Don't sign yet, plus attempt to shell to cosign version at start + fix install in gcb

cmd/cmrel/cmd/gcb_publish.go

@@ -286,6 +286,11 @@ func runGCBPublish(rootOpts *rootOptions, o *gcbPublishOptions) error {
 		if _, err := sign.NewGCPKMSKey(o.SigningKMSKey); err != nil {
 			return err
 		}
+
+		log.Printf("getting cosign version information")
+		if err := cosign.Version(ctx, o.CosignPath); err != nil {
+			return fmt.Errorf("failed to query cosign version: %w", err)
+		}
 	}
 
 	// fetch the staged release from GCS
@@ -523,9 +528,13 @@ func pushContainerImages(ctx context.Context, o *gcbPublishOptions, rel *release
 		log.Printf("Pushed multi-arch manifest list %q", manifestListName)
 	}
 
-	if err := signRegistryContent(ctx, o, pushedContent); err != nil {
-		return fmt.Errorf("failed to sign images: %w", err)
-	}
+	// TODO: since cert-manager images are currently pushed to quay.io, we can't actually sign
+	// the images since quay doesn't support cosign signatures. when it's upgraded to 3.6, we can
+	// uncomment this and sign.
+	// see: https://github.com/sigstore/cosign/issues/40#issuecomment-833217878
+	// if err := signRegistryContent(ctx, o, pushedContent); err != nil {
+	// 	return fmt.Errorf("failed to sign images: %w", err)
+	// }
 
 	return nil
 }

gcb/publish/cloudbuild.yaml

@@ -19,7 +19,22 @@ secrets:
 
 steps:
 
-## Clone & checkout the cert-manager release repository
+## Clone & checkout the cosign repository, then build and install
+# You'd think we could just use "go install" but the gopath setup in this builder container
+# is roughly equivalent to a labyrinth. Nothing works as expected in this image; running it
+# locally won't help. The original cmrel build below works, so I'm just copying that to end
+# the nightmares and the pain.
+- name: gcr.io/cloud-builders/go:alpine-1.16
+  dir: "go/src/github.com/sigstore/cosign"
+  entrypoint: sh
+  args:
+  - -c
+  - |
+    set -e
+    git clone "${_COSIGN_REPO_URL}" . && git checkout "${_COSIGN_REPO_REF}"
+    CGO_ENABLED=0 go build -o /workspace/go/bin/cosign ./cmd/cosign
+
+## Clone & checkout the cert-manager release repository, then build and install
 - name: gcr.io/cloud-builders/go:alpine-1.16
   dir: "go/src/github.com/cert-manager/release"
   entrypoint: sh
@@ -29,7 +44,6 @@ steps:
     set -e
     git clone "${_RELEASE_REPO_URL}" . && git checkout "${_RELEASE_REPO_REF}"
     CGO_ENABLED=0 go build -o /workspace/go/bin/cmrel ./cmd/cmrel
-    GOBIN=/workspace/go/bin go install github.com/sigstore/cosign/cmd/cosign@v1.2.1
 
 ## Write DOCKER_CONFIG file to $HOME/.docker/config.json
 - name: gcr.io/cloud-builders/docker:19.03.8
@@ -92,5 +106,7 @@ substitutions:
   _PUBLISH_ACTIONS: "*"
   ## Used as a tag to identify the build more easily later
   _TAG_RELEASE_NAME: ""
-  ## Points to cosign
+  ## Cosign details
+  _COSIGN_REPO_URL: https://github.com/sigstore/cosign
+  _COSIGN_REPO_REF: "v1.2.1"
   _COSIGN_PATH: "/workspace/go/bin/cosign"

pkg/sign/cosign/cosign.go

@@ -33,3 +33,8 @@ func Sign(ctx context.Context, cosignPath string, containers []string, key sign.
 
 	return shell.Command(ctx, "", cosignPath, args...)
 }
+
+// Version calls "cosign version", both for informational purposes and as a check that the binary exists
+func Version(ctx context.Context, cosignPath string) error {
+	return shell.Command(ctx, "", cosignPath, []string{"version"}...)
+}