Skip to content

cosign invocation API has changed for v3#73

Merged
philpennock merged 1 commit intomainfrom
pdp/unbreak-cosign-v3
Mar 12, 2026
Merged

cosign invocation API has changed for v3#73
philpennock merged 1 commit intomainfrom
pdp/unbreak-cosign-v3

Conversation

@philpennock
Copy link
Contributor

@philpennock philpennock commented Mar 12, 2026

We should look at what our guarantees are around signature verification and switch to keyless signing via OIDC-derived claims in public transparency logs. But not today and not this week. So for now, get cosign sign-blob working almost as it used to, when using a static signing key.

Tested on my laptop with:

export NIGHTLY_SIGNING_KEY_COSIGN="$(cat file_downloaded_from_1password)"
export NIGHTLY_SIGNING_KEY_SSH="$(cat another_file_from_1password)"
export COSIGN_PASSWORD=''
./build-nightlies.sh -rPp 2

which got me working signatures, which I could verify:

cd build/nightly-20260311
cosign verify-blob \
  --key ../../public-keys/nightlies-cosign.pub \
  --signature SHA256SUMS-20260311.txt.cosign.sig \
  SHA256SUMS-20260311.txt

@philpennock
cosign invocation API has changed for v3
0ac7051 
We should look at what our guarantees are around signature verification and
switch to keyless signing via OIDC-derived claims in public transparency logs.
But not today and not this week.  So for now, get `cosign sign-blob` working
almost as it used to, when using a static signing key.

Tested on my laptop with:

    export NIGHTLY_SIGNING_KEY_COSIGN="$(cat file_downloaded_from_1password)"
    export NIGHTLY_SIGNING_KEY_SSH="$(cat another_file_from_1password)"
    export COSIGN_PASSWORD=''
    ./build-nightlies.sh -rPp 2

which got me working signatures, which I could verify:

    cd build/nightly-20260311
    cosign verify-blob \
      --key ../../public-keys/nightlies-cosign.pub \
      --signature SHA256SUMS-20260311.txt.cosign.sig \
      SHA256SUMS-20260311.txt
@philpennock philpennock requested a review from wallyqs March 12, 2026 00:00
@philpennock philpennock enabled auto-merge March 12, 2026 00:02
@philpennock philpennock added this pull request to the merge queue Mar 12, 2026
Merged via the queue into main with commit c59515a Mar 12, 2026
2 of 3 checks passed
@philpennock philpennock deleted the pdp/unbreak-cosign-v3 branch March 12, 2026 00:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wallyqs wallyqs wallyqs approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@philpennock @wallyqs