Verify binary signature using cosign

Signed-off-by: Aditya Sirish <aditya@saky.in>

action.yml

@@ -9,6 +9,8 @@ inputs:
 runs:
   using: 'composite'
   steps:
+    - name: Provision cosign
+      uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19
     - shell: bash
       run: |
         #!/bin/bash
@@ -17,6 +19,8 @@ runs:
 
         mkdir -p $HOME/.gittuf
         executable_name="gittuf"
+        cert_name="$executable_name.pem"
+        sig_name="$executable_name.sig"
 
         if [[ ${{ inputs.gittuf-version }} == "main" ]]; then
           GOBIN=$(go env GOPATH)/bin
@@ -63,10 +67,15 @@ runs:
         esac
 
         filename="${filename_prefix}_${filename_suffix}"
-        # cert="${filename}.pem" TODO: verify using cosign
-        # sig="${filename}.sig" TODO: verify using cosign
+        cert="${filename}.pem"
+        sig="${filename}.sig"
 
         curl -sL https://github.com/gittuf/gittuf/releases/download/v${{ inputs.gittuf-version }}/${filename} -o $HOME/.gittuf/$executable_name
+        curl -sL https://github.com/gittuf/gittuf/releases/download/v${{ inputs.gittuf-version }}/${cert} -o $HOME/.gittuf/$cert_name
+        curl -sL https://github.com/gittuf/gittuf/releases/download/v${{ inputs.gittuf-version }}/${sig} -o $HOME/.gittuf/$sig_name
+
+        cosign verify-blob $HOME/.gittuf/$executable_name --certificate $HOME/.gittuf/$cert_name --certificate-identity "https://github.com/gittuf/gittuf/.github/workflows/release.yml@refs/tags/v${{ inputs.gittuf-version }}" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --signature $HOME/.gittuf/$sig_name
+
         chmod +x $HOME/.gittuf/$executable_name
     - if: ${{ runner.os == 'Linux' || runner.os == 'macOS' }}
       run: echo "$HOME/.gittuf" >> $GITHUB_PATH