Container images are no longer signed #214

@lbroudoux

Description

A few weeks ago (after the 1.13.0 release), we moved to sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 (the previous was 3.10.0), which now pulls a new version of cosign, 3.0.2.

Previously, we had cosign version 2.6.0, which produced the following logs:

Run images=""
  images=""
  for tag in ${TAGS}; do
    images+="${tag}@${DIGEST} "
  done
  cosign sign --yes ${images}
  shell: /usr/bin/bash -e {0}
  env:
    JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/21.0.8-9/x64
    JAVA_HOME_21_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/21.0.8-9/x64
    IMAGE_TAG: nightly
    DIGEST: sha256:359ee5e8da4fe41e1d3de33bf25b5867aad28d73e51c2614a2c31956129c1d30
    TAGS: quay.io/microcks/microcks:nightly docker.io/microcks/microcks:nightly
    COSIGN_EXPERIMENTAL: true
Generating ephemeral keys...
Retrieving signed certificate...
Successfully verified SCT...

	The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
	Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
	This may include the email address associated with the account with which you authenticate your contractual Agreement.
	This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
tlog entry created with index: 635232193
Pushing signature to: quay.io/microcks/microcks
Generating ephemeral keys...
Retrieving signed certificate...
Successfully verified SCT...
tlog entry created with index: 635232483
Pushing signature to: index.docker.io/microcks/microcks

and signed the image correctly.

Now, with the new cosign 3.0.2, we just have the following log:

Run images=""
  images=""
  for tag in ${TAGS}; do
    images+="${tag}@${DIGEST} "
  done
  cosign sign --yes ${images}
  shell: /usr/bin/bash -e {0}
  env:
    JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/21.0.9-10/x64
    JAVA_HOME_21_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/21.0.9-10/x64
    IMAGE_TAG: nightly
    DIGEST: sha256:979188833bf1d42be07cd96a0bccfd290c2da85e0f9a8d70398f0d5afc312d05
    TAGS: quay.io/microcks/microcks:nightly docker.io/microcks/microcks:nightly
    COSIGN_EXPERIMENTAL: true
Signing artifact...
Signing artifact...

after which nothing happens, and the container image is not signed ...
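As an added example (not the Microcks workflow's own step and not code posted by the issue author), here is a shell equivalent of the signing step that builds the same `tag@digest` references and then runs `cosign verify` on each one, so a CI job fails loudly when `cosign sign` prints `Signing artifact...` but leaves no signature behind. The `cosign sign --yes` and `cosign verify --certificate-identity ... --certificate-oidc-issuer ...` invocations are real cosign commands; the `build_image_refs` and `sign_and_verify` function names, the `COSIGN_BIN`, `CERT_IDENTITY` and `CERT_ISSUER` variables, and the placeholder workflow identity URL are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not the Microcks workflow: sign each tag@digest reference and
# then verify it, so the job fails if signing silently produced nothing.
set -eu

# Build the "repo:tag@sha256:<digest>" references, exactly as the workflow's
# loop does. Signing by digest rather than by mutable tag is what pins the
# signature to the bytes that were actually built.
build_image_refs() {
  digest="$1"; shift
  refs=""
  for tag in "$@"; do
    refs="${refs}${tag}@${digest} "
  done
  printf '%s' "${refs% }"
}

# Sign, then immediately verify, every reference passed as an argument.
# COSIGN_BIN lets a test substitute a stub binary (assumption for this example).
# CERT_IDENTITY / CERT_ISSUER describe the keyless (Fulcio) identity the
# workflow signs with; the identity URL below is a placeholder, not a value
# taken from the issue. The issuer is the GitHub Actions OIDC issuer.
sign_and_verify() {
  cosign="${COSIGN_BIN:-cosign}"
  identity="${CERT_IDENTITY:-https://github.com/EXAMPLE_ORG/EXAMPLE_REPO/.github/workflows/EXAMPLE.yml@refs/heads/main}"
  issuer="${CERT_ISSUER:-https://token.actions.githubusercontent.com}"
  failed=0
  for ref in "$@"; do
    # set -e aborts the job if cosign sign itself returns non-zero
    "$cosign" sign --yes "$ref"
    # The check the issue's log lacks: is a signature really attached?
    if "$cosign" verify \
         --certificate-identity "$identity" \
         --certificate-oidc-issuer "$issuer" \
         "$ref" >/dev/null 2>&1; then
      echo "verified: $ref"
    else
      echo "NOT SIGNED: $ref" >&2
      failed=1
    fi
  done
  return "$failed"
}

# Entry point mirrors the workflow env (DIGEST and TAGS); when both are set,
# run end to end. TAGS is intentionally word-split, as in the original step.
if [ -n "${DIGEST:-}" ] && [ -n "${TAGS:-}" ]; then
  # shellcheck disable=SC2086
  refs=$(build_image_refs "$DIGEST" $TAGS)
  # shellcheck disable=SC2086
  sign_and_verify $refs
fi
```

Drop this in place of the bare `cosign sign --yes ${images}` step and the job turns red on the 3.0.2 behaviour shown above instead of reporting success with unsigned images in both registries; `CERT_IDENTITY` must be set to the workflow's own identity for the verification to pass.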
