From 279fef9e0683905f76c5e7a76530241fbe627e13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ville=20Skytt=C3=A4?=
Date: Sun, 11 May 2025 16:17:53 +0300
Subject: [PATCH] feat: verify installer downloads with cosign

---
 .github/workflows/post-release.yml | 1 +
 .github/workflows/pr-checks.yml | 1 +
 docs/src/docs/welcome/install.mdx | 4 ++++
 install.sh | 17 +++++++++++++++++
 4 files changed, 23 insertions(+)

diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml
index d618b4c58c11..00bf7619293e 100644
--- a/.github/workflows/post-release.yml
+++ b/.github/workflows/post-release.yml
@@ -74,4 +74,5 @@ jobs:
 os: [ubuntu-latest, macos-latest, windows-latest]
 runs-on: ${{ matrix.os }}
 steps:
+ - uses: sigstore/cosign-installer@v3
 - run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b "./install-golangci-lint"
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index f5c69841abef..7611c46b3a23 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -51,6 +51,7 @@ jobs:
 os: [ubuntu-latest, ubuntu-24.04-arm, macos-latest, windows-latest]
 runs-on: ${{ matrix.os }}
 steps:
+ - uses: sigstore/cosign-installer@v3
 - uses: actions/checkout@v4
 - name: Check installation script
 run: cat ./install.sh | sh -s -- -d -b "./install-golangci-lint"
diff --git a/docs/src/docs/welcome/install.mdx b/docs/src/docs/welcome/install.mdx
index c67c1dbf971a..6b123acf929e 100644
--- a/docs/src/docs/welcome/install.mdx
+++ b/docs/src/docs/welcome/install.mdx
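Review bot: The new `- uses: sigstore/cosign-installer@v3` step in post-release.yml pulls the verifier itself from a floating major tag, so the tool that is supposed to anchor the supply-chain check is fetched from a mutable ref. Pin it to a full commit SHA with the version in a trailing comment, e.g. `- uses: sigstore/cosign-installer@<full-commit-sha> # v3.x`, which is the usual hardening for third-party actions. The same line is added to pr-checks.yml and should be pinned identically. The job definition starts above the hunk.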
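Review bot: The "Check installation script" step in pr-checks.yml still passes when the cosign path is never exercised, because install.sh's cosign_verify logs "cosign is not available, skipping verify" and returns 0 whenever the binary is missing, so a broken or skipped installer step would go unnoticed. Capture the installer output and fail on the skip message, e.g. `run: |`, `  cat ./install.sh | sh -s -- -d -b "./install-golangci-lint" 2>&1 | tee install.log`, `  ! grep -q 'skipping verify' install.log`. This also assumes the job's default shell has pipefail enabled (it does for bash on Linux/macOS runners; the Windows matrix entry is worth checking). The job definition starts above the hunk.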
@@ -54,6 +54,8 @@ wget -O- -nv https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/insta
 golangci-lint --version
 ```
 
+If [`cosign`](https://github.com/sigstore/cosign) is installed, the installer will verify downloads with it. This is highly recommended.
+
 It is advised that you periodically update the version of golangci-lint as the project is under active development and is constantly being improved.
 
 For any problems with golangci-lint, check out recent [GitHub issues](https://github.com/golangci/golangci-lint/issues) and update if needed.
@@ -70,6 +72,8 @@ curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install
 golangci-lint --version
 ```
 
+If [`cosign`](https://github.com/sigstore/cosign) is installed, the installer will verify downloads with it. This is highly recommended.
+
 On Windows, you can run the above commands with Git Bash, which comes with [Git for Windows](https://git-scm.com/download/win).
 
 ### Linux
diff --git a/install.sh b/install.sh
index 4076fc35aed0..6afd1eb62e1a 100755
--- a/install.sh
+++ b/install.sh
@@ -42,6 +42,7 @@ execute() {
 log_debug "downloading files into ${tmpdir}"
 http_download "${tmpdir}/${TARBALL}" "${TARBALL_URL}"
 http_download "${tmpdir}/${CHECKSUM}" "${CHECKSUM_URL}"
+ cosign_verify "${tmpdir}/${CHECKSUM}"
 hash_sha256_verify "${tmpdir}/${TARBALL}" "${tmpdir}/${CHECKSUM}"
 srcdir="${tmpdir}/${NAME}"
 rm -rf "${srcdir}"
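Review bot: The added `cosign_verify "${tmpdir}/${CHECKSUM}"` call in execute() discards the function's exit status, so a failed `cosign verify-blob` only stops the install if `set -e` is in effect earlier in the file (not visible in this hunk); otherwise the unverified checksum file is still fed to hash_sha256_verify on the next line and the tarball is installed. Make the abort explicit so it does not depend on a shell option: `cosign_verify "${tmpdir}/${CHECKSUM}" || exit 1`. Verifying only the checksum file is sufficient here, since the tarball is then bound to it by hash_sha256_verify, and a one-line comment saying so would help the next reader, e.g. `# the signature covers the checksum file; the tarball is bound to it by the sha256 check below`. execute() starts and ends outside the hunk.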
@@ -390,6 +391,20 @@ End of functions from https://github.com/client9/shlib
 ------------------------------------------------------------------------
 EOF
 
+cosign_verify() {
+ if ! is_command cosign; then
+ log_info "cosign is not available, skipping verify"
+ return 0
+ fi
+ checksums=$1
+ http_download "${tmpdir}/${CHECKSUM_COSIGN_BUNDLE}" "${CHECKSUM_COSIGN_BUNDLE_URL}"
+ cosign verify-blob \
+ --bundle="${tmpdir}/${CHECKSUM_COSIGN_BUNDLE}" \
+ --certificate-identity="https://github.com/$PREFIX/.github/workflows/release.yml@refs/tags/$TAG" \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ "$checksums"
+}
+
 PROJECT_NAME="golangci-lint"
 OWNER=golangci
 REPO="golangci-lint"
@@ -428,6 +443,8 @@ TARBALL=${NAME}.${FORMAT}
 TARBALL_URL=${GITHUB_DOWNLOAD}/${TAG}/${TARBALL}
 CHECKSUM=${PROJECT_NAME}-${VERSION}-checksums.txt
 CHECKSUM_URL=${GITHUB_DOWNLOAD}/${TAG}/${CHECKSUM}
+CHECKSUM_COSIGN_BUNDLE=${CHECKSUM}.cosign.bundle
+CHECKSUM_COSIGN_BUNDLE_URL=${CHECKSUM_URL}.cosign.bundle
 execute
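Review bot: cosign_verify fails open: when `cosign` is not on PATH it logs at info level and returns 0, so a user who relies on the verification the docs now advertise has no way to require it, and a PATH mistake silently disables the check. Consider an opt-in switch (an environment variable the caller exports) under which the skip branch becomes `log_info "cosign is required but not available"` followed by `return 1`, keeping today's lenient default. The identity string hard-codes `release.yml` and `refs/tags/$TAG` with `$PREFIX` and `$TAG` defined elsewhere in the file (presumably owner/repo and the release tag); a comment on that line such as `# must match the workflow file and tag ref that signs the checksums in the release job` would make it clear that renaming the workflow breaks every install with cosign present.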
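Review bot: `CHECKSUM_COSIGN_BUNDLE_URL` assumes every release tag publishes a `*-checksums.txt.cosign.bundle` asset, but tags cut before the release workflow started producing bundles (presumably all existing ones) will now fail in http_download on a machine with cosign installed while succeeding on one without it. Do not resolve this by skipping on a missing bundle, since that would let a 404 disable verification; instead document the first version that ships a bundle next to these assignments, e.g. `# bundles exist only for releases built after the signing step was added; older tags fail here when cosign is present`, and mention the same limit in the install docs.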