[pull] main from sigstore:main#44
Open
pull[bot] wants to merge 322 commits into
Bumps [github.com/theupdateframework/go-tuf/v2](https://github.com/theupdateframework/go-tuf) from 2.1.1 to 2.2.0. - [Release notes](https://github.com/theupdateframework/go-tuf/releases) - [Changelog](https://github.com/theupdateframework/go-tuf/blob/master/.goreleaser.yaml) - [Commits](theupdateframework/go-tuf@v2.1.1...v2.2.0) --- updated-dependencies: - dependency-name: github.com/theupdateframework/go-tuf/v2 dependency-version: 2.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.144.1 to 0.147.1. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.144.1...v0.147.1) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.147.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…bundles (#4416) * Implement container image context in verify command * Use conformance on main for now (waiting for new release) --------- Signed-off-by: Zach Steindler <steiza@github.com>
Picks up a change to user agents when signing with sigstore-go Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
0.0.21 updates the signing config, making the tests work against staging again. Signed-off-by: Hayden <haydentherapper@users.noreply.github.com>
Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
…#4437) Bumps [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) from 0.28.0 to 0.29.0. - [Release notes](https://github.com/go-openapi/runtime/releases) - [Commits](go-openapi/runtime@v0.28.0...v0.29.0) --- updated-dependencies: - dependency-name: github.com/go-openapi/runtime dependency-version: 0.29.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.147.1 to 0.148.1. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.147.1...v0.148.1) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.148.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…4435) Bumps [github.com/go-openapi/swag](https://github.com/go-openapi/swag) from 0.24.1 to 0.25.1. - [Commits](go-openapi/swag@v0.24.1...v0.25.1) --- updated-dependencies: - dependency-name: github.com/go-openapi/swag dependency-version: 0.25.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 3 updates: [docker/login-action](https://github.com/docker/login-action), [actions/cache](https://github.com/actions/cache) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `docker/login-action` from 3.5.0 to 3.6.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@184bdaa...5e57cd1) Updates `actions/cache` from 4.2.4 to 4.3.0 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@0400d5f...0057852) Updates `chainguard-dev/actions` from 1.5.1 to 1.5.2 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@de56c27...8e97c1f) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 3.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: actions/cache dependency-version: 4.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: chainguard-dev/actions dependency-version: 1.5.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
#4433) Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.8.0 to 1.9.0. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](open-policy-agent/opa@v1.8.0...v1.9.0) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-version: 1.9.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gomod group with 2 updates: [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) and [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils). Updates `github.com/buildkite/agent/v3` from 3.107.0 to 3.107.2 - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](buildkite/agent@v3.107.0...v3.107.2) Updates `sigs.k8s.io/release-utils` from 0.12.1 to 0.12.2 - [Release notes](https://github.com/kubernetes-sigs/release-utils/releases) - [Commits](kubernetes-sigs/release-utils@v0.12.1...v0.12.2) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.107.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: sigs.k8s.io/release-utils dependency-version: 0.12.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.249.0 to 0.250.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.249.0...v0.250.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.250.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
* Fetch service URLs from the TUF PGI signing config by default This will also use sigstore-go's signing API by default. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * Fetch service URLs from the TUF PGI signing config by default This will also use sigstore-go's signing API by default. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --------- Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
* update goreleaser config for v3.0.0 release Signed-off-by: Bob Callaway <bcallaway@google.com> * specify signature Signed-off-by: Bob Callaway <bcallaway@google.com> --------- Signed-off-by: Bob Callaway <bcallaway@google.com>
Signed-off-by: Bob Callaway <bcallaway@google.com>
The rekor-tiles package is starting at version 2.0. There are no interface changes with this version change. Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
Bumps the gomod group with 1 update in the / directory: [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose). Updates `github.com/go-jose/go-jose/v4` from 4.1.2 to 4.1.3 - [Release notes](https://github.com/go-jose/go-jose/releases) - [Commits](go-jose/go-jose@v4.1.2...v4.1.3) --- updated-dependencies: - dependency-name: github.com/go-jose/go-jose/v4 dependency-version: 4.1.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#4448) * choose different signature filename for keyless release signatures Signed-off-by: Bob Callaway <bcallaway@google.com> * switch, rename the kms-signed objects Signed-off-by: Bob Callaway <bcallaway@google.com> * update README Signed-off-by: Bob Callaway <bcallaway@google.com> * update README Signed-off-by: Bob Callaway <bcallaway@google.com> --------- Signed-off-by: Bob Callaway <bcallaway@google.com>
Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.107.2 to 3.108.0. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](buildkite/agent@v3.107.2...v3.108.0) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.108.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the actions group with 3 updates: [chainguard-dev/actions](https://github.com/chainguard-dev/actions), [cpanato/vault-installer](https://github.com/cpanato/vault-installer) and [ossf/scorecard-action](https://github.com/ossf/scorecard-action). Updates `chainguard-dev/actions` from 1.5.2 to 1.5.3 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@8e97c1f...6f4f4de) Updates `cpanato/vault-installer` from 1.2.0 to 1.3.0 - [Release notes](https://github.com/cpanato/vault-installer/releases) - [Commits](cpanato/vault-installer@e7c1d66...f7e2ad9) Updates `ossf/scorecard-action` from 2.4.2 to 2.4.3 - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@05b42c6...4eaacf0) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.5.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: cpanato/vault-installer dependency-version: 1.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: ossf/scorecard-action dependency-version: 2.4.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.148.1 to 0.151.0. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.148.1...v0.151.0) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.151.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.250.0 to 0.251.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.250.0...v0.251.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.251.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* Update changelog for v3.0.2 Signed-off-by: Hayden <haydentherapper@users.noreply.github.com> * Update CHANGELOG.md Signed-off-by: Hayden <haydentherapper@users.noreply.github.com> --------- Signed-off-by: Hayden <haydentherapper@users.noreply.github.com>
When calling cosign initialize, the client will cache the trusted root file if available. This PR adds support for caching the signing config as well. The public-good instance's TUF repo includes this file. Private deployments likely don't use this file, so like with the trusted root, Cosign will print a warning rather than fail initialization. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
* Deduplicate key/token handling in sign commands

  Move the nearly identical code for parsing key options and creating a key pair and token out of attest, attest-blob, sign, and sign-blob, and into a common helper package. Move functions that had been shared out of sign.go into the helper package too so that other commands do not have to import the sign command package.

  Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

* Deduplicate signer-verifier creation

  Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

* Deduplicate timestamp retrieval

  Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

* Deduplicate rekor upload

  Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

* Deduplicate bundle compilation

  Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

* Move OCI parsing function to signcommon

  Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

* Make flag compatibility checking consistent

  Move flag checks when --new-bundle-format is used to a common helper module and have all four verify commands use it. Remove redundant flag checker code.

  Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

* Remove duplicate certs setting

  RootCerts and IntermediateCerts are already set on CheckOpts during loadCertsKeylessVerification.

  Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

* Move loading key to common

  Move the setting of SigVerifier based on the key ref, key slot, or cert and cert chain, to the common file. For verifying blobs and blob attestations with a certificate instead of a key, we return the cert which is used directly in the options list for verification. For images, the cert and cert chain must be validated and then unpacked into the SigVerifier, where the cosign Verify* functions check its validity by extracting it from the verifier.

  Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

* Deduplicate TUF v1 fetch and rekor client setup

  Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

* Deduplicate trusted material setting

  Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

* Move common functions to common.go

  Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

---------

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
….0 (#4861) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.118.0 to 3.127.0. - [Release notes](https://github.com/buildkite/agent/releases) - [Commits](buildkite/agent@v3.118.0...v3.127.0) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.126.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.35.3 to 0.36.1. - [Commits](kubernetes/apimachinery@v0.35.3...v0.36.1) --- updated-dependencies: - dependency-name: k8s.io/apimachinery dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/github-script](https://github.com/actions/github-script) from 8.0.0 to 9.0.0. - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@ed59741...3a2844b) --- updated-dependencies: - dependency-name: actions/github-script dependency-version: 9.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 4 updates: [docker/login-action](https://github.com/docker/login-action), [sigstore/sigstore-conformance](https://github.com/sigstore/sigstore-conformance), [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) and [codecov/codecov-action](https://github.com/codecov/codecov-action). Updates `docker/login-action` from 4.1.0 to 4.2.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@4907a6d...650006c) Updates `sigstore/sigstore-conformance` from 0.0.27 to 0.0.28 - [Release notes](https://github.com/sigstore/sigstore-conformance/releases) - [Commits](sigstore/sigstore-conformance@4d66ba3...e2cc8e5) Updates `golangci/golangci-lint-action` from 9.2.0 to 9.2.1 - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@1e7e51e...82606bf) Updates `codecov/codecov-action` from 6.0.0 to 6.0.1 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@57e3a13...e79a696) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 4.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: sigstore/sigstore-conformance dependency-version: 0.0.28 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: golangci/golangci-lint-action dependency-version: 9.2.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: codecov/codecov-action dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) from 5.8.0 to 5.9.2. - [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md) - [Commits](jackc/pgx@v5.8.0...v5.9.2) --- updated-dependencies: - dependency-name: github.com/jackc/pgx/v5 dependency-version: 5.9.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…4880) * Fix Ed25519ph check to respect custom signing configs in sign-blob Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> * Add Ed25519 signing test cases for sign-blob Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> * Add unit tests for KMSKeypair Ed25519 methods Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> * Fix panic on Ed25519 signing without pre-hashing Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> * Add test case for HashReader with unspecified hash algorithm Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> --------- Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.35.3 to 0.36.1. - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](kubernetes/client-go@v0.35.3...v0.36.1) --- updated-dependencies: - dependency-name: k8s.io/client-go dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
New bundle verification cannot fall back to legacy TUF targets when the live trusted root cannot be loaded. Return the wrapped TUF error from SetTrustedMaterial in that mode so callers see the underlying trusted root failure instead of the later nil TrustedMaterial invariant. Legacy verification still warns and falls back to individual targets, and the new tests cover both paths. Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
--------- Signed-off-by: Eric Pickard <piceri@github.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Since they will not show up in the command help. I suggested doing this on #4696 (comment), and then I closed the issue without actually doing this. Signed-off-by: Zach Steindler <steiza@github.com>
#4737) This change updates loadSignatureFromFile to properly bind the provided --certificate and --certificate-chain to the constructed signature object. Previously, verification using detached materials ignored these flags during object initialization, which caused transparency log lookups to incorrectly fall back to querying with a raw public key instead of the full certificate PEM, preventing the signature from being found in the log. Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
…4917) verifyImageAttestationsSigstoreBundle fans out one goroutine per bundle sharing a single *CheckOpts. VerifyNewBundle -> rekorV2Bundle writes co.UseSignedTimestamps for Rekor v2 entries, racing sibling goroutines that read co via co.verificationOptions(). Add TestVerifyNewBundleConcurrentNoDataRace, which fans out concurrent verifications of a Rekor v2 bundle against one shared CheckOpts and fails under -race without the copy. Signed-off-by: Cody Soyland <cody.soyland@chainguard.dev> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
* Update sigstore-go to v1.2.0

  sigstore-go v1.2.0 encodes DSSE envelopes as hashedrekord entries on Rekor v2. Bump conformance action to v0.0.29 and remove the message-digest-mismatch xfail, which now passes. Fix e2e and unit tests for updated transitive dependencies (timestamp-authority v2.1.2 requires default-policy-oid config; tlog entry body parsing now requires a valid Rekor v1 or v2 body).

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
  Signed-off-by: Cody Soyland <cody.soyland@chainguard.dev>

* fix(ci): plug DSSE bundle reader leak and use --allow-http-registry

  Two fixes for the Rekor v2 / sigstore-go v1.2.0 attestation path:
  - oci/remote.Bundle never closed the reader returned by Uncompressed(), leaking a slot in go-containerregistry's pull limiter. Repeated calls (e.g. GetBundles walking multiple attestations) exhaust the limiter and block forever, hanging TestSignVerifyBundle and the vuln verify-attestation e2e step.
  - go-containerregistry v0.21.6 narrowed the local registry regex from `.local` to `.localhost`, so `registry.local:5000` is no longer auto-detected as HTTP. Use the correct `--allow-http-registry` flag.

  Signed-off-by: Cody Soyland <cody.soyland@chainguard.dev>

---------

Signed-off-by: Cody Soyland <cody.soyland@chainguard.dev>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add TestSignAttestVerifyRekorV2 to round-trip sign + attest + verify against rekor-tiles (Rekor v2) and assert each bundle's tlog entry is hashedrekord/0.0.2 — confirming sigstore-go v1.2.0's behavior of encoding DSSE attestations as hashedrekord on Rekor v2 (rather than dsse, which v1 emitted). Adds a rekorV2URL test constant and fixes TestSignRekorV2NoTSA which was building its signing config with the v1 URL but api-version=2. It never reached rekor-tiles, so it only happened to pass by failing early on the missing-TSA check. Signed-off-by: Cody Soyland <cody.soyland@chainguard.dev> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
…4919) Bumps the gomod group with 2 updates in the / directory: [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) and [github.com/sigstore/fulcio](https://github.com/sigstore/fulcio). Updates `github.com/buildkite/agent/v3` from 3.127.0 to 3.127.2 - [Release notes](https://github.com/buildkite/agent/releases) - [Commits](buildkite/agent@v3.127.0...v3.127.2) Updates `github.com/sigstore/fulcio` from 1.8.5 to 1.8.7 - [Release notes](https://github.com/sigstore/fulcio/releases) - [Changelog](https://github.com/sigstore/fulcio/blob/main/CHANGELOG.md) - [Commits](sigstore/fulcio@v1.8.5...v1.8.7) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.127.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/sigstore/fulcio dependency-version: 1.8.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 4 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [chainguard-dev/actions](https://github.com/chainguard-dev/actions), [imjasonh/setup-crane](https://github.com/imjasonh/setup-crane) and [mikefarah/yq](https://github.com/mikefarah/yq). Updates `actions/checkout` from 6.0.2 to 6.0.3 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@de0fac2...df4cb1c) Updates `chainguard-dev/actions` from 1.6.19 to 1.6.22 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Commits](chainguard-dev/actions@c69a264...3b7bbee) Updates `imjasonh/setup-crane` from 0.5 to 0.6 - [Release notes](https://github.com/imjasonh/setup-crane/releases) - [Commits](imjasonh/setup-crane@6da1ae0...59c71e9) Updates `mikefarah/yq` from 4.53.2 to 4.53.3 - [Release notes](https://github.com/mikefarah/yq/releases) - [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt) - [Commits](mikefarah/yq@751d8ad...1b9b4ac) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: chainguard-dev/actions dependency-version: 1.6.22 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: imjasonh/setup-crane dependency-version: '0.6' dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: mikefarah/yq dependency-version: 4.53.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.16.2 to 1.17.1. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/v1.17.1/CHANGELOG.md) - [Commits](open-policy-agent/opa@v1.16.2...v1.17.1) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-version: 1.17.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [golang.org/x/term](https://github.com/golang/term) from 0.43.0 to 0.44.0. - [Commits](golang/term@v0.43.0...v0.44.0) --- updated-dependencies: - dependency-name: golang.org/x/term dependency-version: 0.44.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/spiffe/go-spiffe/v2](https://github.com/spiffe/go-spiffe) from 2.6.0 to 2.7.0. - [Release notes](https://github.com/spiffe/go-spiffe/releases) - [Changelog](https://github.com/spiffe/go-spiffe/blob/main/CHANGELOG.md) - [Commits](spiffe/go-spiffe@v2.6.0...v2.7.0) --- updated-dependencies: - dependency-name: github.com/spiffe/go-spiffe/v2 dependency-version: 2.7.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the gomod group with 1 update: [github.com/go-openapi/swag/conv](https://github.com/go-openapi/swag). Updates `github.com/go-openapi/swag/conv` from 0.26.0 to 0.26.1 - [Release notes](https://github.com/go-openapi/swag/releases) - [Commits](go-openapi/swag@v0.26.0...v0.26.1) --- updated-dependencies: - dependency-name: github.com/go-openapi/swag/conv dependency-version: 0.26.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the all group with 1 update in the / directory: golang. Updates `golang` from 1.26.3 to 1.26.4 --- updated-dependencies: - dependency-name: golang dependency-version: 1.26.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/theupdateframework/go-tuf/v2](https://github.com/theupdateframework/go-tuf) from 2.4.2-0.20260407074541-7e8f69f906ef to 2.4.2. - [Release notes](https://github.com/theupdateframework/go-tuf/releases) - [Commits](https://github.com/theupdateframework/go-tuf/commits/v2.4.2) --- updated-dependencies: - dependency-name: github.com/theupdateframework/go-tuf/v2 dependency-version: 2.4.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.280.0 to 0.283.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.280.0...v0.283.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.283.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.52.0 to 0.53.0. - [Commits](golang/crypto@v0.52.0...v0.53.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.53.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Needed to update the identity string as well. Also downgrade the Dockerfile version to match the release version, will bump all at once when there's a new golang-cross builder. Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
This change adds a bundle inspect command which provides a diagnostic display of a bundle's contents. Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Capitalize Short descriptions and remove command-name self-references
("list-tokens lists..." -> "List all..."). Add Example: fields to
both subcommands. Regenerate doc/ via cmd/help/main.go.
Signed-off-by: Ogulcan Aydogan <ogulcanaydogan@hotmail.com>
* docs: add Example fields to env and bundle create commands Signed-off-by: Ogulcan Aydogan <ogulcanaydogan@hotmail.com> * docs: regenerate doc/ after adding Example fields Signed-off-by: Ogulcan Aydogan <ogulcanaydogan@hotmail.com> --------- Signed-off-by: Ogulcan Aydogan <ogulcanaydogan@hotmail.com>
Created by pull[bot] (v2.0.0-alpha.3)