Skip to content

Choose a tag to compare

@github-actions github-actions released this 16 Jul 03:58
e2dbfa7

Changed

  • Releases now sign with the modern Sigstore bundle. The release's checksums.txt is
    signed with keyless cosign into a single checksums.txt.sigstore.json bundle (via
    cosign-installer v4), replacing the separate checksums.txt.sig + .pem files. Verify with
    cosign verify-blob --bundle checksums.txt.sigstore.json --certificate-identity-regexp … ….
    The self-scan, the GitHub Action, and the docs verify the new bundle; the install/quickstart
    recipes are updated accordingly.

Added

  • draugr tools install now verifies upstream cosign signatures (where the upstream
    publishes them), on top of the mandatory SHA-256 pin. For Trivy, Draugr verifies the keyless
    signature over the release's checksums file — checking the signing certificate identity and
    OIDC issuer via the cosign CLI, then confirming the downloaded archive is listed in the
    signed checksums — giving signed provenance, not just integrity. It degrades gracefully to
    SHA-256-only (with a note) when cosign isn't installed or the upstream isn't signed (e.g.
    gitleaks); if cosign is present but verification fails, the install aborts. Each installed
    tool reports what was verified.