Breaking Change: image sign annotations from dev.cosignproject.cosign to dev.sigstore.cosign
#1532
Labels
enhancement
New feature or request
Comments
|
+1 for supporting both for some time. I'm not sure we can make the change though without a major version bump, since signatures generated with one version need to validate in previous ones. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
In layout/index.go and signature/layer.go we are using
dev.cosignproject.cosignkey. I think it would be nice to change these names as we are already usingdev.sigstore.cosignforcertkey,chainkeyandBundleKey.Migration
This would be breaking change. I'm not sure what is the right way to handle this, but the first thing I thought is that we can check for
dev.cosignproject.cosignlabel at first and if not exist falling back todev.sigstore.cosignfor second check (or send 2 reqs concurrently) would solve the problem. (We can reverse the order after a few new version released) That would be a workaround because we are not pinning cosign's version in labels. That said, we do not know which version of cosign the user is using.The text was updated successfully, but these errors were encountered: