fix: get cosign from sigstore (#578)

Author: m2Giles

Justfile

@@ -46,7 +46,7 @@ rechunker := "ghcr.io/hhd-dev/rechunk:v1.2.4@sha256:8a84bd5a029681aa8db523f927b7
 [private]
 qemu := "ghcr.io/qemus/qemu:7.23@sha256:43993c9772b3cd2325829587f4dd01901388b7fcdc335bb817af714957d81e61"
 [private]
-cosign-installer := "cgr.dev/chainguard/cosign:latest@sha256:29d514586cc8a82899b5856362f61188e19d05df420ae7f0f2b1288486bf5c02"
+cosign-installer := "ghcr.io/sigstore/cosign/cosign:v2.4.1"
 [private]
 syft-installer := "ghcr.io/anchore/syft:v1.33.0@sha256:f94e5d9fce1f2278491a8e3a63bd5f6ddb81fdfdbb8bf7a1637565c1d5344357"
 
@@ -491,18 +491,18 @@ install-cosign:
 
         # Get Binary
         COSIGN_CONTAINER_ID="$({{ PODMAN }} create {{ cosign-installer }} bash)"
-        {{ PODMAN }} cp "${COSIGN_CONTAINER_ID}":/usr/bin/cosign "$TMPDIR"/cosign
+        {{ PODMAN }} cp "${COSIGN_CONTAINER_ID}":/ko-app/cosign "$TMPDIR"/cosign
         {{ PODMAN }} rm -f "${COSIGN_CONTAINER_ID}"
         {{ PODMAN }} rmi -f {{ cosign-installer }}
 
         # Install
         {{ SUDOIF }} install -c -m 0755 "$TMPDIR"/cosign /usr/local/bin/cosign
 
         # Verify Cosign Image Signatures if needed
-        if ! cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cosign >/dev/null; then
-            echo "NOTICE: Failed to verify cosign image signatures."
-            exit 1
-        fi
+        # if ! cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/cosign >/dev/null; then
+        #     echo "NOTICE: Failed to verify cosign image signatures."
+        #     exit 1
+        # fi
     fi
 
 # Login to GHCR