Updating the cosign library for Github Actions (#1752)

Johannes Tuchscherer · laverya · web-flow · commit 69889c376a9f · 2025-03-10T21:12:17.000Z
* Updating the cosign library for Github Actions

* we have decided to use rekor

---------

Co-authored-by: Andrew Lavery &lt;laverya@umich.edu&gt;
diff --git a/.github/workflows/build-test-deploy.yaml b/.github/workflows/build-test-deploy.yaml
@@ -233,10 +233,9 @@ jobs:
         with:
           go-version: "1.23"
 
-      - uses: sigstore/cosign-installer@v3
+      - uses: sigstore/cosign-installer@v3.8.1
         with:
-          # DO NOT USE v2 until we decide on whether to use Rekor or not
-          cosign-release: "v1.13.1"  # Binary version to install
+          cosign-release: "v2.4.3"  # Binary version to install
 
       - name: Get Cosign Key
         run: |
diff --git a/Makefile b/Makefile
@@ -241,8 +241,13 @@ sbom/assets/troubleshoot-sbom.tgz: generate-sbom
 	tar -czf sbom/assets/troubleshoot-sbom.tgz sbom/spdx/*.spdx
 
 sbom: sbom/assets/troubleshoot-sbom.tgz
-	cosign sign-blob -key cosign.key sbom/assets/troubleshoot-sbom.tgz > sbom/assets/troubleshoot-sbom.tgz.sig
-	cosign public-key -key cosign.key -outfile sbom/assets/key.pub
+	cosign sign-blob \
+		--key ./cosign.key \
+		--tlog-upload \
+		--yes \
+		--rekor-url=https://rekor.sigstore.dev \
+		sbom/assets/troubleshoot-sbom.tgz > sbom/assets/troubleshoot-sbom.tgz.sig
+	cosign public-key --key cosign.key --outfile sbom/assets/key.pub
 
 .PHONY: scan
 scan:
