
Unable to verify signature from cosign v3.x

Open trexx opened this issue 2 months ago • 2 comments

Using the example from here regarding keyless signing: https://fluxcd.io/flux/flux-gh-action/#push-and-sign-kubernetes-manifests-to-container-registries

It seems cosign has introduced and enabled some breaking changes in v3 which renders its signatures incompatible with the latest version of source-controller (1.7.2). The action by default will install the latest version and cause validation with source-controller to fail.

To get syncing working again, I have overridden the default and selected 2.6.1 to be installed, which gets syncing working again.

trexx avatar Oct 19 '25 08:10 trexx

Thanks for the report @trexx, we'll update the docs and pin the cosign version to 2.6.1. Cosign v3 was released after Flux 2.7; we'll work on making Flux source-controller compatible with the new signature format in Flux 2.8.

stefanprodan avatar Oct 20 '25 12:10 stefanprodan

Another option is to use cosign v3 and force it to use the old bundle format like this:

```shell
cosign sign --new-bundle-format=false --use-signing-config=false ...
```

sebhoss avatar Nov 12 '25 06:11 sebhoss
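Both workarounds from this thread, placed into a GitHub Actions job in the shape of the linked Flux docs example. This is an added illustration, not the Flux project's own workflow or text from the issue; it assumes the `cosign-release` input of `sigstore/cosign-installer`, the `fluxcd/flux2/action` installer for the Flux CLI, and a GHCR repository path that is a placeholder.

```yaml
# Added example (not from the Flux docs or this issue). Assumes:
#   - sigstore/cosign-installer's `cosign-release` input
#   - fluxcd/flux2/action to install the flux CLI
#   - ghcr.io/<owner>/<repo>/manifests as a placeholder OCI repository
permissions:
  contents: read
  packages: write
  id-token: write   # keyless cosign signing uses the GitHub OIDC token

jobs:
  push-and-sign:
    runs-on: ubuntu-latest
    env:
      OCI_REPO: ghcr.io/${{ github.repository }}/manifests
    steps:
      - uses: actions/checkout@v4
      - uses: fluxcd/flux2/action@main

      # Workaround A (what the reporter did): pin cosign to the last v2 release,
      # so the signature is written in the bundle format that
      # source-controller 1.7.x can verify. Leaving `cosign-release` unset
      # installs the latest release (v3), which is what broke verification.
      - uses: sigstore/cosign-installer@v3
        with:
          cosign-release: 'v2.6.1'

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push manifests as an OCI artifact
        run: |
          flux push artifact "oci://${OCI_REPO}:${{ github.sha }}" \
            --path=./kustomize \
            --source="${{ github.server_url }}/${{ github.repository }}" \
            --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"

      - name: Sign keyless (cosign v2.x, legacy format by default)
        run: cosign sign --yes "${OCI_REPO}:${{ github.sha }}"

      # Workaround B (sebhoss): keep the latest cosign (v3) but force the
      # legacy output. Use this step instead of the one above when
      # `cosign-release` is not pinned.
      # - name: Sign keyless (cosign v3, forced legacy format)
      #   run: |
      #     cosign sign --yes --new-bundle-format=false --use-signing-config=false \
      #       "${OCI_REPO}:${{ github.sha }}"
```

Whichever step is used, the OCIRepository in the cluster still needs `spec.verify.provider: cosign` for source-controller to check the signature; only the producer side changes here.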