[pull] main from sigstore:main#44

Open
pull[bot] wants to merge 268 commits into Reality2byte:main from sigstore:main

@pull pull Bot commented Aug 5, 2025

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.3)

Can you help keep this open source service alive? 💖 Please sponsor : )

@pull pull Bot locked and limited conversation to collaborators Aug 5, 2025
@pull pull Bot added the ⤵️ pull label Aug 5, 2025
Hayden and others added 28 commits August 14, 2025 10:07
This supports signing and verification with Rekor v2 with a
user-provided signing key. Timestamps will only be required for
verifying Fulcio certificates.

Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
Co-authored-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
That way cosign verify-attestation can work in offline environments.

Signed-off-by: Zach Steindler <steiza@github.com>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.246.0 to 0.247.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.246.0...v0.247.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.247.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.137.0 to 0.140.0.
- [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags)
- [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md)
- [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.137.0...v0.140.0)

---
updated-dependencies:
- dependency-name: gitlab.com/gitlab-org/api/client-go
  dependency-version: 0.140.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
One of the dependencies has hardcoded a specific version of Go, which
forces all clients to use that version of Go in their own modules. This
is unnecessarily restrictive; rather, libraries should specify the
minimum Go version necessary to build, and consumers should use the
latest patch release when building to pick up bug fixes.

Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
Bumps the actions group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions).


Updates `chainguard-dev/actions` from 1.4.9 to 1.4.10
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml)
- [Commits](chainguard-dev/actions@b1933e3...1df2b55)

---
updated-dependencies:
- dependency-name: chainguard-dev/actions
  dependency-version: 1.4.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gomod group with 4 updates: [github.com/sigstore/rekor-tiles](https://github.com/sigstore/rekor-tiles), [k8s.io/api](https://github.com/kubernetes/api), [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) and [k8s.io/client-go](https://github.com/kubernetes/client-go).


Updates `github.com/sigstore/rekor-tiles` from 0.1.7-0.20250624231741-98cd4a77300f to 0.1.9
- [Release notes](https://github.com/sigstore/rekor-tiles/releases)
- [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release)
- [Commits](https://github.com/sigstore/rekor-tiles/commits/v0.1.9)

Updates `k8s.io/api` from 0.33.3 to 0.33.4
- [Commits](kubernetes/api@v0.33.3...v0.33.4)

Updates `k8s.io/apimachinery` from 0.33.3 to 0.33.4
- [Commits](kubernetes/apimachinery@v0.33.3...v0.33.4)

Updates `k8s.io/client-go` from 0.33.3 to 0.33.4
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.33.3...v0.33.4)

---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor-tiles
  dependency-version: 0.1.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/api
  dependency-version: 0.33.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.33.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/client-go
  dependency-version: 0.33.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) from 2.3.0 to 2.4.0.
- [Release notes](https://github.com/go-viper/mapstructure/releases)
- [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md)
- [Commits](go-viper/mapstructure@v2.3.0...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/go-viper/mapstructure/v2
  dependency-version: 2.4.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
#4365)

Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.98.2 to 3.103.1.
- [Release notes](https://github.com/buildkite/agent/releases)
- [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md)
- [Commits](buildkite/agent@v3.98.2...v3.103.1)

---
updated-dependencies:
- dependency-name: github.com/buildkite/agent/v3
  dependency-version: 3.103.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gomod group with 1 update: google.golang.org/protobuf.


Updates `google.golang.org/protobuf` from 1.36.7 to 1.36.8

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-version: 1.36.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…4363)

Bumps [github.com/spiffe/go-spiffe/v2](https://github.com/spiffe/go-spiffe) from 2.5.0 to 2.6.0.
- [Release notes](https://github.com/spiffe/go-spiffe/releases)
- [Changelog](https://github.com/spiffe/go-spiffe/blob/main/CHANGELOG.md)
- [Commits](spiffe/go-spiffe@v2.5.0...v2.6.0)

---
updated-dependencies:
- dependency-name: github.com/spiffe/go-spiffe/v2
  dependency-version: 2.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 2 updates: [chainguard-dev/actions](https://github.com/chainguard-dev/actions) and [codecov/codecov-action](https://github.com/codecov/codecov-action).


Updates `chainguard-dev/actions` from 1.4.11 to 1.4.12
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml)
- [Commits](chainguard-dev/actions@de82dfd...be7b31a)

Updates `codecov/codecov-action` from 5.4.3 to 5.5.0
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@18283e0...fdcc847)

---
updated-dependencies:
- dependency-name: chainguard-dev/actions
  dependency-version: 1.4.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-version: 5.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…4362)

Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.10.0 to 1.11.0.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](stretchr/testify@v1.10.0...v1.11.0)

---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
  dependency-version: 1.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.140.0 to 0.142.1.
- [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags)
- [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md)
- [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.140.0...v0.142.1)

---
updated-dependencies:
- dependency-name: gitlab.com/gitlab-org/api/client-go
  dependency-version: 0.142.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.247.0 to 0.248.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.247.0...v0.248.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.248.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
The signing config will now be provided on the sign path to test Rekor
v2, along with the trusted root for verifying bundles on the sign path.

This also adds support for providing a trusted root with
sign-blob/attest-blob. Currently, you can either provide just the CT log
key or we'll fetch the trusted root from the initialized TUF repo. Since
we are providing the trusted root for staging during signing now, this
PR also lets the user provide the trusted root they'll use for verifying
during signing.

Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
When developing locally, with the e2e build tag set, there's an import
cycle. test/helpers.go imports "cmd/cosign/cli/verify", which imports
"test" in test files in the verify package. This change breaks the
import cycle by moving certificate utilities to an internal test
directory.

Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
* refactor: extract function to write referrer attestations

The only way that we can generate attestations is when we also produce
protobuf bundles. While we are working to use bundles by default from
the CLI, we should enable the cosign api to be used as a dependency to
also assist in migrating to the referrer's api from the tag-based
strategy.

Co-Authored-By: Gemini
Signed-off-by: arewm <arewm@users.noreply.github.com>

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED

* test: add test coverage for WriteReferrer functions

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: arewm <arewm@users.noreply.github.com>

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.33.4 to 0.34.0.
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.33.4...v0.34.0)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-version: 0.34.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gomod group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/sigstore/rekor](https://github.com/sigstore/rekor) | `1.4.0` | `1.4.1` |
| [github.com/sigstore/rekor-tiles](https://github.com/sigstore/rekor-tiles) | `0.1.9` | `0.1.10` |
| [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) | `1.9.5` | `1.9.6-0.20250729224751-181c5d3339b3` |
| [github.com/spf13/pflag](https://github.com/spf13/pflag) | `1.0.7` | `1.0.9` |
| [github.com/stretchr/testify](https://github.com/stretchr/testify) | `1.11.0` | `1.11.1` |
| [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) | `0.142.1` | `0.142.5` |


Updates `github.com/sigstore/rekor` from 1.4.0 to 1.4.1
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](sigstore/rekor@v1.4.0...v1.4.1)

Updates `github.com/sigstore/rekor-tiles` from 0.1.9 to 0.1.10
- [Release notes](https://github.com/sigstore/rekor-tiles/releases)
- [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release)
- [Commits](sigstore/rekor-tiles@v0.1.9...v0.1.10)

Updates `github.com/sigstore/sigstore` from 1.9.5 to 1.9.6-0.20250729224751-181c5d3339b3
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/commits)

Updates `github.com/spf13/pflag` from 1.0.7 to 1.0.9
- [Release notes](https://github.com/spf13/pflag/releases)
- [Commits](spf13/pflag@v1.0.7...v1.0.9)

Updates `github.com/stretchr/testify` from 1.11.0 to 1.11.1
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](stretchr/testify@v1.11.0...v1.11.1)

Updates `gitlab.com/gitlab-org/api/client-go` from 0.142.1 to 0.142.5
- [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags)
- [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md)
- [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.142.1...v0.142.5)

---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor
  dependency-version: 1.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/rekor-tiles
  dependency-version: 0.1.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore
  dependency-version: 1.9.6-0.20250729224751-181c5d3339b3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/spf13/pflag
  dependency-version: 1.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/stretchr/testify
  dependency-version: 1.11.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: gitlab.com/gitlab-org/api/client-go
  dependency-version: 0.142.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
)

Bumps [google-github-actions/auth](https://github.com/google-github-actions/auth) from 2.1.12 to 3.0.0.
- [Release notes](https://github.com/google-github-actions/auth/releases)
- [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md)
- [Commits](google-github-actions/auth@b7593ed...7c6bc77)

---
updated-dependencies:
- dependency-name: google-github-actions/auth
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.9.1 to 1.10.1.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](spf13/cobra@v1.9.1...v1.10.1)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-version: 1.10.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…m go.mod (#4369)

Signed-off-by: Carlos Panato <ctadeu@gmail.com>
#4379)

Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.7.1 to 1.8.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v1.7.1...v1.8.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Use sigstore/sigstore signature.LoadSignerVerifierFromPrivateKey to load default verifiers given a private key.

Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
…oup (#4385)

Bumps the gomod group with 1 update: [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go).


Updates `gitlab.com/gitlab-org/api/client-go` from 0.142.5 to 0.142.6
- [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags)
- [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md)
- [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.142.5...v0.142.6)

---
updated-dependencies:
- dependency-name: gitlab.com/gitlab-org/api/client-go
  dependency-version: 0.142.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Support self-managed keys when signing with sigstore-go

This creates a wrapper around the Keypair interface when a
SignerVerifier is provided for signing with KMS or any other provided
keys. This also retains support for --issue-certificate to request a
certificate for a managed key.

Fixes #4327

Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>

* Add issue-certificate flags to attest and attest-blob

This is for uniformity with sign/sign-blob.

Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>

* Refactor SignerFromKeyOpts to split Fulcio signer into its own method

Now, we can generate a SignerVerifier from a provided key without
mandating that we also request a Fulcio certificate when
"issue-certificate" is provided.

Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>

* Use default options to load key material

Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>

---------

Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
Hayden-IO and others added 30 commits March 10, 2026 11:08
Without this change, a certificate annotation for a signed container
that contains only whitespace will trigger a panic, because
LoadCertificatesFromPEM doesn't throw an error with an empty or
whitespace-only string.

Thanks to Ziyu Lin for reporting this.

Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
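
The failure mode described in the commit message above, as an added Go example (not cosign's code): `loadCertsFromPEM` is a hypothetical stand-in that, like the behaviour stated for LoadCertificatesFromPEM, returns no error for whitespace-only input. That the caller then indexes the first certificate is an assumption about how the panic arises; the certificate used for the positive case is constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var errNoCert = errors.New("certificate annotation contains no certificates")

// loadCertsFromPEM is a hypothetical stand-in for a lenient PEM loader: input
// without any PEM block (empty or whitespace-only) yields an empty slice and
// a nil error.
func loadCertsFromPEM(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for {
		var block *pem.Block
		block, data = pem.Decode(data)
		if block == nil {
			return certs, nil
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, cert)
	}
}

// leafUnchecked treats a nil error as proof that a certificate was parsed.
func leafUnchecked(annotation string) (*x509.Certificate, error) {
	certs, err := loadCertsFromPEM([]byte(annotation))
	if err != nil {
		return nil, err
	}
	return certs[0], nil // index out of range when the slice is empty
}

// leafChecked rejects blank annotations and empty parse results before indexing.
func leafChecked(annotation string) (*x509.Certificate, error) {
	if strings.TrimSpace(annotation) == "" {
		return nil, errNoCert
	}
	certs, err := loadCertsFromPEM([]byte(annotation))
	if err != nil {
		return nil, err
	}
	if len(certs) == 0 { // also covers PEM input holding only non-certificate blocks
		return nil, errNoCert
	}
	return certs[0], nil
}

// panicsOn reports whether f panics when given the annotation.
func panicsOn(f func(string) (*x509.Certificate, error), annotation string) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	_, _ = f(annotation)
	return false
}

// constructedCertPEM builds a throwaway self-signed certificate (sample data).
func constructedCertPEM() (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

func main() {
	for _, in := range []string{"", " \n\t "} {
		_, err := leafChecked(in)
		fmt.Printf("%q: unchecked panics=%v, checked err=%v\n", in, panicsOn(leafUnchecked, in), err)
	}
}
```
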
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.7.0 to 4.0.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@c94ce9f...b45d80f)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
Bumps [github.com/in-toto/in-toto-golang](https://github.com/in-toto/in-toto-golang) from 0.9.0 to 0.10.0.
- [Release notes](https://github.com/in-toto/in-toto-golang/releases)
- [Changelog](https://github.com/in-toto/in-toto-golang/blob/master/CHANGELOG.md)
- [Commits](in-toto/in-toto-golang@v0.9.0...v0.10.0)

---
updated-dependencies:
- dependency-name: github.com/in-toto/in-toto-golang
  dependency-version: 0.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
The update of in-toto-golang to 0.10.0 deprecated the Statement type
in favor of a protobuf-generated Statement type in the attestation
package. The types are not identical, so some translation is needed to
support arbitrarily typed predicates for some attestations.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
Bumps the actions group with 2 updates: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions).


Updates `sigstore/cosign-installer` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@faadad0...ba7bc0a)

Updates `chainguard-dev/actions` from 1.6.5 to 1.6.7
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Commits](chainguard-dev/actions@71714a7...5e84f02)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: chainguard-dev/actions
  dependency-version: 1.6.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.19.0 to 0.20.0.
- [Commits](golang/sync@v0.19.0...v0.20.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sync
  dependency-version: 0.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.13.2 to 1.14.1.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v1.13.2...v1.14.1)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.14.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps cuelang.org/go from 0.15.4 to 0.16.0.

---
updated-dependencies:
- dependency-name: cuelang.org/go
  dependency-version: 0.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…-login

Bumps [github.com/awslabs/amazon-ecr-credential-helper/ecr-login](https://github.com/awslabs/amazon-ecr-credential-helper) from 0.11.0 to 0.12.0.
- [Release notes](https://github.com/awslabs/amazon-ecr-credential-helper/releases)
- [Changelog](https://github.com/awslabs/amazon-ecr-credential-helper/blob/main/CHANGELOG.md)
- [Commits](awslabs/amazon-ecr-credential-helper@v0.11.0...v0.12.0)

---
updated-dependencies:
- dependency-name: github.com/awslabs/amazon-ecr-credential-helper/ecr-login
  dependency-version: 0.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the actions group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions).


Updates `chainguard-dev/actions` from 1.6.7 to 1.6.8
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Commits](chainguard-dev/actions@5e84f02...7440e20)

---
updated-dependencies:
- dependency-name: chainguard-dev/actions
  dependency-version: 1.6.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#4784)

Bumps the actions group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `4.1.0` | `4.1.1` |
| [actions/setup-go](https://github.com/actions/setup-go) | `6.3.0` | `6.4.0` |
| [actions/cache](https://github.com/actions/cache) | `5.0.3` | `5.0.4` |
| [chainguard-dev/actions](https://github.com/chainguard-dev/actions) | `1.6.8` | `1.6.11` |
| [mikefarah/yq](https://github.com/mikefarah/yq) | `4.52.4` | `4.52.5` |



Updates `sigstore/cosign-installer` from 4.1.0 to 4.1.1
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@ba7bc0a...cad07c2)

Updates `actions/setup-go` from 6.3.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@4b73464...4a36011)

Updates `actions/cache` from 5.0.3 to 5.0.4
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@cdf6c1f...6682284)

Updates `chainguard-dev/actions` from 1.6.8 to 1.6.11
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Commits](chainguard-dev/actions@7440e20...8bb24c2)

Updates `mikefarah/yq` from 4.52.4 to 4.52.5
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@5a7e72a...0f4fb8d)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: actions/setup-go
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: actions/cache
  dependency-version: 5.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: chainguard-dev/actions
  dependency-version: 1.6.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: mikefarah/yq
  dependency-version: 4.52.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Simon Josefsson <simon@josefsson.org>
The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI buffers are not guaranteed to be null-terminated or have extra padding, this results in reading one byte past the allocated heap buffer.

For more details see: https://www.cve.org/CVERecord?id=CVE-2026-1849

On-behalf-of: SAP <matthias.bruns@sap.com>

Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
…4789)

* chore(deps): bump the gomod group across 1 directory with 18 updates

Bumps the gomod group with 12 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) | `4.1.3` | `4.1.4` |
| [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) | `0.29.2` | `0.29.3` |
| [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.21.2` | `0.21.3` |
| [github.com/sigstore/rekor](https://github.com/sigstore/rekor) | `1.5.0` | `1.5.1` |
| [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) | `1.10.4` | `1.10.5` |
| [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) | `1.10.4` | `1.10.5` |
| [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) | `1.10.4` | `1.10.5` |
| [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) | `1.10.4` | `1.10.5` |
| [github.com/sigstore/sigstore/pkg/signature/kms/hashivault](https://github.com/sigstore/sigstore) | `1.10.4` | `1.10.5` |
| [k8s.io/api](https://github.com/kubernetes/api) | `0.35.2` | `0.35.3` |
| [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.35.2` | `0.35.3` |
| [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils) | `0.12.3` | `0.12.4` |



Updates `github.com/go-jose/go-jose/v4` from 4.1.3 to 4.1.4
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](go-jose/go-jose@v4.1.3...v4.1.4)

Updates `github.com/go-openapi/runtime` from 0.29.2 to 0.29.3
- [Release notes](https://github.com/go-openapi/runtime/releases)
- [Commits](go-openapi/runtime@v0.29.2...v0.29.3)

Updates `github.com/go-openapi/strfmt` from 0.25.0 to 0.26.0
- [Release notes](https://github.com/go-openapi/strfmt/releases)
- [Commits](go-openapi/strfmt@v0.25.0...v0.26.0)

Updates `github.com/google/go-containerregistry` from 0.21.2 to 0.21.3
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Commits](google/go-containerregistry@v0.21.2...v0.21.3)

Updates `github.com/sigstore/rekor` from 1.5.0 to 1.5.1
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](sigstore/rekor@v1.5.0...v1.5.1)

Updates `github.com/sigstore/sigstore` from 1.10.4 to 1.10.5
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.4...v1.10.5)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/aws` from 1.10.4 to 1.10.5
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.4...v1.10.5)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/azure` from 1.10.4 to 1.10.5
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.4...v1.10.5)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/gcp` from 1.10.4 to 1.10.5
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.4...v1.10.5)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/hashivault` from 1.10.4 to 1.10.5
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.4...v1.10.5)

Updates `golang.org/x/crypto` from 0.48.0 to 0.49.0
- [Commits](golang/crypto@v0.48.0...v0.49.0)

Updates `golang.org/x/oauth2` from 0.35.0 to 0.36.0
- [Commits](golang/oauth2@v0.35.0...v0.36.0)

Updates `golang.org/x/term` from 0.40.0 to 0.41.0
- [Commits](golang/term@v0.40.0...v0.41.0)

Updates `google.golang.org/api` from 0.267.0 to 0.269.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.267.0...v0.269.0)

Updates `k8s.io/api` from 0.35.2 to 0.35.3
- [Commits](kubernetes/api@v0.35.2...v0.35.3)

Updates `k8s.io/apimachinery` from 0.35.2 to 0.35.3
- [Commits](kubernetes/apimachinery@v0.35.2...v0.35.3)

Updates `k8s.io/client-go` from 0.35.2 to 0.35.3
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.35.2...v0.35.3)

Updates `sigs.k8s.io/release-utils` from 0.12.3 to 0.12.4
- [Release notes](https://github.com/kubernetes-sigs/release-utils/releases)
- [Commits](kubernetes-sigs/release-utils@v0.12.3...v0.12.4)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/runtime
  dependency-version: 0.29.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/strfmt
  dependency-version: 0.26.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: github.com/google/go-containerregistry
  dependency-version: 0.21.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/rekor
  dependency-version: 1.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore
  dependency-version: 1.10.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws
  dependency-version: 1.10.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure
  dependency-version: 1.10.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp
  dependency-version: 1.10.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/hashivault
  dependency-version: 1.10.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: golang.org/x/crypto
  dependency-version: 0.49.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: golang.org/x/term
  dependency-version: 0.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: google.golang.org/api
  dependency-version: 0.269.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: k8s.io/api
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/client-go
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: sigs.k8s.io/release-utils
  dependency-version: 0.12.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump grpc dependency due to vulnerability

Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 1.41.0 to 1.46.0.
- [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags)
- [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md)
- [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v1.41.0...v1.46.0)

---
updated-dependencies:
- dependency-name: gitlab.com/gitlab-org/api/client-go
  dependency-version: 1.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
AttestationToPayloadJSON parses the attestation and checks that the
predicate type matches the expected type provided by the user.
Previously, when this function was called for old-format bundles and
detached signatures, any error returned was silently ignored, so
malformed attestations would be accepted and cosign would report a
successful verification. For new-format bundles, this check was never
performed at all, so the attestation would be accepted even if it did not
match the type given by the user. This change ensures that errors are
handled correctly and that the check is performed for both paths.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
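
The fail-open pattern described in the commit message above, beside a fail-closed version. This is an added example, not cosign's code: `checkPredicateType`, `oldPathBefore`, `newPathBefore` and `verifyAfter` are hypothetical names, the statement is reduced to its `predicateType` field, and the sample inputs are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// checkPredicateType (hypothetical) returns the statement only if it parses and its predicateType is want.
func checkPredicateType(raw []byte, want string) ([]byte, error) {
	var st struct {
		PredicateType string `json:"predicateType"`
	}
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, fmt.Errorf("parsing statement: %w", err)
	}
	if st.PredicateType != want {
		return nil, fmt.Errorf("predicate type %q, want %q", st.PredicateType, want)
	}
	return raw, nil
}

// oldPathBefore models the old-format path before the fix: error discarded.
func oldPathBefore(raw []byte, want string) bool {
	_, _ = checkPredicateType(raw, want)
	return true
}

// newPathBefore models the new-format path before the fix: check never run.
func newPathBefore(_ []byte, _ string) bool { return true }

// verifyAfter models both paths after the fix: any error fails verification.
func verifyAfter(raw []byte, want string) bool {
	_, err := checkPredicateType(raw, want)
	return err == nil
}

// Constructed sample statements: matching type, wrong type, malformed JSON.
var samples = [][]byte{
	[]byte(`{"predicateType":"https://slsa.dev/provenance/v1"}`),
	[]byte(`{"predicateType":"https://spdx.dev/Document"}`),
	[]byte(`{"predicateType":`),
}

func main() {
	const want = "https://slsa.dev/provenance/v1"
	for _, b := range samples {
		fmt.Println(oldPathBefore(b, want), newPathBefore(b, want), verifyAfter(b, want))
	}
}
```

A regression test for this class of bug should feed the verifier a wrong-type and a malformed attestation on every input path and assert that each one is rejected.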
Signed-off-by: Kynson Szetau <46522440+Kynson@users.noreply.github.com>
This change refactors the signing path in all signing and attestation commands such that all signing events occur via sigstore-go, not just those in which a signing config is used.

Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
This change updates the bundle create command to prevent the user from enabling --ignore-tlog if the provided bundle contains a Signed Entry Timestamp (SET).

The presence of a SET in an old-format bundle indicates that there should be a corresponding Rekor entry, which should be fetched for the creation of a new-format bundle.

Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
LoadCmd was calling name.ParseReference without the name.Insecure
option, so --allow-http-registry had no effect: the command always
tried to connect over HTTPS regardless of the flag.

The RegistryOptions.NameOptions() helper already returns name.Insecure
when AllowHTTPRegistry is set; the load command simply wasn't calling
it, unlike the symmetric save, clean, and tree commands which do.

Pass opts.Registry.NameOptions()... to name.ParseReference so that
plain-HTTP registries are reachable when the flag is supplied.

Fixes #4134

Signed-off-by: Tommy <tommy@bejara.net>
Co-authored-by: Tommy <tommy@bejara.net>
…#4813)

* fix: honor --digestAlg when hashing a blob in verify-blob-attestation

verify-blob-attestation always hashed the artifact with SHA-256, so
attestations produced against other digest algorithms could not be
verified — npm provenance bundles, for example, use SHA-512. The
command already exposed --digestAlg but only honored it when both
--digest and --digestAlg were passed without a blob.

Thread --digestAlg through the artifact-hashing branch as well: when
set, parse it into a crypto.Hash and use it for the HashReader and
the Subject digest algorithm label; default stays SHA-256 for
backward compatibility. Invalid values are rejected up front with a
clear error.

Adds TestParseBlobHashAlgorithm covering sha256/sha384/sha512 plus
rejection of sha1, md5, empty, and upper-case inputs.

Fixes #4805

Signed-off-by: Ali <alliasgher123@gmail.com>

* verify-blob-attestation: use WithArtifact when artifact path is given

When a bundle is used and an artifact path is provided, pass the file
directly to sgverify.WithArtifact so sigstore-go can peek at the bundle
and select the correct hash algorithm automatically.  This removes the
need for the user to supply --digestAlg when verifying against a bundle.

The --digestAlg flag is still honored for the legacy (non-bundle)
verification path.

Fixes #4805

Signed-off-by: Ali <ali@kscope.ai>

---------

Signed-off-by: Ali <alliasgher123@gmail.com>
Signed-off-by: Ali <ali@kscope.ai>
…4840)

Bumps the gomod group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| cuelang.org/go | `0.16.0` | `0.16.1` |
| [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) | `0.29.3` | `0.29.4` |
| [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.21.3` | `0.21.5` |
| [github.com/sigstore/protobuf-specs](https://github.com/sigstore/protobuf-specs) | `0.5.0` | `0.5.1` |
| [github.com/sigstore/timestamp-authority/v2](https://github.com/sigstore/timestamp-authority) | `2.0.5` | `2.0.6` |



Updates `cuelang.org/go` from 0.16.0 to 0.16.1

Updates `github.com/go-openapi/runtime` from 0.29.3 to 0.29.4
- [Release notes](https://github.com/go-openapi/runtime/releases)
- [Commits](go-openapi/runtime@v0.29.3...v0.29.4)

Updates `github.com/go-openapi/strfmt` from 0.26.0 to 0.26.1
- [Release notes](https://github.com/go-openapi/strfmt/releases)
- [Commits](go-openapi/strfmt@v0.26.0...v0.26.1)

Updates `github.com/go-openapi/swag/conv` from 0.25.5 to 0.26.0
- [Release notes](https://github.com/go-openapi/swag/releases)
- [Commits](go-openapi/swag@v0.25.5...v0.26.0)

Updates `github.com/google/go-containerregistry` from 0.21.3 to 0.21.5
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Commits](google/go-containerregistry@v0.21.3...v0.21.5)

Updates `github.com/sigstore/protobuf-specs` from 0.5.0 to 0.5.1
- [Release notes](https://github.com/sigstore/protobuf-specs/releases)
- [Changelog](https://github.com/sigstore/protobuf-specs/blob/main/CHANGELOG.md)
- [Commits](sigstore/protobuf-specs@v0.5.0...v0.5.1)

Updates `github.com/sigstore/timestamp-authority/v2` from 2.0.5 to 2.0.6
- [Release notes](https://github.com/sigstore/timestamp-authority/releases)
- [Changelog](https://github.com/sigstore/timestamp-authority/blob/main/CHANGELOG.md)
- [Commits](sigstore/timestamp-authority@v2.0.5...v2.0.6)

Updates `golang.org/x/crypto` from 0.49.0 to 0.50.0
- [Commits](golang/crypto@v0.49.0...v0.50.0)

Updates `golang.org/x/term` from 0.41.0 to 0.42.0
- [Commits](golang/term@v0.41.0...v0.42.0)

Updates `google.golang.org/api` from 0.269.0 to 0.272.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.269.0...v0.272.0)

---
updated-dependencies:
- dependency-name: cuelang.org/go
  dependency-version: 0.16.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/runtime
  dependency-version: 0.29.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/strfmt
  dependency-version: 0.26.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/swag/conv
  dependency-version: 0.26.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: github.com/google/go-containerregistry
  dependency-version: 0.21.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/protobuf-specs
  dependency-version: 0.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/timestamp-authority/v2
  dependency-version: 2.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: golang.org/x/crypto
  dependency-version: 0.50.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: golang.org/x/term
  dependency-version: 0.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: google.golang.org/api
  dependency-version: 0.272.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---------

Signed-off-by: Eric Pickard <piceri@github.com>
cosign copy does not copy referring artifacts, so we'll use oras instead
as part of the build step.

Fixes #4818

Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
---------

Signed-off-by: Eric Pickard <piceri@github.com>
---------

Signed-off-by: Eric Pickard <piceri@github.com>