sign with sigstore-go instead of cosign

[spencerschrock]

This is in anticipation of Rekor v2, which will cause problems with the
current way we verify results in the webapp. In order to verify with
sigstore-go in the webapp, we also need the bundle, so send that over
to the webapp.

Configuration was based on sigstore-go's signing example:

https://github.com/sigstore/sigstore-go/blob/b48a7c15af434de768f6db5d729a9aadafab5060/examples/sigstore-go-signing/main.go

As an added benefit, this drops binary size from 111MiB to 69MiB

[spencerschrock]

Testing this was a challenge due to the OIDC/signing aspect of this, so I tested it by uploading a docker image and testing it from GitHub actions using that.

https://github.com/spencerschrock/actions-test/actions/runs/18658202486/job/53207644946
https://github.com/spencerschrock/actions-test/blob/b1f114307a60fc3c8f8681a33d4fb5ec480a396a/.github/workflows/scorecard.yml#L37-L40

You can see the transparency log entry get created correctly:
https://search.sigstore.dev/?logIndex=623495621

And the webapp reject the results because it came from my fork instead of the real scorecard action:

2025/10/20 19:41:43 error sending scorecard results to webapp: http response 400, status: 400 Bad Request, error: {"code":400,"message":"workflow verification failed: workflow verification failed: workflow has no job that calls ossf/scorecard-action, see https://github.com/ossf/scorecard-action#workflow-restrictions for details."}

2025/10/20 19:41:43 retrying in 1s...
2025/10/20 19:41:45 error sending scorecard results to webapp: http response 400, status: 400 Bad Request, error: {"code":400,"message":"workflow verification failed: workflow verification failed: workflow has no job that calls ossf/scorecard-action, see https://github.com/ossf/scorecard-action#workflow-restrictions for details."}

2025/10/20 19:41:45 retrying in 3s...
2025/10/20 19:41:48 error sending scorecard results to webapp: http response 400, status: 400 Bad Request, error: {"code":400,"message":"workflow verification failed: workflow verification failed: workflow has no job that calls ossf/scorecard-action, see https://github.com/ossf/scorecard-action#workflow-restrictions for details."}

2025/10/20 19:41:48 retrying in 10s...
2025/10/20 19:41:58 error processing signature: error sending scorecard results to webapp: http response 400, status: 400 Bad Request, error: {"code":400,"message":"workflow verification failed: workflow verification failed: workflow has no job that calls ossf/scorecard-action, see https://github.com/ossf/scorecard-action#workflow-restrictions for details."}

[spencerschrock]

To help with reviewing, here is a difference between the OIDC I copied over, and the source:

It doesnt need to fulfill the interface, so that functionality was cut, and it hardcodes the audience as sigstore.

1c1
< // Copyright 2025 OpenSSF Authors
---
> //
15,16d14
< //
< // SPDX-License-Identifier: Apache-2.0
18,19c16
< // Package oidc provides functionality to get an OIDC token from github.
< package oidc
---
> package github
28a26,28
> 
>       "github.com/sigstore/cosign/v3/pkg/cosign/env"
>       "github.com/sigstore/cosign/v3/pkg/providers"
32,33c32,35
<       envRequestURL   = "ACTIONS_ID_TOKEN_REQUEST_URL"
<       envRequestToken = "ACTIONS_ID_TOKEN_REQUEST_TOKEN"
---
>       // Deprecated: use `env.VariableGitHubRequestToken` instead
>       RequestTokenEnvKey = env.VariableGitHubRequestToken
>       // Deprecated: use `env.VariableGitHubRequestURL` instead
>       RequestURLEnvKey = env.VariableGitHubRequestURL
36,37c38,59
< func RequestToken(ctx context.Context) (string, error) {
<       url := os.Getenv(envRequestURL) + "&audience=sigstore"
---
> func init() {
>       providers.Register("github-actions", &githubActions{})
> }
> 
> type githubActions struct{}
> 
> var _ providers.Interface = (*githubActions)(nil)
> 
> // Enabled implements providers.Interface
> func (ga *githubActions) Enabled(_ context.Context) bool {
>       if env.Getenv(env.VariableGitHubRequestToken) == "" {
>               return false
>       }
>       if env.Getenv(env.VariableGitHubRequestURL) == "" {
>               return false
>       }
>       return true
> }
> 
> // Provide implements providers.Interface
> func (ga *githubActions) Provide(ctx context.Context, audience string) (string, error) {
>       url := env.Getenv(env.VariableGitHubRequestURL) + "&audience=" + audience
49c71
<               req.Header.Add("Authorization", "bearer "+os.Getenv(envRequestToken))
---
>               req.Header.Add("Authorization", "bearer "+env.Getenv(env.VariableGitHubRequestToken))

[cmurphy]

This looks good to me from a sigstore-go perspective, it matches with the example usage. Glad to see sigstore-go being used instead of cosign for this use case.

[codecov]

Codecov Report

❌ Patch coverage is 7.57576% with 122 lines in your changes missing coverage. Please review.
✅ Project coverage is 23.21%. Comparing base (ee561a8) to head (56d9ebe).
⚠️ Report is 5 commits behind head on main.

Files with missing lines	Patch %	Lines
signing/signing.go	11.36%	78 Missing ⚠️
internal/oidc/oidc.go	0.00%	38 Missing ⚠️
main.go	0.00%	6 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1594      +/-   ##
==========================================
- Coverage   26.32%   23.21%   -3.12%     
==========================================
  Files          13       14       +1     
  Lines         775      866      +91     
==========================================
- Hits          204      201       -3     
- Misses        549      643      +94     
  Partials       22       22              

Files with missing lines	Coverage Δ
main.go	0.00% <0.00%> (ø)
internal/oidc/oidc.go	0.00% <0.00%> (ø)
signing/signing.go	34.83% <11.36%> (-15.56%)	⬇️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.