Enable mistakenly disabled image signing + conform to new cosign version (#563)

MaciejKaras · web-flow · commit 1f94ac396a49 · 2025-11-04T16:04:55.000+01:00
# Summary Image signing was disabled globally by mistake. This change fixes the issue while adjusting to the new cosign version. ## Proof of Work On staging we now successfully signs images -> https://evergreen.mongodb.com/version/6903557435b1f60007ee8cfa?redirect_spruce_users=true ``` [2025/10/30 13:23:52.472] Login Succeeded [2025/10/30 13:23:52.472] INFO 2025-10-30 12:23:52,472 [atomic_pipeline] Signing image [2025/10/30 13:23:52.472] DEBUG 2025-10-30 12:23:52,472 [image_signing] Signing image 268558157000.dkr.ecr.us-east-1.amazonaws.com/staging/mongodb-kubernetes-init-appdb:1.6.0-mk [2025/10/30 13:24:17.675] DEBUG 2025-10-30 12:24:17,675 [image_signing] Signing successful [2025/10/30 13:24:17.675] DEBUG 2025-10-30 12:24:17,675 [image_signing] Verifying signature of 268558157000.dkr.ecr.us-east-1.amazonaws.com/staging/mongodb-kubernetes-init-appdb:1.6.0-mk [2025/10/30 13:24:21.009] DEBUG 2025-10-30 12:24:18,491 [image_signing] Successful verification [2025/10/30 13:24:21.009] Finished command 'subprocess.exec' in function 'pipeline' (step 3 of 3) in 5m3.441945822s. ``` ## Checklist - [ ] Have you linked a jira ticket and/or is the ticket in the title? - [ ] Have you checked whether your jira ticket required DOCSP changes? - [x] Have you added changelog file? - use `skip-changelog` label if not needed - refer to [Changelog files and Release Notes](https://github.com/mongodb/mongodb-kubernetes/blob/master/CONTRIBUTING.md#changelog-files-and-release-notes) section in CONTRIBUTING.md for more details
diff --git a/scripts/release/build/image_signing.py b/scripts/release/build/image_signing.py
@@ -195,6 +195,8 @@ def sign_image(repository: str, tag: str) -> None:
         "sign",
         f"--key={pkcs11_uri}",
         f"--sign-container-identity={image}",
+        f"--use-signing-config=false",
+        f"--new-bundle-format=false",
         f"--tlog-upload=false",
         image_ref,
     ]
diff --git a/scripts/release/pipeline.py b/scripts/release/pipeline.py
@@ -241,7 +241,7 @@ def main():
     parser.add_argument(
         "-s",
         "--sign",
-        action="store_true",
+        action=argparse.BooleanOptionalAction,
         help="If set force image signing. Default is to infer from build scenario.",
     )
     parser.add_argument(

Original file line number	Diff line number	Diff line change
`@@ -195,6 +195,8 @@ def sign_image(repository: str, tag: str) -> None:`
`195`	`195`	`"sign",`
`196`	`196`	`f"--key={pkcs11_uri}",`
`197`	`197`	`f"--sign-container-identity={image}",`
	`198`	`+ f"--use-signing-config=false",`
	`199`	`+ f"--new-bundle-format=false",`
`198`	`200`	`f"--tlog-upload=false",`
`199`	`201`	`image_ref,`
`200`	`202`	`]`
Original file line number	Diff line number	Diff line change
`@@ -241,7 +241,7 @@ def main():`
`241`	`241`	`parser.add_argument(`
`242`	`242`	`"-s",`
`243`	`243`	`"--sign",`
`244`		`- action="store_true",`
	`244`	`+ action=argparse.BooleanOptionalAction,`
`245`	`245`	`help="If set force image signing. Default is to infer from build scenario.",`
`246`	`246`	`)`
`247`	`247`	`parser.add_argument(`