CLOUDP-354456 - Conform kubectl-mongodb signing to new 3.0.2 version of cosign

changelog/20251027_other_cosign_version_upgrade.md

@@ -0,0 +1,6 @@
+---
+kind: other
+date: 2025-10-27
+---
+
+* **kubectl-mongodb plugin**: `cosign`, the signing tool that is used to sign `kubectl-mongodb` plugin binaries, has been updated to version `3.0.2`. With this change, released binaries will be bundled with `.bundle` files containing both signature and certificate information. For more information on how to verify signatures using new `cosign` version please refer to -> https://github.com/sigstore/cosign/blob/v3.0.2/doc/cosign_verify-blob.md

scripts/release/kubectl_mongodb/sign.sh

@@ -8,7 +8,7 @@ set -euo pipefail
 # Sign a binary using garasign credentials
 
 ARTIFACT=$1
-SIGNATURE="${ARTIFACT}.sig"
+SIGNATURE_BUNDLE="${ARTIFACT}.bundle"
 
 TMPDIR=${TMPDIR:-/tmp}
 SIGNING_ENVFILE="${TMPDIR}/signing-envfile"
@@ -21,7 +21,7 @@ SIGNING_IMAGE_URI=${SIGNING_IMAGE_URI}
 ARTIFACTORY_PASSWORD=${ARTIFACTORY_PASSWORD}
 ARTIFACTORY_USERNAME=${ARTIFACTORY_USERNAME}
 
-echo "Signing artifact ${ARTIFACT} and saving signature to ${SIGNATURE}"
+echo "Signing artifact ${ARTIFACT} and saving signature bundle to ${SIGNATURE_BUNDLE}"
 
 {
   echo "GRS_CONFIG_USER1_USERNAME=${GRS_USERNAME}";
@@ -40,4 +40,4 @@ docker run \
   -v "$(pwd)":"$(pwd)" \
   -w "$(pwd)" \
   "${SIGNING_IMAGE_URI}" \
-  cosign sign-blob --key "${PKCS11_URI}" --output-signature "${SIGNATURE}" "${ARTIFACT}" --yes
+  cosign sign-blob --key "${PKCS11_URI}" --tlog-upload=false --use-signing-config=false --bundle "${SIGNATURE_BUNDLE}" "${ARTIFACT}" --yes

scripts/release/kubectl_mongodb/verify.sh

@@ -2,10 +2,10 @@
 
 set -euo pipefail
 
-# Verify the signature of a binary with the operator's public key
+# Verify the signature bundle of a binary with the operator's public key
 
 ARTIFACT=$1
-SIGNATURE="${ARTIFACT}.sig"
+SIGNATURE_BUNDLE="${ARTIFACT}.bundle"
 
 HOSTED_SIGN_PUBKEY="https://cosign.mongodb.com/mongodb-enterprise-kubernetes-operator.pem" # to complete
 TMPDIR=${TMPDIR:-/tmp}
@@ -14,19 +14,19 @@ KEY_FILE="${TMPDIR}/host-public.key"
 SIGNING_IMAGE_URI="${SIGNING_IMAGE_URI}"
 
 curl -o "${KEY_FILE}" "${HOSTED_SIGN_PUBKEY}"
-echo "Verifying signature ${SIGNATURE} of artifact ${ARTIFACT}"
+echo "Verifying signature bundle ${SIGNATURE_BUNDLE} of artifact ${ARTIFACT}"
 echo "Keyfile is ${KEY_FILE}"
 
 # When working locally, the following command can be used instead of Docker
-# cosign verify-blob --key ${KEY_FILE} --signature ${SIGNATURE} ${ARTIFACT}
+# cosign verify-blob --key ${KEY_FILE} --insecure-ignore-tlog --bundle ${SIGNATURE_BUNDLE} ${ARTIFACT}
 
 docker run \
   --rm \
   -v "$(pwd)":"$(pwd)" \
   -v "${KEY_FILE}":"${KEY_FILE}" \
   -w "$(pwd)" \
   "${SIGNING_IMAGE_URI}" \
-  cosign verify-blob --key "${KEY_FILE}" --signature "${SIGNATURE}" "${ARTIFACT}"
+  cosign verify-blob --key "${KEY_FILE}" --insecure-ignore-tlog --bundle "${SIGNATURE_BUNDLE}" "${ARTIFACT}"
 
-# Without below line, Evergreen fails at archiving with "open dist/kubectl-[...]/kubectl-mongodb.sig: permission denied
-sudo chmod 666 "${SIGNATURE}"
+# Without below line, Evergreen fails at archiving with "open dist/kubectl-[...]/kubectl-mongodb.bundle: permission denied
+sudo chmod 666 "${SIGNATURE_BUNDLE}"