From 6c5d91d17c4f89853c32e7cf06916437f163273d Mon Sep 17 00:00:00 2001
From: Christian Kotzbauer
Date: Wed, 2 Aug 2023 19:57:20 +0200
Subject: [PATCH] cleanup: updated build-tools
Signed-off-by: Christian Kotzbauer
---
 .github/scripts/goreleaser-install.sh | 11 +----------
 .github/workflows/on-main-push.yaml | 7 ++-----
 .github/workflows/on-tag.yaml | 7 ++-----
 Makefile | 14 +++++++-------
 4 files changed, 12 insertions(+), 27 deletions(-)
diff --git a/.github/scripts/goreleaser-install.sh b/.github/scripts/goreleaser-install.sh
index 2b6ce903e..dc7b9b099 100644
--- a/.github/scripts/goreleaser-install.sh
+++ b/.github/scripts/goreleaser-install.sh
@@ -19,19 +19,10 @@ export TAR_FILE
 "$RELEASES_URL/download/$VERSION/${FILE_BASENAME}_$(uname -s)_$(uname -m).tar.gz"
 cd "$TMPDIR"
 curl -sfLo "checksums.txt" "$RELEASES_URL/download/$VERSION/checksums.txt"
- curl -sfLo "checksums.txt.sig" "$RELEASES_URL/download/$VERSION/checksums.txt.sig"
 echo "Verifying checksums..."
 sha256sum --ignore-missing --quiet --check checksums.txt
- if command -v cosign >/dev/null 2>&1; then
- echo "Verifying signatures..."
- COSIGN_EXPERIMENTAL=1 cosign verify-blob \
- --signature checksums.txt.sig \
- checksums.txt
- else
- echo "Could not verify signatures, cosign is not installed."
- fi
 )
 tar -xf "$TAR_FILE" -O goreleaser > "$TMPDIR/goreleaser"
-rm "$TMPDIR/checksums.txt" "$TMPDIR/checksums.txt.sig"
+rm "$TMPDIR/checksums.txt"
 rm "$TAR_FILE"
diff --git a/.github/workflows/on-main-push.yaml b/.github/workflows/on-main-push.yaml
index 691f97dd9..6cea5a6c2 100644
--- a/.github/workflows/on-main-push.yaml
+++ b/.github/workflows/on-main-push.yaml
@@ -57,7 +57,6 @@ jobs:
 run: make kured-release-snapshot
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- COSIGN_EXPERIMENTAL: 1
 - name: Build image
 uses: docker/build-push-action@v4
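Review bot: After this hunk the installer's only integrity check is the `sha256sum --ignore-missing --quiet --check checksums.txt` line, and `checksums.txt` is fetched from the same release URL as the tarball, so the removed `cosign verify-blob` branch was the only step that tied the download to the GoReleaser release signer; a substituted checksums file plus tarball would now pass silently. The removal looks motivated by the cosign v2 bump in the Makefile (the v1-style `COSIGN_EXPERIMENTAL=1` and a signature-only verify-blob no longer apply), but GoReleaser releases still publish `checksums.txt.sig` together with a `checksums.txt.pem` certificate, so the check can be kept with the v2 keyless flags below, and the `rm "$TMPDIR/checksums.txt"` line would then also remove `checksums.txt.pem`. Keep the cosign-missing case a warning as it was, because in the Makefile's `bootstrap-tools` recipe this script runs before cosign is downloaded into `.tmp`, so a hard failure there would break bootstrap; the subshell these lines sit in opens before the hunk. The expected certificate identity is not on this page and is left as a placeholder.
```sh
	curl -sfLo "checksums.txt" "$RELEASES_URL/download/$VERSION/checksums.txt"
	curl -sfLo "checksums.txt.sig" "$RELEASES_URL/download/$VERSION/checksums.txt.sig"
	curl -sfLo "checksums.txt.pem" "$RELEASES_URL/download/$VERSION/checksums.txt.pem"
	# ... unchanged: "Verifying checksums..." echo and sha256sum --check ...
	if command -v cosign >/dev/null 2>&1; then
		echo "Verifying signatures..."
		cosign verify-blob \
			--certificate checksums.txt.pem \
			--certificate-identity-regexp '<GoReleaser release workflow identity - placeholder, fill in>' \
			--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
			--signature checksums.txt.sig \
			checksums.txt
	else
		echo "Could not verify signatures, cosign is not installed."
	fi
```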
@@ -75,11 +74,9 @@ jobs:
 - name: Sign and attest artifacts
 run: |
- .tmp/cosign sign -f -r ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }}
+ .tmp/cosign sign -y -r ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }}
 .tmp/cosign sign-blob --output-signature kured.sbom.sig --output-certificate kured.sbom.pem kured.sbom
- .tmp/cosign attest -f --type spdx --predicate kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }}
+ .tmp/cosign attest -y --type spdx --predicate kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }}
 .tmp/cosign attach sbom --type spdx --sbom kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }}
- env:
- COSIGN_EXPERIMENTAL: 1
diff --git a/.github/workflows/on-tag.yaml b/.github/workflows/on-tag.yaml
index 70eaf9c0a..1cda529d7 100644
--- a/.github/workflows/on-tag.yaml
+++ b/.github/workflows/on-tag.yaml
@@ -40,7 +40,6 @@ jobs:
 run: make kured-release-tag
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- COSIGN_EXPERIMENTAL: 1
 - name: Build single image for scan
 uses: docker/build-push-action@v4
 with:
@@ -90,11 +89,9 @@ jobs:
 - name: Sign and attest artifacts
 run: |
- .tmp/cosign sign -f -r ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}
+ .tmp/cosign sign -y -r ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}
 .tmp/cosign sign-blob --output-signature kured.sbom.sig kured.sbom
- .tmp/cosign attest -f --type spdx --predicate kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}
+ .tmp/cosign attest -y --type spdx --predicate kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}
 .tmp/cosign attach sbom --type spdx --sbom kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}
- env:
- COSIGN_EXPERIMENTAL: 1
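Review bot: The rewritten `.tmp/cosign sign -y -r` and `.tmp/cosign attest -y` lines still address the image by tag (`:${{ steps.tags.outputs.sha_short }}`), so what gets signed and attested is whatever that tag resolves to at signing time rather than the exact image this job built; cosign v2 warns about tag references for that reason. Use the digest the build step reports instead, e.g. `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.<build-step-id>.outputs.digest }}` (the build step's id is outside this hunk, and the same reference should then be used on the `attach sbom` line). The corresponding hunk in .github/workflows/on-tag.yaml has the same issue with `:${{ steps.tags.outputs.version }}`. Since `-y` only suppresses cosign v2's interactive transparency-log confirmation where `-f` used to force overwriting, a short `# -y: non-interactive Rekor upload (cosign v2)` comment above the block would save the next reader a lookup.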
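Review bot: The unchanged `.tmp/cosign sign-blob --output-signature kured.sbom.sig kured.sbom` line in this hunk writes only the signature, whereas the same step in on-main-push.yaml also passes `--output-certificate kured.sbom.pem`; with keyless signing (the default now that `COSIGN_EXPERIMENTAL` is dropped) a verifier of the tagged release has no certificate to check `kured.sbom.sig` against unless it recovers one from the transparency log. Making the two workflows match, `.tmp/cosign sign-blob --output-signature kured.sbom.sig --output-certificate kured.sbom.pem kured.sbom`, and publishing `kured.sbom.pem` alongside the SBOM closes that gap for the release artifacts, which are the ones consumers are most likely to verify.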
diff --git a/Makefile b/Makefile
index 23677d6e2..7ba912db6 100644
--- a/Makefile
+++ b/Makefile
@@ -14,25 +14,25 @@ $(TEMPDIR):
 .PHONY: bootstrap-tools
 bootstrap-tools: $(TEMPDIR)
- VERSION=v1.11.4 TMPDIR=.tmp bash .github/scripts/goreleaser-install.sh
- curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b .tmp v0.58.0
- curl -sSfL https://github.com/sigstore/cosign/releases/download/v1.12.1/cosign-linux-amd64 -o .tmp/cosign
+ VERSION=v1.19.2 TMPDIR=.tmp bash .github/scripts/goreleaser-install.sh
+ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b .tmp v0.86.1
+ curl -sSfL https://github.com/sigstore/cosign/releases/download/v2.1.1/cosign-linux-amd64 -o .tmp/cosign
 chmod +x .tmp/goreleaser .tmp/cosign .tmp/syft
 clean:
 rm -rf ./dist
 kured:
- $(GORELEASER_CMD) build --rm-dist --single-target --snapshot
+ $(GORELEASER_CMD) build --clean --single-target --snapshot
 kured-all:
- $(GORELEASER_CMD) build --rm-dist --snapshot
+ $(GORELEASER_CMD) build --clean --snapshot
 kured-release-tag:
- $(GORELEASER_CMD) release --rm-dist
+ $(GORELEASER_CMD) release --clean
 kured-release-snapshot:
- $(GORELEASER_CMD) release --rm-dist --snapshot
+ $(GORELEASER_CMD) release --clean --snapshot
 image: kured
 $(SUDO) docker buildx build --load -t ghcr.io/$(DH_ORG)/kured:$(VERSION) .
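Review bot: The cosign binary fetched on the new `curl -sSfL https://github.com/sigstore/cosign/releases/download/v2.1.1/cosign-linux-amd64 -o .tmp/cosign` line is installed with no integrity check at all, while the goreleaser line at least goes through a script that verifies sha256 sums; since this binary is what later signs and attests the release images in the workflows, a substituted download would taint every signature it produces. Pin the expected digest and check it before the `chmod +x` line, e.g. `echo '<sha256 of cosign-linux-amd64 v2.1.1 - placeholder>  .tmp/cosign' | sha256sum -c -`, which also fails the recipe on a truncated download. Note the ordering of the three lines: goreleaser-install.sh runs before cosign exists in `.tmp`, so any cosign-based verification inside that script can never fire during `make bootstrap-tools` unless the cosign download is moved first. The syft installer is still piped from the `main` branch of anchore/syft rather than a pinned ref, so the script is unpinned even though the binary version it installs is; the same digest-pinning approach or a pinned commit in the URL would close that.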