From d1c88c53a84d5af68cf6d70b80fbc7e4783cd6c8 Mon Sep 17 00:00:00 2001
From: Hermes Agent
Date: Wed, 27 May 2026 02:09:51 -0500
Subject: [PATCH] fix(release): emit cosign certificate file alongside signature
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The v26.08 release published .sig files but no .pem files, which made the cosign verify-blob command in README.md unusable — keyless verification needs the Fulcio-issued certificate that ties the signature back to the OIDC issuer. Goreleaser only expands ${signature} and ${certificate} in the args list when the signs: block has matching `signature:` and `certificate:` keys declared. Without `certificate:`, the substitution resolved to empty string and cosign silently wrote to "". Adding both keys produces ${artifact}.sig + ${artifact}.pem for every artefact at release time. A re-tag of v26.08 would regenerate the release with both files.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .goreleaser.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 26486a0..5873f98 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -91,9 +91,16 @@ checksum:
 # cosign keyless OIDC signing. Requires GitHub Actions OIDC tokens, so this
 # only works from the .github/workflows/release.yml job — never from a
 # laptop. The transparency log entry is uploaded to Rekor by default.
+#
+# Both ${signature} and ${certificate} must be declared at this level for
+# goreleaser to expand them in the args list; without `certificate:`
+# declared, cosign would write to an empty filename and the README's
+# verify-blob command would have no .pem to consume.
 signs:
 - cmd: cosign
 artifacts: all
+ signature: '${artifact}.sig'
+ certificate: '${artifact}.pem'
 output: true
 args:
 - sign-blob
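Review bot: The failure this hunk fixes was silent — per the commit message cosign wrote its certificate to "" and the release job still published artifacts with `.sig` but no `.pem` — and adding `signature:`/`certificate:` to the `signs:` block does nothing to stop a recurrence, since no step checks that both files exist and verify. Consider having the release workflow verify its own outputs before the release is published, e.g. for each artefact `cosign verify-blob --certificate "$f.pem" --signature "$f.sig" --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '<this repo's release workflow ref>' "$f"`, so a missing or mismatched certificate fails the job rather than the first downstream user; that lives in `.github/workflows/release.yml`, not this file. The `args:` list continues past the end of the hunk, so whether `--output-signature ${signature}` / `--output-certificate ${certificate}` actually consume the two new keys cannot be confirmed from here. Relatedly, the README's `verify-blob` command only ties a signature to this repository if it pins `--certificate-identity` (or `-regexp`) and `--certificate-oidc-issuer`; README.md is not in the diff, so that is worth checking alongside this change.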