3MR9kOA7HD75nERY+U82vqhGsZ8bwnMLQ==
-----END PUBLIC KEY-----

I've announced the above public key, but in the future this might change (if we for example switch from github actions), right?

I've discarded the private key and password so they only exist in GitHub now.

[jessesuen]

I'll merge this in after conflict is resolved. Thanks!

[34fathombelow]

I'll merge this in after conflict is resolved. Thanks!

@jessesuen thanks for all your help. Conflicts have been resolved.

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

[zachaller]

@jessesuen I went over these changes again and they LGTM with the digest changes.

[zachaller]

part of #2329