From e73a8866ca02d12f5e90439a6732d70864def1da Mon Sep 17 00:00:00 2001 From: Vince Grassia <593223+vgrassia@users.noreply.github.com> Date: Mon, 27 Oct 2025 13:59:04 -0400 Subject: [PATCH] Remove cosign verify commands --- .github/workflows/build-unified.yml | 15 +-------------- .github/workflows/release.yml | 24 ------------------------ 2 files changed, 1 insertion(+), 38 deletions(-) diff --git a/.github/workflows/build-unified.yml b/.github/workflows/build-unified.yml index 9e2b3f3..f3d8ae1 100644 --- a/.github/workflows/build-unified.yml +++ b/.github/workflows/build-unified.yml @@ -203,11 +203,10 @@ jobs: - name: Install Cosign if: env.is_publish_branch == 'true' - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 + uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - name: Sign image with Cosign if: env.is_publish_branch == 'true' - id: sign env: DIGEST: ${{ steps.build-docker.outputs.digest }} TAGS: ${{ steps.tag-list.outputs.tags }} @@ -218,18 +217,6 @@ jobs: images+=("${tag}@${DIGEST}") done cosign sign --yes "${images[@]}" - echo "images=${images[*]}" >> "$GITHUB_OUTPUT" - - - name: Verify the signed image(s) with Cosign - if: env.is_publish_branch == 'true' - env: - IMAGES: ${{ steps.sign.outputs.images }} - run: | - read -r -a images_array <<< "${COSIGN_IMAGES}" - cosign verify \ - --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \ - --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ - "${images_array[@]}" - name: Scan Docker image id: container-scan diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b246de0..3325791 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
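Review bot: With the `Verify the signed image(s) with Cosign` step removed, `cosign sign --yes "${images[@]}"` is the last signing-related command before `Scan Docker image`, so nothing in this job confirms that the pushed signature carries the expected certificate identity and OIDC issuer; the two `release.yml` hunks drop the same check after their `cosign sign` calls. The commit message gives no reason, so I would add a comment above the sign step such as `# Signatures are verified in <where verification happens>, not in this job`, with the placeholder filled in, or keep one verify per job. If the step is reinstated, note that the removed version exported `IMAGES` but read `${COSIGN_IMAGES}`, so the variable names need to match. In `release.yml` the remaining sign commands reference images by tag (`:latest`, `:$_RELEASE_TAG`) rather than by digest as this job does, which is where a post-sign check would matter most. The job's step list continues outside the hunk.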
@@ -299,18 +299,6 @@ jobs: cosign sign --yes "ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_TAG" cosign sign --yes "ghcr.io/bitwarden/$_PROJECT_NAME:latest" - - name: Verify the signed image with Cosign - run: | - cosign verify \ - --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \ - --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ - "ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_TAG" - - cosign verify \ - --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \ - --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ - "ghcr.io/bitwarden/$_PROJECT_NAME:latest" - - name: Log out of Docker run: | docker logout ghcr.io @@ -363,18 +351,6 @@ jobs: cosign sign --yes "ghcr.io/bitwarden/self-host:$_RELEASE_VERSION" cosign sign --yes "ghcr.io/bitwarden/self-host:latest" - - name: Verify the signed image with Cosign - run: | - cosign verify \ - --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \ - --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ - "ghcr.io/bitwarden/self-host:$_RELEASE_VERSION" - - cosign verify \ - --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \ - --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ - "ghcr.io/bitwarden/self-host:latest" - - name: Log out of skopeo and ghcr.io run: | skopeo logout --all