[pull] main from sigstore:main#44
Open
pull[bot] wants to merge 288 commits into
Bumps the gomod group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/sigstore/rekor](https://github.com/sigstore/rekor) | `1.4.0` | `1.4.1` |
| [github.com/sigstore/rekor-tiles](https://github.com/sigstore/rekor-tiles) | `0.1.9` | `0.1.10` |
| [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) | `1.9.5` | `1.9.6-0.20250729224751-181c5d3339b3` |
| [github.com/spf13/pflag](https://github.com/spf13/pflag) | `1.0.7` | `1.0.9` |
| [github.com/stretchr/testify](https://github.com/stretchr/testify) | `1.11.0` | `1.11.1` |
| [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) | `0.142.1` | `0.142.5` |

Updates `github.com/sigstore/rekor` from 1.4.0 to 1.4.1
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](sigstore/rekor@v1.4.0...v1.4.1)

Updates `github.com/sigstore/rekor-tiles` from 0.1.9 to 0.1.10
- [Release notes](https://github.com/sigstore/rekor-tiles/releases)
- [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release)
- [Commits](sigstore/rekor-tiles@v0.1.9...v0.1.10)

Updates `github.com/sigstore/sigstore` from 1.9.5 to 1.9.6-0.20250729224751-181c5d3339b3
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/commits)

Updates `github.com/spf13/pflag` from 1.0.7 to 1.0.9
- [Release notes](https://github.com/spf13/pflag/releases)
- [Commits](spf13/pflag@v1.0.7...v1.0.9)

Updates `github.com/stretchr/testify` from 1.11.0 to 1.11.1
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](stretchr/testify@v1.11.0...v1.11.1)

Updates `gitlab.com/gitlab-org/api/client-go` from 0.142.1 to 0.142.5
- [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags)
- [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md)
- [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.142.1...v0.142.5)

---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor
  dependency-version: 1.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/rekor-tiles
  dependency-version: 0.1.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore
  dependency-version: 1.9.6-0.20250729224751-181c5d3339b3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/spf13/pflag
  dependency-version: 1.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/stretchr/testify
  dependency-version: 1.11.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: gitlab.com/gitlab-org/api/client-go
  dependency-version: 0.142.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
) Bumps [google-github-actions/auth](https://github.com/google-github-actions/auth) from 2.1.12 to 3.0.0. - [Release notes](https://github.com/google-github-actions/auth/releases) - [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md) - [Commits](google-github-actions/auth@b7593ed...7c6bc77) --- updated-dependencies: - dependency-name: google-github-actions/auth dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.9.1 to 1.10.1. - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](spf13/cobra@v1.9.1...v1.10.1) --- updated-dependencies: - dependency-name: github.com/spf13/cobra dependency-version: 1.10.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…m go.mod (#4369) Signed-off-by: Carlos Panato <ctadeu@gmail.com>
#4379) Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.7.1 to 1.8.0. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](open-policy-agent/opa@v1.7.1...v1.8.0) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-version: 1.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Use sigstore/sigstore signature.LoadSignerVerifierFromPrivateKey to load default verifiers given a private key. Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
…oup (#4385) Bumps the gomod group with 1 update: [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go). Updates `gitlab.com/gitlab-org/api/client-go` from 0.142.5 to 0.142.6 - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.142.5...v0.142.6) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.142.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Support self-managed keys when signing with sigstore-go This creates a wrapper around the Keypair interface when a SignerVerifier is provided for signing with KMS or any other provided keys. This also retains support for --issue-certificate to request a certificate for a managed key. Fixes #4327 Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * Add issue-certificate flags to attest and attest-blob This is for uniformity with sign/sign-blob. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * Refactor SignerFromKeyOpts to split Fulcio signer into its own method Now, we can generate a SignerVerifier from a provided key without mandating that we also request a Fulcio certificate when "issue-certificate" is provided. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * Use default options to load key material Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --------- Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
Bumps the actions group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `chainguard-dev/actions` from 1.4.12 to 1.4.13 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@be7b31a...3caedd3) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.4.13 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Add support for SigningConfig in sign/attest This will indirectly add support for signing with Rekor v2, since signing will be handled by sigstore-go rather than Cosign. This also brings sign/attest up to par with sign-blob/attest-blob with respect to signing with a key and providing a trusted root when providing a signing config. This feature is gated behind one of two signing config flags, which in a later version of Cosign will be flipped to on by default. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * Address review comments --signing-config and --use-signing-config are now mutually exclusive. TrustedMaterial and SigningConfig are set in the same line as fetching the trusted root and signing config. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --------- Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
Bumps the all group with 1 update: golang. Updates `golang` from 1.25.0 to 1.25.1 --- updated-dependencies: - dependency-name: golang dependency-version: 1.25.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.5.0 to 6.0.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@d35c59a...4469467) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.16.0 to 0.17.0. - [Commits](golang/sync@v0.16.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/sync dependency-version: 0.17.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….0 (#4390) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.103.1 to 3.104.0. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](buildkite/agent@v3.103.1...v3.104.0) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.104.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/github-script](https://github.com/actions/github-script) from 7.0.1 to 8.0.0. - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@60a0d83...ed59741) --- updated-dependencies: - dependency-name: actions/github-script dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 4 updates: [sigstore/sigstore-conformance](https://github.com/sigstore/sigstore-conformance), [chainguard-dev/actions](https://github.com/chainguard-dev/actions), [mikefarah/yq](https://github.com/mikefarah/yq) and [codecov/codecov-action](https://github.com/codecov/codecov-action).

Updates `sigstore/sigstore-conformance` from 0.0.19 to 0.0.20
- [Release notes](https://github.com/sigstore/sigstore-conformance/releases)
- [Commits](sigstore/sigstore-conformance@a7ac671...1d8b0cd)

Updates `chainguard-dev/actions` from 1.4.13 to 1.4.14
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml)
- [Commits](chainguard-dev/actions@3caedd3...f632aec)

Updates `mikefarah/yq` from 4.47.1 to 4.47.2
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@f03c9dc...6251e95)

Updates `codecov/codecov-action` from 5.5.0 to 5.5.1
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@fdcc847...5a10915)

---
updated-dependencies:
- dependency-name: sigstore/sigstore-conformance
  dependency-version: 0.0.20
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: chainguard-dev/actions
  dependency-version: 1.4.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: mikefarah/yq
  dependency-version: 4.47.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-version: 5.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/term](https://github.com/golang/term) from 0.34.0 to 0.35.0. - [Commits](golang/term@v0.34.0...v0.35.0) --- updated-dependencies: - dependency-name: golang.org/x/term dependency-version: 0.35.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.142.6 to 0.143.0. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.142.6...v0.143.0) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.143.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.30.0 to 0.31.0. - [Commits](golang/oauth2@v0.30.0...v0.31.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-version: 0.31.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.41.0 to 0.42.0. - [Commits](golang/crypto@v0.41.0...v0.42.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.42.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Bump sigstore-go, support alternative hash algorithms with keys sigstore-go now handles non-ECDSA-P-256 signatures with Rekor v2. To support verification, we also need a way to provide alternative hash algorithms to the default SHA-256. cosign verify already had a flag for this, so I added the flag to all verify commands. In the future, when we are only processing bundles, we can lookup the default hash algorithm given the key. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * lint fmt Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * Drop support for Fulcio with ed25519ph key We've chosen to not support this in sigstore-go, so we'll also remove this from Cosign. This is a niche edge case where a user provides an ed25519 key or algorithm and requests a cert and logs it to Rekor. We'll revisit this if there's demand or when we support the prehash variant in Fulcio. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --------- Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
…4401) Bumps the gomod group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/sigstore/rekor-tiles](https://github.com/sigstore/rekor-tiles) | `0.1.10` | `0.1.11` |
| [github.com/sigstore/timestamp-authority](https://github.com/sigstore/timestamp-authority) | `1.2.8` | `1.2.9` |
| [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) | `0.143.1` | `0.143.3` |
| [k8s.io/api](https://github.com/kubernetes/api) | `0.34.0` | `0.34.1` |
| [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.34.0` | `0.34.1` |

Updates `github.com/sigstore/rekor-tiles` from 0.1.10 to 0.1.11
- [Release notes](https://github.com/sigstore/rekor-tiles/releases)
- [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release)
- [Commits](sigstore/rekor-tiles@v0.1.10...v0.1.11)

Updates `github.com/sigstore/timestamp-authority` from 1.2.8 to 1.2.9
- [Release notes](https://github.com/sigstore/timestamp-authority/releases)
- [Changelog](https://github.com/sigstore/timestamp-authority/blob/main/CHANGELOG.md)
- [Commits](sigstore/timestamp-authority@v1.2.8...v1.2.9)

Updates `github.com/spf13/pflag` from 1.0.9 to 1.0.10
- [Release notes](https://github.com/spf13/pflag/releases)
- [Commits](spf13/pflag@v1.0.9...v1.0.10)

Updates `gitlab.com/gitlab-org/api/client-go` from 0.143.1 to 0.143.3
- [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags)
- [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md)
- [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.143.1...v0.143.3)

Updates `google.golang.org/protobuf` from 1.36.8 to 1.36.9

Updates `k8s.io/api` from 0.34.0 to 0.34.1
- [Commits](kubernetes/api@v0.34.0...v0.34.1)

Updates `k8s.io/apimachinery` from 0.34.0 to 0.34.1
- [Commits](kubernetes/apimachinery@v0.34.0...v0.34.1)

Updates `k8s.io/client-go` from 0.34.0 to 0.34.1
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.34.0...v0.34.1)

---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor-tiles
  dependency-version: 0.1.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/timestamp-authority
  dependency-version: 1.2.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/spf13/pflag
  dependency-version: 1.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: gitlab.com/gitlab-org/api/client-go
  dependency-version: 0.143.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: google.golang.org/protobuf
  dependency-version: 1.36.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/api
  dependency-version: 0.34.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.34.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/client-go
  dependency-version: 0.34.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Recording signatures to Rekor v2 can take up to 10 seconds. We want to avoid someone killing the process while waiting for a response from Rekor, otherwise the user will have to re-sign the artifact. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
A signing config is a source of truth for the service URLs. We will disallow specifying multiple sources of truth for service URLs if the default values are overridden. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
* Default to using the new protobuf format --------- Signed-off-by: Zach Steindler <steiza@github.com>
….0 (#4411) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.104.0 to 3.105.0. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](buildkite/agent@v3.104.0...v3.105.0) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.105.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.143.3 to 0.144.1. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.143.3...v0.144.1) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.144.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This change updates the bundle create command to prevent the user from enabling --ignore-tlog if the provided bundle contains a Signed Entry Timestamp (SET). The presence of a SET in an old-format bundle indicates that there should be a corresponding Rekor entry, which should be fetched for the creation of a new-format bundle. Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
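The gate described in the commit above, as an added example that is not cosign's own code: parse an old-format bundle, detect a Signed Entry Timestamp, and refuse `--ignore-tlog` when one is present. The field names (`base64Signature`, `cert`, `rekorBundle`, `SignedEntryTimestamp`, `Payload`) follow cosign's legacy bundle layout as far as this check needs them; the sample bundles and every signature, certificate and SET value in them are constructed placeholders, not real material.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// legacyBundle models the old cosign bundle format only as far as this check
// needs it (assumption: the remaining payload fields are passed through untouched).
type legacyBundle struct {
	Base64Signature string       `json:"base64Signature"`
	Cert            string       `json:"cert,omitempty"`
	RekorBundle     *rekorBundle `json:"rekorBundle,omitempty"`
}

type rekorBundle struct {
	SignedEntryTimestamp string          `json:"SignedEntryTimestamp"`
	Payload              json.RawMessage `json:"Payload"`
}

var errSETRequiresTlog = errors.New("bundle contains a Signed Entry Timestamp, so a Rekor entry exists for it; --ignore-tlog cannot be used with this bundle")

// hasSET reports whether the legacy bundle carries a SET, i.e. Rekor has
// promised inclusion and a corresponding log entry should be fetched.
func hasSET(b *legacyBundle) bool {
	return b.RekorBundle != nil && b.RekorBundle.SignedEntryTimestamp != ""
}

// checkIgnoreTlog parses the legacy bundle and refuses --ignore-tlog when a SET
// is present: converting such a bundle without its log entry would silently
// drop transparency-log evidence the old bundle already had.
func checkIgnoreTlog(raw []byte, ignoreTlog bool) (*legacyBundle, error) {
	var b legacyBundle
	if err := json.Unmarshal(raw, &b); err != nil {
		return nil, fmt.Errorf("parsing legacy bundle: %w", err)
	}
	if b.Base64Signature == "" {
		return nil, errors.New("legacy bundle has no base64Signature")
	}
	if ignoreTlog && hasSET(&b) {
		return nil, errSETRequiresTlog
	}
	return &b, nil
}

// Constructed sample bundles; all values are placeholders.
const bundleWithSET = `{
  "base64Signature": "MEUCIQD...placeholder...",
  "cert": "LS0tLS1CRUdJTi...placeholder...",
  "rekorBundle": {
    "SignedEntryTimestamp": "MEQCIA...placeholder...",
    "Payload": {"body": "eyJ...", "integratedTime": 1700000000, "logIndex": 12345, "logID": "c0d23d6a..."}
  }
}`

const bundleWithoutSET = `{
  "base64Signature": "MEUCIQD...placeholder...",
  "cert": "LS0tLS1CRUdJTi...placeholder..."
}`

func main() {
	cases := []struct {
		name   string
		raw    string
		ignore bool
	}{
		{"SET + --ignore-tlog", bundleWithSET, true},
		{"SET, tlog honored", bundleWithSET, false},
		{"no SET + --ignore-tlog", bundleWithoutSET, true},
	}
	for _, tc := range cases {
		_, err := checkIgnoreTlog([]byte(tc.raw), tc.ignore)
		fmt.Printf("%-24s -> err=%v\n", tc.name, err)
	}
}
```

Only the first case is rejected; a bundle that never had a SET can legitimately be converted with `--ignore-tlog`, and a bundle with a SET converts fine when the log entry is going to be fetched.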
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
LoadCmd was calling name.ParseReference without the name.Insecure option, so --allow-http-registry had no effect: the command always tried to connect over HTTPS regardless of the flag. The RegistryOptions.NameOptions() helper already returns name.Insecure when AllowHTTPRegistry is set; the load command simply wasn't calling it, unlike the symmetric save, clean, and tree commands which do. Pass opts.Registry.NameOptions()... to name.ParseReference so that plain-HTTP registries are reachable when the flag is supplied. Fixes #4134 Signed-off-by: Tommy <tommy@bejara.net> Co-authored-by: Tommy <tommy@bejara.net>
…#4813) * fix: honor --digestAlg when hashing a blob in verify-blob-attestation verify-blob-attestation always hashed the artifact with SHA-256, so attestations produced against other digest algorithms could not be verified — npm provenance bundles, for example, use SHA-512. The command already exposed --digestAlg but only honored it when both --digest and --digestAlg were passed without a blob. Thread --digestAlg through the artifact-hashing branch as well: when set, parse it into a crypto.Hash and use it for the HashReader and the Subject digest algorithm label; default stays SHA-256 for backward compatibility. Invalid values are rejected up front with a clear error. Adds TestParseBlobHashAlgorithm covering sha256/sha384/sha512 plus rejection of sha1, md5, empty, and upper-case inputs. Fixes #4805 Signed-off-by: Ali <alliasgher123@gmail.com> * verify-blob-attestation: use WithArtifact when artifact path is given When a bundle is used and an artifact path is provided, pass the file directly to sgverify.WithArtifact so sigstore-go can peek at the bundle and select the correct hash algorithm automatically. This removes the need for the user to supply --digestAlg when verifying against a bundle. The --digestAlg flag is still honored for the legacy (non-bundle) verification path. Fixes #4805 Signed-off-by: Ali <ali@kscope.ai> --------- Signed-off-by: Ali <alliasgher123@gmail.com> Signed-off-by: Ali <ali@kscope.ai>
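The hashing path the commit above describes, as an added example rather than cosign's own implementation: a strict `--digestAlg` parser that accepts only `sha256`, `sha384` and `sha512` (rejecting `sha1`, `md5`, empty and upper-case input), the SHA-256 default when the flag is unset, and a subject check that fails closed when the statement only carries a digest of a different algorithm. The function names (`parseBlobHashAlgorithm` aside, which the commit mentions as the test target), the in-toto subject map and the artifact bytes are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"crypto"
	_ "crypto/sha256" // registers SHA-256 with crypto.Hash
	_ "crypto/sha512" // registers SHA-384 and SHA-512 with crypto.Hash
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// parseBlobHashAlgorithm maps a --digestAlg value to a crypto.Hash. Only the
// lower-case names sha256, sha384 and sha512 are accepted; sha1, md5, the empty
// string and upper-case spellings are rejected before any hashing happens.
func parseBlobHashAlgorithm(name string) (crypto.Hash, error) {
	switch name {
	case "sha256":
		return crypto.SHA256, nil
	case "sha384":
		return crypto.SHA384, nil
	case "sha512":
		return crypto.SHA512, nil
	case "":
		return 0, fmt.Errorf("digest algorithm must not be empty")
	default:
		return 0, fmt.Errorf("unsupported digest algorithm %q (want sha256, sha384 or sha512)", name)
	}
}

// resolveHash applies the CLI default: an unset flag means SHA-256 for
// backward compatibility; a set flag must parse.
func resolveHash(flag string, flagSet bool) (crypto.Hash, error) {
	if !flagSet {
		return crypto.SHA256, nil
	}
	return parseBlobHashAlgorithm(flag)
}

// digestLabel turns crypto.SHA512 ("SHA-512") into the in-toto subject key "sha512".
func digestLabel(h crypto.Hash) string {
	return strings.ToLower(strings.ReplaceAll(h.String(), "-", ""))
}

// hashBlob streams the artifact through the selected hash and returns the
// subject digest label together with the hex digest.
func hashBlob(r io.Reader, h crypto.Hash) (label, digest string, err error) {
	hasher := h.New()
	if _, err := io.Copy(hasher, r); err != nil {
		return "", "", err
	}
	return digestLabel(h), hex.EncodeToString(hasher.Sum(nil)), nil
}

// subjectMatches compares an in-toto subject's digest map against the artifact
// hashed with the requested algorithm. It fails closed: a statement that only
// carries a sha512 digest does not match when the verifier hashes with SHA-256.
func subjectMatches(subjectDigest map[string]string, artifact []byte, h crypto.Hash) (bool, error) {
	label, digest, err := hashBlob(bytes.NewReader(artifact), h)
	if err != nil {
		return false, err
	}
	want, ok := subjectDigest[label]
	if !ok {
		return false, fmt.Errorf("statement subject has no %s digest", label)
	}
	return strings.EqualFold(want, digest), nil
}

func main() {
	artifact := []byte("hello") // constructed artifact content
	// Constructed subject of an npm-style provenance statement carrying only a sha512 digest.
	_, sha512Digest, _ := hashBlob(bytes.NewReader(artifact), crypto.SHA512)
	subject := map[string]string{"sha512": sha512Digest}

	ok, err := subjectMatches(subject, artifact, crypto.SHA256) // old behaviour: always SHA-256
	fmt.Println("hashed with sha256:", ok, err)
	h, _ := resolveHash("sha512", true) // --digestAlg sha512 honored
	ok, err = subjectMatches(subject, artifact, h)
	fmt.Println("hashed with sha512:", ok, err)
}
```

The rejection list matters as much as the accept list: a verifier that silently accepted `sha1` or an upper-case alias would widen the set of digests an attacker can target, so unknown input is an error rather than a fallback to the default.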
…4840) Bumps the gomod group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| cuelang.org/go | `0.16.0` | `0.16.1` |
| [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) | `0.29.3` | `0.29.4` |
| [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.21.3` | `0.21.5` |
| [github.com/sigstore/protobuf-specs](https://github.com/sigstore/protobuf-specs) | `0.5.0` | `0.5.1` |
| [github.com/sigstore/timestamp-authority/v2](https://github.com/sigstore/timestamp-authority) | `2.0.5` | `2.0.6` |

Updates `cuelang.org/go` from 0.16.0 to 0.16.1

Updates `github.com/go-openapi/runtime` from 0.29.3 to 0.29.4
- [Release notes](https://github.com/go-openapi/runtime/releases)
- [Commits](go-openapi/runtime@v0.29.3...v0.29.4)

Updates `github.com/go-openapi/strfmt` from 0.26.0 to 0.26.1
- [Release notes](https://github.com/go-openapi/strfmt/releases)
- [Commits](go-openapi/strfmt@v0.26.0...v0.26.1)

Updates `github.com/go-openapi/swag/conv` from 0.25.5 to 0.26.0
- [Release notes](https://github.com/go-openapi/swag/releases)
- [Commits](go-openapi/swag@v0.25.5...v0.26.0)

Updates `github.com/google/go-containerregistry` from 0.21.3 to 0.21.5
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Commits](google/go-containerregistry@v0.21.3...v0.21.5)

Updates `github.com/sigstore/protobuf-specs` from 0.5.0 to 0.5.1
- [Release notes](https://github.com/sigstore/protobuf-specs/releases)
- [Changelog](https://github.com/sigstore/protobuf-specs/blob/main/CHANGELOG.md)
- [Commits](sigstore/protobuf-specs@v0.5.0...v0.5.1)

Updates `github.com/sigstore/timestamp-authority/v2` from 2.0.5 to 2.0.6
- [Release notes](https://github.com/sigstore/timestamp-authority/releases)
- [Changelog](https://github.com/sigstore/timestamp-authority/blob/main/CHANGELOG.md)
- [Commits](sigstore/timestamp-authority@v2.0.5...v2.0.6)

Updates `golang.org/x/crypto` from 0.49.0 to 0.50.0
- [Commits](golang/crypto@v0.49.0...v0.50.0)

Updates `golang.org/x/term` from 0.41.0 to 0.42.0
- [Commits](golang/term@v0.41.0...v0.42.0)

Updates `google.golang.org/api` from 0.269.0 to 0.272.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.269.0...v0.272.0)

---
updated-dependencies:
- dependency-name: cuelang.org/go
  dependency-version: 0.16.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/runtime
  dependency-version: 0.29.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/strfmt
  dependency-version: 0.26.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/swag/conv
  dependency-version: 0.26.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: github.com/google/go-containerregistry
  dependency-version: 0.21.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/protobuf-specs
  dependency-version: 0.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/timestamp-authority/v2
  dependency-version: 2.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: golang.org/x/crypto
  dependency-version: 0.50.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: golang.org/x/term
  dependency-version: 0.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: google.golang.org/api
  dependency-version: 0.272.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
--------- Signed-off-by: Eric Pickard <piceri@github.com>
cosign copy does not copy referring artifacts, so we'll use oras instead as part of the build step. Fixes #4818 Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
--------- Signed-off-by: Eric Pickard <piceri@github.com>
--------- Signed-off-by: Eric Pickard <piceri@github.com>
…4853) Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
…4854) Signed-off-by: Eric Pickard <piceri@github.com>
…#4869) In WriteSignedImageIndexImages, os.Open is called inside a loop to parse each blob manifest, but the returned file descriptor is never closed. This leaks one fd per iteration—on every continue (parse error or nil Subject) and on the normal path alike. Close fd immediately after v1.ParseManifest since the parsed manifest is the only value needed from the file. A plain Close() rather than defer is used because defer inside a loop would accumulate closers until the function returns, defeating the purpose. Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
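The leak and its fix, as an added example that is not cosign's code: `countingOpener` stands in for `os.Open` and counts how many handles are open at once, and `parseManifest` stands in for `v1.ParseManifest` with a constructed one-line "manifest" format, so the difference between `defer` inside the loop and an immediate `Close()` is observable without touching the filesystem. All names, the manifest format and the sample inputs are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
)

// countingOpener stands in for os.Open: it hands out readers and records the
// peak number open at once, so a descriptor leak shows up as maxOpen > 1.
type countingOpener struct {
	files   map[string]string // constructed "blob manifests" keyed by path
	open    int
	maxOpen int
}

type trackedFile struct {
	io.Reader
	owner  *countingOpener
	closed bool
}

func (f *trackedFile) Close() error {
	if f.closed {
		return errors.New("double close")
	}
	f.closed = true
	f.owner.open--
	return nil
}

func (o *countingOpener) Open(path string) (io.ReadCloser, error) {
	data, ok := o.files[path]
	if !ok {
		return nil, fmt.Errorf("open %s: no such file", path)
	}
	o.open++
	if o.open > o.maxOpen {
		o.maxOpen = o.open
	}
	return &trackedFile{Reader: strings.NewReader(data), owner: o}, nil
}

// parseManifest stands in for v1.ParseManifest: "subject: <digest>" yields the
// subject digest (possibly empty); anything else is a parse error.
func parseManifest(r io.Reader) (string, error) {
	raw, err := io.ReadAll(r)
	if err != nil {
		return "", err
	}
	doc := strings.TrimSpace(string(raw))
	if !strings.HasPrefix(doc, "subject:") {
		return "", errors.New("not a manifest")
	}
	return strings.TrimSpace(strings.TrimPrefix(doc, "subject:")), nil
}

// collectSubjectsLeaky reproduces the defect: defer inside the loop, so every
// handle, including those on the continue paths, stays open until return.
func collectSubjectsLeaky(o *countingOpener, paths []string) []string {
	var subjects []string
	for _, p := range paths {
		f, err := o.Open(p)
		if err != nil {
			continue
		}
		defer f.Close() // accumulates; nothing is released before the function returns
		subject, err := parseManifest(f)
		if err != nil || subject == "" {
			continue
		}
		subjects = append(subjects, subject)
	}
	return subjects
}

// collectSubjects is the fixed shape: the parsed manifest is the only value
// needed from the file, so the handle is closed right after parsing, before
// any of the continue checks.
func collectSubjects(o *countingOpener, paths []string) []string {
	var subjects []string
	for _, p := range paths {
		f, err := o.Open(p)
		if err != nil {
			continue
		}
		subject, err := parseManifest(f)
		f.Close()
		if err != nil || subject == "" {
			continue
		}
		subjects = append(subjects, subject)
	}
	return subjects
}

func main() {
	files := map[string]string{ // constructed inputs
		"a.json": "subject: sha256:aaaa", "b.json": "not a manifest", "c.json": "subject:", "d.json": "subject: sha256:dddd",
	}
	paths := []string{"a.json", "b.json", "c.json", "missing.json", "d.json"}
	leaky, fixed := &countingOpener{files: files}, &countingOpener{files: files}
	fmt.Println(collectSubjectsLeaky(leaky, paths), "peak open:", leaky.maxOpen)
	fmt.Println(collectSubjects(fixed, paths), "peak open:", fixed.maxOpen)
}
```

Both versions return the same subjects; only the peak number of simultaneously open handles differs (one per opened file for the leaky loop, one in total for the fix), which is the whole cost of the defect on an index with many manifests.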
The GitHub Actions OIDC token provider uses Header.Add inside a retry loop. On each retry iteration, an additional Authorization header is appended to the request. By the third attempt, three identical headers are sent. Some servers and proxies reject requests with duplicate Authorization headers, causing retries to fail when they should succeed. Replace Header.Add with Header.Set so only one Authorization header is ever present, regardless of how many retries occur. Add a test that forces two retries via connection hijack and asserts exactly one Authorization header is received on every attempt. Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
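The retry defect and its fix, as an added example that is not cosign's provider code: one `*http.Request` is reused across attempts, and a constructed stand-in for the token endpoint counts the `Authorization` values on each attempt and rejects any request carrying more than one, as a strict proxy would. `fetchWithRetry`, `flakyStrictServer`, the URL and the token are assumptions made for the example; nothing is sent over the network.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// sendFunc stands in for the HTTP round trip. It returns how many Authorization
// values the request carried and an error when the attempt should be retried.
type sendFunc func(req *http.Request) (authValues int, err error)

// fetchWithRetry mirrors the provider's loop: one request object reused across
// attempts. useSet selects Header.Set (the fix) or Header.Add (the defect).
// It returns the Authorization count observed on every attempt.
func fetchWithRetry(url, token string, maxAttempts int, useSet bool, send sendFunc) ([]int, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	var seen []int
	var lastErr error
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		if useSet {
			req.Header.Set("Authorization", "bearer "+token) // replaces any earlier value
		} else {
			req.Header.Add("Authorization", "bearer "+token) // appends: attempt N carries N copies
		}
		n, err := send(req)
		seen = append(seen, n)
		if err == nil {
			return seen, nil
		}
		lastErr = fmt.Errorf("attempt %d: %w", attempt, err)
	}
	return seen, lastErr
}

var errDuplicateAuth = errors.New("400 Bad Request: duplicate Authorization header")

// flakyStrictServer is a constructed stand-in for the token endpoint behind a
// strict proxy: the first transientFailures calls fail with a retryable error,
// and any request with more than one Authorization header is rejected outright.
func flakyStrictServer(transientFailures int) sendFunc {
	calls := 0
	return func(req *http.Request) (int, error) {
		calls++
		n := len(req.Header.Values("Authorization"))
		if n > 1 {
			return n, errDuplicateAuth
		}
		if calls <= transientFailures {
			return n, errors.New("503 Service Unavailable")
		}
		return n, nil
	}
}

func main() {
	// Constructed inputs; the URL and token are placeholders.
	for _, useSet := range []bool{false, true} {
		seen, err := fetchWithRetry("https://token.example/oidc", "t0k3n", 3, useSet, flakyStrictServer(1))
		fmt.Printf("useSet=%v authValuesPerAttempt=%v err=%v\n", useSet, seen, err)
	}
}
```

With `Header.Add`, one transient failure is enough to poison every later attempt (the second request already carries two headers and is rejected), so the retry loop never recovers; with `Header.Set`, the second attempt carries exactly one header and succeeds.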
Allows populating the signing configuration using default values from the Sigstore TUF root, specifically fetching from the target `signing_config_rekor_v2.v0.2.json` to support Rekor v2 services. Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
…#4864) Bumps the actions group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `4.1.1` | `4.1.2` |
| [docker/login-action](https://github.com/docker/login-action) | `4.0.0` | `4.1.0` |
| [actions/cache](https://github.com/actions/cache) | `5.0.4` | `5.0.5` |
| [chainguard-dev/actions](https://github.com/chainguard-dev/actions) | `1.6.11` | `1.6.19` |
| [mikefarah/yq](https://github.com/mikefarah/yq) | `4.52.5` | `4.53.2` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` |

Updates `sigstore/cosign-installer` from 4.1.1 to 4.1.2
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@cad07c2...6f9f177)

Updates `docker/login-action` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@b45d80f...4907a6d)

Updates `actions/cache` from 5.0.4 to 5.0.5
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@6682284...27d5ce7)

Updates `chainguard-dev/actions` from 1.6.11 to 1.6.19
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Commits](chainguard-dev/actions@8bb24c2...c69a264)

Updates `mikefarah/yq` from 4.52.5 to 4.53.2
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@0f4fb8d...751d8ad)

Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@bbbca2d...043fb46)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: chainguard-dev/actions
  dependency-version: 1.6.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: docker/login-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: mikefarah/yq
  dependency-version: 4.53.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/in-toto/in-toto-golang](https://github.com/in-toto/in-toto-golang) from 0.10.0 to 0.11.0. - [Release notes](https://github.com/in-toto/in-toto-golang/releases) - [Changelog](https://github.com/in-toto/in-toto-golang/blob/master/CHANGELOG.md) - [Commits](in-toto/in-toto-golang@v0.10.0...v0.11.0) --- updated-dependencies: - dependency-name: github.com/in-toto/in-toto-golang dependency-version: 0.11.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.5.2 to 6.0.0. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@671740a...57e3a13) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump golang from 1.25.6 to 1.25.7 in the all group Bumps the all group with 1 update: golang. Updates `golang` from 1.25.6 to 1.25.7 --- updated-dependencies: - dependency-name: golang dependency-version: 1.25.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all ... Signed-off-by: dependabot[bot] <support@github.com> * Fix linter failures for golang update Signed-off-by: Colleen Murphy <colleenmurphy@google.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Colleen Murphy <colleenmurphy@google.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Colleen Murphy <colleenmurphy@google.com>
…4798) Bumps [github.com/in-toto/attestation](https://github.com/in-toto/attestation) from 1.1.2 to 1.2.0. - [Release notes](https://github.com/in-toto/attestation/releases) - [Commits](in-toto/attestation@v1.1.2...v1.2.0) --- updated-dependencies: - dependency-name: github.com/in-toto/attestation dependency-version: 1.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
) Bumps [github.com/go-piv/piv-go/v2](https://github.com/go-piv/piv-go) from 2.5.0 to 2.6.0. - [Release notes](https://github.com/go-piv/piv-go/releases) - [Commits](go-piv/piv-go@v2.5.0...v2.6.0) --- updated-dependencies: - dependency-name: github.com/go-piv/piv-go/v2 dependency-version: 2.6.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…6.2 (#4862) Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.14.1 to 1.16.2. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](open-policy-agent/opa@v1.14.1...v1.16.2) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-version: 1.16.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The HTTP status code checks in PutSecret use && instead of ||:
if statusCode < 200 && statusCode >= 300 {
This condition is always false (no integer is simultaneously less
than 200 and greater than or equal to 300), so non-2xx HTTP errors
are silently ignored. Fix all four checks to use || so that error
responses from the GitHub API are properly detected and reported.
The GitLab provider (pkg/cosign/git/gitlab/gitlab.go) already uses
the correct || operator for the same check.
Introduced in PR #848 (5302c87, 2021-10-12).
Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
If no TSA chain in the trust root can verify a signed timestamp, then a crash would occur when Cosign tries to read one of the verified timestamps. We now throw an error if no timestamp was verified. Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
--------- Signed-off-by: Eric Pickard <piceri@github.com>
--------- Signed-off-by: Andrew Womeldorf <andrew.womeldorf@gmail.com> Signed-off-by: Andrew Womeldorf <git@andrew.wom.icu>
LoadFileOrURL silently returns the response body for non-2xx HTTP responses. When a URL returns 404 or 500, the HTML error page is passed to callers as valid key/signature/certificate data, producing confusing parse errors downstream. Add a status code check that returns a clear error for non-2xx responses. The body is closed before returning to avoid leaking the HTTP connection. Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
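Added example (not cosign's own code) illustrating both HTTP status-handling commits above: the `&&` range check that can never be true, its `||` replacement, and a `LoadFileOrURL`-style fetch that refuses to return the body of a non-2xx response and closes it first. The `fetchChecked` helper and the fake server's `/key` and `/missing` routes are constructed for this example and are not cosign's API; the PEM blob and HTML error page they serve are constructed sample data.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// isNon2xxBuggy has the shape of the original PutSecret check. No integer is
// both below 200 and at or above 300, so it returns false for every status
// and error responses are treated as success.
func isNon2xxBuggy(status int) bool {
	return status < 200 && status >= 300
}

// isNon2xx is the corrected predicate: anything outside [200, 300) is an error.
func isNon2xx(status int) bool {
	return status < 200 || status >= 300
}

// fetchChecked is a hypothetical stand-in for a LoadFileOrURL-style helper.
// It returns the body only for 2xx responses; on any other status it drains
// and closes the body (via defer) and returns a clear error, so an HTML
// error page is never handed to a PEM/signature parser downstream.
func fetchChecked(client *http.Client, url string) ([]byte, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if isNon2xx(resp.StatusCode) {
		_, _ = io.Copy(io.Discard, resp.Body) // let the connection be reused
		return nil, fmt.Errorf("unexpected HTTP status %d fetching %s", resp.StatusCode, url)
	}
	return io.ReadAll(resp.Body)
}

// newFakeServer serves constructed sample responses: a PEM-looking blob at
// /key and an HTML "not found" page with status 404 at /missing.
func newFakeServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/key", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "-----BEGIN PUBLIC KEY-----\nconstructed-sample-not-a-real-key\n-----END PUBLIC KEY-----\n")
	})
	mux.HandleFunc("/missing", func(w http.ResponseWriter, r *http.Request) {
		http.Error(w, "<html><body>Not Found</body></html>", http.StatusNotFound)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newFakeServer()
	defer srv.Close()
	for _, path := range []string{"/key", "/missing"} {
		body, err := fetchChecked(srv.Client(), srv.URL+path)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("got %d bytes from %s\n", len(body), path)
	}
	fmt.Println("buggy check flags 404?", isNon2xxBuggy(404), "fixed check flags 404?", isNon2xx(404))
}
```

Running it prints the body size for `/key` and an error mentioning status 404 for `/missing`; the last line shows the buggy predicate returning false for a 404 while the fixed one returns true.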
evaluateRegoEvalMapResult asserts each element in the Rego response
array as map[string]interface{} without an ok check. If a policy
returns a non-map value in the array, cosign panics instead of
returning a policy evaluation error.
Add an ok check and return a descriptive error on type mismatch.
The bug was introduced in b2cea0c (2022-12-28).
Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
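Added example (not cosign's own code) showing the failure mode this commit fixes: a bare type assertion on each element of a policy result array panics when an element is not a map, while the two-value `v, ok := x.(T)` form turns the mismatch into an error the caller can report. The `collectUnchecked`/`collectChecked` helpers and the two JSON result arrays are constructed for this example and do not reproduce cosign's `evaluateRegoEvalMapResult` logic or its result-key semantics.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample policy results in the JSON shape an evaluation returns:
// an array of result objects. The second array mixes in a bare string, the
// kind of element that triggers the panic described in the commit.
const wellFormed = `[{"allow": true}, {"allow": true}]`
const malformed = `[{"allow": true}, "not-a-map"]`

// mustParse decodes a constructed sample; it is only used on inputs defined
// in this file, so a decode failure is a programming error here.
func mustParse(raw string) []interface{} {
	var out []interface{}
	if err := json.Unmarshal([]byte(raw), &out); err != nil {
		panic(err)
	}
	return out
}

// collectUnchecked mirrors the pre-fix shape: a single-value assertion that
// panics (crashing the process) when an element is not a map.
func collectUnchecked(results []interface{}) []map[string]interface{} {
	maps := make([]map[string]interface{}, 0, len(results))
	for _, elem := range results {
		maps = append(maps, elem.(map[string]interface{})) // panics on non-map
	}
	return maps
}

// collectChecked is the fixed shape: the ok form reports the index and the
// actual dynamic type instead of panicking.
func collectChecked(results []interface{}) ([]map[string]interface{}, error) {
	maps := make([]map[string]interface{}, 0, len(results))
	for i, elem := range results {
		m, ok := elem.(map[string]interface{})
		if !ok {
			return nil, fmt.Errorf("policy result %d: expected object, got %T", i, elem)
		}
		maps = append(maps, m)
	}
	return maps, nil
}

// panics reports whether f panics, so the pre-fix behaviour can be
// demonstrated without taking the program down.
func panics(f func()) (didPanic bool) {
	defer func() {
		if r := recover(); r != nil {
			didPanic = true
		}
	}()
	f()
	return false
}

func main() {
	fmt.Println("unchecked panics on malformed input:", panics(func() { collectUnchecked(mustParse(malformed)) }))
	if _, err := collectChecked(mustParse(malformed)); err != nil {
		fmt.Println("checked returns error:", err)
	}
	maps, _ := collectChecked(mustParse(wellFormed))
	fmt.Println("checked accepts well-formed input, results:", len(maps))
}
```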
Created by
pull[bot] (v2.0.0-alpha.3)