From 31210e00d5502b802f649e188eafdfd15f592937 Mon Sep 17 00:00:00 2001
From: Rob Zolkos
Date: Thu, 4 Jun 2026 13:29:59 -0400
Subject: [PATCH] Use cosign bundle for release checksum signing
---
 .goreleaser.yaml | 5 +++--
 RELEASING.md | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 7768df3..ec3fa34 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -49,11 +49,12 @@ signs:
 - cmd: cosign
 artifacts: checksum
 output: true
+signature: "${artifact}.bundle"
 args:
 - sign-blob
 - --yes
-- --output-certificate=${certificate}
-- --output-signature=${signature}
+- --new-bundle-format=true
+- --bundle=${signature}
 - ${artifact}
 
 notarize:
diff --git a/RELEASING.md b/RELEASING.md
index beb27f4..b322197 100644
--- a/RELEASING.md
+++ b/RELEASING.md
@@ -14,7 +14,7 @@ Pushing the tag triggers the GitHub Actions release workflow, which:
 1. Runs the full test suite
 2. Builds binaries for all platforms (linux/darwin/windows/freebsd/openbsd x amd64/arm64)
 3. Signs macOS binaries (Developer ID + notarization)
-4. Signs checksums with cosign (keyless, OIDC)
+4. Signs checksums with a cosign keyless bundle (OIDC)
 5. Generates SBOMs with Syft
 6. Builds .deb and .rpm packages
 7. For stable tags only, publishes the Homebrew cask to `basecamp/homebrew-tap`
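Review bot: The new `--new-bundle-format=true` / `--bundle=${signature}` arguments in the `.goreleaser.yaml` hunk require a cosign release that understands the Sigstore bundle format (introduced in cosign 2.4, as far as I recall), and the workflow that installs cosign is not part of this patch, so the installed version should be pinned to a bundle-capable release or the signing step will fail at release time. Consumers likewise need a bundle-aware cosign to verify, and any published verification instructions that reference a `.sig`/`.pem` pair are now stale, because only `${artifact}.bundle` is produced once `--output-certificate` and `--output-signature` are dropped. I would record the verification path next to the config, e.g. a comment above the `signature:` line: `# Single Sigstore bundle (signature, signing certificate, transparency-log entry); verify with: cosign verify-blob --bundle <checksum-file>.bundle --certificate-identity-regexp <workflow-identity> --certificate-oidc-issuer <oidc-issuer> <checksum-file>`. Removing `--output-certificate` also means no certificate file is written any more; if goreleaser still expects its default `${artifact}.pem` certificate artifact, confirm the pipeline tolerates the missing file rather than treating it as an error.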