CLOUDP-354456 - Conform kubectl-mongodb signing to new 3.0.2 version of cosign (#555)

MaciejKaras · Julien-Ben · web-flow · commit b47894435713 · 2025-10-29T16:58:42.000+01:00
# Summary Due to the [bug](sigstore/cosign#3371) in `cosign` we wanted to upgrade it to newer `3.0.2` version. Because of major version change `cosign sign-blob` and `cosign verify-blob` commands now [require](https://github.com/sigstore/cosign/releases/tag/v3.0.1) specifying `--bundle` that will contain both signature and some other information. In this PR we start using `--bundle` flag when signing and verifying `kubectl-mongodb` binaries. The contents of the new bundle: ```json { "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": { "publicKey": { "hint": "AU1VLmJtWc+qqAKpD3BfZ81beo7rZ2hAI54Z+0Dz8Vw=" } }, "messageSignature": { "messageDigest": { "algorithm": "SHA2_256", "digest": "XXQAwZCjdATTeHFH29uYN1MSAm1LP27/AiDkl9YKfqs=" }, "signature": "TUs36qhf5p2fuVPuogl3bAslg0bycy+I8Ul1JwqHvAffpjKwXDNdXk9/OdjoiZrwhKqVrutQOpLac4JK+NQpEab7EfOZdRfX1SqurM4kE0izPg/SWJ2Me1LLXT6/nCnG+n5buKIJzw6EGOjcAlzC3P6ok08mJp6s57DTeDVv3uBl6RCv3GqR5uLzXNSCHgo/pZBSIUcNzAGqM6FZsgUhH9uiCDH9nzWwyuqfOF8DDJ+W1BT0gqP0Zs+qVtS2+MmYH9mx9a2MQ4ph8PgrTiqgZOxQX6QTmZ8/YTAPj1gmRLrYj+B9QW0XDAEiBuhJC6EyBWU5QpZaT0X5CvtPIhsF3qvCZrIkccnuUKdebHkrKPycGp5vHnkXfFra4SMdQH1yXduGMNrCA+grJ7DQ7uwoRSHIHnkQQlThZC0SjtFb0Qri+D0ExXIPiRcC/86KB5na/9tdaiwrKKEQF0KpV61vUE8iruQxttc1GllRSWPWFKS2do8s/xGc3HzKkriauGkVSI25S72zlvbQxtuosTmqIDHHH6z7jeY0cMUPr+wt1Vg+DU8InpL8SYfgN20swLn9lvBIucu6C/Cax/lC9FkWL8C6rTN8wcD1jsHrSeuais1sT/9grbyUo2pgU701CbpD3NhyFpd9MPO0Lkbzk+/ZYVFgCfQdVLL5ai9dNevX0R4=" } } ``` Previous signature only file: >bsQWZtrco0D3LpUWk0kYcPq1J3hnBl9xez2//gse5M4/4VCQW/5HM7nvBktM9WO1fJDrkKzFqbYk994nj5OHOchSj8vudcyy9TMzTROc0jZyr5wnw3buhTYvCVHvfO50x/0y1ST6fyidxG4IBRz3yidqzxckHn0MecHKvDrrycB2Qzh0oipb6sCLPH7uBhpi6Kjla5FQfjlQ/rRdUW+gk9rnYSBzAJ157tgmsl1ReWlUTwD0lHxeozQ5BTD1AZ7I/Z48wU5YmOjsWO+xyjjq3lW2B+tUB8ddN2u2Sq1uiuH2djFFsOOQutCXclqVgXC7you5jjJ18Tm30oTyRrkLk4xtqIWrqMLa0p15XZpCMErmMv7j0tJr8DsFsXrYq7gep+eBu5i6jEP6y6re1cFNDpOWrFWmLM6PrHBv6I5K/Gfw2sSmqPG10wkQRLMvhhL4lHa7+oevA+x76VpgrYXH8KtVfaGAyw9v+houiVtsYPJJ9NzWAJicIkU9gyVvShsSidQElU7ije7MFhCAWyACJ30sDDOuKEAkKEsEnARMflA5k40ZOT0oIMG03+50UhRC3ERB6Yjff+X4ows59qc8G1i1ArUiL7eIpH3oKvDJsJ9Q6MXE9GdPbLNI/BMupkBucEq0o0dlSW0VXOzJRiAOu4JBg/kv1E1/p4f4z4y2J/I= Additionally I had to disable sending tlog based on [Release Tools team requirement](https://docs.devprod.prod.corp.mongodb.com/release-tools-container-images/garasign/garasign_signing#:~:text=Please%20note%20that%20all%20teams%20should%20not%20upload%20any%20material%20to%20Sigstore%27s%20public%20transparency%20log%20by%20setting%20the%20%2D%2Dtlog%2Dupload%20flag%20to%20false.) >Please note that all teams should not upload any material to Sigstore's public transparency log by setting the --tlog-upload flag to false ## Proof of Work Passing signing and verifying steps of [release_kubectl_mongodb_plugin](https://spruce.mongodb.com/task/mongodb_kubernetes_release_kubectl_mongodb_plugin_release_kubectl_mongodb_plugin_patch_061775975fc7f55815982e3119c1a9fed60a4297_68ff916a0254e00007fdb89b_25_10_27_15_36_12/logs?execution=0). ## Checklist - [x] Have you linked a jira ticket and/or is the ticket in the title? - [x] Have you checked whether your jira ticket required DOCSP changes? - [x] https://jira.mongodb.org/browse/DOCSP-55017 - [x] Have you added changelog file? - use `skip-changelog` label if not needed - refer to [Changelog files and Release Notes](https://github.com/mongodb/mongodb-kubernetes/blob/master/CONTRIBUTING.md#changelog-files-and-release-notes) section in CONTRIBUTING.md for more details --------- Co-authored-by: Julien-Ben <33035980+Julien-Ben@users.noreply.github.com>
diff --git a/changelog/20251027_other_cosign_version_upgrade.md b/changelog/20251027_other_cosign_version_upgrade.md
@@ -0,0 +1,6 @@
+---
+kind: other
+date: 2025-10-27
+---
+
+* **kubectl-mongodb plugin**: `cosign`, the signing tool that is used to sign `kubectl-mongodb` plugin binaries, has been updated to version `3.0.2`. With this change, released binaries will be bundled with `.bundle` files containing both signature and certificate information. For more information on how to verify signatures using new `cosign` version please refer to -> https://github.com/sigstore/cosign/blob/v3.0.2/doc/cosign_verify-blob.md
diff --git a/scripts/release/kubectl_mongodb/sign.sh b/scripts/release/kubectl_mongodb/sign.sh
@@ -8,7 +8,7 @@ set -euo pipefail
 # Sign a binary using garasign credentials
 
 ARTIFACT=$1
-SIGNATURE="${ARTIFACT}.sig"
+SIGNATURE_BUNDLE="${ARTIFACT}.bundle"
 
 TMPDIR=${TMPDIR:-/tmp}
 SIGNING_ENVFILE="${TMPDIR}/signing-envfile"
@@ -21,7 +21,7 @@ SIGNING_IMAGE_URI=${SIGNING_IMAGE_URI}
 ARTIFACTORY_PASSWORD=${ARTIFACTORY_PASSWORD}
 ARTIFACTORY_USERNAME=${ARTIFACTORY_USERNAME}
 
-echo "Signing artifact ${ARTIFACT} and saving signature to ${SIGNATURE}"
+echo "Signing artifact ${ARTIFACT} and saving signature bundle to ${SIGNATURE_BUNDLE}"
 
 {
   echo "GRS_CONFIG_USER1_USERNAME=${GRS_USERNAME}";
@@ -40,4 +40,4 @@ docker run \
   -v "$(pwd)":"$(pwd)" \
   -w "$(pwd)" \
   "${SIGNING_IMAGE_URI}" \
-  cosign sign-blob --key "${PKCS11_URI}" --output-signature "${SIGNATURE}" "${ARTIFACT}" --yes
+  cosign sign-blob --key "${PKCS11_URI}" --tlog-upload=false --use-signing-config=false --bundle "${SIGNATURE_BUNDLE}" "${ARTIFACT}" --yes
diff --git a/scripts/release/kubectl_mongodb/verify.sh b/scripts/release/kubectl_mongodb/verify.sh
@@ -2,10 +2,10 @@
 
 set -euo pipefail
 
-# Verify the signature of a binary with the operator's public key
+# Verify the signature bundle of a binary with the operator's public key
 
 ARTIFACT=$1
-SIGNATURE="${ARTIFACT}.sig"
+SIGNATURE_BUNDLE="${ARTIFACT}.bundle"
 
 HOSTED_SIGN_PUBKEY="https://cosign.mongodb.com/mongodb-enterprise-kubernetes-operator.pem" # to complete
 TMPDIR=${TMPDIR:-/tmp}
@@ -14,19 +14,19 @@ KEY_FILE="${TMPDIR}/host-public.key"
 SIGNING_IMAGE_URI="${SIGNING_IMAGE_URI}"
 
 curl -o "${KEY_FILE}" "${HOSTED_SIGN_PUBKEY}"
-echo "Verifying signature ${SIGNATURE} of artifact ${ARTIFACT}"
+echo "Verifying signature bundle ${SIGNATURE_BUNDLE} of artifact ${ARTIFACT}"
 echo "Keyfile is ${KEY_FILE}"
 
 # When working locally, the following command can be used instead of Docker
-# cosign verify-blob --key ${KEY_FILE} --signature ${SIGNATURE} ${ARTIFACT}
+# cosign verify-blob --key ${KEY_FILE} --insecure-ignore-tlog --bundle ${SIGNATURE_BUNDLE} ${ARTIFACT}
 
 docker run \
   --rm \
   -v "$(pwd)":"$(pwd)" \
   -v "${KEY_FILE}":"${KEY_FILE}" \
   -w "$(pwd)" \
   "${SIGNING_IMAGE_URI}" \
-  cosign verify-blob --key "${KEY_FILE}" --signature "${SIGNATURE}" "${ARTIFACT}"
+  cosign verify-blob --key "${KEY_FILE}" --insecure-ignore-tlog --bundle "${SIGNATURE_BUNDLE}" "${ARTIFACT}"
 
-# Without below line, Evergreen fails at archiving with "open dist/kubectl-[...]/kubectl-mongodb.sig: permission denied
-sudo chmod 666 "${SIGNATURE}"
+# Without below line, Evergreen fails at archiving with "open dist/kubectl-[...]/kubectl-mongodb.bundle: permission denied
+sudo chmod 666 "${SIGNATURE_BUNDLE}"
