git.stella-ops.org/tools/cosign/README.md

# Cosign binaries (runtime/signals signing)

## Preferred (system)
- Version: `v3.0.2`
- Path: `/usr/local/bin/cosign` (installed on WSL Debian host)
- Breaking change: v3 requires `--bundle <file>` when signing blobs; older `--output-signature`/`--output-certificate` pairs are deprecated.

## Offline fallback (repo-pinned)
- Version: `v2.6.0`
- Binary: `tools/cosign/cosign` → `tools/cosign/v2.6.0/cosign-linux-amd64`
- SHA256: `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`
- Check: `cd tools/cosign/v2.6.0 && sha256sum -c cosign_checksums.txt --ignore-missing`

## Usage examples
- v3 DSSE blob: `cosign sign-blob --key cosign.key --predicate-type stella.ops/confidenceDecayConfig@v1 --bundle confidence_decay_config.sigstore.json decay/confidence_decay_config.yaml`
- v3 verify: `cosign verify-blob --bundle confidence_decay_config.sigstore.json decay/confidence_decay_config.yaml`
- To force offline fallback, export `PATH=./tools/cosign:$PATH` (ensures v2.6.0 is used).

## CI / secrets
- CI should provide a base64-encoded private key via secret `COSIGN_PRIVATE_KEY_B64` and optional password in `COSIGN_PASSWORD`.
- Example bootstrap in jobs:
  ```bash
  echo \"$COSIGN_PRIVATE_KEY_B64\" | base64 -d > /tmp/cosign.key
  chmod 600 /tmp/cosign.key
  COSIGN_PASSWORD=\"${COSIGN_PASSWORD:-}\" cosign version
  ```
- For local dev, copy your own key to `tools/cosign/cosign.key` or export `COSIGN_PRIVATE_KEY_B64` before running signing scripts. Never commit real keys; only `cosign.key.example` lives in git.