From a8fa5dc17162121fe849f37c036eabb8f959ef90 Mon Sep 17 00:00:00 2001
From: Christoph Voigt <voigt.christoph@gmail.com>
Date: Thu, 28 Sep 2023 23:31:56 +0200
Subject: [PATCH] add verify instructions

---
 .github/workflows/docker-build-push.yml | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml
index f61244f..1d849d2 100644
--- a/.github/workflows/docker-build-push.yml
+++ b/.github/workflows/docker-build-push.yml
@@ -79,24 +79,30 @@ jobs:
           cosign sign \
             --yes \
             --output-certificate crt.pem \
-            --output-signature kwasm-image.sig \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+            --output-signature kwasm.sig \
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.workflow_sha }}
       -
         name: prepare assets for upload
         if: runner.os != 'Windows'
         shell: bash
         run: |
-          echo "+++ debug +++"
-          cat crt.pem
-          cat kwasm-image.sig
           mkdir _dist
-          cp crt.pem kwasm-image.sig _dist/
+          cat <<EOF > verify.txt
+          cosign verify \
+              --signature kwasm.sig --certificate crt.pem \
+              --certificate-identity https://github.com/${{ github.workflow_ref }} \
+              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+              --certificate-github-workflow-sha ${{ github.workflow_sha }} \
+              --certificate-github-workflow-repository voigt/kwasm-operator \
+              ghcr.io/voigt/kwasm-operator:${{ github.workflow_sha }}
+          EOF
+          cp crt.pem kwasm.sig verify.txt _dist/
       -
         name: upload binary as GitHub artifact
         if: runner.os != 'Windows'
         uses: actions/upload-artifact@v3
         with:
-          name: kwasm-certs
+          name: kwasm
           path: _dist/
       - 
         name: Configure Git