Hayden B

Results 827 comments of Hayden B

```
head -c 128 < /dev/urandom > artifact
cosign sign-blob --signing-config signing_config_v0.2.json --trusted-root trusted_root.json --bundle artifact.sigstore.json --yes --key cosign.key artifact
cosign verify-blob --new-bundle-format --trusted-root trusted_root.json --bundle artifact.sigstore.json --key cosign.pub artifact...
```

Thanks y'all for the comments. I was a little preemptive putting this up; I need to fix e2e tests (they're failing because when the tlog isn't used, we use ed25519...

OCI 1.1 support is planned - https://github.com/sigstore/cosign/blob/main/specs/BUNDLE_SPEC.md

I'll also point out https://github.com/sigstore/cosign/issues/3927 as a solution for signatures as OCI artifacts, as the spec I linked is for attestations. @ChristianCiach, adapting based on feedback from consumers and evolving...

Note: This is necessary for testing Rekor v2.

I'm supportive of this! A few thoughts:

* This verifier should be written based on sigstore-go and we should further prune dependencies there
* I think this verifier should be...

We should confirm that local/offline verification of container images still works, and update `save` to pull referring artifacts.

> `--new-bundle-format` in V3 breaks current bootc images that use cosign verification. It also breaks cosign v2 verification without changing args.
>
> To avoid stranded users, we will need...

> > ```
> > * How are we making people's lives easier?
> > ```
>
> Congrats on v3!
>
> Speaking as Debian maintainer of Sigstore-related packages...

We touched on some of these points in https://blog.sigstore.dev/cosign-3-0-available/, but I'll highlight the main ones. One of the goals with Cosign v3 was conformance with other Sigstore SDKs. The bundle...