From d42753a701785dfbffc0ad79bc0d921821c2d080 Mon Sep 17 00:00:00 2001
From: plutoless
Date: Thu, 28 May 2026 09:21:48 -0700
Subject: [PATCH] fix release cosign bundle signing
---
 .goreleaser.yaml | 14 ++++++--------
 CHANGELOG.md | 4 ++++
 docs/install.md | 8 +++-----
 docs/proposals/supply-chain-hardening.md | 3 +--
 4 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 8f21dc2..c9d0a5b 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -61,14 +61,14 @@ sboms:
 # ---------------------------------------------------------------------------
 # Cosign signatures (keyless / OIDC)
-# Signs every checksum file, archive SBOM, and Linux package SBOM with the
-# release workflow's GitHub Actions OIDC token. The resulting transparency
-# log entries are stored in Sigstore Rekor and verifiable with:
+# Signs the checksum file with the release workflow's GitHub Actions OIDC
+# token. The resulting transparency log entry is stored in Sigstore Rekor and
+# verifiable with:
 #
 # cosign verify-blob \
 # --certificate-identity-regexp '^https://github.com/AgoraIO/cli/' \
 # --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
-# --signature .sig --certificate .pem
+# --bundle .sigstore.json
 #
 # Requires `cosign` on the runner and `id-token: write` in release.yml
 # (already granted for npm provenance).
@@ -76,13 +76,11 @@ sboms:
 signs:
 - id: cosign-keyless
 cmd: cosign
- signature: "${artifact}.sig"
- certificate: "${artifact}.pem"
+ signature: "${artifact}.sigstore.json"
 args:
 - "sign-blob"
 - "--yes"
- - "--output-signature=${signature}"
- - "--output-certificate=${certificate}"
+ - "--bundle=${signature}"
 - "${artifact}"
 artifacts: checksum
 output: true
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5c04714..40b436a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
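Review bot: The verification example kept in this comment, `--certificate-identity-regexp '^https://github.com/AgoraIO/cli/'`, accepts a certificate issued to any workflow on any ref of the repository, so a bundle produced by some other workflow that holds `id-token: write` (on a branch or a pull request) would verify just as well as one from a tagged release; only the `--bundle` line changed here, but this example is what readers will copy into CI. The proposal document touched by the same patch already uses the tighter `release.yml@refs/tags/v.*` identity, and the comment should match it: `#     --certificate-identity-regexp '^https://github.com/AgoraIO/cli/\.github/workflows/release\.yml@refs/tags/v' \`. Since which bundle format `sign-blob --bundle` emits and `verify-blob --bundle` accepts depends on the cosign release, I would also add one line naming the minimum cosign version the example was tested against.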
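Review bot: `output: true` is still set in the `cosign-keyless` sign entry while `--bundle=${signature}` now makes cosign write that same `${artifact}.sigstore.json` path itself; as I read GoReleaser's `output` option, it routes the signing command's stdout into the signature file, so if the cosign version on the runner also prints the base64 signature to stdout the bundle is overwritten or interleaved with a bare signature and `verify-blob --bundle` rejects it. Only one writer should own the file: I would delete the `output: true` line and let `--bundle` produce the artifact, which is the form the comment above documents. Given the commit title says bundle signing was broken, a dry-run release that checks the published `checksums.txt.sigstore.json` parses as a bundle and verifies with the documented command would confirm the fix rather than assume it; the `signs` entry ends with this hunk, so nothing else in the stanza is affected.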
@@ -15,6 +15,10 @@ Earlier entries pre-date this convention and only carry their version's compare
 ## [Unreleased]
+### Fixed
+
+- Update GoReleaser Cosign signing to emit `checksums.txt.sigstore.json` with `--bundle`, matching Cosign's current bundle-based signing flow.
+
 ## [0.2.2] - 2026-05-26
 Python quickstart repository URL correction.
diff --git a/docs/install.md b/docs/install.md
index 197b3b3..6e93894 100644
--- a/docs/install.md
+++ b/docs/install.md
@@ -349,17 +349,15 @@ For CI, automation, and reproducible environments, pin `VERSION` explicitly inst
 Every release is signed with [Cosign](https://docs.sigstore.dev/cosign/overview/) using GitHub Actions OIDC (keyless mode) and ships an [SPDX 2.3](https://spdx.dev/) SBOM per archive and per Linux package. To verify the `checksums.txt` file before trusting any artifact:
 ```bash
-TAG=v0.2.1
+TAG=vX.Y.Z
 ASSET_BASE="https://github.com/AgoraIO/cli/releases/download/${TAG}"
 curl -fsSLO "${ASSET_BASE}/checksums.txt"
-curl -fsSLO "${ASSET_BASE}/checksums.txt.sig"
-curl -fsSLO "${ASSET_BASE}/checksums.txt.pem"
+curl -fsSLO "${ASSET_BASE}/checksums.txt.sigstore.json"
 cosign verify-blob \
 --certificate-identity-regexp '^https://github.com/AgoraIO/cli/' \
 --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
- --certificate checksums.txt.pem \
- --signature checksums.txt.sig \
+ --bundle checksums.txt.sigstore.json \
 checksums.txt
 ```
diff --git a/docs/proposals/supply-chain-hardening.md b/docs/proposals/supply-chain-hardening.md
index 8f24ecb..fb0425a 100644
--- a/docs/proposals/supply-chain-hardening.md
+++ b/docs/proposals/supply-chain-hardening.md
@@ -182,8 +182,7 @@ verify_cosign_optional() {
 if command -v cosign >/dev/null 2>&1; then
 say_step "Verifying checksums.txt signature with cosign..."
 cosign verify-blob \
- --certificate "${CHECKSUMS_PATH}.pem" \
- --signature "${CHECKSUMS_PATH}.sig" \
+ --bundle "${CHECKSUMS_PATH}.sigstore.json" \
 --certificate-identity-regexp "https://github.com/AgoraIO/cli/.github/workflows/release.yml@refs/tags/v.*" \
 --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
 "$CHECKSUMS_PATH" >/dev/null