CLI compatibility tracker WRT rekor v2 #4684

@jku

Description

I wanted to track and document the "compatibility" of cosign CLI as rekor v2 and related changes start to happen. The main question being: "will existing workflows that are based on calling cosign CLI break because the CLI changes?"

Current state WRT CLI changes:

  • cosign < 3.0:
    • existing workflows are unlikely to break when rekorv2 is enabled in signingconfig (as the client does not work with rekor v2 at all without some specific flags)
    • things will obviously start breaking for old cosign when the rekor v1 instance is made read-only but that's a future problem
  • cosign 3.0 - 3.0.4:
    • existing bundle signing flows (at least with public good instance) should keep working when signingconfig contains rekor v2 and a TSA: cosign will start signing with rekor 2 and will use a TSA -- @Hayden-IO was there anything to note here?
    • existing bundle verify flows will break when rekor v2 bundles appear because an additional --use-signed-timestamps is needed (fixed in #4666, "Automatically require signed timestamp with Rekor v2 entries")

I'm not very familiar with cosign and especially with the non-bundle flows, so I am not sure how they are affected: would appreciate insights on this.
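As an added illustration (not code from cosign or from this issue): a preflight check over a Sigstore bundle in JSON form that mirrors the reasoning behind the verify-flow fix referenced above. It treats a bundle as requiring signed-timestamp verification when a transparency log entry carries no inclusion promise (the assumption here being that Rekor v2 entries ship without a signed entry timestamp) and reports whether an RFC 3161 timestamp is present to satisfy that. Field names follow the Sigstore bundle JSON layout; the sample bundles are constructed placeholders, not real log data.

```python
import json

# Constructed sample bundles (placeholder values, not real Sigstore artifacts).
# BUNDLE_V1: Rekor v1 style entry with an inclusionPromise (SET).
# BUNDLE_V2: entry with only an inclusion proof plus an RFC 3161 timestamp.
# BUNDLE_V2_NO_TSA: same entry shape but no timestamp at all.
_MEDIA = "application/vnd.dev.sigstore.bundle.v0.3+json"
BUNDLE_V1 = json.dumps({"mediaType": _MEDIA, "verificationMaterial": {
    "tlogEntries": [{"logIndex": "1",
        "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"},
        "integratedTime": "1700000000",
        "inclusionPromise": {"signedEntryTimestamp": "PLACEHOLDER_SET"},
        "inclusionProof": {"logIndex": "1", "treeSize": "2"}}]}})
_V2_ENTRY = {"logIndex": "7",
    "kindVersion": {"kind": "hashedrekord", "version": "0.0.2"},
    "inclusionProof": {"logIndex": "7", "treeSize": "8"}}
BUNDLE_V2 = json.dumps({"mediaType": _MEDIA, "verificationMaterial": {
    "tlogEntries": [_V2_ENTRY],
    "timestampVerificationData": {
        "rfc3161Timestamps": [{"signedTimestamp": "PLACEHOLDER_TSR"}]}}})
BUNDLE_V2_NO_TSA = json.dumps({"mediaType": _MEDIA, "verificationMaterial": {
    "tlogEntries": [_V2_ENTRY]}})


def entries_without_set(bundle):
    """Log entries that carry no inclusionPromise (no signed entry timestamp).

    Assumption: such entries come from a log that does not issue SETs (Rekor v2),
    so the entry's time cannot be anchored without a separate signed timestamp.
    """
    vm = bundle.get("verificationMaterial", {})
    return [e for e in vm.get("tlogEntries", []) if "inclusionPromise" not in e]


def signed_timestamp_count(bundle):
    """Number of RFC 3161 timestamps bundled alongside the signature."""
    vm = bundle.get("verificationMaterial", {})
    tvd = vm.get("timestampVerificationData") or {}
    return len(tvd.get("rfc3161Timestamps", []))


def check_bundle(bundle_json):
    """Decide whether a bundle needs signed-timestamp verification and has it."""
    bundle = json.loads(bundle_json)
    requires = bool(entries_without_set(bundle))
    tsa = signed_timestamp_count(bundle)
    return {"requires_signed_timestamp": requires,
            "signed_timestamps": tsa,
            "ok": (tsa > 0) if requires else True}
```

A wrapper around an older cosign could run this before verification and pass --use-signed-timestamps only when `requires_signed_timestamp` is true, rather than changing every existing invocation.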
