Improve security of contrib/install.sh by support validating the binaries with sigstore/cosign or provided checksum

[lhotari]

Description

In the current contrib/install.sh script, the checksum is fetched from the download location:

trivy/contrib/install.sh

Lines 59 to 61 in bda9710

	http_download "${tmpdir}/${TARBALL}" "${TARBALL_URL}"
	http_download "${tmpdir}/${CHECKSUM}" "${CHECKSUM_URL}"
	hash_sha256_verify "${tmpdir}/${TARBALL}" "${tmpdir}/${CHECKSUM}"

I'd like to be able to either use cosign or pass a checksum as an argument to contrib/install.sh to ensure that the binaries don't change. This would help prevent tampering of the binaries.

After this feature has been added to contrib/install.sh, it would be useful to support this in https://github.com/aquasecurity/setup-trivy and https://github.com/aquasecurity/trivy-action. It would prevent modifications to the binaries when using pinned hashes for the actions.

Example of validating with sigstore/cosign:
https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23#:~:text=How%20to%20Verify%20Existing%20Installations

# Download binary and sigstore bundle
curl -sLO "https://github.com/aquasecurity/trivy/releases/download/v0.69.2/trivy_0.69.2_Linux-64bit.tar.gz"
curl -sLO "https://github.com/aquasecurity/trivy/releases/download/v0.69.2/trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json"

# Verify signature
$ cosign verify-blob \
  --certificate-identity-regexp 'https://github\.com/aquasecurity/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json \
  trivy_0.69.2_Linux-64bit.tar.gz
Verified OK

# Check signing timestamp
$ date -u -d @$(jq -r '.verificationMaterial.tlogEntries[].integratedTime' trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json)
Sat Mar  1 19:11:02 UTC 2026
# ✅ Signed on Mar 1, before the attack on Mar 19

Target

None

Scanner

None

[knqyf263]

The checksum-argument part of this proposal is now tracked in #10589. The cosign verification part remains under discussion here.