2.0.3 - cosign auth fix for container-image signing container-image template: cosign now does an explicit registry login before signing the pushed image. buildah and cosign use different auth conventions (podman auth.json vs docker config.json), so the buildah login from before_script was not visible to cosign. Bairn v0.5.0 hit this; the cli image was pushed unsigned. No template inputs change. Consumers on 2.0.2 can bump to 2.0.3 with no other edits.