Sign the artifacts (binaries/images) using cosign

[cpanato]

Describe the feature

The idea is to sign the release artifacts using cosign when doing the release.
The project is already using GoReleaser and GitHub actions and that makes things easier to implement 😃

I can help to implement this feature if the team decides to move this idea forward.

What problem does this feature address?
How does this benefit users of Mage?
This is an initial step for a more secure release and lets the consumers have the ability to verify the release artifacts.

Additional context

Using the current GoRelease config and we can create a GitHub Actions to make the release and we can sign the binaries/images using a keyless approach and push the signed artifacts all together to the GitHub release.

and thanks for this amazing project I use that in some projects :)

[natefinch]

How does this benefit users of mage over the current published binaries on github and installations available through other systems, like homebrew?

[cpanato]

sorry for the delay @natefinch signing the image/binaries or even the checksums, will make the release a bit safer and downstream users can check if the signature matches with who signed and if the binary/image generated. homebrew does not check signatures right now, but maybe in the future.
This is just a suggestion and if you think that is not useful feel free to close this issue.

[natefinch]

Signing is usually a good thing. I'm all for it, but it's not high on my list :)

[cpanato]

Signing is usually a good thing. I'm all for it, but it's not high on my list :)

I can work on that if you don't mind