CI: Add an option to attach container signatures to the registry

The `build-push-image.yml` reusable workflow can generate keypairs and
sign the container images with them.

This is only used by the CI, to test that a valid signature is actually
detected as such.

.github/workflows/build-push-image.yml

@@ -29,10 +29,6 @@ on:
     secrets:
       registry_token:
         required: true
-    outputs:
-      image_uri:
-        description: "The published container image location, with the tag and checksum"
-        value: ${{ jobs.merge.outputs.image_uri }}
 
 jobs:
   lint:
@@ -75,7 +71,7 @@ jobs:
 
           echo "debian_archive_date=${DEBIAN_ARCHIVE_DATE}" >> $GITHUB_OUTPUT
           echo "source_date_epoch=${SOURCE_DATE_EPOCH}" >> $GITHUB_OUTPUT
-          echo "tag=${TAG}" >> $GITHUB_OUTPUT
+          echo "tag=${DEBIAN_ARCHIVE_DATE}-${TAG}" >> $GITHUB_OUTPUT
           echo "full_image_name=${FULL_IMAGE_NAME}" >> $GITHUB_OUTPUT
           echo "buildkit_image=${BUILDKIT_IMAGE}" >> $GITHUB_OUTPUT
 
@@ -156,7 +152,6 @@ jobs:
       debian_archive_date: ${{ needs.build.outputs.debian_archive_date }}
       source_date_epoch: ${{ needs.build.outputs.source_date_epoch }}
       image: ${{ needs.build.outputs.image }}
-      image_uri: ${{ inputs.registry }}/${{ inputs.image_name }}:${{ needs.build.outputs.tag }}@${{ steps.image.outputs.digest_root }}"
       tag: ${{ needs.build.outputs.tag }}
       digest_root: ${{ steps.image.outputs.digest_root }}
       digest_amd64: ${{ steps.image.outputs.digest_amd64 }}
@@ -290,16 +285,6 @@ jobs:
           path: "${{ inputs.key_name }}.*"
           key: ${{ inputs.key_cache }}
           enableCrossOsArchive: true
-
-      - name: Login to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ inputs.registry_user }}
-          password: ${{ secrets.registry_token }}
-
       - name: Sign container
         run: |-
-          export IMAGE_URI="${{ needs.merge.image_uri }}"
+          cosign sign --key ${{ inputs.key_name }}.key ${{ inputs.registry }}/${{ inputs.image_name }}:${{ needs.merge.outputs.tag }}@${{ needs.merge.outputs.digest_root }}
-          cosign sign --yes --key=${{ inputs.key_name }}.key "$IMAGE_URI"
-        shell: bash

.github/workflows/ci.yml

@@ -205,17 +205,12 @@ jobs:
         id: date
         run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
 
-      - name: Install Cosign
+      - name: Restore container cache
-        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a
+        uses: actions/cache/restore@v4
         with:
-          cosign-release: 'v2.5.0'
+          key: v5-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }}
-
+          path: share/container.tar
-      - name: Get the container image from the registry
+          fail-on-cache-miss: true
-        run: |-
-          cosign save ${{ needs.build-container-image.outputs.image_uri }} --dir tmp
-          cd tmp
-          tar -cvf ../share/container.tar
-          cd ..
 
       - name: Build Dangerzone .deb
         run: |