
Fix release verification docs and ship .bundle signing artifact #1068

Draft
Copilot wants to merge 2 commits into main from copilot/update-release-verification-instructions

Conversation


Copilot AI commented Feb 24, 2026

Release verification instructions had wrong certificate identity (release.yml@refs/tags/...) and referenced .bundle files that weren't shipped. Users couldn't verify releases.

Documentation fixes

  • RELEASE.md: Corrected certificate identity to action-build.yml@refs/heads/main (GitHub OIDC tokens for reusable workflows use the called workflow's identity, not the caller's). Replaced .bundle instructions with .sig/.pem flags matching what's actually in the tarball. Added download/unpack/verify steps.
  • installation.md: Added context about signing artifacts in tarballs and explanatory note about certificate identity.

Workflow fix

  • .github/actions/sign/action.yml: The sign action generated .bundle files but never copied them to dist/bin/. Added cp *.bundle dist/bin/ alongside the existing .sig/.pem copies.

Corrected verification command

$ cosign verify-blob \
    --certificate containerd-shim-wasmtime-v1.pem \
    --signature containerd-shim-wasmtime-v1.sig \
    --certificate-identity \
      "https://github.com/containerd/runwasi/.github/workflows/action-build.yml@refs/heads/main" \
    --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
    containerd-shim-wasmtime-v1

Original prompt

This section details the original issue you should resolve.

<issue_title>Unclear release verification instructions</issue_title>
<issue_description>I am trying to verify the latest wasmtime shim release. The release docs point to verifying a sample app produced by releases rather than the actual artifact using the provided certificate and signature. I would expect instructions like the following:

# Download release
wget https://github.com/containerd/runwasi/releases/download/containerd-shim-wasmtime%2Fv0.6.0/containerd-shim-wasmtime-aarch64-linux-musl.tar.gz

# Unpack release
$ tar -xvf containerd-shim-wasmtime-aarch64-linux-musl.tar.gz

# Note that there are signature and certificate files
$ ls
-rw-r--r--@ 1 kgoldenr  staff   9067423 May 20  2025 containerd-shim-wasmtime-aarch64-linux-musl.tar.gz
-rwxr-xr-x@ 1 kgoldenr  staff  22408144 May 20  2025 containerd-shim-wasmtime-v1
-rw-------@ 1 kgoldenr  staff      3232 May 20  2025 containerd-shim-wasmtime-v1.pem
-rw-------@ 1 kgoldenr  staff        96 May 20  2025 containerd-shim-wasmtime-v1.sig

# Verify with cosign 
$ cosign verify-blob \
  --certificate containerd-shim-wasmtime-v1.pem \
  --signature containerd-shim-wasmtime-v1.sig \
  --certificate-identity https://github.com/containerd/runwasi/.github/workflows/action-build.yml@refs/heads/main \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  containerd-shim-wasmtime-v1

I also find it strange that the release was signed by the action-build.yml instead of release.yaml and that it points to the one on main rather than a tagged release. I would have expected the following to work:

$ cosign verify-blob --certificate containerd-shim-wasmtime-v1.pem \
--signature containerd-shim-wasmtime-v1.sig \
--certificate-identity  https://github.com/containerd/runwasi/.github/workflows/release.yml@refs/tags/containerd-shim-wasmtime/v0.6.0 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
containerd-shim-wasmtime-v1

Error: none of the expected identities matched what was in the certificate, got subjects [https://github.com/containerd/runwasi/.github/workflows/action-build.yml@refs/heads/main] with issuer https://token.actions.githubusercontent.com
error during command execution: none of the expected identities matched what was in the certificate, got subjects [https://github.com/containerd/runwasi/.github/workflows/action-build.yml@refs/heads/main] with issuer https://token.actions.githubusercontent.com
</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>

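The procedure the PR description and the issue spell out (unpack, read the certificate, run cosign verify-blob) as one script. This is an added example, not code from the runwasi project. It assumes the artifact names from the issue's directory listing (containerd-shim-wasmtime-v1 with .pem/.sig, and the .bundle the PR starts shipping), and it uses only cosign flags that exist (--bundle, --certificate, --signature, --certificate-identity, --certificate-oidc-issuer). The `cert_identity` helper reads the URI Subject Alternative Name out of the certificate with openssl, which is how to find out what identity a Fulcio certificate actually carries before cosign reports "none of the expected identities matched". The self-signed certificate the demo builds is constructed for the offline run and would not pass cosign's chain check against Fulcio.

```shell
#!/bin/sh
# Added example, not code from the runwasi project. Inspects the Sigstore
# certificate shipped in a release tarball and verifies the shim with cosign.
set -eu

# Identity the PR description says the certificate actually carries: the
# reusable signing workflow at the ref it ran from, not the release workflow.
EXPECTED_IDENTITY="https://github.com/containerd/runwasi/.github/workflows/action-build.yml@refs/heads/main"
EXPECTED_ISSUER="https://token.actions.githubusercontent.com"
# The identity the issue reporter expected, which does not match.
WRONG_IDENTITY="https://github.com/containerd/runwasi/.github/workflows/release.yml@refs/tags/containerd-shim-wasmtime/v0.6.0"

# Print the URI Subject Alternative Name of a PEM certificate. Fulcio places the
# OIDC subject there, and it is the value --certificate-identity is compared
# against, so reading it first turns "none of the expected identities matched"
# into a concrete answer instead of a guess.
cert_identity() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | sed -n 's/^[[:space:]]*URI://p'
}

# Exit 0 if the certificate's identity is exactly the expected string.
identity_matches() {
  [ "$(cert_identity "$1")" = "$2" ]
}

# Verify the shim binary in an unpacked tarball directory. Uses the .bundle when
# present (signature, certificate and Rekor entry in one file), otherwise the
# .sig/.pem pair that releases already ship. Requires cosign.
verify_shim() {
  dir="$1"; name="${2:-containerd-shim-wasmtime-v1}"; bin="$dir/$name"
  if [ -f "$bin.bundle" ]; then
    cosign verify-blob --bundle "$bin.bundle" \
      --certificate-identity "$EXPECTED_IDENTITY" \
      --certificate-oidc-issuer "$EXPECTED_ISSUER" "$bin"
  else
    cosign verify-blob --certificate "$bin.pem" --signature "$bin.sig" \
      --certificate-identity "$EXPECTED_IDENTITY" \
      --certificate-oidc-issuer "$EXPECTED_ISSUER" "$bin"
  fi
}

# Constructed stand-in for a Fulcio leaf certificate: self-signed, with only the
# URI SAN set. Enough to exercise cert_identity offline; it would fail cosign's
# chain check against Fulcio, which is the point of running cosign afterwards.
make_constructed_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1.key" -out "$1" -subj "/CN=constructed-test-cert" \
    -addext "subjectAltName=URI:$2" >/dev/null 2>&1
}

# Offline demo: reproduce the mismatch from the issue without cosign or network.
if command -v openssl >/dev/null 2>&1; then
  tmp=$(mktemp -d)
  if make_constructed_cert "$tmp/cert.pem" "$EXPECTED_IDENTITY"; then
    echo "certificate identity: $(cert_identity "$tmp/cert.pem")"
    identity_matches "$tmp/cert.pem" "$EXPECTED_IDENTITY" && echo "matches action-build.yml@refs/heads/main"
    identity_matches "$tmp/cert.pem" "$WRONG_IDENTITY" || echo "does not match release.yml@refs/tags/..."
  fi
  rm -rf "$tmp"
fi
# Real release (network, cosign and openssl required):
#   curl -sSLO "https://github.com/containerd/runwasi/releases/download/containerd-shim-wasmtime%2Fv0.6.0/containerd-shim-wasmtime-aarch64-linux-musl.tar.gz"
#   mkdir shim && tar -xzf containerd-shim-wasmtime-aarch64-linux-musl.tar.gz -C shim
#   cert_identity shim/containerd-shim-wasmtime-v1.pem && verify_shim shim
```

Running `cert_identity` on the real .pem from a release tarball prints the action-build.yml@refs/heads/main identity the issue's error message quotes, which is why pinning to release.yml@refs/tags/... can never match: the OIDC token is minted for the reusable workflow that actually runs cosign, at the ref it was called from. The identity check is exact-match, so keep the full URL including the ref; use --certificate-identity-regexp only if you deliberately want to accept several refs.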

- RELEASE.md: Correct certificate identity from release.yml@refs/tags/... to
  action-build.yml@refs/heads/main (matching actual OIDC behavior for reusable
  workflows). Replace .bundle-based instructions with .sig/.pem flags matching
  what is actually shipped in releases. Add step-by-step download/unpack/verify
  flow with explanatory note.
- installation.md: Add context about signing artifacts included in tarballs,
  link to cosign docs, and add explanatory note about certificate identity.
- sign/action.yml: Also copy .bundle file to dist/bin/ so it ships alongside
  .sig and .pem in release tarballs.

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update release verification instructions for wasmtime shim" to "Fix release verification docs and ship .bundle signing artifact" on Feb 24, 2026
@Mossaka Mossaka requested a review from Copilot February 24, 2026 23:33
Copilot AI left a comment

Pull request overview

This PR fixes critical issues in the release verification documentation where the certificate identity was incorrect and referenced non-existent .bundle files in verification commands. Users attempting to verify releases would have failed with the old documentation.

Changes:

  • Corrected the certificate identity from release.yml@refs/tags/... to action-build.yml@refs/heads/main to reflect how GitHub OIDC tokens work for reusable workflows
  • Updated verification commands to use .sig and .pem files instead of .bundle files, matching standard cosign patterns
  • Added .bundle files to the release tarball by copying them to dist/bin/ in the sign action

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

Reviewed files:

  • RELEASE.md: Updated verification instructions with correct certificate identity, replaced .bundle references with .sig/.pem flags, and added comprehensive download/unpack/verify steps with explanation of why action-build.yml@refs/heads/main is the correct identity
  • docs/src/getting-started/installation.md: Updated installation verification section with correct certificate identity and .sig/.pem flags, added explanatory note about reusable workflow behavior
  • .github/actions/sign/action.yml: Added cp *.bundle dist/bin/ to include bundle files in release artifacts alongside existing .sig and .pem files


Development

Successfully merging this pull request may close these issues.

Unclear release verification instructions

3 participants