Skip to content

chore(deps): update module github.com/sigstore/cosign/v2 to v2.6.0 #94

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update module github.com/sigstore/cosign/v2 to v2.6.0 #94

wants to merge 1 commit into from

Conversation

renovate-rancher[bot]
Copy link
Contributor

@renovate-rancher renovate-rancher bot commented Jul 18, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
github.com/sigstore/cosign/v2 require minor v2.5.2 -> v2.6.0

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

Release Notes

sigstore/cosign (github.com/sigstore/cosign/v2)

v2.6.0

Compare Source

v2.6.0 introduces a number of new features, including:

  • Signing an in-toto statement rather than Cosign constructing one from a predicate, along with verifying a statement's subject using a digest and digest algorithm rather than providing a file reference (#​4306)
  • Uploading a signature and its verification material (a "bundle") as an OCI Image 1.1 referring artifact, completing #​3927 (#​4316)
  • Providing service URLs for signing and attesting using a SigningConfig. Note that this is required when using a Rekor v2 instance (#​4319)

Example generation and verification of a signed in-toto statement:

cosign attest-blob --new-bundle-format=true --bundle="digest-key-test.sigstore.json" --key="cosign.key" --statement="../sigstore-go/examples/sigstore-go-signing/intoto.txt"
cosign verify-blob-attestation --bundle="digest-key-test.sigstore.json" --key=cosign.pub --type=unused --digest="b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9" --digestAlg="sha256"

Example container signing and verification using the new bundle format and referring artifacts:

cosign sign --new-bundle-format=true ghcr.io/user/alpine@sha256:a19367999603840546b8612572e338ec076c6d1f2fec61760a9e11410f546733
cosign verify --new-bundle-format=true ghcr.io/user/alpine@sha256:a19367999603840546b8612572e338ec076c6d1f2fec61760a9e11410f546733

Example usage of a signing config provided by the public good instance's TUF repository:

cosign sign-blob --use-signing-config --bundle sigstore.json README.md
cosign verify-blob --new-bundle-format --bundle sigstore.json --certificate-identity $EMAIL --certificate-oidc-issuer $ISSUER --use-signed-timestamps README.md

v2.6.0 leverages sigstore-go's signing and verification APIs gated behind these new flags. In an upcoming major release, we will be
updating Cosign to default to producing and consuming bundles to align with all other Sigstore SDKs.

Features

  • Add to attest-blob the ability to supply a complete in-toto statement, and add to verify-blob-attestation the ability to verify with just a digest (#​4306)
  • Have cosign sign support bundle format (#​4316)
  • Add support for SigningConfig for sign-blob/attest-blob, support Rekor v2 (#​4319)
  • Add support for SigningConfig in sign/attest (#​4371)
  • Support self-managed keys when signing with sigstore-go (#​4368)
  • Don't require timestamps when verifying with a key (#​4337)
  • Don't load content from TUF if trusted root path is specified (#​4347)
  • Add a terminal spinner while signing with sigstore-go (#​4402)
  • Require exclusively a SigningConfig or service URLs when signing (#​4403)
  • Remove SHA256 assumption in sign-blob/verify-blob (#​4050)
  • Bump sigstore-go, support alternative hash algorithms with keys (#​4386)

Breaking API Changes

  • sign.SignerFromKeyOpts no longer generates a key. Instead, it returns whether or not the client needs to generate a key, and if so, clients
    should call sign.KeylessSigner. This allows clients to more easily manage key generation.

Bug Fixes

  • Verify subject with bundle only when checking claims (#​4320)
  • Fixes to cosign sign / verify for the new bundle format (#​4346)

v2.5.3

Compare Source

Features

  • Add signing-config create command (#​4280)
  • Allow multiple services to be specified for trusted-root create (#​4285)
  • feat: Add OCI 1.1+ experimental support to tree (#​4205)
  • Add validity period end for trusted-root create (#​4271)

Bug Fixes

  • Fix cert verification logic for trusted-root/SCTs (#​4294)
  • force when copying the latest image to overwrite (#​4298)
  • avoid double-loading trustedroot from file (#​4264)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@renovate-rancher renovate-rancher
Copy link
Contributor Author

renovate-rancher bot commented Jul 18, 2025
edited
Loading

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 32 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24.0 -> 1.24.6
github.com/sigstore/rekor v1.3.10 -> v1.4.2
github.com/sigstore/sigstore v1.9.5 -> v1.9.6-0.20250729224751-181c5d3339b3
github.com/cenkalti/backoff/v5 v5.0.2 -> v5.0.3
github.com/emicklei/go-restful/v3 v3.11.0 -> v3.12.2
github.com/fxamacker/cbor/v2 v2.7.0 -> v2.9.0
github.com/go-jose/go-jose/v4 v4.0.5 -> v4.1.2
github.com/go-openapi/errors v0.22.1 -> v0.22.2
github.com/go-openapi/swag v0.23.1 -> v0.24.1
github.com/google/gnostic-models v0.6.9 -> v0.7.0
github.com/hashicorp/go-retryablehttp v0.7.7 -> v0.7.8
github.com/in-toto/attestation v1.1.1 -> v1.1.2
github.com/modern-go/reflect2 v1.0.2 -> v1.0.3-0.20250322232337-35a7c28c31ee
github.com/secure-systems-lab/go-securesystemslib v0.9.0 -> v0.9.1
github.com/sigstore/protobuf-specs v0.4.3 -> v0.5.0
github.com/sigstore/sigstore-go v1.0.0 -> v1.1.2
github.com/spf13/cobra v1.9.1 -> v1.10.1
github.com/spf13/pflag v1.0.6 -> v1.0.10
gitlab.com/gitlab-org/api/client-go v0.130.1 -> v0.143.3
golang.org/x/crypto v0.39.0 -> v0.42.0
golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 -> v0.0.0-20250620022241-b7579e27df2b
golang.org/x/mod v0.25.0 -> v0.28.0
golang.org/x/net v0.41.0 -> v0.43.0
golang.org/x/oauth2 v0.30.0 -> v0.31.0
golang.org/x/sync v0.15.0 -> v0.17.0
golang.org/x/sys v0.33.0 -> v0.36.0
k8s.io/api v0.33.1 -> v0.34.1
k8s.io/apimachinery v0.33.1 -> v0.34.1
k8s.io/client-go v0.33.1 -> v0.34.1
k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff -> v0.0.0-20250710124328-f3f2b991d03b
k8s.io/utils v0.0.0-20241210054802-24370beab758 -> v0.0.0-20250604170112-4c0f3b243397
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 -> v0.0.0-20241014173422-cfa47c3a1cc8
sigs.k8s.io/yaml v1.4.0 -> v1.6.0

@renovate-rancher renovate-rancher bot force-pushed the renovate/github.com-sigstore-cosign-v2-2.x branch from c7c8605 to e79dc82 Compare September 13, 2025 04:39
@renovate-rancher renovate-rancher bot changed the title chore(deps): update module github.com/sigstore/cosign/v2 to v2.5.3 chore(deps): update module github.com/sigstore/cosign/v2 to v2.6.0 Sep 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants