Update release for cosign v3

sabre1041 · sabre1041 · commit 88aa11989d75 · 2026-03-16T21:33:21.000-05:00
Signed-off-by: Andrew Block &lt;andy.block@gmail.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -40,10 +40,7 @@ jobs:
         uses: anchore/sbom-action/download-syft@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
 
       - name: Setup Cosign
-        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
-        with:
-          # TODO: update cosign and go-releaser, and adjust go-releaser config
-          cosign-release: 'v2.6.2'
+        uses: sigstore/cosign-installer@a7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
 
       - name: Setup QEMU
         uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -150,14 +150,10 @@ sboms:
 signs:
   - cmd: cosign
     artifacts: checksum
-    signature: '{{ trimsuffix .Env.artifact ".txt" }}.sig'
-    certificate: '{{ trimsuffix .Env.artifact ".txt" }}.pem'
+    signature: '{{ trimsuffix .Env.artifact ".txt" }}.sigstore.json'
     args:
       - "sign-blob"
-      - "--output-signature"
-      - "${signature}"
-      - "--output-certificate"
-      - "${certificate}"
+      - "--bundle=${signature}"
       - "${artifact}"
     output: true
 
@@ -300,13 +296,11 @@ release:
     ```shell
     # Download the checksums file, certificate and signature
     curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-v{{ .Version }}.checksums.txt
-    curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-v{{ .Version }}.checksums.pem
-    curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-v{{ .Version }}.checksums.sig
+    curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-v{{ .Version }}.checksums.sigstore.json
 
     # Verify the checksums file
     cosign verify-blob {{ .ProjectName }}-v{{ .Version }}.checksums.txt \
-      --certificate {{ .ProjectName }}-v{{ .Version }}.checksums.pem \
-      --signature {{ .ProjectName }}-v{{ .Version }}.checksums.sig \
+      --bundle {{ .ProjectName }}-v{{ .Version }}.checksums.sigstore.json \
       --certificate-identity-regexp=https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }} \
       --certificate-oidc-issuer=https://token.actions.githubusercontent.com
     ```
