From 8763ddbd60628fd511eafde72397b251d95211c0 Mon Sep 17 00:00:00 2001
From: Lan Liang
Date: Thu, 20 Apr 2023 09:00:05 +0800
Subject: [PATCH] Sign images by cosign.

Signed-off-by: Lan Liang
---
 .github/workflows/dockerhub-latest-image.yml | 5 +++++
 .github/workflows/dockerhub-released-image.yml | 5 +++++
 hack/docker.sh | 8 ++++++++
 3 files changed, 18 insertions(+)

diff --git a/.github/workflows/dockerhub-latest-image.yml b/.github/workflows/dockerhub-latest-image.yml
index 0eb6456e827c..0eabbc1db230 100644
--- a/.github/workflows/dockerhub-latest-image.yml
+++ b/.github/workflows/dockerhub-latest-image.yml
@@ -6,6 +6,8 @@ on:
 jobs:
 publish-image-to-dockerhub:
 name: publish to DockerHub
+ permissions:
+ id-token: write # To be able to get OIDC ID token to sign images.
 # prevent job running from forked repository, otherwise
 # 1. running on the forked repository would fail as missing necessary secret.
 # 2. running on the forked repository would use unnecessary GitHub Action time.
@@ -36,6 +38,8 @@ jobs:
 uses: actions/setup-go@v3
 with:
 go-version: 1.19.5
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.0.3
 - name: install QEMU
 uses: docker/setup-qemu-action@v2
 - name: install Buildx
@@ -49,4 +53,5 @@ jobs:
 env:
 REGISTRY: karmada
 VERSION: latest
+ COSIGN_EXPERIMENTAL: 1
 run: make mp-image-${{ matrix.target }}
diff --git a/.github/workflows/dockerhub-released-image.yml b/.github/workflows/dockerhub-released-image.yml
index 20241cab942d..bc9f9a4f133f 100644
--- a/.github/workflows/dockerhub-released-image.yml
+++ b/.github/workflows/dockerhub-released-image.yml
@@ -6,6 +6,8 @@ on:
 jobs:
 publish-image-to-dockerhub:
 name: publish to DockerHub
+ permissions:
+ id-token: write # To be able to get OIDC ID token to sign images.
 strategy:
 matrix:
 target:
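Review bot: The job-level `permissions:` block added in the first hunk of dockerhub-latest-image.yml (and identically in dockerhub-released-image.yml) names only `id-token: write`, and a job-level `permissions` map sets every scope it does not name to `none`, including `contents`. Whether the rest of this job still checks out the repository with the job token is outside the hunk, so confirm that before merging; the usual keyless-signing shape is `permissions:` / `contents: read` / `id-token: write`. As a small style point, yamllint expects two spaces before a trailing `#`, so `id-token: write  # To be able to get OIDC ID token to sign images.` avoids a lint warning.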
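Review bot: `uses: sigstore/cosign-installer@v3.0.3` in the new Install Cosign step is pinned to a mutable tag, and for the tool that produces the release signatures that means whoever can move the tag controls the signer; pin to the full commit SHA of the v3.0.3 tag and keep the version in a trailing comment, `uses: sigstore/cosign-installer@<commit-sha>  # v3.0.3`. The installer also takes a `cosign-release` input; without it the cosign version actually installed floats with the installer's default, so the signing tool is not reproducible from the workflow alone. The same applies to the matching step added to dockerhub-released-image.yml.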
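Review bot: `COSIGN_EXPERIMENTAL: 1` is an unquoted YAML integer; GitHub Actions stringifies env values so cosign still receives `1`, but `COSIGN_EXPERIMENTAL: "1"` makes that explicit and follows the usual rule of quoting env-var values. More importantly, cosign-installer v3 installs cosign 2.x by default, and in 2.x keyless signing is the default and this variable is no longer what enables it, so if that is the version installed the line is inert and suggests the flow is still experimental when it is not. Either drop it, or pin a cosign release via the installer's `cosign-release` input so the variable's meaning is fixed rather than depending on the installer default.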
@@ -32,6 +34,8 @@ jobs:
 uses: actions/setup-go@v3
 with:
 go-version: 1.19.5
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.0.3
 - name: install QEMU
 uses: docker/setup-qemu-action@v2
 - name: install Buildx
@@ -45,4 +49,5 @@ jobs:
 env:
 REGISTRY: karmada
 VERSION: ${{ github.ref_name }}
+ COSIGN_EXPERIMENTAL: 1
 run: make mp-image-${{ matrix.target }}
diff --git a/hack/docker.sh b/hack/docker.sh
index a45d570c7ff2..c3ade4ff6069 100755
--- a/hack/docker.sh
+++ b/hack/docker.sh
@@ -66,6 +66,7 @@ function build_local_image() {
 if [[ "$output_type" == "registry" ]]; then
 docker push "${image_name}"
+ signImage ${image_name}
 fi
 }
@@ -85,9 +86,16 @@ function build_cross_image() {
 --tag "${image_name}" \
 --file "${REPO_ROOT}/cluster/images/buildx.Dockerfile" \
 "${REPO_ROOT}/_output/bin"
+ signImage ${image_name}
 set +x
 }
+function signImage(){
+ local -r target=$1
+ echo "signing image: "${target}
+ cosign sign --yes ${target}
+}
+
 function isCross() {
 local platforms=$1
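Review bot: `signImage ${image_name}` in build_local_image is unquoted while the `docker push "${image_name}"` line directly above quotes the same variable; write `signImage "${image_name}"` so a reference containing whitespace or glob characters cannot split into extra arguments. Whether this script runs under `set -e` is not visible from the hunk; if it does not, a failed `cosign sign` leaves the just-pushed image unsigned without failing the job, so `signImage "${image_name}" || return 1` (or an explicit `exit 1`) is worth adding. build_local_image begins outside the hunk.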
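Review bot: `cosign sign --yes ${target}` in signImage signs whatever digest the tag resolves to at signing time, not necessarily the manifest that `docker buildx build --push` just uploaded; for the `latest` tag in particular another push can land between the two commands, and cosign itself warns when handed a tag rather than a digest. Resolve the reference to a digest first and sign `${target}@${digest}`, which also makes the signature verifiable independently of later tag moves. Within the function `${target}` is expanded unquoted in both the `echo` and the `cosign` call, and `local -r target=$1` silently accepts an empty argument; the rewrite below quotes the variable and fails early on a missing reference. The digest lookup relies on `docker buildx imagetools inspect`, which the buildx-based caller in build_cross_image already depends on; build_cross_image itself starts outside the hunk.
```shell
function signImage(){
  local -r target="${1:?image reference required}"
  local digest
  # Bind the signature to the manifest that was actually pushed rather than to a
  # mutable tag that may be re-pointed between the push and the sign step.
  digest=$(docker buildx imagetools inspect --format '{{.Manifest.Digest}}' "${target}")
  echo "signing image: ${target}@${digest}"
  cosign sign --yes "${target}@${digest}"
}
```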