aquaproj · suzuki-shunsuke · Mar 21, 2024 · Mar 20, 2024 · Mar 20, 2024 · Mar 20, 2024
diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
@@ -9,7 +9,7 @@ on:
       - aqua/imports/reviewdog.yaml
 jobs:
   actionlint:
-    uses: suzuki-shunsuke/actionlint-workflow/.github/workflows/actionlint.yaml@b6a5f966d4504893b2aeb60cf2b0de8946e48504 # v0.5.0
+    uses: suzuki-shunsuke/actionlint-workflow/.github/workflows/actionlint.yaml@beaeeecc42b2645b4c8ecf9d9692fabb16a5eadd # v0.5.1
     with:
       aqua_version: v2.25.0
       aqua_policy_allow: true

diff --git a/.github/workflows/debug-with-action-tmate.yaml b/.github/workflows/debug-with-action-tmate.yaml
@@ -23,7 +23,7 @@ jobs:
         if: inputs.pr_number != ''
         env:
           GITHUB_TOKEN: ${{github.token}}
-      - uses: aquaproj/aqua-installer@7c7338067bdb97d5bea2acc82b5870afca470d18 # v2.3.0
+      - uses: aquaproj/aqua-installer@fd2089d1f56724d6456f24d58605e6964deae124 # v2.3.2
         with:
           aqua_version: v2.25.0
         env:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -6,7 +6,7 @@ on:
 permissions: {}
 jobs:
   release:
-    uses: suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml@dc7096a64b1f1f8426fe836000f291e8b37dae3a # v0.5.0
+    uses: suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml@054a40b66dd01c1fd552c915e31a5ecbfe801791 # v0.5.1
     with:
       homebrew: true
       go-version: 1.22.1

diff --git a/.github/workflows/wc-ghalint.yaml b/.github/workflows/wc-ghalint.yaml
@@ -10,7 +10,7 @@ jobs:
     permissions: {}
     steps:
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-      - uses: aquaproj/aqua-installer@7c7338067bdb97d5bea2acc82b5870afca470d18 # v2.3.0
+      - uses: aquaproj/aqua-installer@fd2089d1f56724d6456f24d58605e6964deae124 # v2.3.2
         with:
           aqua_version: v2.25.0
         env:

diff --git a/.github/workflows/wc-go-mod-tidy.yaml b/.github/workflows/wc-go-mod-tidy.yaml
@@ -9,7 +9,7 @@ on:
         required: true
 jobs:
   go-mod-tidy:
-    uses: suzuki-shunsuke/go-mod-tidy-workflow/.github/workflows/go-mod-tidy.yaml@8facac38f5b2008648c14e31c632c3a709439b9c # v0.1.1
+    uses: suzuki-shunsuke/go-mod-tidy-workflow/.github/workflows/go-mod-tidy.yaml@a5c2fa84515541e6abd8d746d948e251400404a6 # v0.1.2
     with:
       go-version: 1.22.1
       aqua_version: v2.25.0

diff --git a/.github/workflows/wc-integration-test.yaml b/.github/workflows/wc-integration-test.yaml
@@ -1,6 +1,9 @@
 ---
 name: integration-test
 on: workflow_call
+env:
+  AQUA_DISABLE_COSIGN: "true"
+  AQUA_DISABLE_SLSA: "true"
 jobs:
   integration-test:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/wc-update-aqua-checksums.yaml b/.github/workflows/wc-update-aqua-checksums.yaml
@@ -10,7 +10,7 @@ on:
 jobs:
   update-aqua-checksums:
     # Update aqua-checksums.json and push a commit
-    uses: aquaproj/update-checksum-workflow/.github/workflows/update-checksum.yaml@3598c506108a2e0e9e31a0c6ef9c202c77049420 # v0.1.9
+    uses: aquaproj/update-checksum-workflow/.github/workflows/update-checksum.yaml@6b620c8ceb97e4ae8f256ea24056edc4d2524bd3 # v0.1.10
     permissions:
       contents: read
     with:

diff --git a/.github/workflows/windows-test.yaml b/.github/workflows/windows-test.yaml
@@ -34,7 +34,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{github.token}}
 
-      - uses: aquaproj/aqua-installer@7c7338067bdb97d5bea2acc82b5870afca470d18 # v2.3.0
+      - uses: aquaproj/aqua-installer@fd2089d1f56724d6456f24d58605e6964deae124 # v2.3.2
         if: inputs.aqua_version != ''
         with:
           aqua_version: ${{inputs.aqua_version}}
@@ -121,7 +121,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{github.token}}
 
-      - uses: aquaproj/aqua-installer@7c7338067bdb97d5bea2acc82b5870afca470d18 # v2.3.0
+      - uses: aquaproj/aqua-installer@fd2089d1f56724d6456f24d58605e6964deae124 # v2.3.2
         if: inputs.aqua_version != ''
         with:
           aqua_version: ${{inputs.aqua_version}}

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -31,10 +31,9 @@ signs:
     signature: ${artifact}.sig
     certificate: ${artifact}.pem
     output: true
-    env:
-      - COSIGN_EXPERIMENTAL=1
     args:
       - sign-blob
+      - "-y"
       - --output-signature
       - ${signature}
       - --output-certificate

diff --git a/aqua/aqua-checksums.json b/aqua/aqua-checksums.json
@@ -131,28 +131,28 @@
       "algorithm": "sha256"
     },
     {
-      "id": "github_release/github.com/sigstore/cosign/v1.13.2/cosign-darwin-amd64",
-      "checksum": "5A77CF6F5411AC8038F3DD2EB96E54E879026F6038A5D6A385DE2351E17F34EF",
+      "id": "github_release/github.com/sigstore/cosign/v2.2.3/cosign-darwin-amd64",
+      "checksum": "2429F4B027FC311A6324E9DB6FB3A937D559DC61DE906A1C2D0D1E0671685E4C",
       "algorithm": "sha256"
     },
     {
-      "id": "github_release/github.com/sigstore/cosign/v1.13.2/cosign-darwin-arm64",
-      "checksum": "68703D61A1E8006E4EBEF4222B82C1214DF446795FF39CD081CA5D59384A5A60",
+      "id": "github_release/github.com/sigstore/cosign/v2.2.3/cosign-darwin-arm64",
+      "checksum": "3D95AB46D4C4CC55E6465758C238DC03F830CC8A1FC38BC7A33BC203E0FB2C3B",
       "algorithm": "sha256"
     },
     {
-      "id": "github_release/github.com/sigstore/cosign/v1.13.2/cosign-linux-amd64",
-      "checksum": "9B0F52ABB2E6D79529F37646E524A35A409DC811D2CDEC7EF5BE2DC5130489C0",
+      "id": "github_release/github.com/sigstore/cosign/v2.2.3/cosign-linux-amd64",
+      "checksum": "F669F41176CB1D58BB6A3FDB06E24861540CFDB5A571B4EC5EB2218B0DF5D304",
       "algorithm": "sha256"
     },
     {
-      "id": "github_release/github.com/sigstore/cosign/v1.13.2/cosign-linux-arm64",
-      "checksum": "3C109B66788686DD81F3E445439215532A8BB3E14A54EFB6B65382B0E3578F5E",
+      "id": "github_release/github.com/sigstore/cosign/v2.2.3/cosign-linux-arm64",
+      "checksum": "B088D676F0C0123B8C348E18D421CF966020EDC4977A486115A12643DEA99A3F",
       "algorithm": "sha256"
     },
     {
-      "id": "github_release/github.com/sigstore/cosign/v1.13.2/cosign-windows-amd64.exe",
-      "checksum": "F16868B69C85BBA30CBAF023885398A2A258002BAABB0709CCE1D60491171765",
+      "id": "github_release/github.com/sigstore/cosign/v2.2.3/cosign-windows-amd64.exe",
+      "checksum": "F7F272D56C580B0EC96F59BFE9F88EC5F42B6E195DF009CE3417428E0E0DEAD1",
       "algorithm": "sha256"
     },
     {

diff --git a/aqua/imports/cosign.yaml b/aqua/imports/cosign.yaml
@@ -1,4 +1,2 @@
 packages:
-  - name: sigstore/cosign@v1.13.2
-    update:
-      enabled: false
+  - name: sigstore/cosign@v2.2.3
diff --git a/pkg/config/cosign.go b/pkg/config/cosign.go
@@ -20,10 +20,9 @@ func (p *Package) RenderCosign(cos *registry.Cosign, rt *runtime.Runtime) (*regi
 	}
 
 	return &registry.Cosign{
-		CosignExperimental: cos.CosignExperimental,
-		Signature:          cos.Signature,
-		Certificate:        cos.Certificate,
-		Key:                cos.Key,
-		Opts:               opts,
+		Signature:   cos.Signature,
+		Certificate: cos.Certificate,
+		Key:         cos.Key,
+		Opts:        opts,
 	}, nil
 }
diff --git a/pkg/config/registry/cosign.go b/pkg/config/registry/cosign.go
@@ -8,12 +8,11 @@ import (
 )
 
 type Cosign struct {
-	Enabled            *bool           `json:"enabled,omitempty"`
-	CosignExperimental bool            `yaml:"cosign_experimental" json:"cosign_experimental,omitempty"`
-	Opts               []string        `json:"opts,omitempty"`
-	Signature          *DownloadedFile `json:"signature,omitempty"`
-	Certificate        *DownloadedFile `json:"certificate,omitempty"`
-	Key                *DownloadedFile `json:"key,omitempty"`
+	Enabled     *bool           `json:"enabled,omitempty"`
+	Opts        []string        `json:"opts,omitempty"`
+	Signature   *DownloadedFile `json:"signature,omitempty"`
+	Certificate *DownloadedFile `json:"certificate,omitempty"`
+	Key         *DownloadedFile `json:"key,omitempty"`
 }
 
 type DownloadedFile struct {
@@ -31,7 +30,7 @@ func (c *Cosign) GetEnabled() bool {
 	if c.Enabled != nil {
 		return *c.Enabled
 	}
-	return len(c.Opts) != 0 || c.Signature != nil || c.Certificate != nil || c.Key != nil || c.CosignExperimental
+	return len(c.Opts) != 0 || c.Signature != nil || c.Certificate != nil || c.Key != nil
 }
 
 func (c *Cosign) RenderOpts(rt *runtime.Runtime, art *template.Artifact) ([]string, error) {

diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
@@ -55,6 +55,7 @@ func (v *Verifier) Verify(ctx context.Context, logE *logrus.Entry, rt *runtime.R
 		logE.Debug("verification with cosign is disabled")
 		return nil
 	}
+
 	opts, err := cos.RenderOpts(rt, art)
 	if err != nil {
 		return fmt.Errorf("render cosign options: %w", err)
@@ -118,14 +119,12 @@ func (v *Verifier) Verify(ctx context.Context, logE *logrus.Entry, rt *runtime.R
 	}
 
 	if err := v.verify(ctx, logE, &ParamVerify{
-		Opts:               opts,
-		CosignExperimental: cos.CosignExperimental,
-		Target:             verifiedFilePath,
+		Opts:   opts,
+		Target: verifiedFilePath,
 	}); err != nil {
 		return fmt.Errorf("verify a signature file with Cosign: %w", logerr.WithFields(err, logrus.Fields{
-			"cosign_opts":         strings.Join(opts, ", "),
-			"cosign_experimental": cos.CosignExperimental,
-			"target":              verifiedFilePath,
+			"cosign_opts": strings.Join(opts, ", "),
+			"target":      verifiedFilePath,
 		}))
 	}
 	return nil
@@ -136,19 +135,18 @@ type Executor interface {
 }
 
 type ParamVerify struct {
-	CosignExperimental bool
-	Opts               []string
-	Target             string
-	CosignExePath      string
+	Opts          []string
+	Target        string
+	CosignExePath string
 }
 
 var errVerify = errors.New("verify with Cosign")
 
-func (v *Verifier) exec(ctx context.Context, args, envs []string) (string, error) {
+func (v *Verifier) exec(ctx context.Context, args []string) (string, error) {
 	// https://github.com/aquaproj/aqua/issues/1555
 	mutex.Lock()
 	defer mutex.Unlock()
-	out, _, err := v.executor.ExecWithEnvsAndGetCombinedOutput(ctx, v.cosignExePath, args, envs)
+	out, _, err := v.executor.ExecWithEnvsAndGetCombinedOutput(ctx, v.cosignExePath, args, nil)
 	return out, err //nolint:wrapcheck
 }
 
@@ -166,14 +164,10 @@ func wait(ctx context.Context, logE *logrus.Entry, retryCount int) error {
 }
 
 func (v *Verifier) verify(ctx context.Context, logE *logrus.Entry, param *ParamVerify) error {
-	envs := []string{}
-	if param.CosignExperimental {
-		envs = []string{"COSIGN_EXPERIMENTAL=1"}
-	}
 	args := append([]string{"verify-blob"}, append(param.Opts, param.Target)...)
 	for i := 0; i < 5; i++ {
 		// https://github.com/aquaproj/aqua/issues/1554
-		if _, err := v.exec(ctx, args, envs); err == nil {
+		if _, err := v.exec(ctx, args); err == nil {
 			return nil
 		}
 		if i == 4 { //nolint:gomnd

diff --git a/pkg/cosign/verify_test.go b/pkg/cosign/verify_test.go
@@ -57,7 +57,6 @@ func TestVerifier_Verify(t *testing.T) { //nolint:funlen
 				RootDir: "/home/foo/.local/share/aquaproj-aqua",
 			},
 			cos: &registry.Cosign{
-				CosignExperimental: true,
 				Opts: []string{
 					"--signature",
 					"https://github.com/aquaproj/aqua-installer/releases/download/{{.Version}}/aqua-installer.sig",
@@ -96,7 +95,6 @@ func TestVerifier_Verify(t *testing.T) { //nolint:funlen
 				RootDir: "/home/foo/.local/share/aquaproj-aqua",
 			},
 			cos: &registry.Cosign{
-				CosignExperimental: true,
 				Signature: &registry.DownloadedFile{
 					Type:  "github_release",
 					Asset: ptr.String("aqua-installer.sig"),

diff --git a/pkg/cosign/version.go b/pkg/cosign/version.go
@@ -1,13 +1,13 @@
 package cosign
 
-const Version = "v1.13.2"
+const Version = "v2.2.3"
 
 func Checksums() map[string]string {
 	return map[string]string{
-		"darwin/amd64":  "5A77CF6F5411AC8038F3DD2EB96E54E879026F6038A5D6A385DE2351E17F34EF",
-		"darwin/arm64":  "68703D61A1E8006E4EBEF4222B82C1214DF446795FF39CD081CA5D59384A5A60",
-		"linux/amd64":   "9B0F52ABB2E6D79529F37646E524A35A409DC811D2CDEC7EF5BE2DC5130489C0",
-		"linux/arm64":   "3C109B66788686DD81F3E445439215532A8BB3E14A54EFB6B65382B0E3578F5E",
-		"windows/amd64": "F16868B69C85BBA30CBAF023885398A2A258002BAABB0709CCE1D60491171765",
+		"darwin/amd64":  "2429F4B027FC311A6324E9DB6FB3A937D559DC61DE906A1C2D0D1E0671685E4C",
+		"darwin/arm64":  "3D95AB46D4C4CC55E6465758C238DC03F830CC8A1FC38BC7A33BC203E0FB2C3B",
+		"linux/amd64":   "F669F41176CB1D58BB6A3FDB06E24861540CFDB5A571B4EC5EB2218B0DF5D304",
+		"linux/arm64":   "B088D676F0C0123B8C348E18D421CF966020EDC4977A486115A12643DEA99A3F",
+		"windows/amd64": "F7F272D56C580B0EC96F59BFE9F88EC5F42B6E195DF009CE3417428E0E0DEAD1",
 	}
 }