update cosign signing config to support cosign v3 (#2246)

amirejaz · dmjb · web-flow · commit dc27be4b9628 · 2025-11-06T12:31:49.000Z
* add --bundle flag to cosign signing args for v3 compatibility

* revert back to cosign v4

---------

Co-authored-by: Don Browne &lt;dmjb@users.noreply.github.com&gt;
diff --git a/.github/workflows/image-build-and-publish.yml b/.github/workflows/image-build-and-publish.yml
@@ -39,7 +39,7 @@ jobs:
         uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Build and Push Image to GHCR
         env:
@@ -125,7 +125,7 @@ jobs:
 
       - name: Install Cosign
         if: startsWith(github.ref, 'refs/tags/')
-        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Sign container image
         if: startsWith(github.ref, 'refs/tags/')
@@ -193,7 +193,7 @@ jobs:
             maintainer=Stacklok
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Build and Push Image to GHCR
         env:
@@ -386,7 +386,7 @@ jobs:
         uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Build and Push Image to GHCR
         env:
diff --git a/.github/workflows/releaser-helm-charts.yml b/.github/workflows/releaser-helm-charts.yml
@@ -43,7 +43,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Publish and Sign OCI Charts
         run: |
diff --git a/.github/workflows/releaser.yml b/.github/workflows/releaser.yml
@@ -75,7 +75,7 @@ jobs:
         uses: anchore/sbom-action/download-syft@8e94d75ddd33f69f691467e42275782e4bfefe84 # v0.20.9
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Build and Verify Binary Version
         env:
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -106,6 +106,7 @@ signs:
       - "sign-blob"
       - "--output-signature=${signature}"
       - "--output-certificate=${certificate}"
+      - "--bundle=${signature}" # added for cosign v3: required when using --output-signature or --signing-config
       - "${artifact}"
       - "--yes" # needed on cosign 2.0.0+
     artifacts: archive
