Skip to content

CLOUDP-354456 - Conform kubectl-mongodb signing to new 3.0.2 version of cosign #555

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Oct 29, 2025
Merged

CLOUDP-354456 - Conform kubectl-mongodb signing to new 3.0.2 version of cosign #555

merged 6 commits into from
Oct 29, 2025

Conversation

@MaciejKaras
Copy link
Collaborator

@MaciejKaras MaciejKaras commented Oct 27, 2025
edited
Loading

Summary

Due to the bug in cosign we wanted to upgrade it to newer 3.0.2 version. Because of major version change cosign sign-blob and cosign verify-blob commands now require specifying --bundle that will contain both signature and some other information.

In this PR we start using --bundle flag when signing and verifying kubectl-mongodb binaries. The contents of the new bundle:

{
  "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
  "verificationMaterial": {
    "publicKey": {
      "hint": "AU1VLmJtWc+qqAKpD3BfZ81beo7rZ2hAI54Z+0Dz8Vw="
    }
  },
  "messageSignature": {
    "messageDigest": {
      "algorithm": "SHA2_256",
      "digest": "XXQAwZCjdATTeHFH29uYN1MSAm1LP27/AiDkl9YKfqs="
    },
    "signature": "TUs36qhf5p2fuVPuogl3bAslg0bycy+I8Ul1JwqHvAffpjKwXDNdXk9/OdjoiZrwhKqVrutQOpLac4JK+NQpEab7EfOZdRfX1SqurM4kE0izPg/SWJ2Me1LLXT6/nCnG+n5buKIJzw6EGOjcAlzC3P6ok08mJp6s57DTeDVv3uBl6RCv3GqR5uLzXNSCHgo/pZBSIUcNzAGqM6FZsgUhH9uiCDH9nzWwyuqfOF8DDJ+W1BT0gqP0Zs+qVtS2+MmYH9mx9a2MQ4ph8PgrTiqgZOxQX6QTmZ8/YTAPj1gmRLrYj+B9QW0XDAEiBuhJC6EyBWU5QpZaT0X5CvtPIhsF3qvCZrIkccnuUKdebHkrKPycGp5vHnkXfFra4SMdQH1yXduGMNrCA+grJ7DQ7uwoRSHIHnkQQlThZC0SjtFb0Qri+D0ExXIPiRcC/86KB5na/9tdaiwrKKEQF0KpV61vUE8iruQxttc1GllRSWPWFKS2do8s/xGc3HzKkriauGkVSI25S72zlvbQxtuosTmqIDHHH6z7jeY0cMUPr+wt1Vg+DU8InpL8SYfgN20swLn9lvBIucu6C/Cax/lC9FkWL8C6rTN8wcD1jsHrSeuais1sT/9grbyUo2pgU701CbpD3NhyFpd9MPO0Lkbzk+/ZYVFgCfQdVLL5ai9dNevX0R4="
  }
}

Previous signature only file:

bsQWZtrco0D3LpUWk0kYcPq1J3hnBl9xez2//gse5M4/4VCQW/5HM7nvBktM9WO1fJDrkKzFqbYk994nj5OHOchSj8vudcyy9TMzTROc0jZyr5wnw3buhTYvCVHvfO50x/0y1ST6fyidxG4IBRz3yidqzxckHn0MecHKvDrrycB2Qzh0oipb6sCLPH7uBhpi6Kjla5FQfjlQ/rRdUW+gk9rnYSBzAJ157tgmsl1ReWlUTwD0lHxeozQ5BTD1AZ7I/Z48wU5YmOjsWO+xyjjq3lW2B+tUB8ddN2u2Sq1uiuH2djFFsOOQutCXclqVgXC7you5jjJ18Tm30oTyRrkLk4xtqIWrqMLa0p15XZpCMErmMv7j0tJr8DsFsXrYq7gep+eBu5i6jEP6y6re1cFNDpOWrFWmLM6PrHBv6I5K/Gfw2sSmqPG10wkQRLMvhhL4lHa7+oevA+x76VpgrYXH8KtVfaGAyw9v+houiVtsYPJJ9NzWAJicIkU9gyVvShsSidQElU7ije7MFhCAWyACJ30sDDOuKEAkKEsEnARMflA5k40ZOT0oIMG03+50UhRC3ERB6Yjff+X4ows59qc8G1i1ArUiL7eIpH3oKvDJsJ9Q6MXE9GdPbLNI/BMupkBucEq0o0dlSW0VXOzJRiAOu4JBg/kv1E1/p4f4z4y2J/I=

Additionally I had to disable sending tlog based on Release Tools team requirement

Please note that all teams should not upload any material to Sigstore's public transparency log by setting the --tlog-upload flag to false

Proof of Work

Passing signing and verifying steps of release_kubectl_mongodb_plugin.

Checklist

@MaciejKaras MaciejKaras changed the base branch from master to maciejk/ar-goreleaser-drop October 27, 2025 10:19
@github-actions
Copy link

github-actions bot commented Oct 27, 2025
edited
Loading

⚠️ (this preview might not be accurate if the PR is not rebased on current master branch)

MCK 1.6.0 Release Notes

New Features

  • MongoDBCommunity: Added support to configure custom cluster domain via newly introduced spec.clusterDomain resource field. If spec.clusterDomain is not set, environment variable CLUSTER_DOMAIN is used as cluster domain. If the environment variable CLUSTER_DOMAIN is also not set, operator falls back to cluster.local as default cluster domain.
  • Helm Chart: Introduced two new helm fields operator.podSecurityContext and operator.securityContext that can be used to configure securityContext for Operator deployment through Helm Chart.

Bug Fixes

  • Fixed parsing of the customEnvVars Helm value when values contain = characters.
  • ReplicaSet: Blocked disabling TLS and changing member count simultaneously. These operations must now be applied separately to prevent configuration inconsistencies.

Other Changes

  • kubectl-mongodb plugin: cosign, the signing tool that is used to sign kubectl-mongodb plugin binaries, has been updated to version 3.0.2. With this change, released binaries will be bundled with .bundle files containing both signature and certificate information. For more information on how to verify signatures using new cosign version please refer to -> https://github.com/sigstore/cosign/blob/v3.0.2/doc/cosign_verify-blob.md

@MaciejKaras MaciejKaras marked this pull request as ready for review October 27, 2025 10:24
@MaciejKaras MaciejKaras requested review from a team and vinilage as code owners October 27, 2025 10:24
@MaciejKaras MaciejKaras requested review from Julien-Ben, m1kola, nammn and viveksinghggits and removed request for a team and nammn October 27, 2025 10:24
mircea-cosbuc
mircea-cosbuc reviewed Oct 27, 2025
View reviewed changes
Julien-Ben
Julien-Ben reviewed Oct 27, 2025
View reviewed changes
Julien-Ben
Julien-Ben reviewed Oct 27, 2025
View reviewed changes
Base automatically changed from maciejk/ar-goreleaser-drop to master October 28, 2025 13:11
@MaciejKaras
Merge branch 'master' into maciejk/ar-cosign-upgrade
28dd2dc 
# Conflicts:
#	scripts/release/kubectl_mongodb/verify.sh
vinilage
vinilage approved these changes Oct 29, 2025
View reviewed changes
Copy link
Collaborator

@vinilage vinilage left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

changelog/20251027_other_cosign_version_upgrade.md
date: 2025-10-27
---

* **kubectl-mongodb plugin**: `cosign`, the signing tool that is used to sign `kubectl-mongodb` plugin binaries, has been updated to version `3.0.2`. With this change, released binaries will be bundled with `.bundle` files containing both signature and certificate information. For more information on how to verify signatures using new `cosign` version please refer to -> https://github.com/sigstore/cosign/blob/v3.0.2/doc/cosign_verify-blob.md
Copy link
Collaborator

@vinilage vinilage Oct 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@MaciejKaras MaciejKaras merged commit b478944 into master Oct 29, 2025
33 of 37 checks passed
@MaciejKaras MaciejKaras deleted the maciejk/ar-cosign-upgrade branch October 29, 2025 15:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mircea-cosbuc mircea-cosbuc mircea-cosbuc approved these changes

@m1kola m1kola m1kola approved these changes

@Julien-Ben Julien-Ben Julien-Ben approved these changes

@vinilage vinilage vinilage approved these changes

@viveksinghggits viveksinghggits Awaiting requested review from viveksinghggits

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@MaciejKaras @m1kola @mircea-cosbuc @Julien-Ben @vinilage