fix: cosign verify does not use signing config

[gusfcarvalho]

Changes

Removed the --use-signing-config=false flag from the cosign verify command in the push_chart step of the Helm workflow. The verification now respects the signing configuration instead of explicitly disabling it, while keeping the --new-bundle-format=false flag and certificate identity/OIDC issuer options intact.

File affected: .github/workflows/helm.yml

[coderabbitai]

Walkthrough

The pull request removes the --use-signing-config=false flag from the cosign verify command in the Helm workflow, while preserving other signing and verification options like --new-bundle-format=false and certificate configurations.

Changes

Cohort / File(s)	Summary
Cosign verification flag removal .github/workflows/helm.yml	Removed --use-signing-config=false flag from the cosign verify invocation in the push_chart step, simplifying the command while maintaining other signing-related parameters.

Possibly related PRs

• fix: attempt to fix cosign compatibility issues #5959: Directly modifies the same --use-signing-config flag in the cosign verify command, but adds it instead of removing it—inverse operation on the same configuration parameter.
• fix: update cosign and syft for signing #5958: Updates cosign usage and adjusts signing/verification flags in the same workflow file, addressing related signing configuration changes.

Tip

Issue Planner is now in beta. Read the docs and try it out! Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

🧹 Nitpick comments (2)

.github/workflows/helm.yml (2)

160-163: Consider removing --use-signing-config=false from cosign sign as well.

After this fix cosign verify will use the signing config (the v3 default), but cosign sign on line 160 still explicitly opts out. The --use-signing-config flag enables "the transparency log shards can be rotated without having to update your client", and starting in Cosign v3 it is on by default — so the sign command is the one diverging from defaults, not verify.

The asymmetry is safe today (both paths resolve to the same public-good Sigstore TUF roots), but keeping --use-signing-config=false on sign means cosign won't auto-discover log-shard rotations during the signing step. Removing it from sign would make both commands consistent with v3 defaults:

♻️ Suggested alignment

-            cosign sign --yes --new-bundle-format=false --use-signing-config=false "$artifact_digest_uri"
+            cosign sign --yes --new-bundle-format=false "$artifact_digest_uri"
             cosign verify --new-bundle-format=false "$artifact_digest_uri" \

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/helm.yml around lines 160 - 163, Remove the explicit
opt-out flag from the signing command so both cosign sign and cosign verify use
the signing config by default: delete the --use-signing-config=false option from
the cosign sign invocation (the line invoking cosign sign
"$artifact_digest_uri") so signing can auto-discover transparency-log shard
rotations and match the behavior of the cosign verify call.

---

132-135: Cosign pinned to v3.0.2; v3.0.4 is the latest stable release.

v3.0.3 fixes a number of bugs reported by the community along with adding compatibility for the new bundle format and attestation storage in OCI to additional commands, and v3.0.4 was released on 2026-01-09. Consider upgrading the pinned release to get those fixes, and update the action's commit SHA accordingly.

♻️ Suggested update

       - name: Install cosign
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
         with:
-          cosign-release: 'v3.0.2'
+          cosign-release: 'v3.0.4'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/helm.yml around lines 132 - 135, The workflow pins the
cosign installer action to an older release and cosign version; update the
"Install cosign" step by changing the cosign-release input from 'v3.0.2' to
'v3.0.4' and also update the uses:
sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad to the commit
SHA that corresponds to the cosign-installer revision for v3.0.4 (i.e., replace
the hardcoded commit with the correct commit for that release) so the Install
cosign step and the cosign-release input are consistent with v3.0.4.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/helm.yml:
- Around line 160-163: Remove the explicit opt-out flag from the signing command
so both cosign sign and cosign verify use the signing config by default: delete
the --use-signing-config=false option from the cosign sign invocation (the line
invoking cosign sign "$artifact_digest_uri") so signing can auto-discover
transparency-log shard rotations and match the behavior of the cosign verify
call.
- Around line 132-135: The workflow pins the cosign installer action to an older
release and cosign version; update the "Install cosign" step by changing the
cosign-release input from 'v3.0.2' to 'v3.0.4' and also update the uses:
sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad to the commit
SHA that corresponds to the cosign-installer revision for v3.0.4 (i.e., replace
the hardcoded commit with the correct commit for that release) so the Install
cosign step and the cosign-release input are consistent with v3.0.4.