Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.243.0 to 0.244.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.243.0...v0.244.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.244.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…r v2 (#4319)

* Refactor fetching an ID token into its own package

  This will allow these functions to be reused by other parts of the codebase, and eventually we can move these into an external package for use by other libraries.

  Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>

* Add support for SigningConfig for sign-blob/attest-blob

  Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>

* Refactor identity token retrieval into its own method

  Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>

* Disallow self-managed keys with a signing config temporarily

  Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>

---------

Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
Co-authored-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
--------- Signed-off-by: Zach Steindler <steiza@github.com>
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@11bd719...08c6903) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 3 updates: [actions/cache](https://github.com/actions/cache), [sigstore/sigstore-conformance](https://github.com/sigstore/sigstore-conformance) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `actions/cache` from 4.2.3 to 4.2.4 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@5a3ec84...0400d5f) Updates `sigstore/sigstore-conformance` from 0.0.18 to 0.0.19 - [Release notes](https://github.com/sigstore/sigstore-conformance/releases) - [Commits](sigstore/sigstore-conformance@fd90e6b...a7ac671) Updates `chainguard-dev/actions` from 1.4.8 to 1.4.9 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@df684a7...b1933e3) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 4.2.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: sigstore/sigstore-conformance dependency-version: 0.0.19 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: chainguard-dev/actions dependency-version: 1.4.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/sigstore/sigstore-go](https://github.com/sigstore/sigstore-go) from 1.1.1-0.20250801180901-37e45ae9c250 to 1.1.1. - [Release notes](https://github.com/sigstore/sigstore-go/releases) - [Commits](https://github.com/sigstore/sigstore-go/commits/v1.1.1) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore-go dependency-version: 1.1.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gomod group with 4 updates: cuelang.org/go, [github.com/buildkite/agent/v3](https://github.com/buildkite/agent), google.golang.org/protobuf and [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils). Updates `cuelang.org/go` from 0.14.0 to 0.14.1 Updates `github.com/buildkite/agent/v3` from 3.103.0 to 3.103.1 - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](buildkite/agent@v3.103.0...v3.103.1) Updates `google.golang.org/protobuf` from 1.36.6 to 1.36.7 Updates `sigs.k8s.io/release-utils` from 0.12.0 to 0.12.1 - [Release notes](https://github.com/kubernetes-sigs/release-utils/releases) - [Commits](kubernetes-sigs/release-utils@v0.12.0...v0.12.1) --- updated-dependencies: - dependency-name: cuelang.org/go dependency-version: 0.14.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.103.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: google.golang.org/protobuf dependency-version: 1.36.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: sigs.k8s.io/release-utils dependency-version: 0.12.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.40.0 to 0.41.0. - [Commits](golang/crypto@v0.40.0...v0.41.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.41.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…4341) Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.0.5 to 4.1.2. - [Release notes](https://github.com/go-jose/go-jose/releases) - [Commits](go-jose/go-jose@v4.0.5...v4.1.2) --- updated-dependencies: - dependency-name: github.com/go-jose/go-jose/v4 dependency-version: 4.1.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Fixes to cosign sign / verify for the new bundle format

  Signed-off-by: Zach Steindler <steiza@github.com>

* Update function signature to pass crypto.PublicKey directly

  Signed-off-by: Zach Steindler <steiza@github.com>

---------

Signed-off-by: Zach Steindler <steiza@github.com>
This supports signing and verification with Rekor v2 with a user-provided signing key. Timestamps will only be required for verifying Fulcio certificates. Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com> Co-authored-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
That way cosign verify-attestation can work in offline environments. Signed-off-by: Zach Steindler <steiza@github.com>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.246.0 to 0.247.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.246.0...v0.247.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.247.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.137.0 to 0.140.0. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.137.0...v0.140.0) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.140.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
One of the dependencies has hardcoded a specific version of Go, which forces all clients to use that version of Go in their own modules. This is unnecessarily restrictive; rather, libraries should specify the minimum Go version necessary to build, and consumers should use the latest patch release when building to pick up bug fixes. Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
Bumps the actions group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `chainguard-dev/actions` from 1.4.9 to 1.4.10 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@b1933e3...1df2b55) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.4.10 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gomod group with 4 updates: [github.com/sigstore/rekor-tiles](https://github.com/sigstore/rekor-tiles), [k8s.io/api](https://github.com/kubernetes/api), [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) and [k8s.io/client-go](https://github.com/kubernetes/client-go). Updates `github.com/sigstore/rekor-tiles` from 0.1.7-0.20250624231741-98cd4a77300f to 0.1.9 - [Release notes](https://github.com/sigstore/rekor-tiles/releases) - [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release) - [Commits](https://github.com/sigstore/rekor-tiles/commits/v0.1.9) Updates `k8s.io/api` from 0.33.3 to 0.33.4 - [Commits](kubernetes/api@v0.33.3...v0.33.4) Updates `k8s.io/apimachinery` from 0.33.3 to 0.33.4 - [Commits](kubernetes/apimachinery@v0.33.3...v0.33.4) Updates `k8s.io/client-go` from 0.33.3 to 0.33.4 - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](kubernetes/client-go@v0.33.3...v0.33.4) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor-tiles dependency-version: 0.1.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: k8s.io/api dependency-version: 0.33.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: k8s.io/apimachinery dependency-version: 0.33.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: k8s.io/client-go dependency-version: 0.33.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) from 2.3.0 to 2.4.0. - [Release notes](https://github.com/go-viper/mapstructure/releases) - [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md) - [Commits](go-viper/mapstructure@v2.3.0...v2.4.0) --- updated-dependencies: - dependency-name: github.com/go-viper/mapstructure/v2 dependency-version: 2.4.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
#4365) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.98.2 to 3.103.1. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](buildkite/agent@v3.98.2...v3.103.1) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.103.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gomod group with 1 update: google.golang.org/protobuf. Updates `google.golang.org/protobuf` from 1.36.7 to 1.36.8 --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-version: 1.36.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…4363) Bumps [github.com/spiffe/go-spiffe/v2](https://github.com/spiffe/go-spiffe) from 2.5.0 to 2.6.0. - [Release notes](https://github.com/spiffe/go-spiffe/releases) - [Changelog](https://github.com/spiffe/go-spiffe/blob/main/CHANGELOG.md) - [Commits](spiffe/go-spiffe@v2.5.0...v2.6.0) --- updated-dependencies: - dependency-name: github.com/spiffe/go-spiffe/v2 dependency-version: 2.6.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 2 updates: [chainguard-dev/actions](https://github.com/chainguard-dev/actions) and [codecov/codecov-action](https://github.com/codecov/codecov-action). Updates `chainguard-dev/actions` from 1.4.11 to 1.4.12 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@de82dfd...be7b31a) Updates `codecov/codecov-action` from 5.4.3 to 5.5.0 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@18283e0...fdcc847) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.4.12 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: codecov/codecov-action dependency-version: 5.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…4362) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.10.0 to 1.11.0. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.10.0...v1.11.0) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-version: 1.11.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.140.0 to 0.142.1. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.140.0...v0.142.1) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.142.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.247.0 to 0.248.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.247.0...v0.248.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.248.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
This change improves the detection logic and bootstrap for GCE keyless signing by also supporting a standard environment variable and library used by GCP SDKs. The previous logic just looked for a file to figure out if it's on GCE or not, while this change adds to that by using a metadata server environment variable. This is useful in testing and provides the ability to acquire GCP id_tokens in various environments (off-the-shelf Kubernetes, using TPM (I know you can fulfill the latter directly)). Signed-off-by: sal rashid <salrashid123@gmail.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
* README: Move section

  Move the "What is not production ready?" section from "Quickstart" to "FAQ"

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

* README: Add section for troubleshooting

  The goal is to get the error messages documented for human readers, SEO and AI.

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

* Apply review suggestions

  * Remove obsolete section about "production readiness"
  * Add some details about supported versions
  * Also capitalize Cosign

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

---------

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6.0.0 to 7.0.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@b7c566a...bbbca2d) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the actions group with 2 updates: [actions/setup-go](https://github.com/actions/setup-go) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `actions/setup-go` from 6.2.0 to 6.3.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@7a3fe6c...4b73464) Updates `chainguard-dev/actions` from 1.6.4 to 1.6.5 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Commits](chainguard-dev/actions@eab208e...71714a7) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: chainguard-dev/actions dependency-version: 1.6.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/go-piv/piv-go/v2](https://github.com/go-piv/piv-go) from 2.4.0 to 2.5.0. - [Release notes](https://github.com/go-piv/piv-go/releases) - [Commits](go-piv/piv-go@v2.4.0...v2.5.0) --- updated-dependencies: - dependency-name: github.com/go-piv/piv-go/v2 dependency-version: 2.5.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Ogulcan Aydogan <ogulcanaydogan@hotmail.com>
Bumps the gomod group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/go-openapi/swag/conv](https://github.com/go-openapi/swag) | `0.25.4` | `0.25.5` |
| [github.com/google/certificate-transparency-go](https://github.com/google/certificate-transparency-go) | `1.3.2` | `1.3.3` |
| [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.21.0` | `0.21.2` |
| [github.com/sigstore/rekor-tiles/v2](https://github.com/sigstore/rekor-tiles) | `2.2.0` | `2.2.1` |
| [github.com/sigstore/timestamp-authority/v2](https://github.com/sigstore/timestamp-authority) | `2.0.4` | `2.0.5` |
| [k8s.io/api](https://github.com/kubernetes/api) | `0.35.1` | `0.35.2` |
| [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.35.1` | `0.35.2` |

Updates `github.com/go-openapi/swag/conv` from 0.25.4 to 0.25.5
- [Release notes](https://github.com/go-openapi/swag/releases)
- [Commits](go-openapi/swag@v0.25.4...v0.25.5)

Updates `github.com/google/certificate-transparency-go` from 1.3.2 to 1.3.3
- [Release notes](https://github.com/google/certificate-transparency-go/releases)
- [Changelog](https://github.com/google/certificate-transparency-go/blob/master/CHANGELOG.md)
- [Commits](google/certificate-transparency-go@v1.3.2...v1.3.3)

Updates `github.com/google/go-containerregistry` from 0.21.0 to 0.21.2
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Commits](google/go-containerregistry@v0.21.0...v0.21.2)

Updates `github.com/sigstore/rekor-tiles/v2` from 2.2.0 to 2.2.1
- [Release notes](https://github.com/sigstore/rekor-tiles/releases)
- [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/RELEASE.md)
- [Commits](sigstore/rekor-tiles@v2.2.0...v2.2.1)

Updates `github.com/sigstore/timestamp-authority/v2` from 2.0.4 to 2.0.5
- [Release notes](https://github.com/sigstore/timestamp-authority/releases)
- [Changelog](https://github.com/sigstore/timestamp-authority/blob/main/CHANGELOG.md)
- [Commits](sigstore/timestamp-authority@v2.0.4...v2.0.5)

Updates `k8s.io/api` from 0.35.1 to 0.35.2
- [Commits](kubernetes/api@v0.35.1...v0.35.2)

Updates `k8s.io/apimachinery` from 0.35.1 to 0.35.2
- [Commits](kubernetes/apimachinery@v0.35.1...v0.35.2)

Updates `k8s.io/client-go` from 0.35.1 to 0.35.2
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.35.1...v0.35.2)

---
updated-dependencies:
- dependency-name: github.com/go-openapi/swag/conv
  dependency-version: 0.25.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/google/certificate-transparency-go
  dependency-version: 1.3.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/google/go-containerregistry
  dependency-version: 0.21.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/rekor-tiles/v2
  dependency-version: 2.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/timestamp-authority/v2
  dependency-version: 2.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/api
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/client-go
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
…ity key (#4761) Fixes an error occurring when using a security key, such as a Yubikey or PKCS11 key, for signing. The SignerVerifier was wrapped in a SignerVerifierKeypair and the underlying SignerVerifier was closed before consuming the keypair to create the signature. This fix moves the deferred SignerVerifier.Close() call to the same function in which the sign method is called with the keypair. Signed-off-by: Petteri Pulkkinen <epelip@epelip.com>
…4765) Signed-off-by: Eric Pickard <piceri@github.com>
Without this change, a certificate annotation for a signed container that contains only whitespace will trigger a panic, because LoadCertificatesFromPEM doesn't throw an error with an empty or whitespace-only string. Thanks to Ziyu Lin for reporting this. Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.7.0 to 4.0.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@c94ce9f...b45d80f) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
Bumps [github.com/in-toto/in-toto-golang](https://github.com/in-toto/in-toto-golang) from 0.9.0 to 0.10.0. - [Release notes](https://github.com/in-toto/in-toto-golang/releases) - [Changelog](https://github.com/in-toto/in-toto-golang/blob/master/CHANGELOG.md) - [Commits](in-toto/in-toto-golang@v0.9.0...v0.10.0) --- updated-dependencies: - dependency-name: github.com/in-toto/in-toto-golang dependency-version: 0.10.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
The update of in-toto-golang to 0.10.0 deprecated the Statement type in favor of a protobuf-generated Statement type in the attestation package. The types are not identical, so some translation is needed to support arbitrarily typed predicates for some attestations. Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
Bumps the actions group with 2 updates: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `sigstore/cosign-installer` from 4.0.0 to 4.1.0 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@faadad0...ba7bc0a) Updates `chainguard-dev/actions` from 1.6.5 to 1.6.7 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Commits](chainguard-dev/actions@71714a7...5e84f02) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-version: 4.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: chainguard-dev/actions dependency-version: 1.6.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.19.0 to 0.20.0. - [Commits](golang/sync@v0.19.0...v0.20.0) --- updated-dependencies: - dependency-name: golang.org/x/sync dependency-version: 0.20.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.13.2 to 1.14.1. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](open-policy-agent/opa@v1.13.2...v1.14.1) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-version: 1.14.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps cuelang.org/go from 0.15.4 to 0.16.0. --- updated-dependencies: - dependency-name: cuelang.org/go dependency-version: 0.16.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
…-login Bumps [github.com/awslabs/amazon-ecr-credential-helper/ecr-login](https://github.com/awslabs/amazon-ecr-credential-helper) from 0.11.0 to 0.12.0. - [Release notes](https://github.com/awslabs/amazon-ecr-credential-helper/releases) - [Changelog](https://github.com/awslabs/amazon-ecr-credential-helper/blob/main/CHANGELOG.md) - [Commits](awslabs/amazon-ecr-credential-helper@v0.11.0...v0.12.0) --- updated-dependencies: - dependency-name: github.com/awslabs/amazon-ecr-credential-helper/ecr-login dependency-version: 0.12.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the actions group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `chainguard-dev/actions` from 1.6.7 to 1.6.8 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Commits](chainguard-dev/actions@5e84f02...7440e20) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.6.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#4784) Bumps the actions group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `4.1.0` | `4.1.1` |
| [actions/setup-go](https://github.com/actions/setup-go) | `6.3.0` | `6.4.0` |
| [actions/cache](https://github.com/actions/cache) | `5.0.3` | `5.0.4` |
| [chainguard-dev/actions](https://github.com/chainguard-dev/actions) | `1.6.8` | `1.6.11` |
| [mikefarah/yq](https://github.com/mikefarah/yq) | `4.52.4` | `4.52.5` |

Updates `sigstore/cosign-installer` from 4.1.0 to 4.1.1
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@ba7bc0a...cad07c2)

Updates `actions/setup-go` from 6.3.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@4b73464...4a36011)

Updates `actions/cache` from 5.0.3 to 5.0.4
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@cdf6c1f...6682284)

Updates `chainguard-dev/actions` from 1.6.8 to 1.6.11
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Commits](chainguard-dev/actions@7440e20...8bb24c2)

Updates `mikefarah/yq` from 4.52.4 to 4.52.5
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@5a7e72a...0f4fb8d)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: actions/setup-go
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: actions/cache
  dependency-version: 5.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: chainguard-dev/actions
  dependency-version: 1.6.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: mikefarah/yq
  dependency-version: 4.52.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Simon Josefsson <simon@josefsson.org>
The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI buffers are not guaranteed to be null-terminated or have extra padding, this results in reading one byte past the allocated heap buffer. For more details see: https://www.cve.org/CVERecord?id=CVE-2026-1849 On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
…4789)

* chore(deps): bump the gomod group across 1 directory with 18 updates

Bumps the gomod group with 12 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) | `4.1.3` | `4.1.4` |
| [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) | `0.29.2` | `0.29.3` |
| [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.21.2` | `0.21.3` |
| [github.com/sigstore/rekor](https://github.com/sigstore/rekor) | `1.5.0` | `1.5.1` |
| [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) | `1.10.4` | `1.10.5` |
| [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) | `1.10.4` | `1.10.5` |
| [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) | `1.10.4` | `1.10.5` |
| [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) | `1.10.4` | `1.10.5` |
| [github.com/sigstore/sigstore/pkg/signature/kms/hashivault](https://github.com/sigstore/sigstore) | `1.10.4` | `1.10.5` |
| [k8s.io/api](https://github.com/kubernetes/api) | `0.35.2` | `0.35.3` |
| [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.35.2` | `0.35.3` |
| [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils) | `0.12.3` | `0.12.4` |

Updates `github.com/go-jose/go-jose/v4` from 4.1.3 to 4.1.4
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](go-jose/go-jose@v4.1.3...v4.1.4)

Updates `github.com/go-openapi/runtime` from 0.29.2 to 0.29.3
- [Release notes](https://github.com/go-openapi/runtime/releases)
- [Commits](go-openapi/runtime@v0.29.2...v0.29.3)

Updates `github.com/go-openapi/strfmt` from 0.25.0 to 0.26.0
- [Release notes](https://github.com/go-openapi/strfmt/releases)
- [Commits](go-openapi/strfmt@v0.25.0...v0.26.0)

Updates `github.com/google/go-containerregistry` from 0.21.2 to 0.21.3
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Commits](google/go-containerregistry@v0.21.2...v0.21.3)

Updates `github.com/sigstore/rekor` from 1.5.0 to 1.5.1
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](sigstore/rekor@v1.5.0...v1.5.1)

Updates `github.com/sigstore/sigstore` from 1.10.4 to 1.10.5
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.4...v1.10.5)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/aws` from 1.10.4 to 1.10.5
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.4...v1.10.5)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/azure` from 1.10.4 to 1.10.5
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.4...v1.10.5)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/gcp` from 1.10.4 to 1.10.5
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.4...v1.10.5)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/hashivault` from 1.10.4 to 1.10.5
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.4...v1.10.5)

Updates `golang.org/x/crypto` from 0.48.0 to 0.49.0
- [Commits](golang/crypto@v0.48.0...v0.49.0)

Updates `golang.org/x/oauth2` from 0.35.0 to 0.36.0
- [Commits](golang/oauth2@v0.35.0...v0.36.0)

Updates `golang.org/x/term` from 0.40.0 to 0.41.0
- [Commits](golang/term@v0.40.0...v0.41.0)

Updates `google.golang.org/api` from 0.267.0 to 0.269.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.267.0...v0.269.0)

Updates `k8s.io/api` from 0.35.2 to 0.35.3
- [Commits](kubernetes/api@v0.35.2...v0.35.3)

Updates `k8s.io/apimachinery` from 0.35.2 to 0.35.3
- [Commits](kubernetes/apimachinery@v0.35.2...v0.35.3)

Updates `k8s.io/client-go` from 0.35.2 to 0.35.3
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.35.2...v0.35.3)

Updates `sigs.k8s.io/release-utils` from 0.12.3 to 0.12.4
- [Release notes](https://github.com/kubernetes-sigs/release-utils/releases)
- [Commits](kubernetes-sigs/release-utils@v0.12.3...v0.12.4)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/runtime
  dependency-version: 0.29.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/strfmt
  dependency-version: 0.26.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: github.com/google/go-containerregistry
  dependency-version: 0.21.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/rekor
  dependency-version: 1.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore
  dependency-version: 1.10.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws
  dependency-version: 1.10.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure
  dependency-version: 1.10.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp
  dependency-version: 1.10.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/hashivault
  dependency-version: 1.10.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: golang.org/x/crypto
  dependency-version: 0.49.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: golang.org/x/term
  dependency-version: 0.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: google.golang.org/api
  dependency-version: 0.269.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: k8s.io/api
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/client-go
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: sigs.k8s.io/release-utils
  dependency-version: 0.12.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump grpc dependency due to vulnerability

Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 1.41.0 to 1.46.0.
- [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags)
- [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md)
- [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v1.41.0...v1.46.0)

---
updated-dependencies:
- dependency-name: gitlab.com/gitlab-org/api/client-go
  dependency-version: 1.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
AttestationToPayloadJSON parses the attestation and checks that the predicate type matches the expected type provided by the user. Previously, when this function was called for old-format bundles and detached signatures, any error returned was silently ignored, so malformed attestations would be accepted and cosign would report a successful verification. For new-format bundles, this check was never performed at all, so the attestation would be accepted even if it did not match the type given by the user. This change ensures that errors are handled correctly and that the check is performed for both paths.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
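The failure mode the commit above describes, as an added example that is not cosign's own code: a predicate-type check whose error is discarded accepts a truncated attestation, while the same check with its error propagated rejects it. The statement type, function names and sample payloads are constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Minimal in-toto Statement shape with only the fields the check needs (constructed; not cosign's types).
type statement struct {
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

var errPredicateType = errors.New("predicate type mismatch")

// attestationToPayload parses an attestation and rejects it unless its predicateType equals the requested type.
func attestationToPayload(payload []byte, want string) (json.RawMessage, error) {
	var st statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return nil, fmt.Errorf("malformed attestation: %w", err)
	}
	if st.PredicateType != want {
		return nil, fmt.Errorf("%w: got %q, want %q", errPredicateType, st.PredicateType, want)
	}
	return st.Predicate, nil
}

// verifyIgnoringErr reproduces the pre-fix behaviour: the error is discarded, so verification always succeeds.
func verifyIgnoringErr(payload []byte, want string) bool {
	_, _ = attestationToPayload(payload, want)
	return true
}

// verifyChecked is the fixed behaviour: any parse or type error fails verification.
func verifyChecked(payload []byte, want string) (bool, error) {
	if _, err := attestationToPayload(payload, want); err != nil {
		return false, err
	}
	return true, nil
}

func main() {
	// Constructed samples: a truncated (malformed) statement and a valid SLSA provenance statement.
	bad := []byte(`{"predicateType":`)
	good := []byte(`{"predicateType":"https://slsa.dev/provenance/v1","predicate":{"buildType":"x"}}`)
	fmt.Println(verifyIgnoringErr(bad, "https://slsa.dev/provenance/v1")) // true: silently accepted
	fmt.Println(verifyChecked(bad, "https://slsa.dev/provenance/v1"))     // false, malformed attestation
	fmt.Println(verifyChecked(good, "https://spdx.dev/Document"))         // false, predicate type mismatch
}
```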
Signed-off-by: Kynson Szetau <46522440+Kynson@users.noreply.github.com>
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.3)