@renovate-rancher renovate-rancher bot commented Feb 10, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/sigstore/cosign/v2 | require | minor | v2.2.4 -> v2.4.3 |

Release Notes

sigstore/cosign (github.com/sigstore/cosign/v2)

v2.4.3

Features

  • Bump sigstore/sigstore to support KMS plugins (#​4073)
  • Enable fetching signatures without remote get. (#​4047)
  • Feat/file flag completion improvements (#​4028)
  • Update builder to use go1.23.6 (#​4052)

Bug Fixes

  • fix parsing error in --only for cosign copy (#​4049)

Cleanup

  • Refactor verifyNewBundle into library function (#​4013)
  • fix comment typo and imports order (#​4061)
  • sync comment with parameter name in function signature (#​4063)
  • sort properly Go imports (#​4071)

Contributors

  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Cody Soyland
  • Dmitry Savintsev
  • Hayden B
  • Tomasz Janiszewski
  • Ville Skyttä

v2.4.2

Features

  • Updated open-policy-agent to 1.1.0 library (#​4036)
    • Note that only Rego v0 policies are supported at this time
  • Add UseSignedTimestamps to CheckOpts, refactor TSA options (#​4006)
  • Add support for verifying root checksum in cosign initialize (#​3953)
  • Detect if user supplied a valid protobuf bundle (#​3931)
  • Add a log message if user doesn't provide --trusted-root (#​3933)
  • Support mTLS towards container registry (#​3922)
  • Add bundle create helper command (#​3901)
  • Add trusted-root create helper command (#​3876)

Bug Fixes

  • fix: set tls config while retaining other fields from default http transport (#​4007)
  • policy fuzzer: ignore known panics (#​3993)
  • Fix for multiple WithRemote options (#​3982)
  • Add nightly conformance test workflow (#​3979)
  • Fix copy --only for signatures + update/align docs (#​3904)

Documentation

  • Remove usage.md from spec, point to client spec (#​3918)
  • move reference from gcr to ghcr (#​3897)

Contributors

  • AdamKorcz
  • Aditya Sirish
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Cody Soyland
  • Colleen Murphy
  • Hayden B
  • Jussi Kukkonen
  • Marco Franssen
  • Nianyu Shen
  • Slavek Kabrda
  • Søren Juul
  • Warren Hodgkinson
  • Zach Steindler

v2.4.1

v2.4.1 largely contains bug fixes and updates dependencies.

Features

  • Added fuzzing coverage to multiple packages

Bug Fixes

  • Fix bug in attest-blob when using a timestamp authority with new bundles (#​3877)
  • fix: documentation link for installation guide (#​3884)

Contributors

  • AdamKorcz
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Hayden B
  • Hemil K
  • Sota Sugiura
  • Zach Steindler

v2.4.0

v2.4.0 begins the modernization of the Cosign client, which includes:

  • Support for the newer Sigstore specification-compliant bundle format
  • Support for providing trust roots (e.g. Fulcio certificates, Rekor keys)
    through a trust root file, instead of many different flags
  • Conformance test suite integration to verify signing and verification behavior

In future updates, we'll include:

  • General support for the trust root file, instead of only when using the bundle
    format during verification
  • Simplification of trust root flags and deprecation of the
    Cosign-specific bundle format
  • Bundle support with container signing

We have also moved nightly Cosign container builds to GHCR instead of GCR.

Features

  • Add new bundle support to verify-blob and verify-blob-attestation (#​3796)
  • Adding protobuf bundle support to sign-blob and attest-blob (#​3752)
  • Bump sigstore/sigstore to support email_verified as string or boolean (#​3819)
  • Conformance testing for cosign (#​3806)
  • move incremental builds per commit to GHCR instead of GCR (#​3808)
  • Add support for recording creation timestamp for cosign attest (#​3797)
  • Include SCT verification failure details in error message (#​3799)

Contributors

  • Bob Callaway
  • Hayden B
  • Slavek Kabrda
  • Zach Steindler
  • Zsolt Horvath

v2.3.0

Features

  • Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#​3693)
  • add registry options to cosign save (#​3645)
  • Add debug providers command. (#​3728)
  • Make config layers in ociremote mountable (#​3741)
  • upgrade to go1.22 (#​3739)
  • adds tsa cert chain check for env var or tuf targets. (#​3600)
  • add --ca-roots and --ca-intermediates flags to 'cosign verify' (#​3464)
  • add handling of keyless verification for all verify commands (#​3761)

Bug Fixes

  • fix: close attestationFile (#​3679)
  • Set bundleVerified to true after Rekor verification (Resolves #​3740) (#​3745)

Documentation

  • Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#​3776)

Testing

  • Refactor KMS E2E tests (#​3684)
  • Remove sign_blob_test.sh test (#​3707)
  • Remove KMS E2E test script (#​3702)
  • Refactor insecure registry E2E tests (#​3701)

Contributors

  • Billy Lynch
  • bminahan73
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Cody Soyland
  • Colleen Murphy
  • Dmitry Savintsev
  • guangwu
  • Hayden B
  • Hector Fernandez
  • ian hundere
  • Jason Power
  • Jon Johnson
  • Max Lambrecht
  • Meeki1l

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Renovate Bot.

renovate-rancher bot commented Feb 10, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 36 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

| Package | Change |
|---|---|
| go | 1.22.0 -> 1.23.4 |
| github.com/google/go-containerregistry | v0.19.1 -> v0.20.3 |
| github.com/sigstore/rekor | v1.3.6 -> v1.3.9 |
| github.com/sigstore/sigstore | v1.8.3 -> v1.8.15 |
| github.com/containerd/stargz-snapshotter/estargz | v0.14.3 -> v0.16.3 |
| github.com/docker/cli | v24.0.7+incompatible -> v27.5.0+incompatible |
| github.com/docker/docker-credential-helpers | v0.8.0 -> v0.8.2 |
| github.com/fsnotify/fsnotify | v1.7.0 -> v1.8.0 |
| github.com/go-logr/logr | v1.4.1 -> v1.4.2 |
| github.com/google/certificate-transparency-go | v1.1.8 -> v1.3.1 |
| github.com/klauspost/compress | v1.17.4 -> v1.17.11 |
| github.com/letsencrypt/boulder | v0.0.0-20231026200631-000cd05d5491 -> v0.0.0-20240620165639-de9c06129bec |
| github.com/magiconair/properties | v1.8.7 -> v1.8.9 |
| github.com/mitchellh/mapstructure | v1.5.0 -> v1.5.1-0.20231216201459-8508981c8b6c |
| github.com/pelletier/go-toml/v2 | v2.1.0 -> v2.2.3 |
| github.com/secure-systems-lab/go-securesystemslib | v0.8.0 -> v0.9.0 |
| github.com/spf13/cast | v1.6.0 -> v1.7.0 |
| github.com/spf13/cobra | v1.8.0 -> v1.9.1 |
| github.com/spf13/pflag | v1.0.5 -> v1.0.6 |
| github.com/spf13/viper | v1.18.2 -> v1.19.0 |
| github.com/vbatts/tar-split | v0.11.5 -> v0.11.6 |
| go.opentelemetry.io/otel | v1.24.0 -> v1.34.0 |
| go.opentelemetry.io/otel/metric | v1.24.0 -> v1.34.0 |
| go.opentelemetry.io/otel/trace | v1.24.0 -> v1.34.0 |
| golang.org/x/crypto | v0.31.0 -> v0.33.0 |
| golang.org/x/exp | v0.0.0-20231108232855-2478ac86f678 -> v0.0.0-20241108190413-2d47ceb2692f |
| golang.org/x/mod | v0.17.0 -> v0.22.0 |
| golang.org/x/net | v0.33.0 -> v0.35.0 |
| golang.org/x/oauth2 | v0.19.0 -> v0.26.0 |
| golang.org/x/sync | v0.10.0 -> v0.11.0 |
| golang.org/x/sys | v0.28.0 -> v0.30.0 |
| golang.org/x/term | v0.27.0 -> v0.29.0 |
| golang.org/x/text | v0.21.0 -> v0.22.0 |
| golang.org/x/time | v0.5.0 -> v0.10.0 |
| google.golang.org/protobuf | v1.33.0 -> v1.36.5 |
| k8s.io/klog/v2 | v2.120.1 -> v2.130.1 |
| k8s.io/utils | v0.0.0-20230726121419-3b25d923346b -> v0.0.0-20240502163921-fe8a2dddb1d0 |

@renovate-rancher renovate-rancher bot force-pushed the renovate/github.com-sigstore-cosign-v2-2.x branch from 8a19110 to 7489b0c February 20, 2025 04:36
@renovate-rancher renovate-rancher bot changed the title from "chore(deps): update module github.com/sigstore/cosign/v2 to v2.4.2" to "chore(deps): update module github.com/sigstore/cosign/v2 to v2.4.3" Feb 20, 2025
@renovate-rancher renovate-rancher bot force-pushed the renovate/github.com-sigstore-cosign-v2-2.x branch from 7489b0c to 541ea64 March 12, 2025 18:48
@holyspectral holyspectral merged commit 13a32bd into main Mar 12, 2025
2 of 3 checks passed
@holyspectral holyspectral deleted the renovate/github.com-sigstore-cosign-v2-2.x branch March 12, 2025 18:52