@morri-son morri-son commented Dec 5, 2025

On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>

## What this PR does / why we need it

Upgrade all Sigstore Cosign dependencies from v2 to v3.

## Changes

### Handler (api/tech/signing/handlers/sigstore/handler.go)
- Updated imports from cosign/v2 to cosign/v3:
  - github.com/sigstore/cosign/v3/cmd/cosign/cli/fulcio
  - github.com/sigstore/cosign/v3/cmd/cosign/cli/options
  - github.com/sigstore/cosign/v3/pkg/cosign

### Providers (api/tech/signing/handlers/init.go)
- Updated import from cosign/v2 to cosign/v3:
  - github.com/sigstore/cosign/v3/pkg/providers/all

### Dependencies (go.mod/go.sum)
- Removed: github.com/sigstore/cosign/v2 v2.6.1
- Added: github.com/sigstore/cosign/v3 v3.0.2


## Verification

Checked entire codebase for v2 references:
```bash
grep -r "sigstore/cosign/v2" --include="*.go" --include="go.mod" --include="go.sum" .
# No results - clean upgrade ✅
```
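As an added example (not code from this PR or the OCM project), the same major-version bump done mechanically on a Go source file with the standard library's go/parser, so that only import specs are rewritten and a later grep for the v2 path finds nothing; `sampleHandler` is a constructed stand-in for handler.go before the upgrade, and `BumpCosignImports` is a name chosen here.

```go
package main

import (
	"go/format"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// In Go the major version is part of the import path, so this bump (module paths
// taken from the PR) means rewriting every import under the old prefix.
const (
	oldMod = "github.com/sigstore/cosign/v2"
	newMod = "github.com/sigstore/cosign/v3"
)

// sampleHandler is a constructed stand-in for handler.go before the bump.
const sampleHandler = `package sigstore
import (
	"fmt" // unrelated import, must survive untouched

	"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"
	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
	"github.com/sigstore/cosign/v2/pkg/cosign"
)
`

// BumpCosignImports rewrites cosign/v2 imports in one Go source file to cosign/v3
// and returns the gofmt'ed source plus the number of imports changed.
func BumpCosignImports(src string) (string, int, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "", src, parser.ParseComments)
	if err != nil {
		return "", 0, err
	}
	n := 0
	for _, imp := range f.Imports {
		path, _ := strconv.Unquote(imp.Path.Value) // parser guarantees a valid literal
		if path == oldMod || strings.HasPrefix(path, oldMod+"/") {
			imp.Path.Value = strconv.Quote(newMod + strings.TrimPrefix(path, oldMod))
			n++
		}
	}
	var out strings.Builder
	if err := format.Node(&out, fset, f); err != nil {
		return "", 0, err
	}
	return out.String(), n, nil
}
```

Run it over every `.go` file the grep in the Verification section would scan; go.mod and go.sum still need the `require` and checksum lines updated by `go get` and `go mod tidy`.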

## Compatibility

This upgrade maintains signature compatibility:
- v3 can verify signatures created with v2 (backward compatible)
- v2 can verify signatures created with v3 (forward compatible)

Verified by compatibility test workflow using pre-signed components.

On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
@morri-son morri-son requested a review from a team as a code owner December 5, 2025 15:36
@morri-son morri-son added the kind/chore chore, maintenance, etc. label Dec 5, 2025
@github-actions github-actions bot added kind/dependency dependency update, etc. size/s Small labels Dec 5, 2025
@morri-son morri-son changed the title chore: Upgrade Sigstore from v2.6.1 to v3.0.2 chore: Upgrade Sigstore Cosign from v2.6.1 to v3.0.2 Dec 7, 2025
morri-son pushed a commit to morri-son/ocm that referenced this pull request Dec 7, 2025
Comprehensive documentation of the Sigstore v2 to v3 upgrade compatibility testing.

Includes:
- Pre-signed test component details and creation process
- Automated verification workflow explanation
- Test matrix covering all 4 verification combinations
- Technical details of the upgrade
- Relationship to other PRs (sigstore/sigstore bump)
- Conclusions and recommendations

This documentation serves as proof of compatibility for PR open-component-model#1726.

On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

Successfully merging this pull request may close these issues.

Keyless signing flow uses public key instead of Fulcio certificate in publicKey.content
