ci(earthly): Add simply target to verify distroless images

images/mirror/Earthfile

@@ -24,3 +24,14 @@ trivy:
 fedora:
     DO +MIRROR --image=quay.io/fedora/fedora:38@sha256:1972716109b1c906120061063bd4cb50a46c2138d95002ccb90126928d98e013
 
+cosign:
+    DO +MIRROR --image=gcr.io/projectsigstore/cosign:v2.2.0
+    SAVE ARTIFACT /ko-app/cosign ./cosign
+
+# verify-distroless allows to use cosign to verify all mirrored distroless images against Google's build identity
+verify-distroless:
+    FROM +fedora
+    COPY +cosign/cosign /usr/local/bin/cosign
+    COPY ./Earthfile ./
+    RUN cat ./Earthfile | grep 'DO +MIRROR --image=gcr.io/distroless/' | grep -Po 'gcr.io/distroless/[a-z0-9-.@/:]+' | xargs /usr/local/bin/cosign verify --certificate-oidc-issuer https://accounts.google.com  --certificate-identity keyless@distroless.iam.gserviceaccount.com
+