choose different signature filename for KMS-signed release signatures (#4448)

* choose different signature filename for keyless release signatures

Signed-off-by: Bob Callaway <[email protected]>

* switch, rename the kms-signed objects

Signed-off-by: Bob Callaway <[email protected]>

* update README

Signed-off-by: Bob Callaway <[email protected]>

* update README

Signed-off-by: Bob Callaway <[email protected]>

---------

Signed-off-by: Bob Callaway <[email protected]>

Author: bobcallaway

.goreleaser.yml

@@ -155,7 +155,7 @@ signs:
   - id: cosign
     cmd: ./dist/cosign-linux-amd64
     args: ["sign-blob", "--bundle", "${signature}", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
-    signature: "${artifact}.sigstore.json"
+    signature: "${artifact}-kms.sigstore.json"
     artifacts: binary
   # Keyless
   - id: cosign-keyless

README.md

@@ -761,8 +761,6 @@ will be released when there are breaking features.
 Should you discover any security issues, please refer to sigstore's [security
 process](https://github.com/sigstore/.github/blob/main/SECURITY.md)
 
-## PEM files in GitHub Release Assets
+## Bundle files in GitHub Release Assets
 
-The GitHub release assets for cosign contain a PEM file produced by [GoReleaser](https://github.com/sigstore/cosign/blob/ac999344eb381ae91455b0a9c5c267e747608d76/.goreleaser.yml#L166) while signing the cosign blob that is used to verify the integrity of the release binaries. This file is not used by cosign itself, but is provided for users who wish to verify the integrity of the release binaries.
-
-By default, cosign output these PEM files in [base64 encoded format](https://github.com/sigstore/cosign/blob/main/doc/cosign_sign-blob.md#options), this approach might be good for air-gapped environments where the PEM file is stored in a file system. So, you should decode these PEM files before using them to verify the blobs.
+The GitHub release assets for `cosign` contain Sigstore bundle files produced by [GoReleaser](https://github.com/sigstore/cosign/blob/ac999344eb381ae91455b0a9c5c267e747608d76/.goreleaser.yml#L166) while signing the cosign blob that is used to verify the integrity of the release binaries. This file is not used by cosign itself, but is provided for users who wish to [verify the integrity of the release binaries](https://docs.sigstore.dev/cosign/system_config/installation/#verifying-cosign-with-artifact-key).