Update cosign to 3.0+

.github/workflows/publish-packages-1.0.yml

@@ -51,7 +51,7 @@ jobs:
       uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
 
     - name: Install Cosign
-      uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+      uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
     - name: dotnet restore
       run: dotnet restore ./build/OpenTelemetry.proj -p:RunningDotNetPack=true
@@ -72,7 +72,7 @@ jobs:
                 $fileFullPath = $_.FullName
                 Write-Output "Signing $fileFullPath"
 
-                cosign.exe sign-blob $fileFullPath --yes --output-signature $fileFullPath-keyless.sig --output-certificate $fileFullPath-keyless.pem
+                cosign.exe sign-blob --yes --bundle "$fileFullPath.sigstore.json" $fileFullPath
             }
         }
 
@@ -146,10 +146,10 @@ jobs:
             $dllFilePath = $dllFile.FullName
             Write-Output "Verifying $dllFilePath"
             cosign.exe verify-blob `
-              --signature $dllFilePath-keyless.sig `
-              --certificate $dllFilePath-keyless.pem `
+              --bundle "$dllFilePath.sigstore.json" `
               --certificate-identity "${env:GITHUB_SERVER_URL}/${env:GITHUB_REPOSITORY}/.github/workflows/publish-packages-1.0.yml@${env:GITHUB_REF}" `
               --certificate-oidc-issuer "https://token.actions.githubusercontent.com" `
+              --use-signed-timestamps `
               $dllFilePath
             if ($LASTEXITCODE -ne 0) {
                 Write-Output "::error::Signature verification failed for $dllFilePath."

README.md

@@ -188,18 +188,36 @@ and can be installed using the
 
 Starting with the `1.10.0` release the DLLs included in the packages pushed to
 NuGet are digitally signed using [Sigstore](https://www.sigstore.dev/). Within
-each NuGet package the digital signature and its corresponding certificate file
-are placed alongside the shipped DLL(s) in the `/lib` folder. When a project
-targets multiple frameworks each target outputs a dedicated DLL and signing
-artifacts into a sub folder based on the
-[TFM](https://learn.microsoft.com/dotnet/standard/frameworks).
+each NuGet package the digital signature artifacts are placed alongside the
+shipped DLL(s) in the `/lib` folder. When a project targets multiple frameworks
+each target outputs a dedicated DLL and signing artifacts into a sub folder
+based on the [TFM](https://learn.microsoft.com/dotnet/standard/frameworks).
 
-The digital signature and certificate files share the same name prefix as the
-DLL to ensure easy identification and association.
+The digital signature files share the same name prefix as the DLL to ensure
+easy identification and association.
 
 To verify the integrity of a DLL inside a NuGet package use the
 [cosign](https://github.com/sigstore/cosign) tool from Sigstore:
 
+#### Version 1.14.0 and later
+
+These versions are using bundle format known from cosign 3.0+.
+
+```bash
+$TAG="core-1.14.0"
+cosign verify-blob \
+    --bundle OpenTelemetry.dll.sigstore.json \
+    --certificate-identity "https://github.com/open-telemetry/opentelemetry-dotnet/.github/workflows/publish-packages-1.0.yml@refs/tags/$TAG" \
+    --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+    --use-signed-timestamps \
+    OpenTelemetry.dll
+```
+
+#### Versions 1.10.0 - 1.14.0-rc.1
+
+These versions are using separate signature and certificate files format known
+from cosign 2.x.
+
 ```bash
 $TAG="core-1.12.0"
 cosign verify-blob \

build/Common.prod.props

@@ -54,17 +54,12 @@
   <Target Name="IncludeSigningSignaturesInPackages" BeforeTargets="_GetTargetFrameworksOutput">
     <!-- Note: This target adds any signatures found to NuGet packages -->
     <ItemGroup>
-      <SignatureFiles Include="$(ArtifactsPath)\bin\$(MSBuildProjectName)\$(Configuration.ToLower())_*\$(MSBuildProjectName).dll-keyless.sig" />
-      <CertificateFiles Include="$(ArtifactsPath)\bin\$(MSBuildProjectName)\$(Configuration.ToLower())_*\$(MSBuildProjectName).dll-keyless.pem" />
+      <SigstoreBundle Include="$(ArtifactsPath)\bin\$(MSBuildProjectName)\$(Configuration.ToLower())_*\$(MSBuildProjectName).dll.sigstore.json" />
       <!-- RecursiveDir is equal to e.g. `release_net8.0` so we need to strip it out -->
-      <SignatureFilesWithTfm Include="@(SignatureFiles)">
+      <SigstoreBundleWithTfm Include="@(SigstoreBundle)">
         <TargetFramework>$([System.String]::Copy('%(RecursiveDir)').Replace(`$(Configuration.ToLower())_`, ''))</TargetFramework>
-      </SignatureFilesWithTfm>
-      <CertificateFilesWithTfm Include="@(CertificateFiles)">
-        <TargetFramework>$([System.String]::Copy('%(RecursiveDir)').Replace(`$(Configuration.ToLower())_`, ''))</TargetFramework>
-      </CertificateFilesWithTfm>
-      <Content Include="@(SignatureFilesWithTfm)" Pack="True" PackagePath="lib\%(SignatureFilesWithTfm.TargetFramework)%(Filename)%(Extension)" />
-      <Content Include="@(CertificateFilesWithTfm)" Pack="True" PackagePath="lib\%(CertificateFilesWithTfm.TargetFramework)%(Filename)%(Extension)" />
+      </SigstoreBundleWithTfm>
+      <Content Include="@(SigstoreBundleWithTfm)" Pack="True" PackagePath="lib\%(SigstoreBundleWithTfm.TargetFramework)%(Filename)%(Extension)" />
     </ItemGroup>
 
     <Message Importance="high" Text="**IncludeSignaturesInPackagesDebug** SignatureFiles: @(SignatureFilesWithTfm)" />

src/OpenTelemetry.Api.ProviderBuilderExtensions/CHANGELOG.md

@@ -7,6 +7,13 @@ Notes](../../RELEASENOTES.md).
 
 ## Unreleased
 
+* **Breaking Change** NuGet packages now use the Sigstore bundle format
+  (`.sigstore.json`) for digital signatures instead of separate signature
+  (`.sig`) and certificate (`.pem`) files. This requires cosign 3.0 or later
+  for verification. See the [Digital signing
+  section](../../README.md#digital-signing) for updated verification instructions.
+  ([#6623](https://github.com/open-telemetry/opentelemetry-dotnet/pull/6623))
+
 ## 1.14.0-rc.1
 
 Released 2025-Oct-21

src/OpenTelemetry.Api/CHANGELOG.md

@@ -6,6 +6,13 @@ Notes](../../RELEASENOTES.md).
 
 ## Unreleased
 
+* **Breaking Change** NuGet packages now use the Sigstore bundle format
+  (`.sigstore.json`) for digital signatures instead of separate signature
+  (`.sig`) and certificate (`.pem`) files. This requires cosign 3.0 or later
+  for verification. See the [Digital signing
+  section](../../README.md#digital-signing) for updated verification instructions.
+  ([#6623](https://github.com/open-telemetry/opentelemetry-dotnet/pull/6623))
+
 ## 1.14.0-rc.1
 
 Released 2025-Oct-21

src/OpenTelemetry.Exporter.Console/CHANGELOG.md

@@ -6,6 +6,13 @@ Notes](../../RELEASENOTES.md).
 
 ## Unreleased
 
+* **Breaking Change** NuGet packages now use the Sigstore bundle format
+  (`.sigstore.json`) for digital signatures instead of separate signature
+  (`.sig`) and certificate (`.pem`) files. This requires cosign 3.0 or later
+  for verification. See the [Digital signing
+  section](../../README.md#digital-signing) for updated verification instructions.
+  ([#6623](https://github.com/open-telemetry/opentelemetry-dotnet/pull/6623))
+
 ## 1.14.0-rc.1
 
 Released 2025-Oct-21

src/OpenTelemetry.Exporter.InMemory/CHANGELOG.md

@@ -6,6 +6,13 @@ Notes](../../RELEASENOTES.md).
 
 ## Unreleased
 
+* **Breaking Change** NuGet packages now use the Sigstore bundle format
+  (`.sigstore.json`) for digital signatures instead of separate signature
+  (`.sig`) and certificate (`.pem`) files. This requires cosign 3.0 or later
+  for verification. See the [Digital signing
+  section](../../README.md#digital-signing) for updated verification instructions.
+  ([#6623](https://github.com/open-telemetry/opentelemetry-dotnet/pull/6623))
+
 ## 1.14.0-rc.1
 
 Released 2025-Oct-21

src/OpenTelemetry.Exporter.OpenTelemetryProtocol/CHANGELOG.md

@@ -7,6 +7,13 @@ Notes](../../RELEASENOTES.md).
 
 ## Unreleased
 
+* **Breaking Change** NuGet packages now use the Sigstore bundle format
+  (`.sigstore.json`) for digital signatures instead of separate signature
+  (`.sig`) and certificate (`.pem`) files. This requires cosign 3.0 or later
+  for verification. See the [Digital signing
+  section](../../README.md#digital-signing) for updated verification instructions.
+  ([#6623](https://github.com/open-telemetry/opentelemetry-dotnet/pull/6623))
+
 ## 1.14.0-rc.1
 
 Released 2025-Oct-21

src/OpenTelemetry.Exporter.Prometheus.AspNetCore/CHANGELOG.md

@@ -19,6 +19,13 @@ Notes](../../RELEASENOTES.md).
 * Added the possibility to disable timestamps via the `PrometheusAspNetCoreOptions`.
   ([#6600](https://github.com/open-telemetry/opentelemetry-dotnet/pull/6600))
 
+* **Breaking Change** NuGet packages now use the Sigstore bundle format
+  (`.sigstore.json`) for digital signatures instead of separate signature
+  (`.sig`) and certificate (`.pem`) files. This requires cosign 3.0 or later
+  for verification. See the [Digital signing
+  section](../../README.md#digital-signing) for updated verification instructions.
+  ([#6623](https://github.com/open-telemetry/opentelemetry-dotnet/pull/6623))
+
 ## 1.13.1-beta.1
 
 Released 2025-Oct-10

src/OpenTelemetry.Exporter.Prometheus.HttpListener/CHANGELOG.md

@@ -19,6 +19,13 @@ Notes](../../RELEASENOTES.md).
 * Added the possibility to disable timestamps via the `PrometheusHttpListenerOptions`.
   ([#6600](https://github.com/open-telemetry/opentelemetry-dotnet/pull/6600))
 
+* **Breaking Change** NuGet packages now use the Sigstore bundle format
+  (`.sigstore.json`) for digital signatures instead of separate signature
+  (`.sig`) and certificate (`.pem`) files. This requires cosign 3.0 or later
+  for verification. See the [Digital signing
+  section](../../README.md#digital-signing) for updated verification instructions.
+  ([#6623](https://github.com/open-telemetry/opentelemetry-dotnet/pull/6623))
+
 ## 1.13.1-beta.1
 
 Released 2025-Oct-10

src/OpenTelemetry.Exporter.Zipkin/CHANGELOG.md

@@ -6,6 +6,13 @@ Notes](../../RELEASENOTES.md).
 
 ## Unreleased
 
+* **Breaking Change** NuGet packages now use the Sigstore bundle format
+  (`.sigstore.json`) for digital signatures instead of separate signature
+  (`.sig`) and certificate (`.pem`) files. This requires cosign 3.0 or later
+  for verification. See the [Digital signing
+  section](../../README.md#digital-signing) for updated verification instructions.
+  ([#6623](https://github.com/open-telemetry/opentelemetry-dotnet/pull/6623))
+
 ## 1.14.0-rc.1
 
 Released 2025-Oct-21

src/OpenTelemetry.Extensions.Hosting/CHANGELOG.md

@@ -6,6 +6,13 @@ Notes](../../RELEASENOTES.md).
 
 ## Unreleased
 
+* **Breaking Change** NuGet packages now use the Sigstore bundle format
+  (`.sigstore.json`) for digital signatures instead of separate signature
+  (`.sig`) and certificate (`.pem`) files. This requires cosign 3.0 or later
+  for verification. See the [Digital signing
+  section](../../README.md#digital-signing) for updated verification instructions.
+  ([#6623](https://github.com/open-telemetry/opentelemetry-dotnet/pull/6623))
+
 ## 1.14.0-rc.1
 
 Released 2025-Oct-21

src/OpenTelemetry.Extensions.Propagators/CHANGELOG.md

@@ -6,6 +6,13 @@ covering all components see: [Release Notes](../../RELEASENOTES.md).
 
 ## Unreleased
 
+* **Breaking Change** NuGet packages now use the Sigstore bundle format
+  (`.sigstore.json`) for digital signatures instead of separate signature
+  (`.sig`) and certificate (`.pem`) files. This requires cosign 3.0 or later
+  for verification. See the [Digital signing
+  section](../../README.md#digital-signing) for updated verification instructions.
+  ([#6623](https://github.com/open-telemetry/opentelemetry-dotnet/pull/6623))
+
 ## 1.14.0-rc.1
 
 Released 2025-Oct-21

src/OpenTelemetry.Shims.OpenTracing/CHANGELOG.md

@@ -9,6 +9,13 @@ Notes](../../RELEASENOTES.md).
 * Add support for .NET 10.0.
   ([#6307](https://github.com/open-telemetry/opentelemetry-dotnet/pull/6307))
 
+* **Breaking Change** NuGet packages now use the Sigstore bundle format
+  (`.sigstore.json`) for digital signatures instead of separate signature
+  (`.sig`) and certificate (`.pem`) files. This requires cosign 3.0 or later
+  for verification. See the [Digital signing
+  section](../../README.md#digital-signing) for updated verification instructions.
+  ([#6623](https://github.com/open-telemetry/opentelemetry-dotnet/pull/6623))
+
 ## 1.13.1-beta.1
 
 Released 2025-Oct-10

src/OpenTelemetry/CHANGELOG.md

@@ -6,6 +6,13 @@ Notes](../../RELEASENOTES.md).
 
 ## Unreleased
 
+* **Breaking Change** NuGet packages now use the Sigstore bundle format
+  (`.sigstore.json`) for digital signatures instead of separate signature
+  (`.sig`) and certificate (`.pem`) files. This requires cosign 3.0 or later
+  for verification. See the [Digital signing
+  section](../../README.md#digital-signing) for updated verification instructions.
+  ([#6623](https://github.com/open-telemetry/opentelemetry-dotnet/pull/6623))
+
 ## 1.14.0-rc.1
 
 Released 2025-Oct-21