diff --git a/scripts/publish-banger-release.sh b/scripts/publish-banger-release.sh
index 24d76e4..dd468bd 100755
--- a/scripts/publish-banger-release.sh
+++ b/scripts/publish-banger-release.sh
@@ -101,23 +101,41 @@ log "computing SHA256SUMS" ) >&2 log "cosign sign-blob → SHA256SUMS.sig" +# Flag rationale (cosign v3.x): +# --use-signing-config=false bypasses the new signing-config flow that +# otherwise insists on bundle output + Rekor. +# --tlog-upload=false skip the public transparency log; banger's +# trust model is "embedded public key", not +# "Rekor lookup", so the log adds nothing. +# --new-bundle-format=false emit a bare base64 ASN.1 DER signature, +# which is what internal/updater consumes +# via crypto/ecdsa.VerifyASN1. +# These flags also work on cosign v2.x, so the script is forward- and +# backward-compatible across the v2→v3 boundary. COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \ cosign sign-blob --yes \ --key "$COSIGN_KEY" \ + --use-signing-config=false \ + --tlog-upload=false \ + --new-bundle-format=false \ --output-signature "$OUT_DIR/SHA256SUMS.sig" \ "$OUT_DIR/SHA256SUMS" log "verifying signature against the embedded public key" EMBEDDED_PUB="$OUT_DIR/embedded-pubkey.pem" -awk '/BEGIN PUBLIC KEY/,/END PUBLIC KEY/' \ +# verify_signature.go embeds the PEM inside a Go raw-string literal, so the +# BEGIN line is prefixed with `var ... = ` + backtick and the END line has a +# trailing backtick. Strip those so the result is a clean PEM. +sed -n '/-----BEGIN PUBLIC KEY-----/,/-----END PUBLIC KEY-----/p' \ "$REPO_ROOT/internal/updater/verify_signature.go" \ - | grep -v '"' | grep -v '^//' \ + | sed -E 's/.*(-----BEGIN PUBLIC KEY-----)/\1/; s/(-----END PUBLIC KEY-----).*/\1/' \ > "$EMBEDDED_PUB" if grep -q PLACEHOLDER "$EMBEDDED_PUB"; then die "BangerReleasePublicKey is the placeholder in verify_signature.go; replace it with cosign.pub before publishing" fi cosign verify-blob \ --key "$EMBEDDED_PUB" \ + --insecure-ignore-tlog \ --signature "$OUT_DIR/SHA256SUMS.sig" \ "$OUT_DIR/SHA256SUMS"
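Review bot: The new sed pipeline that writes `$EMBEDDED_PUB` can leave an empty or truncated file without failing — when neither PEM marker matches, `sed -n … p` prints nothing and exits 0, the `grep -q PLACEHOLDER` gate then passes on an empty file, and the run only dies later inside `cosign verify-blob` with an unrelated-looking error. Add a fail-closed check directly after the redirection, e.g. `grep -q -- '-----END PUBLIC KEY-----' "$EMBEDDED_PUB" || die "no PEM block extracted from verify_signature.go"`. The old `grep -v '^//'` filter is also gone, so a Go comment containing `-----BEGIN PUBLIC KEY-----` ahead of the literal would now open the range early; that would presumably fail verification rather than pass it, but a one-line comment stating the assumption that the markers occur exactly once in the file would help the next maintainer. The `( … ) >&2` group closed at the top of the hunk begins outside it.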