gh-trusted-builds-attestations

build: update module github.com/sigstore/cosign/v2 to v2.4.1

Open • renovate[bot] opened this issue 1 year ago • 1 comment

This PR contains the following updates:

Package: github.com/sigstore/cosign/v2
Change: v2.2.3 -> v2.4.1

Release Notes

sigstore/cosign (github.com/sigstore/cosign/v2)

v2.4.1


v2.4.1 largely contains bug fixes and updates dependencies.

Features

  • Added fuzzing coverage to multiple packages

Bug Fixes

  • Fix bug in attest-blob when using a timestamp authority with new bundles (#3877)
  • fix: documentation link for installation guide (#3884)

Contributors

  • AdamKorcz
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Hayden B
  • Hemil K
  • Sota Sugiura
  • Zach Steindler

v2.4.0


v2.4.0 begins the modernization of the Cosign client, which includes:

  • Support for the newer Sigstore specification-compliant bundle format
  • Support for providing trust roots (e.g. Fulcio certificates, Rekor keys) through a trust root file, instead of many different flags
  • Conformance test suite integration to verify signing and verification behavior

In future updates, we'll include:

  • General support for the trust root file, instead of only when using the bundle format during verification
  • Simplification of trust root flags and deprecation of the Cosign-specific bundle format
  • Bundle support with container signing

We have also moved nightly Cosign container builds to GHCR instead of GCR.

Features

  • Add new bundle support to verify-blob and verify-blob-attestation (#3796)
  • Adding protobuf bundle support to sign-blob and attest-blob (#3752)
  • Bump sigstore/sigstore to support email_verified as string or boolean (#3819)
  • Conformance testing for cosign (#3806)
  • move incremental builds per commit to GHCR instead of GCR (#3808)
  • Add support for recording creation timestamp for cosign attest (#3797)
  • Include SCT verification failure details in error message (#3799)

Contributors

  • Bob Callaway
  • Hayden B
  • Slavek Kabrda
  • Zach Steindler
  • Zsolt Horvath

v2.3.0


Features

  • Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#3693)
  • add registry options to cosign save (#3645)
  • Add debug providers command. (#3728)
  • Make config layers in ociremote mountable (#3741)
  • upgrade to go1.22 (#3739)
  • adds tsa cert chain check for env var or tuf targets. (#3600)
  • add --ca-roots and --ca-intermediates flags to 'cosign verify' (#3464)
  • add handling of keyless verification for all verify commands (#3761)

Bug Fixes

  • fix: close attestationFile (#3679)
  • Set bundleVerified to true after Rekor verification (Resolves #3740) (#3745)

Documentation

  • Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#3776)

Testing

  • Refactor KMS E2E tests (#3684)
  • Remove sign_blob_test.sh test (#3707)
  • Remove KMS E2E test script (#3702)
  • Refactor insecure registry E2E tests (#3701)

Contributors

  • Billy Lynch
  • bminahan73
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Cody Soyland
  • Colleen Murphy
  • Dmitry Savintsev
  • guangwu
  • Hayden B
  • Hector Fernandez
  • ian hundere
  • Jason Power
  • Jon Johnson
  • Max Lambrecht
  • Meeki1l

v2.2.4


Bug Fixes

  • Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
  • ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
  • fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
  • Honor creation timestamp for signatures again (#3549)

Features

  • Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)

Documentation

  • add oci bundle spec (#3622)
  • Correct help text of triangulate cmd (#3551)
  • Correct help text of verify-attestation policy argument (#3527)
  • feat: add OVHcloud MPR registry tested with cosign (#3639)

Testing

  • Refactor e2e-tests.yml workflow (#3627)
  • Clean up and clarify e2e scripts (#3628)
  • Don't ignore transparency log in tests if possible (#3528)
  • Make E2E tests hermetic (#3499)
  • add e2e test for pkcs11 token signing (#3495)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot] • Apr 10 '24 23:04

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 84 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.22.1 -> 1.23.2
github.com/google/go-containerregistry v0.19.0 -> v0.20.2
github.com/in-toto/attestation v1.0.1 -> v1.1.0
github.com/open-policy-agent/opa v0.62.1 -> v0.68.0
github.com/sigstore/rekor v1.3.5 -> v1.3.6
github.com/sigstore/sigstore v1.8.2 -> v1.8.9
github.com/spf13/cobra v1.8.0 -> v1.8.1
golang.org/x/oauth2 v0.18.0 -> v0.23.0
google.golang.org/protobuf v1.33.0 -> v1.34.2
cloud.google.com/go/compute/metadata v0.2.3 -> v0.5.0
github.com/Microsoft/go-winio v0.6.1 -> v0.6.2
github.com/aliyun/credentials-go v1.3.1 -> v1.3.2
github.com/aws/aws-sdk-go-v2 v1.24.1 -> v1.30.5
github.com/aws/aws-sdk-go-v2/config v1.26.6 -> v1.27.33
github.com/aws/aws-sdk-go-v2/credentials v1.16.16 -> v1.17.32
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 -> v1.16.13
github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 -> v1.3.17
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 -> v2.6.17
github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 -> v1.8.1
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 -> v1.11.4
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 -> v1.11.19
github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 -> v1.22.7
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 -> v1.26.7
github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 -> v1.30.7
github.com/aws/smithy-go v1.19.0 -> v1.20.4
github.com/buildkite/agent/v3 v3.62.0 -> v3.81.0
github.com/buildkite/go-pipeline v0.3.2 -> v0.13.1
github.com/buildkite/interpolate v0.0.0-20200526001904-07f35b4ae251 -> v0.1.3
github.com/cespare/xxhash/v2 v2.2.0 -> v2.3.0
github.com/coreos/go-oidc/v3 v3.9.0 -> v3.11.0
github.com/docker/cli v24.0.7+incompatible -> v27.1.1+incompatible
github.com/go-jose/go-jose/v3 v3.0.2 -> v3.0.3
github.com/go-logr/logr v1.4.1 -> v1.4.2
github.com/go-openapi/analysis v0.22.0 -> v0.23.0
github.com/go-openapi/errors v0.21.0 -> v0.22.0
github.com/go-openapi/jsonpointer v0.20.2 -> v0.21.0
github.com/go-openapi/jsonreference v0.20.4 -> v0.21.0
github.com/go-openapi/loads v0.21.5 -> v0.22.0
github.com/go-openapi/runtime v0.27.1 -> v0.28.0
github.com/go-openapi/spec v0.20.14 -> v0.21.0
github.com/go-openapi/strfmt v0.22.0 -> v0.23.0
github.com/go-openapi/swag v0.22.9 -> v0.23.0
github.com/go-openapi/validate v0.22.6 -> v0.24.0
github.com/golang/protobuf v1.5.3 -> v1.5.4
github.com/google/certificate-transparency-go v1.1.7 -> v1.2.1
github.com/google/s2a-go v0.1.7 -> v0.1.8
github.com/googleapis/enterprise-certificate-proxy v0.3.2 -> v0.3.3
github.com/hashicorp/go-retryablehttp v0.7.5 -> v0.7.7
github.com/klauspost/compress v1.17.2 -> v1.17.9
github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 -> v0.0.0-20240620165639-de9c06129bec
github.com/mozillazg/docker-credential-acr-helper v0.3.0 -> v0.4.0
github.com/oleiade/reflections v1.0.1 -> v1.1.0
github.com/opencontainers/image-spec v1.1.0-rc6 -> v1.1.0
github.com/pelletier/go-toml/v2 v2.1.0 -> v2.2.2
github.com/prometheus/client_golang v1.19.0 -> v1.20.2
github.com/prometheus/client_model v0.5.0 -> v0.6.1
github.com/prometheus/common v0.48.0 -> v0.55.0
github.com/prometheus/procfs v0.12.0 -> v0.15.1
github.com/sigstore/fulcio v1.4.3 -> v1.6.3
github.com/sigstore/timestamp-authority v1.2.1 -> v1.2.2
github.com/spf13/viper v1.18.2 -> v1.19.0
github.com/spiffe/go-spiffe/v2 v2.1.7 -> v2.3.0
github.com/xanzy/go-gitlab v0.96.0 -> v0.109.0
go.mongodb.org/mongo-driver v1.13.1 -> v1.14.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0 -> v0.54.0
go.opentelemetry.io/otel v1.22.0 -> v1.29.0
go.opentelemetry.io/otel/metric v1.22.0 -> v1.29.0
go.opentelemetry.io/otel/sdk v1.22.0 -> v1.29.0
go.opentelemetry.io/otel/trace v1.22.0 -> v1.29.0
go.step.sm/crypto v0.42.1 -> v0.51.2
go.uber.org/zap v1.26.0 -> v1.27.0
golang.org/x/crypto v0.21.0 -> v0.27.0
golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 -> v0.0.0-20240613232115-7f521ea00fb8
golang.org/x/mod v0.14.0 -> v0.20.0
golang.org/x/net v0.22.0 -> v0.28.0
golang.org/x/sync v0.6.0 -> v0.8.0
golang.org/x/sys v0.18.0 -> v0.25.0
golang.org/x/term v0.18.0 -> v0.24.0
golang.org/x/text v0.14.0 -> v0.18.0
golang.org/x/time v0.5.0 -> v0.6.0
google.golang.org/api v0.159.0 -> v0.196.0
google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 -> v0.0.0-20240903143218-8af14fe29dc1
k8s.io/klog/v2 v2.120.0 -> v2.120.1
k8s.io/utils v0.0.0-20230726121419-3b25d923346b -> v0.0.0-20240502163921-fe8a2dddb1d0
sigs.k8s.io/release-utils v0.7.7 -> v0.8.4

renovate[bot] • Jul 22 '24 19:07