feat: Upgrade Sigstore from v2.6.1 to v3.0.2

morrison-sap · morrison-sap · commit 5ab37446fd49 · 2026-01-07T16:19:21.000+01:00
Upgrade all Sigstore dependencies from v2 to v3.

- Updated imports from cosign/v2 to cosign/v3:
  - github.com/sigstore/cosign/v3/cmd/cosign/cli/fulcio
  - github.com/sigstore/cosign/v3/cmd/cosign/cli/options
  - github.com/sigstore/cosign/v3/pkg/cosign

- Updated import from cosign/v2 to cosign/v3:
  - github.com/sigstore/cosign/v3/pkg/providers/all

- Removed: github.com/sigstore/cosign/v2 v2.6.1
- Added: github.com/sigstore/cosign/v3 v3.0.2

Checked entire codebase for v2 references:
```bash
grep -r "sigstore/cosign/v2" --include="*.go" --include="go.mod" --include="go.sum" .
```

This upgrade maintains signature compatibility:
- v3 can verify signatures created with v2 (backward compatible)
- v2 can verify signatures created with v3 (forward compatible)

Verified by compatibility test workflow using pre-signed components.

On-behalf-of: Gerald Morrison (SAP) &lt;gerald.morrison@sap.com&gt;
Signed-off-by: Gerald Morrison (SAP) &lt;gerald.morrison@sap.com&gt;
diff --git a/api/tech/signing/handlers/init.go b/api/tech/signing/handlers/init.go
@@ -1,7 +1,7 @@
 package handlers
 
 import (
-	_ "github.com/sigstore/cosign/v2/pkg/providers/all"
+	_ "github.com/sigstore/cosign/v3/pkg/providers/all"
 	_ "ocm.software/ocm/api/tech/signing/handlers/rsa"
 	_ "ocm.software/ocm/api/tech/signing/handlers/rsa-pss"
 	_ "ocm.software/ocm/api/tech/signing/handlers/rsa-pss-signingservice"
diff --git a/api/tech/signing/handlers/sigstore/handler.go b/api/tech/signing/handlers/sigstore/handler.go
@@ -14,9 +14,9 @@ import (
 	"github.com/go-openapi/strfmt"
 	"github.com/go-openapi/swag/conv"
 	"github.com/mandelsoft/goutils/errors"
-	"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"
-	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
-	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/sigstore/cosign/v3/cmd/cosign/cli/fulcio"
+	"github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v3/pkg/cosign"
 	"github.com/sigstore/rekor/pkg/client"
 	"github.com/sigstore/rekor/pkg/generated/client/entries"
 	"github.com/sigstore/rekor/pkg/generated/models"
