Upgrading to Cosign v3
Cosign v3 streamlined its signing workflow by introducing the --bundle flag, replacing the previous approach that required separate certificate and signature files.
What Changed
Previously, signing artifacts with cosign required managing two separate outputs:
- A `.pem` certificate file via `--output-certificate`
- A `.sig` signature file via `--output-signature`
Now, the `--bundle` flag combines both into a single `.sigstore.json` file, simplifying both signing and verification workflows.
Updating Your GoReleaser Configuration
Here's how to update your `.goreleaser.yaml`:
# https://goreleaser.com/customization/sign
signs:
- cmd: cosign
- certificate: "${artifact}.pem"
+ signature: "${artifact}.sigstore.json"
args:
- sign-blob
- - "--output-certificate=${certificate}"
- - "--output-signature=${signature}"
+ - "--bundle=${signature}"
- "${artifact}"
- "--yes"
artifacts: checksum
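Review bot: the rendered hunk has lost its YAML indentation: `args:`, `artifacts:` and the list items under `args:` all sit at column 0, at the same level as `- cmd: cosign`, so the snippet is not a valid `signs:` entry if pasted as shown. Indent `signature:`, `args:` and `artifacts:` as keys of the `- cmd: cosign` entry and the `- sign-blob` ... `- "--yes"` items one level under `args:`; the `+`/`-` change markers themselves are fine.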
The key changes:
- Remove the `certificate` field
- Update `signature` to use the `.sigstore.json` extension
- Replace the `--output-certificate` and `--output-signature` flags with a single `--bundle` flag
Verifying Signatures
Verification is now simpler too. Instead of:
```sh
cosign verify-blob \
  --certificate artifact.pem \
  --signature artifact.sig \
  artifact
```
You now just need:
```sh
cosign verify-blob \
  --bundle artifact.sigstore.json \
  artifact
```
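As an added example (not code from the post or from the GoReleaser project), here is the consumer side of the `artifacts: checksum` setup above: the script verifies the bundle over `checksums.txt`, then checks a downloaded artifact against that now-trusted checksum list. It assumes the release ships `checksums.txt` and `checksums.txt.sigstore.json`; the identity and issuer values are placeholders, and they are needed because cosign v2 and later refuse keyless `verify-blob` without `--certificate-identity` and `--certificate-oidc-issuer` (or their `-regexp` variants).

```shell
#!/usr/bin/env bash
# Added example: consumer-side verification of a GoReleaser release whose
# checksums.txt was signed with `cosign sign-blob --bundle`. Assumptions (not
# from the post): the release ships checksums.txt plus checksums.txt.sigstore.json,
# and EXPECTED_IDENTITY / EXPECTED_ISSUER are placeholders for your own project.
set -eu

COSIGN="${COSIGN:-cosign}"
# Pin the signer: without identity constraints, keyless verification would
# accept a valid bundle produced under any Fulcio-issued certificate.
EXPECTED_IDENTITY="${EXPECTED_IDENTITY:-https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/.github/workflows/release.yml@refs/tags/v1.2.3}"
EXPECTED_ISSUER="${EXPECTED_ISSUER:-https://token.actions.githubusercontent.com}"

# Step 1: verify the bundle over checksums.txt. The .sigstore.json bundle
# carries certificate, signature and transparency-log entry, so no .pem/.sig.
verify_checksums_bundle() {
  local checksums="$1"
  "$COSIGN" verify-blob \
    --bundle "${checksums}.sigstore.json" \
    --certificate-identity "$EXPECTED_IDENTITY" \
    --certificate-oidc-issuer "$EXPECTED_ISSUER" \
    "$checksums"
}

# Step 2: compare an artifact's SHA-256 with its entry in the trusted
# checksums.txt. Returns 0 on match, 1 on mismatch or missing entry.
verify_artifact_checksum() {
  local checksums="$1" artifact="$2" expected actual
  expected="$(awk -v f="$(basename "$artifact")" '$2 == f { print $1 }' "$checksums")"
  if [ -z "$expected" ]; then
    echo "no checksum entry for $artifact" >&2; return 1
  fi
  actual="$(sha256sum "$artifact" | cut -d' ' -f1)"
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $artifact" >&2; return 1
  fi
  return 0
}

# Full flow: trust the checksum list only after its bundle verifies, then
# check the artifact hash. Stops at the first failure.
verify_release_artifact() {
  verify_checksums_bundle "$1" >/dev/null && verify_artifact_checksum "$1" "$2"
}

# Example invocation once the release files are downloaded:
# verify_release_artifact checksums.txt myapp_1.2.3_linux_amd64.tar.gz
```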
Try It Out
Check out the complete working example at github.com/goreleaser/example-secure to see the new bundle-based signing in action.
This change reduces complexity and makes artifact signing more straightforward for everyone.
For more details, see goreleaser/goreleaser#6195.