@bobcallaway
Member

Summary

Release Note

Documentation

@bobcallaway bobcallaway requested a review from a team as a code owner October 8, 2025 14:37
@bobcallaway bobcallaway requested a review from cpanato October 8, 2025 14:37
@codecov

codecov bot commented Oct 8, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 34.27%. Comparing base (2ef6022) to head (f52ebce).
⚠️ Report is 548 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4448      +/-   ##
==========================================
- Coverage   40.10%   34.27%   -5.83%     
==========================================
  Files         155      218      +63     
  Lines       10044    15647    +5603     
==========================================
+ Hits         4028     5363    +1335     
- Misses       5530     9585    +4055     
- Partials      486      699     +213     


@bobcallaway bobcallaway changed the title from "choose different signature filename for keyless release signatures" to "choose different signature filename for KMS-signed release signatures" Oct 8, 2025
Signed-off-by: Bob Callaway <[email protected]>
Contributor

@haydentherapper haydentherapper left a comment

Can we also link to the format of the bundle, since if a user wants to verify without Cosign they’ll need to know how to interpret that bundle?

@bobcallaway
Member Author

> Can we also link to the format of the bundle, since if a user wants to verify without Cosign they’ll need to know how to interpret that bundle?

Do you have a link?

haydentherapper previously approved these changes Oct 8, 2025
Signed-off-by: Bob Callaway <[email protected]>
@bobcallaway bobcallaway enabled auto-merge (squash) October 10, 2025 17:46
@bobcallaway bobcallaway merged commit 8444969 into sigstore:main Oct 10, 2025
40 of 42 checks passed
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Oct 15, 2025
⚠️ **CAUTION: this is a major update, indicating a breaking change!** ⚠️

This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cosign](https://github.com/sigstore/cosign) | major | `2.6.1` -> `3.0.2` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>sigstore/cosign (cosign)</summary>

### [`v3.0.2`](https://github.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v302)

[Compare Source](sigstore/cosign@v3.0.1...v3.0.2)

v3.0.2 is a functionally equivalent release to v3.0.0 and v3.0.1, with a fix for CI to publish signed releases in the new bundle format.

- Note that the `--bundle` flag specifying an output file to write the Sigstore bundle (which contains all relevant verification material) has moved from optional to required in v3.

#### Changes

- choose different signature filename for KMS-signed release signatures ([#4448](sigstore/cosign#4448))
- Update rekor-tiles version path ([#4450](sigstore/cosign#4450))

### [`v3.0.1`](https://github.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v301)

[Compare Source](sigstore/cosign@v2.6.1...v3.0.1)

v3.0.1 is an equivalent release to v3.0.0, which was never published due to a failure in our CI workflows.

- Note that the `--bundle` flag specifying an output file to write the Sigstore bundle (which contains all relevant verification material) has moved from optional to required in v3.

#### Changes

- update goreleaser config for v3.0.0 release ([#4446](sigstore/cosign#4446))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).