fix(aqua): support cosign v3 bundle verification#7314
Merged
Conversation
Update sigstore-verification to 0.1.8 which adds support for cosign v3 message signature bundles. Cosign v3 changed from using DSSE envelopes to messageSignature for direct blob signing.

Fixes #6655

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Pull request overview
This PR updates the sigstore-verification dependency from version 0.1.7 to 0.1.8 to add support for cosign v3 bundle verification. Cosign v3 introduced a breaking change by switching from DSSE envelopes to messageSignature for direct blob signing, which was causing installation failures for packages using the new v3 bundle format.
- Updated sigstore-verification dependency to version 0.1.8 in both workspace and vfox crate
- Enables installation of cosign v3 packages (e.g., aqua:sigstore/cosign@3.0.2)
- Maintains backward compatibility with cosign v2 packages
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| crates/vfox/Cargo.toml | Updates sigstore-verification dependency to 0.1.8 |
| Cargo.toml | Updates workspace-level sigstore-verification dependency to 0.1.8 |
Hyperfine Performance
mise x -- echo
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2025.12.7 x -- echo | 20.9 ± 0.5 | 19.8 | 23.2 | 1.03 ± 0.04 |
| mise x -- echo | 20.4 ± 0.6 | 19.2 | 24.6 | 1.00 |
mise env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2025.12.7 env | 20.3 ± 0.7 | 19.3 | 27.1 | 1.02 ± 0.05 |
| mise env | 19.9 ± 0.6 | 18.6 | 21.3 | 1.00 |
mise hook-env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2025.12.7 hook-env | 20.4 ± 0.6 | 19.4 | 27.9 | 1.02 ± 0.05 |
| mise hook-env | 20.1 ± 0.6 | 18.8 | 22.3 | 1.00 |
mise ls
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2025.12.7 ls | 17.3 ± 0.4 | 16.3 | 18.9 | 1.00 |
| mise ls | 17.7 ± 0.7 | 16.5 | 26.8 | 1.03 ± 0.05 |
xtasks/test/perf
| Command | mise-2025.12.7 | mise | Variance |
|---|---|---|---|
| install (cached) | 109ms | 110ms | +0% |
| ls (cached) | 65ms | 66ms | -1% |
| bin-paths (cached) | 72ms | 72ms | +0% |
| task-ls (cached) | 438ms | -80% |
jdx pushed a commit that referenced this pull request on Dec 15, 2025
### 🚀 Features
- **(conda)** add dependency resolution for conda packages by @jdx in [#7280](#7280)
- **(go)** add created_at support to ls-remote --json by @jdx in [#7305](#7305)
- **(hook-env)** add hook_env.cache_ttl and hook_env.chpwd_only settings for NFS optimization by @jdx in [#7312](#7312)
- **(hooks)** add MISE_TOOL_NAME and MISE_TOOL_VERSION to preinstall/postinstall hooks by @jdx in [#7311](#7311)
- **(shell_alias)** add shell_alias support for cross-shell aliases by @jdx in [#7316](#7316)
- **(tool)** add security field to mise tool --json by @jdx in [#7303](#7303)
- add --before flag for date-based version filtering by @jdx in [#7298](#7298)

### 🐛 Bug Fixes
- **(aqua)** support cosign v3 bundle verification by @jdx in [#7314](#7314)
- **(config)** use correct config_root in tera context for hooks by @jdx in [#7309](#7309)
- **(nu)** fix nushell deactivation script on Windows by @fu050409 in [#7213](#7213)
- **(python)** apply uv_venv_create_args in auto-venv code path by @jdx in [#7310](#7310)
- **(shell)** escape exe path in activation scripts for paths with spaces by @jdx in [#7315](#7315)
- **(task)** parallelize exec_env loading to fix parallel task execution by @jdx in [#7313](#7313)
- track downloads for python and java by @jdx in [#7304](#7304)
- include full tool ID in download track by @jdx in [#7320](#7320)

### 📚 Documentation
- Switch `postinstall` code to be shell-agnostic by @thejcannon in [#7317](#7317)

### 🧪 Testing
- **(e2e)** disable debug mode by default for windows-e2e by @jdx in [#7318](#7318)

### New Contributors
- @fu050409 made their first contribution in [#7213](#7213)
Summary
- `messageSignature` for direct blob signing
- `aqua:sigstore/cosign@3.0.2` and other packages using the new v3 bundle format
- Fixes #6655

Changes in sigstore-verification 0.1.8
- `MessageSignature` and `MessageDigest` types for parsing v3 bundles
- `dsse_envelope` optional in `SigstoreBundle` struct
- `messageSignature` bundles
- `messageSignature`

Test plan
- `mise install aqua:sigstore/cosign@3.0.2` - succeeds
- `mise install aqua:sigstore/cosign@2.6.1` - still works
- `mise run test:e2e test_aqua_cosign` - passes

🤖 Generated with Claude Code
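As an added example (not code from this PR, from mise, or from the sigstore-verification crate), here is the parse-and-branch logic that the PR description and the Copilot summary above both call for: a verifier that accepts a Sigstore bundle carrying either a `dsseEnvelope` or a `messageSignature` and checks it against a blob with a trusted key. Go is used rather than the project's Rust because everything needed (ECDSA P-256, SHA-256, JSON, base64) is in the standard library, and cosign itself is a Go tool. The JSON field names (`dsseEnvelope`, `messageSignature`, `messageDigest` with `algorithm` and `digest`, `signature`, `payload`, `payloadType`, `signatures[].sig`) follow the Sigstore bundle JSON; everything else is an assumption of the example: the bundle's `verificationMaterial` (certificate, Rekor entry) is not modelled or checked, a DSSE-wrapped blob is assumed to carry the blob itself as the envelope payload, and the sample bundles come from `SignBoth` with an ephemeral key, not from cosign output. It goes one step beyond the PR text by verifying both forms, which makes the concrete difference visible: a `messageSignature` bundle signs the SHA-256 of the blob itself, while a DSSE envelope signs the PAE of (payloadType, payload).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Minimal view of the Sigstore bundle JSON: only the signature-content oneof; verificationMaterial is not modelled.
type (
	Bundle struct {
		DSSEEnvelope     *DSSEEnvelope     `json:"dsseEnvelope,omitempty"`
		MessageSignature *MessageSignature `json:"messageSignature,omitempty"`
	}
	DSSEEnvelope struct {
		Payload     string                             `json:"payload"` // base64 body
		PayloadType string                             `json:"payloadType"`
		Signatures  []struct{ Sig string `json:"sig"` } `json:"signatures"` // base64 DER ECDSA signatures over the PAE
	}
	MessageSignature struct {
		MessageDigest *MessageDigest `json:"messageDigest,omitempty"`
		Signature     string         `json:"signature"` // base64 DER ECDSA signature over the blob digest
	}
	MessageDigest struct {
		Algorithm string `json:"algorithm"` // "SHA2_256"
		Digest    string `json:"digest"`    // base64 raw digest bytes
	}
)

func pae(payloadType string, payload []byte) []byte { // DSSE Pre-Authentication Encoding: what a DSSE signer signs
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// VerifyBlob parses a bundle and checks it against blob with a trusted key (the pre-0.1.8 code the PR describes only knew the dsseEnvelope form).
func VerifyBlob(raw []byte, pub *ecdsa.PublicKey, blob []byte) error {
	var b Bundle
	if err := json.Unmarshal(raw, &b); err != nil {
		return fmt.Errorf("parse bundle: %w", err)
	}
	if (b.MessageSignature != nil) == (b.DSSEEnvelope != nil) { // exactly one content form must be present
		return errors.New("bundle must carry exactly one of messageSignature, dsseEnvelope")
	}
	if ms := b.MessageSignature; ms != nil { // cosign v3 blob bundle: the signature is over the raw blob digest
		digest := sha256.Sum256(blob)
		if md := ms.MessageDigest; md != nil { // optional, but when present it must match the blob
			want, err := base64.StdEncoding.DecodeString(md.Digest)
			if md.Algorithm != "SHA2_256" || err != nil || !bytes.Equal(want, digest[:]) {
				return errors.New("messageDigest is not the SHA2_256 digest of the blob")
			}
		}
		sig, err := base64.StdEncoding.DecodeString(ms.Signature)
		if err != nil || !ecdsa.VerifyASN1(pub, digest[:], sig) {
			return errors.New("messageSignature: ECDSA verification failed")
		}
		return nil
	}
	payload, err := base64.StdEncoding.DecodeString(b.DSSEEnvelope.Payload)
	if err != nil || !bytes.Equal(payload, blob) { // assumption: the envelope payload is the blob itself
		return errors.New("dsse payload does not match blob")
	}
	paeDigest := sha256.Sum256(pae(b.DSSEEnvelope.PayloadType, payload)) // DSSE signs the PAE, never the bare blob
	for _, s := range b.DSSEEnvelope.Signatures {
		if sig, err := base64.StdEncoding.DecodeString(s.Sig); err == nil && ecdsa.VerifyASN1(pub, paeDigest[:], sig) {
			return nil
		}
	}
	return errors.New("dsseEnvelope: no signature verified")
}

// SignBoth builds constructed sample bundles (not cosign output) for blob in both forms.
func SignBoth(priv *ecdsa.PrivateKey, blob []byte) (v3, dsse []byte) {
	enc := base64.StdEncoding.EncodeToString
	sign := func(d [32]byte) string { // sample-only helper; panics instead of returning the error
		sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
		if err != nil {
			panic(err)
		}
		return enc(sig)
	}
	d, pt := sha256.Sum256(blob), "application/octet-stream"
	v3, _ = json.Marshal(Bundle{MessageSignature: &MessageSignature{
		MessageDigest: &MessageDigest{Algorithm: "SHA2_256", Digest: enc(d[:])}, Signature: sign(d)}})
	dsse, _ = json.Marshal(map[string]interface{}{"dsseEnvelope": map[string]interface{}{"payload": enc(blob),
		"payloadType": pt, "signatures": []map[string]string{{"sig": sign(sha256.Sum256(pae(pt, blob)))}}}})
	return v3, dsse
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	blob := []byte("#!/bin/sh\necho cosign-v3-test\n") // constructed sample artifact
	v3, dsse := SignBoth(priv, blob)
	fmt.Println("v3:", VerifyBlob(v3, &priv.PublicKey, blob), "| dsse:", VerifyBlob(dsse, &priv.PublicKey, blob))
}
```

Run it with `go run`. `VerifyBlob` rejects a bundle with neither or both content fields, a `messageDigest` that does not match the blob, a signature made with another key, and a DSSE payload that differs from the blob. Deleting the `messageSignature` branch reproduces the pre-0.1.8 behaviour the PR describes: every v3 bundle then fails before any signature is checked, which is the installation failure for `aqua:sigstore/cosign@3.0.2`.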
Note
Bumps sigstore-verification to 0.1.8 and relaxes vfox's dependency to the 0.1 range.
- `sigstore-verification` to `0.1.8` in `Cargo.lock`.
- `crates/vfox/Cargo.toml` dependency on `sigstore-verification` from `"0.1.7"` to `"0.1"`.

Written by Cursor Bugbot for commit 744770b.