Sign images using Cosign v2

alemorcuq · alemorcuq · commit 845b4dff5796 · 2023-04-12T11:11:40.000+02:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -128,7 +128,7 @@ jobs:
       uses: actions/checkout@v3.1.0
 
     - name: Install Cosign
-      uses: sigstore/cosign-installer@v2.7.0
+      uses: sigstore/cosign-installer@v3.0.2
 
     - name: Distroless verify
       run: |
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -60,7 +60,7 @@ jobs:
 
       # Setup Cosign
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v2.7.0
+        uses: sigstore/cosign-installer@v3.0.2
       - name: Write Cosign key
         run: echo "$COSIGN_KEY" > /tmp/cosign.key
         env:
@@ -134,7 +134,7 @@ jobs:
           tags: ${{ steps.meta_kubeseal.outputs.tags }}
       - name: Sign controller image with a key in GHCR
         run: |
-          echo -n "$COSIGN_PASSWORD" | cosign sign --key /tmp/cosign.key $TAG_CURRENT
+          echo -n "$COSIGN_PASSWORD" | cosign sign --key /tmp/cosign.key --yes $TAG_CURRENT
         env:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
           TAG_CURRENT: ${{ steps.meta_controller.outputs.tags }}
diff --git a/README.md b/README.md
@@ -716,6 +716,8 @@ kubeseal <mysecret.json >mysealedsecret.json
 
 Our images are being signed using [cosign](https://github.com/sigstore/cosign). The signatures have been saved in our [GitHub Container Registry](https://ghcr.io/bitnami-labs/sealed-secrets-controller/signs).
 
+> Images up to and including v0.20.2 were signed using Cosign v1. Newer images are signed with Cosign v2.
+
 It is pretty simple to verify the images:
 
 ```bash
