From a2b9ff276afc874956b8cdadadf50c1e966c6b1c Mon Sep 17 00:00:00 2001
From: Sascha Grunert
Date: Wed, 5 Apr 2023 10:04:17 +0200
Subject: [PATCH] Update cosign signature check

The check of the cosign-based keyless signature check accepted any valid signature.

Signed-off-by: Sascha Grunert
---
 scripts/get | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/scripts/get b/scripts/get
index 7becd50339..963b065da4 100755
--- a/scripts/get
+++ b/scripts/get
@@ -57,6 +57,7 @@ download_binary() {
 if [[ $COMMIT == "" ]]; then
 COMMIT=$(curl_retry $BASE_URL/latest-main.txt)
 fi
+ echo "Using commit $COMMIT"
 
 mkdir -p "$(dirname "$OUTPUT")"
 
@@ -71,9 +72,13 @@ download_binary() {
 curl_retry "$BASE_URL/$COMMIT/$FILE" -o "$FILE"
 done
 
- COSIGN_EXPERIMENTAL=1 cosign verify-blob conmonrs \
- --certificate-identity-regexp '.*' \
- --certificate-oidc-issuer-regexp '.*' \
+ GIT_REF=refs/heads/main
+ cosign verify-blob conmonrs \
+ --certificate-identity https://github.com/saschagrunert/conmon-rs/.github/workflows/ci.yml@$GIT_REF \
+ --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+ --certificate-github-workflow-name ci \
+ --certificate-github-workflow-repository saschagrunert/conmon-rs \
+ --certificate-github-workflow-ref $GIT_REF \
 --signature conmonrs.sig \
 --certificate conmonrs.cert
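Review bot: The new `echo "Using commit $COMMIT"` in the first hunk prints a value that was just fetched from the network (`COMMIT=$(curl_retry $BASE_URL/latest-main.txt)`) and is later spliced into the download path `$BASE_URL/$COMMIT/$FILE`, yet nothing checks that it actually looks like a commit hash, so a corrupted, empty or tampered latest-main.txt can steer the download to an arbitrary path (or log a misleading value) before any signature check runs. Since this commit is about tightening what the script trusts, validating the shape right before the echo is cheap: `[[ $COMMIT =~ ^[0-9a-f]{40}$ ]] || { echo "Invalid commit: $COMMIT" >&2; exit 1; }` (assuming latest-main.txt holds a full SHA; adjust the length otherwise). It would also be worth quoting the fetch URL (`"$BASE_URL/latest-main.txt"`) and sending the status line to stderr (`>&2`) so stdout stays clean for any caller that consumes the script's output. download_binary starts before this hunk and continues past it.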