fix: oci registry format signing auth [HYB-731]

.github/workflows/sigstore.yml

@@ -15,19 +15,26 @@ jobs:
         uses: actions/checkout@main
         with:
           fetch-depth: 0
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Install Cosign
         uses: sigstore/cosign-installer@v3.7.0
       - name: Check Cosign
         run: cosign version
-      - name: Cosign with OIDC
+      - name: Get latest tag
+        run: echo "LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1` | tr -d 'v')" >> $GITHUB_ENV
+      - name: Get digest
         run: |
-          # Get the latest tag
-          LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1` | tr -d 'v')
-          # Obtain the digest from this tag
           DIGEST=$(curl "https://hub.docker.com/v2/repositories/snyk/snyk-universal-broker/tags/${LATEST_TAG}" | jq '.digest' -r)
-          # Sign the image, using GitHub as an OIDC provider
-          cosign sign --yes oci://registry-1.docker.io/snyk/snyk-universal-broker-helm@${DIGEST}
+          echo "DIGEST=${DIGEST}" >> $GITHUB_ENV
+      - name: Cosign with OIDC
+        run: |
+          cosign sign --yes snyk/snyk-universal-broker@${DIGEST}
+          cosign sign --yes snyk/snyk-universal-broker:${LATEST_TAG}
       - name: Verify signature
         run: |
-          cosign verify oci://registry-1.docker.io/snyk/snyk-universal-broker-helm@${DIGEST}
-          cosign verify oci://registry-1.docker.io/snyk/snyk-universal-broker-helm@${LATEST_TAG}
+          cosign verify snyk/snyk-universal-broker@${DIGEST} --certificate-identity-regexp="https://github.com/snyk/snyk-universal-broker-helm/.*" --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
+          cosign verify snyk/snyk-universal-broker:${LATEST_TAG} --certificate-identity-regexp="https://github.com/snyk/snyk-universal-broker-helm/.*" --certificate-oidc-issuer="https://token.actions.githubusercontent.com"

README.md

@@ -32,6 +32,30 @@ Pull the Helm Chart, and provide any configuration necessary:
 helm pull oci://registry-1.docker.io/snyk/snyk-universal-broker
 ```
 
+### Verifying the Helm Chart
+
+The Helm Chart for Snyk Universal Broker is signed with `cosign`. Optionally validate the Helm Chart with the following methods.
+
+#### By tag
+
+Replace `x.y.z` with the value of the tag:
+
+```
+cosign verify snyk/snyk-universal-broker:x.y.z \
+  --certificate-identity-regexp="https://github.com/snyk/snyk-universal-broker-helm/.*" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
+```
+
+#### By digest
+
+Replace `@sha256:...` with the digest of the tag:
+
+```
+cosign verify snyk/snyk-universal-broker@sha256:... \
+  --certificate-identity-regexp="https://github.com/snyk/snyk-universal-broker-helm/.*" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
+```
+
 ## Basic Configuration
 
 ### Selecting your Snyk Region