
[Upstream Sync] Merge v3.0.6 into main #762

Open

securesign-upstream-sync[bot] wants to merge 317 commits into main from sync-upstream/main/v3.0.6


Conversation

@securesign-upstream-sync


Upstream Sync: v3.0.6 into main

Merges upstream sigstore/cosign@v3.0.6 into main.

Upstream Changes (317 commits)

Showing first 50 of 317 commits:

f1ad3ee9 Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6) (#4801)
2b396bdf chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4757)
eb5b1477 chore(deps): bump the gomod group across 1 directory with 18 updates (#4789)
fb66c28f fix(deps): CVE-2026-2303 / CVE-2026-2303 (#4764)
f3d74d48 Fix 'the' typo in copyright name (#4788)
f4766a94 chore(deps): bump the actions group across 1 directory with 5 updates (#4784)
4c9ba21b chore(deps): bump chainguard-dev/actions in the actions group (#4772)
af30fe6f chore(deps): bump github.com/awslabs/amazon-ecr-credential-helper/ecr-login
92084d83 chore(deps): bump cuelang.org/go from 0.15.4 to 0.16.0
43a96828 chore(deps): bump github.com/open-policy-agent/opa from 1.13.2 to 1.14.1
ff15dcf9 chore(deps): bump golang.org/x/sync from 0.19.0 to 0.20.0
d97615db chore(deps): bump the actions group with 2 updates
dd9e8234 Fix linter errors for in-toto-golang update
9fce8f96 chore(deps): bump github.com/in-toto/in-toto-golang from 0.9.0 to 0.10.0
b9fc665c Add tests for attestation.GenerateStatement
75a39423 chore(deps): bump docker/login-action from 3.7.0 to 4.0.0 (#4759)
a09afa97 Handle whitespace-only certificate annotation (#4760)
1d2038c2 remove managed key related xfails from conformance nightly workflow (#4765)
5a38a6d3 fix(sign): closing SignerVerifier too early when signing with a security key (#4761)
2290a593 Disallow --new-bundle-format and --rfc3161-timestamp (#4762)
36f40082 support managed keys in conformance testing (#4728)
f4a0894d chore(deps): bump the gomod group across 1 directory with 8 updates
efbdae1b docs(changelog): fix sigstore URL scheme in release notes (#4740)
b739a4ea chore(deps): bump github.com/go-piv/piv-go/v2 from 2.4.0 to 2.5.0
71038713 chore(deps): bump the actions group with 2 updates
f756cae9 chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0
01e227a7 Readme add troubleshooting section (#4724)
952a0ac4 Update e2e tests to use scaffolding containers (#4548)
3274cf98 Add support for GCE metadata server env var (#4732)
8bce2dc8 chore(deps): bump gitlab.com/gitlab-org/api/client-go
bb36c324 chore(deps): bump github.com/google/go-containerregistry
1624be94 chore(deps): bump github.com/open-policy-agent/opa from 1.12.3 to 1.13.2
85fd99a1 (fix): Fix necessary linter issues from gosec,errcheck and static check (#4726)
2e9754aa fix: preserve per-layer annotations in WriteAttestationsReferrer (#4709)
dece2753 Fix parsing of in-toto for string predicates
bd4f0fde Mark batch of flags for deprecation (#4698)
9b259ff6 disallow key and cert identity being used together during verification (#4636)
95eb1c31 support key creation in GitLab group (#4704)
0d0474ab chore(deps): bump chainguard-dev/actions in the actions group (#4720)
ee1d1738 chore(deps): bump github.com/buildkite/agent/v3 from 3.115.4 to 3.116.0 (#4678)
843cf7c2 docs: add keyless verify-blob identity/issuer example (#4710)
1d7f6116 Update changelog for v3.0.5 (#4713)
479147a4 chore(deps): bump google.golang.org/api from 0.260.0 to 0.264.0 (#4679)
e0ba0c99 chore(deps): bump github.com/sigstore/rekor-tiles/v2 from 2.0.1 to 2.1.0 (#4670)
db5ab217 chore(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 (#4712)
66342587 chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4680)
02edc597 chore(deps): bump the gomod group across 1 directory with 4 updates (#4702)
3dd16b8c chore(deps): bump the actions group with 3 updates (#4703)
b7fd27da update golang builder to use go1.25.7 (#4687)
8f1cd80e update golangci-lint to v2.8.x (#4688)

⚠️ Unresolved conflicts

The following files need manual resolution:

  • .github/workflows/build.yaml
  • .github/workflows/golangci-lint.yml
  • .github/workflows/validate-release.yml
  • .github/workflows/whitespace.yaml
  • .golangci.yml
  • cmd/conformance/main.go
  • cmd/cosign/cli/attest.go
  • cmd/cosign/cli/attest_blob.go
  • cmd/cosign/cli/options/attest.go
  • cmd/cosign/cli/options/attest_blob.go
  • cmd/cosign/cli/options/signblob.go
  • cmd/cosign/cli/options/trustedroot.go
  • cmd/cosign/cli/options/verify.go
  • cmd/cosign/cli/sign.go
  • cmd/cosign/cli/sign/sign.go
  • cmd/cosign/cli/sign/sign_blob.go
  • cmd/cosign/cli/sign/sign_test.go
  • cmd/cosign/cli/signblob.go
  • cmd/cosign/cli/trustedroot/trustedroot.go
  • cmd/cosign/cli/trustedroot/trustedroot_test.go
  • cmd/cosign/cli/verify/verify.go
  • cmd/cosign/cli/verify/verify_attestation.go
  • cmd/cosign/errors/exit_code_lookup_test.go
  • pkg/cosign/tlog.go
  • pkg/cosign/verify.go
  • pkg/cosign/verify_bundle_test.go
  • pkg/cosign/verify_test.go
  • pkg/oci/remote/write.go
  • pkg/oci/remote/write_test.go
  • pkg/providers/google/google.go
  • release/cloudbuild.yaml
  • test/e2e_attach_test.go
  • test/e2e_test.go
  • test/e2e_test.sh
  • test/fakeoidc/go.mod
  • test/fakeoidc/go.sum

Resolve locally

git fetch origin
git checkout sync-upstream/main/v3.0.6
git merge origin/main

# Auto-resolve Dockerfiles, go.mod, and workflow version bumps
go install github.com/securesign/actions/sync-upstream/resolve-conflicts@main
resolve-conflicts all

# Take upstream content
git checkout --ours CHANGELOG.md && git add CHANGELOG.md
git checkout --ours doc/cosign_attest-blob.md && git add doc/cosign_attest-blob.md
git checkout --ours doc/cosign_sign-blob.md && git add doc/cosign_sign-blob.md
git checkout --ours doc/cosign_trusted-root_create.md && git add doc/cosign_trusted-root_create.md

# Resolve remaining conflicts manually
# .github/workflows/build.yaml
# .github/workflows/golangci-lint.yml
# .github/workflows/validate-release.yml
# .github/workflows/whitespace.yaml
# .golangci.yml
# cmd/conformance/main.go
# cmd/cosign/cli/attest.go
# cmd/cosign/cli/attest_blob.go
# cmd/cosign/cli/options/attest.go
# cmd/cosign/cli/options/attest_blob.go
# cmd/cosign/cli/options/signblob.go
# cmd/cosign/cli/options/trustedroot.go
# cmd/cosign/cli/options/verify.go
# cmd/cosign/cli/sign.go
# cmd/cosign/cli/sign/sign.go
# cmd/cosign/cli/sign/sign_blob.go
# cmd/cosign/cli/sign/sign_test.go
# cmd/cosign/cli/signblob.go
# cmd/cosign/cli/trustedroot/trustedroot.go
# cmd/cosign/cli/trustedroot/trustedroot_test.go
# cmd/cosign/cli/verify/verify.go
# cmd/cosign/cli/verify/verify_attestation.go
# cmd/cosign/errors/exit_code_lookup_test.go
# pkg/cosign/tlog.go
# pkg/cosign/verify.go
# pkg/cosign/verify_bundle_test.go
# pkg/cosign/verify_test.go
# pkg/oci/remote/write.go
# pkg/oci/remote/write_test.go
# pkg/providers/google/google.go
# release/cloudbuild.yaml
# test/e2e_attach_test.go
# test/e2e_test.go
# test/e2e_test.sh
# test/fakeoidc/go.mod
# test/fakeoidc/go.sum

git add -A && git commit
git push origin sync-upstream/main/v3.0.6

Generated by Sync Upstream action

Hayden and others added 30 commits August 7, 2025 10:40
Also needed to bump grpc-gcp-go to fix an incompatibility with the
latest googleapis library

Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
…tore#4326)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.243.0 to 0.244.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.243.0...v0.244.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.244.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…r v2 (sigstore#4319)

* Refactor fetching an ID token into its own package

This will allow these functions to be reused by other parts of the
codebase, and eventually we can move these into an external package for
use by other libraries.

Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>

* Add support for SigningConfig for sign-blob/attest-blob

Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>

* Refactor identity token retrieval into its own method

Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>

* Disallow self-managed keys with a signing config temporarily

Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>

---------

Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
Co-authored-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
---------

Signed-off-by: Zach Steindler <steiza@github.com>
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@11bd719...08c6903)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 3 updates: [actions/cache](https://github.com/actions/cache), [sigstore/sigstore-conformance](https://github.com/sigstore/sigstore-conformance) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions).


Updates `actions/cache` from 4.2.3 to 4.2.4
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@5a3ec84...0400d5f)

Updates `sigstore/sigstore-conformance` from 0.0.18 to 0.0.19
- [Release notes](https://github.com/sigstore/sigstore-conformance/releases)
- [Commits](sigstore/sigstore-conformance@fd90e6b...a7ac671)

Updates `chainguard-dev/actions` from 1.4.8 to 1.4.9
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml)
- [Commits](chainguard-dev/actions@df684a7...b1933e3)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 4.2.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: sigstore/sigstore-conformance
  dependency-version: 0.0.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: chainguard-dev/actions
  dependency-version: 1.4.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/sigstore/sigstore-go](https://github.com/sigstore/sigstore-go) from 1.1.1-0.20250801180901-37e45ae9c250 to 1.1.1.
- [Release notes](https://github.com/sigstore/sigstore-go/releases)
- [Commits](https://github.com/sigstore/sigstore-go/commits/v1.1.1)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore-go
  dependency-version: 1.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gomod group with 4 updates: cuelang.org/go, [github.com/buildkite/agent/v3](https://github.com/buildkite/agent), google.golang.org/protobuf and [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils).


Updates `cuelang.org/go` from 0.14.0 to 0.14.1

Updates `github.com/buildkite/agent/v3` from 3.103.0 to 3.103.1
- [Release notes](https://github.com/buildkite/agent/releases)
- [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md)
- [Commits](buildkite/agent@v3.103.0...v3.103.1)

Updates `google.golang.org/protobuf` from 1.36.6 to 1.36.7

Updates `sigs.k8s.io/release-utils` from 0.12.0 to 0.12.1
- [Release notes](https://github.com/kubernetes-sigs/release-utils/releases)
- [Commits](kubernetes-sigs/release-utils@v0.12.0...v0.12.1)

---
updated-dependencies:
- dependency-name: cuelang.org/go
  dependency-version: 0.14.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/buildkite/agent/v3
  dependency-version: 3.103.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: google.golang.org/protobuf
  dependency-version: 1.36.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: sigs.k8s.io/release-utils
  dependency-version: 0.12.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#4339)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.40.0 to 0.41.0.
- [Commits](golang/crypto@v0.40.0...v0.41.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…igstore#4341)

Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.0.5 to 4.1.2.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](go-jose/go-jose@v4.0.5...v4.1.2)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Fixes to cosign sign / verify for the new bundle format

Signed-off-by: Zach Steindler <steiza@github.com>

* Update function signature to pass crypto.PublicKey directly

Signed-off-by: Zach Steindler <steiza@github.com>

---------

Signed-off-by: Zach Steindler <steiza@github.com>
This supports signing and verification with Rekor v2 with a
user-provided signing key. Timestamps will only be required for
verifying Fulcio certificates.

Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
Co-authored-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
…re#4347)

That way cosign verify-attestation can work in offline environments.

Signed-off-by: Zach Steindler <steiza@github.com>
…tore#4353)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.246.0 to 0.247.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.246.0...v0.247.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.247.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.137.0 to 0.140.0.
- [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags)
- [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md)
- [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.137.0...v0.140.0)

---
updated-dependencies:
- dependency-name: gitlab.com/gitlab-org/api/client-go
  dependency-version: 0.140.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
One of the dependencies has hardcoded a specific version of Go, which
forces all clients to use that version of Go in their own modules. This
is unnecessarily restrictive; rather, libraries should specify the
minimum Go version necessary to build, and consumers should use the
latest patch release when building to pick up bug fixes.

Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
…re#4349)

Bumps the actions group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions).


Updates `chainguard-dev/actions` from 1.4.9 to 1.4.10
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml)
- [Commits](chainguard-dev/actions@b1933e3...1df2b55)

---
updated-dependencies:
- dependency-name: chainguard-dev/actions
  dependency-version: 1.4.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gomod group with 4 updates: [github.com/sigstore/rekor-tiles](https://github.com/sigstore/rekor-tiles), [k8s.io/api](https://github.com/kubernetes/api), [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) and [k8s.io/client-go](https://github.com/kubernetes/client-go).


Updates `github.com/sigstore/rekor-tiles` from 0.1.7-0.20250624231741-98cd4a77300f to 0.1.9
- [Release notes](https://github.com/sigstore/rekor-tiles/releases)
- [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release)
- [Commits](https://github.com/sigstore/rekor-tiles/commits/v0.1.9)

Updates `k8s.io/api` from 0.33.3 to 0.33.4
- [Commits](kubernetes/api@v0.33.3...v0.33.4)

Updates `k8s.io/apimachinery` from 0.33.3 to 0.33.4
- [Commits](kubernetes/apimachinery@v0.33.3...v0.33.4)

Updates `k8s.io/client-go` from 0.33.3 to 0.33.4
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.33.3...v0.33.4)

---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor-tiles
  dependency-version: 0.1.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/api
  dependency-version: 0.33.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.33.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/client-go
  dependency-version: 0.33.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) from 2.3.0 to 2.4.0.
- [Release notes](https://github.com/go-viper/mapstructure/releases)
- [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md)
- [Commits](go-viper/mapstructure@v2.3.0...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/go-viper/mapstructure/v2
  dependency-version: 2.4.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
sigstore#4365)

Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.98.2 to 3.103.1.
- [Release notes](https://github.com/buildkite/agent/releases)
- [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md)
- [Commits](buildkite/agent@v3.98.2...v3.103.1)

---
updated-dependencies:
- dependency-name: github.com/buildkite/agent/v3
  dependency-version: 3.103.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…tore#4364)

Bumps the gomod group with 1 update: google.golang.org/protobuf.


Updates `google.golang.org/protobuf` from 1.36.7 to 1.36.8

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-version: 1.36.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…igstore#4363)

Bumps [github.com/spiffe/go-spiffe/v2](https://github.com/spiffe/go-spiffe) from 2.5.0 to 2.6.0.
- [Release notes](https://github.com/spiffe/go-spiffe/releases)
- [Changelog](https://github.com/spiffe/go-spiffe/blob/main/CHANGELOG.md)
- [Commits](spiffe/go-spiffe@v2.5.0...v2.6.0)

---
updated-dependencies:
- dependency-name: github.com/spiffe/go-spiffe/v2
  dependency-version: 2.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 2 updates: [chainguard-dev/actions](https://github.com/chainguard-dev/actions) and [codecov/codecov-action](https://github.com/codecov/codecov-action).


Updates `chainguard-dev/actions` from 1.4.11 to 1.4.12
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml)
- [Commits](chainguard-dev/actions@de82dfd...be7b31a)

Updates `codecov/codecov-action` from 5.4.3 to 5.5.0
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@18283e0...fdcc847)

---
updated-dependencies:
- dependency-name: chainguard-dev/actions
  dependency-version: 1.4.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-version: 5.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…igstore#4362)

Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.10.0 to 1.11.0.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](stretchr/testify@v1.10.0...v1.11.0)

---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
  dependency-version: 1.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.140.0 to 0.142.1.
- [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags)
- [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md)
- [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.140.0...v0.142.1)

---
updated-dependencies:
- dependency-name: gitlab.com/gitlab-org/api/client-go
  dependency-version: 0.142.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…tore#4359)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.247.0 to 0.248.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.247.0...v0.248.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.248.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
The signing config will now be provided on the sign path to test Rekor
v2, along with the trusted root for verifying bundles on the sign path.

This also adds support for providing a trusted root with
sign-blob/attest-blob. Currently, you can either provide just the CT log
key or we'll fetch the trusted root from the initialized TUF repo. Since
we are providing the trusted root for staging during signing now, this
PR also lets the user provide the trusted root they'll use for verifying
during signing.

Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
salrashid123 and others added 29 commits March 3, 2026 01:13
This change improves the detection logic and bootstrap for GCE keyless signing by also supporting a standard environment variable and library used by GCP SDKs.

The previous logic just looked for a file to figure out whether it's on GCE or not, while this change adds to that by using a metadata server environment variable.

This is useful in testing and provides the ability to acquire GCP id_tokens in various environments (off-the-shelf Kubernetes, using a TPM; I know you can fulfill the latter directly).

Signed-off-by: sal rashid <salrashid123@gmail.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
* README: Move section

Move the "What is not production ready?" section from "Quickstart" to "FAQ"

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

* README: Add section for troubleshooting

The goal is to get the error messages documented for
human readers, SEO and AI.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

* Apply review suggestions

* Remove obsolete section about "production readiness"
* Add some details about supported versions
* Also capitalize Cosign

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

---------

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6.0.0 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@b7c566a...bbbca2d)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the actions group with 2 updates: [actions/setup-go](https://github.com/actions/setup-go) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions).


Updates `actions/setup-go` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@7a3fe6c...4b73464)

Updates `chainguard-dev/actions` from 1.6.4 to 1.6.5
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Commits](chainguard-dev/actions@eab208e...71714a7)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: chainguard-dev/actions
  dependency-version: 1.6.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/go-piv/piv-go/v2](https://github.com/go-piv/piv-go) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/go-piv/piv-go/releases)
- [Commits](go-piv/piv-go@v2.4.0...v2.5.0)

---
updated-dependencies:
- dependency-name: github.com/go-piv/piv-go/v2
  dependency-version: 2.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
)

Signed-off-by: Ogulcan Aydogan <ogulcanaydogan@hotmail.com>
Bumps the gomod group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/go-openapi/swag/conv](https://github.com/go-openapi/swag) | `0.25.4` | `0.25.5` |
| [github.com/google/certificate-transparency-go](https://github.com/google/certificate-transparency-go) | `1.3.2` | `1.3.3` |
| [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.21.0` | `0.21.2` |
| [github.com/sigstore/rekor-tiles/v2](https://github.com/sigstore/rekor-tiles) | `2.2.0` | `2.2.1` |
| [github.com/sigstore/timestamp-authority/v2](https://github.com/sigstore/timestamp-authority) | `2.0.4` | `2.0.5` |
| [k8s.io/api](https://github.com/kubernetes/api) | `0.35.1` | `0.35.2` |
| [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.35.1` | `0.35.2` |



Updates `github.com/go-openapi/swag/conv` from 0.25.4 to 0.25.5
- [Release notes](https://github.com/go-openapi/swag/releases)
- [Commits](go-openapi/swag@v0.25.4...v0.25.5)

Updates `github.com/google/certificate-transparency-go` from 1.3.2 to 1.3.3
- [Release notes](https://github.com/google/certificate-transparency-go/releases)
- [Changelog](https://github.com/google/certificate-transparency-go/blob/master/CHANGELOG.md)
- [Commits](google/certificate-transparency-go@v1.3.2...v1.3.3)

Updates `github.com/google/go-containerregistry` from 0.21.0 to 0.21.2
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Commits](google/go-containerregistry@v0.21.0...v0.21.2)

Updates `github.com/sigstore/rekor-tiles/v2` from 2.2.0 to 2.2.1
- [Release notes](https://github.com/sigstore/rekor-tiles/releases)
- [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/RELEASE.md)
- [Commits](sigstore/rekor-tiles@v2.2.0...v2.2.1)

Updates `github.com/sigstore/timestamp-authority/v2` from 2.0.4 to 2.0.5
- [Release notes](https://github.com/sigstore/timestamp-authority/releases)
- [Changelog](https://github.com/sigstore/timestamp-authority/blob/main/CHANGELOG.md)
- [Commits](sigstore/timestamp-authority@v2.0.4...v2.0.5)

Updates `k8s.io/api` from 0.35.1 to 0.35.2
- [Commits](kubernetes/api@v0.35.1...v0.35.2)

Updates `k8s.io/apimachinery` from 0.35.1 to 0.35.2
- [Commits](kubernetes/apimachinery@v0.35.1...v0.35.2)

Updates `k8s.io/client-go` from 0.35.1 to 0.35.2
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.35.1...v0.35.2)

---
updated-dependencies:
- dependency-name: github.com/go-openapi/swag/conv
  dependency-version: 0.25.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/google/certificate-transparency-go
  dependency-version: 1.3.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/google/go-containerregistry
  dependency-version: 0.21.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/rekor-tiles/v2
  dependency-version: 2.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/timestamp-authority/v2
  dependency-version: 2.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/api
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/client-go
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
…ity key (sigstore#4761)

Fixes an error occurring when using a security key, such as a Yubikey or PKCS11 key, for signing. The SignerVerifier was wrapped in a SignerVerifierKeypair, and the underlying SignerVerifier was closed before the keypair was consumed to create the signature. This fix moves the deferred SignerVerifier.Close() call into the same function in which the sign method is called with the keypair.

Signed-off-by: Petteri Pulkkinen <epelip@epelip.com>
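The lifetime bug described in that commit message, as an added example in Go (not cosign's own code): a `defer Close()` placed in the helper that merely builds the wrapper fires when the helper returns, so the first real `Sign` call runs against a closed handle. The `hwSigner`, `keypair`, `openSigner*` and `signWith` names are hypothetical stand-ins for the SignerVerifier / SignerVerifierKeypair pair; the fix is to defer the close in the function that actually consumes the keypair.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrClosed is returned when Sign is called on a closed signer.
// Everything in this file is a hypothetical stand-in for a
// hardware-backed SignerVerifier; it is example code, not cosign's.
var ErrClosed = errors.New("signer already closed")

// hwSigner mimics a security-key handle: once Close() runs, the
// underlying session is gone and signing must fail.
type hwSigner struct {
	closed bool
}

func (s *hwSigner) Sign(msg []byte) ([]byte, error) {
	if s.closed {
		return nil, ErrClosed
	}
	// Stand-in for a real signature: just tag the message.
	return append([]byte("sig:"), msg...), nil
}

func (s *hwSigner) Close() error {
	s.closed = true
	return nil
}

// keypair wraps the signer the way a keypair type wraps a
// SignerVerifier (constructed for this example).
type keypair struct {
	sv *hwSigner
}

// openSignerBuggy shows the defective lifetime: the deferred Close
// fires when this function returns, before the caller ever signs.
func openSignerBuggy() *keypair {
	sv := &hwSigner{}
	defer sv.Close() // BUG: closes before the keypair is consumed
	return &keypair{sv: sv}
}

// openSigner returns the wrapper and leaves closing to the consumer,
// which is the shape of the fix the commit message describes.
func openSigner() *keypair {
	return &keypair{sv: &hwSigner{}}
}

// signWith is the function that actually consumes the keypair, so the
// deferred Close belongs here, running after the signature is produced.
func signWith(kp *keypair, msg []byte) ([]byte, error) {
	defer kp.sv.Close()
	return kp.sv.Sign(msg)
}

// signBuggy reproduces the pre-fix flow end to end: open, then sign.
func signBuggy(msg []byte) ([]byte, error) {
	kp := openSignerBuggy()
	return kp.sv.Sign(msg)
}

func main() {
	msg := []byte("artifact digest") // constructed input
	if _, err := signBuggy(msg); err != nil {
		fmt.Println("buggy flow:", err)
	}
	sig, err := signWith(openSigner(), msg)
	fmt.Printf("fixed flow: %q err=%v\n", sig, err)
}
```

With a real PKCS11 or PIV session the symptom is the same: the first signing call fails with a closed-session error, which is why the defer must live in the function whose return marks the end of the key's use.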
Without this change, a certificate annotation for a signed container
that contains only whitespace will trigger a panic, because
LoadCertificatesFromPEM doesn't throw an error with an empty or
whitespace-only string.

Thanks to Ziyu Lin for reporting this.

Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
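The panic that commit message describes, as an added Go example that is not cosign's code: a PEM loader that returns an empty slice and a nil error for whitespace-only input, a caller that trusts the nil error and indexes `certs[0]`, and the hardened caller that rejects empty annotations and empty results before indexing. `loadCertificatesFromPEM`, `leafFromAnnotationUnsafe` and `leafFromAnnotation` are hypothetical names; the self-signed certificate is generated in-process so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// loadCertificatesFromPEM is a hypothetical PEM loader (not cosign's).
// Like the behaviour the commit message describes, it returns zero
// certificates and a nil error when the input holds no PEM blocks,
// which is exactly what happens for an empty or whitespace-only string.
func loadCertificatesFromPEM(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for {
		block, rest := pem.Decode(data)
		if block == nil {
			return certs, nil
		}
		data = rest
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
}

// leafFromAnnotationUnsafe is the pattern that panics: it assumes a nil
// error implies at least one certificate and indexes certs[0].
func leafFromAnnotationUnsafe(annotation string) (*x509.Certificate, error) {
	certs, err := loadCertificatesFromPEM([]byte(annotation))
	if err != nil {
		return nil, err
	}
	return certs[0], nil // index out of range on whitespace-only input
}

// leafFromAnnotation is the hardened form: reject empty or
// whitespace-only annotations up front and never index an empty slice.
func leafFromAnnotation(annotation string) (*x509.Certificate, error) {
	if strings.TrimSpace(annotation) == "" {
		return nil, errors.New("certificate annotation is empty")
	}
	certs, err := loadCertificatesFromPEM([]byte(annotation))
	if err != nil {
		return nil, err
	}
	if len(certs) == 0 {
		return nil, errors.New("no certificates found in annotation")
	}
	return certs[0], nil
}

// selfSignedPEM builds a throwaway self-signed certificate so the
// example runs offline; it is constructed input, not a real signer cert.
func selfSignedPEM() (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

// recoverPanic reports whether fn panicked, so the unsafe path can be
// exercised without crashing the program.
func recoverPanic(fn func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	ws := " \n\t " // constructed whitespace-only annotation
	fmt.Println("unsafe path panics:", recoverPanic(func() { leafFromAnnotationUnsafe(ws) }))
	_, err := leafFromAnnotation(ws)
	fmt.Println("hardened path:", err)
}
```

The general rule this illustrates: a nil error from a parser says nothing about how many items it found, so any code that indexes the result must check the length itself, and rejecting blank input early gives the user a clearer message than "no certificates found".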
)

Bumps [docker/login-action](https://github.com/docker/login-action) from 3.7.0 to 4.0.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@c94ce9f...b45d80f)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
Bumps [github.com/in-toto/in-toto-golang](https://github.com/in-toto/in-toto-golang) from 0.9.0 to 0.10.0.
- [Release notes](https://github.com/in-toto/in-toto-golang/releases)
- [Changelog](https://github.com/in-toto/in-toto-golang/blob/master/CHANGELOG.md)
- [Commits](in-toto/in-toto-golang@v0.9.0...v0.10.0)

---
updated-dependencies:
- dependency-name: github.com/in-toto/in-toto-golang
  dependency-version: 0.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
The update of in-toto-golang to 0.10.0 deprecated the Statement type
in favor of a protobuf-generated Statement type in the attestation
package. The types are not identical, so some translation is needed to
support arbitrarily typed predicates for some attestations.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
Bumps the actions group with 2 updates: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions).


Updates `sigstore/cosign-installer` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@faadad0...ba7bc0a)

Updates `chainguard-dev/actions` from 1.6.5 to 1.6.7
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Commits](chainguard-dev/actions@71714a7...5e84f02)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: chainguard-dev/actions
  dependency-version: 1.6.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.19.0 to 0.20.0.
- [Commits](golang/sync@v0.19.0...v0.20.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sync
  dependency-version: 0.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.13.2 to 1.14.1.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v1.13.2...v1.14.1)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.14.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps cuelang.org/go from 0.15.4 to 0.16.0.

---
updated-dependencies:
- dependency-name: cuelang.org/go
  dependency-version: 0.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…-login

Bumps [github.com/awslabs/amazon-ecr-credential-helper/ecr-login](https://github.com/awslabs/amazon-ecr-credential-helper) from 0.11.0 to 0.12.0.
- [Release notes](https://github.com/awslabs/amazon-ecr-credential-helper/releases)
- [Changelog](https://github.com/awslabs/amazon-ecr-credential-helper/blob/main/CHANGELOG.md)
- [Commits](awslabs/amazon-ecr-credential-helper@v0.11.0...v0.12.0)

---
updated-dependencies:
- dependency-name: github.com/awslabs/amazon-ecr-credential-helper/ecr-login
  dependency-version: 0.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…re#4772)

Bumps the actions group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions).


Updates `chainguard-dev/actions` from 1.6.7 to 1.6.8
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Commits](chainguard-dev/actions@5e84f02...7440e20)

---
updated-dependencies:
- dependency-name: chainguard-dev/actions
  dependency-version: 1.6.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…sigstore#4784)

Bumps the actions group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `4.1.0` | `4.1.1` |
| [actions/setup-go](https://github.com/actions/setup-go) | `6.3.0` | `6.4.0` |
| [actions/cache](https://github.com/actions/cache) | `5.0.3` | `5.0.4` |
| [chainguard-dev/actions](https://github.com/chainguard-dev/actions) | `1.6.8` | `1.6.11` |
| [mikefarah/yq](https://github.com/mikefarah/yq) | `4.52.4` | `4.52.5` |



Updates `sigstore/cosign-installer` from 4.1.0 to 4.1.1
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@ba7bc0a...cad07c2)

Updates `actions/setup-go` from 6.3.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@4b73464...4a36011)

Updates `actions/cache` from 5.0.3 to 5.0.4
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@cdf6c1f...6682284)

Updates `chainguard-dev/actions` from 1.6.8 to 1.6.11
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Commits](chainguard-dev/actions@7440e20...8bb24c2)

Updates `mikefarah/yq` from 4.52.4 to 4.52.5
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@5a7e72a...0f4fb8d)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: actions/setup-go
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: actions/cache
  dependency-version: 5.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: chainguard-dev/actions
  dependency-version: 1.6.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: mikefarah/yq
  dependency-version: 4.52.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Simon Josefsson <simon@josefsson.org>
The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI buffers are not guaranteed to be null-terminated or have extra padding, this results in reading one byte past the allocated heap buffer.

For more details see: https://www.cve.org/CVERecord?id=CVE-2026-1849

On-behalf-of: SAP <matthias.bruns@sap.com>

Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
…igstore#4789)

* chore(deps): bump the gomod group across 1 directory with 18 updates

Bumps the gomod group with 12 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) | `4.1.3` | `4.1.4` |
| [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) | `0.29.2` | `0.29.3` |
| [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.21.2` | `0.21.3` |
| [github.com/sigstore/rekor](https://github.com/sigstore/rekor) | `1.5.0` | `1.5.1` |
| [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) | `1.10.4` | `1.10.5` |
| [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) | `1.10.4` | `1.10.5` |
| [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) | `1.10.4` | `1.10.5` |
| [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) | `1.10.4` | `1.10.5` |
| [github.com/sigstore/sigstore/pkg/signature/kms/hashivault](https://github.com/sigstore/sigstore) | `1.10.4` | `1.10.5` |
| [k8s.io/api](https://github.com/kubernetes/api) | `0.35.2` | `0.35.3` |
| [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.35.2` | `0.35.3` |
| [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils) | `0.12.3` | `0.12.4` |



Updates `github.com/go-jose/go-jose/v4` from 4.1.3 to 4.1.4
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](go-jose/go-jose@v4.1.3...v4.1.4)

Updates `github.com/go-openapi/runtime` from 0.29.2 to 0.29.3
- [Release notes](https://github.com/go-openapi/runtime/releases)
- [Commits](go-openapi/runtime@v0.29.2...v0.29.3)

Updates `github.com/go-openapi/strfmt` from 0.25.0 to 0.26.0
- [Release notes](https://github.com/go-openapi/strfmt/releases)
- [Commits](go-openapi/strfmt@v0.25.0...v0.26.0)

Updates `github.com/google/go-containerregistry` from 0.21.2 to 0.21.3
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Commits](google/go-containerregistry@v0.21.2...v0.21.3)

Updates `github.com/sigstore/rekor` from 1.5.0 to 1.5.1
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](sigstore/rekor@v1.5.0...v1.5.1)

Updates `github.com/sigstore/sigstore` from 1.10.4 to 1.10.5
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.4...v1.10.5)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/aws` from 1.10.4 to 1.10.5
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.4...v1.10.5)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/azure` from 1.10.4 to 1.10.5
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.4...v1.10.5)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/gcp` from 1.10.4 to 1.10.5
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.4...v1.10.5)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/hashivault` from 1.10.4 to 1.10.5
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.4...v1.10.5)

Updates `golang.org/x/crypto` from 0.48.0 to 0.49.0
- [Commits](golang/crypto@v0.48.0...v0.49.0)

Updates `golang.org/x/oauth2` from 0.35.0 to 0.36.0
- [Commits](golang/oauth2@v0.35.0...v0.36.0)

Updates `golang.org/x/term` from 0.40.0 to 0.41.0
- [Commits](golang/term@v0.40.0...v0.41.0)

Updates `google.golang.org/api` from 0.267.0 to 0.269.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.267.0...v0.269.0)

Updates `k8s.io/api` from 0.35.2 to 0.35.3
- [Commits](kubernetes/api@v0.35.2...v0.35.3)

Updates `k8s.io/apimachinery` from 0.35.2 to 0.35.3
- [Commits](kubernetes/apimachinery@v0.35.2...v0.35.3)

Updates `k8s.io/client-go` from 0.35.2 to 0.35.3
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.35.2...v0.35.3)

Updates `sigs.k8s.io/release-utils` from 0.12.3 to 0.12.4
- [Release notes](https://github.com/kubernetes-sigs/release-utils/releases)
- [Commits](kubernetes-sigs/release-utils@v0.12.3...v0.12.4)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/runtime
  dependency-version: 0.29.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/strfmt
  dependency-version: 0.26.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: github.com/google/go-containerregistry
  dependency-version: 0.21.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/rekor
  dependency-version: 1.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore
  dependency-version: 1.10.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws
  dependency-version: 1.10.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure
  dependency-version: 1.10.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp
  dependency-version: 1.10.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/hashivault
  dependency-version: 1.10.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: golang.org/x/crypto
  dependency-version: 0.49.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: golang.org/x/term
  dependency-version: 0.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: google.golang.org/api
  dependency-version: 0.269.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: k8s.io/api
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/client-go
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: sigs.k8s.io/release-utils
  dependency-version: 0.12.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump grpc dependency due to vulnerability

Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 1.41.0 to 1.46.0.
- [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags)
- [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md)
- [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v1.41.0...v1.46.0)

---
updated-dependencies:
- dependency-name: gitlab.com/gitlab-org/api/client-go
  dependency-version: 1.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
AttestationToPayloadJSON parses the attestation and checks that the
predicate type matches the expected type provided by the user.
Previously, when this function was called for old-format bundles and
detached signatures, any error returned was silently ignored, so
malformed attestations would be accepted and cosign would report a
successful verification. For new-format bundles, this check was never
performed at all, so the attestation would be accepted even if it did not
match the type given by the user. This change ensures that errors are
handled correctly and that the check is performed for both paths.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
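The predicate-type check and the error-swallowing bug that commit message describes, as an added Go example (not cosign's implementation): a minimal in-toto Statement envelope is parsed, its `predicateType` compared with the type the verifier expects, and the two calling conventions are shown side by side, the old one that discards the error and therefore reports success for a mismatched or malformed attestation, and the corrected one that propagates it. `statement`, `attestationToPayloadJSON`, `verifyIgnoringErrors` and `verify` are hypothetical names; the three payloads are constructed samples, not real attestations.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// statement carries the in-toto Statement fields this check needs;
// a hypothetical type for the example, not cosign's.
type statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// attestationToPayloadJSON parses a decoded DSSE payload and returns the
// predicate only if predicateType equals the type the user asked for.
// Hypothetical stand-in for the function named in the commit message.
func attestationToPayloadJSON(payload []byte, expectedType string) ([]byte, error) {
	var st statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return nil, fmt.Errorf("malformed attestation: %w", err)
	}
	if st.PredicateType != expectedType {
		return nil, fmt.Errorf("predicate type %q does not match expected %q",
			st.PredicateType, expectedType)
	}
	if len(st.Predicate) == 0 {
		return nil, errors.New("attestation has no predicate")
	}
	return st.Predicate, nil
}

// verifyIgnoringErrors reproduces the pre-fix behaviour: the check runs
// but its error is dropped, so every attestation "verifies".
func verifyIgnoringErrors(payload []byte, expectedType string) bool {
	_, _ = attestationToPayloadJSON(payload, expectedType)
	return true
}

// verify is the corrected behaviour: a failed check fails verification.
func verify(payload []byte, expectedType string) (bool, error) {
	if _, err := attestationToPayloadJSON(payload, expectedType); err != nil {
		return false, err
	}
	return true, nil
}

// Constructed sample payloads (not real attestations).
var (
	slsaPayload = []byte(`{"_type":"https://in-toto.io/Statement/v1",
	  "predicateType":"https://slsa.dev/provenance/v1",
	  "predicate":{"buildType":"example"}}`)
	wrongTypePayload = []byte(`{"_type":"https://in-toto.io/Statement/v1",
	  "predicateType":"https://example.com/unrelated/v1",
	  "predicate":{"anything":true}}`)
	malformedPayload = []byte(`{"_type":"https://in-toto.io/Statement/v1","predicateType"`)
)

func main() {
	want := "https://slsa.dev/provenance/v1"
	for name, p := range map[string][]byte{
		"matching": slsaPayload, "wrong type": wrongTypePayload, "malformed": malformedPayload,
	} {
		ok, err := verify(p, want)
		fmt.Printf("%-10s old=%v new=%v err=%v\n", name, verifyIgnoringErrors(p, want), ok, err)
	}
}
```

The point for anyone wiring a verifier: the predicate-type comparison is a policy decision, so it has to run on every bundle format the verifier accepts, and its error must reach the caller; a check whose result is discarded is equivalent to no check.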