From bcddd7297a2ad6db2226dfa8333da2ba9bfb64d1 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sun, 10 Sep 2023 01:13:26 +0200
Subject: [PATCH] ci(earthly): Add simply target to verify distroless images

---
 images/mirror/Earthfile | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/images/mirror/Earthfile b/images/mirror/Earthfile
index a5f71671b..9feab9cbc 100644
--- a/images/mirror/Earthfile
+++ b/images/mirror/Earthfile
@@ -24,3 +24,14 @@ trivy:
 fedora:
     DO +MIRROR --image=quay.io/fedora/fedora:38@sha256:1972716109b1c906120061063bd4cb50a46c2138d95002ccb90126928d98e013
 
+cosign:
+    DO +MIRROR --image=gcr.io/projectsigstore/cosign:v2.2.0
+    SAVE ARTIFACT /ko-app/cosign ./cosign
+
+# verify-distroless allows to use cosign to verify all mirrored distroless images against Google's build identity
+verify-distroless:
+    FROM +fedora
+    COPY +cosign/cosign /usr/local/bin/cosign
+    COPY ./Earthfile ./
+    RUN cat ./Earthfile | grep 'DO +MIRROR --image=gcr.io/distroless/' | grep -Po 'gcr.io/distroless/[a-z0-9-.@/:]+' | xargs /usr/local/bin/cosign verify --certificate-oidc-issuer https://accounts.google.com  --certificate-identity keyless@distroless.iam.gserviceaccount.com
+
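Review bot: The `cosign:` target pulls `gcr.io/projectsigstore/cosign:v2.2.0` by tag only, while the neighbouring `fedora:` target is pinned by digest. The binary saved from that image is the trust anchor for `verify-distroless`, so a re-pointed tag would silently swap the verifier. Pin it the same way, e.g. `DO +MIRROR --image=gcr.io/projectsigstore/cosign:v2.2.0@sha256:<digest-of-v2.2.0>`. Separately, the `grep -Po` character class in the `RUN` line has no uppercase letters or `_`, so a reference whose tag contains either would be truncated, and cosign would presumably check a different reference from the one mirrored. Widening the class to `[A-Za-z0-9_.@/:-]+` avoids that. The `MIRROR` command itself is defined outside this hunk, so how it treats a tag-plus-digest reference should be confirmed there.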
-- 
GitLab