From a8ccf0b5b90df09ab16cde61fda91b4597230020 Mon Sep 17 00:00:00 2001
From: Amit Kumar
Date: Wed, 13 May 2026 05:38:25 +0000
Subject: [PATCH] fix(release): cosign v4 bundle format
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

v0.3.0 release run #25779630060 succeeded through the linux builds but failed at the cosign signing step:

Error: signing dist/checksums.sha256: create bundle file: open : no such file or directory

Root cause: cosign v4 deprecated `--output-signature` and `--output-certificate` in favor of a single `--bundle` file (DSSE- style envelope carrying both the cert and the sig). The deprecated flags were silently ignored when the new bundle format was active, leaving the output path unset — hence the empty filename in the error.

Updates `.goreleaser.yml` to emit `.cosign.bundle` and points the verification recipes in README.md and shared/runbooks/release-go.md at the new `--bundle` flag.

Verification command change:
- Before: --certificate .pem --signature .sig
- After: --bundle .cosign.bundle

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .goreleaser.yml | 15 ++++++++-------
 README.md | 3 +--
 shared/runbooks/release-go.md | 5 ++---
 3 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/.goreleaser.yml b/.goreleaser.yml
index 2b37ca1d..092a4f1f 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -98,19 +98,21 @@ sboms: # supplies the OIDC token via `id-token: write`; cosign records the # signature transparency entry in Rekor (public Sigstore log). No # long-lived signing key required. +# +# Cosign v4 deprecated `--output-signature` and `--output-certificate` +# in favor of a single `--bundle` file (DSSE-style). The bundle carries +# both the signature and the cert; users verify with one flag. signs: - id: cosign cmd: cosign args: - sign-blob - '--yes' - - '--output-signature=${signature}' - - '--output-certificate=${certificate}' + - '--bundle=${signature}' - '${artifact}' artifacts: checksum output: true - certificate: '${artifact}.pem' - signature: '${artifact}.sig' + signature: '${artifact}.cosign.bundle' # Homebrew tap publish — opt-in via $HOMEBREW_TAP_GITHUB_TOKEN. When the # env var is empty (forks, dry runs), the upload is skipped so the same @@ -152,10 +154,9 @@ release: # Checksum sha256sum -c checksums.sha256 - # Signature (Sigstore keyless) + # Signature (Sigstore keyless, bundle format) cosign verify-blob \ - --certificate checksums.sha256.pem \ - --signature checksums.sha256.sig \ + --bundle checksums.sha256.cosign.bundle \ --certificate-identity-regexp 'https://github.com/RandomCodeSpace/codeiq/.github/workflows/release-go.yml@.*' \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ checksums.sha256 diff --git a/README.md b/README.md index 656f3a5d..c8bd356e 100644 --- a/README.md +++ b/README.md @@ -57,8 +57,7 @@ Verify (Sigstore keyless): ```bash sha256sum -c checksums.sha256 cosign verify-blob \ - --certificate checksums.sha256.pem \ - --signature checksums.sha256.sig \ + --bundle checksums.sha256.cosign.bundle \ --certificate-identity-regexp 'https://github.com/RandomCodeSpace/codeiq/.github/workflows/release-go.yml@.*' \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ checksums.sha256 diff --git a/shared/runbooks/release-go.md b/shared/runbooks/release-go.md index c8beff86..f0ec7031 100644 
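Review bot: The new comment block at the top of the `signs:` hunk says the bundle "carries both the signature and the cert", but what makes the single-file format worth adopting is that it also embeds the Rekor transparency-log entry, so `verify-blob --bundle` can check log inclusion without a separate `.pem`/`.sig` pair; suggest `# The bundle carries the signature, the short-lived cert and the Rekor log entry, so a single --bundle flag verifies all three.` Calling it "DSSE-style" looks like an assumption — a plain `sign-blob` bundle wraps a hashedrekord signature rather than a DSSE envelope unless a DSSE option is passed, so confirm before the comment asserts it. Since the failure being fixed was a silently ignored deprecated flag, the step that installs cosign in the release workflow (outside this diff) should pin the cosign version so the next flag change fails loudly instead of emitting an empty output path again.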
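Review bot: The release-notes recipe still uses `--certificate-identity-regexp '…/release-go.yml@.*'`, which accepts a signature minted by this workflow file on any ref, not only a release tag; if releases are tag-driven, the tighter match is `--certificate-identity-regexp 'https://github.com/RandomCodeSpace/codeiq/.github/workflows/release-go.yml@refs/tags/v.*'`. The recipe also runs `sha256sum -c checksums.sha256` before the signature on that file is checked, so users act on the checksum list before it is authenticated; listing the `cosign verify-blob` step first matches the intent of "verify both checksum AND signature". Bundle verification presumably needs a cosign client that understands the bundle the signer wrote — older 2.x clients may reject it or need a different flag — so stating the minimum cosign version next to the command would spare end users the same confusion this commit fixes on the CI side.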
--- a/shared/runbooks/release-go.md +++ b/shared/runbooks/release-go.md @@ -54,10 +54,9 @@ End-users should verify both checksum AND signature: # Checksum sha256sum -c checksums.sha256 -# Signature (Sigstore keyless — no key material needed locally) +# Signature (Sigstore keyless, bundle format — no key material needed locally) cosign verify-blob \ - --certificate checksums.sha256.pem \ - --signature checksums.sha256.sig \ + --bundle checksums.sha256.cosign.bundle \ --certificate-identity-regexp 'https://github.com/RandomCodeSpace/codeiq/.github/workflows/release-go.yml@.*' \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ checksums.sha256