Update cosign signature check

The check of the cosign-based keyless signature check accepted any valid signature. Signed-off-by: Sascha Grunert <[email protected]>
containers · Apr 5, 2023 · d1c2600 · d1c2600
1 parent 555de7c
commit d1c2600
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/scripts/get b/scripts/get
@@ -57,6 +57,7 @@ download_binary() {
     if [[ $COMMIT == "" ]]; then
         COMMIT=$(curl_retry $BASE_URL/latest-main.txt)
     fi
+    echo "Using commit $COMMIT"
 
     mkdir -p "$(dirname "$OUTPUT")"
 
@@ -71,9 +72,14 @@ download_binary() {
             curl_retry "$BASE_URL/$COMMIT/$FILE" -o "$FILE"
         done
 
-        COSIGN_EXPERIMENTAL=1 cosign verify-blob conmonrs \
-            --certificate-identity-regexp '.*' \
-            --certificate-oidc-issuer-regexp '.*' \
+        ORG=${GITHUB_ACTOR:-containers}
+        GIT_REF=refs/heads/main
+        cosign verify-blob conmonrs \
+            --certificate-identity "https://github.com/$ORG/conmon-rs/.github/workflows/ci.yml@$GIT_REF" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-github-workflow-name ci \
+            --certificate-github-workflow-repository "$ORG/conmon-rs" \
+            --certificate-github-workflow-ref $GIT_REF \
             --signature conmonrs.sig \
             --certificate conmonrs.cert