[pull] main from sigstore:main#44
Open
pull[bot] wants to merge 357 commits into
Open
Conversation
--- updated-dependencies: - dependency-name: cuelang.org/go dependency-version: 0.14.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.42.0 to 0.43.0. - [Commits](golang/crypto@v0.42.0...v0.43.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.43.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/sigstore/rekor-tiles/v2](https://github.com/sigstore/rekor-tiles) from 2.0.0-rc2 to 2.0.0. - [Release notes](https://github.com/sigstore/rekor-tiles/releases) - [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release) - [Commits](sigstore/rekor-tiles@v2.0.0-rc2...v2.0.0) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor-tiles/v2 dependency-version: 2.0.0 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `chainguard-dev/actions` from 1.5.4 to 1.5.7 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@7b18ea9...1b32103) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.5.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
With this change, cosign sign can be run only once when an image has multiple pull references. Closes #4330 Signed-off-by: Emily Zheng <yuzheng@redhat.com>
Signed-off-by: Joonas Bergius <joonas@defenseunicorns.com>
* Add protobuf bundle support for tree subcommand --------- Signed-off-by: Zach Steindler <steiza@github.com>
….1 (#4483) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.108.0 to 3.109.1. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](buildkite/agent@v3.108.0...v3.109.1) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.109.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Also updates the registry tests to use TUF so that they can be re-used for both the legacy format and protobuf bundle format. Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
Without this change, --upload=false was not respected with the new bundle format. It also would not have made sense because there was no way to output the bundle locally. This change adds a flag --bundle so that the bundle can be created on disk without attaching it to the image, and also passes through the Upload parameter to bypass uploading it if desired. Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
Use a common options struct for WriteBundle and WriteNewBundleWithSigningConfig to reduce the number of arguments in each function. Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
* cmd/cosign: add --signing-algorithm flag Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * fix getHashFunction to use signingAlgorithm Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * cmd/cosign: set default ko.SigningAlgorithm Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * cmd/cosign: set default ko.SigningAlgorithm 2 Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * Validate signing-algorithm immediately Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * Use GetDefaultLoadOptions function Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * Update documentation Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * use v3 Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * Disable ed25519ph Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * Fix doc Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * Fix getHashAlgorithm to have a default value for SigningAlgorithm Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> * fix unused argument Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> --------- Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
--------- Signed-off-by: Zach Steindler <steiza@github.com>
Without this change, when the new bundle format is used, annotations were not being added to the payload, nor were they being checked during verification, but were still being reported as verified. This also had a side effect of the annotations not appearing in the verification output. This change fixes the issue by passing through the annotations to the statement builder during signing, and using a different in-toto `Statement` type to parse annotations from the statement during verification, as well as actually calling the claims verifier. Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
Signed-off-by: Natalie Somersall <natalie.somersall@gmail.com>
Use proper context passing for `sign` cli package. Fixes: #4506 Signed-off-by: Noel Georgi <git@frezbo.dev>
* Deprecate tlog-upload flag Clients that don't want to use a transparency log should provide a signing config without tlog service instances rather than use this flag. This will also throw an error when a client uses this flag when a signing config will be used, since Cosign/sigstore-go ignores this flag and we don't want a user to unexpectedly upload to the public instance. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * Refactor TR and SC initialization into common method The one difference between sign/attest and sign/attest-blob is whether a bundle output flag is present, so the error message has been adjusted. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * Fix e2e test, better error message Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --------- Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
Bumps [github.com/theupdateframework/go-tuf/v2](https://github.com/theupdateframework/go-tuf) from 2.2.0 to 2.3.0. - [Release notes](https://github.com/theupdateframework/go-tuf/releases) - [Changelog](https://github.com/theupdateframework/go-tuf/blob/master/.goreleaser.yaml) - [Commits](theupdateframework/go-tuf@v2.2.0...v2.3.0) --- updated-dependencies: - dependency-name: github.com/theupdateframework/go-tuf/v2 dependency-version: 2.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….0 (#4523) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.110.0 to 3.111.0. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](buildkite/agent@v3.110.0...v3.111.0) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.111.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#4516) Bumps the actions group with 2 updates in the / directory: [sigstore/sigstore-conformance](https://github.com/sigstore/sigstore-conformance) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `sigstore/sigstore-conformance` from 0.0.21 to 0.0.23 - [Release notes](https://github.com/sigstore/sigstore-conformance/releases) - [Commits](sigstore/sigstore-conformance@244638a...48320dc) Updates `chainguard-dev/actions` from 1.5.7 to 1.5.8 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](chainguard-dev/actions@1b32103...abcc11e) --- updated-dependencies: - dependency-name: sigstore/sigstore-conformance dependency-version: 0.0.23 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: chainguard-dev/actions dependency-version: 1.5.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 5.0.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@ea165f8...330a01c) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….1 (#4521) Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.9.0 to 1.10.1. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](open-policy-agent/opa@v1.9.0...v1.10.1) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-version: 1.10.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps cuelang.org/go from 0.14.2 to 0.15.0. --- updated-dependencies: - dependency-name: cuelang.org/go dependency-version: 0.15.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.32.0 to 0.33.0. - [Commits](golang/oauth2@v0.32.0...v0.33.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-version: 0.33.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the all group with 1 update: golang. Updates `golang` from 1.25.3 to 1.25.4 --- updated-dependencies: - dependency-name: golang dependency-version: 1.25.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.157.0 to 0.159.0. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.157.0...v0.159.0) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.159.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.10.0 to 4.0.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@d7543c9...faadad0) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
…4942) Capitalize Short descriptions and remove command-name self-references ("generate-key generates...", "reset resets..."). Add Example: fields to all seven piv-tool subcommands. Regenerate doc/ via cmd/help/main.go. Signed-off-by: Ogulcan Aydogan <ogulcanaydogan@hotmail.com>
This change deprecates the --output-attestation flag for attest-blob in favor of --bundle. Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
AnnotationsMap parsed --annotations with strings.Split(a, "="), so any value containing '=' (base64 padding, URLs with query strings, chained key=value) yielded len>2 and was rejected with "unable to parse annotation". Use strings.SplitN(a, "=", 2), matching the repo's canonical parser in pkg/signature/annotations.go. The no-'=' case is still rejected. Signed-off-by: Seonghyun Hong <s3onghyun.hong@gmail.com>
`cosign dockerfile verify` extracted the target of a `FROM` instruction even when it referenced a previously declared build stage (e.g. `FROM base_image`), then tried to pull that stage name as an image and failed with an authentication/not-found error. Skip `FROM` references that resolve to a known stage name, mirroring the existing handling for `COPY --from=<stage>`. Fixes #3880 Signed-off-by: bejaratommy <tommy@bejara.net> Co-authored-by: bejaratommy <tommy@bejara.net>
* feat: shell complete bundles with .sigstore.json too Signed-off-by: Ville Skyttä <ville.skytta@iki.fi> * feat: verify shell completion improvements Signed-off-by: Ville Skyttä <ville.skytta@iki.fi> --------- Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>
…orkflow (#4970) Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Signed-off-by: JasonPowr <japower@redhat.com>
…m base config (#4977) * feat(signing-config): add --base-config flag to override services from base config Signed-off-by: Firas Ghanmi <fghanmi@redhat.com> * update doc Signed-off-by: Firas Ghanmi <fghanmi@redhat.com> --------- Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
The Payload table-of-contents link pointed to #payload, but the section heading is 'Payloads' (anchor #payloads), so the link did not resolve. Signed-off-by: Nikhil Jathar <22786232+mailnike@users.noreply.github.com>
Bumps [github.com/sigstore/rekor-tiles/v2](https://github.com/sigstore/rekor-tiles) from 2.2.2-0.20260601073857-5d098a2b6443 to 2.3.0. - [Release notes](https://github.com/sigstore/rekor-tiles/releases) - [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/RELEASE.md) - [Commits](https://github.com/sigstore/rekor-tiles/commits/v2.3.0) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor-tiles/v2 dependency-version: 2.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ors (#4978) Signed-off-by: Stefan Kuhn <stefan.kuhn.zurich@gmail.com>
Signed-off-by: Kevin Demy <kevin.demy@ovhcloud.com>
…4983) Bumps the gomod group with 7 updates in the / directory: | Package | From | To | | --- | --- | --- | | [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) | `0.32.3` | `0.32.4` | | [github.com/go-openapi/strfmt](https://github.com/go-openapi/strfmt) | `0.26.3` | `0.26.4` | | [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.21.6` | `0.21.7` | | [github.com/sigstore/rekor](https://github.com/sigstore/rekor) | `1.5.2` | `1.5.3` | | [github.com/sigstore/sigstore-go](https://github.com/sigstore/sigstore-go) | `1.2.0` | `1.2.1` | | [k8s.io/api](https://github.com/kubernetes/api) | `0.36.1` | `0.36.2` | | [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.36.1` | `0.36.2` | Updates `github.com/go-openapi/runtime` from 0.32.3 to 0.32.4 - [Release notes](https://github.com/go-openapi/runtime/releases) - [Commits](go-openapi/runtime@v0.32.3...v0.32.4) Updates `github.com/go-openapi/strfmt` from 0.26.3 to 0.26.4 - [Release notes](https://github.com/go-openapi/strfmt/releases) - [Commits](go-openapi/strfmt@v0.26.3...v0.26.4) Updates `github.com/google/go-containerregistry` from 0.21.6 to 0.21.7 - [Release notes](https://github.com/google/go-containerregistry/releases) - [Commits](google/go-containerregistry@v0.21.6...v0.21.7) Updates `github.com/sigstore/rekor` from 1.5.2 to 1.5.3 - [Release notes](https://github.com/sigstore/rekor/releases) - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md) - [Commits](sigstore/rekor@v1.5.2...v1.5.3) Updates `github.com/sigstore/sigstore-go` from 1.2.0 to 1.2.1 - [Release notes](https://github.com/sigstore/sigstore-go/releases) - [Commits](sigstore/sigstore-go@v1.2.0...v1.2.1) Updates `k8s.io/api` from 0.36.1 to 0.36.2 - [Commits](kubernetes/api@v0.36.1...v0.36.2) Updates `k8s.io/apimachinery` from 0.36.1 to 0.36.2 - [Commits](kubernetes/apimachinery@v0.36.1...v0.36.2) Updates `k8s.io/client-go` from 0.36.1 to 0.36.2 - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](kubernetes/client-go@v0.36.1...v0.36.2) --- updated-dependencies: - dependency-name: github.com/go-openapi/runtime dependency-version: 0.32.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/go-openapi/strfmt dependency-version: 0.26.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/google/go-containerregistry dependency-version: 0.21.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/sigstore/rekor dependency-version: 1.5.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/sigstore/sigstore-go dependency-version: 1.2.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: k8s.io/api dependency-version: 0.36.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: k8s.io/apimachinery dependency-version: 0.36.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: k8s.io/client-go dependency-version: 0.36.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….0 (#4988) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.127.2 to 3.130.0. - [Release notes](https://github.com/buildkite/agent/releases) - [Commits](buildkite/agent@v3.127.2...v3.130.0) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.130.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….0 (#4985) Bumps [github.com/go-openapi/swag/conv](https://github.com/go-openapi/swag) from 0.26.1 to 0.27.0. - [Release notes](https://github.com/go-openapi/swag/releases) - [Commits](go-openapi/swag@v0.26.1...v0.27.0) --- updated-dependencies: - dependency-name: github.com/go-openapi/swag/conv dependency-version: 0.27.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
#4990) Bumps the actions group with 10 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/setup-go](https://github.com/actions/setup-go) | `6.4.0` | `6.5.0` | | [ko-build/setup-ko](https://github.com/ko-build/setup-ko) | `0.9` | `0.10` | | [docker/login-action](https://github.com/docker/login-action) | `4.2.0` | `4.4.0` | | [chainguard-dev/actions/donotsubmit](https://github.com/chainguard-dev/actions) | `1.6.22` | `1.6.26` | | [imjasonh/setup-crane](https://github.com/imjasonh/setup-crane) | `0.6` | `0.7` | | [chainguard-dev/actions/setup-mirror](https://github.com/chainguard-dev/actions) | `1.6.22` | `1.6.26` | | [chainguard-dev/actions/kind-diag](https://github.com/chainguard-dev/actions) | `1.6.22` | `1.6.26` | | [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) | `9.2.1` | `9.3.0` | | [chainguard-dev/actions/trailing-space](https://github.com/chainguard-dev/actions) | `1.6.22` | `1.6.26` | | [chainguard-dev/actions/eof-newline](https://github.com/chainguard-dev/actions) | `1.6.22` | `1.6.26` | Updates `actions/setup-go` from 6.4.0 to 6.5.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@4a36011...924ae3a) Updates `ko-build/setup-ko` from 0.9 to 0.10 - [Release notes](https://github.com/ko-build/setup-ko/releases) - [Commits](ko-build/setup-ko@d006021...61b4d1d) Updates `docker/login-action` from 4.2.0 to 4.4.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@650006c...af1e73f) Updates `chainguard-dev/actions/donotsubmit` from 1.6.22 to 1.6.26 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Commits](chainguard-dev/actions@3b7bbee...f0be699) Updates `imjasonh/setup-crane` from 0.6 to 0.7 - [Release notes](https://github.com/imjasonh/setup-crane/releases) - [Commits](imjasonh/setup-crane@59c71e9...feee3b6) Updates `chainguard-dev/actions/setup-mirror` from 1.6.22 to 1.6.26 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Commits](chainguard-dev/actions@3b7bbee...f0be699) Updates `chainguard-dev/actions/kind-diag` from 1.6.22 to 1.6.26 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Commits](chainguard-dev/actions@3b7bbee...f0be699) Updates `golangci/golangci-lint-action` from 9.2.1 to 9.3.0 - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@82606bf...ba0d7d2) Updates `chainguard-dev/actions/trailing-space` from 1.6.22 to 1.6.26 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Commits](chainguard-dev/actions@3b7bbee...f0be699) Updates `chainguard-dev/actions/eof-newline` from 1.6.22 to 1.6.26 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Commits](chainguard-dev/actions@3b7bbee...f0be699) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: ko-build/setup-ko dependency-version: '0.10' dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: docker/login-action dependency-version: 4.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: chainguard-dev/actions/donotsubmit dependency-version: 1.6.26 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: imjasonh/setup-crane dependency-version: '0.7' dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: chainguard-dev/actions/setup-mirror dependency-version: 1.6.26 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: chainguard-dev/actions/kind-diag dependency-version: 1.6.26 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: golangci/golangci-lint-action dependency-version: 9.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: chainguard-dev/actions/trailing-space dependency-version: 1.6.26 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: chainguard-dev/actions/eof-newline dependency-version: 1.6.26 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
* Return an error instead of panicking on malformed FROM lines in dockerfile verify
getImageFromLine panicked with an index-out-of-range on two malformed but
parseable FROM lines: an unresolvable build arg ("FROM ${BASE_IMAGE}" with
BASE_IMAGE unset) expands to an empty string and indexes fields[-1], and a
trailing "AS" ("FROM image AS") reads fields[i+1] past the slice. Return an
actionable error in both cases and propagate it from the caller. Adds a
regression test.
Signed-off-by: Nikhil Jathar <22786232+mailnike@users.noreply.github.com>
---------
Signed-off-by: Nikhil Jathar <22786232+mailnike@users.noreply.github.com>
Signed-off-by: Zach Steindler <steiza@github.com>
* Allow attestation download to handle both bundle types. As suggested on #4573 Signed-off-by: Zach Steindler <steiza@github.com> * Do not error out if no old attestations are found to download Signed-off-by: Zach Steindler <steiza@github.com> * Update e2e test to actually check download attestation output Signed-off-by: Zach Steindler <steiza@github.com> --------- Signed-off-by: Zach Steindler <steiza@github.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
Signed-off-by: Anitha Natarajan <anataraj@redhat.com>
Bumps the all group with 1 update in the / directory: golang. Updates `golang` from 1.26.3 to 1.26.5 --- updated-dependencies: - dependency-name: golang dependency-version: 1.26.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
…a git repo (#5000) git describe/git rev-parse are shelled out to compute GIT_VERSION/GIT_HASH for the version ldflags. When there is no .git directory (e.g. building from a source tarball instead of a git clone, as some downstream packagers do), these commands fail silently and GIT_VERSION/GIT_HASH resolve to empty strings, while GIT_TREESTATE stays at its "clean" default. The resulting binary reports a blank GitVersion/GitCommit with a misleading GitTreeState: clean, instead of clearly indicating the provenance is unknown. Fixes #4999 Signed-off-by: John T Skarbek <jtslear@gmail.com>
* Skip nil subject entries in IntotoSubjectClaimVerifier An in-toto statement whose subject array contains a null entry makes IntotoSubjectClaimVerifier panic with a nil pointer dereference at the subj.Digest lookup. Statement.UnmarshalJSON first tries protojson, and falls back to encoding/json when the predicate is a string rather than an object. On that fallback path encoding/json decodes a JSON null in the subject array into a nil *ResourceDescriptor, which the loop then dereferences. Skip nil entries so a crafted attestation gets the usual "no matching subject digest found" error instead of crashing the client. The claim verifier runs after signature verification, so this needs a validly signed attestation (an attacker can sign their own with their own Fulcio cert and serve it from an image they control); it is a robustness fix, not a verification bypass. Adds a regression case to Test_IntotoSubjectClaimVerifier. Signed-off-by: Arpit Jain <arpitjain099@gmail.com> * Return an error on a null in-toto subject entry Per review: a null subject is an invalid statement per the in-toto v1 spec, so error instead of skipping it. Also drop the two comments the reviewer flagged as unnecessary. Signed-off-by: Arpit Jain <arpitjain099@gmail.com> --------- Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
LoadCertificatesFromPEM returns (nil, nil) for an empty or whitespace-only PEM, so mutate.Signature then panics on certs[0] (reachable via `cosign attach signature --certificate <empty-file>`). PR #4760 fixed the same LoadCertificatesFromPEM-returns-empty case on the read path (pkg/oci/internal/signature/layer.go) with a len(certs)==0 check; this applies the same guard to the write/attach path so an empty certificate returns a clear error instead of panicking. Added a test. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
* Remove unused policy evaluation package and associated fuzz tests Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> * Remove unused ValidateJSONWithModuleInput helper from rego package Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com> --------- Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.3)
Can you help keep this open source service alive? 💖 Please sponsor : )