Upgrade: Bump github.com/sigstore/sigstore from 1.8.9 to 1.9.5

[dependabot]

Bumps github.com/sigstore/sigstore from 1.8.9 to 1.9.5.

Release notes

Sourced from github.com/sigstore/sigstore's releases.

v1.9.5

What's Changed

• Add context from opts to Azure signer in sigstore/sigstore#2070
• add RWMutex around providerMap to protect concurrent ops in sigstore/sigstore#2077

Full Changelog: sigstore/sigstore@v1.9.4...v1.9.5

v1.9.4

What's Changed

• Add a Name field to the TargetFile struct in sigstore/sigstore#2068
• Update to use Tink v2.3.0 API in sigstore/sigstore#2069

Full Changelog: sigstore/sigstore@v1.9.3...v1.9.4

v1.9.3

What's Changed

• add proto hash algorithm to registry by @​loosebazooka in sigstore/sigstore#2048

New Contributors

• @​loosebazooka made their first contribution in sigstore/sigstore#2048

Full Changelog: sigstore/sigstore@v1.9.2...v1.9.3

v1.9.2

What's Changed

• Add tink package by @​cmurphy in sigstore/sigstore#2024
• pkg/signature: add P384/P521 compatibility algo to algorithm registry by @​ret2libc in sigstore/sigstore#2037

New Contributors

• @​cmurphy made their first contribution in sigstore/sigstore#2024

Full Changelog: sigstore/sigstore@v1.9.1...v1.9.2

v1.9.1

What's Changed

• Implement default signing algorithms based on the key type by @​ret2libc in sigstore/sigstore#2014

Full Changelog: sigstore/sigstore@v1.9.0...v1.9.1

v1.9.0

What's Changed

• Update KMS policy for new plugin interface by @​haydentherapper in sigstore/sigstore#1987
• Update TUF root to latest v12 root by @​haydentherapper in sigstore/sigstore#1988
• build(deps): Bump github.com/go-jose/go-jose/v4 from 4.0.2 to 4.0.5 by @​dependabot in sigstore/sigstore#1994
• upgrade go-jose to v4 by @​cpanato in sigstore/sigstore#2000
• pkg/signature: expose Algorithm Details information by @​ret2libc in sigstore/sigstore#2001

... (truncated)

Commits

• 75efc00 build(deps): Bump localstack/localstack in /test/e2e in the all group (#2092)
• 32d462f build(deps): Bump the all group in /test/e2e with 3 updates (#2091)
• 007cd79 build(deps): Bump the all group in /test/e2e with 3 updates (#2074)
• bbd546b build(deps): Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#2087)
• 540126b build(deps): Bump google.golang.org/api in /pkg/signature/kms/gcp (#2088)
• 0996ba4 build(deps): Bump actions/dependency-review-action in the all group (#2085)
• 7eafe24 build(deps): Bump golang.org/x/oauth2 from 0.29.0 to 0.30.0 (#2081)
• d771343 build(deps): Bump golang.org/x/crypto in /pkg/signature/kms/azure (#2082)
• 1b0bd69 build(deps): Bump the all group with 2 updates (#2078)
• e2f3b71 build(deps): Bump google.golang.org/api in /pkg/signature/kms/gcp (#2084)
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[dryrunsecurity]

This pull request involves updating multiple dependencies in the go.sum file, which requires careful review to ensure no security risks or breaking changes are introduced during the version upgrades.

Dependency Version Update Risk in go.sum

Vulnerability	Dependency Version Update Risk
Description	Multiple dependencies were updated, which could potentially introduce new security risks. While no immediate vulnerabilities were detected, updates should be carefully reviewed for potential breaking changes or security implications.

genval/go.sum

Lines 7 to 14 in e035484

	cloud.google.com/go/auth v0.9.3/go.mod h1:7z6VY+7h3KUdRov5F1i8NDP5ZzWKYmEPO842BgCsmTk=
	cloud.google.com/go/auth/oauth2adapt v0.2.4 h1:0GWE/FUsXhf6C+jAkWgYm7X9tK8cuEIfy19DBn6B6bY=
	cloud.google.com/go/auth/oauth2adapt v0.2.4/go.mod h1:jC/jOpwFP6JBxhB3P5Rr0a9HLMC/Pe3eaL4NmdvqPtc=
	cloud.google.com/go/compute/metadata v0.6.0 h1:A6hENjEsCDtC1k8byVsgwvVcioamEHvZ4j01OwKxG9I=
	cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
	cloud.google.com/go/iam v1.2.0 h1:kZKMKVNk/IsSSc/udOb83K0hL/Yh/Gcqpz+oAkoIFN8=
	cloud.google.com/go/iam v1.2.0/go.mod h1:zITGuWgsLZxd8OwAlX+eMFgZDXzBm7icj1PVTYG766Q=
	cloud.google.com/go/kms v1.19.0 h1:x0OVJDl6UH1BSX4THKlMfdcFWoE4ruh90ZHuilZekrU=

---

All finding details can be found in the DryRun Security Dashboard.