From 12f7a92bb42c36083e64672057ba21153c6772d6 Mon Sep 17 00:00:00 2001 From: Thales Maciel Date: Wed, 29 Apr 2026 13:27:23 -0300 Subject: [PATCH] publish-script: don't clobber COSIGN_PASSWORD with empty default MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous form did COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" cosign sign-blob ... which set COSIGN_PASSWORD to "" when the caller hadn't exported one. cosign sees an explicit empty password and tries to decrypt with it instead of prompting interactively, so any real password-protected offline key fails with "decryption failed". Drop the prefix entirely. If COSIGN_PASSWORD is already in env, it gets inherited normally; if it isn't, cosign prompts on the terminal — which is the right UX for a maintainer running the publish script locally with the offline private key. Co-Authored-By: Claude Opus 4.7 (1M context) --- scripts/publish-banger-release.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/scripts/publish-banger-release.sh b/scripts/publish-banger-release.sh index dd468bd..89610b4 100755 --- a/scripts/publish-banger-release.sh +++ b/scripts/publish-banger-release.sh @@ -112,8 +112,12 @@ log "cosign sign-blob → SHA256SUMS.sig" # via crypto/ecdsa.VerifyASN1. # These flags also work on cosign v2.x, so the script is forward- and # backward-compatible across the v2→v3 boundary. -COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \ - cosign sign-blob --yes \ +# If COSIGN_PASSWORD is set in the environment, cosign uses it. +# Otherwise cosign prompts on the terminal — which is what we want +# for a password-protected offline key. Don't pre-set it to empty: +# that suppresses the prompt and makes cosign try to decrypt with +# the empty password, failing with "decryption failed". +cosign sign-blob --yes \ --key "$COSIGN_KEY" \ --use-signing-config=false \ --tlog-upload=false \
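Review bot: dropping the prefix fixes the password-protected-key case, but the new comment block (lines starting `# If COSIGN_PASSWORD is set in the environment, cosign uses it.`) leaves two failure modes undocumented and unguarded: a non-interactive run (no TTY, for example CI) where cosign has nothing to prompt on, and a caller that has exported COSIGN_PASSWORD as an empty string, which reproduces exactly the "decryption failed" path this change is meant to remove. Suggest a guard immediately before `cosign sign-blob --yes \` along the lines of `if [ -z "${COSIGN_PASSWORD+x}" ] && ! [ -t 0 ]; then echo "COSIGN_PASSWORD unset and no terminal to prompt on" >&2; exit 1; fi`, plus a check that rejects a set-but-empty value with a clear message, so the script fails fast with a diagnosis instead of cosign's generic error. Since the variable is no longer referenced anywhere in the script, `set -u` is not a concern here, which is worth stating in the comment so nobody reintroduces the `${COSIGN_PASSWORD:-}` form for that reason.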