From ad9a598edd8bb137889dd3f7ee894cae7012a8aa Mon Sep 17 00:00:00 2001
From: Jan De Dobbeleer
Date: Thu, 4 Jul 2024 10:20:49 +0200
Subject: [PATCH] chore(build): sign checksums with openssl

---
 .github/workflows/release.yml | 15 +++++----------
 .gitignore                    |  1 +
 cosign.pub                    |  4 ----
 src/.goreleaser.yml           |  7 ++++---
 4 files changed, 10 insertions(+), 17 deletions(-)
 delete mode 100644 cosign.pub

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2bede054..c23e9cb3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -34,7 +34,7 @@ jobs:
     if: ${{ needs.changelog.outputs.skipped == 'false' }}
     runs-on: ubuntu-latest
     env:
-      COSIGN_KEY_LOCATION: "/tmp/cosign.key"
+      SIGNING_KEY_LOCATION: "/tmp/private_key.pem"
     defaults:
       run:
         shell: pwsh
@@ -49,25 +49,19 @@ jobs:
           git config --global user.name "GitHub Actions"
           git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git tag ${{ needs.changelog.outputs.tag }}
-      - name: Install cosign 🔑
-        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20
-        with:
-          cosign-release: 'v1.4.0'
       - name: Private Key 🔐
         run: |
           $PSDefaultParameterValues['Out-File:Encoding']='UTF8'
-          $env:COSIGN_KEY > $env:COSIGN_KEY_LOCATION
+          $env:SIGNING_KEY > $env:SIGNING_KEY_LOCATION
         env:
-          COSIGN_KEY: ${{secrets.COSIGN_KEY}}
+          SIGNING_KEY: ${{secrets.SIGNING_KEY}}
       - name: Run GoReleaser 🚀
         uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200
         with:
           distribution: goreleaser
           version: latest
-          args: build --clean
+          args: release --clean --skip publish
           workdir: src
-        env:
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
       - name: Zip theme files 🤐
         run: |
           $compress = @{
@@ -94,3 +88,4 @@ jobs:
           files: |
             src/dist/posh-*
             src/dist/themes.*
+            src/dist/checksums.txt
diff --git a/.gitignore b/.gitignore
index 7fdd9fb2..4bbce7be 100644
--- a/.gitignore
+++ b/.gitignore
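Review bot: The Private Key step writes the PEM secret to `/tmp/private_key.pem` and no step in this job deletes it afterwards, so the key file outlives the GoReleaser run on the runner; a closing step `- name: Remove private key`, `if: always()`, `run: Remove-Item -Force $env:SIGNING_KEY_LOCATION` would bound its lifetime to the signing work. The removed `COSIGN_PASSWORD` env has no openssl counterpart in the new signs args (no `-passin` is passed), so `SIGNING_KEY` must hold an unencrypted key; that is worth stating on the step, e.g. `# SIGNING_KEY: unencrypted PEM private key consumed by the openssl signs hook in src/.goreleaser.yml`. The Zip theme files step's `run:` body continues outside the hunk.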
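Review bot: The added `src/dist/checksums.txt` entry uploads the checksum file but not the signature the new signs hook writes beside it: with `-out ${artifact}.sig` the output is `src/dist/checksums.txt.sig`, which none of the three patterns under `files:` match, so the published checksums cannot be verified unless a step outside this hunk attaches the signature. Add a fourth entry, `src/dist/checksums.txt.sig`, under the new line. The `files:` block belongs to a release step whose `name`/`uses` lines are outside the hunk.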
@@ -2,6 +2,7 @@ .fleet/ src/test/umbraco/obj/ +src/keys # Created by https://www.toptal.com/developers/gitignore/api/node,go,visualstudiocode # Edit at https://www.toptal.com/developers/gitignore?templates=node,go,visualstudiocode diff --git a/cosign.pub b/cosign.pub deleted file mode 100644 index 3260c768..00000000 --- a/cosign.pub +++ /dev/null @@ -1,4 +0,0 @@ ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnLQ9sj71/ignxPXEa072vezEZf5D -X1fO3KuoFCtzYTLc/c3rwVGtIdzc02qUoXABysJ0Ok8lsmWvwKvC7yWblg== ------END PUBLIC KEY----- diff --git a/src/.goreleaser.yml b/src/.goreleaser.yml index 370573b1..a34713e7 100644 --- a/src/.goreleaser.yml +++ b/src/.goreleaser.yml @@ -37,14 +37,15 @@ builds: goarch: arm - goos: windows goarch: arm - hooks: - post: - - sh -c "cosign sign-blob --key $COSIGN_KEY_LOCATION {{ .Path }} > dist/{{ .Name }}.sig" archives: - id: oh-my-posh format: binary name_template: "posh-{{ .Os }}-{{ .Arch }}" checksum: name_template: 'checksums.txt' +signs: + - cmd: openssl + args: [ "dgst", "-sha256", "-sign", "{{ .Env.SIGNING_KEY_LOCATION }}", "-out", "${artifact}.sig", "${artifact}" ] + artifacts: checksum changelog: disable: true
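Review bot: The new `signs:` stanza produces `checksums.txt.sig` with the private half of a key pair, but the commit deletes `cosign.pub` and adds no replacement public key, so consumers have nothing to run `openssl dgst -sha256 -verify` against; either commit the new public key (as `cosign.pub` was) or attach it to the release, and record where in a comment above `signs:`, e.g. `# checksums.txt is signed with openssl; verify with the public key published at <PUBLIC-KEY-LOCATION-TBD>`. As a style point, the `args:` flow sequence is long and has spaces inside the brackets; a block sequence with one `- "dgst"`-style entry per line keeps the line length down and diffs cleaner. The `changelog:` mapping at the end of the hunk is unchanged context.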