
Conversation

@morri-son
Contributor

@morri-son morri-son commented Dec 5, 2025

On-behalf-of: Gerald Morrison (SAP) [email protected]

What this PR does / why we need it

Breaking Change:
Fixes current content of the Cosign bundle by replacing the raw public key with the expected short-lived Fulcio certificate. This will change the signature of signed components.

At the same time we upgrade all Sigstore Cosign dependencies from v2 to v3. To be backwards-compatible we introduce a new signing algorithm sigstore-v3. Existing OCM components signed with the sigstore algorithm can still be validated.

Due to changes in cosign v3, existing CI setups using ocm sign cv on GitHub workflows require SIGSTORE_ID_TOKEN to be set explicitly in the environment.

Potentially CI/CD Migration for GitHub workflows required

Breaking Change:
Cosign v3 requires SIGSTORE_ID_TOKEN environment variable to be explicitly set in CI using GH workflows as no OIDC token is auto-magically retrieved when SIGSTORE_ID_TOKEN is not set. In v2 when no token was available, GH workflows automatically requested an OIDC token and injected it. In other CI environments the token always had to be requested, so no change required there.

Typical CI error without SIGSTORE_ID_TOKEN configuration:

  • getting ID token: executing OIDC flow: failed to start browser

Required Actions:

GitHub Actions:

```yaml
# inside the job that runs ocm sign cv
permissions:
  id-token: write   # required for the OIDC token request below
  contents: read
steps:
  - run: |
      TOKEN=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
        "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r .value)
      echo "SIGSTORE_ID_TOKEN=$TOKEN" >> "$GITHUB_ENV"
  - run: ocm sign cv --algorithm sigstore-v3 --keyless ...
```

Resources
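The token step above, as an added shell example that is not part of this PR or of the ocm project: it requests the GitHub OIDC token for the audience sigstore without depending on jq and, before the signing step runs, checks that the value in SIGSTORE_ID_TOKEN is a JWT whose aud claim is sigstore, so a missing or wrong token fails the job with a specific message rather than the generic "failed to start browser" error that cosign v3 reports. The function names, the sed-based claim extraction (string-valued aud only, which is what GitHub issues for this request) and the constructed, unsigned sample tokens used for the offline demonstration are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not ocm project code): preflight for the SIGSTORE_ID_TOKEN
# that cosign v3 expects in GitHub workflows.
set -eu

# Encode one string as base64url without padding (what a JWT segment looks like).
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'
}

# Decode one base64url JWT segment, re-adding the padding that JWTs strip.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Return 0 when $1 is a JWT whose "aud" claim is "sigstore", 1 otherwise,
# with a message on stderr saying which check failed. Uses sed only, so it
# runs in a minimal runner image without jq.
check_sigstore_token() {
  tok=$1
  case $tok in
    *.*.*) ;;
    *) echo "SIGSTORE_ID_TOKEN is not a JWT (expected header.payload.signature)" >&2
       return 1 ;;
  esac
  payload=$(b64url_decode "$(printf '%s' "$tok" | cut -d. -f2)")
  aud=$(printf '%s' "$payload" | sed -n 's/.*"aud"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  if [ "$aud" != "sigstore" ]; then
    echo "SIGSTORE_ID_TOKEN audience is '${aud:-<none>}', expected 'sigstore'" >&2
    return 1
  fi
  return 0
}

# In a GitHub Actions step with `id-token: write`: request the OIDC token for
# audience "sigstore" and print it. The caller appends it to $GITHUB_ENV as
# SIGSTORE_ID_TOKEN for the following `ocm sign cv` step. Not used offline.
fetch_sigstore_token() {
  : "${ACTIONS_ID_TOKEN_REQUEST_URL:?only set when the job grants id-token: write}"
  : "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:?only set when the job grants id-token: write}"
  resp=$(curl -sSf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
    "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=sigstore")
  # the response is {"value":"<jwt>"}; extract the string field without jq
  printf '%s' "$resp" | sed -n 's/.*"value"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Constructed sample token for offline use: header and payload only, with a
# dummy signature segment. A real token comes from fetch_sigstore_token.
make_sample_token() {
  header=$(b64url_encode '{"alg":"none"}')
  payload=$(b64url_encode "{\"aud\":\"$1\",\"iss\":\"https://token.actions.githubusercontent.com\"}")
  printf '%s.%s.%s' "$header" "$payload" "unsigned"
}

# Offline demonstration: the first token passes, the second is rejected before
# any signing step would run.
for aud in sigstore api://AzureADTokenExchange; do
  if check_sigstore_token "$(make_sample_token "$aud")"; then
    echo "aud=$aud: accepted"
  else
    echo "aud=$aud: rejected (fail the job here, before ocm sign cv)"
  fi
done
```

In a workflow, the two functions replace the inline curl/jq step: `TOKEN=$(fetch_sigstore_token)`, then `check_sigstore_token "$TOKEN"` and only then `echo "SIGSTORE_ID_TOKEN=$TOKEN" >> "$GITHUB_ENV"`. Checking the audience matters because a token requested for a different audience is syntactically valid but is not accepted by Fulcio, and the resulting failure in cosign v3 is much harder to read than this preflight message.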

@morri-son morri-son requested a review from a team as a code owner December 5, 2025 15:36
@morri-son morri-son added the kind/chore chore, maintenance, etc. label Dec 5, 2025
@github-actions github-actions bot added kind/dependency dependency update, etc. size/s Small labels Dec 5, 2025
@morri-son morri-son changed the title chore: Upgrade Sigstore from v2.6.1 to v3.0.2 chore: Upgrade Sigstore Cosign from v2.6.1 to v3.0.2 Dec 7, 2025
morri-son pushed a commit to morri-son/ocm that referenced this pull request Dec 7, 2025
Comprehensive documentation of the Sigstore v2 to v3 upgrade compatibility testing.

Includes:
- Pre-signed test component details and creation process
- Automated verification workflow explanation
- Test matrix covering all 4 verification combinations
- Technical details of the upgrade
- Relationship to other PRs (sigstore/sigstore bump)
- Conclusions and recommendations

This documentation serves as proof of compatibility for PR open-component-model#1726.

On-behalf-of: Gerald Morrison (SAP) <[email protected]>
Signed-off-by: Gerald Morrison (SAP) <[email protected]>
@morri-son morri-son force-pushed the feat/upgrade-sigstore-v3 branch from dae2fbd to 5ab3744 January 7, 2026 15:21
@github-actions github-actions bot added the size/xs Extra small label Jan 7, 2026
@morri-son morri-son marked this pull request as draft January 8, 2026 07:54
@morri-son morri-son removed the kind/chore chore, maintenance, etc. label Jan 8, 2026
@morri-son morri-son changed the title chore: Upgrade Sigstore Cosign from v2.6.1 to v3.0.2 fix!: use Fulcio certificate instead of public key and upgrade Sigstore Cosign from v2.6.1 to v3.0.2 Jan 8, 2026
@github-actions github-actions bot added !BREAKING-CHANGE! Breaking change in API or ocm-cli or spec kind/bugfix Bug labels Jan 8, 2026
@morri-son morri-son changed the title fix!: use Fulcio certificate instead of public key and upgrade Sigstore Cosign from v2.6.1 to v3.0.2 fix!: use Fulcio certificate instead of public key and upgrade Sigstore Cosign from v2 to v3 Jan 8, 2026
@github-actions github-actions bot added the size/l Large label Jan 9, 2026
Upgrade all Sigstore dependencies from v2 to v3.

- Updated imports from cosign/v2 to cosign/v3:
  - github.com/sigstore/cosign/v3/cmd/cosign/cli/fulcio
  - github.com/sigstore/cosign/v3/cmd/cosign/cli/options
  - github.com/sigstore/cosign/v3/pkg/cosign

- Updated import from cosign/v2 to cosign/v3:
  - github.com/sigstore/cosign/v3/pkg/providers/all

- Removed: github.com/sigstore/cosign/v2 v2.6.1
- Added: github.com/sigstore/cosign/v3 v3.0.2

Checked entire codebase for v2 references:
```bash
grep -r "sigstore/cosign/v2" --include="*.go" --include="go.mod" --include="go.sum" .
```

This upgrade maintains signature compatibility:
- v3 can verify signatures created with v2 (backward compatible)
- v2 can verify signatures created with v3 (forward compatible)

Verified by compatibility test workflow using pre-signed components.

On-behalf-of: Gerald Morrison (SAP) <[email protected]>
Signed-off-by: Gerald Morrison (SAP) <[email protected]>
@morri-son morri-son force-pushed the feat/upgrade-sigstore-v3 branch from 0f280ff to 9ae5880 January 9, 2026 19:43
@github-actions github-actions bot added the area/documentation Documentation related label Jan 9, 2026

Development

Successfully merging this pull request may close these issues.

Keyless signing flow uses public key instead of Fulcio certificate in publicKey.content