chore: Upgrade sigstore and goreleaser binaries (#1104)

* chore: Upgrade sigstore and goreleaser binaries
* Pin to goreleaser's v1 major versions

Author: banjoh

.github/workflows/build-test-deploy.yaml

@@ -285,9 +285,10 @@ jobs:
         with:
           go-version: "1.19"
 
-      - uses: sigstore/cosign-installer@main
+      - uses: sigstore/cosign-installer@v3
         with:
-          cosign-release: "v1.2.1"
+          # DO NOT USE v2 until we decide on whether to use Rekor or not
+          cosign-release: "v1.13.1"  # Binary version to install
 
       - name: Get Cosign Key
         run: |
@@ -305,7 +306,7 @@ jobs:
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v4
         with:
-          version: "v0.183.0"
+          version: "v1.x"  # Binary version to install
           args: release --rm-dist --config deploy/.goreleaser.yaml
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -61,7 +61,14 @@ A signed SBOM  that includes Troubleshoot dependencies is included in each relea
 
 The following example illustrates using [cosign](https://github.com/sigstore/cosign) to verify that **troubleshoot-sbom.tgz** has
 not been tampered with.
-```
+```sh
 $ cosign verify-blob --key key.pub --signature troubleshoot-sbom.tgz.sig troubleshoot-sbom.tgz
 Verified OK
 ```
+
+If you were to get an error similar to the one below, it means you are verifying an SBOM signed using cosign `v1` using a newer `v2` of the binary. This version introduced [breaking changes](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md#breaking-changes) which require an additional flag `--insecure-ignore-tlog=true` to successfully verify SBOMs like so.
+```sh
+$ cosign verify-blob --key key.pub --signature troubleshoot-sbom.tgz.sig troubleshoot-sbom.tgz --insecure-ignore-tlog=true
+WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the blob.
+Verified OK
+```