[pull] main from sigstore:main#44
Open
pull[bot] wants to merge 325 commits into
Picks up a change to user agents when signing with sigstore-go Signed-off-by: Hayden <[email protected]> Co-authored-by: Hayden <[email protected]>
0.0.21 updates the signing config, making the tests work against staging again. Signed-off-by: Hayden <[email protected]>
Signed-off-by: Hayden <[email protected]> Co-authored-by: Hayden <[email protected]>
…#4437) Bumps [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) from 0.28.0 to 0.29.0.
- [Release notes](https://github.com/go-openapi/runtime/releases)
- [Commits](go-openapi/runtime@v0.28.0...v0.29.0)

---
updated-dependencies:
- dependency-name: github.com/go-openapi/runtime
  dependency-version: 0.29.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.147.1 to 0.148.1.
- [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags)
- [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md)
- [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.147.1...v0.148.1)

---
updated-dependencies:
- dependency-name: gitlab.com/gitlab-org/api/client-go
  dependency-version: 0.148.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…4435) Bumps [github.com/go-openapi/swag](https://github.com/go-openapi/swag) from 0.24.1 to 0.25.1.
- [Commits](go-openapi/swag@v0.24.1...v0.25.1)

---
updated-dependencies:
- dependency-name: github.com/go-openapi/swag
  dependency-version: 0.25.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 3 updates: [docker/login-action](https://github.com/docker/login-action), [actions/cache](https://github.com/actions/cache) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions).

Updates `docker/login-action` from 3.5.0 to 3.6.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@184bdaa...5e57cd1)

Updates `actions/cache` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@0400d5f...0057852)

Updates `chainguard-dev/actions` from 1.5.1 to 1.5.2
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml)
- [Commits](chainguard-dev/actions@de56c27...8e97c1f)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 3.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: actions/cache
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: chainguard-dev/actions
  dependency-version: 1.5.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
#4433) Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.8.0 to 1.9.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v1.8.0...v1.9.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gomod group with 2 updates: [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) and [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils).

Updates `github.com/buildkite/agent/v3` from 3.107.0 to 3.107.2
- [Release notes](https://github.com/buildkite/agent/releases)
- [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md)
- [Commits](buildkite/agent@v3.107.0...v3.107.2)

Updates `sigs.k8s.io/release-utils` from 0.12.1 to 0.12.2
- [Release notes](https://github.com/kubernetes-sigs/release-utils/releases)
- [Commits](kubernetes-sigs/release-utils@v0.12.1...v0.12.2)

---
updated-dependencies:
- dependency-name: github.com/buildkite/agent/v3
  dependency-version: 3.107.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: sigs.k8s.io/release-utils
  dependency-version: 0.12.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.249.0 to 0.250.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.249.0...v0.250.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.250.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Hayden <[email protected]> Co-authored-by: Hayden <[email protected]>
* Fetch service URLs from the TUF PGI signing config by default

This will also use sigstore-go's signing API by default.

Signed-off-by: Hayden <[email protected]>

* Fetch service URLs from the TUF PGI signing config by default

This will also use sigstore-go's signing API by default.

Signed-off-by: Hayden <[email protected]>

---------

Signed-off-by: Hayden <[email protected]>
Co-authored-by: Hayden <[email protected]>
Signed-off-by: Hayden <[email protected]>
* update goreleaser config for v3.0.0 release

Signed-off-by: Bob Callaway <[email protected]>

* specify signature

Signed-off-by: Bob Callaway <[email protected]>

---------

Signed-off-by: Bob Callaway <[email protected]>
Signed-off-by: Bob Callaway <[email protected]>
The rekor-tiles package is starting at version 2.0. There are no interface changes with this version change. Signed-off-by: Colleen Murphy <[email protected]>
Bumps the gomod group with 1 update in the / directory: [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose).

Updates `github.com/go-jose/go-jose/v4` from 4.1.2 to 4.1.3
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](go-jose/go-jose@v4.1.2...v4.1.3)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#4448)

* choose different signature filename for keyless release signatures

Signed-off-by: Bob Callaway <[email protected]>

* switch, rename the kms-signed objects

Signed-off-by: Bob Callaway <[email protected]>

* update README

Signed-off-by: Bob Callaway <[email protected]>

* update README

Signed-off-by: Bob Callaway <[email protected]>

---------

Signed-off-by: Bob Callaway <[email protected]>
Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.107.2 to 3.108.0.
- [Release notes](https://github.com/buildkite/agent/releases)
- [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md)
- [Commits](buildkite/agent@v3.107.2...v3.108.0)

---
updated-dependencies:
- dependency-name: github.com/buildkite/agent/v3
  dependency-version: 3.108.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps the actions group with 3 updates: [chainguard-dev/actions](https://github.com/chainguard-dev/actions), [cpanato/vault-installer](https://github.com/cpanato/vault-installer) and [ossf/scorecard-action](https://github.com/ossf/scorecard-action).

Updates `chainguard-dev/actions` from 1.5.2 to 1.5.3
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml)
- [Commits](chainguard-dev/actions@8e97c1f...6f4f4de)

Updates `cpanato/vault-installer` from 1.2.0 to 1.3.0
- [Release notes](https://github.com/cpanato/vault-installer/releases)
- [Commits](cpanato/vault-installer@e7c1d66...f7e2ad9)

Updates `ossf/scorecard-action` from 2.4.2 to 2.4.3
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@05b42c6...4eaacf0)

---
updated-dependencies:
- dependency-name: chainguard-dev/actions
  dependency-version: 1.5.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: cpanato/vault-installer
  dependency-version: 1.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: ossf/scorecard-action
  dependency-version: 2.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.148.1 to 0.151.0.
- [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags)
- [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md)
- [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.148.1...v0.151.0)

---
updated-dependencies:
- dependency-name: gitlab.com/gitlab-org/api/client-go
  dependency-version: 0.151.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.250.0 to 0.251.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.250.0...v0.251.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.251.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
* Update changelog for v3.0.2

Signed-off-by: Hayden <[email protected]>

* Update CHANGELOG.md

Signed-off-by: Hayden <[email protected]>

---------

Signed-off-by: Hayden <[email protected]>
When calling cosign initialize, the client will cache the trusted root file if available. This PR adds support for caching the signing config as well. The public-good instance's TUF repo includes this file. Private deployments likely don't use this file, so like with the trusted root, Cosign will print a warning rather than fail initialization. Signed-off-by: Hayden <[email protected]>
* Deduplicate key/token handling in sign commands

Move the nearly identical code for parsing key options and creating a key pair and token out of attest, attest-blob, sign, and sign-blob, and into a common helper package. Move functions that had been shared out of sign.go into the helper package too so that other commands do not have to import the sign command package.

Signed-off-by: Colleen Murphy <[email protected]>

* Deduplicate signer-verifier creation

Signed-off-by: Colleen Murphy <[email protected]>

* Deduplicate timestamp retrieval

Signed-off-by: Colleen Murphy <[email protected]>

* Deduplicate rekor upload

Signed-off-by: Colleen Murphy <[email protected]>

* Deduplicate bundle compilation

Signed-off-by: Colleen Murphy <[email protected]>

* Move OCI parsing function to signcommon

Signed-off-by: Colleen Murphy <[email protected]>

* Make flag compatibility checking consistent

Move flag checks when --new-bundle-format is used to a common helper module and have all four verify commands use it. Remove redundant flag checker code.

Signed-off-by: Colleen Murphy <[email protected]>

* Remove duplicate certs setting

RootCerts and IntermediateCerts are already set on CheckOpts during loadCertsKeylessVerification.

Signed-off-by: Colleen Murphy <[email protected]>

* Move loading key to common

Move the setting of SigVerifier based on the key ref, key slot, or cert and cert chain, to the common file. For verifying blobs and blob attestations with a certificate instead of a key, we return the cert which is used directly in the options list for verification. For images, the cert and cert chain must be validated and then unpacked into the SigVerifier, where the cosign Verify* functions check its validity by extracting it from the verifier.

Signed-off-by: Colleen Murphy <[email protected]>

* Deduplicate TUF v1 fetch and rekor client setup

Signed-off-by: Colleen Murphy <[email protected]>

* Deduplicate trusted material setting

Signed-off-by: Colleen Murphy <[email protected]>

* Move common functions to common.go

Signed-off-by: Colleen Murphy <[email protected]>

---------

Signed-off-by: Colleen Murphy <[email protected]>
The offline flag is misleading and is a no-op with the new Cosign v3 defaults. The flag's purpose was to prevent a client from falling back to verifying an artifact's inclusion in Rekor when a proof failed to verify. Most users thought offline verification forced the client to not make any network requests - a very reasonable assumption, but with TUF, network requests are a part of verification if the local TUF metadata has expired. I've updated the README as well, though we need to make a far more comprehensive pass over the documentation since it's out of date given our new trusted-root/bundle flags. Fixes #4454 Signed-off-by: Hayden <[email protected]>
Bumps the actions group with 2 updates: [chainguard-dev/actions](https://github.com/chainguard-dev/actions) and [mikefarah/yq](https://github.com/mikefarah/yq).

Updates `chainguard-dev/actions` from 1.5.3 to 1.5.4
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml)
- [Commits](chainguard-dev/actions@6f4f4de...7b18ea9)

Updates `mikefarah/yq` from 4.47.2 to 4.48.1
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@6251e95...0ecdce2)

---
updated-dependencies:
- dependency-name: chainguard-dev/actions
  dependency-version: 1.5.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: mikefarah/yq
  dependency-version: 4.48.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Remove any mention of the `--out` flag from the `cosign initialize` command, since it's no longer used. Signed-off-by: Alex Pyrgiotis <[email protected]>
Bumps the actions group with 4 updates: [docker/login-action](https://github.com/docker/login-action), [sigstore/sigstore-conformance](https://github.com/sigstore/sigstore-conformance), [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) and [codecov/codecov-action](https://github.com/codecov/codecov-action).

Updates `docker/login-action` from 4.1.0 to 4.2.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@4907a6d...650006c)

Updates `sigstore/sigstore-conformance` from 0.0.27 to 0.0.28
- [Release notes](https://github.com/sigstore/sigstore-conformance/releases)
- [Commits](sigstore/sigstore-conformance@4d66ba3...e2cc8e5)

Updates `golangci/golangci-lint-action` from 9.2.0 to 9.2.1
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@1e7e51e...82606bf)

Updates `codecov/codecov-action` from 6.0.0 to 6.0.1
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@57e3a13...e79a696)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: sigstore/sigstore-conformance
  dependency-version: 0.0.28
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: golangci/golangci-lint-action
  dependency-version: 9.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) from 5.8.0 to 5.9.2.
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](jackc/pgx@v5.8.0...v5.9.2)

---
updated-dependencies:
- dependency-name: github.com/jackc/pgx/v5
  dependency-version: 5.9.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…4880)

* Fix Ed25519ph check to respect custom signing configs in sign-blob

Signed-off-by: Aaron Lew <[email protected]>

* Add Ed25519 signing test cases for sign-blob

Signed-off-by: Aaron Lew <[email protected]>

* Add unit tests for KMSKeypair Ed25519 methods

Signed-off-by: Aaron Lew <[email protected]>

* Fix panic on Ed25519 signing without pre-hashing

Signed-off-by: Aaron Lew <[email protected]>

* Add test case for HashReader with unspecified hash algorithm

Signed-off-by: Aaron Lew <[email protected]>

---------

Signed-off-by: Aaron Lew <[email protected]>
Signed-off-by: Aaron Lew <[email protected]>
Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.35.3 to 0.36.1.
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.35.3...v0.36.1)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
New bundle verification cannot fall back to legacy TUF targets when the live trusted root cannot be loaded. Return the wrapped TUF error from SetTrustedMaterial in that mode so callers see the underlying trusted root failure instead of the later nil TrustedMaterial invariant. Legacy verification still warns and falls back to individual targets, and the new tests cover both paths. Signed-off-by: CrazyMax <[email protected]>
--------- Signed-off-by: Eric Pickard <[email protected]>
Signed-off-by: Aaron Lew <[email protected]>
Since they will not show up in the command help. I suggested doing this on #4696 (comment), and then I closed the issue without actually doing this. Signed-off-by: Zach Steindler <[email protected]>
#4737) This change updates loadSignatureFromFile to properly bind the provided --certificate and --certificate-chain to the constructed signature object. Previously, verification using detached materials ignored these flags during object initialization, which caused transparency log lookups to incorrectly fall back to querying with a raw public key instead of the full certificate PEM, preventing the signature from being found in the log. Signed-off-by: Aaron Lew <[email protected]>
…4917) verifyImageAttestationsSigstoreBundle fans out one goroutine per bundle sharing a single *CheckOpts. VerifyNewBundle -> rekorV2Bundle writes co.UseSignedTimestamps for Rekor v2 entries, racing sibling goroutines that read co via co.verificationOptions(). Add TestVerifyNewBundleConcurrentNoDataRace, which fans out concurrent verifications of a Rekor v2 bundle against one shared CheckOpts and fails under -race without the copy. Signed-off-by: Cody Soyland <[email protected]> Co-authored-by: Claude Opus 4.8 <[email protected]>
* Update sigstore-go to v1.2.0

sigstore-go v1.2.0 encodes DSSE envelopes as hashedrekord entries on Rekor v2. Bump conformance action to v0.0.29 and remove the message-digest-mismatch xfail, which now passes. Fix e2e and unit tests for updated transitive dependencies (timestamp-authority v2.1.2 requires default-policy-oid config; tlog entry body parsing now requires a valid Rekor v1 or v2 body).

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Signed-off-by: Cody Soyland <[email protected]>

* fix(ci): plug DSSE bundle reader leak and use --allow-http-registry

Two fixes for the Rekor v2 / sigstore-go v1.2.0 attestation path:

- oci/remote.Bundle never closed the reader returned by Uncompressed(), leaking a slot in go-containerregistry's pull limiter. Repeated calls (e.g. GetBundles walking multiple attestations) exhaust the limiter and block forever, hanging TestSignVerifyBundle and the vuln verify-attestation e2e step.
- go-containerregistry v0.21.6 narrowed the local registry regex from `.local` to `.localhost`, so `registry.local:5000` is no longer auto-detected as HTTP. Use the correct `--allow-http-registry` flag.

Signed-off-by: Cody Soyland <[email protected]>

---------

Signed-off-by: Cody Soyland <[email protected]>
Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
Add TestSignAttestVerifyRekorV2 to round-trip sign + attest + verify against rekor-tiles (Rekor v2) and assert each bundle's tlog entry is hashedrekord/0.0.2 — confirming sigstore-go v1.2.0's behavior of encoding DSSE attestations as hashedrekord on Rekor v2 (rather than dsse, which v1 emitted). Adds a rekorV2URL test constant and fixes TestSignRekorV2NoTSA which was building its signing config with the v1 URL but api-version=2. It never reached rekor-tiles, so it only happened to pass by failing early on the missing-TSA check. Signed-off-by: Cody Soyland <[email protected]> Co-authored-by: Claude Opus 4.7 <[email protected]>
…4919) Bumps the gomod group with 2 updates in the / directory: [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) and [github.com/sigstore/fulcio](https://github.com/sigstore/fulcio).

Updates `github.com/buildkite/agent/v3` from 3.127.0 to 3.127.2
- [Release notes](https://github.com/buildkite/agent/releases)
- [Commits](buildkite/agent@v3.127.0...v3.127.2)

Updates `github.com/sigstore/fulcio` from 1.8.5 to 1.8.7
- [Release notes](https://github.com/sigstore/fulcio/releases)
- [Changelog](https://github.com/sigstore/fulcio/blob/main/CHANGELOG.md)
- [Commits](sigstore/fulcio@v1.8.5...v1.8.7)

---
updated-dependencies:
- dependency-name: github.com/buildkite/agent/v3
  dependency-version: 3.127.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/fulcio
  dependency-version: 1.8.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 4 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [chainguard-dev/actions](https://github.com/chainguard-dev/actions), [imjasonh/setup-crane](https://github.com/imjasonh/setup-crane) and [mikefarah/yq](https://github.com/mikefarah/yq).

Updates `actions/checkout` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...df4cb1c)

Updates `chainguard-dev/actions` from 1.6.19 to 1.6.22
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Commits](chainguard-dev/actions@c69a264...3b7bbee)

Updates `imjasonh/setup-crane` from 0.5 to 0.6
- [Release notes](https://github.com/imjasonh/setup-crane/releases)
- [Commits](imjasonh/setup-crane@6da1ae0...59c71e9)

Updates `mikefarah/yq` from 4.53.2 to 4.53.3
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@751d8ad...1b9b4ac)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: chainguard-dev/actions
  dependency-version: 1.6.22
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: imjasonh/setup-crane
  dependency-version: '0.6'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: mikefarah/yq
  dependency-version: 4.53.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.16.2 to 1.17.1.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/v1.17.1/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v1.16.2...v1.17.1)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.17.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [golang.org/x/term](https://github.com/golang/term) from 0.43.0 to 0.44.0.
- [Commits](golang/term@v0.43.0...v0.44.0)

---
updated-dependencies:
- dependency-name: golang.org/x/term
  dependency-version: 0.44.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [github.com/spiffe/go-spiffe/v2](https://github.com/spiffe/go-spiffe) from 2.6.0 to 2.7.0.
- [Release notes](https://github.com/spiffe/go-spiffe/releases)
- [Changelog](https://github.com/spiffe/go-spiffe/blob/main/CHANGELOG.md)
- [Commits](spiffe/go-spiffe@v2.6.0...v2.7.0)

---
updated-dependencies:
- dependency-name: github.com/spiffe/go-spiffe/v2
  dependency-version: 2.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps the gomod group with 1 update: [github.com/go-openapi/swag/conv](https://github.com/go-openapi/swag).

Updates `github.com/go-openapi/swag/conv` from 0.26.0 to 0.26.1
- [Release notes](https://github.com/go-openapi/swag/releases)
- [Commits](go-openapi/swag@v0.26.0...v0.26.1)

---
updated-dependencies:
- dependency-name: github.com/go-openapi/swag/conv
  dependency-version: 0.26.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps the all group with 1 update in the / directory: golang.

Updates `golang` from 1.26.3 to 1.26.4

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.26.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [github.com/theupdateframework/go-tuf/v2](https://github.com/theupdateframework/go-tuf) from 2.4.2-0.20260407074541-7e8f69f906ef to 2.4.2.
- [Release notes](https://github.com/theupdateframework/go-tuf/releases)
- [Commits](https://github.com/theupdateframework/go-tuf/commits/v2.4.2)

---
updated-dependencies:
- dependency-name: github.com/theupdateframework/go-tuf/v2
  dependency-version: 2.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.280.0 to 0.283.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.280.0...v0.283.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.283.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.52.0 to 0.53.0.
- [Commits](golang/crypto@v0.52.0...v0.53.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.53.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Needed to update the identity string as well. Also downgrade the Dockerfile version to match the release version, will bump all at once when there's a new golang-cross builder. Signed-off-by: Hayden <[email protected]>
This change adds a bundle inspect command which provides a diagnostic display of a bundle's contents. Signed-off-by: Aaron Lew <[email protected]>
Capitalize Short descriptions and remove command-name self-references
("list-tokens lists..." -> "List all..."). Add Example: fields to
both subcommands. Regenerate doc/ via cmd/help/main.go.
Signed-off-by: Ogulcan Aydogan <[email protected]>
* docs: add Example fields to env and bundle create commands

Signed-off-by: Ogulcan Aydogan <[email protected]>

* docs: regenerate doc/ after adding Example fields

Signed-off-by: Ogulcan Aydogan <[email protected]>

---------

Signed-off-by: Ogulcan Aydogan <[email protected]>
Signed-off-by: Aaron Lew <[email protected]>
Signed-off-by: Aaron Lew <[email protected]>
* Remove unused signcommon code

Signed-off-by: Aaron Lew <[email protected]>

* Remove unused Rekor code

Signed-off-by: Aaron Lew <[email protected]>

* Remove unused Fulcio code

Signed-off-by: Aaron Lew <[email protected]>

* Remove unused tlog code

Signed-off-by: Aaron Lew <[email protected]>

* Remove unused attestation code

Signed-off-by: Aaron Lew <[email protected]>

* Remove unused bundle code

Signed-off-by: Aaron Lew <[email protected]>

* Remove unused TSA code

Signed-off-by: Aaron Lew <[email protected]>

* Replace legacy signers with static.NewSignature in verify test

Signed-off-by: Aaron Lew <[email protected]>

* Replace tsa.GetTimestampedSignature with new helpers in verify tests

Signed-off-by: Aaron Lew <[email protected]>

* Remove unused signer wrapper implementations

Signed-off-by: Aaron Lew <[email protected]>

* Replace tsa.SplitPEMCertificateChain with existing helper in verify test

Signed-off-by: Aaron Lew <[email protected]>

* Remove unused exported SplitPEMCertificateChain TSA util

Signed-off-by: Aaron Lew <[email protected]>

* Replace bundle.MakeProtobufBundle with proto in verify_blob_* tests

Signed-off-by: Aaron Lew <[email protected]>

* Move BundleV03MediaType constant to new constants file

Signed-off-by: Aaron Lew <[email protected]>

* Remove unused protobundle code

Signed-off-by: Aaron Lew <[email protected]>

* Update go.mod and go.sum

Signed-off-by: Aaron Lew <[email protected]>

---------

Signed-off-by: Aaron Lew <[email protected]>
See Commits and Changes for more details.
Created by pull[bot] (v2.0.0-alpha.3)
Can you help keep this open source service alive? 💖 Please sponsor : )