Bump sigstore/cosign-installer from 3.10.0 to 4.0.0

.github/workflows/add-remove-new-fulcio.yaml

@@ -73,7 +73,7 @@ jobs:
 
     - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
-    - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+    - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
     - name: Setup Cluster
       uses: chainguard-dev/actions/setup-kind@b479012116eacde7f895586c17b598f7ba0ee700 # v1.5.9
@@ -141,15 +141,9 @@ jobs:
 
     - name: Get the endpoints on the cluster
       run: |
-        REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}')
-        echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV
-
         FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
         echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV
 
-        #FULCIO_GRPC_URL=$(kubectl -n fulcio-system get ksvc fulcio-grpc -ojsonpath='{.status.url}')
-        #echo "FULCIO_GRPC_URL=$FULCIO_GRPC_URL" >> $GITHUB_ENV
-
         CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
         echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
 
@@ -160,21 +154,18 @@ jobs:
 
     - name: Sign with cosign from the action using k8s token
       run: |
-        cosign sign --yes --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}
+        cosign sign --yes --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}
       env:
-        REKOR_URL: ${{ env.REKOR_URL }}
-        FULCIO_URL: ${{ env.FULCIO_URL }}
         DEMOIMAGE: ${{ env.demoimage }}
         OIDC_TOKEN: ${{ env.OIDC_TOKEN }}
 
     - name: Verify with cosign from the action using k8s token
       run: |
-        cosign verify --rekor-url "${REKOR_URL}" \
+        cosign verify \
         --allow-insecure-registry "${DEMOIMAGE}" \
         --certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \
         --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
       env:
-        REKOR_URL: ${{ env.REKOR_URL }}
         DEMOIMAGE: ${{ env.demoimage }}
 
     - name: Spin up a new Fulcio with new keys

.github/workflows/fulcio-rekor-kind.yaml

@@ -73,7 +73,7 @@ jobs:
 
     - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
-    - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+    - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
     - name: Setup Cluster
       uses: chainguard-dev/actions/setup-kind@b479012116eacde7f895586c17b598f7ba0ee700 # v1.5.9
@@ -143,18 +143,6 @@ jobs:
 
     - name: Get the endpoints on the cluster
       run: |
-        REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}')
-        echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV
-
-        FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
-        echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV
-
-        #FULCIO_GRPC_URL=$(kubectl -n fulcio-system get ksvc fulcio-grpc -ojsonpath='{.status.url}')
-        #echo "FULCIO_GRPC_URL=$FULCIO_GRPC_URL" >> $GITHUB_ENV
-
-        CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
-        echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
-
         ISSUER_URL=$(kubectl get ksvc gettoken -ojsonpath='{.status.url}')
         echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV
         OIDC_TOKEN=`curl -s $ISSUER_URL`
@@ -165,26 +153,23 @@ jobs:
 
     - name: Sign with cosign from the action using k8s token
       run: |
-        cosign sign --yes --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}
+        cosign sign --yes --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}
       env:
-        REKOR_URL: ${{ env.REKOR_URL }}
-        FULCIO_URL: ${{ env.FULCIO_URL }}
         DEMOIMAGE: ${{ env.demoimage }}
         OIDC_TOKEN: ${{ env.OIDC_TOKEN }}
 
     - name: Verify with cosign from the action using k8s token
       run: |
-        cosign verify --rekor-url "${REKOR_URL}" \
+        cosign verify \
         --allow-insecure-registry "${DEMOIMAGE}" \
         --certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \
         --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
       env:
-        REKOR_URL: ${{ env.REKOR_URL }}
         DEMOIMAGE: ${{ env.demoimage }}
 
     - name: Sign a blob with signature bundle format
       run: |
-        cosign sign-blob --yes --new-bundle-format=true --bundle=bundle.json --rekor-url $REKOR_URL --fulcio-url $FULCIO_URL --identity-token $OIDC_TOKEN README.md
+        cosign sign-blob --yes --new-bundle-format=true --bundle=bundle.json --identity-token $OIDC_TOKEN README.md
 
     - name: Verify blob with signature bundle format using trusted_root.json
       run: |
@@ -197,7 +182,6 @@ jobs:
             --certificate-identity-regexp="https://kubernetes.io/namespaces/default/serviceaccounts/default" \
             --certificate-oidc-issuer-regexp="https://kubernetes.default.svc.cluster.local" \
             --bundle=bundle.json  --new-bundle-format \
-            --rekor-url $REKOR_URL \
             --trusted-root=$HOME/.sigstore/root/$TUF_MIRROR/targets/trusted_root.json \
             README.md
       env:
@@ -225,7 +209,7 @@ jobs:
     #    ROOT=${PWD}/repository/1.root.json
     #    REPOSITORY=${PWD}/repository
     #    ./cosign initialize --root ${ROOT} --mirror file://${REPOSITORY}
-    #    ./cosign verify --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }}
+    #    ./cosign verify --allow-insecure-registry ${{ env.demoimage }}
 
     - name: Checkout TSA for testing.
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

.github/workflows/release.yaml

@@ -37,7 +37,7 @@ jobs:
       uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
     - name: Install cosign
-      uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+      uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
     - name: Install GoReleaser
       uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0

.github/workflows/test-action-tuf.yaml

@@ -47,7 +47,7 @@ jobs:
 
     # Install cosign
     - name: Install cosign
-      uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+      uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
     - name: Set up Go
       uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
@@ -80,21 +80,18 @@ jobs:
 
     - name: Sign with cosign from the action using k8s token
       run: |
-        cosign sign --yes --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}
+        cosign sign --yes --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}
       env:
-        REKOR_URL: ${{ env.REKOR_URL }}
-        FULCIO_URL: ${{ env.FULCIO_URL }}
         DEMOIMAGE: ${{ env.demoimage }}
         OIDC_TOKEN: ${{ env.OIDC_TOKEN }}
 
     - name: Verify with cosign from the action using k8s token
       run: |
-        cosign verify --rekor-url "${REKOR_URL}" \
+        cosign verify \
         --allow-insecure-registry "${DEMOIMAGE}" \
         --certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \
         --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
       env:
-        REKOR_URL: ${{ env.REKOR_URL }}
         DEMOIMAGE: ${{ env.demoimage }}
 
     - name: Checkout TSA for testing.

.github/workflows/test-release.yaml

@@ -38,7 +38,7 @@ jobs:
     steps:
     - uses: chainguard-dev/actions/setup-mirror@b479012116eacde7f895586c17b598f7ba0ee700 # v1.5.9
 
-    - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+    - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
     - name: Set up Go
       uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
@@ -74,18 +74,10 @@ jobs:
         /tmp/setup-scaffolding-from-release.sh --release-version ${RELEASE_VERSION}
 
         # TODO(vaikas): Figure out how these could be exposed by above.
-        REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}')
-        FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
-        FULCIO_GRPC_URL=$(kubectl -n fulcio-system get ksvc fulcio-grpc -ojsonpath='{.status.url}')
-        CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
         TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
         TSA_URL=$(kubectl -n tsa-system get ksvc tsa -ojsonpath='{.status.url}')
 
         # Set the endopints
-        echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV
-        echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV
-        echo "FULCIO_GRPC_URL=$FULCIO_GRPC_URL" >> $GITHUB_ENV
-        echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
         echo "TUF_MIRROR=$TUF_MIRROR" >> $GITHUB_ENV
         echo "TSA_URL=$TSA_URL" >> $GITHUB_ENV
 
@@ -132,21 +124,18 @@ jobs:
 
     - name: Sign with cosign from the action using k8s token
       run: |
-        cosign sign --yes --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}
+        cosign sign --yes --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}
       env:
-        REKOR_URL: ${{ env.REKOR_URL }}
-        FULCIO_URL: ${{ env.FULCIO_URL }}
         DEMOIMAGE: ${{ env.demoimage }}
         OIDC_TOKEN: ${{ env.OIDC_TOKEN }}
 
     - name: Verify with cosign from the action using k8s token
       run: |
-        cosign verify --rekor-url "${REKOR_URL}" \
+        cosign verify \
         --allow-insecure-registry "${DEMOIMAGE}" \
         --certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \
         --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
       env:
-        REKOR_URL: ${{ env.REKOR_URL }}
         DEMOIMAGE: ${{ env.demoimage }}
 
     - name: Checkout TSA for testing.

.github/workflows/test-setup-sigstore-env.yml

@@ -17,36 +17,38 @@ jobs:
           persist-credentials: false
       - id: setup-sigstore-env
         uses: ./actions/setup-sigstore-env
-      - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+      - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
         with:
           cosign-release: main
       - name: Create artifact to sign
         run: head -c 128 < /dev/urandom > artifact
       - name: Run cosign sign-blob
         env:
           SIGSTORE_CT_LOG_PUBLIC_KEY_FILE: ${{ steps.setup-sigstore-env.outputs.ct-log-key }}
-          STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_OIDC_URL: ${{ steps.setup-sigstore-env.outputs.oidc-url }}
-          STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_OIDC_TOKEN: ${{ steps.setup-sigstore-env.outputs.oidc-token }}
+          OIDC_URL: ${{ steps.setup-sigstore-env.outputs.oidc-url }}
+          OIDC_TOKEN: ${{ steps.setup-sigstore-env.outputs.oidc-token }}
+          TRUSTED_ROOT: ${{ steps.setup-sigstore-env.outputs.trusted-root }}
+          SIGNING_CONFIG: ${{ steps.setup-sigstore-env.outputs.signing-config }}
         run: |
           echo token:
-          curl -f ${STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_OIDC_URL}/token
+          curl -f ${OIDC_URL}/token
           cosign sign-blob \
             -y \
             --bundle=bundle.json \
             --new-bundle-format=true \
-            --rekor-url http://localhost:3000 \
-            --fulcio-url http://localhost:5555 \
-            --identity-token ${STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_OIDC_TOKEN} \
+            --trusted-root ${TRUSTED_ROOT} \
+            --signing-config ${SIGNING_CONFIG} \
+            --identity-token ${OIDC_TOKEN} \
             artifact
       - name: Run cosign verify-blob with trusted root
         run: |
           cosign verify-blob \
-            --trusted-root ${STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_TRUSTED_ROOT} \
+            --trusted-root ${TRUSTED_ROOT} \
             --bundle bundle.json \
             --new-bundle-format=true \
             --certificate-identity [email protected] \
-            --certificate-oidc-issuer ${STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_ISSUER_URL} \
+            --certificate-oidc-issuer ${ISSUER_URL} \
             artifact
         env:
-          STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_TRUSTED_ROOT: ${{ steps.setup-sigstore-env.outputs.trusted-root }}
-          STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_ISSUER_URL: ${{ steps.setup-sigstore-env.outputs.issuer-url }}
+          TRUSTED_ROOT: ${{ steps.setup-sigstore-env.outputs.trusted-root }}
+          ISSUER_URL: ${{ steps.setup-sigstore-env.outputs.issuer-url }}