modelcontextprotocol · tadasant · Dec 11, 2025 · Dec 10, 2025
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -25,9 +25,7 @@ jobs:
           cache: true
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad
-        with:
-          cosign-release: "v2.6.1"
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Install Syft
         uses: anchore/sbom-action/[email protected]

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -95,26 +95,24 @@ signs:
     cmd: cosign
     args:
       - "sign-blob"
-      - "--output-signature=${signature}"
-      - "--output-certificate=${certificate}"
+      - "--bundle=${signature}" # cosign v3+: bundles signature and certificate together
       - "${artifact}"
       - "--yes" # needed on cosign 2.0.0+
     artifacts: archive
     output: true
-    certificate: '{{ trimsuffix (trimsuffix .Env.artifact ".zip") ".tar.gz" }}.pem'
-    
+    signature: "${artifact}.sigstore.json"
+
   # Also sign checksums file for additional verification
   - id: checksums
     cmd: cosign
     args:
       - "sign-blob"
-      - "--output-signature=${signature}"
-      - "--output-certificate=${certificate}"
+      - "--bundle=${signature}" # cosign v3+: bundles signature and certificate together
       - "${artifact}"
       - "--yes"
     artifacts: checksum
     output: true
-    certificate: '{{ trimsuffix .Env.artifact ".txt" }}.pem'
+    signature: "${artifact}.sigstore.json"
 
 # This section defines the release format.
 archives: