From 4354c38d7e59182c96e952312ff339cd8d231dd8 Mon Sep 17 00:00:00 2001 From: cpanato Date: Fri, 30 Sep 2022 10:46:25 +0200 Subject: [PATCH] sign binaries and images with sigstore cosign also generate sboms for archives and packages Signed-off-by: cpanato --- .goreleaser.yaml | 24 ++++++++++++++ cmd/goreleaser/internal/configure.go | 49 +++++++++++++++++++++++++++- 2 files changed, 72 insertions(+), 1 deletion(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index de655434..d48fbde6 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -1,4 +1,6 @@ project_name: opentelemetry-collector-releases +env: +- COSIGN_EXPERIMENTAL=true builds: - id: otelcol goos: @@ -290,3 +292,25 @@ docker_manifests: .Version }}-arm64 - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:{{ .Version }}-ppc64le +signs: +- cmd: cosign + args: + - sign-blob + - --output-signature + - ${artifact}.sig + - --output-certificate + - ${artifact}.pem + - ${artifact} + signature: ${artifact}.sig + artifacts: all + certificate: ${artifact}.pem +docker_signs: +- args: + - sign + - ${artifact} + artifacts: all +sboms: +- id: archive + artifacts: archive +- id: package + artifacts: package diff --git a/cmd/goreleaser/internal/configure.go b/cmd/goreleaser/internal/configure.go index 6d2ed57b..2ebf0980 100644 --- a/cmd/goreleaser/internal/configure.go +++ b/cmd/goreleaser/internal/configure.go @@ -39,12 +39,15 @@ func Generate(imagePrefixes []string, dists []string) config.Project { Checksum: config.Checksum{ NameTemplate: "{{ .ProjectName }}_checksums.txt", }, - + Env: []string{"COSIGN_EXPERIMENTAL=true"}, Builds: Builds(dists), Archives: Archives(dists), NFPMs: Packages(dists), Dockers: DockerImages(imagePrefixes, dists), DockerManifests: DockerManifests(imagePrefixes, dists), + Signs: Sign(), + DockerSigns: DockerSigns(), + SBOMs: SBOM(), } } 
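Review bot: The new `signs` entry relies on `COSIGN_EXPERIMENTAL=true` to do keyless (Fulcio/Rekor) signing, so the signature is only as strong as the OIDC identity the CI job presents, and nothing in the hunk tells consumers which identity to expect when checking the `.sig`/`.pem` pair that `artifacts: all` now emits for every archive, package, checksum file and SBOM. A comment above `signs:` such as `# keyless signing: verify with cosign verify-blob --certificate <artifact>.pem --signature <artifact>.sig, pinning --certificate-identity and --certificate-oidc-issuer to the release workflow` would record that contract next to the config. Recent cosign releases also prompt for confirmation before uploading to Rekor, so a non-interactive run may need `- --yes` (or `COSIGN_YES=true`) added to the args; confirm this against the cosign version pinned in the release workflow, which is outside this diff.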
@@ -214,3 +217,47 @@ func DockerManifest(imagePrefixes []string, dist string) (manifests []config.Doc func imageName(dist string) string { return strings.Replace(dist, "otelcol", "opentelemetry-collector", 1) } + +func Sign() []config.Sign { + return []config.Sign{ + { + Artifacts: "all", + Signature: "${artifact}.sig", + Certificate: "${artifact}.pem", + Cmd: "cosign", + Args: []string{ + "sign-blob", + "--output-signature", + "${artifact}.sig", + "--output-certificate", + "${artifact}.pem", + "${artifact}", + }, + }, + } +} + +func DockerSigns() []config.Sign { + return []config.Sign{ + { + Artifacts: "all", + Args: []string{ + "sign", + "${artifact}", + }, + }, + } +} + +func SBOM() []config.SBOM { + return []config.SBOM{ + { + ID: "archive", + Artifacts: "archive", + }, + { + ID: "package", + Artifacts: "package", + }, + } +}
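Review bot: `DockerSigns` passes only `${artifact}` to `cosign sign`, which is a tag reference, so cosign resolves the tag to a digest at signing time; if the tag is re-pushed between the manifest push and the sign step, the signature lands on whatever the tag points to at that moment. If the goreleaser version in use exposes the `${digest}` variable for `docker_signs`, pin the reference with `"${artifact}@${digest}"`; otherwise the limitation deserves a comment on the function, and the checked-in `.goreleaser.yaml` in this same commit carries the identical args and needs the same change. The three new exported functions also lack doc comments; `// Sign returns the keyless cosign sign-blob configuration applied to every release artifact.`, `// DockerSigns returns the cosign configuration used to sign images and manifests.` and `// SBOM returns the SBOM generation entries for archives and packages.` would satisfy the exported-name convention, and the one on `Sign` should note that it only works because `Generate` sets `COSIGN_EXPERIMENTAL=true`.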