chore(deps): upgrade Cosign to v2.2.3 #12850
#12828 Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com>
d43c3dd to d6e63d2
Is there any way to test the release workflow?
Not easily unfortunately -- I mentioned this in #12775 etc. The closest way would be to either run Much of the release workflow runs on
Cosign v2 should also upload the transparency log by default, which was previously experimental (see my comment #12828 (comment))
Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com>
Cherry-picked into
Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com>
Fixes #12828
Motivation
Recently, Sigstore has published a new TUF trust root.
https://sigstore.slack.com/archives/C01DGF0G8U9/p1710871645742299
https://blog.sigstore.dev/tuf-root-update/
A new TUF trust root doesn't support Cosign v1.13.2, so we should upgrade Cosign to v1.13.6 or v2.
Modifications
-y
Without this option, cosign sign and cosign sign-blob don't work in CI.
Verification