Fix artifact signing, use default runner #375
Merged
GPG signing was broken as `--detach-sign` does not itself take an argument to a file to sign; instead this should be a separate positional argument to the CLI as a whole. This means that stdin was signed instead of the specified file, resulting in bogus signatures.

While the existing cosign signatures work, they require additional calls to rekor to fetch the corresponding certificate used to sign. Mirroring what OpenTofu does, we can save the certificates directly so that users can verify without additional calls to the rekor network.
Lastly, switch to GitHub-hosted runners to avoid needing to use a self-hosted runner for this release stage.
Thanks to @JanMa and @janosdebugs for their help.
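The three changes the description lists, shown together in a GitHub Actions release job. This is an added illustration, not the project's workflow from this PR; the artifact path `dist/example.tar.gz`, the secret names `GPG_PRIVATE_KEY` and `GPG_PASSPHRASE`, and the identity regexp are assumptions. The `gpg` line passes the file as the trailing positional argument so that gpg signs the file rather than stdin, and the `cosign` step writes the Fulcio certificate next to the signature so verifiers supply it with `--certificate` instead of having it retrieved from the Rekor entry.

```yaml
name: release-sign (example)
on:
  push:
    tags: ['v*']

jobs:
  sign:
    # GitHub-hosted runner; no self-hosted runner needed for this stage.
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write   # required for keyless (Fulcio) cosign signing
    steps:
      - uses: actions/checkout@v4

      - name: Build artifact (placeholder for the real build step)
        run: |
          mkdir -p dist
          tar -czf dist/example.tar.gz src/

      - name: Import GPG signing key
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}   # assumed secret name
        run: printf '%s' "$GPG_PRIVATE_KEY" | gpg --batch --import

      - name: GPG detached signature
        env:
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}     # assumed secret name
        run: |
          # --detach-sign takes no argument of its own. The file to sign must be
          # the final positional argument; if it is missing, gpg signs stdin and
          # produces a signature that does not match the artifact.
          gpg --batch --yes --armor \
              --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" \
              --output dist/example.tar.gz.asc \
              --detach-sign dist/example.tar.gz
          # Fail the job right away if the signature does not cover the file.
          gpg --batch --verify dist/example.tar.gz.asc dist/example.tar.gz

      - uses: sigstore/cosign-installer@v3

      - name: Cosign keyless signature, certificate saved alongside
        run: |
          cosign sign-blob --yes \
            --output-signature   dist/example.tar.gz.sig \
            --output-certificate dist/example.tar.gz.pem \
            dist/example.tar.gz

      - name: Verify the way a downstream user would
        run: |
          cosign verify-blob \
            --certificate dist/example.tar.gz.pem \
            --signature   dist/example.tar.gz.sig \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp '^https://github\.com/.+/\.github/workflows/.+' \
            dist/example.tar.gz
```

Two practitioner notes. First, pin `--certificate-identity` (or a tight `--certificate-identity-regexp`) to the repository and workflow that is allowed to sign; a regexp that accepts any GitHub workflow, as in the placeholder above, accepts any repository's signature. Second, shipping the `.pem` removes the certificate fetch from the verification path, but keyless verification still checks the transparency log for an inclusion proof; if fully offline verification is the goal, also emit a `--bundle` from `cosign sign-blob` and verify it with `cosign verify-blob --bundle ... --offline`.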