BRE-1276 - Remove cosign verify commands (#420)

.github/workflows/build-unified.yml

@@ -203,11 +203,10 @@ jobs:
 
       - name: Install Cosign
         if: env.is_publish_branch == 'true'
-        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Sign image with Cosign
         if: env.is_publish_branch == 'true'
-        id: sign
         env:
           DIGEST: ${{ steps.build-docker.outputs.digest }}
           TAGS: ${{ steps.tag-list.outputs.tags }}
@@ -217,19 +216,7 @@ jobs:
           for tag in "${tags_array[@]}"; do
             images+=("${tag}@${DIGEST}")
           done
-          cosign sign --yes "${images[@]}"
-          echo "images=${images[*]}" >> "$GITHUB_OUTPUT"
-
-      - name: Verify the signed image(s) with Cosign
-        if: env.is_publish_branch == 'true'
-        env:
-          IMAGES: ${{ steps.sign.outputs.images }}
-        run: |
-          read -r -a images_array <<< "${COSIGN_IMAGES}"
-          cosign verify \
-            --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            "${images_array[@]}"
+          cosign sign --yes ${images[@]}
 
       - name: Scan Docker image
         id: container-scan

.github/workflows/release.yml

@@ -252,7 +252,7 @@ jobs:
           persist-credentials: false
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Log in to Azure
         uses: bitwarden/gh-actions/azure-login@main
@@ -299,18 +299,6 @@ jobs:
           cosign sign --yes "ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_TAG"
           cosign sign --yes "ghcr.io/bitwarden/$_PROJECT_NAME:latest"
 
-      - name: Verify the signed image with Cosign
-        run: |
-          cosign verify \
-            --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            "ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_TAG"
-
-          cosign verify \
-            --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            "ghcr.io/bitwarden/$_PROJECT_NAME:latest"
-
       - name: Log out of Docker
         run: |
           docker logout ghcr.io
@@ -347,7 +335,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Push version and latest image
         if: ${{ inputs.release_type != 'Dry Run' }}
@@ -363,18 +351,6 @@ jobs:
           cosign sign --yes "ghcr.io/bitwarden/self-host:$_RELEASE_VERSION"
           cosign sign --yes "ghcr.io/bitwarden/self-host:latest"
 
-      - name: Verify the signed image with Cosign
-        run: |
-          cosign verify \
-            --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            "ghcr.io/bitwarden/self-host:$_RELEASE_VERSION"
-
-          cosign verify \
-            --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            "ghcr.io/bitwarden/self-host:latest"
-
       - name: Log out of skopeo and ghcr.io
         run: |
           skopeo logout --all