Bump github.com/sigstore/cosign/v2 from 2.3.0 to 2.4.0 (#215)
Bumps
[github.com/sigstore/cosign/v2](https://github.com/sigstore/cosign) from
2.3.0 to 2.4.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/sigstore/cosign/releases">github.com/sigstore/cosign/v2's
releases</a>.</em></p>
<blockquote>
<p>v2.4.0 begins the modernization of the Cosign client, which
includes:</p>
<ul>
<li>Support for the newer Sigstore specification-compliant bundle
format</li>
<li>Support for providing trust roots (e.g. Fulcio certificates, Rekor
keys)
through a trust root file, instead of many different flags</li>
<li>Conformance test suite integration to verify signing and
verification behavior</li>
</ul>
<p>In future updates, we'll include:</p>
<ul>
<li>General support for the trust root file, instead of only when using
the bundle
format during verification</li>
<li>Simplification of trust root flags and deprecation of the
Cosign-specific bundle format</li>
<li>Bundle support with container signing</li>
</ul>
<p>We have also moved nightly Cosign container builds to GHCR instead of
GCR.</p>
<h2>Features</h2>
<ul>
<li>Add new bundle support to <code>verify-blob</code> and
<code>verify-blob-attestation</code> (<a
href="https://redirect.github.com/sigstore/cosign/issues/3796">#3796</a>)</li>
<li>Adding protobuf bundle support to sign-blob and attest-blob (<a
href="https://redirect.github.com/sigstore/cosign/issues/3752">#3752</a>)</li>
<li>Bump sigstore/sigstore to support <code>email_verified</code> as
string or boolean (<a
href="https://redirect.github.com/sigstore/cosign/issues/3819">#3819</a>)</li>
<li>Conformance testing for cosign (<a
href="https://redirect.github.com/sigstore/cosign/issues/3806">#3806</a>)</li>
<li>move incremental builds per commit to GHCR instead of GCR (<a
href="https://redirect.github.com/sigstore/cosign/issues/3808">#3808</a>)</li>
<li>Add support for recording creation timestamp for cosign attest (<a
href="https://redirect.github.com/sigstore/cosign/issues/3797">#3797</a>)</li>
<li>Include SCT verification failure details in error message (<a
href="https://redirect.github.com/sigstore/cosign/issues/3799">#3799</a>)</li>
</ul>
<h2>Contributors</h2>
<ul>
<li>Bob Callaway</li>
<li>Hayden B</li>
<li>Slavek Kabrda</li>
<li>Zach Steindler</li>
<li>Zsolt Horvath</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/sigstore/cosign/compare/v2.3.0...v2.4.0">https://github.com/sigstore/cosign/compare/v2.3.0...v2.4.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/sigstore/cosign/commit/b5e7dc123a272080f4af4554054797296271e902"><code>b5e7dc1</code></a>
Add login for GHCR (<a
href="https://redirect.github.com/sigstore/cosign/issues/3820">#3820</a>)</li>
<li><a
href="https://github.com/sigstore/cosign/commit/c3468255e8fc475dd797599b0f900719f1fd045f"><code>c346825</code></a>
Bump sigstore/sigstore (<a
href="https://redirect.github.com/sigstore/cosign/issues/3819">#3819</a>)</li>
<li><a
href="https://github.com/sigstore/cosign/commit/fd0368aead1087e8dc1c6ce16b9a204dfc90f963"><code>fd0368a</code></a>
Conformance testing for cosign (<a
href="https://redirect.github.com/sigstore/cosign/issues/3806">#3806</a>)</li>
<li><a
href="https://github.com/sigstore/cosign/commit/2387b500d4ad0acc93601b71008d2f8cac645315"><code>2387b50</code></a>
chore(deps): bump google.golang.org/api from 0.189.0 to 0.190.0 (<a
href="https://redirect.github.com/sigstore/cosign/issues/3815">#3815</a>)</li>
<li><a
href="https://github.com/sigstore/cosign/commit/be439028c4c0a1b3b719d4915fc1961ec4675297"><code>be43902</code></a>
move incremental builds per commit to GHCR instead of GCR (<a
href="https://redirect.github.com/sigstore/cosign/issues/3808">#3808</a>)</li>
<li><a
href="https://github.com/sigstore/cosign/commit/d0492cf4474dcc305c5a8fc80d92ec17fcda7c29"><code>d0492cf</code></a>
chore(deps): bump github.com/buildkite/agent/v3 from 3.75.1 to 3.76.2
(<a
href="https://redirect.github.com/sigstore/cosign/issues/3813">#3813</a>)</li>
<li><a
href="https://github.com/sigstore/cosign/commit/e3a3914c1f6256e7b68e7500116f5ed3f7cb222a"><code>e3a3914</code></a>
chore(deps): bump golang.org/x/sync from 0.7.0 to 0.8.0 (<a
href="https://redirect.github.com/sigstore/cosign/issues/3814">#3814</a>)</li>
<li><a
href="https://github.com/sigstore/cosign/commit/7bac5e99c89f57ae199fde1b11399ef1ed29d380"><code>7bac5e9</code></a>
tidy up validate release script (<a
href="https://redirect.github.com/sigstore/cosign/issues/3817">#3817</a>)</li>
<li><a
href="https://github.com/sigstore/cosign/commit/983a3687b72d51b11d70ffdb98143eb64d3c41e7"><code>983a368</code></a>
chore(deps): bump go.step.sm/crypto from 0.50.0 to 0.51.1 (<a
href="https://redirect.github.com/sigstore/cosign/issues/3812">#3812</a>)</li>
<li><a
href="https://github.com/sigstore/cosign/commit/71a49522ed83786659f3ef73f3ff22339c75f053"><code>71a4952</code></a>
chore(deps): bump golang.org/x/oauth2 from 0.21.0 to 0.22.0 (<a
href="https://redirect.github.com/sigstore/cosign/issues/3811">#3811</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/sigstore/cosign/compare/v2.3.0...v2.4.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/sigstore/cosign/v2&package-manager=go_modules&previous-version=2.3.0&new-version=2.4.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
dependabot[bot] authored Aug 7, 2024
1 parent 3974287 commit d64ce70
Showing 2 changed files with 129 additions and 125 deletions.
74 changes: 37 additions & 37 deletions go.mod
Expand Up @@ -20,32 +20,32 @@ require (
github.com/hashicorp/terraform-plugin-log v0.9.0
github.com/hashicorp/terraform-plugin-testing v1.9.0
github.com/secure-systems-lab/go-securesystemslib v0.8.0
github.com/sigstore/cosign/v2 v2.3.0
github.com/sigstore/cosign/v2 v2.4.0
github.com/sigstore/fulcio v1.5.1
github.com/sigstore/policy-controller v0.10.0
github.com/sigstore/rekor v1.3.6
github.com/sigstore/sigstore v1.8.7
github.com/sigstore/sigstore v1.8.8
github.com/transparency-dev/merkle v0.0.2
go.uber.org/ratelimit v0.3.1
golang.org/x/oauth2 v0.22.0
)

require (
cloud.google.com/go v0.115.0 // indirect
cloud.google.com/go/auth v0.7.0 // indirect
cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect
cloud.google.com/go/auth v0.7.3 // indirect
cloud.google.com/go/auth/oauth2adapt v0.2.3 // indirect
cloud.google.com/go/compute/metadata v0.5.0 // indirect
cloud.google.com/go/iam v1.1.10 // indirect
cloud.google.com/go/kms v1.18.2 // indirect
cloud.google.com/go/longrunning v0.5.9 // indirect
cloud.google.com/go/iam v1.1.12 // indirect
cloud.google.com/go/kms v1.18.4 // indirect
cloud.google.com/go/longrunning v0.5.11 // indirect
contrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d // indirect
contrib.go.opencensus.io/exporter/prometheus v0.4.2 // indirect
cuelang.org/go v0.9.2 // indirect
github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.13.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
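Review bot: the direct `require` block at the top of this hunk changes two modules, not one: alongside github.com/sigstore/cosign/v2 v2.3.0 to v2.4.0, github.com/sigstore/sigstore moves v1.8.7 to v1.8.8, which the commit title does not mention. The release notes tie that bump to accepting `email_verified` as string or boolean (#3819), which is identity-token claim handling, so any code in this repository that checks OIDC identities through sigstore should have its tests run against this commit before merge. The indirect cloud.google.com/go/auth, iam and kms lines move in the same hunk, so GCP KMS-backed signing deserves the same check.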
Expand Down Expand Up @@ -81,22 +81,22 @@ require (
github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
github.com/armon/go-radix v1.0.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go v1.54.19 // indirect
github.com/aws/aws-sdk-go-v2 v1.30.1 // indirect
github.com/aws/aws-sdk-go-v2/config v1.27.24 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.17.24 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.9 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.13 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.13 // indirect
github.com/aws/aws-sdk-go v1.55.5 // indirect
github.com/aws/aws-sdk-go-v2 v1.30.3 // indirect
github.com/aws/aws-sdk-go-v2/config v1.27.27 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.17.27 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
github.com/aws/aws-sdk-go-v2/service/ecr v1.24.7 // indirect
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.21.6 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.15 // indirect
github.com/aws/aws-sdk-go-v2/service/kms v1.35.1 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.22.1 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.2 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.30.1 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 // indirect
github.com/aws/aws-sdk-go-v2/service/kms v1.35.3 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 // indirect
github.com/aws/smithy-go v1.20.3 // indirect
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 // indirect
github.com/benbjohnson/clock v1.3.0 // indirect
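Review bot: every AWS module that changes in this hunk sits on the credential-resolution or KMS signing path (config, credentials, feature/ec2/imds, service/sso, service/ssooidc, service/sts, service/kms), and github.com/aws/aws-sdk-go also crosses a minor version, v1.54.19 to v1.55.5. All of them are `// indirect`, so they arrive through the dependency graph rather than by a choice made in this repository; if AWS KMS signing is exercised in CI, confirm that job ran on this commit rather than relying on the Dependabot compatibility badge.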
Expand Down Expand Up @@ -158,9 +158,9 @@ require (
github.com/google/go-github/v55 v55.0.0 // indirect
github.com/google/go-querystring v1.1.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/s2a-go v0.1.7 // indirect
github.com/google/s2a-go v0.1.8 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
github.com/googleapis/gax-go/v2 v2.12.5 // indirect
github.com/googleapis/gax-go/v2 v2.13.0 // indirect
github.com/gorilla/mux v1.8.1 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
github.com/hashicorp/cli v1.1.6 // indirect
Expand Down Expand Up @@ -220,7 +220,7 @@ require (
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
github.com/oklog/run v1.1.0 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/open-policy-agent/opa v0.66.0 // indirect
github.com/open-policy-agent/opa v0.67.0 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.0 // indirect
github.com/opentracing/opentracing-go v1.2.0 // indirect
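Review bot: github.com/open-policy-agent/opa goes v0.66.0 to v0.67.0, a minor bump on a pre-1.0 module, where semantic versioning makes no compatibility promise. It is `// indirect` here, but OPA is a policy evaluation engine, so if any policy evaluation is reachable through this code base, read the OPA changelog for v0.67.0 and run the policy tests instead of treating this line as routine churn.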
Expand All @@ -243,10 +243,10 @@ require (
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/shopspring/decimal v1.3.1 // indirect
github.com/sigstore/protobuf-specs v0.3.2 // indirect
github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.7 // indirect
github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.7 // indirect
github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.7 // indirect
github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.7 // indirect
github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.8 // indirect
github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.8 // indirect
github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.8 // indirect
github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.8 // indirect
github.com/sigstore/timestamp-authority v1.2.2 // indirect
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
Expand Down Expand Up @@ -278,7 +278,7 @@ require (
go.mongodb.org/mongo-driver v1.14.0 // indirect
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
go.opentelemetry.io/otel v1.28.0 // indirect
go.opentelemetry.io/otel/metric v1.28.0 // indirect
go.opentelemetry.io/otel/sdk v1.28.0 // indirect
Expand All @@ -288,20 +288,20 @@ require (
go.uber.org/zap v1.27.0 // indirect
golang.org/x/crypto v0.25.0 // indirect
golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 // indirect
golang.org/x/mod v0.17.0 // indirect
golang.org/x/mod v0.19.0 // indirect
golang.org/x/net v0.27.0 // indirect
golang.org/x/sync v0.7.0 // indirect
golang.org/x/sync v0.8.0 // indirect
golang.org/x/sys v0.22.0 // indirect
golang.org/x/term v0.22.0 // indirect
golang.org/x/text v0.16.0 // indirect
golang.org/x/time v0.5.0 // indirect
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
golang.org/x/tools v0.23.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
google.golang.org/api v0.188.0 // indirect
google.golang.org/api v0.190.0 // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/genproto v0.0.0-20240708141625-4ad9e859172b // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240708141625-4ad9e859172b // indirect
google.golang.org/genproto v0.0.0-20240730163845-b1a4ccb954bf // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240725223205-93522f1f2a9f // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240730163845-b1a4ccb954bf // indirect
google.golang.org/grpc v1.65.0 // indirect
google.golang.org/protobuf v1.34.2 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
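Review bot: the three google.golang.org/genproto lines in this hunk remain commit-pinned pseudo-versions (20240730163845-b1a4ccb954bf for the root and rpc modules, 20240725223205-93522f1f2a9f for api), so there are no tagged release notes to review for them and their integrity rests on checksum verification; the second of the 2 changed files is not rendered on this page, so that cannot be confirmed from here. golang.org/x/tools moving from the pseudo-version v0.21.1-0.20240508182429-e35e4ccd0d2d to the tagged v0.23.0 is a welcome cleanup. golang.org/x/crypto and golang.org/x/net stay at v0.25.0 and v0.27.0, so this change does not pick up anything newer for those two.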
Expand All @@ -316,7 +316,7 @@ require (
k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect
knative.dev/pkg v0.0.0-20231101193506-b09d4f2a2845 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/release-utils v0.8.3 // indirect
sigs.k8s.io/release-utils v0.8.4 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
sigs.k8s.io/yaml v1.4.0 // indirect
)