Currently we sign our artifact twice: once in the cosign v2 signature format and once in the v3 (bundle) format. This is necessary to ensure that all cosign clients and other verification tools (e.g. slsactl and ArtifactHub) are able to verify the signatures. The good news is that the ArtifactHub team contacted us to tell us that they now support v3 format verification. Therefore, we can consider removing the v2 format signatures in the future.
Acceptance criteria
- Check if all known verification tools (e.g. slsactl) support the v3 signature format
- If all tools support the v3 format, remove the double signing from our CI files