From 3d748b87c88222cef5e6512d3acd4caba6dbee72 Mon Sep 17 00:00:00 2001
From: Thales Maciel
Date: Wed, 29 Apr 2026 13:23:09 -0300
Subject: [PATCH] publish-script: fix pubkey extraction and cosign v3 compatibility
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two bugs found while dry-running the publish flow end-to-end:

1. The awk pipeline that pulled BangerReleasePublicKey out of
   verify_signature.go didn't strip Go's raw-string-literal wrapping
   (`var ... = ` + backtick on the BEGIN line, trailing backtick on the
   END line). The "verify against embedded pub key" step thus compared
   sigs against a malformed PEM. Replaced with a sed pair that yields a
   clean PEM block byte-identical to cosign.pub.

2. cosign v3.x defaults sign-blob to a new bundle format and pushes
   signatures to Rekor; both are incompatible with banger's "embedded
   pub key, raw ASN.1 DER signature" trust model. Add
   --use-signing-config=false / --tlog-upload=false /
   --new-bundle-format=false to opt out, and --insecure-ignore-tlog on
   verify-blob. These flags also work on cosign v2.x, so the script is
   forward- and backward-compatible across the v2→v3 boundary.

Validated by an end-to-end dry-run on this machine: built binaries,
tarred, sha256summed, cosign-signed, verified against the embedded pub
key, then re-verified through internal/updater's crypto/ecdsa.VerifyASN1
path — all green.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 scripts/publish-banger-release.sh | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/scripts/publish-banger-release.sh b/scripts/publish-banger-release.sh
index 24d76e4..dd468bd 100755
--- a/scripts/publish-banger-release.sh
+++ b/scripts/publish-banger-release.sh
@@ -101,23 +101,41 @@ log "computing SHA256SUMS" ) >&2 log "cosign sign-blob → SHA256SUMS.sig" +# Flag rationale (cosign v3.x): +# --use-signing-config=false bypasses the new signing-config flow that +# otherwise insists on bundle output + Rekor. +# --tlog-upload=false skip the public transparency log; banger's +# trust model is "embedded public key", not +# "Rekor lookup", so the log adds nothing. +# --new-bundle-format=false emit a bare base64 ASN.1 DER signature, +# which is what internal/updater consumes +# via crypto/ecdsa.VerifyASN1. +# These flags also work on cosign v2.x, so the script is forward- and +# backward-compatible across the v2→v3 boundary. COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \ cosign sign-blob --yes \ --key "$COSIGN_KEY" \ + --use-signing-config=false \ + --tlog-upload=false \ + --new-bundle-format=false \ --output-signature "$OUT_DIR/SHA256SUMS.sig" \ "$OUT_DIR/SHA256SUMS" log "verifying signature against the embedded public key" EMBEDDED_PUB="$OUT_DIR/embedded-pubkey.pem" -awk '/BEGIN PUBLIC KEY/,/END PUBLIC KEY/' \ +# verify_signature.go embeds the PEM inside a Go raw-string literal, so the +# BEGIN line is prefixed with `var ... = ` + backtick and the END line has a +# trailing backtick. Strip those so the result is a clean PEM. +sed -n '/-----BEGIN PUBLIC KEY-----/,/-----END PUBLIC KEY-----/p' \ "$REPO_ROOT/internal/updater/verify_signature.go" \ - | grep -v '"' | grep -v '^//' \ + | sed -E 's/.*(-----BEGIN PUBLIC KEY-----)/\1/; s/(-----END PUBLIC KEY-----).*/\1/' \ > "$EMBEDDED_PUB" if grep -q PLACEHOLDER "$EMBEDDED_PUB"; then die "BangerReleasePublicKey is the placeholder in verify_signature.go; replace it with cosign.pub before publishing" fi cosign verify-blob \ --key "$EMBEDDED_PUB" \ + --insecure-ignore-tlog \ --signature "$OUT_DIR/SHA256SUMS.sig" \ "$OUT_DIR/SHA256SUMS"
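Review bot: the replacement extraction pipeline (the `sed -n '/-----BEGIN PUBLIC KEY-----/,/-----END PUBLIC KEY-----/p'` line) drops the `grep -v '^//'` filter the old pipeline had, so the range now starts at the first line anywhere in verify_signature.go that contains the BEGIN marker, including a doc comment that quotes the PEM format, and a second match would append a second block to $EMBEDDED_PUB. The `grep -q PLACEHOLDER` guard does not catch that case, and a malformed key file is exactly the failure this patch is meant to fix, so add a shape check before verify-blob, e.g. `[ "$(grep -c -- '-----BEGIN PUBLIC KEY-----' "$EMBEDDED_PUB")" -eq 1 ] || die "expected exactly one PEM block in $EMBEDDED_PUB"` followed by `openssl pkey -pubin -in "$EMBEDDED_PUB" -noout || die "extracted key is not a valid PEM public key"`; since the commit message says the result is byte-identical to cosign.pub, a `cmp` against that file would be an even stronger check if the script knows its path. Two smaller points: the "Flag rationale" comment block documents the three sign-blob flags but not the new `--insecure-ignore-tlog` on verify-blob, which is the verify-side counterpart of `--tlog-upload=false` and deserves the same one-line explanation so a future reader does not remove the alarming-looking flag; and the comment asserts that the flags also work on cosign v2.x, but nothing in the script checks which cosign is on PATH, so a v2.x release older than the one that introduced `--use-signing-config` would fail with an unknown-flag error. A `cosign version` check, or at least documenting the minimum supported cosign version next to the rationale, would make that failure mode explicit.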