Sign image builds

[mattmoor]

The images we publish here:

go-containerregistry/cloudbuild.yaml

Lines 26 to 37 in 2874338

	# Use the ko binary to build the crane and gcrane builder images.
	ko publish --platform=all -B github.com/google/go-containerregistry/cmd/crane -t latest -t "$COMMIT_SHA" -t "$TAG_NAME"
	ko publish --platform=all -B github.com/google/go-containerregistry/cmd/gcrane -t latest -t "$COMMIT_SHA" -t "$TAG_NAME"
	# Use the ko binary to build the crane and gcrane builder *debug* images.
	export KO_CONFIG_PATH=./.ko/debug/
	ko publish --platform=all -B github.com/google/go-containerregistry/cmd/crane -t "debug"
	ko publish --platform=all -B github.com/google/go-containerregistry/cmd/gcrane -t "debug"
	# Tag-specific debug images are pushed to gcr.io/go-containerregistry/{g}crane/debug:...
	KO_DOCKER_REPO=gcr.io/$PROJECT_ID/crane/debug ko publish --platform=all --bare github.com/google/go-containerregistry/cmd/crane -t latest -t "$COMMIT_SHA" -t "$TAG_NAME"
	KO_DOCKER_REPO=gcr.io/$PROJECT_ID/gcrane/debug ko publish --platform=all --bare github.com/google/go-containerregistry/cmd/gcrane -t latest -t "$COMMIT_SHA" -t "$TAG_NAME"

... should all be signed with cosign, ideally using the "keyless" flow.

For GCB-based keyless signing we can copy what distroless does here: https://github.com/GoogleContainerTools/distroless/blob/3ecf55603e31c8c01b4da2da8dc34a41757b778c/cloudbuild.yaml#L81-L82

... essentially the GCB SA is used to impersonate [email protected] for the identity challenge. Some IAM needs to be configured, and then things just work 😉

---

I believe @jonjohnsonjr has to do this given the requirement that we futz with the GCP stuff, but @dlorenc or I would be happy to help navigate this.

[developer-guy]

also, we can use GoReleaser to do that 🤩
cross-ref: ko-build/ko#491