
Commit d15415a

committed
Update cosign docs on new bundle format
Signed-off-by: Cody Soyland <[email protected]>
1 parent cb70e79 commit d15415a

File tree

1 file changed

+6
-2
lines changed


content/en/cosign/verifying/verify.md

+6-2
Original file line numberDiff line numberDiff line change
@@ -252,9 +252,13 @@ You can override the public good instance CA using the environment variable `SIG
252252
export SIGSTORE_ROOT_FILE="/home/jdoe/myrootCA.pem"
253253
```
254254

255-
## New bundle format coming soon
255+
## New bundle format
256256

257-
There's a new bundle format using [bundle protobuf-specs](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto) that has a number of advantages over the previous bundle format: it supports offline verification, and includes additional information (like signed timestamps and attestations) in a single file.
257+
Cosign has recently added support for the [Sigstore bundle format]({{< relref "about/bundle" >}}), which is a new format for storing and sharing software signatures, attestations, and other metadata needed to verify an artifact. This carries a number of advantages over the previous bundle format: it supports offline verification, and includes additional information (like signed timestamps and attestations) in a single file. Additionally, language client support for the new format is widely available for Go, Python, Javascript, and Java.
258+
259+
The new format is disabled by default in Cosign v2.x. As of Cosign v2.4.x, the new bundle format is implemented for `sign-blob`, `verify-blob`, `sign-blob-attestation`, and `verify-blob-attestation` commands. As of Cosign v2.5.x, the new bundle format is implemented for `attest` and `verify-attestation`. Support for `sign` and `verify` is coming soon.
260+
261+
In order to use the new bundle format, you must set `--new-bundle-format=true` when signing or verifying. The new bundle format is coupled with an internal restructuring of the verification logic, including the switch to the Trusted Root file. For users operating a private Sigstore instance, this means that the `--trusted-root` flag is now required for verification.
258262

259263
You can take existing signed material and make a new protobuf bundle with `cosign bundle create ...`.
260264

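Review bot: the added paragraph on lines 258+/259+ lists `sign-blob-attestation` as a command, which does not match the naming pattern the same paragraph uses for the container case (`attest` / `verify-attestation`, i.e. the signing side is an "attest" verb, not "sign-...-attestation"); please double-check the command name against `cosign --help` before this lands, since readers will copy it verbatim. Two smaller points in the same hunk: the `--trusted-root` sentence on line 261+ sits directly under the existing `SIGSTORE_ROOT_FILE` example in the hunk header context, so it would help to state whether that environment variable still has any effect when `--new-bundle-format=true` is set or whether `--trusted-root` fully replaces it for private instances; and "Javascript" on line 257+ should be "JavaScript".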