Bump cosign v2.4.1 to v3.0.4 and use trusted_root.json for verification

[SequeI]

Upgrade from cosign/v2 to cosign/v3 so that ec sigstore initialize produces the modern sigstore TUF cache format (trusted_root.json + signing_config) used by current cosign and gitsign.

In the keyless verification path, ec now loads TrustedMaterial from trusted_root.json via cosign.TrustedRoot() before falling back to fetching individual Fulcio/CTLog/Rekor targets. This unifies the TUF library used for both initialization and verification.

Dependency changes:

• cosign v2.4.1 -> v3.0.4
• conftest v0.57.0 -> v0.66.0 (required for tablewriter v1 compat)
• Go 1.24.6 -> 1.25.3 (required by conftest v0.66.0)

Adapt to breaking API changes:

• cosign.LoadPrivateKey now takes an additional *[]signature.LoadOption
• cosignRemote.WriteSignedImageIndexImages now takes a directory param
• fake.NewSimpleClientset replaced with fake.NewClientset

Fix pre-existing acceptance test bug where the "Effective-time is honored" scenario used embedded quotes that the step regex could not match.

Update OPA snapshot and generated docs to reflect new OPA/conftest help text.

Closes #3107

[qodo-code-review]

Review Summary by Qodo

Upgrade cosign to v3.0.4 and implement TrustedRoot.json verification

✨ Enhancement 🧪 Tests

Walkthroughs

Description

• Upgrade cosign from v2.4.1 to v3.0.4 with TrustedRoot.json support
• Implement TUF-based verification using cosign.TrustedRoot() with fallback
• Adapt to breaking API changes in cosign v3 (LoadPrivateKey, WriteSignedImageIndexImages,
  fake.NewClientset)
• Update Go from 1.24.6 to 1.25.3 and conftest v0.57.0 to v0.66.0
• Fix acceptance test regex for "Effective-time is honored" scenario
• Update OPA/conftest documentation to reflect new help text

Diagram

flowchart LR
  A["cosign v2.4.1"] -->|upgrade| B["cosign v3.0.4"]
  B -->|enables| C["TrustedRoot.json support"]
  C -->|provides| D["TUF-based verification"]
  D -->|with fallback| E["Individual Fulcio/CTLog/Rekor targets"]
  F["Breaking API changes"] -->|adapt| G["LoadPrivateKey, WriteSignedImageIndexImages, fake.NewClientset"]
  H["Go 1.24.6"] -->|upgrade| I["Go 1.25.3"]
  J["conftest v0.57.0"] -->|upgrade| K["conftest v0.66.0"]

Loading

File Changes

1. internal/policy/policy.go ✨ Enhancement +32/-17

Implement TrustedRoot.json verification with fallback logic

internal/policy/policy.go

---

2. cmd/validate/image_test.go 🧪 Tests +6/-6

Update LoadPrivateKey mock signature for cosign v3

cmd/validate/image_test.go

---

3. internal/validate/vsa/attest_test.go 🧪 Tests +4/-4

Update LoadPrivateKey and fake.NewClientset for v3 API

internal/validate/vsa/attest_test.go

---

View more (50)

4. acceptance/image/image.go ✨ Enhancement +8/-8

Update cosign imports and WriteSignedImageIndexImages call

acceptance/image/image.go

---

5. internal/validate/vsa/attest.go ✨ Enhancement +3/-3

Update cosign imports and LoadPrivateKey invocation

internal/validate/vsa/attest.go

---

6. internal/evaluation_target/application_snapshot_image/application_snapshot_image_test.go 🧪 Tests +4/-4

Update cosign v2 imports to v3

internal/evaluation_target/application_snapshot_image/application_snapshot_image_test.go

---

7. cmd/sigstore/initialize.go 📝 Documentation +2/-2

Update cosign imports and TUF cache documentation

cmd/sigstore/initialize.go

---

8. internal/image/validate_test.go 🧪 Tests +3/-3

Update cosign v2 imports to v3

internal/image/validate_test.go

---

9. internal/utils/private_key_test.go 🧪 Tests +2/-2

Replace fake.NewSimpleClientset with fake.NewClientset

internal/utils/private_key_test.go

---

10. internal/rego/sigstore/sigstore_test.go 🧪 Tests +4/-4

Update cosign v2 imports to v3

internal/rego/sigstore/sigstore_test.go

---

11. internal/version/version.go ✨ Enhancement +1/-1

Update cosign dependency path from v2 to v3

internal/version/version.go

---

12. internal/utils/oci/client.go ✨ Enhancement +3/-3

Update cosign v2 imports to v3

internal/utils/oci/client.go

---

13. acceptance/rekor/rekor.go ✨ Enhancement +2/-2

Update cosign v2 imports to v3

acceptance/rekor/rekor.go

---

14. internal/validate/vsa/vsa_test.go 🧪 Tests +2/-2

Update cosign v2 imports to v3

internal/validate/vsa/vsa_test.go

---

15. internal/policy/policy_test.go 🧪 Tests +2/-2

Update cosign v2 imports to v3

internal/policy/policy_test.go

---

16. acceptance/crypto/keys.go ✨ Enhancement +2/-2

Update cosign imports and LoadPrivateKey call signature

acceptance/crypto/keys.go

---

17. internal/rego/sigstore/sigstore.go ✨ Enhancement +2/-2

Update cosign v2 imports to v3

internal/rego/sigstore/sigstore.go

---

18. internal/attestation/slsa_provenance_02_test.go 🧪 Tests +2/-2

Update cosign v2 imports to v3

internal/attestation/slsa_provenance_02_test.go

---

19. internal/validate/vsa/rekor_retriever.go ✨ Enhancement +1/-1

Update cosign v2 imports to v3

internal/validate/vsa/rekor_retriever.go

---

20. internal/version/version_test.go 🧪 Tests +1/-1

Update cosign dependency path in test expectations

internal/version/version_test.go

---

21. cmd/sigstore/sigstore.go ✨ Enhancement +1/-1

Update cosign v2 imports to v3

cmd/sigstore/sigstore.go

---

22. internal/evaluation_target/application_snapshot_image/application_snapshot_image.go ✨ Enhancement +1/-1

Update cosign v2 imports to v3

internal/evaluation_target/application_snapshot_image/application_snapshot_image.go

---

23. cmd/validate/image.go ✨ Enhancement +1/-1

Update cosign v2 imports to v3

cmd/validate/image.go

---

24. acceptance/attestation/attestation.go ✨ Enhancement +2/-2

Update cosign v2 imports to v3

acceptance/attestation/attestation.go

---

25. internal/utils/oci/fake/client.go ✨ Enhancement +2/-2

Update cosign v2 imports to v3

internal/utils/oci/fake/client.go

---

26. internal/signature/certificate_test.go 🧪 Tests +2/-2

Update cosign v2 imports to v3

internal/signature/certificate_test.go

---

27. internal/validate/vsa/service_test.go 🧪 Tests +1/-1

Update cosign v2 imports to v3

internal/validate/vsa/service_test.go

---

28. internal/attestation/attestation.go ✨ Enhancement +3/-3

Update cosign v2 imports to v3

internal/attestation/attestation.go

---

29. internal/attestation/slsa_provenance_v1_test.go 🧪 Tests +1/-1

Update cosign v2 imports to v3

internal/attestation/slsa_provenance_v1_test.go

---

30. internal/attestation/attestation_test.go 🧪 Tests +1/-1

Update cosign v2 imports to v3

internal/attestation/attestation_test.go

---

31. internal/attestation/slsa_provenance_02.go ✨ Enhancement +1/-1

Update cosign v2 imports to v3

internal/attestation/slsa_provenance_02.go

---

32. internal/attestation/slsa_provenance_v1.go ✨ Enhancement +1/-1

Update cosign v2 imports to v3

internal/attestation/slsa_provenance_v1.go

---

33. internal/output/output_test.go 🧪 Tests +1/-1

Update cosign v2 imports to v3

internal/output/output_test.go

---

34. internal/output/output.go ✨ Enhancement +1/-1

Update cosign v2 imports to v3

internal/output/output.go

---

35. internal/signature/signature.go ✨ Enhancement +1/-1

Update cosign v2 imports to v3

internal/signature/signature.go

---

36. go.mod Dependencies +161/-133

Upgrade Go, cosign, conftest, and related dependencies

go.mod

---

37. acceptance/go.mod Dependencies +91/-90

Upgrade Go and cosign dependencies in acceptance tests

acceptance/go.mod

---

38. docs/modules/ROOT/pages/ec_opa_inspect.adoc 📝 Documentation +8/-8

Update OPA inspect command documentation formatting

docs/modules/ROOT/pages/ec_opa_inspect.adoc

---

39. docs/modules/ROOT/pages/ec_opa_build.adoc 📝 Documentation +6/-6

Fix indentation and formatting in OPA build documentation

docs/modules/ROOT/pages/ec_opa_build.adoc

---

40. docs/modules/ROOT/pages/ec_sigstore_initialize.adoc 📝 Documentation +3/-1

Update TUF cache path and add new initialization flags

docs/modules/ROOT/pages/ec_sigstore_initialize.adoc

---

41. docs/modules/ROOT/pages/ec_opa_test.adoc 📝 Documentation +2/-1

Add fail-on-empty flag to OPA test documentation

docs/modules/ROOT/pages/ec_opa_test.adoc

---

42. docs/modules/ROOT/pages/ec_opa_exec.adoc 📝 Documentation +4/-3

Update OPA exec command documentation and flag descriptions

docs/modules/ROOT/pages/ec_opa_exec.adoc

---

43. Dockerfile.dist ⚙️ Configuration changes +1/-1

Update Go version to 1.25.3 in build image

Dockerfile.dist

---

44. features/task_validate_image.feature 🐞 Bug fix +1/-1

Fix acceptance test regex for effective-time scenario

features/task_validate_image.feature

---

45. Dockerfile ⚙️ Configuration changes +1/-1

Update Go version to 1.25.3 in build image

Dockerfile

---

46. Makefile ⚙️ Configuration changes +1/-1

Update cosign version extraction to use v3

Makefile

---

47. docs/modules/ROOT/pages/ec_opa_bench.adoc 📝 Documentation +1/-0

Add metrics and benchmem flags documentation

docs/modules/ROOT/pages/ec_opa_bench.adoc

---

48. docs/modules/ROOT/pages/ec_opa_run.adoc 📝 Documentation +1/-1

Simplify OPA run command synopsis

docs/modules/ROOT/pages/ec_opa_run.adoc

---

49. tools/go.mod ⚙️ Configuration changes +1/-1

Update Go version to 1.25.3

tools/go.mod

---

50. tools/kubectl/go.mod ⚙️ Configuration changes +1/-1

Update Go version to 1.25.3

tools/kubectl/go.mod

---

51. .tool-versions ⚙️ Configuration changes +1/-1

Update golang version to 1.25.3

.tool-versions

---

52. acceptance/go.sum Additional files +346/-446

...

acceptance/go.sum

---

53. go.sum Additional files +420/-362

...

go.sum

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)

1. Empty dir arg to cosignRemote 🐞 Bug ⛯ Reliability

Description

acceptance/image/createAndPushKeylessImage passes "" for the new directory argument to
cosignRemote.WriteSignedImageIndexImages. If cosign v3 uses this directory for
staging/reading/writing, an empty value can cause failures or writes in an unintended location
(e.g., current working directory), making acceptance tests flaky or polluting the workspace.

Code

acceptance/image/image.go[729]

+	if err := cosignRemote.WriteSignedImageIndexImages(ref, sii, ""); err != nil {

Evidence

The function already computes the on-disk OCI layout directory (imageDir) and loads the
SignedImageIndex from it, but does not pass that directory (or any explicit temp directory) to
WriteSignedImageIndexImages; it passes an empty string instead.

acceptance/image/image.go[712-731]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`cosignRemote.WriteSignedImageIndexImages` is called with an empty string for its new directory parameter. This may cause failures or cause the function to read/write from an unintended default location.

### Issue Context
The code already has `imageDir` (the OCI layout directory) and loads `sii` from it, so it’s likely the correct directory to pass, or alternatively a temp staging directory should be used.

### Fix Focus Areas
- acceptance/image/image.go[712-731]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. TrustedRoot fallback not visible 🐞 Bug ✧ Quality

Description

When cosign.TrustedRoot() fails, the code falls back to fetching individual targets but only logs
the failure at debug level. With default logging set to warn, users typically won’t see that they
aren’t using trusted_root.json, reducing debuggability and making verification behavior harder to
reason about in production.

Code

internal/policy/policy.go[R428-434]

+		if !hasSigstoreEnvOverrides() {
+			if trustedRoot, trErr := cosign.TrustedRoot(); trErr == nil {
+				log.Debug("Using trusted root from TUF for verification")
+				opts.TrustedMaterial = trustedRoot
+			} else {
+				log.Debugf("Could not fetch trusted_root.json from TUF, falling back to individual targets: %v", trErr)
+			}

Evidence

The fallback path emits only Debug/Debugf logs. The repository’s logging initialization sets the
default log level to WarnLevel, which suppresses Debug logs unless verbose/debug flags are set.

internal/policy/policy.go[424-447]
internal/logging/logging.go[46-69]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Trusted root loading failures currently only emit debug logs, so users running with default logging won’t know they are on the fallback verification path.

### Issue Context
Default log level is Warn. The fallback is likely OK, but should be observable.

### Fix Focus Areas
- internal/policy/policy.go[428-434]
- internal/logging/logging.go[46-69]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more