
Commit e87eb65

Update release for cosign v3
Signed-off-by: Andrew Block <andy.block@gmail.com>
1 parent e3e51e9 commit e87eb65

2 files changed

Lines changed: 4 additions & 13 deletions


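--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -41,9 +41,6 @@ jobs:
 
 - name: Setup Cosign
 uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
-with:
-# TODO: update cosign and go-releaser, and adjust go-releaser config
-cosign-release: 'v2.6.2'
 
 - name: Setup QEMU
 uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0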

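--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -150,14 +150,10 @@ sboms:
 signs:
 - cmd: cosign
 artifacts: checksum
-signature: '{{ trimsuffix .Env.artifact ".txt" }}.sig'
-certificate: '{{ trimsuffix .Env.artifact ".txt" }}.pem'
+signature: '{{ trimsuffix .Env.artifact ".txt" }}.sigstore.json'
 args:
 - "sign-blob"
-- "--output-signature"
-- "${signature}"
-- "--output-certificate"
-- "${certificate}"
+- "--bundle=${signature}"
 - "${artifact}"
 output: true
 
@@ -300,13 +296,11 @@ release:
 ```shell
 # Download the checksums file, certificate and signature
 curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-v{{ .Version }}.checksums.txt
-curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-v{{ .Version }}.checksums.pem
-curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-v{{ .Version }}.checksums.sig
+curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-v{{ .Version }}.checksums.sigstore.json
 
 # Verify the checksums file
 cosign verify-blob {{ .ProjectName }}-v{{ .Version }}.checksums.txt \
---certificate {{ .ProjectName }}-v{{ .Version }}.checksums.pem \
---signature {{ .ProjectName }}-v{{ .Version }}.checksums.sig \
+--bundle {{ .ProjectName }}-v{{ .Version }}.checksums.sigstore.json \
 --certificate-identity-regexp=https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }} \
 --certificate-oidc-issuer=https://token.actions.githubusercontent.com
 ```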
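Review bot: The verification snippet in the release-notes hunk still passes `--certificate-identity-regexp=https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }}`, an unanchored pattern that stops at the owner, so it accepts a certificate issued to any workflow in any repository under that owner, and to any owner whose name merely begins with the same string. The identity flags are what bind the bundle's certificate to this project's release job, so the documented command should pin the full identity, for example `--certificate-identity=https://github.com/{{ .Env.GITHUB_REPOSITORY }}/.github/workflows/release.yml@refs/tags/{{ .Tag }}`; this assumes releases are signed from `.github/workflows/release.yml` on a tag push, which the page does not confirm. The comment `# Download the checksums file, certificate and signature` is also stale now that only the checksums file and the `.sigstore.json` bundle are fetched; `# Download the checksums file and its Sigstore bundle` would match the new commands. The `release:` block starts and ends outside the hunk.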
