Background
Per ADR-0004, v0.2 adopts cosign-keyless (Sigstore + GitHub Actions OIDC) as the sole signing mechanism for CLI release artifacts. No Apple Developer ID / no Windows EV cert this round; native signing is deferred to v0.3+ pending audience signal (download volume / xattr-friction reports / enterprise asks).
This issue tracks the implementation tasks for the v0.2 release cut.
Acceptance criteria
The v0.2 release page must show, for each release tag cli-v0.2.x:
- 5 archives (existing):
dovecote-bun-{linux-x64,linux-arm64,darwin-x64,darwin-arm64,windows-x64}.{tar.gz,zip}
- 1
SHA256SUMS (existing)
- 6 new
<artifact>.sig files (one per archive + one for SHA256SUMS)
- 6 new
<artifact>.pem files (Fulcio-issued certificate per signature)
cosign verify-blob against any of the 6 signed artifacts must succeed with OIDC claims matching:
subject ends with musingfox/dovecote/.github/workflows/release-cli.yml@refs/tags/cli-v0.2.*
issuer = https://token.actions.githubusercontent.com
Task list
Release pipeline
Consumer side
Documentation
Validation
Out of scope
- Apple Developer ID signing / notarization (v0.3+ pending re-eval)
- Windows code signing / Azure Trusted Signing (v0.3+ pending re-eval)
- Server-side signing (
/v1/* API payloads) — unrelated; this issue is binary-artifact only
- Re-signing existing v0.1.x releases — no retro action; v0.1 stays SHA-only with
xattr workaround in release notes
References
Re-evaluation triggers for native signing (per ADR-0004)
Re-open this issue's scope (or file a follow-up) to add Apple Developer ID / Windows code signing if ANY of:
- CLI binary monthly downloads > 1000 for 3 consecutive months
-
5 issues report xattr workaround friction
- A named enterprise consumer explicitly requests Windows EV signing
Background
Per ADR-0004, v0.2 adopts cosign-keyless (Sigstore + GitHub Actions OIDC) as the sole signing mechanism for CLI release artifacts. No Apple Developer ID / no Windows EV cert this round; native signing is deferred to v0.3+ pending audience signal (download volume / xattr-friction reports / enterprise asks).
This issue tracks the implementation tasks for the v0.2 release cut.
Acceptance criteria
The v0.2 release page must show, for each release tag
cli-v0.2.x:dovecote-bun-{linux-x64,linux-arm64,darwin-x64,darwin-arm64,windows-x64}.{tar.gz,zip}SHA256SUMS(existing)<artifact>.sigfiles (one per archive + one forSHA256SUMS)<artifact>.pemfiles (Fulcio-issued certificate per signature)cosign verify-blobagainst any of the 6 signed artifacts must succeed with OIDC claims matching:subjectends withmusingfox/dovecote/.github/workflows/release-cli.yml@refs/tags/cli-v0.2.*issuer=https://token.actions.githubusercontent.comTask list
Release pipeline
sigstore/cosign-installer@v3to.github/workflows/release-cli.ymlbefore theCreate GitHub ReleasestepSign artifactsstep in thereleasejob:softprops/action-gh-release@v2files:glob to includerelease/*.sigandrelease/*.pemid-token: writeto the workflow's top-levelpermissions(required for OIDC token issuance)Consumer side
setup-dovecoteaction: add new optional inputverify(enum:"none"(default) |"cosign")verify: cosignis passed, the action additionally downloads the matching.sig+.pemand runscosign verify-blob --certificate-identity-regexp ... --certificate-oidc-issuer https://token.actions.githubusercontent.comverify: nonekeeps cli-v0.1.x consumers working (those releases have no sig sidecar)Documentation
cosign verify-blobfrom a workstationverify: cosignaction input usagecli-v0.2.0: mention cosign sidecars + link to runbook sectionValidation
cli-v0.2.0-rc1tag in a fork (or dedicated test tag) and verify all sidecars appearrelease-smokeworkflow against the rc tag withverify: cosigninput set on the action — must pass on ubuntu/macos/windowsOut of scope
/v1/*API payloads) — unrelated; this issue is binary-artifact onlyxattrworkaround in release notesReferences
Re-evaluation triggers for native signing (per ADR-0004)
Re-open this issue's scope (or file a follow-up) to add Apple Developer ID / Windows code signing if ANY of: