diff --git a/changelog/20251027_other_cosign_version_upgrade.md b/changelog/20251027_other_cosign_version_upgrade.md
new file mode 100644
index 000000000..eca5bbc2f
--- /dev/null
+++ b/changelog/20251027_other_cosign_version_upgrade.md
@@ -0,0 +1,6 @@
+---
+kind: other
+date: 2025-10-27
+---
+
+* **kubectl-mongodb plugin**: `cosign`, the signing tool that is used to sign `kubectl-mongodb` plugin binaries, has been updated to version `3.0.2`. With this change, released binaries will be bundled with `.bundle` files containing both signature and certificate information. For more information on how to verify signatures using new `cosign` version please refer to -> https://github.com/sigstore/cosign/blob/v3.0.2/doc/cosign_verify-blob.md
diff --git a/scripts/release/kubectl_mongodb/sign.sh b/scripts/release/kubectl_mongodb/sign.sh
index 6a346689a..27936905c 100755
--- a/scripts/release/kubectl_mongodb/sign.sh
+++ b/scripts/release/kubectl_mongodb/sign.sh
@@ -8,7 +8,7 @@ set -euo pipefail
 # Sign a binary using garasign credentials
 ARTIFACT=$1
-SIGNATURE="${ARTIFACT}.sig"
+SIGNATURE_BUNDLE="${ARTIFACT}.bundle"
 TMPDIR=${TMPDIR:-/tmp}
 SIGNING_ENVFILE="${TMPDIR}/signing-envfile"
@@ -21,7 +21,7 @@ SIGNING_IMAGE_URI=${SIGNING_IMAGE_URI}
 ARTIFACTORY_PASSWORD=${ARTIFACTORY_PASSWORD}
 ARTIFACTORY_USERNAME=${ARTIFACTORY_USERNAME}
-echo "Signing artifact ${ARTIFACT} and saving signature to ${SIGNATURE}"
+echo "Signing artifact ${ARTIFACT} and saving signature bundle to ${SIGNATURE_BUNDLE}"
 {
 echo "GRS_CONFIG_USER1_USERNAME=${GRS_USERNAME}";
@@ -40,4 +40,4 @@ docker run \
 -v "$(pwd)":"$(pwd)" \
 -w "$(pwd)" \
 "${SIGNING_IMAGE_URI}" \
-cosign sign-blob --key "${PKCS11_URI}" --output-signature "${SIGNATURE}" "${ARTIFACT}" --yes
+cosign sign-blob --key "${PKCS11_URI}" --tlog-upload=false --use-signing-config=false --bundle "${SIGNATURE_BUNDLE}" "${ARTIFACT}" --yes
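Review bot: The new `cosign sign-blob` invocation in the last hunk of sign.sh disables both the transparency log (`--tlog-upload=false`) and the signing config, but nothing in the script records why, and the consequence is security-relevant: the bundle carries no Rekor inclusion proof, so verifiers must pass `--insecure-ignore-tlog` and trust rests on the PKCS#11 key alone. A comment above the command would keep the next maintainer from "fixing" either side independently, e.g. `# Transparency-log upload is deliberately disabled: the bundle carries no Rekor entry, so verify.sh must run with --insecure-ignore-tlog.` If the signing image supports it, an RFC 3161 timestamp (cosign's `--timestamp-server-url`) would at least anchor the signature in time without a public log — worth confirming. It would also be cheap to fail loudly when no bundle was produced, since a clean container exit is the only check now: `[[ -s "${SIGNATURE_BUNDLE}" ]] || { echo "no bundle written for ${ARTIFACT}" >&2; exit 1; }`.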
diff --git a/scripts/release/kubectl_mongodb/verify.sh b/scripts/release/kubectl_mongodb/verify.sh
index 91292a711..23f9be2cd 100755
--- a/scripts/release/kubectl_mongodb/verify.sh
+++ b/scripts/release/kubectl_mongodb/verify.sh
@@ -2,10 +2,10 @@ set -euo pipefail
-# Verify the signature of a binary with the operator's public key
+# Verify the signature bundle of a binary with the operator's public key
 ARTIFACT=$1
-SIGNATURE="${ARTIFACT}.sig"
+SIGNATURE_BUNDLE="${ARTIFACT}.bundle"
 HOSTED_SIGN_PUBKEY="https://cosign.mongodb.com/mongodb-enterprise-kubernetes-operator.pem" # to complete
 TMPDIR=${TMPDIR:-/tmp}
@@ -14,11 +14,11 @@ KEY_FILE="${TMPDIR}/host-public.key"
 SIGNING_IMAGE_URI="${SIGNING_IMAGE_URI}"
 curl -o "${KEY_FILE}" "${HOSTED_SIGN_PUBKEY}"
-echo "Verifying signature ${SIGNATURE} of artifact ${ARTIFACT}"
+echo "Verifying signature bundle ${SIGNATURE_BUNDLE} of artifact ${ARTIFACT}"
 echo "Keyfile is ${KEY_FILE}"
 # When working locally, the following command can be used instead of Docker
-# cosign verify-blob --key ${KEY_FILE} --signature ${SIGNATURE} ${ARTIFACT}
+# cosign verify-blob --key ${KEY_FILE} --insecure-ignore-tlog --bundle ${SIGNATURE_BUNDLE} ${ARTIFACT}
 docker run \
 --rm \
@@ -26,7 +26,7 @@ docker run \
 -v "${KEY_FILE}":"${KEY_FILE}" \
 -w "$(pwd)" \
 "${SIGNING_IMAGE_URI}" \
-cosign verify-blob --key "${KEY_FILE}" --signature "${SIGNATURE}" "${ARTIFACT}"
+cosign verify-blob --key "${KEY_FILE}" --insecure-ignore-tlog --bundle "${SIGNATURE_BUNDLE}" "${ARTIFACT}"
-# Without below line, Evergreen fails at archiving with "open dist/kubectl-[...]/kubectl-mongodb.sig: permission denied
-sudo chmod 666 "${SIGNATURE}"
+# Without below line, Evergreen fails at archiving with "open dist/kubectl-[...]/kubectl-mongodb.bundle: permission denied
+sudo chmod 666 "${SIGNATURE_BUNDLE}"
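Review bot: `sudo chmod 666 "${SIGNATURE_BUNDLE}"` at the end of the last hunk leaves the just-verified bundle world-writable in the dist directory, so any local account can replace it between this script and the archiving step; if the root cause is that the container wrote the file as root (what the quoted permission error suggests), `sudo chown "$(id -u):$(id -g)" -- "${SIGNATURE_BUNDLE}"` or a mode of 644 gives the archiver what it needs without the write bit. The `--insecure-ignore-tlog` added to both verify-blob lines also needs a why-comment, because a reader seeing the flag alone cannot tell whether transparency-log checking was dropped on purpose: `# The release signer runs with --tlog-upload=false, so there is no Rekor entry to check; trust rests on the downloaded public key alone.` That comment also makes explicit that the key fetched by `curl` over HTTPS at run time is the trust root for the whole check.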