Update cosign docs on new bundle format #385
Open
codysoyland wants to merge 3 commits into sigstore:main from
❌ Deploy Preview for docssigstore failed.
Signed-off-by: Cody Soyland <codysoyland@github.com>
ltagliaferri (Contributor) previously approved these changes on May 9, 2025 and left a comment:
nit on JS typecasing
vszakats added a commit to curl/curl-for-win that referenced this pull request on Oct 7, 2025:
The signature suffix (`.sigstore`) is subject to change. This is so new, there is no documentation yet. Existing documentation and its pending update do not mention or specify a suffix (or I couldn't find it.) An internet or GitHub search also didn't help. I've seen so far: .sigstore.json, .bundle, .sig
TODO: also update this in curl/curl-www once decided or before the next release latest.
It's also an option to stay with the `.cosign` suffix and format, though not recommended.
Ref: sigstore/cosign#4440
Ref: sigstore/sigstore-blog#89
Ref: sigstore/docs#385
vszakats added a commit to vszakats/curl-www that referenced this pull request on Oct 10, 2025:
The suffix is entirely arbitrary on my part. I could find no mention of what this should be, and it's also brand new, with no clear practice or convention I could find. Anyway, the content of the .sigstore file is the "new bundle" format, which allows offline verification. It has been released in full last month by cosign and made the default in yesterday's release (3.0.1). It's also the officially recommended format. This was preceded by a slipped out 3.0.0 release 2 days ago, triggering a quick fix downstream in curl-for-win.
Ref: curl/curl-for-win@aaf54db
Docs page not yet updated: https://docs.sigstore.dev/about/bundle/
Pending PR: sigstore/docs#385
Neither mentions a filename convention.
vszakats added a commit to vszakats/curl-www that referenced this pull request on Oct 10, 2025:
The suffix is entirely arbitrary on my part. I could find no mention of what this should be, and it's also brand new, with no clear practice or convention I could find. Anyway, the content of the .sigstore file is the "new bundle" format, which allows offline verification. It has been released in full last month by cosign and made the default in yesterday's release (3.0.1). It's also the officially recommended format. This was preceded by a slipped out 3.0.0 release 2 days ago, triggering a quick fix downstream in curl-for-win.
Ref: curl/curl-for-win@aaf54db
Docs page not yet updated: https://docs.sigstore.dev/about/bundle/
Pending PR: sigstore/docs#385
Neither mentions a filename convention.
vszakats added a commit to curl/curl-www that referenced this pull request on Oct 10, 2025:
…mat) (#494)
The suffix is entirely arbitrary on my part. I could find no mention of what this should be, and it's also brand new, with no clear practice or convention I could find. Anyway, the content of the `.sigstore` file is the "new bundle" format, which allows offline verification. It has been released in full last month by cosign and made the default in yesterday's release (3.0.1). It's also the officially recommended format. This was preceded by a slipped out 3.0.0 release 2 days ago, triggering a quick fix downstream in curl-for-win.
Ref: curl/curl-for-win@aaf54db
Docs page not yet updated: https://docs.sigstore.dev/about/bundle/
Pending PR: sigstore/docs#385
Is there a standard or recommended filename suffix for a new bundle signature? (as was
Signed-off-by: ltagliaferri <lisa.tagliaferri@gmail.com>
ltagliaferri approved these changes on Oct 10, 2025
Hayden-IO (Contributor) requested changes on Oct 10, 2025 and left a comment:
Hold on merging, this is now out of date given Cosign v3
Summary
Adding a bit more detail to the Cosign bundle format section.
Release Note
Documentation