Bump cosign v2.4.1 to v3.0.4 and use trusted_root.json for verification

.tool-versions

@@ -1 +1 @@
-golang 1.24.6
+golang 1.25.3

Dockerfile

@@ -16,7 +16,7 @@
 
 ## Build
 
-FROM docker.io/library/golang:1.24.6 AS build
+FROM docker.io/library/golang:1.25.3 AS build
 
 ARG TARGETOS
 ARG TARGETARCH

Dockerfile.dist

@@ -16,7 +16,7 @@
 
 ## Build
 
-FROM registry.access.redhat.com/ubi9/go-toolset:1.24.6@sha256:6234f572204d672a0ee0686d748fbb9b7b05679368bf0d7a4446e13970e58060 AS build
+FROM registry.access.redhat.com/ubi9/go-toolset:1.25.3@sha256:e8938564f866174a6d79e55dfe577c2ed184b1f53e91d782173fb69b07ce69ef AS build
 
 ARG TARGETOS
 ARG TARGETARCH

Makefile

@@ -12,7 +12,7 @@ _SHELL := bash
 SHELL=$(if $@,$(info ❱ $@))$(_SHELL)
 ROOT_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 COPY:=The Conforma Contributors
-COSIGN_VERSION=$(shell go list -f '{{.Version}}' -m github.com/sigstore/cosign/v2)
+COSIGN_VERSION=$(shell go list -f '{{.Version}}' -m github.com/sigstore/cosign/v3)
 E2E_INSTRUMENTATION_FLAGS := $(if $(filter $(E2E_INSTRUMENTATION),true),-cover -covermode atomic)
 
 ##@ Information

acceptance/attestation/attestation.go

@@ -26,8 +26,8 @@ import (
 
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/in-toto/in-toto-golang/in_toto"
-	"github.com/sigstore/cosign/v2/pkg/cosign/attestation"
-	"github.com/sigstore/cosign/v2/pkg/types"
+	"github.com/sigstore/cosign/v3/pkg/cosign/attestation"
+	"github.com/sigstore/cosign/v3/pkg/types"
 	"github.com/sigstore/sigstore/pkg/signature/dsse"
 	"github.com/sigstore/sigstore/pkg/signature/options"
 

acceptance/crypto/keys.go

@@ -22,7 +22,7 @@ import (
 	"fmt"
 
 	"github.com/cucumber/godog"
-	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/sigstore/cosign/v3/pkg/cosign"
 	"github.com/sigstore/sigstore/pkg/signature"
 
 	"github.com/conforma/cli/acceptance/testenv"
@@ -101,7 +101,7 @@ func SignerWithKey(ctx context.Context, keyName string) (signature.SignerVerifie
 		return nil, err
 	}
 
-	return cosign.LoadPrivateKey(key.PrivateBytes, key.Password())
+	return cosign.LoadPrivateKey(key.PrivateBytes, key.Password(), nil)
 }
 
 // PublicKeysFrom returns a map of all public keys encoded in PEM format

acceptance/image/image.go

@@ -46,13 +46,13 @@ import (
 	s "github.com/google/go-containerregistry/pkg/v1/static"
 	"github.com/google/go-containerregistry/pkg/v1/types"
 	"github.com/in-toto/in-toto-golang/in_toto"
-	"github.com/sigstore/cosign/v2/pkg/cosign"
-	"github.com/sigstore/cosign/v2/pkg/cosign/bundle"
-	"github.com/sigstore/cosign/v2/pkg/oci"
-	"github.com/sigstore/cosign/v2/pkg/oci/layout"
-	cosignRemote "github.com/sigstore/cosign/v2/pkg/oci/remote"
-	"github.com/sigstore/cosign/v2/pkg/oci/static"
-	cosigntypes "github.com/sigstore/cosign/v2/pkg/types"
+	"github.com/sigstore/cosign/v3/pkg/cosign"
+	"github.com/sigstore/cosign/v3/pkg/cosign/bundle"
+	"github.com/sigstore/cosign/v3/pkg/oci"
+	"github.com/sigstore/cosign/v3/pkg/oci/layout"
+	cosignRemote "github.com/sigstore/cosign/v3/pkg/oci/remote"
+	"github.com/sigstore/cosign/v3/pkg/oci/static"
+	cosigntypes "github.com/sigstore/cosign/v3/pkg/types"
 	rc "github.com/sigstore/rekor/pkg/client"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
@@ -726,7 +726,7 @@ func createAndPushKeylessImage(ctx context.Context, imageName string) (context.C
 		return ctx, err
 	}
 
-	if err := cosignRemote.WriteSignedImageIndexImages(ref, sii); err != nil {
+	if err := cosignRemote.WriteSignedImageIndexImages(ref, sii, ""); err != nil {
 		return ctx, err
 	}
 

acceptance/rekor/rekor.go

@@ -36,8 +36,8 @@ import (
 	"github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer"
 	"github.com/go-openapi/strfmt"
 	"github.com/secure-systems-lab/go-securesystemslib/encrypted"
-	"github.com/sigstore/cosign/v2/pkg/cosign"
-	"github.com/sigstore/cosign/v2/pkg/cosign/bundle"
+	"github.com/sigstore/cosign/v3/pkg/cosign"
+	"github.com/sigstore/cosign/v3/pkg/cosign/bundle"
 	"github.com/sigstore/rekor/pkg/generated/models"
 	hashedrekord "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1"
 	intoto "github.com/sigstore/rekor/pkg/types/intoto/v0.0.2"

cmd/sigstore/initialize.go

@@ -20,7 +20,7 @@ import (
 	"context"
 
 	hd "github.com/MakeNowJust/heredoc"
-	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
 	"github.com/spf13/cobra"
 )
 
@@ -44,7 +44,7 @@ func sigstoreInitializeCmd(f sigstoreInitializeFunc) *cobra.Command {
 			To provide an out-of-band trusted initial root.json, use the --root flag with a file or
 			URL reference. This will enable you to point ec to a separate TUF root.
 
-			Any updated TUF repository will be written to $HOME/.sigstore/root/.
+			Any updated TUF repository will be written to $HOME/.sigstore/root/<mirror_url>.
 
 			Trusted keys and certificate used in ec verification (e.g. verifying Fulcio issued certificates
 			with Fulcio root CA) are pulled form the trusted metadata.

cmd/sigstore/sigstore.go

@@ -17,7 +17,7 @@
 package sigstore
 
 import (
-	"github.com/sigstore/cosign/v2/cmd/cosign/cli/initialize"
+	"github.com/sigstore/cosign/v3/cmd/cosign/cli/initialize"
 	"github.com/spf13/cobra"
 
 	_ "github.com/conforma/cli/internal/rego"

cmd/validate/image.go

@@ -31,7 +31,7 @@ import (
 	hd "github.com/MakeNowJust/heredoc"
 	"github.com/google/go-containerregistry/pkg/name"
 	app "github.com/konflux-ci/application-api/api/v1alpha1"
-	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/sigstore/cosign/v3/pkg/cosign"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	extv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"

cmd/validate/image_test.go

@@ -39,7 +39,7 @@ import (
 	"github.com/gkampitakis/go-snaps/snaps"
 	"github.com/google/go-containerregistry/pkg/name"
 	app "github.com/konflux-ci/application-api/api/v1alpha1"
-	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/sigstore/cosign/v3/pkg/cosign"
 	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
@@ -1438,7 +1438,7 @@ func TestValidateImageCommand_VSAUpload_Success(t *testing.T) {
 	originalLoadPrivateKey := vsa.LoadPrivateKey
 	defer func() { vsa.LoadPrivateKey = originalLoadPrivateKey }()
 
-	vsa.LoadPrivateKey = func(keyBytes, password []byte) (signature.SignerVerifier, error) {
+	vsa.LoadPrivateKey = func(keyBytes, password []byte, _ *[]signature.LoadOption) (signature.SignerVerifier, error) {
 		return &simpleFakeSigner{}, nil
 	}
 
@@ -1499,7 +1499,7 @@ func TestValidateImageCommand_VSAUpload_NoStorageBackends(t *testing.T) {
 	originalLoadPrivateKey := vsa.LoadPrivateKey
 	defer func() { vsa.LoadPrivateKey = originalLoadPrivateKey }()
 
-	vsa.LoadPrivateKey = func(keyBytes, password []byte) (signature.SignerVerifier, error) {
+	vsa.LoadPrivateKey = func(keyBytes, password []byte, _ *[]signature.LoadOption) (signature.SignerVerifier, error) {
 		return &simpleFakeSigner{}, nil
 	}
 
@@ -1643,7 +1643,7 @@ func TestValidateImageCommand_VSAFormat_DSSE(t *testing.T) {
 	originalLoadPrivateKey := vsa.LoadPrivateKey
 	defer func() { vsa.LoadPrivateKey = originalLoadPrivateKey }()
 
-	vsa.LoadPrivateKey = func(keyBytes, password []byte) (signature.SignerVerifier, error) {
+	vsa.LoadPrivateKey = func(keyBytes, password []byte, _ *[]signature.LoadOption) (signature.SignerVerifier, error) {
 		return &simpleFakeSigner{}, nil
 	}
 
@@ -1992,7 +1992,7 @@ func TestGenerateVSAsDSSE_Errors(t *testing.T) {
 		originalLoadPrivateKey := vsa.LoadPrivateKey
 		defer func() { vsa.LoadPrivateKey = originalLoadPrivateKey }()
 
-		vsa.LoadPrivateKey = func(keyBytes, password []byte) (signature.SignerVerifier, error) {
+		vsa.LoadPrivateKey = func(keyBytes, password []byte, _ *[]signature.LoadOption) (signature.SignerVerifier, error) {
 			return &simpleFakeSigner{}, nil
 		}
 
@@ -2118,7 +2118,7 @@ func TestVSAGeneration_WithOutputDir(t *testing.T) {
 	originalLoadPrivateKey := vsa.LoadPrivateKey
 	defer func() { vsa.LoadPrivateKey = originalLoadPrivateKey }()
 
-	vsa.LoadPrivateKey = func(keyBytes, password []byte) (signature.SignerVerifier, error) {
+	vsa.LoadPrivateKey = func(keyBytes, password []byte, _ *[]signature.LoadOption) (signature.SignerVerifier, error) {
 		return &simpleFakeSigner{}, nil
 	}
 

docs/modules/ROOT/pages/ec_opa_bench.adoc

@@ -14,6 +14,7 @@ Example with bundle and input data:
 	opa bench -b ./policy-bundle -i input.json 'data.authz.allow'
 
 To run benchmarks against a running OPA server to evaluate server overhead use the --e2e flag.
+To enable more detailed analysis use the --metrics and --benchmem flags.
 
 The optional "gobench" output format conforms to the Go Benchmark Data Format.
 

docs/modules/ROOT/pages/ec_opa_build.adoc

@@ -64,14 +64,14 @@ The 'build' command supports targets (specified by -t):
             original policy or data files.
 
     plan    The plan target emits a bundle containing a plan, i.e., an intermediate
-            representation compiled from the input files for each specified entrypoint.
-            This is for further processing, OPA cannot evaluate a "plan bundle" like it
-            can evaluate a wasm or rego bundle.
+			representation compiled from the input files for each specified entrypoint.
+			This is for further processing, OPA cannot evaluate a "plan bundle" like it
+			can evaluate a wasm or rego bundle.
 
-The -e flag tells the 'build' command which documents (entrypoints) will be queried by 
-the software asking for policy decisions, so that it can focus optimization efforts and 
+The -e flag tells the 'build' command which documents (entrypoints) will be queried by
+the software asking for policy decisions, so that it can focus optimization efforts and
 ensure that document is not eliminated by the optimizer.
-Note: Unless the --prune-unused flag is used, any rule transitively referring to a 
+Note: Unless the --prune-unused flag is used, any rule transitively referring to a
 package or rule declared as an entrypoint will also be enumerated as an entrypoint.
 
 Signing

docs/modules/ROOT/pages/ec_opa_exec.adoc

@@ -21,6 +21,7 @@ After: Decision Logs
 By default, the 'exec' command executes the "default decision" (specified in
 the OPA configuration) against each input file. This can be overridden by
 specifying the --decision argument and pointing at a specific policy decision,
+
 e.g., opa exec --decision /foo/bar/baz ...
 
 [source,shell]
@@ -30,15 +31,15 @@ ec opa exec <path> [<path> [...]] [flags]
 
 == Examples
   Loading input from stdin:
-    documentation exec [<path> [...]] --stdin-input [flags]
+    opa exec [<path> [...]] --stdin-input [flags]
 
 == Options
 
 -b, --bundle:: set bundle file(s) or directory path(s). This flag can be repeated.
 -c, --config-file:: set path of configuration file
 --decision:: set decision to evaluate
---fail:: exits with non-zero exit code on undefined result and errors (Default: false)
---fail-defined:: exits with non-zero exit code on defined result and errors (Default: false)
+--fail:: exits with non-zero exit code on undefined/empty result and errors (Default: false)
+--fail-defined:: exits with non-zero exit code on defined/non-empty result and errors (Default: false)
 --fail-non-empty:: exits with non-zero exit code on non-empty result and errors (Default: false)
 -f, --format:: set output format (Default: json)
 -h, --help:: help for exec (Default: false)

docs/modules/ROOT/pages/ec_opa_inspect.adoc

@@ -1,13 +1,13 @@
 = ec opa inspect
 
-Inspect OPA bundle(s) or Rego files.
+Inspect OPA bundle(s)
 
 == Synopsis
 
-Inspect OPA bundle(s) or Rego files.
+Inspect OPA bundle(s).
 
-The 'inspect' command provides a summary of the contents in OPA bundle(s) or a single Rego file. Bundles are
-gzipped tarballs containing policies and data. The 'inspect' command reads bundle(s) and lists
+The 'inspect' command provides a summary of the contents in OPA bundle(s) or a single Rego file.
+Bundles are gzipped tarballs containing policies and data. The 'inspect' command reads bundle(s) and lists
 the following:
 
 * packages that are contributed by .rego files
@@ -23,10 +23,10 @@ Example:
     bundle.tar.gz
     $ opa inspect bundle.tar.gz
 
-You can provide exactly one OPA bundle, path to a bundle directory, or direct path to a Rego file to the 'inspect' command
-on the command-line. If you provide a path referring to a directory, the 'inspect' command will load that path as a bundle
-and summarize its structure and contents. If you provide a path referring to a Rego file, the 'inspect' command will load
-that file and summarize its structure and contents.
+You can provide exactly one OPA bundle, to a bundle directory, or direct path to a Rego file to the 'inspect'
+command on the command-line. If you provide a path referring to a directory, the 'inspect' command will load that path as
+a bundle and summarize its structure and contents.  If you provide a path referring to a Rego file, the 'inspect' command
+will load that file and summarize its structure and contents.
 
 [source,shell]
 ----

docs/modules/ROOT/pages/ec_opa_run.adoc

@@ -4,7 +4,7 @@ Start OPA in interactive or server mode
 
 == Synopsis
 
-Start an instance of the Open Policy Agent (OPA).
+Start an instance of OPA.
 
 To run the interactive shell:
 

docs/modules/ROOT/pages/ec_opa_test.adoc

@@ -65,7 +65,7 @@ If used with the '--bench' option then tests will be benchmarked.
 
 Example benchmark run:
 
-	$ opa test --bench ./example/
+	$  opa test --bench ./example/
 
 The optional "gobench" output format conforms to the Go Benchmark Data Format.
 
@@ -87,6 +87,7 @@ ec opa test <path> [path [...]] [flags]
 -c, --coverage:: report coverage (overrides debug tracing) (Default: false)
 -z, --exit-zero-on-skipped:: skipped tests return status 0 (Default: false)
 --explain:: enable query explanations (Default: fails)
+--fail-on-empty:: Whether to fail the test when no test was run (Default: false)
 -f, --format:: set output format (Default: pretty)
 -h, --help:: help for test (Default: false)
 --ignore:: set file and directory names to ignore during loading (e.g., '.*' excludes hidden files) (Default: [])

docs/modules/ROOT/pages/ec_sigstore_initialize.adoc

@@ -13,7 +13,7 @@ The following options are used by default:
 To provide an out-of-band trusted initial root.json, use the --root flag with a file or
 URL reference. This will enable you to point ec to a separate TUF root.
 
-Any updated TUF repository will be written to $HOME/.sigstore/root/.
+Any updated TUF repository will be written to $HOME/.sigstore/root/<mirror_url>.
 
 Trusted keys and certificate used in ec verification (e.g. verifying Fulcio issued certificates
 with Fulcio root CA) are pulled form the trusted metadata.
@@ -42,6 +42,8 @@ ec initialize -mirror <url> -root <url>
 -h, --help:: help for initialize (Default: false)
 --mirror:: GCS bucket to a SigStore TUF repository, or HTTP(S) base URL, or file:/// for local filestore remote (air-gap) (Default: https://tuf-repo-cdn.sigstore.dev)
 --root:: path to trusted initial root. defaults to embedded root
+--root-checksum:: checksum of the initial root, required if root is downloaded via http(s). expects sha256 by default, can be changed to sha512 by providing sha512:<checksum>
+--staging:: use the staging TUF repository (Default: false)
 
 == Options inherited from parent commands
 

features/__snapshots__/opa.snap

@@ -14,7 +14,7 @@ Available Commands:
   eval         Evaluate a Rego query
   exec         Execute against input files
   fmt          Format Rego source files
-  inspect      Inspect OPA bundle(s) or Rego files.
+  inspect      Inspect OPA bundle(s)
   parse        Parse Rego source file
   run          Start OPA in interactive or server mode
   sign         Generate an OPA bundle signature