Closed
The .cosign-bundle format used by apsw to sign releases appears to be obsolete and incompatible with other sigstore clients:
$ sigstore verify identity --cert-identity [email protected] --cert-oidc-issuer https://github.com/login/oauth apsw-3.47.2.0.zip --bundle apsw-3.47.2.0.cosign-bundle
[20:29:57] ERROR An issue occurred while parsing the Sigstore bundle. errors.py:41
The provided bundle is malformed and may have been modified maliciously.
Additional context:
unsupported bundle format:
For detailed error information, run sigstore with the `--verbose` flag.
Please consider using the modern sigstore format that works both with sigstore and cosign and is used e.g. by CPython:
$ cosign verify-blob --new-bundle-format --bundle=Python-3.14.0a3.tar.xz.sigstore Python-3.14.0a3.tar.xz --certificate-identity [email protected] --certificate-oidc-issuer https://github.com/login/oauth
Verified OK
$ sigstore verify identity --cert-identity [email protected] --cert-oidc-issuer https://github.com/login/oauth Python-3.14.0a3.tar.xz --bundle Python-3.14.0a3.tar.xz.sigstore
OK: Python-3.14.0a3.tar.xz
Note that cosign requires explicit --new-bundle-format for this.
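As an added illustration, not code from the issue, from apsw, or from the sigstore/cosign projects: a small stdlib-only Python checker that tells the two bundle shapes apart by their JSON structure and prints the verify invocation each shape can be checked with. The key names are those of the legacy `cosign sign-blob --bundle` output (`base64Signature`, `cert`, `rekorBundle`) and of the sigstore bundle JSON (`mediaType`, `verificationMaterial`, `messageSignature`/`dsseEnvelope`); the two sample bundles are constructed placeholders, not real signatures. It performs no cryptographic verification, which is left to the real clients.

```python
"""Classify a Sigstore/cosign bundle by JSON shape and print matching verify commands.

Added example; not part of the issue, apsw, cosign or sigstore-python.
"""
import json
import shlex
from typing import List, Tuple

# Media type prefix shared by every version of the sigstore bundle format,
# e.g. "application/vnd.dev.sigstore.bundle+json;version=0.3" and the newer
# "application/vnd.dev.sigstore.bundle.v0.3+json".
SIGSTORE_BUNDLE_PREFIX = "application/vnd.dev.sigstore.bundle"

# Top-level keys of the legacy `cosign sign-blob --bundle` JSON output, which
# carries no mediaType and is what sigstore-python rejects as "unsupported".
LEGACY_COSIGN_KEYS = {"base64Signature", "cert", "rekorBundle"}


def classify_bundle(raw: bytes) -> Tuple[str, str]:
    """Return (kind, detail) with kind in {"sigstore", "legacy-cosign", "unknown"}."""
    try:
        obj = json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return ("unknown", "file is not JSON")
    if not isinstance(obj, dict):
        return ("unknown", "top-level JSON value is not an object")

    media = obj.get("mediaType")
    if isinstance(media, str) and media.startswith(SIGSTORE_BUNDLE_PREFIX):
        if "verificationMaterial" not in obj:
            return ("unknown", "sigstore mediaType but no verificationMaterial")
        if "messageSignature" in obj or "dsseEnvelope" in obj:
            return ("sigstore", media)
        return ("unknown", "sigstore mediaType but neither messageSignature nor dsseEnvelope")

    if LEGACY_COSIGN_KEYS <= obj.keys():
        return ("legacy-cosign", "base64Signature/cert/rekorBundle without mediaType")

    return ("unknown", "no recognised bundle keys")


def verify_commands(kind: str, artifact: str, bundle: str,
                    identity: str, issuer: str) -> List[List[str]]:
    """Build argv lists for the clients that accept a bundle of the given kind."""
    if kind == "sigstore":
        # Both clients verify this shape; cosign needs --new-bundle-format.
        return [
            ["cosign", "verify-blob", "--new-bundle-format", "--bundle", bundle,
             "--certificate-identity", identity, "--certificate-oidc-issuer", issuer,
             artifact],
            ["sigstore", "verify", "identity", "--bundle", bundle,
             "--cert-identity", identity, "--cert-oidc-issuer", issuer, artifact],
        ]
    if kind == "legacy-cosign":
        # sigstore-python cannot parse this shape, so only cosign applies.
        return [
            ["cosign", "verify-blob", "--bundle", bundle,
             "--certificate-identity", identity, "--certificate-oidc-issuer", issuer,
             artifact],
        ]
    return []


# Constructed placeholder bundles (not real signatures or certificates).
LEGACY_SAMPLE = json.dumps({
    "base64Signature": "FAKE-SIGNATURE",
    "cert": "FAKE-PEM-CERT-BASE64",
    "rekorBundle": {"SignedEntryTimestamp": "FAKE-SET",
                    "Payload": {"body": "FAKE", "integratedTime": 0,
                                "logIndex": 0, "logID": "FAKE"}},
}).encode()

SIGSTORE_SAMPLE = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "verificationMaterial": {"certificate": {"rawBytes": "FAKE-DER-BASE64"},
                             "tlogEntries": []},
    "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "FAKE"},
                         "signature": "FAKE-SIGNATURE"},
}).encode()


if __name__ == "__main__":
    # Hypothetical artifact and identity values, only to show the output shape.
    for name, raw in (("release.cosign-bundle", LEGACY_SAMPLE),
                      ("release.sigstore", SIGSTORE_SAMPLE)):
        kind, detail = classify_bundle(raw)
        print(f"{name}: {kind} ({detail})")
        for argv in verify_commands(kind, "release.zip", name,
                                    "releaser@example.com",
                                    "https://github.com/login/oauth"):
            print("  " + shlex.join(argv))
```

Running the script prints, for the legacy sample, a single cosign command line, and for the sigstore sample both the cosign line with `--new-bundle-format` and the sigstore-python line. Pointing `classify_bundle` at a downloaded bundle file before verification gives an early, offline explanation of the "unsupported bundle format" error above rather than a parse failure from the client.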