Skip to content

[pull] main from sigstore:main#44

Open
pull[bot] wants to merge 357 commits into
Reality2byte:mainfrom
sigstore:main
Open

[pull] main from sigstore:main#44
pull[bot] wants to merge 357 commits into
Reality2byte:mainfrom
sigstore:main

Conversation

@pull

@pull pull Bot commented Aug 5, 2025

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.3)

Can you help keep this open source service alive? 💖 Please sponsor : )

@pull pull Bot locked and limited conversation to collaborators Aug 5, 2025
@pull pull Bot added the ⤵️ pull label Aug 5, 2025
dependabot Bot and others added 28 commits October 22, 2025 05:33
---
updated-dependencies:
- dependency-name: cuelang.org/go
  dependency-version: 0.14.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.42.0 to 0.43.0.
- [Commits](golang/crypto@v0.42.0...v0.43.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.43.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/sigstore/rekor-tiles/v2](https://github.com/sigstore/rekor-tiles) from 2.0.0-rc2 to 2.0.0.
- [Release notes](https://github.com/sigstore/rekor-tiles/releases)
- [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release)
- [Commits](sigstore/rekor-tiles@v2.0.0-rc2...v2.0.0)

---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor-tiles/v2
  dependency-version: 2.0.0
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions).


Updates `chainguard-dev/actions` from 1.5.4 to 1.5.7
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml)
- [Commits](chainguard-dev/actions@7b18ea9...1b32103)

---
updated-dependencies:
- dependency-name: chainguard-dev/actions
  dependency-version: 1.5.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
With this change, cosign sign can be run only once when an image
has multiple pull references.

Closes #4330

Signed-off-by: Emily Zheng <yuzheng@redhat.com>
Signed-off-by: Joonas Bergius <joonas@defenseunicorns.com>
* Add protobuf bundle support for tree subcommand

---------

Signed-off-by: Zach Steindler <steiza@github.com>
….1 (#4483)

Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.108.0 to 3.109.1.
- [Release notes](https://github.com/buildkite/agent/releases)
- [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md)
- [Commits](buildkite/agent@v3.108.0...v3.109.1)

---
updated-dependencies:
- dependency-name: github.com/buildkite/agent/v3
  dependency-version: 3.109.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Also updates the registry tests to use TUF so that they can be re-used
for both the legacy format and protobuf bundle format.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
Without this change, --upload=false was not respected with the new
bundle format. It also would not have made sense because there was no
way to output the bundle locally. This change adds a flag
--bundle so that the bundle can be created on disk without
attaching it to the image, and also passes through the Upload parameter
to bypass uploading it if desired.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
Use a common options struct for WriteBundle and
WriteNewBundleWithSigningConfig to reduce the number of arguments in
each function.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
* cmd/cosign: add --signing-algorithm flag

Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>

* fix getHashFunction to use signingAlgorithm

Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>

* cmd/cosign: set default ko.SigningAlgorithm

Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>

* cmd/cosign: set default ko.SigningAlgorithm 2

Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>

* Validate signing-algorithm immediately

Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>

* Use GetDefaultLoadOptions function

Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>

* Update documentation

Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>

* use v3

Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>

* Disable ed25519ph

Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>

* Fix doc

Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>

* Fix getHashAlgorithm to have a default value for SigningAlgorithm

Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>

* fix unused argument

Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>

---------

Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
---------

Signed-off-by: Zach Steindler <steiza@github.com>
Without this change, when the new bundle format is used, annotations
were not being added to the payload, nor were they being checked during
verification, but were still being reported as verified. This also had a
side effect of the annotations not appearing in the verification output.
This change fixes the issue by passing through the annotations to the
statement builder during signing, and using a different in-toto
`Statement` type to parse annotations from the statement during
verification, as well as actually calling the claims verifier.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
Signed-off-by: Natalie Somersall <natalie.somersall@gmail.com>
Use proper context passing for `sign` cli package.

Fixes: #4506

Signed-off-by: Noel Georgi <git@frezbo.dev>
* Deprecate tlog-upload flag

Clients that don't want to use a transparency log should provide a
signing config without tlog service instances rather than use this flag.
This will also throw an error when a client uses this flag when a
signing config will be used, since Cosign/sigstore-go ignores this flag
and we don't want a user to unexpectedly upload to the public instance.

Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>

* Refactor TR and SC initialization into common method

The one difference between sign/attest and sign/attest-blob is whether a
bundle output flag is present, so the error message has been adjusted.

Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>

* Fix e2e test, better error message

Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>

---------

Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
Bumps [github.com/theupdateframework/go-tuf/v2](https://github.com/theupdateframework/go-tuf) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/theupdateframework/go-tuf/releases)
- [Changelog](https://github.com/theupdateframework/go-tuf/blob/master/.goreleaser.yaml)
- [Commits](theupdateframework/go-tuf@v2.2.0...v2.3.0)

---
updated-dependencies:
- dependency-name: github.com/theupdateframework/go-tuf/v2
  dependency-version: 2.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….0 (#4523)

Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.110.0 to 3.111.0.
- [Release notes](https://github.com/buildkite/agent/releases)
- [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md)
- [Commits](buildkite/agent@v3.110.0...v3.111.0)

---
updated-dependencies:
- dependency-name: github.com/buildkite/agent/v3
  dependency-version: 3.111.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#4516)

Bumps the actions group with 2 updates in the / directory: [sigstore/sigstore-conformance](https://github.com/sigstore/sigstore-conformance) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions).


Updates `sigstore/sigstore-conformance` from 0.0.21 to 0.0.23
- [Release notes](https://github.com/sigstore/sigstore-conformance/releases)
- [Commits](sigstore/sigstore-conformance@244638a...48320dc)

Updates `chainguard-dev/actions` from 1.5.7 to 1.5.8
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml)
- [Commits](chainguard-dev/actions@1b32103...abcc11e)

---
updated-dependencies:
- dependency-name: sigstore/sigstore-conformance
  dependency-version: 0.0.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: chainguard-dev/actions
  dependency-version: 1.5.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 5.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@ea165f8...330a01c)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….1 (#4521)

Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.9.0 to 1.10.1.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v1.9.0...v1.10.1)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.10.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps cuelang.org/go from 0.14.2 to 0.15.0.

---
updated-dependencies:
- dependency-name: cuelang.org/go
  dependency-version: 0.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.32.0 to 0.33.0.
- [Commits](golang/oauth2@v0.32.0...v0.33.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.33.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the all group with 1 update: golang.


Updates `golang` from 1.25.3 to 1.25.4

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.25.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.157.0 to 0.159.0.
- [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags)
- [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md)
- [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.157.0...v0.159.0)

---
updated-dependencies:
- dependency-name: gitlab.com/gitlab-org/api/client-go
  dependency-version: 0.159.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.10.0 to 4.0.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@d7543c9...faadad0)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
cpanato and others added 30 commits June 15, 2026 09:51
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
…4942)

Capitalize Short descriptions and remove command-name self-references
("generate-key generates...", "reset resets..."). Add Example: fields
to all seven piv-tool subcommands. Regenerate doc/ via cmd/help/main.go.

Signed-off-by: Ogulcan Aydogan <ogulcanaydogan@hotmail.com>
This change deprecates the --output-attestation flag for attest-blob in favor of --bundle.

Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
AnnotationsMap parsed --annotations with strings.Split(a, "="), so any value
containing '=' (base64 padding, URLs with query strings, chained key=value)
yielded len>2 and was rejected with "unable to parse annotation". Use
strings.SplitN(a, "=", 2), matching the repo's canonical parser in
pkg/signature/annotations.go. The no-'=' case is still rejected.

Signed-off-by: Seonghyun Hong <s3onghyun.hong@gmail.com>
`cosign dockerfile verify` extracted the target of a `FROM` instruction even
when it referenced a previously declared build stage (e.g. `FROM base_image`),
then tried to pull that stage name as an image and failed with an
authentication/not-found error.

Skip `FROM` references that resolve to a known stage name, mirroring the
existing handling for `COPY --from=<stage>`.

Fixes #3880

Signed-off-by: bejaratommy <tommy@bejara.net>
Co-authored-by: bejaratommy <tommy@bejara.net>
* feat: shell complete bundles with .sigstore.json too

Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>

* feat: verify shell completion improvements

Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>

---------

Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>
…orkflow (#4970)

Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Signed-off-by: JasonPowr <japower@redhat.com>
…m base config (#4977)

* feat(signing-config): add --base-config flag to override services from base config

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>

* update doc

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>

---------

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
The Payload table-of-contents link pointed to #payload, but the section
heading is 'Payloads' (anchor #payloads), so the link did not resolve.

Signed-off-by: Nikhil Jathar <22786232+mailnike@users.noreply.github.com>
Bumps [github.com/sigstore/rekor-tiles/v2](https://github.com/sigstore/rekor-tiles) from 2.2.2-0.20260601073857-5d098a2b6443 to 2.3.0.
- [Release notes](https://github.com/sigstore/rekor-tiles/releases)
- [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/RELEASE.md)
- [Commits](https://github.com/sigstore/rekor-tiles/commits/v2.3.0)

---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor-tiles/v2
  dependency-version: 2.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ors (#4978)

Signed-off-by: Stefan Kuhn <stefan.kuhn.zurich@gmail.com>
Signed-off-by: Kevin Demy <kevin.demy@ovhcloud.com>
…4983)

Bumps the gomod group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) | `0.32.3` | `0.32.4` |
| [github.com/go-openapi/strfmt](https://github.com/go-openapi/strfmt) | `0.26.3` | `0.26.4` |
| [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.21.6` | `0.21.7` |
| [github.com/sigstore/rekor](https://github.com/sigstore/rekor) | `1.5.2` | `1.5.3` |
| [github.com/sigstore/sigstore-go](https://github.com/sigstore/sigstore-go) | `1.2.0` | `1.2.1` |
| [k8s.io/api](https://github.com/kubernetes/api) | `0.36.1` | `0.36.2` |
| [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.36.1` | `0.36.2` |



Updates `github.com/go-openapi/runtime` from 0.32.3 to 0.32.4
- [Release notes](https://github.com/go-openapi/runtime/releases)
- [Commits](go-openapi/runtime@v0.32.3...v0.32.4)

Updates `github.com/go-openapi/strfmt` from 0.26.3 to 0.26.4
- [Release notes](https://github.com/go-openapi/strfmt/releases)
- [Commits](go-openapi/strfmt@v0.26.3...v0.26.4)

Updates `github.com/google/go-containerregistry` from 0.21.6 to 0.21.7
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Commits](google/go-containerregistry@v0.21.6...v0.21.7)

Updates `github.com/sigstore/rekor` from 1.5.2 to 1.5.3
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](sigstore/rekor@v1.5.2...v1.5.3)

Updates `github.com/sigstore/sigstore-go` from 1.2.0 to 1.2.1
- [Release notes](https://github.com/sigstore/sigstore-go/releases)
- [Commits](sigstore/sigstore-go@v1.2.0...v1.2.1)

Updates `k8s.io/api` from 0.36.1 to 0.36.2
- [Commits](kubernetes/api@v0.36.1...v0.36.2)

Updates `k8s.io/apimachinery` from 0.36.1 to 0.36.2
- [Commits](kubernetes/apimachinery@v0.36.1...v0.36.2)

Updates `k8s.io/client-go` from 0.36.1 to 0.36.2
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.36.1...v0.36.2)

---
updated-dependencies:
- dependency-name: github.com/go-openapi/runtime
  dependency-version: 0.32.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/strfmt
  dependency-version: 0.26.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/google/go-containerregistry
  dependency-version: 0.21.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/rekor
  dependency-version: 1.5.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore-go
  dependency-version: 1.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/api
  dependency-version: 0.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: k8s.io/client-go
  dependency-version: 0.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….0 (#4988)

Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.127.2 to 3.130.0.
- [Release notes](https://github.com/buildkite/agent/releases)
- [Commits](buildkite/agent@v3.127.2...v3.130.0)

---
updated-dependencies:
- dependency-name: github.com/buildkite/agent/v3
  dependency-version: 3.130.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….0 (#4985)

Bumps [github.com/go-openapi/swag/conv](https://github.com/go-openapi/swag) from 0.26.1 to 0.27.0.
- [Release notes](https://github.com/go-openapi/swag/releases)
- [Commits](go-openapi/swag@v0.26.1...v0.27.0)

---
updated-dependencies:
- dependency-name: github.com/go-openapi/swag/conv
  dependency-version: 0.27.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
#4990)

Bumps the actions group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/setup-go](https://github.com/actions/setup-go) | `6.4.0` | `6.5.0` |
| [ko-build/setup-ko](https://github.com/ko-build/setup-ko) | `0.9` | `0.10` |
| [docker/login-action](https://github.com/docker/login-action) | `4.2.0` | `4.4.0` |
| [chainguard-dev/actions/donotsubmit](https://github.com/chainguard-dev/actions) | `1.6.22` | `1.6.26` |
| [imjasonh/setup-crane](https://github.com/imjasonh/setup-crane) | `0.6` | `0.7` |
| [chainguard-dev/actions/setup-mirror](https://github.com/chainguard-dev/actions) | `1.6.22` | `1.6.26` |
| [chainguard-dev/actions/kind-diag](https://github.com/chainguard-dev/actions) | `1.6.22` | `1.6.26` |
| [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) | `9.2.1` | `9.3.0` |
| [chainguard-dev/actions/trailing-space](https://github.com/chainguard-dev/actions) | `1.6.22` | `1.6.26` |
| [chainguard-dev/actions/eof-newline](https://github.com/chainguard-dev/actions) | `1.6.22` | `1.6.26` |



Updates `actions/setup-go` from 6.4.0 to 6.5.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@4a36011...924ae3a)

Updates `ko-build/setup-ko` from 0.9 to 0.10
- [Release notes](https://github.com/ko-build/setup-ko/releases)
- [Commits](ko-build/setup-ko@d006021...61b4d1d)

Updates `docker/login-action` from 4.2.0 to 4.4.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@650006c...af1e73f)

Updates `chainguard-dev/actions/donotsubmit` from 1.6.22 to 1.6.26
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Commits](chainguard-dev/actions@3b7bbee...f0be699)

Updates `imjasonh/setup-crane` from 0.6 to 0.7
- [Release notes](https://github.com/imjasonh/setup-crane/releases)
- [Commits](imjasonh/setup-crane@59c71e9...feee3b6)

Updates `chainguard-dev/actions/setup-mirror` from 1.6.22 to 1.6.26
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Commits](chainguard-dev/actions@3b7bbee...f0be699)

Updates `chainguard-dev/actions/kind-diag` from 1.6.22 to 1.6.26
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Commits](chainguard-dev/actions@3b7bbee...f0be699)

Updates `golangci/golangci-lint-action` from 9.2.1 to 9.3.0
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@82606bf...ba0d7d2)

Updates `chainguard-dev/actions/trailing-space` from 1.6.22 to 1.6.26
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Commits](chainguard-dev/actions@3b7bbee...f0be699)

Updates `chainguard-dev/actions/eof-newline` from 1.6.22 to 1.6.26
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Commits](chainguard-dev/actions@3b7bbee...f0be699)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: ko-build/setup-ko
  dependency-version: '0.10'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: docker/login-action
  dependency-version: 4.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: chainguard-dev/actions/donotsubmit
  dependency-version: 1.6.26
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: imjasonh/setup-crane
  dependency-version: '0.7'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: chainguard-dev/actions/setup-mirror
  dependency-version: 1.6.26
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: chainguard-dev/actions/kind-diag
  dependency-version: 1.6.26
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: golangci/golangci-lint-action
  dependency-version: 9.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: chainguard-dev/actions/trailing-space
  dependency-version: 1.6.26
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: chainguard-dev/actions/eof-newline
  dependency-version: 1.6.26
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
* Return an error instead of panicking on malformed FROM lines in dockerfile verify

getImageFromLine panicked with an index-out-of-range on two malformed but
parseable FROM lines: an unresolvable build arg ("FROM ${BASE_IMAGE}" with
BASE_IMAGE unset) expands to an empty string and indexes fields[-1], and a
trailing "AS" ("FROM image AS") reads fields[i+1] past the slice. Return an
actionable error in both cases and propagate it from the caller. Adds a
regression test.

Signed-off-by: Nikhil Jathar <22786232+mailnike@users.noreply.github.com>


---------

Signed-off-by: Nikhil Jathar <22786232+mailnike@users.noreply.github.com>
Signed-off-by: Zach Steindler <steiza@github.com>
* Allow attestation download to handle both bundle types.

As suggested on #4573

Signed-off-by: Zach Steindler <steiza@github.com>

* Do not error out if no old attestations are found to download

Signed-off-by: Zach Steindler <steiza@github.com>

* Update e2e test to actually check download attestation output

Signed-off-by: Zach Steindler <steiza@github.com>

---------

Signed-off-by: Zach Steindler <steiza@github.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Signed-off-by: Anitha Natarajan <anataraj@redhat.com>
Bumps the all group with 1 update in the / directory: golang.


Updates `golang` from 1.26.3 to 1.26.5

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.26.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
…a git repo (#5000)

git describe/git rev-parse are shelled out to compute GIT_VERSION/GIT_HASH
for the version ldflags. When there is no .git directory (e.g. building
from a source tarball instead of a git clone, as some downstream packagers
do), these commands fail silently and GIT_VERSION/GIT_HASH resolve to empty
strings, while GIT_TREESTATE stays at its "clean" default. The resulting
binary reports a blank GitVersion/GitCommit with a misleading
GitTreeState: clean, instead of clearly indicating the provenance is
unknown.

Fixes #4999

Signed-off-by: John T Skarbek <jtslear@gmail.com>
* Skip nil subject entries in IntotoSubjectClaimVerifier

An in-toto statement whose subject array contains a null entry makes
IntotoSubjectClaimVerifier panic with a nil pointer dereference at the
subj.Digest lookup.

Statement.UnmarshalJSON first tries protojson, and falls back to
encoding/json when the predicate is a string rather than an object.
On that fallback path encoding/json decodes a JSON null in the subject
array into a nil *ResourceDescriptor, which the loop then dereferences.

Skip nil entries so a crafted attestation gets the usual "no matching
subject digest found" error instead of crashing the client. The claim
verifier runs after signature verification, so this needs a validly
signed attestation (an attacker can sign their own with their own
Fulcio cert and serve it from an image they control); it is a
robustness fix, not a verification bypass.

Adds a regression case to Test_IntotoSubjectClaimVerifier.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

* Return an error on a null in-toto subject entry

Per review: a null subject is an invalid statement per the in-toto v1 spec, so error instead of skipping it. Also drop the two comments the reviewer flagged as unnecessary.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

---------

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
LoadCertificatesFromPEM returns (nil, nil) for an empty or
whitespace-only PEM, so mutate.Signature then panics on certs[0]
(reachable via `cosign attach signature --certificate <empty-file>`).

PR #4760 fixed the same LoadCertificatesFromPEM-returns-empty case on
the read path (pkg/oci/internal/signature/layer.go) with a len(certs)==0
check; this applies the same guard to the write/attach path so an empty
certificate returns a clear error instead of panicking. Added a test.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
* Remove unused policy evaluation package and associated fuzz tests

Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>

* Remove unused ValidateJSONWithModuleInput helper from rego package

Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>

---------

Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.