Sign cosign release images against Fulcio

[mattmoor]

Description

I was demoing https://chainguard.dev/posts/2021-11-03-zero-friction-keyless-signing with cosigned enabled, and it didn't let the cosign release container through because it wasn't signed against Fulcio 🤦

We should start signing the images we release against Fulcio as well as with the stuff in KMS.

cc @cpanato @dlorenc

[cpanato]

@mattmoor should we use GitHub actions with a workflow dispatch to run the releases instead of cloudbuild or we should see how to get a token in cloudbuild? what are your thoughts on this?

and if we use keyless do we need to keep signing with KMS as well?

[mattmoor]

Sorry I thought I replied to this earlier. @dlorenc did this in cloudbuild for distroless, so we can continue doing this there with a little help from an admin on that project to set up IAM.

https://github.com/GoogleContainerTools/distroless/blob/b654a39142a2f21119ad5ad8db6fd86eac204550/cloudbuild.yaml#L82

[cpanato]

ok, I think I don't have that permission.

@dlorenc would you mind setting up that and sharing the service account

also to learn that, if you can share the steps to set up that will be great as well, then I can do the same in my rehearsal account to try out

[dlorenc]

Sorry - which project is this again? The GCP project that the cosign release images are hosted inside of?

[dlorenc]

I think we should be good to go with keyless@projectsigstore.iam.gserviceaccount.com now!

[cpanato]

cool thanks
i will do the same in my account to make a rehearsal and then update upstream properly