Missing or no-op Cosign v3 equivalent commands

Open apyrgio opened this issue 3 months ago • 5 comments

While experimenting a bit with Cosign v3, I realized that there are some Cosign v2 commands that no longer have an equivalent, if an image was signed with the new Sigstore bundle format:

  • cosign [download|attach] signature: It will fail since it expects to read/write a manifest with tag sha256-<digest>.sig
  • cosign save: It will download the image layers, but not the Sigstore bundle

Is there a plan to make these commands work with Cosign v3 or v4 in the future?

apyrgio, Oct 14 '25 19:10

Also flagging that cosign tree has not been updated.

Hayden-IO, Oct 22 '25 12:10

Another issue-4507 also mentions that the cosign delete command may have the same problem

b3n3d17, Oct 30 '25 12:10

cosign save and delete have not been updated, but now that https://github.com/sigstore/cosign/pull/4477 has landed I think everything else mentioned here is covered.

steiza, Nov 04 '25 15:11

Also https://github.com/sigstore/cosign/issues/4553, cosign triangulate

Hayden-IO, Dec 01 '25 05:12

Also #4564 cosign copy

Munken, Dec 07 '25 19:12