You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Changed
Releases now sign with the modern Sigstore bundle. The release's checksums.txt is
signed with keyless cosign into a single checksums.txt.sigstore.json bundle (via
cosign-installer v4), replacing the separate checksums.txt.sig + .pem files. Verify with cosign verify-blob --bundle checksums.txt.sigstore.json --certificate-identity-regexp … ….
The self-scan, the GitHub Action, and the docs verify the new bundle; the install/quickstart
recipes are updated accordingly.
Added
draugr tools install now verifies upstream cosign signatures (where the upstream
publishes them), on top of the mandatory SHA-256 pin. For Trivy, Draugr verifies the keyless
signature over the release's checksums file — checking the signing certificate identity and
OIDC issuer via the cosign CLI, then confirming the downloaded archive is listed in the
signed checksums — giving signed provenance, not just integrity. It degrades gracefully to
SHA-256-only (with a note) when cosign isn't installed or the upstream isn't signed (e.g.
gitleaks); if cosign is present but verification fails, the install aborts. Each installed
tool reports what was verified.