Merge pull request #1846 from actions/bdehamer/sigstore-3-0-0

`@actions/attest`: bump @sigstore/sign from 2.3.2 to 3.0.0

packages/attest/package.json

@@ -35,8 +35,8 @@
     "url": "https://github.com/actions/toolkit/issues"
   },
   "devDependencies": {
-    "@sigstore/mock": "^0.7.4",
+    "@sigstore/mock": "^0.8.0",
-    "@sigstore/rekor-types": "^2.0.0",
+    "@sigstore/rekor-types": "^3.0.0",
     "@types/jsonwebtoken": "^9.0.6",
     "nock": "^13.5.1",
     "undici": "^5.28.4"
@@ -46,8 +46,8 @@
     "@actions/github": "^6.0.0",
     "@actions/http-client": "^2.2.3",
     "@octokit/plugin-retry": "^6.0.1",
-    "@sigstore/bundle": "^2.3.2",
+    "@sigstore/bundle": "^3.0.0",
-    "@sigstore/sign": "^2.3.2",
+    "@sigstore/sign": "^3.0.0",
     "jose": "^5.2.3"
   },
   "overrides": {

packages/attest/src/sign.ts

@@ -86,7 +86,6 @@ const initBundleBuilder = (opts: SignOptions): BundleBuilder => {
     witnesses.push(
       new RekorWitness({
         rekorBaseURL: opts.rekorURL,
-        entryType: 'dsse',
         fetchOnConflict: true,
         timeout,
         retry
@@ -106,5 +105,5 @@ const initBundleBuilder = (opts: SignOptions): BundleBuilder => {
 
   // Build the bundle with the singleCertificate option which will
   // trigger the creation of v0.3 DSSE bundles
-  return new DSSEBundleBuilder({signer, witnesses, singleCertificate: true})
+  return new DSSEBundleBuilder({signer, witnesses})
 }