docs(release): cosign.pub URL must be anonymously fetchable + clarify verify "offline" (#83) #84
Closes #83.
Summary
Documentation cleanup capturing the actual root cause that #81 / #82 chased: the "no known key found for this signature in database" symptom was repo-visibility, not anything cosign was doing wrong.
What changed in docs/ci.md

- "Release pipeline": `cosign.pub` URL must return the raw PEM to an unauthenticated GET. Either the repo is public, or `cosign.pub` is republished from a separate world-readable location.
- `SignedEntryTimestamp` into the signature bundle at sign time and validates it against Sigstore's well-known Rekor public key at verify time, without a network call. Same cryptographic guarantee.

What changed in ADR-0014

A new negative-consequence bullet capturing the repo-visibility coupling: the release-notes verify command assumes anonymous reachability of `cosign.pub`. Points at the new troubleshooting section.

Acceptance criteria

- `docs/ci.md` has the prerequisite callout under "Verifying a published image".
- `docs/ci.md` has a Troubleshooting section for the "no known key" symptom.

Why not also fix #82's stated cause?

PR #82's `--tlog-upload=true` change was still correct — sigs are now genuinely in Rekor (`logIndex: 1854384861` confirmed on the rc.2 sign step output), and `cosign verify` reports `Existence of the claims in the transparency log was verified offline` against the embedded proof. That fix earns its keep; we just attributed the user-visible symptom to it incorrectly. This PR leaves #82 alone and adds the missing prereq separately.
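A preflight check for the prerequisite this PR documents, as an added example that is not part of the PR or of the repo's docs: it fetches the `cosign.pub` URL with no credentials, refuses anything that is not a raw PEM public key (for instance a login page or a blob-viewer HTML page from a private repo), and only then runs `cosign verify`. It assumes `curl` and `cosign` on PATH; the `PUBKEY_URL` and `IMAGE` values are placeholders.

```shell
#!/bin/sh
# Added example, not the project's own script. Checks that the cosign.pub URL
# is anonymously fetchable and returns a raw PEM key before cosign verify runs.

# Return 0 only if $1 is a raw PEM public key body, not an HTML wrapper.
# cosign --key <url> needs the bare PEM; an HTML page that merely contains
# the key (login form, blob viewer) is rejected even though it has the markers.
is_raw_pem_pubkey() {
  body=$1
  case $body in
    *"<html"*|*"<HTML"*|*"<!DOCTYPE"*|*"<!doctype"*) return 1 ;;
  esac
  case $body in
    *"-----BEGIN PUBLIC KEY-----"*"-----END PUBLIC KEY-----"*) return 0 ;;
  esac
  return 1
}

# Unauthenticated GET: -s silent, -f fail on 4xx/5xx, -L follow a few redirects.
# No tokens or cookies are passed, so this sees exactly what cosign will see.
fetch_anonymous() {
  curl -sfL --max-redirs 3 -H "Accept: text/plain" "$1"
}

# Exit 2 if the URL is not reachable anonymously, 3 if it is reachable but
# does not return a raw PEM public key; 0 when the prerequisite holds.
preflight_pubkey() {
  url=$1
  body=$(fetch_anonymous "$url") || {
    echo "cosign.pub is not anonymously reachable: $url" >&2; return 2; }
  is_raw_pem_pubkey "$body" || {
    echo "URL did not return a raw PEM public key (private repo or HTML viewer?): $url" >&2
    return 3; }
  return 0
}

# Preflight, then verify. cosign resolves --key from the URL itself; the
# transparency-log claim is checked against the bundled proof, no Rekor call.
verify_published_image() {
  PUBKEY_URL=${PUBKEY_URL:-https://example.invalid/cosign.pub}            # placeholder
  IMAGE=${IMAGE:-registry.example.invalid/app@sha256:PLACEHOLDER_DIGEST}  # placeholder
  preflight_pubkey "$PUBKEY_URL" || return $?
  cosign verify --key "$PUBKEY_URL" "$IMAGE"
}
```

Call it as `PUBKEY_URL=https://… IMAGE=… sh -c '. ./preflight.sh; verify_published_image'`; a non-zero exit before `cosign verify` runs means the key URL, not cosign, is the problem.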