From a73e922dac305f73d1c53ab6d693c96b1fed53af Mon Sep 17 00:00:00 2001
From: Einier Freyre Corona
Date: Sun, 26 Apr 2026 22:45:19 -0300
Subject: [PATCH 1/2] ci/cd: migrate to cosign v3 bundles for artifact signing
---
 .github/workflows/release.yml | 1 -
 .goreleaser.yml | 5 ++---
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2cddde610..a181bb874 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -435,7 +435,6 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 TAG: ${{ steps.vars.outputs.version_tag }}
- COSIGN_EXPERIMENTAL: 1
 
 # Only publish on non-special tags (e.g. non-beta)
 # We will continue to push to Gemfury for the foreseeable future, although
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 3c87131bd..db8fcc418 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -90,9 +90,8 @@ builds:
 
 signs:
 - cmd: cosign
- signature: "${artifact}.sig"
- certificate: '{{ trimsuffix (trimsuffix .Env.artifact ".zip") ".tar.gz" }}.pem'
- args: ["sign-blob", "--yes", "--output-signature=${signature}", "--output-certificate", "${certificate}", "${artifact}"]
+ signature: "${artifact}.sigstore"
+ args: ["sign-blob", "--yes", "--bundle=${signature}", "${artifact}"]
 artifacts: all
 
 sboms:
From 62b11d1f39709218766e8b59e6346f61353f7aee Mon Sep 17 00:00:00 2001
From: Einier Freyre Corona
Date: Sun, 26 Apr 2026 22:45:37 -0300
Subject: [PATCH 2/2] ci/cd: update cosign-installer to v4.1.0 verified SHA
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a181bb874..0a155d7d7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
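Review bot: With `COSIGN_EXPERIMENTAL: 1` removed, nothing in this env block records that the job signs keylessly, and the hunk does not show whether the job's `permissions` grant `id-token: write`, which cosign v2+ needs to obtain the ambient OIDC identity that the bundle's certificate is issued for; the enclosing job starts outside the hunk. If that grant is absent, `cosign sign-blob --yes` on a non-interactive runner presumably has no credential to present to Fulcio and the signing step fails rather than signs, so it is worth confirming while this block is being touched. A one-line comment where the variable was would spare the next reader the archaeology: `# keyless signing: identity comes from the job's OIDC token (requires permissions.id-token: write)`.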
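Review bot: The new `signature: "${artifact}.sigstore"` line replaces the separate `.sig`/`.pem` pair with a single bundle, which silently changes the verification contract for every downstream consumer: `cosign verify-blob --signature ... --certificate ...` against these release assets stops working, and the replacement recipe must pin the signer, e.g. `cosign verify-blob --bundle <artifact>.sigstore --certificate-identity-regexp <this repo's release workflow identity> --certificate-oidc-issuer https://token.actions.githubusercontent.com <artifact>`, because the bundle embeds whatever Fulcio certificate was issued and only the identity check binds it to this repository. Nothing in the diff updates release notes or verification docs accordingly, and the removed `certificate:` template suggests consumers were relying on the old file names. Two smaller points: as I recall the sigstore bundle spec names new-format bundles `.sigstore.json` and some verifiers may key the format off the extension, so confirm that cosign v3's `--bundle` output is what a `.sigstore` name implies; and a comment above the stanza, `# cosign >= v3: the signature file is a sigstore bundle (cert + sig + tlog entry); verify with --bundle, not --signature/--certificate`, would document the toolchain requirement that the env change and the installer bump already assume.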
@@ -415,7 +415,7 @@ jobs:
 run: pip install --upgrade cloudsmith-cli
 - name: Install Cosign
- uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # main
+ uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
 - name: Cosign version
 run: cosign version
 - name: Install Syft