feat: verify installer downloads with cosign

Author: scop

.github/workflows/post-release.yml

@@ -74,4 +74,5 @@ jobs:
         os: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:
+      - uses: sigstore/cosign-installer@v3
       - run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b "./install-golangci-lint"

.github/workflows/pr-checks.yml

@@ -51,6 +51,7 @@ jobs:
         os: [ubuntu-latest, ubuntu-24.04-arm, macos-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:
+      - uses: sigstore/cosign-installer@v3
       - uses: actions/checkout@v4
       - name: Check installation script
         run: cat ./install.sh | sh -s -- -d -b "./install-golangci-lint"

docs/src/docs/welcome/install.mdx

@@ -54,6 +54,8 @@ wget -O- -nv https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/insta
 golangci-lint --version
 ```
 
+If [`cosign`](https://github.com/sigstore/cosign) is installed, the installer will verify downloads with it. This is highly recommended.
+
 It is advised that you periodically update the version of golangci-lint as the project is under active development and is constantly being improved.
 For any problems with golangci-lint, check out recent [GitHub issues](https://github.com/golangci/golangci-lint/issues) and update if needed.
 
@@ -70,6 +72,8 @@ curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install
 golangci-lint --version
 ```
 
+If [`cosign`](https://github.com/sigstore/cosign) is installed, the installer will verify downloads with it. This is highly recommended.
+
 On Windows, you can run the above commands with Git Bash, which comes with [Git for Windows](https://git-scm.com/download/win).
 
 ### Linux

install.sh

@@ -42,6 +42,7 @@ execute() {
   log_debug "downloading files into ${tmpdir}"
   http_download "${tmpdir}/${TARBALL}" "${TARBALL_URL}"
   http_download "${tmpdir}/${CHECKSUM}" "${CHECKSUM_URL}"
+  cosign_verify "${tmpdir}/${CHECKSUM}"
   hash_sha256_verify "${tmpdir}/${TARBALL}" "${tmpdir}/${CHECKSUM}"
   srcdir="${tmpdir}/${NAME}"
   rm -rf "${srcdir}"
@@ -390,6 +391,20 @@ End of functions from https://github.com/client9/shlib
 ------------------------------------------------------------------------
 EOF
 
+cosign_verify() {
+  if ! is_command cosign; then
+    log_info "cosign is not available, skipping verify"
+    return 0
+  fi
+  checksums=$1
+  http_download "${tmpdir}/${CHECKSUM_COSIGN_BUNDLE}" "${CHECKSUM_COSIGN_BUNDLE_URL}"
+  cosign verify-blob \
+   --bundle="${tmpdir}/${CHECKSUM_COSIGN_BUNDLE}" \
+   --certificate-identity="https://github.com/$PREFIX/.github/workflows/release.yml@refs/tags/$TAG" \
+   --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+   "$checksums"
+}
+
 PROJECT_NAME="golangci-lint"
 OWNER=golangci
 REPO="golangci-lint"
@@ -428,6 +443,8 @@ TARBALL=${NAME}.${FORMAT}
 TARBALL_URL=${GITHUB_DOWNLOAD}/${TAG}/${TARBALL}
 CHECKSUM=${PROJECT_NAME}-${VERSION}-checksums.txt
 CHECKSUM_URL=${GITHUB_DOWNLOAD}/${TAG}/${CHECKSUM}
+CHECKSUM_COSIGN_BUNDLE=${CHECKSUM}.cosign.bundle
+CHECKSUM_COSIGN_BUNDLE_URL=${CHECKSUM_URL}.cosign.bundle
 
 
 execute