diff --git a/.github/workflows/build-test-deploy.yaml b/.github/workflows/build-test-deploy.yaml
index 7b546454..b37d30fc 100644
--- a/.github/workflows/build-test-deploy.yaml
+++ b/.github/workflows/build-test-deploy.yaml
@@ -285,9 +285,10 @@ jobs:
         with:
           go-version: "1.19"
 
-      - uses: sigstore/cosign-installer@main
+      - uses: sigstore/cosign-installer@v3
         with:
-          cosign-release: "v1.2.1"
+          # DO NOT USE v2 until we decide on whether to use Rekor or not
+          cosign-release: "v1.13.1" # Binary version to install
 
       - name: Get Cosign Key
         run: |
@@ -305,7 +306,7 @@ jobs:
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v4
         with:
-          version: "v0.183.0"
+          version: "v1.x" # Binary version to install
           args: release --rm-dist --config deploy/.goreleaser.yaml
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/README.md b/README.md
index 2b545d1b..9695c117 100644
--- a/README.md
+++ b/README.md
@@ -61,7 +61,14 @@ A signed SBOM that includes Troubleshoot dependencies is included in each relea
 
 The following example illustrates using [cosign](https://github.com/sigstore/cosign) to verify that **troubleshoot-sbom.tgz** has not been tampered with.
 
-```
+```sh
 $ cosign verify-blob --key key.pub --signature troubleshoot-sbom.tgz.sig troubleshoot-sbom.tgz
 Verified OK
 ```
+
+If you were to get an error similar to the one below, it means you are verifying an SBOM signed using cosign `v1` using a newer `v2` of the binary. This version introduced [breaking changes](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md#breaking-changes) which require an additional flag `--insecure-ignore-tlog=true` to successfully verify SBOMs like so.
+```sh
+$ cosign verify-blob --key key.pub --signature troubleshoot-sbom.tgz.sig troubleshoot-sbom.tgz --insecure-ignore-tlog=true
+WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the blob.
+Verified OK
+```
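Review bot: `sigstore/cosign-installer@v3` on the added `- uses:` line is still a mutable tag, so the action code that runs immediately before the "Get Cosign Key" step can change without any edit to this workflow; moving off `@main` narrows that window but does not close it. Pin the action to a full commit SHA and keep the tag as a trailing comment, `- uses: sigstore/cosign-installer@<full-commit-sha> # v3`, and apply the same treatment to `goreleaser/goreleaser-action@v4` in the next hunk. The exact `cosign-release: "v1.13.1"` and the comment explaining why v1 is retained are fine as written. The step list this hunk belongs to continues outside the hunk on both sides.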
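Review bot: `version: "v1.x"` on the changed line makes the installed GoReleaser binary resolve to whatever the newest v1 release is at run time, so two runs of this job can produce the release with different tool versions and the build is no longer reproducible from the workflow alone. Pin an exact, tested release instead, `version: "v1.<minor>.<patch>" # Binary version to install`, and bump it deliberately the way `cosign-release` is pinned in the previous hunk. Note also that the unchanged `args:` line still passes `--rm-dist`, which newer GoReleaser v1 releases report as deprecated in favour of `--clean`; with a floating version that deprecation surfaces without any change to this file. The enclosing job definition starts and ends outside the hunk.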