Update signing bundles for cosign v3

2026-02-05 02:49:08 +08:00 · 2025-10-28 23:11:35 +00:00 · 2025-10-28 23:11:35 +00:00 · 0f4611efd6
commit 0f4611efd6
parent b724c60181
2 changed files with 6 additions and 6 deletions
--- a/6
+++ b/6
@ -50,9 +50,9 @@ RUN --mount=type=bind,from=cosign-bin,source=/ko-app/cosign,target=/usr/local/bi
    /tmp/lychee.zip -L \
    "https://github.com/LycheeOrg/Lychee/releases/download/${LYCHEE_VERSION}/Lychee.zip" && \
  curl -o \
-    /tmp/lychee.zip.asc -L \
-    "https://github.com/LycheeOrg/Lychee/releases/download/${LYCHEE_VERSION}/Lychee.zip.asc" && \
-  cosign verify-blob --key /config/lychee.pub --signature /tmp/lychee.zip.asc /tmp/lychee.zip && \
+    /tmp/lychee.zip.sigstore.json -L \
+    "https://github.com/LycheeOrg/Lychee/releases/download/${LYCHEE_VERSION}/Lychee.zip.sigstore.json" && \
+  cosign verify-blob --key /config/lychee.pub --bundle /tmp/lychee.zip.sigstore.json /tmp/lychee.zip && \
  unzip -q /tmp/lychee.zip -d /app && \
  mv /app/Lychee /app/www && \
  echo "**** install composer dependencies ****" && \
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@ -50,9 +50,9 @@ RUN --mount=type=bind,from=cosign-bin,source=/ko-app/cosign,target=/usr/local/bi
    /tmp/lychee.zip -L \
    "https://github.com/LycheeOrg/Lychee/releases/download/${LYCHEE_VERSION}/Lychee.zip" && \
  curl -o \
-    /tmp/lychee.zip.asc -L \
-    "https://github.com/LycheeOrg/Lychee/releases/download/${LYCHEE_VERSION}/Lychee.zip.asc" && \
-  cosign verify-blob --key /config/lychee.pub --signature /tmp/lychee.zip.asc /tmp/lychee.zip && \
+    /tmp/lychee.zip.sigstore.json -L \
+    "https://github.com/LycheeOrg/Lychee/releases/download/${LYCHEE_VERSION}/Lychee.zip.sigstore.json" && \
+  cosign verify-blob --key /config/lychee.pub --bundle /tmp/lychee.zip.sigstore.json /tmp/lychee.zip && \
  unzip -q /tmp/lychee.zip -d /app && \
  mv /app/Lychee /app/www && \
  echo "**** install composer dependencies ****" && \