
Bump sigstore lib from v2 to v3 #810

@morri-son

Description

Sigstore cosign introduced a new major release v3 that we should consume.

Impact
Scenarios using the CLI in interactive mode are not affected at all. For CI usage in GH actions, users now need to actively hand over the OIDC token using the env variable SIGSTORE_ID_TOKEN. In all other CI environments this was already required with cosign v2, so no change is required.

Task

  • Change import from cosign v2 to v3
  • Give very detailed description in PR about the CI breaking change and how to mitigate it.

Dependencies
open-component-model/ocm#1535 should be done with the same release as it will also introduce a breaking change when correcting the public key issue which will change the signature / validation.

Done Criteria

  • ...
  • Code has been reviewed by other team members
  • Analysis of existing tests (Unit and Integration)
  • Unit Tests created for new code or existing Unit Tests updated
  • Integration Test Suite updated (includes deletion of existing unnecessary Integration Test and/or creation of new ones if required)
  • Enduser Documentation updated (if applicable)
  • Internal technical Documentation created/updated (if applicable)
  • Successful demonstration in Review
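The Impact section above says that with cosign v3 a GitHub Actions job can no longer rely on the library picking up the runner's OIDC token by itself; the workflow has to request the token and hand it over in SIGSTORE_ID_TOKEN. The following workflow fragment is an added example, not code from this issue or from the OCM project: it requests the job's OIDC token from the GitHub Actions token endpoint with the `sigstore` audience, masks it in the log, and exports it as SIGSTORE_ID_TOKEN for the signing step. The job and step names, the use of `curl` and `jq`, and the placeholder signing command are assumptions; the `id-token: write` permission and the `ACTIONS_ID_TOKEN_REQUEST_URL` / `ACTIONS_ID_TOKEN_REQUEST_TOKEN` variables are the standard GitHub Actions OIDC mechanism.

```yaml
# Added example (not from the issue or the OCM project): hand the runner's
# OIDC token to a cosign v3 based signing step via SIGSTORE_ID_TOKEN.
name: sign-component

on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  id-token: write   # required so the job may request an OIDC token at all

jobs:
  sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Request OIDC token for sigstore
        # The token endpoint URL already carries a query string, so the
        # audience is appended with '&'. Fulcio expects audience "sigstore".
        run: |
          set -euo pipefail
          token="$(curl -sSf \
            -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=sigstore" | jq -r '.value')"
          # Keep the short-lived token out of the job log before exporting it.
          echo "::add-mask::${token}"
          echo "SIGSTORE_ID_TOKEN=${token}" >> "${GITHUB_ENV}"

      - name: Sign with keyless sigstore
        # Placeholder (assumption): replace with the project's actual signing
        # command. The step only needs SIGSTORE_ID_TOKEN to be present.
        run: |
          test -n "${SIGSTORE_ID_TOKEN:?OIDC token was not exported}"
          <your signing command here>
```

The token is scoped to this job run and expires within minutes, so exporting it through `GITHUB_ENV` only exposes it to later steps of the same job; a step running before the request step still has no token, which is the failure mode the Impact section describes for jobs that were not updated.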

Metadata
Labels: area/ipcei (Important Project of Common European Interest), kind/task (small task, normally part of feature or epic)

Status: 🔍 Review
