Fix the release

.github/workflows/validate-release.yml

@@ -50,7 +50,7 @@ jobs:
             -v /var/run/docker.sock:/var/run/docker.sock \
             -w /go/src/sigstore/cosign \
             --entrypoint="" \
-            ghcr.io/gythialy/golang-cross:v1.17.2@sha256:24bb133da23e0d21a8e8a54416f652d753c7cb2ad8efb3e6a3ef652f597ada8f \
+            ghcr.io/gythialy/golang-cross:v1.17.2-1@sha256:51f3c71079f6e1d7d0732b33bcc54ebd310f6ea155ac7dbe244a8695334bd50a \
             make snapshot
 
       - name: check binaries

.goreleaser.yml

@@ -3,6 +3,7 @@ project_name: cosign
 env:
   - GO111MODULE=on
   - CGO_ENABLED=1
+  - DOCKER_CLI_EXPERIMENTAL=enabled
 
 # Prevents parallel builds from stepping on eachothers toes downloading modules
 before:
@@ -166,59 +167,68 @@ dockers:
   # cosign Image
   - image_templates:
       - "gcr.io/{{ .Env.PROJECT_ID }}/cosign:{{ .Version }}-amd64"
-    use: buildx
     dockerfile: Dockerfile
+    goos: linux
+    goarch: amd64
     build_flag_templates:
       - "--platform=linux/amd64"
-      - "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}"
-      - "--build-arg=ARCH=amd64"
+      # TODO(dekkagaijin): remove suffix when race condition fixed
+      - "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}-amd64"
+      - "--build-arg=TARGETARCH=amd64"
   - image_templates:
       - "gcr.io/{{ .Env.PROJECT_ID }}/cosign:{{ .Version }}-arm64v8"
-    use: buildx
+    goos: linux
     goarch: arm64
     dockerfile: Dockerfile
     build_flag_templates:
       - "--platform=linux/arm64/v8"
-      - "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}"
-      - "--build-arg=ARCH=arm64"
+      # TODO(dekkagaijin): remove suffix when race condition fixed
+      - "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}-arm64"
+      - "--build-arg=TARGETARCH=arm64"
 
   # cosigned Image
   - image_templates:
       - "gcr.io/{{ .Env.PROJECT_ID }}/cosigned:{{ .Version }}-amd64"
-    use: buildx
     dockerfile: Dockerfile.cosigned
+    goos: linux
+    goarch: amd64
     build_flag_templates:
       - "--platform=linux/amd64"
-      - "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}"
-      - "--build-arg=ARCH=amd64"
+      # TODO(dekkagaijin): remove suffix when race condition fixed
+      - "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}-amd64"
+      - "--build-arg=TARGETARCH=amd64"
   - image_templates:
       - "gcr.io/{{ .Env.PROJECT_ID }}/cosigned:{{ .Version }}-arm64v8"
-    use: buildx
+    goos: linux
     goarch: arm64
     dockerfile: Dockerfile.cosigned
     build_flag_templates:
       - "--platform=linux/arm64/v8"
-      - "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}"
-      - "--build-arg=ARCH=arm64"
+      # TODO(dekkagaijin): remove suffix when race condition fixed
+      - "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}-arm64"
+      - "--build-arg=TARGETARCH=arm64"
 
   # sget Image
   - image_templates:
       - "gcr.io/{{ .Env.PROJECT_ID }}/sget:{{ .Version }}-amd64"
-    use: buildx
     dockerfile: Dockerfile.sget
+    goos: linux
+    goarch: amd64
     build_flag_templates:
       - "--platform=linux/amd64"
-      - "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}"
-      - "--build-arg=ARCH=amd64"
+      # TODO(dekkagaijin): remove suffix when race condition fixed
+      - "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}-amd64"
+      - "--build-arg=TARGETARCH=amd64"
   - image_templates:
       - "gcr.io/{{ .Env.PROJECT_ID }}/sget:{{ .Version }}-arm64v8"
-    use: buildx
+    goos: linux
     goarch: arm64
     dockerfile: Dockerfile.sget
     build_flag_templates:
       - "--platform=linux/arm64/v8"
-      - "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}"
-      - "--build-arg=ARCH=arm64"
+      # TODO(dekkagaijin): remove suffix when race condition fixed
+      - "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}-arm64"
+      - "--build-arg=TARGETARCH=arm64"
 
 docker_manifests:
   - name_template: gcr.io/{{ .Env.PROJECT_ID }}/cosign:{{ .Version }}
@@ -236,6 +246,7 @@ docker_manifests:
 
 docker_signs:
   - artifacts: all
+    cmd: ./dist/cosign-linux-amd64
     args: [ "sign", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}" ]
 
 archives:

Dockerfile

@@ -16,8 +16,8 @@ ARG RUNTIME_IMAGE=gcr.io/distroless/base:debug
 
 FROM $RUNTIME_IMAGE
 
-ARG ARCH
-COPY cosign-linux-${ARCH} /bin/cosign
+ARG TARGETARCH
+COPY cosign-linux-${TARGETARCH} /bin/cosign
 
 USER nobody
 ENTRYPOINT [ "/bin/cosign" ]

Dockerfile.cosigned

@@ -16,8 +16,8 @@ ARG RUNTIME_IMAGE=gcr.io/distroless/base:debug
 
 FROM $RUNTIME_IMAGE
 
-ARG ARCH
-COPY cosigned-linux-${ARCH} /bin/cosigned
+ARG TARGETARCH
+COPY cosigned-linux-${TARGETARCH} /bin/cosigned
 
 USER nobody
 ENTRYPOINT [ "/bin/cosigned" ]

Dockerfile.sget

@@ -16,8 +16,8 @@ ARG RUNTIME_IMAGE=gcr.io/distroless/base:debug
 
 FROM $RUNTIME_IMAGE
 
-ARG ARCH
-COPY sget-linux-${ARCH} /bin/sget
+ARG TARGETARCH
+COPY sget-linux-${TARGETARCH} /bin/sget
 
 USER nobody
 ENTRYPOINT [ "/bin/sget" ]

Makefile

@@ -39,7 +39,7 @@ ifeq ($(DIFF), 1)
     GIT_TREESTATE = "dirty"
 endif
 
-PKG=github.com/sigstore/cosign/cmd/cosign/cli
+PKG=github.com/sigstore/cosign/cmd/cosign/cli/options
 
 LDFLAGS="-X $(PKG).GitVersion=$(GIT_VERSION) -X $(PKG).gitCommit=$(GIT_HASH) -X $(PKG).gitTreeState=$(GIT_TREESTATE) -X $(PKG).buildDate=$(BUILD_DATE)"
 

release/cloudbuild.yaml

@@ -32,7 +32,7 @@ steps:
     echo "Checking out ${_TOOL_REF}"
     git checkout ${_TOOL_REF}
 
-- name: 'gcr.io/projectsigstore/cosign:v1.2.0@sha256:96ef6fb02c5a56901dc3c2e0ca34eec9ed926ab8d936ea30ec38f9ec9db017a5'
+- name: 'gcr.io/projectsigstore/cosign:v1.2.1@sha256:68801416e6ae0a48820baa3f071146d18846d8cd26ca8ec3a1e87fca8a735498'
   dir: "go/src/sigstore/cosign"
   env:
   - RUNTIME_IMAGE=${_RUNTIME_IMAGE}
@@ -43,9 +43,8 @@ steps:
   - '-key'
   - 'https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub'
   - './Dockerfile'
-  waitFor: ['-']
 
-- name: 'gcr.io/projectsigstore/cosign:v1.2.0@sha256:96ef6fb02c5a56901dc3c2e0ca34eec9ed926ab8d936ea30ec38f9ec9db017a5'
+- name: 'gcr.io/projectsigstore/cosign:v1.2.1@sha256:68801416e6ae0a48820baa3f071146d18846d8cd26ca8ec3a1e87fca8a735498'
   dir: "go/src/sigstore/cosign"
   env:
   - RUNTIME_IMAGE=${_RUNTIME_IMAGE}
@@ -56,19 +55,29 @@ steps:
   - '-key'
   - 'https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub'
   - './Dockerfile.cosigned'
-  waitFor: ['-']
 
-- name: 'gcr.io/projectsigstore/cosign:v1.2.0@sha256:96ef6fb02c5a56901dc3c2e0ca34eec9ed926ab8d936ea30ec38f9ec9db017a5'
+- name: 'gcr.io/projectsigstore/cosign:v1.2.1@sha256:68801416e6ae0a48820baa3f071146d18846d8cd26ca8ec3a1e87fca8a735498'
+  dir: "go/src/sigstore/cosign"
+  env:
+  - RUNTIME_IMAGE=${_RUNTIME_IMAGE}
+  args:
+  - 'dockerfile'
+  - 'verify'
+  - '-base-image-only'
+  - '-key'
+  - 'https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub'
+  - './Dockerfile.sget'
+
+- name: 'gcr.io/projectsigstore/cosign:v1.2.1@sha256:68801416e6ae0a48820baa3f071146d18846d8cd26ca8ec3a1e87fca8a735498'
   dir: "go/src/sigstore/cosign"
   args:
   - 'verify'
   - '-key'
   - 'https://raw.githubusercontent.com/gythialy/golang-cross/master/cosign.pub'
-  - 'ghcr.io/gythialy/golang-cross:v1.17.2@sha256:24bb133da23e0d21a8e8a54416f652d753c7cb2ad8efb3e6a3ef652f597ada8f'
-  waitFor: ['-']
+  - 'ghcr.io/gythialy/golang-cross:v1.17.2-1@sha256:51f3c71079f6e1d7d0732b33bcc54ebd310f6ea155ac7dbe244a8695334bd50a'
 
 # maybe we can build our own image and use that to be more in a safe side
-- name: ghcr.io/gythialy/golang-cross:v1.17.2@sha256:24bb133da23e0d21a8e8a54416f652d753c7cb2ad8efb3e6a3ef652f597ada8f
+- name: ghcr.io/gythialy/golang-cross:v1.17.2-1@sha256:51f3c71079f6e1d7d0732b33bcc54ebd310f6ea155ac7dbe244a8695334bd50a
   entrypoint: /bin/sh
   dir: "go/src/sigstore/cosign"
   env: