cast release incompatible with Cosign v3.x - --tlog-upload flag deprecated #359
Description
cast release fails when using Cosign v3.x due to the use of deprecated flags.
Error Message
FATA[0001] sign: cosign failed: exit status 1: Flag --tlog-upload has been deprecated, prefer using a --signing-config file with no transparency log services
Error: --tlog-upload=false is not supported with --signing-config or --use-signing-config. Provide a signing config with --signing-config without a transparency log service, which can be created with `cosign signing-config create` or `curl https://raw.githubusercontent.com/sigstore/root-signing/refs/heads/main/targets/signing_config.v0.2.json | jq 'del(.rekorTlogUrls)'` for the public instance
Steps to Reproduce
- Install Cosign v3.x
- Run cast release
Workaround
Downgrade to Cosign v2.4.1.
Suggested Fix
Update Cast to use --signing-config instead of the deprecated --tlog-upload=false flag when calling Cosign. Disabling transparency log uploads now requires providing a signing config without rekorTlogUrls (see sigstore/cosign#4458).