chore(ci): remove verify-release-attestation.sh script and update attest-release-assets.sh to exclude .cosign.bundle files

2026-04-23 08:45:43 +00:00 · 2026-04-22 13:23:22 -05:00
parent cffabc7146
commit cbb041f06e
2 changed files with 1 additions and 22 deletions
--- a/scripts/ci/attest-release-assets.sh
+++ b/scripts/ci/attest-release-assets.sh
@@ -19,7 +19,7 @@ trap 'rm -f "$PRED"' EXIT INT

 python3 scripts/ci/slsa-predicate.py > "$PRED"

-find "$DIR" -type f ! -name '*.sha256' ! -name '*.cosign.bundle' | while IFS= read -r f; do
+find "$DIR" -type f ! -name '*.cosign.bundle' | while IFS= read -r f; do
    case "$f" in
        */.git/*) continue ;;
    esac
--- a/scripts/ci/verify-release-attestation.sh
+++ b/scripts/ci/verify-release-attestation.sh
@@ -1,21 +0,0 @@
-#!/bin/sh
-# Verify a cosign SLSA bundle for a release binary using the repository public key.
-# Checks Sigstore Rekor (public log) unless COSIGN_REKOR_URL points elsewhere.
-# Usage: verify-release-attestation.sh <blob-file> <bundle-file>
-# Env: COSIGN_PUBLIC_KEY (default cosign.pub)
-set -eu
-
-BLOB="${1:?blob path}"
-BUNDLE="${2:?bundle path}"
-PUB="${COSIGN_PUBLIC_KEY:-cosign.pub}"
-
-if [ ! -f "$PUB" ]; then
-    echo "Missing $PUB (generate a key pair with cosign and commit the .pub file)" >&2
-    exit 1
-fi
-
-exec cosign verify-blob-attestation \
-    --key "$PUB" \
-    --bundle "$BUNDLE" \
-    --type slsaprovenance1 \
-    "$BLOB"