changes for cosign v3 compatibility (#2877)

### Problem
   Cosign v3.0.2 removed support for `--output-signature` and
`--output-certificate` flags in favor of bundle format. Workflows were
   failing with:
   ```
Error: must provide --bundle with --signing-config or
--use-signing-config
   ```

   ### Solution
   Updated all `cosign sign-blob` commands to use bundle format:
   ```bash
   cosign sign-blob <file> --yes --bundle=<file>.bundle
   ```

   ### Files Changed

   **compile-docs.yml:**
   - Simplified 3 cosign commands to use --bundle only
   - Created placeholder .sig/.crt files for backward compatibility
   - Updated tar archive to include .bundle files
   - Updated release artifacts to use .bundle
   - Updated verification instructions for bundle format

   **compile-public-docs.yml:**
   - Simplified 2 cosign commands to use --bundle only
   - Created placeholder .sig/.crt files for backward compatibility
   - Updated release to include .bundle files

   ### Why Placeholder Files?
The Dockerfile and some verification scripts still expect .sig/.crt
files.
Created empty placeholders to maintain compatibility during transition.
The
   real verification data is in the .bundle files.

   ### Backward Compatibility
- Tar archives include both .bundle files (real) and .sig/.crt
(placeholders)
   - GitHub releases include .bundle files
   - Verification instructions updated to use bundle format
   - Dockerfile continues to work (copies placeholder files)

Signed-off-by: ltagliaferri <[email protected]>

Author: ltagliaferri

.github/workflows/compile-docs.yml

@@ -143,39 +143,40 @@ jobs:
       run: |
         cd $TEMP_BUILD_DIR
         
-        # Sign the main documentation file
+        # Sign the main documentation file (bundle format for cosign v3)
         cosign sign-blob chainguard-complete-docs.md \
           --yes \
-          --new-bundle-format=false \
-          --output-signature=chainguard-complete-docs.md.sig \
-          --output-certificate=chainguard-complete-docs.md.crt
+          --bundle=chainguard-complete-docs.md.bundle
 
-        # Sign the checksums file
+        # Sign the checksums file (bundle format for cosign v3)
         cosign sign-blob checksums.txt \
           --yes \
-          --new-bundle-format=false \
-          --output-signature=checksums.txt.sig \
-          --output-certificate=checksums.txt.crt
-        
+          --bundle=checksums.txt.bundle
+
+        # Create placeholder .sig/.crt files for backward compatibility
+        # (verification.sh and some tools still expect these)
+        touch chainguard-complete-docs.md.sig chainguard-complete-docs.md.crt
+        touch checksums.txt.sig checksums.txt.crt
+
         # Copy verification script
         cp $GITHUB_WORKSPACE/edu/scripts/verification.sh .
         
         # Create release bundle with all verification files
         tar -czf chainguard-ai-docs.tar.gz \
           chainguard-complete-docs.md \
+          chainguard-complete-docs.md.bundle \
           chainguard-complete-docs.md.sig \
           chainguard-complete-docs.md.crt \
           checksums.txt \
+          checksums.txt.bundle \
           checksums.txt.sig \
           checksums.txt.crt \
           verification.sh
 
-        # Sign the bundle
+        # Sign the bundle (bundle format for cosign v3)
         cosign sign-blob chainguard-ai-docs.tar.gz \
           --yes \
-          --new-bundle-format=false \
-          --output-signature=chainguard-ai-docs.tar.gz.sig \
-          --output-certificate=chainguard-ai-docs.tar.gz.crt
+          --bundle=chainguard-ai-docs.tar.gz.bundle
 
     - name: Build and push container image
       if: github.ref == 'refs/heads/main'
@@ -276,20 +277,19 @@ jobs:
           Cryptographically signed documentation for AI coding assistants.
           
           ### Verification Instructions
-          
+
           ```bash
-          # Download and verify the bundle
           # Download latest release
           curl -LO https://github.com/${{ github.repository }}/releases/latest/download/chainguard-ai-docs.tar.gz
-          curl -LO https://github.com/${{ github.repository }}/releases/latest/download/chainguard-ai-docs.tar.gz.sig
-          
-          # Verify with cosign
+          curl -LO https://github.com/${{ github.repository }}/releases/latest/download/chainguard-ai-docs.tar.gz.bundle
+
+          # Verify with cosign (bundle format)
           cosign verify-blob \
+            --bundle chainguard-ai-docs.tar.gz.bundle \
             --certificate-identity-regexp ".*github.com/${{ github.repository }}.*" \
             --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-            --signature chainguard-ai-docs.tar.gz.sig \
             chainguard-ai-docs.tar.gz
-          
+
           # Extract and verify contents
           tar -xzf chainguard-ai-docs.tar.gz
           ./verification.sh
@@ -308,8 +308,6 @@ jobs:
           - Build date: ${{ github.event.repository.updated_at }}
         files: |
           ${{ env.TEMP_BUILD_DIR }}/chainguard-ai-docs.tar.gz
-          ${{ env.TEMP_BUILD_DIR }}/chainguard-ai-docs.tar.gz.sig
-          ${{ env.TEMP_BUILD_DIR }}/chainguard-ai-docs.tar.gz.crt
           ${{ env.TEMP_BUILD_DIR }}/chainguard-ai-docs.tar.gz.bundle
         draft: false
         prerelease: false

.github/workflows/compile-public-docs.yml

@@ -114,20 +114,21 @@ jobs:
       run: |
         cd static/downloads
         
-        # Sign the tarball (keyless signing)
+        # Sign the tarball (bundle format for cosign v3)
         cosign sign-blob chainguard-ai-docs.tar.gz \
           --yes \
-          --new-bundle-format=false \
-          --output-signature=chainguard-ai-docs.tar.gz.sig \
-          --output-certificate=chainguard-ai-docs.tar.gz.crt
+          --bundle=chainguard-ai-docs.tar.gz.bundle
 
-        # Sign the markdown file
+        # Sign the markdown file (bundle format for cosign v3)
         cosign sign-blob chainguard-ai-docs.md \
           --yes \
-          --new-bundle-format=false \
-          --output-signature=chainguard-ai-docs.md.sig \
-          --output-certificate=chainguard-ai-docs.md.crt
-        
+          --bundle=chainguard-ai-docs.md.bundle
+
+        # Create placeholder .sig/.crt files for backward compatibility
+        # (Dockerfile and some tools still expect these)
+        touch chainguard-ai-docs.tar.gz.sig chainguard-ai-docs.tar.gz.crt
+        touch chainguard-ai-docs.md.sig chainguard-ai-docs.md.crt
+
         echo "Artifacts signed successfully"
 
     - name: Scan for sensitive data
@@ -213,8 +214,8 @@ jobs:
           --notes-file release-notes.md \
           --latest \
           chainguard-ai-docs.tar.gz \
-          chainguard-ai-docs.tar.gz.sig \
-          chainguard-ai-docs.tar.gz.crt \
+          chainguard-ai-docs.tar.gz.bundle \
+          chainguard-ai-docs.md.bundle \
           checksums.txt
 
     - name: Build and push container image