publish-script: fix pubkey extraction and cosign v3 compatibility

Two bugs found while dry-running the publish flow end-to-end:

1. The awk pipeline that pulled BangerReleasePublicKey out of
   verify_signature.go didn't strip Go's raw-string-literal wrapping
   (`var ... = ` + backtick on the BEGIN line, trailing backtick on
   the END line). The "verify against embedded pub key" step thus
   compared sigs against a malformed PEM. Replaced with a sed pair
   that yields a clean PEM block byte-identical to cosign.pub.

2. cosign v3.x defaults sign-blob to a new bundle format and
   pushes signatures to Rekor; both are incompatible with banger's
   "embedded pub key, raw ASN.1 DER signature" trust model.
   Add --use-signing-config=false / --tlog-upload=false /
   --new-bundle-format=false to opt out, and --insecure-ignore-tlog
   on verify-blob. These flags also work on cosign v2.x, so the
   script is forward- and backward-compatible across the v2→v3
   boundary.

Validated by an end-to-end dry-run on this machine: built binaries,
tarred, sha256summed, cosign-signed, verified against the embedded
pub key, then re-verified through internal/updater's
crypto/ecdsa.VerifyASN1 path — all green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Thales Maciel 2026-04-29 13:23:09 -03:00
parent b7c9661c99
commit 3d748b87c8
No known key found for this signature in database
GPG key ID: 33112E6833C34679
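The trust model the commit message describes (a cosign-signed SHA256SUMS file checked by the updater through crypto/ecdsa.VerifyASN1 against a PEM key embedded in verify_signature.go), as an added Go example that is not part of banger's code or of this commit. GenerateReleaseKey and SignBlob are hypothetical stand-ins for `cosign generate-key-pair` and `cosign sign-blob --new-bundle-format=false` built from the same primitives (P-256, SHA-256 digest, base64 of the ASN.1 DER signature); ExtractEmbeddedPEM does in Go what the script's sed pair does to the raw-string literal; VerifyDetached is an assumed shape for the updater-side check, rejecting a bundle and a PEM still wrapped in the Go literal explicitly so both bugs from the message surface as clear errors. The SHA256SUMS content and the Go source snippet are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// GenerateReleaseKey is a hypothetical stand-in for `cosign generate-key-pair`:
// a P-256 signing key plus the PKIX PEM that cosign.pub would contain.
func GenerateReleaseKey() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// SignBlob mimics what `cosign sign-blob --new-bundle-format=false
// --output-signature` writes for an ECDSA key: base64 of the ASN.1 DER (r,s)
// signature over the SHA-256 digest of the artifact. Hypothetical helper.
func SignBlob(priv *ecdsa.PrivateKey, artifact []byte) (string, error) {
	digest := sha256.Sum256(artifact)
	der, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// ExtractEmbeddedPEM pulls the PEM block out of Go source where it sits inside a
// raw-string literal (`var X = \`-----BEGIN ...`), dropping the literal's
// wrapping, as the publish script's sed pair does. It assumes one raw-string
// literal, not a concatenation of quoted strings.
func ExtractEmbeddedPEM(goSource string) string {
	const begin = "-----BEGIN PUBLIC KEY-----"
	const end = "-----END PUBLIC KEY-----"
	i := strings.Index(goSource, begin)
	j := strings.Index(goSource, end)
	if i < 0 || j < i {
		return ""
	}
	return goSource[i:j+len(end)] + "\n"
}

// VerifyDetached is the consumer side ("embedded pub key, raw ASN.1 DER
// signature"): PEM public key, base64 signature text, raw artifact bytes.
// A PEM still wrapped in the Go literal fails pem.Decode (the BEGIN marker is
// not at line start), and a cosign bundle is JSON rather than base64.
func VerifyDetached(pubPEM []byte, sigB64 string, artifact []byte) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("embedded key is not a clean PEM PUBLIC KEY block")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse embedded public key: %w", err)
	}
	ecPub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("embedded public key is not ECDSA")
	}
	sigText := strings.TrimSpace(sigB64)
	if strings.HasPrefix(sigText, "{") {
		return errors.New("signature file is a bundle, expected a bare base64 signature")
	}
	sig, err := base64.StdEncoding.DecodeString(sigText)
	if err != nil {
		return fmt.Errorf("decode signature: %w", err)
	}
	digest := sha256.Sum256(artifact)
	if !ecdsa.VerifyASN1(ecPub, digest[:], sig) {
		return errors.New("signature does not verify against the embedded key")
	}
	return nil
}

func main() {
	priv, pubPEM, err := GenerateReleaseKey()
	if err != nil {
		panic(err)
	}
	// Constructed SHA256SUMS content (one sha256sum-style line).
	sums := []byte("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  banger_linux_amd64.tar.gz\n")
	sig, err := SignBlob(priv, sums)
	if err != nil {
		panic(err)
	}
	// Embed the key the way verify_signature.go does, then extract it again.
	src := "package updater\n\nvar BangerReleasePublicKey = `" + string(pubPEM) + "`\n"
	fmt.Println("wrapped literal:", VerifyDetached([]byte(src), sig, sums))
	fmt.Println("clean PEM:", VerifyDetached([]byte(ExtractEmbeddedPEM(src)), sig, sums))
	fmt.Println("tampered:", VerifyDetached([]byte(ExtractEmbeddedPEM(src)), sig, []byte("tampered")))
}
```

Run with `go run`; the first line errors on the literal-wrapped PEM (bug 1 in the message), the second verifies, the third fails on the tampered artifact.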


@ -101,23 +101,41 @@ log "computing SHA256SUMS"
) >&2
log "cosign sign-blob → SHA256SUMS.sig"
# Flag rationale (cosign v3.x):
# --use-signing-config=false bypasses the new signing-config flow that
# otherwise insists on bundle output + Rekor.
# --tlog-upload=false skip the public transparency log; banger's
# trust model is "embedded public key", not
# "Rekor lookup", so the log adds nothing.
# --new-bundle-format=false emit a bare base64 ASN.1 DER signature,
# which is what internal/updater consumes
# via crypto/ecdsa.VerifyASN1.
# These flags also work on cosign v2.x, so the script is forward- and
# backward-compatible across the v2→v3 boundary.
COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \
cosign sign-blob --yes \
--key "$COSIGN_KEY" \
--use-signing-config=false \
--tlog-upload=false \
--new-bundle-format=false \
--output-signature "$OUT_DIR/SHA256SUMS.sig" \
"$OUT_DIR/SHA256SUMS"
log "verifying signature against the embedded public key"
EMBEDDED_PUB="$OUT_DIR/embedded-pubkey.pem"
awk '/BEGIN PUBLIC KEY/,/END PUBLIC KEY/' \
# verify_signature.go embeds the PEM inside a Go raw-string literal, so the
# BEGIN line is prefixed with `var ... = ` + backtick and the END line has a
# trailing backtick. Strip those so the result is a clean PEM.
sed -n '/-----BEGIN PUBLIC KEY-----/,/-----END PUBLIC KEY-----/p' \
"$REPO_ROOT/internal/updater/verify_signature.go" \
| grep -v '"' | grep -v '^//' \
| sed -E 's/.*(-----BEGIN PUBLIC KEY-----)/\1/; s/(-----END PUBLIC KEY-----).*/\1/' \
> "$EMBEDDED_PUB"
if grep -q PLACEHOLDER "$EMBEDDED_PUB"; then
die "BangerReleasePublicKey is the placeholder in verify_signature.go; replace it with cosign.pub before publishing"
fi
cosign verify-blob \
--key "$EMBEDDED_PUB" \
--insecure-ignore-tlog \
--signature "$OUT_DIR/SHA256SUMS.sig" \
"$OUT_DIR/SHA256SUMS"
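Review bot: the extraction pipeline that ends at `> "$EMBEDDED_PUB"` has no guard against an empty or partial result, so if the BEGIN/END markers are not found, or the `grep -v '"'` / `grep -v '^//'` filters drop a line of the block, the `grep -q PLACEHOLDER` check passes on a file with no key in it and the failure only surfaces later as an opaque cosign verify-blob error. Add a shape check before the placeholder test, e.g. `grep -q -- '-----BEGIN PUBLIC KEY-----' "$EMBEDDED_PUB" && grep -q -- '-----END PUBLIC KEY-----' "$EMBEDDED_PUB" || die "could not extract BangerReleasePublicKey from verify_signature.go"`, or better `openssl pkey -pubin -in "$EMBEDDED_PUB" -noout >/dev/null || die "..."` so that a truncated or still-wrapped PEM is rejected before signing artifacts are produced. Since the commit message states the extracted block is byte-identical to cosign.pub, asserting that with `cmp -s` where the script knows the cosign.pub path would also catch drift between the two. Minor: the comment block above `cosign sign-blob` has its continuation lines unindented, which makes each flag's rationale hard to read as one item; aligning them under their flag would help.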