Signature verification added for kapp-controller artifacts

[rcmadhankumar]

What this PR does / why we need it:

Added signature verification for Kapp-controller's release artifacts.

Which issue(s) this PR fixes:

Fixes #1341 #1343

Does this PR introduce a user-facing change?

NONE

Additional Notes for your reviewer:

Release notes will looks like this:

Installation and signature verification

Installation of kctrl

By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

# Download the binary
curl -LO https://github.com/rcmadhankumar/kapp-controller/releases/download/v0.0.1/kctrl-linux-amd64
# Move the binary in to your PATH
mv kctrl-linux-amd64 /usr/local/bin/kctrl
# Make the binary executable
chmod +x /usr/local/bin/kctrl

Via Homebrew (macOS or Linux)

$ brew tap carvel-dev/carvel
$ brew install kctrl
$ kctrl version

Verify checksums file signature

Install cosign on your system https://docs.sigstore.dev/system_config/installation/

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

# Download the checksums file, certificate, and signature
curl -LO https://github.com/rcmadhankumar/kapp-controller/releases/download/v0.0.1/checksums.txt
curl -LO https://github.com/rcmadhankumar/kapp-controller/releases/download/v0.0.1/checksums.txt.pem
curl -LO https://github.com/rcmadhankumar/kapp-controller/releases/download/v0.0.1/checksums.txt.sig

### Verify the checksums file
cosign verify-blob checksums.txt --certificate checksums.txt.pem --signature checksums.txt.sig --certificate-identity-regexp=https://github.com/rcmadhankumar --certificate-oidc-issuer=https://token.actions.githubusercontent.com 

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature. For instance, if you are using Linux on an AMD64 architecture:

# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

Installation of kapp-controller

kapp-controller can be installed by using kapp

kapp deploy -a kc -f https://github.com/carvel-dev/kapp-controller/releases/v0.0.1/download/release.yml

or by using kubectl

kubectl deploy -f https://github.com/carvel-dev/kapp-controller/releases/v0.0.1/download/release.yml

Container Images

Kapp-controller and Kapp-controller-package-bundle images are available in Github Container Registry.

OCI Image URLs

• ghcr.io/rcmadhankumar/kapp-controller@sha256:e8004f14f25cb2cc4687f1c342837f4f394a3d73d72d37ba278d8737fa90d6d7
• ghcr.io/rcmadhankumar/kapp-controller-package-bundle@sha256:b6e022201a8f73fa9ea47cd6fa58727bd574d6a88a5532918129fc04d9428995

Verify container image signature

The container images are signed using Cosign with GitHub OIDC. To validate the signature of OCI images, run the following commands:

# Verifying kapp-controller image
cosign verify ghcr.io/rcmadhankumar/kapp-controller@sha256:e8004f14f25cb2cc4687f1c342837f4f394a3d73d72d37ba278d8737fa90d6d7 --certificate-identity-regexp=https://github.com/rcmadhankumar --certificate-oidc-issuer=https://token.actions.githubusercontent.com -o text

# Verifying kapp-controller-package-bundle image
cosign verify ghcr.io/rcmadhankumar/kapp-controller-package-bundle@sha256:b6e022201a8f73fa9ea47cd6fa58727bd574d6a88a5532918129fc04d9428995 --certificate-identity-regexp=https://github.com/rcmadhankumar --certificate-oidc-issuer=https://token.actions.githubusercontent.com -o text

📂 Files Checksum

5a0ed07054c8428f6609503fdbd55247b0d4ad7e7144ed859b2497380016fc8c  ./release.yml
b6556f6c17091d8211a7bab50c3e82c8295caf6df8319c64ded21d80c3bc8e15  ./kctrl-darwin-amd64
ae848f7a977058499e55b1e14a9e896cea768273db3b61f0d0113e89b0b9ee83  ./kctrl-darwin-arm64
6a1873ca050f35bc9476daca193e193810b3d795cd342bae21606840c63a5e21  ./kctrl-linux-amd64
533e03e512107364eadf5aa34e2e07fc4b9447ae30f89796a947183b5aaa2a1b  ./kctrl-linux-arm64
4abc9e17b1c9da9e312f6ea7494a2b497598302251b3d777ae79a2e79ba6c582  ./kctrl-windows-amd64.exe
ae6f53a2e07c66c42752041f2fd15e74038b3bbc654464061356d83a1e01629c  ./package.yml
7a6aa35600459a1797a6f0564ae89954e6da035fe54e19b72c573f5b31938a8c  ./package-metadata.yml

Full Changelog: https://github.com/rcmadhankumar/kapp-controller/commits/v0.0.1

Review Checklist:

• Follows the developer guidelines
• Relevant tests are added or updated
• Relevant docs in this repo added or updated
• Relevant carvel.dev docs added or updated in a separate PR and there's
  a link to that PR
• Code is at least as readable and maintainable as it was before this
  change

Additional documentation e.g., Proposal, usage docs, etc.:

Proposal: https://github.com/carvel-dev/carvel/tree/develop/proposals/carvel/002-artifact-signatures

[praveenrewar]

Overall looks good. Suggested a small change, we can do it later in a separate PR as well.

[praveenrewar]

Do we need these permissions?

[praveenrewar]

Currently we generate a file checksums-formatted.txt in the ``Add to formatted checksum` step, and then use this as the body while creating the draft release. Maybe we should have one common file to aggregate everything and then create a draft release? (We won't have to update the release notes then.)

[rcmadhankumar]

created a new PR and it is merged: #1463