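#!/usr/bin/env bash
# =============================================================================
# Container Image Signing — Cosign + Keyless (Fulcio)
#
# Usage:   $0 IMAGE
#   IMAGE  image reference to sign. Prefer an immutable digest reference
#          (registry/repo@sha256:...) so the signature binds to the exact
#          content rather than to a tag that can later be repointed.
#
# Environment:
#   COSIGN_CERT_IDENTITY     expected signer identity (certificate SAN), e.g.
#                            the CI workflow URL or the signer's e-mail
#   COSIGN_CERT_OIDC_ISSUER  expected OIDC issuer that authenticated the signer
#   SBOM_PATH                SPDX JSON SBOM to attach and attest
#                            (default: ./scan-reports/sbom.spdx.json)
#
# Both certificate variables are required: a keyless "verify" with no identity
# and issuer pin would accept a signature made under any Fulcio-issued cert.
# =============================================================================
set -euo pipefail

IMAGE="${1:?Usage: $0 IMAGE}"
SBOM_PATH="${SBOM_PATH:-./scan-reports/sbom.spdx.json}"
CERT_IDENTITY="${COSIGN_CERT_IDENTITY:?set COSIGN_CERT_IDENTITY to the expected signer identity}"
CERT_OIDC_ISSUER="${COSIGN_CERT_OIDC_ISSUER:?set COSIGN_CERT_OIDC_ISSUER to the expected OIDC issuer}"
readonly IMAGE SBOM_PATH CERT_IDENTITY CERT_OIDC_ISSUER

# cosign 1.x gated the keyless flow behind this variable; it has to be exported
# to reach the cosign process (a bare assignment stays shell-local). cosign 2.x
# ignores it, so exporting is harmless there.
export COSIGN_EXPERIMENTAL=1

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

command -v cosign >/dev/null 2>&1 || die "cosign not found in PATH"
[[ -r "${SBOM_PATH}" ]] || die "SBOM not readable: ${SBOM_PATH}"
if [[ "${IMAGE}" != *@sha256:* ]]; then
  printf 'warning: %s is a tag reference; sign by digest so the signature binds to immutable content\n' "${IMAGE}" >&2
fi

printf '=== Signing %s ===\n' "${IMAGE}"
# Sign with keyless mode (OIDC identity); --yes answers cosign's interactive
# confirmation prompt so the step works unattended in CI.
cosign sign \
  --yes \
  "${IMAGE}"

# Verify against the expected identity and issuer, not merely "some valid cert".
printf 'Verifying signature...\n'
cosign verify \
  --certificate-identity "${CERT_IDENTITY}" \
  --certificate-oidc-issuer "${CERT_OIDC_ISSUER}" \
  "${IMAGE}"

# Attach the SBOM as an OCI artifact. This copy is not signed (and cosign marks
# `attach sbom` deprecated); the signed attestation below is the authoritative one.
printf 'Attaching SBOM...\n'
cosign attach sbom \
  --sbom "${SBOM_PATH}" \
  "${IMAGE}"

# Sign the SBOM as an in-toto attestation so consumers can verify its origin.
cosign attest \
  --yes \
  --predicate "${SBOM_PATH}" \
  --type spdxjson \
  "${IMAGE}"

# Confirm the attestation verifies under the same identity pin as the signature.
printf 'Verifying SBOM attestation...\n'
cosign verify-attestation \
  --type spdxjson \
  --certificate-identity "${CERT_IDENTITY}" \
  --certificate-oidc-issuer "${CERT_OIDC_ISSUER}" \
  "${IMAGE}"

printf '=== Image signed and SBOM attached ===\n'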