feat: verify release checksum and cosign signature (#550)

* feat: verify release checksum and cosign signature

Download checksums.txt for the release and verify the SHA-256 of the
downloaded archive against it. When cosign is available in PATH, also
download checksums.txt.sigstore.json and verify the signature against
the goreleaser/goreleaser-pro release workflow identity. Both steps
degrade gracefully (with a warning) when the corresponding artifacts
or tooling are missing.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: use install() for checksum e2e tests

Drop the http-client download helper from verifyChecksum integration
tests; call goreleaser.install() instead so the test exercises the
public API path and avoids duplicating download logic.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

.github/workflows/ci.yml

@@ -79,6 +79,9 @@ jobs:
         distribution:
           - goreleaser
           - goreleaser-pro
+        cosign:
+          - true
+          - false
     steps:
       -
         name: Checkout
@@ -90,6 +93,10 @@ jobs:
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: 1.18
+      -
+        name: Install cosign
+        if: matrix.cosign
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
       -
         name: GoReleaser
         if: ${{ !(github.event_name == 'pull_request' && matrix.distribution == 'goreleaser-pro') }}

__tests__/goreleaser.test.ts

@@ -1,5 +1,8 @@
 import {describe, expect, it} from '@jest/globals';
 import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+import * as io from '@actions/io';
 import * as goreleaser from '../src/goreleaser';
 
 describe('install', () => {
@@ -53,3 +56,92 @@ describe('distribSuffix', () => {
     expect(goreleaser.distribSuffix('goreleaser')).toEqual('');
   });
 });
+
+describe('findChecksum', () => {
+  const sample = [
+    '*malformed-line',
+    '',
+    'abc123  goreleaser_Linux_x86_64.tar.gz',
+    'def456 *goreleaser_Darwin_all.tar.gz',
+    '789xyz  checksums.txt'
+  ].join('\n');
+
+  it('finds a checksum by filename', () => {
+    expect(goreleaser.findChecksum(sample, 'goreleaser_Linux_x86_64.tar.gz')).toEqual('abc123');
+  });
+
+  it('strips a leading asterisk on the filename (binary mode)', () => {
+    expect(goreleaser.findChecksum(sample, 'goreleaser_Darwin_all.tar.gz')).toEqual('def456');
+  });
+
+  it('returns undefined when not present', () => {
+    expect(goreleaser.findChecksum(sample, 'missing.tar.gz')).toBeUndefined();
+  });
+});
+
+describe('getCertificateIdentity', () => {
+  it('returns the OSS workflow identity for tagged releases', () => {
+    expect(goreleaser.getCertificateIdentity('goreleaser', 'v2.15.3')).toEqual(
+      'https://github.com/goreleaser/goreleaser/.github/workflows/release.yml@refs/tags/v2.15.3'
+    );
+  });
+
+  it('returns the Pro internal workflow identity for tagged releases', () => {
+    expect(goreleaser.getCertificateIdentity('goreleaser-pro', 'v2.15.3')).toEqual(
+      'https://github.com/goreleaser/goreleaser-pro-internal/.github/workflows/release-pro.yml@refs/tags/v2.15.3'
+    );
+  });
+
+  it('uses nightly-oss.yml@refs/heads/main for OSS nightly', () => {
+    expect(goreleaser.getCertificateIdentity('goreleaser', 'nightly')).toEqual(
+      'https://github.com/goreleaser/goreleaser/.github/workflows/nightly-oss.yml@refs/heads/main'
+    );
+  });
+
+  it('uses nightly-pro.yml@refs/heads/main for Pro nightly', () => {
+    expect(goreleaser.getCertificateIdentity('goreleaser-pro', 'nightly')).toEqual(
+      'https://github.com/goreleaser/goreleaser-pro-internal/.github/workflows/nightly-pro.yml@refs/heads/main'
+    );
+  });
+});
+
+describe('verifyChecksum', () => {
+  const requireCosign = async (): Promise<void> => {
+    const cosign = await io.which('cosign', false);
+    if (!cosign) {
+      throw new Error(
+        'cosign must be installed in PATH to run this integration test (apk add cosign / sigstore/cosign-installer)'
+      );
+    }
+  };
+
+  it('verifies a tagged OSS release end-to-end with cosign', async () => {
+    await requireCosign();
+    const bin = await goreleaser.install('goreleaser', 'v2.15.3');
+    expect(fs.existsSync(bin)).toBe(true);
+  }, 120000);
+
+  it('verifies the OSS nightly release end-to-end with cosign', async () => {
+    await requireCosign();
+    const bin = await goreleaser.install('goreleaser', 'nightly');
+    expect(fs.existsSync(bin)).toBe(true);
+  }, 120000);
+
+  it('throws on checksum mismatch', async () => {
+    const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'gha-'));
+    const archive = path.join(dir, 'fake.tar.gz');
+    fs.writeFileSync(archive, 'tampered content');
+    await expect(
+      goreleaser.verifyChecksum('goreleaser', 'v2.15.3', archive, 'goreleaser_Linux_x86_64.tar.gz')
+    ).rejects.toThrow(/Checksum mismatch/);
+  }, 60000);
+
+  it('throws when the filename is not in checksums.txt', async () => {
+    const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'gha-'));
+    const archive = path.join(dir, 'whatever.tar.gz');
+    fs.writeFileSync(archive, '');
+    await expect(
+      goreleaser.verifyChecksum('goreleaser', 'v2.15.3', archive, 'not-a-real-asset.tar.gz')
+    ).rejects.toThrow(/Could not find not-a-real-asset.tar.gz in checksums.txt/);
+  }, 60000);
+});

dev.Dockerfile

@@ -61,6 +61,7 @@ RUN --mount=type=bind,target=.,rw \
   npm run lint
 
 FROM deps AS test
+RUN apk add --no-cache cosign
 ENV RUNNER_TEMP=/tmp/github_runner
 ENV RUNNER_TOOL_CACHE=/tmp/github_tool_cache
 RUN --mount=type=bind,target=.,rw \

src/goreleaser.ts

@@ -1,26 +1,26 @@
+import * as crypto from 'crypto';
 import * as fs from 'fs';
 import * as path from 'path';
-import * as util from 'util';
 import yaml from 'js-yaml';
 import * as context from './context';
 import * as github from './github';
 import * as core from '@actions/core';
+import * as exec from '@actions/exec';
+import * as io from '@actions/io';
 import * as tc from '@actions/tool-cache';
 
 export async function install(distribution: string, version: string): Promise<string> {
   const release: github.GitHubRelease = await github.getRelease(distribution, version);
   const filename = getFilename(distribution);
-  const downloadUrl = util.format(
+  const baseUrl = `https://github.com/goreleaser/${distribution}/releases/download/${release.tag_name}`;
-    'https://github.com/goreleaser/%s/releases/download/%s/%s',
+  const downloadUrl = `${baseUrl}/${filename}`;
-    distribution,
-    release.tag_name,
-    filename
-  );
 
   core.info(`Downloading ${downloadUrl}`);
   const downloadPath: string = await tc.downloadTool(downloadUrl);
   core.debug(`Downloaded to ${downloadPath}`);
 
+  await verifyChecksum(distribution, release.tag_name, downloadPath, filename);
+
   core.info('Extracting GoReleaser');
   let extPath: string;
   if (context.osPlat == 'win32') {
@@ -45,6 +45,92 @@ export async function install(distribution: string, version: string): Promise<st
   return exePath;
 }
 
+export async function verifyChecksum(
+  distribution: string,
+  tag: string,
+  archivePath: string,
+  filename: string
+): Promise<void> {
+  const baseUrl = `https://github.com/goreleaser/${distribution}/releases/download/${tag}`;
+  let checksumsPath: string;
+  try {
+    core.info(`Downloading ${baseUrl}/checksums.txt`);
+    checksumsPath = await tc.downloadTool(`${baseUrl}/checksums.txt`);
+  } catch (e) {
+    core.warning(`Skipping checksum verification: unable to download checksums.txt: ${e.message}`);
+    return;
+  }
+
+  const sha256 = crypto.createHash('sha256').update(fs.readFileSync(archivePath)).digest('hex');
+  const expected = findChecksum(fs.readFileSync(checksumsPath, 'utf8'), filename);
+  if (!expected) {
+    throw new Error(`Could not find ${filename} in checksums.txt`);
+  }
+  if (expected.toLowerCase() !== sha256.toLowerCase()) {
+    throw new Error(`Checksum mismatch for ${filename}: expected ${expected}, got ${sha256}`);
+  }
+  core.info(`Checksum verified for ${filename}`);
+
+  await verifyCosignSignature(distribution, tag, baseUrl, checksumsPath);
+}
+
+export const findChecksum = (checksumsContent: string, filename: string): string | undefined => {
+  const match = checksumsContent
+    .split('\n')
+    .map(line => line.trim().split(/\s+/))
+    .find(parts => parts.length >= 2 && parts[1].replace(/^[*]/, '') === filename);
+  return match ? match[0] : undefined;
+};
+
+async function verifyCosignSignature(
+  distribution: string,
+  tag: string,
+  baseUrl: string,
+  checksumsPath: string
+): Promise<void> {
+  const cosign = await io.which('cosign', false);
+  if (!cosign) {
+    core.info('cosign not found in PATH, skipping signature verification');
+    return;
+  }
+
+  let bundlePath: string;
+  try {
+    core.info(`Downloading ${baseUrl}/checksums.txt.sigstore.json`);
+    bundlePath = await tc.downloadTool(`${baseUrl}/checksums.txt.sigstore.json`);
+  } catch (e) {
+    core.warning(`Skipping cosign signature verification: unable to download sigstore bundle: ${e.message}`);
+    return;
+  }
+
+  const certificateIdentity = getCertificateIdentity(distribution, tag);
+  core.info(`Verifying checksums.txt signature with cosign (identity: ${certificateIdentity})`);
+  await exec.exec(cosign, [
+    'verify-blob',
+    '--certificate-identity',
+    certificateIdentity,
+    '--certificate-oidc-issuer',
+    'https://token.actions.githubusercontent.com',
+    '--bundle',
+    bundlePath,
+    checksumsPath
+  ]);
+  core.info('cosign signature verified');
+}
+
+export const getCertificateIdentity = (distribution: string, tag: string): string => {
+  const pro = isPro(distribution);
+  if (tag === 'nightly') {
+    const workflow = pro ? 'nightly-pro.yml' : 'nightly-oss.yml';
+    const repo = pro ? 'goreleaser-pro-internal' : 'goreleaser';
+    return `https://github.com/goreleaser/${repo}/.github/workflows/${workflow}@refs/heads/main`;
+  }
+  if (pro) {
+    return `https://github.com/goreleaser/goreleaser-pro-internal/.github/workflows/release-pro.yml@refs/tags/${tag}`;
+  }
+  return `https://github.com/goreleaser/goreleaser/.github/workflows/release.yml@refs/tags/${tag}`;
+};
+
 export const distribSuffix = (distribution: string): string => {
   return isPro(distribution) ? '-pro' : '';
 };
@@ -81,7 +167,7 @@ const getFilename = (distribution: string): string => {
   const platform: string = context.osPlat == 'win32' ? 'Windows' : context.osPlat == 'darwin' ? 'Darwin' : 'Linux';
   const ext: string = context.osPlat == 'win32' ? 'zip' : 'tar.gz';
   const suffix: string = distribSuffix(distribution);
-  return util.format('goreleaser%s_%s_%s.%s', suffix, platform, arch, ext);
+  return `goreleaser${suffix}_${platform}_${arch}.${ext}`;
 };
 
 export async function getDistPath(yamlfile: string): Promise<string> {