Merge pull request #25 from AgoraIO/fix/cosign-bundle-signing

Fix release Cosign bundle signing

Author: plutoless

.goreleaser.yaml

@@ -61,28 +61,26 @@ sboms:
 
 # ---------------------------------------------------------------------------
 # Cosign signatures (keyless / OIDC)
-# Signs every checksum file, archive SBOM, and Linux package SBOM with the
-# release workflow's GitHub Actions OIDC token. The resulting transparency
-# log entries are stored in Sigstore Rekor and verifiable with:
+# Signs the checksum file with the release workflow's GitHub Actions OIDC
+# token. The resulting transparency log entry is stored in Sigstore Rekor and
+# verifiable with:
 #
 #   cosign verify-blob \
 #     --certificate-identity-regexp '^https://github.com/AgoraIO/cli/' \
 #     --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
-#     --signature <artifact>.sig --certificate <artifact>.pem <artifact>
+#     --bundle <artifact>.sigstore.json <artifact>
 #
 # Requires `cosign` on the runner and `id-token: write` in release.yml
 # (already granted for npm provenance).
 # ---------------------------------------------------------------------------
 signs:
   - id: cosign-keyless
     cmd: cosign
-    signature: "${artifact}.sig"
-    certificate: "${artifact}.pem"
+    signature: "${artifact}.sigstore.json"
     args:
       - "sign-blob"
       - "--yes"
-      - "--output-signature=${signature}"
-      - "--output-certificate=${certificate}"
+      - "--bundle=${signature}"
       - "${artifact}"
     artifacts: checksum
     output: true

CHANGELOG.md

@@ -15,6 +15,10 @@ Earlier entries pre-date this convention and only carry their version's compare
 
 ## [Unreleased]
 
+### Fixed
+
+- Update GoReleaser Cosign signing to emit `checksums.txt.sigstore.json` with `--bundle`, matching Cosign's current bundle-based signing flow.
+
 ## [0.2.2] - 2026-05-26
 
 Python quickstart repository URL correction.

docs/install.md

@@ -349,17 +349,15 @@ For CI, automation, and reproducible environments, pin `VERSION` explicitly inst
 Every release is signed with [Cosign](https://docs.sigstore.dev/cosign/overview/) using GitHub Actions OIDC (keyless mode) and ships an [SPDX 2.3](https://spdx.dev/) SBOM per archive and per Linux package. To verify the `checksums.txt` file before trusting any artifact:
 
 ```bash
-TAG=v0.2.1
+TAG=vX.Y.Z
 ASSET_BASE="https://github.com/AgoraIO/cli/releases/download/${TAG}"
 curl -fsSLO "${ASSET_BASE}/checksums.txt"
-curl -fsSLO "${ASSET_BASE}/checksums.txt.sig"
-curl -fsSLO "${ASSET_BASE}/checksums.txt.pem"
+curl -fsSLO "${ASSET_BASE}/checksums.txt.sigstore.json"
 
 cosign verify-blob \
   --certificate-identity-regexp '^https://github.com/AgoraIO/cli/' \
   --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
-  --certificate checksums.txt.pem \
-  --signature checksums.txt.sig \
+  --bundle checksums.txt.sigstore.json \
   checksums.txt
 ```
 

docs/proposals/supply-chain-hardening.md

@@ -182,8 +182,7 @@ verify_cosign_optional() {
   if command -v cosign >/dev/null 2>&1; then
     say_step "Verifying checksums.txt signature with cosign..."
     cosign verify-blob \
-      --certificate "${CHECKSUMS_PATH}.pem" \
-      --signature   "${CHECKSUMS_PATH}.sig" \
+      --bundle "${CHECKSUMS_PATH}.sigstore.json" \
       --certificate-identity-regexp "https://github.com/AgoraIO/cli/.github/workflows/release.yml@refs/tags/v.*" \
       --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
       "$CHECKSUMS_PATH" >/dev/null