fix(release): cosign v4 emits a single sigstore bundle

kanywst · kanywst · commit 6455d8637eeb · 2026-04-29T20:44:21.000+09:00
cosign v4 deprecates --output-signature / --output-certificate and writes
a single .sigstore.json bundle via --bundle. without that flag the run
crashes with "create bundle file: open : no such file or directory".
emit `&lt;tarball&gt;.sigstore.json`, attach it to the github release, and teach
verify.sh to fetch and verify against the bundle instead of the split
.sig + .crt pair.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -134,15 +134,15 @@ jobs:
           name: tarball
 
       - name: sign
+        # cosign v4 emits a single sigstore bundle (.sigstore.json) by default;
+        # --output-signature / --output-certificate are deprecated and ignored.
         run: |
           cosign sign-blob --yes \
-            --output-signature "${{ needs.build.outputs.tarball-name }}.sig" \
-            --output-certificate "${{ needs.build.outputs.tarball-name }}.crt" \
+            --bundle "${{ needs.build.outputs.tarball-name }}.sigstore.json" \
             "${{ needs.build.outputs.tarball-name }}"
 
       - name: attach signature to release
         uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
         with:
           files: |
-            ${{ needs.build.outputs.tarball-name }}.sig
-            ${{ needs.build.outputs.tarball-name }}.crt
+            ${{ needs.build.outputs.tarball-name }}.sigstore.json
diff --git a/scripts/verify.sh b/scripts/verify.sh
@@ -54,20 +54,18 @@ TARBALL="$(cd "$WORK" && npm pack "$SPEC" --silent | tail -n 1)"
 gh release download "v${VERSION}" \
   -R "$GH_REPO" \
   -D "$WORK" \
-  -p "${TARBALL}.sig" \
-  -p "${TARBALL}.crt" \
+  -p "${TARBALL}.sigstore.json" \
   -p "${TARBALL}.intoto.jsonl" 2>/dev/null || true
 
-if [ ! -f "$WORK/${TARBALL}.sig" ] || [ ! -f "$WORK/${TARBALL}.crt" ]; then
-  echo "    missing ${TARBALL}.sig / .crt on github release v${VERSION} of ${GH_REPO}"
+if [ ! -f "$WORK/${TARBALL}.sigstore.json" ]; then
+  echo "    missing ${TARBALL}.sigstore.json on github release v${VERSION} of ${GH_REPO}"
   exit 1
 fi
 
 cosign verify-blob \
   --certificate-identity-regexp "$EXPECTED_SUBJECT_REGEX" \
   --certificate-oidc-issuer "$EXPECTED_ISSUER" \
-  --certificate "$WORK/${TARBALL}.crt" \
-  --signature "$WORK/${TARBALL}.sig" \
+  --bundle "$WORK/${TARBALL}.sigstore.json" \
   "$WORK/${TARBALL}"
 echo "    ok"
 
