Skip to content

fix!: use Fulcio certificate instead of public key and upgrade Sigstore Cosign from v2 to v3 #1726

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jakobmoellerdev merged 19 commits into from
Jan 21, 2026
Merged

fix!: use Fulcio certificate instead of public key and upgrade Sigstore Cosign from v2 to v3 #1726

jakobmoellerdev merged 19 commits into from
Jan 21, 2026

Conversation

@morri-son
Copy link
Contributor

@morri-son morri-son commented Dec 5, 2025
edited
Loading

On-behalf-of: Gerald Morrison (SAP) gerald.morrison@sap.com

This PR introduces two breaking changes:

Breaking change 1: Correct Sigstore bundle content in signatures

OCM now bundles the short‑lived Fulcio certificate instead of just a raw public key into signatures when using keyless signing. To preserve backwards compatibility for existing components, we introduced a new signing algorithm sigstore-v2 and retain the legacy sigstore algorithm:

  • sigstore: Stores only the public key in the Rekor entry. Existing signatures remain verifiable.
  • sigstore-v2: Stores the Fulcio certificate in the Rekor entry, conforming to the Sigstore Bundle spec. Recommended algorithm to be used for new signatures.

OCM CLI Examples

Create a new signature using sigstore-v2:
ocm sign componentversion --signature mysig --algorithm sigstore-v2 --keyless <component-version>

Verify a signature (correct algorithm is determined from signature name mysig)
ocm verify componentversion --signature mysig --keyless <component-version>

Breaking change 2: Cosign v3 changes OIDC token handling in GitHub Actions

GitHub no longer auto‑injects an ID token when SIGSTORE_ID_TOKEN is missing; workflows must explicitly request and export it.

Typical CI error if SIGSTORE_ID_TOKEN is missing:
getting ID token: executing OIDC flow: failed to start browser

Migration on GitHub Actions

Add id-token: write permission and explicitly request an OIDC ID token with audience sigstore, then export it as SIGSTORE_ID_TOKEN prior to any ocm sign componentversion --keyless steps.

Below you find a snippet from an example workflow step that gets an OIDC token and exports it to the GitHub env for further use.

- name: Acquire GitHub OIDC ID token
  shell: bash
  run: |
    TOKEN=$(curl -sSf \
      -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
      "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=sigstore" \
      | jq -r '.value')

    echo "::add-mask::$TOKEN"
    echo "SIGSTORE_ID_TOKEN=$TOKEN" >> "$GITHUB_ENV"

Other CI platforms are not affected

This problem is specific to GitHub Actions. Other CI/CD platforms have always required explicit handling of OIDC tokens and environment variables for Sigstore keyless flows. Therefore, no migration is needed outside GitHub Actions.

Recommended path forward

  • Continue to verify existing sigstore signatures — they remain valid.
  • For new signatures, use sigstore-v2 to ensure Sigstore Bundle compliance.
  • On GitHub Actions, add explicit OIDC token handling and export SIGSTORE_ID_TOKEN as shown above.

References

@morri-son morri-son requested a review from a team as a code owner December 5, 2025 15:36
@morri-son morri-son added the kind/chore chore, maintenance, etc. label Dec 5, 2025
@github-actions github-actions bot added kind/dependency dependency update, etc. size/s Small labels Dec 5, 2025
@morri-son morri-son linked an issue Dec 5, 2025 that may be closed by this pull request
Keyless signing flow uses public key instead of Fulcio certificate in publicKey.content #1535
Closed
3 tasks
@morri-son morri-son mentioned this pull request Dec 5, 2025
Closed
5 tasks
@morri-son morri-son changed the title chore: Upgrade Sigstore from v2.6.1 to v3.0.2 chore: Upgrade Sigstore Cosign from v2.6.1 to v3.0.2 Dec 7, 2025
morri-son pushed a commit to morri-son/ocm that referenced this pull request Dec 7, 2025
@morrison-sap
docs: Add Sigstore v3 upgrade verification documentation
3d51f71 
Comprehensive documentation of the Sigstore v2 to v3 upgrade compatibility testing.

Includes:
- Pre-signed test component details and creation process
- Automated verification workflow explanation
- Test matrix covering all 4 verification combinations
- Technical details of the upgrade
- Relationship to other PRs (sigstore/sigstore bump)
- Conclusions and recommendations

This documentation serves as proof of compatibility for PR open-component-model#1726.

On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
@morri-son morri-son force-pushed the feat/upgrade-sigstore-v3 branch from dae2fbd to 5ab3744 Compare January 7, 2026 15:21
@github-actions github-actions bot added the size/xs Extra small label Jan 7, 2026
@morri-son morri-son marked this pull request as draft January 8, 2026 07:54
@morri-son morri-son removed the kind/chore chore, maintenance, etc. label Jan 8, 2026
@morri-son morri-son changed the title chore: Upgrade Sigstore Cosign from v2.6.1 to v3.0.2 fix!: use Fulcio certificate instead of public key and upgrade Sigstore Cosign from v2.6.1 to v3.0.2 Jan 8, 2026
@github-actions github-actions bot added !BREAKING-CHANGE! Breaking change in API or ocm-cli or spec kind/bugfix Bug labels Jan 8, 2026
@morri-son morri-son changed the title fix!: use Fulcio certificate instead of public key and upgrade Sigstore Cosign from v2.6.1 to v3.0.2 fix!: use Fulcio certificate instead of public key and upgrade Sigstore Cosign from v2 to v3 Jan 8, 2026
@github-actions github-actions bot added the size/l Large label Jan 9, 2026
@morrison-sap
feat: Upgrade Sigstore from v2.6.1 to v3.0.2
a35b479 
Upgrade all Sigstore dependencies from v2 to v3.

- Updated imports from cosign/v2 to cosign/v3:
  - github.com/sigstore/cosign/v3/cmd/cosign/cli/fulcio
  - github.com/sigstore/cosign/v3/cmd/cosign/cli/options
  - github.com/sigstore/cosign/v3/pkg/cosign

- Updated import from cosign/v2 to cosign/v3:
  - github.com/sigstore/cosign/v3/pkg/providers/all

- Removed: github.com/sigstore/cosign/v2 v2.6.1
- Added: github.com/sigstore/cosign/v3 v3.0.2

Checked entire codebase for v2 references:
```bash
grep -r "sigstore/cosign/v2" --include="*.go" --include="go.mod" --include="go.sum" .
```

This upgrade maintains signature compatibility:
- v3 can verify signatures created with v2 (backward compatible)
- v2 can verify signatures created with v3 (forward compatible)

Verified by compatibility test workflow using pre-signed components.

On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
@morrison-sap
fix: resolve merge conflicts for sigstore v3 upgrade
0d6519f 
On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
@morrison-sap
correct format
fa31f2f 
On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
@morrison-sap
add doc after generate
9ae5880 
On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
@morri-son morri-son force-pushed the feat/upgrade-sigstore-v3 branch from 0f280ff to 9ae5880 Compare January 9, 2026 19:43
@github-actions github-actions bot added the area/documentation Documentation related label Jan 9, 2026
@morrison-sap
change verify to digest both v2 and v2 signature
6051825 
On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
@frewilhelm frewilhelm mentioned this pull request Jan 16, 2026
Open
9 tasks
jakobmoellerdev
jakobmoellerdev reviewed Jan 18, 2026
View reviewed changes
@morrison-sap
add testing and doc changes
cb3a749 
On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
@morrison-sap
add comments about offline testing capability
46c1aab 
On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
@morri-son morri-son marked this pull request as ready for review January 19, 2026 19:07
@morrison-sap
resolve conflicts
1ecc235 
On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
@morrison-sap
docs: regenerate CLI docs from source after sigstore-v3 handler changes
0e84335 
On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
@morrison-sap
sigstore: register sigstore-v3; update attribute description and test…
4f42f3d 
…s; regenerate docs to align

On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
@github-actions github-actions bot added the component/github-actions Changes on GitHub Actions or within `.github/` directory label Jan 19, 2026
@jakobmoellerdev jakobmoellerdev removed size/s Small size/m Medium size/xs Extra small labels Jan 20, 2026
@morrison-sap
add some more meaningful comments.
9c4e4ef 
On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
@github-actions github-actions bot added the size/m Medium label Jan 20, 2026
jakobmoellerdev
jakobmoellerdev reviewed Jan 20, 2026
View reviewed changes
piotrjanik
piotrjanik reviewed Jan 20, 2026
View reviewed changes
morrison-sap and others added 3 commits January 20, 2026 16:59
@morrison-sap
add even more meaningful comments.
0ec5e07 
On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
@morrison-sap
Clearly separate actions for public keys for different algorithms.
b84e26f 
On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
@morri-son
Merge branch 'main' into feat/upgrade-sigstore-v3
31894bb
@morri-son
Copy link
Contributor Author

morri-son commented Jan 21, 2026

all comments answered and feedback integrated.

fabianburth
fabianburth reviewed Jan 21, 2026
View reviewed changes
piotrjanik
piotrjanik reviewed Jan 21, 2026
View reviewed changes
piotrjanik
piotrjanik reviewed Jan 21, 2026
View reviewed changes
@fabianburth
Copy link
Contributor

fabianburth commented Jan 21, 2026

Maybe you want to add a test to (or kind of like in

ocm/api/ocm/tools/signing/handler_test.go

Line 66 in 1245fc4

DescribeTable("rsa handlers", func(kind string) {
) that actually shows that your handler is correctly registered and used.

@morrison-sap
correct tests for algorithm and check assertion for defined errors.
1e27f20 
On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
@morri-son
Copy link
Contributor Author

morri-son commented Jan 21, 2026

Maybe you want to add a test to (or kind of like in

ocm/api/ocm/tools/signing/handler_test.go

Line 66 in 1245fc4

DescribeTable("rsa handlers", func(kind string) {

) that actually shows that your handler is correctly registered and used.

@fabianburth added a tiny test that just does verifier := signing.DefaultHandlerRegistry().GetVerifier(AlgorithmV2). Do you think this is sufficient to check that the registration works?

@morrison-sap
added test for wrong digest/signature and handler registration.
b9622ff 
On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
fabianburth
fabianburth previously approved these changes Jan 21, 2026
View reviewed changes
@morrison-sap
deduplicate type assertion
ec180ec 
On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
jakobmoellerdev
jakobmoellerdev approved these changes Jan 21, 2026
View reviewed changes
Copy link
Member

@jakobmoellerdev jakobmoellerdev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

code change okay. if there are other docs on website etc they probably need adjustment. best to double check!

@jakobmoellerdev jakobmoellerdev merged commit 92a409a into open-component-model:main Jan 21, 2026
28 checks passed
@morri-son
Copy link
Contributor Author

morri-son commented Jan 21, 2026

code change okay. if there are other docs on website etc they probably need adjustment. best to double check!

sigstore/cosign is not mentioned on the website in any guide. I can find it only in the reference documentation that we link from ocm/open-component-model CLI docs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@piotrjanik piotrjanik piotrjanik left review comments

@jakobmoellerdev jakobmoellerdev jakobmoellerdev approved these changes

@fabianburth fabianburth fabianburth left review comments

Assignees

No one assigned

Labels

area/documentation Documentation related !BREAKING-CHANGE! Breaking change in API or ocm-cli or spec component/github-actions Changes on GitHub Actions or within `.github/` directory kind/bugfix Bug kind/dependency dependency update, etc. size/l Large size/m Medium

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Keyless signing flow uses public key instead of Fulcio certificate in publicKey.content

5 participants

@morri-son @fabianburth @piotrjanik @jakobmoellerdev @morrison-sap