From ab7a96d46c09ec4c57d7d5a3911db6ddb535ffa5 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Thu, 24 Apr 2025 13:34:33 -0400 Subject: [PATCH 1/3] Update cosign docs on new bundle format Signed-off-by: Cody Soyland --- content/en/cosign/verifying/verify.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/content/en/cosign/verifying/verify.md b/content/en/cosign/verifying/verify.md index aa4b61e7..2ecfa55c 100644 --- a/content/en/cosign/verifying/verify.md +++ b/content/en/cosign/verifying/verify.md 
@@ -252,9 +252,13 @@ You can override the public good instance CA using the environment variable `SIG export SIGSTORE_ROOT_FILE="/home/jdoe/myrootCA.pem" ``` -## New bundle format coming soon +## New bundle format -There's a new bundle format using [bundle protobuf-specs](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto) that has a number of advantages over the previous bundle format: it supports offline verification, and includes additional information (like signed timestamps and attestations) in a single file. +Cosign has recently added support for the [Sigstore bundle format]({{< relref "about/bundle" >}}), which is a new format for storing and sharing software signatures, attestations, and other metadata needed to verify an artifact. This carries a number of advantages over the previous bundle format: it supports offline verification, and includes additional information (like signed timestamps and attestations) in a single file. Additionally, language client support for the new format is widely available for Go, Python, Javascript, and Java. + +The new format is disabled by default in Cosign v2.x. As of Cosign v2.4.x, the new bundle format is implemented for `sign-blob`, `verify-blob`, `attest-blob`, and `verify-blob-attestation` commands. As of Cosign v2.5.x, the new bundle format is implemented for `attest` and `verify-attestation`. Support for `sign` and `verify` is coming soon. + +In order to use the new bundle format, you must set `--new-bundle-format=true` when signing or verifying. The new bundle format is coupled with an internal restructuring of the verification logic, including the switch to the Trusted Root file. For users operating a private Sigstore instance, this means that the `--trusted-root` flag is now required for verification. You can take existing signed material and make a new protobuf bundle with `cosign bundle create ...`. From 3bca565bf094e41396652938df292055beeb211f Mon Sep 17 00:00:00 2001 
From: Cody Soyland Date: Thu, 24 Apr 2025 13:45:31 -0400 Subject: [PATCH 2/3] Add paragraph about OCI referrers API Signed-off-by: Cody Soyland --- content/en/cosign/verifying/verify.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/en/cosign/verifying/verify.md b/content/en/cosign/verifying/verify.md index 2ecfa55c..6f588b88 100644 --- a/content/en/cosign/verifying/verify.md +++ b/content/en/cosign/verifying/verify.md @@ -260,6 +260,8 @@ The new format is disabled by default in Cosign v2.x. As of Cosign v2.4.x, the n In order to use the new bundle format, you must set `--new-bundle-format=true` when signing or verifying. The new bundle format is coupled with an internal restructuring of the verification logic, including the switch to the Trusted Root file. For users operating a private Sigstore instance, this means that the `--trusted-root` flag is now required for verification. +When using the new bundle format for signing container image attestations, Cosign now uses the OCI 1.1 Referrers API to store the attestation bundle in the registry as a referrer to the image. This is in contrast to the previous bundle format, which stored the individual signature, certificate, and other metadata as annotations on specially-tagged manifests. This makes image signatures more portable and easier to manage. + You can take existing signed material and make a new protobuf bundle with `cosign bundle create ...`. ## Experimental Features From b2f93a7f1884da3d620b6f5ed3b42dd984ff066f Mon Sep 17 00:00:00 2001 From: ltagliaferri Date: Fri, 10 Oct 2025 12:53:25 -0400 Subject: [PATCH 3/3] Update content/en/cosign/verifying/verify.md Signed-off-by: ltagliaferri --- content/en/cosign/verifying/verify.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/cosign/verifying/verify.md b/content/en/cosign/verifying/verify.md index 6f588b88..d72bc61a 100644 --- a/content/en/cosign/verifying/verify.md +++ b/content/en/cosign/verifying/verify.md 
@@ -254,7 +254,7 @@ export SIGSTORE_ROOT_FILE="/home/jdoe/myrootCA.pem" ## New bundle format -Cosign has recently added support for the [Sigstore bundle format]({{< relref "about/bundle" >}}), which is a new format for storing and sharing software signatures, attestations, and other metadata needed to verify an artifact. This carries a number of advantages over the previous bundle format: it supports offline verification, and includes additional information (like signed timestamps and attestations) in a single file. Additionally, language client support for the new format is widely available for Go, Python, Javascript, and Java. +Cosign has recently added support for the [Sigstore bundle format]({{< relref "about/bundle" >}}), which is a new format for storing and sharing software signatures, attestations, and other metadata needed to verify an artifact. This carries a number of advantages over the previous bundle format: it supports offline verification, and includes additional information (like signed timestamps and attestations) in a single file. Additionally, language client support for the new format is widely available for Go, Python, JavaScript, and Java. The new format is disabled by default in Cosign v2.x. As of Cosign v2.4.x, the new bundle format is implemented for `sign-blob`, `verify-blob`, `attest-blob`, and `verify-blob-attestation` commands. As of Cosign v2.5.x, the new bundle format is implemented for `attest` and `verify-attestation`. Support for `sign` and `verify` is coming soon.
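Review bot: Hunk 1 (`@@ -252,9 +252,13 @@`) ends on "Support for `sign` and `verify` is coming soon." with no version or tracking reference, which is the same open-ended promise the removed heading "New bundle format coming soon" carried; either name the targeted release or point to the tracking issue so the sentence does not go stale. Two smaller points in the same hunk: the `[Sigstore bundle format]({{< relref "about/bundle" >}})` link will fail the Hugo build if `about/bundle` does not exist under `content/en/cosign/`, so confirm that page is present; and the paragraph that introduces `--new-bundle-format=true` and the now-required `--trusted-root` would read better with one concrete invocation next to the retained "You can take existing signed material and make a new protobuf bundle with `cosign bundle create ...`." line, for example a `verify-blob` call showing both flags together, since private-instance users are the ones most likely to hit the missing `--trusted-root` error.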
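Review bot: In hunk 2 (`@@ -260,6 +260,8 @@`) the closing sentence "This makes image signatures more portable and easier to manage." switches subject: the paragraph describes how the attestation bundle is stored via the OCI 1.1 Referrers API, and hunk 1 states that `sign`/`verify` do not yet support the new format, so "image signatures" overstates the current scope; say "attestations" here, or "signatures and attestations" once `sign` support lands. The opening "Cosign now uses the OCI 1.1 Referrers API" should also be scoped to `attest` with `--new-bundle-format=true` (per the v2.5.x sentence above it), otherwise a reader on the default path expects referrers and finds the tagged manifests described in the next sentence. Finally, consider adding a sentence on what operators of registries without OCI 1.1 Referrers API support should expect, since the paragraph presents the referrers path as the only behaviour for the new format.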
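Review bot: Hunk 3 (`@@ -254,7 +254,7 @@`) only corrects "Javascript" to "JavaScript" in text introduced by PATCH 1/3 of this same series; squash it into the first commit so the series does not carry a whole commit for a capitalization fix, and if it stays separate give it a subject more descriptive than "Update content/en/cosign/verifying/verify.md". The change itself is correct.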