Bump sigstore/cosign-installer from 4.0.0 to 4.1.1; Always use latest version of cosign; Wait 30s between signing and verifying signature#1402

Merged
mickmis merged 2 commits into main from dependabot/github_actions/sigstore/cosign-installer-4.1.1
Mar 31, 2026
Conversation

@dependabot dependabot bot commented on behalf of github Mar 26, 2026

Bumps sigstore/cosign-installer from 4.0.0 to 4.1.1.

Release notes

Sourced from sigstore/cosign-installer's releases.

v4.1.1

What's Changed

Full Changelog: sigstore/cosign-installer@v4.1.0...v4.1.1

v4.1.0

What's Changed

We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing with: cosign-release and strongly discourage using cosign-release unless you have a specific reason to use an older version of Cosign.

Full Changelog: sigstore/cosign-installer@v4.0.0...v4.1.0

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 4.0.0 to 4.1.1.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@faadad0...cad07c2)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Mar 26, 2026
@the-glu the-glu mentioned this pull request Mar 26, 2026
the-glu commented Mar 26, 2026

@mickmis I tested in #1406 and it does seem to sign correctly, not sure what was failing before, do you know?

mickmis commented Mar 30, 2026

> @mickmis I tested in #1406 and it does seem to sign correctly, not sure what was failing before, do you know?

My memory is a bit vague, but I remember that it was due to some subcommands of the CLI binary not being yet compatible with the new formats. So it is very likely that this got fixed in the meantime. Have you managed to verify the signature as well?
But if both signing and verifying are fine, we can go ahead with the upgrade :)

the-glu commented Mar 30, 2026

> My memory is a bit vague, but I remember that it was due to some subcommands of the CLI binary not being yet compatible with the new formats. So it is very likely that this got fixed in the meantime. Have you managed to verify the signature as well? But if both signing and verifying are fine, we can go ahead with the upgrade :)

I did not, but I had to sign in with my account and it was complaining like this:

Error: no matching attestations: failed to verify certificate identity: no matching CertificateIdentity found, last error: expected SAN value "https://github.com/interuss/monitoring/.github/workflows/image-publish.yml@refs/pull/1406/merge", got "zzz@-.org"
error during command execution: no matching attestations: failed to verify certificate identity: no matching CertificateIdentity found, last error: expected SAN value "https://github.com/interuss/monitoring/.github/workflows/image-publish.yml@refs/pull/1406/merge", got "zzz@-.org"

Should it be working? I did assume there were some extra CI parameters that I don't have access to, pointing to the correct "account/identity".

@mickmis mickmis force-pushed the dependabot/github_actions/sigstore/cosign-installer-4.1.1 branch 11 times, most recently from a5aa4af to f6ab882 Compare March 31, 2026 16:42
@mickmis mickmis changed the title Bump sigstore/cosign-installer from 4.0.0 to 4.1.1 Bump sigstore/cosign-installer from 4.0.0 to 4.1.1; Always use latest version of cosign; Wait 30s between signing and verifying signature Mar 31, 2026
mickmis commented Mar 31, 2026

So the issue with the upgrade was that there now seems to be a delay between the time that the signature is published to the registry and the time it is actually exposed. Since we were verifying it immediately after publishing it, the signature could not be found. The new version of cosign uses a new format to bundle the signature so that's probably why the issue appeared now.

In any case, introducing a 30-second delay between signing and verifying the signature addresses the issue. I've done so in this PR and will merge it.
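A polling verify step, added here as an example (not code from the interuss/monitoring workflow or from this PR), that replaces the fixed 30s sleep described above with a bounded retry of `cosign verify`, and pins the certificate identity to the signing workflow's SAN plus the GitHub OIDC issuer, which is the identity mismatch behind the "expected SAN value ... got ..." error in the-glu's comment. It assumes keyless signing from GitHub Actions, a cosign v4 CLI on PATH (overridable through the hypothetical `COSIGN_BIN` variable), and a hypothetical image reference and workflow path.

```shell
#!/usr/bin/env bash
# Added example, not part of the project: poll `cosign verify` until the
# registry exposes the freshly pushed signature bundle, instead of sleeping
# a fixed 30s and hoping the signature is visible by then.

COSIGN_BIN="${COSIGN_BIN:-cosign}"   # hypothetical override, e.g. for tests
GITHUB_OIDC_ISSUER="https://token.actions.githubusercontent.com"

# verify_with_retry IMAGE_REF CERT_IDENTITY [MAX_ATTEMPTS] [SLEEP_SECONDS]
# CERT_IDENTITY is the signing workflow's SAN, e.g.
#   https://github.com/ORG/REPO/.github/workflows/image-publish.yml@refs/heads/main
# Returns 0 once verification succeeds, 1 after MAX_ATTEMPTS failures.
verify_with_retry() {
  local image="$1" identity="$2" max="${3:-6}" pause="${4:-5}"
  local attempt=1
  while [ "$attempt" -le "$max" ]; do
    # Pin both identity and issuer: identity alone would also accept a
    # certificate for the same SAN issued by any other trusted OIDC provider.
    if "$COSIGN_BIN" verify \
         --certificate-identity "$identity" \
         --certificate-oidc-issuer "$GITHUB_OIDC_ISSUER" \
         "$image" >/dev/null 2>&1; then
      echo "verified $image on attempt $attempt"
      return 0
    fi
    echo "attempt $attempt/$max: signature for $image not verifiable yet" >&2
    attempt=$((attempt + 1))
    if [ "$attempt" -le "$max" ]; then
      sleep "$pause"
    fi
  done
  echo "giving up: $image not verifiable after $max attempts" >&2
  return 1
}

# Usage in a CI step (hypothetical image and workflow path):
#   verify_with_retry ghcr.io/example/app:sha-abc123 \
#     'https://github.com/example/repo/.github/workflows/image-publish.yml@refs/heads/main' 6 5
```

A bounded retry fails the job with a clear message when the signature never appears, whereas a fixed sleep only moves the race and still fails silently on a slow registry.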

@mickmis mickmis force-pushed the dependabot/github_actions/sigstore/cosign-installer-4.1.1 branch from f6ab882 to 0c5acfc Compare March 31, 2026 16:48
@mickmis mickmis merged commit 10ab076 into main Mar 31, 2026
25 checks passed
@dependabot dependabot bot deleted the dependabot/github_actions/sigstore/cosign-installer-4.1.1 branch March 31, 2026 17:17
github-actions bot added a commit that referenced this pull request Mar 31, 2026
… version of cosign; Wait 30s between signing and verifying signature (#1402)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Mickaël Misbach <mickael@misba.ch> 10ab076