add signed releases

Author: shibumi

.github/cosign.key

@@ -0,0 +1,11 @@
+-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----
+eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6
+OCwicCI6MX0sInNhbHQiOiJIYm5Zeno2c1orRytYdlFTUWorTU5PZEhnTmZTQnpR
+NTd4MkRIQWI5emU4PSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
+Iiwibm9uY2UiOiIyS1pvUHF1bG9NcDUvcFBsOWg5cDR5VXBsL2M5eFI1OCJ9LCJj
+aXBoZXJ0ZXh0IjoiT1NqZUMvS2dtWUkzQ2ErVlVmQlh1Wm9hU0FkYWxFT0wwWk9G
+UEMrNFFWYWhtMUtNeHM2YUUwNWpvT3hveEF1eDRxaGk2amJmenp0MG5SelhJUUZt
+QjRSblBDTUQ4NmduQ2owR243dE4vc3V0TmpZbVI0c3NORzZpNXVYdTBuWmdseHk3
+K1k5SXU0cW0wOWordXRyNURwODM3RmF2Z0w3ZUhJeU1LQjlZWVd0OWZMV0s4VFps
+b29yTjJpVDYxT1E4Y0diM0JyOGw2ang2YkE9PSJ9
+-----END ENCRYPTED COSIGN PRIVATE KEY-----

.github/workflows/goreleaser.yml

@@ -0,0 +1,30 @@
+name: release
+on:
+  push:
+    tags:
+      - '*'
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17
+      - name: install cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.2.1'
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}

.github/workflows/build.yml .github/workflows/test.yml

@@ -1,5 +1,5 @@
 on: [push, pull_request]
-name: build
+name: test
 jobs:
   test:
     strategy:

.gitignore

@@ -0,0 +1,8 @@
+# goreleaser distribution directory
+dist
+
+# GoLand idea configuration
+.idea
+
+# VSCode configuration
+.vscode

.goreleaser.yaml

@@ -0,0 +1,26 @@
+project_name: in-toto
+builds:
+  - ldflags:
+      - "-s -w"
+      - "-extldflags=-zrelro"
+      - "-extldflags=-znow"
+      - "-X main.tag={{.Version}}"
+      - "-X main.commit={{.FullCommit}}"
+      - "-X main.date={{.Date}}"
+    env:
+      - "CGO_ENABLED=0"
+      - "GO111MODULE=on"
+      - "GOFLAGS=-mod=readonly -trimpath"
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+    main: ./cmd/in-toto/
+signs:
+  - cmd: cosign
+    signature: "${artifact}.sig"
+    stdin: '{{ .Env.COSIGN_PWD }}'
+    args: ["sign-blob", "-key=.github/cosign.key", "-output=${signature}", "${artifact}"]
+    artifacts: all

cmd/in-toto/version.go

@@ -0,0 +1,33 @@
+package main
+
+import (
+	"fmt"
+	"github.com/spf13/cobra"
+)
+
+var (
+	commit = "none"
+	date   = "unknown"
+	tag    = "dev"
+)
+
+var versionCmd = &cobra.Command{
+	Use:   "version",
+	Short: "Display the version of the in-toto CLI tool",
+	Long:  `Display the commit ID, the date and the version tag of the in-toto CLI as embedded by the build system.`,
+	RunE:  version,
+}
+
+func init() {
+	rootCmd.AddCommand(versionCmd)
+}
+
+func version(cmd *cobra.Command, args []string) error {
+	// let us make it as simple as possible.
+	// We could encode the version information as JSON like kubectl does,
+	// but what if the json package has a bug? :/
+	fmt.Println("commit : ", commit)
+	fmt.Println("date   : ", date)
+	fmt.Println("version: ", tag)
+	return nil
+}

cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2aAPtd19aLTQNfMnspdWzs2e0ieD
+NxbkxAfrlSrJ7t/CUdQVlzqRydZQ1HnRfGmB6xPW6U7BDFUexVYLMTMOBQ==
+-----END PUBLIC KEY-----