31 changes: 14 additions & 17 deletions .github/workflows/fulcio-rekor-kind.yaml
Expand Up @@ -73,7 +73,7 @@ jobs:

- uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9

- uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
- uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

- name: Setup Cluster
uses: chainguard-dev/actions/setup-kind@3e8a2a226fad9e1ecbf2d359b8a7697554a4ac6d # v1.5.10
Expand Down Expand Up @@ -143,18 +143,6 @@ jobs:

- name: Get the endpoints on the cluster
run: |
REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}')
echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV

FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV

#FULCIO_GRPC_URL=$(kubectl -n fulcio-system get ksvc fulcio-grpc -ojsonpath='{.status.url}')
#echo "FULCIO_GRPC_URL=$FULCIO_GRPC_URL" >> $GITHUB_ENV

CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV

ISSUER_URL=$(kubectl get ksvc gettoken -ojsonpath='{.status.url}')
echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV
OIDC_TOKEN=`curl -s $ISSUER_URL`
Expand All @@ -165,7 +153,13 @@ jobs:

- name: Sign with cosign from the action using k8s token
run: |
## Once the generated TUF repository contains a signing config, this should be used:
# cosign sign --yes --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}

## work around for now
cosign sign --yes --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}


env:
REKOR_URL: ${{ env.REKOR_URL }}
FULCIO_URL: ${{ env.FULCIO_URL }}
Expand All @@ -174,18 +168,22 @@ jobs:

- name: Verify with cosign from the action using k8s token
run: |
cosign verify --rekor-url "${REKOR_URL}" \
cosign verify \
--allow-insecure-registry "${DEMOIMAGE}" \
--certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \
--certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
env:
REKOR_URL: ${{ env.REKOR_URL }}
DEMOIMAGE: ${{ env.demoimage }}

- name: Sign a blob with signature bundle format
run: |
## Once the generated TUF repository contains a signing config, this should be used:
# cosign sign-blob --yes --new-bundle-format=true --bundle=bundle.json --identity-token $OIDC_TOKEN README.md

# workaround for now
cosign sign-blob --yes --new-bundle-format=true --bundle=bundle.json --rekor-url $REKOR_URL --fulcio-url $FULCIO_URL --identity-token $OIDC_TOKEN README.md


- name: Verify blob with signature bundle format using trusted_root.json
run: |
# remove scheme from TUF_MIRROR if present
Expand All @@ -197,7 +195,6 @@ jobs:
--certificate-identity-regexp="https://kubernetes.io/namespaces/default/serviceaccounts/default" \
--certificate-oidc-issuer-regexp="https://kubernetes.default.svc.cluster.local" \
--bundle=bundle.json --new-bundle-format \
--rekor-url $REKOR_URL \
--trusted-root=$HOME/.sigstore/root/$TUF_MIRROR/targets/trusted_root.json \
README.md
env:
Expand Down Expand Up @@ -225,7 +222,7 @@ jobs:
# ROOT=${PWD}/repository/1.root.json
# REPOSITORY=${PWD}/repository
# ./cosign initialize --root ${ROOT} --mirror file://${REPOSITORY}
# ./cosign verify --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }}
# ./cosign verify --allow-insecure-registry ${{ env.demoimage }}

- name: Checkout TSA for testing.
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
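Review bot: The sign steps in this file still read `${{ env.REKOR_URL }}` and `${{ env.FULCIO_URL }}` (the `cosign sign --yes --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} ...` workaround and the matching `cosign sign-blob ... --rekor-url $REKOR_URL --fulcio-url $FULCIO_URL` line), but the "Get the endpoints on the cluster" hunk deletes the only visible lines that export those two variables to $GITHUB_ENV. If nothing outside this diff now populates them, the unquoted expansions collapse to nothing and cosign would presumably fall back to its default public endpoints (or take the following flag as the URL value) instead of the in-cluster Rekor and Fulcio, so a failing test would point at the wrong cause. Quoting with a required-variable check, `--rekor-url "${REKOR_URL:?}" --fulcio-url "${FULCIO_URL:?}"`, makes the step fail immediately and name the missing variable. test-release.yaml drops its REKOR_URL/FULCIO_URL exports in the same way while its sign step keeps consuming them; the TODO(vaikas) comment there suggests the setup script is expected to expose them, which is worth confirming for both files.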
2 changes: 1 addition & 1 deletion .github/workflows/release.yaml
Expand Up @@ -37,7 +37,7 @@ jobs:
uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9

- name: Install cosign
uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

- name: Install GoReleaser
uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
9 changes: 6 additions & 3 deletions .github/workflows/test-action-tuf.yaml
Expand Up @@ -49,7 +49,7 @@ jobs:

# Install cosign
- name: Install cosign
uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

- name: Set up Go
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
Expand Down Expand Up @@ -82,6 +82,10 @@ jobs:

- name: Sign with cosign from the action using k8s token
run: |
## Once the generated TUF repository contains a signing config, this should be used:
# cosign sign --yes --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}

# workaround for now
cosign sign --yes --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}
env:
REKOR_URL: ${{ env.REKOR_URL }}
Expand All @@ -91,12 +95,11 @@ jobs:

- name: Verify with cosign from the action using k8s token
run: |
cosign verify --rekor-url "${REKOR_URL}" \
cosign verify \
--allow-insecure-registry "${DEMOIMAGE}" \
--certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \
--certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
env:
REKOR_URL: ${{ env.REKOR_URL }}
DEMOIMAGE: ${{ env.demoimage }}

- name: Checkout TSA for testing.
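Review bot: The verify step now runs `cosign verify` without `--rekor-url` while the sign step in the preceding hunk still signs through the in-cluster instances via the `--rekor-url`/`--fulcio-url` workaround, so verification implicitly depends on the TUF trusted root installed earlier carrying the keys of those in-cluster Rekor and Fulcio, and the step body does not say so. A one-line comment above `cosign verify \` would save the next reader a debugging session: `# No --rekor-url: verification uses the TUF trusted root, which must carry the in-cluster Rekor/Fulcio keys`. The same applies to the verify hunks in fulcio-rekor-kind.yaml and test-release.yaml. The workaround comments added above `cosign sign` here and in the other files alternate between `## work around for now` and `# workaround for now` and carry no tracking reference; a single form such as `# TODO(<tracking-issue>): drop --rekor-url/--fulcio-url once the generated TUF repo ships a signing config` would keep them consistent and greppable.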
18 changes: 7 additions & 11 deletions .github/workflows/test-release.yaml
Expand Up @@ -38,7 +38,7 @@ jobs:
steps:
- uses: chainguard-dev/actions/setup-mirror@3e8a2a226fad9e1ecbf2d359b8a7697554a4ac6d # v1.5.10

- uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
- uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

- name: Set up Go
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
Expand Down Expand Up @@ -74,18 +74,10 @@ jobs:
/tmp/setup-scaffolding-from-release.sh --release-version ${RELEASE_VERSION}

# TODO(vaikas): Figure out how these could be exposed by above.
REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}')
FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
FULCIO_GRPC_URL=$(kubectl -n fulcio-system get ksvc fulcio-grpc -ojsonpath='{.status.url}')
CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
TSA_URL=$(kubectl -n tsa-system get ksvc tsa -ojsonpath='{.status.url}')

# Set the endopints
echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV
echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV
echo "FULCIO_GRPC_URL=$FULCIO_GRPC_URL" >> $GITHUB_ENV
echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
echo "TUF_MIRROR=$TUF_MIRROR" >> $GITHUB_ENV
echo "TSA_URL=$TSA_URL" >> $GITHUB_ENV

Expand Down Expand Up @@ -132,7 +124,12 @@ jobs:

- name: Sign with cosign from the action using k8s token
run: |
## Once the generated TUF repository contains a signing config, this should be used:
# cosign sign --yes --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}

# workaround for now
cosign sign --yes --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}

env:
REKOR_URL: ${{ env.REKOR_URL }}
FULCIO_URL: ${{ env.FULCIO_URL }}
Expand All @@ -141,12 +138,11 @@ jobs:

- name: Verify with cosign from the action using k8s token
run: |
cosign verify --rekor-url "${REKOR_URL}" \
cosign verify \
--allow-insecure-registry "${DEMOIMAGE}" \
--certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \
--certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
env:
REKOR_URL: ${{ env.REKOR_URL }}
DEMOIMAGE: ${{ env.demoimage }}

- name: Checkout TSA for testing.
24 changes: 13 additions & 11 deletions .github/workflows/test-setup-sigstore-env.yml
Expand Up @@ -17,36 +17,38 @@ jobs:
persist-credentials: false
- id: setup-sigstore-env
uses: ./actions/setup-sigstore-env
- uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
- uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
with:
cosign-release: main
- name: Create artifact to sign
run: head -c 128 < /dev/urandom > artifact
- name: Run cosign sign-blob
env:
SIGSTORE_CT_LOG_PUBLIC_KEY_FILE: ${{ steps.setup-sigstore-env.outputs.ct-log-key }}
STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_OIDC_URL: ${{ steps.setup-sigstore-env.outputs.oidc-url }}
STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_OIDC_TOKEN: ${{ steps.setup-sigstore-env.outputs.oidc-token }}
OIDC_URL: ${{ steps.setup-sigstore-env.outputs.oidc-url }}
OIDC_TOKEN: ${{ steps.setup-sigstore-env.outputs.oidc-token }}
TRUSTED_ROOT: ${{ steps.setup-sigstore-env.outputs.trusted-root }}
SIGNING_CONFIG: ${{ steps.setup-sigstore-env.outputs.signing-config }}
run: |
echo token:
curl -f ${STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_OIDC_URL}/token
curl -f ${OIDC_URL}/token
cosign sign-blob \
-y \
--bundle=bundle.json \
--new-bundle-format=true \
--rekor-url http://localhost:3000 \
--fulcio-url http://localhost:5555 \
--identity-token ${STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_OIDC_TOKEN} \
--trusted-root ${TRUSTED_ROOT} \
--signing-config ${SIGNING_CONFIG} \
--identity-token ${OIDC_TOKEN} \
artifact
- name: Run cosign verify-blob with trusted root
run: |
cosign verify-blob \
--trusted-root ${STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_TRUSTED_ROOT} \
--trusted-root ${TRUSTED_ROOT} \
--bundle bundle.json \
--new-bundle-format=true \
--certificate-identity foo@bar.com \
--certificate-oidc-issuer ${STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_ISSUER_URL} \
--certificate-oidc-issuer ${ISSUER_URL} \
artifact
env:
STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_TRUSTED_ROOT: ${{ steps.setup-sigstore-env.outputs.trusted-root }}
STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_ISSUER_URL: ${{ steps.setup-sigstore-env.outputs.issuer-url }}
TRUSTED_ROOT: ${{ steps.setup-sigstore-env.outputs.trusted-root }}
ISSUER_URL: ${{ steps.setup-sigstore-env.outputs.issuer-url }}
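Review bot: `curl -f ${OIDC_URL}/token` in the sign-blob step still writes the fetched identity token into the job log (the preceding `echo token:` line shows this is deliberate), so the credential is readable by anyone who can view the run. The token appears to come from the locally set up issuer and is presumably short-lived, but the reachability check works just as well without printing it: `curl -fsS -o /dev/null "${OIDC_URL}/token"`. While these lines are being touched, the `${TRUSTED_ROOT}`, `${SIGNING_CONFIG}` and `${OIDC_TOKEN}` expansions are unquoted; quoting them avoids word-splitting should an action output ever contain whitespace.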