From cb308bb4c7d626d76d565ea76f7ef21e5bbd7412 Mon Sep 17 00:00:00 2001 From: shankar0123 Date: Sat, 18 Apr 2026 09:29:20 +0000 Subject: [PATCH] ci(release): migrate cosign sign-blob to --bundle (cosign v3.0) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cosign v3.0 (shipped by default with sigstore/cosign-installer@cad07c2e, release v3.0.5) removed --output-signature and --output-certificate from the sign-blob subcommand. The replacement is a single --bundle flag that emits a unified Sigstore bundle (.sigstore.json) containing the signature, certificate chain, and Rekor inclusion proof in one file. This change migrates both sign-blob invocations in .github/workflows/ release.yml (per-binary matrix signing and aggregate checksums.txt signing), updates the artefact upload paths, the artefact aggregation case filter, the GitHub Release asset list, and the release-notes body verify-blob example. The README cosign verification snippet and sidecar description are also updated to the --bundle / .sigstore.json shape. No cosign version pinning. No legacy fallback. OCI image signing (cosign sign on image digest) is unchanged — only sign-blob flags changed in v3.0. See M-11 in certctl-audit-report.md. Verification gates: - YAML parse: OK - go vet ./...: exit 0 - go build ./...: exit 0 - grep 'cosign sign-blob' release.yml: 2 (expected: 2) - grep '.sigstore.json' release.yml: 9 (expected: >=5) - grep '.sig/.pem' release.yml non-comment: 0 (expected: 0) - README legacy cosign refs: 0 (expected: 0) - docs/ legacy cosign refs: 0 (expected: 0) Coverage: unchanged (CI workflow edit + README — zero Go code touched).
---
.github/workflows/release.yml | 27 +++++++++++++++------------
README.md | 10 ++++++----
2 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ccb7fb9..1d364c2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -79,10 +79,14 @@ jobs:
 OUTPUT_NAME: ${{ steps.build.outputs.output_name }}
 run: |
 set -euo pipefail
+ # Cosign v3.0 (shipped by cosign-installer@v4.1.1 default
+ # cosign-release=v3.0.5) removed --output-signature/--output-certificate
+ # on sign-blob. The replacement is --bundle, which emits a unified
+ # Sigstore bundle (signature + cert chain + Rekor inclusion proof) as
+ # a single .sigstore.json artefact. M-11.
 cosign sign-blob \
 --yes \
- --output-signature "dist/${OUTPUT_NAME}.sig" \
- --output-certificate "dist/${OUTPUT_NAME}.pem" \
+ --bundle "dist/${OUTPUT_NAME}.sigstore.json" \
 "dist/${OUTPUT_NAME}"
 - name: Compute SHA-256 sidecar
@@ -100,8 +104,7 @@ jobs:
 name: binary-${{ steps.build.outputs.output_name }}
 path: |
 dist/${{ steps.build.outputs.output_name }}
- dist/${{ steps.build.outputs.output_name }}.sig
- dist/${{ steps.build.outputs.output_name }}.pem
+ dist/${{ steps.build.outputs.output_name }}.sigstore.json
 dist/${{ steps.build.outputs.output_name }}.sbom.spdx.json
 dist/${{ steps.build.outputs.output_name }}.sha256
 if-no-files-found: error
@@ -138,7 +141,7 @@ jobs:
 : > checksums.txt
 for f in certctl-*; do
 case "$f" in
- *.sig|*.pem|*.sbom.spdx.json|*.sha256|checksums.txt)
+ *.sigstore.json|*.sbom.spdx.json|*.sha256|checksums.txt)
 continue ;;
 esac
 sha256sum "$f" >> checksums.txt
@@ -156,10 +159,11 @@ jobs:
 run: |
 set -euo pipefail
 cd artifacts
+ # Cosign v3.0 --bundle replaces the removed v2 flag pair
+ # --output-signature / --output-certificate. See M-11.
 cosign sign-blob \
 --yes \
- --output-signature checksums.txt.sig \
- --output-certificate checksums.txt.pem \
+ --bundle checksums.txt.sigstore.json \
 checksums.txt
 - name: Upload artefacts to GitHub Release
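Review bot: The new `cosign sign-blob --bundle` call writes `dist/${OUTPUT_NAME}.sigstore.json` but nothing in the hunk reads the bundle back, so a truncated or mis-issued bundle is only discovered when a consumer runs `verify-blob` against the published release; the `checksums.txt.sigstore.json` call in the `@@ -156` hunk has the same gap. Unless a verify step already exists elsewhere in the job (the installer step and the workflow trigger are outside the hunk), a `cosign verify-blob --bundle` self-check using the identity regexp and OIDC issuer the release notes already publish would fail the job before upload; if the job can run on non-tag refs the `refs/tags/` anchor in that regexp would need loosening for the self-check. The comment also hard-codes `cosign-installer@v4.1.1` and `cosign-release=v3.0.5` as the installer default while the commit message says the cosign version is deliberately not pinned; either pin `cosign-release` on the installer step or drop the version numbers from the comment so it does not go stale the next time the installer default moves.
```yaml
          # … unchanged: cosign sign-blob --yes --bundle "dist/${OUTPUT_NAME}.sigstore.json" "dist/${OUTPUT_NAME}" …
          # Fail fast on an unreadable or mis-issued bundle before it is uploaded.
          cosign verify-blob \
            --bundle "dist/${OUTPUT_NAME}.sigstore.json" \
            --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
            --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
            "dist/${OUTPUT_NAME}"
```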
@@ -169,8 +173,7 @@ jobs:
 files: |
 artifacts/certctl-*
 artifacts/checksums.txt
- artifacts/checksums.txt.sig
- artifacts/checksums.txt.pem
+ artifacts/checksums.txt.sigstore.json
 # ----------------------------------------------------------------------
 # provenance-binaries (M-3): SLSA Level 3 provenance for every binary.
@@ -402,15 +405,15 @@ jobs:
 ```bash
 cosign verify-blob \
- --certificate checksums.txt.pem \
- --signature checksums.txt.sig \
+ --bundle checksums.txt.sigstore.json \
 --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
 --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
 checksums.txt
 ```
 Replace `checksums.txt` with any individual binary name to verify that
- artefact directly (each binary ships with its own `.sig` + `.pem` sidecar).
+ artefact directly (each binary ships with its own `.sigstore.json`
+ bundle, e.g. `cosign verify-blob --bundle certctl-agent-linux-amd64.sigstore.json …`).
 **3. Verify SLSA Level 3 provenance (binaries):**
diff --git a/README.md b/README.md
index 4c73ee7..3c91bf8 100644
--- a/README.md
+++ b/README.md
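Review bot: The abbreviated example on the last added line of the `@@ -402` hunk, `cosign verify-blob --bundle certctl-agent-linux-amd64.sigstore.json …`, hides the `--certificate-identity-regexp` and `--certificate-oidc-issuer` flags behind an ellipsis, whereas the full snippet just above shows them as part of the command; as far as I know keyless `verify-blob` refuses to run without an identity and issuer constraint, so a reader who copies the short form gets an error instead of a verified artefact, and a reader who guesses would be tempted to weaken the constraint. Consider wording the parenthetical as `bundle; run the same command with the binary name in place of `checksums.txt` and `--bundle` pointed at its `.sigstore.json`)` so the identity flags are never dropped. This text sits inside the release-notes body block scalar, whose start and end are outside the hunk.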
@@ -260,15 +260,17 @@ sha256sum -c checksums.txt
 ```bash
 cosign verify-blob \
- --certificate checksums.txt.pem \
- --signature checksums.txt.sig \
+ --bundle checksums.txt.sigstore.json \
 --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
 --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
 checksums.txt
 ```
-Every individual binary has its own `.sig` + `.pem` sidecar; swap
-`checksums.txt` for any binary name to verify it directly.
+Every individual binary ships with its own `.sigstore.json` bundle
+(unified Sigstore bundle containing signature, certificate chain, and
+Rekor inclusion proof). Swap `checksums.txt` for any binary name and
+point `--bundle` at the matching `.sigstore.json` to verify it
+directly.
 **3. Verify SLSA Level 3 provenance on a binary:**
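Review bot: The rewritten paragraph starting at `+Every individual binary ships with its own` describes what the bundle contains but never says which cosign version the reader needs to consume it; the commit message attributes the `.sigstore.json` shape to the cosign v3.0 `--bundle` flag, so a verifier running an older cosign may reject the file or need a different flag, and the README leaves them to find that out by trial. One sentence closes the gap, e.g. `Verification requires cosign v3.0 or later, which is the version the release is signed with.` A smaller point: the README and the release-notes body in `release.yml` now carry the same `verify-blob` snippet twice, so the identity regexp and issuer must be kept in step whenever either changes.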