Remove cosign verify commands and update cosign-installed action to v4.0.0 (#239)

.github/workflows/build.yml

@@ -116,7 +116,7 @@ jobs:
 
       - name: Install Cosign
         if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
-        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Sign image with Cosign
         if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
@@ -130,7 +130,6 @@ jobs:
             images+=("${tag}@${DIGEST}")
           done
           cosign sign --yes "${images[@]}"
-          echo "images=${images[*]}" >> "$GITHUB_OUTPUT"
 
       - name: Scan Docker image
         id: container-scan

.github/workflows/publish.yml

@@ -56,7 +56,7 @@ jobs:
       packages: write
     steps:
       - name: Install Cosign
-        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
@@ -75,13 +75,5 @@ jobs:
         if: ${{ inputs.publish_type != 'Dry Run' }}
         run: docker push "ghcr.io/bitwarden/key-connector:latest"
 
-      - name: Verify the signed image with Cosign
-        if: ${{ inputs.publish_type != 'Dry Run' }}
-        run: |
-          cosign verify \
-            --certificate-identity-regexp="https://github\.com/bitwarden/key-connector/.*" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            "ghcr.io/bitwarden/key-connector:latest"
-
       - name: Log out of Docker
         run: docker logout ghcr.io