chore: cosign v4 upgrade

denis256 · denis256 · commit 485f0fabe4ef · 2026-03-10T20:20:14.000Z
diff --git a/.github/assets/release-assets-config.json b/.github/assets/release-assets-config.json
@@ -62,13 +62,17 @@
       "name": "SHA256SUMS.gpgsig",
       "description": "GPG detached signature"
     },
+    {
+      "name": "SHA256SUMS.sigstore.json",
+      "description": "Cosign sigstore bundle"
+    },
     {
       "name": "SHA256SUMS.sig",
-      "description": "Cosign signature"
+      "description": "Cosign signature (legacy)"
     },
     {
       "name": "SHA256SUMS.pem",
-      "description": "Cosign certificate"
+      "description": "Cosign certificate (legacy)"
     },
     {
       "name": "terragrunt-signing-key.asc",
diff --git a/.github/scripts/release/sign-checksums.sh b/.github/scripts/release/sign-checksums.sh
@@ -11,8 +11,9 @@ set -e
 #
 # Outputs:
 #   SHA256SUMS.gpgsig - GPG detached signature
-#   SHA256SUMS.sig    - Cosign signature
-#   SHA256SUMS.pem    - Cosign certificate
+#   SHA256SUMS.sigstore.json - Cosign sigstore bundle
+#   SHA256SUMS.sig           - Cosign signature (legacy, extracted from bundle)
+#   SHA256SUMS.pem           - Cosign certificate (legacy, extracted from bundle)
 
 function main {
   local -r bin_dir="${1:-bin}"
@@ -51,14 +52,21 @@ function main {
 
   echo "GPG signature created: SHA256SUMS.gpgsig"
 
-  # Cosign signing (keyless OIDC)
+  # Cosign signing (keyless OIDC) - produces sigstore bundle
   echo "Signing SHA256SUMS with Cosign..."
   cosign sign-blob SHA256SUMS \
-      --oidc-issuer=https://token.actions.githubusercontent.com \
-      --output-certificate=SHA256SUMS.pem \
-      --output-signature=SHA256SUMS.sig \
+      --bundle=SHA256SUMS.sigstore.json \
       --yes
 
+  echo "Cosign bundle created: SHA256SUMS.sigstore.json"
+
+  # Extract legacy .sig and .pem from bundle for backward compatibility
+  echo "Extracting legacy signature files from bundle..."
+  jq -r '.messageSignature.signature' SHA256SUMS.sigstore.json > SHA256SUMS.sig
+  jq -r '.verificationMaterial.certificate.rawBytes' SHA256SUMS.sigstore.json | \
+      base64 --decode | \
+      openssl x509 -inform DER -outform PEM -out SHA256SUMS.pem
+
   echo "Cosign signature created: SHA256SUMS.sig"
   echo "Cosign certificate created: SHA256SUMS.pem"
 
diff --git a/.github/workflows/install-script-test.yml b/.github/workflows/install-script-test.yml
@@ -19,7 +19,7 @@ jobs:
         run: sudo apt-get update && sudo apt-get install -y gnupg
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4
 
       - name: Run install script tests
         run: ./docs/tests/install_test.sh
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -82,7 +82,7 @@ jobs:
           gpg --armor --export "${GPG_FINGERPRINT}" > bin/terragrunt-signing-key.asc
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4
 
       - name: Sign SHA256SUMS
         env:
diff --git a/docs/public/install b/docs/public/install
@@ -325,31 +325,36 @@ verify_cosign() {
     local checksums_path="$2"
     local tmpdir="$3"
 
+    # Try bundle verification first (cosign v3+ / sigstore bundle)
+    local bundle_url="https://github.com/${GITHUB_REPO}/releases/download/${version}/SHA256SUMS.sigstore.json"
+    local bundle_path="${tmpdir}/SHA256SUMS.sigstore.json"
+
+    if curl -sL --fail "$bundle_url" -o "$bundle_path" 2>/dev/null; then
+        info "Verifying Cosign signature (bundle)..."
+        cosign verify-blob "$checksums_path" \
+            --bundle "$bundle_path" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            --certificate-identity-regexp "github.com/gruntwork-io/terragrunt" 2>/dev/null
+        return $?
+    fi
+
+    # Legacy .sig/.pem verification (older releases without bundle)
     local sig_url="https://github.com/${GITHUB_REPO}/releases/download/${version}/SHA256SUMS.sig"
     local cert_url="https://github.com/${GITHUB_REPO}/releases/download/${version}/SHA256SUMS.pem"
     local sig_path="${tmpdir}/SHA256SUMS.sig"
     local cert_path="${tmpdir}/SHA256SUMS.pem"
 
     info "Downloading Cosign signature files..."
-    if ! curl -sL --fail "$sig_url" -o "$sig_path" 2>/dev/null; then
-        warn "Failed to download Cosign signature file"
-        return 1
-    fi
-    if ! curl -sL --fail "$cert_url" -o "$cert_path" 2>/dev/null; then
-        warn "Failed to download Cosign certificate file"
-        return 1
-    fi
+    curl -sL --fail "$sig_url" -o "$sig_path" 2>/dev/null || { warn "Failed to download Cosign signature file"; return 1; }
+    curl -sL --fail "$cert_url" -o "$cert_path" 2>/dev/null || { warn "Failed to download Cosign certificate file"; return 1; }
 
     info "Verifying Cosign signature..."
-    if cosign verify-blob "$checksums_path" \
+    cosign verify-blob "$checksums_path" \
         --signature "$sig_path" \
         --certificate "$cert_path" \
         --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-        --certificate-identity-regexp "github.com/gruntwork-io/terragrunt" 2>/dev/null; then
-        return 0
-    else
-        return 1
-    fi
+        --certificate-identity-regexp "github.com/gruntwork-io/terragrunt" 2>/dev/null
+    return $?
 }
 
 # Verify signature using specified method
diff --git a/docs/src/content/docs/01-getting-started/03-install.mdx b/docs/src/content/docs/01-getting-started/03-install.mdx
@@ -74,8 +74,7 @@ uid           [ unknown] Gruntwork (Code Signing Key) <security@gruntwork.io>
 
 ```bash
 cosign verify-blob SHA256SUMS \
-  --signature SHA256SUMS.sig \
-  --certificate SHA256SUMS.pem \
+  --bundle SHA256SUMS.sigstore.json \
   --certificate-oidc-issuer https://token.actions.githubusercontent.com \
   --certificate-identity-regexp "github.com/gruntwork-io/terragrunt"
 ```
