Use cosgin instead of gpg to sign scorecard releases

[naveensrinivasan]

Is your feature request related to a problem? Please describe.
The goreleaser right now uses the gpg key to sign scorecard releases.

Describe the solution you'd like
Instead, use cosign to sign scorecard GitHub releases (not signing the container)

Keyless signing

Change that to use cosign to sign the blob COSIGN_EXPERIMENTAL=1 cosign sign-blob <FILE> with the above option we don't have to hold the keys and we could use GitHub OIDC to keyless signing https://github.com/lukehinds/testoidc/blob/d36ee33f2b2662ea27034aacd63f2e8ee04b73c3/.github/workflows/keyless-sign.yml#L12

Part of this means moving away from goreleaser. goreleaser supports cosgin but it doesn't provide an option to keyless

Use goreleaser

The other option is to use goreleaser but instead, use cosign keys similar to gpg keys and generate them using something like cosign generate-key-pair github://owner/project and keep the password for cosign as GitHub secret

[naveensrinivasan]

@dlorenc @developer-guy WDTY?

[developer-guy]

thank you for mentioning me @naveensrinivasan, looks yummy 😋. I don't have much knowledge about Keyless Signing but I can help with the use goreleaser option.

[developer-guy]

If you agree to continue with the GoReleaser option, you can assign this issue to me. I would love to do that. 🤩

[developer-guy]

let me share few examples:

• https://goreleaser.com/customization/sign/#signing-with-cosign
• https://github.com/sigstore/cosign/blob/main/.goreleaser.yml#L127
• https://carlosbecker.com/posts/goreleaser-cosign/
• https://blog.ediri.io/build-trust-with-signing-your-cli-binary-and-container

[azeemshaikh38]

Duplicate of #1201.