feat(ci): add cosign to sign the released binaries

.github/workflows/release.yml

@@ -29,7 +29,10 @@ jobs:
         shell: bash
         run: ./scripts/parse_ref.sh ${{ github.ref }} >> ${GITHUB_OUTPUT}
 
-  build:
+  build-and-sign:
+    permissions:
+      # cosign uses the GitHub OIDC token
+      id-token: write
     needs:
       - parse
     strategy:
@@ -38,30 +41,67 @@ jobs:
     runs-on: "ubuntu-22.04"
     steps:
       - uses: actions/checkout@v3
+
       - name: Setup build env
         run: ./scripts/setup-linux.sh
-      - uses: actions-rust-lang/setup-rust-toolchain@v1
+
+      - name: Setup rust toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@v1
         env:
           RUST_CACHE_KEY_OS: rust-release-cache-${{ needs.parse.outputs.crate }}-${{ matrix.arch }}
         with:
           rustflags: '' #Disable.  By default this action sets environment variable is set to -D warnings.  We manage this in the Makefile
+
       - name: Setup cross-rs
         run: ./scripts/setup-cross.sh ${{ matrix.arch }}-unknown-linux-musl
+
       - name: Setup build profile
         shell: bash
         run: echo "OPT_PROFILE=release" >> ${GITHUB_ENV}
+
+      - name: Setup cosign for signing
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: 'v2.2.2'
+
       - name: Build
         timeout-minutes: 20
         run: make build-${{ needs.parse.outputs.runtime }}
+
       - name: Test
         if: ${{ matrix.arch == 'x86_64' }}
         timeout-minutes: 10
         run: make test-${{ needs.parse.outputs.runtime }}
+
+      - name: Sign the binary
+        if: ${{ needs.parse.outputs.runtime != 'wasm' }}
+        run: |
+          make dist-${{ needs.parse.outputs.runtime }}
+          # Check if there's any files to archive as tar fails otherwise
+          if stat dist/bin/* >/dev/null 2>&1; then
+            cosign sign-blob --yes \
+              --bundle containerd-shim-${{ needs.parse.outputs.runtime }}-v1.bundle \
+              dist/bin/containerd-shim-${{ needs.parse.outputs.runtime }}-v1
+
+            cosign sign-blob --yes \
+              --bundle containerd-shim-${{ needs.parse.outputs.runtime }}d-v1.bundle \
+              dist/bin/containerd-shim-${{ needs.parse.outputs.runtime }}d-v1
+
+            cosign sign-blob --yes \
+              --bundle containerd-${{ needs.parse.outputs.runtime }}d.bundle \
+              dist/bin/containerd-${{ needs.parse.outputs.runtime }}d
+
+            # Copy the certs to the dist/bin folder
+            cp *.sig dist/bin/
+            cp *.pem dist/bin/
+          else
+            echo "No files to sign"
+          fi
+
       - name: Package artifacts
         if: ${{ needs.parse.outputs.runtime != 'wasm' }}
         shell: bash
         run: |
-          make dist-${{ needs.parse.outputs.runtime }}
           # Check if there's any files to archive as tar fails otherwise
           if stat dist/bin/* >/dev/null 2>&1; then
             tar -czf dist/containerd-shim-${{ needs.parse.outputs.runtime }}-${{ matrix.arch }}.tar.gz -C dist/bin .
@@ -79,7 +119,7 @@ jobs:
     permissions:
       contents: write
     needs:
-      - build
+      - build-and-sign
       - parse
     runs-on: ubuntu-latest
     steps:

RELEASE.md

@@ -38,13 +38,26 @@ containerd-shim-wasm = { path = "crates/containerd-shim-wasm", version = "0.4.0"
 2. PR can be merged after 2 LGTMs
 3. Tag the release with the format `<crate>/v<version>` (e.g. `containerd-shim-wasm/v0.2.0`)
 4. Wait for the release workflow to complete
-5. Manually verify the release on crates.io and on the GitHub releases page.
+5. Manually verify the release on crates.io and on the GitHub releases page (See [Verify signing](#Verify-signing) section for more details on verifying the release on GitHub releases page.)
 6. If this is the first time publishing this crate, see the [First release of a crate](#First-release-of-a-crate) section.
 
 > Note: If step 1 and/or 2 is skipped, the release workflow will fail because the version in the Cargo.toml will not match the tag.
 >
 > For step 5, some crates have binaries, such as the containerd-shim-wasmtime crate. These binaries are built as part of the release workflow and uploaded to the GitHub release page. You can download the binaries from the release page and verify that they work as expected.
 
+## Verify signing
+
+The release pipeline uses `cosign` to sign the release blobs, if any. It uses Github's OIDC token to authenticate with Sigstore to prove identity and outputs a `.bundle` file, which contains a signature and a key. This file can be verified using `cosign verify-blob` command, providing the workflow tag and Github as the issuer. The full command looks like this (e.g. wasmtime shim):
+
+```sh
+cosign verify-blob --bundle containerd-shim-wasmtime-v1.bundle \
+--certificate-identity https://github.com/containerd/runwasi/.github/workflows/release.yml@refs/tags/containerd-shim-wasmtime/<tag> \ 
+--certificate-oidc-issuer https://token.actions.githubusercontent.com \
+containerd-shim-wasmtime-v1
+```
+
+In the Github release page, please provide the above command in the instructions for the consumer to verify the release.
+
 ## First release of a crate
 
 If the crate has never been published to crates.io before then ownership of the crate will need to be configured.