From f8e6db50ecf63bd98c3791fce09eb5cb342a89da Mon Sep 17 00:00:00 2001
From: Hayden
Date: Mon, 4 Aug 2025 12:53:29 -0700
Subject: [PATCH 001/136] Verify subject with bundle only when checking claims (#4320)

Previously, when --check-claims was set to false and a bundle in the new format was provided, we'd still try to check the in-toto subject digest and algorithm. These values weren't being set since they were conditioned on checking claims. Now, we skip digest verification if check-claims is false with a new bundle.

Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
---
 cmd/cosign/cli/verify/verify_blob_attestation.go | 9 ++++++++-
 cmd/cosign/cli/verify/verify_blob_attestation_test.go | 11 +++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/cmd/cosign/cli/verify/verify_blob_attestation.go b/cmd/cosign/cli/verify/verify_blob_attestation.go
index 3968ee653c8..3dfe570e0ac 100644
--- a/cmd/cosign/cli/verify/verify_blob_attestation.go
+++ b/cmd/cosign/cli/verify/verify_blob_attestation.go
@@ -230,7 +230,14 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st
 		return err
 	}
 
-	_, err = cosign.VerifyNewBundle(ctx, co, sgverify.WithArtifactDigest(h.Algorithm, digest), bundle)
+	var policyOpt sgverify.ArtifactPolicyOption
+	if c.CheckClaims {
+		policyOpt = sgverify.WithArtifactDigest(h.Algorithm, digest)
+	} else {
+		policyOpt = sgverify.WithoutArtifactUnsafe()
+	}
+
+	_, err = cosign.VerifyNewBundle(ctx, co, policyOpt, bundle)
 	if err != nil {
 		return err
 	}
diff --git a/cmd/cosign/cli/verify/verify_blob_attestation_test.go b/cmd/cosign/cli/verify/verify_blob_attestation_test.go
index ed2e24183ca..6f9314ee6ad 100644
--- a/cmd/cosign/cli/verify/verify_blob_attestation_test.go
+++ b/cmd/cosign/cli/verify/verify_blob_attestation_test.go
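Review bot: The new `else` branch removes the only link between the attestation and `artifactPath`: with `--check-claims=false` the bundle's signature chain is still verified, but `WithoutArtifactUnsafe()` means the in-toto subject digest is never compared against the file, so a validly signed attestation for any other artifact passes for this one. That matches the flag's intent as described in the commit message, but the downgrade is invisible to someone reading this function and nothing in the hunk surfaces it at runtime. I would add a comment at the branch, `// --check-claims=false: the subject digest is deliberately not bound to artifactPath; any validly signed attestation for any artifact will verify.`, and consider emitting a warning on stderr when this branch is taken, if the CLI does not already do so elsewhere. The rest of Exec, including where `h` and `digest` are computed and why they are unset in this case, is outside the hunk.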
@@ -185,6 +185,7 @@ func TestVerifyBlobAttestationNoCheckClaims(t *testing.T) {
 		description string
 		blobPath    string
 		signature   string
+		bundlePath  string
 	}{
 		{
 			description: "verify a predicate",
@@ -198,6 +199,11 @@ func TestVerifyBlobAttestationNoCheckClaims(t *testing.T) {
 			signature:   blobSLSAProvenanceSignature,
 			// This works because we're not checking the claims. It doesn't matter what we put in here - it should pass so long as the DSSE signagure can be verified.
 			blobPath: anotherBlobPath,
+		}, {
+			description: "verify a predicate with a bundle with another blob path",
+			// From blobSLSAProvenanceSignature
+			bundlePath: makeLocalAttestNewBundle(t, "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJibG9iIiwiZGlnZXN0Ijp7InNoYTI1NiI6IjY1ODc4MWNkNGVkOWJjYTYwZGFjZDA5ZjdiYjkxNGJiNTE1MDJlOGI1ZDYxOWY1N2YzOWExZDY1MjU5NmNjMjQifX1dLCJwcmVkaWNhdGUiOnsiYnVpbGRlciI6eyJpZCI6IjIifSwiYnVpbGRUeXBlIjoieCIsImludm9jYXRpb24iOnsiY29uZmlnU291cmNlIjp7fX19fQ==", "application/vnd.in-toto+json", "MEUCIA8KjZqkrt90fzBojSwwtj3Bqb41E6ruxQk97TLnpzdYAiEAzOAjOTzyvTHqbpFDAn6zhrg6EZv7kxK5faRoVGYMh2c="),
+			blobPath:   anotherBlobPath,
 		}, {
 			description: "verify a predicate with /dev/null",
 			signature:   blobSLSAProvenanceSignature,
@@ -220,6 +226,11 @@ func TestVerifyBlobAttestationNoCheckClaims(t *testing.T) {
 				CheckClaims:   false,
 				PredicateType: "slsaprovenance",
 			}
+			if test.bundlePath != "" {
+				cmd.BundlePath = test.bundlePath
+				cmd.NewBundleFormat = true
+				cmd.TrustedRootPath = writeTrustedRootFile(t, td, "{\"mediaType\":\"application/vnd.dev.sigstore.trustedroot+json;version=0.1\"}")
+			}
 			if err := cmd.Exec(ctx, test.blobPath); err != nil {
 				t.Fatalf("verifyBlobAttestation()= %v", err)
 			}
From 806fcd3f0507c8a4a7dbaaf1bbeb7adc1ca02778 Mon Sep 17 00:00:00 2001
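Review bot: The added case pins only the permissive direction — a new-format bundle whose subject is a different blob passes with `CheckClaims: false` — while nothing in these hunks shows the complementary assertion that the same bundle/blob pairing is rejected with `CheckClaims: true`, which is the behavior the new policy selection is meant to protect. If that negative case is not already covered in the CheckClaims-enabled test elsewhere in the file, I would add a sibling case there that expects `cmd.Exec(ctx, anotherBlobPath)` to return an error for this bundle. The trusted root written in the third hunk is an empty document with no keys or certificate authorities, and the hunk does not show what the bundle is verified against, so a short comment stating where the verification material comes from (presumably a key set on `cmd` above the hunk — confirm) would help the next reader. The test function, the table loop and the `cmd` construction all start outside the hunk.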
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Aug 2025 15:18:48 +0200 Subject: [PATCH 002/136] chore(deps): bump github.com/sigstore/rekor from 1.3.10 to 1.4.0 (#4325) --- go.mod | 11 +++++------ go.sum | 30 ++++++++++++++++-------------- 2 files changed, 21 insertions(+), 20 deletions(-) diff --git a/go.mod b/go.mod index aae71c6b087..040d6e5239d 100644 --- a/go.mod +++ b/go.mod @@ -34,13 +34,13 @@ require ( github.com/secure-systems-lab/go-securesystemslib v0.9.0 github.com/sigstore/fulcio v1.7.1 github.com/sigstore/protobuf-specs v0.5.0 - github.com/sigstore/rekor v1.3.10 + github.com/sigstore/rekor v1.4.0 github.com/sigstore/rekor-tiles v0.1.7-0.20250624231741-98cd4a77300f github.com/sigstore/sigstore v1.9.5 github.com/sigstore/sigstore-go v1.1.0 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5 - github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.5 + github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.6-0.20250729224751-181c5d3339b3 github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.9.5 github.com/sigstore/timestamp-authority v1.2.8 github.com/spf13/cobra v1.9.1 @@ -67,7 +67,7 @@ require ( require ( cel.dev/expr v0.24.0 // indirect - cloud.google.com/go v0.121.1 // indirect + cloud.google.com/go v0.121.2 // indirect cloud.google.com/go/auth v0.16.3 // indirect cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect cloud.google.com/go/compute/metadata v0.7.0 // indirect @@ -175,7 +175,7 @@ require ( github.com/go-openapi/loads v0.22.0 // indirect github.com/go-openapi/spec v0.21.0 // indirect github.com/go-openapi/validate v0.24.0 // indirect - github.com/go-sql-driver/mysql v1.9.2 // indirect + github.com/go-sql-driver/mysql v1.9.3 // indirect github.com/go-viper/mapstructure/v2 v2.3.0 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect 
@@ -185,7 +185,6 @@ require ( github.com/golang/snappy v0.0.4 // indirect github.com/google/gnostic-models v0.6.9 // indirect github.com/google/go-querystring v1.1.0 // indirect - github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect github.com/google/s2a-go v0.1.9 // indirect github.com/google/trillian v1.7.2 // indirect github.com/google/uuid v1.6.0 // indirect @@ -209,7 +208,7 @@ require ( github.com/jackc/pgx/v5 v5.7.5 // indirect github.com/jackc/puddle/v2 v2.2.2 // indirect github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect - github.com/jellydator/ttlcache/v3 v3.3.0 // indirect + github.com/jellydator/ttlcache/v3 v3.4.0 // indirect github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect diff --git a/go.sum b/go.sum index 2f111d8bcf7..a3944946930 100644 --- a/go.sum +++ b/go.sum @@ -40,8 +40,8 @@ cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRY cloud.google.com/go v0.105.0/go.mod h1:PrLgOJNe5nfE9UMxKxgXj4mD3voiP+YQ6gdt6KMFOKM= cloud.google.com/go v0.107.0/go.mod h1:wpc2eNrD7hXUTy8EKS10jkxpZBjASrORK7goS+3YX2I= cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY= -cloud.google.com/go v0.121.1 h1:S3kTQSydxmu1JfLRLpKtxRPA7rSrYPRPEUmL/PavVUw= -cloud.google.com/go v0.121.1/go.mod h1:nRFlrHq39MNVWu+zESP2PosMWA0ryJw8KUBZ2iZpxbw= +cloud.google.com/go v0.121.2 h1:v2qQpN6Dx9x2NmwrqlesOt3Ys4ol5/lFZ6Mg1B7OJCg= +cloud.google.com/go v0.121.2/go.mod h1:nRFlrHq39MNVWu+zESP2PosMWA0ryJw8KUBZ2iZpxbw= cloud.google.com/go/accessapproval v1.4.0/go.mod h1:zybIuC3KpDOvotz59lFe5qxRZx6C75OtwbisN56xYB4= cloud.google.com/go/accessapproval v1.5.0/go.mod h1:HFy3tuiGvMdcd/u+Cu5b9NkO1pEICJ46IR82PoUdplw= cloud.google.com/go/accessapproval v1.6.0/go.mod h1:R0EiYnwV5fsRFiKZkPHr6mwyk2wxUJ30nL4j2pcFY2E= 
@@ -1004,8 +1004,8 @@ github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7 github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow= github.com/go-rod/rod v0.116.2 h1:A5t2Ky2A+5eD/ZJQr1EfsQSe5rms5Xof/qj296e+ZqA= github.com/go-rod/rod v0.116.2/go.mod h1:H+CMO9SCNc2TJ2WfrG+pKhITz57uGNYU43qYHh438Mg= -github.com/go-sql-driver/mysql v1.9.2 h1:4cNKDYQ1I84SXslGddlsrMhc8k4LeDVj6Ad6WRjiHuU= -github.com/go-sql-driver/mysql v1.9.2/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU= +github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo= +github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= 
@@ -1130,8 +1130,8 @@ github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8= -github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA= +github.com/google/pprof v0.0.0-20250602020802-c6617b811d0e h1:FJta/0WsADCe1r9vQjdHbd3KuiLPu7Y9WlyLGwMUNyE= +github.com/google/pprof v0.0.0-20250602020802-c6617b811d0e/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0= github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM= 
@@ -1166,6 +1166,8 @@ github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+ github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= +github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI= +github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vbp88Yd8NsDy6rZz+RcrMPxvld8= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks= github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w= 
@@ -1220,8 +1222,8 @@ github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4= github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 h1:TMtDYDHKYY15rFihtRfck/bfFqNfvcabqvXAFQfAUpY= github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267/go.mod h1:h1nSAbGFqGVzn6Jyl1R/iCcBUHN4g+gW1u9CoBTrb9E= -github.com/jellydator/ttlcache/v3 v3.3.0 h1:BdoC9cE81qXfrxeb9eoJi9dWrdhSuwXMAnHTbnBm4Wc= -github.com/jellydator/ttlcache/v3 v3.3.0/go.mod h1:bj2/e0l4jRnQdrnSTaGTsh4GSXvMjQcy41i7th0GVGw= +github.com/jellydator/ttlcache/v3 v3.4.0 h1:YS4P125qQS0tNhtL6aeYkheEaB/m8HCqdMMP4mnWdTY= +github.com/jellydator/ttlcache/v3 v3.4.0/go.mod h1:Hw9EgjymziQD3yGsQdf1FqFdpp7YjFMd4Srg5EJlgD4= github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 h1:liMMTbpW34dhU4az1GN0pTPADwNmvoRSeoZ6PItiqnY= github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= 
@@ -1376,8 +1378,8 @@ github.com/protocolbuffers/txtpbfmt v0.0.0-20241112170944-20d2c9ebc01d h1:HWfigq github.com/protocolbuffers/txtpbfmt v0.0.0-20241112170944-20d2c9ebc01d/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= -github.com/redis/go-redis/v9 v9.8.0 h1:q3nRvjrlge/6UD7eTu/DSg2uYiU2mCL0G/uzBWqhicI= -github.com/redis/go-redis/v9 v9.8.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw= +github.com/redis/go-redis/v9 v9.10.0 h1:FxwK3eV8p/CQa0Ch276C7u2d0eNC9kCmAYQ7mCXCzVs= +github.com/redis/go-redis/v9 v9.10.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw= github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= 
@@ -1412,8 +1414,8 @@ github.com/sigstore/fulcio v1.7.1 h1:RcoW20Nz49IGeZyu3y9QYhyyV3ZKQ85T+FXPKkvE+aQ github.com/sigstore/fulcio v1.7.1/go.mod h1:7lYY+hsd8Dt+IvKQRC+KEhWpCZ/GlmNvwIa5JhypMS8= github.com/sigstore/protobuf-specs v0.5.0 h1:F8YTI65xOHw70NrvPwJ5PhAzsvTnuJMGLkA4FIkofAY= github.com/sigstore/protobuf-specs v0.5.0/go.mod h1:+gXR+38nIa2oEupqDdzg4qSBT0Os+sP7oYv6alWewWc= -github.com/sigstore/rekor v1.3.10 h1:/mSvRo4MZ/59ECIlARhyykAlQlkmeAQpvBPlmJtZOCU= -github.com/sigstore/rekor v1.3.10/go.mod h1:JvryKJ40O0XA48MdzYUPu0y4fyvqt0C4iSY7ri9iu3A= +github.com/sigstore/rekor v1.4.0 h1:K3DyH8309yzjYKUCQOVEIYpGp6Y9BQ8GpLhRj0D5CZk= +github.com/sigstore/rekor v1.4.0/go.mod h1:teR57QMQA1nYXPoZL7o26Txky21RfWslM0E9w5Z57Ro= github.com/sigstore/rekor-tiles v0.1.7-0.20250624231741-98cd4a77300f h1:zaqWahYAlVouSm5qwCH+2vZ3eenZFBwzzuBz/IZyy5c= github.com/sigstore/rekor-tiles v0.1.7-0.20250624231741-98cd4a77300f/go.mod h1:1Epq0PQ73v5Z276rAY241JyaP8gtD64I6sgYIECHPvc= github.com/sigstore/sigstore v1.9.5 h1:Wm1LT9yF4LhQdEMy5A2JeGRHTrAWGjT3ubE5JUSrGVU= 
@@ -1424,8 +1426,8 @@ github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 h1:qp2VFyKuFQvTGmZwk5Q github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5/go.mod h1:DKlQjjr+GsWljEYPycI0Sf8URLCk4EbGA9qYjF47j4g= github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5 h1:CRZcdYn5AOptStsLRAAACudAVmb1qUbhMlzrvm7ju3o= github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5/go.mod h1:b9rFfITq2fp1M3oJmq6lFFhSrAz5vOEJH1qzbMsZWN4= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.5 h1:7U0GsO0UGG1PdtgS6wBkRC0sMgq7BRVaFlPRwN4m1Qg= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.5/go.mod h1:/2qrI0nnCy/DTIPOMFaZlFnNPWEn5UeS70P37XEM88o= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.6-0.20250729224751-181c5d3339b3 h1:a7Yz8C0aBa/LjeiTa9ZLYi9B74GNhFRnUIUdvN6ddVk= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.6-0.20250729224751-181c5d3339b3/go.mod h1:tRtJzSZ48MXJV9bmS8pkb3mP36PCad/Cs+BmVJ3Z4O4= github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.9.5 h1:S2ukEfN1orLKw2wEQIUHDDlzk0YcylhcheeZ5TGk8LI= github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.9.5/go.mod h1:m7sQxVJmDa+rsmS1m6biQxaLX83pzNS7ThUEyjOqkCU= github.com/sigstore/timestamp-authority v1.2.8 h1:BEV3fkphwU4zBp3allFAhCqQb99HkiyCXB853RIwuEE= From 674c9c102b84d4f1293c519593a303a1b614b91a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Aug 2025 15:19:29 +0200 Subject: [PATCH 003/136] chore(deps): bump github.com/secure-systems-lab/go-securesystemslib (#4321) --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 040d6e5239d..957bf8b732e 100644 --- a/go.mod +++ b/go.mod 
@@ -31,7 +31,7 @@ require ( github.com/mozillazg/docker-credential-acr-helper v0.4.0 github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 github.com/open-policy-agent/opa v1.6.0 - github.com/secure-systems-lab/go-securesystemslib v0.9.0 + github.com/secure-systems-lab/go-securesystemslib v0.9.1 github.com/sigstore/fulcio v1.7.1 github.com/sigstore/protobuf-specs v0.5.0 github.com/sigstore/rekor v1.4.0 diff --git a/go.sum b/go.sum index a3944946930..19137c5867c 100644 --- a/go.sum +++ b/go.sum @@ -1402,8 +1402,8 @@ github.com/sassoftware/relic v7.2.1+incompatible/go.mod h1:CWfAxv73/iLZ17rbyhIEq github.com/sassoftware/relic/v7 v7.6.2 h1:rS44Lbv9G9eXsukknS4mSjIAuuX+lMq/FnStgmZlUv4= github.com/sassoftware/relic/v7 v7.6.2/go.mod h1:kjmP0IBVkJZ6gXeAu35/KCEfca//+PKM6vTAsyDPY+k= github.com/sclevine/agouti v3.0.0+incompatible/go.mod h1:b4WX9W9L1sfQKXeJf1mUTLZKJ48R1S7H23Ji7oFO5Bw= -github.com/secure-systems-lab/go-securesystemslib v0.9.0 h1:rf1HIbL64nUpEIZnjLZ3mcNEL9NBPB0iuVjyxvq3LZc= -github.com/secure-systems-lab/go-securesystemslib v0.9.0/go.mod h1:DVHKMcZ+V4/woA/peqr+L0joiRXbPpQ042GgJckkFgw= +github.com/secure-systems-lab/go-securesystemslib v0.9.1 h1:nZZaNz4DiERIQguNy0cL5qTdn9lR8XKHf4RUyG1Sx3g= +github.com/secure-systems-lab/go-securesystemslib v0.9.1/go.mod h1:np53YzT0zXGMv6x4iEWc9Z59uR+x+ndLwCLqPYpLXVU= github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= From f385b03d1dbcbd95a9e358bf3bdd6aaa43b7acc0 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Aug 2025 15:36:45 +0200 Subject: [PATCH 004/136] chore(deps): bump the actions group with 3 updates (#4329) --- .github/workflows/build.yaml | 4 ++-- .github/workflows/donotsubmit.yaml | 2 +- .github/workflows/e2e-tests.yml | 2 +- .github/workflows/kind-verify-attestation.yaml | 2 +- .github/workflows/tests.yaml | 2 +- .github/workflows/whitespace.yaml | 4 ++-- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 71b9de6c8c7..227a834bb1e 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -59,7 +59,7 @@ jobs: - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9 - name: Set up Cloud SDK - uses: google-github-actions/auth@140bb5113ffb6b65a7e9b937a81fa96cf5064462 # v2.1.11 + uses: google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5 # v2.1.12 with: workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-cosign' service_account: 'github-actions@projectsigstore.iam.gserviceaccount.com' @@ -68,7 +68,7 @@ jobs: run: gcloud auth configure-docker --quiet - name: Login to GitHub Container Registry - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io username: ${{ github.actor }} diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml index 43cdb3a4975..fba338830e0 100644 --- a/.github/workflows/donotsubmit.yaml +++ b/.github/workflows/donotsubmit.yaml @@ -40,4 +40,4 @@ jobs: persist-credentials: false - name: Do Not Submit - uses: chainguard-dev/actions/donotsubmit@708219d4822f33611ac1a2653815cc10e1ab54a6 # v1.4.7 + uses: chainguard-dev/actions/donotsubmit@df684a72f67ce7eecd78098365cb5057f16be3b1 # v1.4.8 
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index b8ceccc4247..04589e57cee 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -220,4 +220,4 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@708219d4822f33611ac1a2653815cc10e1ab54a6 # v1.4.7 + uses: chainguard-dev/actions/kind-diag@df684a72f67ce7eecd78098365cb5057f16be3b1 # v1.4.8 diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml index cddb4c31444..5d657a9bd77 100644 --- a/.github/workflows/kind-verify-attestation.yaml +++ b/.github/workflows/kind-verify-attestation.yaml @@ -156,7 +156,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@708219d4822f33611ac1a2653815cc10e1ab54a6 # v1.4.7 + uses: chainguard-dev/actions/kind-diag@df684a72f67ce7eecd78098365cb5057f16be3b1 # v1.4.8 - name: Create vuln attestation for it run: | diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index d87b0bfd58b..c5fb927a9f5 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -169,7 +169,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@708219d4822f33611ac1a2653815cc10e1ab54a6 # v1.4.7 + uses: chainguard-dev/actions/kind-diag@df684a72f67ce7eecd78098365cb5057f16be3b1 # v1.4.8 e2e-windows-powershell-tests: name: Run PowerShell E2E tests diff --git a/.github/workflows/whitespace.yaml b/.github/workflows/whitespace.yaml index 525a9d3b776..e01756c72e8 100644 --- a/.github/workflows/whitespace.yaml +++ b/.github/workflows/whitespace.yaml 
@@ -38,8 +38,8 @@ jobs: with: persist-credentials: false - - uses: chainguard-dev/actions/trailing-space@708219d4822f33611ac1a2653815cc10e1ab54a6 # v1.4.7 + - uses: chainguard-dev/actions/trailing-space@df684a72f67ce7eecd78098365cb5057f16be3b1 # v1.4.8 if: ${{ always() }} - - uses: chainguard-dev/actions/eof-newline@708219d4822f33611ac1a2653815cc10e1ab54a6 # v1.4.7 + - uses: chainguard-dev/actions/eof-newline@df684a72f67ce7eecd78098365cb5057f16be3b1 # v1.4.8 if: ${{ always() }} From bfd10447f9f3a593d419ed9dab7564ed5c126a6b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Aug 2025 15:37:41 +0200 Subject: [PATCH 005/136] chore(deps): bump github.com/awslabs/amazon-ecr-credential-helper/ecr-login (#4323) --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 957bf8b732e..de44e917639 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.24.3 require ( cuelang.org/go v0.12.1 github.com/ThalesIgnite/crypto11 v1.2.5 - github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.9.1 + github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 github.com/buildkite/agent/v3 v3.103.0 github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 
@@ -123,8 +123,8 @@ require ( github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.37 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.37 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect - github.com/aws/aws-sdk-go-v2/service/ecr v1.40.3 // indirect - github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.31.2 // indirect + github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 // indirect + github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.18 // indirect github.com/aws/aws-sdk-go-v2/service/kms v1.41.3 // indirect diff --git a/go.sum b/go.sum index 19137c5867c..cf5853905b4 100644 --- a/go.sum +++ b/go.sum 
@@ -773,10 +773,10 @@ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.37 h1:v+X21AvTb2wZ+ycg1g github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.37/go.mod h1:G0uM1kyssELxmJ2VZEfG0q2npObR3BAkF3c1VsfVnfs= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo= -github.com/aws/aws-sdk-go-v2/service/ecr v1.40.3 h1:a+210FCU/pR5hhKRaskRfX/ogcyyzFBrehcTk5DTAyU= -github.com/aws/aws-sdk-go-v2/service/ecr v1.40.3/go.mod h1:dtD3a4sjUjVL86e0NUvaqdGvds5ED6itUiZPDaT+Gh8= -github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.31.2 h1:E6/Myrj9HgLF22medmDrKmbpm4ULsa+cIBNx3phirBk= -github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.31.2/go.mod h1:OQ8NALFcchBJ/qruak6zKUQodovnTKKaReTuCkc5/9Y= +github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 h1:Bwzh202Aq7/MYnAjXA9VawCf6u+hjwMdoYmZ4HYsdf8= +github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1/go.mod h1:xZzWl9AXYa6zsLLH41HBFW8KRKJRIzlGmvSM0mVMIX4= +github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 h1:XJ/AEFYj9VFPJdF+VFi4SUPEDfz1akHwxxm07JfZJcs= +github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2/go.mod h1:JUBHdhvKbbKmhaHjLsKJAWnQL80T6nURmhB/LEprV+4= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 h1:CXV68E2dNqhuynZJPB80bhPQwAKqBWVer887figW6Jc= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4/go.mod h1:/xFi9KtvBXP97ppCz1TAEvU1Uf66qvid89rbem3wCzQ= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.18 h1:vvbXsA2TVO80/KT7ZqCbx934dt6PY+vQ8hZpUZ/cpYg= 
@@ -791,8 +791,8 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.34.1 h1:aUrLQwJfZtwv3/ZNG2xRtEen+NqI github.com/aws/aws-sdk-go-v2/service/sts v1.34.1/go.mod h1:3wFBZKoWnX3r+Sm7in79i54fBmNfwhdNdQuscCw7QIk= github.com/aws/smithy-go v1.22.4 h1:uqXzVZNuNexwc/xrh6Tb56u89WDlJY6HS+KC0S4QSjw= github.com/aws/smithy-go v1.22.4/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI= -github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.9.1 h1:50sS0RWhGpW/yZx2KcDNEb1u1MANv5BMEkJgcieEDTA= -github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.9.1/go.mod h1:ErZOtbzuHabipRTDTor0inoRlYwbsV1ovwSxjGs/uJo= +github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 h1:6lMw4/QGLFPvbKQ0eri/9Oh3YX5Nm6BPrUlZR8yuJHg= +github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1/go.mod h1:EVJOSYOVeoD3VFFZ/dWCAzWJp5wZr9lTOCjW8ejAmO0= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= From cd8bc0b738ef50147d8f8983429bfb3025d4b928 Mon Sep 17 00:00:00 2001 From: Hayden Date: Thu, 7 Aug 2025 01:40:32 -0700 Subject: [PATCH 006/136] Bump deps for cuelang and others (#4332) Also needed to bump grpc-gcp-go to fix an incompatibility with the latest googleapis library Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com> --- go.mod | 31 +++++++++-------- go.sum | 71 ++++++++++++++++++++------------------ pkg/cosign/cue/cue_test.go | 2 +- 3 files changed, 55 insertions(+), 49 deletions(-) diff --git a/go.mod b/go.mod index de44e917639..fd519634647 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/sigstore/cosign/v2 go 1.24.3 require ( - cuelang.org/go v0.12.1 + cuelang.org/go v0.14.0 github.com/ThalesIgnite/crypto11 v1.2.5 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 github.com/buildkite/agent/v3 v3.103.0 
@@ -30,7 +30,7 @@ require ( github.com/moby/term v0.5.2 github.com/mozillazg/docker-credential-acr-helper v0.4.0 github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 - github.com/open-policy-agent/opa v1.6.0 + github.com/open-policy-agent/opa v1.7.1 github.com/secure-systems-lab/go-securesystemslib v0.9.1 github.com/sigstore/fulcio v1.7.1 github.com/sigstore/protobuf-specs v0.5.0 @@ -56,7 +56,7 @@ require ( golang.org/x/oauth2 v0.30.0 golang.org/x/sync v0.16.0 golang.org/x/term v0.33.0 - google.golang.org/api v0.243.0 + google.golang.org/api v0.244.0 google.golang.org/protobuf v1.36.6 k8s.io/api v0.33.3 k8s.io/apimachinery v0.33.3 @@ -77,7 +77,7 @@ require ( cloud.google.com/go/monitoring v1.24.2 // indirect cloud.google.com/go/spanner v1.82.0 // indirect cloud.google.com/go/storage v1.55.0 // indirect - cuelabs.dev/go/oci/ociregistry v0.0.0-20241125120445-2c00c104c6e1 // indirect + cuelabs.dev/go/oci/ociregistry v0.0.0-20250715075730-49cab49c8e9d // indirect filippo.io/edwards25519 v1.1.0 // indirect github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 // indirect github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect @@ -96,7 +96,7 @@ require ( github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect - github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.2 // indirect + github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3 // indirect github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 // indirect github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 // indirect github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0 // indirect 
@@ -142,7 +142,7 @@ require ( github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/chzyer/readline v1.5.1 // indirect github.com/clbanning/mxj/v2 v2.7.0 // indirect - github.com/cncf/xds/go v0.0.0-20250326154945-ae57f3c0d45f // indirect + github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 // indirect github.com/cockroachdb/apd/v3 v3.2.1 // indirect github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect @@ -156,7 +156,7 @@ require ( github.com/docker/docker-credential-helpers v0.9.3 // indirect github.com/docker/go-units v0.5.0 // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect - github.com/emicklei/proto v1.13.4 // indirect + github.com/emicklei/proto v1.14.2 // indirect github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect @@ -236,7 +236,7 @@ require ( github.com/prometheus/client_model v0.6.2 // indirect github.com/prometheus/common v0.63.0 // indirect github.com/prometheus/procfs v0.15.1 // indirect - github.com/protocolbuffers/txtpbfmt v0.0.0-20241112170944-20d2c9ebc01d // indirect + github.com/protocolbuffers/txtpbfmt v0.0.0-20250627152318-f293424e46b5 // indirect github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect github.com/rogpeppe/go-internal v1.14.1 // indirect github.com/rs/cors v1.11.1 // indirect @@ -253,7 +253,7 @@ require ( github.com/spf13/cast v1.7.1 // indirect github.com/subosito/gotenv v1.6.0 // indirect github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect - github.com/tchap/go-patricia/v2 v2.3.2 // indirect + github.com/tchap/go-patricia/v2 v2.3.3 // indirect github.com/thales-e-security/pool v0.0.2 // indirect github.com/theupdateframework/go-tuf v0.7.0 // indirect github.com/tink-crypto/tink-go-awskms/v2 v2.1.0 // indirect 
@@ -266,7 +266,7 @@ require ( github.com/transparency-dev/tessera v0.2.1-0.20250610150926-8ee4e93b2823 // indirect github.com/urfave/negroni v1.0.0 // indirect github.com/vbatts/tar-split v0.12.1 // indirect - github.com/vektah/gqlparser/v2 v2.5.28 // indirect + github.com/vektah/gqlparser/v2 v2.5.30 // indirect github.com/x448/float16 v0.8.4 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect @@ -277,15 +277,16 @@ require ( go.opentelemetry.io/auto/sdk v1.1.0 // indirect go.opentelemetry.io/contrib/detectors/gcp v1.36.0 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect go.opentelemetry.io/otel v1.37.0 // indirect go.opentelemetry.io/otel/metric v1.37.0 // indirect go.opentelemetry.io/otel/sdk v1.37.0 // indirect - go.opentelemetry.io/otel/sdk/metric v1.36.0 // indirect + go.opentelemetry.io/otel/sdk/metric v1.37.0 // indirect go.opentelemetry.io/otel/trace v1.37.0 // indirect go.step.sm/crypto v0.67.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect + go.yaml.in/yaml/v2 v2.4.2 // indirect golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect golang.org/x/mod v0.26.0 // indirect golang.org/x/net v0.42.0 // indirect 
@@ -295,8 +296,8 @@ require ( golang.org/x/tools v0.35.0 // indirect google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20250715232539-7130f93afb79 // indirect - google.golang.org/grpc v1.73.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20250728155136-f173205681a0 // indirect + google.golang.org/grpc v1.74.2 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect @@ -306,5 +307,5 @@ require ( sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect sigs.k8s.io/randfill v1.0.0 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect - sigs.k8s.io/yaml v1.4.0 // indirect + sigs.k8s.io/yaml v1.6.0 // indirect ) diff --git a/go.sum b/go.sum index cf5853905b4..7a038087a1b 100644 --- a/go.sum +++ b/go.sum 
@@ -620,10 +620,10 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS cloud.google.com/go/workflows v1.8.0/go.mod h1:ysGhmEajwZxGn1OhGOGKsTXc5PyxOc0vfKf5Af+to4M= cloud.google.com/go/workflows v1.9.0/go.mod h1:ZGkj1aFIOd9c8Gerkjjq7OW7I5+l6cSvT3ujaO/WwSA= cloud.google.com/go/workflows v1.10.0/go.mod h1:fZ8LmRmZQWacon9UCX1r/g/DfAXx5VcPALq2CxzdePw= -cuelabs.dev/go/oci/ociregistry v0.0.0-20241125120445-2c00c104c6e1 h1:mRwydyTyhtRX2wXS3mqYWzR2qlv6KsmoKXmlz5vInjg= -cuelabs.dev/go/oci/ociregistry v0.0.0-20241125120445-2c00c104c6e1/go.mod h1:5A4xfTzHTXfeVJBU6RAUf+QrlfTCW+017q/QiW+sMLg= -cuelang.org/go v0.12.1 h1:5I+zxmXim9MmiN2tqRapIqowQxABv2NKTgbOspud1Eo= -cuelang.org/go v0.12.1/go.mod h1:B4+kjvGGQnbkz+GuAv1dq/R308gTkp0sO28FdMrJ2Kw= +cuelabs.dev/go/oci/ociregistry v0.0.0-20250715075730-49cab49c8e9d h1:lX0EawyoAu4kgMJJfy7MmNkIHioBcdBGFRSKDZ+CWo0= +cuelabs.dev/go/oci/ociregistry v0.0.0-20250715075730-49cab49c8e9d/go.mod h1:4WWeZNxUO1vRoZWAHIG0KZOd6dA25ypyWuwD3ti0Tdc= +cuelang.org/go v0.14.0 h1:OvkDGmfiTCxoHhVs1tR/6Z96XbupB8oR2DNoIW068bQ= +cuelang.org/go v0.14.0/go.mod h1:aSP9UZUM5m2izHAHUvqtq0wTlWn5oLjuv2iBMQZBLLs= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= 
@@ -680,8 +680,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU= github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU= -github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.2 h1:DBjmt6/otSdULyJdVg2BlG0qGZO5tKL4VzOs0jpvw5Q= -github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.2/go.mod h1:dppbR7CwXD4pgtV9t3wD1812RaLDcBjtblcDF5f1vI0= +github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3 h1:2afWGsMzkIcN8Qm4mgPJKZWyroE5QBszMiDMYEBrnfw= +github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3/go.mod h1:dppbR7CwXD4pgtV9t3wD1812RaLDcBjtblcDF5f1vI0= github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 h1:ErKg/3iS1AKcTkf3yixlZ54f9U1rljCkQyEXWUnIUxc= github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0/go.mod h1:yAZHSGnqScoU556rBOVkwLze6WP5N+U11RHuWaGVxwY= github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 h1:owcC2UnmsZycprQ5RfRgjydWhuoxg71LUfyiQdijZuM= 
@@ -849,8 +849,8 @@ github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWH github.com/cncf/xds/go v0.0.0-20220314180256-7f1daf1720fc/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20250326154945-ae57f3c0d45f h1:C5bqEmzEPLsHm9Mv73lSE9e9bKV23aB1vxOsmZrkl3k= -github.com/cncf/xds/go v0.0.0-20250326154945-ae57f3c0d45f/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 h1:aQ3y1lwWyqYPiWZThqv1aFbZMiM9vblcSArJRf2Irls= +github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg= github.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc= github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE= 
@@ -877,8 +877,8 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936 h1:foGzavPWwtoyBvjWyKJYDYsyzy+23iBV7NKTwdk+LRY= github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936/go.mod h1:ttKPnOepYt4LLzD+loXQ1rT6EmpyIYHro7TAJuIIlHo= -github.com/dgraph-io/badger/v4 v4.7.0 h1:Q+J8HApYAY7UMpL8d9owqiB+odzEc0zn/aqOD9jhc6Y= -github.com/dgraph-io/badger/v4 v4.7.0/go.mod h1:He7TzG3YBy3j4f5baj5B7Zl2XyfNe5bl4Udl0aPemVA= +github.com/dgraph-io/badger/v4 v4.8.0 h1:JYph1ChBijCw8SLeybvPINizbDKWZ5n/GYbz2yhN/bs= +github.com/dgraph-io/badger/v4 v4.8.0/go.mod h1:U6on6e8k/RTbUWxqKR0MvugJuVmkxSNc79ap4917h4w= github.com/dgraph-io/ristretto/v2 v2.2.0 h1:bkY3XzJcXoMuELV8F+vS8kzNgicwQFAaGINAEJdWGOM= github.com/dgraph-io/ristretto/v2 v2.2.0/go.mod h1:RZrm63UmcBAaYWC1DotLYBmTvgkrs0+XhBd7Npn7/zI= github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78= 
@@ -906,8 +906,8 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/emicklei/proto v1.13.4 h1:myn1fyf8t7tAqIzV91Tj9qXpvyXXGXk8OS2H6IBSc9g= -github.com/emicklei/proto v1.13.4/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A= +github.com/emicklei/proto v1.14.2 h1:wJPxPy2Xifja9cEMrcA/g08art5+7CGJNFNk35iXC1I= +github.com/emicklei/proto v1.14.2/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= 
@@ -1334,8 +1334,8 @@ github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8= github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY= -github.com/open-policy-agent/opa v1.6.0 h1:/S/cnNQJ2MUMNzizHPbisTWBHowmLkPrugY5jjkPlRQ= -github.com/open-policy-agent/opa v1.6.0/go.mod h1:zFmw4P+W62+CWGYRDDswfVYSCnPo6oYaktQnfIaRFC4= +github.com/open-policy-agent/opa v1.7.1 h1:bhA2UGq5oS25471WB9aCJBWEp5/7WK+Nyb2PMAChQIg= +github.com/open-policy-agent/opa v1.7.1/go.mod h1:7cPuErOAt7k/oVWAVJnxqAC6mwArrAazkvk0RXiih2A= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= 
@@ -1374,8 +1374,8 @@ github.com/prometheus/common v0.63.0 h1:YR/EIY1o3mEFP/kZCD7iDMnLPlGyuU2Gb3HIcXnA github.com/prometheus/common v0.63.0/go.mod h1:VVFF/fBIoToEnWRVkYoXEkq3R3paCoxG9PXP74SnV18= github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= -github.com/protocolbuffers/txtpbfmt v0.0.0-20241112170944-20d2c9ebc01d h1:HWfigq7lB31IeJL8iy7jkUmU/PG1Sr8jVGhS749dbUA= -github.com/protocolbuffers/txtpbfmt v0.0.0-20241112170944-20d2c9ebc01d/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c= +github.com/protocolbuffers/txtpbfmt v0.0.0-20250627152318-f293424e46b5 h1:WWs1ZFnGobK5ZXNu+N9If+8PDNVB9xAqrib/stUXsV4= +github.com/protocolbuffers/txtpbfmt v0.0.0-20250627152318-f293424e46b5/go.mod h1:BnHogPTyzYAReeQLZrOxyxzS739DaTNtTvohVdbENmA= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/redis/go-redis/v9 v9.10.0 h1:FxwK3eV8p/CQa0Ch276C7u2d0eNC9kCmAYQ7mCXCzVs= 
@@ -1406,8 +1406,8 @@ github.com/secure-systems-lab/go-securesystemslib v0.9.1 h1:nZZaNz4DiERIQguNy0cL github.com/secure-systems-lab/go-securesystemslib v0.9.1/go.mod h1:np53YzT0zXGMv6x4iEWc9Z59uR+x+ndLwCLqPYpLXVU= github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= -github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= -github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= +github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw= +github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4= github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI= github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE= github.com/sigstore/fulcio v1.7.1 h1:RcoW20Nz49IGeZyu3y9QYhyyV3ZKQ85T+FXPKkvE+aQ= 
@@ -1482,8 +1482,8 @@ github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d h1:vfofYNRScrDdvS342BElfbETmL1Aiz3i2t0zfRj16Hs= github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d/go.mod h1:RRCYJbIwD5jmqPI9XoAFR0OcDxqUctll6zUj/+B4S48= -github.com/tchap/go-patricia/v2 v2.3.2 h1:xTHFutuitO2zqKAQ5rCROYgUb7Or/+IC3fts9/Yc7nM= -github.com/tchap/go-patricia/v2 v2.3.2/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= +github.com/tchap/go-patricia/v2 v2.3.3 h1:xfNEsODumaEcCcY3gI0hYPZ/PcpVv5ju6RMAhgwZDDc= +github.com/tchap/go-patricia/v2 v2.3.3/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg= github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU= github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI= 
@@ -1513,8 +1513,8 @@ github.com/urfave/negroni v1.0.0 h1:kIimOitoypq34K7TG7DUaJ9kq/N4Ofuwi1sjz0KipXc= github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4= github.com/vbatts/tar-split v0.12.1 h1:CqKoORW7BUWBe7UL/iqTVvkTBOF8UvOMKOIZykxnnbo= github.com/vbatts/tar-split v0.12.1/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA= -github.com/vektah/gqlparser/v2 v2.5.28 h1:bIulcl3LF69ba6EiZVGD88y4MkM+Jxrf3P2MX8xLRkY= -github.com/vektah/gqlparser/v2 v2.5.28/go.mod h1:D1/VCZtV3LPnQrcPBeR/q5jkSQIPti0uYCP/RI0gIeo= +github.com/vektah/gqlparser/v2 v2.5.30 h1:EqLwGAFLIzt1wpx1IPpY67DwUujF1OfzgEyDsLrN6kE= +github.com/vektah/gqlparser/v2 v2.5.30/go.mod h1:D1/VCZtV3LPnQrcPBeR/q5jkSQIPti0uYCP/RI0gIeo= github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 h1:+dBg5k7nuTE38VVdoroRsT0Z88fmvdYrI2EjzJst35I= github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1/go.mod h1:nmuySobZb4kFgFy6BptpXp/BBw+xFSyvVPP6auoJB4k= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= 
@@ -1568,8 +1568,8 @@ go.opentelemetry.io/contrib/detectors/gcp v1.36.0 h1:F7q2tNlCaHY9nMKHR6XH9/qkp8F go.opentelemetry.io/contrib/detectors/gcp v1.36.0/go.mod h1:IbBN8uAIIx734PTonTPxAxnjc2pQTxWNkwfstZ+6H2k= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY= go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ= go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 h1:Ahq7pZmv87yiyn3jeFz/LekZmPLLdKejuO3NcK9MssM= 
@@ -1584,8 +1584,8 @@ go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/Wgbsd go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E= go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI= go.opentelemetry.io/otel/sdk v1.37.0/go.mod h1:VredYzxUvuo2q3WRcDnKDjbdvmO0sCzOvVAiY+yUkAg= -go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis= -go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4= +go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFhbjxHHspCPc= +go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps= go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4= go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= 
@@ -1601,6 +1601,10 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= +go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= +go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= +go.yaml.in/yaml/v3 v3.0.3 h1:bXOww4E/J3f66rav3pX3m8w6jDE4knZjGOw8b5Y6iNE= +go.yaml.in/yaml/v3 v3.0.3/go.mod h1:tBHosrYAkRZjRAOREWbDnBXUf08JOwYq++0QNwQiWzI= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= @@ -2077,8 +2081,8 @@ google.golang.org/api v0.108.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/ google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI= google.golang.org/api v0.111.0/go.mod h1:qtFHvU9mhgTJegR31csQ+rwxyUTHOKFqCKWp1J0fdw0= google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg= -google.golang.org/api v0.243.0 h1:sw+ESIJ4BVnlJcWu9S+p2Z6Qq1PjG77T8IJ1xtp4jZQ= -google.golang.org/api v0.243.0/go.mod h1:GE4QtYfaybx1KmeHMdBnNnyLzBZCVihGBXAmJu/uUr8= +google.golang.org/api v0.244.0 h1:lpkP8wVibSKr++NCD36XzTk/IzeKJ3klj7vbj+XU5pE= +google.golang.org/api v0.244.0/go.mod h1:dMVhVcylamkirHdzEBAIQWUCgqY885ivNeZYd7VAVr8= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -2222,8 +2226,8 @@ google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuO google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s= google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 h1:oWVWY3NzT7KJppx2UKhKmzPq4SRe0LdCijVRwvGeikY= google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822/go.mod h1:h3c4v36UTKzUiuaOKQ6gr3S+0hovBtUrXzTG/i3+XEc= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250715232539-7130f93afb79 h1:1ZwqphdOdWYXsUHgMpU/101nCtf/kSp9hOrcvFsnl10= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250715232539-7130f93afb79/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250728155136-f173205681a0 h1:MAKi5q709QWfnkkpNQ0M12hYJ1+e8qYVDyowc4U1XZM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250728155136-f173205681a0/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= 
@@ -2265,8 +2269,8 @@ google.golang.org/grpc v1.52.3/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5v google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw= google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g= google.golang.org/grpc v1.56.3/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= -google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok= -google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc= +google.golang.org/grpc v1.74.2 h1:WoosgB65DlWVC9FqI82dGsZhWFNBSLjQ84bjROOpMu4= +google.golang.org/grpc v1.74.2/go.mod h1:CtQ+BGjaAIXHs/5YS3i473GqwBBa1zGQNevxdeBEXrM= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= @@ -2382,7 +2386,8 @@ sigs.k8s.io/release-utils v0.12.0 h1:+Z8cEUAaxItrMcTOJ0jtUg3Fm1uNgPNol+VIL6XtQqQ sigs.k8s.io/release-utils v0.12.0/go.mod h1:TveYRPK4Mq6qXA0PJiUMEOlWvvIQG0Mh5APQmHD5JpA= sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc= sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps= -sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= +sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= +sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4= software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k= software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI= 
diff --git a/pkg/cosign/cue/cue_test.go b/pkg/cosign/cue/cue_test.go index 9748fad3437..e16b3782622 100644 --- a/pkg/cosign/cue/cue_test.go +++ b/pkg/cosign/cue/cue_test.go @@ -157,7 +157,7 @@ func TestValidationJSON(t *testing.T) { } `, pass: false, - errorMsg: "authorityMatches.keysignature.signatures: invalid value [{subject:\"PLACEHOLDER\",issuer:\"PLACEHOLDER\"}] (does not satisfy list.MinItems(2))", + errorMsg: "authorityMatches.keysignature.signatures: invalid value [{subject:\"PLACEHOLDER\",issuer:\"PLACEHOLDER\"}] (does not satisfy list.MinItems(2)): len(list) < MinItems(2) (1 < 2)", }, } From 7319eb457c030751a818baf4855b189e78a1877a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 Aug 2025 08:25:21 -0700 Subject: [PATCH 007/136] chore(deps): bump google.golang.org/api from 0.243.0 to 0.244.0 (#4326) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.243.0 to 0.244.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.243.0...v0.244.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.244.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index fd519634647..1a1a8dfc4a6 100644 --- a/go.mod +++ b/go.mod @@ -56,7 +56,7 @@ require ( golang.org/x/oauth2 v0.30.0 golang.org/x/sync v0.16.0 golang.org/x/term v0.33.0 - google.golang.org/api v0.244.0 + google.golang.org/api v0.246.0 google.golang.org/protobuf v1.36.6 k8s.io/api v0.33.3 k8s.io/apimachinery v0.33.3 
diff --git a/go.sum b/go.sum index 7a038087a1b..c335a158e23 100644 --- a/go.sum +++ b/go.sum @@ -2081,8 +2081,8 @@ google.golang.org/api v0.108.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/ google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI= google.golang.org/api v0.111.0/go.mod h1:qtFHvU9mhgTJegR31csQ+rwxyUTHOKFqCKWp1J0fdw0= google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg= -google.golang.org/api v0.244.0 h1:lpkP8wVibSKr++NCD36XzTk/IzeKJ3klj7vbj+XU5pE= -google.golang.org/api v0.244.0/go.mod h1:dMVhVcylamkirHdzEBAIQWUCgqY885ivNeZYd7VAVr8= +google.golang.org/api v0.246.0 h1:H0ODDs5PnMZVZAEtdLMn2Ul2eQi7QNjqM2DIFp8TlTM= +google.golang.org/api v0.246.0/go.mod h1:dMVhVcylamkirHdzEBAIQWUCgqY885ivNeZYd7VAVr8= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= From f011b93a85d785841cd236e7f0fffa85a50618ae Mon Sep 17 00:00:00 2001 From: Hayden Date: Thu, 7 Aug 2025 09:20:58 -0700 Subject: [PATCH 008/136] Add support for SigningConfig for sign-blob/attest-blob, support Rekor v2 (#4319) * Refactor fetching an ID token into its own package This will allow these functions to be reused by other parts of the codebase, and eventually we can move these into an external package for use by other libraries. Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com> * Add support for SigningConfig for sign-blob/attest-blob Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com> * Refactor identity token retrieval into its own method Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com> * Disallow self-managed keys with a signing config temporarily Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com> --------- 
Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com> Co-authored-by: Hayden B <8418760+haydentherapper@users.noreply.github.com> --- .gitignore | 2 +- .golangci.yml | 5 + cmd/cosign/cli/attest.go | 1 + cmd/cosign/cli/attest/attest_blob.go | 64 +++++- cmd/cosign/cli/attest_blob.go | 19 ++ cmd/cosign/cli/fulcio/fulcio.go | 127 ++--------- cmd/cosign/cli/fulcio/fulcio_test.go | 49 +---- .../fulcioverifier/fulcioverifier_test.go | 8 +- cmd/cosign/cli/options/attest_blob.go | 10 + cmd/cosign/cli/options/key.go | 3 + cmd/cosign/cli/options/signblob.go | 10 + cmd/cosign/cli/sign/sign_blob.go | 44 +++- cmd/cosign/cli/signblob.go | 17 ++ doc/cosign_attest-blob.md | 2 + doc/cosign_sign-blob.md | 2 + go.mod | 5 +- go.sum | 10 +- internal/auth/auth.go | 172 +++++++++++++++ internal/auth/auth_test.go | 208 ++++++++++++++++++ pkg/cosign/bundle/sign.go | 126 +++++++++++ pkg/cosign/tuf.go | 12 + pkg/cosign/verify.go | 7 +- pkg/cosign/verify_bundle_test.go | 29 +++ test/e2e_test.go | 137 +++++++++++- 24 files changed, 892 insertions(+), 177 deletions(-) create mode 100644 internal/auth/auth.go create mode 100644 internal/auth/auth_test.go create mode 100644 pkg/cosign/bundle/sign.go diff --git a/.gitignore b/.gitignore index 473584dc6fa..4c5ee9a79ea 100644 --- a/.gitignore +++ b/.gitignore @@ -27,7 +27,7 @@ bin* dist/ cosignImagerefs -bundle +/bundle signature certificate sigstore-conformance diff --git a/.golangci.yml b/.golangci.yml index 5dacb8d3224..f6b550d9520 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -78,6 +78,11 @@ linters: path: pkg/cosign/verify.go # NewEntry used for Rekor v1, will update to NewTlogEntry for Rekor v2 support text: SA1019 + - linters: + - staticcheck + path: pkg/cosign/verify_bundle_test.go + # NewEntry used for Rekor v1, will update to NewTlogEntry for Rekor v2 support + text: SA1019 paths: - third_party$ - builtin$ diff --git a/cmd/cosign/cli/attest.go b/cmd/cosign/cli/attest.go index f9ac6a85c55..1e98b260fa6 100644 
--- a/cmd/cosign/cli/attest.go
+++ b/cmd/cosign/cli/attest.go
@@ -107,6 +107,7 @@ func Attest() *cobra.Command {
 }
 ko.TrustedMaterial = trustedMaterial
 }
+ // TODO(#4324): Add support for SigningConfig
 attestCommand := attest.AttestCommand{
 KeyOpts: ko,
 RegistryOptions: o.Registry,
diff --git a/cmd/cosign/cli/attest/attest_blob.go b/cmd/cosign/cli/attest/attest_blob.go
index b899e3e9606..2a7aca4ac12 100644
--- a/cmd/cosign/cli/attest/attest_blob.go
+++ b/cmd/cosign/cli/attest/attest_blob.go
@@ -36,9 +36,11 @@ import (
 "github.com/secure-systems-lab/go-securesystemslib/dsse"
 "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
 "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
+ cosign_sign "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
+ "github.com/sigstore/cosign/v2/internal/auth"
 "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa"
 tsaclient "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client"
+ "github.com/sigstore/cosign/v2/internal/ui"
 "github.com/sigstore/cosign/v2/pkg/cosign"
 "github.com/sigstore/cosign/v2/pkg/cosign/attestation"
 cbundle "github.com/sigstore/cosign/v2/pkg/cosign/bundle"
@@ -46,6 +48,7 @@ import (
 protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1"
 protodsse "github.com/sigstore/protobuf-specs/gen/pb-go/dsse"
 "github.com/sigstore/rekor/pkg/generated/models"
+ "github.com/sigstore/sigstore-go/pkg/sign"
 "github.com/sigstore/sigstore/pkg/cryptoutils"
 "github.com/sigstore/sigstore/pkg/signature"
 sigstoredsse "github.com/sigstore/sigstore/pkg/signature/dsse"
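Review bot: The new import alias `cosign_sign` for cli/sign carries an underscore, which Go naming (MixedCaps, no underscores in identifiers) avoids and which some linters report; since the unaliased `sign` name is now taken by sigstore-go's sign package, an alias such as `cosignsign` or `clisign` would read as idiomatic Go. The same alias is repeated at every call site in this file, so the rename applies equally to the `ShouldUploadToTlog` and `makeNewBundle` hunks and to the new `SignerFromKeyOpts` call in the SigningConfig hunk.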
@@ -100,16 +103,10 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 return errors.New("expected either new bundle or an rfc3161-timestamp path when using a TSA server")
 }
 
- sv, err := sign.SignerFromKeyOpts(ctx, c.CertPath, c.CertChainPath, c.KeyOpts)
- if err != nil {
- return fmt.Errorf("getting signer: %w", err)
- }
- defer sv.Close()
- wrapped := sigstoredsse.WrapSigner(sv, types.IntotoPayloadType)
-
 base := path.Base(artifactPath)
 
 var payload []byte
+ var err error
 
 if c.StatementPath != "" {
 fmt.Fprintln(os.Stderr, "Using statement from:", c.StatementPath)
@@ -165,6 +162,53 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 }
 }
 
+ if c.SigningConfig != nil {
+ // TODO(#4327): Only ephemeral keys are currently supported
+ // Need to add support for self-managed keys (e.g. PKCS11, KMS, on disk)
+ // and determine if we want to store certificates for those as well.
+ if c.Sk || c.Slot != "" || c.KeyRef != "" || c.CertPath != "" {
+ return fmt.Errorf("using a signing config currently only supports signing with ephemeral keys and Fulcio")
+ }
+ keypair, err := sign.NewEphemeralKeypair(nil)
+ if err != nil {
+ return fmt.Errorf("generating keypair: %w", err)
+ }
+ idToken, err := auth.RetrieveIDToken(ctx, auth.IDTokenConfig{
+ TokenOrPath: c.IDToken,
+ DisableProviders: c.OIDCDisableProviders,
+ Provider: c.OIDCProvider,
+ AuthFlow: c.FulcioAuthFlow,
+ SkipConfirm: c.SkipConfirmation,
+ OIDCServices: c.SigningConfig.OIDCProviderURLs(),
+ ClientID: c.OIDCClientID,
+ ClientSecret: c.OIDCClientSecret,
+ RedirectURL: c.OIDCRedirectURL,
+ })
+ if err != nil {
+ return fmt.Errorf("retrieving ID token: %w", err)
+ }
+ content := &sign.DSSEData{
+ Data: payload,
+ PayloadType: "application/vnd.in-toto+json",
+ }
+ bundle, err := cbundle.SignData(content, keypair, idToken, c.SigningConfig, c.TrustedMaterial)
+ if err != nil {
+ return fmt.Errorf("signing bundle: %w", err)
+ }
+ if err := os.WriteFile(c.BundlePath, bundle, 0600); err != nil {
+ return fmt.Errorf("create bundle file: %w", err)
+ }
+ ui.Infof(ctx, "Wrote bundle to file %s", c.BundlePath)
+ return nil
+ }
+
+ sv, err := cosign_sign.SignerFromKeyOpts(ctx, c.CertPath, c.CertChainPath, c.KeyOpts)
+ if err != nil {
+ return fmt.Errorf("getting signer: %w", err)
+ }
+ defer sv.Close()
+ wrapped := sigstoredsse.WrapSigner(sv, types.IntotoPayloadType)
+
 sig, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx))
 if err != nil {
 return fmt.Errorf("signing: %w", err)
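Review bot: The SigningConfig branch hard-codes the DSSE payload type as the literal `"application/vnd.in-toto+json"` while the legacy path a few lines below passes `types.IntotoPayloadType` to `sigstoredsse.WrapSigner`; assuming the constant holds the same media type, `PayloadType: types.IntotoPayloadType,` keeps the two paths from drifting apart. The first guard's `fmt.Errorf("using a signing config currently only supports ...")` has no format verbs, so `errors.New(...)` (already used earlier in Exec) is the idiomatic form. Inside the branch, `keypair, err := ...` shadows the `var err error` declared earlier in the function; harmless here because every path in the block returns, but worth a `// err is scoped to this branch` comment or a plain `=` assignment for the first use. It is also not visible here whether TSA and tlog flags such as `TimestampServerURL` or `TlogUpload` are honoured or silently ignored when a signing config is supplied; if they are ignored, a short comment at the top of the branch saying that the signing config determines the Rekor and TSA endpoints would save the next reader a trip through `cbundle.SignData`.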
@@ -226,7 +270,7 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 if err != nil {
 return err
 }
- shouldUpload, err := sign.ShouldUploadToTlog(ctx, c.KeyOpts, nil, c.TlogUpload)
+ shouldUpload, err := cosign_sign.ShouldUploadToTlog(ctx, c.KeyOpts, nil, c.TlogUpload)
 if err != nil {
 return fmt.Errorf("upload to tlog: %w", err)
 }
@@ -314,7 +358,7 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 return nil
 }
 
-func makeNewBundle(sv *sign.SignerVerifier, rekorEntry *models.LogEntryAnon, payload, sig, signer, timestampBytes []byte) ([]byte, error) {
+func makeNewBundle(sv *cosign_sign.SignerVerifier, rekorEntry *models.LogEntryAnon, payload, sig, signer, timestampBytes []byte) ([]byte, error) {
 // Determine if signature is certificate or not
 var hint string
 var rawCert []byte
diff --git a/cmd/cosign/cli/attest_blob.go b/cmd/cosign/cli/attest_blob.go
index 022bd095e7f..55cc7fd2047 100644
--- a/cmd/cosign/cli/attest_blob.go
+++ b/cmd/cosign/cli/attest_blob.go
@@ -16,6 +16,7 @@ package cli
 
 import (
 "context"
+ "fmt"
 
 "github.com/sigstore/cosign/v2/cmd/cosign/cli/attest"
 "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate"
@@ -23,6 +24,7 @@ import (
 "github.com/sigstore/cosign/v2/internal/ui"
 "github.com/sigstore/cosign/v2/pkg/cosign"
 "github.com/sigstore/cosign/v2/pkg/cosign/env"
+ "github.com/sigstore/sigstore-go/pkg/root"
 "github.com/spf13/cobra"
 )
 
@@ -94,6 +96,23 @@ func AttestBlob() *cobra.Command {
 }
 ko.TrustedMaterial = trustedMaterial
 }
+ if (o.UseSigningConfig || o.SigningConfigPath != "") && o.BundlePath == "" {
+ return fmt.Errorf("must provide --bundle with --signing-config or --use-signing-config")
+ }
+ if o.UseSigningConfig {
+ signingConfig, err := cosign.SigningConfig()
+ if err != nil {
+ return fmt.Errorf("error getting signing config from TUF: %w", err)
+ }
+ ko.SigningConfig = signingConfig
+ } else if o.SigningConfigPath != "" {
+ signingConfig, err := root.NewSigningConfigFromPath(o.SigningConfigPath)
+ if err != nil {
+ return fmt.Errorf("error reading signing config from file: %w", err)
+ }
+ ko.SigningConfig = signingConfig
+ }
+
 v := attest.AttestBlobCommand{
 KeyOpts: ko,
 CertPath: o.Cert,
diff --git a/cmd/cosign/cli/fulcio/fulcio.go b/cmd/cosign/cli/fulcio/fulcio.go
index 4a6d753cc8e..e13e4902e1d 100644
--- a/cmd/cosign/cli/fulcio/fulcio.go
+++ b/cmd/cosign/cli/fulcio/fulcio.go
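Review bot: When both `--use-signing-config` and `--signing-config` are given, the `if o.UseSigningConfig { ... } else if o.SigningConfigPath != "" { ... }` chain silently takes the TUF-distributed config and ignores the file the user pointed at, which is surprising for a setting that decides which Fulcio, Rekor and TSA endpoints the signature is sent to; unless the options package already marks the two flags mutually exclusive (not visible here), an explicit guard such as `if o.UseSigningConfig && o.SigningConfigPath != "" { return errors.New("--use-signing-config and --signing-config are mutually exclusive") }` before the chain would make the precedence a hard error instead of a quiet default. The same applies to `--signing-config` combined with `--trusted-root` handling above the hunk, which is outside this view. Separately, the "error getting ..." and "error reading ..." prefixes are redundant once the error is wrapped with `%w`; `fmt.Errorf("getting signing config from TUF: %w", err)` matches the style of the wrapping in the attest package. The first added error has no format verbs, so `errors.New` is the idiomatic constructor there.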
@@ -24,44 +24,20 @@ import ( "os" "strings" - "github.com/go-jose/go-jose/v3/jwt" "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign/privacy" + "github.com/sigstore/cosign/v2/internal/auth" "github.com/sigstore/cosign/v2/internal/pkg/cosign/fulcio/fulcioroots" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/providers" "github.com/sigstore/fulcio/pkg/api" "github.com/sigstore/sigstore/pkg/cryptoutils" - "github.com/sigstore/sigstore/pkg/oauthflow" "github.com/sigstore/sigstore/pkg/signature" - "golang.org/x/term" ) -const ( - flowNormal = "normal" - flowDevice = "device" - flowToken = "token" - flowClientCredentials = "client_credentials" -) - -type oidcConnector interface { - OIDConnect(string, string, string, string) (*oauthflow.OIDCIDToken, error) -} - -type realConnector struct { - flow oauthflow.TokenGetter -} - -func (rf *realConnector) OIDConnect(url, clientID, secret, redirectURL string) (*oauthflow.OIDCIDToken, error) { - return oauthflow.OIDConnect(url, clientID, secret, redirectURL, rf.flow) -} - -func getCertForOauthID(sv signature.SignerVerifier, fc api.LegacyClient, connector oidcConnector, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string) (*api.CertificateResponse, error) { - tok, err := connector.OIDConnect(oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL) +// GetCert returns the PEM-encoded signature of the OIDC identity returned as part of an interactive oauth2 flow plus the PEM-encoded cert chain. +func GetCert(_ context.Context, sv signature.SignerVerifier, idToken, flow, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string, fClient api.LegacyClient) (*api.CertificateResponse, error) { + sub, tok, err := auth.AuthenticateCaller(flow, idToken, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL) if err != nil { return nil, err } - publicKey, err := sv.PublicKey() if err != nil { return nil, err 
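Review bot: The doc comment kept on `GetCert` is now wrong on two counts: the function returns an `*api.CertificateResponse`, not a "PEM-encoded signature of the OIDC identity", and with `auth.AuthenticateCaller` taking `flow` it serves the token, device and client-credentials flows as well as the interactive one. Suggested replacement: `// GetCert authenticates the caller with the selected OIDC flow, proves possession of sv's key by signing the token subject, and requests a signing certificate from Fulcio.` The `_ context.Context` parameter is still discarded, so the OIDC exchange and the Fulcio request cannot be cancelled by the caller; presumably that is pre-existing, but it is worth a `// TODO: thread ctx into auth and the Fulcio client` now that the auth path was rewritten. GetCert's body continues past the end of this hunk.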
@@ -71,7 +47,7 @@ func getCertForOauthID(sv signature.SignerVerifier, fc api.LegacyClient, connect return nil, err } // Sign the email address as part of the request - proof, err := sv.SignMessage(strings.NewReader(tok.Subject)) + proof, err := sv.SignMessage(strings.NewReader(sub)) if err != nil { return nil, err } @@ -83,26 +59,9 @@ func getCertForOauthID(sv signature.SignerVerifier, fc api.LegacyClient, connect SignedEmailAddress: proof, } - return fc.SigningCert(cr, tok.RawString) -} - -// GetCert returns the PEM-encoded signature of the OIDC identity returned as part of an interactive oauth2 flow plus the PEM-encoded cert chain. -func GetCert(_ context.Context, sv signature.SignerVerifier, idToken, flow, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string, fClient api.LegacyClient) (*api.CertificateResponse, error) { - c := &realConnector{} - switch flow { - case flowClientCredentials: - c.flow = oauthflow.NewClientCredentialsFlow(oidcIssuer) - case flowDevice: - c.flow = oauthflow.NewDeviceFlowTokenGetterForIssuer(oidcIssuer) - case flowNormal: - c.flow = oauthflow.DefaultIDTokenGetter - case flowToken: - c.flow = &oauthflow.StaticTokenGetter{RawToken: idToken} - default: - return nil, fmt.Errorf("unsupported oauth flow: %s", flow) - } + fmt.Fprintln(os.Stderr, "Retrieving signed certificate...") - return getCertForOauthID(sv, fClient, c, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL) + return fClient.SigningCert(cr, tok) } type Signer struct { 
@@ -118,65 +77,26 @@ func NewSigner(ctx context.Context, ko options.KeyOpts, signer signature.SignerV return nil, fmt.Errorf("creating Fulcio client: %w", err) } - idToken, err := idToken(ko.IDToken) + idToken, err := auth.ReadIDToken(ctx, ko.IDToken, ko.OIDCDisableProviders, ko.OIDCProvider) if err != nil { - return nil, fmt.Errorf("getting id token: %w", err) + return nil, fmt.Errorf("reading id token: %w", err) } - var provider providers.Interface - // If token is not set in the options, get one from the provders - if idToken == "" && providers.Enabled(ctx) && !ko.OIDCDisableProviders { - if ko.OIDCProvider != "" { - provider, err = providers.ProvideFrom(ctx, ko.OIDCProvider) - if err != nil { - return nil, fmt.Errorf("getting provider: %w", err) - } - idToken, err = provider.Provide(ctx, "sigstore") - } else { - idToken, err = providers.Provide(ctx, "sigstore") - } - if err != nil { - return nil, fmt.Errorf("fetching ambient OIDC credentials: %w", err) - } - } - - fmt.Fprintln(os.Stderr, "Retrieving signed certificate...") - var flow string - switch { - case ko.FulcioAuthFlow != "": - // Caller manually set flow option. - flow = ko.FulcioAuthFlow - case idToken != "": - flow = flowToken - case !term.IsTerminal(0): - fmt.Fprintln(os.Stderr, "Non-interactive mode detected, using device flow.") - flow = flowDevice - default: - var statementErr error - privacy.StatementOnce.Do(func() { - ui.Infof(ctx, privacy.Statement) - ui.Infof(ctx, privacy.StatementConfirmation) - if !ko.SkipConfirmation { - if err := ui.ConfirmContinue(ctx); err != nil { - statementErr = err - } - } - }) - if statementErr != nil { - return nil, statementErr - } - flow = flowNormal + flow, err := auth.GetOAuthFlow(ctx, ko.FulcioAuthFlow, idToken, ko.SkipConfirmation) + if err != nil { + return nil, fmt.Errorf("setting auth flow: %w", err) } - Resp, err := GetCert(ctx, signer, idToken, flow, ko.OIDCIssuer, ko.OIDCClientID, ko.OIDCClientSecret, ko.OIDCRedirectURL, fClient) // TODO, use the chain. 
+ + resp, err := GetCert(ctx, signer, idToken, flow, ko.OIDCIssuer, ko.OIDCClientID, ko.OIDCClientSecret, ko.OIDCRedirectURL, fClient) if err != nil { return nil, fmt.Errorf("retrieving cert: %w", err) } f := &Signer{ SignerVerifier: signer, - Cert: Resp.CertPEM, - Chain: Resp.ChainPEM, - SCT: Resp.SCT, + Cert: resp.CertPEM, + Chain: resp.ChainPEM, + SCT: resp.SCT, } return f, nil @@ -204,16 +124,3 @@ func NewClient(fulcioURL string) (api.LegacyClient, error) { fClient := api.NewClient(fulcioServer, api.WithUserAgent(options.UserAgent())) return fClient, nil } - -// idToken allows users to either pass in an identity token directly -// or a path to an identity token via the --identity-token flag -func idToken(s string) (string, error) { - // If this is a valid raw token or is empty, just return it - if _, err := jwt.ParseSigned(s); err == nil || s == "" { - return s, nil - } - - // Otherwise, if this is a path to a token return the contents - c, err := os.ReadFile(s) - return string(c), err -} diff --git a/cmd/cosign/cli/fulcio/fulcio_test.go b/cmd/cosign/cli/fulcio/fulcio_test.go index a4a8783a4fe..3b0fb51fb81 100644 --- a/cmd/cosign/cli/fulcio/fulcio_test.go +++ b/cmd/cosign/cli/fulcio/fulcio_test.go @@ -33,23 +33,9 @@ import ( "github.com/sigstore/cosign/v2/test" "github.com/sigstore/fulcio/pkg/api" "github.com/sigstore/sigstore/pkg/cryptoutils" - "github.com/sigstore/sigstore/pkg/oauthflow" "github.com/sigstore/sigstore/pkg/signature" ) -type testFlow struct { - idt *oauthflow.OIDCIDToken - email string - err error -} - -func (tf *testFlow) OIDConnect(url, clientID, secret, redirectURL string) (*oauthflow.OIDCIDToken, error) { //nolint: revive - if tf.err != nil { - return nil, tf.err - } - return tf.idt, nil -} - type testClient struct { payload api.CertificateResponse rootResp api.RootResponse 
@@ -88,19 +74,15 @@ func TestGetCertForOauthID(t *testing.T) { expectErr bool }{{ - desc: "happy case", - email: "example@oidc.id", - accessToken: "abc123foobar", + desc: "happy case", + email: "example@oidc.id", + // Generated from https://justtrustme.dev/token?sub=test + accessToken: "eyJhbGciOiJSUzI1NiIsImtpZCI6ImFhOWE1YjA5LTExMzktNGU2YS1hNjMxLTA2ZTU3NDU4NzI0MSJ9.eyJleHAiOjE3NTQwMjk5ODcsImlhdCI6MTc1NDAyODE4NywiaXNzIjoiaHR0cHM6Ly9qdXN0dHJ1c3RtZS5kZXYiLCJzdWIiOiJ0ZXN0In0.Fyp07QRXbuK65WKVKE6S7UgB9hvmNeyqWvcCWUvhMAwHwHl9EoRNwE-a5uBXgBgLUfbOCBHfc9fBIEEayzR1dRgfUXouOSIiZYr3DZNyGLdSiptL7wQRNy4rEiW44XCYFcbOuiWaii8icQUnOUO_TehgZHqSDvBSNQZcW-Rtx4A1us-CfVtrjqSNj_d0lCNEZ-vpL-Wp7JkOKzR0bN2KzYhVYHRe-pmvrzMWFfI17khB4wE6wj3e_PjDHAKS1EqGRrIgbr5jFcv9iGaf0zTnyZ_fxCmQM2Xe1u3kFlcCS0HondSJkxQoZRnK_OZHujNyWBT6cONg7Wvclkco3LulRw", }, { - desc: "getIDToken error", - email: "example@oidc.id", - accessToken: "abc123foobar", - tokenGetterErr: errors.New("getIDToken() failed"), - expectErr: true, - }, { - desc: "SigningCert error", - email: "example@oidc.id", - accessToken: "abc123foobar", + desc: "SigningCert error", + email: "example@oidc.id", + // Generated from https://justtrustme.dev/token?sub=test + accessToken: "eyJhbGciOiJSUzI1NiIsImtpZCI6ImFhOWE1YjA5LTExMzktNGU2YS1hNjMxLTA2ZTU3NDU4NzI0MSJ9.eyJleHAiOjE3NTQwMjk5NTMsImlhdCI6MTc1NDAyODE1MywiaXNzIjoiaHR0cHM6Ly9qdXN0dHJ1c3RtZS5kZXYifQ.n2JrybZ64bCeSvVVPYIEf2x9aZM-Xxwzdkq_DcPuPJuwEINFJBRiOsJ6R6MllV0YodQkshFB81YOQ4_QC5h5lfDmr-fmvxcIPw0Iw1oQkiNl73BpiWmT63dQ7DxPPnfCPW9xPmo3j8BTJ8zKNPXTyfwGEHjv6rJ56bMjRDNR0W78vG8di9R8ZCAPD7WOwWfFW4JTYrgNnsSfiTmFWl8Z5iYBnkEBCaEWldpgOuUhofQ_jdG_UbLyY3iXkOmfseKCOnYiWzp0CYbU5EYC8RHk4SfZ5JvG7rv7JPmPw2IFQdTjObX9vY6vLvP2-nMj_7hAUbBWzci9bQOAx-W7usd4qA", signingCertErr: errors.New("SigningCert() failed"), expectErr: true, }} 
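Review bot: The comment above the second token claims it was generated with `?sub=test`, but its payload segment decodes to `{"exp":1754029953,"iat":1754028153,"iss":"https://justtrustme.dev"}` with no `sub` claim, so either regenerate the token or change the comment to `// Generated from https://justtrustme.dev/token (no sub claim)`. Both tokens also carry fixed `exp` values from early August 2025; the test only keeps passing because the parse path does not validate claims, and a one-line comment such as `// exp is in the past; the token is only parsed, never validated` would spare the next person who adds expiry checking an unexplained failure. The test function continues outside the hunk.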
@@ -121,16 +103,7 @@ func TestGetCertForOauthID(t *testing.T) { err: tc.signingCertErr, } - tf := testFlow{ - email: tc.email, - idt: &oauthflow.OIDCIDToken{ - RawString: tc.accessToken, - }, - err: tc.tokenGetterErr, - } - - resp, err := getCertForOauthID(sv, tscp, &tf, "", "", "", "") - + resp, err := GetCert(context.TODO(), sv, tc.accessToken, "token", "", "", "", "", tscp) if err != nil { if !tc.expectErr { t.Fatalf("getCertForOauthID returned error: %v", err) @@ -202,8 +175,8 @@ func TestNewSigner(t *testing.T) { ctx := context.TODO() ko := options.KeyOpts{ OIDCDisableProviders: true, - // random test token - IDToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c", + // Generated from https://justtrustme.dev/token?sub=test + IDToken: "eyJhbGciOiJSUzI1NiIsImtpZCI6ImFhOWE1YjA5LTExMzktNGU2YS1hNjMxLTA2ZTU3NDU4NzI0MSJ9.eyJleHAiOjE3NTQwMjk5ODcsImlhdCI6MTc1NDAyODE4NywiaXNzIjoiaHR0cHM6Ly9qdXN0dHJ1c3RtZS5kZXYiLCJzdWIiOiJ0ZXN0In0.Fyp07QRXbuK65WKVKE6S7UgB9hvmNeyqWvcCWUvhMAwHwHl9EoRNwE-a5uBXgBgLUfbOCBHfc9fBIEEayzR1dRgfUXouOSIiZYr3DZNyGLdSiptL7wQRNy4rEiW44XCYFcbOuiWaii8icQUnOUO_TehgZHqSDvBSNQZcW-Rtx4A1us-CfVtrjqSNj_d0lCNEZ-vpL-Wp7JkOKzR0bN2KzYhVYHRe-pmvrzMWFfI17khB4wE6wj3e_PjDHAKS1EqGRrIgbr5jFcv9iGaf0zTnyZ_fxCmQM2Xe1u3kFlcCS0HondSJkxQoZRnK_OZHujNyWBT6cONg7Wvclkco3LulRw", FulcioURL: testServer.URL, FulcioAuthFlow: "token", } diff --git a/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier_test.go b/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier_test.go index c0b11006ec1..6b8d2b6b302 100644 --- a/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier_test.go +++ b/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier_test.go 
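Review bot: The failure message just below the new call still reads `t.Fatalf("getCertForOauthID returned error: %v", err)`, naming a function this commit deletes; it should be `t.Fatalf("GetCert returned error: %v", err)`. With the fake `testFlow` gone, the table no longer exercises a token-getter failure (the `getIDToken error` case was dropped in the previous hunk), so the only error path covered is the Fulcio `SigningCert` failure; if `auth.AuthenticateCaller` rejects a malformed token in the `"token"` flow, a case with `accessToken: "not-a-jwt"` and `expectErr: true` would restore that coverage.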
@@ -168,8 +168,8 @@ func TestNewSigner(t *testing.T) { ctx := context.Background() ko := options.KeyOpts{ OIDCDisableProviders: true, - // random test token - IDToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c", + // Generated from https://justtrustme.dev/token?sub=test-subject + IDToken: "eyJhbGciOiJSUzI1NiIsImtpZCI6ImFhOWE1YjA5LTExMzktNGU2YS1hNjMxLTA2ZTU3NDU4NzI0MSJ9.eyJleHAiOjE3NTQwMjgzODMsImlhdCI6MTc1NDAyNjU4MywiaXNzIjoiaHR0cHM6Ly9qdXN0dHJ1c3RtZS5kZXYiLCJzdWIiOiJ0ZXN0LXN1YmplY3QifQ.lfLAxD5XnbtvmGbgJTTV8nLDxUk9_KemdFG3_HydIWwLdKR86KYwwJn_5ONdycVuNluLOx96xA6jc4m1CjzH9N5Dafw4MQpjzXJWFlhM9sehW8VU_TzH1lEfY3KTxwDBRkZnVGXr3bJGowfdTyWLJxgl16nVTqsRAqIsTE4SEVHscDP1r5T0_B7RQ4Sjih1Z7zlIYzXxpAiVCOZ321Gqgxtej_xPfZ9rk1Z5-Uw-8sc6spog8Uca3kqumncPgM0su1ww5bWmawb4msqUnoOcPCPo-oywC-gdssWt_HmFPRhvREvdv5eYNDfp1bjS-nWAGJN7a4iO9qGBJed7zI6JNA", FulcioURL: testServer.URL, FulcioAuthFlow: "token", } @@ -183,12 +183,14 @@ func TestNewSigner(t *testing.T) { } fs, err := NewSigner(ctx, ko, sv) + if err != nil { + t.Fatal(err) + } if test.embeddedSCT { assert.Empty(t, fs.SCT) } else { assert.NotEmpty(t, fs.SCT) } - assert.NoError(t, err) }) } } diff --git a/cmd/cosign/cli/options/attest_blob.go b/cmd/cosign/cli/options/attest_blob.go index 5b1b8135694..b68a53e7ae4 100644 --- a/cmd/cosign/cli/options/attest_blob.go +++ b/cmd/cosign/cli/options/attest_blob.go @@ -50,6 +50,9 @@ type AttestBlobOptions struct { Fulcio FulcioOptions OIDC OIDCOptions SecurityKey SecurityKeyOptions + + UseSigningConfig bool + SigningConfigPath string } var _ Interface = (*AttestOptions)(nil) 
@@ -97,6 +100,13 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", false, "output bundle in new format that contains all verification material") + // TODO: have this default to true as a breaking change + cmd.Flags().BoolVar(&o.UseSigningConfig, "use-signing-config", false, + "whether to use a TUF-provided signing config for the service URLs. Must provide --bundle, which will output verification material in the new format") + + cmd.Flags().StringVar(&o.SigningConfigPath, "signing-config-path", "", + "path to a signing config file. Must provide --bundle, which will output verification material in the new format") + cmd.Flags().StringVar(&o.Hash, "hash", "", "hash of blob in hexadecimal (base16). Used if you want to sign an artifact stored elsewhere and have the hash") _ = cmd.RegisterFlagCompletionFunc("hash", cobra.NoFileCompletions) diff --git a/cmd/cosign/cli/options/key.go b/cmd/cosign/cli/options/key.go index 2cae8d5cdbe..07326895770 100644 --- a/cmd/cosign/cli/options/key.go +++ b/cmd/cosign/cli/options/key.go @@ -59,4 +59,7 @@ type KeyOpts struct { // TrustedMaterial contains trusted metadata for all Sigstore services. It is exclusive with RekorPubKeys, RootCerts, IntermediateCerts, CTLogPubKeys, and the TSA* cert fields. TrustedMaterial root.TrustedMaterial + + // SigningConfig contains the list of service URLs for Sigstore services. + SigningConfig *root.SigningConfig } diff --git a/cmd/cosign/cli/options/signblob.go b/cmd/cosign/cli/options/signblob.go index 5afff3c8079..2081e109548 100644 --- a/cmd/cosign/cli/options/signblob.go +++ b/cmd/cosign/cli/options/signblob.go @@ -43,6 +43,9 @@ type SignBlobOptions struct { TSAServerURL string RFC3161TimestampPath string IssueCertificate bool + + UseSigningConfig bool + SigningConfigPath string } var _ Interface = (*SignBlobOptions)(nil) 
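Review bot: Nothing prevents a user from passing both `--use-signing-config` and `--signing-config-path`; the command wiring then uses the TUF config and ignores the file without a word. If the vendored cobra version provides it, add `cmd.MarkFlagsMutuallyExclusive("use-signing-config", "signing-config-path")` after the two declarations so the conflict is rejected at parse time. Since `signing-config-path` is a file path, registering it with `_ = cmd.MarkFlagFilename("signing-config-path")` would also give it the same completion treatment as the `hash` flag below gets via `RegisterFlagCompletionFunc`. The `AddFlags` method continues outside the hunk.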
@@ -81,6 +84,13 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", false, "output bundle in new format that contains all verification material") + // TODO: have this default to true as a breaking change + cmd.Flags().BoolVar(&o.UseSigningConfig, "use-signing-config", false, + "whether to use a TUF-provided signing config for the service URLs. Must provide --bundle, which will output verification material in the new format") + + cmd.Flags().StringVar(&o.SigningConfigPath, "signing-config-path", "", + "path to a signing config file. Must provide --bundle, which will output verification material in the new format") + cmd.Flags().BoolVarP(&o.SkipConfirmation, "yes", "y", false, "skip confirmation prompts for non-destructive operations") diff --git a/cmd/cosign/cli/sign/sign_blob.go b/cmd/cosign/cli/sign/sign_blob.go index c01e7952044..ab2f73096df 100644 --- a/cmd/cosign/cli/sign/sign_blob.go +++ b/cmd/cosign/cli/sign/sign_blob.go @@ -22,6 +22,7 @@ import ( "encoding/base64" "encoding/json" "fmt" + "io" "os" "path/filepath" @@ -29,6 +30,7 @@ import ( "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor" + "github.com/sigstore/cosign/v2/internal/auth" internal "github.com/sigstore/cosign/v2/internal/pkg/cosign" "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa" "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client" @@ -38,6 +40,7 @@ import ( protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" "github.com/sigstore/rekor/pkg/generated/models" + "github.com/sigstore/sigstore-go/pkg/sign" "github.com/sigstore/sigstore/pkg/cryptoutils" signatureoptions "github.com/sigstore/sigstore/pkg/signature/options" ) 
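Review bot: As in the attest-blob options, `--use-signing-config` and `--signing-config-path` can both be set and the later command code silently takes the TUF one; `cmd.MarkFlagsMutuallyExclusive("use-signing-config", "signing-config-path")` after these declarations (if the vendored cobra has it) makes the conflict a parse-time error. The help text promises "Must provide --bundle", but that requirement is only enforced in the command's RunE; a note in the help such as `(validated at run time)` or a `MarkFlagsRequiredTogether`-style check would make the contract visible from `--help`. `AddFlags` continues outside the hunk.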
@@ -61,6 +64,46 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string
 payload = internal.NewHashReader(f, sha256.New())
 }
 
+ if ko.SigningConfig != nil {
+ // TODO(#4327): Only ephemeral keys are currently supported
+ // Need to add support for self-managed keys (e.g. PKCS11, KMS, on disk)
+ // and determine if we want to store certificates for those as well.
+ if ko.Sk || ko.Slot != "" || ko.KeyRef != "" {
+ return nil, fmt.Errorf("using a signing config currently only supports signing with ephemeral keys and Fulcio")
+ }
+ keypair, err := sign.NewEphemeralKeypair(nil)
+ if err != nil {
+ return nil, fmt.Errorf("generating keypair: %w", err)
+ }
+ idToken, err := auth.RetrieveIDToken(ctx, auth.IDTokenConfig{
+ TokenOrPath: ko.IDToken,
+ DisableProviders: ko.OIDCDisableProviders,
+ Provider: ko.OIDCProvider,
+ AuthFlow: ko.FulcioAuthFlow,
+ SkipConfirm: ko.SkipConfirmation,
+ OIDCServices: ko.SigningConfig.OIDCProviderURLs(),
+ ClientID: ko.OIDCClientID,
+ ClientSecret: ko.OIDCClientSecret,
+ RedirectURL: ko.OIDCRedirectURL,
+ })
+ data, err := io.ReadAll(&payload)
+ if err != nil {
+ return nil, fmt.Errorf("reading payload: %w", err)
+ }
+ content := &sign.PlainData{
+ Data: data,
+ }
+ bundle, err := cbundle.SignData(content, keypair, idToken, ko.SigningConfig, ko.TrustedMaterial)
+ if err != nil {
+ return nil, fmt.Errorf("signing bundle: %w", err)
+ }
+ if err := os.WriteFile(ko.BundlePath, bundle, 0600); err != nil {
+ return nil, fmt.Errorf("create bundle file: %w", err)
+ }
+ ui.Infof(ctx, "Wrote bundle to file %s", ko.BundlePath)
+ return bundle, nil
+ }
+
 sv, err := SignerFromKeyOpts(ctx, "", "", ko)
 if err != nil {
 return nil, err
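Review bot: The error returned by `auth.RetrieveIDToken` is never examined — the next statement `data, err := io.ReadAll(&payload)` overwrites `err`, so an aborted browser flow, a missing ambient provider or an unreadable `--identity-token` path continues with an empty `idToken` into `cbundle.SignData`, and the user gets whatever Fulcio or sigstore-go say about a blank token instead of the real cause. Insert `if err != nil { return nil, fmt.Errorf("retrieving ID token: %w", err) }` immediately after the `})` that closes the `IDTokenConfig` literal; staticcheck's ineffectual-assignment check would flag the current code. On this path `ko.TlogUpload`, `ko.TSAServerURL` and `ko.NewBundleFormat` are not consulted at all, so if ignoring them is intentional a comment saying the signing config decides those services would help, and if not the flags should be rejected rather than silently dropped. SignBlobCmd starts and ends outside the hunk.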
@@ -101,7 +144,6 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string } rfc3161Timestamp = cbundle.TimestampToRFC3161Timestamp(timestampBytes) - // TODO: Consider uploading RFC3161 TS to Rekor if rfc3161Timestamp == nil { return nil, fmt.Errorf("rfc3161 timestamp is nil") diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go index 8909b9f90ac..490f29b15c5 100644 --- a/cmd/cosign/cli/signblob.go +++ b/cmd/cosign/cli/signblob.go @@ -26,6 +26,7 @@ import ( "github.com/sigstore/cosign/v2/internal/ui" "github.com/sigstore/cosign/v2/pkg/cosign" "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/sigstore-go/pkg/root" "github.com/spf13/cobra" "github.com/spf13/viper" ) @@ -106,6 +107,22 @@ func SignBlob() *cobra.Command { } ko.TrustedMaterial = trustedMaterial } + if (o.UseSigningConfig || o.SigningConfigPath != "") && o.BundlePath == "" { + return fmt.Errorf("must provide --bundle with --signing-config or --use-signing-config") + } + if o.UseSigningConfig { + signingConfig, err := cosign.SigningConfig() + if err != nil { + return fmt.Errorf("error getting signing config from TUF: %w", err) + } + ko.SigningConfig = signingConfig + } else if o.SigningConfigPath != "" { + signingConfig, err := root.NewSigningConfigFromPath(o.SigningConfigPath) + if err != nil { + return fmt.Errorf("error reading signing config from file: %w", err) + } + ko.SigningConfig = signingConfig + } for _, blob := range args { // TODO: remove when the output flag has been deprecated diff --git a/doc/cosign_attest-blob.md b/doc/cosign_attest-blob.md index 3a46e1fbafd..f7dc67e9933 100644 --- a/doc/cosign_attest-blob.md +++ b/doc/cosign_attest-blob.md 
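Review bot: The block added to `SignBlob` is a verbatim copy of the one added to cmd/cosign/cli/attest_blob.go in this commit, down to the error message naming a `--signing-config` flag that is not registered (the flag is `--signing-config-path`). Extracting it into a single helper, e.g. `func signingConfigFromOptions(useTUF bool, path string) (*root.SigningConfig, error)`, would fix the message once and keep the two commands from drifting as the TODO about defaulting `--use-signing-config` to true is acted on. The enclosing RunE closure starts and ends outside the hunk.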
@@ -57,6 +57,7 @@ cosign attest-blob [flags] --rekor-entry-type string specifies the type to be used for a rekor entry upload (dsse|intoto) (default "dsse") --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") --rfc3161-timestamp-bundle string path to an RFC 3161 timestamp bundle FILE + --signing-config-path string path to a signing config file. Must provide --bundle, which will output verification material in the new format --sk whether to use a hardware security key --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management) --statement string path to the statement file. @@ -67,6 +68,7 @@ cosign attest-blob [flags] --timestamp-server-url string url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr --tlog-upload whether or not to upload to the tlog (default true) --type string specify a predicate type (slsaprovenance|slsaprovenance02|slsaprovenance1|link|spdx|spdxjson|cyclonedx|vuln|openvex|custom) or an URI (default "custom") + --use-signing-config whether to use a TUF-provided signing config for the service URLs. Must provide --bundle, which will output verification material in the new format -y, --yes skip confirmation prompts for non-destructive operations ``` diff --git a/doc/cosign_sign-blob.md b/doc/cosign_sign-blob.md index d78f9fb250e..9648f882af9 100644 --- a/doc/cosign_sign-blob.md +++ b/doc/cosign_sign-blob.md 
@@ -57,6 +57,7 @@ cosign sign-blob [flags] --output-signature string write the signature to FILE --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") --rfc3161-timestamp string write the RFC3161 timestamp to a file + --signing-config-path string path to a signing config file. Must provide --bundle, which will output verification material in the new format --sk whether to use a hardware security key --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management) --timestamp-client-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the TSA Server @@ -65,6 +66,7 @@ cosign sign-blob [flags] --timestamp-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the TSA Server --timestamp-server-url string url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr --tlog-upload whether or not to upload to the tlog (default true) + --use-signing-config whether to use a TUF-provided signing config for the service URLs. Must provide --bundle, which will output verification material in the new format -y, --yes skip confirmation prompts for non-destructive operations ``` diff --git a/go.mod b/go.mod index 1a1a8dfc4a6..463c5e7f81d 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936 github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 github.com/dustin/go-humanize v1.0.1 - github.com/go-jose/go-jose/v3 v3.0.4 + github.com/go-jose/go-jose/v4 v4.0.5 github.com/go-openapi/runtime v0.28.0 github.com/go-openapi/strfmt v0.23.0 github.com/go-openapi/swag v0.23.1 
@@ -37,7 +37,7 @@ require ( github.com/sigstore/rekor v1.4.0 github.com/sigstore/rekor-tiles v0.1.7-0.20250624231741-98cd4a77300f github.com/sigstore/sigstore v1.9.5 - github.com/sigstore/sigstore-go v1.1.0 + github.com/sigstore/sigstore-go v1.1.1-0.20250801180901-37e45ae9c250 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5 github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.6-0.20250729224751-181c5d3339b3 @@ -165,7 +165,6 @@ require ( github.com/globocom/go-buffer v1.2.2 // indirect github.com/go-chi/chi v4.1.2+incompatible // indirect github.com/go-ini/ini v1.67.0 // indirect - github.com/go-jose/go-jose/v4 v4.0.5 // indirect github.com/go-logr/logr v1.4.3 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-openapi/analysis v0.23.0 // indirect diff --git a/go.sum b/go.sum index c335a158e23..60b298c30a7 100644 --- a/go.sum +++ b/go.sum @@ -965,8 +965,6 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= -github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY= -github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE= github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA= github.com/go-latex/latex v0.0.0-20210118124228-b3d85cf34e07/go.mod h1:CO1AlKB2CSIqUrmQPqA0gdRIlnLEY0gK5JGjh37zN5U= 
@@ -1420,8 +1418,8 @@ github.com/sigstore/rekor-tiles v0.1.7-0.20250624231741-98cd4a77300f h1:zaqWahYA github.com/sigstore/rekor-tiles v0.1.7-0.20250624231741-98cd4a77300f/go.mod h1:1Epq0PQ73v5Z276rAY241JyaP8gtD64I6sgYIECHPvc= github.com/sigstore/sigstore v1.9.5 h1:Wm1LT9yF4LhQdEMy5A2JeGRHTrAWGjT3ubE5JUSrGVU= github.com/sigstore/sigstore v1.9.5/go.mod h1:VtxgvGqCmEZN9X2zhFSOkfXxvKUjpy8RpUW39oCtoII= -github.com/sigstore/sigstore-go v1.1.0 h1:NBfyvL/LiBIplnIZAtC7GtDZ7qj82A/GTpn0+5WV7BM= -github.com/sigstore/sigstore-go v1.1.0/go.mod h1:97lDVpZVBCTFX114KPAManEsShVe934KyaVhZGhPVBM= +github.com/sigstore/sigstore-go v1.1.1-0.20250801180901-37e45ae9c250 h1:Tw7WOXA0vtHfHL0QmF5NWsZtFvYWObtZ0BUhEHe4WBo= +github.com/sigstore/sigstore-go v1.1.1-0.20250801180901-37e45ae9c250/go.mod h1:97lDVpZVBCTFX114KPAManEsShVe934KyaVhZGhPVBM= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 h1:qp2VFyKuFQvTGmZwk5Q7m5nE4NwnF9tHwkyz0gtWAck= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5/go.mod h1:DKlQjjr+GsWljEYPycI0Sf8URLCk4EbGA9qYjF47j4g= github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5 h1:CRZcdYn5AOptStsLRAAACudAVmb1qUbhMlzrvm7ju3o= @@ -1622,7 +1620,6 @@ golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I= golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= -golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM= golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY= golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -1894,7 +1891,6 @@ golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA= golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= @@ -1908,7 +1904,6 @@ golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo= golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= -golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg= golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1929,7 +1924,6 @@ golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4= golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= diff --git a/internal/auth/auth.go b/internal/auth/auth.go new file mode 100644 index 00000000000..f820cfb7305 --- /dev/null +++ b/internal/auth/auth.go 
@@ -0,0 +1,172 @@ +// Copyright 2025 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package auth + +import ( + "context" + "fmt" + "os" + "time" + + "github.com/go-jose/go-jose/v4" + "github.com/go-jose/go-jose/v4/jwt" + "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign/privacy" + "github.com/sigstore/cosign/v2/internal/ui" + "github.com/sigstore/cosign/v2/pkg/providers" + "github.com/sigstore/sigstore-go/pkg/root" + "github.com/sigstore/sigstore/pkg/oauthflow" + "golang.org/x/term" +) + +const ( + flowNormal = "normal" + flowDevice = "device" + flowToken = "token" + flowClientCredentials = "client_credentials" +) + +var SigstoreOIDCIssuerAPIVersions = []uint32{1} + +type IDTokenConfig struct { + TokenOrPath string + DisableProviders bool + Provider string + AuthFlow string + SkipConfirm bool + OIDCServices []root.Service + ClientID string + ClientSecret string + RedirectURL string +} + +// RetrieveIDToken returns an ID token from one of the following sources: +// * Flag value +// * File, path provided by flag +// * Provider, e.g. 
a well-known location of a token for an environment like K8s or CI/CD +// * OpenID Connect authentication protocol +func RetrieveIDToken(ctx context.Context, c IDTokenConfig) (string, error) { + idToken, err := ReadIDToken(ctx, c.TokenOrPath, c.DisableProviders, c.Provider) + if err != nil { + return "", fmt.Errorf("reading ID token: %w", err) + } + if idToken != "" { + return idToken, nil + } + flow, err := GetOAuthFlow(ctx, c.AuthFlow, idToken, c.SkipConfirm) + if err != nil { + return "", fmt.Errorf("setting auth flow: %w", err) + } + oidcIssuerSvc, err := root.SelectService(c.OIDCServices, SigstoreOIDCIssuerAPIVersions, time.Now()) + if err != nil { + return "", fmt.Errorf("selecting OIDC issuer: %w", err) + } + _, idToken, err = AuthenticateCaller(flow, idToken, oidcIssuerSvc.URL, c.ClientID, c.ClientSecret, c.RedirectURL) + if err != nil { + return "", fmt.Errorf("authenticating caller: %w", err) + } + return idToken, err +} + +// ReadIDToken returns an OpenID Connect token from either a file or a well-known location from an identity provider +func ReadIDToken(ctx context.Context, tokOrPath string, disableProviders bool, oidcProvider string) (string, error) { + idToken, err := idToken(tokOrPath) + if err != nil { + return "", fmt.Errorf("getting id token: %w", err) + } + var provider providers.Interface + // If token is not set in the options, get one from the provders + if idToken == "" && providers.Enabled(ctx) && !disableProviders { + if oidcProvider != "" { + provider, err = providers.ProvideFrom(ctx, oidcProvider) + if err != nil { + return "", fmt.Errorf("getting provider: %w", err) + } + idToken, err = provider.Provide(ctx, "sigstore") + } else { + idToken, err = providers.Provide(ctx, "sigstore") + } + if err != nil { + return "", fmt.Errorf("fetching ambient OIDC credentials: %w", err) + } + } + return idToken, nil +} + +// GetOAuthFlow returns authentication flow that the client will initiate +func GetOAuthFlow(ctx context.Context, authFlow, idToken 
string, skipConfirm bool) (string, error) { + var flow string + switch { + case authFlow != "": + // Caller manually set flow option. + flow = authFlow + case idToken != "": + flow = flowToken + case !term.IsTerminal(0): + fmt.Fprintln(os.Stderr, "Non-interactive mode detected, using device flow.") + flow = flowDevice + default: + var statementErr error + privacy.StatementOnce.Do(func() { + ui.Infof(ctx, privacy.Statement) + ui.Infof(ctx, privacy.StatementConfirmation) + if !skipConfirm { + if err := ui.ConfirmContinue(ctx); err != nil { + statementErr = err + } + } + }) + if statementErr != nil { + return "", statementErr + } + flow = flowNormal + } + return flow, nil +} + +// AuthenticateCaller performs an OpenID Connect authentication to exchange credentials for an identity token +func AuthenticateCaller(flow, idToken, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string) (string, string, error) { + var tokenGetter oauthflow.TokenGetter + switch flow { + case flowClientCredentials: + tokenGetter = oauthflow.NewClientCredentialsFlow(oidcIssuer) + case flowDevice: + tokenGetter = oauthflow.NewDeviceFlowTokenGetterForIssuer(oidcIssuer) + case flowNormal: + tokenGetter = oauthflow.DefaultIDTokenGetter + case flowToken: + tokenGetter = &oauthflow.StaticTokenGetter{RawToken: idToken} + default: + return "", "", fmt.Errorf("unsupported oauth flow: %s", flow) + } + + tok, err := oauthflow.OIDConnect(oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL, tokenGetter) + if err != nil { + return "", "", err + } + return tok.Subject, tok.RawString, nil +} + +// idToken allows users to either pass in an identity token directly +// or a path to an identity token via the --identity-token flag +func idToken(s string) (string, error) { + // If this is a valid raw token or is empty, just return it + if _, err := jwt.ParseSigned(s, []jose.SignatureAlgorithm{"RS256"}); err == nil || s == "" { + return s, nil + } + + // Otherwise, if this is a path to a token 
return the contents + c, err := os.ReadFile(s) + return string(c), err +} diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go new file mode 100644 index 00000000000..77633ad525a --- /dev/null +++ b/internal/auth/auth_test.go 
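Review bot: `idToken` (the last function in the hunk) falls through to `os.ReadFile(s)` whenever `jwt.ParseSigned` rejects the value, and because `RS256` is the only algorithm in the allowed list, a token signed with any other algorithm is treated as a file path; the resulting `*os.PathError` carries `s` verbatim, so the full credential is echoed into the error that `ReadIDToken` wraps and that callers may log. I would stat the path first and return a message that does not repeat the input when it is neither a parseable JWT nor an existing file, as below. Separately, `ReadIDToken` declares a local `idToken` that shadows the `idToken` function it has just called, which compiles but reads badly (`tok, err := idToken(tokOrPath)` avoids it), and the exported `IDTokenConfig` and `SigstoreOIDCIssuerAPIVersions` have no doc comments, e.g. `// IDTokenConfig holds the inputs RetrieveIDToken consults, in priority order: a raw token or path, ambient providers, then an OIDC flow against OIDCServices.`
```go
// … unchanged: jwt.ParseSigned check that returns s when it parses or is empty …
	// Only treat s as a path once it is known to exist; the generic error
	// keeps a credential that merely failed to parse out of the error text.
	if _, err := os.Stat(s); err != nil {
		return "", fmt.Errorf("identity token is neither a JWT using a supported algorithm nor a readable file")
	}
	c, err := os.ReadFile(s)
	if err != nil {
		return "", fmt.Errorf("reading identity token file: %w", err)
	}
	return string(c), nil
```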
@@ -0,0 +1,208 @@ +// Copyright 2025 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package auth + +import ( + "context" + "errors" + "os" + "path/filepath" + "testing" + + "github.com/sigstore/cosign/v2/pkg/providers" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +var ( + // Generated from https://justtrustme.dev/token?sub=test-subject + dummyJWT = "eyJhbGciOiJSUzI1NiIsImtpZCI6ImFhOWE1YjA5LTExMzktNGU2YS1hNjMxLTA2ZTU3NDU4NzI0MSJ9.eyJleHAiOjE3NTM4MzY1NTIsImlhdCI6MTc1MzgzNDc1MiwiaXNzIjoiaHR0cHM6Ly9qdXN0dHJ1c3RtZS5kZXYiLCJzdWIiOiJ0ZXN0LXN1YmplY3QifQ.WWNGLWQsSDcz0cFlGbMfmLkGaMpiAsVfik2vAj_YPIXNG6jgkMmIF69TbrwH-qlSfKNNI1GTktxlufsQwOUiseVdqV7fOCdvPhQsozHye8JT-AgZ9wcH3DGcdp-5R5KOKlFNXHFcBjI9lS0KIelWoJLj8YzisOi0hWRdAwpJwuselV-d7IlcLZhJiZO3n-d15YB4fRMpjTr_aj--hdec7ywzmCQqKL3XdAjAmR99JExMKs_w25-6K7akjVSE1lljf8Wf9CBfOlwvWKxXPvIwzE0DC2yWS103yWfGHEf3UbKPlF34Xqo6beHTnf9uiO0HdWTaQp2e0eShsQDX9hpIeg" +) + +func Test_idToken(t *testing.T) { + td := t.TempDir() + tokenFile := filepath.Join(td, "token.jwt") + err := os.WriteFile(tokenFile, []byte(dummyJWT), 0600) + require.NoError(t, err) + + nonExistentFile := filepath.Join(td, "nonexistent") + + tests := []struct { + name string + s string + want string + wantErr bool + }{ + { + name: "empty string", + s: "", + want: "", + }, + { + name: "valid jwt", + s: dummyJWT, + want: dummyJWT, + }, + { + name: "not a jwt or file", + s: "not-a-jwt", + wantErr: true, + }, + 
{ + name: "file path", + s: tokenFile, + want: dummyJWT, + }, + { + name: "non-existent file", + s: nonExistentFile, + wantErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := idToken(tt.s) + if (err != nil) != tt.wantErr { + t.Errorf("idToken() error = %v, wantErr %v", err, tt.wantErr) + return + } + if got != tt.want { + t.Errorf("idToken() = %v, want %v", got, tt.want) + } + }) + } +} + +type mockProvider struct { + token string + err error +} + +func (m *mockProvider) Enabled(_ context.Context) bool { + return true +} + +func (m *mockProvider) Provide(_ context.Context, _ string) (string, error) { + return m.token, m.err +} + +func TestReadIDToken(t *testing.T) { + ctx := context.Background() + td := t.TempDir() + tokenFile := filepath.Join(td, "token.jwt") + err := os.WriteFile(tokenFile, []byte(dummyJWT), 0600) + require.NoError(t, err) + + providers.Register("mock-success", &mockProvider{token: "mock-token"}) + providers.Register("mock-fail", &mockProvider{err: errors.New("mock error")}) + + tests := []struct { + name string + tokOrPath string + disableProviders bool + oidcProvider string + want string + wantErr bool + }{ + { + name: "raw token", + tokOrPath: dummyJWT, + want: dummyJWT, + }, + { + name: "token from file", + tokOrPath: tokenFile, + want: dummyJWT, + }, + { + name: "no token, providers disabled", + tokOrPath: "", + disableProviders: true, + want: "", + }, + { + name: "no token, specific provider success", + tokOrPath: "", + oidcProvider: "mock-success", + want: "mock-token", + }, + { + name: "no token, specific provider fail", + tokOrPath: "", + oidcProvider: "mock-fail", + wantErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := ReadIDToken(ctx, tt.tokOrPath, tt.disableProviders, tt.oidcProvider) + if (err != nil) != tt.wantErr { + t.Errorf("ReadIDToken() error = %v, wantErr %v", err, tt.wantErr) + return + } + if got != tt.want { + 
t.Errorf("ReadIDToken() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestGetOAuthFlow(t *testing.T) { + tests := []struct { + name string + authFlow string + idToken string + want string + }{ + { + name: "auth flow set explicitly", + authFlow: "client_credentials", + want: "client_credentials", + }, + { + name: "id token set", + idToken: dummyJWT, + want: "token", + }, + // Other flows can't be easily tested due to lack of interactivity + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := GetOAuthFlow(context.Background(), tt.authFlow, tt.idToken, false) + + if err != nil { + t.Errorf("GetOAuthFlow() error = %v", err) + } + if got != tt.want { + t.Errorf("GetOAuthFlow() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestAuthenticateCaller(t *testing.T) { + t.Run("token flow", func(t *testing.T) { + subject, token, err := AuthenticateCaller("token", dummyJWT, "", "", "", "") + require.NoError(t, err) + assert.Equal(t, "test-subject", subject) + assert.Equal(t, dummyJWT, token) + }) + + t.Run("unsupported flow", func(t *testing.T) { + _, _, err := AuthenticateCaller("bad-flow", "", "", "", "", "") + require.Error(t, err) + assert.Contains(t, err.Error(), "unsupported oauth flow") + }) +} diff --git a/pkg/cosign/bundle/sign.go b/pkg/cosign/bundle/sign.go new file mode 100644 index 00000000000..fbd6ac18be6 --- /dev/null +++ b/pkg/cosign/bundle/sign.go 
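Review bot: `dummyJWT` is documented only by its origin, but its payload segment decodes to an `exp` in mid-2025 that has already passed, so `Test_idToken` and `TestAuthenticateCaller` silently depend on neither `jwt.ParseSigned` nor the token flow validating expiry; a comment should say so, e.g. `// Expired token: these tests exercise parsing and subject extraction only, not claim validation.` `TestReadIDToken` registers `mock-success` and `mock-fail` with `providers.Register` and never removes them, and if that registry is package-global (it appears to be) the mocks stay visible to every later test in the binary, which deserves either a note or a `t.Cleanup` if the package offers a way to unregister. The `token flow` subtest passes an empty issuer to `AuthenticateCaller`, which presumably works only because `StaticTokenGetter` never contacts it — worth one line in the subtest.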
@@ -0,0 +1,126 @@ +// Copyright 2025 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package bundle + +import ( + "crypto/x509" + "encoding/pem" + "fmt" + "log" + "time" + + "github.com/sigstore/sigstore-go/pkg/root" + "github.com/sigstore/sigstore-go/pkg/sign" + "github.com/sigstore/sigstore/pkg/signature" + "google.golang.org/protobuf/encoding/protojson" +) + +func SignData(content sign.Content, keypair sign.Keypair, idToken string, signingConfig *root.SigningConfig, trustedMaterial root.TrustedMaterial) ([]byte, error) { + var opts sign.BundleOptions + + if trustedMaterial != nil { + opts.TrustedRoot = trustedMaterial + } + + if idToken != "" { + if len(signingConfig.FulcioCertificateAuthorityURLs()) == 0 { + return nil, fmt.Errorf("no fulcio URLs provided in signing config") + } + fulcioSvc, err := root.SelectService(signingConfig.FulcioCertificateAuthorityURLs(), sign.FulcioAPIVersions, time.Now()) + if err != nil { + return nil, err + } + fulcioOpts := &sign.FulcioOptions{ + BaseURL: fulcioSvc.URL, + Timeout: 30 * time.Second, + Retries: 1, + } + opts.CertificateProvider = sign.NewFulcio(fulcioOpts) + opts.CertificateProviderOptions = &sign.CertificateProviderOptions{ + IDToken: idToken, + } + } else { + publicKeyPem, err := keypair.GetPublicKeyPem() + if err != nil { + return nil, err + } + block, _ := pem.Decode([]byte(publicKeyPem)) + pubKey, err := x509.ParsePKIXPublicKey(block.Bytes) + if err != nil { + log.Fatal(err) + } 
+ verifier, err := signature.LoadDefaultVerifier(pubKey) + if err != nil { + log.Fatal(err) + } + key := root.NewExpiringKey(verifier, time.Time{}, time.Time{}) + keyTrustedMaterial := root.NewTrustedPublicKeyMaterial(func(_ string) (root.TimeConstrainedVerifier, error) { + return key, nil + }) + trustedMaterial := &verifyTrustedMaterial{ + TrustedMaterial: opts.TrustedRoot, + keyTrustedMaterial: keyTrustedMaterial, + } + opts.TrustedRoot = trustedMaterial + } + + if len(signingConfig.TimestampAuthorityURLs()) != 0 { + tsaSvcs, err := root.SelectServices(signingConfig.TimestampAuthorityURLs(), + signingConfig.TimestampAuthorityURLsConfig(), sign.TimestampAuthorityAPIVersions, time.Now()) + if err != nil { + log.Fatal(err) + } + for _, tsaSvc := range tsaSvcs { + tsaOpts := &sign.TimestampAuthorityOptions{ + URL: tsaSvc.URL, + Timeout: 30 * time.Second, + Retries: 1, + } + opts.TimestampAuthorities = append(opts.TimestampAuthorities, sign.NewTimestampAuthority(tsaOpts)) + } + } + + if len(signingConfig.RekorLogURLs()) != 0 { + rekorSvcs, err := root.SelectServices(signingConfig.RekorLogURLs(), + signingConfig.RekorLogURLsConfig(), sign.RekorAPIVersions, time.Now()) + if err != nil { + return nil, err + } + for _, rekorSvc := range rekorSvcs { + rekorOpts := &sign.RekorOptions{ + BaseURL: rekorSvc.URL, + Timeout: 90 * time.Second, + Retries: 1, + Version: rekorSvc.MajorAPIVersion, + } + opts.TransparencyLogs = append(opts.TransparencyLogs, sign.NewRekor(rekorOpts)) + } + } + + bundle, err := sign.Bundle(content, keypair, opts) + if err != nil { + return nil, fmt.Errorf("error signing bundle: %w", err) + } + return protojson.Marshal(bundle) +} + +type verifyTrustedMaterial struct { + root.TrustedMaterial + keyTrustedMaterial root.TrustedMaterial +} + +func (v *verifyTrustedMaterial) PublicKeyVerifier(hint string) (root.TimeConstrainedVerifier, error) { + return v.keyTrustedMaterial.PublicKeyVerifier(hint) +} 
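Review bot: `SignData` calls `log.Fatal(err)` three times (after `x509.ParsePKIXPublicKey`, `signature.LoadDefaultVerifier` and the TSA `root.SelectServices`), terminating the embedding process from library code even though every other failure in the function is returned as an error; these should become `return nil, fmt.Errorf("...: %w", err)`, after which the `log` import is unused. In the same key branch `pem.Decode` returns a nil block for non-PEM input and `block.Bytes` is dereferenced without a check, so a malformed public key is a nil-pointer panic rather than an error. `signingConfig` is dereferenced unconditionally while `trustedMaterial` is nil-checked, so a nil signing config panics at `FulcioCertificateAuthorityURLs()`; if nil is not permitted, say so in a doc comment on the exported `SignData`, which currently has none. The rewritten key branch:
```go
	} else {
		publicKeyPem, err := keypair.GetPublicKeyPem()
		if err != nil {
			return nil, err
		}
		block, _ := pem.Decode([]byte(publicKeyPem))
		if block == nil {
			return nil, fmt.Errorf("public key is not PEM encoded")
		}
		pubKey, err := x509.ParsePKIXPublicKey(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing public key: %w", err)
		}
		verifier, err := signature.LoadDefaultVerifier(pubKey)
		if err != nil {
			return nil, fmt.Errorf("loading verifier: %w", err)
		}
		// … unchanged: expiring key and verifyTrustedMaterial wiring …
	}
	// … unchanged: TSA block, with its log.Fatal(err) replaced by return nil, err …
```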
diff --git a/pkg/cosign/tuf.go b/pkg/cosign/tuf.go index 2a7049feec4..22d7a804af8 100644 --- a/pkg/cosign/tuf.go +++ b/pkg/cosign/tuf.go @@ -38,6 +38,18 @@ func TrustedRoot() (root.TrustedMaterial, error) { return tr, nil } +func SigningConfig() (*root.SigningConfig, error) { + opts, err := setTUFOpts() + if err != nil { + return nil, fmt.Errorf("error setting TUF options: %w", err) + } + sc, err := root.FetchSigningConfigWithOptions(opts) + if err != nil { + return nil, fmt.Errorf("error getting signing config from TUF: %w", err) + } + return sc, nil +} + // setTUFOpts sets the TUF cache directory, the mirror URL, and the root.json in the TUF options. // The cache directory is provided by the user as an environment variable TUF_ROOT, or the default $HOME/.sigstore/root is used. // The mirror URL is provided by the user as an environment variable TUF_MIRROR. If not overridden by the user, the value set during `cosign initialize` in remote.json in the cache directory is used. diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go index 00206560992..cbfb5d6e5d3 100644 --- a/pkg/cosign/verify.go +++ b/pkg/cosign/verify.go @@ -247,7 +247,12 @@ func (co *CheckOpts) verificationOptions() (trustedMaterial root.TrustedMaterial } if !co.IgnoreTlog { - verifierOptions = append(verifierOptions, verify.WithTransparencyLog(1), verify.WithIntegratedTimestamps(1)) + verifierOptions = append(verifierOptions, verify.WithTransparencyLog(1)) + // Verifying a Fulcio certificate and no signed timestamp will be provided, so + // use the timestamp from the log. For Rekor v2, a signed timestamp must be provided. + if !co.UseSignedTimestamps && co.SigVerifier == nil { + verifierOptions = append(verifierOptions, verify.WithIntegratedTimestamps(1)) + } } if co.UseSignedTimestamps { verifierOptions = append(verifierOptions, verify.WithSignedTimestamps(1)) diff --git a/pkg/cosign/verify_bundle_test.go b/pkg/cosign/verify_bundle_test.go index a1c705c0362..e3f9cd38b24 100644 
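Review bot: `SigningConfig` is exported but has no doc comment, while `setTUFOpts` immediately below it is documented in detail; add one starting with the name, e.g. `// SigningConfig fetches the Sigstore signing config from the TUF repository selected by setTUFOpts (TUF_ROOT, TUF_MIRROR or the initialized remote).` Both new error strings begin with `error ...`, which is redundant once a caller wraps them with `%w`, but it matches the surrounding style so this is a note only. The enclosing file continues outside the hunk.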
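Review bot: The new condition `!co.UseSignedTimestamps && co.SigVerifier == nil` uses a nil `SigVerifier` as the proxy for "verifying a Fulcio certificate", but the comment above it does not say so, and the other case is left implicit: with a key-based `SigVerifier`, `IgnoreTlog` false and `UseSignedTimestamps` false, as far as this hunk shows the log entry is still required but no timestamp source at all is demanded. Spelling that out would make the trade-off reviewable, e.g. `// SigVerifier != nil means a bare key, which presumably has no validity window to anchor, so no timestamp is required; a Fulcio certificate does, so fall back to the log's integrated timestamp when no signed timestamp is expected (Rekor v2 entries carry none).` The enclosing `verificationOptions` continues outside the hunk.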
--- a/pkg/cosign/verify_bundle_test.go +++ b/pkg/cosign/verify_bundle_test.go @@ -43,6 +43,7 @@ type bundleMutator struct { eraseTSA bool eraseTlog bool + eraseSET bool } func (b *bundleMutator) Timestamps() ([][]byte, error) { @@ -56,6 +57,21 @@ func (b *bundleMutator) TlogEntries() ([]*tlog.Entry, error) { if b.eraseTlog { return []*tlog.Entry{}, nil } + if b.eraseSET { + var entries []*tlog.Entry + oldEntries, err := b.SignedEntity.TlogEntries() + if err != nil { + return nil, err + } + for _, entry := range oldEntries { + mutEntry, err := tlog.NewEntry([]byte(entry.Body().(string)), entry.IntegratedTime().Unix(), entry.LogIndex(), []byte(entry.LogKeyID()), []byte{}, nil) + if err != nil { + return nil, err + } + entries = append(entries, mutEntry) + } + return entries, nil + } return b.SignedEntity.TlogEntries() } @@ -262,6 +278,19 @@ func TestVerifyBundle(t *testing.T) { entity: &bundleMutator{SignedEntity: attestation, eraseTlog: true}, wantErr: true, }, + { + name: "require SET, missing set", + checkOpts: &cosign.CheckOpts{ + Identities: standardIdentities, + IgnoreSCT: true, + IgnoreTlog: false, + UseSignedTimestamps: false, // both set to false requires an SET + TrustedMaterial: virtualSigstore, + }, + artifactPolicyOption: verify.WithArtifact(bytes.NewReader(artifact)), + entity: &bundleMutator{SignedEntity: attestation, eraseSET: true}, + wantErr: true, + }, { name: "require tsa, missing tsa", checkOpts: &cosign.CheckOpts{ diff --git a/test/e2e_test.go b/test/e2e_test.go index a57d197b99f..3c34f841eb8 100644 --- a/test/e2e_test.go +++ b/test/e2e_test.go 
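Review bot: In the new `eraseSET` branch of `TlogEntries`, `entry.Body().(string)` is an unchecked type assertion, so a non-string body panics the whole test binary instead of failing this case; prefer `body, ok := entry.Body().(string)` and return an error when `!ok`. The loop's `tlog.NewEntry(..., []byte{}, nil)` call carries no explanation, and since the test case at `@@ -262,6` is named "require SET, missing set" a one-line comment that the empty slice is the erased inclusion promise (as the field name suggests) would save the next reader a trip into the sigstore-go API. The `eraseSET` field added at `@@ -43,6` should get the same comment so the mutator's three erase modes read consistently.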
@@ -60,6 +60,7 @@ import ( "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/cmd/cosign/cli/publickey" "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign" + "github.com/sigstore/cosign/v2/cmd/cosign/cli/signingconfig" "github.com/sigstore/cosign/v2/cmd/cosign/cli/trustedroot" cliverify "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify" "github.com/sigstore/cosign/v2/internal/pkg/cosign/fulcio/fulcioroots" 
@@ -834,6 +835,138 @@ func TestSignVerifyWithTUFMirror(t *testing.T) { } } +func prepareSigningConfig(t *testing.T, fulcioURL, rekorURL, oidcURL, tsaURL string) string { + startTime := "2024-01-01T00:00:00Z" + fulcioSpec := fmt.Sprintf("url=%s,api-version=1,operator=fulcio-op,start-time=%s", fulcioURL, startTime) + rekorSpec := fmt.Sprintf("url=%s,api-version=1,operator=rekor-op,start-time=%s", rekorURL, startTime) + oidcSpec := fmt.Sprintf("url=%s,api-version=1,operator=oidc-op,start-time=%s", oidcURL, startTime) + tsaSpec := fmt.Sprintf("url=%s,api-version=1,operator=tsa-op,start-time=%s", tsaURL, startTime) + + downloadDirectory := t.TempDir() + out := filepath.Join(downloadDirectory, "signing_config.v0.2.json") + cmd := &signingconfig.CreateCmd{ + FulcioSpecs: []string{fulcioSpec}, + RekorSpecs: []string{rekorSpec}, + OIDCProviderSpecs: []string{oidcSpec}, + TSASpecs: []string{tsaSpec}, + RekorConfig: "EXACT:1", + TSAConfig: "ANY", + Out: out, + } + must(cmd.Exec(context.TODO()), t) + return out +} + +func TestSignVerifyWithSigningConfig(t *testing.T) { + tufLocalCache := t.TempDir() + t.Setenv("TUF_ROOT", tufLocalCache) + tufMirror := t.TempDir() + viper.Set("timestamp-signer", "memory") + viper.Set("timestamp-signer-hash", "sha256") + tsaAPIServer := server.NewRestAPIServer("localhost", 0, []string{"http"}, false, 10*time.Second, 10*time.Second) + tsaServer := httptest.NewServer(tsaAPIServer.GetHandler()) + t.Cleanup(tsaServer.Close) + tufServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + http.FileServer(http.Dir(tufMirror)).ServeHTTP(w, r) + })) + mirror := tufServer.URL + trustedRoot := prepareTrustedRoot(t, tsaServer.URL) + signingConfigStr := prepareSigningConfig(t, fulcioURL, rekorURL, "unused", tsaServer.URL+"/api/v1/timestamp") + + _, err := newTUF(tufMirror, []targetInfo{ + { + name: "trusted_root.json", + source: trustedRoot, + }, + { + name: "signing_config.v0.2.json", + source: signingConfigStr, + }, + }) 
+ must(err, t) + + ctx := context.Background() + + rootPath := filepath.Join(tufMirror, "1.root.json") + must(initialize.DoInitialize(ctx, rootPath, mirror), t) + + identityToken, err := getOIDCToken() + if err != nil { + t.Fatal(err) + } + + ko := options.KeyOpts{ + IDToken: identityToken, + SkipConfirmation: true, + } + trustedMaterial, err := cosign.TrustedRoot() + must(err, t) + ko.TrustedMaterial = trustedMaterial + signingConfig, err := cosign.SigningConfig() + must(err, t) + ko.SigningConfig = signingConfig + + // Sign a blob + blob := "someblob" + blobDir := t.TempDir() + bp := filepath.Join(blobDir, blob) + if err := os.WriteFile(bp, []byte(blob), 0644); err != nil { + t.Fatal(err) + } + bundlePath := filepath.Join(blobDir, "bundle.json") + ko.NewBundleFormat = true + ko.BundlePath = bundlePath + + _, err = sign.SignBlobCmd(ro, ko, bp, false, "", "", true) + must(err, t) + + // Verify a blob + issuer := os.Getenv("OIDC_URL") + verifyBlobCmd := cliverify.VerifyBlobCmd{ + KeyOpts: ko, + CertVerifyOptions: options.CertVerifyOptions{ + CertOidcIssuer: issuer, + CertIdentity: certID, + }, + UseSignedTimestamps: true, + } + err = verifyBlobCmd.Exec(ctx, bp) + must(err, t) + + // Sign an attestation + statement := `{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"someblob","digest":{"alg":"7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3"}}],"predicateType":"something","predicate":{}}` + attestDir := t.TempDir() + statementPath := filepath.Join(attestDir, "statement") + if err := os.WriteFile(statementPath, []byte(statement), 0644); err != nil { + t.Fatal(err) + } + attBundlePath := filepath.Join(attestDir, "attest.bundle.json") + ko.NewBundleFormat = true + ko.BundlePath = attBundlePath + + attestBlobCmd := attest.AttestBlobCommand{ + KeyOpts: ko, + RekorEntryType: "dsse", + StatementPath: statementPath, + } + must(attestBlobCmd.Exec(ctx, bp), t) + + // Verify an attestation + verifyBlobAttestationCmd := 
cliverify.VerifyBlobAttestationCommand{ + KeyOpts: ko, + CertVerifyOptions: options.CertVerifyOptions{ + CertOidcIssuer: issuer, + CertIdentity: certID, + }, + UseSignedTimestamps: true, + Digest: "7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3", + DigestAlg: "alg", + CheckClaims: true, + } + err = verifyBlobAttestationCmd.Exec(ctx, "") + must(err, t) +} + func TestAttestVerify(t *testing.T) { for _, newBundleFormat := range []bool{false, true} { attestVerify(t, @@ -2835,7 +2968,7 @@ func TestAttestBlobSignVerify(t *testing.T) { blob := "someblob" predicate := `{ "buildType": "x", "builder": { "id": "2" }, "recipe": {} }` predicateType := "slsaprovenance" - statement := `{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"someblob","digest":{"alg":"123"}}],"predicateType":"something","predicate":{}}` + statement := `{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"someblob","digest":{"alg":"7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3"}}],"predicateType":"something","predicate":{}}` td1 := t.TempDir() t.Cleanup(func() { @@ -2920,7 +3053,7 @@ func TestAttestBlobSignVerify(t *testing.T) { } blobVerifyAttestationCmd = cliverify.VerifyBlobAttestationCommand{ KeyOpts: ko, - Digest: "123", + Digest: "7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3", DigestAlg: "alg", SignaturePath: outputSignature, IgnoreTlog: true, From 0ac382ac7102073d19ae43423ee83e722f469f6e Mon Sep 17 00:00:00 2001 From: Zach Steindler Date: Thu, 7 Aug 2025 14:41:10 -0400 Subject: [PATCH 009/136] Have cosign sign support bundle format (#4316) --------- 
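Review bot: The sha256-looking literal `7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3` and the in-toto `statement` JSON embedding it are pasted verbatim in this hunk and again in the `@@ -2835` and `@@ -2920` hunks below; a package-level const (e.g. `someblobDigest`) with a comment stating it is the digest of the `someblob` content (which it appears to be) would keep the tests from drifting and would make the `DigestAlg: "alg"` / `"alg"` subject-key pairing that `CheckClaims: true` presumably compares visible in one place. `ko.NewBundleFormat = true` is assigned a second time before the attest step although it is still true from the blob step. `prepareSigningConfig` passes `"unused"` as the OIDC URL with no explanation; a short comment that the test supplies `IDToken` directly, so the OIDC service is never selected, would answer the obvious question.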
Signed-off-by: Zach Steindler --- cmd/cosign/cli/attest/attest.go | 10 ++- cmd/cosign/cli/attest/attest_blob.go | 77 ++----------------- cmd/cosign/cli/attest/common.go | 16 ---- cmd/cosign/cli/options/sign.go | 3 + cmd/cosign/cli/options/verify.go | 2 +- cmd/cosign/cli/sign/sign.go | 106 +++++++++++++++++++++++++- cmd/cosign/cli/verify.go | 1 + cmd/cosign/cli/verify/verify.go | 66 +++++++++++++--- doc/cosign_dockerfile_verify.md | 2 +- doc/cosign_manifest_verify.md | 2 +- doc/cosign_sign.md | 1 + doc/cosign_verify-attestation.md | 2 +- doc/cosign_verify-blob-attestation.md | 2 +- doc/cosign_verify-blob.md | 2 +- doc/cosign_verify.md | 2 +- pkg/cosign/bundle/protobundle.go | 71 +++++++++++++++++ pkg/cosign/tsa.go | 15 ++++ pkg/cosign/verify.go | 6 +- pkg/types/predicate.go | 20 +++++ test/e2e_test.go | 96 ++++++++++++++++++++--- 20 files changed, 382 insertions(+), 120 deletions(-) create mode 100644 pkg/types/predicate.go diff --git a/cmd/cosign/cli/attest/attest.go b/cmd/cosign/cli/attest/attest.go index 6a8443726e8..55b85e9d282 100644 --- a/cmd/cosign/cli/attest/attest.go +++ b/cmd/cosign/cli/attest/attest.go @@ -18,6 +18,7 @@ package attest import ( "bytes" "context" + "crypto" _ "crypto/sha256" // for `crypto.SHA256` "encoding/json" "fmt" @@ -184,7 +185,7 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error { // will use the DSSE Sig field, so we choose what signature to send to // the timestamp authority based on our output format. if c.KeyOpts.NewBundleFormat { - tsaPayload, err = getEnvelopeSigBytes(signedPayload) + tsaPayload, err = cosign.GetDSSESigBytes(signedPayload) if err != nil { return err } 
@@ -251,7 +252,12 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error { if err != nil { return err } - bundleBytes, err := makeNewBundle(sv, rekorEntry, payload, signedPayload, signerBytes, timestampBytes) + var pubKey *crypto.PublicKey + pk, err := sv.PublicKey() + if err == nil { + pubKey = &pk + } + bundleBytes, err := cbundle.MakeNewBundle(pubKey, rekorEntry, payload, signedPayload, signerBytes, timestampBytes) if err != nil { return err } diff --git a/cmd/cosign/cli/attest/attest_blob.go b/cmd/cosign/cli/attest/attest_blob.go index 2a7aca4ac12..efec55f9545 100644 --- a/cmd/cosign/cli/attest/attest_blob.go +++ b/cmd/cosign/cli/attest/attest_blob.go @@ -18,8 +18,6 @@ import ( "bytes" "context" "crypto" - "crypto/sha256" - "crypto/x509" "encoding/base64" "encoding/hex" "encoding/json" @@ -33,7 +31,6 @@ import ( "time" intotov1 "github.com/in-toto/attestation/go/v1" - "github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor" cosign_sign "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign" @@ -45,15 +42,12 @@ import ( "github.com/sigstore/cosign/v2/pkg/cosign/attestation" cbundle "github.com/sigstore/cosign/v2/pkg/cosign/bundle" "github.com/sigstore/cosign/v2/pkg/types" - protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" - protodsse "github.com/sigstore/protobuf-specs/gen/pb-go/dsse" "github.com/sigstore/rekor/pkg/generated/models" "github.com/sigstore/sigstore-go/pkg/sign" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" sigstoredsse "github.com/sigstore/sigstore/pkg/signature/dsse" signatureoptions "github.com/sigstore/sigstore/pkg/signature/options" - "google.golang.org/protobuf/encoding/protojson" ) // nolint 
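Review bot: `pk, err := sv.PublicKey()` followed by `if err == nil { pubKey = &pk }` swallows the error, so a signer whose public key cannot be obtained silently hands `cbundle.MakeNewBundle` a nil `pubKey`, whereas the removed `makeNewBundle` (see the `@@ -358` hunk) returned that error whenever no certificate was present. If nil is intended to mean "no key, use the certificate", that contract belongs in a comment at the call site and inside `MakeNewBundle`, and the no-certificate case should still fail early rather than produce a bundle with no verification material; otherwise simply `if err != nil { return err }` as before. The same pattern appears in `attest_blob.go` at `@@ -296`, where the inner `:=` also shadows the function-scope `err` (harmless here, but the `shadow` analyzer will flag it). Both enclosing `Exec` methods continue outside the hunk.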
@@ -236,7 +230,7 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error // will use the DSSE Sig field, so we choose what signature to send to // the timestamp authority based on our output format. if c.NewBundleFormat { - tsaPayload, err = getEnvelopeSigBytes(sig) + tsaPayload, err = cosign.GetDSSESigBytes(sig) if err != nil { return err } @@ -296,7 +290,13 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error if c.BundlePath != "" { var contents []byte if c.NewBundleFormat { - contents, err = makeNewBundle(sv, rekorEntry, payload, sig, signer, timestampBytes) + var pubKey *crypto.PublicKey + pk, err := sv.PublicKey() + if err == nil { + pubKey = &pk + } + + contents, err = cbundle.MakeNewBundle(pubKey, rekorEntry, payload, sig, signer, timestampBytes) if err != nil { return err } 
@@ -358,67 +358,6 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error return nil } -func makeNewBundle(sv *cosign_sign.SignerVerifier, rekorEntry *models.LogEntryAnon, payload, sig, signer, timestampBytes []byte) ([]byte, error) { - // Determine if signature is certificate or not - var hint string - var rawCert []byte - - cert, err := cryptoutils.UnmarshalCertificatesFromPEM(signer) - if err != nil || len(cert) == 0 { - pubKey, err := sv.PublicKey() - if err != nil { - return nil, err - } - pkixPubKey, err := x509.MarshalPKIXPublicKey(pubKey) - if err != nil { - return nil, err - } - hashedBytes := sha256.Sum256(pkixPubKey) - hint = base64.StdEncoding.EncodeToString(hashedBytes[:]) - } else { - rawCert = cert[0].Raw - } - - bundle, err := cbundle.MakeProtobufBundle(hint, rawCert, rekorEntry, timestampBytes) - if err != nil { - return nil, err - } - - var envelope dsse.Envelope - err = json.Unmarshal(sig, &envelope) - if err != nil { - return nil, err - } - - if len(envelope.Signatures) == 0 { - return nil, fmt.Errorf("no signature in DSSE envelope") - } - - sigBytes, err := base64.StdEncoding.DecodeString(envelope.Signatures[0].Sig) - if err != nil { - return nil, err - } - - bundle.Content = &protobundle.Bundle_DsseEnvelope{ - DsseEnvelope: &protodsse.Envelope{ - Payload: payload, - PayloadType: envelope.PayloadType, - Signatures: []*protodsse.Signature{ - { - Sig: sigBytes, - }, - }, - }, - } - - contents, err := protojson.Marshal(bundle) - if err != nil { - return nil, err - } - - return contents, nil -} - func validateStatement(payload []byte) (string, error) { var statement *intotov1.Statement if err := json.Unmarshal(payload, &statement); err != nil { diff --git a/cmd/cosign/cli/attest/common.go b/cmd/cosign/cli/attest/common.go index e5f4589a343..b9bb6dcebcc 100644 --- a/cmd/cosign/cli/attest/common.go +++ b/cmd/cosign/cli/attest/common.go 
@@ -15,13 +15,9 @@ package attest import ( - "encoding/base64" - "encoding/json" "fmt" "io" "os" - - "github.com/secure-systems-lab/go-securesystemslib/dsse" ) func predicateReader(predicatePath string) (io.ReadCloser, error) { @@ -37,15 +33,3 @@ func predicateReader(predicatePath string) (io.ReadCloser, error) { } return f, nil } - -func getEnvelopeSigBytes(envelopeBytes []byte) ([]byte, error) { - var envelope dsse.Envelope - err := json.Unmarshal(envelopeBytes, &envelope) - if err != nil { - return nil, err - } - if len(envelope.Signatures) == 0 { - return nil, fmt.Errorf("envelope has no signatures") - } - return base64.StdEncoding.DecodeString(envelope.Signatures[0].Sig) -} diff --git a/cmd/cosign/cli/options/sign.go b/cmd/cosign/cli/options/sign.go index bcacfd7e63f..7e45c414d86 100644 --- a/cmd/cosign/cli/options/sign.go +++ b/cmd/cosign/cli/options/sign.go @@ -42,6 +42,7 @@ type SignOptions struct { IssueCertificate bool SignContainerIdentity string RecordCreationTimestamp bool + NewBundleFormat bool Rekor RekorOptions Fulcio FulcioOptions @@ -137,4 +138,6 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) { "manually set the .critical.docker-reference field for the signed identity, which is useful when image proxies are being used where the pull reference should match the signature") cmd.Flags().BoolVar(&o.RecordCreationTimestamp, "record-creation-timestamp", false, "set the createdAt timestamp in the signature artifact to the time it was created; by default, cosign sets this to the zero value") + + cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", false, "expect the signature/attestation to be packaged in a Sigstore bundle") } diff --git a/cmd/cosign/cli/options/verify.go b/cmd/cosign/cli/options/verify.go index cb7ac30401a..79c9a5421e6 100644 --- a/cmd/cosign/cli/options/verify.go +++ b/cmd/cosign/cli/options/verify.go 
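Review bot: The help text for the new `--new-bundle-format` flag on `SignOptions` reads `"expect the signature/attestation to be packaged in a Sigstore bundle"`, which describes a verifier's expectation rather than what `cosign sign` does with it; on the sign side it should state what is produced, e.g. `"output the signature in the Sigstore bundle format instead of the legacy OCI signature layout"` (adjust the second clause to whatever `signDigestBundle` actually emits). The enclosing `AddFlags` continues outside the hunk.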
@@ -54,7 +54,7 @@ func (o *CommonVerifyOptions) AddFlags(cmd *cobra.Command) { "skip transparency log verification when verifying artifacts in a privately deployed infrastructure") cmd.Flags().BoolVar(&o.ExperimentalOCI11, "experimental-oci11", false, - "set to true to enable experimental OCI 1.1 behaviour") + "set to true to enable experimental OCI 1.1 behaviour (unrelated to bundle format)") cmd.Flags().IntVar(&o.MaxWorkers, "max-workers", cosign.DefaultMaxWorkers, "the amount of maximum workers for parallel executions") diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go index a6ee88122d1..7e2e0739142 100644 --- a/cmd/cosign/cli/sign/sign.go +++ b/cmd/cosign/cli/sign/sign.go @@ -32,6 +32,7 @@ import ( "github.com/google/go-containerregistry/pkg/name" v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/remote" + intotov1 "github.com/in-toto/attestation/go/v1" "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio" "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio/fulcioverifier" "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" @@ -45,6 +46,7 @@ import ( "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client" "github.com/sigstore/cosign/v2/internal/ui" "github.com/sigstore/cosign/v2/pkg/cosign" + cbundle "github.com/sigstore/cosign/v2/pkg/cosign/bundle" "github.com/sigstore/cosign/v2/pkg/cosign/pivkey" "github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key" cremote "github.com/sigstore/cosign/v2/pkg/cosign/remote" 
@@ -53,10 +55,14 @@ import ( ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" "github.com/sigstore/cosign/v2/pkg/oci/walk" sigs "github.com/sigstore/cosign/v2/pkg/signature" + "github.com/sigstore/cosign/v2/pkg/types" + "github.com/sigstore/rekor/pkg/generated/models" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" + "github.com/sigstore/sigstore/pkg/signature/dsse" signatureoptions "github.com/sigstore/sigstore/pkg/signature/options" sigPayload "github.com/sigstore/sigstore/pkg/signature/payload" + "google.golang.org/protobuf/encoding/protojson" // Loads OIDC providers _ "github.com/sigstore/cosign/v2/pkg/providers/all" @@ -184,7 +190,11 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, signOpts options.SignO } else if err != nil { return fmt.Errorf("accessing image: %w", err) } - err = signDigest(ctx, digest, staticPayload, ko, signOpts, annotations, dd, sv, se) + if signOpts.NewBundleFormat { + err = signDigestBundle(ctx, digest, ko, signOpts, sv) + } else { + err = signDigest(ctx, digest, staticPayload, ko, signOpts, annotations, dd, sv, se) + } if err != nil { return fmt.Errorf("signing digest: %w", err) } @@ -203,7 +213,11 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, signOpts options.SignO return fmt.Errorf("computing digest: %w", err) } digest := ref.Context().Digest(d.String()) - err = signDigest(ctx, digest, staticPayload, ko, signOpts, annotations, dd, sv, se) + if signOpts.NewBundleFormat { + err = signDigestBundle(ctx, digest, ko, signOpts, sv) + } else { + err = signDigest(ctx, digest, staticPayload, ko, signOpts, annotations, dd, sv, se) + } if err != nil { return fmt.Errorf("signing digest: %w", err) } 
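Review bot: In both new branches of `SignCmd`, `staticPayload`, `annotations`, `dd` and `se` are passed only to the legacy `signDigest` call; `signDigestBundle` receives none of them, so whatever populates `staticPayload` and `annotations` (presumably `--payload` and `-a`, which start outside this hunk) is silently discarded when `--new-bundle-format` is set. A user who relies on annotations being part of the signed payload would get a signature that does not carry them, with no warning. I would reject the combination explicitly before the branch, e.g. `if signOpts.NewBundleFormat && (len(staticPayload) > 0 || len(annotations) > 0) { return fmt.Errorf("--payload and annotations are not supported with --new-bundle-format") }`, and since the same if/else now appears twice, fold it into a small local closure so the two call sites cannot drift. `SignCmd` begins and ends outside these hunks.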
@@ -216,6 +230,94 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, signOpts options.SignO return nil } +func signDigestBundle(ctx context.Context, digest name.Digest, ko options.KeyOpts, signOpts options.SignOptions, sv *SignerVerifier) error { + digestParts := strings.Split(digest.DigestStr(), ":") + if len(digestParts) != 2 { + return fmt.Errorf("unable to parse digest %s", digest.DigestStr()) + } + + subject := intotov1.ResourceDescriptor{ + Digest: map[string]string{digestParts[0]: digestParts[1]}, + } + + statement := &intotov1.Statement{ + Type: intotov1.StatementTypeUri, + Subject: []*intotov1.ResourceDescriptor{&subject}, + PredicateType: types.CosignSignPredicateType, + } + + payload, err := protojson.Marshal(statement) + if err != nil { + return err + } + + wrapped := dsse.WrapSigner(sv, types.IntotoPayloadType) + signedPayload, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx)) + if err != nil { + return fmt.Errorf("signing: %w", err) + } + + var timestampBytes []byte + if ko.TSAServerURL != "" { + tsaPayload, err := cosign.GetDSSESigBytes(signedPayload) + if err != nil { + return err + } + tc := client.NewTSAClient(ko.TSAServerURL) + if ko.TSAClientCert != "" { + tc = client.NewTSAClientMTLS(ko.TSAServerURL, + ko.TSAClientCACert, + ko.TSAClientCert, + ko.TSAClientKey, + ko.TSAServerName, + ) + } + timestampBytes, err = tsa.GetTimestampedSignature(tsaPayload, tc) + if err != nil { + return err + } + } + + signerBytes, err := sv.Bytes(ctx) + if err != nil { + return err + } + + var rekorEntry *models.LogEntryAnon + shouldUpload, err := ShouldUploadToTlog(ctx, ko, digest, signOpts.TlogUpload) + if err != nil { + return fmt.Errorf("should upload to tlog: %w", err) + } + if shouldUpload { + rClient, err := rekor.NewClient(ko.RekorURL) + if err != nil { + return err + } + rekorEntry, err = cosign.TLogUploadDSSEEnvelope(ctx, rClient, signedPayload, signerBytes) + if err != nil { + return err + } + } + + regOpts 
:= signOpts.Registry + ociremoteOpts, err := regOpts.ClientOpts(ctx) + if err != nil { + return fmt.Errorf("constructing client options: %w", err) + } + + var pubKey *crypto.PublicKey + pk, err := sv.PublicKey() + if err == nil { + pubKey = &pk + } + + bundleBytes, err := cbundle.MakeNewBundle(pubKey, rekorEntry, payload, signedPayload, signerBytes, timestampBytes) + if err != nil { + return err + } + return ociremote.WriteAttestationNewBundleFormat(digest, bundleBytes, types.CosignSignPredicateType, ociremoteOpts...) +} + func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko options.KeyOpts, signOpts options.SignOptions, annotations map[string]interface{}, dd mutate.DupeDetector, sv *SignerVerifier, se oci.SignedEntity) error { diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go index a0e4ca7e20f..af831440c1b 100644 --- a/cmd/cosign/cli/verify.go +++ b/cmd/cosign/cli/verify.go @@ -138,6 +138,7 @@ against the transparency log.`, MaxWorkers: o.CommonVerifyOptions.MaxWorkers, ExperimentalOCI11: o.CommonVerifyOptions.ExperimentalOCI11, UseSignedTimestamps: o.CommonVerifyOptions.UseSignedTimestamps, + NewBundleFormat: o.CommonVerifyOptions.NewBundleFormat, } if o.CommonVerifyOptions.MaxWorkers == 0 { diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go index 01a3ea60067..e04a5720795 100644 --- a/cmd/cosign/cli/verify/verify.go +++ b/cmd/cosign/cli/verify/verify.go @@ -85,6 +85,7 @@ type VerifyCommand struct { IgnoreTlog bool MaxWorkers int ExperimentalOCI11 bool + NewBundleFormat bool } // Exec runs the verification command 
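Review bot: Near the end of `signDigestBundle`, the error from `sv.PublicKey()` is swallowed (`if err == nil { pubKey = &pk }`), and whenever the call succeeds `pubKey` is non-nil, which makes the new `MakeNewBundle` take its key-hint branch and never parse the certificate in `signerBytes`. I cannot see how `SignerVerifier.PublicKey()` behaves for a Fulcio-issued signer, but if it succeeds there too, keyless bundles would carry a public-key hint instead of the certificate, and the verify side in this same commit insists the cert "must be in bundle". The removed `makeNewBundle` in cmd/cosign/cli/attest decided the other way round, by first trying to parse `signer` as a PEM certificate and falling back to the key hint; I would restore that order here and return the `PublicKey` error instead of ignoring it. `cryptoutils` is already imported in this file.
```go
	signerBytes, err := sv.Bytes(ctx)
	// … unchanged: error check, tlog upload, registry options …

	// Prefer the certificate when the signer material is one; only fall back to a
	// public-key hint for plain key signing, and surface a PublicKey failure.
	var pubKey *crypto.PublicKey
	if certs, cerr := cryptoutils.UnmarshalCertificatesFromPEM(signerBytes); cerr != nil || len(certs) == 0 {
		pk, err := sv.PublicKey()
		if err != nil {
			return fmt.Errorf("getting public key: %w", err)
		}
		pubKey = &pk
	}

	bundleBytes, err := cbundle.MakeNewBundle(pubKey, rekorEntry, payload, signedPayload, signerBytes, timestampBytes)
	// … unchanged: error check and WriteAttestationNewBundleFormat …
```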
@@ -157,12 +158,30 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { } } + if c.NewBundleFormat { + if c.CertRef != "" { + return fmt.Errorf("unsupported: certificate may not be provided using --certificate when using --new-bundle-format (cert must be in bundle)") + } + if c.CertChain != "" { + return fmt.Errorf("unsupported: certificate chain may not be provided using --certificate-chain when using --new-bundle-format (cert must be in bundle)") + } + if c.CARoots != "" || c.CAIntermediates != "" { + return fmt.Errorf("unsupported: CA roots/intermediates must be provided using --trusted-root when using --new-bundle-format") + } + if c.TSACertChainPath != "" { + return fmt.Errorf("unsupported: TSA certificate chain path may only be provided using --trusted-root when using --new-bundle-format") + } + if co.TrustedMaterial == nil { + return fmt.Errorf("trusted root is required when using new bundle format") + } + } + if c.CheckClaims { co.ClaimVerifier = cosign.SimpleClaimVerifier } // If we are using signed timestamps and there is no trusted root, we need to load the TSA certificates - if co.UseSignedTimestamps && co.TrustedMaterial == nil { + if co.UseSignedTimestamps && co.TrustedMaterial == nil && !c.NewBundleFormat { tsaCertificates, err := cosign.GetTSACerts(ctx, c.TSACertChainPath, cosign.GetTufTargets) if err != nil { return fmt.Errorf("unable to load TSA certificates: %w", err) @@ -172,7 +191,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { co.TSAIntermediateCertificates = tsaCertificates.IntermediateCerts } - if !c.IgnoreTlog { + if !c.IgnoreTlog && !c.NewBundleFormat { if c.RekorURL != "" { rekorClient, err := rekor.NewClient(c.RekorURL) if err != nil { 
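Review bot: The four `--new-bundle-format` incompatibility checks added at the top of `Exec` are a self-contained policy and would read better as a named helper, e.g. `func (c *VerifyCommand) checkSigstoreBundleUnsupportedOptions() error`, called once from `Exec`; as written, `Exec` keeps growing and the same `c.CertRef` condition is re-checked further down in the `certRef != ""` case. The error strings also alternate between "may not be provided", "must be provided" and "may only be provided"; picking one phrasing, such as `unsupported: --certificate cannot be combined with --new-bundle-format (the certificate must be in the bundle)`, keeps the CLI output consistent. The `co.TrustedMaterial == nil` guard is the important one here and is correctly placed before any verification work. `Exec` begins and ends outside this hunk.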
@@ -229,6 +248,10 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { return fmt.Errorf("initializing piv token verifier: %w", err) } case certRef != "": + if c.NewBundleFormat { + // This shouldn't happen because we already checked for this above in checkSigstoreBundleUnsupportedOptions + return fmt.Errorf("unsupported: certificate reference currently not supported with --new-bundle-format") + } cert, err := loadCertFromFileOrURL(c.CertRef) if err != nil { return err @@ -292,10 +315,20 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { fulcioVerified := (co.SigVerifier == nil) for _, img := range images { + var verified []oci.Signature + var bundleVerified bool + if c.LocalImage { - verified, bundleVerified, err := cosign.VerifyLocalImageSignatures(ctx, img, co) - if err != nil { - return err + if c.NewBundleFormat { + verified, bundleVerified, err = cosign.VerifyLocalImageAttestations(ctx, img, co) + if err != nil { + return err + } + } else { + verified, bundleVerified, err = cosign.VerifyLocalImageSignatures(ctx, img, co) + if err != nil { + return err + } } PrintVerificationHeader(ctx, img, co, bundleVerified, fulcioVerified) PrintVerification(ctx, verified, c.Output) 
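Review bot: The comment on the new `certRef != ""` guard refers to `checkSigstoreBundleUnsupportedOptions`, but no function of that name appears in this commit; the corresponding checks live inline at the top of `Exec`. A stale reference like this sends the next reader hunting for a helper that does not exist, so either extract the inline checks into a function with that name or reword the comment to `// Unreachable: Exec already rejects --certificate together with --new-bundle-format above; kept as a defensive guard.` The enclosing `switch` and `Exec` start outside this hunk.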
@@ -304,14 +337,23 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { if err != nil { return fmt.Errorf("parsing reference: %w", err) } - ref, err = sign.GetAttachedImageRef(ref, c.Attachment, ociremoteOpts...) - if err != nil { - return fmt.Errorf("resolving attachment type %s for image %s: %w", c.Attachment, img, err) - } - verified, bundleVerified, err := cosign.VerifyImageSignatures(ctx, ref, co) - if err != nil { - return cosignError.WrapError(err) + if c.NewBundleFormat { + // OCI bundle always contains attestation + verified, bundleVerified, err = cosign.VerifyImageAttestations(ctx, ref, co) + if err != nil { + return err + } + } else { + ref, err = sign.GetAttachedImageRef(ref, c.Attachment, ociremoteOpts...) + if err != nil { + return fmt.Errorf("resolving attachment type %s for image %s: %w", c.Attachment, img, err) + } + + verified, bundleVerified, err = cosign.VerifyImageSignatures(ctx, ref, co) + if err != nil { + return cosignError.WrapError(err) + } } PrintVerificationHeader(ctx, ref.Name(), co, bundleVerified, fulcioVerified) diff --git a/doc/cosign_dockerfile_verify.md b/doc/cosign_dockerfile_verify.md index 3ee9b0d34c0..cef70479668 100644 --- a/doc/cosign_dockerfile_verify.md +++ b/doc/cosign_dockerfile_verify.md 
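Review bot: The new bundle branch in the remote path returns the `VerifyImageAttestations` error bare (`return err`) while the legacy branch right below it wraps with `cosignError.WrapError(err)`, so the two formats will produce different messages and, if `WrapError` maps to exit codes, different exit statuses for the same failure; wrap both the same way. `c.Attachment` is consulted only in the legacy branch, so `--attachment` is silently ignored with `--new-bundle-format`; it should be rejected alongside the other unsupported options. One thing I cannot confirm from the hunk: `co.ClaimVerifier` is set to `cosign.SimpleClaimVerifier` earlier in `Exec` when `--check-claims` is on, and it is unclear whether `VerifyImageAttestations` applies it to the in-toto subject of the cosign-sign statement against `ref`'s digest. If it does not, a bundle copied from another image's attestations would verify, so this path deserves an explicit negative test. `Exec` continues past this hunk.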
@@ -69,7 +69,7 @@ cosign dockerfile verify [flags] --certificate-oidc-issuer string The OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows. --certificate-oidc-issuer-regexp string A regular expression alternative to --certificate-oidc-issuer. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows. --check-claims whether to check the claims found (default true) - --experimental-oci11 set to true to enable experimental OCI 1.1 behaviour + --experimental-oci11 set to true to enable experimental OCI 1.1 behaviour (unrelated to bundle format) -h, --help help for verify --insecure-ignore-sct when set, verification will not check that a certificate contains an embedded SCT, a proof of inclusion in a certificate transparency log --insecure-ignore-tlog ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts cannot be publicly verified when not included in a log diff --git a/doc/cosign_manifest_verify.md b/doc/cosign_manifest_verify.md index 0914e691f68..c8907d44b9e 100644 --- a/doc/cosign_manifest_verify.md +++ b/doc/cosign_manifest_verify.md 
@@ -63,7 +63,7 @@ cosign manifest verify [flags] --certificate-oidc-issuer string The OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows. --certificate-oidc-issuer-regexp string A regular expression alternative to --certificate-oidc-issuer. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows. --check-claims whether to check the claims found (default true) - --experimental-oci11 set to true to enable experimental OCI 1.1 behaviour + --experimental-oci11 set to true to enable experimental OCI 1.1 behaviour (unrelated to bundle format) -h, --help help for verify --insecure-ignore-sct when set, verification will not check that a certificate contains an embedded SCT, a proof of inclusion in a certificate transparency log --insecure-ignore-tlog ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts cannot be publicly verified when not included in a log diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md index 07c3bb98fa3..6b4b400df64 100644 --- a/doc/cosign_sign.md +++ b/doc/cosign_sign.md 
@@ -87,6 +87,7 @@ cosign sign [flags] --issue-certificate issue a code signing certificate from Fulcio, even if a key is provided --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). --key string path to the private key file, KMS URI or Kubernetes Secret + --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle --oidc-client-id string OIDC client ID for application (default "sigstore") --oidc-client-secret-file string Path to file containing OIDC client secret for application --oidc-disable-ambient-providers Disable ambient OIDC providers. When true, ambient credentials will not be read diff --git a/doc/cosign_verify-attestation.md b/doc/cosign_verify-attestation.md index b29905644ec..c55cbefb18d 100644 --- a/doc/cosign_verify-attestation.md +++ b/doc/cosign_verify-attestation.md 
@@ -73,7 +73,7 @@ cosign verify-attestation [flags] --certificate-oidc-issuer string The OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows. --certificate-oidc-issuer-regexp string A regular expression alternative to --certificate-oidc-issuer. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows. --check-claims whether to check the claims found (default true) - --experimental-oci11 set to true to enable experimental OCI 1.1 behaviour + --experimental-oci11 set to true to enable experimental OCI 1.1 behaviour (unrelated to bundle format) -h, --help help for verify-attestation --insecure-ignore-sct when set, verification will not check that a certificate contains an embedded SCT, a proof of inclusion in a certificate transparency log --insecure-ignore-tlog ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts cannot be publicly verified when not included in a log diff --git a/doc/cosign_verify-blob-attestation.md b/doc/cosign_verify-blob-attestation.md index d65c180e79a..0ad3f795161 100644 --- a/doc/cosign_verify-blob-attestation.md +++ b/doc/cosign_verify-blob-attestation.md 
@@ -45,7 +45,7 @@ cosign verify-blob-attestation [flags] --check-claims if true, verifies the digest exists in the in-toto subject (using either the provided digest and digest algorithm or the provided blob's sha256 digest). If false, only the DSSE envelope is verified. (default true) --digest string Digest to use for verifying in-toto subject (instead of providing a blob) --digestAlg string Digest algorithm to use for verifying in-toto subject (instead of providing a blob) - --experimental-oci11 set to true to enable experimental OCI 1.1 behaviour + --experimental-oci11 set to true to enable experimental OCI 1.1 behaviour (unrelated to bundle format) -h, --help help for verify-blob-attestation --insecure-ignore-sct when set, verification will not check that a certificate contains an embedded SCT, a proof of inclusion in a certificate transparency log --insecure-ignore-tlog ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts cannot be publicly verified when not included in a log diff --git a/doc/cosign_verify-blob.md b/doc/cosign_verify-blob.md index 016a04da5de..3aa0bd761a7 100644 --- a/doc/cosign_verify-blob.md +++ b/doc/cosign_verify-blob.md 
@@ -78,7 +78,7 @@ cosign verify-blob [flags] --certificate-identity-regexp string A regular expression alternative to --certificate-identity. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --certificate-identity or --certificate-identity-regexp must be set for keyless flows. --certificate-oidc-issuer string The OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows. --certificate-oidc-issuer-regexp string A regular expression alternative to --certificate-oidc-issuer. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows. - --experimental-oci11 set to true to enable experimental OCI 1.1 behaviour + --experimental-oci11 set to true to enable experimental OCI 1.1 behaviour (unrelated to bundle format) -h, --help help for verify-blob --insecure-ignore-sct when set, verification will not check that a certificate contains an embedded SCT, a proof of inclusion in a certificate transparency log --insecure-ignore-tlog ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts cannot be publicly verified when not included in a log diff --git a/doc/cosign_verify.md b/doc/cosign_verify.md index 42ee11c7b28..ef47b2d7bbc 100644 --- a/doc/cosign_verify.md +++ b/doc/cosign_verify.md 
@@ -90,7 +90,7 @@ cosign verify [flags] --certificate-oidc-issuer string The OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows. --certificate-oidc-issuer-regexp string A regular expression alternative to --certificate-oidc-issuer. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows. --check-claims whether to check the claims found (default true) - --experimental-oci11 set to true to enable experimental OCI 1.1 behaviour + --experimental-oci11 set to true to enable experimental OCI 1.1 behaviour (unrelated to bundle format) -h, --help help for verify --insecure-ignore-sct when set, verification will not check that a certificate contains an embedded SCT, a proof of inclusion in a certificate transparency log --insecure-ignore-tlog ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts cannot be publicly verified when not included in a log diff --git a/pkg/cosign/bundle/protobundle.go b/pkg/cosign/bundle/protobundle.go index a26e2fb2bb7..93f7191a971 100644 --- a/pkg/cosign/bundle/protobundle.go +++ b/pkg/cosign/bundle/protobundle.go 
@@ -15,11 +15,22 @@ package bundle import ( + "crypto" + "crypto/sha256" + "crypto/x509" + "encoding/base64" + "encoding/json" + "fmt" + + "github.com/secure-systems-lab/go-securesystemslib/dsse" protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" + protodsse "github.com/sigstore/protobuf-specs/gen/pb-go/dsse" protorekor "github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v1" "github.com/sigstore/rekor/pkg/generated/models" "github.com/sigstore/rekor/pkg/tle" + "github.com/sigstore/sigstore/pkg/cryptoutils" + "google.golang.org/protobuf/encoding/protojson" ) const bundleV03MediaType = "application/vnd.dev.sigstore.bundle.v0.3+json" 
@@ -63,3 +74,63 @@ func MakeProtobufBundle(hint string, rawCert []byte, rekorEntry *models.LogEntry return bundle, nil } + +func MakeNewBundle(pubKey *crypto.PublicKey, rekorEntry *models.LogEntryAnon, payload, sig, signer, timestampBytes []byte) ([]byte, error) { + // Determine if the signer is a certificate or not + var hint string + var rawCert []byte + + if pubKey != nil { + pkixPubKey, err := x509.MarshalPKIXPublicKey(*pubKey) + if err != nil { + return nil, err + } + hashedBytes := sha256.Sum256(pkixPubKey) + hint = base64.StdEncoding.EncodeToString(hashedBytes[:]) + } else { + cert, err := cryptoutils.UnmarshalCertificatesFromPEM(signer) + if err != nil { + return nil, err + } + rawCert = cert[0].Raw + } + + bundle, err := MakeProtobufBundle(hint, rawCert, rekorEntry, timestampBytes) + if err != nil { + return nil, err + } + + var envelope dsse.Envelope + err = json.Unmarshal(sig, &envelope) + if err != nil { + return nil, err + } + + if len(envelope.Signatures) == 0 { + return nil, fmt.Errorf("no signature in DSSE envelope") + } + + sigBytes, err := base64.StdEncoding.DecodeString(envelope.Signatures[0].Sig) + if err != nil { + return nil, err + } + + bundle.Content = &protobundle.Bundle_DsseEnvelope{ + DsseEnvelope: &protodsse.Envelope{ + Payload: payload, + PayloadType: envelope.PayloadType, + Signatures: []*protodsse.Signature{ + { + Sig: sigBytes, + }, + }, + }, + } + + contents, err := protojson.Marshal(bundle) + if err != nil { + return nil, err + } + + return contents, nil +} diff --git a/pkg/cosign/tsa.go b/pkg/cosign/tsa.go index c2032f396e8..425639e4625 100644 --- a/pkg/cosign/tsa.go +++ b/pkg/cosign/tsa.go @@ -18,9 +18,12 @@ import ( "bytes" "context" "crypto/x509" + "encoding/base64" + "encoding/json" "fmt" "os" + "github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/sigstore/cosign/v2/pkg/cosign/env" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/tuf" 
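Review bot: In the `else` branch of `MakeNewBundle`, `cert[0].Raw` is read after checking only `err != nil`; the removed copy of this function in cmd/cosign/cli/attest also checked `len(cert) == 0`, and `UnmarshalCertificatesFromPEM` can plausibly return an empty slice with a nil error for PEM input containing no CERTIFICATE block, which would now panic with an index out of range. Restore the guard, e.g. after the error check add `if len(cert) == 0 { return nil, fmt.Errorf("no certificate found in signer bytes") }`. The branch order has also been inverted relative to the removed version (key hint is now preferred whenever `pubKey != nil`), which is worth a comment on the parameter so callers know that passing a non-nil `pubKey` suppresses certificate inclusion. As an exported function it should carry a doc comment, e.g. `// MakeNewBundle builds a protobuf Sigstore bundle carrying the DSSE envelope in sig, its payload, an optional Rekor entry and RFC 3161 timestamp, identified by a key hint when pubKey is non-nil or by the PEM certificate in signer otherwise.`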
@@ -152,3 +155,15 @@ func splitPEMCertificateChain(pem []byte) (leaves, intermediates, roots []*x509. return leaves, intermediates, roots, nil } + +func GetDSSESigBytes(envelopeBytes []byte) ([]byte, error) { + var envelope dsse.Envelope + err := json.Unmarshal(envelopeBytes, &envelope) + if err != nil { + return nil, err + } + if len(envelope.Signatures) == 0 { + return nil, fmt.Errorf("envelope has no signatures") + } + return base64.StdEncoding.DecodeString(envelope.Signatures[0].Sig) +} diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go index cbfb5d6e5d3..b4ccf3abc2e 100644 --- a/pkg/cosign/verify.go +++ b/pkg/cosign/verify.go @@ -248,9 +248,9 @@ func (co *CheckOpts) verificationOptions() (trustedMaterial root.TrustedMaterial if !co.IgnoreTlog { verifierOptions = append(verifierOptions, verify.WithTransparencyLog(1)) - // Verifying a Fulcio certificate and no signed timestamp will be provided, so - // use the timestamp from the log. For Rekor v2, a signed timestamp must be provided. - if !co.UseSignedTimestamps && co.SigVerifier == nil { + // If you aren't using a signed timestamp, use the time from the transparency log. + // For Rekor v2, a signed timestamp must be provided. + if !co.UseSignedTimestamps { verifierOptions = append(verifierOptions, verify.WithIntegratedTimestamps(1)) } } diff --git a/pkg/types/predicate.go b/pkg/types/predicate.go new file mode 100644 index 00000000000..8a187192018 --- /dev/null +++ b/pkg/types/predicate.go 
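Review bot: `GetDSSESigBytes` is now exported from pkg/cosign without a doc comment, and its most important property, that it returns only `Signatures[0]` and ignores any further signatures, is exactly what a caller needs to know, so add `// GetDSSESigBytes returns the base64-decoded bytes of the first signature in a JSON-encoded DSSE envelope; additional signatures in the envelope are ignored.` The same unmarshal-check-decode sequence is re-implemented inside `MakeNewBundle` in this commit; that code still needs `envelope.PayloadType`, but the signature-extraction part could call this helper so the "first signature only" rule lives in one place.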
@@ -0,0 +1,20 @@ +// +// Copyright 2021 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package types //nolint: revive // that is a valid package name :) + +const ( + CosignSignPredicateType = "https://sigstore.dev/cosign/sign/v1" +) diff --git a/test/e2e_test.go b/test/e2e_test.go index 3c34f841eb8..49d5c52d594 100644 --- a/test/e2e_test.go +++ b/test/e2e_test.go @@ -573,17 +573,19 @@ func prepareTrustedRoot(t *testing.T, tsaURL string) string { home, err := os.UserHomeDir() must(err, t) must(copyFile(filepath.Join(home, "fulcio", "config", "ctfe", "pubkey.pem"), ctfePath), t) - tsaPath := filepath.Join(downloadDirectory, "tsa.crt.pem") - tsaFP, err := os.Create(tsaPath) - must(err, t) - must(downloadFile(tsaURL+"/api/v1/timestamp/certchain", tsaFP), t) out := filepath.Join(downloadDirectory, "trusted_root.json") cmd := &trustedroot.CreateCmd{ - CertChain: []string{caPath}, - CtfeKeyPath: []string{ctfePath}, - Out: out, - RekorKeyPath: []string{rekorPath}, - TSACertChainPath: []string{tsaPath}, + CertChain: []string{caPath}, + CtfeKeyPath: []string{ctfePath}, + Out: out, + RekorKeyPath: []string{rekorPath}, + } + if tsaURL != "" { + tsaPath := filepath.Join(downloadDirectory, "tsa.crt.pem") + tsaFP, err := os.Create(tsaPath) + must(err, t) + must(downloadFile(tsaURL+"/api/v1/timestamp/certchain", tsaFP), t) + cmd.TSACertChainPath = []string{tsaPath} } must(cmd.Exec(context.TODO()), t) return out 
@@ -967,6 +969,82 @@ func TestSignVerifyWithSigningConfig(t *testing.T) { must(err, t) } +func TestSignVerifyBundle(t *testing.T) { + td := t.TempDir() + repo, stop := reg(t) + defer stop() + + imgName := path.Join(repo, "cosign-e2e") + + _, _, cleanup := mkimage(t, imgName) + defer cleanup() + + _, privKeyPath, pubKeyPath := keypair(t, td) + + ctx := context.Background() + + // Sign image with key in bundle format + ko := options.KeyOpts{ + KeyRef: privKeyPath, + PassFunc: passFunc, + RekorURL: rekorURL, + SkipConfirmation: true, + } + so := options.SignOptions{ + Upload: true, + NewBundleFormat: true, + TlogUpload: true, + } + must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + + // Verify bundle + trustedRootPath := prepareTrustedRoot(t, "") + + cmd := cliverify.VerifyCommand{ + CommonVerifyOptions: options.CommonVerifyOptions{ + TrustedRootPath: trustedRootPath, + }, + KeyRef: pubKeyPath, + NewBundleFormat: true, + UseSignedTimestamps: false, + } + + args := []string{imgName} + must(cmd.Exec(ctx, args), t) + + // Sign image with Fulcio + identityToken, err := getOIDCToken() + if err != nil { + t.Fatal(err) + } + + ko = options.KeyOpts{ + IDToken: identityToken, + FulcioURL: fulcioURL, + RekorURL: rekorURL, + SkipConfirmation: true, + } + so = options.SignOptions{ + Upload: true, + NewBundleFormat: true, + TlogUpload: true, + } + must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + + // Verify Fulcio-signed image + cmd = cliverify.VerifyCommand{ + CertVerifyOptions: options.CertVerifyOptions{ + CertOidcIssuer: os.Getenv("OIDC_URL"), + CertIdentityRegexp: ".+", + }, + CommonVerifyOptions: options.CommonVerifyOptions{ + TrustedRootPath: trustedRootPath, + }, + NewBundleFormat: true, + UseSignedTimestamps: false, + } +} + func TestAttestVerify(t *testing.T) { for _, newBundleFormat := range []bool{false, true} { attestVerify(t, From fbea0dd48a86fba5b8381a0c622ed27addc4823c Mon Sep 17 00:00:00 2001 
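Review bot: In `TestSignVerifyBundle`, the second `VerifyCommand` (the "Verify Fulcio-signed image" step) is constructed and then never executed, so the keyless bundle path is signed but never verified by this test; add `must(cmd.Exec(ctx, args), t)` after the struct literal, mirroring the key-based step above it. This matters because the sign-side change in this same commit decides between key hint and certificate based on whether `sv.PublicKey()` succeeds, and a run of this step is the only e2e signal that a Fulcio-signed bundle actually verifies. Note that after the second `SignCmd` the image carries both a key-signed and a Fulcio-signed bundle, so the test would also confirm that verification tolerates multiple bundle attestations on one image.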
From: Carlos Tadeu Panato Junior Date: Fri, 8 Aug 2025 17:22:15 +0200 Subject: [PATCH 010/136] bump golangci-lint to v2.3.x (#4333) Signed-off-by: Carlos Panato --- .github/workflows/golangci-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index e78b11219bc..c996533577e 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -41,7 +41,7 @@ jobs: - name: golangci-lint uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0 with: - version: v2.2 + version: v2.3 golangci-test-e2e: name: lint-test-e2e From 1059a8007c0d25d01bc838ab05de12bfa4091bcf Mon Sep 17 00:00:00 2001 From: Carlos Tadeu Panato Junior Date: Fri, 8 Aug 2025 17:22:47 +0200 Subject: [PATCH 011/136] update builder to use go1.24.6 (#4334) Signed-off-by: Carlos Panato --- .github/workflows/validate-release.yml | 8 ++++---- release/cloudbuild.yaml | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml index 7def77f8458..73b3bb25990 100644 --- a/.github/workflows/validate-release.yml +++ b/.github/workflows/validate-release.yml 
@@ -26,14 +26,14 @@ jobs: check-signature: runs-on: ubuntu-latest container: - image: ghcr.io/sigstore/cosign/cosign:v2.5.2-dev@sha256:14a20131240190350e18f002bdd61345d2803eff370913737392281e834ee22a + image: ghcr.io/sigstore/cosign/cosign:v2.5.3-dev@sha256:fe84ab87222b60d2d87f5efcb8ef3cfd895897c088fbeb973280689c81aedff1 steps: - name: Check Signature run: | - cosign verify ghcr.io/gythialy/golang-cross:v1.24.5-0@sha256:492c51e60ed27ff597511b0a24e6c5acb6e3e2e97bb68d7bd35f81a7e3dfa4d0 \ + cosign verify ghcr.io/gythialy/golang-cross:v1.24.6-0@sha256:961353cc71207c6c50db62a1e01275f3e809493bea34861c4de199f5dc17d665 \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ - --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.24.5-0" + --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.24.6-0" env: TUF_ROOT: /tmp @@ -43,7 +43,7 @@ jobs: - check-signature container: - image: ghcr.io/gythialy/golang-cross:v1.24.5-0@sha256:492c51e60ed27ff597511b0a24e6c5acb6e3e2e97bb68d7bd35f81a7e3dfa4d0 + image: ghcr.io/gythialy/golang-cross:v1.24.6-0@sha256:961353cc71207c6c50db62a1e01275f3e809493bea34861c4de199f5dc17d665 volumes: - /usr:/host_usr - /opt:/host_opt diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml index 0edc5bda010..ae2eda64c63 100644 --- a/release/cloudbuild.yaml +++ b/release/cloudbuild.yaml 
@@ -32,20 +32,20 @@ steps: echo "Checking out ${_GIT_TAG}" git checkout ${_GIT_TAG} - - name: 'ghcr.io/sigstore/cosign/cosign:v2.5.2-dev@sha256:14a20131240190350e18f002bdd61345d2803eff370913737392281e834ee22a' + - name: 'ghcr.io/sigstore/cosign/cosign:v2.5.3-dev@sha256:fe84ab87222b60d2d87f5efcb8ef3cfd895897c088fbeb973280689c81aedff1' dir: "go/src/sigstore/cosign" env: - TUF_ROOT=/tmp args: - 'verify' - - 'ghcr.io/gythialy/golang-cross:v1.24.5-0@sha256:492c51e60ed27ff597511b0a24e6c5acb6e3e2e97bb68d7bd35f81a7e3dfa4d0' + - 'ghcr.io/gythialy/golang-cross:v1.24.6-0@sha256:961353cc71207c6c50db62a1e01275f3e809493bea34861c4de199f5dc17d665' - '--certificate-oidc-issuer' - "https://token.actions.githubusercontent.com" - '--certificate-identity' - - "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.24.5-0" + - "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.24.6-0" # maybe we can build our own image and use that to be more in a safe side - - name: ghcr.io/gythialy/golang-cross:v1.24.5-0@sha256:492c51e60ed27ff597511b0a24e6c5acb6e3e2e97bb68d7bd35f81a7e3dfa4d0 + - name: ghcr.io/gythialy/golang-cross:v1.24.6-0@sha256:961353cc71207c6c50db62a1e01275f3e809493bea34861c4de199f5dc17d665 entrypoint: /bin/sh dir: "go/src/sigstore/cosign" env: @@ -68,7 +68,7 @@ steps: gcloud auth configure-docker \ && make release - - name: ghcr.io/gythialy/golang-cross:v1.24.5-0@sha256:492c51e60ed27ff597511b0a24e6c5acb6e3e2e97bb68d7bd35f81a7e3dfa4d0 + - name: ghcr.io/gythialy/golang-cross:v1.24.6-0@sha256:961353cc71207c6c50db62a1e01275f3e809493bea34861c4de199f5dc17d665 entrypoint: 'bash' dir: "go/src/sigstore/cosign" env: From 18040e1217d79fc138d0c5c39ea95f62b3216de8 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Aug 2025 09:18:02 +0200 Subject: [PATCH 012/136] chore(deps): bump actions/checkout from 4.2.2 to 5.0.0 (#4338) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/11bd71901bbe5b1630ceea73d27597364c9af683...08c6903cd8c0fde910a37f88322edcfb5dd907a8) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build.yaml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/conformance-nightly.yml | 2 +- .github/workflows/conformance.yml | 2 +- .github/workflows/donotsubmit.yaml | 2 +- .github/workflows/e2e-tests.yml | 8 ++++---- .github/workflows/e2e-with-binary.yml | 2 +- .github/workflows/github-oidc.yaml | 2 +- .github/workflows/golangci-lint.yml | 4 ++-- .github/workflows/kind-verify-attestation.yaml | 2 +- .github/workflows/scorecard-action.yml | 2 +- .github/workflows/tests.yaml | 8 ++++---- .github/workflows/validate-release.yml | 2 +- .github/workflows/verify-docgen.yaml | 2 +- .github/workflows/whitespace.yaml | 2 +- 15 files changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 227a834bb1e..37f4bb9a8a6 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -44,7 +44,7 @@ jobs: packages: write steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false 
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index b9ec879d307..075f708e135 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -51,7 +51,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false diff --git a/.github/workflows/conformance-nightly.yml b/.github/workflows/conformance-nightly.yml index 29b8590970a..ef8bc49618a 100644 --- a/.github/workflows/conformance-nightly.yml +++ b/.github/workflows/conformance-nightly.yml @@ -27,7 +27,7 @@ jobs: conformance: runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index d64220099de..30ee8c0afcd 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -29,7 +29,7 @@ jobs: conformance: runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml index fba338830e0..70367489c53 100644 --- a/.github/workflows/donotsubmit.yaml +++ b/.github/workflows/donotsubmit.yaml @@ -35,7 +35,7 @@ jobs: steps: - name: Check out code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v2.4.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v2.4.0 with: persist-credentials: false 
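Review bot: In the `.github/workflows/donotsubmit.yaml` hunk the new pin `uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v2.4.0` keeps a version comment that matches neither the old SHA (v4.2.2 per the other files) nor the new one, while every other workflow in this commit is annotated `# v5.0.0`. The trailing comment is the only human-readable record of which release a SHA pin corresponds to, so a wrong one undermines the audit value of pinning by digest and it looks like the bot left it untouched because the format (`#v2.4.0`, no space) differs from the others. Suggested line: `uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0`. Since the updated-dependencies trailer marks this as a semver-major bump, confirming once that no workflow relies on behavior that changed between the majors would also be worth recording in the PR.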
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 04589e57cee..29553388231 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -39,7 +39,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 @@ -54,7 +54,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 @@ -89,7 +89,7 @@ jobs: SCAFFOLDING_RELEASE_VERSION: "v0.7.24" steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false @@ -121,7 +121,7 @@ jobs: SCAFFOLDING_RELEASE_VERSION: "v0.7.24" steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 diff --git a/.github/workflows/e2e-with-binary.yml b/.github/workflows/e2e-with-binary.yml index ccb4ae7cc4f..67b18a83990 100644 --- a/.github/workflows/e2e-with-binary.yml +++ b/.github/workflows/e2e-with-binary.yml @@ -48,7 +48,7 @@ jobs: COSIGN_YES: "true" steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 
diff --git a/.github/workflows/github-oidc.yaml b/.github/workflows/github-oidc.yaml index e9a837fa96c..d9ea4bc605a 100644 --- a/.github/workflows/github-oidc.yaml +++ b/.github/workflows/github-oidc.yaml @@ -48,7 +48,7 @@ jobs: KO_PREFIX: ghcr.io/${{ github.repository }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index c996533577e..d78bfd0d8e6 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -31,7 +31,7 @@ jobs: contents: read steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 @@ -51,7 +51,7 @@ jobs: contents: read steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml index 5d657a9bd77..82ebeae02a8 100644 --- a/.github/workflows/kind-verify-attestation.yaml +++ b/.github/workflows/kind-verify-attestation.yaml @@ -53,7 +53,7 @@ jobs: COSIGN_YES: "true" steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 
diff --git a/.github/workflows/scorecard-action.yml b/.github/workflows/scorecard-action.yml index 3083085cf82..ece453c92dc 100644 --- a/.github/workflows/scorecard-action.yml +++ b/.github/workflows/scorecard-action.yml @@ -40,7 +40,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index c5fb927a9f5..0cd02dc423e 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -41,7 +41,7 @@ jobs: OS: ${{ matrix.os }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds @@ -81,7 +81,7 @@ jobs: contents: read steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false # Related to https://github.com/sigstore/cosign/issues/3149 @@ -177,7 +177,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 @@ -207,7 +207,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 
diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml index 73b3bb25990..ec9277d1ab5 100644 --- a/.github/workflows/validate-release.yml +++ b/.github/workflows/validate-release.yml @@ -51,7 +51,7 @@ jobs: permissions: {} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false diff --git a/.github/workflows/verify-docgen.yaml b/.github/workflows/verify-docgen.yaml index 79d81f15d87..8bd4ed323d7 100644 --- a/.github/workflows/verify-docgen.yaml +++ b/.github/workflows/verify-docgen.yaml @@ -36,7 +36,7 @@ jobs: steps: - name: deps run: sudo apt-get update && sudo apt-get install -yq libpcsclite-dev - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 diff --git a/.github/workflows/whitespace.yaml b/.github/workflows/whitespace.yaml index e01756c72e8..e9d0fd972aa 100644 --- a/.github/workflows/whitespace.yaml +++ b/.github/workflows/whitespace.yaml @@ -34,7 +34,7 @@ jobs: steps: - name: Check out code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false From 4702fb83f8e62b12ec64ec8761afa71e1618a219 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Aug 2025 13:16:13 +0200 Subject: [PATCH 013/136] chore(deps): bump the actions group with 3 updates (#4345) Bumps the actions group with 3 updates: [actions/cache](https://github.com/actions/cache), [sigstore/sigstore-conformance](https://github.com/sigstore/sigstore-conformance) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `actions/cache` from 4.2.3 to 4.2.4 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/5a3ec84eff668545956fd18022155c47e93e2684...0400d5f644dc74513175e3cd8d07132dd4860809) Updates `sigstore/sigstore-conformance` from 0.0.18 to 0.0.19 - [Release notes](https://github.com/sigstore/sigstore-conformance/releases) - [Commits](https://github.com/sigstore/sigstore-conformance/compare/fd90e6b0f3046f2276a6659481de6df495dea3b9...a7ac671d8e55553de127c8b1ad96d8d416315e83) Updates `chainguard-dev/actions` from 1.4.8 to 1.4.9 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](https://github.com/chainguard-dev/actions/compare/df684a72f67ce7eecd78098365cb5057f16be3b1...b1933e3d1f574c772dc7efd68c2060dafbc25e8c) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 4.2.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: sigstore/sigstore-conformance dependency-version: 0.0.19 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: chainguard-dev/actions dependency-version: 1.4.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/conformance.yml | 2 +- .github/workflows/donotsubmit.yaml | 2 +- .github/workflows/e2e-tests.yml | 2 +- .github/workflows/kind-verify-attestation.yaml | 2 +- .github/workflows/tests.yaml | 8 ++++---- .github/workflows/whitespace.yaml | 4 ++-- 7 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 075f708e135..d753a485d93 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -56,7 +56,7 @@ jobs: persist-credentials: false - name: Utilize Go Module Cache - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: | ~/go/pkg/mod diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 30ee8c0afcd..20a53cbc5a8 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -39,6 +39,6 @@ jobs: - run: make cosign conformance - - uses: sigstore/sigstore-conformance@fd90e6b0f3046f2276a6659481de6df495dea3b9 # v0.0.18 + - uses: sigstore/sigstore-conformance@a7ac671d8e55553de127c8b1ad96d8d416315e83 # v0.0.19 with: entrypoint: ${{ github.workspace }}/conformance diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml index 70367489c53..9b684602eb3 100644 --- a/.github/workflows/donotsubmit.yaml +++ b/.github/workflows/donotsubmit.yaml @@ -40,4 +40,4 @@ jobs: persist-credentials: false - name: Do Not Submit - uses: chainguard-dev/actions/donotsubmit@df684a72f67ce7eecd78098365cb5057f16be3b1 # v1.4.8 + uses: chainguard-dev/actions/donotsubmit@b1933e3d1f574c772dc7efd68c2060dafbc25e8c # v1.4.9 
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 29553388231..bc7e3255f14 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -220,4 +220,4 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@df684a72f67ce7eecd78098365cb5057f16be3b1 # v1.4.8 + uses: chainguard-dev/actions/kind-diag@b1933e3d1f574c772dc7efd68c2060dafbc25e8c # v1.4.9 diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml index 82ebeae02a8..3edd70b5543 100644 --- a/.github/workflows/kind-verify-attestation.yaml +++ b/.github/workflows/kind-verify-attestation.yaml @@ -156,7 +156,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@df684a72f67ce7eecd78098365cb5057f16be3b1 # v1.4.8 + uses: chainguard-dev/actions/kind-diag@b1933e3d1f574c772dc7efd68c2060dafbc25e8c # v1.4.9 - name: Create vuln attestation for it run: | diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 0cd02dc423e..35fc730f502 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -45,7 +45,7 @@ jobs: with: persist-credentials: false # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: # In order: # * Module download cache @@ -138,7 +138,7 @@ jobs: - name: check disk space run: df -h # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: # In order: # * Module download cache 
@@ -169,7 +169,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@df684a72f67ce7eecd78098365cb5057f16be3b1 # v1.4.8 + uses: chainguard-dev/actions/kind-diag@b1933e3d1f574c772dc7efd68c2060dafbc25e8c # v1.4.9 e2e-windows-powershell-tests: name: Run PowerShell E2E tests @@ -186,7 +186,7 @@ jobs: check-latest: true # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: # In order: # * Module download cache diff --git a/.github/workflows/whitespace.yaml b/.github/workflows/whitespace.yaml index e9d0fd972aa..051fcf5a13d 100644 --- a/.github/workflows/whitespace.yaml +++ b/.github/workflows/whitespace.yaml @@ -38,8 +38,8 @@ jobs: with: persist-credentials: false - - uses: chainguard-dev/actions/trailing-space@df684a72f67ce7eecd78098365cb5057f16be3b1 # v1.4.8 + - uses: chainguard-dev/actions/trailing-space@b1933e3d1f574c772dc7efd68c2060dafbc25e8c # v1.4.9 if: ${{ always() }} - - uses: chainguard-dev/actions/eof-newline@df684a72f67ce7eecd78098365cb5057f16be3b1 # v1.4.8 + - uses: chainguard-dev/actions/eof-newline@b1933e3d1f574c772dc7efd68c2060dafbc25e8c # v1.4.9 if: ${{ always() }} From 275f2684e4bf49648e0e2a50a004029c3f823ac0 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Aug 2025 14:13:58 +0200 Subject: [PATCH 014/136] chore(deps): bump github.com/sigstore/sigstore-go (#4340) Bumps [github.com/sigstore/sigstore-go](https://github.com/sigstore/sigstore-go) from 1.1.1-0.20250801180901-37e45ae9c250 to 1.1.1. - [Release notes](https://github.com/sigstore/sigstore-go/releases) - [Commits](https://github.com/sigstore/sigstore-go/commits/v1.1.1) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore-go dependency-version: 1.1.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 463c5e7f81d..0196f9ee067 100644 --- a/go.mod +++ b/go.mod @@ -37,7 +37,7 @@ require ( github.com/sigstore/rekor v1.4.0 github.com/sigstore/rekor-tiles v0.1.7-0.20250624231741-98cd4a77300f github.com/sigstore/sigstore v1.9.5 - github.com/sigstore/sigstore-go v1.1.1-0.20250801180901-37e45ae9c250 + github.com/sigstore/sigstore-go v1.1.1 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5 github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.6-0.20250729224751-181c5d3339b3 diff --git a/go.sum b/go.sum index 60b298c30a7..1be3d33f689 100644 --- a/go.sum +++ b/go.sum 
@@ -1418,8 +1418,8 @@ github.com/sigstore/rekor-tiles v0.1.7-0.20250624231741-98cd4a77300f h1:zaqWahYA
 github.com/sigstore/rekor-tiles v0.1.7-0.20250624231741-98cd4a77300f/go.mod h1:1Epq0PQ73v5Z276rAY241JyaP8gtD64I6sgYIECHPvc=
 github.com/sigstore/sigstore v1.9.5 h1:Wm1LT9yF4LhQdEMy5A2JeGRHTrAWGjT3ubE5JUSrGVU=
 github.com/sigstore/sigstore v1.9.5/go.mod h1:VtxgvGqCmEZN9X2zhFSOkfXxvKUjpy8RpUW39oCtoII=
-github.com/sigstore/sigstore-go v1.1.1-0.20250801180901-37e45ae9c250 h1:Tw7WOXA0vtHfHL0QmF5NWsZtFvYWObtZ0BUhEHe4WBo=
-github.com/sigstore/sigstore-go v1.1.1-0.20250801180901-37e45ae9c250/go.mod h1:97lDVpZVBCTFX114KPAManEsShVe934KyaVhZGhPVBM=
+github.com/sigstore/sigstore-go v1.1.1 h1:S1w6DqVX/lvEC+zFCymmiVc8Lxpa+VXQThcww8Jksqo=
+github.com/sigstore/sigstore-go v1.1.1/go.mod h1:hZANT1PkDy+RcHfXv76T+Lfv7K4AdM/PcuT2IWV2Uq4=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 h1:qp2VFyKuFQvTGmZwk5Q7m5nE4NwnF9tHwkyz0gtWAck=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5/go.mod h1:DKlQjjr+GsWljEYPycI0Sf8URLCk4EbGA9qYjF47j4g=
 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5 h1:CRZcdYn5AOptStsLRAAACudAVmb1qUbhMlzrvm7ju3o=
From c11b6b7037fe4145ef28a24f13827d9d5972071a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Aug 2025 14:14:16 +0200 Subject: [PATCH 015/136] chore(deps): bump the gomod group with 4 updates (#4343) Bumps the gomod group with 4 updates: cuelang.org/go, [github.com/buildkite/agent/v3](https://github.com/buildkite/agent), google.golang.org/protobuf and [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils). Updates `cuelang.org/go` from 0.14.0 to 0.14.1 Updates `github.com/buildkite/agent/v3` from 3.103.0 to 3.103.1 - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](https://github.com/buildkite/agent/compare/v3.103.0...v3.103.1) Updates `google.golang.org/protobuf` from 1.36.6 to 1.36.7 Updates `sigs.k8s.io/release-utils` from 0.12.0 to 0.12.1 - [Release notes](https://github.com/kubernetes-sigs/release-utils/releases) - [Commits](https://github.com/kubernetes-sigs/release-utils/compare/v0.12.0...v0.12.1) --- updated-dependencies: - dependency-name: cuelang.org/go dependency-version: 0.14.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.103.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: google.golang.org/protobuf dependency-version: 1.36.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: sigs.k8s.io/release-utils dependency-version: 0.12.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 42 ++++++++++++++--------------- go.sum | 84 +++++++++++++++++++++++++++++----------------------------- 2 files changed, 63 insertions(+), 63 deletions(-) diff --git a/go.mod b/go.mod index 0196f9ee067..557389f5274 100644 --- a/go.mod +++ b/go.mod @@ -3,10 +3,10 @@ module github.com/sigstore/cosign/v2 go 1.24.3 require ( - cuelang.org/go v0.14.0 + cuelang.org/go v0.14.1 github.com/ThalesIgnite/crypto11 v1.2.5 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 - github.com/buildkite/agent/v3 v3.103.0 + github.com/buildkite/agent/v3 v3.103.1 github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936 @@ -57,12 +57,12 @@ require ( golang.org/x/sync v0.16.0 golang.org/x/term v0.33.0 google.golang.org/api v0.246.0 - google.golang.org/protobuf v1.36.6 + google.golang.org/protobuf v1.36.7 k8s.io/api v0.33.3 k8s.io/apimachinery v0.33.3 k8s.io/client-go v0.33.3 k8s.io/utils v0.0.0-20241210054802-24370beab758 - sigs.k8s.io/release-utils v0.12.0 + sigs.k8s.io/release-utils v0.12.1 ) require ( @@ -81,7 +81,7 @@ require ( filippo.io/edwards25519 v1.1.0 // indirect github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 // indirect github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 // indirect 
@@ -115,26 +115,26 @@ require ( github.com/aliyun/credentials-go v1.3.2 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect github.com/avast/retry-go/v4 v4.6.1 // indirect - github.com/aws/aws-sdk-go v1.55.7 // indirect - github.com/aws/aws-sdk-go-v2 v1.36.6 // indirect - github.com/aws/aws-sdk-go-v2/config v1.29.18 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.17.71 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.33 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.37 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.37 // indirect + github.com/aws/aws-sdk-go v1.55.8 // indirect + github.com/aws/aws-sdk-go-v2 v1.37.1 // indirect + github.com/aws/aws-sdk-go-v2/config v1.30.2 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.18.2 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.1 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.1 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.1 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 // indirect github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.18 // indirect - github.com/aws/aws-sdk-go-v2/service/kms v1.41.3 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.25.6 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.4 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.34.1 // indirect - github.com/aws/smithy-go v1.22.4 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.1 // indirect + github.com/aws/aws-sdk-go-v2/service/kms v1.42.1 // indirect + 
github.com/aws/aws-sdk-go-v2/service/sso v1.26.1 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.31.1 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.35.1 // indirect + github.com/aws/smithy-go v1.22.5 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver v3.5.1+incompatible // indirect - github.com/buildkite/go-pipeline v0.14.0 // indirect + github.com/buildkite/go-pipeline v0.15.0 // indirect github.com/buildkite/interpolate v0.1.5 // indirect github.com/buildkite/roko v1.3.1 // indirect github.com/cenkalti/backoff/v4 v4.3.0 // indirect @@ -179,7 +179,7 @@ require ( github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.5.2 // indirect - github.com/golang-jwt/jwt/v5 v5.2.2 // indirect + github.com/golang-jwt/jwt/v5 v5.2.3 // indirect github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect github.com/golang/snappy v0.0.4 // indirect github.com/google/gnostic-models v0.6.9 // indirect diff --git a/go.sum b/go.sum index 1be3d33f689..45fca3b7fc3 100644 --- a/go.sum +++ b/go.sum 
@@ -622,8 +622,8 @@ cloud.google.com/go/workflows v1.9.0/go.mod h1:ZGkj1aFIOd9c8Gerkjjq7OW7I5+l6cSvT
 cloud.google.com/go/workflows v1.10.0/go.mod h1:fZ8LmRmZQWacon9UCX1r/g/DfAXx5VcPALq2CxzdePw=
 cuelabs.dev/go/oci/ociregistry v0.0.0-20250715075730-49cab49c8e9d h1:lX0EawyoAu4kgMJJfy7MmNkIHioBcdBGFRSKDZ+CWo0=
 cuelabs.dev/go/oci/ociregistry v0.0.0-20250715075730-49cab49c8e9d/go.mod h1:4WWeZNxUO1vRoZWAHIG0KZOd6dA25ypyWuwD3ti0Tdc=
-cuelang.org/go v0.14.0 h1:OvkDGmfiTCxoHhVs1tR/6Z96XbupB8oR2DNoIW068bQ=
-cuelang.org/go v0.14.0/go.mod h1:aSP9UZUM5m2izHAHUvqtq0wTlWn5oLjuv2iBMQZBLLs=
+cuelang.org/go v0.14.1 h1:kxFAHr7bvrCikbtVps2chPIARazVdnRmlz65dAzKyWg=
+cuelang.org/go v0.14.1/go.mod h1:aSP9UZUM5m2izHAHUvqtq0wTlWn5oLjuv2iBMQZBLLs=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
@@ -635,8 +635,8 @@ github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0
 github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0/go.mod h1:tlqp9mUGbsP+0z3Q+c0Q5MgSdq/OMwQhm5bffR3Q3ss=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 h1:Gt0j3wceWMwPmiazCa8MzMA0MfhmPIz0Qp0FJ6qcM0U=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0/go.mod h1:Ot/6aikWnKWi4l9QB7qVSwa8iMphQNqkWALMoNT3rzM=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.1 h1:Wc1ml6QlJs2BHQ/9Bqu1jiyggbsSjramq2oUmp5WeIo=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.1/go.mod h1:Ot/6aikWnKWi4l9QB7qVSwa8iMphQNqkWALMoNT3rzM=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1 h1:B+blDbyVIG3WaikNxPnhPiJ1MThR03b3vKGtER95TP4=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1/go.mod h1:JdM5psgjfBf5fo2uWOZhflPWyDBZ/O/CNAH9CtsuZE4=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY=
@@ -757,40 +757,40 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/avast/retry-go/v4 v4.6.1 h1:VkOLRubHdisGrHnTu89g08aQEWEgRU7LVEop3GbIcMk=
 github.com/avast/retry-go/v4 v4.6.1/go.mod h1:V6oF8njAwxJ5gRo1Q7Cxab24xs5NCWZBeaHHBklR8mA=
-github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE=
-github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
-github.com/aws/aws-sdk-go-v2 v1.36.6 h1:zJqGjVbRdTPojeCGWn5IR5pbJwSQSBh5RWFTQcEQGdU=
-github.com/aws/aws-sdk-go-v2 v1.36.6/go.mod h1:EYrzvCCN9CMUTa5+6lf6MM4tq3Zjp8UhSGR/cBsjai0=
-github.com/aws/aws-sdk-go-v2/config v1.29.18 h1:x4T1GRPnqKV8HMJOMtNktbpQMl3bIsfx8KbqmveUO2I=
-github.com/aws/aws-sdk-go-v2/config v1.29.18/go.mod h1:bvz8oXugIsH8K7HLhBv06vDqnFv3NsGDt2Znpk7zmOU=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.71 h1:r2w4mQWnrTMJjOyIsZtGp3R3XGY3nqHn8C26C2lQWgA=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.71/go.mod h1:E7VF3acIup4GB5ckzbKFrCK0vTvEQxOxgdq4U3vcMCY=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.33 h1:D9ixiWSG4lyUBL2DDNK924Px9V/NBVpML90MHqyTADY=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.33/go.mod h1:caS/m4DI+cij2paz3rtProRBI4s/+TCiWoaWZuQ9010=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.37 h1:osMWfm/sC/L4tvEdQ65Gri5ZZDCUpuYJZbTTDrsn4I0=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.37/go.mod h1:ZV2/1fbjOPr4G4v38G3Ww5TBT4+hmsK45s/rxu1fGy0=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.37 h1:v+X21AvTb2wZ+ycg1gx+orkB/9U6L7AOp93R7qYxsxM=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.37/go.mod h1:G0uM1kyssELxmJ2VZEfG0q2npObR3BAkF3c1VsfVnfs=
+github.com/aws/aws-sdk-go v1.55.8 h1:JRmEUbU52aJQZ2AjX4q4Wu7t4uZjOu71uyNmaWlUkJQ=
+github.com/aws/aws-sdk-go v1.55.8/go.mod h1:ZkViS9AqA6otK+JBBNH2++sx1sgxrPKcSzPPvQkUtXk=
+github.com/aws/aws-sdk-go-v2 v1.37.1 h1:SMUxeNz3Z6nqGsXv0JuJXc8w5YMtrQMuIBmDx//bBDY=
+github.com/aws/aws-sdk-go-v2 v1.37.1/go.mod h1:9Q0OoGQoboYIAJyslFyF1f5K1Ryddop8gqMhWx/n4Wg=
+github.com/aws/aws-sdk-go-v2/config v1.30.2 h1:YE1BmSc4fFYqFgN1mN8uzrtc7R9x+7oSWeX8ckoltAw=
+github.com/aws/aws-sdk-go-v2/config v1.30.2/go.mod h1:UNrLGZ6jfAVjgVJpkIxjLufRJqTXCVYOpkeVf83kwBo=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.2 h1:mfm0GKY/PHLhs7KO0sUaOtFnIQ15Qqxt+wXbO/5fIfs=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.2/go.mod h1:v0SdJX6ayPeZFQxgXUKw5RhLpAoZUuynxWDfh8+Eknc=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.1 h1:owmNBboeA0kHKDcdF8KiSXmrIuXZustfMGGytv6OMkM=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.1/go.mod h1:Bg1miN59SGxrZqlP8vJZSmXW+1N8Y1MjQDq1OfuNod8=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.1 h1:ksZXBYv80EFTcgc8OJO48aQ8XDWXIQL7gGasPeCoTzI=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.1/go.mod h1:HSksQyyJETVZS7uM54cir0IgxttTD+8aEoJMPGepHBI=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.1 h1:+dn/xF/05utS7tUhjIcndbuaPjfll2LhbH1cCDGLYUQ=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.1/go.mod h1:hyAGz30LHdm5KBZDI58MXx5lDVZ5CUfvfTZvMu4HCZo=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
 github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 h1:Bwzh202Aq7/MYnAjXA9VawCf6u+hjwMdoYmZ4HYsdf8=
 github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1/go.mod h1:xZzWl9AXYa6zsLLH41HBFW8KRKJRIzlGmvSM0mVMIX4=
 github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 h1:XJ/AEFYj9VFPJdF+VFi4SUPEDfz1akHwxxm07JfZJcs=
 github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2/go.mod h1:JUBHdhvKbbKmhaHjLsKJAWnQL80T6nURmhB/LEprV+4=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 h1:CXV68E2dNqhuynZJPB80bhPQwAKqBWVer887figW6Jc=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4/go.mod h1:/xFi9KtvBXP97ppCz1TAEvU1Uf66qvid89rbem3wCzQ=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.18 h1:vvbXsA2TVO80/KT7ZqCbx934dt6PY+vQ8hZpUZ/cpYg=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.18/go.mod h1:m2JJHledjBGNMsLOF1g9gbAxprzq3KjC8e4lxtn+eWg=
-github.com/aws/aws-sdk-go-v2/service/kms v1.41.3 h1:P0mjq/4mqTRA8SlS/4jL946RBW287kkKI/fazTTDJ3E=
-github.com/aws/aws-sdk-go-v2/service/kms v1.41.3/go.mod h1:79gw7fH6dqzJz3a5qwDnQv5GDPs8b6eJIb9hJ+/c/YU=
-github.com/aws/aws-sdk-go-v2/service/sso v1.25.6 h1:rGtWqkQbPk7Bkwuv3NzpE/scwwL9sC1Ul3tn9x83DUI=
-github.com/aws/aws-sdk-go-v2/service/sso v1.25.6/go.mod h1:u4ku9OLv4TO4bCPdxf4fA1upaMaJmP9ZijGk3AAOC6Q=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.4 h1:OV/pxyXh+eMA0TExHEC4jyWdumLxNbzz1P0zJoezkJc=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.4/go.mod h1:8Mm5VGYwtm+r305FfPSuc+aFkrypeylGYhFim6XEPoc=
-github.com/aws/aws-sdk-go-v2/service/sts v1.34.1 h1:aUrLQwJfZtwv3/ZNG2xRtEen+NqI3iesuacjP51Mv1s=
-github.com/aws/aws-sdk-go-v2/service/sts v1.34.1/go.mod h1:3wFBZKoWnX3r+Sm7in79i54fBmNfwhdNdQuscCw7QIk=
-github.com/aws/smithy-go v1.22.4 h1:uqXzVZNuNexwc/xrh6Tb56u89WDlJY6HS+KC0S4QSjw=
-github.com/aws/smithy-go v1.22.4/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 h1:6+lZi2JeGKtCraAj1rpoZfKqnQ9SptseRZioejfUOLM=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0/go.mod h1:eb3gfbVIxIoGgJsi9pGne19dhCBpK6opTYpQqAmdy44=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.1 h1:ky79ysLMxhwk5rxJtS+ILd3Mc8kC5fhsLBrP27r6h4I=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.1/go.mod h1:+2MmkvFvPYM1vsozBWduoLJUi5maxFk5B7KJFECujhY=
+github.com/aws/aws-sdk-go-v2/service/kms v1.42.1 h1:YozphKGMWbikYX1H8Cjmh+QUboGA1c/D48m1pBosDmM=
+github.com/aws/aws-sdk-go-v2/service/kms v1.42.1/go.mod h1:I/6K08h6XpKZPzb1jMZb1k5N6HpzLyjS4Z0uBFzvaDc=
+github.com/aws/aws-sdk-go-v2/service/sso v1.26.1 h1:uWaz3DoNK9MNhm7i6UGxqufwu3BEuJZm72WlpGwyVtY=
+github.com/aws/aws-sdk-go-v2/service/sso v1.26.1/go.mod h1:ILpVNjL0BO+Z3Mm0SbEeUoYS9e0eJWV1BxNppp0fcb8=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.31.1 h1:XdG6/o1/ZDmn3wJU5SRAejHaWgKS4zHv0jBamuKuS2k=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.31.1/go.mod h1:oiotGTKadCOCl3vg/tYh4k45JlDF81Ka8rdumNhEnIQ=
+github.com/aws/aws-sdk-go-v2/service/sts v1.35.1 h1:iF4Xxkc0H9c/K2dS0zZw3SCkj0Z7n6AMnUiiyoJND+I=
+github.com/aws/aws-sdk-go-v2/service/sts v1.35.1/go.mod h1:0bxIatfN0aLq4mjoLDeBpOjOke68OsFlXPDFJ7V0MYw=
+github.com/aws/smithy-go v1.22.5 h1:P9ATCXPMb2mPjYBgueqJNCA5S9UfktsW0tTxi+a7eqw=
+github.com/aws/smithy-go v1.22.5/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 h1:6lMw4/QGLFPvbKQ0eri/9Oh3YX5Nm6BPrUlZR8yuJHg=
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1/go.mod h1:EVJOSYOVeoD3VFFZ/dWCAzWJp5wZr9lTOCjW8ejAmO0=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -799,10 +799,10 @@ github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdn
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
-github.com/buildkite/agent/v3 v3.103.0 h1:yzHF1gVuSNHO+fsOyyJun95fx8oTSGQmdudjKTaaW8M=
-github.com/buildkite/agent/v3 v3.103.0/go.mod h1:5N1KWTrYKq7D2k7g10Hit6DnQ0jfjKgE3JPnJVr5teM=
-github.com/buildkite/go-pipeline v0.14.0 h1:TMkFalrkniy2l5wEfmGyckT5kf21akWOY07i4esosAI=
-github.com/buildkite/go-pipeline v0.14.0/go.mod h1:VE37qY3X5pmAKKUMoDZvPsHOQuyakB9cmXj9Qn6QasA=
+github.com/buildkite/agent/v3 v3.103.1 h1:PdbUrGUeQaf4xIaWSXQEYWf4Q6SB9gHUWlC/r6bHHig=
+github.com/buildkite/agent/v3 v3.103.1/go.mod h1:OSoURonIdwLChSvNXxnmywtqD0xnqbFdvgMAkfxTOPg=
+github.com/buildkite/go-pipeline v0.15.0 h1:ae/TEXC/4HhajbED2vKcRL5vZTtb9C71cajzwoBlP8s=
+github.com/buildkite/go-pipeline v0.15.0/go.mod h1:VE37qY3X5pmAKKUMoDZvPsHOQuyakB9cmXj9Qn6QasA=
 github.com/buildkite/interpolate v0.1.5 h1:v2Ji3voik69UZlbfoqzx+qfcsOKLA61nHdU79VV+tPU=
 github.com/buildkite/interpolate v0.1.5/go.mod h1:dHnrwHew5O8VNOAgMDpwRlFnhL5VSN6M1bHVmRZ9Ccc=
 github.com/buildkite/roko v1.3.1 h1:t7K30ceLLYn6k7hQP4oq1c7dVlhgD5nRcuSRDEEnY1s=
@@ -1024,8 +1024,8 @@ github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzw
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
-github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.2.3 h1:kkGXqQOBSDDWRhWNXTFpqGSCMyh/PLnqUvMGJPDJDs0=
+github.com/golang-jwt/jwt/v5 v5.2.3/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
@@ -2283,8 +2283,8 @@ google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/protobuf v1.36.7 h1:IgrO7UwFQGJdRNXH/sQux4R1Dj1WAKcLElzeeRaXV2A=
+google.golang.org/protobuf v1.36.7/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -2376,8 +2376,8 @@ sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8
 sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
-sigs.k8s.io/release-utils v0.12.0 h1:+Z8cEUAaxItrMcTOJ0jtUg3Fm1uNgPNol+VIL6XtQqQ=
-sigs.k8s.io/release-utils v0.12.0/go.mod h1:TveYRPK4Mq6qXA0PJiUMEOlWvvIQG0Mh5APQmHD5JpA=
+sigs.k8s.io/release-utils v0.12.1 h1:3p9w137wBTTApHlL8izdJHcCuaBe8wZhQz+B0QIAaBE=
+sigs.k8s.io/release-utils v0.12.1/go.mod h1:0z7JOb7iQcuDQcemQw5CSVrkH8evRHY0DMMjcyRB1e4=
 sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc=
 sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
From b77ae44dc3cfcc12b6856dd5cd902c6b5a1384bb Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Aug 2025 14:46:57 +0200 Subject: [PATCH 016/136] chore(deps): bump golang.org/x/crypto from 0.40.0 to 0.41.0 (#4339) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.40.0 to 0.41.0. - [Commits](https://github.com/golang/crypto/compare/v0.40.0...v0.41.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.41.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 8 ++++---- go.sum | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/go.mod b/go.mod
index 557389f5274..5b84801ade6 100644
--- a/go.mod
+++ b/go.mod
@@ -52,10 +52,10 @@ require (
 github.com/transparency-dev/merkle v0.0.2
 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1
 gitlab.com/gitlab-org/api/client-go v0.137.0
- golang.org/x/crypto v0.40.0
+ golang.org/x/crypto v0.41.0
 golang.org/x/oauth2 v0.30.0
 golang.org/x/sync v0.16.0
- golang.org/x/term v0.33.0
+ golang.org/x/term v0.34.0
 google.golang.org/api v0.246.0
 google.golang.org/protobuf v1.36.7
 k8s.io/api v0.33.3
@@ -289,8 +289,8 @@ require (
 golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
 golang.org/x/mod v0.26.0 // indirect
 golang.org/x/net v0.42.0 // indirect
- golang.org/x/sys v0.34.0 // indirect
- golang.org/x/text v0.27.0 // indirect
+ golang.org/x/sys v0.35.0 // indirect
+ golang.org/x/text v0.28.0 // indirect
 golang.org/x/time v0.12.0 // indirect
 golang.org/x/tools v0.35.0 // indirect
 google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect
diff --git a/go.sum b/go.sum
index 45fca3b7fc3..76153e6400e 100644
--- a/go.sum
+++ b/go.sum
@@ -1620,8 +1620,8 @@ golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
-golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1891,8 +1891,8 @@ golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
-golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
@@ -1904,8 +1904,8 @@ golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
-golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg=
-golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0=
+golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
+golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1924,8 +1924,8 @@ golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
-golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
+golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
+golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
From 3e8eb0db1c74fc69d902261b32d49dc7a601aaad Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Aug 2025 14:51:46 +0200 Subject: [PATCH 017/136] chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.5 to 4.1.2 (#4341) Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.0.5 to 4.1.2. - [Release notes](https://github.com/go-jose/go-jose/releases) - [Commits](https://github.com/go-jose/go-jose/compare/v4.0.5...v4.1.2) --- updated-dependencies: - dependency-name: github.com/go-jose/go-jose/v4 dependency-version: 4.1.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 5b84801ade6..2ae27651e86 100644
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
 github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936
 github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7
 github.com/dustin/go-humanize v1.0.1
- github.com/go-jose/go-jose/v4 v4.0.5
+ github.com/go-jose/go-jose/v4 v4.1.2
 github.com/go-openapi/runtime v0.28.0
 github.com/go-openapi/strfmt v0.23.0
 github.com/go-openapi/swag v0.23.1
diff --git a/go.sum b/go.sum
index 76153e6400e..76728e98be1 100644
--- a/go.sum
+++ b/go.sum
@@ -965,8 +965,8 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
 github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
-github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
-github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
+github.com/go-jose/go-jose/v4 v4.1.2 h1:TK/7NqRQZfgAh+Td8AlsrvtPoUyiHh0LqVvokh+1vHI=
+github.com/go-jose/go-jose/v4 v4.1.2/go.mod h1:22cg9HWM1pOlnRiY+9cQYJ9XHmya1bYW8OeDM6Ku6Oo=
 github.com/go-latex/latex v0.0.0-20210118124228-b3d85cf34e07/go.mod h1:CO1AlKB2CSIqUrmQPqA0gdRIlnLEY0gK5JGjh37zN5U=
 github.com/go-latex/latex v0.0.0-20210823091927-c0d11ff05a81/go.mod h1:SX0U8uGpxhq9o2S/CELCSUxEWWAuoCUcVCQWv7G2OCk=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
From a2a8ca368673ed7342686a06a7cf2e5ae680c400 Mon Sep 17 00:00:00 2001
From: Zach Steindler Date: Wed, 13 Aug 2025 17:08:20 -0400 Subject: [PATCH 018/136] Fixes to cosign sign / verify for the new bundle format (#4346) * Fixes to cosign sign / verify for the new bundle format Signed-off-by: Zach Steindler * Update function signature to pass crypto.PublicKey directly Signed-off-by: Zach Steindler ---------
Signed-off-by: Zach Steindler
---
 cmd/cosign/cli/attest/attest.go | 8 +++----- cmd/cosign/cli/attest/attest_blob.go | 7 +++---- cmd/cosign/cli/sign/sign.go | 7 +++---- cmd/cosign/cli/verify.go | 1 + pkg/cosign/bundle/protobundle.go | 11 ++++------- test/e2e_test.go | 2 ++ 6 files changed, 16 insertions(+), 20 deletions(-)
diff --git a/cmd/cosign/cli/attest/attest.go b/cmd/cosign/cli/attest/attest.go
index 55b85e9d282..48ad904b656 100644
--- a/cmd/cosign/cli/attest/attest.go
+++ b/cmd/cosign/cli/attest/attest.go
@@ -18,7 +18,6 @@ package attest
 import (
 "bytes"
 "context"
- "crypto"
 _ "crypto/sha256" // for `crypto.SHA256`
 "encoding/json"
 "fmt"
@@ -252,10 +251,9 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error {
 if err != nil {
 return err
 }
- var pubKey *crypto.PublicKey
- pk, err := sv.PublicKey()
- if err == nil {
- pubKey = &pk
+ pubKey, err := sv.PublicKey()
+ if err != nil {
+ return err
 }
 bundleBytes, err := cbundle.MakeNewBundle(pubKey, rekorEntry, payload, signedPayload, signerBytes, timestampBytes)
 if err != nil {
diff --git a/cmd/cosign/cli/attest/attest_blob.go b/cmd/cosign/cli/attest/attest_blob.go
index efec55f9545..9cf69592d71 100644
--- a/cmd/cosign/cli/attest/attest_blob.go
+++ b/cmd/cosign/cli/attest/attest_blob.go
@@ -290,10 +290,9 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 if c.BundlePath != "" {
 var contents []byte
 if c.NewBundleFormat {
- var pubKey *crypto.PublicKey
- pk, err := sv.PublicKey()
- if err == nil {
- pubKey = &pk
+ pubKey, err := sv.PublicKey()
+ if err != nil {
+ return err
 }
 contents, err = cbundle.MakeNewBundle(pubKey, rekorEntry, payload, sig, signer, timestampBytes)
diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
index 7e2e0739142..34e1b20c2a0 100644
--- a/cmd/cosign/cli/sign/sign.go
+++ b/cmd/cosign/cli/sign/sign.go
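Review bot: The new `return err` after `pubKey, err := sv.PublicKey()` in AttestCommand.Exec returns the signer's error without context, so a KMS or key-loading failure surfaces with no indication that bundle construction was the step that needed the public key; `return fmt.Errorf("getting public key from signer: %w", err)` would match how sign.go wraps its other errors (`fmt.Errorf("constructing client options: %w", err)` is visible in its hunk), and attest.go already imports fmt. The same bare return is in the attest_blob.go hunk below and in the sign.go hunk of the next file section. This hunk also turns a previously best-effort lookup (a failed PublicKey() left pubKey nil and MakeNewBundle fell back to the certificate) into a hard failure; that looks intended now that MakeNewBundle takes a plain crypto.PublicKey, but a one-line comment such as `// The public key is required: MakeNewBundle derives the verification-material hint from it when signer is not a certificate.` would record why. Exec starts before and continues after the hunk.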
@@ -305,10 +305,9 @@ func signDigestBundle(ctx context.Context, digest name.Digest, ko options.KeyOpt
 return fmt.Errorf("constructing client options: %w", err)
 }
- var pubKey *crypto.PublicKey
- pk, err := sv.PublicKey()
- if err == nil {
- pubKey = &pk
+ pubKey, err := sv.PublicKey()
+ if err != nil {
+ return err
 }
 bundleBytes, err := cbundle.MakeNewBundle(pubKey, rekorEntry, payload, signedPayload, signerBytes, timestampBytes)
diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go
index af831440c1b..c891e754626 100644
--- a/cmd/cosign/cli/verify.go
+++ b/cmd/cosign/cli/verify.go
@@ -109,6 +109,7 @@ against the transparency log.`,
 v := &verify.VerifyCommand{
 RegistryOptions: o.Registry,
 CertVerifyOptions: o.CertVerify,
+ CommonVerifyOptions: o.CommonVerifyOptions,
 CheckClaims: o.CheckClaims,
 KeyRef: o.Key,
 CertRef: o.CertVerify.Cert,
diff --git a/pkg/cosign/bundle/protobundle.go b/pkg/cosign/bundle/protobundle.go
index 93f7191a971..e1f39584ad6 100644
--- a/pkg/cosign/bundle/protobundle.go
+++ b/pkg/cosign/bundle/protobundle.go
@@ -75,23 +75,20 @@ func MakeProtobufBundle(hint string, rawCert []byte, rekorEntry *models.LogEntry
 return bundle, nil
 }
-func MakeNewBundle(pubKey *crypto.PublicKey, rekorEntry *models.LogEntryAnon, payload, sig, signer, timestampBytes []byte) ([]byte, error) {
+func MakeNewBundle(pubKey crypto.PublicKey, rekorEntry *models.LogEntryAnon, payload, sig, signer, timestampBytes []byte) ([]byte, error) {
 // Determine if the signer is a certificate or not
 var hint string
 var rawCert []byte
- if pubKey != nil {
- pkixPubKey, err := x509.MarshalPKIXPublicKey(*pubKey)
+ cert, err := cryptoutils.UnmarshalCertificatesFromPEM(signer)
+ if err != nil || len(cert) == 0 {
+ pkixPubKey, err := x509.MarshalPKIXPublicKey(pubKey)
 if err != nil {
 return nil, err
 }
 hashedBytes := sha256.Sum256(pkixPubKey)
 hint = base64.StdEncoding.EncodeToString(hashedBytes[:])
 } else {
- cert, err := cryptoutils.UnmarshalCertificatesFromPEM(signer)
- if err != nil {
- return nil, err
- }
 rawCert = cert[0].Raw
 }
diff --git a/test/e2e_test.go b/test/e2e_test.go
index 49d5c52d594..b3c2788f3f2 100644
--- a/test/e2e_test.go
+++ b/test/e2e_test.go
@@ -1043,6 +1043,8 @@ func TestSignVerifyBundle(t *testing.T) {
 NewBundleFormat: true,
 UseSignedTimestamps: false,
 }
+
+ must(cmd.Exec(ctx, args), t)
 }
 func TestAttestVerify(t *testing.T) {
From 36acb301e9b89eb7455d2b576d363a9293415f98 Mon Sep 17 00:00:00 2001
From: Hayden Date: Thu, 14 Aug 2025 10:07:45 -0700 Subject: [PATCH 019/136] Don't require timestamps when verifying with a key (#4337) This supports signing and verification with Rekor v2 with a user-provided signing key. Timestamps will only be required for verifying Fulcio certificates.
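Review bot: The error from `cryptoutils.UnmarshalCertificatesFromPEM(signer)` is now discarded by `if err != nil || len(cert) == 0`, so a malformed certificate PEM silently falls through to the public-key branch and the bundle is built with a key hint instead of the certificate, whereas the removed code returned that parse error. If the fallback is deliberate (signer is a bare key, not a chain, in the key-signing case), a comment on that line should say so, e.g. `// A parse error or an empty chain means signer is a bare public key rather than a certificate; fall back to a key hint.` Since `pubKey` is now a plain interface, a nil key on this branch reaches `x509.MarshalPKIXPublicKey(nil)`, which fails with a generic "unsupported public key type" message; an explicit nil check returning an error naming MakeNewBundle and the missing key would make that misuse easier to diagnose. MakeNewBundle continues past the end of the hunk.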
Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com> Co-authored-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
---
 go.mod | 4 ++-- go.sum | 8 ++++---- pkg/cosign/verify.go | 17 ++++++++++++++--- test/e2e_test.go | 27 +++++++++++++++++++++++++-- 4 files changed, 45 insertions(+), 11 deletions(-)
diff --git a/go.mod b/go.mod
index 2ae27651e86..04736f31da0 100644
--- a/go.mod
+++ b/go.mod
@@ -37,7 +37,7 @@ require (
 github.com/sigstore/rekor v1.4.0
 github.com/sigstore/rekor-tiles v0.1.7-0.20250624231741-98cd4a77300f
 github.com/sigstore/sigstore v1.9.5
- github.com/sigstore/sigstore-go v1.1.1
+ github.com/sigstore/sigstore-go v1.1.2-0.20250811211025-bac873564adb
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5
 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5
 github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.6-0.20250729224751-181c5d3339b3
@@ -287,7 +287,7 @@ require (
 go.uber.org/zap v1.27.0 // indirect
 go.yaml.in/yaml/v2 v2.4.2 // indirect
 golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
- golang.org/x/mod v0.26.0 // indirect
+ golang.org/x/mod v0.27.0 // indirect
 golang.org/x/net v0.42.0 // indirect
 golang.org/x/sys v0.35.0 // indirect
 golang.org/x/text v0.28.0 // indirect
diff --git a/go.sum b/go.sum
index 76728e98be1..8a0ecebc3cd 100644
--- a/go.sum
+++ b/go.sum
@@ -1418,8 +1418,8 @@ github.com/sigstore/rekor-tiles v0.1.7-0.20250624231741-98cd4a77300f h1:zaqWahYA
 github.com/sigstore/rekor-tiles v0.1.7-0.20250624231741-98cd4a77300f/go.mod h1:1Epq0PQ73v5Z276rAY241JyaP8gtD64I6sgYIECHPvc=
 github.com/sigstore/sigstore v1.9.5 h1:Wm1LT9yF4LhQdEMy5A2JeGRHTrAWGjT3ubE5JUSrGVU=
 github.com/sigstore/sigstore v1.9.5/go.mod h1:VtxgvGqCmEZN9X2zhFSOkfXxvKUjpy8RpUW39oCtoII=
-github.com/sigstore/sigstore-go v1.1.1 h1:S1w6DqVX/lvEC+zFCymmiVc8Lxpa+VXQThcww8Jksqo=
-github.com/sigstore/sigstore-go v1.1.1/go.mod h1:hZANT1PkDy+RcHfXv76T+Lfv7K4AdM/PcuT2IWV2Uq4=
+github.com/sigstore/sigstore-go v1.1.2-0.20250811211025-bac873564adb h1:Yy/pIVtUFjyTSAbr+7jIg5YKTaDXsoHAn9/a8DMyAhQ=
+github.com/sigstore/sigstore-go v1.1.2-0.20250811211025-bac873564adb/go.mod h1:kjsxkuzk8dd8bCODeVb9lDSYiMRxxomF3MvBMstHqJM=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 h1:qp2VFyKuFQvTGmZwk5Q7m5nE4NwnF9tHwkyz0gtWAck=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5/go.mod h1:DKlQjjr+GsWljEYPycI0Sf8URLCk4EbGA9qYjF47j4g=
 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5 h1:CRZcdYn5AOptStsLRAAACudAVmb1qUbhMlzrvm7ju3o=
@@ -1681,8 +1681,8 @@ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91
 golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
-golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
index b4ccf3abc2e..d2f1c4163a6 100644
--- a/pkg/cosign/verify.go
+++ b/pkg/cosign/verify.go
@@ -248,17 +248,28 @@ func (co *CheckOpts) verificationOptions() (trustedMaterial root.TrustedMaterial
 if !co.IgnoreTlog {
 verifierOptions = append(verifierOptions, verify.WithTransparencyLog(1))
- // If you aren't using a signed timestamp, use the time from the transparency log.
+ // If you aren't using a signed timestamp, use the time from the transparency log
+ // to verify Fulcio certificates, or require no timestamp to verify a key.
 // For Rekor v2, a signed timestamp must be provided.
 if !co.UseSignedTimestamps {
- verifierOptions = append(verifierOptions, verify.WithIntegratedTimestamps(1))
+ if co.SigVerifier == nil {
+ verifierOptions = append(verifierOptions, verify.WithIntegratedTimestamps(1))
+ } else {
+ verifierOptions = append(verifierOptions, verify.WithNoObserverTimestamps())
+ }
 }
 }
 if co.UseSignedTimestamps {
 verifierOptions = append(verifierOptions, verify.WithSignedTimestamps(1))
 }
+ // A time verification policy must be provided. Without a signed timestamp or integrated timestamp,
+ // verify a certificate with the current time, or require no timestamp to verify a key.
 if co.IgnoreTlog && !co.UseSignedTimestamps {
- verifierOptions = append(verifierOptions, verify.WithCurrentTime())
+ if co.SigVerifier == nil {
+ verifierOptions = append(verifierOptions, verify.WithCurrentTime())
+ } else {
+ verifierOptions = append(verifierOptions, verify.WithNoObserverTimestamps())
+ }
 }
 return vTrustedMaterial, verifierOptions, policyOptions, nil
diff --git a/test/e2e_test.go b/test/e2e_test.go
index b3c2788f3f2..60afa02aef1 100644
--- a/test/e2e_test.go
+++ b/test/e2e_test.go
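Review bot: The retained comment `// For Rekor v2, a signed timestamp must be provided.` is now wrong for the key branch directly under it, where `co.SigVerifier != nil` selects `verify.WithNoObserverTimestamps()` and no timestamp is required at all; the commit message says the Rekor v2 plus user-key case is exactly what is being enabled, so the comment should read `// For Rekor v2, a signed timestamp must be provided to verify a certificate; a key needs no timestamp.` The key-versus-certificate choice is also written twice (both `if co.SigVerifier == nil` blocks), and the four mutually exclusive time policies are easier to audit as one switch, as below, with the `WithTransparencyLog(1)` append left in its own `if !co.IgnoreTlog`. With no observer timestamp a key presumably cannot be checked against any validity window the trusted root may carry for it, which is worth stating next to `WithNoObserverTimestamps()` so operators relying on key rotation know to require a signed timestamp. verificationOptions starts before the hunk.
```go
	if !co.IgnoreTlog {
		verifierOptions = append(verifierOptions, verify.WithTransparencyLog(1))
	}
	// Exactly one time-verification policy is selected. A Fulcio certificate must be
	// checked against an observed time: a signed timestamp, the transparency log's
	// integrated time, or, without a log, the current time. A user-provided key is
	// verified with no observer timestamp.
	// NOTE(review): with no observer timestamp a key's validity period (if the
	// trusted root defines one) cannot be enforced here — confirm that is acceptable.
	switch {
	case co.UseSignedTimestamps:
		verifierOptions = append(verifierOptions, verify.WithSignedTimestamps(1))
	case co.SigVerifier != nil:
		verifierOptions = append(verifierOptions, verify.WithNoObserverTimestamps())
	case !co.IgnoreTlog:
		// For Rekor v2, a signed timestamp must be provided to verify a certificate.
		verifierOptions = append(verifierOptions, verify.WithIntegratedTimestamps(1))
	default:
		verifierOptions = append(verifierOptions, verify.WithCurrentTime())
	}
	// … unchanged: return vTrustedMaterial, verifierOptions, policyOptions, nil …
```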
@@ -1008,10 +1008,34 @@ func TestSignVerifyBundle(t *testing.T) {
 NewBundleFormat: true,
 UseSignedTimestamps: false,
 }
- args := []string{imgName}
 must(cmd.Exec(ctx, args), t)
+ // Sign image with key in bundle format without Rekor
+ _, privKeyPath, pubKeyPath = keypair(t, td)
+ ko = options.KeyOpts{
+ KeyRef: privKeyPath,
+ PassFunc: passFunc,
+ SkipConfirmation: true,
+ }
+ so = options.SignOptions{
+ Upload: true,
+ NewBundleFormat: true,
+ TlogUpload: false,
+ }
+ must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
+ // Verify bundle without Rekor
+ cmd = cliverify.VerifyCommand{
+ CommonVerifyOptions: options.CommonVerifyOptions{
+ TrustedRootPath: trustedRootPath,
+ },
+ KeyRef: pubKeyPath,
+ NewBundleFormat: true,
+ IgnoreTlog: true,
+ UseSignedTimestamps: false,
+ }
+ must(cmd.Exec(ctx, args), t)
+
 // Sign image with Fulcio
 identityToken, err := getOIDCToken()
 if err != nil {
@@ -1043,7 +1067,6 @@ func TestSignVerifyBundle(t *testing.T) {
 NewBundleFormat: true,
 UseSignedTimestamps: false,
 }
- must(cmd.Exec(ctx, args), t)
 }
From 3a2e07606b040b8f082c8a3d886a0ce7f5109124 Mon Sep 17 00:00:00 2001
From: Zach Steindler Date: Mon, 18 Aug 2025 13:34:59 -0400 Subject: [PATCH 020/136] Don't load content from TUF if trusted root path is specified (#4347) That way cosign verify-attestation can work in offline environments. Signed-off-by: Zach Steindler
---
 cmd/cosign/cli/verify/verify_attestation.go | 16 ---------------- 1 file changed, 16 deletions(-)
diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go
index 39baabce400..bb8ac96e057 100644
--- a/cmd/cosign/cli/verify/verify_attestation.go
+++ b/cmd/cosign/cli/verify/verify_attestation.go
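Review bot: The second hunk removes `must(cmd.Exec(ctx, args), t)` at the end of TestSignVerifyBundle, which from the visible lines appears to be the only call that verified the Fulcio-signed bundle configured just above it, so that path is now signed but never verified; if the call was dropped because it fails with the new sigstore-go pin, a `t.Skip` with the reason or a comment naming it would be better than silently losing the assertion. In the first hunk the new key-based verify with `IgnoreTlog: true` covers only the success path; a companion negative case that verifies the same bundle with `IgnoreTlog: false` and expects an error would pin that the transparency-log policy is still enforced for keys now that no timestamp is required. The function starts before the first hunk and the first hunk ends inside it.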
@@ -99,21 +99,6 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 return fmt.Errorf("constructing client options: %w", err)
 }
- trustedMaterial, err := cosign.TrustedRoot()
- if err != nil {
- ui.Warnf(ctx, "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
- }
-
- if options.NOf(c.CertChain, c.CARoots, c.CAIntermediates, c.TSACertChainPath) > 0 ||
- env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) != "" ||
- env.Getenv(env.VariableSigstoreRootFile) != "" ||
- env.Getenv(env.VariableSigstoreRekorPublicKey) != "" ||
- env.Getenv(env.VariableSigstoreTSACertificateFile) != "" {
- // trusted_root.json was found, but a cert chain was explicitly provided, or environment variables point to the key material,
- // so don't overrule the user's intentions.
- trustedMaterial = nil
- }
-
 co := &cosign.CheckOpts{
 RegistryClientOpts: ociremoteOpts,
 CertGithubWorkflowTrigger: c.CertGithubWorkflowTrigger,
@@ -128,7 +113,6 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 MaxWorkers: c.MaxWorkers,
 UseSignedTimestamps: c.TSACertChainPath != "" || c.UseSignedTimestamps,
 NewBundleFormat: c.NewBundleFormat,
- TrustedMaterial: trustedMaterial,
 }
 if c.CheckClaims {
 co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier
From 47b5ffe8a19b25e17bebe5debe017839059fdf66 Mon Sep 17 00:00:00 2001
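Review bot: Both hunks remove the TUF `cosign.TrustedRoot()` lookup and the `TrustedMaterial: trustedMaterial` field from the `CheckOpts` literal unconditionally, whereas the commit title only promises to skip TUF when a trusted root path is specified; from these hunks alone I cannot see where `co.TrustedMaterial` is now populated for the default, no-`--trusted-root` path, so the description should say where that moved, or the code that follows should be checked for it. If loading now happens where the `CheckOpts` are consumed, a one-line comment at `co := &cosign.CheckOpts{`, e.g. `// Trusted material (TUF or a --trusted-root file) is resolved when these options are used, not here.`, would save the next reader the search. The removed precedence rule, `options.NOf(...) > 0 || env.Getenv(...) != ""` forcing `trustedMaterial = nil`, also needs to survive wherever loading now lives, otherwise an explicitly supplied cert chain or environment key file could be overruled by fetched TUF content. Exec continues outside both hunks.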
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Aug 2025 15:24:16 +0200 Subject: [PATCH 021/136] chore(deps): bump google.golang.org/api from 0.246.0 to 0.247.0 (#4353) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.246.0 to 0.247.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.246.0...v0.247.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.247.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 10 +++++----- go.sum | 20 ++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/go.mod b/go.mod index 04736f31da0..0536f7660d1 100644 --- a/go.mod +++ b/go.mod @@ -56,7 +56,7 @@ require ( golang.org/x/oauth2 v0.30.0 golang.org/x/sync v0.16.0 golang.org/x/term v0.34.0 - google.golang.org/api v0.246.0 + google.golang.org/api v0.247.0 google.golang.org/protobuf v1.36.7 k8s.io/api v0.33.3 k8s.io/apimachinery v0.33.3 @@ -68,9 +68,9 @@ require ( require ( cel.dev/expr v0.24.0 // indirect cloud.google.com/go v0.121.2 // indirect - cloud.google.com/go/auth v0.16.3 // indirect + cloud.google.com/go/auth v0.16.4 // indirect cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect - cloud.google.com/go/compute/metadata v0.7.0 // indirect + cloud.google.com/go/compute/metadata v0.8.0 // indirect cloud.google.com/go/iam v1.5.2 // indirect cloud.google.com/go/kms v1.22.0 // indirect cloud.google.com/go/longrunning v0.6.7 // indirect 
@@ -288,14 +288,14 @@ require ( go.yaml.in/yaml/v2 v2.4.2 // indirect golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect golang.org/x/mod v0.27.0 // indirect - golang.org/x/net v0.42.0 // indirect + golang.org/x/net v0.43.0 // indirect golang.org/x/sys v0.35.0 // indirect golang.org/x/text v0.28.0 // indirect golang.org/x/time v0.12.0 // indirect golang.org/x/tools v0.35.0 // indirect google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20250728155136-f173205681a0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b // indirect google.golang.org/grpc v1.74.2 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index 8a0ecebc3cd..5a7c038f969 100644 --- a/go.sum +++ b/go.sum @@ -103,8 +103,8 @@ cloud.google.com/go/assuredworkloads v1.7.0/go.mod h1:z/736/oNmtGAyU47reJgGN+KVo cloud.google.com/go/assuredworkloads v1.8.0/go.mod h1:AsX2cqyNCOvEQC8RMPnoc0yEarXQk6WEKkxYfL6kGIo= cloud.google.com/go/assuredworkloads v1.9.0/go.mod h1:kFuI1P78bplYtT77Tb1hi0FMxM0vVpRC7VVoJC3ZoT0= cloud.google.com/go/assuredworkloads v1.10.0/go.mod h1:kwdUQuXcedVdsIaKgKTp9t0UJkE5+PAVNhdQm4ZVq2E= -cloud.google.com/go/auth v0.16.3 h1:kabzoQ9/bobUmnseYnBO6qQG7q4a/CffFRlJSxv2wCc= -cloud.google.com/go/auth v0.16.3/go.mod h1:NucRGjaXfzP1ltpcQ7On/VTZ0H4kWB5Jy+Y9Dnm76fA= +cloud.google.com/go/auth v0.16.4 h1:fXOAIQmkApVvcIn7Pc2+5J8QTMVbUGLscnSVNl11su8= +cloud.google.com/go/auth v0.16.4/go.mod h1:j10ncYwjX/g3cdX7GpEzsdM+d+ZNsXAbb6qXA7p1Y5M= cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc= cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c= cloud.google.com/go/automl v1.5.0/go.mod h1:34EjfoFGMZ5sgJ9EoLsRtdPSNZLcfflJR39VbVNS2M0= 
@@ -186,8 +186,8 @@ cloud.google.com/go/compute/metadata v0.1.0/go.mod h1:Z1VN+bulIf6bt4P/C37K4DyZYZ cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM= cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= -cloud.google.com/go/compute/metadata v0.7.0 h1:PBWF+iiAerVNe8UCHxdOt6eHLVc3ydFeOCw78U8ytSU= -cloud.google.com/go/compute/metadata v0.7.0/go.mod h1:j5MvL9PprKL39t166CoB1uVHfQMs4tFQZZcKwksXUjo= +cloud.google.com/go/compute/metadata v0.8.0 h1:HxMRIbao8w17ZX6wBnjhcDkW6lTFpgcaobyVfZWqRLA= +cloud.google.com/go/compute/metadata v0.8.0/go.mod h1:sYOGTp851OV9bOFJ9CH7elVvyzopvWQFNNghtDQ/Biw= cloud.google.com/go/contactcenterinsights v1.3.0/go.mod h1:Eu2oemoePuEFc/xKFPjbTuPSj0fYJcPls9TFlPNnHHY= cloud.google.com/go/contactcenterinsights v1.4.0/go.mod h1:L2YzkGbPsv+vMQMCADxJoT9YiTTnSEd6fEvCeHTYVck= cloud.google.com/go/contactcenterinsights v1.6.0/go.mod h1:IIDlT6CLcDoyv79kDv8iWxMSTZhLxSCofVV5W6YFM/w= 
@@ -1748,8 +1748,8 @@ golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= -golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs= -golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8= +golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE= +golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -2075,8 +2075,8 @@ google.golang.org/api v0.108.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/ google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI= google.golang.org/api v0.111.0/go.mod h1:qtFHvU9mhgTJegR31csQ+rwxyUTHOKFqCKWp1J0fdw0= google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg= -google.golang.org/api v0.246.0 h1:H0ODDs5PnMZVZAEtdLMn2Ul2eQi7QNjqM2DIFp8TlTM= -google.golang.org/api v0.246.0/go.mod h1:dMVhVcylamkirHdzEBAIQWUCgqY885ivNeZYd7VAVr8= +google.golang.org/api v0.247.0 h1:tSd/e0QrUlLsrwMKmkbQhYVa109qIintOls2Wh6bngc= +google.golang.org/api v0.247.0/go.mod h1:r1qZOPmxXffXg6xS5uhx16Fa/UFY8QU/K4bfKrnvovM= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -2220,8 +2220,8 @@ google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuO google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s= google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 h1:oWVWY3NzT7KJppx2UKhKmzPq4SRe0LdCijVRwvGeikY= google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822/go.mod h1:h3c4v36UTKzUiuaOKQ6gr3S+0hovBtUrXzTG/i3+XEc= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250728155136-f173205681a0 h1:MAKi5q709QWfnkkpNQ0M12hYJ1+e8qYVDyowc4U1XZM= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250728155136-f173205681a0/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b h1:zPKJod4w6F1+nRGDI9ubnXYhU9NSWoFAijkHkUXeTK8= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= From e185b40d0577bd660cd2fd2473615a13de97adf2 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Aug 2025 15:24:41 +0200 Subject: [PATCH 022/136] chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4352) Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.137.0 to 0.140.0. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.137.0...v0.140.0) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.140.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index 0536f7660d1..dc49aabe099 100644 --- a/go.mod +++ b/go.mod @@ -51,7 +51,7 @@ require ( github.com/theupdateframework/go-tuf/v2 v2.1.1 github.com/transparency-dev/merkle v0.0.2 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 - gitlab.com/gitlab-org/api/client-go v0.137.0 + gitlab.com/gitlab-org/api/client-go v0.140.0 golang.org/x/crypto v0.41.0 golang.org/x/oauth2 v0.30.0 golang.org/x/sync v0.16.0 diff --git a/go.sum b/go.sum index 5a7c038f969..9104fe975ad 100644 --- a/go.sum +++ b/go.sum 
@@ -1,5 +1,5 @@ -al.essio.dev/pkg/shellescape v1.5.1 h1:86HrALUujYS/h+GtqoB26SBEdkWfmMI6FubjXlsXyho= -al.essio.dev/pkg/shellescape v1.5.1/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890= +al.essio.dev/pkg/shellescape v1.6.0 h1:NxFcEqzFSEVCGN2yq7Huv/9hyCEGVa/TncnOOBBeXHA= +al.essio.dev/pkg/shellescape v1.6.0/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890= cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY= cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= @@ -1547,8 +1547,8 @@ github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM= github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= -gitlab.com/gitlab-org/api/client-go v0.137.0 h1:H26yL44qnb38Czl20pEINCJrcj63W6/BX8iKPVUKQP0= -gitlab.com/gitlab-org/api/client-go v0.137.0/go.mod h1:AcAYES3lfkIS4zhso04S/wyUaWQmDYve2Fd9AF7C6qc= +gitlab.com/gitlab-org/api/client-go v0.140.0 h1:xajVsCRN7BJ5YNTygBvth89uWUBGPy5aKtRkkH/2xbo= +gitlab.com/gitlab-org/api/client-go v0.140.0/go.mod h1:vY0XbE86FvL7v5jCGDiaFgDyCV8YbmjIIkBhXx+ZDWM= go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80= go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= From ddca0f121f40c79d0d9bd030521d61b6ccb9d860 Mon Sep 17 00:00:00 2001 
From: Hayden Date: Tue, 19 Aug 2025 06:27:56 -0700 Subject: [PATCH 023/136] Relax go directive to 1.24.x (#4351) One of the dependencies has hardcoded a specific version of go, which forces all clients to use that version of Go in their own modules. This is unnecessarily restrictive, rather libraries should specify the minimum Go version necessary to build, and consumers should use the latest patch release when building to pick up bug fixes. Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com> --- go.mod | 6 ++++-- go.sum | 4 ++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index dc49aabe099..179b66d099a 100644 --- a/go.mod +++ b/go.mod @@ -1,12 +1,14 @@ module github.com/sigstore/cosign/v2 -go 1.24.3 +go 1.24.0 + +toolchain go1.24.6 require ( cuelang.org/go v0.14.1 github.com/ThalesIgnite/crypto11 v1.2.5 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 - github.com/buildkite/agent/v3 v3.103.1 + github.com/buildkite/agent/v3 v3.98.2 github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936 diff --git a/go.sum b/go.sum index 9104fe975ad..dab75442ba8 100644 --- a/go.sum +++ b/go.sum 
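Review bot: The go.mod hunk also moves `github.com/buildkite/agent/v3` from v3.103.1 down to v3.98.2, a downgrade the commit message does not mention; if that module is the dependency pinning a specific Go version, saying so in the description would make the change auditable later. A pinned `toolchain go1.24.6` is fine, but automated dependency updates may move the agent forward again, so a note in go.mod next to the line, `// held below v3.103 until its go directive is relaxed`, would keep the intent from being lost on the next bump.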
@@ -799,8 +799,8 @@ github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdn github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= -github.com/buildkite/agent/v3 v3.103.1 h1:PdbUrGUeQaf4xIaWSXQEYWf4Q6SB9gHUWlC/r6bHHig= -github.com/buildkite/agent/v3 v3.103.1/go.mod h1:OSoURonIdwLChSvNXxnmywtqD0xnqbFdvgMAkfxTOPg= +github.com/buildkite/agent/v3 v3.98.2 h1:VOOxv8XD8HVCtEvtRPQhvB6k2Gorha2gN1wGh94gYAA= +github.com/buildkite/agent/v3 v3.98.2/go.mod h1:+zCvvo/OlOwfs+AH3QvSn37H3cBXP3Fe18eoSbqUvnY= github.com/buildkite/go-pipeline v0.15.0 h1:ae/TEXC/4HhajbED2vKcRL5vZTtb9C71cajzwoBlP8s= github.com/buildkite/go-pipeline v0.15.0/go.mod h1:VE37qY3X5pmAKKUMoDZvPsHOQuyakB9cmXj9Qn6QasA= github.com/buildkite/interpolate v0.1.5 h1:v2Ji3voik69UZlbfoqzx+qfcsOKLA61nHdU79VV+tPU= From b11824349c8e79b30546a256cb543281e2f2971d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Aug 2025 16:58:25 +0200 Subject: [PATCH 024/136] chore(deps): bump chainguard-dev/actions in the actions group (#4349) Bumps the actions group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `chainguard-dev/actions` from 1.4.9 to 1.4.10 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](https://github.com/chainguard-dev/actions/compare/b1933e3d1f574c772dc7efd68c2060dafbc25e8c...1df2b5598adffbfe72a3abe9243d73e338bbb006) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.4.10 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/donotsubmit.yaml | 2 +- .github/workflows/e2e-tests.yml | 2 +- .github/workflows/kind-verify-attestation.yaml | 2 +- .github/workflows/tests.yaml | 2 +- .github/workflows/whitespace.yaml | 4 ++-- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml index 9b684602eb3..33b1e07d670 100644 --- a/.github/workflows/donotsubmit.yaml +++ b/.github/workflows/donotsubmit.yaml @@ -40,4 +40,4 @@ jobs: persist-credentials: false - name: Do Not Submit - uses: chainguard-dev/actions/donotsubmit@b1933e3d1f574c772dc7efd68c2060dafbc25e8c # v1.4.9 + uses: chainguard-dev/actions/donotsubmit@de82dfd62f186b1b55bd0cdf084f484496d88ee3 # v1.4.11 diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index bc7e3255f14..20538e0aec4 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -220,4 +220,4 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@b1933e3d1f574c772dc7efd68c2060dafbc25e8c # v1.4.9 + uses: chainguard-dev/actions/kind-diag@de82dfd62f186b1b55bd0cdf084f484496d88ee3 # v1.4.11 diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml index 3edd70b5543..a9893c00e81 100644 --- a/.github/workflows/kind-verify-attestation.yaml +++ b/.github/workflows/kind-verify-attestation.yaml @@ -156,7 +156,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@b1933e3d1f574c772dc7efd68c2060dafbc25e8c # v1.4.9 + uses: chainguard-dev/actions/kind-diag@de82dfd62f186b1b55bd0cdf084f484496d88ee3 # v1.4.11 - name: Create vuln attestation for it run: | diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 35fc730f502..3d8749c96cf 100644 
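Review bot: The pinned SHA `de82dfd62f186b1b55bd0cdf084f484496d88ee3` is annotated `# v1.4.11` in every changed `uses:` line, while the commit message says the update is to 1.4.10, so one of the two is wrong; the annotation is what reviewers rely on when auditing a SHA pin, so it should match the tag the SHA actually resolves to before merging. Checking that the SHA is the commit behind the tagged release, rather than trusting the comment, is the check that matters here. The same mismatch appears in the e2e-tests.yml, kind-verify-attestation.yaml, tests.yaml and whitespace.yaml hunks.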
--- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -169,7 +169,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@b1933e3d1f574c772dc7efd68c2060dafbc25e8c # v1.4.9 + uses: chainguard-dev/actions/kind-diag@de82dfd62f186b1b55bd0cdf084f484496d88ee3 # v1.4.11 e2e-windows-powershell-tests: name: Run PowerShell E2E tests diff --git a/.github/workflows/whitespace.yaml b/.github/workflows/whitespace.yaml index 051fcf5a13d..ce96340408d 100644 --- a/.github/workflows/whitespace.yaml +++ b/.github/workflows/whitespace.yaml @@ -38,8 +38,8 @@ jobs: with: persist-credentials: false - - uses: chainguard-dev/actions/trailing-space@b1933e3d1f574c772dc7efd68c2060dafbc25e8c # v1.4.9 + - uses: chainguard-dev/actions/trailing-space@de82dfd62f186b1b55bd0cdf084f484496d88ee3 # v1.4.11 if: ${{ always() }} - - uses: chainguard-dev/actions/eof-newline@b1933e3d1f574c772dc7efd68c2060dafbc25e8c # v1.4.9 + - uses: chainguard-dev/actions/eof-newline@de82dfd62f186b1b55bd0cdf084f484496d88ee3 # v1.4.11 if: ${{ always() }} From 5bca529e13118abb0aa1e404600b86b00b0eee49 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Aug 2025 10:37:18 -0700 Subject: [PATCH 025/136] chore(deps): bump the gomod group with 4 updates (#4350) Bumps the gomod group with 4 updates: [github.com/sigstore/rekor-tiles](https://github.com/sigstore/rekor-tiles), [k8s.io/api](https://github.com/kubernetes/api), [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) and [k8s.io/client-go](https://github.com/kubernetes/client-go). Updates `github.com/sigstore/rekor-tiles` from 0.1.7-0.20250624231741-98cd4a77300f to 0.1.9 - [Release notes](https://github.com/sigstore/rekor-tiles/releases) - [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release) - [Commits](https://github.com/sigstore/rekor-tiles/commits/v0.1.9) Updates `k8s.io/api` from 0.33.3 to 0.33.4 - [Commits](https://github.com/kubernetes/api/compare/v0.33.3...v0.33.4) Updates `k8s.io/apimachinery` from 0.33.3 to 0.33.4 - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.33.3...v0.33.4) Updates `k8s.io/client-go` from 0.33.3 to 0.33.4 - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/kubernetes/client-go/compare/v0.33.3...v0.33.4) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor-tiles dependency-version: 0.1.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: k8s.io/api dependency-version: 0.33.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: k8s.io/apimachinery dependency-version: 0.33.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: k8s.io/client-go dependency-version: 0.33.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 62 +++++++++++++-------------- go.sum | 131 +++++++++++++++++++++++++++------------------------------ 2 files changed, 92 insertions(+), 101 deletions(-) diff --git a/go.mod b/go.mod index 179b66d099a..5cff47fa609 100644 --- a/go.mod +++ b/go.mod @@ -37,7 +37,7 @@ require ( github.com/sigstore/fulcio v1.7.1 github.com/sigstore/protobuf-specs v0.5.0 github.com/sigstore/rekor v1.4.0 - github.com/sigstore/rekor-tiles v0.1.7-0.20250624231741-98cd4a77300f + github.com/sigstore/rekor-tiles v0.1.9 github.com/sigstore/sigstore v1.9.5 github.com/sigstore/sigstore-go v1.1.2-0.20250811211025-bac873564adb github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 @@ -60,16 +60,16 @@ require ( golang.org/x/term v0.34.0 google.golang.org/api v0.247.0 google.golang.org/protobuf v1.36.7 - k8s.io/api v0.33.3 - k8s.io/apimachinery v0.33.3 - k8s.io/client-go v0.33.3 + k8s.io/api v0.33.4 + k8s.io/apimachinery v0.33.4 + k8s.io/client-go v0.33.4 k8s.io/utils v0.0.0-20241210054802-24370beab758 sigs.k8s.io/release-utils v0.12.1 ) require ( cel.dev/expr v0.24.0 // indirect - cloud.google.com/go v0.121.2 // indirect + cloud.google.com/go v0.121.4 // indirect cloud.google.com/go/auth v0.16.4 // indirect cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect cloud.google.com/go/compute/metadata v0.8.0 // indirect 
@@ -77,15 +77,15 @@ require ( cloud.google.com/go/kms v1.22.0 // indirect cloud.google.com/go/longrunning v0.6.7 // indirect cloud.google.com/go/monitoring v1.24.2 // indirect - cloud.google.com/go/spanner v1.82.0 // indirect - cloud.google.com/go/storage v1.55.0 // indirect + cloud.google.com/go/spanner v1.84.1 // indirect + cloud.google.com/go/storage v1.56.0 // indirect cuelabs.dev/go/oci/ociregistry v0.0.0-20250715075730-49cab49c8e9d // indirect filippo.io/edwards25519 v1.1.0 // indirect github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 // indirect github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.2 // indirect github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1 // indirect - github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 // indirect github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect @@ -99,7 +99,7 @@ require ( github.com/Azure/go-autorest/tracing v0.6.0 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3 // indirect - github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 // indirect + github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0 // indirect github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 // indirect github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect 
@@ -116,23 +116,22 @@ require ( github.com/alibabacloud-go/tea-xml v1.1.3 // indirect github.com/aliyun/credentials-go v1.3.2 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect - github.com/avast/retry-go/v4 v4.6.1 // indirect github.com/aws/aws-sdk-go v1.55.8 // indirect - github.com/aws/aws-sdk-go-v2 v1.37.1 // indirect - github.com/aws/aws-sdk-go-v2/config v1.30.2 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.18.2 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.1 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.1 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.1 // indirect + github.com/aws/aws-sdk-go-v2 v1.38.0 // indirect + github.com/aws/aws-sdk-go-v2/config v1.31.0 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.18.4 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.3 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.3 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.3 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 // indirect github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.1 // indirect - github.com/aws/aws-sdk-go-v2/service/kms v1.42.1 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.26.1 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.31.1 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.35.1 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.3 // indirect + github.com/aws/aws-sdk-go-v2/service/kms v1.43.0 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.28.0 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.0 // indirect + 
github.com/aws/aws-sdk-go-v2/service/sts v1.37.0 // indirect github.com/aws/smithy-go v1.22.5 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver v3.5.1+incompatible // indirect @@ -140,7 +139,7 @@ require ( github.com/buildkite/interpolate v0.1.5 // indirect github.com/buildkite/roko v1.3.1 // indirect github.com/cenkalti/backoff/v4 v4.3.0 // indirect - github.com/cenkalti/backoff/v5 v5.0.2 // indirect + github.com/cenkalti/backoff/v5 v5.0.3 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/chzyer/readline v1.5.1 // indirect github.com/clbanning/mxj/v2 v2.7.0 // indirect @@ -164,7 +163,6 @@ require ( github.com/felixge/httpsnoop v1.0.4 // indirect github.com/fsnotify/fsnotify v1.9.0 // indirect github.com/fxamacker/cbor/v2 v2.7.0 // indirect - github.com/globocom/go-buffer v1.2.2 // indirect github.com/go-chi/chi v4.1.2+incompatible // indirect github.com/go-ini/ini v1.67.0 // indirect github.com/go-logr/logr v1.4.3 // indirect @@ -233,10 +231,10 @@ require ( github.com/pkg/errors v0.9.1 // indirect github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect - github.com/prometheus/client_golang v1.22.0 // indirect + github.com/prometheus/client_golang v1.23.0 // indirect github.com/prometheus/client_model v0.6.2 // indirect - github.com/prometheus/common v0.63.0 // indirect - github.com/prometheus/procfs v0.15.1 // indirect + github.com/prometheus/common v0.65.0 // indirect + github.com/prometheus/procfs v0.16.1 // indirect github.com/protocolbuffers/txtpbfmt v0.0.0-20250627152318-f293424e46b5 // indirect github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect github.com/rogpeppe/go-internal v1.14.1 // indirect 
@@ -264,7 +262,7 @@ require ( github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/tjfoc/gmsm v1.4.1 // indirect github.com/transparency-dev/formats v0.0.0-20250421220931-bb8ad4d07c26 // indirect - github.com/transparency-dev/tessera v0.2.1-0.20250610150926-8ee4e93b2823 // indirect + github.com/transparency-dev/tessera v1.0.0-rc1.0.20250813103158-d62fc3a7519b // indirect github.com/urfave/negroni v1.0.0 // indirect github.com/vbatts/tar-split v0.12.1 // indirect github.com/vektah/gqlparser/v2 v2.5.30 // indirect @@ -276,7 +274,7 @@ require ( go.mongodb.org/mongo-driver v1.14.0 // indirect go.opencensus.io v0.24.0 // indirect go.opentelemetry.io/auto/sdk v1.1.0 // indirect - go.opentelemetry.io/contrib/detectors/gcp v1.36.0 // indirect + go.opentelemetry.io/contrib/detectors/gcp v1.37.0 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect go.opentelemetry.io/otel v1.37.0 // indirect @@ -284,11 +282,11 @@ require ( go.opentelemetry.io/otel/sdk v1.37.0 // indirect go.opentelemetry.io/otel/sdk/metric v1.37.0 // indirect go.opentelemetry.io/otel/trace v1.37.0 // indirect - go.step.sm/crypto v0.67.0 // indirect + go.step.sm/crypto v0.69.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect go.yaml.in/yaml/v2 v2.4.2 // indirect - golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect + golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect golang.org/x/mod v0.27.0 // indirect golang.org/x/net v0.43.0 // indirect golang.org/x/sys v0.35.0 // indirect 
@@ -296,7 +294,7 @@ require ( golang.org/x/time v0.12.0 // indirect golang.org/x/tools v0.35.0 // indirect google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b // indirect google.golang.org/grpc v1.74.2 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect diff --git a/go.sum b/go.sum index dab75442ba8..2ee88f77ae9 100644 --- a/go.sum +++ b/go.sum @@ -40,8 +40,8 @@ cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRY cloud.google.com/go v0.105.0/go.mod h1:PrLgOJNe5nfE9UMxKxgXj4mD3voiP+YQ6gdt6KMFOKM= cloud.google.com/go v0.107.0/go.mod h1:wpc2eNrD7hXUTy8EKS10jkxpZBjASrORK7goS+3YX2I= cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY= -cloud.google.com/go v0.121.2 h1:v2qQpN6Dx9x2NmwrqlesOt3Ys4ol5/lFZ6Mg1B7OJCg= -cloud.google.com/go v0.121.2/go.mod h1:nRFlrHq39MNVWu+zESP2PosMWA0ryJw8KUBZ2iZpxbw= +cloud.google.com/go v0.121.4 h1:cVvUiY0sX0xwyxPwdSU2KsF9knOVmtRyAMt8xou0iTs= +cloud.google.com/go v0.121.4/go.mod h1:XEBchUiHFJbz4lKBZwYBDHV/rSyfFktk737TLDU089s= cloud.google.com/go/accessapproval v1.4.0/go.mod h1:zybIuC3KpDOvotz59lFe5qxRZx6C75OtwbisN56xYB4= cloud.google.com/go/accessapproval v1.5.0/go.mod h1:HFy3tuiGvMdcd/u+Cu5b9NkO1pEICJ46IR82PoUdplw= cloud.google.com/go/accessapproval v1.6.0/go.mod h1:R0EiYnwV5fsRFiKZkPHr6mwyk2wxUJ30nL4j2pcFY2E= 
@@ -532,8 +532,8 @@ cloud.google.com/go/shell v1.6.0/go.mod h1:oHO8QACS90luWgxP3N9iZVuEiSF84zNyLytb+ cloud.google.com/go/spanner v1.41.0/go.mod h1:MLYDBJR/dY4Wt7ZaMIQ7rXOTLjYrmxLE/5ve9vFfWos= cloud.google.com/go/spanner v1.44.0/go.mod h1:G8XIgYdOK+Fbcpbs7p2fiprDw4CaZX63whnSMLVBxjk= cloud.google.com/go/spanner v1.45.0/go.mod h1:FIws5LowYz8YAE1J8fOS7DJup8ff7xJeetWEo5REA2M= -cloud.google.com/go/spanner v1.82.0 h1:w9uO8RqEoBooBLX4nqV1RtgudyU2ZX780KTLRgeVg60= -cloud.google.com/go/spanner v1.82.0/go.mod h1:BzybQHFQ/NqGxvE/M+/iU29xgutJf7Q85/4U9RWMto0= +cloud.google.com/go/spanner v1.84.1 h1:ShH4Y3YeDtmHa55dFiSS3YtQ0dmCuP0okfAoHp/d68w= +cloud.google.com/go/spanner v1.84.1/go.mod h1:3GMEIjOcXINJSvb42H3M6TdlGCDzaCFpiiNQpjHPlCM= cloud.google.com/go/speech v1.6.0/go.mod h1:79tcr4FHCimOp56lwC01xnt/WPJZc4v3gzyT7FoBkCM= cloud.google.com/go/speech v1.7.0/go.mod h1:KptqL+BAQIhMsj1kOP2la5DSEEerPDuOP/2mmkhHhZQ= cloud.google.com/go/speech v1.8.0/go.mod h1:9bYIl1/tjsAnMgKGHKmBZzXKEkGgtU+MpdDPTE9f7y0= 
@@ -551,8 +551,8 @@ cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeL cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s= cloud.google.com/go/storage v1.28.1/go.mod h1:Qnisd4CqDdo6BGs2AD5LLnEsmSQ80wQ5ogcBBKhU86Y= cloud.google.com/go/storage v1.29.0/go.mod h1:4puEjyTKnku6gfKoTfNOU/W+a9JyuVNxjpS5GBrB8h4= -cloud.google.com/go/storage v1.55.0 h1:NESjdAToN9u1tmhVqhXCaCwYBuvEhZLLv0gBr+2znf0= -cloud.google.com/go/storage v1.55.0/go.mod h1:ztSmTTwzsdXe5syLVS0YsbFxXuvEmEyZj7v7zChEmuY= +cloud.google.com/go/storage v1.56.0 h1:iixmq2Fse2tqxMbWhLWC9HfBj1qdxqAmiK8/eqtsLxI= +cloud.google.com/go/storage v1.56.0/go.mod h1:Tpuj6t4NweCLzlNbw9Z9iwxEkrSem20AetIeH/shgVU= cloud.google.com/go/storagetransfer v1.5.0/go.mod h1:dxNzUopWy7RQevYFHewchb29POFv3/AaBgnhqzqiK0w= cloud.google.com/go/storagetransfer v1.6.0/go.mod h1:y77xm4CQV/ZhFZH75PLEXY0ROiS7Gh6pSKrM8dJyg6I= cloud.google.com/go/storagetransfer v1.7.0/go.mod h1:8Giuj1QNb1kfLAiWM1bN6dHzfdlDAVC9rv9abHot2W4= 
@@ -635,14 +635,14 @@ github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0/go.mod h1:tlqp9mUGbsP+0z3Q+c0Q5MgSdq/OMwQhm5bffR3Q3ss= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.1 h1:Wc1ml6QlJs2BHQ/9Bqu1jiyggbsSjramq2oUmp5WeIo= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.1/go.mod h1:Ot/6aikWnKWi4l9QB7qVSwa8iMphQNqkWALMoNT3rzM= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.2 h1:Hr5FTipp7SL07o2FvoVOX9HRiRH3CR3Mj8pxqCcdD5A= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.2/go.mod h1:QyVsSSN64v5TGltphKLQ2sQxe4OBQg0J1eKRcVBnfgE= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1 h1:B+blDbyVIG3WaikNxPnhPiJ1MThR03b3vKGtER95TP4= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1/go.mod h1:JdM5psgjfBf5fo2uWOZhflPWyDBZ/O/CNAH9CtsuZE4= github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY= github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 h1:FPKJS1T+clwv+OLGt13a8UjqeRuh0O4SJ3lUriThc+4= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1/go.mod h1:j2chePtV91HrC22tGoRX3sGY42uF13WzmmV80/OdVAA= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 h1:Wgf5rZba3YZqeTNJPtvqZoBu1sBN/L4sry+u2U3Y75w= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1/go.mod h1:xxCBG/f/4Vbmh2XQJBsOmNdxWUY5j/s27jujKPbQf14= 
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 h1:bFWuoEKg+gImo7pvkiQEFAc8ocibADgXeiLAxWhWmkI= @@ -682,8 +682,8 @@ github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7Oputl github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU= github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3 h1:2afWGsMzkIcN8Qm4mgPJKZWyroE5QBszMiDMYEBrnfw= github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3/go.mod h1:dppbR7CwXD4pgtV9t3wD1812RaLDcBjtblcDF5f1vI0= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 h1:ErKg/3iS1AKcTkf3yixlZ54f9U1rljCkQyEXWUnIUxc= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0/go.mod h1:yAZHSGnqScoU556rBOVkwLze6WP5N+U11RHuWaGVxwY= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0 h1:UQUsRi8WTzhZntp5313l+CHIAT95ojUI2lpP/ExlZa4= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0/go.mod h1:Cz6ft6Dkn3Et6l2v2a9/RpN7epQ1GtDlO6lj8bEcOvw= github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 h1:owcC2UnmsZycprQ5RfRgjydWhuoxg71LUfyiQdijZuM= github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0/go.mod h1:ZPpqegjbE99EPKsu3iUWV22A04wzGPcAY/ziSIQEEgs= github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.53.0 h1:4LP6hvB4I5ouTbGgWtixJhgED6xdf67twf9PoY96Tbg= 
@@ -755,22 +755,20 @@ github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/avast/retry-go/v4 v4.6.1 h1:VkOLRubHdisGrHnTu89g08aQEWEgRU7LVEop3GbIcMk= -github.com/avast/retry-go/v4 v4.6.1/go.mod h1:V6oF8njAwxJ5gRo1Q7Cxab24xs5NCWZBeaHHBklR8mA= github.com/aws/aws-sdk-go v1.55.8 h1:JRmEUbU52aJQZ2AjX4q4Wu7t4uZjOu71uyNmaWlUkJQ= github.com/aws/aws-sdk-go v1.55.8/go.mod h1:ZkViS9AqA6otK+JBBNH2++sx1sgxrPKcSzPPvQkUtXk= -github.com/aws/aws-sdk-go-v2 v1.37.1 h1:SMUxeNz3Z6nqGsXv0JuJXc8w5YMtrQMuIBmDx//bBDY= -github.com/aws/aws-sdk-go-v2 v1.37.1/go.mod h1:9Q0OoGQoboYIAJyslFyF1f5K1Ryddop8gqMhWx/n4Wg= -github.com/aws/aws-sdk-go-v2/config v1.30.2 h1:YE1BmSc4fFYqFgN1mN8uzrtc7R9x+7oSWeX8ckoltAw= -github.com/aws/aws-sdk-go-v2/config v1.30.2/go.mod h1:UNrLGZ6jfAVjgVJpkIxjLufRJqTXCVYOpkeVf83kwBo= -github.com/aws/aws-sdk-go-v2/credentials v1.18.2 h1:mfm0GKY/PHLhs7KO0sUaOtFnIQ15Qqxt+wXbO/5fIfs= -github.com/aws/aws-sdk-go-v2/credentials v1.18.2/go.mod h1:v0SdJX6ayPeZFQxgXUKw5RhLpAoZUuynxWDfh8+Eknc= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.1 h1:owmNBboeA0kHKDcdF8KiSXmrIuXZustfMGGytv6OMkM= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.1/go.mod h1:Bg1miN59SGxrZqlP8vJZSmXW+1N8Y1MjQDq1OfuNod8= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.1 h1:ksZXBYv80EFTcgc8OJO48aQ8XDWXIQL7gGasPeCoTzI= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.1/go.mod h1:HSksQyyJETVZS7uM54cir0IgxttTD+8aEoJMPGepHBI= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.1 h1:+dn/xF/05utS7tUhjIcndbuaPjfll2LhbH1cCDGLYUQ= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.1/go.mod 
h1:hyAGz30LHdm5KBZDI58MXx5lDVZ5CUfvfTZvMu4HCZo= +github.com/aws/aws-sdk-go-v2 v1.38.0 h1:UCRQ5mlqcFk9HJDIqENSLR3wiG1VTWlyUfLDEvY7RxU= +github.com/aws/aws-sdk-go-v2 v1.38.0/go.mod h1:9Q0OoGQoboYIAJyslFyF1f5K1Ryddop8gqMhWx/n4Wg= +github.com/aws/aws-sdk-go-v2/config v1.31.0 h1:9yH0xiY5fUnVNLRWO0AtayqwU1ndriZdN78LlhruJR4= +github.com/aws/aws-sdk-go-v2/config v1.31.0/go.mod h1:VeV3K72nXnhbe4EuxxhzsDc/ByrCSlZwUnWH52Nde/I= +github.com/aws/aws-sdk-go-v2/credentials v1.18.4 h1:IPd0Algf1b+Qy9BcDp0sCUcIWdCQPSzDoMK3a8pcbUM= +github.com/aws/aws-sdk-go-v2/credentials v1.18.4/go.mod h1:nwg78FjH2qvsRM1EVZlX9WuGUJOL5od+0qvm0adEzHk= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.3 h1:GicIdnekoJsjq9wqnvyi2elW6CGMSYKhdozE7/Svh78= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.3/go.mod h1:R7BIi6WNC5mc1kfRM7XM/VHC3uRWkjc396sfabq4iOo= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.3 h1:o9RnO+YZ4X+kt5Z7Nvcishlz0nksIt2PIzDglLMP0vA= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.3/go.mod h1:+6aLJzOG1fvMOyzIySYjOFjcguGvVRL68R+uoRencN4= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.3 h1:joyyUFhiTQQmVK6ImzNU9TQSNRNeD9kOklqTzyk5v6s= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.3/go.mod h1:+vNIyZQP3b3B1tSLI0lxvrU9cfM7gpdRXMFfm67ZcPc= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo= github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 h1:Bwzh202Aq7/MYnAjXA9VawCf6u+hjwMdoYmZ4HYsdf8= 
@@ -779,16 +777,16 @@ github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 h1:XJ/AEFYj9VFPJdF+VFi4SU github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2/go.mod h1:JUBHdhvKbbKmhaHjLsKJAWnQL80T6nURmhB/LEprV+4= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 h1:6+lZi2JeGKtCraAj1rpoZfKqnQ9SptseRZioejfUOLM= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0/go.mod h1:eb3gfbVIxIoGgJsi9pGne19dhCBpK6opTYpQqAmdy44= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.1 h1:ky79ysLMxhwk5rxJtS+ILd3Mc8kC5fhsLBrP27r6h4I= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.1/go.mod h1:+2MmkvFvPYM1vsozBWduoLJUi5maxFk5B7KJFECujhY= -github.com/aws/aws-sdk-go-v2/service/kms v1.42.1 h1:YozphKGMWbikYX1H8Cjmh+QUboGA1c/D48m1pBosDmM= -github.com/aws/aws-sdk-go-v2/service/kms v1.42.1/go.mod h1:I/6K08h6XpKZPzb1jMZb1k5N6HpzLyjS4Z0uBFzvaDc= -github.com/aws/aws-sdk-go-v2/service/sso v1.26.1 h1:uWaz3DoNK9MNhm7i6UGxqufwu3BEuJZm72WlpGwyVtY= -github.com/aws/aws-sdk-go-v2/service/sso v1.26.1/go.mod h1:ILpVNjL0BO+Z3Mm0SbEeUoYS9e0eJWV1BxNppp0fcb8= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.31.1 h1:XdG6/o1/ZDmn3wJU5SRAejHaWgKS4zHv0jBamuKuS2k= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.31.1/go.mod h1:oiotGTKadCOCl3vg/tYh4k45JlDF81Ka8rdumNhEnIQ= -github.com/aws/aws-sdk-go-v2/service/sts v1.35.1 h1:iF4Xxkc0H9c/K2dS0zZw3SCkj0Z7n6AMnUiiyoJND+I= -github.com/aws/aws-sdk-go-v2/service/sts v1.35.1/go.mod h1:0bxIatfN0aLq4mjoLDeBpOjOke68OsFlXPDFJ7V0MYw= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.3 h1:ieRzyHXypu5ByllM7Sp4hC5f/1Fy5wqxqY0yB85hC7s= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.3/go.mod h1:O5ROz8jHiOAKAwx179v+7sHMhfobFVi6nZt8DEyiYoM= +github.com/aws/aws-sdk-go-v2/service/kms v1.43.0 h1:mdbWU38ipmDapPcsD6F7ObjjxMLrWUK0jI2NcC7zAcI= +github.com/aws/aws-sdk-go-v2/service/kms v1.43.0/go.mod h1:6FWXdzVbnG8ExnBQLHGIo/ilb1K7Ek1u6dcllumBe1s= 
+github.com/aws/aws-sdk-go-v2/service/sso v1.28.0 h1:Mc/MKBf2m4VynyJkABoVEN+QzkfLqGj0aiJuEe7cMeM= +github.com/aws/aws-sdk-go-v2/service/sso v1.28.0/go.mod h1:iS5OmxEcN4QIPXARGhavH7S8kETNL11kym6jhoS7IUQ= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.0 h1:6csaS/aJmqZQbKhi1EyEMM7yBW653Wy/B9hnBofW+sw= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.0/go.mod h1:59qHWaY5B+Rs7HGTuVGaC32m0rdpQ68N8QCN3khYiqs= +github.com/aws/aws-sdk-go-v2/service/sts v1.37.0 h1:MG9VFW43M4A8BYeAfaJJZWrroinxeTi2r3+SnmLQfSA= +github.com/aws/aws-sdk-go-v2/service/sts v1.37.0/go.mod h1:JdeBDPgpJfuS6rU/hNglmOigKhyEZtBmbraLE4GK1J8= github.com/aws/smithy-go v1.22.5 h1:P9ATCXPMb2mPjYBgueqJNCA5S9UfktsW0tTxi+a7eqw= github.com/aws/smithy-go v1.22.5/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 h1:6lMw4/QGLFPvbKQ0eri/9Oh3YX5Nm6BPrUlZR8yuJHg= @@ -811,8 +809,8 @@ github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HV github.com/bytecodealliance/wasmtime-go/v3 v3.0.2/go.mod h1:RnUjnIXxEJcL6BgCvNyzCCRzZcxCgsZCi+RNlvYor5Q= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= -github.com/cenkalti/backoff/v5 v5.0.2 h1:rIfFVxEf1QsI7E1ZHfp/B4DF/6QBAUhmgkxc0H7Zss8= -github.com/cenkalti/backoff/v5 v5.0.2/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw= +github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM= +github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= 
@@ -951,8 +949,6 @@ github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/globocom/go-buffer v1.2.2 h1:ICgtlUe5GIYIZFdAVj57+5WYBR4DA56cX+PYZDhGDwc= -github.com/globocom/go-buffer v1.2.2/go.mod h1:kY1ALQS0ChiiThmWhsFoT5CYSiuad0t3keIew5LsWdM= github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec= github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= github.com/go-fonts/dejavu v0.1.0/go.mod h1:4Wt4I4OU2Nq9asgDCteaAaWZOV24E+0/Pwo0gppep4g= @@ -1319,7 +1315,6 @@ github.com/oleiade/reflections v1.1.0 h1:D+I/UsXQB4esMathlt0kkZRJZdUDmhv5zGi/HOw github.com/oleiade/reflections v1.1.0/go.mod h1:mCxx0QseeVCHs5Um5HhJeCKVC7AwS8kO67tky4rdisA= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= -github.com/onsi/ginkgo v1.13.0/go.mod h1:+REjRxOmWfHCjfv9TTWB1jD1Frx4XydAD3zm1lskyM0= github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= 
@@ -1330,8 +1325,8 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= -github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8= -github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY= +github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4= +github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= github.com/open-policy-agent/opa v1.7.1 h1:bhA2UGq5oS25471WB9aCJBWEp5/7WK+Nyb2PMAChQIg= github.com/open-policy-agent/opa v1.7.1/go.mod h1:7cPuErOAt7k/oVWAVJnxqAC6mwArrAazkvk0RXiih2A= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= 
@@ -1361,17 +1356,17 @@ github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q= -github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0= +github.com/prometheus/client_golang v1.23.0 h1:ust4zpdl9r4trLY/gSjlm07PuiBq2ynaXXlptpfy8Uc= +github.com/prometheus/client_golang v1.23.0/go.mod h1:i/o0R9ByOnHX0McrTMTyhYvKE4haaf2mW08I+jGAjEE= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w= github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk= github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE= -github.com/prometheus/common v0.63.0 h1:YR/EIY1o3mEFP/kZCD7iDMnLPlGyuU2Gb3HIcXnA98k= -github.com/prometheus/common v0.63.0/go.mod h1:VVFF/fBIoToEnWRVkYoXEkq3R3paCoxG9PXP74SnV18= -github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= -github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= +github.com/prometheus/common v0.65.0 h1:QDwzd+G1twt//Kwj/Ww6E9FQq1iVMmODnILtW1t2VzE= +github.com/prometheus/common v0.65.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8= +github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg= +github.com/prometheus/procfs v0.16.1/go.mod 
h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is= github.com/protocolbuffers/txtpbfmt v0.0.0-20250627152318-f293424e46b5 h1:WWs1ZFnGobK5ZXNu+N9If+8PDNVB9xAqrib/stUXsV4= github.com/protocolbuffers/txtpbfmt v0.0.0-20250627152318-f293424e46b5/go.mod h1:BnHogPTyzYAReeQLZrOxyxzS739DaTNtTvohVdbENmA= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= @@ -1399,7 +1394,6 @@ github.com/sassoftware/relic v7.2.1+incompatible h1:Pwyh1F3I0r4clFJXkSI8bOyJINGq github.com/sassoftware/relic v7.2.1+incompatible/go.mod h1:CWfAxv73/iLZ17rbyhIEq3K9hs5w6FpNMdUT//qR+zk= github.com/sassoftware/relic/v7 v7.6.2 h1:rS44Lbv9G9eXsukknS4mSjIAuuX+lMq/FnStgmZlUv4= github.com/sassoftware/relic/v7 v7.6.2/go.mod h1:kjmP0IBVkJZ6gXeAu35/KCEfca//+PKM6vTAsyDPY+k= -github.com/sclevine/agouti v3.0.0+incompatible/go.mod h1:b4WX9W9L1sfQKXeJf1mUTLZKJ48R1S7H23Ji7oFO5Bw= github.com/secure-systems-lab/go-securesystemslib v0.9.1 h1:nZZaNz4DiERIQguNy0cL5qTdn9lR8XKHf4RUyG1Sx3g= github.com/secure-systems-lab/go-securesystemslib v0.9.1/go.mod h1:np53YzT0zXGMv6x4iEWc9Z59uR+x+ndLwCLqPYpLXVU= github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= 
@@ -1414,8 +1408,8 @@ github.com/sigstore/protobuf-specs v0.5.0 h1:F8YTI65xOHw70NrvPwJ5PhAzsvTnuJMGLkA github.com/sigstore/protobuf-specs v0.5.0/go.mod h1:+gXR+38nIa2oEupqDdzg4qSBT0Os+sP7oYv6alWewWc= github.com/sigstore/rekor v1.4.0 h1:K3DyH8309yzjYKUCQOVEIYpGp6Y9BQ8GpLhRj0D5CZk= github.com/sigstore/rekor v1.4.0/go.mod h1:teR57QMQA1nYXPoZL7o26Txky21RfWslM0E9w5Z57Ro= -github.com/sigstore/rekor-tiles v0.1.7-0.20250624231741-98cd4a77300f h1:zaqWahYAlVouSm5qwCH+2vZ3eenZFBwzzuBz/IZyy5c= -github.com/sigstore/rekor-tiles v0.1.7-0.20250624231741-98cd4a77300f/go.mod h1:1Epq0PQ73v5Z276rAY241JyaP8gtD64I6sgYIECHPvc= +github.com/sigstore/rekor-tiles v0.1.9 h1:eB/svZuPfTksovh9TfrKKzubdsAunhTaZ7hR3P1Lps0= +github.com/sigstore/rekor-tiles v0.1.9/go.mod h1:Ir+1Prb7dvYzm3bQuFg6L81NYVgmR1+E7iwlBDG5hvU= github.com/sigstore/sigstore v1.9.5 h1:Wm1LT9yF4LhQdEMy5A2JeGRHTrAWGjT3ubE5JUSrGVU= github.com/sigstore/sigstore v1.9.5/go.mod h1:VtxgvGqCmEZN9X2zhFSOkfXxvKUjpy8RpUW39oCtoII= github.com/sigstore/sigstore-go v1.1.2-0.20250811211025-bac873564adb h1:Yy/pIVtUFjyTSAbr+7jIg5YKTaDXsoHAn9/a8DMyAhQ= 
@@ -1505,8 +1499,8 @@ github.com/transparency-dev/formats v0.0.0-20250421220931-bb8ad4d07c26 h1:YTbkeF github.com/transparency-dev/formats v0.0.0-20250421220931-bb8ad4d07c26/go.mod h1:ODywn0gGarHMMdSkWT56ULoK8Hk71luOyRseKek9COw= github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A= -github.com/transparency-dev/tessera v0.2.1-0.20250610150926-8ee4e93b2823 h1:s3p7wNrK/mnKI2bdp9PrQd9eBVxo1i5rU6O5hKkN0zc= -github.com/transparency-dev/tessera v0.2.1-0.20250610150926-8ee4e93b2823/go.mod h1:Jv2IDwG1q8QNXZTaI1X6QX8s96WlJn73ka2hT1n4N5c= +github.com/transparency-dev/tessera v1.0.0-rc1.0.20250813103158-d62fc3a7519b h1:8FPNq4fiON1iwC9fX+BADLxW1JeYE4W6IS1VfvlfcrM= +github.com/transparency-dev/tessera v1.0.0-rc1.0.20250813103158-d62fc3a7519b/go.mod h1:zYJtx9IZYR8QmWClqBO3ebj+C1nO9qAAvVjpz4+GZ6g= github.com/urfave/negroni v1.0.0 h1:kIimOitoypq34K7TG7DUaJ9kq/N4Ofuwi1sjz0KipXc= github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4= github.com/vbatts/tar-split v0.12.1 h1:CqKoORW7BUWBe7UL/iqTVvkTBOF8UvOMKOIZykxnnbo= 
@@ -1562,8 +1556,8 @@ go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= -go.opentelemetry.io/contrib/detectors/gcp v1.36.0 h1:F7q2tNlCaHY9nMKHR6XH9/qkp8FktLnIcy6jJNyOCQw= -go.opentelemetry.io/contrib/detectors/gcp v1.36.0/go.mod h1:IbBN8uAIIx734PTonTPxAxnjc2pQTxWNkwfstZ+6H2k= +go.opentelemetry.io/contrib/detectors/gcp v1.37.0 h1:B+WbN9RPsvobe6q4vP6KgM8/9plR/HNjgGBrfcOlweA= +go.opentelemetry.io/contrib/detectors/gcp v1.37.0/go.mod h1:K5zQ3TT7p2ru9Qkzk0bKtCql0RGkPj9pRjpXgZJZ+rU= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU= 
@@ -1591,8 +1585,8 @@ go.opentelemetry.io/proto/otlp v0.15.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= go.opentelemetry.io/proto/otlp v1.7.0 h1:jX1VolD6nHuFzOYso2E73H85i92Mv8JQYk0K9vz09os= go.opentelemetry.io/proto/otlp v1.7.0/go.mod h1:fSKjH6YJ7HDlwzltzyMj036AJ3ejJLCgCSHGj4efDDo= -go.step.sm/crypto v0.67.0 h1:1km9LmxMKG/p+mKa1R4luPN04vlJYnRLlLQrWv7egGU= -go.step.sm/crypto v0.67.0/go.mod h1:+AoDpB0mZxbW/PmOXuwkPSpXRgaUaoIK+/Wx/HGgtAU= +go.step.sm/crypto v0.69.0 h1:ELMNQjAGsnwpOeRfX/1phJdWm8Y6RIxAXnDzYlU9AOk= +go.step.sm/crypto v0.69.0/go.mod h1:mZ0mP4Q4wdoDy+fdEo6cOo0qzDDf7KgkvSIleTLv1+w= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= 
@@ -1637,8 +1631,8 @@ golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= golang.org/x/exp v0.0.0-20220827204233-334a2380cb91/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE= -golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 h1:R84qjqJb5nVJMxqWYb3np9L5ZsaDtB+a39EqjV0JSUM= -golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0/go.mod h1:S9Xr4PYopiDyqSyp5NjCrhFrqg6A5zA2E/iPHPhqnS8= +golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o= +golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8= golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= 
@@ -1830,7 +1824,6 @@ golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200509044756-6aff5f38e54f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -2218,8 +2211,8 @@ google.golang.org/genproto v0.0.0-20230331144136-dcfb400f0633/go.mod h1:UUQDJDOl google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU= google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4= google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s= -google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 h1:oWVWY3NzT7KJppx2UKhKmzPq4SRe0LdCijVRwvGeikY= -google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822/go.mod h1:h3c4v36UTKzUiuaOKQ6gr3S+0hovBtUrXzTG/i3+XEc= +google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0 h1:0UOBWO4dC+e51ui0NFKSPbkHHiQ4TmrEfEZMLDyRmY8= +google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0/go.mod h1:8ytArBbtOy2xfht+y2fqKd5DRDJRUQhqbyEnQ4bDChs= google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b h1:zPKJod4w6F1+nRGDI9ubnXYhU9NSWoFAijkHkUXeTK8= google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= 
@@ -2321,12 +2314,12 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las= -k8s.io/api v0.33.3 h1:SRd5t//hhkI1buzxb288fy2xvjubstenEKL9K51KBI8= -k8s.io/api v0.33.3/go.mod h1:01Y/iLUjNBM3TAvypct7DIj0M0NIZc+PzAHCIo0CYGE= -k8s.io/apimachinery v0.33.3 h1:4ZSrmNa0c/ZpZJhAgRdcsFcZOw1PQU1bALVQ0B3I5LA= -k8s.io/apimachinery v0.33.3/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM= -k8s.io/client-go v0.33.3 h1:M5AfDnKfYmVJif92ngN532gFqakcGi6RvaOF16efrpA= -k8s.io/client-go v0.33.3/go.mod h1:luqKBQggEf3shbxHY4uVENAxrDISLOarxpTKMiUuujg= +k8s.io/api v0.33.4 h1:oTzrFVNPXBjMu0IlpA2eDDIU49jsuEorGHB4cvKupkk= +k8s.io/api v0.33.4/go.mod h1:VHQZ4cuxQ9sCUMESJV5+Fe8bGnqAARZ08tSTdHWfeAc= +k8s.io/apimachinery v0.33.4 h1:SOf/JW33TP0eppJMkIgQ+L6atlDiP/090oaX0y9pd9s= +k8s.io/apimachinery v0.33.4/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM= +k8s.io/client-go v0.33.4 h1:TNH+CSu8EmXfitntjUPwaKVPN0AYMbc9F1bBS8/ABpw= +k8s.io/client-go v0.33.4/go.mod h1:LsA0+hBG2DPwovjd931L/AoaezMPX9CmBgyVyBZmbCY= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4= From 76faaff0cfce9d8fd3892a125426f9f7ed0f9508 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Aug 2025 17:58:46 +0200 Subject: [PATCH 026/136] chore(deps): bump github.com/go-viper/mapstructure/v2 (#4355) Bumps [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) from 2.3.0 to 2.4.0. - [Release notes](https://github.com/go-viper/mapstructure/releases) - [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md) - [Commits](https://github.com/go-viper/mapstructure/compare/v2.3.0...v2.4.0) --- updated-dependencies: - dependency-name: github.com/go-viper/mapstructure/v2 dependency-version: 2.4.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 5cff47fa609..87b22b5e905 100644 --- a/go.mod +++ b/go.mod @@ -175,7 +175,7 @@ require ( github.com/go-openapi/spec v0.21.0 // indirect github.com/go-openapi/validate v0.24.0 // indirect github.com/go-sql-driver/mysql v1.9.3 // indirect - github.com/go-viper/mapstructure/v2 v2.3.0 // indirect + github.com/go-viper/mapstructure/v2 v2.4.0 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.5.2 // indirect diff --git a/go.sum b/go.sum index 2ee88f77ae9..f598ec6291a 100644 --- a/go.sum +++ b/go.sum 
@@ -1006,8 +1006,8 @@ github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1v github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U= github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= -github.com/go-viper/mapstructure/v2 v2.3.0 h1:27XbWsHIqhbdR5TIC911OfYvgSaW93HM+dX7970Q7jk= -github.com/go-viper/mapstructure/v2 v2.3.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= +github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs= +github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= From 8999f9eac503faa2061f3b7b6e6a07b6c7b3ffa6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Aug 2025 08:36:04 +0200 Subject: [PATCH 027/136] chore(deps): bump github.com/buildkite/agent/v3 from 3.98.2 to 3.103.1 (#4365) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.98.2 to 3.103.1. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](https://github.com/buildkite/agent/compare/v3.98.2...v3.103.1) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.103.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/go.mod b/go.mod index 87b22b5e905..d3d1ca69582 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/sigstore/cosign/v2 -go 1.24.0 +go 1.24.3 toolchain go1.24.6 @@ -8,7 +8,7 @@ require ( cuelang.org/go v0.14.1 github.com/ThalesIgnite/crypto11 v1.2.5 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 - github.com/buildkite/agent/v3 v3.98.2 + github.com/buildkite/agent/v3 v3.103.1 github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936 diff --git a/go.sum b/go.sum index f598ec6291a..c1a2413c186 100644 --- a/go.sum +++ b/go.sum @@ -797,8 +797,8 @@ github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdn github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= -github.com/buildkite/agent/v3 v3.98.2 h1:VOOxv8XD8HVCtEvtRPQhvB6k2Gorha2gN1wGh94gYAA= -github.com/buildkite/agent/v3 v3.98.2/go.mod h1:+zCvvo/OlOwfs+AH3QvSn37H3cBXP3Fe18eoSbqUvnY= +github.com/buildkite/agent/v3 v3.103.1 h1:PdbUrGUeQaf4xIaWSXQEYWf4Q6SB9gHUWlC/r6bHHig= +github.com/buildkite/agent/v3 v3.103.1/go.mod h1:OSoURonIdwLChSvNXxnmywtqD0xnqbFdvgMAkfxTOPg= github.com/buildkite/go-pipeline v0.15.0 h1:ae/TEXC/4HhajbED2vKcRL5vZTtb9C71cajzwoBlP8s= github.com/buildkite/go-pipeline v0.15.0/go.mod h1:VE37qY3X5pmAKKUMoDZvPsHOQuyakB9cmXj9Qn6QasA= github.com/buildkite/interpolate v0.1.5 h1:v2Ji3voik69UZlbfoqzx+qfcsOKLA61nHdU79VV+tPU= From 6dd6f52a496d5c0a365259d2c684cffd54a279a1 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Aug 2025 08:36:25 +0200 Subject: [PATCH 028/136] chore(deps): bump google.golang.org/protobuf in the gomod group (#4364) Bumps the gomod group with 1 update: google.golang.org/protobuf. Updates `google.golang.org/protobuf` from 1.36.7 to 1.36.8 --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-version: 1.36.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index d3d1ca69582..44b57bab54d 100644 --- a/go.mod +++ b/go.mod @@ -59,7 +59,7 @@ require ( golang.org/x/sync v0.16.0 golang.org/x/term v0.34.0 google.golang.org/api v0.247.0 - google.golang.org/protobuf v1.36.7 + google.golang.org/protobuf v1.36.8 k8s.io/api v0.33.4 k8s.io/apimachinery v0.33.4 k8s.io/client-go v0.33.4 diff --git a/go.sum b/go.sum index c1a2413c186..15248938392 100644 --- a/go.sum +++ b/go.sum 
@@ -2276,8 +2276,8 @@ google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.36.7 h1:IgrO7UwFQGJdRNXH/sQux4R1Dj1WAKcLElzeeRaXV2A= -google.golang.org/protobuf v1.36.7/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY= +google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc= +google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= From ef083d435d94d805371f2129e03ab5482c9c676d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Aug 2025 10:08:08 +0200 Subject: [PATCH 029/136] chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.5.0 to 2.6.0 (#4363) Bumps [github.com/spiffe/go-spiffe/v2](https://github.com/spiffe/go-spiffe) from 2.5.0 to 2.6.0. - [Release notes](https://github.com/spiffe/go-spiffe/releases) - [Changelog](https://github.com/spiffe/go-spiffe/blob/main/CHANGELOG.md) - [Commits](https://github.com/spiffe/go-spiffe/compare/v2.5.0...v2.6.0) --- updated-dependencies: - dependency-name: github.com/spiffe/go-spiffe/v2 dependency-version: 2.6.0 dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 5 ++--- go.sum | 12 ++++++------ 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 44b57bab54d..f56bf2f94d9 100644 --- a/go.mod +++ b/go.mod @@ -48,7 +48,7 @@ require ( github.com/spf13/cobra v1.9.1 github.com/spf13/pflag v1.0.7 github.com/spf13/viper v1.20.1 - github.com/spiffe/go-spiffe/v2 v2.5.0 + github.com/spiffe/go-spiffe/v2 v2.6.0 github.com/stretchr/testify v1.10.0 github.com/theupdateframework/go-tuf/v2 v2.1.1 github.com/transparency-dev/merkle v0.0.2 @@ -270,7 +270,6 @@ require ( github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/yashtewari/glob-intersection v0.2.0 // indirect - github.com/zeebo/errs v1.4.0 // indirect go.mongodb.org/mongo-driver v1.14.0 // indirect go.opencensus.io v0.24.0 // indirect go.opentelemetry.io/auto/sdk v1.1.0 // indirect @@ -296,7 +295,7 @@ require ( google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b // indirect - google.golang.org/grpc v1.74.2 // indirect + google.golang.org/grpc v1.75.0 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect diff --git a/go.sum b/go.sum index 15248938392..c122b782360 100644 --- a/go.sum +++ b/go.sum 
@@ -1448,8 +1448,8 @@ github.com/spf13/pflag v1.0.7 h1:vN6T9TfwStFPFM5XzjsvmzZkLuaLX+HS+0SeFLRgU6M= github.com/spf13/pflag v1.0.7/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4= github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4= -github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8WS0hE= -github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g= +github.com/spiffe/go-spiffe/v2 v2.6.0 h1:l+DolpxNWYgruGQVV0xsfeya3CsC7m8iBzDnMpsbLuo= +github.com/spiffe/go-spiffe/v2 v2.6.0/go.mod h1:gm2SeUoMZEtpnzPNs2Csc0D/gX33k1xIx7lEzqblHEs= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= @@ -1538,8 +1538,6 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8ua9s= github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI= github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0= -github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM= -github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= gitlab.com/gitlab-org/api/client-go v0.140.0 h1:xajVsCRN7BJ5YNTygBvth89uWUBGPy5aKtRkkH/2xbo= gitlab.com/gitlab-org/api/client-go v0.140.0/go.mod h1:vY0XbE86FvL7v5jCGDiaFgDyCV8YbmjIIkBhXx+ZDWM= 
@@ -2007,6 +2005,8 @@ gonum.org/v1/gonum v0.0.0-20180816165407-929014505bf4/go.mod h1:Y+Yx5eoAFn32cQvJ gonum.org/v1/gonum v0.8.2/go.mod h1:oe/vMfY3deqTw+1EZJhuvEW2iwGF1bW9wwu7XCu0+v0= gonum.org/v1/gonum v0.9.3/go.mod h1:TZumC3NeyVQskjXqmyWt4S3bINhy7B4eYwW69EbyX+0= gonum.org/v1/gonum v0.11.0/go.mod h1:fSG4YDCxxUZQJ7rKsQrj0gMOg00Il0Z96/qMA4bVQhA= +gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= +gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= gonum.org/v1/plot v0.0.0-20190515093506-e2840ee46a6b/go.mod h1:Wt8AAjI+ypCyYX3nZBvf6cAIx93T+c/OS2HFAYskSZc= gonum.org/v1/plot v0.9.0/go.mod h1:3Pcqqmp6RHvJI72kgb8fThyUnav364FOsdDo2aGW5lY= @@ -2256,8 +2256,8 @@ google.golang.org/grpc v1.52.3/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5v google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw= google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g= google.golang.org/grpc v1.56.3/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= -google.golang.org/grpc v1.74.2 h1:WoosgB65DlWVC9FqI82dGsZhWFNBSLjQ84bjROOpMu4= -google.golang.org/grpc v1.74.2/go.mod h1:CtQ+BGjaAIXHs/5YS3i473GqwBBa1zGQNevxdeBEXrM= +google.golang.org/grpc v1.75.0 h1:+TW+dqTd2Biwe6KKfhE5JpiYIBWq865PhKGSXiivqt4= +google.golang.org/grpc v1.75.0/go.mod h1:JtPAzKiq4v1xcAB2hydNlWI2RnF85XXcV0mhKXr2ecQ= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= From 663b97c11ae8ccaab78365135bfe813830eba541 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Aug 2025 10:12:56 +0200 Subject: [PATCH 030/136] chore(deps): bump the actions group with 2 updates (#4361) Bumps the actions group with 2 updates: [chainguard-dev/actions](https://github.com/chainguard-dev/actions) and [codecov/codecov-action](https://github.com/codecov/codecov-action). Updates `chainguard-dev/actions` from 1.4.11 to 1.4.12 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](https://github.com/chainguard-dev/actions/compare/de82dfd62f186b1b55bd0cdf084f484496d88ee3...be7b31a01af8ce7228fe901326f1d223fb788e14) Updates `codecov/codecov-action` from 5.4.3 to 5.5.0 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/18283e04ce6e62d37312384ff67231eb8fd56d24...fdcc8476540edceab3de004e990f80d881c6cc00) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.4.12 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: codecov/codecov-action dependency-version: 5.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/donotsubmit.yaml | 2 +- .github/workflows/e2e-tests.yml | 2 +- .github/workflows/kind-verify-attestation.yaml | 2 +- .github/workflows/tests.yaml | 4 ++-- .github/workflows/whitespace.yaml | 4 ++-- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml index 33b1e07d670..43752375256 100644 
--- a/.github/workflows/donotsubmit.yaml +++ b/.github/workflows/donotsubmit.yaml @@ -40,4 +40,4 @@ jobs: persist-credentials: false - name: Do Not Submit - uses: chainguard-dev/actions/donotsubmit@de82dfd62f186b1b55bd0cdf084f484496d88ee3 # v1.4.11 + uses: chainguard-dev/actions/donotsubmit@be7b31a01af8ce7228fe901326f1d223fb788e14 # v1.4.12 diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 20538e0aec4..4b61b5c21dd 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -220,4 +220,4 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@de82dfd62f186b1b55bd0cdf084f484496d88ee3 # v1.4.11 + uses: chainguard-dev/actions/kind-diag@be7b31a01af8ce7228fe901326f1d223fb788e14 # v1.4.12 diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml index a9893c00e81..f00a0a8de64 100644 --- a/.github/workflows/kind-verify-attestation.yaml +++ b/.github/workflows/kind-verify-attestation.yaml @@ -156,7 +156,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@de82dfd62f186b1b55bd0cdf084f484496d88ee3 # v1.4.11 + uses: chainguard-dev/actions/kind-diag@be7b31a01af8ce7228fe901326f1d223fb788e14 # v1.4.12 - name: Create vuln attestation for it run: | diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 3d8749c96cf..945e8bd610d 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -67,7 +67,7 @@ jobs: - name: Run Go tests run: go test -covermode atomic -coverprofile coverage.txt $(go list ./... | grep -v third_party/) - name: Upload Coverage Report - uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 + uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0 with: env_vars: OS - name: Run Go tests w/ `-race` 
@@ -169,7 +169,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@de82dfd62f186b1b55bd0cdf084f484496d88ee3 # v1.4.11 + uses: chainguard-dev/actions/kind-diag@be7b31a01af8ce7228fe901326f1d223fb788e14 # v1.4.12 e2e-windows-powershell-tests: name: Run PowerShell E2E tests diff --git a/.github/workflows/whitespace.yaml b/.github/workflows/whitespace.yaml index ce96340408d..6d40d652aad 100644 --- a/.github/workflows/whitespace.yaml +++ b/.github/workflows/whitespace.yaml @@ -38,8 +38,8 @@ jobs: with: persist-credentials: false - - uses: chainguard-dev/actions/trailing-space@de82dfd62f186b1b55bd0cdf084f484496d88ee3 # v1.4.11 + - uses: chainguard-dev/actions/trailing-space@be7b31a01af8ce7228fe901326f1d223fb788e14 # v1.4.12 if: ${{ always() }} - - uses: chainguard-dev/actions/eof-newline@de82dfd62f186b1b55bd0cdf084f484496d88ee3 # v1.4.11 + - uses: chainguard-dev/actions/eof-newline@be7b31a01af8ce7228fe901326f1d223fb788e14 # v1.4.12 if: ${{ always() }} From ec66f46de5ed1969220518b92a011865764bd76b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Aug 2025 10:53:24 +0200 Subject: [PATCH 031/136] chore(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.0 (#4362) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.10.0 to 1.11.0. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](https://github.com/stretchr/testify/compare/v1.10.0...v1.11.0) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-version: 1.11.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index f56bf2f94d9..f2c676e233d 100644 --- a/go.mod +++ b/go.mod 
@@ -49,7 +49,7 @@ require ( github.com/spf13/pflag v1.0.7 github.com/spf13/viper v1.20.1 github.com/spiffe/go-spiffe/v2 v2.6.0 - github.com/stretchr/testify v1.10.0 + github.com/stretchr/testify v1.11.0 github.com/theupdateframework/go-tuf/v2 v2.1.1 github.com/transparency-dev/merkle v0.0.2 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 diff --git a/go.sum b/go.sum index c122b782360..59e46e3aaff 100644 --- a/go.sum +++ b/go.sum @@ -1468,8 +1468,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= -github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= -github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/stretchr/testify v1.11.0 h1:ib4sjIrwZKxE5u/Japgo/7SJV3PvgjGiRNAvTVGqQl8= +github.com/stretchr/testify v1.11.0/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d h1:vfofYNRScrDdvS342BElfbETmL1Aiz3i2t0zfRj16Hs= From 29f93499955c7108e47b4a13154294b233c0fa90 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Aug 2025 10:55:03 +0200 Subject: [PATCH 032/136] chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4360) Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.140.0 to 0.142.1. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.140.0...v0.142.1) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.142.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index f2c676e233d..6f90a41d549 100644 --- a/go.mod +++ b/go.mod @@ -53,7 +53,7 @@ require ( github.com/theupdateframework/go-tuf/v2 v2.1.1 github.com/transparency-dev/merkle v0.0.2 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 - gitlab.com/gitlab-org/api/client-go v0.140.0 + gitlab.com/gitlab-org/api/client-go v0.142.1 golang.org/x/crypto v0.41.0 golang.org/x/oauth2 v0.30.0 golang.org/x/sync v0.16.0 diff --git a/go.sum b/go.sum index 59e46e3aaff..61f4fddc8bf 100644 --- a/go.sum +++ b/go.sum 
@@ -1539,8 +1539,8 @@ github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8u github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI= github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0= github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= -gitlab.com/gitlab-org/api/client-go v0.140.0 h1:xajVsCRN7BJ5YNTygBvth89uWUBGPy5aKtRkkH/2xbo= -gitlab.com/gitlab-org/api/client-go v0.140.0/go.mod h1:vY0XbE86FvL7v5jCGDiaFgDyCV8YbmjIIkBhXx+ZDWM= +gitlab.com/gitlab-org/api/client-go v0.142.1 h1:PFMUo/MPVjLlUDUE0RPpufrsjaMQbyZHSmhP25MHsZw= +gitlab.com/gitlab-org/api/client-go v0.142.1/go.mod h1:Pht8kWkFX+obFPjQK3fct8gk+kILqH/ur5v31+VFsKc= go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80= go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= From 5ad3dfe0a6a2da9d0cc46c74638fd60fdb300ea8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Aug 2025 10:55:21 +0200 Subject: [PATCH 033/136] chore(deps): bump google.golang.org/api from 0.247.0 to 0.248.0 (#4359) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.247.0 to 0.248.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.247.0...v0.248.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.248.0 dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 6f90a41d549..2c241fb22cc 100644 --- a/go.mod +++ b/go.mod @@ -58,7 +58,7 @@ require ( golang.org/x/oauth2 v0.30.0 golang.org/x/sync v0.16.0 golang.org/x/term v0.34.0 - google.golang.org/api v0.247.0 + google.golang.org/api v0.248.0 google.golang.org/protobuf v1.36.8 k8s.io/api v0.33.4 k8s.io/apimachinery v0.33.4 @@ -70,7 +70,7 @@ require ( require ( cel.dev/expr v0.24.0 // indirect cloud.google.com/go v0.121.4 // indirect - cloud.google.com/go/auth v0.16.4 // indirect + cloud.google.com/go/auth v0.16.5 // indirect cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect cloud.google.com/go/compute/metadata v0.8.0 // indirect cloud.google.com/go/iam v1.5.2 // indirect @@ -294,7 +294,7 @@ require ( golang.org/x/tools v0.35.0 // indirect google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c // indirect google.golang.org/grpc v1.75.0 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index 61f4fddc8bf..38c251237ee 100644 --- a/go.sum +++ b/go.sum 
@@ -103,8 +103,8 @@ cloud.google.com/go/assuredworkloads v1.7.0/go.mod h1:z/736/oNmtGAyU47reJgGN+KVo cloud.google.com/go/assuredworkloads v1.8.0/go.mod h1:AsX2cqyNCOvEQC8RMPnoc0yEarXQk6WEKkxYfL6kGIo= cloud.google.com/go/assuredworkloads v1.9.0/go.mod h1:kFuI1P78bplYtT77Tb1hi0FMxM0vVpRC7VVoJC3ZoT0= cloud.google.com/go/assuredworkloads v1.10.0/go.mod h1:kwdUQuXcedVdsIaKgKTp9t0UJkE5+PAVNhdQm4ZVq2E= -cloud.google.com/go/auth v0.16.4 h1:fXOAIQmkApVvcIn7Pc2+5J8QTMVbUGLscnSVNl11su8= -cloud.google.com/go/auth v0.16.4/go.mod h1:j10ncYwjX/g3cdX7GpEzsdM+d+ZNsXAbb6qXA7p1Y5M= +cloud.google.com/go/auth v0.16.5 h1:mFWNQ2FEVWAliEQWpAdH80omXFokmrnbDhUS9cBywsI= +cloud.google.com/go/auth v0.16.5/go.mod h1:utzRfHMP+Vv0mpOkTRQoWD2q3BatTOoWbA7gCc2dUhQ= cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc= cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c= cloud.google.com/go/automl v1.5.0/go.mod h1:34EjfoFGMZ5sgJ9EoLsRtdPSNZLcfflJR39VbVNS2M0= @@ -2068,8 +2068,8 @@ google.golang.org/api v0.108.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/ google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI= google.golang.org/api v0.111.0/go.mod h1:qtFHvU9mhgTJegR31csQ+rwxyUTHOKFqCKWp1J0fdw0= google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg= -google.golang.org/api v0.247.0 h1:tSd/e0QrUlLsrwMKmkbQhYVa109qIintOls2Wh6bngc= -google.golang.org/api v0.247.0/go.mod h1:r1qZOPmxXffXg6xS5uhx16Fa/UFY8QU/K4bfKrnvovM= +google.golang.org/api v0.248.0 h1:hUotakSkcwGdYUqzCRc5yGYsg4wXxpkKlW5ryVqvC1Y= +google.golang.org/api v0.248.0/go.mod h1:yAFUAF56Li7IuIQbTFoLwXTCI6XCFKueOlS7S9e4F9k= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -2213,8 +2213,8 @@ google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuO google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s= google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0 h1:0UOBWO4dC+e51ui0NFKSPbkHHiQ4TmrEfEZMLDyRmY8= google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0/go.mod h1:8ytArBbtOy2xfht+y2fqKd5DRDJRUQhqbyEnQ4bDChs= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b h1:zPKJod4w6F1+nRGDI9ubnXYhU9NSWoFAijkHkUXeTK8= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c h1:qXWI/sQtv5UKboZ/zUk7h+mrf/lXORyI+n9DKDAusdg= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c/go.mod h1:gw1tLEfykwDz2ET4a12jcXt4couGAm7IwsVaTy0Sflo= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= From fbb7ca11b55a24b551b841b4dffc5146a637d40c Mon Sep 17 00:00:00 2001 From: Carlos Tadeu Panato Junior Date: Wed, 27 Aug 2025 14:45:13 +0200 Subject: [PATCH 034/136] update builder image to use go1.25 (#4366) Signed-off-by: Carlos Panato --- .github/workflows/validate-release.yml | 6 +++--- release/cloudbuild.yaml | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml index ec9277d1ab5..30034621aee 100644 --- a/.github/workflows/validate-release.yml +++ b/.github/workflows/validate-release.yml 
@@ -31,9 +31,9 @@ jobs: steps: - name: Check Signature run: | - cosign verify ghcr.io/gythialy/golang-cross:v1.24.6-0@sha256:961353cc71207c6c50db62a1e01275f3e809493bea34861c4de199f5dc17d665 \ + cosign verify ghcr.io/gythialy/golang-cross:v1.25.0-0@sha256:eb3b336de68dc8ec74640af10e37c727976a70f0d75042f6584ae1207c1e7c49 \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ - --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.24.6-0" + --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.25.0-0" env: TUF_ROOT: /tmp @@ -43,7 +43,7 @@ jobs: - check-signature container: - image: ghcr.io/gythialy/golang-cross:v1.24.6-0@sha256:961353cc71207c6c50db62a1e01275f3e809493bea34861c4de199f5dc17d665 + image: ghcr.io/gythialy/golang-cross:v1.25.0-0@sha256:eb3b336de68dc8ec74640af10e37c727976a70f0d75042f6584ae1207c1e7c49 volumes: - /usr:/host_usr - /opt:/host_opt diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml index ae2eda64c63..037247f5a51 100644 --- a/release/cloudbuild.yaml +++ b/release/cloudbuild.yaml 
@@ -38,14 +38,14 @@ steps: - TUF_ROOT=/tmp args: - 'verify' - - 'ghcr.io/gythialy/golang-cross:v1.24.6-0@sha256:961353cc71207c6c50db62a1e01275f3e809493bea34861c4de199f5dc17d665' + - 'ghcr.io/gythialy/golang-cross:v1.25.0-0@sha256:eb3b336de68dc8ec74640af10e37c727976a70f0d75042f6584ae1207c1e7c49' - '--certificate-oidc-issuer' - "https://token.actions.githubusercontent.com" - '--certificate-identity' - - "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.24.6-0" + - "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.25.0-0" # maybe we can build our own image and use that to be more in a safe side - - name: ghcr.io/gythialy/golang-cross:v1.24.6-0@sha256:961353cc71207c6c50db62a1e01275f3e809493bea34861c4de199f5dc17d665 + - name: ghcr.io/gythialy/golang-cross:v1.25.0-0@sha256:eb3b336de68dc8ec74640af10e37c727976a70f0d75042f6584ae1207c1e7c49 entrypoint: /bin/sh dir: "go/src/sigstore/cosign" env: @@ -68,7 +68,7 @@ steps: gcloud auth configure-docker \ && make release - - name: ghcr.io/gythialy/golang-cross:v1.24.6-0@sha256:961353cc71207c6c50db62a1e01275f3e809493bea34861c4de199f5dc17d665 + - name: ghcr.io/gythialy/golang-cross:v1.25.0-0@sha256:eb3b336de68dc8ec74640af10e37c727976a70f0d75042f6584ae1207c1e7c49 entrypoint: 'bash' dir: "go/src/sigstore/cosign" env: From b6ce93da38c781b1ba763c9c7d7a4ce49763fbee Mon Sep 17 00:00:00 2001 
From: Hayden Date: Wed, 27 Aug 2025 09:45:05 -0700 Subject: [PATCH 035/136] Update conformance test binary for signing config (#4367) The signing config will now be provided on the sign path to test Rekor v2, along with the trusted root for verifying bundles on the sign path. This also adds support for providing a trusted root with sign-blob/attest-blob. Currently, you can either provide just the CT log key or we'll fetch the trusted root from the initialized TUF repo. Since we are providing the trusted root for staging during signing now, this PR also lets the user provide the trusted root they'll use for verifying during signing. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --- cmd/conformance/main.go | 9 ++++++++- cmd/cosign/cli/attest_blob.go | 15 +++++++++++---- cmd/cosign/cli/options/attest_blob.go | 6 +++++- cmd/cosign/cli/options/signblob.go | 6 +++++- cmd/cosign/cli/signblob.go | 15 +++++++++++---- doc/cosign_attest-blob.md | 3 ++- doc/cosign_sign-blob.md | 3 ++- 7 files changed, 44 insertions(+), 13 deletions(-)
diff --git a/cmd/conformance/main.go b/cmd/conformance/main.go
index d4916df6df6..6415341135d 100644
--- a/cmd/conformance/main.go
+++ b/cmd/conformance/main.go
@@ -30,10 +30,11 @@ var certOIDC *string
 var certSAN *string
 var identityToken *string
 var trustedRootPath *string
+var signingConfigPath *string
 func usage() {
 fmt.Println("Usage:")
- fmt.Printf("\t%s sign-bundle --identity-token TOKEN --bundle FILE FILE\n", os.Args[0])
+ fmt.Printf("\t%s sign-bundle --identity-token TOKEN [--signing-config FILE] [--trusted-root FILE] --bundle FILE FILE\n", os.Args[0])
 fmt.Printf("\t%s verify-bundle --bundle FILE --certificate-identity IDENTITY --certificate-oidc-issuer URL [--trusted-root FILE] FILE\n", os.Args[0])
 }
@@ -61,6 +62,9 @@ func parseArgs() {
 case "--trusted-root":
 trustedRootPath = &os.Args[i+1]
 i += 2
+ case "--signing-config": signingConfigPath = &os.Args[i+1] i += 2
 default:
 i++
 }
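Review bot: The new `--signing-config` case reads `os.Args[i+1]` without checking that a value follows, so `sign-bundle --signing-config` given as the trailing argument panics with an index-out-of-range instead of printing usage; this copies the existing `--trusted-root` case, which has the same gap. A one-line guard before the assignment, `if i+1 >= len(os.Args) { usage(); os.Exit(1) }`, covers both cases (usage() is defined in the first hunk of this file; whether the file already exits this way elsewhere is not visible here). parseArgs's loop and switch start and end outside the hunk.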
@@ -121,6 +125,9 @@ func main() {
 if trustedRootPath != nil {
 args = append(args, "--trusted-root", *trustedRootPath)
 }
+ if signingConfigPath != nil {
+ args = append(args, "--signing-config", *signingConfigPath)
+ }
 args = append(args, os.Args[len(os.Args)-1])
 dir := filepath.Dir(os.Args[0])
diff --git a/cmd/cosign/cli/attest_blob.go b/cmd/cosign/cli/attest_blob.go
index 55cc7fd2047..051294e9511 100644
--- a/cmd/cosign/cli/attest_blob.go
+++ b/cmd/cosign/cli/attest_blob.go
@@ -90,11 +90,18 @@ func AttestBlob() *cobra.Command {
 NewBundleFormat: o.NewBundleFormat,
 }
 if o.Key == "" && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" { // Get the trusted root if using fulcio for signing
- trustedMaterial, err := cosign.TrustedRoot()
- if err != nil {
- ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
+ if o.TrustedRootPath != "" {
+ ko.TrustedMaterial, err = root.NewTrustedRootFromPath(o.TrustedRootPath)
+ if err != nil {
+ return fmt.Errorf("loading trusted root: %w", err)
+ }
+ } else {
+ trustedMaterial, err := cosign.TrustedRoot()
+ if err != nil {
+ ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
+ }
+ ko.TrustedMaterial = trustedMaterial
 }
- ko.TrustedMaterial = trustedMaterial
 }
 if (o.UseSigningConfig || o.SigningConfigPath != "") && o.BundlePath == "" {
 return fmt.Errorf("must provide --bundle with --signing-config or --use-signing-config")
diff --git a/cmd/cosign/cli/options/attest_blob.go b/cmd/cosign/cli/options/attest_blob.go
index b68a53e7ae4..1e3421bce67 100644
--- a/cmd/cosign/cli/options/attest_blob.go
+++ b/cmd/cosign/cli/options/attest_blob.go
@@ -53,6 +53,7 @@ type AttestBlobOptions struct {
 UseSigningConfig bool
 SigningConfigPath string
+ TrustedRootPath string
 }
 var _ Interface = (*AttestOptions)(nil)
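Review bot: `--trusted-root` is only consulted inside the `if o.Key == "" && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == ""` branch of the attest_blob.go hunk, so when attest-blob runs with `--key` or with SIGSTORE_CT_LOG_PUBLIC_KEY_FILE set the flag is silently ignored and the post-signing verification its help text promises never sees the supplied root. An explicitly supplied trusted root should win regardless of how the signature is produced: load it first and keep the Fulcio-only condition for the TUF fallback alone, as below; if there is a deliberate reason not to honour it on the key path, return an error for that combination rather than dropping it without a message. This assumes `err` is declared earlier in the RunE body, since the new line assigns to it with `=`. AttestBlob's body starts and ends outside the hunk.
```go
			if o.TrustedRootPath != "" {
				// An explicitly supplied trusted root is used whatever the signing mode.
				ko.TrustedMaterial, err = root.NewTrustedRootFromPath(o.TrustedRootPath)
				if err != nil {
					return fmt.Errorf("loading trusted root: %w", err)
				}
			} else if o.Key == "" && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" { // Get the trusted root if using fulcio for signing
				trustedMaterial, err := cosign.TrustedRoot()
				// … unchanged: TUF warning and ko.TrustedMaterial assignment …
			}
```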
@@ -104,9 +105,12 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) {
 cmd.Flags().BoolVar(&o.UseSigningConfig, "use-signing-config", false,
 "whether to use a TUF-provided signing config for the service URLs. Must provide --bundle, which will output verification material in the new format")
- cmd.Flags().StringVar(&o.SigningConfigPath, "signing-config-path", "",
+ cmd.Flags().StringVar(&o.SigningConfigPath, "signing-config", "",
 "path to a signing config file. Must provide --bundle, which will output verification material in the new format")
+ cmd.Flags().StringVar(&o.TrustedRootPath, "trusted-root", "",
+ "optional path to a TrustedRoot JSON file to verify a signature after signing")
+
 cmd.Flags().StringVar(&o.Hash, "hash", "",
 "hash of blob in hexadecimal (base16). Used if you want to sign an artifact stored elsewhere and have the hash")
 _ = cmd.RegisterFlagCompletionFunc("hash", cobra.NoFileCompletions)
diff --git a/cmd/cosign/cli/options/signblob.go b/cmd/cosign/cli/options/signblob.go
index 2081e109548..e1ad98089dd 100644
--- a/cmd/cosign/cli/options/signblob.go
+++ b/cmd/cosign/cli/options/signblob.go
@@ -46,6 +46,7 @@ type SignBlobOptions struct {
 UseSigningConfig bool
 SigningConfigPath string
+ TrustedRootPath string
 }
 var _ Interface = (*SignBlobOptions)(nil)
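Review bot: Renaming `--signing-config-path` to `--signing-config` drops the old spelling outright, so an invocation using the previously documented name (the doc hunk later in this patch still shows `--signing-config-path` on its removed side) now fails with cobra's unknown-flag error instead of a deprecation notice; if the old name shipped in a release, keep it as an alias bound to the same field, `cmd.Flags().StringVar(&o.SigningConfigPath, "signing-config-path", "", "")` followed by `_ = cmd.Flags().MarkDeprecated("signing-config-path", "use --signing-config")`. The `--trusted-root` help string also promises verification after signing without saying when the file is consulted; per the AttestBlob hunk in this patch it is read only when no `--key` is given and SIGSTORE_CT_LOG_PUBLIC_KEY_FILE is unset, which is worth stating in the help text. AddFlags starts and ends outside the hunk.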
@@ -88,9 +89,12 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) {
 cmd.Flags().BoolVar(&o.UseSigningConfig, "use-signing-config", false,
 "whether to use a TUF-provided signing config for the service URLs. Must provide --bundle, which will output verification material in the new format")
- cmd.Flags().StringVar(&o.SigningConfigPath, "signing-config-path", "",
+ cmd.Flags().StringVar(&o.SigningConfigPath, "signing-config", "",
 "path to a signing config file. Must provide --bundle, which will output verification material in the new format")
+ cmd.Flags().StringVar(&o.TrustedRootPath, "trusted-root", "",
+ "optional path to a TrustedRoot JSON file to verify a signature after signing")
+
 cmd.Flags().BoolVarP(&o.SkipConfirmation, "yes", "y", false,
 "skip confirmation prompts for non-destructive operations")
diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go
index 490f29b15c5..90b886fef2b 100644
--- a/cmd/cosign/cli/signblob.go
+++ b/cmd/cosign/cli/signblob.go
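Review bot: The `--trusted-root` help string here says the file is used "to verify a signature after signing", but the SignBlob hunk in this patch only loads it when `o.Key == "" || o.IssueCertificate` holds and SIGSTORE_CT_LOG_PUBLIC_KEY_FILE is unset, so a user passing it with a plain `--key` gets no verification and no warning; the help text should state that scope, e.g. `"optional path to a TrustedRoot JSON file used to verify the signature after signing; only consulted when signing with a Fulcio certificate"`. The same `--signing-config-path` to `--signing-config` rename also lands here with no compatibility shim, so unless the old name never shipped, register it as a deprecated alias on the same field with `cmd.Flags().StringVar(&o.SigningConfigPath, "signing-config-path", "", "")` plus `_ = cmd.Flags().MarkDeprecated("signing-config-path", "use --signing-config")`. AddFlags starts and ends outside the hunk.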
@@ -101,11 +101,18 @@ func SignBlob() *cobra.Command {
 IssueCertificateForExistingKey: o.IssueCertificate,
 }
 if (o.Key == "" || o.IssueCertificate) && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" {
- trustedMaterial, err := cosign.TrustedRoot()
- if err != nil {
- ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
+ if o.TrustedRootPath != "" {
+ ko.TrustedMaterial, err = root.NewTrustedRootFromPath(o.TrustedRootPath)
+ if err != nil {
+ return fmt.Errorf("loading trusted root: %w", err)
+ }
+ } else {
+ trustedMaterial, err := cosign.TrustedRoot()
+ if err != nil {
+ ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
+ }
+ ko.TrustedMaterial = trustedMaterial
 }
- ko.TrustedMaterial = trustedMaterial
 }
 if (o.UseSigningConfig || o.SigningConfigPath != "") && o.BundlePath == "" {
 return fmt.Errorf("must provide --bundle with --signing-config or --use-signing-config")
diff --git a/doc/cosign_attest-blob.md b/doc/cosign_attest-blob.md
index f7dc67e9933..64242c4e830 100644
--- a/doc/cosign_attest-blob.md
+++ b/doc/cosign_attest-blob.md
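Review bot: `--trusted-root` is only consulted inside the `(o.Key == "" || o.IssueCertificate) && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == ""` branch, so a user who passes it together with `--key` (without `--issue-certificate`), or with the CT log public key file variable set, has the flag silently ignored even though its help text describes it as a general post-signing verification input. Either load the file whenever `o.TrustedRootPath != ""` ahead of the keyless check, or return an error when it is set but unused, so a mistaken assumption about which trust root was applied surfaces at the CLI rather than at verification time. The assignment `ko.TrustedMaterial, err = root.NewTrustedRootFromPath(o.TrustedRootPath)` relies on an `err` declared outside this hunk; SignBlob's body starts and ends outside the hunk, so that declaration cannot be confirmed here.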
@@ -57,7 +57,7 @@ cosign attest-blob [flags] --rekor-entry-type string specifies the type to be used for a rekor entry upload (dsse|intoto) (default "dsse") --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") --rfc3161-timestamp-bundle string path to an RFC 3161 timestamp bundle FILE - --signing-config-path string path to a signing config file. Must provide --bundle, which will output verification material in the new format + --signing-config string path to a signing config file. Must provide --bundle, which will output verification material in the new format --sk whether to use a hardware security key --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management) --statement string path to the statement file. @@ -67,6 +67,7 @@ cosign attest-blob [flags] --timestamp-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the TSA Server --timestamp-server-url string url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr --tlog-upload whether or not to upload to the tlog (default true) + --trusted-root string optional path to a TrustedRoot JSON file to verify a signature after signing --type string specify a predicate type (slsaprovenance|slsaprovenance02|slsaprovenance1|link|spdx|spdxjson|cyclonedx|vuln|openvex|custom) or an URI (default "custom") --use-signing-config whether to use a TUF-provided signing config for the service URLs. Must provide --bundle, which will output verification material in the new format -y, --yes skip confirmation prompts for non-destructive operations diff --git a/doc/cosign_sign-blob.md b/doc/cosign_sign-blob.md index 9648f882af9..7078de609c6 100644 --- a/doc/cosign_sign-blob.md +++ b/doc/cosign_sign-blob.md 
@@ -57,7 +57,7 @@ cosign sign-blob [flags] --output-signature string write the signature to FILE --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") --rfc3161-timestamp string write the RFC3161 timestamp to a file - --signing-config-path string path to a signing config file. Must provide --bundle, which will output verification material in the new format + --signing-config string path to a signing config file. Must provide --bundle, which will output verification material in the new format --sk whether to use a hardware security key --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management) --timestamp-client-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the TSA Server @@ -66,6 +66,7 @@ cosign sign-blob [flags] --timestamp-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the TSA Server --timestamp-server-url string url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr --tlog-upload whether or not to upload to the tlog (default true) + --trusted-root string optional path to a TrustedRoot JSON file to verify a signature after signing --use-signing-config whether to use a TUF-provided signing config for the service URLs. Must provide --bundle, which will output verification material in the new format -y, --yes skip confirmation prompts for non-destructive operations ``` From fd5fcfbf07db65345ffbddb6c7324ea79cedcb0d Mon Sep 17 00:00:00 2001 
From: Hayden Date: Thu, 28 Aug 2025 11:42:30 -0700 Subject: [PATCH 036/136] Break import cycle with e2e build tag (#4370) When developing locally, with the e2e build tag set, there's an import cycle. test/helpers.go imports "cmd/cosign/cli/verify", which imports "test" in test files in the verify package. This change breaks the import cycle by moving certificate utilities to an internal test directory. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --- cmd/cosign/cli/attest/attest_blob_test.go | 2 +- cmd/cosign/cli/bundle/bundle_test.go | 2 +- cmd/cosign/cli/fulcio/fulcio_test.go | 2 +- cmd/cosign/cli/sign/sign_test.go | 2 +- cmd/cosign/cli/verify/verify_blob_test.go | 2 +- cmd/cosign/cli/verify/verify_test.go | 2 +- .../fulcio/fulcioroots/fulcioroots_test.go | 2 +- internal/pkg/cosign/tsa/utils_test.go | 2 +- {test => internal/test}/cert_utils.go | 0 pkg/cosign/verify_test.go | 2 +- test/e2e_attach_test.go | 25 ++++++++++--------- test/e2e_test.go | 13 +++++----- test/e2e_tsa_test.go | 11 ++++---- 13 files changed, 35 insertions(+), 32 deletions(-) rename {test => internal/test}/cert_utils.go (100%) diff --git a/cmd/cosign/cli/attest/attest_blob_test.go b/cmd/cosign/cli/attest/attest_blob_test.go index 806de15d058..57f7d349a57 100644 --- a/cmd/cosign/cli/attest/attest_blob_test.go +++ b/cmd/cosign/cli/attest/attest_blob_test.go @@ -35,8 +35,8 @@ import ( "github.com/secure-systems-lab/go-securesystemslib/encrypted" "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate" "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v2/internal/test" "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/test" "github.com/sigstore/sigstore/pkg/signature" "github.com/sigstore/sigstore/pkg/signature/dsse" "github.com/stretchr/testify/assert" diff --git a/cmd/cosign/cli/bundle/bundle_test.go b/cmd/cosign/cli/bundle/bundle_test.go index 279d59bf86b..94f6233775a 100644 
--- a/cmd/cosign/cli/bundle/bundle_test.go +++ b/cmd/cosign/cli/bundle/bundle_test.go @@ -30,8 +30,8 @@ import ( "path/filepath" "testing" + "github.com/sigstore/cosign/v2/internal/test" "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/test" sgBundle "github.com/sigstore/sigstore-go/pkg/bundle" "github.com/sigstore/sigstore/pkg/cryptoutils" ) diff --git a/cmd/cosign/cli/fulcio/fulcio_test.go b/cmd/cosign/cli/fulcio/fulcio_test.go index 3b0fb51fb81..43b27b691b4 100644 --- a/cmd/cosign/cli/fulcio/fulcio_test.go +++ b/cmd/cosign/cli/fulcio/fulcio_test.go @@ -29,8 +29,8 @@ import ( "testing" "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v2/internal/test" "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/test" "github.com/sigstore/fulcio/pkg/api" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" diff --git a/cmd/cosign/cli/sign/sign_test.go b/cmd/cosign/cli/sign/sign_test.go index 0d9de73f790..8b7fcdf59ab 100644 --- a/cmd/cosign/cli/sign/sign_test.go +++ b/cmd/cosign/cli/sign/sign_test.go @@ -31,9 +31,9 @@ import ( "github.com/secure-systems-lab/go-securesystemslib/encrypted" "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate" "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v2/internal/test" "github.com/sigstore/cosign/v2/internal/ui" "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/test" "github.com/sigstore/sigstore/pkg/cryptoutils" ) diff --git a/cmd/cosign/cli/verify/verify_blob_test.go b/cmd/cosign/cli/verify/verify_blob_test.go index 0e54449dd93..fb746bc0288 100644 --- a/cmd/cosign/cli/verify/verify_blob_test.go +++ b/cmd/cosign/cli/verify/verify_blob_test.go 
@@ -40,11 +40,11 @@ import ( "github.com/go-openapi/swag" "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/mock" + "github.com/sigstore/cosign/v2/internal/test" "github.com/sigstore/cosign/v2/pkg/cosign" "github.com/sigstore/cosign/v2/pkg/cosign/bundle" sigs "github.com/sigstore/cosign/v2/pkg/signature" ctypes "github.com/sigstore/cosign/v2/pkg/types" - "github.com/sigstore/cosign/v2/test" protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" "github.com/sigstore/rekor/pkg/generated/models" diff --git a/cmd/cosign/cli/verify/verify_test.go b/cmd/cosign/cli/verify/verify_test.go index 620c841b6f9..c253533bef5 100644 --- a/cmd/cosign/cli/verify/verify_test.go +++ b/cmd/cosign/cli/verify/verify_test.go @@ -37,11 +37,11 @@ import ( "github.com/google/go-containerregistry/pkg/name" "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/internal/pkg/cosign/fulcio/fulcioroots" + "github.com/sigstore/cosign/v2/internal/test" "github.com/sigstore/cosign/v2/internal/ui" "github.com/sigstore/cosign/v2/pkg/cosign" "github.com/sigstore/cosign/v2/pkg/oci" "github.com/sigstore/cosign/v2/pkg/oci/static" - "github.com/sigstore/cosign/v2/test" "github.com/sigstore/sigstore/pkg/signature/payload" "github.com/stretchr/testify/assert" ) diff --git a/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots_test.go b/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots_test.go index 7d7ad46254e..479c0575394 100644 --- a/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots_test.go +++ b/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots_test.go @@ -19,7 +19,7 @@ import ( "sync" "testing" - "github.com/sigstore/cosign/v2/test" + "github.com/sigstore/cosign/v2/internal/test" "github.com/sigstore/sigstore/pkg/cryptoutils" ) 
diff --git a/internal/pkg/cosign/tsa/utils_test.go b/internal/pkg/cosign/tsa/utils_test.go index ba294ffe8f0..4a7951b46df 100644 --- a/internal/pkg/cosign/tsa/utils_test.go +++ b/internal/pkg/cosign/tsa/utils_test.go @@ -19,7 +19,7 @@ import ( "reflect" "testing" - "github.com/sigstore/cosign/v2/test" + "github.com/sigstore/cosign/v2/internal/test" "github.com/sigstore/sigstore/pkg/cryptoutils" ) diff --git a/test/cert_utils.go b/internal/test/cert_utils.go similarity index 100% rename from test/cert_utils.go rename to internal/test/cert_utils.go diff --git a/pkg/cosign/verify_test.go b/pkg/cosign/verify_test.go index a1dad623084..0546cd9e27b 100644 --- a/pkg/cosign/verify_test.go +++ b/pkg/cosign/verify_test.go @@ -48,11 +48,11 @@ import ( "github.com/sigstore/cosign/v2/internal/pkg/cosign/rekor/mock" "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa" tsaMock "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/mock" + "github.com/sigstore/cosign/v2/internal/test" "github.com/sigstore/cosign/v2/pkg/cosign/bundle" "github.com/sigstore/cosign/v2/pkg/oci" "github.com/sigstore/cosign/v2/pkg/oci/static" "github.com/sigstore/cosign/v2/pkg/types" - "github.com/sigstore/cosign/v2/test" "github.com/sigstore/rekor/pkg/generated/client" "github.com/sigstore/rekor/pkg/generated/client/entries" "github.com/sigstore/rekor/pkg/generated/models" diff --git a/test/e2e_attach_test.go b/test/e2e_attach_test.go index 7385da4f4a6..879fd170ddd 100644 --- a/test/e2e_attach_test.go +++ b/test/e2e_attach_test.go @@ -45,6 +45,7 @@ import ( cliverify "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify" "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa" "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client" + cert_test "github.com/sigstore/cosign/v2/internal/test" "github.com/sigstore/cosign/v2/pkg/cosign" "github.com/sigstore/cosign/v2/pkg/cosign/bundle" ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" 
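Review bot: The import alias `cert_test` introduced in e2e_attach_test.go contains an underscore, which Go naming conventions avoid for identifiers and which linters such as revive flag; the same alias is added in e2e_test.go and e2e_tsa_test.go. Since the alias exists only because the package is itself named `test`, a MixedCaps or lowercase alias such as `certtest "github.com/sigstore/cosign/v2/internal/test"` keeps the disambiguation without the underscore.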
@@ -73,11 +74,11 @@ func TestAttachSignature(t *testing.T) { // Scenario 1: attach a single signature with certificate and certificate chain to an artifact // and verify it using the root certificate. - rootCert1, rootKey1, _ := GenerateRootCa() + rootCert1, rootKey1, _ := cert_test.GenerateRootCa() pemRoot1 := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert1.Raw}) pemRootRef1 := mkfile(string(pemRoot1), td, t) - subCert1, subKey1, _ := GenerateSubordinateCa(rootCert1, rootKey1) - leafCert1, privKey1, _ := GenerateLeafCert("foo@example.com", "oidc-issuer", subCert1, subKey1) + subCert1, subKey1, _ := cert_test.GenerateSubordinateCa(rootCert1, rootKey1) + leafCert1, privKey1, _ := cert_test.GenerateLeafCert("foo@example.com", "oidc-issuer", subCert1, subKey1) pemSub1 := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: subCert1.Raw}) pemLeaf1 := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafCert1.Raw}) pemLeafRef1 := mkfile(string(pemLeaf1), td, t) 
@@ -122,11 +123,11 @@ func TestAttachSignature(t *testing.T) { // Scenario 2: Attaches second signature with another certificate and certificate chain to the // same artifact and verify it using both root certificates separately. - rootCert2, rootKey2, _ := GenerateRootCa() + rootCert2, rootKey2, _ := cert_test.GenerateRootCa() pemRoot2 := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert2.Raw}) pemRootRef2 := mkfile(string(pemRoot2), td, t) - subCert2, subKey2, _ := GenerateSubordinateCa(rootCert2, rootKey2) - leafCert2, privKey2, _ := GenerateLeafCert("foo@exampleclient.com", "oidc-issuer", subCert2, subKey2) + subCert2, subKey2, _ := cert_test.GenerateSubordinateCa(rootCert2, rootKey2) + leafCert2, privKey2, _ := cert_test.GenerateLeafCert("foo@exampleclient.com", "oidc-issuer", subCert2, subKey2) pemSub2 := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: subCert2.Raw}) pemLeaf2 := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafCert2.Raw}) pemLeafRef2 := mkfile(string(pemLeaf2), td, t) @@ -187,9 +188,9 @@ func TestAttachWithRFC3161Timestamp(t *testing.T) { b := bytes.Buffer{} must(generate.GenerateCmd(context.Background(), options.RegistryOptions{}, imgName, nil, &b), t) - rootCert, rootKey, _ := GenerateRootCa() - subCert, subKey, _ := GenerateSubordinateCa(rootCert, rootKey) - leafCert, privKey, _ := GenerateLeafCert("subject@mail.com", "oidc-issuer", subCert, subKey) + rootCert, rootKey, _ := cert_test.GenerateRootCa() + subCert, subKey, _ := cert_test.GenerateSubordinateCa(rootCert, rootKey) + leafCert, privKey, _ := cert_test.GenerateLeafCert("subject@mail.com", "oidc-issuer", subCert, subKey) pemRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert.Raw}) pemSub := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: subCert.Raw}) pemLeaf := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafCert.Raw}) 
@@ -257,9 +258,9 @@ func TestAttachWithRekorBundle(t *testing.T) { b := bytes.Buffer{} must(generate.GenerateCmd(context.Background(), options.RegistryOptions{}, imgName, nil, &b), t) - rootCert, rootKey, _ := GenerateRootCa() - subCert, subKey, _ := GenerateSubordinateCa(rootCert, rootKey) - leafCert, privKey, _ := GenerateLeafCert("subject@mail.com", "oidc-issuer", subCert, subKey) + rootCert, rootKey, _ := cert_test.GenerateRootCa() + subCert, subKey, _ := cert_test.GenerateSubordinateCa(rootCert, rootKey) + leafCert, privKey, _ := cert_test.GenerateLeafCert("subject@mail.com", "oidc-issuer", subCert, subKey) pemRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert.Raw}) pemSub := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: subCert.Raw}) pemLeaf := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafCert.Raw}) diff --git a/test/e2e_test.go b/test/e2e_test.go index 60afa02aef1..550ce6418fa 100644 --- a/test/e2e_test.go +++ b/test/e2e_test.go @@ -66,6 +66,7 @@ import ( "github.com/sigstore/cosign/v2/internal/pkg/cosign/fulcio/fulcioroots" "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa" "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client" + cert_test "github.com/sigstore/cosign/v2/internal/test" "github.com/sigstore/cosign/v2/pkg/cosign" "github.com/sigstore/cosign/v2/pkg/cosign/bundle" "github.com/sigstore/cosign/v2/pkg/cosign/env" 
@@ -1803,17 +1804,17 @@ func TestVerifyWithCARoots(t *testing.T) { } must(generate.GenerateCmd(context.Background(), options.RegistryOptions{}, imgName, nil, &b), t) - rootCert, rootKey, _ := GenerateRootCa() - subCert, subKey, _ := GenerateSubordinateCa(rootCert, rootKey) - leafCert, privKey, _ := GenerateLeafCert("subject@mail.com", "oidc-issuer", subCert, subKey) + rootCert, rootKey, _ := cert_test.GenerateRootCa() + subCert, subKey, _ := cert_test.GenerateSubordinateCa(rootCert, rootKey) + leafCert, privKey, _ := cert_test.GenerateLeafCert("subject@mail.com", "oidc-issuer", subCert, subKey) privKeyRef := importECDSAPrivateKey(t, privKey, td, "cosign-test-key.pem") pemRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert.Raw}) pemSub := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: subCert.Raw}) pemLeaf := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafCert.Raw}) - rootCert02, rootKey02, _ := GenerateRootCa() - subCert02, subKey02, _ := GenerateSubordinateCa(rootCert02, rootKey02) - leafCert02, _, _ := GenerateLeafCert("subject02@mail.com", "oidc-issuer02", subCert02, subKey02) + rootCert02, rootKey02, _ := cert_test.GenerateRootCa() + subCert02, subKey02, _ := cert_test.GenerateSubordinateCa(rootCert02, rootKey02) + leafCert02, _, _ := cert_test.GenerateLeafCert("subject02@mail.com", "oidc-issuer02", subCert02, subKey02) pemRoot02 := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert02.Raw}) pemSub02 := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: subCert02.Raw}) pemLeaf02 := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafCert02.Raw}) diff --git a/test/e2e_tsa_test.go b/test/e2e_tsa_test.go index acd873a601c..e46e1ccc70d 100644 --- a/test/e2e_tsa_test.go +++ b/test/e2e_tsa_test.go 
@@ -30,6 +30,7 @@ import ( "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign" cliverify "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify" + cert_test "github.com/sigstore/cosign/v2/internal/test" "github.com/sigstore/cosign/v2/pkg/cosign" tsaclient "github.com/sigstore/timestamp-authority/pkg/client" tsaserver "github.com/sigstore/timestamp-authority/pkg/server" @@ -132,11 +133,11 @@ func TestSignBlobTSAMTLS(t *testing.T) { } func generateSigningKeys(t *testing.T, td string) (string, string, string) { - rootCert, rootKey, _ := GenerateRootCa() + rootCert, rootKey, _ := cert_test.GenerateRootCa() pemRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert.Raw}) pemRootRef := mkfile(string(pemRoot), td, t) - leafCert, privKey, _ := GenerateLeafCert("xyz@nosuchprovider.com", "oidc-issuer", rootCert, rootKey) + leafCert, privKey, _ := cert_test.GenerateLeafCert("xyz@nosuchprovider.com", "oidc-issuer", rootCert, rootKey) pemLeaf := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafCert.Raw}) pemLeafRef := mkfile(string(pemLeaf), td, t) 
@@ -151,11 +152,11 @@ func generateSigningKeys(t *testing.T, td string) (string, string, string) { } func generateMTLSKeys(t *testing.T, td string) (string, string, string, string, string) { - rootCert, rootKey, _ := GenerateRootCa() + rootCert, rootKey, _ := cert_test.GenerateRootCa() pemRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert.Raw}) pemRootRef := mkfile(string(pemRoot), td, t) - serverLeafCert, serverPrivKey, _ := GenerateLeafCertWithSubjectAlternateNames([]string{"server.example.com"}, nil, nil, nil, "oidc-issuer", rootCert, rootKey) + serverLeafCert, serverPrivKey, _ := cert_test.GenerateLeafCertWithSubjectAlternateNames([]string{"server.example.com"}, nil, nil, nil, "oidc-issuer", rootCert, rootKey) serverPemLeaf := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: serverLeafCert.Raw}) serverPemLeafRef := mkfile(string(serverPemLeaf), td, t) serverX509Encoded, _ := x509.MarshalPKCS8PrivateKey(serverPrivKey) @@ -164,7 +165,7 @@ func generateMTLSKeys(t *testing.T, td string) (string, string, string, string, Bytes: serverX509Encoded}) serverPemKeyRef := mkfile(string(serverKeyPem), td, t) - clientLeafCert, clientPrivKey, _ := GenerateLeafCert("tsa-mtls-client", "oidc-issuer", rootCert, rootKey) + clientLeafCert, clientPrivKey, _ := cert_test.GenerateLeafCert("tsa-mtls-client", "oidc-issuer", rootCert, rootKey) clientPemLeaf := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: clientLeafCert.Raw}) clientPemLeafRef := mkfile(string(clientPemLeaf), td, t) clientX509Encoded, _ := x509.MarshalPKCS8PrivateKey(clientPrivKey) From 68caffdb1061fb990ce0b432a3c9ba7c2124e0d0 Mon Sep 17 00:00:00 2001 
From: Andrew McNamara Date: Fri, 29 Aug 2025 10:08:00 -0400 Subject: [PATCH 037/136] refactor: extract function to write referrer attestations (#4357) * refactor: extract function to write referrer attestations The only way that we can generate attestations is when we also produce protobuf bundles. While we are working to use bundles by default from the CLI, we should enable the cosign api to be used as a dependency to also assist in migrating to the referrer's api from the tag-based strategy. Co-Authored-By: Gemini Signed-off-by: arewm rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED * test: add test coverage for WriteReferrer functions Co-Authored-By: Claude Signed-off-by: arewm rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED --- pkg/oci/remote/remote.go | 11 +- pkg/oci/remote/write.go | 125 ++++++++----- pkg/oci/remote/write_test.go | 341 ++++++++++++++++++++++++++++++++++- 3 files changed, 427 insertions(+), 50 deletions(-) diff --git a/pkg/oci/remote/remote.go b/pkg/oci/remote/remote.go index eab4e1f9b01..fc8ea148c5e 100644 --- a/pkg/oci/remote/remote.go +++ b/pkg/oci/remote/remote.go @@ -33,10 +33,13 @@ import ( // These enable mocking for unit testing without faking an entire registry. var ( - remoteImage = remote.Image - remoteIndex = remote.Index - remoteGet = remote.Get - remoteWrite = remote.Write + remoteImage = remote.Image + remoteIndex = remote.Index + remoteGet = remote.Get + remoteWrite = remote.Write + remoteHead = remote.Head + remoteWriteLayer = remote.WriteLayer + remotePut = remote.Put ) // EntityNotFoundError is the error that SignedEntity returns when the diff --git a/pkg/oci/remote/write.go b/pkg/oci/remote/write.go index d353c6b0883..20758b55261 100644 --- a/pkg/oci/remote/write.go +++ b/pkg/oci/remote/write.go 
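Review bot: `remoteHead`, `remoteWriteLayer` and `remotePut` join the existing package-level function variables that tests reassign, and nothing in the var block records that a test which swaps them must not call `t.Parallel`; the restore in `t.Cleanup` only works when no other test in the package is concurrently reading the same variable. A one-line comment on the block, `// Tests that reassign these hooks must not run in parallel.`, would keep a later `t.Parallel()` from introducing a data race on the hooks.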
@@ -146,7 +146,7 @@ func WriteSignaturesExperimentalOCI(d name.Digest, se oci.SignedEntity, opts ... if err != nil { return err } - desc, err := remote.Head(ref, o.ROpt...) + desc, err := remoteHead(ref, o.ROpt...) if err != nil { return err } @@ -161,7 +161,7 @@ func WriteSignaturesExperimentalOCI(d name.Digest, se oci.SignedEntity, opts ... return err } for _, v := range s { - if err := remote.WriteLayer(d.Repository, v, o.ROpt...); err != nil { + if err := remoteWriteLayer(d.Repository, v, o.ROpt...); err != nil { return err } } @@ -176,7 +176,7 @@ func WriteSignaturesExperimentalOCI(d name.Digest, se oci.SignedEntity, opts ... return err } configLayer := static.NewLayer(configBytes, configDesc.MediaType) - if err := remote.WriteLayer(d.Repository, configLayer, o.ROpt...); err != nil { + if err := remoteWriteLayer(d.Repository, configLayer, o.ROpt...); err != nil { return err } @@ -208,7 +208,7 @@ func WriteSignaturesExperimentalOCI(d name.Digest, se oci.SignedEntity, opts ... // TODO: use ui.Infof fmt.Fprintf(os.Stderr, "Uploading signature for [%s] to [%s] with config.mediaType [%s] layers[0].mediaType [%s].\n", d.String(), targetRef.String(), artifactType, ctypes.SimpleSigningMediaType) - return remote.Put(targetRef, &taggableManifest{raw: b, mediaType: m.MediaType}, o.ROpt...) + return remotePut(targetRef, &taggableManifest{raw: b, mediaType: m.MediaType}, o.ROpt...) } type taggableManifest struct { 
@@ -224,7 +224,9 @@ func (taggable taggableManifest) MediaType() (types.MediaType, error) { return taggable.mediaType, nil } -func WriteAttestationNewBundleFormat(d name.Digest, bundleBytes []byte, predicateType string, opts ...Option) error { +// WriteReferrer writes a referrer manifest for a given subject digest. +// It uploads the provided layers and creates a manifest that refers to the subject. +func WriteReferrer(d name.Digest, artifactType string, layers []v1.Layer, annotations map[string]string, opts ...Option) error { o := makeOptions(d.Repository, opts...) signTarget := d.String() @@ -232,7 +234,7 @@ func WriteAttestationNewBundleFormat(d name.Digest, bundleBytes []byte, predicat if err != nil { return err } - desc, err := remote.Head(ref, o.ROpt...) + desc, err := remoteHead(ref, o.ROpt...) if err != nil { return err } 
@@ -247,32 +249,35 @@ func WriteAttestationNewBundleFormat(d name.Digest, bundleBytes []byte, predicat if err != nil { return fmt.Errorf("failed to calculate size: %w", err) } - err = remote.WriteLayer(d.Repository, configLayer, o.ROpt...) + err = remoteWriteLayer(d.Repository, configLayer, o.ROpt...) if err != nil { return fmt.Errorf("failed to upload layer: %w", err) } - // generate bundle media type string - bundleMediaType, err := sgbundle.MediaTypeString("0.3") - if err != nil { - return fmt.Errorf("failed to generate bundle media type string: %w", err) - } - - // Write the bundle layer - layer := static.NewLayer(bundleBytes, types.MediaType(bundleMediaType)) - blobDigest, err := layer.Digest() - if err != nil { - return fmt.Errorf("failed to calculate digest: %w", err) - } - - blobSize, err := layer.Size() - if err != nil { - return fmt.Errorf("failed to calculate size: %w", err) - } + layerDescriptors := make([]v1.Descriptor, len(layers)) + for i, layer := range layers { + mediaType, err := layer.MediaType() + if err != nil { + return fmt.Errorf("failed to get media type: %w", err) + } + layerDigest, err := layer.Digest() + if err != nil { + return fmt.Errorf("failed to calculate digest: %w", err) + } + layerSize, err := layer.Size() + if err != nil { + return fmt.Errorf("failed to calculate size: %w", err) + } - err = remote.WriteLayer(d.Repository, layer, o.ROpt...) - if err != nil { - return fmt.Errorf("failed to upload layer: %w", err) + err = remoteWriteLayer(d.Repository, layer, o.ROpt...) + if err != nil { + return fmt.Errorf("failed to upload layer: %w", err) + } + layerDescriptors[i] = v1.Descriptor{ + MediaType: mediaType, + Digest: layerDigest, + Size: layerSize, + } } // Create a manifest that includes the blob as a layer 
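Review bot: WriteReferrer still uploads the config layer and then publishes a manifest when `layers` is empty, because the loop over `layers` simply runs zero times and nothing before it checks the length; the previous WriteAttestationNewBundleFormat always wrote exactly one bundle layer, so an empty referrer is a new reachable state for callers of the exported function. Unless an empty referrer is intentional, guard before the loop with `if len(layers) == 0 { return fmt.Errorf("no layers provided for referrer of %s", d.String()) }`. WriteReferrer's signature is in the previous hunk and its manifest construction continues in the next one.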
@@ -281,42 +286,76 @@ func WriteAttestationNewBundleFormat(d name.Digest, bundleBytes []byte, predicat MediaType: types.OCIManifestSchema1, Config: v1.Descriptor{ MediaType: types.MediaType("application/vnd.oci.empty.v1+json"), - ArtifactType: bundleMediaType, + ArtifactType: artifactType, Digest: configDigest, Size: configSize, }, - Layers: []v1.Descriptor{ - { - MediaType: types.MediaType(bundleMediaType), - Digest: blobDigest, - Size: blobSize, - }, - }, + Layers: layerDescriptors, Subject: &v1.Descriptor{ MediaType: desc.MediaType, Digest: desc.Digest, Size: desc.Size, }, - Annotations: map[string]string{ - "org.opencontainers.image.created": time.Now().UTC().Format(time.RFC3339), - "dev.sigstore.bundle.content": "dsse-envelope", - "dev.sigstore.bundle.predicateType": predicateType, - }, - }, bundleMediaType} + Annotations: annotations, + }, artifactType} targetRef, err := manifest.targetRef(d.Repository) if err != nil { return fmt.Errorf("failed to create target reference: %w", err) } - if err := remote.Put(targetRef, manifest, o.ROpt...); err != nil { + if err := remotePut(targetRef, manifest, o.ROpt...); err != nil { return fmt.Errorf("failed to upload manifest: %w", err) } return nil } -// referrerManifest implements Taggable for use in remote.Put. 
+func WriteAttestationNewBundleFormat(d name.Digest, bundleBytes []byte, predicateType string, opts ...Option) error { + // generate bundle media type string + bundleMediaType, err := sgbundle.MediaTypeString("0.3") + if err != nil { + return fmt.Errorf("failed to generate bundle media type string: %w", err) + } + + // Write the bundle layer + layer := static.NewLayer(bundleBytes, types.MediaType(bundleMediaType)) + + annotations := map[string]string{ + "org.opencontainers.image.created": time.Now().UTC().Format(time.RFC3339), + "dev.sigstore.bundle.content": "dsse-envelope", + "dev.sigstore.bundle.predicateType": predicateType, + } + + return WriteReferrer(d, bundleMediaType, []v1.Layer{layer}, annotations, opts...) +} + +// WriteAttestationsReferrer publishes the attestations attached to the given entity +// into the provided repository using the referrers API. +func WriteAttestationsReferrer(d name.Digest, se oci.SignedEntity, opts ...Option) error { + atts, err := se.Attestations() + if err != nil { + return err + } + layers, err := atts.Layers() + if err != nil { + return err + } + + annotations := map[string]string{ + "org.opencontainers.image.created": time.Now().UTC().Format(time.RFC3339), + } + + // We have to pick an artifactType for the referrer manifest. The attestation + // layers themselves are DSSE envelopes, which wrap in-toto statements. + // For discovery, the artifactType should describe the semantic content (the + // in-toto statement) rather than the wrapper format (the DSSE envelope). + // Using the in-toto media type is the most appropriate and conventional choice, + // as policy engines and other tools will query for attestations using this type. + return WriteReferrer(d, ctypes.IntotoPayloadType, layers, annotations, opts...) +} + +// referrerManifest implements Taggable for use in remotePut. 
// This type also augments the built-in v1.Manifest with an ArtifactType field // which is part of the OCI 1.1 Image Manifest spec but is unsupported by // go-containerregistry at this time. diff --git a/pkg/oci/remote/write_test.go b/pkg/oci/remote/write_test.go index 32be283fff1..89f3e58928d 100644 --- a/pkg/oci/remote/write_test.go +++ b/pkg/oci/remote/write_test.go @@ -17,15 +17,19 @@ package remote import ( "fmt" + "strings" "testing" "github.com/google/go-containerregistry/pkg/name" v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/random" "github.com/google/go-containerregistry/pkg/v1/remote" + "github.com/google/go-containerregistry/pkg/v1/static" + "github.com/google/go-containerregistry/pkg/v1/types" "github.com/sigstore/cosign/v2/pkg/oci/mutate" "github.com/sigstore/cosign/v2/pkg/oci/signed" - "github.com/sigstore/cosign/v2/pkg/oci/static" + cosignstatic "github.com/sigstore/cosign/v2/pkg/oci/static" + ctypes "github.com/sigstore/cosign/v2/pkg/types" ) func TestWriteSignatures(t *testing.T) { @@ -41,7 +45,7 @@ func TestWriteSignatures(t *testing.T) { want := 6 // Add 6 signatures for i := 0; i < want; i++ { - sig, err := static.NewSignature(nil, fmt.Sprintf("%d", i)) + sig, err := cosignstatic.NewSignature(nil, fmt.Sprintf("%d", i)) if err != nil { t.Fatalf("static.NewSignature() = %v", err) } @@ -83,7 +87,7 @@ func TestWriteAttestations(t *testing.T) { want := 6 // Add 6 attestations for i := 0; i < want; i++ { - sig, err := static.NewAttestation([]byte(fmt.Sprintf("%d", i))) + sig, err := cosignstatic.NewAttestation([]byte(fmt.Sprintf("%d", i))) if err != nil { t.Fatalf("static.NewSignature() = %v", err) } 
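Review bot: WriteAttestationsReferrer sets only `org.opencontainers.image.created` in its annotations, whereas WriteAttestationNewBundleFormat in the same hunk also records `dev.sigstore.bundle.content` and `dev.sigstore.bundle.predicateType`, so consumers that filter referrers by predicate type will not find attestations published through the new path; since the layers come from `atts.Layers()`, the per-attestation predicate type is presumably not available at this level, and that gap is worth stating in the function's doc comment or closing by carrying the predicate type through if the layers expose it. WriteAttestationNewBundleFormat is exported and is now declared without a doc comment; suggest `// WriteAttestationNewBundleFormat uploads bundleBytes as a single-layer referrer manifest of d, using the bundle media type as artifact type and recording predicateType in the manifest annotations.`. The two bare `return err` statements in WriteAttestationsReferrer are also the only unwrapped errors in this hunk; wrapping them as the rest of the file does, e.g. `return fmt.Errorf("getting attestations: %w", err)`, keeps the error chain informative.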
@@ -111,3 +115,334 @@ func TestWriteAttestations(t *testing.T) { t.Fatalf("WriteAttestations() = %v", err) } } + +func TestReferrerManifest(t *testing.T) { + // Test referrerManifest.RawManifest() + rm := referrerManifest{ + Manifest: v1.Manifest{ + SchemaVersion: 2, + MediaType: types.OCIManifestSchema1, + Config: v1.Descriptor{ + MediaType: "application/vnd.oci.empty.v1+json", + Digest: v1.Hash{Algorithm: "sha256", Hex: "abc123"}, + Size: 100, + }, + Layers: []v1.Descriptor{}, + }, + ArtifactType: "test.artifact.type", + } + + manifestBytes, err := rm.RawManifest() + if err != nil { + t.Fatalf("RawManifest() = %v", err) + } + + if len(manifestBytes) == 0 { + t.Error("RawManifest returned empty bytes") + } + + // Test referrerManifest.MediaType() + mediaType, err := rm.MediaType() + if err != nil { + t.Fatalf("MediaType() = %v", err) + } + if mediaType != types.OCIManifestSchema1 { + t.Errorf("MediaType() = %s, want %s", mediaType, types.OCIManifestSchema1) + } + + // Test referrerManifest.targetRef() + repo := name.MustParseReference("gcr.io/test/repo").Context() + targetRef, err := rm.targetRef(repo) + if err != nil { + t.Fatalf("targetRef() = %v", err) + } + if targetRef == nil { + t.Error("targetRef returned nil") + } +} + +func TestTaggableManifest(t *testing.T) { + // Test taggableManifest.RawManifest() + tm := taggableManifest{ + raw: []byte(`{"test":"manifest"}`), + mediaType: types.DockerManifestSchema2, + } + + manifestBytes, err := tm.RawManifest() + if err != nil { + t.Fatalf("RawManifest() = %v", err) + } + if string(manifestBytes) != `{"test":"manifest"}` { + t.Errorf("RawManifest() = %s, want %s", string(manifestBytes), `{"test":"manifest"}`) + } + + // Test taggableManifest.MediaType() + mediaType, err := tm.MediaType() + if err != nil { + t.Fatalf("MediaType() = %v", err) + } + if mediaType != types.DockerManifestSchema2 { + t.Errorf("MediaType() = %s, want %s", mediaType, types.DockerManifestSchema2) + } +} + +func 
TestWriteAttestationNewBundleFormat(t *testing.T) { + // Save original functions + origHead := remoteHead + origWriteLayer := remoteWriteLayer + origPut := remotePut + t.Cleanup(func() { + remoteHead = origHead + remoteWriteLayer = origWriteLayer + remotePut = origPut + }) + + bundleBytes := []byte(`{"payload":"test","signatures":[]}`) + predicateType := "https://test.predicate.type" + digest := name.MustParseReference("gcr.io/test/image@sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef").(name.Digest) + + // Mock remoteHead to return a descriptor + remoteHead = func(name.Reference, ...remote.Option) (*v1.Descriptor, error) { + return &v1.Descriptor{ + MediaType: types.DockerManifestSchema2, + Digest: v1.Hash{Algorithm: "sha256", Hex: "abcdef1234567890"}, + Size: 100, + }, nil + } + + // Mock remoteWriteLayer to succeed + remoteWriteLayer = func(name.Repository, v1.Layer, ...remote.Option) error { + return nil + } + + // Mock remotePut to capture the manifest + var capturedManifest remote.Taggable + remotePut = func(_ name.Reference, manifest remote.Taggable, _ ...remote.Option) error { + capturedManifest = manifest + return nil + } + + err := WriteAttestationNewBundleFormat(digest, bundleBytes, predicateType) + if err != nil { + t.Fatalf("WriteAttestationNewBundleFormat() = %v", err) + } + + // Verify that a manifest was uploaded + if capturedManifest == nil { + t.Error("Expected manifest to be uploaded, but none was captured") + } + + // Verify it's a referrerManifest + refManifest, ok := capturedManifest.(referrerManifest) + if !ok { + t.Errorf("Expected referrerManifest, got %T", capturedManifest) + return + } + + // Verify the artifact type contains bundle media type + if refManifest.ArtifactType == "" { + t.Error("Expected ArtifactType to be set") + } + + // Verify annotations are set correctly + if refManifest.Annotations["dev.sigstore.bundle.content"] != "dsse-envelope" { + t.Errorf("Expected bundle.content annotation to be 
'dsse-envelope', got %s", refManifest.Annotations["dev.sigstore.bundle.content"]) + } + if refManifest.Annotations["dev.sigstore.bundle.predicateType"] != predicateType { + t.Errorf("Expected predicateType annotation to be %s, got %s", predicateType, refManifest.Annotations["dev.sigstore.bundle.predicateType"]) + } +} + +func TestWriteAttestationsReferrer(t *testing.T) { + // Save original functions + origHead := remoteHead + origWriteLayer := remoteWriteLayer + origPut := remotePut + t.Cleanup(func() { + remoteHead = origHead + remoteWriteLayer = origWriteLayer + remotePut = origPut + }) + + digest := name.MustParseReference("gcr.io/test/image@sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef").(name.Digest) + + // Create a test signed entity with attestations + i, err := random.Image(300, 1) + if err != nil { + t.Fatalf("random.Image() = %v", err) + } + si := signed.Image(i) + + // Add an attestation + att, err := cosignstatic.NewAttestation([]byte("test-attestation")) + if err != nil { + t.Fatalf("static.NewAttestation() = %v", err) + } + si, err = mutate.AttachAttestationToImage(si, att) + if err != nil { + t.Fatalf("AttachAttestationToImage() = %v", err) + } + + // Mock remoteHead to return a descriptor + remoteHead = func(name.Reference, ...remote.Option) (*v1.Descriptor, error) { + return &v1.Descriptor{ + MediaType: types.DockerManifestSchema2, + Digest: v1.Hash{Algorithm: "sha256", Hex: "abcdef1234567890"}, + Size: 100, + }, nil + } + + // Mock remoteWriteLayer to succeed + remoteWriteLayer = func(name.Repository, v1.Layer, ...remote.Option) error { + return nil + } + + // Mock remotePut to capture the manifest + var capturedManifest remote.Taggable + remotePut = func(_ name.Reference, manifest remote.Taggable, _ ...remote.Option) error { + capturedManifest = manifest + return nil + } + + err = WriteAttestationsReferrer(digest, si) + if err != nil { + t.Fatalf("WriteAttestationsReferrer() = %v", err) + } + + // Verify that a manifest 
was uploaded + if capturedManifest == nil { + t.Error("Expected manifest to be uploaded, but none was captured") + } + + // Verify it's a referrerManifest + refManifest, ok := capturedManifest.(referrerManifest) + if !ok { + t.Errorf("Expected referrerManifest, got %T", capturedManifest) + return + } + + // Verify the artifact type is set to in-toto payload type + if refManifest.ArtifactType != ctypes.IntotoPayloadType { + t.Errorf("Expected ArtifactType to be %s, got %s", ctypes.IntotoPayloadType, refManifest.ArtifactType) + } + + // Verify annotations include created timestamp + if _, exists := refManifest.Annotations["org.opencontainers.image.created"]; !exists { + t.Error("Expected created annotation to be set") + } + + // Verify we have at least one layer + if len(refManifest.Layers) == 0 { + t.Error("Expected at least one layer in manifest") + } +} + +func TestWriteReferrer(t *testing.T) { + // Save original functions + origHead := remoteHead + origWriteLayer := remoteWriteLayer + origPut := remotePut + t.Cleanup(func() { + remoteHead = origHead + remoteWriteLayer = origWriteLayer + remotePut = origPut + }) + + digest := name.MustParseReference("gcr.io/test/image@sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef").(name.Digest) + + // Create a test layer + testLayer := static.NewLayer([]byte("test-data"), "application/octet-stream") + layers := []v1.Layer{testLayer} + annotations := map[string]string{ + "test.annotation": "test-value", + } + artifactType := "test.artifact.type" + + // Mock remoteHead to return a descriptor + remoteHead = func(name.Reference, ...remote.Option) (*v1.Descriptor, error) { + return &v1.Descriptor{ + MediaType: types.DockerManifestSchema2, + Digest: v1.Hash{Algorithm: "sha256", Hex: "abcdef1234567890"}, + Size: 100, + }, nil + } + + // Mock remoteWriteLayer to succeed + remoteWriteLayer = func(name.Repository, v1.Layer, ...remote.Option) error { + return nil + } + + // Mock remotePut to capture the manifest + 
var capturedManifest remote.Taggable + remotePut = func(_ name.Reference, manifest remote.Taggable, _ ...remote.Option) error { + capturedManifest = manifest + return nil + } + + err := WriteReferrer(digest, artifactType, layers, annotations) + if err != nil { + t.Fatalf("WriteReferrer() = %v", err) + } + + // Verify that a manifest was uploaded + if capturedManifest == nil { + t.Error("Expected manifest to be uploaded, but none was captured") + } + + // Verify it's a referrerManifest + refManifest, ok := capturedManifest.(referrerManifest) + if !ok { + t.Errorf("Expected referrerManifest, got %T", capturedManifest) + return + } + + // Verify the artifact type is set correctly + if refManifest.ArtifactType != artifactType { + t.Errorf("Expected ArtifactType to be %s, got %s", artifactType, refManifest.ArtifactType) + } + + // Verify annotations are passed through + if refManifest.Annotations["test.annotation"] != "test-value" { + t.Errorf("Expected annotation to be 'test-value', got %s", refManifest.Annotations["test.annotation"]) + } + + // Verify we have the expected number of layers + if len(refManifest.Layers) != 1 { + t.Errorf("Expected 1 layer, got %d", len(refManifest.Layers)) + } + + // Verify the subject is set + if refManifest.Subject == nil { + t.Error("Expected Subject to be set") + } + + // Verify config descriptor + if refManifest.Config.ArtifactType != artifactType { + t.Errorf("Expected Config.ArtifactType to be %s, got %s", artifactType, refManifest.Config.ArtifactType) + } +} + +func TestWriteReferrerErrorHandling(t *testing.T) { + // Save original functions + origHead := remoteHead + t.Cleanup(func() { + remoteHead = origHead + }) + + digest := name.MustParseReference("gcr.io/test/image@sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef").(name.Digest) + layers := []v1.Layer{} + annotations := map[string]string{} + + // Mock remoteHead to return an error + remoteHead = func(name.Reference, ...remote.Option) (*v1.Descriptor, 
error) { + return nil, fmt.Errorf("remote head failed") + } + + err := WriteReferrer(digest, "test.type", layers, annotations) + if err == nil { + t.Error("Expected error from WriteReferrer when remoteHead fails") + } + if !strings.Contains(err.Error(), "remote head failed") { + t.Errorf("Expected error to contain 'remote head failed', got %v", err) + } +} From dafb08b6e54cc4f82fefddaf983b33eee107652d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Sep 2025 08:30:39 +0200 Subject: [PATCH 038/136] chore(deps): bump k8s.io/client-go from 0.33.4 to 0.34.0 (#4383) Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.33.4 to 0.34.0. - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/kubernetes/client-go/compare/v0.33.4...v0.34.0) --- updated-dependencies: - dependency-name: k8s.io/client-go dependency-version: 0.34.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 23 ++++++++++++----------- go.sum | 49 ++++++++++++++++++++++++------------------------- 2 files changed, 36 insertions(+), 36 deletions(-) diff --git a/go.mod b/go.mod index 2c241fb22cc..42a278b3117 100644 --- a/go.mod +++ b/go.mod @@ -60,10 +60,10 @@ require ( golang.org/x/term v0.34.0 google.golang.org/api v0.248.0 google.golang.org/protobuf v1.36.8 - k8s.io/api v0.33.4 - k8s.io/apimachinery v0.33.4 - k8s.io/client-go v0.33.4 - k8s.io/utils v0.0.0-20241210054802-24370beab758 + k8s.io/api v0.34.0 + k8s.io/apimachinery v0.34.0 + k8s.io/client-go v0.34.0 + k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 sigs.k8s.io/release-utils v0.12.1 ) 
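Review bot: In TestWriteReferrerErrorHandling the `if err == nil` branch uses t.Error, so if WriteReferrer ever returns nil the test continues into `err.Error()` on a nil interface and panics instead of reporting a clean failure; make it `t.Fatal("Expected error from WriteReferrer when remoteHead fails")`. The same t.Error-then-continue pattern follows `if capturedManifest == nil` in TestWriteAttestationNewBundleFormat, TestWriteAttestationsReferrer and TestWriteReferrer, though there the comma-ok assertion that comes next tolerates a nil interface. Separately, TestWriteReferrer only asserts that Subject is non-nil; since binding the referrer to its target is the whole point of the subject field, the test should pin the digest, e.g. `if refManifest.Subject == nil || refManifest.Subject.Digest.String() != "sha256:abcdef1234567890" { t.Errorf("Subject = %v", refManifest.Subject) }`. Note that the mocked remoteHead digest and the digest in the parsed reference differ in this test, so such an assertion would also document which of the two WriteReferrer (defined outside this hunk) uses as the subject; adjust the expected value if it is the latter.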
@@ -156,13 +156,13 @@ require (
 github.com/docker/distribution v2.8.3+incompatible // indirect
 github.com/docker/docker-credential-helpers v0.9.3 // indirect
 github.com/docker/go-units v0.5.0 // indirect
- github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+ github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 github.com/emicklei/proto v1.14.2 // indirect
 github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
 github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
 github.com/fsnotify/fsnotify v1.9.0 // indirect
- github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+ github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 github.com/go-chi/chi v4.1.2+incompatible // indirect
 github.com/go-ini/ini v1.67.0 // indirect
 github.com/go-logr/logr v1.4.3 // indirect
@@ -182,7 +182,7 @@ require (
 github.com/golang-jwt/jwt/v5 v5.2.3 // indirect
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 github.com/golang/snappy v0.0.4 // indirect
- github.com/google/gnostic-models v0.6.9 // indirect
+ github.com/google/gnostic-models v0.7.0 // indirect
 github.com/google/go-querystring v1.1.0 // indirect
 github.com/google/s2a-go v0.1.9 // indirect
 github.com/google/trillian v1.7.2 // indirect
@@ -218,7 +218,7 @@ require (
 github.com/mitchellh/go-homedir v1.1.0 // indirect
 github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
- github.com/modern-go/reflect2 v1.0.2 // indirect
+ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/oklog/ulid v1.3.1 // indirect
 github.com/oleiade/reflections v1.1.0 // indirect
@@ -285,6 +285,7 @@ require (
 go.uber.org/multierr v1.11.0 // indirect
 go.uber.org/zap v1.27.0 // indirect
 go.yaml.in/yaml/v2 v2.4.2 // indirect
+ go.yaml.in/yaml/v3 v3.0.4 // indirect
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
 golang.org/x/mod v0.27.0 // indirect
 golang.org/x/net v0.43.0 // indirect
@@ -301,9 +302,9 @@ require (
 gopkg.in/ini.v1 v1.67.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 k8s.io/klog/v2 v2.130.1 // indirect
- k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
- sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+ k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
+ sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 sigs.k8s.io/randfill v1.0.0 // indirect
- sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
+ sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 sigs.k8s.io/yaml v1.6.0 // indirect
 )
diff --git a/go.sum b/go.sum
index 38c251237ee..a8214b53668 100644
--- a/go.sum
+++ b/go.sum
@@ -902,8 +902,8 @@ github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= -github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= -github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU= +github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/emicklei/proto v1.14.2 h1:wJPxPy2Xifja9cEMrcA/g08art5+7CGJNFNk35iXC1I= github.com/emicklei/proto v1.14.2/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 
@@ -946,8 +946,8 @@ github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4 github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k= github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= -github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= -github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= +github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM= +github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec= github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= 
@@ -1072,8 +1072,8 @@ github.com/google/certificate-transparency-go v1.3.2/go.mod h1:H5FpMUaGa5Ab2+KCY github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/flatbuffers v25.2.10+incompatible h1:F3vclr7C3HpB1k9mxCGRMXq6FdUalZ6H/pNX4FP1v0Q= github.com/google/flatbuffers v25.2.10+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= -github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= -github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= +github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo= +github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 
@@ -1296,8 +1296,9 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/mozillazg/docker-credential-acr-helper v0.4.0 h1:Uoh3Z9CcpEDnLiozDx+D7oDgRq7X+R296vAqAumnOcw= github.com/mozillazg/docker-credential-acr-helper v0.4.0/go.mod h1:2kiicb3OlPytmlNC9XGkLvVC+f0qTiJw3f/mhmeeQBg= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= 
@@ -1593,8 +1594,8 @@ go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= -go.yaml.in/yaml/v3 v3.0.3 h1:bXOww4E/J3f66rav3pX3m8w6jDE4knZjGOw8b5Y6iNE= -go.yaml.in/yaml/v3 v3.0.3/go.mod h1:tBHosrYAkRZjRAOREWbDnBXUf08JOwYq++0QNwQiWzI= +go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= +go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 
@@ -2314,18 +2315,18 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las= -k8s.io/api v0.33.4 h1:oTzrFVNPXBjMu0IlpA2eDDIU49jsuEorGHB4cvKupkk= -k8s.io/api v0.33.4/go.mod h1:VHQZ4cuxQ9sCUMESJV5+Fe8bGnqAARZ08tSTdHWfeAc= -k8s.io/apimachinery v0.33.4 h1:SOf/JW33TP0eppJMkIgQ+L6atlDiP/090oaX0y9pd9s= -k8s.io/apimachinery v0.33.4/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM= -k8s.io/client-go v0.33.4 h1:TNH+CSu8EmXfitntjUPwaKVPN0AYMbc9F1bBS8/ABpw= -k8s.io/client-go v0.33.4/go.mod h1:LsA0+hBG2DPwovjd931L/AoaezMPX9CmBgyVyBZmbCY= +k8s.io/api v0.34.0 h1:L+JtP2wDbEYPUeNGbeSa/5GwFtIA662EmT2YSLOkAVE= +k8s.io/api v0.34.0/go.mod h1:YzgkIzOOlhl9uwWCZNqpw6RJy9L2FK4dlJeayUoydug= +k8s.io/apimachinery v0.34.0 h1:eR1WO5fo0HyoQZt1wdISpFDffnWOvFLOOeJ7MgIv4z0= +k8s.io/apimachinery v0.34.0/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= +k8s.io/client-go v0.34.0 h1:YoWv5r7bsBfb0Hs2jh8SOvFbKzzxyNo0nSb0zC19KZo= +k8s.io/client-go v0.34.0/go.mod h1:ozgMnEKXkRjeMvBZdV1AijMHLTh3pbACPvK7zFR+QQY= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4= -k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8= -k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0= -k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA= +k8s.io/kube-openapi 
v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts= +k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y= +k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk= lukechampine.com/uint128 v1.2.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk= modernc.org/cc/v3 v3.36.0/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI= 
@@ -2364,16 +2365,14 @@ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8 rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8= -sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo= -sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= +sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE= +sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= sigs.k8s.io/release-utils v0.12.1 h1:3p9w137wBTTApHlL8izdJHcCuaBe8wZhQz+B0QIAaBE= sigs.k8s.io/release-utils v0.12.1/go.mod h1:0z7JOb7iQcuDQcemQw5CSVrkH8evRHY0DMMjcyRB1e4= -sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc= -sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps= -sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= +sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco= +sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4= software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k= From a40b90785edd4ee8bfcf841a983b6eecad3e2303 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Sep 2025 08:32:58 +0200 Subject: [PATCH 039/136] chore(deps): bump the gomod group with 6 updates (#4382) Bumps the gomod group with 6 updates: | Package | From | To | | --- | --- | --- | | [github.com/sigstore/rekor](https://github.com/sigstore/rekor) | `1.4.0` | `1.4.1` | | [github.com/sigstore/rekor-tiles](https://github.com/sigstore/rekor-tiles) | `0.1.9` | `0.1.10` | | [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) | `1.9.5` | `1.9.6-0.20250729224751-181c5d3339b3` | | [github.com/spf13/pflag](https://github.com/spf13/pflag) | `1.0.7` | `1.0.9` | | [github.com/stretchr/testify](https://github.com/stretchr/testify) | `1.11.0` | `1.11.1` | | [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) | `0.142.1` | `0.142.5` | Updates `github.com/sigstore/rekor` from 1.4.0 to 1.4.1 - [Release notes](https://github.com/sigstore/rekor/releases) - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/rekor/compare/v1.4.0...v1.4.1) Updates `github.com/sigstore/rekor-tiles` from 0.1.9 to 0.1.10 - [Release notes](https://github.com/sigstore/rekor-tiles/releases) - [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release) - [Commits](https://github.com/sigstore/rekor-tiles/compare/v0.1.9...v0.1.10) Updates `github.com/sigstore/sigstore` from 1.9.5 to 1.9.6-0.20250729224751-181c5d3339b3 - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/commits) Updates `github.com/spf13/pflag` from 1.0.7 to 1.0.9 - [Release notes](https://github.com/spf13/pflag/releases) - [Commits](https://github.com/spf13/pflag/compare/v1.0.7...v1.0.9) Updates `github.com/stretchr/testify` from 1.11.0 to 1.11.1 - [Release notes](https://github.com/stretchr/testify/releases) - 
[Commits](https://github.com/stretchr/testify/compare/v1.11.0...v1.11.1) Updates `gitlab.com/gitlab-org/api/client-go` from 0.142.1 to 0.142.5 - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.142.1...v0.142.5) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor dependency-version: 1.4.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/sigstore/rekor-tiles dependency-version: 0.1.10 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/sigstore/sigstore dependency-version: 1.9.6-0.20250729224751-181c5d3339b3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/spf13/pflag dependency-version: 1.0.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/stretchr/testify dependency-version: 1.11.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.142.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 57 ++++++++++++++-------------- go.sum | 118 ++++++++++++++++++++++++++++----------------------------- 2 files changed, 87 insertions(+), 88 deletions(-) diff --git a/go.mod b/go.mod index 42a278b3117..ee485f5e472 100644 --- a/go.mod +++ b/go.mod 
@@ -36,9 +36,9 @@ require (
 github.com/secure-systems-lab/go-securesystemslib v0.9.1
 github.com/sigstore/fulcio v1.7.1
 github.com/sigstore/protobuf-specs v0.5.0
- github.com/sigstore/rekor v1.4.0
- github.com/sigstore/rekor-tiles v0.1.9
- github.com/sigstore/sigstore v1.9.5
+ github.com/sigstore/rekor v1.4.1
+ github.com/sigstore/rekor-tiles v0.1.10
+ github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3
 github.com/sigstore/sigstore-go v1.1.2-0.20250811211025-bac873564adb
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5
 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5
@@ -46,14 +46,14 @@ require (
 github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.9.5
 github.com/sigstore/timestamp-authority v1.2.8
 github.com/spf13/cobra v1.9.1
- github.com/spf13/pflag v1.0.7
+ github.com/spf13/pflag v1.0.9
 github.com/spf13/viper v1.20.1
 github.com/spiffe/go-spiffe/v2 v2.6.0
- github.com/stretchr/testify v1.11.0
+ github.com/stretchr/testify v1.11.1
 github.com/theupdateframework/go-tuf/v2 v2.1.1
 github.com/transparency-dev/merkle v0.0.2
 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1
- gitlab.com/gitlab-org/api/client-go v0.142.1
+ gitlab.com/gitlab-org/api/client-go v0.142.5
 golang.org/x/crypto v0.41.0
 golang.org/x/oauth2 v0.30.0
 golang.org/x/sync v0.16.0
@@ -69,7 +69,7 @@ require (
 require (
 cel.dev/expr v0.24.0 // indirect
- cloud.google.com/go v0.121.4 // indirect
+ cloud.google.com/go v0.121.6 // indirect
 cloud.google.com/go/auth v0.16.5 // indirect
 cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 cloud.google.com/go/compute/metadata v0.8.0 // indirect
@@ -78,16 +78,16 @@ require (
 cloud.google.com/go/longrunning v0.6.7 // indirect
 cloud.google.com/go/monitoring v1.24.2 // indirect
 cloud.google.com/go/spanner v1.84.1 // indirect
- cloud.google.com/go/storage v1.56.0 // indirect
+ cloud.google.com/go/storage v1.56.1 // indirect
 cuelabs.dev/go/oci/ociregistry v0.0.0-20250715075730-49cab49c8e9d // indirect
 filippo.io/edwards25519 v1.1.0 // indirect
 github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 // indirect
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.2 // indirect
- github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1 // indirect
+ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.11.0 // indirect
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
- github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 // indirect
- github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 // indirect
+ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0 // indirect
+ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 // indirect
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 github.com/Azure/go-autorest/autorest v0.11.29 // indirect
@@ -117,21 +117,21 @@ require (
 github.com/aliyun/credentials-go v1.3.2 // indirect
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 github.com/aws/aws-sdk-go v1.55.8 // indirect
- github.com/aws/aws-sdk-go-v2 v1.38.0 // indirect
- github.com/aws/aws-sdk-go-v2/config v1.31.0 // indirect
- github.com/aws/aws-sdk-go-v2/credentials v1.18.4 // indirect
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.3 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.3 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.3 // indirect
+ github.com/aws/aws-sdk-go-v2 v1.38.1 // indirect
+ github.com/aws/aws-sdk-go-v2/config v1.31.3 // indirect
+ github.com/aws/aws-sdk-go-v2/credentials v1.18.7 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.4 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.4 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.4 // indirect
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
 github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 // indirect
 github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.3 // indirect
- github.com/aws/aws-sdk-go-v2/service/kms v1.43.0 // indirect
- github.com/aws/aws-sdk-go-v2/service/sso v1.28.0 // indirect
- github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.0 // indirect
- github.com/aws/aws-sdk-go-v2/service/sts v1.37.0 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.4 // indirect
+ github.com/aws/aws-sdk-go-v2/service/kms v1.44.0 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.28.2 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.0 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sts v1.38.0 // indirect
 github.com/aws/smithy-go v1.22.5 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/blang/semver v3.5.1+incompatible // indirect
@@ -164,11 +164,12 @@ require (
 github.com/fsnotify/fsnotify v1.9.0 // indirect
 github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 github.com/go-chi/chi v4.1.2+incompatible // indirect
+ github.com/go-chi/chi/v5 v5.2.2 // indirect
 github.com/go-ini/ini v1.67.0 // indirect
 github.com/go-logr/logr v1.4.3 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
 github.com/go-openapi/analysis v0.23.0 // indirect
- github.com/go-openapi/errors v0.22.1 // indirect
+ github.com/go-openapi/errors v0.22.2 // indirect
 github.com/go-openapi/jsonpointer v0.21.0 // indirect
 github.com/go-openapi/jsonreference v0.21.0 // indirect
 github.com/go-openapi/loads v0.22.0 // indirect
@@ -179,7 +180,7 @@ require (
 github.com/gobwas/glob v0.2.3 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
- github.com/golang-jwt/jwt/v5 v5.2.3 // indirect
+ github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 github.com/golang/snappy v0.0.4 // indirect
 github.com/google/gnostic-models v0.7.0 // indirect
@@ -189,7 +190,7 @@ require (
 github.com/google/uuid v1.6.0 // indirect
 github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
 github.com/googleapis/gax-go/v2 v2.15.0 // indirect
- github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 // indirect
+ github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
 github.com/hashicorp/errwrap v1.1.0 // indirect
 github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 github.com/hashicorp/go-multierror v1.1.1 // indirect
@@ -262,7 +263,7 @@ require ( github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/tjfoc/gmsm v1.4.1 // indirect github.com/transparency-dev/formats v0.0.0-20250421220931-bb8ad4d07c26 // indirect - github.com/transparency-dev/tessera v1.0.0-rc1.0.20250813103158-d62fc3a7519b // indirect + github.com/transparency-dev/tessera v1.0.0-rc2 // indirect github.com/urfave/negroni v1.0.0 // indirect github.com/vbatts/tar-split v0.12.1 // indirect github.com/vektah/gqlparser/v2 v2.5.30 // indirect @@ -281,7 +282,7 @@ require ( go.opentelemetry.io/otel/sdk v1.37.0 // indirect go.opentelemetry.io/otel/sdk/metric v1.37.0 // indirect go.opentelemetry.io/otel/trace v1.37.0 // indirect - go.step.sm/crypto v0.69.0 // indirect + go.step.sm/crypto v0.70.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect go.yaml.in/yaml/v2 v2.4.2 // indirect @@ -294,7 +295,7 @@ require ( golang.org/x/time v0.12.0 // indirect golang.org/x/tools v0.35.0 // indirect google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c // indirect google.golang.org/grpc v1.75.0 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect diff --git a/go.sum b/go.sum index a8214b53668..8170143e695 100644 --- a/go.sum +++ b/go.sum 
@@ -40,8 +40,8 @@ cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRY cloud.google.com/go v0.105.0/go.mod h1:PrLgOJNe5nfE9UMxKxgXj4mD3voiP+YQ6gdt6KMFOKM= cloud.google.com/go v0.107.0/go.mod h1:wpc2eNrD7hXUTy8EKS10jkxpZBjASrORK7goS+3YX2I= cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY= -cloud.google.com/go v0.121.4 h1:cVvUiY0sX0xwyxPwdSU2KsF9knOVmtRyAMt8xou0iTs= -cloud.google.com/go v0.121.4/go.mod h1:XEBchUiHFJbz4lKBZwYBDHV/rSyfFktk737TLDU089s= +cloud.google.com/go v0.121.6 h1:waZiuajrI28iAf40cWgycWNgaXPO06dupuS+sgibK6c= +cloud.google.com/go v0.121.6/go.mod h1:coChdst4Ea5vUpiALcYKXEpR1S9ZgXbhEzzMcMR66vI= cloud.google.com/go/accessapproval v1.4.0/go.mod h1:zybIuC3KpDOvotz59lFe5qxRZx6C75OtwbisN56xYB4= cloud.google.com/go/accessapproval v1.5.0/go.mod h1:HFy3tuiGvMdcd/u+Cu5b9NkO1pEICJ46IR82PoUdplw= cloud.google.com/go/accessapproval v1.6.0/go.mod h1:R0EiYnwV5fsRFiKZkPHr6mwyk2wxUJ30nL4j2pcFY2E= @@ -551,8 +551,8 @@ cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeL cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s= cloud.google.com/go/storage v1.28.1/go.mod h1:Qnisd4CqDdo6BGs2AD5LLnEsmSQ80wQ5ogcBBKhU86Y= cloud.google.com/go/storage v1.29.0/go.mod h1:4puEjyTKnku6gfKoTfNOU/W+a9JyuVNxjpS5GBrB8h4= -cloud.google.com/go/storage v1.56.0 h1:iixmq2Fse2tqxMbWhLWC9HfBj1qdxqAmiK8/eqtsLxI= -cloud.google.com/go/storage v1.56.0/go.mod h1:Tpuj6t4NweCLzlNbw9Z9iwxEkrSem20AetIeH/shgVU= +cloud.google.com/go/storage v1.56.1 h1:n6gy+yLnHn0hTwBFzNn8zJ1kqWfR91wzdM8hjRF4wP0= +cloud.google.com/go/storage v1.56.1/go.mod h1:C9xuCZgFl3buo2HZU/1FncgvvOgTAs/rnh4gF4lMg0s= cloud.google.com/go/storagetransfer v1.5.0/go.mod h1:dxNzUopWy7RQevYFHewchb29POFv3/AaBgnhqzqiK0w= cloud.google.com/go/storagetransfer v1.6.0/go.mod h1:y77xm4CQV/ZhFZH75PLEXY0ROiS7Gh6pSKrM8dJyg6I= cloud.google.com/go/storagetransfer v1.7.0/go.mod h1:8Giuj1QNb1kfLAiWM1bN6dHzfdlDAVC9rv9abHot2W4= 
@@ -637,16 +637,16 @@ github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.2 h1:Hr5FTipp7SL07o2FvoVOX9HRiRH3CR3Mj8pxqCcdD5A= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.2/go.mod h1:QyVsSSN64v5TGltphKLQ2sQxe4OBQg0J1eKRcVBnfgE= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1 h1:B+blDbyVIG3WaikNxPnhPiJ1MThR03b3vKGtER95TP4= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1/go.mod h1:JdM5psgjfBf5fo2uWOZhflPWyDBZ/O/CNAH9CtsuZE4= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.11.0 h1:MhRfI58HblXzCtWEZCO0feHs8LweePB3s90r7WaR1KU= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.11.0/go.mod h1:okZ+ZURbArNdlJ+ptXoyHNuOETzOl1Oww19rm8I2WLA= github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY= github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8= github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA= github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 h1:Wgf5rZba3YZqeTNJPtvqZoBu1sBN/L4sry+u2U3Y75w= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1/go.mod h1:xxCBG/f/4Vbmh2XQJBsOmNdxWUY5j/s27jujKPbQf14= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 h1:bFWuoEKg+gImo7pvkiQEFAc8ocibADgXeiLAxWhWmkI= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1/go.mod h1:Vih/3yc6yac2JzU4hzpaDupBJP0Flaia9rXXrU8xyww= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0 h1:E4MgwLBGeVB5f2MdcIVD3ELVAWpr+WD6MUe1i+tM/PA= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0/go.mod 
h1:Y2b/1clN4zsAoUd/pgNAQHjLDnTis/6ROkUfyob6psM= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 h1:nCYfgcSyHZXJI8J0IWE5MsCGlb2xp9fJiXyxWgmOFg4= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0/go.mod h1:ucUjca2JtSZboY8IoUqyQyuuXvwbMBVwFOm0vdQPNhA= github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg= github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= 
@@ -757,18 +757,18 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/aws/aws-sdk-go v1.55.8 h1:JRmEUbU52aJQZ2AjX4q4Wu7t4uZjOu71uyNmaWlUkJQ= github.com/aws/aws-sdk-go v1.55.8/go.mod h1:ZkViS9AqA6otK+JBBNH2++sx1sgxrPKcSzPPvQkUtXk= -github.com/aws/aws-sdk-go-v2 v1.38.0 h1:UCRQ5mlqcFk9HJDIqENSLR3wiG1VTWlyUfLDEvY7RxU= -github.com/aws/aws-sdk-go-v2 v1.38.0/go.mod h1:9Q0OoGQoboYIAJyslFyF1f5K1Ryddop8gqMhWx/n4Wg= -github.com/aws/aws-sdk-go-v2/config v1.31.0 h1:9yH0xiY5fUnVNLRWO0AtayqwU1ndriZdN78LlhruJR4= -github.com/aws/aws-sdk-go-v2/config v1.31.0/go.mod h1:VeV3K72nXnhbe4EuxxhzsDc/ByrCSlZwUnWH52Nde/I= -github.com/aws/aws-sdk-go-v2/credentials v1.18.4 h1:IPd0Algf1b+Qy9BcDp0sCUcIWdCQPSzDoMK3a8pcbUM= -github.com/aws/aws-sdk-go-v2/credentials v1.18.4/go.mod h1:nwg78FjH2qvsRM1EVZlX9WuGUJOL5od+0qvm0adEzHk= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.3 h1:GicIdnekoJsjq9wqnvyi2elW6CGMSYKhdozE7/Svh78= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.3/go.mod h1:R7BIi6WNC5mc1kfRM7XM/VHC3uRWkjc396sfabq4iOo= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.3 h1:o9RnO+YZ4X+kt5Z7Nvcishlz0nksIt2PIzDglLMP0vA= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.3/go.mod h1:+6aLJzOG1fvMOyzIySYjOFjcguGvVRL68R+uoRencN4= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.3 h1:joyyUFhiTQQmVK6ImzNU9TQSNRNeD9kOklqTzyk5v6s= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.3/go.mod h1:+vNIyZQP3b3B1tSLI0lxvrU9cfM7gpdRXMFfm67ZcPc= +github.com/aws/aws-sdk-go-v2 v1.38.1 h1:j7sc33amE74Rz0M/PoCpsZQ6OunLqys/m5antM0J+Z8= +github.com/aws/aws-sdk-go-v2 v1.38.1/go.mod h1:9Q0OoGQoboYIAJyslFyF1f5K1Ryddop8gqMhWx/n4Wg= +github.com/aws/aws-sdk-go-v2/config v1.31.3 h1:RIb3yr/+PZ18YYNe6MDiG/3jVoJrPmdoCARwNkMGvco= +github.com/aws/aws-sdk-go-v2/config v1.31.3/go.mod 
h1:jjgx1n7x0FAKl6TnakqrpkHWWKcX3xfWtdnIJs5K9CE= +github.com/aws/aws-sdk-go-v2/credentials v1.18.7 h1:zqg4OMrKj+t5HlswDApgvAHjxKtlduKS7KicXB+7RLg= +github.com/aws/aws-sdk-go-v2/credentials v1.18.7/go.mod h1:/4M5OidTskkgkv+nCIfC9/tbiQ/c8qTox9QcUDV0cgc= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.4 h1:lpdMwTzmuDLkgW7086jE94HweHCqG+uOJwHf3LZs7T0= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.4/go.mod h1:9xzb8/SV62W6gHQGC/8rrvgNXU6ZoYM3sAIJCIrXJxY= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.4 h1:IdCLsiiIj5YJ3AFevsewURCPV+YWUlOW8JiPhoAy8vg= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.4/go.mod h1:l4bdfCD7XyyZA9BolKBo1eLqgaJxl0/x91PL4Yqe0ao= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.4 h1:j7vjtr1YIssWQOMeOWRbh3z8g2oY/xPjnZH2gLY4sGw= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.4/go.mod h1:yDmJgqOiH4EA8Hndnv4KwAo8jCGTSnM5ASG1nBI+toA= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo= github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 h1:Bwzh202Aq7/MYnAjXA9VawCf6u+hjwMdoYmZ4HYsdf8= 
@@ -777,16 +777,16 @@ github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 h1:XJ/AEFYj9VFPJdF+VFi4SU github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2/go.mod h1:JUBHdhvKbbKmhaHjLsKJAWnQL80T6nURmhB/LEprV+4= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 h1:6+lZi2JeGKtCraAj1rpoZfKqnQ9SptseRZioejfUOLM= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0/go.mod h1:eb3gfbVIxIoGgJsi9pGne19dhCBpK6opTYpQqAmdy44= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.3 h1:ieRzyHXypu5ByllM7Sp4hC5f/1Fy5wqxqY0yB85hC7s= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.3/go.mod h1:O5ROz8jHiOAKAwx179v+7sHMhfobFVi6nZt8DEyiYoM= -github.com/aws/aws-sdk-go-v2/service/kms v1.43.0 h1:mdbWU38ipmDapPcsD6F7ObjjxMLrWUK0jI2NcC7zAcI= -github.com/aws/aws-sdk-go-v2/service/kms v1.43.0/go.mod h1:6FWXdzVbnG8ExnBQLHGIo/ilb1K7Ek1u6dcllumBe1s= -github.com/aws/aws-sdk-go-v2/service/sso v1.28.0 h1:Mc/MKBf2m4VynyJkABoVEN+QzkfLqGj0aiJuEe7cMeM= -github.com/aws/aws-sdk-go-v2/service/sso v1.28.0/go.mod h1:iS5OmxEcN4QIPXARGhavH7S8kETNL11kym6jhoS7IUQ= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.0 h1:6csaS/aJmqZQbKhi1EyEMM7yBW653Wy/B9hnBofW+sw= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.0/go.mod h1:59qHWaY5B+Rs7HGTuVGaC32m0rdpQ68N8QCN3khYiqs= -github.com/aws/aws-sdk-go-v2/service/sts v1.37.0 h1:MG9VFW43M4A8BYeAfaJJZWrroinxeTi2r3+SnmLQfSA= -github.com/aws/aws-sdk-go-v2/service/sts v1.37.0/go.mod h1:JdeBDPgpJfuS6rU/hNglmOigKhyEZtBmbraLE4GK1J8= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.4 h1:ueB2Te0NacDMnaC+68za9jLwkjzxGWm0KB5HTUHjLTI= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.4/go.mod h1:nLEfLnVMmLvyIG58/6gsSA03F1voKGaCfHV7+lR8S7s= +github.com/aws/aws-sdk-go-v2/service/kms v1.44.0 h1:Z95XCqqSnwXr0AY7PgsiOUBhUG2GoDM5getw6RfD1Lg= +github.com/aws/aws-sdk-go-v2/service/kms v1.44.0/go.mod h1:DqcSngL7jJeU1fOzh5Ll5rSvX/MlMV6OZlE4mVdFAQc= 
+github.com/aws/aws-sdk-go-v2/service/sso v1.28.2 h1:ve9dYBB8CfJGTFqcQ3ZLAAb/KXWgYlgu/2R2TZL2Ko0= +github.com/aws/aws-sdk-go-v2/service/sso v1.28.2/go.mod h1:n9bTZFZcBa9hGGqVz3i/a6+NG0zmZgtkB9qVVFDqPA8= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.0 h1:Bnr+fXrlrPEoR1MAFrHVsge3M/WoK4n23VNhRM7TPHI= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.0/go.mod h1:eknndR9rU8UpE/OmFpqU78V1EcXPKFTTm5l/buZYgvM= +github.com/aws/aws-sdk-go-v2/service/sts v1.38.0 h1:iV1Ko4Em/lkJIsoKyGfc0nQySi+v0Udxr6Igq+y9JZc= +github.com/aws/aws-sdk-go-v2/service/sts v1.38.0/go.mod h1:bEPcjW7IbolPfK67G1nilqWyoxYMSPrDiIQ3RdIdKgo= github.com/aws/smithy-go v1.22.5 h1:P9ATCXPMb2mPjYBgueqJNCA5S9UfktsW0tTxi+a7eqw= github.com/aws/smithy-go v1.22.5/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 h1:6lMw4/QGLFPvbKQ0eri/9Oh3YX5Nm6BPrUlZR8yuJHg= @@ -879,8 +879,6 @@ github.com/dgraph-io/badger/v4 v4.8.0 h1:JYph1ChBijCw8SLeybvPINizbDKWZ5n/GYbz2yh github.com/dgraph-io/badger/v4 v4.8.0/go.mod h1:U6on6e8k/RTbUWxqKR0MvugJuVmkxSNc79ap4917h4w= github.com/dgraph-io/ristretto/v2 v2.2.0 h1:bkY3XzJcXoMuELV8F+vS8kzNgicwQFAaGINAEJdWGOM= github.com/dgraph-io/ristretto/v2 v2.2.0/go.mod h1:RZrm63UmcBAaYWC1DotLYBmTvgkrs0+XhBd7Npn7/zI= -github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78= -github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54 h1:SG7nF6SRlWhcT7cNTs5R6Hk4V2lcmLz2NsG2VnInyNo= github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= github.com/digitorus/pkcs7 v0.0.0-20230713084857-e76b763bdc49/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc= 
@@ -951,6 +949,8 @@ github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj2 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec= github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= +github.com/go-chi/chi/v5 v5.2.2 h1:CMwsvRVTbXVytCk1Wd72Zy1LAsAh9GxMmSNWLHCG618= +github.com/go-chi/chi/v5 v5.2.2/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops= github.com/go-fonts/dejavu v0.1.0/go.mod h1:4Wt4I4OU2Nq9asgDCteaAaWZOV24E+0/Pwo0gppep4g= github.com/go-fonts/latin-modern v0.2.0/go.mod h1:rQVLdDMK+mK1xscDwsqM5J8U2jrRa3T0ecnM9pNujks= github.com/go-fonts/liberation v0.1.1/go.mod h1:K6qoJYypsmfVjWg8KOVDQhLc8UDgIK2HYqyqAO9z7GY= @@ -972,8 +972,8 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-openapi/analysis v0.23.0 h1:aGday7OWupfMs+LbmLZG4k0MYXIANxcuBTYUC03zFCU= github.com/go-openapi/analysis v0.23.0/go.mod h1:9mz9ZWaSlV8TvjQHLl2mUW2PbZtemkE8yA5v22ohupo= -github.com/go-openapi/errors v0.22.1 h1:kslMRRnK7NCb/CvR1q1VWuEQCEIsBGn5GgKD9e+HYhU= -github.com/go-openapi/errors v0.22.1/go.mod h1:+n/5UdIqdVnLIJ6Q9Se8HNGUXYaY6CN8ImWzfi/Gzp0= +github.com/go-openapi/errors v0.22.2 h1:rdxhzcBUazEcGccKqbY1Y7NS8FDcMyIRr0934jrYnZg= +github.com/go-openapi/errors v0.22.2/go.mod h1:+n/5UdIqdVnLIJ6Q9Se8HNGUXYaY6CN8ImWzfi/Gzp0= github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= 
@@ -1020,8 +1020,8 @@ github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzw github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI= github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= -github.com/golang-jwt/jwt/v5 v5.2.3 h1:kkGXqQOBSDDWRhWNXTFpqGSCMyh/PLnqUvMGJPDJDs0= -github.com/golang-jwt/jwt/v5 v5.2.3/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= +github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo= +github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE= github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= 
@@ -1165,8 +1165,8 @@ github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vb github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks= github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 h1:X5VWvz21y3gzm9Nw/kaUeku/1+uBhcekkmy4IkffJww= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1/go.mod h1:Zanoh4+gvIgluNqcfMVTJueD4wSS5hT7zTt4Mrutd90= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -1372,8 +1372,6 @@ github.com/protocolbuffers/txtpbfmt v0.0.0-20250627152318-f293424e46b5 h1:WWs1ZF github.com/protocolbuffers/txtpbfmt v0.0.0-20250627152318-f293424e46b5/go.mod h1:BnHogPTyzYAReeQLZrOxyxzS739DaTNtTvohVdbENmA= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= -github.com/redis/go-redis/v9 v9.10.0 h1:FxwK3eV8p/CQa0Ch276C7u2d0eNC9kCmAYQ7mCXCzVs= -github.com/redis/go-redis/v9 v9.10.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw= github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= 
@@ -1407,12 +1405,12 @@ github.com/sigstore/fulcio v1.7.1 h1:RcoW20Nz49IGeZyu3y9QYhyyV3ZKQ85T+FXPKkvE+aQ github.com/sigstore/fulcio v1.7.1/go.mod h1:7lYY+hsd8Dt+IvKQRC+KEhWpCZ/GlmNvwIa5JhypMS8= github.com/sigstore/protobuf-specs v0.5.0 h1:F8YTI65xOHw70NrvPwJ5PhAzsvTnuJMGLkA4FIkofAY= github.com/sigstore/protobuf-specs v0.5.0/go.mod h1:+gXR+38nIa2oEupqDdzg4qSBT0Os+sP7oYv6alWewWc= -github.com/sigstore/rekor v1.4.0 h1:K3DyH8309yzjYKUCQOVEIYpGp6Y9BQ8GpLhRj0D5CZk= -github.com/sigstore/rekor v1.4.0/go.mod h1:teR57QMQA1nYXPoZL7o26Txky21RfWslM0E9w5Z57Ro= -github.com/sigstore/rekor-tiles v0.1.9 h1:eB/svZuPfTksovh9TfrKKzubdsAunhTaZ7hR3P1Lps0= -github.com/sigstore/rekor-tiles v0.1.9/go.mod h1:Ir+1Prb7dvYzm3bQuFg6L81NYVgmR1+E7iwlBDG5hvU= -github.com/sigstore/sigstore v1.9.5 h1:Wm1LT9yF4LhQdEMy5A2JeGRHTrAWGjT3ubE5JUSrGVU= -github.com/sigstore/sigstore v1.9.5/go.mod h1:VtxgvGqCmEZN9X2zhFSOkfXxvKUjpy8RpUW39oCtoII= +github.com/sigstore/rekor v1.4.1 h1:KK3McuHnptIE9mdNlrc9qh/OVE0AXf4rnScMxJE6xH4= +github.com/sigstore/rekor v1.4.1/go.mod h1:/McBsz/vrtfi4EInxSIk/MGbDXzgv2+1FQUg1R/uSnE= +github.com/sigstore/rekor-tiles v0.1.10 h1:10LVWV+isl43KpjmAID/DH/wT7LeYj3j0eW5pVu6SXE= +github.com/sigstore/rekor-tiles v0.1.10/go.mod h1:SDtO+1nGYo6hEPTyshgd4EFDP3gZyZuVCUukBCqaqz0= +github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3 h1:IEhSeWfhTd0kaBpHUXniWU2Tl5K5OUACN69mi1WGd+8= +github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3/go.mod h1:JuqyPRJYnkNl6OTnQiG503EUnKih4P5EV6FUw+1B0iA= github.com/sigstore/sigstore-go v1.1.2-0.20250811211025-bac873564adb h1:Yy/pIVtUFjyTSAbr+7jIg5YKTaDXsoHAn9/a8DMyAhQ= github.com/sigstore/sigstore-go v1.1.2-0.20250811211025-bac873564adb/go.mod h1:kjsxkuzk8dd8bCODeVb9lDSYiMRxxomF3MvBMstHqJM= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 h1:qp2VFyKuFQvTGmZwk5Q7m5nE4NwnF9tHwkyz0gtWAck= 
@@ -1445,8 +1443,8 @@ github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cA github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo= github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0= github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spf13/pflag v1.0.7 h1:vN6T9TfwStFPFM5XzjsvmzZkLuaLX+HS+0SeFLRgU6M= -github.com/spf13/pflag v1.0.7/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY= +github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4= github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4= github.com/spiffe/go-spiffe/v2 v2.6.0 h1:l+DolpxNWYgruGQVV0xsfeya3CsC7m8iBzDnMpsbLuo= @@ -1469,8 +1467,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= -github.com/stretchr/testify v1.11.0 h1:ib4sjIrwZKxE5u/Japgo/7SJV3PvgjGiRNAvTVGqQl8= -github.com/stretchr/testify v1.11.0/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= +github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= +github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d h1:vfofYNRScrDdvS342BElfbETmL1Aiz3i2t0zfRj16Hs= 
@@ -1500,8 +1498,8 @@ github.com/transparency-dev/formats v0.0.0-20250421220931-bb8ad4d07c26 h1:YTbkeF github.com/transparency-dev/formats v0.0.0-20250421220931-bb8ad4d07c26/go.mod h1:ODywn0gGarHMMdSkWT56ULoK8Hk71luOyRseKek9COw= github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A= -github.com/transparency-dev/tessera v1.0.0-rc1.0.20250813103158-d62fc3a7519b h1:8FPNq4fiON1iwC9fX+BADLxW1JeYE4W6IS1VfvlfcrM= -github.com/transparency-dev/tessera v1.0.0-rc1.0.20250813103158-d62fc3a7519b/go.mod h1:zYJtx9IZYR8QmWClqBO3ebj+C1nO9qAAvVjpz4+GZ6g= +github.com/transparency-dev/tessera v1.0.0-rc2 h1:BKtDWr0nhL9dG66cS4DyKU9lpZFbUZrpHGh+BpqakcU= +github.com/transparency-dev/tessera v1.0.0-rc2/go.mod h1:aaLlvG/sEPMzT96iIF4hua6Z9pLzkfDtkbaUAR4IL8I= github.com/urfave/negroni v1.0.0 h1:kIimOitoypq34K7TG7DUaJ9kq/N4Ofuwi1sjz0KipXc= github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4= github.com/vbatts/tar-split v0.12.1 h1:CqKoORW7BUWBe7UL/iqTVvkTBOF8UvOMKOIZykxnnbo= 
@@ -1540,8 +1538,8 @@ github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8u github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI= github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0= github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= -gitlab.com/gitlab-org/api/client-go v0.142.1 h1:PFMUo/MPVjLlUDUE0RPpufrsjaMQbyZHSmhP25MHsZw= -gitlab.com/gitlab-org/api/client-go v0.142.1/go.mod h1:Pht8kWkFX+obFPjQK3fct8gk+kILqH/ur5v31+VFsKc= +gitlab.com/gitlab-org/api/client-go v0.142.5 h1:zvengEU958Fjwasi1V+9QNRw0viqNKkqUwvFD15XDZI= +gitlab.com/gitlab-org/api/client-go v0.142.5/go.mod h1:Ru5IRauphXt9qwmTzJD7ou1dH7Gc6pnsdFWEiMMpmB0= go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80= go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= @@ -1584,8 +1582,8 @@ go.opentelemetry.io/proto/otlp v0.15.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= go.opentelemetry.io/proto/otlp v1.7.0 h1:jX1VolD6nHuFzOYso2E73H85i92Mv8JQYk0K9vz09os= go.opentelemetry.io/proto/otlp v1.7.0/go.mod h1:fSKjH6YJ7HDlwzltzyMj036AJ3ejJLCgCSHGj4efDDo= -go.step.sm/crypto v0.69.0 h1:ELMNQjAGsnwpOeRfX/1phJdWm8Y6RIxAXnDzYlU9AOk= -go.step.sm/crypto v0.69.0/go.mod h1:mZ0mP4Q4wdoDy+fdEo6cOo0qzDDf7KgkvSIleTLv1+w= +go.step.sm/crypto v0.70.0 h1:Q9Ft7N637mucyZcHZd1+0VVQJVwDCKqcb9CYcYi7cds= +go.step.sm/crypto v0.70.0/go.mod h1:pzfUhS5/ue7ev64PLlEgXvhx1opwbhFCjkvlhsxVds0= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= 
@@ -2212,8 +2210,8 @@ google.golang.org/genproto v0.0.0-20230331144136-dcfb400f0633/go.mod h1:UUQDJDOl google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU= google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4= google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s= -google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0 h1:0UOBWO4dC+e51ui0NFKSPbkHHiQ4TmrEfEZMLDyRmY8= -google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0/go.mod h1:8ytArBbtOy2xfht+y2fqKd5DRDJRUQhqbyEnQ4bDChs= +google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c h1:AtEkQdl5b6zsybXcbz00j1LwNodDuH6hVifIaNqk7NQ= +google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c/go.mod h1:ea2MjsO70ssTfCjiwHgI0ZFqcw45Ksuk2ckf9G468GA= google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c h1:qXWI/sQtv5UKboZ/zUk7h+mrf/lXORyI+n9DKDAusdg= google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c/go.mod h1:gw1tLEfykwDz2ET4a12jcXt4couGAm7IwsVaTy0Sflo= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= From 62f0cb1a93e13ea09d10eb37bd65dd97c2464d52 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Sep 2025 08:33:18 +0200 Subject: [PATCH 040/136] chore(deps): bump google-github-actions/auth from 2.1.12 to 3.0.0 (#4381) Bumps [google-github-actions/auth](https://github.com/google-github-actions/auth) from 2.1.12 to 3.0.0. - [Release notes](https://github.com/google-github-actions/auth/releases) - [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md) - [Commits](https://github.com/google-github-actions/auth/compare/b7593ed2efd1c1617e1b0254da33b86225adb2a5...7c6bc770dae815cd3e89ee6cdf493a5fab2cc093) --- updated-dependencies: - dependency-name: google-github-actions/auth dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 37f4bb9a8a6..5c6ea869440 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -59,7 +59,7 @@ jobs: - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9 - name: Set up Cloud SDK - uses: google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5 # v2.1.12 + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 with: workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-cosign' service_account: 'github-actions@projectsigstore.iam.gserviceaccount.com' From be9d024bcd5a95e30f8391dca5645a6cb620a173 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Sep 2025 11:16:37 +0200 Subject: [PATCH 041/136] chore(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1 (#4380) Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.9.1 to 1.10.1. - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](https://github.com/spf13/cobra/compare/v1.9.1...v1.10.1) --- updated-dependencies: - dependency-name: github.com/spf13/cobra dependency-version: 1.10.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index ee485f5e472..8b71439a7d2 100644 --- a/go.mod +++ b/go.mod @@ -45,7 +45,7 @@ require ( github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.6-0.20250729224751-181c5d3339b3 github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.9.5 github.com/sigstore/timestamp-authority v1.2.8 - github.com/spf13/cobra v1.9.1 + github.com/spf13/cobra v1.10.1 github.com/spf13/pflag v1.0.9 github.com/spf13/viper v1.20.1 github.com/spiffe/go-spiffe/v2 v2.6.0 diff --git a/go.sum b/go.sum index 8170143e695..3a111101142 100644 --- a/go.sum +++ b/go.sum 
@@ -1440,9 +1440,8 @@ github.com/spf13/afero v1.12.0 h1:UcOPyRBYczmFn6yvphxkn9ZEOY65cpwGKb5mL36mrqs= github.com/spf13/afero v1.12.0/go.mod h1:ZTlWwG4/ahT8W7T0WQ5uYmjI9duaLQGy3Q2OAl4sk/4= github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y= github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= -github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo= -github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0= -github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s= +github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0= github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY= github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4= From 402cc2aae43eaa58c698bef50e8b2909967211bc Mon Sep 17 00:00:00 2001 From: Carlos Tadeu Panato Junior Date: Tue, 2 Sep 2025 19:06:12 +0200 Subject: [PATCH 042/136] introduce dockerfile to pin the go version to decouple go version from go.mod (#4369) Signed-off-by: Carlos Panato --- .github/dependabot.yml | 10 ++++++ .github/workflows/build.yaml | 6 +++- .github/workflows/codeql-analysis.yml | 9 +++-- .github/workflows/conformance-nightly.yml | 9 +++-- .github/workflows/conformance.yml | 7 +++- .github/workflows/e2e-tests.yml | 29 ++++++++++++--- .github/workflows/e2e-with-binary.yml | 8 ++++- .github/workflows/github-oidc.yaml | 8 +++-- .github/workflows/golangci-lint.yml | 20 ++++++++--- .../workflows/kind-verify-attestation.yaml | 7 +++- .github/workflows/tests.yaml | 35 ++++++++++++++++--- .github/workflows/verify-docgen.yaml | 9 ++++- Dockerfile | 18 ++++++++++ 13 files changed, 150 insertions(+), 25 deletions(-) create mode 100644 Dockerfile 
diff --git a/.github/dependabot.yml b/.github/dependabot.yml index b39c03108ed..5c17c1be8f6 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -35,3 +35,13 @@ updates: update-types: - "minor" - "patch" + + - package-ecosystem: "docker" + directory: "/" + schedule: + interval: "weekly" + groups: + all: + update-types: + - "minor" + - "patch" diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 5c6ea869440..c0f1f527a47 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -50,10 +50,14 @@ jobs: - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 + - name: Extract version of Go to use + run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version-file: 'go.mod' + go-version: '${{ env.GOVERSION }}' check-latest: true + cache: false # will use the latest release available for ko - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index d753a485d93..073b8c32e62 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -65,11 +65,14 @@ jobs: restore-keys: | ${{ runner.os }}-go- - - name: Set correct version of Golang to use during CodeQL run - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + - name: Extract version of Go to use + run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV + + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version-file: 'go.mod' + go-version: '${{ env.GOVERSION }}' check-latest: true + cache: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL 
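Review bot: The new `Extract version of Go to use` step in build.yaml passes whatever awk prints straight into `go-version`, so a missing Dockerfile or a `FROM` line that no longer matches yields an empty `GOVERSION` and the job presumably continues with whatever setup-go resolves for an empty version instead of failing at the point of the mistake. Anchoring the pattern with `^` also keeps a comment that merely mentions `FROM golang` from being picked up. The identical one-liner is copied into codeql-analysis.yml in this hunk and into conformance-nightly, conformance, e2e-tests, e2e-with-binary, github-oidc, golangci-lint, kind-verify-attestation, tests and verify-docgen below; a composite action or reusable workflow would keep the twelve copies from drifting. Suggested shape for the step, with the guard:
```yaml
      - name: Extract version of Go to use
        run: |
          GOVERSION="$(awk -F'[:@]' '/^FROM golang/{print $2; exit}' Dockerfile)"
          test -n "$GOVERSION" || { echo "no FROM golang line found in Dockerfile" >&2; exit 1; }
          echo "GOVERSION=$GOVERSION" >> "$GITHUB_ENV"
      # … unchanged: actions/setup-go step …
```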
diff --git a/.github/workflows/conformance-nightly.yml b/.github/workflows/conformance-nightly.yml index ef8bc49618a..1b0d1a4a8d4 100644 --- a/.github/workflows/conformance-nightly.yml +++ b/.github/workflows/conformance-nightly.yml @@ -30,10 +30,15 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false + + - name: Extract version of Go to use + run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version-file: 'go.mod' + go-version: '${{ env.GOVERSION }}' check-latest: true + cache: false - run: make cosign conformance @@ -43,7 +48,7 @@ jobs: - name: Create Issue on Failure if: failure() - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 20a53cbc5a8..ef97435778d 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -32,10 +32,15 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false + + - name: Extract version of Go to use + run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version-file: 'go.mod' + go-version: '${{ env.GOVERSION }}' check-latest: true + cache: false - run: make cosign conformance diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 4b61b5c21dd..ae8cf5dee11 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml 
@@ -42,10 +42,15 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false + + - name: Extract version of Go to use + run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version-file: 'go.mod' + go-version: '${{ env.GOVERSION }}' check-latest: true + cache: false - name: Run cross platform e2e tests run: go test -tags=e2e,cross -v ./test/... @@ -57,10 +62,15 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false + + - name: Extract version of Go to use + run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version-file: 'go.mod' + go-version: '${{ env.GOVERSION }}' check-latest: true + cache: false - name: Run pkcs11 end-to-end tests shell: bash @@ -96,10 +106,14 @@ jobs: - name: setup vault uses: cpanato/vault-installer@e7c1d664fa15219e89e43739e39a9df11ba00849 # v1.2.0 + - name: Extract version of Go to use + run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version-file: 'go.mod' + go-version: '${{ env.GOVERSION }}' check-latest: true + cache: false - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4 
@@ -124,13 +138,18 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false + + - name: Extract version of Go to use + run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version-file: 'go.mod' + go-version: '${{ env.GOVERSION }}' check-latest: true + cache: false - name: Setup mirror - uses: chainguard-dev/actions/setup-mirror@main + uses: chainguard-dev/actions/setup-mirror@be7b31a01af8ce7228fe901326f1d223fb788e14 # v1.4.12 with: mirror: mirror.gcr.io diff --git a/.github/workflows/e2e-with-binary.yml b/.github/workflows/e2e-with-binary.yml index 67b18a83990..b18a72edf8f 100644 --- a/.github/workflows/e2e-with-binary.yml +++ b/.github/workflows/e2e-with-binary.yml @@ -51,10 +51,16 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false + + - name: Extract version of Go to use + run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version-file: 'go.mod' + go-version: '${{ env.GOVERSION }}' check-latest: true + cache: false + - name: build cosign and check sign-blob and verify-blob shell: bash run: | diff --git a/.github/workflows/github-oidc.yaml b/.github/workflows/github-oidc.yaml index d9ea4bc605a..44455166cf7 100644 --- a/.github/workflows/github-oidc.yaml +++ b/.github/workflows/github-oidc.yaml 
@@ -51,11 +51,15 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false + + - name: Extract version of Go to use + run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version-file: 'go.mod' + go-version: '${{ env.GOVERSION }}' check-latest: true - cache: true + cache: false # Install tools. - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9 diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index d78bfd0d8e6..87f362352a5 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -34,14 +34,20 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false + + - name: Extract version of Go to use + run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version-file: 'go.mod' + go-version: '${{ env.GOVERSION }}' check-latest: true + cache: false + - name: golangci-lint uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0 with: - version: v2.3 + version: v2.4 golangci-test-e2e: name: lint-test-e2e 
@@ -54,12 +60,18 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false + + - name: Extract version of Go to use + run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version-file: 'go.mod' + go-version: '${{ env.GOVERSION }}' check-latest: true + cache: false + - name: golangci-lint uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0 with: - version: v2.2 + version: v2.4 args: --build-tags e2e ./test diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml index f00a0a8de64..e370545704e 100644 --- a/.github/workflows/kind-verify-attestation.yaml +++ b/.github/workflows/kind-verify-attestation.yaml @@ -56,10 +56,15 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false + + - name: Extract version of Go to use + run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version-file: 'go.mod' + go-version: '${{ env.GOVERSION }}' check-latest: true + cache: false # will use the latest release available for ko - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9 diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 945e8bd610d..69cec480033 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -44,6 +44,7 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false + # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: 
@@ -60,16 +61,24 @@ jobs: key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- + + - name: Extract version of Go to use + run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version-file: 'go.mod' + go-version: '${{ env.GOVERSION }}' check-latest: true + cache: false + - name: Run Go tests run: go test -covermode atomic -coverprofile coverage.txt $(go list ./... | grep -v third_party/) + - name: Upload Coverage Report uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0 with: env_vars: OS + - name: Run Go tests w/ `-race` if: ${{ runner.os == 'Linux' }} run: go test -race $(go list ./... | grep -v third_party/) @@ -153,10 +162,16 @@ jobs: key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- + + - name: Extract version of Go to use + run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version-file: 'go.mod' + go-version: '${{ env.GOVERSION }}' check-latest: true + cache: false + - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9 - name: setup kind cluster run: | @@ -180,10 +195,15 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false + + - name: Extract version of Go to use + run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version-file: 'go.mod' + go-version: '${{ env.GOVERSION }}' check-latest: true + cache: false # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 
@@ -210,12 +230,19 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false + + - name: Extract version of Go to use + run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version-file: 'go.mod' + go-version: '${{ env.GOVERSION }}' check-latest: true + cache: false + - name: Install addlicense run: go install github.com/google/addlicense@latest + - name: Check license headers run: | set -e diff --git a/.github/workflows/verify-docgen.yaml b/.github/workflows/verify-docgen.yaml index 8bd4ed323d7..63d45eae797 100644 --- a/.github/workflows/verify-docgen.yaml +++ b/.github/workflows/verify-docgen.yaml @@ -36,11 +36,18 @@ jobs: steps: - name: deps run: sudo apt-get update && sudo apt-get install -yq libpcsclite-dev + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false + + - name: Extract version of Go to use + run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version-file: 'go.mod' + go-version: '${{ env.GOVERSION }}' check-latest: true + cache: false + - run: ./cmd/help/verify.sh diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 00000000000..4239690292f --- /dev/null +++ b/Dockerfile 
@@ -0,0 +1,18 @@
+#
+# Copyright 2025 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This is used to we scrap the go version and use in CI to get the latest go version
+# and we use dependabot to keep the go version up to date
+FROM golang:1.25.0
From 66fd8de43eeca8a9cf999480045ee762813eccd5 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 2 Sep 2025 19:20:51 +0200
Subject: [PATCH 043/136] chore(deps): bump github.com/open-policy-agent/opa from 1.7.1 to 1.8.0 (#4379)
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.7.1 to 1.8.0. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-policy-agent/opa/compare/v1.7.1...v1.8.0) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-version: 1.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 16 ++++++++++++---- go.sum | 24 ++++++++++++++++++++++-- 2 files changed, 34 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index 8b71439a7d2..b8a2b32f4bd 100644
--- a/go.mod
+++ b/go.mod
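Review bot: The explanatory comment in the new Dockerfile is garbled (`# This is used to we scrap the go version…`) and does not say that the file is never built, which is the one thing a reader needs to know before touching it; suggest `# Not built. CI scrapes the Go version from the FROM line below, and dependabot keeps that tag current.` The actions in the workflows of this same commit are all pinned to commit SHAs, but the base image here is pinned by tag only; `FROM golang:1.25.0@sha256:<image digest>` would give the same immutability, and the `-F'[:@]'` split the workflows use already tolerates a digest suffix.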
@@ -1,8 +1,6 @@ module github.com/sigstore/cosign/v2 -go 1.24.3 - -toolchain go1.24.6 +go 1.24.6 require ( cuelang.org/go v0.14.1 @@ -32,7 +30,7 @@ require ( github.com/moby/term v0.5.2 github.com/mozillazg/docker-credential-acr-helper v0.4.0 github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 - github.com/open-policy-agent/opa v1.7.1 + github.com/open-policy-agent/opa v1.8.0 github.com/secure-systems-lab/go-securesystemslib v0.9.1 github.com/sigstore/fulcio v1.7.1 github.com/sigstore/protobuf-specs v0.5.0 @@ -150,6 +148,7 @@ require ( github.com/coreos/go-oidc/v3 v3.14.1 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect + github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect github.com/dimchansky/utfbom v1.1.1 // indirect github.com/docker/cli v28.2.2+incompatible // indirect @@ -178,6 +177,7 @@ require ( github.com/go-sql-driver/mysql v1.9.3 // indirect github.com/go-viper/mapstructure/v2 v2.4.0 // indirect github.com/gobwas/glob v0.2.3 // indirect + github.com/goccy/go-json v0.10.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.5.2 // indirect github.com/golang-jwt/jwt/v5 v5.3.0 // indirect 
@@ -214,6 +214,12 @@ require ( github.com/json-iterator/go v1.1.12 // indirect github.com/klauspost/compress v1.18.0 // indirect github.com/kylelemons/godebug v1.1.0 // indirect + github.com/lestrrat-go/blackmagic v1.0.4 // indirect + github.com/lestrrat-go/httpcc v1.0.1 // indirect + github.com/lestrrat-go/httprc/v3 v3.0.0 // indirect + github.com/lestrrat-go/jwx/v3 v3.0.10 // indirect + github.com/lestrrat-go/option v1.0.1 // indirect + github.com/lestrrat-go/option/v2 v2.0.0 // indirect github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect github.com/mailru/easyjson v0.9.0 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect @@ -244,6 +250,7 @@ require ( github.com/ryanuber/go-glob v1.0.0 // indirect github.com/sagikazarmark/locafero v0.7.0 // indirect github.com/sassoftware/relic v7.2.1+incompatible // indirect + github.com/segmentio/asm v1.2.0 // indirect github.com/segmentio/ksuid v1.0.4 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect github.com/sirupsen/logrus v1.9.3 // indirect @@ -265,6 +272,7 @@ require ( github.com/transparency-dev/formats v0.0.0-20250421220931-bb8ad4d07c26 // indirect github.com/transparency-dev/tessera v1.0.0-rc2 // indirect github.com/urfave/negroni v1.0.0 // indirect + github.com/valyala/fastjson v1.6.4 // indirect github.com/vbatts/tar-split v0.12.1 // indirect github.com/vektah/gqlparser/v2 v2.5.30 // indirect github.com/x448/float16 v0.8.4 // indirect diff --git a/go.sum b/go.sum index 3a111101142..38f203975e5 100644 --- a/go.sum +++ b/go.sum 
@@ -873,6 +873,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc= +github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40= github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936 h1:foGzavPWwtoyBvjWyKJYDYsyzy+23iBV7NKTwdk+LRY= github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936/go.mod h1:ttKPnOepYt4LLzD+loXQ1rT6EmpyIYHro7TAJuIIlHo= github.com/dgraph-io/badger/v4 v4.8.0 h1:JYph1ChBijCw8SLeybvPINizbDKWZ5n/GYbz2yhN/bs= @@ -1011,6 +1013,8 @@ github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlnd github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= +github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA= +github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M= github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= 
@@ -1258,6 +1262,18 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/lestrrat-go/blackmagic v1.0.4 h1:IwQibdnf8l2KoO+qC3uT4OaTWsW7tuRQXy9TRN9QanA= +github.com/lestrrat-go/blackmagic v1.0.4/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw= +github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE= +github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E= +github.com/lestrrat-go/httprc/v3 v3.0.0 h1:nZUx/zFg5uc2rhlu1L1DidGr5Sj02JbXvGSpnY4LMrc= +github.com/lestrrat-go/httprc/v3 v3.0.0/go.mod h1:k2U1QIiyVqAKtkffbg+cUmsyiPGQsb9aAfNQiNFuQ9Q= +github.com/lestrrat-go/jwx/v3 v3.0.10 h1:XuoCBhZBncRIjMQ32HdEc76rH0xK/Qv2wq5TBouYJDw= +github.com/lestrrat-go/jwx/v3 v3.0.10/go.mod h1:kNMedLgTpHvPJkK5EMVa1JFz+UVyY2dMmZKu3qjl/Pk= +github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU= +github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= +github.com/lestrrat-go/option/v2 v2.0.0 h1:XxrcaJESE1fokHy3FpaQ/cXW8ZsIdWcdFzzLOcID3Ss= +github.com/lestrrat-go/option/v2 v2.0.0/go.mod h1:oSySsmzMoR0iRzCDCaUfsCzxQHUEuhOViQObyy7S6Vg= github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec h1:2tTW6cDth2TSgRbAhD7yjZzTQmcN25sDRPEeinR51yQ= github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec/go.mod h1:TmwEoGCwIti7BCeJ9hescZgRtatxRE+A72pCoPfmcfk= github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= 
@@ -1328,8 +1344,8 @@ github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4= github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= -github.com/open-policy-agent/opa v1.7.1 h1:bhA2UGq5oS25471WB9aCJBWEp5/7WK+Nyb2PMAChQIg= -github.com/open-policy-agent/opa v1.7.1/go.mod h1:7cPuErOAt7k/oVWAVJnxqAC6mwArrAazkvk0RXiih2A= +github.com/open-policy-agent/opa v1.8.0 h1:4JdYuZcANeUF1v/87NGpirocpaZzJA0PcuL7xfmsMNM= +github.com/open-policy-agent/opa v1.8.0/go.mod h1:vOVZuIJQISnaYcZtQ58yTDkVCp1FmGPwK43pO9qPDqM= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= @@ -1395,6 +1411,8 @@ github.com/sassoftware/relic/v7 v7.6.2 h1:rS44Lbv9G9eXsukknS4mSjIAuuX+lMq/FnStgm github.com/sassoftware/relic/v7 v7.6.2/go.mod h1:kjmP0IBVkJZ6gXeAu35/KCEfca//+PKM6vTAsyDPY+k= github.com/secure-systems-lab/go-securesystemslib v0.9.1 h1:nZZaNz4DiERIQguNy0cL5qTdn9lR8XKHf4RUyG1Sx3g= github.com/secure-systems-lab/go-securesystemslib v0.9.1/go.mod h1:np53YzT0zXGMv6x4iEWc9Z59uR+x+ndLwCLqPYpLXVU= +github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys= +github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs= github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw= 
@@ -1501,6 +1519,8 @@ github.com/transparency-dev/tessera v1.0.0-rc2 h1:BKtDWr0nhL9dG66cS4DyKU9lpZFbUZ github.com/transparency-dev/tessera v1.0.0-rc2/go.mod h1:aaLlvG/sEPMzT96iIF4hua6Z9pLzkfDtkbaUAR4IL8I= github.com/urfave/negroni v1.0.0 h1:kIimOitoypq34K7TG7DUaJ9kq/N4Ofuwi1sjz0KipXc= github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4= +github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXVQ= +github.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY= github.com/vbatts/tar-split v0.12.1 h1:CqKoORW7BUWBe7UL/iqTVvkTBOF8UvOMKOIZykxnnbo= github.com/vbatts/tar-split v0.12.1/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA= github.com/vektah/gqlparser/v2 v2.5.30 h1:EqLwGAFLIzt1wpx1IPpY67DwUujF1OfzgEyDsLrN6kE= From b36644f793e61bec1e5f68cfb163aef1968556e3 Mon Sep 17 00:00:00 2001 From: Riccardo Schirone <562321+ret2libc@users.noreply.github.com> Date: Wed, 3 Sep 2025 00:00:46 +0200 Subject: [PATCH 044/136] Remove SHA256 assumption in sign-blob/verify-blob (#4050) Use sigstore/sigstore signature.LoadSignerVerifierFromPrivateKey to load default verifiers given a private key. Signed-off-by: Riccardo Schirone --- cmd/cosign/cli/fulcio/fulcio.go | 11 +- .../fulcio/fulcioverifier/fulcioverifier.go | 6 +- cmd/cosign/cli/options/key.go | 10 ++ cmd/cosign/cli/sign/sign.go | 37 +++++- cmd/cosign/cli/sign/sign_blob.go | 114 ++++++++++++++--- cmd/cosign/cli/sign/sign_test.go | 10 +- .../cli/verify/verify_blob_attestation.go | 3 +- internal/pkg/cosign/common.go | 17 ++- internal/pkg/cosign/common_test.go | 3 +- pkg/cosign/fuzz_test.go | 2 +- pkg/cosign/keys.go | 83 ++++++++++-- pkg/cosign/keys_test.go | 10 +- pkg/cosign/tlog.go | 63 +++++++-- pkg/signature/keys.go | 14 +- pkg/signature/keys_test.go | 2 +- test/e2e_test.go | 121 +++++++++++++++++- test/helpers.go | 14 +- 17 files changed, 447 insertions(+), 73 deletions(-) 
diff --git a/cmd/cosign/cli/fulcio/fulcio.go b/cmd/cosign/cli/fulcio/fulcio.go
index e13e4902e1d..adf3226730a 100644
--- a/cmd/cosign/cli/fulcio/fulcio.go
+++ b/cmd/cosign/cli/fulcio/fulcio.go
@@ -72,6 +72,15 @@ type Signer struct {
 }
 
 func NewSigner(ctx context.Context, ko options.KeyOpts, signer signature.SignerVerifier) (*Signer, error) {
+ return NewSignerWithAdapter(ctx, ko, signer, signer)
+}
+
+// NewSignerWithAdapter creates a Fulcio Signer with a `fulcioSigner` that is
+// used to sign the Proof Of Possession sent to Fulcio. In most cases this will
+// be the same as the `signer`, however it is possible to use a different signer.
+// For example when ed25519ph is used for signing, the `fulcioSigner` will be
+// the equivalent PureED25519 signer, given that Fulcio does not support ed25519ph.
+func NewSignerWithAdapter(ctx context.Context, ko options.KeyOpts, signer signature.SignerVerifier, fulcioSigner signature.SignerVerifier) (*Signer, error) {
 fClient, err := NewClient(ko.FulcioURL)
 if err != nil {
 return nil, fmt.Errorf("creating Fulcio client: %w", err)
@@ -87,7 +96,7 @@ func NewSigner(ctx context.Context, ko options.KeyOpts, signer signature.SignerV
 return nil, fmt.Errorf("setting auth flow: %w", err)
 }
 
- resp, err := GetCert(ctx, signer, idToken, flow, ko.OIDCIssuer, ko.OIDCClientID, ko.OIDCClientSecret, ko.OIDCRedirectURL, fClient)
+ resp, err := GetCert(ctx, fulcioSigner, idToken, flow, ko.OIDCIssuer, ko.OIDCClientID, ko.OIDCClientSecret, ko.OIDCRedirectURL, fClient)
 if err != nil {
 return nil, fmt.Errorf("retrieving cert: %w", err)
 }
diff --git a/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go b/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go
index 076a763c536..4b58808aaea 100644
--- a/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go
+++ b/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go
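Review bot: `NewSignerWithAdapter` relies entirely on the caller to pass a `fulcioSigner` whose public key is the same as `signer`'s, and nothing in the function checks it: the proof of possession and therefore the certificate Fulcio issues are bound to `fulcioSigner`'s key, while the artifact signatures are later produced by `signer`, so a mismatched pair yields a certificate that will not verify the signatures it was obtained for. Since the only intended adaptation is ed25519ph to ed25519 over the same key, an equality check at the top of the function fails fast on any other pairing and documents the invariant in code; `cryptoutils.EqualKeys` from sigstore/sigstore does the comparison (it may need importing in this file). The rest of the function body is outside the hunk.
```go
func NewSignerWithAdapter(ctx context.Context, ko options.KeyOpts, signer signature.SignerVerifier, fulcioSigner signature.SignerVerifier) (*Signer, error) {
	signerPub, err := signer.PublicKey()
	if err != nil {
		return nil, fmt.Errorf("getting signer public key: %w", err)
	}
	fulcioPub, err := fulcioSigner.PublicKey()
	if err != nil {
		return nil, fmt.Errorf("getting fulcio signer public key: %w", err)
	}
	// The adapter may change the signing scheme but never the key pair.
	if err := cryptoutils.EqualKeys(signerPub, fulcioPub); err != nil {
		return nil, fmt.Errorf("fulcio signer does not match signer key: %w", err)
	}
	// … unchanged: NewClient, auth flow, GetCert …
```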
@@ -30,7 +30,11 @@ import (
 )
 
 func NewSigner(ctx context.Context, ko options.KeyOpts, signer signature.SignerVerifier) (*fulcio.Signer, error) {
- fs, err := fulcio.NewSigner(ctx, ko, signer)
+ return NewSignerWithAdapter(ctx, ko, signer, signer)
+}
+
+func NewSignerWithAdapter(ctx context.Context, ko options.KeyOpts, signer signature.SignerVerifier, fulcioSigner signature.SignerVerifier) (*fulcio.Signer, error) {
+ fs, err := fulcio.NewSignerWithAdapter(ctx, ko, signer, fulcioSigner)
 if err != nil {
 return nil, err
 }
diff --git a/cmd/cosign/cli/options/key.go b/cmd/cosign/cli/options/key.go
index 07326895770..bf8d78b77b1 100644
--- a/cmd/cosign/cli/options/key.go
+++ b/cmd/cosign/cli/options/key.go
@@ -18,6 +18,7 @@ package options
 import (
 "github.com/sigstore/cosign/v2/pkg/cosign"
 "github.com/sigstore/sigstore-go/pkg/root"
+ "github.com/sigstore/sigstore/pkg/signature"
 )
 
 type KeyOpts struct {
@@ -62,4 +63,13 @@ type KeyOpts struct {
 
 // SigningConfig contains the list of service URLs for Sigstore services.
 SigningConfig *root.SigningConfig
+
+ // DefaultLoadOptions may be set to control the behaviour of
+ // `LoadDefaultSigner/Verifier` family of functions. Some public/private key
+ // types have ambiguities with regards to the signing algorithm to use (e.g.
+ // RSA can be RSASSA-PSS or RSASSA-PKCS1v15). This is a way to control that.
+ //
+ // By default, Ed25519ph is used for ed25519 keys and RSA-PKCS1v15 is used
+ // for RSA keys.
+ DefaultLoadOptions *[]signature.LoadOption
 }
diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
index 34e1b20c2a0..f3a2c31cc5a 100644
--- a/cmd/cosign/cli/sign/sign.go
+++ b/cmd/cosign/cli/sign/sign.go
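Review bot: The exported `NewSignerWithAdapter` in fulcioverifier.go has no doc comment, unlike its counterpart in fulcio.go in the previous hunk, and the two-parameter form is exactly the one whose contract a caller needs spelled out. Suggested comment above the declaration: `// NewSignerWithAdapter is NewSigner with a separate fulcioSigner used only for the Fulcio proof of possession; both must hold the same key pair. See fulcio.NewSignerWithAdapter.` The function's tail (what is done with `fs`) lies outside the hunk.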
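Review bot: `DefaultLoadOptions` in key.go is declared as `*[]signature.LoadOption`; a plain `[]signature.LoadOption` already has a nil "unset" state, is the idiomatic shape, and would let callers pass a literal without taking its address. If the pointer is deliberate — to distinguish "caller supplied an empty option list" from "caller supplied nothing" — the field comment should say so, since it currently explains the defaults but not the indirection; e.g. `// A nil pointer means "use cosign's defaults"; a pointer to an empty slice passes no options through.` That reading is inferred from the type alone and should be confirmed against the loaders that consume the field.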
@@ -490,8 +490,8 @@ func signerFromSecurityKey(ctx context.Context, keySlot string) (*SignerVerifier
 }, nil
 }
 
-func signerFromKeyRef(ctx context.Context, certPath, certChainPath, keyRef string, passFunc cosign.PassFunc) (*SignerVerifier, error) {
- k, err := sigs.SignerVerifierFromKeyRef(ctx, keyRef, passFunc)
+func signerFromKeyRef(ctx context.Context, certPath, certChainPath, keyRef string, passFunc cosign.PassFunc, defaultLoadOptions *[]signature.LoadOption) (*SignerVerifier, error) {
+ k, err := sigs.SignerVerifierFromKeyRef(ctx, keyRef, passFunc, defaultLoadOptions)
 if err != nil {
 return nil, fmt.Errorf("reading key: %w", err)
 }
@@ -618,18 +618,45 @@ func signerFromNewKey() (*SignerVerifier, error) { }, nil } +// adaptSignerVerifierToFulcio adapts, if necessary, the SignerVerifier to be +// used to interact with Fulcio. +// +// This is needed in particular for ED25519 keys with the pre-hashed version of +// the algorithm, which is not supported by Fulcio. This function creates a +// ED25519 SignerVerifier based on that instead. +func adaptSignerVerifierToFulcio(sv *SignerVerifier) (*SignerVerifier, error) { + if ed25519phSV, ok := sv.SignerVerifier.(*signature.ED25519phSignerVerifier); ok { + signerVerifier, err := ed25519phSV.ToED25519SignerVerifier() + if err != nil { + return nil, err + } + + return &SignerVerifier{ + SignerVerifier: signerVerifier, + Cert: sv.Cert, + Chain: sv.Chain, + }, nil + } + return sv, nil +} + func keylessSigner(ctx context.Context, ko options.KeyOpts, sv *SignerVerifier) (*SignerVerifier, error) { var ( k *fulcio.Signer err error ) + fulcioSV, err := adaptSignerVerifierToFulcio(sv) + if err != nil { + return nil, fmt.Errorf("adapting signer verifier to Fulcio: %w", err) + } + if ko.InsecureSkipFulcioVerify { - if k, err = fulcio.NewSigner(ctx, ko, sv); err != nil { + if k, err = fulcio.NewSignerWithAdapter(ctx, ko, sv, fulcioSV); err != nil { return nil, fmt.Errorf("getting key from Fulcio: %w", err) } } else { - if k, err = fulcioverifier.NewSigner(ctx, ko, sv); err != nil { + if k, err = fulcioverifier.NewSignerWithAdapter(ctx, ko, sv, fulcioSV); err != nil { return nil, fmt.Errorf("getting key from Fulcio: %w", err) } } @@ -649,7 +676,7 @@ func SignerFromKeyOpts(ctx context.Context, certPath string, certChainPath strin case ko.Sk: sv, err = signerFromSecurityKey(ctx, ko.Slot) case ko.KeyRef != "": - sv, err = signerFromKeyRef(ctx, certPath, certChainPath, ko.KeyRef, ko.PassFunc) + sv, err = signerFromKeyRef(ctx, certPath, certChainPath, ko.KeyRef, ko.PassFunc, ko.DefaultLoadOptions) default: genKey = true ui.Infof(ctx, "Generating ephemeral keys...") 
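Review bot: adaptSignerVerifierToFulcio builds the adapted value from only the SignerVerifier, Cert and Chain fields; if the SignerVerifier struct has other fields (a close hook, for instance — `sv.Close()` is deferred in sign_blob.go in this patch) they are silently absent from the adapted copy, and the function's comment does not say whether the adapted value must be closed separately or the caller stays responsible for the original. I cannot see the struct definition, so a one-line comment settling that, e.g. `// The returned value is a shallow copy; the caller remains responsible for closing sv.`, is the safe fix if that is the intent. In keylessSigner, `err` is declared in the `var (...)` block and then re-bound by `fulcioSV, err := …`; declaring `fulcioSV *SignerVerifier` in the same block and assigning with `=` avoids the mixed style. keylessSigner's body continues past the hunk.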
diff --git a/cmd/cosign/cli/sign/sign_blob.go b/cmd/cosign/cli/sign/sign_blob.go index ab2f73096df..b3d8103cdda 100644 --- a/cmd/cosign/cli/sign/sign_blob.go +++ b/cmd/cosign/cli/sign/sign_blob.go @@ -17,6 +17,7 @@ package sign import ( "context" + "crypto" "crypto/sha256" "crypto/x509" "encoding/base64" @@ -42,9 +43,22 @@ import ( "github.com/sigstore/rekor/pkg/generated/models" "github.com/sigstore/sigstore-go/pkg/sign" "github.com/sigstore/sigstore/pkg/cryptoutils" + "github.com/sigstore/sigstore/pkg/signature" signatureoptions "github.com/sigstore/sigstore/pkg/signature/options" ) +func getPayload(ctx context.Context, payloadPath string, hashFunction crypto.Hash) (internal.HashReader, func() error, error) { + if payloadPath == "-" { + return internal.NewHashReader(os.Stdin, hashFunction), func() error { return nil }, nil + } + ui.Infof(ctx, "Using payload from: %s", payloadPath) + f, err := os.Open(filepath.Clean(payloadPath)) + if err != nil { + return internal.HashReader{}, nil, err + } + return internal.NewHashReader(f, hashFunction), f.Close, nil +} + // nolint func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string, b64 bool, outputSignature string, outputCertificate string, tlogUpload bool) ([]byte, error) { var payload internal.HashReader 
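Review bot: getPayload hands hashFunction straight to internal.NewHashReader, which in the common.go hunk of this patch calls `ch.New()`; for a hash that is not linked into the binary — in particular the `crypto.Hash(0)` that protoHashAlgoToHash and getHashFunction return on their fallback paths — `crypto.Hash.New` panics instead of returning an error. Both callers, the SigningConfig branch in the next hunk and the main path in the hunk after it, would reach that panic. A guard at the top of getPayload, `if !hashFunction.Available() { return internal.HashReader{}, nil, fmt.Errorf("unsupported hash function %v", hashFunction) }`, converts it into the error path the callers already handle. SignBlobCmd starts at the end of this hunk and continues beyond it.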
@@ -52,16 +66,16 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string ctx, cancel := context.WithTimeout(context.Background(), ro.Timeout) defer cancel() - if payloadPath == "-" { - payload = internal.NewHashReader(os.Stdin, sha256.New()) - } else { - ui.Infof(ctx, "Using payload from: %s", payloadPath) - f, err := os.Open(filepath.Clean(payloadPath)) - if err != nil { - return nil, err - } - defer f.Close() - payload = internal.NewHashReader(f, sha256.New()) + shouldUpload, err := ShouldUploadToTlog(ctx, ko, nil, tlogUpload) + if err != nil { + return nil, fmt.Errorf("upload to tlog: %w", err) + } + + if !shouldUpload { + // To maintain backwards compatibility with older cosign versions, + // we do not use ed25519ph for ed25519 keys when the signatures are not + // uploaded to the Tlog. + ko.DefaultLoadOptions = &[]signature.LoadOption{} } if ko.SigningConfig != nil { @@ -86,6 +100,15 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string ClientSecret: ko.OIDCClientSecret, RedirectURL: ko.OIDCRedirectURL, }) + if err != nil { + return nil, fmt.Errorf("retrieving ID token: %w", err) + } + + payload, closePayload, err := getPayload(ctx, payloadPath, protoHashAlgoToHash(keypair.GetHashAlgorithm())) + if err != nil { + return nil, fmt.Errorf("getting payload: %w", err) + } + defer closePayload() data, err := io.ReadAll(&payload) if err != nil { return nil, fmt.Errorf("reading payload: %w", err) 
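Review bot: The `if !shouldUpload` block overwrites ko.DefaultLoadOptions unconditionally, so a caller that set the field explicitly — the very knob the options.KeyOpts hunk in this patch introduces for controlling this — has its choice discarded whenever the signature is not uploaded. Restricting the override to the unset case, `if !shouldUpload && ko.DefaultLoadOptions == nil {`, keeps the backwards-compatible default while honouring an explicit setting. In the second hunk, `payload, closePayload, err := getPayload(...)` inside the SigningConfig branch declares block-local `payload` and `err` that shadow the function-scope ones; the error is checked immediately so this is harmless, but it is easy to misread. SignBlobCmd starts before this hunk and continues after it.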
@@ -110,6 +133,27 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string } defer sv.Close() + hashFunction, err := getHashFunction(sv, ko.DefaultLoadOptions) + if err != nil { + return nil, err + } + + if hashFunction != crypto.SHA256 && !ko.NewBundleFormat && (shouldUpload || (!ko.Sk && ko.KeyRef == "")) { + ui.Infof(ctx, "Non SHA256 hash function is not supported for old bundle format. Use --new-bundle-format to use the new bundle format or use different signing key/algorithm.") + if !ko.SkipConfirmation { + if err := ui.ConfirmContinue(ctx); err != nil { + return nil, err + } + } + ui.Infof(ctx, "Continuing with non SHA256 hash function and old bundle format") + } + + payload, closePayload, err := getPayload(ctx, payloadPath, hashFunction) + if err != nil { + return nil, err + } + defer closePayload() + sig, err := sv.SignMessage(&payload, signatureoptions.WithContext(ctx)) if err != nil { return nil, fmt.Errorf("signing blob: %w", err) @@ -160,10 +204,6 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string ui.Infof(ctx, "RFC3161 timestamp written to file %s\n", ko.RFC3161TimestampPath) } } - shouldUpload, err := ShouldUploadToTlog(ctx, ko, nil, tlogUpload) - if err != nil { - return nil, fmt.Errorf("upload to tlog: %w", err) - } if shouldUpload { rekorBytes, err := sv.Bytes(ctx) if err != nil { @@ -173,7 +213,7 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string if err != nil { return nil, err } - rekorEntry, err = cosign.TLogUpload(ctx, rekorClient, sig, &payload, rekorBytes) + rekorEntry, err = cosign.TLogUploadWithCustomHash(ctx, rekorClient, sig, &payload, rekorBytes) if err != nil { return nil, err } 
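Review bot: The condition `hashFunction != crypto.SHA256 && !ko.NewBundleFormat && (shouldUpload || (!ko.Sk && ko.KeyRef == ""))` encodes a non-obvious policy and has no comment, so a reader cannot tell why the security-key and key-ref cases are exempt when no upload happens. A why-comment above it, for example `// The old bundle format only carries a SHA-256 digest; warn when the digest will end up in a bundle or tlog entry (keyless / uploading), not for plain key signing without upload — confirm the Sk/KeyRef exemption rationale`, would record the intent. Note that under ko.SkipConfirmation the run proceeds with only the Infof line as a trace of the mismatch. SignBlobCmd continues outside this hunk.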
@@ -217,7 +257,7 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string bundle.Content = &protobundle.Bundle_MessageSignature{ MessageSignature: &protocommon.MessageSignature{ MessageDigest: &protocommon.HashOutput{ - Algorithm: protocommon.HashAlgorithm_SHA2_256, + Algorithm: hashFuncToProtoBundle(payload.HashFunc()), Digest: digest, }, Signature: sig, @@ -301,3 +341,45 @@ func extractCertificate(ctx context.Context, sv *SignerVerifier) ([]byte, error) } return nil, nil } + +func getHashFunction(sv *SignerVerifier, defaultLoadOptions *[]signature.LoadOption) (crypto.Hash, error) { + pubKey, err := sv.PublicKey() + if err != nil { + return crypto.Hash(0), fmt.Errorf("error getting public key: %w", err) + } + + defaultLoadOptions = cosign.GetDefaultLoadOptions(defaultLoadOptions) + + // TODO: Ideally the SignerVerifier should have a method to get the hash function + algo, err := signature.GetDefaultAlgorithmDetails(pubKey, *defaultLoadOptions...) + if err != nil { + return crypto.Hash(0), fmt.Errorf("error getting default algorithm details: %w", err) + } + return algo.GetHashType(), nil +} + +func hashFuncToProtoBundle(hashFunc crypto.Hash) protocommon.HashAlgorithm { + switch hashFunc { + case crypto.SHA256: + return protocommon.HashAlgorithm_SHA2_256 + case crypto.SHA384: + return protocommon.HashAlgorithm_SHA2_384 + case crypto.SHA512: + return protocommon.HashAlgorithm_SHA2_512 + default: + return protocommon.HashAlgorithm_HASH_ALGORITHM_UNSPECIFIED + } +} + +func protoHashAlgoToHash(hashFunc protocommon.HashAlgorithm) crypto.Hash { + switch hashFunc { + case protocommon.HashAlgorithm_SHA2_256: + return crypto.SHA256 + case protocommon.HashAlgorithm_SHA2_384: + return crypto.SHA384 + case protocommon.HashAlgorithm_SHA2_512: + return crypto.SHA512 + default: + return crypto.Hash(0) + } +} diff --git a/cmd/cosign/cli/sign/sign_test.go b/cmd/cosign/cli/sign/sign_test.go index 8b7fcdf59ab..5802f2b60c1 100644 
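Review bot: getHashFunction's error strings are prefixed with "error getting …", which departs from the style used throughout this file (`"reading key: %w"`, `"getting payload: %w"`, `"signing blob: %w"`) and doubles up once a caller wraps the error. Use `fmt.Errorf("getting public key: %w", err)` and `fmt.Errorf("getting default algorithm details: %w", err)`. The function also derives the hash from the public key plus defaultLoadOptions rather than from the SignerVerifier actually in use, as the TODO concedes; for signers that were not loaded with those options (sign.go only passes them to signerFromKeyRef, not to the security-key or ephemeral-key paths) the two could in principle disagree, which is worth confirming. The three new helpers are complete within the hunk; extractCertificate's tail is context only.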
--- a/cmd/cosign/cli/sign/sign_test.go +++ b/cmd/cosign/cli/sign/sign_test.go @@ -134,7 +134,7 @@ func Test_signerFromKeyRefSuccess(t *testing.T) { ctx := context.Background() keyFile, certFile, chainFile, privKey, cert, chain := generateCertificateFiles(t, tmpDir, pass("foo")) - signer, err := signerFromKeyRef(ctx, certFile, chainFile, keyFile, pass("foo")) + signer, err := signerFromKeyRef(ctx, certFile, chainFile, keyFile, pass("foo"), nil) if err != nil { t.Fatalf("unexpected error generating signer: %v", err) } @@ -173,17 +173,17 @@ func Test_signerFromKeyRefFailure(t *testing.T) { _, certFile2, chainFile2, _, _, _ := generateCertificateFiles(t, tmpDir2, pass("bar")) // Public keys don't match - _, err := signerFromKeyRef(ctx, certFile2, chainFile2, keyFile, pass("foo")) + _, err := signerFromKeyRef(ctx, certFile2, chainFile2, keyFile, pass("foo"), nil) if err == nil || err.Error() != "public key in certificate does not match the provided public key" { t.Fatalf("expected mismatched keys error, got %v", err) } // Certificate chain cannot be verified - _, err = signerFromKeyRef(ctx, certFile, chainFile2, keyFile, pass("foo")) + _, err = signerFromKeyRef(ctx, certFile, chainFile2, keyFile, pass("foo"), nil) if err == nil || !strings.Contains(err.Error(), "unable to validate certificate chain") { t.Fatalf("expected chain verification error, got %v", err) } // Certificate chain specified without certificate - _, err = signerFromKeyRef(ctx, "", chainFile2, keyFile, pass("foo")) + _, err = signerFromKeyRef(ctx, "", chainFile2, keyFile, pass("foo"), nil) if err == nil || !strings.Contains(err.Error(), "no leaf certificate found or provided while specifying chain") { t.Fatalf("expected no leaf error, got %v", err) } 
@@ -203,7 +203,7 @@ func Test_signerFromKeyRefFailureEmptyChainFile(t *testing.T) { t.Fatalf("failed to write chain file: %v", err) } - _, err = signerFromKeyRef(ctx, certFile, tmpChainFile.Name(), keyFile, pass("foo")) + _, err = signerFromKeyRef(ctx, certFile, tmpChainFile.Name(), keyFile, pass("foo"), nil) if err == nil || err.Error() != "no certificates in certificate chain" { t.Fatalf("expected empty chain error, got %v", err) } diff --git a/cmd/cosign/cli/verify/verify_blob_attestation.go b/cmd/cosign/cli/verify/verify_blob_attestation.go index 3dfe570e0ac..b88d185cd15 100644 --- a/cmd/cosign/cli/verify/verify_blob_attestation.go +++ b/cmd/cosign/cli/verify/verify_blob_attestation.go @@ -18,7 +18,6 @@ package verify import ( "context" "crypto" - "crypto/sha256" "crypto/x509" "encoding/base64" "encoding/hex" @@ -178,7 +177,7 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st return err } - payload = internal.NewHashReader(f, sha256.New()) + payload = internal.NewHashReader(f, crypto.SHA256) if _, err := io.ReadAll(&payload); err != nil { return err } diff --git a/internal/pkg/cosign/common.go b/internal/pkg/cosign/common.go index a1aa8ebc35f..44027402e24 100644 --- a/internal/pkg/cosign/common.go +++ b/internal/pkg/cosign/common.go @@ -15,6 +15,7 @@ package cosign import ( + "crypto" "errors" "hash" "io" @@ -39,14 +40,17 @@ func FileExists(filename string) (bool, error) { // HashReader hashes while it reads. type HashReader struct { - r io.Reader - h hash.Hash + r io.Reader + h hash.Hash + ch crypto.Hash } -func NewHashReader(r io.Reader, h hash.Hash) HashReader { +func NewHashReader(r io.Reader, ch crypto.Hash) HashReader { + h := ch.New() return HashReader{ - r: io.TeeReader(r, h), - h: h, + r: io.TeeReader(r, h), + h: h, + ch: ch, } } 
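Review bot: NewHashReader now calls `ch.New()`, which panics rather than returning an error when the requested hash is not linked into the binary, and the constructor's contract does not say so; the verify_blob_attestation.go hunk on this line drops its `crypto/sha256` import, so SHA-256 availability there now rests on another file linking it (keys.go's blank `_ "crypto/sha256"` import, visible on the next line, exists for exactly this reason). A doc comment on the constructor, `// NewHashReader returns a HashReader that hashes everything read from r with ch. ch must be available (see crypto.Hash.Available); otherwise ch.New panics.`, makes the requirement visible to callers. The remaining hunks on this line are test-argument plumbing.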
@@ -67,3 +71,6 @@ func (h *HashReader) BlockSize() int { return h.h.BlockSize() } // Write implements hash.Hash func (h *HashReader) Write(p []byte) (int, error) { return 0, errors.New("not implemented") } //nolint: revive + +// HashFunc implements cosign.NamedHash +func (h *HashReader) HashFunc() crypto.Hash { return h.ch } diff --git a/internal/pkg/cosign/common_test.go b/internal/pkg/cosign/common_test.go index 4a54109e435..4f38e07865c 100644 --- a/internal/pkg/cosign/common_test.go +++ b/internal/pkg/cosign/common_test.go @@ -17,6 +17,7 @@ package cosign import ( "bytes" + "crypto" "crypto/sha256" "io" "os" @@ -55,7 +56,7 @@ func Test_FileExists(t *testing.T) { func Test_HashReader(t *testing.T) { input := []byte("hello world") - r := NewHashReader(bytes.NewReader(input), sha256.New()) + r := NewHashReader(bytes.NewReader(input), crypto.SHA256) got, err := io.ReadAll(&r) if err != nil { diff --git a/pkg/cosign/fuzz_test.go b/pkg/cosign/fuzz_test.go index db56ab11e1f..0ea3e39036b 100644 --- a/pkg/cosign/fuzz_test.go +++ b/pkg/cosign/fuzz_test.go @@ -61,7 +61,7 @@ func FuzzImportKeyPairLoadPrivateKey(f *testing.F) { return } // Loading the private key should also work. - _, err = LoadPrivateKey(keyBytes.PrivateBytes, password) + _, err = LoadPrivateKey(keyBytes.PrivateBytes, password, nil) if err != nil { t.Fatal(err) } diff --git a/pkg/cosign/keys.go b/pkg/cosign/keys.go index ed5bbc16d4b..29d498b6a4a 100644 --- a/pkg/cosign/keys.go +++ b/pkg/cosign/keys.go @@ -19,7 +19,6 @@ import ( "crypto" "crypto/ecdsa" "crypto/ed25519" - "crypto/elliptic" "crypto/rand" "crypto/rsa" _ "crypto/sha256" // for `crypto.SHA256` @@ -32,8 +31,10 @@ import ( "github.com/secure-systems-lab/go-securesystemslib/encrypted" "github.com/sigstore/cosign/v2/pkg/oci/static" + v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" + "github.com/sigstore/sigstore/pkg/signature/options" ) const ( 
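Review bot: The comment `// HashFunc implements cosign.NamedHash` on the new method names an interface from a different package — NamedHash is declared in pkg/cosign/tlog.go later in this patch, while this file is internal/pkg/cosign — and what the method actually satisfies from the standard library is crypto.SignerOpts. Suggest `// HashFunc implements crypto.SignerOpts, reporting the hash function this reader computes; with hash.Hash this lets HashReader satisfy pkg/cosign's NamedHash.` The other hunks on this line are import and call-site plumbing.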
@@ -70,7 +71,48 @@ func (k *KeysBytes) Password() []byte {
 
 // GeneratePrivateKey generates an ECDSA private key with the P-256 curve.
 func GeneratePrivateKey() (*ecdsa.PrivateKey, error) {
-return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+priv, err := GeneratePrivateKeyWithAlgorithm(nil)
+if err != nil {
+return nil, err
+}
+return priv.(*ecdsa.PrivateKey), nil
+}
+
+// GeneratePrivateKeyWithAlgorithm generates a private key for the given algorithm
+func GeneratePrivateKeyWithAlgorithm(algo *signature.AlgorithmDetails) (crypto.PrivateKey, error) {
+var currentAlgo signature.AlgorithmDetails
+if algo == nil {
+var err error
+currentAlgo, err = signature.GetAlgorithmDetails(v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256)
+if err != nil {
+return nil, fmt.Errorf("error getting algorithm details for default algorithm: %w", err)
+}
+} else {
+currentAlgo = *algo
+}
+
+switch currentAlgo.GetKeyType() {
+case signature.ECDSA:
+curve, err := currentAlgo.GetECDSACurve()
+if err != nil {
+return nil, fmt.Errorf("error getting ECDSA curve: %w", err)
+}
+return ecdsa.GenerateKey(*curve, rand.Reader)
+case signature.RSA:
+rsaKeySize, err := currentAlgo.GetRSAKeySize()
+if err != nil {
+return nil, fmt.Errorf("error getting RSA key size: %w", err)
+}
+return rsa.GenerateKey(rand.Reader, int(rsaKeySize))
+case signature.ED25519:
+_, priv, err := ed25519.GenerateKey(rand.Reader)
+if err != nil {
+return nil, fmt.Errorf("error generating ED25519 key: %w", err)
+}
+return priv, nil
+default:
+return nil, fmt.Errorf("unsupported key type: %v", currentAlgo.GetKeyType())
+}
 }
 
 // ImportKeyPair imports a key pair from a file containing a PEM-encoded
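Review bot: GeneratePrivateKey's `priv.(*ecdsa.PrivateKey)` is an unchecked type assertion; it holds today only because a nil algo maps to PKIX_ECDSA_P256_SHA_256 a few lines below, and a later change to that default would turn a wrong key type into a panic. `ecPriv, ok := priv.(*ecdsa.PrivateKey)` / `if !ok { return nil, fmt.Errorf("unexpected key type %T", priv) }` / `return ecPriv, nil` keeps the failure as an error. GeneratePrivateKeyWithAlgorithm's doc comment should also state the nil behaviour and end with a period: `// GeneratePrivateKeyWithAlgorithm generates a private key for the given algorithm; a nil algo selects ECDSA P-256 with SHA-256.`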
@@ -194,6 +236,19 @@ func GenerateKeyPair(pf PassFunc) (*KeysBytes, error) { return marshalKeyPair(SigstorePrivateKeyPemType, Keys{priv, priv.Public()}, pf) } +func GenerateKeyPairWithAlgorithm(algo *signature.AlgorithmDetails, pf PassFunc) (*KeysBytes, error) { + priv, err := GeneratePrivateKeyWithAlgorithm(algo) + if err != nil { + return nil, err + } + signer, ok := priv.(crypto.Signer) + if !ok { + return nil, fmt.Errorf("private key is not a signer verifier") + } + // Emit SIGSTORE keys by default + return marshalKeyPair(SigstorePrivateKeyPemType, Keys{signer, signer.Public()}, pf) +} + // PemToECDSAKey marshals and returns the PEM-encoded ECDSA public key. func PemToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error) { pub, err := cryptoutils.UnmarshalPEMToPublicKey(pemBytes) @@ -209,7 +264,7 @@ func PemToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error) { // LoadPrivateKey loads a cosign PEM private key encrypted with the given passphrase, // and returns a SignerVerifier instance. The private key must be in the PKCS #8 format. -func LoadPrivateKey(key []byte, pass []byte) (signature.SignerVerifier, error) { +func LoadPrivateKey(key []byte, pass []byte, defaultLoadOptions *[]signature.LoadOption) (signature.SignerVerifier, error) { // Decrypt first p, _ := pem.Decode(key) if p == nil { 
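Review bot: The error string `"private key is not a signer verifier"` in GenerateKeyPairWithAlgorithm is inaccurate — the assertion is against crypto.Signer, not a SignerVerifier — and the exported function has no doc comment. Suggest `return nil, fmt.Errorf("private key of type %T does not implement crypto.Signer", priv)` and a comment `// GenerateKeyPairWithAlgorithm is like GenerateKeyPair but generates the key for the given algorithm; a nil algo selects the default.` The LoadPrivateKey hunk on this line is a signature change whose body continues in the next hunk.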
@@ -227,14 +282,18 @@ func LoadPrivateKey(key []byte, pass []byte) (signature.SignerVerifier, error) { if err != nil { return nil, fmt.Errorf("parsing private key: %w", err) } - switch pk := pk.(type) { - case *rsa.PrivateKey: - return signature.LoadRSAPKCS1v15SignerVerifier(pk, crypto.SHA256) - case *ecdsa.PrivateKey: - return signature.LoadECDSASignerVerifier(pk, crypto.SHA256) - case ed25519.PrivateKey: - return signature.LoadED25519SignerVerifier(pk) - default: - return nil, errors.New("unsupported key type") + defaultLoadOptions = GetDefaultLoadOptions(defaultLoadOptions) + return signature.LoadDefaultSignerVerifier(pk, *defaultLoadOptions...) +} + +func GetDefaultLoadOptions(defaultLoadOptions *[]signature.LoadOption) *[]signature.LoadOption { + if defaultLoadOptions == nil { + // Cosign uses ED25519ph by default for ED25519 keys, because that's the + // only available option for hashedrekord entries. This behaviour is + // configurable because we want to maintain compatibility with older + // cosign versions that used PureEd25519 for ED25519 keys (but which did + // not support TLog uploads). + return &[]signature.LoadOption{options.WithED25519ph()} } + return defaultLoadOptions } diff --git a/pkg/cosign/keys_test.go b/pkg/cosign/keys_test.go index f1408da27e5..41ace7df23d 100644 --- a/pkg/cosign/keys_test.go +++ b/pkg/cosign/keys_test.go @@ -339,12 +339,12 @@ func TestLoadECDSAPrivateKey(t *testing.T) { } // Load the private key with the right password - if _, err := LoadPrivateKey(keys.PrivateBytes, []byte("hello")); err != nil { + if _, err := LoadPrivateKey(keys.PrivateBytes, []byte("hello"), nil); err != nil { t.Errorf("unexpected error decrypting key: %s", err) } // Try it with the wrong one - if _, err := LoadPrivateKey(keys.PrivateBytes, []byte("wrong")); err == nil { + if _, err := LoadPrivateKey(keys.PrivateBytes, []byte("wrong"), nil); err == nil { t.Error("expected error decrypting key!") } 
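Review bot: LoadPrivateKey called with a nil defaultLoadOptions now loads Ed25519 keys as Ed25519ph, because GetDefaultLoadOptions returns `options.WithED25519ph()` for nil, whereas the removed switch loaded them with `signature.LoadED25519SignerVerifier`, i.e. pure Ed25519. Every caller that this patch updates to pass nil — including the unchanged public wrapper SignerFromKeyRef in pkg/signature/keys.go, which forwards nil — therefore changes the signature algorithm for Ed25519 keys, and verifiers expecting pure Ed25519 signatures will reject the new ones; that deserves an explicit sentence in LoadPrivateKey's doc comment and in the release notes rather than only the comment inside GetDefaultLoadOptions. GetDefaultLoadOptions is also exported without a doc comment; `// GetDefaultLoadOptions returns defaultLoadOptions unchanged when non-nil, otherwise cosign's default of Ed25519ph for Ed25519 keys.` If the removed `errors.New` was this file's only use of the `errors` import, that import is now unused — I cannot see the rest of the file to confirm.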
@@ -353,7 +353,7 @@ func TestLoadECDSAPrivateKey(t *testing.T) { if _, err := rand.Read(buf[:]); err != nil { t.Fatal(err) } - if _, err := LoadPrivateKey(buf[:], []byte("wrong")); err == nil { + if _, err := LoadPrivateKey(buf[:], []byte("wrong"), nil); err == nil { t.Error("expected error decrypting key!") } } @@ -384,7 +384,7 @@ func TestReadingPrivatePemTypes(t *testing.T) { for _, tc := range testCases { t.Run(tc.pemType, func(t *testing.T) { - _, err := LoadPrivateKey(tc.pemData, []byte("hello")) + _, err := LoadPrivateKey(tc.pemData, []byte("hello"), nil) if tc.expected == nil { require.NoError(t, err) } else { @@ -497,7 +497,7 @@ func TestImportPrivateKey(t *testing.T) { if err == nil || tc.expected == nil { require.Equal(t, tc.expected, err) // Loading the private key should also work. - _, err = LoadPrivateKey(keyBytes.PrivateBytes, []byte("hello")) + _, err = LoadPrivateKey(keyBytes.PrivateBytes, []byte("hello"), nil) require.Equal(t, tc.expected, err) } else { require.Equal(t, tc.expected.Error(), err.Error()) diff --git a/pkg/cosign/tlog.go b/pkg/cosign/tlog.go index bd3c2a897e6..cb8c10de525 100644 --- a/pkg/cosign/tlog.go +++ b/pkg/cosign/tlog.go 
@@ -55,6 +55,36 @@ import ( // This is the rekor transparency log public key target name var rekorTargetStr = `rekor.pub` +type NamedHash interface { + hash.Hash + crypto.SignerOpts +} + +type CryptoNamedHash struct { + hash.Hash + hashType crypto.Hash +} + +func (h CryptoNamedHash) HashFunc() crypto.Hash { + return h.hashType +} + +func NewCryptoNamedHash(hashType crypto.Hash) NamedHash { + return CryptoNamedHash{Hash: hashType.New(), hashType: hashType} +} + +type SHA256NamedHash struct { + hash.Hash +} + +func (h SHA256NamedHash) HashFunc() crypto.Hash { + return crypto.SHA256 +} + +func WrapSHA256Hash(hash hash.Hash) NamedHash { + return SHA256NamedHash{Hash: hash} +} + // TransparencyLogPubKey contains the ECDSA verification key and the current status // of the key according to TUF metadata, whether it's active or expired. type TransparencyLogPubKey struct { @@ -172,7 +202,14 @@ func rekorPubsFromClient(rekorClient *client.Rekor) (*TrustedTransparencyLogPubK // TLogUpload will upload the signature, public key and payload to the transparency log. func TLogUpload(ctx context.Context, rekorClient *client.Rekor, signature []byte, sha256CheckSum hash.Hash, pemBytes []byte) (*models.LogEntryAnon, error) { - re := rekorEntry(sha256CheckSum, signature, pemBytes) + cryptoChecksum := WrapSHA256Hash(sha256CheckSum) + return TLogUploadWithCustomHash(ctx, rekorClient, signature, cryptoChecksum, pemBytes) +} + +// TLogUploadWithCustomHash will upload the signature, public key and payload to +// the transparency log. Clients can use this to specify a custom hash function. +func TLogUploadWithCustomHash(ctx context.Context, rekorClient *client.Rekor, signature []byte, checksum NamedHash, pemBytes []byte) (*models.LogEntryAnon, error) { + re := rekorEntry(checksum, signature, pemBytes) returnVal := models.Hashedrekord{ APIVersion: swag.String(re.APIVersion()), Spec: re.HashedRekordObj, 
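Review bot: In WrapSHA256Hash the parameter is named `hash`, which shadows the `hash` package inside the function body; it compiles because the parameter scope starts after the signature, but it reads as a trap. Rename it: `func WrapSHA256Hash(h hash.Hash) NamedHash { return SHA256NamedHash{Hash: h} }`. NamedHash, CryptoNamedHash, NewCryptoNamedHash, SHA256NamedHash and WrapSHA256Hash are all exported without doc comments; NamedHash in particular should say that it pairs a running hash with the crypto.Hash identifying it so that hashedrekord entries can name the digest algorithm, and NewCryptoNamedHash should note that it panics via `hashType.New()` for a hash that is not linked in. TLogUploadWithCustomHash's body continues past this hunk.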
@@ -231,16 +268,26 @@ func doUpload(ctx context.Context, rekorClient *client.Rekor, pe models.Proposed return nil, errors.New("bad response from server") } -func rekorEntry(sha256CheckSum hash.Hash, signature, pubKey []byte) hashedrekord_v001.V001Entry { - // TODO: Signatures created on a digest using a hash algorithm other than SHA256 will fail - // upload right now. Plumb information on the hash algorithm used when signing from the - // SignerVerifier to use for the HashedRekordObj.Data.Hash.Algorithm. +func rekorEntryHashAlgorithm(checksum crypto.SignerOpts) string { + switch checksum.HashFunc() { + case crypto.SHA256: + return models.HashedrekordV001SchemaDataHashAlgorithmSha256 + case crypto.SHA384: + return models.HashedrekordV001SchemaDataHashAlgorithmSha384 + case crypto.SHA512: + return models.HashedrekordV001SchemaDataHashAlgorithmSha512 + default: + return models.HashedrekordV001SchemaDataHashAlgorithmSha256 + } +} + +func rekorEntry(checksum NamedHash, signature, pubKey []byte) hashedrekord_v001.V001Entry { return hashedrekord_v001.V001Entry{ HashedRekordObj: models.HashedrekordV001Schema{ Data: &models.HashedrekordV001SchemaData{ Hash: &models.HashedrekordV001SchemaDataHash{ - Algorithm: swag.String(models.HashedrekordV001SchemaDataHashAlgorithmSha256), - Value: swag.String(hex.EncodeToString(sha256CheckSum.Sum(nil))), + Algorithm: swag.String(rekorEntryHashAlgorithm(checksum)), + Value: swag.String(hex.EncodeToString(checksum.Sum(nil))), }, }, Signature: &models.HashedrekordV001SchemaSignature{ @@ -393,7 +440,7 @@ func proposedEntries(b64Sig string, payload, pubKey []byte) ([]models.ProposedEn } proposedEntry = []models.ProposedEntry{dsseEntry, intotoEntry} } else { - sha256CheckSum := sha256.New() + sha256CheckSum := NewCryptoNamedHash(crypto.SHA256) if _, err := sha256CheckSum.Write(payload); err != nil { return nil, err } diff --git a/pkg/signature/keys.go b/pkg/signature/keys.go index dfac964725d..a396d096865 100644 --- a/pkg/signature/keys.go 
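Review bot: rekorEntryHashAlgorithm's default branch labels any hash that is not SHA-256/384/512 as `sha256`, so a digest computed with some other algorithm would be submitted to the log under the wrong algorithm name instead of being rejected locally; Rekor may catch the length mismatch server-side, but the client should not depend on that. Better to refuse before building the entry, in TLogUploadWithCustomHash (previous hunk): `if alg := checksum.HashFunc(); alg != crypto.SHA256 && alg != crypto.SHA384 && alg != crypto.SHA512 {` / `return nil, fmt.Errorf("unsupported hash algorithm for hashedrekord entry: %v", alg)` / `}`, leaving the default case unreachable. The proposedEntries hunk's switch to `NewCryptoNamedHash(crypto.SHA256)` is fine as is.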
+++ b/pkg/signature/keys.go @@ -72,7 +72,7 @@ func VerifierForKeyRef(ctx context.Context, keyRef string, hashAlgorithm crypto. return signature.LoadVerifier(pubKey, hashAlgorithm) } -func loadKey(keyPath string, pf cosign.PassFunc) (signature.SignerVerifier, error) { +func loadKey(keyPath string, pf cosign.PassFunc, defaultLoadOptions *[]signature.LoadOption) (signature.SignerVerifier, error) { kb, err := blob.LoadFileOrURL(keyPath) if err != nil { return nil, err @@ -84,7 +84,7 @@ func loadKey(keyPath string, pf cosign.PassFunc) (signature.SignerVerifier, erro return nil, err } } - return cosign.LoadPrivateKey(kb, pass) + return cosign.LoadPrivateKey(kb, pass, defaultLoadOptions) } // LoadPublicKeyRaw loads a verifier from a PEM-encoded public key @@ -97,10 +97,10 @@ func LoadPublicKeyRaw(raw []byte, hashAlgorithm crypto.Hash) (signature.Verifier } func SignerFromKeyRef(ctx context.Context, keyRef string, pf cosign.PassFunc) (signature.Signer, error) { - return SignerVerifierFromKeyRef(ctx, keyRef, pf) + return SignerVerifierFromKeyRef(ctx, keyRef, pf, nil) } -func SignerVerifierFromKeyRef(ctx context.Context, keyRef string, pf cosign.PassFunc) (signature.SignerVerifier, error) { +func SignerVerifierFromKeyRef(ctx context.Context, keyRef string, pf cosign.PassFunc, defaultLoadOptions *[]signature.LoadOption) (signature.SignerVerifier, error) { switch { case strings.HasPrefix(keyRef, pkcs11key.ReferenceScheme): pkcs11UriConfig := pkcs11key.NewPkcs11UriConfig() @@ -129,7 +129,7 @@ func SignerVerifierFromKeyRef(ctx context.Context, keyRef string, pf cosign.Pass } if len(s.Data) > 0 { - return cosign.LoadPrivateKey(s.Data["cosign.key"], s.Data["cosign.password"]) + return cosign.LoadPrivateKey(s.Data["cosign.key"], s.Data["cosign.password"], defaultLoadOptions) } case strings.HasPrefix(keyRef, gitlab.ReferenceScheme): split := strings.Split(keyRef, "://") 
@@ -150,7 +150,7 @@ func SignerVerifierFromKeyRef(ctx context.Context, keyRef string, pf cosign.Pass return nil, err } - return cosign.LoadPrivateKey([]byte(pk), []byte(pass)) + return cosign.LoadPrivateKey([]byte(pk), []byte(pass), defaultLoadOptions) } if strings.Contains(keyRef, "://") { @@ -165,7 +165,7 @@ func SignerVerifierFromKeyRef(ctx context.Context, keyRef string, pf cosign.Pass // ProviderNotFoundError is okay; loadKey handles other URL schemes } - return loadKey(keyRef, pf) + return loadKey(keyRef, pf, defaultLoadOptions) } func PublicKeyFromKeyRef(ctx context.Context, keyRef string) (signature.Verifier, error) { diff --git a/pkg/signature/keys_test.go b/pkg/signature/keys_test.go index 0365aa34911..631625a62a1 100644 --- a/pkg/signature/keys_test.go +++ b/pkg/signature/keys_test.go @@ -135,7 +135,7 @@ func TestSignerVerifierFromEnvVar(t *testing.T) { os.Setenv("MY_ENV_VAR", string(keys.PrivateBytes)) defer os.Unsetenv("MY_ENV_VAR") - if _, err := SignerVerifierFromKeyRef(ctx, "env://MY_ENV_VAR", passFunc); err != nil { + if _, err := SignerVerifierFromKeyRef(ctx, "env://MY_ENV_VAR", passFunc, nil); err != nil { t.Fatalf("SignerVerifierFromKeyRef returned error: %v", err) } } diff --git a/test/e2e_test.go b/test/e2e_test.go index 550ce6418fa..a9606c3304e 100644 --- a/test/e2e_test.go +++ b/test/e2e_test.go @@ -73,6 +73,7 @@ import ( "github.com/sigstore/cosign/v2/pkg/cosign/kubernetes" "github.com/sigstore/cosign/v2/pkg/oci/mutate" ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" + v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" "github.com/sigstore/sigstore-go/pkg/root" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" 
@@ -2328,7 +2329,7 @@ func TestGenerateKeyPairEnvVar(t *testing.T) { if err != nil { t.Fatal(err) } - if _, err := cosign.LoadPrivateKey(keys.PrivateBytes, []byte("foo")); err != nil { + if _, err := cosign.LoadPrivateKey(keys.PrivateBytes, []byte("foo"), nil); err != nil { t.Fatal(err) } } 
@@ -2583,6 +2584,124 @@ func TestSignBlobNewBundle(t *testing.T) { must(verifyBlobCmd.Exec(ctx, blobPath), t) } +func TestSignBlobNewBundleNonDefaultAlgorithm(t *testing.T) { + tts := []struct { + algo v1.PublicKeyDetails + }{ + {v1.PublicKeyDetails_PKIX_ECDSA_P384_SHA_384}, + {v1.PublicKeyDetails_PKIX_ECDSA_P521_SHA_512}, + {v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_2048_SHA256}, + {v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_3072_SHA256}, + {v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_4096_SHA256}, + {v1.PublicKeyDetails_PKIX_ED25519}, + {v1.PublicKeyDetails_PKIX_ED25519_PH}, + } + + td := t.TempDir() + + // set up SIGSTORE_ variables to point to keys for the local instances + err := setLocalEnv(t, td) + if err != nil { + t.Fatal(err) + } + + err = fulcioroots.ReInit() + if err != nil { + t.Fatal(err) + } + + identityToken, err := getOIDCToken() + if err != nil { + t.Fatal(err) + } + + // Use the CreateCmd approach to create a trusted root + rootFile := os.Getenv("SIGSTORE_ROOT_FILE") + ctfePubKey := os.Getenv("SIGSTORE_CT_LOG_PUBLIC_KEY_FILE") + rekorPubKey := os.Getenv("SIGSTORE_REKOR_PUBLIC_KEY") + // Create a temporary file for the trusted root JSON + trustedRootPath := filepath.Join(td, "trustedroot.json") + + // Create a CreateCmd instance + createCmd := trustedroot.CreateCmd{ + CertChain: []string{rootFile}, + Out: trustedRootPath, + RekorKeyPath: []string{rekorPubKey}, + CtfeKeyPath: []string{ctfePubKey}, + } + + // Execute the command to create the trusted root + if err := createCmd.Exec(context.Background()); err != nil { + t.Fatal(err) + } + + for _, tt := range tts { + t.Run(tt.algo.String(), func(t *testing.T) { + td1 := t.TempDir() + + blob := "someblob" + blobPath := filepath.Join(td1, blob) + if err := os.WriteFile(blobPath, []byte(blob), 0644); err != nil { + t.Fatal(err) + } + + bundlePath := filepath.Join(td1, "bundle.sigstore.json") + + ctx := context.Background() + _, privKeyPath, _ := keypairWithAlgorithm(t, td1, tt.algo) + + verifyBlobCmd := 
cliverify.VerifyBlobCmd{ + TrustedRootPath: trustedRootPath, + KeyOpts: options.KeyOpts{ + FulcioURL: fulcioURL, + RekorURL: rekorURL, + PassFunc: passFunc, + BundlePath: bundlePath, + NewBundleFormat: true, + SkipConfirmation: true, + }, + CertVerifyOptions: options.CertVerifyOptions{ + CertOidcIssuerRegexp: ".*", + CertIdentityRegexp: ".*", + }, + } + + // Verify should fail before bundle is written + mustErr(verifyBlobCmd.Exec(ctx, blobPath), t) + + // Produce signed bundle + ko := options.KeyOpts{ + FulcioURL: fulcioURL, + RekorURL: rekorURL, + IDToken: identityToken, + KeyRef: privKeyPath, + PassFunc: passFunc, + BundlePath: bundlePath, + NewBundleFormat: true, + IssueCertificateForExistingKey: true, + SkipConfirmation: true, + } + + if _, err := sign.SignBlobCmd(ro, ko, blobPath, true, "", "", true); err != nil { + t.Fatal(err) + } + + // Copy bundle to /tmp with test name + bundleBytes, err := os.ReadFile(bundlePath) + if err != nil { + t.Fatal(err) + } + tmpBundlePath := filepath.Join("/tmp", fmt.Sprintf("bundle-%s", tt.algo)) + if err := os.WriteFile(tmpBundlePath, bundleBytes, 0644); err != nil { + t.Fatal(err) + } + + // Verify should succeed now that bundle is written + must(verifyBlobCmd.Exec(ctx, blobPath), t) + }) + } +} + func TestSignBlobRFC3161TimestampBundle(t *testing.T) { td := t.TempDir() err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td) diff --git a/test/helpers.go b/test/helpers.go index 393366eedc2..ccaf632c654 100644 --- a/test/helpers.go +++ b/test/helpers.go @@ -58,6 +58,8 @@ import ( "github.com/sigstore/cosign/v2/pkg/cosign/env" ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" sigs "github.com/sigstore/cosign/v2/pkg/signature" + v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" + "github.com/sigstore/sigstore/pkg/signature" ) const ( 
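Review bot: TestSignBlobNewBundleNonDefaultAlgorithm copies every produced bundle to a fixed, predictable path outside the test's temp dir (`filepath.Join("/tmp", fmt.Sprintf("bundle-%s", tt.algo))`, mode 0644); that leaks artifacts from the run, collides between concurrent or repeated runs, and looks like a debugging leftover. Either drop the copy or write into `t.TempDir()`; if the files are meant for manual inspection, say so in the comment and gate the copy behind an environment variable. The `ctx := context.Background()` inside the subtest is fine but could reuse the one the surrounding test already has. The helpers.go import hunk on this line is plumbing.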
@@ -256,7 +258,11 @@ var verifyOffline = func(keyRef, imageRef string, checkClaims bool, annotations var ro = &options.RootOptions{Timeout: options.DefaultTimeout} -func keypair(t *testing.T, td string) (*cosign.KeysBytes, string, string) { +func keypairWithAlgorithm(t *testing.T, td string, publicKeyDetails v1.PublicKeyDetails) (*cosign.KeysBytes, string, string) { + algo, err := signature.GetAlgorithmDetails(publicKeyDetails) + if err != nil { + t.Fatal(err) + } wd, err := os.Getwd() if err != nil { t.Fatal(err) @@ -267,7 +273,7 @@ func keypair(t *testing.T, td string) (*cosign.KeysBytes, string, string) { defer func() { _ = os.Chdir(wd) }() - keys, err := cosign.GenerateKeyPair(passFunc) + keys, err := cosign.GenerateKeyPairWithAlgorithm(&algo, passFunc) if err != nil { t.Fatal(err) } @@ -284,6 +290,10 @@ func keypair(t *testing.T, td string) (*cosign.KeysBytes, string, string) { return keys, privKeyPath, pubKeyPath } +func keypair(t *testing.T, td string) (*cosign.KeysBytes, string, string) { + return keypairWithAlgorithm(t, td, v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256) +} + // convert the given ecdsa.PrivateKey to a PEM encoded string, import into sigstore format, // and write to the given file path. Returns the path to the imported key (/) func importECDSAPrivateKey(t *testing.T, privKey *ecdsa.PrivateKey, td, fname string) string { From 40c308c15a2f2d1503db8810abd5f534ee373949 Mon Sep 17 00:00:00 2001 
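Review bot: `keypairWithAlgorithm` is a new exported-to-the-package helper with no doc comment, and since it now carries the algorithm choice that `keypair` silently defaults to P-256, a one-liner above it would save test authors a read of the body: `// keypairWithAlgorithm generates a cosign key pair for publicKeyDetails (working in td, given the cwd save/restore) and returns the keys plus the private and public key file paths.` The `keypair` wrapper added in the @@ -284 hunk could likewise carry `// keypair is keypairWithAlgorithm with the historical ECDSA P-256/SHA-256 default.` The middle of the function body lies between the hunks and is not visible here.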
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 3 Sep 2025 16:38:46 +0200 Subject: [PATCH 045/136] chore(deps): bump gitlab.com/gitlab-org/api/client-go in the gomod group (#4385) Bumps the gomod group with 1 update: [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go). Updates `gitlab.com/gitlab-org/api/client-go` from 0.142.5 to 0.142.6 - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.142.5...v0.142.6) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.142.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index b8a2b32f4bd..a751e93844f 100644 --- a/go.mod +++ b/go.mod @@ -51,7 +51,7 @@ require ( github.com/theupdateframework/go-tuf/v2 v2.1.1 github.com/transparency-dev/merkle v0.0.2 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 - gitlab.com/gitlab-org/api/client-go v0.142.5 + gitlab.com/gitlab-org/api/client-go v0.142.6 golang.org/x/crypto v0.41.0 golang.org/x/oauth2 v0.30.0 golang.org/x/sync v0.16.0 diff --git a/go.sum b/go.sum index 38f203975e5..3088a8256e1 100644 --- a/go.sum +++ b/go.sum 
@@ -1557,8 +1557,8 @@ github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8u github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI= github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0= github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= -gitlab.com/gitlab-org/api/client-go v0.142.5 h1:zvengEU958Fjwasi1V+9QNRw0viqNKkqUwvFD15XDZI= -gitlab.com/gitlab-org/api/client-go v0.142.5/go.mod h1:Ru5IRauphXt9qwmTzJD7ou1dH7Gc6pnsdFWEiMMpmB0= +gitlab.com/gitlab-org/api/client-go v0.142.6 h1:RjqPb7XxJypn9DzkSTuQUOJN7wpRGXZFH8rJCLj4Bg8= +gitlab.com/gitlab-org/api/client-go v0.142.6/go.mod h1:t02B5oJWYEzalBlYIh+PmEJm2H4LPC/VFM1xks5qtG8= go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80= go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= From 59b9930775e16492a7450da977ee4185165529c8 Mon Sep 17 00:00:00 2001 From: Hayden Date: Wed, 3 Sep 2025 12:21:29 -0700 Subject: [PATCH 046/136] Support self-managed keys when signing with sigstore-go (#4368) * Support self-managed keys when signing with sigstore-go This creates a wrapper around the Keypair interface when a SignerVerifier is provided for signing with KMS or any other provided keys. This also retains support for --issue-certificate to request a certificate for a managed key. Fixes #4327 Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * Add issue-certificate flags to attest and attest-blob This is for uniformity with sign/sign-blob. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * Refactor SignerFromKeyOpts to split Fulcio signer into its own method Now, we can generate a SignerVerifier from a provided key without mandating that we also request a Fulcio certificate when "issue-certificate" is provided. 
Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * Use default options to load key material Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --------- Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --- cmd/cosign/cli/attest.go | 43 ++--- cmd/cosign/cli/attest/attest.go | 8 +- cmd/cosign/cli/attest/attest_blob.go | 72 +++++--- cmd/cosign/cli/attest_blob.go | 53 +++--- cmd/cosign/cli/options/attest.go | 4 + cmd/cosign/cli/options/attest_blob.go | 10 +- cmd/cosign/cli/sign/sign.go | 21 +-- cmd/cosign/cli/sign/sign_blob.go | 71 +++++--- cmd/cosign/cli/signblob.go | 6 +- doc/cosign_attest-blob.md | 1 + doc/cosign_attest.md | 1 + internal/key/svkeypair.go | 122 ++++++++++++++ internal/key/svkeypair_test.go | 229 ++++++++++++++++++++++++++ test/e2e_test.go | 100 +++++++++++ 14 files changed, 637 insertions(+), 104 deletions(-) create mode 100644 internal/key/svkeypair.go create mode 100644 internal/key/svkeypair_test.go diff --git a/cmd/cosign/cli/attest.go b/cmd/cosign/cli/attest.go index 1e98b260fa6..b3744c21424 100644 --- a/cmd/cosign/cli/attest.go +++ b/cmd/cosign/cli/attest.go 
@@ -78,27 +78,28 @@ func Attest() *cobra.Command { } ko := options.KeyOpts{ - KeyRef: o.Key, - PassFunc: generate.GetPass, - Sk: o.SecurityKey.Use, - Slot: o.SecurityKey.Slot, - FulcioURL: o.Fulcio.URL, - IDToken: o.Fulcio.IdentityToken, - FulcioAuthFlow: o.Fulcio.AuthFlow, - InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify, - RekorURL: o.Rekor.URL, - OIDCIssuer: o.OIDC.Issuer, - OIDCClientID: o.OIDC.ClientID, - OIDCClientSecret: oidcClientSecret, - OIDCRedirectURL: o.OIDC.RedirectURL, - OIDCProvider: o.OIDC.Provider, - SkipConfirmation: o.SkipConfirmation, - TSAClientCACert: o.TSAClientCACert, - TSAClientKey: o.TSAClientKey, - TSAClientCert: o.TSAClientCert, - TSAServerName: o.TSAServerName, - TSAServerURL: o.TSAServerURL, - NewBundleFormat: o.NewBundleFormat, + KeyRef: o.Key, + PassFunc: generate.GetPass, + Sk: o.SecurityKey.Use, + Slot: o.SecurityKey.Slot, + FulcioURL: o.Fulcio.URL, + IDToken: o.Fulcio.IdentityToken, + FulcioAuthFlow: o.Fulcio.AuthFlow, + InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify, + RekorURL: o.Rekor.URL, + OIDCIssuer: o.OIDC.Issuer, + OIDCClientID: o.OIDC.ClientID, + OIDCClientSecret: oidcClientSecret, + OIDCRedirectURL: o.OIDC.RedirectURL, + OIDCProvider: o.OIDC.Provider, + SkipConfirmation: o.SkipConfirmation, + TSAClientCACert: o.TSAClientCACert, + TSAClientKey: o.TSAClientKey, + TSAClientCert: o.TSAClientCert, + TSAServerName: o.TSAServerName, + TSAServerURL: o.TSAServerURL, + IssueCertificateForExistingKey: o.IssueCertificate, + NewBundleFormat: o.NewBundleFormat, } if o.Key == "" && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" { // Get the trusted root if using fulcio for signing trustedMaterial, err := cosign.TrustedRoot() diff --git a/cmd/cosign/cli/attest/attest.go b/cmd/cosign/cli/attest/attest.go index 48ad904b656..cf8eac0bff7 100644 --- a/cmd/cosign/cli/attest/attest.go +++ b/cmd/cosign/cli/attest/attest.go 
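Review bot: The trusted-root condition directly below the new `IssueCertificateForExistingKey` field, `if o.Key == "" && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == ""`, still keys only on an empty key, so `--key ... --issue-certificate` with no CT log key in the environment skips loading the trusted root even though a Fulcio certificate (and its SCT) is now requested for that key; signblob.go in this same commit uses `(o.Key == "" || o.IssueCertificate)` for exactly this case, and the new condition in cmd/cosign/cli/attest_blob.go has the same gap in its first clause. If the Fulcio signer relies on `ko.TrustedMaterial` to verify the SCT (as the signblob.go comment suggests), SCT verification for managed keys would fail or be skipped on these two paths. Suggest `if (o.Key == "" || o.IssueCertificate) && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" {` here and `(o.Key == "" || o.IssueCertificate) && env.Getenv(...) == ""` as the first clause in attest_blob.go. The rest of the condition body is outside the hunk.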
@@ -132,10 +132,16 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error { // each access. ref = digest // nolint - sv, err := sign.SignerFromKeyOpts(ctx, c.CertPath, c.CertChainPath, c.KeyOpts) + sv, genKey, err := sign.SignerFromKeyOpts(ctx, c.CertPath, c.CertChainPath, c.KeyOpts) if err != nil { return fmt.Errorf("getting signer: %w", err) } + if genKey || c.IssueCertificateForExistingKey { + sv, err = sign.KeylessSigner(ctx, c.KeyOpts, sv) + if err != nil { + return fmt.Errorf("getting Fulcio signer: %w", err) + } + } defer sv.Close() wrapped := dsse.WrapSigner(sv, types.IntotoPayloadType) dd := cremote.NewDupeDetector(sv) diff --git a/cmd/cosign/cli/attest/attest_blob.go b/cmd/cosign/cli/attest/attest_blob.go index 9cf69592d71..4a49fae0925 100644 --- a/cmd/cosign/cli/attest/attest_blob.go +++ b/cmd/cosign/cli/attest/attest_blob.go @@ -35,6 +35,7 @@ import ( "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor" cosign_sign "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign" "github.com/sigstore/cosign/v2/internal/auth" + "github.com/sigstore/cosign/v2/internal/key" "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa" tsaclient "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client" "github.com/sigstore/cosign/v2/internal/ui" 
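Review bot: When `sign.KeylessSigner` returns an error, the `sv` obtained from `SignerFromKeyOpts` two lines earlier is dropped without being closed, because `defer sv.Close()` is only registered after the new block; for a hardware-token or KMS-backed SignerVerifier that leaks the underlying session. The same shape appears in sign.go @@ -142, sign_blob.go @@ -127 and attest_blob.go @@ -196. Closing on the error path inside the new block, `if err != nil { sv.Close(); return fmt.Errorf("getting Fulcio signer: %w", err) }`, fixes it, assuming KeylessSigner does not take ownership of `sv` on failure (its body is outside this diff). Exec continues past the end of the hunk.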
@@ -157,30 +158,51 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error } if c.SigningConfig != nil { - // TODO(#4327): Only ephemeral keys are currently supported - // Need to add support for self-managed keys (e.g. PKCS11, KMS, on disk) - // and determine if we want to store certificates for those as well. + var keypair sign.Keypair + var ephemeralKeypair bool + var idToken string + var sv *cosign_sign.SignerVerifier + var err error + if c.Sk || c.Slot != "" || c.KeyRef != "" || c.CertPath != "" { - return fmt.Errorf("using a signing config currently only supports signing with ephemeral keys and Fulcio") - } - keypair, err := sign.NewEphemeralKeypair(nil) - if err != nil { - return fmt.Errorf("generating keypair: %w", err) + sv, _, err = cosign_sign.SignerFromKeyOpts(ctx, c.CertPath, c.CertChainPath, c.KeyOpts) + if err != nil { + return fmt.Errorf("getting signer: %w", err) + } + keypair, err = key.NewSignerVerifierKeypair(sv, c.DefaultLoadOptions) + if err != nil { + return fmt.Errorf("creating signerverifier keypair: %w", err) + } + } else { + keypair, err = sign.NewEphemeralKeypair(nil) + if err != nil { + return fmt.Errorf("generating keypair: %w", err) + } + ephemeralKeypair = true } - idToken, err := auth.RetrieveIDToken(ctx, auth.IDTokenConfig{ - TokenOrPath: c.IDToken, - DisableProviders: c.OIDCDisableProviders, - Provider: c.OIDCProvider, - AuthFlow: c.FulcioAuthFlow, - SkipConfirm: c.SkipConfirmation, - OIDCServices: c.SigningConfig.OIDCProviderURLs(), - ClientID: c.OIDCClientID, - ClientSecret: c.OIDCClientSecret, - RedirectURL: c.OIDCRedirectURL, - }) - if err != nil { - return fmt.Errorf("retrieving ID token: %w", err) + defer func() { + if sv != nil { + sv.Close() + } + }() + + if ephemeralKeypair || c.IssueCertificateForExistingKey { + idToken, err = auth.RetrieveIDToken(ctx, auth.IDTokenConfig{ + TokenOrPath: c.IDToken, + DisableProviders: c.OIDCDisableProviders, + Provider: c.OIDCProvider, + AuthFlow: 
c.FulcioAuthFlow, + SkipConfirm: c.SkipConfirmation, + OIDCServices: c.SigningConfig.OIDCProviderURLs(), + ClientID: c.OIDCClientID, + ClientSecret: c.OIDCClientSecret, + RedirectURL: c.OIDCRedirectURL, + }) + if err != nil { + return fmt.Errorf("retrieving ID token: %w", err) + } } + content := &sign.DSSEData{ Data: payload, PayloadType: "application/vnd.in-toto+json", @@ -196,10 +218,16 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error return nil } - sv, err := cosign_sign.SignerFromKeyOpts(ctx, c.CertPath, c.CertChainPath, c.KeyOpts) + sv, genKey, err := cosign_sign.SignerFromKeyOpts(ctx, c.CertPath, c.CertChainPath, c.KeyOpts) if err != nil { return fmt.Errorf("getting signer: %w", err) } + if genKey || c.IssueCertificateForExistingKey { + sv, err = cosign_sign.KeylessSigner(ctx, c.KeyOpts, sv) + if err != nil { + return fmt.Errorf("getting Fulcio signer: %w", err) + } + } defer sv.Close() wrapped := sigstoredsse.WrapSigner(sv, types.IntotoPayloadType) diff --git a/cmd/cosign/cli/attest_blob.go b/cmd/cosign/cli/attest_blob.go index 051294e9511..55f13321c1c 100644 --- a/cmd/cosign/cli/attest_blob.go +++ b/cmd/cosign/cli/attest_blob.go 
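Review bot: In the new signing-config branch of attest_blob.go, the cleanup `defer func() { if sv != nil { sv.Close() } }()` is registered only after the key-loading if/else, so the `return fmt.Errorf("creating signerverifier keypair: %w", err)` path leaves the just-opened `sv` unclosed; sign_blob.go @@ -79 has the identical ordering. Registering the defer immediately after the successful `SignerFromKeyOpts` call inside that branch (`defer sv.Close()`) removes both the gap and the nil check. Separately, `sv, _, err = cosign_sign.SignerFromKeyOpts(...)` discards the generated-key flag; that is sound under the enclosing `c.Sk || c.Slot != "" || c.KeyRef != "" || c.CertPath != ""` guard, but a comment such as `// a key is always configured here, so no ephemeral key is generated` would spare the next reader the same check. The function continues outside the hunk.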
@@ -65,31 +65,36 @@ func AttestBlob() *cobra.Command { } ko := options.KeyOpts{ - KeyRef: o.Key, - PassFunc: generate.GetPass, - Sk: o.SecurityKey.Use, - Slot: o.SecurityKey.Slot, - FulcioURL: o.Fulcio.URL, - IDToken: o.Fulcio.IdentityToken, - FulcioAuthFlow: o.Fulcio.AuthFlow, - InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify, - RekorURL: o.Rekor.URL, - OIDCIssuer: o.OIDC.Issuer, - OIDCClientID: o.OIDC.ClientID, - OIDCClientSecret: oidcClientSecret, - OIDCRedirectURL: o.OIDC.RedirectURL, - OIDCProvider: o.OIDC.Provider, - SkipConfirmation: o.SkipConfirmation, - TSAClientCACert: o.TSAClientCACert, - TSAClientKey: o.TSAClientKey, - TSAClientCert: o.TSAClientCert, - TSAServerName: o.TSAServerName, - TSAServerURL: o.TSAServerURL, - RFC3161TimestampPath: o.RFC3161TimestampPath, - BundlePath: o.BundlePath, - NewBundleFormat: o.NewBundleFormat, + KeyRef: o.Key, + PassFunc: generate.GetPass, + Sk: o.SecurityKey.Use, + Slot: o.SecurityKey.Slot, + FulcioURL: o.Fulcio.URL, + IDToken: o.Fulcio.IdentityToken, + FulcioAuthFlow: o.Fulcio.AuthFlow, + InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify, + RekorURL: o.Rekor.URL, + OIDCIssuer: o.OIDC.Issuer, + OIDCClientID: o.OIDC.ClientID, + OIDCClientSecret: oidcClientSecret, + OIDCRedirectURL: o.OIDC.RedirectURL, + OIDCProvider: o.OIDC.Provider, + SkipConfirmation: o.SkipConfirmation, + TSAClientCACert: o.TSAClientCACert, + TSAClientKey: o.TSAClientKey, + TSAClientCert: o.TSAClientCert, + TSAServerName: o.TSAServerName, + TSAServerURL: o.TSAServerURL, + RFC3161TimestampPath: o.RFC3161TimestampPath, + IssueCertificateForExistingKey: o.IssueCertificate, + BundlePath: o.BundlePath, + NewBundleFormat: o.NewBundleFormat, } - if o.Key == "" && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" { // Get the trusted root if using fulcio for signing + // Fetch a trusted root when: + // * requesting a certificate and no CT log key is provided to verify an SCT + // * using a signing config and signing using 
sigstore-go + if (o.Key == "" && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "") || + (o.UseSigningConfig || o.SigningConfigPath != "") { if o.TrustedRootPath != "" { ko.TrustedMaterial, err = root.NewTrustedRootFromPath(o.TrustedRootPath) if err != nil { diff --git a/cmd/cosign/cli/options/attest.go b/cmd/cosign/cli/options/attest.go index 7b67e4ee563..b602dc9aa33 100644 --- a/cmd/cosign/cli/options/attest.go +++ b/cmd/cosign/cli/options/attest.go @@ -26,6 +26,7 @@ type AttestOptions struct { Key string Cert string CertChain string + IssueCertificate bool NoUpload bool Replace bool SkipConfirmation bool @@ -107,5 +108,8 @@ func (o *AttestOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().BoolVar(&o.RecordCreationTimestamp, "record-creation-timestamp", false, "set the createdAt timestamp in the attestation artifact to the time it was created; by default, cosign sets this to the zero value") + cmd.Flags().BoolVar(&o.IssueCertificate, "issue-certificate", false, + "issue a code signing certificate from Fulcio, even if a key is provided") + cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", false, "attach a Sigstore bundle using OCI referrers API") } diff --git a/cmd/cosign/cli/options/attest_blob.go b/cmd/cosign/cli/options/attest_blob.go index 1e3421bce67..c65585e540b 100644 --- a/cmd/cosign/cli/options/attest_blob.go +++ b/cmd/cosign/cli/options/attest_blob.go @@ -22,9 +22,10 @@ import ( // AttestOptions is the top level wrapper for the attest command. type AttestBlobOptions struct { - Key string - Cert string - CertChain string + Key string + Cert string + CertChain string + IssueCertificate bool SkipConfirmation bool TlogUpload bool 
@@ -144,4 +145,7 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.RFC3161TimestampPath, "rfc3161-timestamp-bundle", "", "path to an RFC 3161 timestamp bundle FILE") // _ = cmd.MarkFlagFilename("rfc3161-timestamp-bundle") // no typical extensions + + cmd.Flags().BoolVar(&o.IssueCertificate, "issue-certificate", false, + "issue a code signing certificate from Fulcio, even if a key is provided") } diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go index f3a2c31cc5a..c66b87330bc 100644 --- a/cmd/cosign/cli/sign/sign.go +++ b/cmd/cosign/cli/sign/sign.go @@ -142,10 +142,16 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, signOpts options.SignO ctx, cancel := context.WithTimeout(context.Background(), ro.Timeout) defer cancel() - sv, err := SignerFromKeyOpts(ctx, signOpts.Cert, signOpts.CertChain, ko) + sv, genKey, err := SignerFromKeyOpts(ctx, signOpts.Cert, signOpts.CertChain, ko) if err != nil { return fmt.Errorf("getting signer: %w", err) } + if genKey || ko.IssueCertificateForExistingKey { + sv, err = KeylessSigner(ctx, ko, sv) + if err != nil { + return fmt.Errorf("getting Fulcio signer: %w", err) + } + } defer sv.Close() dd := cremote.NewDupeDetector(sv) @@ -640,7 +646,7 @@ func adaptSignerVerifierToFulcio(sv *SignerVerifier) (*SignerVerifier, error) { return sv, nil } -func keylessSigner(ctx context.Context, ko options.KeyOpts, sv *SignerVerifier) (*SignerVerifier, error) { +func KeylessSigner(ctx context.Context, ko options.KeyOpts, sv *SignerVerifier) (*SignerVerifier, error) { var ( k *fulcio.Signer err error 
@@ -668,7 +674,7 @@ func keylessSigner(ctx context.Context, ko options.KeyOpts, sv *SignerVerifier) }, nil } -func SignerFromKeyOpts(ctx context.Context, certPath string, certChainPath string, ko options.KeyOpts) (*SignerVerifier, error) { +func SignerFromKeyOpts(ctx context.Context, certPath string, certChainPath string, ko options.KeyOpts) (*SignerVerifier, bool, error) { var sv *SignerVerifier var err error genKey := false @@ -683,14 +689,9 @@ func SignerFromKeyOpts(ctx context.Context, certPath string, certChainPath strin sv, err = signerFromNewKey() } if err != nil { - return nil, err + return nil, false, err } - - if ko.IssueCertificateForExistingKey || genKey { - return keylessSigner(ctx, ko, sv) - } - - return sv, nil + return sv, genKey, nil } type SignerVerifier struct { diff --git a/cmd/cosign/cli/sign/sign_blob.go b/cmd/cosign/cli/sign/sign_blob.go index b3d8103cdda..6d918650123 100644 --- a/cmd/cosign/cli/sign/sign_blob.go +++ b/cmd/cosign/cli/sign/sign_blob.go @@ -32,6 +32,7 @@ import ( "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor" "github.com/sigstore/cosign/v2/internal/auth" + "github.com/sigstore/cosign/v2/internal/key" internal "github.com/sigstore/cosign/v2/internal/pkg/cosign" "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa" "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client" 
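Review bot: `KeylessSigner` becomes exported and `SignerFromKeyOpts` gains a third result, but neither carries a doc comment describing the new contract, and changing the signature of an exported function in `cmd/cosign/cli/sign` breaks any external caller of the old two-value form (worth a note in the commit message if that package is considered public). Suggest `// SignerFromKeyOpts loads the signer selected by ko, generating an ephemeral key in the default case; the bool reports whether a key was generated, in which case the caller must obtain a certificate via KeylessSigner.` above the signature, and `// KeylessSigner returns sv wrapped with a Fulcio-issued certificate obtained for the identity configured in ko.` above the renamed function, adjusted to what its body (outside this hunk) actually does.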
@@ -79,29 +80,49 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string } if ko.SigningConfig != nil { - // TODO(#4327): Only ephemeral keys are currently supported - // Need to add support for self-managed keys (e.g. PKCS11, KMS, on disk) - // and determine if we want to store certificates for those as well. + var keypair sign.Keypair + var ephemeralKeypair bool + var idToken string + var sv *SignerVerifier + var err error + if ko.Sk || ko.Slot != "" || ko.KeyRef != "" { - return nil, fmt.Errorf("using a signing config currently only supports signing with ephemeral keys and Fulcio") - } - keypair, err := sign.NewEphemeralKeypair(nil) - if err != nil { - return nil, fmt.Errorf("generating keypair: %w", err) + sv, _, err = SignerFromKeyOpts(ctx, "", "", ko) + if err != nil { + return nil, fmt.Errorf("getting signer: %w", err) + } + keypair, err = key.NewSignerVerifierKeypair(sv, ko.DefaultLoadOptions) + if err != nil { + return nil, fmt.Errorf("creating signerverifier keypair: %w", err) + } + } else { + keypair, err = sign.NewEphemeralKeypair(nil) + if err != nil { + return nil, fmt.Errorf("generating keypair: %w", err) + } + ephemeralKeypair = true } - idToken, err := auth.RetrieveIDToken(ctx, auth.IDTokenConfig{ - TokenOrPath: ko.IDToken, - DisableProviders: ko.OIDCDisableProviders, - Provider: ko.OIDCProvider, - AuthFlow: ko.FulcioAuthFlow, - SkipConfirm: ko.SkipConfirmation, - OIDCServices: ko.SigningConfig.OIDCProviderURLs(), - ClientID: ko.OIDCClientID, - ClientSecret: ko.OIDCClientSecret, - RedirectURL: ko.OIDCRedirectURL, - }) - if err != nil { - return nil, fmt.Errorf("retrieving ID token: %w", err) + defer func() { + if sv != nil { + sv.Close() + } + }() + + if ephemeralKeypair || ko.IssueCertificateForExistingKey { + idToken, err = auth.RetrieveIDToken(ctx, auth.IDTokenConfig{ + TokenOrPath: ko.IDToken, + DisableProviders: ko.OIDCDisableProviders, + Provider: ko.OIDCProvider, + AuthFlow: ko.FulcioAuthFlow, + SkipConfirm: 
ko.SkipConfirmation, + OIDCServices: ko.SigningConfig.OIDCProviderURLs(), + ClientID: ko.OIDCClientID, + ClientSecret: ko.OIDCClientSecret, + RedirectURL: ko.OIDCRedirectURL, + }) + if err != nil { + return nil, fmt.Errorf("retrieving ID token: %w", err) + } } payload, closePayload, err := getPayload(ctx, payloadPath, protoHashAlgoToHash(keypair.GetHashAlgorithm())) @@ -127,10 +148,16 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string return bundle, nil } - sv, err := SignerFromKeyOpts(ctx, "", "", ko) + sv, genKey, err := SignerFromKeyOpts(ctx, "", "", ko) if err != nil { return nil, err } + if genKey || ko.IssueCertificateForExistingKey { + sv, err = KeylessSigner(ctx, ko, sv) + if err != nil { + return nil, fmt.Errorf("getting Fulcio signer: %w", err) + } + } defer sv.Close() hashFunction, err := getHashFunction(sv, ko.DefaultLoadOptions) diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go index 90b886fef2b..2f3fe8a21fc 100644 --- a/cmd/cosign/cli/signblob.go +++ b/cmd/cosign/cli/signblob.go @@ -100,7 +100,11 @@ func SignBlob() *cobra.Command { RFC3161TimestampPath: o.RFC3161TimestampPath, IssueCertificateForExistingKey: o.IssueCertificate, } - if (o.Key == "" || o.IssueCertificate) && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" { + // Fetch a trusted root when: + // * requesting a certificate and no CT log key is provided to verify an SCT + // * using a signing config and signing using sigstore-go + if ((o.Key == "" || o.IssueCertificate) && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "") || + (o.UseSigningConfig || o.SigningConfigPath != "") { if o.TrustedRootPath != "" { ko.TrustedMaterial, err = root.NewTrustedRootFromPath(o.TrustedRootPath) if err != nil { diff --git a/doc/cosign_attest-blob.md b/doc/cosign_attest-blob.md index 64242c4e830..6836ded3ba5 100644 --- a/doc/cosign_attest-blob.md +++ b/doc/cosign_attest-blob.md 
@@ -42,6 +42,7 @@ cosign attest-blob [flags] -h, --help help for attest-blob --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted. --insecure-skip-verify skip verifying fulcio published to the SCT (this should only be used for testing). + --issue-certificate issue a code signing certificate from Fulcio, even if a key is provided --key string path to the private key file, KMS URI or Kubernetes Secret --new-bundle-format output bundle in new format that contains all verification material --oidc-client-id string OIDC client ID for application (default "sigstore") diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md index 5ad9f4e70f4..1189513a92b 100644 --- a/doc/cosign_attest.md +++ b/doc/cosign_attest.md @@ -58,6 +58,7 @@ cosign attest [flags] -h, --help help for attest --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted. --insecure-skip-verify skip verifying fulcio published to the SCT (this should only be used for testing). + --issue-certificate issue a code signing certificate from Fulcio, even if a key is provided --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). --key string path to the private key file, KMS URI or Kubernetes Secret --new-bundle-format attach a Sigstore bundle using OCI referrers API diff --git a/internal/key/svkeypair.go b/internal/key/svkeypair.go new file mode 100644 index 00000000000..2bcdcc608f3 --- /dev/null +++ b/internal/key/svkeypair.go 
@@ -0,0 +1,122 @@
+// Copyright 2025 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package key
+
+import (
+	"bytes"
+	"context"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/base64"
+	"errors"
+	"fmt"
+
+	"github.com/sigstore/cosign/v2/pkg/cosign"
+	protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
+	"github.com/sigstore/sigstore/pkg/signature"
+	signatureoptions "github.com/sigstore/sigstore/pkg/signature/options"
+)
+
+// SignerVerifierKeypair is a wrapper around a SignerVerifier that implements
+// sigstore-go's Keypair interface.
+type SignerVerifierKeypair struct {
+	sv     signature.SignerVerifier
+	hint   []byte
+	keyAlg string
+	sigAlg signature.AlgorithmDetails
+}
+
+// NewSignerVerifierKeypair creates a new SignerVerifierKeypair from a SignerVerifier.
+func NewSignerVerifierKeypair(sv signature.SignerVerifier, defaultLoadOptions *[]signature.LoadOption) (*SignerVerifierKeypair, error) {
+	pubKey, err := sv.PublicKey()
+	if err != nil {
+		return nil, fmt.Errorf("getting public key: %w", err)
+	}
+	pubKeyBytes, err := x509.MarshalPKIXPublicKey(pubKey)
+	if err != nil {
+		return nil, fmt.Errorf("marshalling public key: %w", err)
+	}
+	hashedBytes := sha256.Sum256(pubKeyBytes)
+	hint := []byte(base64.StdEncoding.EncodeToString(hashedBytes[:]))
+
+	var keyAlg string
+	switch pubKey.(type) {
+	case *ecdsa.PublicKey:
+		keyAlg = "ECDSA"
+	case *rsa.PublicKey:
+		keyAlg = "RSA"
+	case ed25519.PublicKey:
+		keyAlg = "ED25519"
+	default:
+		return nil, errors.New("unsupported key type")
+	}
+
+	algo, err := signature.GetDefaultAlgorithmDetails(pubKey, *cosign.GetDefaultLoadOptions(defaultLoadOptions)...)
+	if err != nil {
+		return nil, fmt.Errorf("getting default algorithm details: %w", err)
+	}
+
+	return &SignerVerifierKeypair{
+		sv:     sv,
+		hint:   hint,
+		keyAlg: keyAlg,
+		sigAlg: algo,
+	}, nil
+}
+
+// GetHashAlgorithm returns the hash algorithm to generate the digest to be signed.
+func (k *SignerVerifierKeypair) GetHashAlgorithm() protocommon.HashAlgorithm {
+	return k.sigAlg.GetProtoHashType()
+}
+
+// GetHint returns a hint for the public key.
+func (k *SignerVerifierKeypair) GetHint() []byte {
+	return k.hint
+}
+
+// GetKeyAlgorithm returns the key algorithm, to be used in requests to Fulcio.
+func (k *SignerVerifierKeypair) GetKeyAlgorithm() string {
+	return k.keyAlg
+}
+
+// GetPublicKeyPem returns the public key in PEM format.
+func (k *SignerVerifierKeypair) GetPublicKeyPem() (string, error) {
+	pubKey, err := k.sv.PublicKey()
+	if err != nil {
+		return "", err
+	}
+	pemBytes, err := cryptoutils.MarshalPublicKeyToPEM(pubKey)
+	if err != nil {
+		return "", err
+	}
+	return string(pemBytes), nil
+}
+
+// SignData signs the given data with the SignerVerifier.
+func (k *SignerVerifierKeypair) SignData(ctx context.Context, data []byte) ([]byte, []byte, error) {
+	h := k.sigAlg.GetHashType().New()
+	h.Write(data)
+	digest := h.Sum(nil)
+	sOpts := []signature.SignOption{signatureoptions.WithContext(ctx), signatureoptions.WithDigest(digest)}
+	sig, err := k.sv.SignMessage(bytes.NewReader(data), sOpts...)
+	if err != nil {
+		return nil, nil, err
+	}
+	return sig, digest, nil
+}
diff --git a/internal/key/svkeypair_test.go b/internal/key/svkeypair_test.go
new file mode 100644
index 00000000000..f1378aa07d2
--- /dev/null
+++ b/internal/key/svkeypair_test.go
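Review bot: The `default: return nil, errors.New("unsupported key type")` arm of the type switch in `NewSignerVerifierKeypair` is only reachable for key types that `x509.MarshalPKIXPublicKey` already accepts (in practice `*ecdh.PublicKey`), because any other type fails a few lines earlier with x509's own "unsupported public key type" error; the unit test's "Unsupported key type" case asserts that x509 message, not this one, so the arm is untested and the two messages disagree. Moving the switch ahead of the marshalling call (or aligning the message) makes the code's own error the one callers and the test observe. In `SignData`, `k.sigAlg.GetHashType().New()` panics if the registry reports no hash for the key (`crypto.Hash(0)`, which I believe is what `GetDefaultAlgorithmDetails` returns for pure Ed25519 — please confirm), and the test file covers SignData only with P-256; a guard such as `if !k.sigAlg.GetHashType().Available() { return nil, nil, errors.New("no hash algorithm registered for key") }` turns that into an error until pure Ed25519 is handled explicitly. `GetPublicKeyPem` also calls `k.sv.PublicKey()` on every invocation, which for a KMS-backed SignerVerifier is a remote round-trip; the key already fetched in the constructor could be kept on the struct and reused.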
@@ -0,0 +1,229 @@ +// Copyright 2025 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package key + +import ( + "bytes" + "context" + "crypto" + "crypto/ecdsa" + "crypto/ed25519" + "crypto/elliptic" + "crypto/rand" + "crypto/rsa" + "crypto/sha256" + "crypto/x509" + "encoding/base64" + "errors" + "io" + "strings" + "testing" + + protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" + "github.com/sigstore/sigstore/pkg/cryptoutils" + "github.com/sigstore/sigstore/pkg/signature" +) + +// mockSignerVerifier is a mock implementation of signature.SignerVerifier for testing. 
+type mockSignerVerifier struct { + pubKey crypto.PublicKey + pubKeyErr error + signErr error +} + +func (m *mockSignerVerifier) PublicKey(_ ...signature.PublicKeyOption) (crypto.PublicKey, error) { + if m.pubKeyErr != nil { + return nil, m.pubKeyErr + } + return m.pubKey, nil +} + +func (m *mockSignerVerifier) SignMessage(_ io.Reader, _ ...signature.SignOption) ([]byte, error) { + if m.signErr != nil { + return nil, m.signErr + } + return []byte("mock-signature"), nil +} + +func (m *mockSignerVerifier) VerifySignature(_, _ io.Reader, _ ...signature.VerifyOption) error { + return errors.New("not implemented") +} + +func TestNewKMSKeypair(t *testing.T) { + ecdsaPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + t.Fatalf("failed to generate ecdsa key: %v", err) + } + rsaPriv, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + t.Fatalf("failed to generate rsa key: %v", err) + } + _, ed25519Priv, err := ed25519.GenerateKey(rand.Reader) + if err != nil { + t.Fatalf("failed to generate ed25519 key: %v", err) + } + + testCases := []struct { + name string + sv signature.SignerVerifier + expectErr bool + errMsg string + }{ + { + name: "ECDSA key", + sv: &mockSignerVerifier{ + pubKey: &ecdsaPriv.PublicKey, + }, + expectErr: false, + }, + { + name: "RSA key", + sv: &mockSignerVerifier{ + pubKey: &rsaPriv.PublicKey, + }, + expectErr: false, + }, + { + name: "ED25519 key", + sv: &mockSignerVerifier{ + pubKey: ed25519Priv.Public(), + }, + expectErr: false, + }, + { + name: "Unsupported key type", + sv: &mockSignerVerifier{ + pubKey: "not a key", + }, + expectErr: true, + errMsg: "unsupported public key type", + }, + { + name: "PublicKey returns error", + sv: &mockSignerVerifier{ + pubKeyErr: errors.New("pubkey error"), + }, + expectErr: true, + errMsg: "getting public key: pubkey error", + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + kp, err := NewSignerVerifierKeypair(tc.sv, nil) + if tc.expectErr { + 
if err == nil { + t.Errorf("expected an error, but got none") + } else if !strings.Contains(err.Error(), tc.errMsg) { + t.Errorf("expected error message '%s', got '%s'", tc.errMsg, err.Error()) + } + } else { + if err != nil { + t.Errorf("unexpected error: %v", err) + } + if kp == nil { + t.Error("expected a keypair, but got nil") + } + } + }) + } +} + +func TestKMSKeypair_Methods(t *testing.T) { + ecdsaPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + t.Fatalf("failed to generate ecdsa key: %v", err) + } + sv := &mockSignerVerifier{pubKey: &ecdsaPriv.PublicKey} + kp, err := NewSignerVerifierKeypair(sv, nil) + if err != nil { + t.Fatalf("failed to create KMSKeypair: %v", err) + } + + t.Run("GetHashAlgorithm", func(t *testing.T) { + if kp.GetHashAlgorithm() != protocommon.HashAlgorithm_SHA2_256 { + t.Errorf("expected SHA2_256, got %v", kp.GetHashAlgorithm()) + } + }) + + t.Run("GetHint", func(t *testing.T) { + pubKeyBytes, err := x509.MarshalPKIXPublicKey(&ecdsaPriv.PublicKey) + if err != nil { + t.Fatalf("marshalling public key: %v", err) + } + hashedBytes := sha256.Sum256(pubKeyBytes) + expectedHint := base64.StdEncoding.EncodeToString(hashedBytes[:]) + + if string(kp.GetHint()) != expectedHint { + t.Errorf("expected hint %s, got %s", expectedHint, string(kp.GetHint())) + } + }) + + t.Run("GetKeyAlgorithm", func(t *testing.T) { + if kp.GetKeyAlgorithm() != "ECDSA" { + t.Errorf("expected ECDSA, got %s", kp.GetKeyAlgorithm()) + } + }) + + t.Run("GetPublicKeyPem", func(t *testing.T) { + pem, err := kp.GetPublicKeyPem() + if err != nil { + t.Fatalf("GetPublicKeyPem returned an error: %v", err) + } + pub, err := cryptoutils.UnmarshalPEMToPublicKey([]byte(pem)) + if err != nil { + t.Fatalf("failed to unmarshal pem: %v", err) + } + if !pub.(*ecdsa.PublicKey).Equal(&ecdsaPriv.PublicKey) { + t.Error("public keys do not match") + } + }) + + t.Run("SignData", func(t *testing.T) { + data := []byte("some data to sign") + sig, digest, err := 
kp.SignData(context.Background(), data) + if err != nil { + t.Fatalf("SignData returned an error: %v", err) + } + if string(sig) != "mock-signature" { + t.Errorf("expected signature 'mock-signature', got '%s'", string(sig)) + } + + h := sha256.New() + h.Write(data) + expectedDigest := h.Sum(nil) + if !bytes.Equal(digest, expectedDigest) { + t.Errorf("expected digest %x, got %x", expectedDigest, digest) + } + }) + + t.Run("SignData with error", func(t *testing.T) { + errSV := &mockSignerVerifier{ + pubKey: &ecdsaPriv.PublicKey, + signErr: errors.New("signing failed"), + } + errKP, err := NewSignerVerifierKeypair(errSV, nil) + if err != nil { + t.Fatalf("failed to create KMSKeypair: %v", err) + } + + _, _, err = errKP.SignData(context.Background(), []byte("data")) + if err == nil { + t.Error("expected an error, but got none") + } else if err.Error() != "signing failed" { + t.Errorf("expected error 'signing failed', got '%s'", err.Error()) + } + }) +} diff --git a/test/e2e_test.go b/test/e2e_test.go index a9606c3304e..51536a85840 100644 --- a/test/e2e_test.go +++ b/test/e2e_test.go 
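Review bot: The test names `TestNewKMSKeypair` and `TestKMSKeypair_Methods` and the `failed to create KMSKeypair` messages refer to a type that does not exist in this package — the type under test is `SignerVerifierKeypair` — so they read as stale from an earlier draft; renaming to `TestNewSignerVerifierKeypair` and `TestSignerVerifierKeypair_Methods` keeps `go test -run` discovery in line with the code. Coverage-wise, `GetHashAlgorithm` and `SignData` are exercised only with the P-256 key, while the RSA and Ed25519 signers built at the top of the first test are used for construction alone; reusing them in a small table for those two methods would pin the per-algorithm hash choice rather than leave it assumed.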
@@ -971,6 +971,106 @@ func TestSignVerifyWithSigningConfig(t *testing.T) { must(err, t) } +func TestSignVerifyWithSigningConfigWithKey(t *testing.T) { + tufLocalCache := t.TempDir() + t.Setenv("TUF_ROOT", tufLocalCache) + tufMirror := t.TempDir() + viper.Set("timestamp-signer", "memory") + viper.Set("timestamp-signer-hash", "sha256") + tsaAPIServer := server.NewRestAPIServer("localhost", 0, []string{"http"}, false, 10*time.Second, 10*time.Second) + tsaServer := httptest.NewServer(tsaAPIServer.GetHandler()) + t.Cleanup(tsaServer.Close) + tufServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + http.FileServer(http.Dir(tufMirror)).ServeHTTP(w, r) + })) + mirror := tufServer.URL + trustedRoot := prepareTrustedRoot(t, tsaServer.URL) + signingConfigStr := prepareSigningConfig(t, fulcioURL, rekorURL, "unused", tsaServer.URL+"/api/v1/timestamp") + + _, err := newTUF(tufMirror, []targetInfo{ + { + name: "trusted_root.json", + source: trustedRoot, + }, + { + name: "signing_config.v0.2.json", + source: signingConfigStr, + }, + }) + must(err, t) + + ctx := context.Background() + + rootPath := filepath.Join(tufMirror, "1.root.json") + must(initialize.DoInitialize(ctx, rootPath, mirror), t) + + _, privKeyPath, pubKeyPath := keypair(t, t.TempDir()) + + ko := options.KeyOpts{ + PassFunc: passFunc, + SkipConfirmation: true, + } + trustedMaterial, err := cosign.TrustedRoot() + must(err, t) + ko.TrustedMaterial = trustedMaterial + signingConfig, err := cosign.SigningConfig() + must(err, t) + ko.SigningConfig = signingConfig + + // Sign a blob using a provided key + blob := "someblob" + blobDir := t.TempDir() + bp := filepath.Join(blobDir, blob) + if err := os.WriteFile(bp, []byte(blob), 0644); err != nil { + t.Fatal(err) + } + bundlePath := filepath.Join(blobDir, "bundle.json") + ko.NewBundleFormat = true + ko.BundlePath = bundlePath + ko.KeyRef = privKeyPath + + _, err = sign.SignBlobCmd(ro, ko, bp, false, "", "", true) + must(err, t) + + // 
Verify a blob with the key in the trusted root + ko.KeyRef = pubKeyPath + verifyBlobCmd := cliverify.VerifyBlobCmd{ + KeyOpts: ko, + } + err = verifyBlobCmd.Exec(ctx, bp) + must(err, t) + + // Sign an attestation with a provided key + statement := `{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"someblob","digest":{"alg":"7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3"}}],"predicateType":"something","predicate":{}}` + attestDir := t.TempDir() + statementPath := filepath.Join(attestDir, "statement") + if err := os.WriteFile(statementPath, []byte(statement), 0644); err != nil { + t.Fatal(err) + } + attBundlePath := filepath.Join(attestDir, "attest.bundle.json") + ko.NewBundleFormat = true + ko.BundlePath = attBundlePath + ko.KeyRef = privKeyPath + + attestBlobCmd := attest.AttestBlobCommand{ + KeyOpts: ko, + RekorEntryType: "dsse", + StatementPath: statementPath, + } + must(attestBlobCmd.Exec(ctx, bp), t) + + // Verify an attestation with the key in the trusted root + ko.KeyRef = pubKeyPath + verifyBlobAttestationCmd := cliverify.VerifyBlobAttestationCommand{ + KeyOpts: ko, + Digest: "7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3", + DigestAlg: "alg", + CheckClaims: true, + } + err = verifyBlobAttestationCmd.Exec(ctx, "") + must(err, t) +} + func TestSignVerifyBundle(t *testing.T) { td := t.TempDir() repo, stop := reg(t) From eed2a117b8e707d702f43e113bc3488a4e3af457 Mon Sep 17 00:00:00 2001 
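Review bot: The in-toto statement written at `statement := ...` keys the subject digest as `"alg"` and the verifier is then handed `DigestAlg: "alg"`, so this case presumably passes because the supplied algorithm/digest pair is matched literally against the statement rather than because a real SHA-256 of `someblob` is recomputed; a reader will otherwise take `alg` for a typo. A short comment above the statement, `// The digest algorithm name is deliberately arbitrary: verify-blob-attestation matches the supplied --digest/--digest-alg pair against the subject literally.`, would record that intent. The call `sign.SignBlobCmd(ro, ko, bp, false, "", "", true)` passes four positional literals whose meaning is opaque at the call site; naming them in a trailing comment (e.g. `// b64=false, outputSig="", outputCert="", tlogUpload=true` — confirm against the signature) would make the test easier to maintain.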
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Sep 2025 10:18:41 -0700 Subject: [PATCH 047/136] chore(deps): bump chainguard-dev/actions in the actions group (#4376) Bumps the actions group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `chainguard-dev/actions` from 1.4.12 to 1.4.13 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](https://github.com/chainguard-dev/actions/compare/be7b31a01af8ce7228fe901326f1d223fb788e14...3caedd3784c809ba873cbb8c6a12e2bc6bf6ab09) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.4.13 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/donotsubmit.yaml | 2 +- .github/workflows/e2e-tests.yml | 4 ++-- .github/workflows/kind-verify-attestation.yaml | 2 +- .github/workflows/tests.yaml | 2 +- .github/workflows/whitespace.yaml | 4 ++-- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml index 43752375256..30515131430 100644 --- a/.github/workflows/donotsubmit.yaml +++ b/.github/workflows/donotsubmit.yaml @@ -40,4 +40,4 @@ jobs: persist-credentials: false - name: Do Not Submit - uses: chainguard-dev/actions/donotsubmit@be7b31a01af8ce7228fe901326f1d223fb788e14 # v1.4.12 + uses: chainguard-dev/actions/donotsubmit@3caedd3784c809ba873cbb8c6a12e2bc6bf6ab09 # v1.4.13 diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index ae8cf5dee11..a4ff31d92f7 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml 
@@ -149,7 +149,7 @@ jobs: cache: false - name: Setup mirror - uses: chainguard-dev/actions/setup-mirror@be7b31a01af8ce7228fe901326f1d223fb788e14 # v1.4.12 + uses: chainguard-dev/actions/setup-mirror@3caedd3784c809ba873cbb8c6a12e2bc6bf6ab09 # v1.4.13 with: mirror: mirror.gcr.io @@ -239,4 +239,4 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@be7b31a01af8ce7228fe901326f1d223fb788e14 # v1.4.12 + uses: chainguard-dev/actions/kind-diag@3caedd3784c809ba873cbb8c6a12e2bc6bf6ab09 # v1.4.13 diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml index e370545704e..009d5dd798d 100644 --- a/.github/workflows/kind-verify-attestation.yaml +++ b/.github/workflows/kind-verify-attestation.yaml @@ -161,7 +161,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@be7b31a01af8ce7228fe901326f1d223fb788e14 # v1.4.12 + uses: chainguard-dev/actions/kind-diag@3caedd3784c809ba873cbb8c6a12e2bc6bf6ab09 # v1.4.13 - name: Create vuln attestation for it run: | diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 69cec480033..2e7b129eac2 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -184,7 +184,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@be7b31a01af8ce7228fe901326f1d223fb788e14 # v1.4.12 + uses: chainguard-dev/actions/kind-diag@3caedd3784c809ba873cbb8c6a12e2bc6bf6ab09 # v1.4.13 e2e-windows-powershell-tests: name: Run PowerShell E2E tests diff --git a/.github/workflows/whitespace.yaml b/.github/workflows/whitespace.yaml index 6d40d652aad..fa1f399e442 100644 --- a/.github/workflows/whitespace.yaml +++ b/.github/workflows/whitespace.yaml 
@@ -38,8 +38,8 @@ jobs: with: persist-credentials: false - - uses: chainguard-dev/actions/trailing-space@be7b31a01af8ce7228fe901326f1d223fb788e14 # v1.4.12 + - uses: chainguard-dev/actions/trailing-space@3caedd3784c809ba873cbb8c6a12e2bc6bf6ab09 # v1.4.13 if: ${{ always() }} - - uses: chainguard-dev/actions/eof-newline@be7b31a01af8ce7228fe901326f1d223fb788e14 # v1.4.12 + - uses: chainguard-dev/actions/eof-newline@3caedd3784c809ba873cbb8c6a12e2bc6bf6ab09 # v1.4.13 if: ${{ always() }} From a2cbedabccb0a99cb3116b7f59244aa58ce7a81d Mon Sep 17 00:00:00 2001 From: Hayden Date: Thu, 4 Sep 2025 13:32:50 -0700 Subject: [PATCH 048/136] Add support for SigningConfig in sign/attest (#4371) * Add support for SigningConfig in sign/attest This will indirectly add support for signing with Rekor v2, since signing will be handled by sigstore-go rather than Cosign. This also brings sign/attest up to par with sign-blob/attest-blob with respect to signing with a key and providing a trusted root when providing a signing config. This feature is gated behind one of two signing config flags, which in a later version of Cosign will be flipped to on by default. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * Address review comments --signing-config and --use-signing-config are now mutually exclusive. TrustedMaterial and SigningConfig are set in the same line as fetching the trusted root and signing config. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --------- 
Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --- cmd/cosign/cli/attest.go | 36 ++++++-- cmd/cosign/cli/attest/attest.go | 100 ++++++++++++++++++---- cmd/cosign/cli/attest_blob.go | 9 +- cmd/cosign/cli/options/attest.go | 16 ++++ cmd/cosign/cli/options/attest_blob.go | 2 + cmd/cosign/cli/options/sign.go | 16 ++++ cmd/cosign/cli/options/signblob.go | 2 + cmd/cosign/cli/sign.go | 35 +++++++- cmd/cosign/cli/sign/sign.go | 118 +++++++++++++++++++++----- cmd/cosign/cli/signblob.go | 9 +- doc/cosign_attest.md | 3 + doc/cosign_sign.md | 3 + test/e2e_test.go | 110 +++++++++++++++++++++++- 13 files changed, 400 insertions(+), 59 deletions(-) diff --git a/cmd/cosign/cli/attest.go b/cmd/cosign/cli/attest.go index b3744c21424..f5a4427d149 100644 --- a/cmd/cosign/cli/attest.go +++ b/cmd/cosign/cli/attest.go @@ -25,6 +25,7 @@ import ( "github.com/sigstore/cosign/v2/internal/ui" "github.com/sigstore/cosign/v2/pkg/cosign" "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/sigstore-go/pkg/root" "github.com/spf13/cobra" ) 
@@ -101,14 +102,39 @@ func Attest() *cobra.Command { IssueCertificateForExistingKey: o.IssueCertificate, NewBundleFormat: o.NewBundleFormat, } - if o.Key == "" && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" { // Get the trusted root if using fulcio for signing - trustedMaterial, err := cosign.TrustedRoot() + // Fetch a trusted root when: + // * requesting a certificate and no CT log key is provided to verify an SCT + // * using a signing config and signing using sigstore-go + if (o.Key == "" && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "") || + (o.UseSigningConfig || o.SigningConfigPath != "") { + if o.TrustedRootPath != "" { + ko.TrustedMaterial, err = root.NewTrustedRootFromPath(o.TrustedRootPath) + if err != nil { + return fmt.Errorf("loading trusted root: %w", err) + } + } else { + ko.TrustedMaterial, err = cosign.TrustedRoot() + if err != nil { + ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err) + } + } + } + + if (o.UseSigningConfig || o.SigningConfigPath != "") && !o.NewBundleFormat { + return fmt.Errorf("must provide --new-bundle-format with --signing-config or --use-signing-config") + } + if o.UseSigningConfig { + ko.SigningConfig, err = cosign.SigningConfig() if err != nil { - ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err) + return fmt.Errorf("error getting signing config from TUF: %w", err) + } + } else if o.SigningConfigPath != "" { + ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath) + if err != nil { + return fmt.Errorf("error reading signing config from file: %w", err) } - ko.TrustedMaterial = trustedMaterial } - // TODO(#4324): Add support for SigningConfig + attestCommand := attest.AttestCommand{ KeyOpts: ko, RegistryOptions: o.Registry, 
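Review bot: In the new `else` branch a failed `cosign.TrustedRoot()` only emits `ui.Warnf(...)` and continues, but when the fetch was triggered by `o.UseSigningConfig || o.SigningConfigPath != ""` there are no "individual targets" to fall back to — signing goes through sigstore-go with `ko.TrustedMaterial` left unset, so if `cbundle.SignData` tolerates nil trusted material the post-signing verification is silently skipped. In the signing-config case the fetch failure should be fatal: `if err != nil && (o.UseSigningConfig || o.SigningConfigPath != "") { return fmt.Errorf("loading trusted root from TUF: %w", err) }` before the existing warning. The same pattern appears in the `cmd/cosign/cli/sign.go` hunk at line 341. `err` is assigned with `=` here, so it must be declared earlier in `Attest()`, outside this hunk.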
diff --git a/cmd/cosign/cli/attest/attest.go b/cmd/cosign/cli/attest/attest.go index cf8eac0bff7..67da902eb9f 100644 --- a/cmd/cosign/cli/attest/attest.go +++ b/cmd/cosign/cli/attest/attest.go @@ -29,7 +29,9 @@ import ( "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign" + cosign_sign "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign" + "github.com/sigstore/cosign/v2/internal/auth" + "github.com/sigstore/cosign/v2/internal/key" "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa" tsaclient "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client" "github.com/sigstore/cosign/v2/internal/ui" @@ -43,13 +45,14 @@ import ( "github.com/sigstore/cosign/v2/pkg/types" "github.com/sigstore/rekor/pkg/generated/client" "github.com/sigstore/rekor/pkg/generated/models" + "github.com/sigstore/sigstore-go/pkg/sign" "github.com/sigstore/sigstore/pkg/signature/dsse" signatureoptions "github.com/sigstore/sigstore/pkg/signature/options" ) type tlogUploadFn func(*client.Rekor, []byte) (*models.LogEntryAnon, error) -func uploadToTlog(ctx context.Context, sv *sign.SignerVerifier, rekorURL string, upload tlogUploadFn) (*models.LogEntryAnon, error) { +func uploadToTlog(ctx context.Context, sv *cosign_sign.SignerVerifier, rekorURL string, upload tlogUploadFn) (*models.LogEntryAnon, error) { rekorBytes, err := sv.Bytes(ctx) if err != nil { return nil, err 
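Review bot: The import alias `cosign_sign` introduces an underscore into a Go identifier, which the project's own style (and golint/revive) avoids, and it forces a rename of every existing `sign.` reference in this file just to make room for sigstore-go's `sign` package. Aliasing the newcomer instead — `sgsign "github.com/sigstore/sigstore-go/pkg/sign"` — matches the `sgverify` prefix already used for sigstore-go's verify package in this repository and leaves `uploadToTlog` and the other existing call sites untouched. The same choice would help readability in `cmd/cosign/cli/sign/sign.go` (line 342), where an unaliased `sign` import inside package `sign` is legal but confusing.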
@@ -132,20 +135,6 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error { // each access. ref = digest // nolint - sv, genKey, err := sign.SignerFromKeyOpts(ctx, c.CertPath, c.CertChainPath, c.KeyOpts) - if err != nil { - return fmt.Errorf("getting signer: %w", err) - } - if genKey || c.IssueCertificateForExistingKey { - sv, err = sign.KeylessSigner(ctx, c.KeyOpts, sv) - if err != nil { - return fmt.Errorf("getting Fulcio signer: %w", err) - } - } - defer sv.Close() - wrapped := dsse.WrapSigner(sv, types.IntotoPayloadType) - dd := cremote.NewDupeDetector(sv) - predicate, err := predicateReader(c.PredicatePath) if err != nil { return fmt.Errorf("getting predicate reader: %w", err) 
@@ -166,6 +155,83 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error { if err != nil { return err } + + if c.SigningConfig != nil { + var keypair sign.Keypair + var ephemeralKeypair bool + var idToken string + var sv *cosign_sign.SignerVerifier + var err error + + if c.Sk || c.Slot != "" || c.KeyRef != "" || c.CertPath != "" { + sv, _, err = cosign_sign.SignerFromKeyOpts(ctx, c.CertPath, c.CertChainPath, c.KeyOpts) + if err != nil { + return fmt.Errorf("getting signer: %w", err) + } + keypair, err = key.NewSignerVerifierKeypair(sv, c.DefaultLoadOptions) + if err != nil { + return fmt.Errorf("creating signerverifier keypair: %w", err) + } + } else { + keypair, err = sign.NewEphemeralKeypair(nil) + if err != nil { + return fmt.Errorf("generating keypair: %w", err) + } + ephemeralKeypair = true + } + defer func() { + if sv != nil { + sv.Close() + } + }() + + if ephemeralKeypair || c.IssueCertificateForExistingKey { + idToken, err = auth.RetrieveIDToken(ctx, auth.IDTokenConfig{ + TokenOrPath: c.IDToken, + DisableProviders: c.OIDCDisableProviders, + Provider: c.OIDCProvider, + AuthFlow: c.FulcioAuthFlow, + SkipConfirm: c.SkipConfirmation, + OIDCServices: c.SigningConfig.OIDCProviderURLs(), + ClientID: c.OIDCClientID, + ClientSecret: c.OIDCClientSecret, + RedirectURL: c.OIDCRedirectURL, + }) + if err != nil { + return fmt.Errorf("retrieving ID token: %w", err) + } + } + + content := &sign.DSSEData{ + Data: payload, + PayloadType: "application/vnd.in-toto+json", + } + bundle, err := cbundle.SignData(content, keypair, idToken, c.SigningConfig, c.TrustedMaterial) + if err != nil { + return fmt.Errorf("signing bundle: %w", err) + } + + ociremoteOpts, err := c.RegistryOptions.ClientOpts(ctx) + if err != nil { + return err + } + return ociremote.WriteAttestationNewBundleFormat(digest, bundle, types.CosignSignPredicateType, ociremoteOpts...) 
+ } + + sv, genKey, err := cosign_sign.SignerFromKeyOpts(ctx, c.CertPath, c.CertChainPath, c.KeyOpts) + if err != nil { + return fmt.Errorf("getting signer: %w", err) + } + if genKey || c.IssueCertificateForExistingKey { + sv, err = cosign_sign.KeylessSigner(ctx, c.KeyOpts, sv) + if err != nil { + return fmt.Errorf("getting Fulcio signer: %w", err) + } + } + defer sv.Close() + wrapped := dsse.WrapSigner(sv, types.IntotoPayloadType) + dd := cremote.NewDupeDetector(sv) + signedPayload, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx)) if err != nil { return fmt.Errorf("signing: %w", err) @@ -227,7 +293,7 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error { opts = append(opts, static.WithAnnotations(predicateTypeAnnotation)) // Check whether we should be uploading to the transparency log - shouldUpload, err := sign.ShouldUploadToTlog(ctx, c.KeyOpts, digest, c.TlogUpload) + shouldUpload, err := cosign_sign.ShouldUploadToTlog(ctx, c.KeyOpts, digest, c.TlogUpload) if err != nil { return fmt.Errorf("should upload to tlog: %w", err) } diff --git a/cmd/cosign/cli/attest_blob.go b/cmd/cosign/cli/attest_blob.go index 55f13321c1c..860ab474911 100644 --- a/cmd/cosign/cli/attest_blob.go +++ b/cmd/cosign/cli/attest_blob.go 
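Review bot: The new `if c.SigningConfig != nil { ... }` branch — keypair selection, the `defer` closing `sv`, the `auth.RetrieveIDToken` call and the `cbundle.SignData` call — is repeated almost verbatim in `signDigestBundle` in `cmd/cosign/cli/sign/sign.go` (line 344), with only `c.`/`ko.` and `c.CertPath`/`signOpts.Cert` differing; two copies of the OIDC/key-selection logic will drift. Extracting one helper in the `cli/sign` package, roughly `func SigningKeypair(ctx context.Context, ko options.KeyOpts, certPath, certChainPath string) (sign.Keypair, *SignerVerifier, bool, error)` returning the keypair, the closeable signer and whether it is ephemeral, would let both callers reduce to a few lines. Separately, this branch writes the attestation with `types.CosignSignPredicateType`; if the existing attestation path in this file records the statement's own predicate type (the `predicateTypeAnnotation` in the later hunk suggests it does), this call should pass that value instead. `Exec` begins outside the hunk.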
@@ -101,28 +101,25 @@ func AttestBlob() *cobra.Command { return fmt.Errorf("loading trusted root: %w", err) } } else { - trustedMaterial, err := cosign.TrustedRoot() + ko.TrustedMaterial, err = cosign.TrustedRoot() if err != nil { ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err) } - ko.TrustedMaterial = trustedMaterial } } if (o.UseSigningConfig || o.SigningConfigPath != "") && o.BundlePath == "" { return fmt.Errorf("must provide --bundle with --signing-config or --use-signing-config") } if o.UseSigningConfig { - signingConfig, err := cosign.SigningConfig() + ko.SigningConfig, err = cosign.SigningConfig() if err != nil { return fmt.Errorf("error getting signing config from TUF: %w", err) } - ko.SigningConfig = signingConfig } else if o.SigningConfigPath != "" { - signingConfig, err := root.NewSigningConfigFromPath(o.SigningConfigPath) + ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath) if err != nil { return fmt.Errorf("error reading signing config from file: %w", err) } - ko.SigningConfig = signingConfig } v := attest.AttestBlobCommand{ diff --git a/cmd/cosign/cli/options/attest.go b/cmd/cosign/cli/options/attest.go index b602dc9aa33..fa91ac8a207 100644 --- a/cmd/cosign/cli/options/attest.go +++ b/cmd/cosign/cli/options/attest.go @@ -39,6 +39,9 @@ type AttestOptions struct { RekorEntryType string RecordCreationTimestamp bool NewBundleFormat bool + UseSigningConfig bool + SigningConfigPath string + TrustedRootPath string Rekor RekorOptions Fulcio FulcioOptions 
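Review bot: `ko.TrustedMaterial, err = cosign.TrustedRoot()` assigns the result even on error; if `TrustedMaterial` is an interface field and `TrustedRoot()` returns a concrete pointer type, a typed-nil on failure would make later `ko.TrustedMaterial != nil` checks true and route verification at a nil trusted root (the Go nil-interface trap) — worth confirming the return type. Resetting in the error path removes the doubt: `if err != nil { ko.TrustedMaterial = nil; ui.Warnf(...) }`. The same direct assignment is introduced in the `signblob.go` hunk at line 346 and in the new `Attest()`/`Sign()` blocks at lines 332 and 341. `AttestBlob()` begins outside the hunk.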
@@ -111,5 +114,18 @@ func (o *AttestOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().BoolVar(&o.IssueCertificate, "issue-certificate", false, "issue a code signing certificate from Fulcio, even if a key is provided") + // TODO: have this default to true as a breaking change cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", false, "attach a Sigstore bundle using OCI referrers API") + + // TODO: have this default to true as a breaking change + cmd.Flags().BoolVar(&o.UseSigningConfig, "use-signing-config", false, + "whether to use a TUF-provided signing config for the service URLs. Must set --new-bundle-format, which will store verification material in the new format") + + cmd.Flags().StringVar(&o.SigningConfigPath, "signing-config", "", + "path to a signing config file. Must provide --new-bundle-format, which will store verification material in the new format") + + cmd.MarkFlagsMutuallyExclusive("use-signing-config", "signing-config") + + cmd.Flags().StringVar(&o.TrustedRootPath, "trusted-root", "", + "optional path to a TrustedRoot JSON file to verify a signature after signing") } diff --git a/cmd/cosign/cli/options/attest_blob.go b/cmd/cosign/cli/options/attest_blob.go index c65585e540b..a3f73aede02 100644 --- a/cmd/cosign/cli/options/attest_blob.go +++ b/cmd/cosign/cli/options/attest_blob.go @@ -109,6 +109,8 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.SigningConfigPath, "signing-config", "", "path to a signing config file. Must provide --bundle, which will output verification material in the new format") + cmd.MarkFlagsMutuallyExclusive("use-signing-config", "signing-config") + cmd.Flags().StringVar(&o.TrustedRootPath, "trusted-root", "", "optional path to a TrustedRoot JSON file to verify a signature after signing") diff --git a/cmd/cosign/cli/options/sign.go b/cmd/cosign/cli/options/sign.go index 7e45c414d86..3cda1a3f839 100644 --- a/cmd/cosign/cli/options/sign.go +++ b/cmd/cosign/cli/options/sign.go 
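Review bot: The help text for `--trusted-root`, "optional path to a TrustedRoot JSON file to verify a signature after signing", is copied from attest-blob and understates what the flag now does: in the `Attest()` hunk the file also replaces the TUF trusted root whenever a certificate is requested without a CT log key, i.e. it supplies the roots used to check the SCT and certificate chain, not only the post-signing verification. A description such as `"optional path to a TrustedRoot JSON file used instead of the TUF trusted root when requesting a certificate or signing with a signing config"` would tell operators that pointing this at a custom file changes which roots are trusted. The identical text is added in the `options/sign.go` hunk at line 339.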
@@ -43,6 +43,9 @@ type SignOptions struct { SignContainerIdentity string RecordCreationTimestamp bool NewBundleFormat bool + UseSigningConfig bool + SigningConfigPath string + TrustedRootPath string Rekor RekorOptions Fulcio FulcioOptions @@ -139,5 +142,18 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().BoolVar(&o.RecordCreationTimestamp, "record-creation-timestamp", false, "set the createdAt timestamp in the signature artifact to the time it was created; by default, cosign sets this to the zero value") + // TODO: have this default to true as a breaking change cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", false, "expect the signature/attestation to be packaged in a Sigstore bundle") + + // TODO: have this default to true as a breaking change + cmd.Flags().BoolVar(&o.UseSigningConfig, "use-signing-config", false, + "whether to use a TUF-provided signing config for the service URLs. Must set --new-bundle-format, which will store verification material in the new format") + + cmd.Flags().StringVar(&o.SigningConfigPath, "signing-config", "", + "path to a signing config file. Must provide --new-bundle-format, which will store verification material in the new format") + + cmd.MarkFlagsMutuallyExclusive("use-signing-config", "signing-config") + + cmd.Flags().StringVar(&o.TrustedRootPath, "trusted-root", "", + "optional path to a TrustedRoot JSON file to verify a signature after signing") } diff --git a/cmd/cosign/cli/options/signblob.go b/cmd/cosign/cli/options/signblob.go index e1ad98089dd..51f14c67d0a 100644 --- a/cmd/cosign/cli/options/signblob.go +++ b/cmd/cosign/cli/options/signblob.go 
@@ -92,6 +92,8 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.SigningConfigPath, "signing-config", "", "path to a signing config file. Must provide --bundle, which will output verification material in the new format") + cmd.MarkFlagsMutuallyExclusive("use-signing-config", "signing-config") + cmd.Flags().StringVar(&o.TrustedRootPath, "trusted-root", "", "optional path to a TrustedRoot JSON file to verify a signature after signing") diff --git a/cmd/cosign/cli/sign.go b/cmd/cosign/cli/sign.go index 24a659bc828..c19ee56190d 100644 --- a/cmd/cosign/cli/sign.go +++ b/cmd/cosign/cli/sign.go @@ -26,6 +26,7 @@ import ( "github.com/sigstore/cosign/v2/internal/ui" "github.com/sigstore/cosign/v2/pkg/cosign" "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/sigstore-go/pkg/root" "github.com/spf13/cobra" ) 
@@ -131,13 +132,39 @@ race conditions or (worse) malicious tampering. TSAServerURL: o.TSAServerURL, IssueCertificateForExistingKey: o.IssueCertificate, } - if (o.Key == "" || o.IssueCertificate) && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" { - trustedMaterial, err := cosign.TrustedRoot() + // Fetch a trusted root when: + // * requesting a certificate and no CT log key is provided to verify an SCT + // * using a signing config and signing using sigstore-go + if ((o.Key == "" || o.IssueCertificate) && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "") || + (o.UseSigningConfig || o.SigningConfigPath != "") { + if o.TrustedRootPath != "" { + ko.TrustedMaterial, err = root.NewTrustedRootFromPath(o.TrustedRootPath) + if err != nil { + return fmt.Errorf("loading trusted root: %w", err) + } + } else { + ko.TrustedMaterial, err = cosign.TrustedRoot() + if err != nil { + ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err) + } + } + } + + if (o.UseSigningConfig || o.SigningConfigPath != "") && !o.NewBundleFormat { + return fmt.Errorf("must provide --new-bundle-format with --signing-config or --use-signing-config") + } + if o.UseSigningConfig { + ko.SigningConfig, err = cosign.SigningConfig() if err != nil { - ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err) + return fmt.Errorf("error getting signing config from TUF: %w", err) + } + } else if o.SigningConfigPath != "" { + ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath) + if err != nil { + return fmt.Errorf("error reading signing config from file: %w", err) } - ko.TrustedMaterial = trustedMaterial } + if err := sign.SignCmd(ro, ko, *o, args); err != nil { if o.Attachment == "" { return fmt.Errorf("signing %v: %w", args, err) 
diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go index c66b87330bc..f5ee16678e0 100644 --- a/cmd/cosign/cli/sign/sign.go +++ b/cmd/cosign/cli/sign/sign.go @@ -38,6 +38,8 @@ import ( "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor" "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign/privacy" + "github.com/sigstore/cosign/v2/internal/auth" + "github.com/sigstore/cosign/v2/internal/key" icos "github.com/sigstore/cosign/v2/internal/pkg/cosign" ifulcio "github.com/sigstore/cosign/v2/internal/pkg/cosign/fulcio" ipayload "github.com/sigstore/cosign/v2/internal/pkg/cosign/payload" @@ -57,6 +59,7 @@ import ( sigs "github.com/sigstore/cosign/v2/pkg/signature" "github.com/sigstore/cosign/v2/pkg/types" "github.com/sigstore/rekor/pkg/generated/models" + "github.com/sigstore/sigstore-go/pkg/sign" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" "github.com/sigstore/sigstore/pkg/signature/dsse" @@ -142,20 +145,8 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, signOpts options.SignO ctx, cancel := context.WithTimeout(context.Background(), ro.Timeout) defer cancel() - sv, genKey, err := SignerFromKeyOpts(ctx, signOpts.Cert, signOpts.CertChain, ko) - if err != nil { - return fmt.Errorf("getting signer: %w", err) - } - if genKey || ko.IssueCertificateForExistingKey { - sv, err = KeylessSigner(ctx, ko, sv) - if err != nil { - return fmt.Errorf("getting Fulcio signer: %w", err) - } - } - defer sv.Close() - dd := cremote.NewDupeDetector(sv) - var staticPayload []byte + var err error if signOpts.PayloadPath != "" { ui.Infof(ctx, "Using payload from: %s", signOpts.PayloadPath) staticPayload, err = os.ReadFile(filepath.Clean(signOpts.PayloadPath)) 
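Review bot: Removing the single `SignerFromKeyOpts`/`KeylessSigner` setup from `SignCmd` changes how often a signer is created: the hunk at line 345 re-creates it inside `signDigest`, which `SignCmd` calls once per digest, so a keyless invocation over several image refs (or a recursive index, if that path also goes through `signDigest`) would presumably run a Fulcio certificate request — and possibly an interactive OIDC flow — per digest instead of once. If that is intended, it deserves a comment in `SignCmd`, e.g. `// A signer (and, for keyless, a certificate) is created per digest in signDigest/signDigestBundle.`; if not, the `SignerVerifier` could be created once here and passed down as before, with only the signing-config path building its keypair per call. The `var err error` that replaces the removed declaration is fine, but `SignCmd` continues outside the hunk, so the remaining uses of `err` could not be checked here.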
@@ -197,9 +188,9 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, signOpts options.SignO return fmt.Errorf("accessing image: %w", err) } if signOpts.NewBundleFormat { - err = signDigestBundle(ctx, digest, ko, signOpts, sv) + err = signDigestBundle(ctx, digest, ko, signOpts) } else { - err = signDigest(ctx, digest, staticPayload, ko, signOpts, annotations, dd, sv, se) + err = signDigest(ctx, digest, staticPayload, ko, signOpts, annotations, se) } if err != nil { return fmt.Errorf("signing digest: %w", err) @@ -220,9 +211,9 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, signOpts options.SignO } digest := ref.Context().Digest(d.String()) if signOpts.NewBundleFormat { - err = signDigestBundle(ctx, digest, ko, signOpts, sv) + err = signDigestBundle(ctx, digest, ko, signOpts) } else { - err = signDigest(ctx, digest, staticPayload, ko, signOpts, annotations, dd, sv, se) + err = signDigest(ctx, digest, staticPayload, ko, signOpts, annotations, se) } if err != nil { return fmt.Errorf("signing digest: %w", err) @@ -236,7 +227,7 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, signOpts options.SignO return nil } -func signDigestBundle(ctx context.Context, digest name.Digest, ko options.KeyOpts, signOpts options.SignOptions, sv *SignerVerifier) error { +func signDigestBundle(ctx context.Context, digest name.Digest, ko options.KeyOpts, signOpts options.SignOptions) error { digestParts := strings.Split(digest.DigestStr(), ":") if len(digestParts) != 2 { return fmt.Errorf("unable to parse digest %s", digest.DigestStr()) 
@@ -257,6 +248,81 @@ func signDigestBundle(ctx context.Context, digest name.Digest, ko options.KeyOpt return err } + if ko.SigningConfig != nil { + var keypair sign.Keypair + var ephemeralKeypair bool + var idToken string + var sv *SignerVerifier + var err error + + if ko.Sk || ko.Slot != "" || ko.KeyRef != "" || signOpts.Cert != "" { + sv, _, err = SignerFromKeyOpts(ctx, signOpts.Cert, signOpts.CertChain, ko) + if err != nil { + return fmt.Errorf("getting signer: %w", err) + } + keypair, err = key.NewSignerVerifierKeypair(sv, ko.DefaultLoadOptions) + if err != nil { + return fmt.Errorf("creating signerverifier keypair: %w", err) + } + } else { + keypair, err = sign.NewEphemeralKeypair(nil) + if err != nil { + return fmt.Errorf("generating keypair: %w", err) + } + ephemeralKeypair = true + } + defer func() { + if sv != nil { + sv.Close() + } + }() + + if ephemeralKeypair || ko.IssueCertificateForExistingKey { + idToken, err = auth.RetrieveIDToken(ctx, auth.IDTokenConfig{ + TokenOrPath: ko.IDToken, + DisableProviders: ko.OIDCDisableProviders, + Provider: ko.OIDCProvider, + AuthFlow: ko.FulcioAuthFlow, + SkipConfirm: ko.SkipConfirmation, + OIDCServices: ko.SigningConfig.OIDCProviderURLs(), + ClientID: ko.OIDCClientID, + ClientSecret: ko.OIDCClientSecret, + RedirectURL: ko.OIDCRedirectURL, + }) + if err != nil { + return fmt.Errorf("retrieving ID token: %w", err) + } + } + + content := &sign.DSSEData{ + Data: payload, + PayloadType: "application/vnd.in-toto+json", + } + bundle, err := cbundle.SignData(content, keypair, idToken, ko.SigningConfig, ko.TrustedMaterial) + if err != nil { + return fmt.Errorf("signing bundle: %w", err) + } + + regOpts := signOpts.Registry + ociremoteOpts, err := regOpts.ClientOpts(ctx) + if err != nil { + return fmt.Errorf("constructing client options: %w", err) + } + return ociremote.WriteAttestationNewBundleFormat(digest, bundle, types.CosignSignPredicateType, ociremoteOpts...) 
+ } + + sv, genKey, err := SignerFromKeyOpts(ctx, signOpts.Cert, signOpts.CertChain, ko) + if err != nil { + return fmt.Errorf("getting signer: %w", err) + } + if genKey || ko.IssueCertificateForExistingKey { + sv, err = KeylessSigner(ctx, ko, sv) + if err != nil { + return fmt.Errorf("getting Fulcio signer: %w", err) + } + } + defer sv.Close() + wrapped := dsse.WrapSigner(sv, types.IntotoPayloadType) signedPayload, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx)) if err != nil { @@ -324,8 +390,7 @@ func signDigestBundle(ctx context.Context, digest name.Digest, ko options.KeyOpt } func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko options.KeyOpts, signOpts options.SignOptions, - annotations map[string]interface{}, - dd mutate.DupeDetector, sv *SignerVerifier, se oci.SignedEntity) error { + annotations map[string]interface{}, se oci.SignedEntity) error { var err error // The payload can be passed to skip generation. if len(payload) == 0 { @@ -339,6 +404,19 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti } } + sv, genKey, err := SignerFromKeyOpts(ctx, signOpts.Cert, signOpts.CertChain, ko) + if err != nil { + return fmt.Errorf("getting signer: %w", err) + } + if genKey || ko.IssueCertificateForExistingKey { + sv, err = KeylessSigner(ctx, ko, sv) + if err != nil { + return fmt.Errorf("getting Fulcio signer: %w", err) + } + } + defer sv.Close() + dd := cremote.NewDupeDetector(sv) + var s icos.Signer s = ipayload.NewSigner(sv) if sv.Cert != nil { diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go index 2f3fe8a21fc..b0f704114c4 100644 --- a/cmd/cosign/cli/signblob.go +++ b/cmd/cosign/cli/signblob.go 
@@ -111,28 +111,25 @@ func SignBlob() *cobra.Command {
 return fmt.Errorf("loading trusted root: %w", err)
 }
 } else {
- trustedMaterial, err := cosign.TrustedRoot()
+ ko.TrustedMaterial, err = cosign.TrustedRoot()
 if err != nil {
 ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
 }
- ko.TrustedMaterial = trustedMaterial
 }
 }
 if (o.UseSigningConfig || o.SigningConfigPath != "") && o.BundlePath == "" {
 return fmt.Errorf("must provide --bundle with --signing-config or --use-signing-config")
 }
 if o.UseSigningConfig {
- signingConfig, err := cosign.SigningConfig()
+ ko.SigningConfig, err = cosign.SigningConfig()
 if err != nil {
 return fmt.Errorf("error getting signing config from TUF: %w", err)
 }
- ko.SigningConfig = signingConfig
 } else if o.SigningConfigPath != "" {
- signingConfig, err := root.NewSigningConfigFromPath(o.SigningConfigPath)
+ ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath)
 if err != nil {
 return fmt.Errorf("error reading signing config from file: %w", err)
 }
- ko.SigningConfig = signingConfig
 }
 for _, blob := range args {
diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md
index 1189513a92b..ed95856f615 100644
--- a/doc/cosign_attest.md
+++ b/doc/cosign_attest.md
@@ -81,6 +81,7 @@ cosign attest [flags]
 --rekor-entry-type string specifies the type to be used for a rekor entry upload (dsse|intoto) (default "dsse")
 --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
 --replace
+ --signing-config string path to a signing config file. Must provide --new-bundle-format, which will store verification material in the new format
 --sk whether to use a hardware security key
 --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
 --statement string path to the statement file.
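Review bot: Assigning through `ko.TrustedMaterial, err = cosign.TrustedRoot()` writes the TUF failure into the function-level `err`, where the replaced `:=` kept it block-scoped; after the `ui.Warnf` the error is still in `err`, and when neither `o.UseSigningConfig` nor `o.SigningConfigPath` is set nothing in this hunk resets it before `for _, blob := range args`. Whether a later `if err != nil` reads that stale value is outside the hunk, so either add `err = nil` after the warning or keep the block-scoped variable. The warning's wording, `Continuing with individual targets`, also no longer matches the signing-config path, which as far as this hunk shows proceeds with a nil `ko.TrustedMaterial`; presumably that skips the post-signing verification the trusted root is documented for, so the message should say so. SignBlob's body continues outside the hunk.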
@@ -90,7 +91,9 @@ cosign attest [flags]
 --timestamp-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the TSA Server
 --timestamp-server-url string url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr
 --tlog-upload whether or not to upload to the tlog (default true)
+ --trusted-root string optional path to a TrustedRoot JSON file to verify a signature after signing
 --type string specify a predicate type (slsaprovenance|slsaprovenance02|slsaprovenance1|link|spdx|spdxjson|cyclonedx|vuln|openvex|custom) or an URI (default "custom")
+ --use-signing-config whether to use a TUF-provided signing config for the service URLs. Must set --new-bundle-format, which will store verification material in the new format
 -y, --yes skip confirmation prompts for non-destructive operations
 ```
diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md
index 6b4b400df64..40fec19f5b9 100644
--- a/doc/cosign_sign.md
+++ b/doc/cosign_sign.md
@@ -110,6 +110,7 @@ cosign sign [flags]
 --registry-username string registry basic auth username
 --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
 --sign-container-identity string manually set the .critical.docker-reference field for the signed identity, which is useful when image proxies are being used where the pull reference should match the signature
+ --signing-config string path to a signing config file. Must provide --new-bundle-format, which will store verification material in the new format
 --sk whether to use a hardware security key
 --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
 --timestamp-client-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the TSA Server
@@ -118,7 +119,9 @@ cosign sign [flags]
 --timestamp-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the TSA Server
 --timestamp-server-url string url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr
 --tlog-upload whether or not to upload to the tlog (default true)
+ --trusted-root string optional path to a TrustedRoot JSON file to verify a signature after signing
 --upload whether to upload the signature (default true)
+ --use-signing-config whether to use a TUF-provided signing config for the service URLs. Must set --new-bundle-format, which will store verification material in the new format
 -y, --yes skip confirmation prompts for non-destructive operations
 ```
diff --git a/test/e2e_test.go b/test/e2e_test.go
index 51536a85840..2c525f3557e 100644
--- a/test/e2e_test.go
+++ b/test/e2e_test.go
@@ -861,7 +861,7 @@ func prepareSigningConfig(t *testing.T, fulcioURL, rekorURL, oidcURL, tsaURL str
 return out
 }
-func TestSignVerifyWithSigningConfig(t *testing.T) {
+func TestSignAttestVerifyBlobWithSigningConfig(t *testing.T) {
 tufLocalCache := t.TempDir()
 t.Setenv("TUF_ROOT", tufLocalCache)
 tufMirror := t.TempDir()
@@ -971,6 +971,114 @@ func TestSignVerifyWithSigningConfig(t *testing.T) {
 must(err, t)
 }
+func TestSignAttestVerifyContainerWithSigningConfig(t *testing.T) {
+ tufLocalCache := t.TempDir()
+ t.Setenv("TUF_ROOT", tufLocalCache)
+ tufMirror := t.TempDir()
+ viper.Set("timestamp-signer", "memory")
+ viper.Set("timestamp-signer-hash", "sha256")
+ tsaAPIServer := server.NewRestAPIServer("localhost", 0, []string{"http"}, false, 10*time.Second, 10*time.Second)
+ tsaServer := httptest.NewServer(tsaAPIServer.GetHandler())
+ t.Cleanup(tsaServer.Close)
+ tufServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ http.FileServer(http.Dir(tufMirror)).ServeHTTP(w, r)
+ }))
+ mirror := tufServer.URL
+ trustedRoot := prepareTrustedRoot(t, tsaServer.URL)
+ signingConfigStr := prepareSigningConfig(t, fulcioURL, rekorURL, "unused", tsaServer.URL+"/api/v1/timestamp")
+
+ _, err := newTUF(tufMirror, []targetInfo{
+ {
+ name: "trusted_root.json",
+ source: trustedRoot,
+ },
+ {
+ name: "signing_config.v0.2.json",
+ source: signingConfigStr,
+ },
+ })
+ must(err, t)
+
+ repo, stop := reg(t)
+ defer stop()
+ imgName := path.Join(repo, "cosign-e2e")
+
+ _, _, cleanup := mkimage(t, imgName)
+ defer cleanup()
+
+ ctx := context.Background()
+
+ rootPath := filepath.Join(tufMirror, "1.root.json")
+ must(initialize.DoInitialize(ctx, rootPath, mirror), t)
+
+ identityToken, err := getOIDCToken()
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ ko := options.KeyOpts{
+ IDToken: identityToken,
+ NewBundleFormat: true,
+ SkipConfirmation: true,
+ }
+ trustedMaterial, err := cosign.TrustedRoot()
+ must(err, t)
+ ko.TrustedMaterial = trustedMaterial
+ signingConfig, err := cosign.SigningConfig()
+ must(err, t)
+ ko.SigningConfig = signingConfig
+
+ // Sign image with identity token in bundle format
+ so := options.SignOptions{
+ Upload: true,
+ NewBundleFormat: true,
+ TlogUpload: true,
+ }
+ must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
+
+ // Verify Fulcio-signed image
+ cmd := cliverify.VerifyCommand{
+ CertVerifyOptions: options.CertVerifyOptions{
+ CertOidcIssuer: os.Getenv("OIDC_URL"),
+ CertIdentity: certID,
+ },
+ NewBundleFormat: true,
+ UseSignedTimestamps: true,
+ }
+ args := []string{imgName}
+ must(cmd.Exec(ctx, args), t)
+
+ // Attest image
+ predicate := `{ "buildType": "x", "builder": { "id": "2" }, "recipe": {} }`
+ predicatePath := filepath.Join(t.TempDir(), "predicate.json")
+ if err := os.WriteFile(predicatePath, []byte(predicate), 0644); err != nil {
+ t.Fatal(err)
+ }
+ attestCmd := attest.AttestCommand{
+ KeyOpts: ko,
+ PredicatePath: predicatePath,
+ PredicateType: "slsaprovenance",
+ Timeout: 30 * time.Second,
+ RekorEntryType: "dsse",
+ }
+ must(attestCmd.Exec(ctx, imgName), t)
+
+ // Verify attestation
+ verifyAttestation := cliverify.VerifyAttestationCommand{
+ CertVerifyOptions: options.CertVerifyOptions{
+ CertOidcIssuer: os.Getenv("OIDC_URL"),
+ CertIdentity: certID,
+ },
+ CommonVerifyOptions: options.CommonVerifyOptions{
+ NewBundleFormat: true,
+ },
+ PredicateType: "slsaprovenance",
+ UseSignedTimestamps: true,
+ CheckClaims: true,
+ }
+ must(verifyAttestation.Exec(ctx, []string{imgName}), t)
+}
+
 func TestSignVerifyWithSigningConfigWithKey(t *testing.T) {
 tufLocalCache := t.TempDir()
 t.Setenv("TUF_ROOT", tufLocalCache)
From 62a960c0346d32838c9cc70636004806c5234c37 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 17:26:18 +0000 Subject: [PATCH 049/136] chore(deps): bump golang from 1.25.0 to 1.25.1 in the all group (#4398) Bumps the all group with 1 update: golang. Updates `golang` from 1.25.0 to 1.25.1 --- updated-dependencies: - dependency-name: golang dependency-version: 1.25.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all ...
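Review bot: `tufServer` is created with `httptest.NewServer` but never closed, while `tsaServer` a few lines above gets `t.Cleanup(tsaServer.Close)`; add `t.Cleanup(tufServer.Close)` right after it is constructed so the listener does not outlive the test. The two `viper.Set` calls also leave process-global configuration in place for whatever test runs next in the package, presumably mirroring the sibling test, but a `t.Cleanup` that restores the previous values would make the test self-contained. The `getOIDCToken()` error is handled with `if err != nil { t.Fatal(err) }` while every other error in the function goes through `must(err, t)`; using `must` there keeps the style uniform. The function is complete within this hunk.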
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 4239690292f..856f771c0be 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,4 +15,4 @@ # This is used to we scrap the go version and use in CI to get the latest go version # and we use dependabot to keep the go version up to date -FROM golang:1.25.0 +FROM golang:1.25.1 From fd1bf740d647120e04b3d5002ef9b6400c6e0d40 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 14:16:02 -0700 Subject: [PATCH 050/136] chore(deps): bump actions/setup-go from 5.5.0 to 6.0.0 (#4397) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.5.0 to 6.0.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/d35c59abb061a4a6fb18e82ac0862c26744d6ab5...44694675825211faa026b3c33043df3e48a5fa00) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build.yaml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/conformance-nightly.yml | 2 +- .github/workflows/conformance.yml | 2 +- .github/workflows/e2e-tests.yml | 8 ++++---- .github/workflows/e2e-with-binary.yml | 2 +- .github/workflows/github-oidc.yaml | 2 +- .github/workflows/golangci-lint.yml | 4 ++-- .github/workflows/kind-verify-attestation.yaml | 2 +- .github/workflows/tests.yaml | 8 ++++---- .github/workflows/verify-docgen.yaml | 2 +- 11 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index c0f1f527a47..2d406df4710 100644 
--- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -53,7 +53,7 @@ jobs: - name: Extract version of Go to use run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '${{ env.GOVERSION }}' check-latest: true diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 073b8c32e62..74c2432bbba 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -68,7 +68,7 @@ jobs: - name: Extract version of Go to use run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '${{ env.GOVERSION }}' check-latest: true diff --git a/.github/workflows/conformance-nightly.yml b/.github/workflows/conformance-nightly.yml index 1b0d1a4a8d4..0d00bde58fe 100644 --- a/.github/workflows/conformance-nightly.yml +++ b/.github/workflows/conformance-nightly.yml @@ -34,7 +34,7 @@ jobs: - name: Extract version of Go to use run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '${{ env.GOVERSION }}' check-latest: true diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index ef97435778d..53b3baf5890 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml 
@@ -36,7 +36,7 @@ jobs: - name: Extract version of Go to use run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '${{ env.GOVERSION }}' check-latest: true diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index a4ff31d92f7..cff8bb27230 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -46,7 +46,7 @@ jobs: - name: Extract version of Go to use run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '${{ env.GOVERSION }}' check-latest: true @@ -66,7 +66,7 @@ jobs: - name: Extract version of Go to use run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '${{ env.GOVERSION }}' check-latest: true @@ -109,7 +109,7 @@ jobs: - name: Extract version of Go to use run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '${{ env.GOVERSION }}' check-latest: true 
@@ -142,7 +142,7 @@ jobs: - name: Extract version of Go to use run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '${{ env.GOVERSION }}' check-latest: true diff --git a/.github/workflows/e2e-with-binary.yml b/.github/workflows/e2e-with-binary.yml index b18a72edf8f..cb233b3f1a8 100644 --- a/.github/workflows/e2e-with-binary.yml +++ b/.github/workflows/e2e-with-binary.yml @@ -55,7 +55,7 @@ jobs: - name: Extract version of Go to use run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '${{ env.GOVERSION }}' check-latest: true diff --git a/.github/workflows/github-oidc.yaml b/.github/workflows/github-oidc.yaml index 44455166cf7..0178bbcd394 100644 --- a/.github/workflows/github-oidc.yaml +++ b/.github/workflows/github-oidc.yaml @@ -55,7 +55,7 @@ jobs: - name: Extract version of Go to use run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '${{ env.GOVERSION }}' check-latest: true diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 87f362352a5..a5c358403bb 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml 
@@ -38,7 +38,7 @@ jobs: - name: Extract version of Go to use run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '${{ env.GOVERSION }}' check-latest: true @@ -64,7 +64,7 @@ jobs: - name: Extract version of Go to use run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '${{ env.GOVERSION }}' check-latest: true diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml index 009d5dd798d..3c84047bd96 100644 --- a/.github/workflows/kind-verify-attestation.yaml +++ b/.github/workflows/kind-verify-attestation.yaml @@ -60,7 +60,7 @@ jobs: - name: Extract version of Go to use run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '${{ env.GOVERSION }}' check-latest: true diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 2e7b129eac2..186a40c1071 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -65,7 +65,7 @@ jobs: - name: Extract version of Go to use run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '${{ env.GOVERSION }}' check-latest: true 
@@ -166,7 +166,7 @@ jobs: - name: Extract version of Go to use run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '${{ env.GOVERSION }}' check-latest: true @@ -199,7 +199,7 @@ jobs: - name: Extract version of Go to use run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '${{ env.GOVERSION }}' check-latest: true @@ -234,7 +234,7 @@ jobs: - name: Extract version of Go to use run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '${{ env.GOVERSION }}' check-latest: true diff --git a/.github/workflows/verify-docgen.yaml b/.github/workflows/verify-docgen.yaml index 63d45eae797..e231d875a11 100644 --- a/.github/workflows/verify-docgen.yaml +++ b/.github/workflows/verify-docgen.yaml @@ -44,7 +44,7 @@ jobs: - name: Extract version of Go to use run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '${{ env.GOVERSION }}' check-latest: true From 0d478dc5f6e9ec4fbad47460f01c769b63a025c8 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 14:16:15 -0700 Subject: [PATCH 051/136] chore(deps): bump golang.org/x/sync from 0.16.0 to 0.17.0 (#4395) Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.16.0 to 0.17.0. - [Commits](https://github.com/golang/sync/compare/v0.16.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/sync dependency-version: 0.17.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index a751e93844f..3d383f5b4ac 100644 --- a/go.mod +++ b/go.mod @@ -54,7 +54,7 @@ require ( gitlab.com/gitlab-org/api/client-go v0.142.6 golang.org/x/crypto v0.41.0 golang.org/x/oauth2 v0.30.0 - golang.org/x/sync v0.16.0 + golang.org/x/sync v0.17.0 golang.org/x/term v0.34.0 google.golang.org/api v0.248.0 google.golang.org/protobuf v1.36.8 diff --git a/go.sum b/go.sum index 3088a8256e1..02c87fa90bb 100644 --- a/go.sum +++ b/go.sum 
@@ -1808,8 +1808,8 @@ golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw= -golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug= +golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= From 67d8d308023dc62efb0865a14b2ac38610b5f37a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 14:17:09 -0700 Subject: [PATCH 052/136] chore(deps): bump github.com/buildkite/agent/v3 from 3.103.1 to 3.104.0 (#4390) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.103.1 to 3.104.0. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](https://github.com/buildkite/agent/compare/v3.103.1...v3.104.0) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.104.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/go.mod b/go.mod index 3d383f5b4ac..ddd8f5c4cd3 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,7 @@ require ( cuelang.org/go v0.14.1 github.com/ThalesIgnite/crypto11 v1.2.5 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 - github.com/buildkite/agent/v3 v3.103.1 + github.com/buildkite/agent/v3 v3.104.0 github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936 @@ -126,7 +126,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.4 // indirect - github.com/aws/aws-sdk-go-v2/service/kms v1.44.0 // indirect + github.com/aws/aws-sdk-go-v2/service/kms v1.44.2 // indirect github.com/aws/aws-sdk-go-v2/service/sso v1.28.2 // indirect github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.0 // indirect github.com/aws/aws-sdk-go-v2/service/sts v1.38.0 // indirect @@ -135,7 +135,7 @@ require ( github.com/blang/semver v3.5.1+incompatible // indirect github.com/buildkite/go-pipeline v0.15.0 // indirect github.com/buildkite/interpolate v0.1.5 // indirect - github.com/buildkite/roko v1.3.1 // indirect + github.com/buildkite/roko v1.4.0 // indirect github.com/cenkalti/backoff/v4 v4.3.0 // indirect github.com/cenkalti/backoff/v5 v5.0.3 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect diff --git a/go.sum b/go.sum index 02c87fa90bb..e7114d2b5ff 100644 --- a/go.sum +++ b/go.sum 
@@ -779,8 +779,8 @@ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 h1:6+lZi2J github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0/go.mod h1:eb3gfbVIxIoGgJsi9pGne19dhCBpK6opTYpQqAmdy44= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.4 h1:ueB2Te0NacDMnaC+68za9jLwkjzxGWm0KB5HTUHjLTI= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.4/go.mod h1:nLEfLnVMmLvyIG58/6gsSA03F1voKGaCfHV7+lR8S7s= -github.com/aws/aws-sdk-go-v2/service/kms v1.44.0 h1:Z95XCqqSnwXr0AY7PgsiOUBhUG2GoDM5getw6RfD1Lg= -github.com/aws/aws-sdk-go-v2/service/kms v1.44.0/go.mod h1:DqcSngL7jJeU1fOzh5Ll5rSvX/MlMV6OZlE4mVdFAQc= +github.com/aws/aws-sdk-go-v2/service/kms v1.44.2 h1:yTtMSIGWk8KzPDX2pS9k7wNCPKiNWpiJ9DdB2mCAMzo= +github.com/aws/aws-sdk-go-v2/service/kms v1.44.2/go.mod h1:zgkQ8ige7qtxldA4cGtiXdbql3dBo4TfsP6uQyHwq0E= github.com/aws/aws-sdk-go-v2/service/sso v1.28.2 h1:ve9dYBB8CfJGTFqcQ3ZLAAb/KXWgYlgu/2R2TZL2Ko0= github.com/aws/aws-sdk-go-v2/service/sso v1.28.2/go.mod h1:n9bTZFZcBa9hGGqVz3i/a6+NG0zmZgtkB9qVVFDqPA8= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.0 h1:Bnr+fXrlrPEoR1MAFrHVsge3M/WoK4n23VNhRM7TPHI= 
@@ -797,14 +797,14 @@ github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdn github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= -github.com/buildkite/agent/v3 v3.103.1 h1:PdbUrGUeQaf4xIaWSXQEYWf4Q6SB9gHUWlC/r6bHHig= -github.com/buildkite/agent/v3 v3.103.1/go.mod h1:OSoURonIdwLChSvNXxnmywtqD0xnqbFdvgMAkfxTOPg= +github.com/buildkite/agent/v3 v3.104.0 h1:VLwNHHb5cmOeWp7clutY3Qnz88lfKb8yj+OTWrwDp+o= +github.com/buildkite/agent/v3 v3.104.0/go.mod h1:HPO/Bv8C/aC2wfwVarAgU8LSXjUh/fTa9P3pxuGB+vw= github.com/buildkite/go-pipeline v0.15.0 h1:ae/TEXC/4HhajbED2vKcRL5vZTtb9C71cajzwoBlP8s= github.com/buildkite/go-pipeline v0.15.0/go.mod h1:VE37qY3X5pmAKKUMoDZvPsHOQuyakB9cmXj9Qn6QasA= github.com/buildkite/interpolate v0.1.5 h1:v2Ji3voik69UZlbfoqzx+qfcsOKLA61nHdU79VV+tPU= github.com/buildkite/interpolate v0.1.5/go.mod h1:dHnrwHew5O8VNOAgMDpwRlFnhL5VSN6M1bHVmRZ9Ccc= -github.com/buildkite/roko v1.3.1 h1:t7K30ceLLYn6k7hQP4oq1c7dVlhgD5nRcuSRDEEnY1s= -github.com/buildkite/roko v1.3.1/go.mod h1:23R9e6nHxgedznkwwfmqZ6+0VJZJZ2Sg/uVcp2cP46I= +github.com/buildkite/roko v1.4.0 h1:DxixoCdpNqxu4/1lXrXbfsKbJSd7r1qoxtef/TT2J80= +github.com/buildkite/roko v1.4.0/go.mod h1:0vbODqUFEcVf4v2xVXRfZZRsqJVsCCHTG/TBRByGK4E= github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA= github.com/bytecodealliance/wasmtime-go/v3 v3.0.2/go.mod h1:RnUjnIXxEJcL6BgCvNyzCCRzZcxCgsZCi+RNlvYor5Q= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= From f527319daee1e15bcb009299c18c549d31862db1 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 14:17:23 -0700 Subject: [PATCH 053/136] chore(deps): bump actions/github-script from 7.0.1 to 8.0.0 (#4392) Bumps [actions/github-script](https://github.com/actions/github-script) from 7.0.1 to 8.0.0. - [Release notes](https://github.com/actions/github-script/releases) - [Commits](https://github.com/actions/github-script/compare/60a0d83039c74a4aee543508d2ffcb1c3799cdea...ed597411d8f924073f98dfc5c65a23a2325f34cd) --- updated-dependencies: - dependency-name: actions/github-script dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/conformance-nightly.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/conformance-nightly.yml b/.github/workflows/conformance-nightly.yml index 0d00bde58fe..4567022e695 100644 --- a/.github/workflows/conformance-nightly.yml +++ b/.github/workflows/conformance-nightly.yml @@ -48,7 +48,7 @@ jobs: - name: Create Issue on Failure if: failure() - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | From 8e3dc335497e7849a5f7a5749a3161d929a97549 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 14:17:42 -0700 Subject: [PATCH 054/136] chore(deps): bump the actions group with 4 updates (#4396) Bumps the actions group with 4 updates: [sigstore/sigstore-conformance](https://github.com/sigstore/sigstore-conformance), [chainguard-dev/actions](https://github.com/chainguard-dev/actions), [mikefarah/yq](https://github.com/mikefarah/yq) and [codecov/codecov-action](https://github.com/codecov/codecov-action). Updates `sigstore/sigstore-conformance` from 0.0.19 to 0.0.20 - [Release notes](https://github.com/sigstore/sigstore-conformance/releases) - [Commits](https://github.com/sigstore/sigstore-conformance/compare/a7ac671d8e55553de127c8b1ad96d8d416315e83...1d8b0cdd88fa7fb5a8510e51faf6ccad8c96f10a) Updates `chainguard-dev/actions` from 1.4.13 to 1.4.14 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](https://github.com/chainguard-dev/actions/compare/3caedd3784c809ba873cbb8c6a12e2bc6bf6ab09...f632aec66edeebe245ad686a33a0c0a2160cac31) Updates `mikefarah/yq` from 4.47.1 to 4.47.2 - [Release notes](https://github.com/mikefarah/yq/releases) - [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt) - [Commits](https://github.com/mikefarah/yq/compare/f03c9dc599c37bfcaf533427211d05e51e6fee64...6251e95af8df3505def48c71f3119836701495d6) Updates `codecov/codecov-action` from 5.5.0 to 5.5.1 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/fdcc8476540edceab3de004e990f80d881c6cc00...5a1091511ad55cbe89839c7260b706298ca349f7) --- updated-dependencies: - dependency-name: sigstore/sigstore-conformance dependency-version: 0.0.20 dependency-type: direct:production update-type: 
version-update:semver-patch dependency-group: actions - dependency-name: chainguard-dev/actions dependency-version: 1.4.14 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: mikefarah/yq dependency-version: 4.47.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: codecov/codecov-action dependency-version: 5.5.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/conformance.yml | 2 +- .github/workflows/donotsubmit.yaml | 2 +- .github/workflows/e2e-tests.yml | 4 ++-- .github/workflows/kind-verify-attestation.yaml | 4 ++-- .github/workflows/tests.yaml | 4 ++-- .github/workflows/whitespace.yaml | 4 ++-- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 53b3baf5890..f884b8a3c8d 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -44,6 +44,6 @@ jobs: - run: make cosign conformance - - uses: sigstore/sigstore-conformance@a7ac671d8e55553de127c8b1ad96d8d416315e83 # v0.0.19 + - uses: sigstore/sigstore-conformance@1d8b0cdd88fa7fb5a8510e51faf6ccad8c96f10a # v0.0.20 with: entrypoint: ${{ github.workspace }}/conformance diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml index 30515131430..877d90fc4b9 100644 --- a/.github/workflows/donotsubmit.yaml +++ b/.github/workflows/donotsubmit.yaml @@ -40,4 +40,4 @@ jobs: persist-credentials: false - name: Do Not Submit - uses: chainguard-dev/actions/donotsubmit@3caedd3784c809ba873cbb8c6a12e2bc6bf6ab09 # v1.4.13 + uses: chainguard-dev/actions/donotsubmit@f632aec66edeebe245ad686a33a0c0a2160cac31 # v1.4.14 
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index cff8bb27230..86450743533 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -149,7 +149,7 @@ jobs: cache: false - name: Setup mirror - uses: chainguard-dev/actions/setup-mirror@3caedd3784c809ba873cbb8c6a12e2bc6bf6ab09 # v1.4.13 + uses: chainguard-dev/actions/setup-mirror@f632aec66edeebe245ad686a33a0c0a2160cac31 # v1.4.14 with: mirror: mirror.gcr.io @@ -239,4 +239,4 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@3caedd3784c809ba873cbb8c6a12e2bc6bf6ab09 # v1.4.13 + uses: chainguard-dev/actions/kind-diag@f632aec66edeebe245ad686a33a0c0a2160cac31 # v1.4.14 diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml index 3c84047bd96..5ccd7457bad 100644 --- a/.github/workflows/kind-verify-attestation.yaml +++ b/.github/workflows/kind-verify-attestation.yaml @@ -70,7 +70,7 @@ jobs: - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9 - name: Install yq - uses: mikefarah/yq@f03c9dc599c37bfcaf533427211d05e51e6fee64 # v4.47.1 + uses: mikefarah/yq@6251e95af8df3505def48c71f3119836701495d6 # v4.47.2 - name: build cosign run: | @@ -161,7 +161,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@3caedd3784c809ba873cbb8c6a12e2bc6bf6ab09 # v1.4.13 + uses: chainguard-dev/actions/kind-diag@f632aec66edeebe245ad686a33a0c0a2160cac31 # v1.4.14 - name: Create vuln attestation for it run: | diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 186a40c1071..004209e97a3 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml 
@@ -75,7 +75,7 @@ jobs: run: go test -covermode atomic -coverprofile coverage.txt $(go list ./... | grep -v third_party/) - name: Upload Coverage Report - uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0 + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: env_vars: OS @@ -184,7 +184,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@3caedd3784c809ba873cbb8c6a12e2bc6bf6ab09 # v1.4.13 + uses: chainguard-dev/actions/kind-diag@f632aec66edeebe245ad686a33a0c0a2160cac31 # v1.4.14 e2e-windows-powershell-tests: name: Run PowerShell E2E tests diff --git a/.github/workflows/whitespace.yaml b/.github/workflows/whitespace.yaml index fa1f399e442..8516623b843 100644 --- a/.github/workflows/whitespace.yaml +++ b/.github/workflows/whitespace.yaml @@ -38,8 +38,8 @@ jobs: with: persist-credentials: false - - uses: chainguard-dev/actions/trailing-space@3caedd3784c809ba873cbb8c6a12e2bc6bf6ab09 # v1.4.13 + - uses: chainguard-dev/actions/trailing-space@f632aec66edeebe245ad686a33a0c0a2160cac31 # v1.4.14 if: ${{ always() }} - - uses: chainguard-dev/actions/eof-newline@3caedd3784c809ba873cbb8c6a12e2bc6bf6ab09 # v1.4.13 + - uses: chainguard-dev/actions/eof-newline@f632aec66edeebe245ad686a33a0c0a2160cac31 # v1.4.14 if: ${{ always() }} From a57176af2354d463ce3cb3a6345dfad49806825a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 21:51:40 +0000 Subject: [PATCH 055/136] chore(deps): bump golang.org/x/term from 0.34.0 to 0.35.0 (#4388) Bumps [golang.org/x/term](https://github.com/golang/term) from 0.34.0 to 0.35.0. - [Commits](https://github.com/golang/term/compare/v0.34.0...v0.35.0) --- updated-dependencies: - dependency-name: golang.org/x/term dependency-version: 0.35.0 dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index ddd8f5c4cd3..6eecb3ac077 100644 --- a/go.mod +++ b/go.mod @@ -55,7 +55,7 @@ require ( golang.org/x/crypto v0.41.0 golang.org/x/oauth2 v0.30.0 golang.org/x/sync v0.17.0 - golang.org/x/term v0.34.0 + golang.org/x/term v0.35.0 google.golang.org/api v0.248.0 google.golang.org/protobuf v1.36.8 k8s.io/api v0.34.0 @@ -298,7 +298,7 @@ require ( golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect golang.org/x/mod v0.27.0 // indirect golang.org/x/net v0.43.0 // indirect - golang.org/x/sys v0.35.0 // indirect + golang.org/x/sys v0.36.0 // indirect golang.org/x/text v0.28.0 // indirect golang.org/x/time v0.12.0 // indirect golang.org/x/tools v0.35.0 // indirect diff --git a/go.sum b/go.sum index e7114d2b5ff..38eb51c885e 100644 --- a/go.sum +++ b/go.sum @@ -1900,8 +1900,8 @@ golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI= -golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k= +golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= 
@@ -1913,8 +1913,8 @@ golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo= golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= -golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4= -golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw= +golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ= +golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= From 8c7c09d4b1c9af9326f7f73f5da34d144bdbe323 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 22:01:37 +0000 Subject: [PATCH 056/136] chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4394) Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.142.6 to 0.143.0. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.142.6...v0.143.0) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.143.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/go.mod b/go.mod index 6eecb3ac077..44e0f71d053 100644 --- a/go.mod +++ b/go.mod @@ -51,7 +51,7 @@ require ( github.com/theupdateframework/go-tuf/v2 v2.1.1 github.com/transparency-dev/merkle v0.0.2 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 - gitlab.com/gitlab-org/api/client-go v0.142.6 + gitlab.com/gitlab-org/api/client-go v0.143.1 golang.org/x/crypto v0.41.0 golang.org/x/oauth2 v0.30.0 golang.org/x/sync v0.17.0 diff --git a/go.sum b/go.sum index 38eb51c885e..461aed1415f 100644 --- a/go.sum +++ b/go.sum @@ -1557,8 +1557,8 @@ github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8u github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI= github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0= github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= -gitlab.com/gitlab-org/api/client-go v0.142.6 h1:RjqPb7XxJypn9DzkSTuQUOJN7wpRGXZFH8rJCLj4Bg8= -gitlab.com/gitlab-org/api/client-go v0.142.6/go.mod h1:t02B5oJWYEzalBlYIh+PmEJm2H4LPC/VFM1xks5qtG8= +gitlab.com/gitlab-org/api/client-go v0.143.1 h1:5HyFrXtBZ0WbWLl6Ighrv8wxZ/NWz/KimZiXw6gCT9s= +gitlab.com/gitlab-org/api/client-go v0.143.1/go.mod h1:wvte1ie2U9x25hadhyuCkYug/uxsWMWOTcrgm+f7Big= go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80= go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= From 1a1ee13ce9edfb98dc50693f6f7efcc16dc35822 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 16:23:54 -0700 Subject: [PATCH 057/136] chore(deps): bump golang.org/x/oauth2 from 0.30.0 to 0.31.0 (#4393) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.30.0 to 0.31.0. - [Commits](https://github.com/golang/oauth2/compare/v0.30.0...v0.31.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-version: 0.31.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 44e0f71d053..e305a74bece 100644 --- a/go.mod +++ b/go.mod @@ -53,7 +53,7 @@ require ( github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 gitlab.com/gitlab-org/api/client-go v0.143.1 golang.org/x/crypto v0.41.0 - golang.org/x/oauth2 v0.30.0 + golang.org/x/oauth2 v0.31.0 golang.org/x/sync v0.17.0 golang.org/x/term v0.35.0 google.golang.org/api v0.248.0 diff --git a/go.sum b/go.sum index 461aed1415f..91217de9ba4 100644 --- a/go.sum +++ b/go.sum 
@@ -1789,8 +1789,8 @@ golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I= golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw= golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4= -golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= -golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU= +golang.org/x/oauth2 v0.31.0 h1:8Fq0yVZLh4j4YA47vHKFTa9Ew5XIrCP8LC6UeNZnLxo= +golang.org/x/oauth2 v0.31.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= From 153df46c9ee93f73eba5a3b6379717d439ec2a37 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 9 Sep 2025 09:08:24 -0700 Subject: [PATCH 058/136] chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0 (#4391) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.41.0 to 0.42.0. - [Commits](https://github.com/golang/crypto/compare/v0.41.0...v0.42.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.42.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index e305a74bece..402c8fd633a 100644 --- a/go.mod +++ b/go.mod 
@@ -52,7 +52,7 @@ require ( github.com/transparency-dev/merkle v0.0.2 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 gitlab.com/gitlab-org/api/client-go v0.143.1 - golang.org/x/crypto v0.41.0 + golang.org/x/crypto v0.42.0 golang.org/x/oauth2 v0.31.0 golang.org/x/sync v0.17.0 golang.org/x/term v0.35.0 @@ -299,9 +299,9 @@ require ( golang.org/x/mod v0.27.0 // indirect golang.org/x/net v0.43.0 // indirect golang.org/x/sys v0.36.0 // indirect - golang.org/x/text v0.28.0 // indirect + golang.org/x/text v0.29.0 // indirect golang.org/x/time v0.12.0 // indirect - golang.org/x/tools v0.35.0 // indirect + golang.org/x/tools v0.36.0 // indirect google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c // indirect diff --git a/go.sum b/go.sum index 91217de9ba4..129413d3200 100644 --- a/go.sum +++ b/go.sum @@ -1630,8 +1630,8 @@ golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I= golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= -golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4= -golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc= +golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI= +golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8= golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -1933,8 +1933,8 @@ golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng= -golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU= +golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk= +golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -2009,8 +2009,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s= -golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0= -golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw= +golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg= +golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
From 11163ae7d806cb13f2563ef837ce1c985ac788d3 Mon Sep 17 00:00:00 2001 From: Hayden Date: Thu, 11 Sep 2025 08:32:25 -0700 Subject: [PATCH 059/136] Bump sigstore-go, support alternative hash algorithms with keys (#4386) * Bump sigstore-go, support alternative hash algorithms with keys sigstore-go now handles non-ECDSA-P-256 signatures with Rekor v2. To support verification, we also need a way to provide alternative hash algorithms to the default SHA-256. cosign verify already had a flag for this, so I added the flag to all verify commands. In the future, when we are only processing bundles, we can lookup the default hash algorithm given the key. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * lint fmt Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * Drop support for Fulcio with ed25519ph key We've chosen to not support this in sigstore-go, so we'll also remove this from Cosign. This is a niche edge case where a user provides an ed25519 key or algorithm and requests a cert and logs it to Rekor. We'll revisit this if there's demand or when we support the prehash variant in Fulcio. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --------- 
Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --- cmd/cosign/cli/fulcio/fulcio.go | 11 +---- .../fulcio/fulcioverifier/fulcioverifier.go | 6 +-- cmd/cosign/cli/options/verify.go | 6 +++ cmd/cosign/cli/sign/sign.go | 31 ++----------- cmd/cosign/cli/verify.go | 18 ++++++++ cmd/cosign/cli/verify/verify_attestation.go | 9 +++- cmd/cosign/cli/verify/verify_blob.go | 8 +++- .../cli/verify/verify_blob_attestation.go | 12 +++-- cmd/cosign/cli/verify/verify_blob_test.go | 14 +++--- doc/cosign_verify-attestation.md | 1 + doc/cosign_verify-blob-attestation.md | 1 + doc/cosign_verify-blob.md | 1 + go.mod | 21 ++++++--- go.sum | 42 +++++++++++++----- internal/key/svkeypair.go | 15 +++++++ internal/key/svkeypair_test.go | 13 ++++++ internal/pkg/cosign/rekor/signer_test.go | 4 +- pkg/cosign/bundle/protobundle_test.go | 16 +++---- pkg/cosign/bundle/rekor_test.go | 20 ++++----- pkg/cosign/tlog_test.go | 14 +++--- pkg/cosign/verify_test.go | 14 +++--- test/e2e_test.go | 44 ++++++++++++++++++- 22 files changed, 216 insertions(+), 105 deletions(-) diff --git a/cmd/cosign/cli/fulcio/fulcio.go b/cmd/cosign/cli/fulcio/fulcio.go index adf3226730a..e13e4902e1d 100644 --- a/cmd/cosign/cli/fulcio/fulcio.go +++ b/cmd/cosign/cli/fulcio/fulcio.go 
@@ -72,15 +72,6 @@ type Signer struct { } func NewSigner(ctx context.Context, ko options.KeyOpts, signer signature.SignerVerifier) (*Signer, error) { - return NewSignerWithAdapter(ctx, ko, signer, signer) -} - -// NewSignerWithAdapter creates a Fulcio Signer with a `fulcioSigner` that is -// used to sign the Proof Of Possession sent to Fulcio. In most cases this will -// be the same as the `signer`, however it is possible to use a different signer. -// For example when ed25519ph is used for signing, the `fulcioSigner` will be -// the equivalent PureED25519 signer, given that Fulcio does not support ed25519ph. -func NewSignerWithAdapter(ctx context.Context, ko options.KeyOpts, signer signature.SignerVerifier, fulcioSigner signature.SignerVerifier) (*Signer, error) { fClient, err := NewClient(ko.FulcioURL) if err != nil { return nil, fmt.Errorf("creating Fulcio client: %w", err) @@ -96,7 +87,7 @@ func NewSignerWithAdapter(ctx context.Context, ko options.KeyOpts, signer signat return nil, fmt.Errorf("setting auth flow: %w", err) } - resp, err := GetCert(ctx, fulcioSigner, idToken, flow, ko.OIDCIssuer, ko.OIDCClientID, ko.OIDCClientSecret, ko.OIDCRedirectURL, fClient) + resp, err := GetCert(ctx, signer, idToken, flow, ko.OIDCIssuer, ko.OIDCClientID, ko.OIDCClientSecret, ko.OIDCRedirectURL, fClient) if err != nil { return nil, fmt.Errorf("retrieving cert: %w", err) } diff --git a/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go b/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go index 4b58808aaea..076a763c536 100644 --- a/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go +++ b/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go 
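Review bot: `NewSigner` in cmd/cosign/cli/fulcio is left without a doc comment once the removed `NewSignerWithAdapter` takes its explanation with it, so the only exported constructor of this Signer is now undocumented; suggest `// NewSigner requests a Fulcio certificate for the public key of signer and returns a Signer that wraps it.` above the signature. Removing the exported `NewSignerWithAdapter` here and in fulcioverifier.go is an API break for any external importer of these packages, which is worth stating explicitly in the commit message if that surface is treated as public. The body of NewSigner continues past the second hunk.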
@@ -30,11 +30,7 @@ import ( ) func NewSigner(ctx context.Context, ko options.KeyOpts, signer signature.SignerVerifier) (*fulcio.Signer, error) { - return NewSignerWithAdapter(ctx, ko, signer, signer) -} - -func NewSignerWithAdapter(ctx context.Context, ko options.KeyOpts, signer signature.SignerVerifier, fulcioSigner signature.SignerVerifier) (*fulcio.Signer, error) { - fs, err := fulcio.NewSignerWithAdapter(ctx, ko, signer, fulcioSigner) + fs, err := fulcio.NewSigner(ctx, ko, signer) if err != nil { return nil, err } diff --git a/cmd/cosign/cli/options/verify.go b/cmd/cosign/cli/options/verify.go index 79c9a5421e6..d493ebe6309 100644 --- a/cmd/cosign/cli/options/verify.go +++ b/cmd/cosign/cli/options/verify.go @@ -137,6 +137,7 @@ type VerifyAttestationOptions struct { CertVerify CertVerifyOptions Registry RegistryOptions Predicate PredicateRemoteOptions + SignatureDigest SignatureDigestOptions Policies []string LocalImage bool } @@ -151,6 +152,7 @@ func (o *VerifyAttestationOptions) AddFlags(cmd *cobra.Command) { o.Registry.AddFlags(cmd) o.Predicate.AddFlags(cmd) o.CommonVerifyOptions.AddFlags(cmd) + o.SignatureDigest.AddFlags(cmd) cmd.Flags().StringVar(&o.Key, "key", "", "path to the public key file, KMS URI or Kubernetes Secret") @@ -178,6 +180,7 @@ type VerifyBlobOptions struct { CertVerify CertVerifyOptions Rekor RekorOptions CommonVerifyOptions CommonVerifyOptions + SignatureDigest SignatureDigestOptions RFC3161TimestampPath string } @@ -190,6 +193,7 @@ func (o *VerifyBlobOptions) AddFlags(cmd *cobra.Command) { o.Rekor.AddFlags(cmd) o.CertVerify.AddFlags(cmd) o.CommonVerifyOptions.AddFlags(cmd) + o.SignatureDigest.AddFlags(cmd) cmd.Flags().StringVar(&o.Key, "key", "", "path to the public key file, KMS URI or Kubernetes Secret") @@ -233,6 +237,7 @@ type VerifyBlobAttestationOptions struct { CertVerify CertVerifyOptions Rekor RekorOptions CommonVerifyOptions CommonVerifyOptions + SignatureDigest SignatureDigestOptions RFC3161TimestampPath string 
@@ -249,6 +254,7 @@ func (o *VerifyBlobAttestationOptions) AddFlags(cmd *cobra.Command) { o.Rekor.AddFlags(cmd) o.CertVerify.AddFlags(cmd) o.CommonVerifyOptions.AddFlags(cmd) + o.SignatureDigest.AddFlags(cmd) cmd.Flags().StringVar(&o.Key, "key", "", "path to the public key file, KMS URI or Kubernetes Secret") diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go index f5ee16678e0..abba92aa6fe 100644 --- a/cmd/cosign/cli/sign/sign.go +++ b/cmd/cosign/cli/sign/sign.go 
@@ -702,45 +702,22 @@ func signerFromNewKey() (*SignerVerifier, error) { }, nil } -// adaptSignerVerifierToFulcio adapts, if necessary, the SignerVerifier to be -// used to interact with Fulcio. -// -// This is needed in particular for ED25519 keys with the pre-hashed version of -// the algorithm, which is not supported by Fulcio. This function creates a -// ED25519 SignerVerifier based on that instead. -func adaptSignerVerifierToFulcio(sv *SignerVerifier) (*SignerVerifier, error) { - if ed25519phSV, ok := sv.SignerVerifier.(*signature.ED25519phSignerVerifier); ok { - signerVerifier, err := ed25519phSV.ToED25519SignerVerifier() - if err != nil { - return nil, err - } - - return &SignerVerifier{ - SignerVerifier: signerVerifier, - Cert: sv.Cert, - Chain: sv.Chain, - }, nil - } - return sv, nil -} - func KeylessSigner(ctx context.Context, ko options.KeyOpts, sv *SignerVerifier) (*SignerVerifier, error) { var ( k *fulcio.Signer err error ) - fulcioSV, err := adaptSignerVerifierToFulcio(sv) - if err != nil { - return nil, fmt.Errorf("adapting signer verifier to Fulcio: %w", err) + if _, ok := sv.SignerVerifier.(*signature.ED25519phSignerVerifier); ok { + return nil, fmt.Errorf("ed25519ph unsupported by Fulcio") } if ko.InsecureSkipFulcioVerify { - if k, err = fulcio.NewSignerWithAdapter(ctx, ko, sv, fulcioSV); err != nil { + if k, err = fulcio.NewSigner(ctx, ko, sv); err != nil { return nil, fmt.Errorf("getting key from Fulcio: %w", err) } } else { - if k, err = fulcioverifier.NewSignerWithAdapter(ctx, ko, sv, fulcioSV); err != nil { + if k, err = fulcioverifier.NewSigner(ctx, ko, sv); err != nil { return nil, fmt.Errorf("getting key from Fulcio: %w", err) } } diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go index c891e754626..97006a73824 100644 --- a/cmd/cosign/cli/verify.go +++ b/cmd/cosign/cli/verify.go 
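Review bot: The new ed25519ph guard in `KeylessSigner` builds a constant message with `fmt.Errorf` and no format verbs; `errors.New("ed25519ph unsupported by Fulcio")` (if `errors` is already imported here) or a package-level sentinel such as `var ErrED25519phUnsupported = errors.New("ed25519ph unsupported by Fulcio")` would let callers test it with `errors.Is`. The rationale that lived in the deleted `adaptSignerVerifierToFulcio` comment disappears with it, so a one-line why-comment is warranted: `// Fulcio does not accept ed25519ph; fail early instead of requesting a certificate it cannot issue.` KeylessSigner's body continues beyond the hunk.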
@@ -218,6 +218,11 @@ against the transparency log.`, o.CommonVerifyOptions.IgnoreTlog = true } + hashAlgorithm, err := o.SignatureDigest.HashAlgorithm() + if err != nil { + return err + } + v := &verify.VerifyAttestationCommand{ RegistryOptions: o.Registry, CommonVerifyOptions: o.CommonVerifyOptions, @@ -247,6 +252,7 @@ against the transparency log.`, TSACertChainPath: o.CommonVerifyOptions.TSACertChainPath, IgnoreTlog: o.CommonVerifyOptions.IgnoreTlog, MaxWorkers: o.CommonVerifyOptions.MaxWorkers, + HashAlgorithm: hashAlgorithm, UseSignedTimestamps: o.CommonVerifyOptions.UseSignedTimestamps, } @@ -330,6 +336,11 @@ The blob may be specified as a path to a file or - for stdin.`, o.CommonVerifyOptions.IgnoreTlog = true } + hashAlgorithm, err := o.SignatureDigest.HashAlgorithm() + if err != nil { + return err + } + ko := options.KeyOpts{ KeyRef: o.Key, Sk: o.SecurityKey.Use, @@ -359,6 +370,7 @@ The blob may be specified as a path to a file or - for stdin.`, IgnoreTlog: o.CommonVerifyOptions.IgnoreTlog, UseSignedTimestamps: o.CommonVerifyOptions.UseSignedTimestamps, TrustedRootPath: o.CommonVerifyOptions.TrustedRootPath, + HashAlgorithm: hashAlgorithm, } ctx, cancel := context.WithTimeout(cmd.Context(), ro.Timeout) @@ -401,6 +413,11 @@ The blob may be specified as a path to a file.`, o.CommonVerifyOptions.IgnoreTlog = true } + hashAlgorithm, err := o.SignatureDigest.HashAlgorithm() + if err != nil { + return err + } + ko := options.KeyOpts{ KeyRef: o.Key, Sk: o.SecurityKey.Use, @@ -434,6 +451,7 @@ The blob may be specified as a path to a file.`, TrustedRootPath: o.CommonVerifyOptions.TrustedRootPath, Digest: o.Digest, DigestAlg: o.DigestAlg, + HashAlgorithm: hashAlgorithm, } // We only use the blob if we are checking claims. if o.CheckClaims && len(args) == 0 && (o.Digest == "" || o.DigestAlg == "") { diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go index bb8ac96e057..9c53a70dc2a 100644 
--- a/cmd/cosign/cli/verify/verify_attestation.go +++ b/cmd/cosign/cli/verify/verify_attestation.go @@ -17,6 +17,7 @@ package verify import ( "context" + "crypto" "errors" "flag" "fmt" @@ -73,6 +74,7 @@ type VerifyAttestationCommand struct { IgnoreTlog bool MaxWorkers int UseSignedTimestamps bool + HashAlgorithm crypto.Hash } // Exec runs the verification command @@ -81,6 +83,11 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e return flag.ErrHelp } + // always default to sha256 if the algorithm hasn't been explicitly set + if c.HashAlgorithm == 0 { + c.HashAlgorithm = crypto.SHA256 + } + // We can't have both a key and a security key if options.NOf(c.KeyRef, c.Sk) > 1 { return &options.KeyParseError{} @@ -191,7 +198,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e // Keys are optional! switch { case keyRef != "": - co.SigVerifier, err = sigs.PublicKeyFromKeyRef(ctx, keyRef) + co.SigVerifier, err = sigs.PublicKeyFromKeyRefWithHashAlgo(ctx, keyRef, c.HashAlgorithm) if err != nil { return fmt.Errorf("loading public key: %w", err) } diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go index 926ad71fe48..125ccbfdce5 100644 --- a/cmd/cosign/cli/verify/verify_blob.go +++ b/cmd/cosign/cli/verify/verify_blob.go @@ -74,10 +74,16 @@ type VerifyBlobCmd struct { Offline bool UseSignedTimestamps bool IgnoreTlog bool + HashAlgorithm crypto.Hash } // nolint func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error { + // always default to sha256 if the algorithm hasn't been explicitly set + if c.HashAlgorithm == 0 { + c.HashAlgorithm = crypto.SHA256 + } + // Require a certificate/key OR a local bundle file that has the cert. if options.NOf(c.KeyRef, c.CertRef, c.Sk, c.BundlePath) == 0 { return fmt.Errorf("provide a key with --key or --sk, a certificate to verify against with --certificate, or a bundle with --bundle") 
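Review bot: Exec applies the SHA-256 default by writing back into `c.HashAlgorithm`, so running a command mutates the caller's struct as a side effect, and the same three-line block is repeated in verify_blob.go (this line) and verify_blob_attestation.go; a shared helper with a local, `func hashAlgorithmOrDefault(h crypto.Hash) crypto.Hash { if h == 0 { return crypto.SHA256 }; return h }`, removes both the triplication and the mutation. The new `HashAlgorithm crypto.Hash` field on `VerifyAttestationCommand` and `VerifyBlobCmd` carries no doc comment; in the hunks shown only the `KeyRef` branch (`PublicKeyFromKeyRefWithHashAlgo`) consumes it, so suggest `// HashAlgorithm is the digest used by the verifier loaded from KeyRef; the zero value selects SHA-256.` The verify_blob.go hunk does not add a `"crypto"` import as the verify_attestation.go hunk does, presumably because that file already imports it. Both Exec bodies extend beyond their hunks.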
@@ -116,7 +122,7 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error { opts := make([]static.Option, 0) switch { case c.KeyRef != "": - co.SigVerifier, err = sigs.PublicKeyFromKeyRef(ctx, c.KeyRef) + co.SigVerifier, err = sigs.PublicKeyFromKeyRefWithHashAlgo(ctx, c.KeyRef, c.HashAlgorithm) if err != nil { return fmt.Errorf("loading public key: %w", err) } diff --git a/cmd/cosign/cli/verify/verify_blob_attestation.go b/cmd/cosign/cli/verify/verify_blob_attestation.go index b88d185cd15..de50f4ab968 100644 --- a/cmd/cosign/cli/verify/verify_blob_attestation.go +++ b/cmd/cosign/cli/verify/verify_blob_attestation.go @@ -79,8 +79,9 @@ type VerifyBlobAttestationCommand struct { SignaturePath string // Path to the signature UseSignedTimestamps bool - Digest string - DigestAlg string + Digest string + DigestAlg string + HashAlgorithm crypto.Hash } // Exec runs the verification command @@ -89,6 +90,11 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st return fmt.Errorf("please specify path to the DSSE envelope signature via --signature or --bundle") } + // always default to sha256 if the algorithm hasn't been explicitly set + if c.HashAlgorithm == 0 { + c.HashAlgorithm = crypto.SHA256 + } + // Require a certificate/key OR a local bundle file that has the cert. if options.NOf(c.KeyRef, c.CertRef, c.Sk, c.BundlePath) == 0 { return fmt.Errorf("provide a key with --key or --sk, a certificate to verify against with --certificate, or a bundle with --bundle") @@ -126,7 +132,7 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st opts := make([]static.Option, 0) switch { case c.KeyRef != "": - co.SigVerifier, err = sigs.PublicKeyFromKeyRef(ctx, c.KeyRef) + co.SigVerifier, err = sigs.PublicKeyFromKeyRefWithHashAlgo(ctx, c.KeyRef, c.HashAlgorithm) if err != nil { return fmt.Errorf("loading public key: %w", err) } 
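Review bot: `VerifyBlobAttestationCommand` now has both `DigestAlg string` and `HashAlgorithm crypto.Hash` side by side with no comment distinguishing them, which invites treating them as the same setting; from the verify.go wiring, `Digest`/`DigestAlg` appear to describe an artifact digest supplied in place of a blob, while `HashAlgorithm` is handed to `PublicKeyFromKeyRefWithHashAlgo` for the signature verifier. Suggest `// DigestAlg names the algorithm of Digest, the artifact digest given instead of a blob.` and `// HashAlgorithm is the digest used by the verifier loaded from KeyRef; zero selects SHA-256.` on the respective fields. The realignment of the `Digest`/`DigestAlg` lines is gofmt output and is fine. Exec continues beyond the hunks shown.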
diff --git a/cmd/cosign/cli/verify/verify_blob_test.go b/cmd/cosign/cli/verify/verify_blob_test.go index fb746bc0288..56e3291a0e6 100644 --- a/cmd/cosign/cli/verify/verify_blob_test.go +++ b/cmd/cosign/cli/verify/verify_blob_test.go @@ -37,7 +37,7 @@ import ( "github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer" "github.com/go-openapi/runtime" - "github.com/go-openapi/swag" + "github.com/go-openapi/swag/conv" "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/mock" "github.com/sigstore/cosign/v2/internal/test" @@ -701,9 +701,9 @@ func makeRekorEntry(t *testing.T, rekorSigner signature.ECDSASignerVerifier, } e := models.LogEntryAnon{ Body: base64.StdEncoding.EncodeToString(leaf), - IntegratedTime: swag.Int64(integratedTime.Unix()), - LogIndex: swag.Int64(0), - LogID: swag.String(logID), + IntegratedTime: conv.Pointer(integratedTime.Unix()), + LogIndex: conv.Pointer(int64(0)), + LogID: conv.Pointer(logID), } // Marshal payload, sign, and set SET in Bundle jsonPayload, err := json.Marshal(e) @@ -723,9 +723,9 @@ func makeRekorEntry(t *testing.T, rekorSigner signature.ECDSASignerVerifier, e.Verification = &models.LogEntryAnonVerification{ SignedEntryTimestamp: bundleSig, InclusionProof: &models.InclusionProof{ - LogIndex: swag.Int64(0), - TreeSize: swag.Int64(1), - RootHash: swag.String(hex.EncodeToString(uuid)), + LogIndex: conv.Pointer(int64(0)), + TreeSize: conv.Pointer(int64(1)), + RootHash: conv.Pointer(hex.EncodeToString(uuid)), Hashes: []string{}, }, } diff --git a/doc/cosign_verify-attestation.md b/doc/cosign_verify-attestation.md index c55cbefb18d..996e8e77276 100644 --- a/doc/cosign_verify-attestation.md +++ b/doc/cosign_verify-attestation.md 
@@ -95,6 +95,7 @@ cosign verify-attestation [flags] --registry-username string registry basic auth username --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs. + --signature-digest-algorithm string digest algorithm to use when processing a signature (sha224|sha256|sha384|sha512) (default "sha256") --sk whether to use a hardware security key --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management) --timestamp-certificate-chain string path to PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. Optionally may contain intermediate CA certificates, and may contain the leaf TSA certificate if not present in the timestamp diff --git a/doc/cosign_verify-blob-attestation.md b/doc/cosign_verify-blob-attestation.md index 0ad3f795161..43eb9cbbbd3 100644 --- a/doc/cosign_verify-blob-attestation.md +++ b/doc/cosign_verify-blob-attestation.md 
@@ -58,6 +58,7 @@ cosign verify-blob-attestation [flags] --rfc3161-timestamp string path to RFC3161 timestamp FILE --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs. --signature string path to base64-encoded signature over attestation in DSSE format + --signature-digest-algorithm string digest algorithm to use when processing a signature (sha224|sha256|sha384|sha512) (default "sha256") --sk whether to use a hardware security key --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management) --timestamp-certificate-chain string path to PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. Optionally may contain intermediate CA certificates, and may contain the leaf TSA certificate if not present in the timestamp diff --git a/doc/cosign_verify-blob.md b/doc/cosign_verify-blob.md index 3aa0bd761a7..494e53fc54f 100644 --- a/doc/cosign_verify-blob.md +++ b/doc/cosign_verify-blob.md 
@@ -91,6 +91,7 @@ cosign verify-blob [flags] --rfc3161-timestamp string path to RFC3161 timestamp FILE --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs. --signature string signature content or path or remote URL + --signature-digest-algorithm string digest algorithm to use when processing a signature (sha224|sha256|sha384|sha512) (default "sha256") --sk whether to use a hardware security key --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management) --timestamp-certificate-chain string path to PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. Optionally may contain intermediate CA certificates, and may contain the leaf TSA certificate if not present in the timestamp diff --git a/go.mod b/go.mod index 402c8fd633a..754d5f09021 100644 --- a/go.mod +++ b/go.mod @@ -15,7 +15,8 @@ require ( github.com/go-jose/go-jose/v4 v4.1.2 github.com/go-openapi/runtime v0.28.0 github.com/go-openapi/strfmt v0.23.0 - github.com/go-openapi/swag v0.23.1 + github.com/go-openapi/swag v0.24.1 + github.com/go-openapi/swag/conv v0.24.0 github.com/go-piv/piv-go/v2 v2.4.0 github.com/google/certificate-transparency-go v1.3.2 github.com/google/go-cmp v0.7.0 
@@ -34,10 +35,10 @@ require ( github.com/secure-systems-lab/go-securesystemslib v0.9.1 github.com/sigstore/fulcio v1.7.1 github.com/sigstore/protobuf-specs v0.5.0 - github.com/sigstore/rekor v1.4.1 + github.com/sigstore/rekor v1.4.2 github.com/sigstore/rekor-tiles v0.1.10 github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3 - github.com/sigstore/sigstore-go v1.1.2-0.20250811211025-bac873564adb + github.com/sigstore/sigstore-go v1.1.2 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5 github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.6-0.20250729224751-181c5d3339b3 @@ -163,7 +164,7 @@ require ( github.com/fsnotify/fsnotify v1.9.0 // indirect github.com/fxamacker/cbor/v2 v2.9.0 // indirect github.com/go-chi/chi v4.1.2+incompatible // indirect - github.com/go-chi/chi/v5 v5.2.2 // indirect + github.com/go-chi/chi/v5 v5.2.3 // indirect github.com/go-ini/ini v1.67.0 // indirect github.com/go-logr/logr v1.4.3 // indirect github.com/go-logr/stdr v1.2.2 // indirect @@ -173,6 +174,16 @@ require ( github.com/go-openapi/jsonreference v0.21.0 // indirect github.com/go-openapi/loads v0.22.0 // indirect github.com/go-openapi/spec v0.21.0 // indirect + github.com/go-openapi/swag/cmdutils v0.24.0 // indirect + github.com/go-openapi/swag/fileutils v0.24.0 // indirect + github.com/go-openapi/swag/jsonname v0.24.0 // indirect + github.com/go-openapi/swag/jsonutils v0.24.0 // indirect + github.com/go-openapi/swag/loading v0.24.0 // indirect + github.com/go-openapi/swag/mangling v0.24.0 // indirect + github.com/go-openapi/swag/netutils v0.24.0 // indirect + github.com/go-openapi/swag/stringutils v0.24.0 // indirect + github.com/go-openapi/swag/typeutils v0.24.0 // indirect + github.com/go-openapi/swag/yamlutils v0.24.0 // indirect github.com/go-openapi/validate v0.24.0 // indirect github.com/go-sql-driver/mysql v1.9.3 // indirect github.com/go-viper/mapstructure/v2 v2.4.0 // indirect 
@@ -296,7 +307,7 @@ require ( go.yaml.in/yaml/v2 v2.4.2 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect - golang.org/x/mod v0.27.0 // indirect + golang.org/x/mod v0.28.0 // indirect golang.org/x/net v0.43.0 // indirect golang.org/x/sys v0.36.0 // indirect golang.org/x/text v0.29.0 // indirect diff --git a/go.sum b/go.sum index 129413d3200..2cc18e00db7 100644 --- a/go.sum +++ b/go.sum @@ -951,8 +951,8 @@ github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj2 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec= github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= -github.com/go-chi/chi/v5 v5.2.2 h1:CMwsvRVTbXVytCk1Wd72Zy1LAsAh9GxMmSNWLHCG618= -github.com/go-chi/chi/v5 v5.2.2/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops= +github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE= +github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops= github.com/go-fonts/dejavu v0.1.0/go.mod h1:4Wt4I4OU2Nq9asgDCteaAaWZOV24E+0/Pwo0gppep4g= github.com/go-fonts/latin-modern v0.2.0/go.mod h1:rQVLdDMK+mK1xscDwsqM5J8U2jrRa3T0ecnM9pNujks= github.com/go-fonts/liberation v0.1.1/go.mod h1:K6qoJYypsmfVjWg8KOVDQhLc8UDgIK2HYqyqAO9z7GY= 
@@ -988,8 +988,30 @@ github.com/go-openapi/spec v0.21.0 h1:LTVzPc3p/RzRnkQqLRndbAzjY0d0BCL72A6j3CdL9Z github.com/go-openapi/spec v0.21.0/go.mod h1:78u6VdPw81XU44qEWGhtr982gJ5BWg2c0I5XwVMotYk= github.com/go-openapi/strfmt v0.23.0 h1:nlUS6BCqcnAk0pyhi9Y+kdDVZdZMHfEKQiS4HaMgO/c= github.com/go-openapi/strfmt v0.23.0/go.mod h1:NrtIpfKtWIygRkKVsxh7XQMDQW5HKQl6S5ik2elW+K4= -github.com/go-openapi/swag v0.23.1 h1:lpsStH0n2ittzTnbaSloVZLuB5+fvSY/+hnagBjSNZU= -github.com/go-openapi/swag v0.23.1/go.mod h1:STZs8TbRvEQQKUA+JZNAm3EWlgaOBGpyFDqQnDHMef0= +github.com/go-openapi/swag v0.24.1 h1:DPdYTZKo6AQCRqzwr/kGkxJzHhpKxZ9i/oX0zag+MF8= +github.com/go-openapi/swag v0.24.1/go.mod h1:sm8I3lCPlspsBBwUm1t5oZeWZS0s7m/A+Psg0ooRU0A= +github.com/go-openapi/swag/cmdutils v0.24.0 h1:KlRCffHwXFI6E5MV9n8o8zBRElpY4uK4yWyAMWETo9I= +github.com/go-openapi/swag/cmdutils v0.24.0/go.mod h1:uxib2FAeQMByyHomTlsP8h1TtPd54Msu2ZDU/H5Vuf8= +github.com/go-openapi/swag/conv v0.24.0 h1:ejB9+7yogkWly6pnruRX45D1/6J+ZxRu92YFivx54ik= +github.com/go-openapi/swag/conv v0.24.0/go.mod h1:jbn140mZd7EW2g8a8Y5bwm8/Wy1slLySQQ0ND6DPc2c= +github.com/go-openapi/swag/fileutils v0.24.0 h1:U9pCpqp4RUytnD689Ek/N1d2N/a//XCeqoH508H5oak= +github.com/go-openapi/swag/fileutils v0.24.0/go.mod h1:3SCrCSBHyP1/N+3oErQ1gP+OX1GV2QYFSnrTbzwli90= +github.com/go-openapi/swag/jsonname v0.24.0 h1:2wKS9bgRV/xB8c62Qg16w4AUiIrqqiniJFtZGi3dg5k= +github.com/go-openapi/swag/jsonname v0.24.0/go.mod h1:GXqrPzGJe611P7LG4QB9JKPtUZ7flE4DOVechNaDd7Q= +github.com/go-openapi/swag/jsonutils v0.24.0 h1:F1vE1q4pg1xtO3HTyJYRmEuJ4jmIp2iZ30bzW5XgZts= +github.com/go-openapi/swag/jsonutils v0.24.0/go.mod h1:vBowZtF5Z4DDApIoxcIVfR8v0l9oq5PpYRUuteVu6f0= +github.com/go-openapi/swag/loading v0.24.0 h1:ln/fWTwJp2Zkj5DdaX4JPiddFC5CHQpvaBKycOlceYc= +github.com/go-openapi/swag/loading v0.24.0/go.mod h1:gShCN4woKZYIxPxbfbyHgjXAhO61m88tmjy0lp/LkJk= +github.com/go-openapi/swag/mangling v0.24.0 h1:PGOQpViCOUroIeak/Uj/sjGAq9LADS3mOyjznmHy2pk= 
+github.com/go-openapi/swag/mangling v0.24.0/go.mod h1:Jm5Go9LHkycsz0wfoaBDkdc4CkpuSnIEf62brzyCbhc= +github.com/go-openapi/swag/netutils v0.24.0 h1:Bz02HRjYv8046Ycg/w80q3g9QCWeIqTvlyOjQPDjD8w= +github.com/go-openapi/swag/netutils v0.24.0/go.mod h1:WRgiHcYTnx+IqfMCtu0hy9oOaPR0HnPbmArSRN1SkZM= +github.com/go-openapi/swag/stringutils v0.24.0 h1:i4Z/Jawf9EvXOLUbT97O0HbPUja18VdBxeadyAqS1FM= +github.com/go-openapi/swag/stringutils v0.24.0/go.mod h1:5nUXB4xA0kw2df5PRipZDslPJgJut+NjL7D25zPZ/4w= +github.com/go-openapi/swag/typeutils v0.24.0 h1:d3szEGzGDf4L2y1gYOSSLeK6h46F+zibnEas2Jm/wIw= +github.com/go-openapi/swag/typeutils v0.24.0/go.mod h1:q8C3Kmk/vh2VhpCLaoR2MVWOGP8y7Jc8l82qCTd1DYI= +github.com/go-openapi/swag/yamlutils v0.24.0 h1:bhw4894A7Iw6ne+639hsBNRHg9iZg/ISrOVr+sJGp4c= +github.com/go-openapi/swag/yamlutils v0.24.0/go.mod h1:DpKv5aYuaGm/sULePoeiG8uwMpZSfReo1HR3Ik0yaG8= github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58= github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ= github.com/go-pdf/fpdf v0.5.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M= 
@@ -1423,14 +1445,14 @@ github.com/sigstore/fulcio v1.7.1 h1:RcoW20Nz49IGeZyu3y9QYhyyV3ZKQ85T+FXPKkvE+aQ github.com/sigstore/fulcio v1.7.1/go.mod h1:7lYY+hsd8Dt+IvKQRC+KEhWpCZ/GlmNvwIa5JhypMS8= github.com/sigstore/protobuf-specs v0.5.0 h1:F8YTI65xOHw70NrvPwJ5PhAzsvTnuJMGLkA4FIkofAY= github.com/sigstore/protobuf-specs v0.5.0/go.mod h1:+gXR+38nIa2oEupqDdzg4qSBT0Os+sP7oYv6alWewWc= -github.com/sigstore/rekor v1.4.1 h1:KK3McuHnptIE9mdNlrc9qh/OVE0AXf4rnScMxJE6xH4= -github.com/sigstore/rekor v1.4.1/go.mod h1:/McBsz/vrtfi4EInxSIk/MGbDXzgv2+1FQUg1R/uSnE= +github.com/sigstore/rekor v1.4.2 h1:Lx2xby7loviFYdg2C9pB1mESk2QU/LqcYSGsqqZwmg8= +github.com/sigstore/rekor v1.4.2/go.mod h1:nX/OYaLqpTeCOuMEt7ELE0+5cVjZWFnFKM+cZ+3hQRA= github.com/sigstore/rekor-tiles v0.1.10 h1:10LVWV+isl43KpjmAID/DH/wT7LeYj3j0eW5pVu6SXE= github.com/sigstore/rekor-tiles v0.1.10/go.mod h1:SDtO+1nGYo6hEPTyshgd4EFDP3gZyZuVCUukBCqaqz0= github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3 h1:IEhSeWfhTd0kaBpHUXniWU2Tl5K5OUACN69mi1WGd+8= github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3/go.mod h1:JuqyPRJYnkNl6OTnQiG503EUnKih4P5EV6FUw+1B0iA= -github.com/sigstore/sigstore-go v1.1.2-0.20250811211025-bac873564adb h1:Yy/pIVtUFjyTSAbr+7jIg5YKTaDXsoHAn9/a8DMyAhQ= -github.com/sigstore/sigstore-go v1.1.2-0.20250811211025-bac873564adb/go.mod h1:kjsxkuzk8dd8bCODeVb9lDSYiMRxxomF3MvBMstHqJM= +github.com/sigstore/sigstore-go v1.1.2 h1:VFfqVQvUm3m7uAiqJFK+hDSH3I2rCBYH4l3wIDy+Ozo= +github.com/sigstore/sigstore-go v1.1.2/go.mod h1:mF7i7L6NlKYuUEnbUUxwtKQuz8BxQ7SGEqXDgnysbKc= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 h1:qp2VFyKuFQvTGmZwk5Q7m5nE4NwnF9tHwkyz0gtWAck= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5/go.mod h1:DKlQjjr+GsWljEYPycI0Sf8URLCk4EbGA9qYjF47j4g= github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5 h1:CRZcdYn5AOptStsLRAAACudAVmb1qUbhMlzrvm7ju3o= 
@@ -1691,8 +1713,8 @@ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91
 golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U=
+golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
diff --git a/internal/key/svkeypair.go b/internal/key/svkeypair.go
index 2bcdcc608f3..5bbf822d49e 100644
--- a/internal/key/svkeypair.go
+++ b/internal/key/svkeypair.go
@@ -17,6 +17,7 @@ package key
 import (
 	"bytes"
 	"context"
+	"crypto"
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/rsa"
@@ -85,6 +86,10 @@ func (k *SignerVerifierKeypair) GetHashAlgorithm() protocommon.HashAlgorithm {
 	return k.sigAlg.GetProtoHashType()
 }
+func (k *SignerVerifierKeypair) GetSigningAlgorithm() protocommon.PublicKeyDetails {
+	return k.sigAlg.GetSignatureAlgorithm()
+}
+
 // GetHint returns a hint for the public key.
 func (k *SignerVerifierKeypair) GetHint() []byte {
 	return k.hint
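Review bot: The new exported method `GetSigningAlgorithm` is added without a doc comment, while its neighbours `GetHashAlgorithm` (in the hunk header) and `GetHint` both follow the `// Name ...` convention that lint enforces. I'd put `// GetSigningAlgorithm returns the keypair's signature algorithm as protobuf PublicKeyDetails.` directly above it. The body only forwards to `k.sigAlg.GetSignatureAlgorithm()`, so nothing beyond that one line needs documenting.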
@@ -95,6 +100,16 @@ func (k *SignerVerifierKeypair) GetKeyAlgorithm() string {
 	return k.keyAlg
 }
+// GetPublicKey returns the public key.
+func (k *SignerVerifierKeypair) GetPublicKey() crypto.PublicKey {
+	pubKey, err := k.sv.PublicKey()
+	if err != nil {
+		// The interface does not allow returning an error
+		return nil
+	}
+	return pubKey
+}
+
 // GetPublicKeyPem returns the public key in PEM format.
 func (k *SignerVerifierKeypair) GetPublicKeyPem() (string, error) {
 	pubKey, err := k.sv.PublicKey()
diff --git a/internal/key/svkeypair_test.go b/internal/key/svkeypair_test.go
index f1378aa07d2..15422b70dfa 100644
--- a/internal/key/svkeypair_test.go
+++ b/internal/key/svkeypair_test.go
@@ -158,6 +158,12 @@ func TestKMSKeypair_Methods(t *testing.T) {
 		}
 	})
+	t.Run("GetSigningAlgorithm", func(t *testing.T) {
+		if kp.GetSigningAlgorithm() != protocommon.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256 {
+			t.Errorf("expected ECDSA_P256_SHA256, got %v", kp.GetSigningAlgorithm())
+		}
+	})
+
 	t.Run("GetHint", func(t *testing.T) {
 		pubKeyBytes, err := x509.MarshalPKIXPublicKey(&ecdsaPriv.PublicKey)
 		if err != nil {
@@ -177,6 +183,13 @@ func TestKMSKeypair_Methods(t *testing.T) {
 		}
 	})
+	t.Run("GetPublicKey", func(t *testing.T) {
+		pub := kp.GetPublicKey()
+		if !pub.(*ecdsa.PublicKey).Equal(&ecdsaPriv.PublicKey) {
+			t.Error("public keys do not match")
+		}
+	})
+
 	t.Run("GetPublicKeyPem", func(t *testing.T) {
 		pem, err := kp.GetPublicKeyPem()
 		if err != nil {
diff --git a/internal/pkg/cosign/rekor/signer_test.go b/internal/pkg/cosign/rekor/signer_test.go
index 5f3dfa02351..0469662157b 100644
--- a/internal/pkg/cosign/rekor/signer_test.go
+++ b/internal/pkg/cosign/rekor/signer_test.go
@@ -21,7 +21,7 @@ import (
 	"strings"
 	"testing"
-	"github.com/go-openapi/swag"
+	"github.com/go-openapi/swag/conv"
 	"github.com/sigstore/cosign/v2/internal/pkg/cosign/payload"
 	"github.com/sigstore/cosign/v2/internal/pkg/cosign/rekor/mock"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
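Review bot: `GetPublicKey` discards the error from `k.sv.PublicKey()` and returns an untyped `nil` as the `crypto.PublicKey`, so a backend that cannot produce its key (a remote signer that is unreachable, for instance) is indistinguishable from success to any caller that does not nil-check, and a later type assertion on the result panics. The in-code comment says the interface forbids an error return, so the contract should at least be stated in the doc comment: `// GetPublicKey returns the public key, or nil if the underlying SignerVerifier cannot produce one; callers must check for nil.` The added `GetPublicKey` subtest in svkeypair_test.go has the same blind spot — `pub.(*ecdsa.PublicKey)` is an unchecked assertion, so a nil return shows up as a panic instead of a test failure; `pub, ok := kp.GetPublicKey().(*ecdsa.PublicKey)` followed by `if !ok { t.Fatalf("expected *ecdsa.PublicKey, got %T", kp.GetPublicKey()) }` reports it properly. Whether the callers introduced for this method elsewhere in the patch guard against nil is not visible from these hunks.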
@@ -52,7 +52,7 @@ func TestSigner(t *testing.T) { mClient.Entries = &mock.EntriesClient{ Entries: []*models.LogEntry{{"123": models.LogEntryAnon{ - LogIndex: swag.Int64(123), + LogIndex: conv.Pointer(int64(123)), }}}, } diff --git a/pkg/cosign/bundle/protobundle_test.go b/pkg/cosign/bundle/protobundle_test.go index dea1bce59bb..4de8851ea03 100644 --- a/pkg/cosign/bundle/protobundle_test.go +++ b/pkg/cosign/bundle/protobundle_test.go @@ -18,7 +18,7 @@ import ( "testing" "github.com/go-openapi/strfmt" - "github.com/go-openapi/swag" + "github.com/go-openapi/swag/conv" "github.com/sigstore/rekor/pkg/generated/models" _ "github.com/sigstore/rekor/pkg/types/hashedrekord" _ "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1" @@ -52,16 +52,16 @@ func TestMakeProtobufBundle(t *testing.T) { rawCert: []byte("cert stuff"), rekorEntry: &models.LogEntryAnon{ Body: "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", - IntegratedTime: swag.Int64(123), - LogID: swag.String("deadbeef"), - LogIndex: swag.Int64(2), + IntegratedTime: conv.Pointer(int64(123)), + LogID: conv.Pointer("deadbeef"), + LogIndex: conv.Pointer(int64(2)), Verification: &models.LogEntryAnonVerification{ InclusionProof: &models.InclusionProof{ - Checkpoint: swag.String("checkpoint"), + Checkpoint: conv.Pointer("checkpoint"), Hashes: []string{"deadbeef", "abcdefaa"}, - LogIndex: swag.Int64(1), - RootHash: swag.String("abcdefaa"), - TreeSize: swag.Int64(2), + LogIndex: conv.Pointer(int64(1)), + RootHash: conv.Pointer("abcdefaa"), + TreeSize: conv.Pointer(int64(2)), }, SignedEntryTimestamp: strfmt.Base64("set"), }, diff --git a/pkg/cosign/bundle/rekor_test.go b/pkg/cosign/bundle/rekor_test.go index eb0e26ad6fb..dbf5e6808a7 100644 --- a/pkg/cosign/bundle/rekor_test.go +++ b/pkg/cosign/bundle/rekor_test.go @@ -21,7 +21,7 @@ import ( "time" "github.com/go-openapi/strfmt" - "github.com/go-openapi/swag" + "github.com/go-openapi/swag/conv" "github.com/sigstore/rekor/pkg/generated/models" ) 
@@ -34,24 +34,24 @@ func TestRekorBundle(t *testing.T) { name: "tlog entry without verification - nil bundle", logEntry: &models.LogEntryAnon{ Body: base64.StdEncoding.EncodeToString([]byte("TEST")), - IntegratedTime: swag.Int64(time.Now().Unix()), - LogIndex: swag.Int64(0), - LogID: swag.String("c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"), + IntegratedTime: conv.Pointer(time.Now().Unix()), + LogIndex: conv.Pointer(int64(0)), + LogID: conv.Pointer("c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"), }, expectedRekorBundle: nil, }, { name: "tlog entry with verification", logEntry: &models.LogEntryAnon{ Body: base64.StdEncoding.EncodeToString([]byte("TEST")), - IntegratedTime: swag.Int64(time.Now().Unix()), - LogIndex: swag.Int64(0), - LogID: swag.String("c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"), + IntegratedTime: conv.Pointer(time.Now().Unix()), + LogIndex: conv.Pointer(int64(0)), + LogID: conv.Pointer("c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"), Verification: &models.LogEntryAnonVerification{ SignedEntryTimestamp: strfmt.Base64([]byte("signature")), InclusionProof: &models.InclusionProof{ - LogIndex: swag.Int64(0), - TreeSize: swag.Int64(1), - RootHash: swag.String("TEST"), + LogIndex: conv.Pointer(int64(0)), + TreeSize: conv.Pointer(int64(1)), + RootHash: conv.Pointer("TEST"), Hashes: []string{}, }, }, diff --git a/pkg/cosign/tlog_test.go b/pkg/cosign/tlog_test.go index 16a1abd58cd..aeaf53e3b7d 100644 --- a/pkg/cosign/tlog_test.go +++ b/pkg/cosign/tlog_test.go @@ -29,7 +29,7 @@ import ( "testing" "time" - "github.com/go-openapi/swag" + "github.com/go-openapi/swag/conv" ttestdata "github.com/google/certificate-transparency-go/trillian/testdata" "github.com/sigstore/rekor/pkg/generated/models" rtypes "github.com/sigstore/rekor/pkg/types" 
@@ -214,9 +214,9 @@ func TestVerifyTLogEntryOfflineFailsWithInvalidPublicKey(t *testing.T) { } lea := &models.LogEntryAnon{ Body: base64.StdEncoding.EncodeToString(canonicalEntry), - LogIndex: swag.Int64(0), - LogID: swag.String(logID), - IntegratedTime: swag.Int64(time.Now().Unix()), + LogIndex: conv.Pointer(int64(0)), + LogID: conv.Pointer(logID), + IntegratedTime: conv.Pointer(time.Now().Unix()), } entryUUID, err := ComputeLeafHash(lea) if err != nil { @@ -224,9 +224,9 @@ func TestVerifyTLogEntryOfflineFailsWithInvalidPublicKey(t *testing.T) { } lea.Verification = &models.LogEntryAnonVerification{ InclusionProof: &models.InclusionProof{ - LogIndex: swag.Int64(0), - TreeSize: swag.Int64(1), - RootHash: swag.String(hex.EncodeToString(entryUUID)), + LogIndex: conv.Pointer(int64(0)), + TreeSize: conv.Pointer(int64(1)), + RootHash: conv.Pointer(hex.EncodeToString(entryUUID)), Hashes: []string{}, }, } diff --git a/pkg/cosign/verify_test.go b/pkg/cosign/verify_test.go index 0546cd9e27b..24d6f98be7c 100644 --- a/pkg/cosign/verify_test.go +++ b/pkg/cosign/verify_test.go @@ -40,7 +40,7 @@ import ( "github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer" "github.com/go-openapi/strfmt" - "github.com/go-openapi/swag" + "github.com/go-openapi/swag/conv" v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/in-toto/in-toto-golang/in_toto" "github.com/secure-systems-lab/go-securesystemslib/dsse" @@ -1689,9 +1689,9 @@ func createRekorEntry(ctx context.Context, t *testing.T, logID string, signer si integratedTime := time.Now().Unix() logEntry := models.LogEntryAnon{ Body: base64.StdEncoding.EncodeToString(canonicalEntry), - IntegratedTime: swag.Int64(integratedTime), - LogIndex: swag.Int64(0), - LogID: swag.String(logID), + IntegratedTime: conv.Pointer(integratedTime), + LogIndex: conv.Pointer(int64(0)), + LogID: conv.Pointer(logID), } // Canonicalize the log entry and sign it 
@@ -1711,9 +1711,9 @@ func createRekorEntry(ctx context.Context, t *testing.T, logID string, signer si
 	logEntry.Verification = &models.LogEntryAnonVerification{
 		SignedEntryTimestamp: signedEntryTimestamp,
 		InclusionProof: &models.InclusionProof{
-			LogIndex: swag.Int64(0),
-			TreeSize: swag.Int64(1),
-			RootHash: swag.String(hex.EncodeToString(entryUUID)),
+			LogIndex: conv.Pointer(int64(0)),
+			TreeSize: conv.Pointer(int64(1)),
+			RootHash: conv.Pointer(hex.EncodeToString(entryUUID)),
 			Hashes: []string{},
 		},
 	}
diff --git a/test/e2e_test.go b/test/e2e_test.go
index 2c525f3557e..353afcf3cbe 100644
--- a/test/e2e_test.go
+++ b/test/e2e_test.go
@@ -2792,6 +2792,45 @@ func TestSignBlobNewBundle(t *testing.T) {
 	must(verifyBlobCmd.Exec(ctx, blobPath), t)
 }
+func TestSignBlobNewBundleNonSHA256(t *testing.T) {
+	td1 := t.TempDir()
+
+	blob := "someblob"
+	blobPath := filepath.Join(td1, blob)
+	if err := os.WriteFile(blobPath, []byte(blob), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	bundlePath := filepath.Join(td1, "bundle.sigstore.json")
+
+	ctx := context.Background()
+
+	// Generate ecdsa-p521 key
+	_, privKeyPath, pubKeyPath := keypairWithAlgorithm(t, td1, v1.PublicKeyDetails_PKIX_ECDSA_P521_SHA_512)
+
+	ko := options.KeyOpts{
+		KeyRef: privKeyPath,
+		PassFunc: passFunc,
+		BundlePath: bundlePath,
+		NewBundleFormat: true,
+	}
+	if _, err := sign.SignBlobCmd(ro, ko, blobPath, true, "", "", false); err != nil {
+		t.Fatal(err)
+	}
+
+	ko1 := options.KeyOpts{
+		KeyRef: pubKeyPath,
+		BundlePath: bundlePath,
+		NewBundleFormat: true,
+	}
+	verifyBlobCmd := cliverify.VerifyBlobCmd{
+		KeyOpts: ko1,
+		IgnoreTlog: true,
+		HashAlgorithm: crypto.SHA512,
+	}
+	must(verifyBlobCmd.Exec(ctx, blobPath), t)
+}
+
 func TestSignBlobNewBundleNonDefaultAlgorithm(t *testing.T) {
 	tts := []struct {
 		algo v1.PublicKeyDetails
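Review bot: `TestSignBlobNewBundleNonSHA256` covers only the success path, where the verifier is explicitly told `HashAlgorithm: crypto.SHA512`; it does not pin what happens when the same P-521/SHA-512 bundle is verified with `HashAlgorithm` left at its default, which is presumably the mismatch that the `--signature-digest-algorithm` flag documented earlier in this patch exists to handle. I'd add a second `VerifyBlobCmd` in the same test with `HashAlgorithm` unset and assert the intended outcome (rejection, or acceptance if the algorithm recorded in the bundle is honored), so that a regression in algorithm selection is caught rather than masked by the explicit override. Which of the two is intended is not decidable from the hunk, so the expected value needs the author's confirmation.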
@@ -2801,8 +2840,9 @@ func TestSignBlobNewBundleNonDefaultAlgorithm(t *testing.T) {
 		{v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_2048_SHA256},
 		{v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_3072_SHA256},
 		{v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_4096_SHA256},
-		{v1.PublicKeyDetails_PKIX_ED25519},
-		{v1.PublicKeyDetails_PKIX_ED25519_PH},
+		// ed25519 and ed25519ph aren't supported for the default flow.
+		// By default, we sign using the prehash variant for a ed25519 key.
+		// Rekor supports ed25519ph for a hashedrekord, but Fulcio doesn't.
 	}
 	td := t.TempDir()
From 2581dfd2bf9572f9b662367c6180434de46b358a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Sep 2025 16:07:29 +0000 Subject: [PATCH 060/136] chore(deps): bump the gomod group across 1 directory with 8 updates (#4401) Bumps the gomod group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [github.com/sigstore/rekor-tiles](https://github.com/sigstore/rekor-tiles) | `0.1.10` | `0.1.11` | | [github.com/sigstore/timestamp-authority](https://github.com/sigstore/timestamp-authority) | `1.2.8` | `1.2.9` | | [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) | `0.143.1` | `0.143.3` | | [k8s.io/api](https://github.com/kubernetes/api) | `0.34.0` | `0.34.1` | | [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.34.0` | `0.34.1` | Updates `github.com/sigstore/rekor-tiles` from 0.1.10 to 0.1.11 - [Release notes](https://github.com/sigstore/rekor-tiles/releases) - [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release) - [Commits](https://github.com/sigstore/rekor-tiles/compare/v0.1.10...v0.1.11) Updates `github.com/sigstore/timestamp-authority` from 1.2.8 to 1.2.9 - [Release notes](https://github.com/sigstore/timestamp-authority/releases) - [Changelog](https://github.com/sigstore/timestamp-authority/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/timestamp-authority/compare/v1.2.8...v1.2.9) Updates `github.com/spf13/pflag` from 1.0.9 to 1.0.10 - [Release notes](https://github.com/spf13/pflag/releases) - [Commits](https://github.com/spf13/pflag/compare/v1.0.9...v1.0.10) Updates `gitlab.com/gitlab-org/api/client-go` from 0.143.1 to 0.143.3 - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.143.1...v0.143.3) Updates `google.golang.org/protobuf` from 1.36.8 to 1.36.9 Updates `k8s.io/api` from 0.34.0 to 
0.34.1 - [Commits](https://github.com/kubernetes/api/compare/v0.34.0...v0.34.1) Updates `k8s.io/apimachinery` from 0.34.0 to 0.34.1 - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.34.0...v0.34.1) Updates `k8s.io/client-go` from 0.34.0 to 0.34.1 - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/kubernetes/client-go/compare/v0.34.0...v0.34.1) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor-tiles dependency-version: 0.1.11 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/sigstore/timestamp-authority dependency-version: 1.2.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/spf13/pflag dependency-version: 1.0.10 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.143.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: google.golang.org/protobuf dependency-version: 1.36.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: k8s.io/api dependency-version: 0.34.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: k8s.io/apimachinery dependency-version: 0.34.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: k8s.io/client-go dependency-version: 0.34.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 34 ++++++++++++++--------------- go.sum | 67 +++++++++++++++++++++++++++++----------------------------- 2 files changed, 51 insertions(+), 50 deletions(-) diff --git a/go.mod b/go.mod index 754d5f09021..b6e046d4d3f 100644 --- a/go.mod +++ b/go.mod @@ -36,32 +36,32 @@ require ( github.com/sigstore/fulcio v1.7.1 github.com/sigstore/protobuf-specs v0.5.0 github.com/sigstore/rekor v1.4.2 - github.com/sigstore/rekor-tiles v0.1.10 + github.com/sigstore/rekor-tiles v0.1.11 github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3 github.com/sigstore/sigstore-go v1.1.2 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5 github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.6-0.20250729224751-181c5d3339b3 github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.9.5 - github.com/sigstore/timestamp-authority v1.2.8 + github.com/sigstore/timestamp-authority v1.2.9 github.com/spf13/cobra v1.10.1 - github.com/spf13/pflag v1.0.9 + github.com/spf13/pflag v1.0.10 github.com/spf13/viper v1.20.1 github.com/spiffe/go-spiffe/v2 v2.6.0 github.com/stretchr/testify v1.11.1 github.com/theupdateframework/go-tuf/v2 v2.1.1 github.com/transparency-dev/merkle v0.0.2 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 - gitlab.com/gitlab-org/api/client-go v0.143.1 + gitlab.com/gitlab-org/api/client-go v0.143.3 golang.org/x/crypto v0.42.0 golang.org/x/oauth2 v0.31.0 golang.org/x/sync v0.17.0 golang.org/x/term v0.35.0 google.golang.org/api v0.248.0 - google.golang.org/protobuf v1.36.8 - k8s.io/api v0.34.0 - k8s.io/apimachinery v0.34.0 - k8s.io/client-go v0.34.0 + google.golang.org/protobuf v1.36.9 + k8s.io/api v0.34.1 + k8s.io/apimachinery v0.34.1 + k8s.io/client-go v0.34.1 k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 sigs.k8s.io/release-utils v0.12.1 ) 
@@ -249,9 +249,9 @@ require ( github.com/pkg/errors v0.9.1 // indirect github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect - github.com/prometheus/client_golang v1.23.0 // indirect + github.com/prometheus/client_golang v1.23.2 // indirect github.com/prometheus/client_model v0.6.2 // indirect - github.com/prometheus/common v0.65.0 // indirect + github.com/prometheus/common v0.66.1 // indirect github.com/prometheus/procfs v0.16.1 // indirect github.com/protocolbuffers/txtpbfmt v0.0.0-20250627152318-f293424e46b5 // indirect github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect @@ -281,7 +281,7 @@ require ( github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/tjfoc/gmsm v1.4.1 // indirect github.com/transparency-dev/formats v0.0.0-20250421220931-bb8ad4d07c26 // indirect - github.com/transparency-dev/tessera v1.0.0-rc2 // indirect + github.com/transparency-dev/tessera v1.0.0-rc3 // indirect github.com/urfave/negroni v1.0.0 // indirect github.com/valyala/fastjson v1.6.4 // indirect github.com/vbatts/tar-split v0.12.1 // indirect 
@@ -293,14 +293,14 @@ require ( go.mongodb.org/mongo-driver v1.14.0 // indirect go.opencensus.io v0.24.0 // indirect go.opentelemetry.io/auto/sdk v1.1.0 // indirect - go.opentelemetry.io/contrib/detectors/gcp v1.37.0 // indirect + go.opentelemetry.io/contrib/detectors/gcp v1.38.0 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect - go.opentelemetry.io/otel v1.37.0 // indirect - go.opentelemetry.io/otel/metric v1.37.0 // indirect - go.opentelemetry.io/otel/sdk v1.37.0 // indirect - go.opentelemetry.io/otel/sdk/metric v1.37.0 // indirect - go.opentelemetry.io/otel/trace v1.37.0 // indirect + go.opentelemetry.io/otel v1.38.0 // indirect + go.opentelemetry.io/otel/metric v1.38.0 // indirect + go.opentelemetry.io/otel/sdk v1.38.0 // indirect + go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect + go.opentelemetry.io/otel/trace v1.38.0 // indirect go.step.sm/crypto v0.70.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect diff --git a/go.sum b/go.sum index 2cc18e00db7..c48047c32b8 100644 --- a/go.sum +++ b/go.sum 
@@ -1395,15 +1395,15 @@ github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.23.0 h1:ust4zpdl9r4trLY/gSjlm07PuiBq2ynaXXlptpfy8Uc= -github.com/prometheus/client_golang v1.23.0/go.mod h1:i/o0R9ByOnHX0McrTMTyhYvKE4haaf2mW08I+jGAjEE= +github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o= +github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w= github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk= github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE= -github.com/prometheus/common v0.65.0 h1:QDwzd+G1twt//Kwj/Ww6E9FQq1iVMmODnILtW1t2VzE= -github.com/prometheus/common v0.65.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8= +github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs= +github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA= github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg= github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is= github.com/protocolbuffers/txtpbfmt v0.0.0-20250627152318-f293424e46b5 h1:WWs1ZFnGobK5ZXNu+N9If+8PDNVB9xAqrib/stUXsV4= 
@@ -1447,8 +1447,8 @@ github.com/sigstore/protobuf-specs v0.5.0 h1:F8YTI65xOHw70NrvPwJ5PhAzsvTnuJMGLkA github.com/sigstore/protobuf-specs v0.5.0/go.mod h1:+gXR+38nIa2oEupqDdzg4qSBT0Os+sP7oYv6alWewWc= github.com/sigstore/rekor v1.4.2 h1:Lx2xby7loviFYdg2C9pB1mESk2QU/LqcYSGsqqZwmg8= github.com/sigstore/rekor v1.4.2/go.mod h1:nX/OYaLqpTeCOuMEt7ELE0+5cVjZWFnFKM+cZ+3hQRA= -github.com/sigstore/rekor-tiles v0.1.10 h1:10LVWV+isl43KpjmAID/DH/wT7LeYj3j0eW5pVu6SXE= -github.com/sigstore/rekor-tiles v0.1.10/go.mod h1:SDtO+1nGYo6hEPTyshgd4EFDP3gZyZuVCUukBCqaqz0= +github.com/sigstore/rekor-tiles v0.1.11 h1:0NAJ2EhD1r6DH95FUuDTqUDd+c31LSKzoXGW5ZCzFq0= +github.com/sigstore/rekor-tiles v0.1.11/go.mod h1:eGIeqASh52pgWpmp/j5KZDjmKdVwob7eTYskVVRCu5k= github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3 h1:IEhSeWfhTd0kaBpHUXniWU2Tl5K5OUACN69mi1WGd+8= github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3/go.mod h1:JuqyPRJYnkNl6OTnQiG503EUnKih4P5EV6FUw+1B0iA= github.com/sigstore/sigstore-go v1.1.2 h1:VFfqVQvUm3m7uAiqJFK+hDSH3I2rCBYH4l3wIDy+Ozo= 
@@ -1461,8 +1461,8 @@ github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.6-0.20250729224751-181c5 github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.6-0.20250729224751-181c5d3339b3/go.mod h1:tRtJzSZ48MXJV9bmS8pkb3mP36PCad/Cs+BmVJ3Z4O4= github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.9.5 h1:S2ukEfN1orLKw2wEQIUHDDlzk0YcylhcheeZ5TGk8LI= github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.9.5/go.mod h1:m7sQxVJmDa+rsmS1m6biQxaLX83pzNS7ThUEyjOqkCU= -github.com/sigstore/timestamp-authority v1.2.8 h1:BEV3fkphwU4zBp3allFAhCqQb99HkiyCXB853RIwuEE= -github.com/sigstore/timestamp-authority v1.2.8/go.mod h1:G2/0hAZmLPnevEwT1S9IvtNHUm9Ktzvso6xuRhl94ZY= +github.com/sigstore/timestamp-authority v1.2.9 h1:L9Fj070/EbMC8qUk8BchkrYCS1BT5i93Bl6McwydkFs= +github.com/sigstore/timestamp-authority v1.2.9/go.mod h1:QyRnZchz4o+xdHyK5rvCWacCHxWmpX+mgvJwB1OXcLY= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA= 
@@ -1482,8 +1482,9 @@ github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y= github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s= github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0= -github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY= github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk= +github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4= github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4= github.com/spiffe/go-spiffe/v2 v2.6.0 h1:l+DolpxNWYgruGQVV0xsfeya3CsC7m8iBzDnMpsbLuo= @@ -1537,8 +1538,8 @@ github.com/transparency-dev/formats v0.0.0-20250421220931-bb8ad4d07c26 h1:YTbkeF github.com/transparency-dev/formats v0.0.0-20250421220931-bb8ad4d07c26/go.mod h1:ODywn0gGarHMMdSkWT56ULoK8Hk71luOyRseKek9COw= github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A= -github.com/transparency-dev/tessera v1.0.0-rc2 h1:BKtDWr0nhL9dG66cS4DyKU9lpZFbUZrpHGh+BpqakcU= -github.com/transparency-dev/tessera v1.0.0-rc2/go.mod h1:aaLlvG/sEPMzT96iIF4hua6Z9pLzkfDtkbaUAR4IL8I= +github.com/transparency-dev/tessera v1.0.0-rc3 h1:v385KqMekDUKI3ZVJHCHE5MAz8LBrWsEKa6OzYLrz0k= +github.com/transparency-dev/tessera v1.0.0-rc3/go.mod h1:aaLlvG/sEPMzT96iIF4hua6Z9pLzkfDtkbaUAR4IL8I= github.com/urfave/negroni v1.0.0 h1:kIimOitoypq34K7TG7DUaJ9kq/N4Ofuwi1sjz0KipXc= github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4= github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXVQ= 
@@ -1579,8 +1580,8 @@ github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8u github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI= github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0= github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= -gitlab.com/gitlab-org/api/client-go v0.143.1 h1:5HyFrXtBZ0WbWLl6Ighrv8wxZ/NWz/KimZiXw6gCT9s= -gitlab.com/gitlab-org/api/client-go v0.143.1/go.mod h1:wvte1ie2U9x25hadhyuCkYug/uxsWMWOTcrgm+f7Big= +gitlab.com/gitlab-org/api/client-go v0.143.3 h1:4Q4zumLVUnxn/s06RD9U3fyibD1/zr43gTDDtRkjqbA= +gitlab.com/gitlab-org/api/client-go v0.143.3/go.mod h1:rw89Kl9AsKmxRhzkfUSfZ+1jpTewwueKvAYwoYmUoQ8= go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80= go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= 
@@ -1594,14 +1595,14 @@ go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= -go.opentelemetry.io/contrib/detectors/gcp v1.37.0 h1:B+WbN9RPsvobe6q4vP6KgM8/9plR/HNjgGBrfcOlweA= -go.opentelemetry.io/contrib/detectors/gcp v1.37.0/go.mod h1:K5zQ3TT7p2ru9Qkzk0bKtCql0RGkPj9pRjpXgZJZ+rU= +go.opentelemetry.io/contrib/detectors/gcp v1.38.0 h1:ZoYbqX7OaA/TAikspPl3ozPI6iY6LiIY9I8cUfm+pJs= +go.opentelemetry.io/contrib/detectors/gcp v1.38.0/go.mod h1:SU+iU7nu5ud4oCb3LQOhIZ3nRLj6FNVrKgtflbaf2ts= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY= -go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ= -go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I= +go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8= +go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 h1:Ahq7pZmv87yiyn3jeFz/LekZmPLLdKejuO3NcK9MssM= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0/go.mod h1:MJTqhM0im3mRLw1i8uGHnCvUEeS7VwRyxlLC78PA18M= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 h1:EtFWSnwW9hGObjkIdmlnWSydO+Qs8OwzfzXLUPg4xOc= 
@@ -1610,14 +1611,14 @@ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0 h1:bDMKF go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0/go.mod h1:dDT67G/IkA46Mr2l9Uj7HsQVwsjASyV9SjGofsiUZDA= go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.36.0 h1:rixTyDGXFxRy1xzhKrotaHy3/KXdPhlWARrCgK+eqUY= go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.36.0/go.mod h1:dowW6UsM9MKbJq5JTz2AMVp3/5iW5I/TStsk8S+CfHw= -go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE= -go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E= -go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI= -go.opentelemetry.io/otel/sdk v1.37.0/go.mod h1:VredYzxUvuo2q3WRcDnKDjbdvmO0sCzOvVAiY+yUkAg= -go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFhbjxHHspCPc= -go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps= -go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4= -go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0= +go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA= +go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI= +go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E= +go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg= +go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM= +go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA= +go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE= +go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs= go.opentelemetry.io/proto/otlp v0.7.0/go.mod 
h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.opentelemetry.io/proto/otlp v0.15.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= @@ -2316,8 +2317,8 @@ google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc= -google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU= +google.golang.org/protobuf v1.36.9 h1:w2gp2mA27hUeUzj9Ex9FBjsBm40zfaDtEWow293U7Iw= +google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -2354,12 +2355,12 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las= -k8s.io/api v0.34.0 h1:L+JtP2wDbEYPUeNGbeSa/5GwFtIA662EmT2YSLOkAVE= -k8s.io/api v0.34.0/go.mod h1:YzgkIzOOlhl9uwWCZNqpw6RJy9L2FK4dlJeayUoydug= -k8s.io/apimachinery v0.34.0 h1:eR1WO5fo0HyoQZt1wdISpFDffnWOvFLOOeJ7MgIv4z0= -k8s.io/apimachinery v0.34.0/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= -k8s.io/client-go v0.34.0 h1:YoWv5r7bsBfb0Hs2jh8SOvFbKzzxyNo0nSb0zC19KZo= -k8s.io/client-go v0.34.0/go.mod h1:ozgMnEKXkRjeMvBZdV1AijMHLTh3pbACPvK7zFR+QQY= +k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM= +k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk= +k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4= +k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= +k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY= +k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA= From b1acaeb92cc9e6a2a35f8d1a8f0a58c482914025 Mon Sep 17 00:00:00 2001 From: Hayden Date: Fri, 12 Sep 2025 09:33:44 -0700 Subject: [PATCH 061/136] Add a terminal spinner while signing with sigstore-go (#4402) Recording signatures to Rekor v2 can take up to 10 seconds. We want to avoid someone killing the process while waiting for a response from Rekor, otherwise the user will have to re-sign the artifact. 
Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
---
 cmd/cosign/cli/attest/attest.go | 2 +-
 cmd/cosign/cli/attest/attest_blob.go | 2 +-
 cmd/cosign/cli/sign/sign.go | 2 +-
 cmd/cosign/cli/sign/sign_blob.go | 2 +-
 internal/ui/spinner.go | 66 ++++++++++++++++++++++++++++
 pkg/cosign/bundle/sign.go | 8 +++-
 6 files changed, 77 insertions(+), 5 deletions(-)
 create mode 100644 internal/ui/spinner.go
diff --git a/cmd/cosign/cli/attest/attest.go b/cmd/cosign/cli/attest/attest.go
index 67da902eb9f..7c38f7efb92 100644
--- a/cmd/cosign/cli/attest/attest.go
+++ b/cmd/cosign/cli/attest/attest.go
@@ -206,7 +206,7 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error {
 Data: payload,
 PayloadType: "application/vnd.in-toto+json",
 }
- bundle, err := cbundle.SignData(content, keypair, idToken, c.SigningConfig, c.TrustedMaterial)
+ bundle, err := cbundle.SignData(ctx, content, keypair, idToken, c.SigningConfig, c.TrustedMaterial)
 if err != nil {
 return fmt.Errorf("signing bundle: %w", err)
 }
diff --git a/cmd/cosign/cli/attest/attest_blob.go b/cmd/cosign/cli/attest/attest_blob.go
index 4a49fae0925..bd369b91acc 100644
--- a/cmd/cosign/cli/attest/attest_blob.go
+++ b/cmd/cosign/cli/attest/attest_blob.go
@@ -207,7 +207,7 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 Data: payload,
 PayloadType: "application/vnd.in-toto+json",
 }
- bundle, err := cbundle.SignData(content, keypair, idToken, c.SigningConfig, c.TrustedMaterial)
+ bundle, err := cbundle.SignData(ctx, content, keypair, idToken, c.SigningConfig, c.TrustedMaterial)
 if err != nil {
 return fmt.Errorf("signing bundle: %w", err)
 }
diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
index abba92aa6fe..51dcedd885e 100644
--- a/cmd/cosign/cli/sign/sign.go
+++ b/cmd/cosign/cli/sign/sign.go
@@ -298,7 +298,7 @@ func signDigestBundle(ctx context.Context, digest name.Digest, ko options.KeyOpt
 Data: payload,
 PayloadType: "application/vnd.in-toto+json",
 }
- bundle, err := cbundle.SignData(content, keypair, idToken, ko.SigningConfig, ko.TrustedMaterial)
+ bundle, err := cbundle.SignData(ctx, content, keypair, idToken, ko.SigningConfig, ko.TrustedMaterial)
 if err != nil {
 return fmt.Errorf("signing bundle: %w", err)
 }
diff --git a/cmd/cosign/cli/sign/sign_blob.go b/cmd/cosign/cli/sign/sign_blob.go
index 6d918650123..c04d830b313 100644
--- a/cmd/cosign/cli/sign/sign_blob.go
+++ b/cmd/cosign/cli/sign/sign_blob.go
@@ -137,7 +137,7 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string
 content := &sign.PlainData{
 Data: data,
 }
- bundle, err := cbundle.SignData(content, keypair, idToken, ko.SigningConfig, ko.TrustedMaterial)
+ bundle, err := cbundle.SignData(ctx, content, keypair, idToken, ko.SigningConfig, ko.TrustedMaterial)
 if err != nil {
 return nil, fmt.Errorf("signing bundle: %w", err)
 }
diff --git a/internal/ui/spinner.go b/internal/ui/spinner.go
new file mode 100644
index 00000000000..f0598bfbf08
--- /dev/null
+++ b/internal/ui/spinner.go
@@ -0,0 +1,66 @@
+// Copyright 2025 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ui
+
+import (
+ "context"
+ "fmt"
+ "os"
+ "strings"
+ "time"
+
+ "github.com/moby/term"
+)
+
+// Spinner shows progress for long-running operations in the terminal
+type Spinner struct {
+ done chan struct{}
+}
+
+// NewSpinner starts a spinner in a goroutine and returns it.
+func NewSpinner(ctx context.Context, message string) *Spinner {
+ s := &Spinner{
+ done: make(chan struct{}),
+ }
+
+ go func() {
+ // Don't show spinner if not in a terminal
+ fd := os.Stderr.Fd()
+ if !term.IsTerminal(fd) {
+ Infof(ctx, "%s", message)
+ return
+ }
+
+ ticker := time.NewTicker(100 * time.Millisecond)
+ defer ticker.Stop()
+ spinnerChars := []rune{'|', '/', '-', '\\'}
+ i := 0
+ for {
+ select {
+ case <-ticker.C:
+ i++
+ fmt.Fprintf(os.Stderr, "\r%s %c ", message, spinnerChars[i%len(spinnerChars)])
+ case <-s.done:
+ fmt.Fprintf(os.Stderr, "\r%s\r", strings.Repeat(" ", len(message)+3))
+ return
+ }
+ }
+ }()
+ return s
+}
+
+func (s *Spinner) Stop() {
+ close(s.done)
+}
diff --git a/pkg/cosign/bundle/sign.go b/pkg/cosign/bundle/sign.go
index fbd6ac18be6..45a91aab981 100644
--- a/pkg/cosign/bundle/sign.go
+++ b/pkg/cosign/bundle/sign.go
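Review bot: `Stop` returns as soon as it closes `done`, before the goroutine has written its `\r`-clearing `Fprintf`, so whatever the caller prints to stderr next can be interleaved with or overwritten by that final redraw; a second call to `Stop` would also panic on the already-closed channel. Have the goroutine close a `finished` channel when it exits (it does so on the non-terminal path too, so the wait is unconditional), make `Stop` wait on it under a `sync.Once`, and give the exported `Stop` a doc comment; `sync` then needs adding to the import block. The loop never selects on `ctx.Done()`, so `ctx` only reaches `Infof` — if that is intended, say so in the `NewSpinner` comment, e.g. `// ctx is used only for log output; cancellation does not stop the spinner, call Stop.`
```go
// Spinner shows progress for long-running operations in the terminal
type Spinner struct {
	done     chan struct{}
	finished chan struct{} // closed by the goroutine once the line is cleared
	stopOnce sync.Once
}

// NewSpinner starts a spinner in a goroutine and returns it.
func NewSpinner(ctx context.Context, message string) *Spinner {
	s := &Spinner{
		done:     make(chan struct{}),
		finished: make(chan struct{}),
	}

	go func() {
		defer close(s.finished)
		// … unchanged: terminal check, ticker loop, final line clear …
	}()
	return s
}

// Stop ends the spinner and returns once the progress line has been cleared
// from stderr; calling it more than once is safe.
func (s *Spinner) Stop() {
	s.stopOnce.Do(func() {
		close(s.done)
		<-s.finished
	})
}
```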
@@ -15,19 +15,21 @@ package bundle
 import (
+ "context"
 "crypto/x509"
 "encoding/pem"
 "fmt"
 "log"
 "time"
+ "github.com/sigstore/cosign/v2/internal/ui"
 "github.com/sigstore/sigstore-go/pkg/root"
 "github.com/sigstore/sigstore-go/pkg/sign"
 "github.com/sigstore/sigstore/pkg/signature"
 "google.golang.org/protobuf/encoding/protojson"
 )
-func SignData(content sign.Content, keypair sign.Keypair, idToken string, signingConfig *root.SigningConfig, trustedMaterial root.TrustedMaterial) ([]byte, error) {
+func SignData(ctx context.Context, content sign.Content, keypair sign.Keypair, idToken string, signingConfig *root.SigningConfig, trustedMaterial root.TrustedMaterial) ([]byte, error) {
 var opts sign.BundleOptions
 if trustedMaterial != nil {
@@ -109,7 +111,11 @@ func SignData(content sign.Content, keypair sign.Keypair, idToken string, signin
 }
 }
+ spinner := ui.NewSpinner(ctx, "Signing artifact...")
+ defer spinner.Stop()
+
 bundle, err := sign.Bundle(content, keypair, opts)
+
 if err != nil {
 return nil, fmt.Errorf("error signing bundle: %w", err)
 }
From 37fbfc7018fb4d60a9a2c9175bd64c75dda5869a Mon Sep 17 00:00:00 2001
From: Hayden
Date: Fri, 12 Sep 2025 12:49:02 -0700
Subject: [PATCH 062/136] Require exclusively a SigningConfig or service URLs when signing (#4403)
A signing config is a source of truth for the service URLs. We will disallow specifying multiple sources of truth for service URLs if the default values are overridden.
Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
---
 cmd/cosign/cli/attest.go | 16 ++++++++++++----
 cmd/cosign/cli/attest_blob.go | 15 ++++++++++++---
 cmd/cosign/cli/sign.go | 16 ++++++++++++----
 cmd/cosign/cli/signblob.go | 15 ++++++++++++---
 4 files changed, 48 insertions(+), 14 deletions(-)
diff --git a/cmd/cosign/cli/attest.go b/cmd/cosign/cli/attest.go
index f5a4427d149..74715c6829d 100644
--- a/cmd/cosign/cli/attest.go
+++ b/cmd/cosign/cli/attest.go
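Review bot: `defer spinner.Stop()` keeps the spinner goroutine redrawing the line until `SignData` returns, so any output written after `sign.Bundle` comes back (this file imports `log`, and the function body continues past the hunk) can be interleaved with or overwritten by the spinner's `\r` frames; there is no return between `NewSpinner` and the call, so stop it directly on the line after `bundle, err := sign.Bundle(content, keypair, opts)` with `spinner.Stop()` and drop the `defer`. The blank line inserted between that call and its `if err != nil` check separates a call from its error handling, which the surrounding code in this hunk does not do; remove it. `ctx` is now part of the signature but only reaches `ui.NewSpinner`, so cancellation does not propagate to the signing itself — `SignData` is exported and has no doc comment, and that is worth stating in one, e.g. `// SignData signs content with keypair and returns the serialized bundle; ctx currently scopes only UI output.`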
@@ -102,6 +102,18 @@ func Attest() *cobra.Command {
 IssueCertificateForExistingKey: o.IssueCertificate,
 NewBundleFormat: o.NewBundleFormat,
 }
+ // If a signing config is used, then service URLs cannot be specified
+ if (o.UseSigningConfig || o.SigningConfigPath != "") &&
+ ((o.Rekor.URL != "" && o.Rekor.URL != options.DefaultRekorURL) ||
+ (o.Fulcio.URL != "" && o.Fulcio.URL != options.DefaultFulcioURL) ||
+ (o.OIDC.Issuer != "" && o.OIDC.Issuer != options.DefaultOIDCIssuerURL) ||
+ o.TSAServerURL != "") {
+ return fmt.Errorf("cannot specify service URLs and use signing config")
+ }
+ // Signing config requires a bundle as output for verification materials since sigstore-go is used
+ if (o.UseSigningConfig || o.SigningConfigPath != "") && !o.NewBundleFormat {
+ return fmt.Errorf("must provide --new-bundle-format with --signing-config or --use-signing-config")
+ }
 // Fetch a trusted root when:
 // * requesting a certificate and no CT log key is provided to verify an SCT
 // * using a signing config and signing using sigstore-go
@@ -119,10 +131,6 @@ func Attest() *cobra.Command {
 }
 }
 }
-
- if (o.UseSigningConfig || o.SigningConfigPath != "") && !o.NewBundleFormat {
- return fmt.Errorf("must provide --new-bundle-format with --signing-config or --use-signing-config")
- }
 if o.UseSigningConfig {
 ko.SigningConfig, err = cosign.SigningConfig()
 if err != nil {
diff --git a/cmd/cosign/cli/attest_blob.go b/cmd/cosign/cli/attest_blob.go
index 860ab474911..0afd6aa8f94 100644
--- a/cmd/cosign/cli/attest_blob.go
+++ b/cmd/cosign/cli/attest_blob.go
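Review bot: The predicate `o.UseSigningConfig || o.SigningConfigPath != ""` is evaluated three times in this hunk, and the eight-line URL-conflict check is copied verbatim into attest_blob.go, sign.go and signblob.go (the next three hunks); hoist it once, `usingSigningConfig := o.UseSigningConfig || o.SigningConfigPath != ""`, and consider a single helper in the options package that the four commands call, so the list of guarded flags cannot drift between them. The error `cannot specify service URLs and use signing config` does not say which flag conflicted; naming the first offending flag (`--rekor-url`, `--fulcio-url`, `--oidc-issuer` or `--timestamp-server-url`, whichever these options map to) would save the user a guess. A URL explicitly set to its default value is accepted silently, which is presumably intended but worth a word in the comment. The enclosing `Attest` function continues outside the hunk.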
@@ -90,6 +90,18 @@ func AttestBlob() *cobra.Command {
 BundlePath: o.BundlePath,
 NewBundleFormat: o.NewBundleFormat,
 }
+ // If a signing config is used, then service URLs cannot be specified
+ if (o.UseSigningConfig || o.SigningConfigPath != "") &&
+ ((o.Rekor.URL != "" && o.Rekor.URL != options.DefaultRekorURL) ||
+ (o.Fulcio.URL != "" && o.Fulcio.URL != options.DefaultFulcioURL) ||
+ (o.OIDC.Issuer != "" && o.OIDC.Issuer != options.DefaultOIDCIssuerURL) ||
+ o.TSAServerURL != "") {
+ return fmt.Errorf("cannot specify service URLs and use signing config")
+ }
+ // Signing config requires a bundle as output for verification materials since sigstore-go is used
+ if (o.UseSigningConfig || o.SigningConfigPath != "") && o.BundlePath == "" {
+ return fmt.Errorf("must provide --bundle with --signing-config or --use-signing-config")
+ }
 // Fetch a trusted root when:
 // * requesting a certificate and no CT log key is provided to verify an SCT
 // * using a signing config and signing using sigstore-go
@@ -107,9 +119,6 @@ func AttestBlob() *cobra.Command {
 }
 }
 }
- if (o.UseSigningConfig || o.SigningConfigPath != "") && o.BundlePath == "" {
- return fmt.Errorf("must provide --bundle with --signing-config or --use-signing-config")
- }
 if o.UseSigningConfig {
 ko.SigningConfig, err = cosign.SigningConfig()
 if err != nil {
diff --git a/cmd/cosign/cli/sign.go b/cmd/cosign/cli/sign.go
index c19ee56190d..9ae5fd2a2d2 100644
--- a/cmd/cosign/cli/sign.go
+++ b/cmd/cosign/cli/sign.go
@@ -132,6 +132,18 @@ race conditions or (worse) malicious tampering.
 TSAServerURL: o.TSAServerURL,
 IssueCertificateForExistingKey: o.IssueCertificate,
 }
+ // If a signing config is used, then service URLs cannot be specified
+ if (o.UseSigningConfig || o.SigningConfigPath != "") &&
+ ((o.Rekor.URL != "" && o.Rekor.URL != options.DefaultRekorURL) ||
+ (o.Fulcio.URL != "" && o.Fulcio.URL != options.DefaultFulcioURL) ||
+ (o.OIDC.Issuer != "" && o.OIDC.Issuer != options.DefaultOIDCIssuerURL) ||
+ o.TSAServerURL != "") {
+ return fmt.Errorf("cannot specify service URLs and use signing config")
+ }
+ // Signing config requires a bundle as output for verification materials since sigstore-go is used
+ if (o.UseSigningConfig || o.SigningConfigPath != "") && !o.NewBundleFormat {
+ return fmt.Errorf("must provide --new-bundle-format with --signing-config or --use-signing-config")
+ }
 // Fetch a trusted root when:
 // * requesting a certificate and no CT log key is provided to verify an SCT
 // * using a signing config and signing using sigstore-go
@@ -149,10 +161,6 @@ race conditions or (worse) malicious tampering.
 }
 }
 }
-
- if (o.UseSigningConfig || o.SigningConfigPath != "") && !o.NewBundleFormat {
- return fmt.Errorf("must provide --new-bundle-format with --signing-config or --use-signing-config")
- }
 if o.UseSigningConfig {
 ko.SigningConfig, err = cosign.SigningConfig()
 if err != nil {
diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go
index b0f704114c4..349b7c9a9a7 100644
--- a/cmd/cosign/cli/signblob.go
+++ b/cmd/cosign/cli/signblob.go
@@ -100,6 +100,18 @@ func SignBlob() *cobra.Command {
 RFC3161TimestampPath: o.RFC3161TimestampPath,
 IssueCertificateForExistingKey: o.IssueCertificate,
 }
+ // If a signing config is used, then service URLs cannot be specified
+ if (o.UseSigningConfig || o.SigningConfigPath != "") &&
+ ((o.Rekor.URL != "" && o.Rekor.URL != options.DefaultRekorURL) ||
+ (o.Fulcio.URL != "" && o.Fulcio.URL != options.DefaultFulcioURL) ||
+ (o.OIDC.Issuer != "" && o.OIDC.Issuer != options.DefaultOIDCIssuerURL) ||
+ o.TSAServerURL != "") {
+ return fmt.Errorf("cannot specify service URLs and use signing config")
+ }
+ // Signing config requires a bundle as output for verification materials since sigstore-go is used
+ if (o.UseSigningConfig || o.SigningConfigPath != "") && o.BundlePath == "" {
+ return fmt.Errorf("must provide --bundle with --signing-config or --use-signing-config")
+ }
 // Fetch a trusted root when:
 // * requesting a certificate and no CT log key is provided to verify an SCT
 // * using a signing config and signing using sigstore-go
@@ -117,9 +129,6 @@ func SignBlob() *cobra.Command {
 }
 }
 }
- if (o.UseSigningConfig || o.SigningConfigPath != "") && o.BundlePath == "" {
- return fmt.Errorf("must provide --bundle with --signing-config or --use-signing-config")
- }
 if o.UseSigningConfig {
 ko.SigningConfig, err = cosign.SigningConfig()
 if err != nil {
From 6431af15a8066c4b33c7232fc2dba3f9278a16a5 Mon Sep 17 00:00:00 2001
From: Hayden
Date: Fri, 12 Sep 2025 14:04:52 -0700
Subject: [PATCH 063/136] Add CHANGELOG for v2.6.0 (#4404)
Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
---
 CHANGELOG.md | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f4000a587d6..1999cb9d782 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,59 @@
+# v2.6.0
+
+v2.6.0 introduces a number of new features, including:
+
+* Signing an in-toto statement rather than Cosign constructing one from a predicate, along with verifying a statement's subject using a digest and digest algorithm rather than providing a file reference (#4306)
+* Uploading a signature and its verification material (a ["bundle"](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto)) as an OCI Image 1.1 referring artifact, completing [#3927](https://github.com/sigstore/cosign/issues/3927) (#4316)
+* Providing service URLs for signing and attesting using a [SigningConfig](https://github.com/sigstore/protobuf-specs/blob/4df5baadcdb582a70c2bc032e042c0a218eb3841/protos/sigstore_trustroot.proto#L185). Note that this is required when using a [Rekor v2](https://github.com/sigstore/rekor-tiles) instance (#4319)
+
+Example generation and verification of a signed in-toto statement:
+
+```
+cosign attest-blob --new-bundle-format=true --bundle="digest-key-test.sigstore.json" --key="cosign.key" --statement="../sigstore-go/examples/sigstore-go-signing/intoto.txt"
+cosign verify-blob-attestation --bundle="digest-key-test.sigstore.json" --key=cosign.pub --type=unused --digest="b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9" --digestAlg="sha256"
+```
+
+Example container signing and verification using the new bundle format and referring artifacts:
+
+```
+cosign sign --new-bundle-format=true ghcr.io/user/alpine@sha256:a19367999603840546b8612572e338ec076c6d1f2fec61760a9e11410f546733
+cosign verify --new-bundle-format=true ghcr.io/user/alpine@sha256:a19367999603840546b8612572e338ec076c6d1f2fec61760a9e11410f546733
+```
+
+Example usage of a signing config provided by the public good instance's TUF repository:
+
+```
+cosign sign-blob --use-signing-config --bundle sigstore.json README.md
+cosign verify-blob --new-bundle-format --bundle sigstore.json --certificate-identity $EMAIL --certificate-oidc-issuer 
$ISSUER --use-signed-timestamps README.md
+```
+
+v2.6.0 leverages sigstore-go's signing and verification APIs gated behind these new flags. In an upcoming major release, we will be
+updating Cosign to default to producing and consuming bundles to align with all other Sigstore SDKs.
+
+## Features
+
+* Add to `attest-blob` the ability to supply a complete in-toto statement, and add to `verify-blob-attestation` the ability to verify with just a digest (#4306)
+* Have cosign sign support bundle format (#4316)
+* Add support for SigningConfig for sign-blob/attest-blob, support Rekor v2 (#4319)
+* Add support for SigningConfig in sign/attest (#4371)
+* Support self-managed keys when signing with sigstore-go (#4368)
+* Don't require timestamps when verifying with a key (#4337)
+* Don't load content from TUF if trusted root path is specified (#4347)
+* Add a terminal spinner while signing with sigstore-go (#4402)
+* Require exclusively a SigningConfig or service URLs when signing (#4403)
+* Remove SHA256 assumption in sign-blob/verify-blob (#4050)
+* Bump sigstore-go, support alternative hash algorithms with keys (#4386)
+
+## Breaking API Changes
+
+* `sign.SignerFromKeyOpts` no longer generates a key. Instead, it returns whether or not the client needs to generate a key, and if so, clients
+should call `sign.KeylessSigner`. This allows clients to more easily manage key generation.
+
+## Bug Fixes
+
+* Verify subject with bundle only when checking claims (#4320)
+* Fixes to cosign sign / verify for the new bundle format (#4346)
+
 # v2.5.3
 ## Features
From b952363fb2bd6e23aaab30a710ee05e1d40d387b Mon Sep 17 00:00:00 2001
From: Zach Steindler
Date: Tue, 16 Sep 2025 13:31:06 -0400
Subject: [PATCH 064/136] Default to using the new protobuf format (#4318)
* Default to using the new protobuf format
---------
Signed-off-by: Zach Steindler
---
 .../workflows/kind-verify-attestation.yaml | 27 ++++++++++++-------
 cmd/cosign/cli/options/attest.go | 3 +-
 cmd/cosign/cli/options/attest_blob.go | 3 +-
 cmd/cosign/cli/options/sign.go | 3 +-
 cmd/cosign/cli/options/signblob.go | 3 +-
 cmd/cosign/cli/options/verify.go | 3 +-
 cmd/cosign/cli/verify/verify.go | 23 +++++++++++-----
 cmd/cosign/cli/verify/verify_attestation.go | 22 +++++++++----
 cmd/cosign/cli/verify/verify_blob.go | 2 +-
 .../cli/verify/verify_blob_attestation.go | 2 +-
 doc/cosign_attest-blob.md | 2 +-
 doc/cosign_attest.md | 2 +-
 doc/cosign_dockerfile_verify.md | 2 +-
 doc/cosign_manifest_verify.md | 2 +-
 doc/cosign_sign-blob.md | 2 +-
 doc/cosign_sign.md | 2 +-
 doc/cosign_verify-attestation.md | 2 +-
 doc/cosign_verify-blob-attestation.md | 2 +-
 doc/cosign_verify-blob.md | 2 +-
 doc/cosign_verify.md | 2 +-
 pkg/cosign/verify.go | 4 +--
 pkg/cosign/verify_oci_test.go | 8 +++---
 test/e2e_test.go | 12 +++++++++
 test/e2e_test.ps1 | 6 ++---
 24 files changed, 90 insertions(+), 51 deletions(-)
diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml
index 5ccd7457bad..7d16e7de890 100644
--- a/.github/workflows/kind-verify-attestation.yaml
+++ b/.github/workflows/kind-verify-attestation.yaml
@@ -105,17 +105,26 @@ jobs:
 TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
 ./cosign initialize --mirror $TUF_MIRROR --root ./root.json
- - name: Initialize with custom TUF root pointing to local filesystem
- if: ${{ matrix.tuf-root == 'air-gap' }}
+ - name: Get copy of TUF repository
 run: |
 # Grab the compressed repository for airgap testing.
 kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.repository}' | base64 -d > ./repository.tar.gz
 tar -zxvf ./repository.tar.gz
+
+ - name: Initialize with custom TUF root pointing to local filesystem
+ if: ${{ matrix.tuf-root == 'air-gap' }}
+ run: |
+ # Grab the compressed repository for airgap testing.
 PWD=$(pwd)
 ROOT=${PWD}/repository/1.root.json
 REPOSITORY=${PWD}/repository
 ./cosign initialize --root ${ROOT} --mirror file://${REPOSITORY}
+ - name: Set trustedroot
+ run: |
+ trustedroot=$(find ./repository/targets -name "*.trusted_root.json")
+ echo "trustedroot=$trustedroot" >> $GITHUB_ENV
+
 - name: Sign demoimage with cosign
 run: |
 ./cosign sign --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --yes --allow-insecure-registry ${demoimage} --identity-token ${OIDC_TOKEN}
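Review bot: The comment `# Grab the compressed repository for airgap testing.` was carried into the new "Initialize with custom TUF root" step, where nothing is fetched any more — the download and extraction now live in the unconditional "Get copy of TUF repository" step above it — so it should become `# Point cosign at the repository extracted above for airgap testing.` or be dropped. In "Set trustedroot", `find ./repository/targets -name "*.trusted_root.json"` can match more than one file, in which case the value contains a newline and `trustedroot=$trustedroot` is no longer a single valid `$GITHUB_ENV` entry; select one deterministically or fail loudly, e.g. `trustedroot=$(find ./repository/targets -name "*.trusted_root.json" | sort | head -n 1)` followed by `test -n "$trustedroot"`. Since every later verify step trusts whatever this file says, a silently wrong pick would make those steps pass or fail for the wrong reason.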
@@ -127,16 +136,16 @@ jobs:
 - name: Sign a blob
 run: |
- ./cosign sign-blob README.md --fulcio-url ${FULCIO_URL} --rekor-url ${REKOR_URL} --output-certificate cert.pem --output-signature sig --yes --identity-token ${OIDC_TOKEN}
+ ./cosign sign-blob README.md --fulcio-url ${FULCIO_URL} --rekor-url ${REKOR_URL} --bundle blob.sigstore.json --yes --identity-token ${OIDC_TOKEN}
 - name: Verify with cosign
 run: |
- ./cosign verify --rekor-url ${REKOR_URL} --allow-insecure-registry ${demoimage} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
+ ./cosign verify --trusted-root=${trustedroot} --allow-insecure-registry ${demoimage} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
 - name: Verify custom attestation with cosign, works
 run: |
 echo '::group:: test custom verify-attestation success'
- if ! ./cosign verify-attestation --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" --policy ./test/testdata/policies/cue-works.cue --rekor-url ${REKOR_URL} --allow-insecure-registry ${demoimage} ; then
+ if ! ./cosign verify-attestation --trusted-root=${trustedroot} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" --policy ./test/testdata/policies/cue-works.cue --rekor-url ${REKOR_URL} --allow-insecure-registry ${demoimage} ; then
 echo Failed to verify attestation with a valid policy
 exit 1
 else
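Review bot: The "Verify custom attestation with cosign, works" command adds `--trusted-root=${trustedroot}` but keeps `--rekor-url ${REKOR_URL}`, and so does the "fails" variant in the next hunk, whereas the two vuln-attestation steps further down drop `--rekor-url` when they gain the trusted root; the four verify-attestation invocations should take the same form so they exercise the same code path. With a trusted root supplied, the log key material presumably comes from that file, so the extra `--rekor-url` is either redundant or quietly changing which verifier runs — pick one and make the four lines consistent. The `verify-blob` step in the next hunk follows the vuln form (trusted root, no `--rekor-url`), which suggests that is the intended one.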
@@ -147,7 +156,7 @@ jobs: - name: Verify custom attestation with cosign, fails run: | echo '::group:: test custom verify-attestation success' - if ./cosign verify-attestation --policy ./test/testdata/policies/cue-fails.cue --rekor-url ${REKOR_URL} --allow-insecure-registry ${demoimage} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then + if ./cosign verify-attestation --trusted-root=${trustedroot} --policy ./test/testdata/policies/cue-fails.cue --rekor-url ${REKOR_URL} --allow-insecure-registry ${demoimage} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then echo custom verify-attestation succeeded with cue policy that should not work exit 1 else @@ -157,7 +166,7 @@ jobs: - name: Verify a blob run: | - ./cosign verify-blob README.md --rekor-url ${REKOR_URL} --certificate ./cert.pem --signature sig --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" + ./cosign verify-blob README.md --trusted-root=${trustedroot} --bundle blob.sigstore.json --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" - name: Collect diagnostics if: ${{ failure() }} 
@@ -170,7 +179,7 @@ jobs: - name: Verify vuln attestation with cosign, works run: | echo '::group:: test vuln verify-attestation success' - if ! ./cosign verify-attestation --type vuln --policy ./test/testdata/policies/cue-vuln-works.cue --rekor-url ${REKOR_URL} --allow-insecure-registry ${demoimage} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then + if ! ./cosign verify-attestation --trusted-root=${trustedroot} --type vuln --policy ./test/testdata/policies/cue-vuln-works.cue --allow-insecure-registry ${demoimage} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then echo Failed to verify attestation with a valid policy exit 1 else @@ -181,7 +190,7 @@ jobs: - name: Verify vuln attestation with cosign, fails run: | echo '::group:: test vuln verify-attestation success' - if ./cosign verify-attestation --type vuln --policy ./test/testdata/policies/cue-vuln-fails.cue --rekor-url ${REKOR_URL} --allow-insecure-registry ${demoimage} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then + if ./cosign verify-attestation --trusted-root=${trustedroot} --type vuln --policy ./test/testdata/policies/cue-vuln-fails.cue --allow-insecure-registry ${demoimage} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then echo verify-attestation succeeded with cue policy that should not work exit 1 else diff --git a/cmd/cosign/cli/options/attest.go b/cmd/cosign/cli/options/attest.go index fa91ac8a207..a1f3a664bfc 100644 --- a/cmd/cosign/cli/options/attest.go +++ b/cmd/cosign/cli/options/attest.go 
@@ -114,8 +114,7 @@ func (o *AttestOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().BoolVar(&o.IssueCertificate, "issue-certificate", false, "issue a code signing certificate from Fulcio, even if a key is provided") - // TODO: have this default to true as a breaking change - cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", false, "attach a Sigstore bundle using OCI referrers API") + cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", true, "attach a Sigstore bundle using OCI referrers API") // TODO: have this default to true as a breaking change cmd.Flags().BoolVar(&o.UseSigningConfig, "use-signing-config", false, diff --git a/cmd/cosign/cli/options/attest_blob.go b/cmd/cosign/cli/options/attest_blob.go index a3f73aede02..4f38ddb9112 100644 --- a/cmd/cosign/cli/options/attest_blob.go +++ b/cmd/cosign/cli/options/attest_blob.go @@ -98,8 +98,7 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) { "write everything required to verify the blob to a FILE") _ = cmd.MarkFlagFilename("bundle", bundleExts...) - // TODO: have this default to true as a breaking change - cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", false, + cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", true, "output bundle in new format that contains all verification material") // TODO: have this default to true as a breaking change diff --git a/cmd/cosign/cli/options/sign.go b/cmd/cosign/cli/options/sign.go index 3cda1a3f839..028cb9a82ae 100644 --- a/cmd/cosign/cli/options/sign.go +++ b/cmd/cosign/cli/options/sign.go 
@@ -142,8 +142,7 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().BoolVar(&o.RecordCreationTimestamp, "record-creation-timestamp", false, "set the createdAt timestamp in the signature artifact to the time it was created; by default, cosign sets this to the zero value") - // TODO: have this default to true as a breaking change - cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", false, "expect the signature/attestation to be packaged in a Sigstore bundle") + cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", true, "expect the signature/attestation to be packaged in a Sigstore bundle") // TODO: have this default to true as a breaking change cmd.Flags().BoolVar(&o.UseSigningConfig, "use-signing-config", false, diff --git a/cmd/cosign/cli/options/signblob.go b/cmd/cosign/cli/options/signblob.go index 51f14c67d0a..bf07bdcfed6 100644 --- a/cmd/cosign/cli/options/signblob.go +++ b/cmd/cosign/cli/options/signblob.go @@ -81,8 +81,7 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) { "write everything required to verify the blob to a FILE") _ = cmd.MarkFlagFilename("bundle", bundleExts...) - // TODO: have this default to true as a breaking change - cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", false, + cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", true, "output bundle in new format that contains all verification material") // TODO: have this default to true as a breaking change diff --git a/cmd/cosign/cli/options/verify.go b/cmd/cosign/cli/options/verify.go index d493ebe6309..ec3f6a6daa0 100644 --- a/cmd/cosign/cli/options/verify.go +++ b/cmd/cosign/cli/options/verify.go 
@@ -62,8 +62,7 @@ func (o *CommonVerifyOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.TrustedRootPath, "trusted-root", "", "Path to a Sigstore TrustedRoot JSON file. Requires --new-bundle-format to be set.") - // TODO: have this default to true as a breaking change - cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", false, + cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", true, "expect the signature/attestation to be packaged in a Sigstore bundle") } diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go index e04a5720795..aef668a2270 100644 --- a/cmd/cosign/cli/verify/verify.go +++ b/cmd/cosign/cli/verify/verify.go @@ -141,6 +141,17 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { NewBundleFormat: c.NewBundleFormat, } + // Check to see if we are using the new bundle format or not + if !c.LocalImage { + ref, err := name.ParseReference(images[0], c.NameOptions...) + if err == nil && c.NewBundleFormat { + newBundles, _, err := cosign.GetBundles(ctx, ref, co) + if len(newBundles) == 0 || err != nil { + co.NewBundleFormat = false + } + } + } + if c.TrustedRootPath != "" { co.TrustedMaterial, err = root.NewTrustedRootFromPath(c.TrustedRootPath) if err != nil { @@ -158,7 +169,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { } } - if c.NewBundleFormat { + if co.NewBundleFormat { if c.CertRef != "" { return fmt.Errorf("unsupported: certificate may not be provided using --certificate when using --new-bundle-format (cert must be in bundle)") } 
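Review bot: The context line just above the changed default still reads `Path to a Sigstore TrustedRoot JSON file. Requires --new-bundle-format to be set.`, which stops being true once `--new-bundle-format` defaults to true; readers of `--help` will look for a flag they no longer need to pass. Reword it to something like `Path to a Sigstore TrustedRoot JSON file. Used with the Sigstore bundle format (--new-bundle-format, on by default).` and regenerate the doc/ pages touched further down in this commit so they pick it up. The description `expect the signature/attestation to be packaged in a Sigstore bundle` could also mention that cosign falls back to legacy verification when no bundle is attached, since that is the behaviour this commit introduces in verify.go.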
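Review bot: The probe added at the top of `Exec` turns any failure of `cosign.GetBundles` into `co.NewBundleFormat = false`, so a transient registry error, an auth failure or an empty referrers listing silently downgrades verification from the Sigstore-bundle path to the legacy signature path, and because the flag now defaults to true the code cannot tell an explicit `--new-bundle-format` from the default. Fall back only on the "nothing attached" outcomes the function actually reports — `*ErrNoMatchingAttestations` and `*ErrImageTagNotFound`, the two that `TestGetBundles_Empty` asserts on — return every other error, and print a warning when the downgrade happens so the operator can see which path produced the verdict. `newBundles` is also thrown away, so `VerifyImageAttestations` presumably fetches the same bundles again; passing them through would save the second round-trip and close the window in which the two fetches could disagree. The same block is added to `VerifyAttestationCommand.Exec` in the `@@ -121,6 +121,18 @@` hunk of verify_attestation.go below; on both, `// Check to see if we are using the new bundle format or not` would be clearer as `// Fall back to legacy signature verification when the registry reports no Sigstore bundle attached to the image.`. `errors` may need importing, and the rest of `Exec` lies outside this hunk.
```go
	// Fall back to legacy signature verification only when the registry
	// reports that nothing is attached; any other error is a real failure.
	if !c.LocalImage && c.NewBundleFormat {
		ref, err := name.ParseReference(images[0], c.NameOptions...)
		if err != nil {
			return fmt.Errorf("parsing reference: %w", err)
		}
		newBundles, _, err := cosign.GetBundles(ctx, ref, co)
		var noMatch *cosign.ErrNoMatchingAttestations
		var notFound *cosign.ErrImageTagNotFound
		switch {
		case err == nil && len(newBundles) > 0:
			// Sigstore bundle present: keep co.NewBundleFormat as requested.
		case err == nil, errors.As(err, &noMatch), errors.As(err, &notFound):
			// TODO(review): surface this downgrade to the user, not only in debug output.
			co.NewBundleFormat = false
		default:
			return fmt.Errorf("checking for Sigstore bundles on %s: %w", ref, err)
		}
	}
	// … unchanged: trusted root loading …
```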
@@ -181,7 +192,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { } // If we are using signed timestamps and there is no trusted root, we need to load the TSA certificates - if co.UseSignedTimestamps && co.TrustedMaterial == nil && !c.NewBundleFormat { + if co.UseSignedTimestamps && co.TrustedMaterial == nil && !co.NewBundleFormat { tsaCertificates, err := cosign.GetTSACerts(ctx, c.TSACertChainPath, cosign.GetTufTargets) if err != nil { return fmt.Errorf("unable to load TSA certificates: %w", err) @@ -191,7 +202,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { co.TSAIntermediateCertificates = tsaCertificates.IntermediateCerts } - if !c.IgnoreTlog && !c.NewBundleFormat { + if !c.IgnoreTlog && !co.NewBundleFormat { if c.RekorURL != "" { rekorClient, err := rekor.NewClient(c.RekorURL) if err != nil { @@ -248,7 +259,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { return fmt.Errorf("initializing piv token verifier: %w", err) } case certRef != "": - if c.NewBundleFormat { + if co.NewBundleFormat { // This shouldn't happen because we already checked for this above in checkSigstoreBundleUnsupportedOptions return fmt.Errorf("unsupported: certificate reference currently not supported with --new-bundle-format") } @@ -319,7 +330,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { var bundleVerified bool if c.LocalImage { - if c.NewBundleFormat { + if co.NewBundleFormat { verified, bundleVerified, err = cosign.VerifyLocalImageAttestations(ctx, img, co) if err != nil { return err @@ -338,7 +349,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { return fmt.Errorf("parsing reference: %w", err) } - if c.NewBundleFormat { + if co.NewBundleFormat { // OCI bundle always contains attestation verified, bundleVerified, err = cosign.VerifyImageAttestations(ctx, ref, co) if err != nil { 
diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go index 9c53a70dc2a..4536321c91c 100644 --- a/cmd/cosign/cli/verify/verify_attestation.go +++ b/cmd/cosign/cli/verify/verify_attestation.go @@ -121,6 +121,18 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e UseSignedTimestamps: c.TSACertChainPath != "" || c.UseSignedTimestamps, NewBundleFormat: c.NewBundleFormat, } + + // Check to see if we are using the new bundle format or not + if !c.LocalImage { + ref, err := name.ParseReference(images[0], c.NameOptions...) + if err == nil && c.NewBundleFormat { + newBundles, _, err := cosign.GetBundles(ctx, ref, co) + if len(newBundles) == 0 || err != nil { + co.NewBundleFormat = false + } + } + } + if c.CheckClaims { co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier } @@ -141,7 +153,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e } } - if c.NewBundleFormat { + if co.NewBundleFormat { if err = checkSigstoreBundleUnsupportedOptions(c); err != nil { return err } @@ -151,7 +163,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e } // Ignore Signed Certificate Timestamp if the flag is set or a key is provided - if co.TrustedMaterial == nil && shouldVerifySCT(c.IgnoreSCT, c.KeyRef, c.Sk) && !c.NewBundleFormat { + if co.TrustedMaterial == nil && shouldVerifySCT(c.IgnoreSCT, c.KeyRef, c.Sk) && !co.NewBundleFormat { co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx) if err != nil { return fmt.Errorf("getting ctlog public keys: %w", err) 
@@ -159,7 +171,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e } // If we are using signed timestamps, we need to load the TSA certificates - if co.UseSignedTimestamps && co.TrustedMaterial == nil && !c.NewBundleFormat { + if co.UseSignedTimestamps && co.TrustedMaterial == nil && !co.NewBundleFormat { tsaCertificates, err := cosign.GetTSACerts(ctx, c.TSACertChainPath, cosign.GetTufTargets) if err != nil { return fmt.Errorf("unable to load TSA certificates: %w", err) @@ -217,7 +229,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e return fmt.Errorf("initializing piv token verifier: %w", err) } case c.CertRef != "": - if c.NewBundleFormat { + if co.NewBundleFormat { // This shouldn't happen because we already checked for this above in checkSigstoreBundleUnsupportedOptions return fmt.Errorf("unsupported: certificate reference currently not supported with --new-bundle-format") } @@ -260,7 +272,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e co.SCT = sct } case c.TrustedRootPath != "": - if !c.NewBundleFormat { + if !co.NewBundleFormat { return fmt.Errorf("unsupported: trusted root path currently only supported with --new-bundle-format") } diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go index 125ccbfdce5..fb0bd081868 100644 --- a/cmd/cosign/cli/verify/verify_blob.go +++ b/cmd/cosign/cli/verify/verify_blob.go @@ -114,7 +114,7 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error { Offline: c.Offline, IgnoreTlog: c.IgnoreTlog, UseSignedTimestamps: c.TSACertChainPath != "" || c.UseSignedTimestamps, - NewBundleFormat: c.KeyOpts.NewBundleFormat || checkNewBundle(c.BundlePath), + NewBundleFormat: c.KeyOpts.NewBundleFormat && checkNewBundle(c.BundlePath), } // Keys are optional! 
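Review bot: With the condition now reading `!co.NewBundleFormat`, the error `unsupported: trusted root path currently only supported with --new-bundle-format` in the `@@ -260,7 +272,7 @@` hunk is reached when the user did pass `--new-bundle-format` (or relied on its new default) together with `--trusted-root` and the probe earlier in `Exec` flipped `co.NewBundleFormat` to false because no bundle was attached; the message then blames a flag the user never turned off. Say what actually happened, e.g. `return fmt.Errorf("unsupported: --trusted-root requires a Sigstore bundle attached to the image, but only legacy signatures were found")`. The `certificate reference currently not supported with --new-bundle-format` message in the `@@ -217,7 +229,7 @@` hunk (and `(cert must be in bundle)` in verify.go) has the mirror problem: the user typically did not pass the flag, so the message should name `--new-bundle-format=false` as the way to verify with `--certificate`. The enclosing `switch` and `Exec` extend beyond these hunks.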
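Review bot: Changing `||` to `&&` makes `checkNewBundle(c.BundlePath)` override the flag downward with no signal: a user who passes `--new-bundle-format` (now the default) with a legacy bundle file gets legacy verification silently, whereas before this commit a file that looked like a new bundle was always verified as such. In the other direction, `--new-bundle-format=false` with a new-format bundle is now handed to the legacy path — I cannot see `checkNewBundle` or that path from here, so confirm it fails closed rather than misreading the file. At minimum print a warning when `c.KeyOpts.NewBundleFormat` is true and `c.BundlePath != "" && !checkNewBundle(c.BundlePath)`, and say in the `--new-bundle-format` help text that a legacy `--bundle` is auto-detected. The identical change in `VerifyBlobAttestationCommand.Exec` (`@@ -124,7 +124,7 @@` hunk of verify_blob_attestation.go, next line) needs the same treatment; `Exec` continues outside the hunk.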
diff --git a/cmd/cosign/cli/verify/verify_blob_attestation.go b/cmd/cosign/cli/verify/verify_blob_attestation.go index de50f4ab968..a84f4f3b2c4 100644 --- a/cmd/cosign/cli/verify/verify_blob_attestation.go +++ b/cmd/cosign/cli/verify/verify_blob_attestation.go @@ -124,7 +124,7 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st Offline: c.Offline, IgnoreTlog: c.IgnoreTlog, UseSignedTimestamps: c.TSACertChainPath != "" || c.UseSignedTimestamps, - NewBundleFormat: c.NewBundleFormat || checkNewBundle(c.BundlePath), + NewBundleFormat: c.NewBundleFormat && checkNewBundle(c.BundlePath), } // Keys are optional! diff --git a/doc/cosign_attest-blob.md b/doc/cosign_attest-blob.md index 6836ded3ba5..679d04b13d6 100644 --- a/doc/cosign_attest-blob.md +++ b/doc/cosign_attest-blob.md @@ -44,7 +44,7 @@ cosign attest-blob [flags] --insecure-skip-verify skip verifying fulcio published to the SCT (this should only be used for testing). --issue-certificate issue a code signing certificate from Fulcio, even if a key is provided --key string path to the private key file, KMS URI or Kubernetes Secret - --new-bundle-format output bundle in new format that contains all verification material + --new-bundle-format output bundle in new format that contains all verification material (default true) --oidc-client-id string OIDC client ID for application (default "sigstore") --oidc-client-secret-file string Path to file containing OIDC client secret for application --oidc-disable-ambient-providers Disable ambient OIDC providers. When true, ambient credentials will not be read diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md index ed95856f615..ae47750dc5e 100644 --- a/doc/cosign_attest.md +++ b/doc/cosign_attest.md 
@@ -61,7 +61,7 @@ cosign attest [flags] --issue-certificate issue a code signing certificate from Fulcio, even if a key is provided --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). --key string path to the private key file, KMS URI or Kubernetes Secret - --new-bundle-format attach a Sigstore bundle using OCI referrers API + --new-bundle-format attach a Sigstore bundle using OCI referrers API (default true) --no-upload do not upload the generated attestation, but send the attestation output to STDOUT --oidc-client-id string OIDC client ID for application (default "sigstore") --oidc-client-secret-file string Path to file containing OIDC client secret for application diff --git a/doc/cosign_dockerfile_verify.md b/doc/cosign_dockerfile_verify.md index cef70479668..163e83568dd 100644 --- a/doc/cosign_dockerfile_verify.md +++ b/doc/cosign_dockerfile_verify.md @@ -77,7 +77,7 @@ cosign dockerfile verify [flags] --key string path to the public key file, KMS URI or Kubernetes Secret --local-image whether the specified image is a path to an image saved locally via 'cosign save' --max-workers int the amount of maximum workers for parallel executions (default 10) - --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle + --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle (default true) --offline only allow offline verification -o, --output string output format for the signing image information (json|text) (default "json") --payload string payload path or remote URL diff --git a/doc/cosign_manifest_verify.md b/doc/cosign_manifest_verify.md index c8907d44b9e..f3387d97bfa 100644 --- a/doc/cosign_manifest_verify.md +++ b/doc/cosign_manifest_verify.md 
@@ -71,7 +71,7 @@ cosign manifest verify [flags] --key string path to the public key file, KMS URI or Kubernetes Secret --local-image whether the specified image is a path to an image saved locally via 'cosign save' --max-workers int the amount of maximum workers for parallel executions (default 10) - --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle + --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle (default true) --offline only allow offline verification -o, --output string output format for the signing image information (json|text) (default "json") --payload string payload path or remote URL diff --git a/doc/cosign_sign-blob.md b/doc/cosign_sign-blob.md index 7078de609c6..1b16b93c21f 100644 --- a/doc/cosign_sign-blob.md +++ b/doc/cosign_sign-blob.md @@ -45,7 +45,7 @@ cosign sign-blob [flags] --insecure-skip-verify skip verifying fulcio published to the SCT (this should only be used for testing). --issue-certificate issue a code signing certificate from Fulcio, even if a key is provided --key string path to the private key file, KMS URI or Kubernetes Secret - --new-bundle-format output bundle in new format that contains all verification material + --new-bundle-format output bundle in new format that contains all verification material (default true) --oidc-client-id string OIDC client ID for application (default "sigstore") --oidc-client-secret-file string Path to file containing OIDC client secret for application --oidc-disable-ambient-providers Disable ambient OIDC providers. When true, ambient credentials will not be read diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md index 40fec19f5b9..51f89871af3 100644 --- a/doc/cosign_sign.md +++ b/doc/cosign_sign.md 
@@ -87,7 +87,7 @@ cosign sign [flags] --issue-certificate issue a code signing certificate from Fulcio, even if a key is provided --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). --key string path to the private key file, KMS URI or Kubernetes Secret - --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle + --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle (default true) --oidc-client-id string OIDC client ID for application (default "sigstore") --oidc-client-secret-file string Path to file containing OIDC client secret for application --oidc-disable-ambient-providers Disable ambient OIDC providers. When true, ambient credentials will not be read diff --git a/doc/cosign_verify-attestation.md b/doc/cosign_verify-attestation.md index 996e8e77276..68c4d0982c9 100644 --- a/doc/cosign_verify-attestation.md +++ b/doc/cosign_verify-attestation.md @@ -81,7 +81,7 @@ cosign verify-attestation [flags] --key string path to the public key file, KMS URI or Kubernetes Secret --local-image whether the specified image is a path to an image saved locally via 'cosign save' --max-workers int the amount of maximum workers for parallel executions (default 10) - --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle + --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle (default true) --offline only allow offline verification -o, --output string output format for the signing image information (json|text) (default "json") --policy strings specify CUE or Rego files with policies to be used for validation diff --git a/doc/cosign_verify-blob-attestation.md b/doc/cosign_verify-blob-attestation.md index 43eb9cbbbd3..019b47171fe 100644 --- a/doc/cosign_verify-blob-attestation.md +++ b/doc/cosign_verify-blob-attestation.md 
@@ -51,7 +51,7 @@ cosign verify-blob-attestation [flags] --insecure-ignore-tlog ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts cannot be publicly verified when not included in a log --key string path to the public key file, KMS URI or Kubernetes Secret --max-workers int the amount of maximum workers for parallel executions (default 10) - --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle + --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle (default true) --offline only allow offline verification --private-infrastructure skip transparency log verification when verifying artifacts in a privately deployed infrastructure --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") diff --git a/doc/cosign_verify-blob.md b/doc/cosign_verify-blob.md index 494e53fc54f..ad4b1f36866 100644 --- a/doc/cosign_verify-blob.md +++ b/doc/cosign_verify-blob.md @@ -84,7 +84,7 @@ cosign verify-blob [flags] --insecure-ignore-tlog ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts cannot be publicly verified when not included in a log --key string path to the public key file, KMS URI or Kubernetes Secret --max-workers int the amount of maximum workers for parallel executions (default 10) - --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle + --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle (default true) --offline only allow offline verification --private-infrastructure skip transparency log verification when verifying artifacts in a privately deployed infrastructure --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") diff --git a/doc/cosign_verify.md b/doc/cosign_verify.md index ef47b2d7bbc..68df34f0dd3 100644 
--- a/doc/cosign_verify.md +++ b/doc/cosign_verify.md @@ -98,7 +98,7 @@ cosign verify [flags] --key string path to the public key file, KMS URI or Kubernetes Secret --local-image whether the specified image is a path to an image saved locally via 'cosign save' --max-workers int the amount of maximum workers for parallel executions (default 10) - --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle + --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle (default true) --offline only allow offline verification -o, --output string output format for the signing image information (json|text) (default "json") --payload string payload path or remote URL diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go index d2f1c4163a6..215bd2cfa7b 100644 --- a/pkg/cosign/verify.go +++ b/pkg/cosign/verify.go @@ -1618,7 +1618,7 @@ func verifyImageSignaturesExperimentalOCI(ctx context.Context, signedImgRef name return verifySignatures(ctx, sigs, h, co) } -func getBundles(_ context.Context, signedImgRef name.Reference, co *CheckOpts) ([]*sgbundle.Bundle, *v1.Hash, error) { +func GetBundles(_ context.Context, signedImgRef name.Reference, co *CheckOpts) ([]*sgbundle.Bundle, *v1.Hash, error) { // This is a carefully optimized sequence for fetching the signatures of the // entity that minimizes registry requests when supplied with a digest input digest, err := ociremote.ResolveDigest(signedImgRef, co.RegistryClientOpts...) 
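Review bot: `GetBundles` becomes exported here without a doc comment, and the two `//` lines below the signature describe the request-minimising sequence rather than the contract, so the new caller in cmd/cosign/cli/verify has nothing to go on. Add above the `func` line: `// GetBundles fetches the Sigstore bundles attached to signedImgRef and returns them together with the image's resolved digest. It returns *ErrImageTagNotFound when the reference does not exist and *ErrNoMatchingAttestations when nothing attached could be parsed as a bundle.` — those are the two error types `TestGetBundles_Empty` asserts on, and exactly what a caller deciding whether to fall back needs documented. Since the name is now public, also reconsider the ignored `_ context.Context`: if the registry calls in the rest of the body accept a context, plumbing it through is cheap and lets callers cancel the probe. The body continues past the hunk.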
@@ -1665,7 +1665,7 @@ func getBundles(_ context.Context, signedImgRef name.Reference, co *CheckOpts) ( // verifyImageAttestationsSigstoreBundle verifies attestations from attached sigstore bundles func verifyImageAttestationsSigstoreBundle(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedAttestations []oci.Signature, atLeastOneBundleVerified bool, err error) { - bundles, hash, err := getBundles(ctx, signedImgRef, co) + bundles, hash, err := GetBundles(ctx, signedImgRef, co) if err != nil { return nil, false, err } diff --git a/pkg/cosign/verify_oci_test.go b/pkg/cosign/verify_oci_test.go index aa80eabf981..39672ce329a 100644 --- a/pkg/cosign/verify_oci_test.go +++ b/pkg/cosign/verify_oci_test.go @@ -53,7 +53,7 @@ func TestGetBundles_Empty(t *testing.T) { assert.NoError(t, err) // If tag doesn't exist, should return ErrImageTagNotFound - bundles, hash, err := getBundles(context.Background(), ref, &CheckOpts{}) + bundles, hash, err := GetBundles(context.Background(), ref, &CheckOpts{}) imgTagNotFound := &ErrImageTagNotFound{} assert.ErrorAs(t, err, &imgTagNotFound) assert.Len(t, bundles, 0) @@ -65,7 +65,7 @@ func TestGetBundles_Empty(t *testing.T) { assert.NoError(t, remote.Write(ref, img)) // Check that no matching attestation error is returned - bundles, hash, err = getBundles(context.Background(), ref, &CheckOpts{}) + bundles, hash, err = GetBundles(context.Background(), ref, &CheckOpts{}) var noMatchErr *ErrNoMatchingAttestations assert.ErrorAs(t, err, &noMatchErr) assert.Len(t, bundles, 0) @@ -81,7 +81,7 @@ func TestGetBundles_Empty(t *testing.T) { assert.NoError(t, err) // Should still return no matching attestation error, as it failed to parse the bundle - bundles, hash, err = getBundles(context.Background(), ref, &CheckOpts{}) + bundles, hash, err = GetBundles(context.Background(), ref, &CheckOpts{}) assert.ErrorAs(t, err, &noMatchErr) assert.Len(t, bundles, 0) assert.Nil(t, hash) 
@@ -111,7 +111,7 @@ func TestGetBundles_Valid(t *testing.T) { assert.NoError(t, err) // Retrieve the attestation - bundles, hash, err := getBundles(context.Background(), ref, &CheckOpts{}) + bundles, hash, err := GetBundles(context.Background(), ref, &CheckOpts{}) assert.NoError(t, err) assert.Len(t, bundles, 1) assert.NotNil(t, hash) diff --git a/test/e2e_test.go b/test/e2e_test.go index 353afcf3cbe..ce40f6ba1d7 100644 --- a/test/e2e_test.go +++ b/test/e2e_test.go @@ -124,6 +124,14 @@ func TestSignVerify(t *testing.T) { must(verify(pubKeyPath, imgName, true, nil, "", false), t) must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t) + // Ensure it verifies if you default to the new protobuf bundle format + cmd := cliverify.VerifyCommand{ + KeyRef: pubKeyPath, + RekorURL: rekorURL, + NewBundleFormat: true, + } + must(cmd.Exec(ctx, []string{imgName}), t) + // Look for a specific annotation mustErr(verify(pubKeyPath, imgName, true, map[string]interface{}{"foo": "bar"}, "", false), t) @@ -1878,6 +1886,10 @@ func TestAttestationRFC3161Timestamp(t *testing.T) { } must(verifyAttestation.Exec(ctx, []string{imgName}), t) + + // Ensure it verifies if you default to the new protobuf bundle format + verifyAttestation.NewBundleFormat = true + must(verifyAttestation.Exec(ctx, []string{imgName}), t) } func TestAttestationBlobRFC3161Timestamp(t *testing.T) { diff --git a/test/e2e_test.ps1 b/test/e2e_test.ps1 index 66e4c30edd7..dd6736f6321 100644 --- a/test/e2e_test.ps1 +++ b/test/e2e_test.ps1 
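Review bot: The new `VerifyCommand` block in `TestSignVerify` only shows that an image signed earlier in the test (presumably in the legacy layout) still verifies with `NewBundleFormat: true` — it exercises the fallback added in verify.go — but nothing asserts which path produced the verdict, so a regression that always falls back would still pass. A companion case that attaches a Sigstore bundle and verifies with `NewBundleFormat: true`, and one with a bundle present and `NewBundleFormat: false`, would pin both branches; the `verifyAttestation.NewBundleFormat = true` addition in `TestAttestationRFC3161Timestamp` has the same gap. A one-line comment such as `// Legacy-signed image: exercises the fallback to the legacy verification path.` would also make the intent explicit. Both enclosing tests extend beyond the hunks.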
@@ -34,9 +34,9 @@ Write-Output $pass | .\cosign.exe generate-key-pair $signing_key = "cosign.key" $verification_key = "cosign.pub" -$test_img = "ghcr.io/distroless/static" -Write-Output $pass | .\cosign.exe sign --key $signing_key --output-signature interactive.sig --output-payload interactive.payload --tlog-upload=false $test_img -.\cosign.exe verify --key $verification_key --signature interactive.sig --payload interactive.payload --insecure-ignore-tlog=true $test_img +Write-Output "hello world" | Out-File -FilePath "hello_world.txt" +Write-Output $pass | .\cosign.exe sign-blob --key $signing_key --bundle test.sigstore.json --tlog-upload=false hello_world.txt +.\cosign.exe verify-blob --key $verification_key --bundle test.sigstore.json --insecure-ignore-tlog=true hello_world.txt Pop-Location From fb2fb6b530cb117969949536d2cb5188f2675c2d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Sep 2025 10:42:20 -0700 Subject: [PATCH 065/136] chore(deps): bump github.com/buildkite/agent/v3 from 3.104.0 to 3.105.0 (#4411) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.104.0 to 3.105.0. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](https://github.com/buildkite/agent/compare/v3.104.0...v3.105.0) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.105.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 34 ++++++++++++------------ go.sum | 84 +++++++++++++++++++++++++++++----------------------------- 2 files changed, 59 insertions(+), 59 deletions(-) diff --git a/go.mod b/go.mod index b6e046d4d3f..9507ce3c0f3 100644 --- a/go.mod +++ b/go.mod 
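Review bot: Replacing the `sign`/`verify` pair on `ghcr.io/distroless/static` with a `sign-blob`/`verify-blob` round-trip removes the only image-signing coverage visible in the Windows script; if that was done because `sign` now defaults to the Sigstore bundle format and would need a writable registry, a comment above `Write-Output "hello world"` saying so (e.g. `# Image signing now needs a registry for the bundle referrer; exercise the blob path here.`) will stop the next reader from restoring it. The blob path itself is consistent — `--tlog-upload=false` on signing matches `--insecure-ignore-tlog=true` on verification. The rest of the script lies outside the hunk.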
@@ -6,7 +6,7 @@ require (
 cuelang.org/go v0.14.1
 github.com/ThalesIgnite/crypto11 v1.2.5
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1
- github.com/buildkite/agent/v3 v3.104.0
+ github.com/buildkite/agent/v3 v3.105.0
 github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589
 github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467
 github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936
@@ -57,7 +57,7 @@ require (
 golang.org/x/oauth2 v0.31.0
 golang.org/x/sync v0.17.0
 golang.org/x/term v0.35.0
- google.golang.org/api v0.248.0
+ google.golang.org/api v0.249.0
 google.golang.org/protobuf v1.36.9
 k8s.io/api v0.34.1
 k8s.io/apimachinery v0.34.1
@@ -116,22 +116,22 @@ require (
 github.com/aliyun/credentials-go v1.3.2 // indirect
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 github.com/aws/aws-sdk-go v1.55.8 // indirect
- github.com/aws/aws-sdk-go-v2 v1.38.1 // indirect
- github.com/aws/aws-sdk-go-v2/config v1.31.3 // indirect
- github.com/aws/aws-sdk-go-v2/credentials v1.18.7 // indirect
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.4 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.4 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.4 // indirect
+ github.com/aws/aws-sdk-go-v2 v1.39.0 // indirect
+ github.com/aws/aws-sdk-go-v2/config v1.31.7 // indirect
+ github.com/aws/aws-sdk-go-v2/credentials v1.18.11 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.7 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.7 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.7 // indirect
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
 github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 // indirect
 github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.4 // indirect
- github.com/aws/aws-sdk-go-v2/service/kms v1.44.2 // indirect
- github.com/aws/aws-sdk-go-v2/service/sso v1.28.2 // indirect
- github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.0 // indirect
- github.com/aws/aws-sdk-go-v2/service/sts v1.38.0 // indirect
- github.com/aws/smithy-go v1.22.5 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.7 // indirect
+ github.com/aws/aws-sdk-go-v2/service/kms v1.45.2 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.29.2 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.3 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sts v1.38.3 // indirect
+ github.com/aws/smithy-go v1.23.0 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/blang/semver v3.5.1+incompatible // indirect
 github.com/buildkite/go-pipeline v0.15.0 // indirect
@@ -314,8 +314,8 @@ require (
 golang.org/x/time v0.12.0 // indirect
 golang.org/x/tools v0.36.0 // indirect
 google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 // indirect
 google.golang.org/grpc v1.75.0 // indirect
 gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
diff --git a/go.sum b/go.sum
index c48047c32b8..1644d8c0f2f 100644
--- a/go.sum
+++ b/go.sum
@@ -757,38 +757,38 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/aws/aws-sdk-go v1.55.8 h1:JRmEUbU52aJQZ2AjX4q4Wu7t4uZjOu71uyNmaWlUkJQ= github.com/aws/aws-sdk-go v1.55.8/go.mod h1:ZkViS9AqA6otK+JBBNH2++sx1sgxrPKcSzPPvQkUtXk= -github.com/aws/aws-sdk-go-v2 v1.38.1 h1:j7sc33amE74Rz0M/PoCpsZQ6OunLqys/m5antM0J+Z8= -github.com/aws/aws-sdk-go-v2 v1.38.1/go.mod h1:9Q0OoGQoboYIAJyslFyF1f5K1Ryddop8gqMhWx/n4Wg= -github.com/aws/aws-sdk-go-v2/config v1.31.3 h1:RIb3yr/+PZ18YYNe6MDiG/3jVoJrPmdoCARwNkMGvco= -github.com/aws/aws-sdk-go-v2/config v1.31.3/go.mod h1:jjgx1n7x0FAKl6TnakqrpkHWWKcX3xfWtdnIJs5K9CE= -github.com/aws/aws-sdk-go-v2/credentials v1.18.7 h1:zqg4OMrKj+t5HlswDApgvAHjxKtlduKS7KicXB+7RLg= -github.com/aws/aws-sdk-go-v2/credentials v1.18.7/go.mod h1:/4M5OidTskkgkv+nCIfC9/tbiQ/c8qTox9QcUDV0cgc= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.4 h1:lpdMwTzmuDLkgW7086jE94HweHCqG+uOJwHf3LZs7T0= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.4/go.mod h1:9xzb8/SV62W6gHQGC/8rrvgNXU6ZoYM3sAIJCIrXJxY= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.4 h1:IdCLsiiIj5YJ3AFevsewURCPV+YWUlOW8JiPhoAy8vg= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.4/go.mod h1:l4bdfCD7XyyZA9BolKBo1eLqgaJxl0/x91PL4Yqe0ao= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.4 h1:j7vjtr1YIssWQOMeOWRbh3z8g2oY/xPjnZH2gLY4sGw= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.4/go.mod h1:yDmJgqOiH4EA8Hndnv4KwAo8jCGTSnM5ASG1nBI+toA= +github.com/aws/aws-sdk-go-v2 v1.39.0 h1:xm5WV/2L4emMRmMjHFykqiA4M/ra0DJVSWUkDyBjbg4= +github.com/aws/aws-sdk-go-v2 v1.39.0/go.mod h1:sDioUELIUO9Znk23YVmIk86/9DOpkbyyVb1i/gUNFXY= +github.com/aws/aws-sdk-go-v2/config v1.31.7 h1:zS1O6hr6t0nZdBCMFc/c9OyZFyLhXhf/B2IZ9Y0lRQE= +github.com/aws/aws-sdk-go-v2/config v1.31.7/go.mod 
h1:GpHmi1PQDdL5pP4JaB00pU0ek4EXVcYH7IkjkUadQmM= +github.com/aws/aws-sdk-go-v2/credentials v1.18.11 h1:1Fnb+7Dk96/VYx/uYfzk5sU2V0b0y2RWZROiMZCN/Io= +github.com/aws/aws-sdk-go-v2/credentials v1.18.11/go.mod h1:iuvn9v10dkxU4sDgtTXGWY0MrtkEcmkUmjv4clxhuTc= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.7 h1:Is2tPmieqGS2edBnmOJIbdvOA6Op+rRpaYR60iBAwXM= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.7/go.mod h1:F1i5V5421EGci570yABvpIXgRIBPb5JM+lSkHF6Dq5w= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.7 h1:UCxq0X9O3xrlENdKf1r9eRJoKz/b0AfGkpp3a7FPlhg= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.7/go.mod h1:rHRoJUNUASj5Z/0eqI4w32vKvC7atoWR0jC+IkmVH8k= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.7 h1:Y6DTZUn7ZUC4th9FMBbo8LVE+1fyq3ofw+tRwkUd3PY= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.7/go.mod h1:x3XE6vMnU9QvHN/Wrx2s44kwzV2o2g5x/siw4ZUJ9g8= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo= github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 h1:Bwzh202Aq7/MYnAjXA9VawCf6u+hjwMdoYmZ4HYsdf8= github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1/go.mod h1:xZzWl9AXYa6zsLLH41HBFW8KRKJRIzlGmvSM0mVMIX4= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 h1:XJ/AEFYj9VFPJdF+VFi4SUPEDfz1akHwxxm07JfZJcs= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2/go.mod h1:JUBHdhvKbbKmhaHjLsKJAWnQL80T6nURmhB/LEprV+4= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 h1:6+lZi2JeGKtCraAj1rpoZfKqnQ9SptseRZioejfUOLM= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0/go.mod h1:eb3gfbVIxIoGgJsi9pGne19dhCBpK6opTYpQqAmdy44= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.4 h1:ueB2Te0NacDMnaC+68za9jLwkjzxGWm0KB5HTUHjLTI= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.4/go.mod 
h1:nLEfLnVMmLvyIG58/6gsSA03F1voKGaCfHV7+lR8S7s= -github.com/aws/aws-sdk-go-v2/service/kms v1.44.2 h1:yTtMSIGWk8KzPDX2pS9k7wNCPKiNWpiJ9DdB2mCAMzo= -github.com/aws/aws-sdk-go-v2/service/kms v1.44.2/go.mod h1:zgkQ8ige7qtxldA4cGtiXdbql3dBo4TfsP6uQyHwq0E= -github.com/aws/aws-sdk-go-v2/service/sso v1.28.2 h1:ve9dYBB8CfJGTFqcQ3ZLAAb/KXWgYlgu/2R2TZL2Ko0= -github.com/aws/aws-sdk-go-v2/service/sso v1.28.2/go.mod h1:n9bTZFZcBa9hGGqVz3i/a6+NG0zmZgtkB9qVVFDqPA8= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.0 h1:Bnr+fXrlrPEoR1MAFrHVsge3M/WoK4n23VNhRM7TPHI= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.0/go.mod h1:eknndR9rU8UpE/OmFpqU78V1EcXPKFTTm5l/buZYgvM= -github.com/aws/aws-sdk-go-v2/service/sts v1.38.0 h1:iV1Ko4Em/lkJIsoKyGfc0nQySi+v0Udxr6Igq+y9JZc= -github.com/aws/aws-sdk-go-v2/service/sts v1.38.0/go.mod h1:bEPcjW7IbolPfK67G1nilqWyoxYMSPrDiIQ3RdIdKgo= -github.com/aws/smithy-go v1.22.5 h1:P9ATCXPMb2mPjYBgueqJNCA5S9UfktsW0tTxi+a7eqw= -github.com/aws/smithy-go v1.22.5/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 h1:oegbebPEMA/1Jny7kvwejowCaHz1FWZAQ94WXFNCyTM= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1/go.mod h1:kemo5Myr9ac0U9JfSjMo9yHLtw+pECEHsFtJ9tqCEI8= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.7 h1:mLgc5QIgOy26qyh5bvW+nDoAppxgn3J2WV3m9ewq7+8= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.7/go.mod h1:wXb/eQnqt8mDQIQTTmcw58B5mYGxzLGZGK8PWNFZ0BA= +github.com/aws/aws-sdk-go-v2/service/kms v1.45.2 h1:8ZT2x7reXVcZ1WTL1ZhbrtHAZ0FDoUckCOfCY3hj1n4= +github.com/aws/aws-sdk-go-v2/service/kms v1.45.2/go.mod h1:EADaLXofJkof++MP9zhzSZ0byBMOZTIRjtJO/ZMuPVE= +github.com/aws/aws-sdk-go-v2/service/sso v1.29.2 h1:rcoTaYOhGE/zfxE1uR6X5fvj+uKkqeCNRE0rBbiQM34= +github.com/aws/aws-sdk-go-v2/service/sso v1.29.2/go.mod h1:Ql6jE9kyyWI5JHn+61UT/Y5Z0oyVJGmgmJbZD5g4unY= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.3 
h1:BSIfeFtU9tlSt8vEYS7KzurMoAuYzYPWhcZiMtxVf2M= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.3/go.mod h1:XclEty74bsGBCr1s0VSaA11hQ4ZidK4viWK7rRfO88I= +github.com/aws/aws-sdk-go-v2/service/sts v1.38.3 h1:yEiZ0ztgji2GsCb/6uQSITXcGdtmWMfLRys0jJFiUkc= +github.com/aws/aws-sdk-go-v2/service/sts v1.38.3/go.mod h1:Z+Gd23v97pX9zK97+tX4ppAgqCt3Z2dIXB02CtBncK8= +github.com/aws/smithy-go v1.23.0 h1:8n6I3gXzWJB2DxBDnfxgBaSX6oe0d/t10qGz7OKqMCE= +github.com/aws/smithy-go v1.23.0/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 h1:6lMw4/QGLFPvbKQ0eri/9Oh3YX5Nm6BPrUlZR8yuJHg= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1/go.mod h1:EVJOSYOVeoD3VFFZ/dWCAzWJp5wZr9lTOCjW8ejAmO0= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= @@ -797,8 +797,8 @@ github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdn github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= -github.com/buildkite/agent/v3 v3.104.0 h1:VLwNHHb5cmOeWp7clutY3Qnz88lfKb8yj+OTWrwDp+o= -github.com/buildkite/agent/v3 v3.104.0/go.mod h1:HPO/Bv8C/aC2wfwVarAgU8LSXjUh/fTa9P3pxuGB+vw= +github.com/buildkite/agent/v3 v3.105.0 h1:aZImNqqC/X+TbdiiGCHPV+01/EwMy38lNEQamZToheA= +github.com/buildkite/agent/v3 v3.105.0/go.mod h1:w0VDF1FpO1oFDJiiK9ZIdEGC34oN6I19OY6oqMQVIGw= github.com/buildkite/go-pipeline v0.15.0 h1:ae/TEXC/4HhajbED2vKcRL5vZTtb9C71cajzwoBlP8s= github.com/buildkite/go-pipeline v0.15.0/go.mod h1:VE37qY3X5pmAKKUMoDZvPsHOQuyakB9cmXj9Qn6QasA= github.com/buildkite/interpolate v0.1.5 h1:v2Ji3voik69UZlbfoqzx+qfcsOKLA61nHdU79VV+tPU= 
@@ -1603,12 +1603,12 @@ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/X go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY= go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8= go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 h1:Ahq7pZmv87yiyn3jeFz/LekZmPLLdKejuO3NcK9MssM= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0/go.mod h1:MJTqhM0im3mRLw1i8uGHnCvUEeS7VwRyxlLC78PA18M= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 h1:EtFWSnwW9hGObjkIdmlnWSydO+Qs8OwzfzXLUPg4xOc= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0/go.mod h1:QjUEoiGCPkvFZ/MjK6ZZfNOS6mfVEVKYE99dFhuN2LI= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0 h1:bDMKF3RUSxshZ5OjOTi8rsHGaPKsAt76FaqgvIUySLc= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0/go.mod h1:dDT67G/IkA46Mr2l9Uj7HsQVwsjASyV9SjGofsiUZDA= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 h1:lwI4Dc5leUqENgGuQImwLo4WnuXFPetmPpkLi2IrX54= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0/go.mod h1:Kz/oCE7z5wuyhPxsXDuaPteSWqjSBD5YaSdbxZYGbGk= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 h1:aTL7F04bJHUlztTsNGJ2l+6he8c+y/b//eR0jjjemT4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0/go.mod h1:kldtb7jDTeol0l3ewcmd8SDvx3EmIE7lyvqbasU3QC4= go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.36.0 h1:rixTyDGXFxRy1xzhKrotaHy3/KXdPhlWARrCgK+eqUY= 
go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.36.0/go.mod h1:dowW6UsM9MKbJq5JTz2AMVp3/5iW5I/TStsk8S+CfHw= go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA= @@ -1622,8 +1622,8 @@ go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42s go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.opentelemetry.io/proto/otlp v0.15.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= -go.opentelemetry.io/proto/otlp v1.7.0 h1:jX1VolD6nHuFzOYso2E73H85i92Mv8JQYk0K9vz09os= -go.opentelemetry.io/proto/otlp v1.7.0/go.mod h1:fSKjH6YJ7HDlwzltzyMj036AJ3ejJLCgCSHGj4efDDo= +go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4= +go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE= go.step.sm/crypto v0.70.0 h1:Q9Ft7N637mucyZcHZd1+0VVQJVwDCKqcb9CYcYi7cds= go.step.sm/crypto v0.70.0/go.mod h1:pzfUhS5/ue7ev64PLlEgXvhx1opwbhFCjkvlhsxVds0= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= 
@@ -2109,8 +2109,8 @@ google.golang.org/api v0.108.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/ google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI= google.golang.org/api v0.111.0/go.mod h1:qtFHvU9mhgTJegR31csQ+rwxyUTHOKFqCKWp1J0fdw0= google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg= -google.golang.org/api v0.248.0 h1:hUotakSkcwGdYUqzCRc5yGYsg4wXxpkKlW5ryVqvC1Y= -google.golang.org/api v0.248.0/go.mod h1:yAFUAF56Li7IuIQbTFoLwXTCI6XCFKueOlS7S9e4F9k= +google.golang.org/api v0.249.0 h1:0VrsWAKzIZi058aeq+I86uIXbNhm9GxSHpbmZ92a38w= +google.golang.org/api v0.249.0/go.mod h1:dGk9qyI0UYPwO/cjt2q06LG/EhUpwZGdAbYF14wHHrQ= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -2252,10 +2252,10 @@ google.golang.org/genproto v0.0.0-20230331144136-dcfb400f0633/go.mod h1:UUQDJDOl google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU= google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4= google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s= -google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c h1:AtEkQdl5b6zsybXcbz00j1LwNodDuH6hVifIaNqk7NQ= -google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c/go.mod h1:ea2MjsO70ssTfCjiwHgI0ZFqcw45Ksuk2ckf9G468GA= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c h1:qXWI/sQtv5UKboZ/zUk7h+mrf/lXORyI+n9DKDAusdg= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c/go.mod h1:gw1tLEfykwDz2ET4a12jcXt4couGAm7IwsVaTy0Sflo= +google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 h1:BIRfGDEjiHRrk0QKZe3Xv2ieMhtgRGeLcZQ0mIVn4EY= +google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5/go.mod h1:j3QtIyytwqGr1JUDtYXwtMXWPKsEa5LtzIFN1Wn5WvE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 h1:eaY8u2EuxbRv7c3NiGK0/NedzVsCcV6hDuU5qPX5EGE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5/go.mod h1:M4/wBTSeyLxupu3W3tJtOgB14jILAS/XWPSSa3TAlJc= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= From 5add8659bb96dafa1d0739af2d143cd5ea3291fb Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 16 Sep 2025 10:42:44 -0700
Subject: [PATCH 066/136] chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4410)
Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.143.3 to 0.144.1.
- [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags)
- [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md)
- [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.143.3...v0.144.1)
---
updated-dependencies:
- dependency-name: gitlab.com/gitlab-org/api/client-go
 dependency-version: 0.144.1
 dependency-type: direct:production
 update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 9507ce3c0f3..be2ca8b4e07 100644
--- a/go.mod
+++ b/go.mod
@@ -52,7 +52,7 @@ require (
 github.com/theupdateframework/go-tuf/v2 v2.1.1
 github.com/transparency-dev/merkle v0.0.2
 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1
- gitlab.com/gitlab-org/api/client-go v0.143.3
+ gitlab.com/gitlab-org/api/client-go v0.144.1
 golang.org/x/crypto v0.42.0
 golang.org/x/oauth2 v0.31.0
 golang.org/x/sync v0.17.0
diff --git a/go.sum b/go.sum
index 1644d8c0f2f..b2f87a8ed30 100644
--- a/go.sum
+++ b/go.sum
@@ -1580,8 +1580,8 @@ github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8u github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI= github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0= github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= -gitlab.com/gitlab-org/api/client-go v0.143.3 h1:4Q4zumLVUnxn/s06RD9U3fyibD1/zr43gTDDtRkjqbA= -gitlab.com/gitlab-org/api/client-go v0.143.3/go.mod h1:rw89Kl9AsKmxRhzkfUSfZ+1jpTewwueKvAYwoYmUoQ8= +gitlab.com/gitlab-org/api/client-go v0.144.1 h1:/3eMNjz5zhKQiEQzFl8a3aZgcCV4/0E5uNM8+lVgdlc= +gitlab.com/gitlab-org/api/client-go v0.144.1/go.mod h1:eABRp++g3IbUP10ZeBIys+9g59dgJnlQLEk8XgKNB54= go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80= go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= From 78538ae058e514eea245197c83a4956b4796c9c5 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 16 Sep 2025 10:43:10 -0700
Subject: [PATCH 067/136] chore(deps): bump the actions group with 2 updates (#4407)
Bumps the actions group with 2 updates: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions).
Updates `sigstore/cosign-installer` from 3.9.2 to 3.10.0
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/d58896d6a1865668819e1d91763c7751a165e159...d7543c93d881b35a8faa02e8e3605f69b7a1ce62)
Updates `chainguard-dev/actions` from 1.4.14 to 1.4.15
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml)
- [Commits](https://github.com/chainguard-dev/actions/compare/f632aec66edeebe245ad686a33a0c0a2160cac31...cd899cc96227b82170571cad1c3d6378d8cba678)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
 dependency-version: 3.10.0
 dependency-type: direct:production
 update-type: version-update:semver-minor
 dependency-group: actions
- dependency-name: chainguard-dev/actions
 dependency-version: 1.4.15
 dependency-type: direct:production
 update-type: version-update:semver-patch
 dependency-group: actions
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/build.yaml | 2 +-
 .github/workflows/donotsubmit.yaml | 2 +-
 .github/workflows/e2e-tests.yml | 4 ++--
 .github/workflows/kind-verify-attestation.yaml | 2 +-
 .github/workflows/tests.yaml | 2 +-
 .github/workflows/whitespace.yaml | 4 ++--
 6 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 2d406df4710..03b369d2100 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -48,7 +48,7 @@ jobs:
 with:
 persist-credentials: false
- - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+ - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
 - name: Extract version of Go to use
 run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV
diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml
index 877d90fc4b9..54de67f3947 100644
--- a/.github/workflows/donotsubmit.yaml
+++ b/.github/workflows/donotsubmit.yaml
@@ -40,4 +40,4 @@ jobs:
 persist-credentials: false
 - name: Do Not Submit
- uses: chainguard-dev/actions/donotsubmit@f632aec66edeebe245ad686a33a0c0a2160cac31 # v1.4.14
+ uses: chainguard-dev/actions/donotsubmit@cd899cc96227b82170571cad1c3d6378d8cba678 # v1.4.15
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index 86450743533..01eb67d3917 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -149,7 +149,7 @@ jobs:
 cache: false
 - name: Setup mirror
- uses: chainguard-dev/actions/setup-mirror@f632aec66edeebe245ad686a33a0c0a2160cac31 # v1.4.14
+ uses: chainguard-dev/actions/setup-mirror@cd899cc96227b82170571cad1c3d6378d8cba678 # v1.4.15
 with:
 mirror: mirror.gcr.io
@@ -239,4 +239,4 @@ jobs:
 - name: Collect diagnostics
 if: ${{ failure() }}
- uses: chainguard-dev/actions/kind-diag@f632aec66edeebe245ad686a33a0c0a2160cac31 # v1.4.14
+ uses: chainguard-dev/actions/kind-diag@cd899cc96227b82170571cad1c3d6378d8cba678 # v1.4.15
diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml
index 7d16e7de890..3efebb2e5aa 100644
--- a/.github/workflows/kind-verify-attestation.yaml
+++ b/.github/workflows/kind-verify-attestation.yaml
@@ -170,7 +170,7 @@ jobs:
 - name: Collect diagnostics
 if: ${{ failure() }}
- uses: chainguard-dev/actions/kind-diag@f632aec66edeebe245ad686a33a0c0a2160cac31 # v1.4.14
+ uses: chainguard-dev/actions/kind-diag@cd899cc96227b82170571cad1c3d6378d8cba678 # v1.4.15
 - name: Create vuln attestation for it
 run: |
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 004209e97a3..9dd32ef16f3 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -184,7 +184,7 @@ jobs:
 - name: Collect diagnostics
 if: ${{ failure() }}
- uses: chainguard-dev/actions/kind-diag@f632aec66edeebe245ad686a33a0c0a2160cac31 # v1.4.14
+ uses: chainguard-dev/actions/kind-diag@cd899cc96227b82170571cad1c3d6378d8cba678 # v1.4.15
 e2e-windows-powershell-tests:
 name: Run PowerShell E2E tests
diff --git a/.github/workflows/whitespace.yaml b/.github/workflows/whitespace.yaml
index 8516623b843..ca0a7a161a6 100644
--- a/.github/workflows/whitespace.yaml
+++ b/.github/workflows/whitespace.yaml
@@ -38,8 +38,8 @@ jobs:
 with:
 persist-credentials: false
- - uses: chainguard-dev/actions/trailing-space@f632aec66edeebe245ad686a33a0c0a2160cac31 # v1.4.14
+ - uses: chainguard-dev/actions/trailing-space@cd899cc96227b82170571cad1c3d6378d8cba678 # v1.4.15
 if: ${{ always() }}
- - uses: chainguard-dev/actions/eof-newline@f632aec66edeebe245ad686a33a0c0a2160cac31 # v1.4.14
+ - uses: chainguard-dev/actions/eof-newline@cd899cc96227b82170571cad1c3d6378d8cba678 # v1.4.15
 if: ${{ always() }}
From 0a1de88dd099d7babaa62de058f21963b54379a7 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 16 Sep 2025 10:44:00 -0700
Subject: [PATCH 068/136] chore(deps): bump github.com/spf13/viper from 1.20.1 to 1.21.0 (#4408)
Bumps [github.com/spf13/viper](https://github.com/spf13/viper) from 1.20.1 to 1.21.0.
- [Release notes](https://github.com/spf13/viper/releases)
- [Commits](https://github.com/spf13/viper/compare/v1.20.1...v1.21.0)
---
updated-dependencies:
- dependency-name: github.com/spf13/viper
 dependency-version: 1.21.0
 dependency-type: direct:production
 update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 10 +++++-----
 go.sum | 20 ++++++++++----------
 2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/go.mod b/go.mod
index be2ca8b4e07..2c52e31fbf0 100644
--- a/go.mod
+++ b/go.mod
@@ -46,7 +46,7 @@ require (
 github.com/sigstore/timestamp-authority v1.2.9
 github.com/spf13/cobra v1.10.1
 github.com/spf13/pflag v1.0.10
- github.com/spf13/viper v1.20.1
+ github.com/spf13/viper v1.21.0
 github.com/spiffe/go-spiffe/v2 v2.6.0
 github.com/stretchr/testify v1.11.1
 github.com/theupdateframework/go-tuf/v2 v2.1.1
@@ -259,16 +259,16 @@ require (
 github.com/rs/cors v1.11.1 // indirect
 github.com/russross/blackfriday/v2 v2.1.0 // indirect
 github.com/ryanuber/go-glob v1.0.0 // indirect
- github.com/sagikazarmark/locafero v0.7.0 // indirect
+ github.com/sagikazarmark/locafero v0.11.0 // indirect
 github.com/sassoftware/relic v7.2.1+incompatible // indirect
 github.com/segmentio/asm v1.2.0 // indirect
 github.com/segmentio/ksuid v1.0.4 // indirect
 github.com/shibumi/go-pathspec v1.3.0 // indirect
 github.com/sirupsen/logrus v1.9.3 // indirect
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
- github.com/sourcegraph/conc v0.3.0 // indirect
- github.com/spf13/afero v1.12.0 // indirect
- github.com/spf13/cast v1.7.1 // indirect
+ github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
+ github.com/spf13/afero v1.15.0 // indirect
+ github.com/spf13/cast v1.10.0 // indirect
 github.com/subosito/gotenv v1.6.0 // indirect
 github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 github.com/tchap/go-patricia/v2 v2.3.3 // indirect
diff --git a/go.sum b/go.sum
index b2f87a8ed30..d9ca31feff3 100644
--- a/go.sum
+++ b/go.sum
@@ -1425,8 +1425,8 @@ github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod h1:6lfF github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245/go.mod h1:pQAZKsJ8yyVxGRWYNEm9oFB8ieLgKFnamEyDmSA0BRk= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= -github.com/sagikazarmark/locafero v0.7.0 h1:5MqpDsTGNDhY8sGp0Aowyf0qKsPrhewaLSsFaodPcyo= -github.com/sagikazarmark/locafero v0.7.0/go.mod h1:2za3Cg5rMaTMoG/2Ulr9AwtFaIppKXTRYnozin4aB5k= +github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDcg+AAIFXc= +github.com/sagikazarmark/locafero v0.11.0/go.mod h1:nVIGvgyzw595SUSUE6tvCp3YYTeHs15MvlmU87WwIik= github.com/sassoftware/relic v7.2.1+incompatible h1:Pwyh1F3I0r4clFJXkSI8bOyJINGqpgjJU3DYAZeI05A= github.com/sassoftware/relic v7.2.1+incompatible/go.mod h1:CWfAxv73/iLZ17rbyhIEq3K9hs5w6FpNMdUT//qR+zk= github.com/sassoftware/relic/v7 v7.6.2 h1:rS44Lbv9G9eXsukknS4mSjIAuuX+lMq/FnStgmZlUv4= 
@@ -1470,23 +1470,23 @@ github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:s github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= github.com/smartystreets/assertions v1.1.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo= github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= -github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo= -github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0= +github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw= +github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4= github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= github.com/spf13/afero v1.9.2/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y= -github.com/spf13/afero v1.12.0 h1:UcOPyRBYczmFn6yvphxkn9ZEOY65cpwGKb5mL36mrqs= -github.com/spf13/afero v1.12.0/go.mod h1:ZTlWwG4/ahT8W7T0WQ5uYmjI9duaLQGy3Q2OAl4sk/4= -github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y= -github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= +github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I= +github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg= +github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY= +github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo= github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s= github.com/spf13/cobra v1.10.1/go.mod 
h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0= github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk= github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4= -github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4= +github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU= +github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY= github.com/spiffe/go-spiffe/v2 v2.6.0 h1:l+DolpxNWYgruGQVV0xsfeya3CsC7m8iBzDnMpsbLuo= github.com/spiffe/go-spiffe/v2 v2.6.0/go.mod h1:gm2SeUoMZEtpnzPNs2Csc0D/gX33k1xIx7lEzqblHEs= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= From 45bda40b8ef48fe4ba95e9c67bd3b390b902ed2d Mon Sep 17 00:00:00 2001 From: Hayden Date: Tue, 16 Sep 2025 17:58:53 -0700 Subject: [PATCH 069/136] Bump sigstore-go for more precise user agents (#4413) * Bump sigstore-go for more precise user agents Ref #4406 Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * go mod tidy Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --------- Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 2c52e31fbf0..89c9ce52d12 100644 --- a/go.mod +++ b/go.mod 
@@ -38,7 +38,7 @@ require ( github.com/sigstore/rekor v1.4.2 github.com/sigstore/rekor-tiles v0.1.11 github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3 - github.com/sigstore/sigstore-go v1.1.2 + github.com/sigstore/sigstore-go v1.1.3-0.20250916175810-070130677531 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5 github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.6-0.20250729224751-181c5d3339b3 diff --git a/go.sum b/go.sum index d9ca31feff3..822656c545b 100644 --- a/go.sum +++ b/go.sum @@ -1451,8 +1451,8 @@ github.com/sigstore/rekor-tiles v0.1.11 h1:0NAJ2EhD1r6DH95FUuDTqUDd+c31LSKzoXGW5 github.com/sigstore/rekor-tiles v0.1.11/go.mod h1:eGIeqASh52pgWpmp/j5KZDjmKdVwob7eTYskVVRCu5k= github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3 h1:IEhSeWfhTd0kaBpHUXniWU2Tl5K5OUACN69mi1WGd+8= github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3/go.mod h1:JuqyPRJYnkNl6OTnQiG503EUnKih4P5EV6FUw+1B0iA= -github.com/sigstore/sigstore-go v1.1.2 h1:VFfqVQvUm3m7uAiqJFK+hDSH3I2rCBYH4l3wIDy+Ozo= -github.com/sigstore/sigstore-go v1.1.2/go.mod h1:mF7i7L6NlKYuUEnbUUxwtKQuz8BxQ7SGEqXDgnysbKc= +github.com/sigstore/sigstore-go v1.1.3-0.20250916175810-070130677531 h1:/faHK1f32POge9iYNJkQcIvnNuPEGj6jFYvanhdNo28= +github.com/sigstore/sigstore-go v1.1.3-0.20250916175810-070130677531/go.mod h1:mF7i7L6NlKYuUEnbUUxwtKQuz8BxQ7SGEqXDgnysbKc= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 h1:qp2VFyKuFQvTGmZwk5Q7m5nE4NwnF9tHwkyz0gtWAck= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5/go.mod h1:DKlQjjr+GsWljEYPycI0Sf8URLCk4EbGA9qYjF47j4g= github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5 h1:CRZcdYn5AOptStsLRAAACudAVmb1qUbhMlzrvm7ju3o= From da0a2f61d4b212e2c70a42a9dafa1bbde23ba12f Mon Sep 17 00:00:00 2001 From: Carlos Tadeu Panato Junior Date: Thu, 18 Sep 2025 23:43:16 +0200 Subject: [PATCH 070/136] bump go builder to use 1.25.1 and cosign (#4417) 
Signed-off-by: Carlos Panato --- .github/workflows/validate-release.yml | 8 ++++---- release/cloudbuild.yaml | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml index 30034621aee..1adbd67092e 100644 --- a/.github/workflows/validate-release.yml +++ b/.github/workflows/validate-release.yml @@ -26,14 +26,14 @@ jobs: check-signature: runs-on: ubuntu-latest container: - image: ghcr.io/sigstore/cosign/cosign:v2.5.3-dev@sha256:fe84ab87222b60d2d87f5efcb8ef3cfd895897c088fbeb973280689c81aedff1 + image: ghcr.io/sigstore/cosign/cosign:v2.6.0-dev@sha256:927acebad5fd845802b560f2a1b2cfa7c7170a5056511d2cae137a5e4fc39a4c steps: - name: Check Signature run: | - cosign verify ghcr.io/gythialy/golang-cross:v1.25.0-0@sha256:eb3b336de68dc8ec74640af10e37c727976a70f0d75042f6584ae1207c1e7c49 \ + cosign verify ghcr.io/gythialy/golang-cross:v1.25.1-0@sha256:037d8941e21d7e33df0388d2be044e7f322dbd61bef42bb504ae15e15eb0eb7d \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ - --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.25.0-0" + --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.25.1-0" env: TUF_ROOT: /tmp @@ -43,7 +43,7 @@ jobs: - check-signature container: - image: ghcr.io/gythialy/golang-cross:v1.25.0-0@sha256:eb3b336de68dc8ec74640af10e37c727976a70f0d75042f6584ae1207c1e7c49 + image: ghcr.io/gythialy/golang-cross:v1.25.1-0@sha256:037d8941e21d7e33df0388d2be044e7f322dbd61bef42bb504ae15e15eb0eb7d volumes: - /usr:/host_usr - /opt:/host_opt diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml index 037247f5a51..c8c755b4587 100644 --- a/release/cloudbuild.yaml +++ b/release/cloudbuild.yaml 
@@ -32,20 +32,20 @@ steps: echo "Checking out ${_GIT_TAG}" git checkout ${_GIT_TAG} - - name: 'ghcr.io/sigstore/cosign/cosign:v2.5.3-dev@sha256:fe84ab87222b60d2d87f5efcb8ef3cfd895897c088fbeb973280689c81aedff1' + - name: 'ghcr.io/sigstore/cosign/cosign:v2.6.0-dev@sha256:927acebad5fd845802b560f2a1b2cfa7c7170a5056511d2cae137a5e4fc39a4c' dir: "go/src/sigstore/cosign" env: - TUF_ROOT=/tmp args: - 'verify' - - 'ghcr.io/gythialy/golang-cross:v1.25.0-0@sha256:eb3b336de68dc8ec74640af10e37c727976a70f0d75042f6584ae1207c1e7c49' + - 'ghcr.io/gythialy/golang-cross:v1.25.1-0@sha256:037d8941e21d7e33df0388d2be044e7f322dbd61bef42bb504ae15e15eb0eb7d' - '--certificate-oidc-issuer' - "https://token.actions.githubusercontent.com" - '--certificate-identity' - - "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.25.0-0" + - "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.25.1-0" # maybe we can build our own image and use that to be more in a safe side - - name: ghcr.io/gythialy/golang-cross:v1.25.0-0@sha256:eb3b336de68dc8ec74640af10e37c727976a70f0d75042f6584ae1207c1e7c49 + - name: ghcr.io/gythialy/golang-cross:v1.25.1-0@sha256:037d8941e21d7e33df0388d2be044e7f322dbd61bef42bb504ae15e15eb0eb7d entrypoint: /bin/sh dir: "go/src/sigstore/cosign" env: @@ -68,7 +68,7 @@ steps: gcloud auth configure-docker \ && make release - - name: ghcr.io/gythialy/golang-cross:v1.25.0-0@sha256:eb3b336de68dc8ec74640af10e37c727976a70f0d75042f6584ae1207c1e7c49 + - name: ghcr.io/gythialy/golang-cross:v1.25.1-0@sha256:037d8941e21d7e33df0388d2be044e7f322dbd61bef42bb504ae15e15eb0eb7d entrypoint: 'bash' dir: "go/src/sigstore/cosign" env: From 40f9e35d8122659b27b934d9fca3b34278d3a3e2 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Sep 2025 08:43:12 +0200 Subject: [PATCH 071/136] chore(deps): bump chainguard-dev/actions in the actions group (#4421) Bumps the actions group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `chainguard-dev/actions` from 1.4.15 to 1.5.1 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](https://github.com/chainguard-dev/actions/compare/cd899cc96227b82170571cad1c3d6378d8cba678...de56c2728beb0a0f371bff2ce2ee4b8afee4b5e8) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.5.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/donotsubmit.yaml | 2 +- .github/workflows/e2e-tests.yml | 4 ++-- .github/workflows/kind-verify-attestation.yaml | 2 +- .github/workflows/tests.yaml | 2 +- .github/workflows/whitespace.yaml | 4 ++-- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml index 54de67f3947..4b4f1e99fcc 100644 --- a/.github/workflows/donotsubmit.yaml +++ b/.github/workflows/donotsubmit.yaml @@ -40,4 +40,4 @@ jobs: persist-credentials: false - name: Do Not Submit - uses: chainguard-dev/actions/donotsubmit@cd899cc96227b82170571cad1c3d6378d8cba678 # v1.4.15 + uses: chainguard-dev/actions/donotsubmit@de56c2728beb0a0f371bff2ce2ee4b8afee4b5e8 # v1.5.1 diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 01eb67d3917..8d7ec76f650 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml 
@@ -149,7 +149,7 @@ jobs: cache: false - name: Setup mirror - uses: chainguard-dev/actions/setup-mirror@cd899cc96227b82170571cad1c3d6378d8cba678 # v1.4.15 + uses: chainguard-dev/actions/setup-mirror@de56c2728beb0a0f371bff2ce2ee4b8afee4b5e8 # v1.5.1 with: mirror: mirror.gcr.io @@ -239,4 +239,4 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@cd899cc96227b82170571cad1c3d6378d8cba678 # v1.4.15 + uses: chainguard-dev/actions/kind-diag@de56c2728beb0a0f371bff2ce2ee4b8afee4b5e8 # v1.5.1 diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml index 3efebb2e5aa..bee5163dbc9 100644 --- a/.github/workflows/kind-verify-attestation.yaml +++ b/.github/workflows/kind-verify-attestation.yaml @@ -170,7 +170,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@cd899cc96227b82170571cad1c3d6378d8cba678 # v1.4.15 + uses: chainguard-dev/actions/kind-diag@de56c2728beb0a0f371bff2ce2ee4b8afee4b5e8 # v1.5.1 - name: Create vuln attestation for it run: | diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 9dd32ef16f3..9611e337ae2 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -184,7 +184,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@cd899cc96227b82170571cad1c3d6378d8cba678 # v1.4.15 + uses: chainguard-dev/actions/kind-diag@de56c2728beb0a0f371bff2ce2ee4b8afee4b5e8 # v1.5.1 e2e-windows-powershell-tests: name: Run PowerShell E2E tests diff --git a/.github/workflows/whitespace.yaml b/.github/workflows/whitespace.yaml index ca0a7a161a6..3db923b8552 100644 --- a/.github/workflows/whitespace.yaml +++ b/.github/workflows/whitespace.yaml 
@@ -38,8 +38,8 @@ jobs: with: persist-credentials: false - - uses: chainguard-dev/actions/trailing-space@cd899cc96227b82170571cad1c3d6378d8cba678 # v1.4.15 + - uses: chainguard-dev/actions/trailing-space@de56c2728beb0a0f371bff2ce2ee4b8afee4b5e8 # v1.5.1 if: ${{ always() }} - - uses: chainguard-dev/actions/eof-newline@cd899cc96227b82170571cad1c3d6378d8cba678 # v1.4.15 + - uses: chainguard-dev/actions/eof-newline@de56c2728beb0a0f371bff2ce2ee4b8afee4b5e8 # v1.5.1 if: ${{ always() }} From aa33f409f2ea9384589bd89d8dac21fc40a50346 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Sep 2025 08:43:38 +0200 Subject: [PATCH 072/136] chore(deps): bump github.com/buildkite/agent/v3 from 3.105.0 to 3.107.0 (#4420) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.105.0 to 3.107.0. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](https://github.com/buildkite/agent/compare/v3.105.0...v3.107.0) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.107.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 89c9ce52d12..ee18ca5856e 100644 --- a/go.mod +++ b/go.mod 
@@ -6,7 +6,7 @@ require ( cuelang.org/go v0.14.1 github.com/ThalesIgnite/crypto11 v1.2.5 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 - github.com/buildkite/agent/v3 v3.105.0 + github.com/buildkite/agent/v3 v3.107.0 github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936 @@ -134,7 +134,7 @@ require ( github.com/aws/smithy-go v1.23.0 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver v3.5.1+incompatible // indirect - github.com/buildkite/go-pipeline v0.15.0 // indirect + github.com/buildkite/go-pipeline v0.16.0 // indirect github.com/buildkite/interpolate v0.1.5 // indirect github.com/buildkite/roko v1.4.0 // indirect github.com/cenkalti/backoff/v4 v4.3.0 // indirect @@ -308,7 +308,7 @@ require ( go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect golang.org/x/mod v0.28.0 // indirect - golang.org/x/net v0.43.0 // indirect + golang.org/x/net v0.44.0 // indirect golang.org/x/sys v0.36.0 // indirect golang.org/x/text v0.29.0 // indirect golang.org/x/time v0.12.0 // indirect diff --git a/go.sum b/go.sum index 822656c545b..4e5b6f27226 100644 --- a/go.sum +++ b/go.sum 
@@ -797,10 +797,10 @@ github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdn github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= -github.com/buildkite/agent/v3 v3.105.0 h1:aZImNqqC/X+TbdiiGCHPV+01/EwMy38lNEQamZToheA= -github.com/buildkite/agent/v3 v3.105.0/go.mod h1:w0VDF1FpO1oFDJiiK9ZIdEGC34oN6I19OY6oqMQVIGw= -github.com/buildkite/go-pipeline v0.15.0 h1:ae/TEXC/4HhajbED2vKcRL5vZTtb9C71cajzwoBlP8s= -github.com/buildkite/go-pipeline v0.15.0/go.mod h1:VE37qY3X5pmAKKUMoDZvPsHOQuyakB9cmXj9Qn6QasA= +github.com/buildkite/agent/v3 v3.107.0 h1:qZRP5SxlhngI0RpfuIAF7ikZUrx1aZ2FwqWv1Y59Brk= +github.com/buildkite/agent/v3 v3.107.0/go.mod h1:K/ooiPwl4JvSSyOvI710R9oY8uNHQtKZKqCnxC5fOog= +github.com/buildkite/go-pipeline v0.16.0 h1:wEgWUMRAgSg1ZnWOoA3AovtYYdTvN0dLY1zwUWmPP+4= +github.com/buildkite/go-pipeline v0.16.0/go.mod h1:VE37qY3X5pmAKKUMoDZvPsHOQuyakB9cmXj9Qn6QasA= github.com/buildkite/interpolate v0.1.5 h1:v2Ji3voik69UZlbfoqzx+qfcsOKLA61nHdU79VV+tPU= github.com/buildkite/interpolate v0.1.5/go.mod h1:dHnrwHew5O8VNOAgMDpwRlFnhL5VSN6M1bHVmRZ9Ccc= github.com/buildkite/roko v1.4.0 h1:DxixoCdpNqxu4/1lXrXbfsKbJSd7r1qoxtef/TT2J80= 
@@ -1781,8 +1781,8 @@ golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= -golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE= -golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg= +golang.org/x/net v0.44.0 h1:evd8IRDyfNBMBTTY5XRF1vaZlD+EmWx6x8PkhR04H/I= +golang.org/x/net v0.44.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= From 0d33bbcb75fb2d08d85a3db201ab6c50c51b66de Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Sep 2025 08:44:00 +0200 Subject: [PATCH 073/136] chore(deps): bump github.com/theupdateframework/go-tuf/v2 (#4418) Bumps [github.com/theupdateframework/go-tuf/v2](https://github.com/theupdateframework/go-tuf) from 2.1.1 to 2.2.0. - [Release notes](https://github.com/theupdateframework/go-tuf/releases) - [Changelog](https://github.com/theupdateframework/go-tuf/blob/master/.goreleaser.yaml) - [Commits](https://github.com/theupdateframework/go-tuf/compare/v2.1.1...v2.2.0) --- updated-dependencies: - dependency-name: github.com/theupdateframework/go-tuf/v2 dependency-version: 2.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index ee18ca5856e..50ef1ec5f3a 100644 --- a/go.mod +++ b/go.mod @@ -49,7 +49,7 @@ require ( github.com/spf13/viper v1.21.0 github.com/spiffe/go-spiffe/v2 v2.6.0 github.com/stretchr/testify v1.11.1 - github.com/theupdateframework/go-tuf/v2 v2.1.1 + github.com/theupdateframework/go-tuf/v2 v2.2.0 github.com/transparency-dev/merkle v0.0.2 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 gitlab.com/gitlab-org/api/client-go v0.144.1 diff --git a/go.sum b/go.sum index 4e5b6f27226..75f2f4280ee 100644 --- a/go.sum +++ b/go.sum @@ -1519,8 +1519,8 @@ github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gt github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU= github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI= github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug= -github.com/theupdateframework/go-tuf/v2 v2.1.1 h1:OWcoHItwsGO+7m0wLa7FDWPR4oB1cj0zOr1kosE4G+I= -github.com/theupdateframework/go-tuf/v2 v2.1.1/go.mod h1:V675cQGhZONR0OGQ8r1feO0uwtsTBYPDWHzAAPn5rjE= +github.com/theupdateframework/go-tuf/v2 v2.2.0 h1:Hmb+Azgd7IKOZeNJFT2C91y+YZ+F+TeloSIvQIaXCQw= +github.com/theupdateframework/go-tuf/v2 v2.2.0/go.mod h1:CubcJiJlBHQ2YkA5j9hlBO4B+tHFlLjRbWCJCT7EIKU= github.com/tink-crypto/tink-go-awskms/v2 v2.1.0 h1:N9UxlsOzu5mttdjhxkDLbzwtEecuXmlxZVo/ds7JKJI= github.com/tink-crypto/tink-go-awskms/v2 v2.1.0/go.mod h1:PxSp9GlOkKL9rlybW804uspnHuO9nbD98V/fDX4uSis= github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0 h1:3B9i6XBXNTRspfkTC0asN5W0K6GhOSgcujNiECNRNb0= From f7506870aeaa52c99a13d21035970153405a666b Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Sep 2025 08:44:24 +0200 Subject: [PATCH 074/136] chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4419) Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.144.1 to 0.147.1. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.144.1...v0.147.1) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.147.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 50ef1ec5f3a..5bddcbc00a9 100644 --- a/go.mod +++ b/go.mod @@ -52,7 +52,7 @@ require ( github.com/theupdateframework/go-tuf/v2 v2.2.0 github.com/transparency-dev/merkle v0.0.2 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 - gitlab.com/gitlab-org/api/client-go v0.144.1 + gitlab.com/gitlab-org/api/client-go v0.147.1 golang.org/x/crypto v0.42.0 golang.org/x/oauth2 v0.31.0 golang.org/x/sync v0.17.0 diff --git a/go.sum b/go.sum index 75f2f4280ee..1fe10de50b2 100644 --- a/go.sum +++ b/go.sum 
@@ -1580,8 +1580,8 @@ github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8u github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI= github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0= github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= -gitlab.com/gitlab-org/api/client-go v0.144.1 h1:/3eMNjz5zhKQiEQzFl8a3aZgcCV4/0E5uNM8+lVgdlc= -gitlab.com/gitlab-org/api/client-go v0.144.1/go.mod h1:eABRp++g3IbUP10ZeBIys+9g59dgJnlQLEk8XgKNB54= +gitlab.com/gitlab-org/api/client-go v0.147.1 h1:I6SqcetiBg/rfhK05CFdNS61YFsdiZBjIuzXqNY8BAk= +gitlab.com/gitlab-org/api/client-go v0.147.1/go.mod h1:9Y5ivg3xj5KJ+TAyRmNSiQtpkoqKsHLRRlLKpgXNJ+Q= go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80= go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= From 8d756cf2bdb40a2ca4cceb34b6904ba593df0c8b Mon Sep 17 00:00:00 2001 From: Zach Steindler Date: Thu, 25 Sep 2025 09:03:26 -0400 Subject: [PATCH 075/136] Partially populate the output of cosign verify when working with new bundles (#4416) * Implement container image context in verify command * Use conformance on main for now (waiting for new release) --------- Signed-off-by: Zach Steindler --- .github/workflows/conformance.yml | 2 +- cmd/cosign/cli/verify/verify.go | 61 ++++++++++++++++++++++++++++ cmd/cosign/cli/verify/verify_test.go | 49 ++++++++++++++++++++++ 3 files changed, 111 insertions(+), 1 deletion(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index f884b8a3c8d..3671d7639fe 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml 
@@ -44,6 +44,6 @@ jobs:
 - run: make cosign conformance
- - uses: sigstore/sigstore-conformance@1d8b0cdd88fa7fb5a8510e51faf6ccad8c96f10a # v0.0.20
+ - uses: sigstore/sigstore-conformance@main
 with:
 entrypoint: ${{ github.workspace }}/conformance
diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
index aef668a2270..86b714df371 100644
--- a/cmd/cosign/cli/verify/verify.go
+++ b/cmd/cosign/cli/verify/verify.go
@@ -29,6 +29,7 @@ import (
 "path/filepath"
 "github.com/google/go-containerregistry/pkg/name"
+ "github.com/in-toto/in-toto-golang/in_toto"
 "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"
 "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
 "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
@@ -41,7 +42,9 @@ import (
 "github.com/sigstore/cosign/v2/pkg/cosign/pivkey"
 "github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key"
 "github.com/sigstore/cosign/v2/pkg/oci"
+ "github.com/sigstore/cosign/v2/pkg/oci/static"
 sigs "github.com/sigstore/cosign/v2/pkg/signature"
+ "github.com/sigstore/protobuf-specs/gen/pb-go/dsse"
 "github.com/sigstore/sigstore-go/pkg/root"
 "github.com/sigstore/sigstore/pkg/cryptoutils"
 "github.com/sigstore/sigstore/pkg/signature"
@@ -355,6 +358,11 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 if err != nil {
 return err
 }
+
+ verifiedOutput, err := transformOutput(verified, ref.Name())
+ if err == nil {
+ verified = verifiedOutput
+ }
 } else {
 ref, err = sign.GetAttachedImageRef(ref, c.Attachment, ociremoteOpts...)
 if err != nil {
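Review bot: `uses: sigstore/sigstore-conformance@main` replaces a commit-pinned action with a mutable branch reference, so this job now runs whatever `main` holds at execution time rather than a reviewed revision. The rest of this series pins third-party actions to a full SHA with a version comment (the chainguard-dev bumps above), and the same is possible here by pinning the specific `main` commit that carries the needed signing-config change, e.g. `- uses: sigstore/sigstore-conformance@<COMMIT_SHA> # main, pending release`. Patch 077 later in the series re-pins to `244638a7a138ae9f6106cfe2d44a698eccd3bef7 # v0.0.21`, so the exposure is temporary but avoidable.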
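Review bot: `if err == nil { verified = verifiedOutput }` discards the error from `transformOutput` silently, so an attestation whose envelope or statement cannot be parsed falls back to printing the untransformed signatures with no hint of why. If the fallback is intentional, say so at the call site, e.g. `// Best effort: fall back to the raw verified signatures when the payload cannot be rendered as a SimpleContainerImage.`; otherwise surface the error through the command's existing warning output. The `:=` also shadows Exec's named return `err` inside this `if` block, which the shadow analyzer flags even though both outcomes are handled locally. Exec's body begins and ends outside the hunk.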
@@ -644,3 +652,56 @@ func loadCertsKeylessVerification(certChainFile string,
 return nil
 }
+
+func transformOutput(verified []oci.Signature, name string) (verifiedOutput []oci.Signature, err error) {
+ for _, v := range verified {
+ dssePayload, err := v.Payload()
+ if err != nil {
+ return nil, err
+ }
+ var dsseEnvelope dsse.Envelope
+ err = json.Unmarshal(dssePayload, &dsseEnvelope)
+ if err != nil {
+ return nil, err
+ }
+ if dsseEnvelope.PayloadType != in_toto.PayloadType {
+ return nil, fmt.Errorf("unable to understand payload type %s", dsseEnvelope.PayloadType)
+ }
+ var intotoStatement in_toto.StatementHeader
+ err = json.Unmarshal(dsseEnvelope.Payload, &intotoStatement)
+ if err != nil {
+ return nil, err
+ }
+ if len(intotoStatement.Subject) < 1 || len(intotoStatement.Subject[0].Digest) < 1 {
+ return nil, fmt.Errorf("no intoto subject or digest found")
+ }
+
+ var digest string
+ for k, v := range intotoStatement.Subject[0].Digest {
+ digest = k + ":" + v
+ }
+
+ sci := payload.SimpleContainerImage{
+ Critical: payload.Critical{
+ Identity: payload.Identity{
+ DockerReference: name,
+ },
+ Image: payload.Image{
+ DockerManifestDigest: digest,
+ },
+ Type: intotoStatement.PredicateType,
+ },
+ }
+ p, err := json.Marshal(sci)
+ if err != nil {
+ return nil, err
+ }
+ att, err := static.NewAttestation(p)
+ if err != nil {
+ return nil, err
+ }
+ verifiedOutput = append(verifiedOutput, att)
+ }
+
+ return verifiedOutput, nil
+}
diff --git a/cmd/cosign/cli/verify/verify_test.go b/cmd/cosign/cli/verify/verify_test.go
index c253533bef5..8b44df1f107 100644
--- a/cmd/cosign/cli/verify/verify_test.go
+++ b/cmd/cosign/cli/verify/verify_test.go
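Review bot: The digest loop `for k, v := range intotoStatement.Subject[0].Digest { digest = k + ":" + v }` keeps whichever map entry ranges last, so a subject carrying more than one digest algorithm (sha256 plus sha512, say) yields a different `DockerManifestDigest` from run to run, and the inner `v` shadows the outer loop's `v`; preferring sha256 and otherwise taking the lexically smallest algorithm makes the output deterministic, as below. Only `Subject[0]` is rendered and any further subjects are dropped without notice, and no comparison of this digest against the resolved image is visible in the hunk, so a comment such as `// Only the first subject is rendered; callers must already have matched the statement against the image digest.` would make that contract explicit. The error at the `PayloadType` check formats an attestation-supplied value with `%s`; `%q` keeps an empty or whitespace payload type visible in the message.
```go
// … unchanged: envelope and statement parsing, subject/digest presence check …
// Map iteration order is random: prefer sha256, otherwise take the
// lexically smallest algorithm so the rendered digest is deterministic.
digests := intotoStatement.Subject[0].Digest
alg := ""
for k := range digests {
	if k == "sha256" {
		alg = k
		break
	}
	if alg == "" || k < alg {
		alg = k
	}
}
digest := alg + ":" + digests[alg]
// … unchanged: SimpleContainerImage construction and static.NewAttestation …
```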
@@ -346,3 +346,52 @@ func TestLoadCertsKeylessVerification(t *testing.T) {
 })
 }
 }
+func TestTransformOutputSuccess(t *testing.T) {
+ // Build minimal in-toto statement
+ stmt := `{
+ "_type": "https://in-toto.io/Statement/v0.1",
+ "subject": [
+ { "name": "artifact", "digest": { "sha256": "deadbeef" } }
+ ],
+ "predicateType": "https://slsa.dev/provenance/v0.2"
+ }`
+ // DSSE payloadType for in-toto
+ payloadType := "application/vnd.in-toto+json"
+ encodedStmt := base64.StdEncoding.EncodeToString([]byte(stmt))
+ dsseEnv := fmt.Sprintf(`{
+ "payloadType": "%s",
+ "payload": "%s",
+ "signatures": [
+ { "keyid": "test", "sig": "MAo=" }
+ ]
+ }`, payloadType, encodedStmt)
+
+ sig, err := static.NewSignature([]byte(dsseEnv), "")
+ if err != nil {
+ t.Fatalf("creating static signature: %v", err)
+ }
+ fmt.Println(dsseEnv)
+
+ name := "example.com/my/image"
+ out, err := transformOutput([]oci.Signature{sig}, name)
+ if err != nil {
+ t.Fatalf("transformOutput returned error: %v", err)
+ }
+ if len(out) != 1 {
+ t.Fatalf("expected 1 transformed signature, got %d", len(out))
+ }
+
+ payloadBytes, err := out[0].Payload()
+ if err != nil {
+ t.Fatalf("reading transformed payload: %v", err)
+ }
+
+ var sci payload.SimpleContainerImage
+ if err := json.Unmarshal(payloadBytes, &sci); err != nil {
+ t.Fatalf("unmarshal transformed payload: %v", err)
+ }
+
+ assert.Equal(t, name, sci.Critical.Identity.DockerReference, "docker reference mismatch")
+ assert.Equal(t, "sha256:deadbeef", sci.Critical.Image.DockerManifestDigest, "digest mismatch")
+ assert.Equal(t, "https://slsa.dev/provenance/v0.2", sci.Critical.Type, "type mismatch")
+}
From dfc71f9ff65c9fe30ecb3095a144722722d73ac8 Mon Sep 17 00:00:00 2001 From: Hayden Date: Fri, 26 Sep 2025 09:31:34 -0700 Subject: [PATCH 076/136] Bump sigstore-go to v1.1.3 (#4423) Picks up a change to user agents when signing with sigstore-go
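Review bot: `fmt.Println(dsseEnv)` after the `static.NewSignature` check is a leftover debug print that clutters `go test -v` output and should be dropped. The fixture's single `sha256` entry also leaves the multi-digest path of transformOutput untested; a second case whose subject carries two digest entries would pin which algorithm ends up in `DockerManifestDigest`. A blank line between the preceding test's closing `}` and `func TestTransformOutputSuccess` is the usual separation between top-level declarations.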
Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 5bddcbc00a9..233fce169c9 100644 --- a/go.mod +++ b/go.mod @@ -38,7 +38,7 @@ require ( github.com/sigstore/rekor v1.4.2 github.com/sigstore/rekor-tiles v0.1.11 github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3 - github.com/sigstore/sigstore-go v1.1.3-0.20250916175810-070130677531 + github.com/sigstore/sigstore-go v1.1.3 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5 github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.6-0.20250729224751-181c5d3339b3 diff --git a/go.sum b/go.sum index 1fe10de50b2..43162ebd12c 100644 --- a/go.sum +++ b/go.sum 
@@ -1451,8 +1451,8 @@ github.com/sigstore/rekor-tiles v0.1.11 h1:0NAJ2EhD1r6DH95FUuDTqUDd+c31LSKzoXGW5 github.com/sigstore/rekor-tiles v0.1.11/go.mod h1:eGIeqASh52pgWpmp/j5KZDjmKdVwob7eTYskVVRCu5k= github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3 h1:IEhSeWfhTd0kaBpHUXniWU2Tl5K5OUACN69mi1WGd+8= github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3/go.mod h1:JuqyPRJYnkNl6OTnQiG503EUnKih4P5EV6FUw+1B0iA= -github.com/sigstore/sigstore-go v1.1.3-0.20250916175810-070130677531 h1:/faHK1f32POge9iYNJkQcIvnNuPEGj6jFYvanhdNo28= -github.com/sigstore/sigstore-go v1.1.3-0.20250916175810-070130677531/go.mod h1:mF7i7L6NlKYuUEnbUUxwtKQuz8BxQ7SGEqXDgnysbKc= +github.com/sigstore/sigstore-go v1.1.3 h1:5lKcbXZa5JC7wb/UVywyCulccfYTUju1D5h4tkn+fXE= +github.com/sigstore/sigstore-go v1.1.3/go.mod h1:3jKC4IDh7TEVtCSJCjx0lpq5YfJbDJmfp65WsMvY2mg= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 h1:qp2VFyKuFQvTGmZwk5Q7m5nE4NwnF9tHwkyz0gtWAck= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5/go.mod h1:DKlQjjr+GsWljEYPycI0Sf8URLCk4EbGA9qYjF47j4g= github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5 h1:CRZcdYn5AOptStsLRAAACudAVmb1qUbhMlzrvm7ju3o= From 870b27d23d9df74b9d2fca891fa6bdc9aa7dbbf9 Mon Sep 17 00:00:00 2001 From: Hayden Date: Fri, 26 Sep 2025 09:57:44 -0700 Subject: [PATCH 077/136] Move sigstore-conformance back to tagged release (#4425) 0.0.21 updates the signing config, making the tests work against staging again. Signed-off-by: Hayden --- .github/workflows/conformance.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 3671d7639fe..a3e47c1af95 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml 
@@ -44,6 +44,6 @@ jobs:
 - run: make cosign conformance
- - uses: sigstore/sigstore-conformance@main
+ - uses: sigstore/sigstore-conformance@244638a7a138ae9f6106cfe2d44a698eccd3bef7 # v0.0.21
 with:
 entrypoint: ${{ github.workspace }}/conformance

From 8e3a787545efe51066c253d87900cac40f54828d Mon Sep 17 00:00:00 2001
From: Hayden
Date: Fri, 26 Sep 2025 13:31:26 -0700
Subject: [PATCH 078/136] Bump module version to v3 for Cosign v3.0 (#4427)
Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --- .github/workflows/golangci-lint.yml | 2 +- .golangci.yml | 4 +- Makefile | 8 +-- cmd/cosign/cli/attach.go | 4 +- cmd/cosign/cli/attach/attach.go | 12 ++--- cmd/cosign/cli/attach/sbom.go | 10 ++-- cmd/cosign/cli/attach/sig.go | 12 ++--- cmd/cosign/cli/attest.go | 12 ++--- cmd/cosign/cli/attest/attest.go | 32 ++++++------ cmd/cosign/cli/attest/attest_blob.go | 24 ++++----- cmd/cosign/cli/attest/attest_blob_test.go | 8 +-- cmd/cosign/cli/attest_blob.go | 12 ++--- cmd/cosign/cli/bundle.go | 4 +- cmd/cosign/cli/bundle/bundle.go | 16 +++--- cmd/cosign/cli/bundle/bundle_test.go | 4 +- cmd/cosign/cli/clean.go | 6 +-- cmd/cosign/cli/commands.go | 4 +- cmd/cosign/cli/copy.go | 4 +- cmd/cosign/cli/copy/copy.go | 10 ++-- cmd/cosign/cli/copy/copy_test.go | 4 +- cmd/cosign/cli/debug.go | 2 +- cmd/cosign/cli/debug/provider.go | 2 +- cmd/cosign/cli/dockerfile.go | 6 +-- cmd/cosign/cli/dockerfile/verify.go | 4 +- cmd/cosign/cli/download.go | 4 +- cmd/cosign/cli/download/attestation.go | 8 +-- cmd/cosign/cli/download/sbom.go | 8 +-- cmd/cosign/cli/download/signature.go | 4 +- cmd/cosign/cli/env.go | 4 +- cmd/cosign/cli/env_test.go | 2 +- cmd/cosign/cli/fulcio/depcheck_test.go | 2 +- cmd/cosign/cli/fulcio/fulcio.go | 6 +-- cmd/cosign/cli/fulcio/fulcio_test.go | 6 +-- .../fulcio/fulcioverifier/fulcioverifier.go | 8 +-- .../fulcioverifier/fulcioverifier_test.go | 6 +-- cmd/cosign/cli/generate.go | 4 +- cmd/cosign/cli/generate/generate.go | 4 +- cmd/cosign/cli/generate/generate_key_pair.go | 18 +++---- .../cli/generate/generate_key_pair_test.go | 2 +- cmd/cosign/cli/generate_key_pair.go | 4 +- cmd/cosign/cli/import_key_pair.go | 4 +- .../cli/importkeypair/import_key_pair.go | 10 ++-- .../cli/importkeypair/import_key_pair_test.go | 4 +- cmd/cosign/cli/initialize.go | 4 +- cmd/cosign/cli/initialize/init.go | 8 +-- cmd/cosign/cli/load.go | 6 
+-- cmd/cosign/cli/manifest.go | 6 +-- cmd/cosign/cli/manifest/verify.go | 2 +- cmd/cosign/cli/options/annotations.go | 2 +- cmd/cosign/cli/options/annotations_test.go | 2 +- cmd/cosign/cli/options/attach.go | 2 +- cmd/cosign/cli/options/certificate.go | 2 +- cmd/cosign/cli/options/experimental.go | 2 +- cmd/cosign/cli/options/files.go | 2 +- cmd/cosign/cli/options/key.go | 4 +- cmd/cosign/cli/options/pkcs11_tool.go | 2 +- cmd/cosign/cli/options/predicate.go | 2 +- cmd/cosign/cli/options/registry.go | 2 +- cmd/cosign/cli/options/verify.go | 2 +- cmd/cosign/cli/piv_tool.go | 4 +- cmd/cosign/cli/pivcli/commands.go | 2 +- cmd/cosign/cli/pkcs11_tool.go | 4 +- cmd/cosign/cli/pkcs11cli/commands.go | 4 +- cmd/cosign/cli/public_key.go | 6 +-- cmd/cosign/cli/publickey/public_key.go | 10 ++-- cmd/cosign/cli/publickey/public_key_test.go | 2 +- cmd/cosign/cli/rekor/rekor.go | 2 +- cmd/cosign/cli/rekor/rekor_test.go | 2 +- cmd/cosign/cli/save.go | 8 +-- cmd/cosign/cli/sign.go | 12 ++--- cmd/cosign/cli/sign/sign.go | 52 +++++++++---------- cmd/cosign/cli/sign/sign_blob.go | 20 +++---- cmd/cosign/cli/sign/sign_blob_test.go | 4 +- cmd/cosign/cli/sign/sign_test.go | 10 ++-- cmd/cosign/cli/signblob.go | 12 ++--- cmd/cosign/cli/signingconfig.go | 4 +- cmd/cosign/cli/templates/templater.go | 2 +- cmd/cosign/cli/tree.go | 4 +- cmd/cosign/cli/triangulate.go | 4 +- cmd/cosign/cli/triangulate/triangulate.go | 6 +-- cmd/cosign/cli/trustedroot.go | 4 +- cmd/cosign/cli/trustedroot/trustedroot.go | 2 +- cmd/cosign/cli/upload.go | 4 +- cmd/cosign/cli/upload/blob.go | 4 +- cmd/cosign/cli/upload/wasm.go | 6 +-- cmd/cosign/cli/verify.go | 6 +-- cmd/cosign/cli/verify/verify.go | 28 +++++----- cmd/cosign/cli/verify/verify_attestation.go | 26 +++++----- .../cli/verify/verify_attestation_test.go | 2 +- cmd/cosign/cli/verify/verify_blob.go | 22 ++++---- .../cli/verify/verify_blob_attestation.go | 28 +++++----- .../verify/verify_blob_attestation_test.go | 4 +- cmd/cosign/cli/verify/verify_blob_test.go 
| 14 ++--- cmd/cosign/cli/verify/verify_bundle.go | 2 +- cmd/cosign/cli/verify/verify_test.go | 14 ++--- cmd/cosign/errors/exit_code_lookup.go | 2 +- cmd/cosign/errors/exit_code_lookup_test.go | 2 +- cmd/cosign/main.go | 6 +-- cmd/help/main.go | 6 +-- go.mod | 2 +- internal/auth/auth.go | 6 +-- internal/auth/auth_test.go | 2 +- internal/key/svkeypair.go | 2 +- internal/pkg/cosign/dsse.go | 2 +- internal/pkg/cosign/ephemeral/signer.go | 8 +-- .../cosign/fulcio/fulcioroots/fulcioroots.go | 2 +- .../fulcio/fulcioroots/fulcioroots_test.go | 2 +- internal/pkg/cosign/fulcio/signer.go | 6 +-- internal/pkg/cosign/fulcio/signer_test.go | 4 +- internal/pkg/cosign/payload/attestor.go | 8 +-- internal/pkg/cosign/payload/attestor_test.go | 2 +- internal/pkg/cosign/payload/signer.go | 6 +-- internal/pkg/cosign/payload/signer_test.go | 2 +- internal/pkg/cosign/payload/size/size.go | 2 +- internal/pkg/cosign/rekor/signer.go | 10 ++-- internal/pkg/cosign/rekor/signer_test.go | 6 +-- internal/pkg/cosign/sign.go | 2 +- .../pkg/cosign/tsa/mock/mock_tsa_client.go | 2 +- internal/pkg/cosign/tsa/signer.go | 10 ++-- internal/pkg/cosign/tsa/signer_test.go | 6 +-- internal/pkg/cosign/tsa/utils_test.go | 2 +- internal/ui/log_test.go | 2 +- internal/ui/prompt_test.go | 2 +- pkg/cosign/bundle/sign.go | 2 +- pkg/cosign/ctlog.go | 2 +- pkg/cosign/fetch.go | 6 +-- pkg/cosign/fuzz_test.go | 2 +- pkg/cosign/git/git.go | 6 +-- pkg/cosign/git/github/github.go | 4 +- pkg/cosign/git/gitlab/gitlab.go | 6 +-- pkg/cosign/keys.go | 2 +- pkg/cosign/kubernetes/secret.go | 2 +- pkg/cosign/kubernetes/secret_test.go | 2 +- pkg/cosign/obsolete.go | 2 +- pkg/cosign/obsolete_test.go | 2 +- pkg/cosign/pkcs11key/pkcs11key.go | 2 +- pkg/cosign/pkcs11key/util.go | 2 +- pkg/cosign/remote/index.go | 2 +- pkg/cosign/remote/remote.go | 6 +-- pkg/cosign/tlog.go | 6 +-- pkg/cosign/tsa.go | 2 +- pkg/cosign/tuf.go | 2 +- pkg/cosign/verifiers.go | 2 +- pkg/cosign/verifiers_test.go | 2 +- pkg/cosign/verify.go | 20 +++---- 
pkg/cosign/verify_bundle_test.go | 2 +- pkg/cosign/verify_oci_test.go | 2 +- pkg/cosign/verify_sct.go | 2 +- pkg/cosign/verify_test.go | 18 +++---- pkg/oci/empty/empty.go | 2 +- pkg/oci/empty/empty_test.go | 2 +- pkg/oci/empty/signed.go | 2 +- pkg/oci/internal/signature/layer.go | 6 +-- pkg/oci/internal/signature/layer_test.go | 2 +- pkg/oci/layout/index.go | 4 +- pkg/oci/layout/signatures.go | 4 +- pkg/oci/layout/write.go | 2 +- pkg/oci/layout/write_test.go | 10 ++-- pkg/oci/mediatypes.go | 2 +- pkg/oci/mutate/map.go | 2 +- pkg/oci/mutate/map_test.go | 4 +- pkg/oci/mutate/mutate.go | 6 +-- pkg/oci/mutate/mutate_test.go | 6 +-- pkg/oci/mutate/options.go | 4 +- pkg/oci/mutate/signature.go | 6 +-- pkg/oci/mutate/signature_test.go | 6 +-- pkg/oci/mutate/signatures.go | 6 +-- pkg/oci/mutate/signatures_test.go | 6 +-- pkg/oci/platform/platform.go | 2 +- pkg/oci/remote/image.go | 2 +- pkg/oci/remote/index.go | 2 +- pkg/oci/remote/index_test.go | 2 +- pkg/oci/remote/options.go | 2 +- pkg/oci/remote/remote.go | 6 +-- pkg/oci/remote/signatures.go | 6 +-- pkg/oci/remote/unknown.go | 2 +- pkg/oci/remote/write.go | 6 +-- pkg/oci/remote/write_test.go | 8 +-- pkg/oci/signature/layer.go | 6 +-- pkg/oci/signature/layer_test.go | 2 +- pkg/oci/signatures.go | 2 +- pkg/oci/signed/image.go | 4 +- pkg/oci/signed/index.go | 4 +- pkg/oci/signed/index_test.go | 2 +- pkg/oci/static/file.go | 8 +-- pkg/oci/static/options.go | 4 +- pkg/oci/static/options_test.go | 4 +- pkg/oci/static/signature.go | 4 +- pkg/oci/static/signature_test.go | 2 +- pkg/oci/walk/walk.go | 4 +- pkg/oci/walk/walk_test.go | 4 +- pkg/policy/attestation.go | 6 +-- pkg/policy/attestation_test.go | 8 +-- pkg/policy/eval.go | 2 +- pkg/providers/all/all.go | 14 ++--- pkg/providers/buildkite/buildkite.go | 4 +- pkg/providers/envvar/env.go | 4 +- pkg/providers/envvar/env_test.go | 2 +- pkg/providers/filesystem/filesystem.go | 2 +- pkg/providers/github/github.go | 4 +- pkg/providers/google/google.go | 4 +- 
pkg/providers/spiffe/spiffe.go | 4 +- pkg/signature/keys.go | 12 ++--- pkg/signature/keys_test.go | 4 +- test/config/gettoken/gettoken.yaml | 2 +- test/e2e_attach_test.go | 22 ++++---- test/e2e_insecure_registry_test.go | 10 ++-- test/e2e_kms_test.go | 8 +-- test/e2e_test.go | 48 ++++++++--------- test/e2e_test_pkcs11.sh | 2 +- test/e2e_tsa_test.go | 10 ++-- test/fuzz/oss_fuzz_build.sh | 12 ++--- test/helpers.go | 12 ++--- test/piv_test.go | 2 +- test/pkcs11_test.go | 4 +- 215 files changed, 649 insertions(+), 649 deletions(-)

diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index a5c358403bb..720581ebbde 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -47,7 +47,7 @@ jobs:
 - name: golangci-lint
 uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
 with:
- version: v2.4
+ version: v2.5
 golangci-test-e2e:
 name: lint-test-e2e
diff --git a/.golangci.yml b/.golangci.yml
index f6b550d9520..8d91818665a 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -51,8 +51,8 @@ linters:
 settings:
 printf:
 funcs:
- - github.com/sigstore/cosign/v2/internal/ui.Infof
- - github.com/sigstore/cosign/v2/internal/ui.Warnf
+ - github.com/sigstore/cosign/v3/internal/ui.Infof
+ - github.com/sigstore/cosign/v3/internal/ui.Warnf
 exclusions:
 generated: lax
 presets:
diff --git a/Makefile b/Makefile
index 92b2171e3b9..53ded438b33 100644
--- a/Makefile
+++ b/Makefile
@@ -171,7 +171,7 @@ ko-cosign:
 KOCACHE=$(KOCACHE_PATH) ko build --base-import-paths \
 --platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \
 $(ARTIFACT_HUB_LABELS) --image-refs cosignImagerefs \
- github.com/sigstore/cosign/v2/cmd/cosign
+ github.com/sigstore/cosign/v3/cmd/cosign
 .PHONY: ko-cosign-dev
 ko-cosign-dev:
@@ -180,7 +180,7 @@ ko-cosign-dev:
 KOCACHE=$(KOCACHE_PATH) KO_DEFAULTBASEIMAGE=gcr.io/distroless/static-debian12:debug-nonroot ko build --base-import-paths \
 --platform=all --tags $(GIT_VERSION)-dev --tags $(GIT_HASH)-dev$(LATEST_TAG)-dev \
 $(ARTIFACT_HUB_LABELS) --image-refs cosignDevImagerefs \
- github.com/sigstore/cosign/v2/cmd/cosign
+ github.com/sigstore/cosign/v3/cmd/cosign
 .PHONY: ko-local
 ko-local:
@@ -189,7 +189,7 @@ ko-local:
 KOCACHE=$(KOCACHE_PATH) ko build --base-import-paths \
 --tags $(GIT_VERSION) --tags $(GIT_HASH) \
 $(ARTIFACT_HUB_LABELS) \
- github.com/sigstore/cosign/v2/cmd/cosign
+ github.com/sigstore/cosign/v3/cmd/cosign
 .PHONY: ko-local-dev
 ko-local-dev:
@@ -198,7 +198,7 @@ ko-local-dev:
 KOCACHE=$(KOCACHE_PATH) KO_DEFAULTBASEIMAGE=gcr.io/distroless/static-debian12:debug-nonroot ko build --base-import-paths \
 --tags $(GIT_VERSION) --tags $(GIT_HASH) \
 $(ARTIFACT_HUB_LABELS) \
- github.com/sigstore/cosign/v2/cmd/cosign
+ github.com/sigstore/cosign/v3/cmd/cosign
 ##################
 # help
diff --git a/cmd/cosign/cli/attach.go b/cmd/cosign/cli/attach.go
index f8c384f97ac..e2c56239276 100644
--- a/cmd/cosign/cli/attach.go
+++ b/cmd/cosign/cli/attach.go
@@ -19,8 +19,8 @@ import (
 "fmt"
 "os"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/attach"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/attach"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
 "github.com/spf13/cobra"
 )
diff --git a/cmd/cosign/cli/attach/attach.go b/cmd/cosign/cli/attach/attach.go
index 76bb5078c8f..971d4bed45c 100644
--- a/cmd/cosign/cli/attach/attach.go
+++ b/cmd/cosign/cli/attach/attach.go
@@ -22,12 +22,12 @@ import (
 "github.com/google/go-containerregistry/pkg/name"
 ssldsse "github.com/secure-systems-lab/go-securesystemslib/dsse"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/internal/ui"
- "github.com/sigstore/cosign/v2/pkg/oci/mutate"
- ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
- "github.com/sigstore/cosign/v2/pkg/oci/static"
- "github.com/sigstore/cosign/v2/pkg/types"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/internal/ui"
+ "github.com/sigstore/cosign/v3/pkg/oci/mutate"
+ ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote"
+ "github.com/sigstore/cosign/v3/pkg/oci/static"
+ "github.com/sigstore/cosign/v3/pkg/types"
 )
 func AttestationCmd(ctx context.Context, regOpts options.RegistryOptions, signedPayloads []string, imageRef string) error {
diff --git a/cmd/cosign/cli/attach/sbom.go b/cmd/cosign/cli/attach/sbom.go
index df651197f63..a7a4f84dd78 100644
--- a/cmd/cosign/cli/attach/sbom.go
+++ b/cmd/cosign/cli/attach/sbom.go
@@ -33,11 +33,11 @@ import (
 "github.com/google/go-containerregistry/pkg/v1/remote/transport"
 ocistatic "github.com/google/go-containerregistry/pkg/v1/static"
 ocitypes "github.com/google/go-containerregistry/pkg/v1/types"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- ociexperimental "github.com/sigstore/cosign/v2/internal/pkg/oci/remote"
- "github.com/sigstore/cosign/v2/internal/ui"
- ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
- "github.com/sigstore/cosign/v2/pkg/oci/static"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ ociexperimental "github.com/sigstore/cosign/v3/internal/pkg/oci/remote"
+ "github.com/sigstore/cosign/v3/internal/ui"
+ ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote"
+ "github.com/sigstore/cosign/v3/pkg/oci/static"
 )
 func SBOMCmd(ctx context.Context, regOpts options.RegistryOptions, regExpOpts options.RegistryExperimentalOptions, sbomRef string, sbomType ocitypes.MediaType, imageRef string) error {
diff --git a/cmd/cosign/cli/attach/sig.go b/cmd/cosign/cli/attach/sig.go
index 812c5cc87a6..41418b01e63 100644
--- a/cmd/cosign/cli/attach/sig.go
+++ b/cmd/cosign/cli/attach/sig.go
@@ -24,12 +24,12 @@ import (
 "path/filepath"
 "github.com/google/go-containerregistry/pkg/name"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/pkg/cosign"
- "github.com/sigstore/cosign/v2/pkg/cosign/bundle"
- "github.com/sigstore/cosign/v2/pkg/oci/mutate"
- ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
- "github.com/sigstore/cosign/v2/pkg/oci/static"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/pkg/cosign"
+ "github.com/sigstore/cosign/v3/pkg/cosign/bundle"
+ "github.com/sigstore/cosign/v3/pkg/oci/mutate"
+ ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote"
+ "github.com/sigstore/cosign/v3/pkg/oci/static"
 )
 func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef, payloadRef, certRef, certChainRef, timeStampedSigRef, rekorBundleRef, imageRef string) error {
diff --git a/cmd/cosign/cli/attest.go b/cmd/cosign/cli/attest.go
index 74715c6829d..bcb0f1cad37 100644
--- a/cmd/cosign/cli/attest.go
+++ b/cmd/cosign/cli/attest.go
@@ -19,12 +19,12 @@ import (
 "context"
 "fmt"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/attest"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/internal/ui"
- "github.com/sigstore/cosign/v2/pkg/cosign"
- "github.com/sigstore/cosign/v2/pkg/cosign/env"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/attest"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/internal/ui"
+ "github.com/sigstore/cosign/v3/pkg/cosign"
+ "github.com/sigstore/cosign/v3/pkg/cosign/env"
 "github.com/sigstore/sigstore-go/pkg/root"
 "github.com/spf13/cobra"
 )
diff --git a/cmd/cosign/cli/attest/attest.go b/cmd/cosign/cli/attest/attest.go
index 7c38f7efb92..6cf7c0fcbdd 100644
--- a/cmd/cosign/cli/attest/attest.go
+++ b/cmd/cosign/cli/attest/attest.go
@@ -27,22 +27,22 @@ import (
 "github.com/google/go-containerregistry/pkg/name"
 v1 "github.com/google/go-containerregistry/pkg/v1"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
- cosign_sign "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
- "github.com/sigstore/cosign/v2/internal/auth"
- "github.com/sigstore/cosign/v2/internal/key"
- "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa"
- tsaclient "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client"
- "github.com/sigstore/cosign/v2/internal/ui"
- "github.com/sigstore/cosign/v2/pkg/cosign"
- "github.com/sigstore/cosign/v2/pkg/cosign/attestation"
- cbundle "github.com/sigstore/cosign/v2/pkg/cosign/bundle"
- cremote "github.com/sigstore/cosign/v2/pkg/cosign/remote"
- "github.com/sigstore/cosign/v2/pkg/oci/mutate"
- ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
- "github.com/sigstore/cosign/v2/pkg/oci/static"
- "github.com/sigstore/cosign/v2/pkg/types"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor"
+ cosign_sign "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign"
+ "github.com/sigstore/cosign/v3/internal/auth"
+ "github.com/sigstore/cosign/v3/internal/key"
+ "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa"
+ tsaclient "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa/client"
+ "github.com/sigstore/cosign/v3/internal/ui"
+ "github.com/sigstore/cosign/v3/pkg/cosign"
+ "github.com/sigstore/cosign/v3/pkg/cosign/attestation"
+ cbundle "github.com/sigstore/cosign/v3/pkg/cosign/bundle"
+ cremote "github.com/sigstore/cosign/v3/pkg/cosign/remote"
+ "github.com/sigstore/cosign/v3/pkg/oci/mutate"
+ ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote"
+ "github.com/sigstore/cosign/v3/pkg/oci/static"
+ "github.com/sigstore/cosign/v3/pkg/types"
 "github.com/sigstore/rekor/pkg/generated/client"
 "github.com/sigstore/rekor/pkg/generated/models"
"github.com/sigstore/sigstore-go/pkg/sign" diff --git a/cmd/cosign/cli/attest/attest_blob.go b/cmd/cosign/cli/attest/attest_blob.go index bd369b91acc..cc1c76aee91 100644 --- a/cmd/cosign/cli/attest/attest_blob.go +++ b/cmd/cosign/cli/attest/attest_blob.go @@ -31,18 +31,18 @@ import ( "time" intotov1 "github.com/in-toto/attestation/go/v1" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor" - cosign_sign "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign" - "github.com/sigstore/cosign/v2/internal/auth" - "github.com/sigstore/cosign/v2/internal/key" - "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa" - tsaclient "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/cosign/attestation" - cbundle "github.com/sigstore/cosign/v2/pkg/cosign/bundle" - "github.com/sigstore/cosign/v2/pkg/types" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor" + cosign_sign "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign" + "github.com/sigstore/cosign/v3/internal/auth" + "github.com/sigstore/cosign/v3/internal/key" + "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa" + tsaclient "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa/client" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign/attestation" + cbundle "github.com/sigstore/cosign/v3/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/pkg/types" "github.com/sigstore/rekor/pkg/generated/models" "github.com/sigstore/sigstore-go/pkg/sign" "github.com/sigstore/sigstore/pkg/cryptoutils" diff --git a/cmd/cosign/cli/attest/attest_blob_test.go b/cmd/cosign/cli/attest/attest_blob_test.go index 57f7d349a57..cf0a8c566b5 100644 --- a/cmd/cosign/cli/attest/attest_blob_test.go 
+++ b/cmd/cosign/cli/attest/attest_blob_test.go
@@ -33,10 +33,10 @@ import (
 "github.com/in-toto/in-toto-golang/in_toto"
 ssldsse "github.com/secure-systems-lab/go-securesystemslib/dsse"
 "github.com/secure-systems-lab/go-securesystemslib/encrypted"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/internal/test"
- "github.com/sigstore/cosign/v2/pkg/cosign"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/internal/test"
+ "github.com/sigstore/cosign/v3/pkg/cosign"
 "github.com/sigstore/sigstore/pkg/signature"
 "github.com/sigstore/sigstore/pkg/signature/dsse"
 "github.com/stretchr/testify/assert"
diff --git a/cmd/cosign/cli/attest_blob.go b/cmd/cosign/cli/attest_blob.go
index 0afd6aa8f94..70f48f75b6d 100644
--- a/cmd/cosign/cli/attest_blob.go
+++ b/cmd/cosign/cli/attest_blob.go
@@ -18,12 +18,12 @@ import (
 "context"
 "fmt"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/attest"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/internal/ui"
- "github.com/sigstore/cosign/v2/pkg/cosign"
- "github.com/sigstore/cosign/v2/pkg/cosign/env"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/attest"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/internal/ui"
+ "github.com/sigstore/cosign/v3/pkg/cosign"
+ "github.com/sigstore/cosign/v3/pkg/cosign/env"
 "github.com/sigstore/sigstore-go/pkg/root"
 "github.com/spf13/cobra"
 )
diff --git a/cmd/cosign/cli/bundle.go b/cmd/cosign/cli/bundle.go
index ba08d6b6545..25e1a24509d 100644
--- a/cmd/cosign/cli/bundle.go
+++ b/cmd/cosign/cli/bundle.go
@@ -18,8 +18,8 @@ package cli
 import (
 "context"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/bundle"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/bundle"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
 "github.com/spf13/cobra"
 )
diff --git a/cmd/cosign/cli/bundle/bundle.go b/cmd/cosign/cli/bundle/bundle.go
index 54778e45e99..8fe426ed9dd 100644
--- a/cmd/cosign/cli/bundle/bundle.go
+++ b/cmd/cosign/cli/bundle/bundle.go
@@ -29,14 +29,14 @@ import (
 "github.com/sigstore/sigstore/pkg/cryptoutils"
 "github.com/sigstore/sigstore/pkg/signature"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
- "github.com/sigstore/cosign/v2/pkg/cosign"
- "github.com/sigstore/cosign/v2/pkg/cosign/bundle"
- "github.com/sigstore/cosign/v2/pkg/cosign/pivkey"
- "github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key"
- sigs "github.com/sigstore/cosign/v2/pkg/signature"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/verify"
+ "github.com/sigstore/cosign/v3/pkg/cosign"
+ "github.com/sigstore/cosign/v3/pkg/cosign/bundle"
+ "github.com/sigstore/cosign/v3/pkg/cosign/pivkey"
+ "github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key"
+ sigs "github.com/sigstore/cosign/v3/pkg/signature"
 )
 type CreateCmd struct {
diff --git a/cmd/cosign/cli/bundle/bundle_test.go b/cmd/cosign/cli/bundle/bundle_test.go
index 94f6233775a..71c24355cd8 100644
--- a/cmd/cosign/cli/bundle/bundle_test.go
+++ b/cmd/cosign/cli/bundle/bundle_test.go
@@ -30,8 +30,8 @@ import (
 "path/filepath"
 "testing"
- "github.com/sigstore/cosign/v2/internal/test"
- "github.com/sigstore/cosign/v2/pkg/cosign"
+ "github.com/sigstore/cosign/v3/internal/test"
+ "github.com/sigstore/cosign/v3/pkg/cosign"
 sgBundle "github.com/sigstore/sigstore-go/pkg/bundle"
 "github.com/sigstore/sigstore/pkg/cryptoutils"
 )
diff --git a/cmd/cosign/cli/clean.go b/cmd/cosign/cli/clean.go
index 32b68385700..a9debf808ee 100644
--- a/cmd/cosign/cli/clean.go
+++ b/cmd/cosign/cli/clean.go
@@ -25,9 +25,9 @@ import (
 "github.com/google/go-containerregistry/pkg/name"
 "github.com/google/go-containerregistry/pkg/v1/remote"
 "github.com/google/go-containerregistry/pkg/v1/remote/transport"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/internal/ui"
- ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/internal/ui"
+ ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote"
 "github.com/spf13/cobra"
 )
diff --git a/cmd/cosign/cli/commands.go b/cmd/cosign/cli/commands.go
index b4d5e5887c5..36c5fd6bb9c 100644
--- a/cmd/cosign/cli/commands.go
+++ b/cmd/cosign/cli/commands.go
@@ -21,8 +21,8 @@ import (
 cranecmd "github.com/google/go-containerregistry/cmd/crane/cmd"
 "github.com/google/go-containerregistry/pkg/logs"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/templates"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/templates"
 "github.com/spf13/cobra"
 "github.com/spf13/pflag"
 cobracompletefig "github.com/withfig/autocomplete-tools/integrations/cobra"
diff --git a/cmd/cosign/cli/copy.go b/cmd/cosign/cli/copy.go
index 62e487a508c..16e3c8ff798 100644
--- a/cmd/cosign/cli/copy.go
+++ b/cmd/cosign/cli/copy.go
@@ -16,8 +16,8 @@ package cli
 import (
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/copy"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/copy"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
 "github.com/spf13/cobra"
 )
diff --git a/cmd/cosign/cli/copy/copy.go b/cmd/cosign/cli/copy/copy.go
index fefe8d3bc88..bcc4c2b1c51 100644
--- a/cmd/cosign/cli/copy/copy.go
+++ b/cmd/cosign/cli/copy/copy.go
@@ -26,11 +26,11 @@ import (
 v1 "github.com/google/go-containerregistry/pkg/v1"
 "github.com/google/go-containerregistry/pkg/v1/remote"
 "github.com/google/go-containerregistry/pkg/v1/remote/transport"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/pkg/oci"
- ociplatform "github.com/sigstore/cosign/v2/pkg/oci/platform"
- ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
- "github.com/sigstore/cosign/v2/pkg/oci/walk"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/pkg/oci"
+ ociplatform "github.com/sigstore/cosign/v3/pkg/oci/platform"
+ ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote"
+ "github.com/sigstore/cosign/v3/pkg/oci/walk"
 "golang.org/x/sync/errgroup"
 "k8s.io/apimachinery/pkg/util/sets"
 )
diff --git a/cmd/cosign/cli/copy/copy_test.go b/cmd/cosign/cli/copy/copy_test.go
index 737e0df9dd6..d6ceed02b20 100644
--- a/cmd/cosign/cli/copy/copy_test.go
+++ b/cmd/cosign/cli/copy/copy_test.go
@@ -19,8 +19,8 @@ import (
 "reflect"
 "testing"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote"
 )
 func TestCopyAttachmentTagPrefix(t *testing.T) {
diff --git a/cmd/cosign/cli/debug.go b/cmd/cosign/cli/debug.go
index 277c85a2830..a6c1bccd5a6 100644
--- a/cmd/cosign/cli/debug.go
+++ b/cmd/cosign/cli/debug.go
@@ -15,7 +15,7 @@ package cli
 import (
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/debug"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/debug"
 "github.com/spf13/cobra"
 )
diff --git a/cmd/cosign/cli/debug/provider.go b/cmd/cosign/cli/debug/provider.go
index debf57d1bd1..1d7af3d2c53 100644
--- a/cmd/cosign/cli/debug/provider.go
+++ b/cmd/cosign/cli/debug/provider.go
@@ -19,7 +19,7 @@ import (
 "fmt"
 "io"
- "github.com/sigstore/cosign/v2/pkg/providers"
+ "github.com/sigstore/cosign/v3/pkg/providers"
 )
 func ProviderCmd(ctx context.Context, w io.Writer) error {
diff --git a/cmd/cosign/cli/dockerfile.go b/cmd/cosign/cli/dockerfile.go
index 5f207af2cc9..f988ed89921 100644
--- a/cmd/cosign/cli/dockerfile.go
+++ b/cmd/cosign/cli/dockerfile.go
@@ -18,9 +18,9 @@ package cli
 import (
 "fmt"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/dockerfile"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/dockerfile"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/verify"
 "github.com/spf13/cobra"
 )
diff --git a/cmd/cosign/cli/dockerfile/verify.go b/cmd/cosign/cli/dockerfile/verify.go
index e0ffb8851ee..a6d51e6e16b 100644
--- a/cmd/cosign/cli/dockerfile/verify.go
+++ b/cmd/cosign/cli/dockerfile/verify.go
@@ -24,8 +24,8 @@ import (
 "os"
 "strings"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
- "github.com/sigstore/cosign/v2/internal/ui"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/verify"
+ "github.com/sigstore/cosign/v3/internal/ui"
 )
 // VerifyCommand verifies a signature on a supplied container image
diff --git a/cmd/cosign/cli/download.go b/cmd/cosign/cli/download.go
index 61d0b9eca2a..687fedb7084 100644
--- a/cmd/cosign/cli/download.go
+++ b/cmd/cosign/cli/download.go
@@ -19,8 +19,8 @@ import (
 "fmt"
 "os"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/download"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/download"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
 "github.com/spf13/cobra"
 )
diff --git a/cmd/cosign/cli/download/attestation.go b/cmd/cosign/cli/download/attestation.go
index 152e934103d..814021eacff 100644
--- a/cmd/cosign/cli/download/attestation.go
+++ b/cmd/cosign/cli/download/attestation.go
@@ -22,10 +22,10 @@ import (
 "fmt"
 "github.com/google/go-containerregistry/pkg/name"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/pkg/cosign"
- "github.com/sigstore/cosign/v2/pkg/oci/platform"
- ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/pkg/cosign"
+ "github.com/sigstore/cosign/v3/pkg/oci/platform"
+ ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote"
 )
 func AttestationCmd(ctx context.Context, regOpts options.RegistryOptions, attOptions options.AttestationDownloadOptions, imageRef string) error {
diff --git a/cmd/cosign/cli/download/sbom.go b/cmd/cosign/cli/download/sbom.go
index 66ff4257259..4191d517dd1 100644
--- a/cmd/cosign/cli/download/sbom.go
+++ b/cmd/cosign/cli/download/sbom.go
@@ -23,10 +23,10 @@ import (
 "os"
 "github.com/google/go-containerregistry/pkg/name"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/pkg/oci"
- "github.com/sigstore/cosign/v2/pkg/oci/platform"
- ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/pkg/oci"
+ "github.com/sigstore/cosign/v3/pkg/oci/platform"
+ ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote"
 )
 func SBOMCmd(
diff --git a/cmd/cosign/cli/download/signature.go b/cmd/cosign/cli/download/signature.go
index 64639c3232f..67fb9b87e77 100644
--- a/cmd/cosign/cli/download/signature.go
+++ b/cmd/cosign/cli/download/signature.go
@@ -21,8 +21,8 @@ import (
 "fmt"
 "github.com/google/go-containerregistry/pkg/name"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/pkg/cosign"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/pkg/cosign"
 )
 func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef string) error {
diff --git a/cmd/cosign/cli/env.go b/cmd/cosign/cli/env.go
index 981a7bbb785..ff4105d0099 100644
--- a/cmd/cosign/cli/env.go
+++ b/cmd/cosign/cli/env.go
@@ -21,8 +21,8 @@ import (
 "sort"
 "strings"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/pkg/cosign/env"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/pkg/cosign/env"
 "github.com/spf13/cobra"
 )
diff --git a/cmd/cosign/cli/env_test.go b/cmd/cosign/cli/env_test.go
index 7cb64c9206d..a8cc286e169 100644
--- a/cmd/cosign/cli/env_test.go
+++ b/cmd/cosign/cli/env_test.go
@@ -21,7 +21,7 @@ import (
 "os"
 "testing"
- "github.com/sigstore/cosign/v2/pkg/cosign/env"
+ "github.com/sigstore/cosign/v3/pkg/cosign/env"
 )
 const (
diff --git a/cmd/cosign/cli/fulcio/depcheck_test.go b/cmd/cosign/cli/fulcio/depcheck_test.go
index 0a4562559b7..6a1ef76a769 100644
--- a/cmd/cosign/cli/fulcio/depcheck_test.go
+++ b/cmd/cosign/cli/fulcio/depcheck_test.go
@@ -23,7 +23,7 @@ import (
 func TestNoDeps(t *testing.T) {
 depcheck.AssertNoDependency(t, map[string][]string{
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio": {
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/fulcio": {
 // Avoid pulling in a variety of things that are massive dependencies.
 "github.com/google/trillian",
 "github.com/envoyproxy/go-control-plane",
diff --git a/cmd/cosign/cli/fulcio/fulcio.go b/cmd/cosign/cli/fulcio/fulcio.go
index e13e4902e1d..dec43db1329 100644
--- a/cmd/cosign/cli/fulcio/fulcio.go
+++ b/cmd/cosign/cli/fulcio/fulcio.go
@@ -24,9 +24,9 @@ import (
 "os"
 "strings"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/internal/auth"
- "github.com/sigstore/cosign/v2/internal/pkg/cosign/fulcio/fulcioroots"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/internal/auth"
+ "github.com/sigstore/cosign/v3/internal/pkg/cosign/fulcio/fulcioroots"
 "github.com/sigstore/fulcio/pkg/api"
 "github.com/sigstore/sigstore/pkg/cryptoutils"
 "github.com/sigstore/sigstore/pkg/signature"
diff --git a/cmd/cosign/cli/fulcio/fulcio_test.go b/cmd/cosign/cli/fulcio/fulcio_test.go
index 43b27b691b4..f728ed9db7a 100644
--- a/cmd/cosign/cli/fulcio/fulcio_test.go
+++ b/cmd/cosign/cli/fulcio/fulcio_test.go
@@ -28,9 +28,9 @@ import (
 "net/http/httptest"
 "testing"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/internal/test"
- "github.com/sigstore/cosign/v2/pkg/cosign"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/internal/test"
+ "github.com/sigstore/cosign/v3/pkg/cosign"
 "github.com/sigstore/fulcio/pkg/api"
 "github.com/sigstore/sigstore/pkg/cryptoutils"
 "github.com/sigstore/sigstore/pkg/signature"
diff --git a/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go b/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go
index 076a763c536..0a9850b5035 100644
--- a/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go
+++ b/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go
@@ -20,10 +20,10 @@ import ( "crypto/x509" "fmt" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/fulcio" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/cosign" "github.com/sigstore/sigstore-go/pkg/verify" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" diff --git a/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier_test.go b/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier_test.go index 6b8d2b6b302..9622ca47874 100644 --- a/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier_test.go +++ b/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier_test.go @@ -40,9 +40,9 @@ import ( "github.com/google/certificate-transparency-go/trillian/ctfe" ctx509 "github.com/google/certificate-transparency-go/x509" ctx509util "github.com/google/certificate-transparency-go/x509util" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/initialize" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/initialize" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/pkg/cosign" "github.com/sigstore/fulcio/pkg/ctl" "github.com/sigstore/sigstore-go/pkg/root" "github.com/sigstore/sigstore/pkg/cryptoutils" diff --git a/cmd/cosign/cli/generate.go b/cmd/cosign/cli/generate.go index 4560ce7693c..f1e0d76bf1d 100644 --- a/cmd/cosign/cli/generate.go +++ b/cmd/cosign/cli/generate.go 
@@ -16,8 +16,8 @@ package cli import ( - "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/generate/generate.go b/cmd/cosign/cli/generate/generate.go index ee2e6b459a5..21d333945cb 100644 --- a/cmd/cosign/cli/generate/generate.go +++ b/cmd/cosign/cli/generate/generate.go @@ -20,8 +20,8 @@ import ( "io" "github.com/google/go-containerregistry/pkg/name" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote" "github.com/sigstore/sigstore/pkg/signature/payload" ) diff --git a/cmd/cosign/cli/generate/generate_key_pair.go b/cmd/cosign/cli/generate/generate_key_pair.go index 2329f51b819..3e729eb9aec 100644 --- a/cmd/cosign/cli/generate/generate_key_pair.go +++ b/cmd/cosign/cli/generate/generate_key_pair.go 
@@ -24,15 +24,15 @@ import ( "os" "strings" - "github.com/sigstore/cosign/v2/pkg/cosign/env" - "github.com/sigstore/cosign/v2/pkg/cosign/git" - "github.com/sigstore/cosign/v2/pkg/cosign/git/github" - "github.com/sigstore/cosign/v2/pkg/cosign/git/gitlab" - - icos "github.com/sigstore/cosign/v2/internal/pkg/cosign" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/cosign/kubernetes" + "github.com/sigstore/cosign/v3/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign/git" + "github.com/sigstore/cosign/v3/pkg/cosign/git/github" + "github.com/sigstore/cosign/v3/pkg/cosign/git/gitlab" + + icos "github.com/sigstore/cosign/v3/internal/pkg/cosign" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign/kubernetes" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature/kms" ) diff --git a/cmd/cosign/cli/generate/generate_key_pair_test.go b/cmd/cosign/cli/generate/generate_key_pair_test.go index f860382ea4e..13ef47a5f74 100644 --- a/cmd/cosign/cli/generate/generate_key_pair_test.go +++ b/cmd/cosign/cli/generate/generate_key_pair_test.go @@ -21,7 +21,7 @@ import ( "testing" "github.com/google/go-cmp/cmp" - icos "github.com/sigstore/cosign/v2/internal/pkg/cosign" + icos "github.com/sigstore/cosign/v3/internal/pkg/cosign" ) func TestReadPasswordFn_env(t *testing.T) { diff --git a/cmd/cosign/cli/generate_key_pair.go b/cmd/cosign/cli/generate_key_pair.go index 9e64f7b5981..6e22c052acb 100644 --- a/cmd/cosign/cli/generate_key_pair.go +++ b/cmd/cosign/cli/generate_key_pair.go @@ -16,8 +16,8 @@ package cli import ( - "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" "github.com/spf13/cobra" ) 
diff --git a/cmd/cosign/cli/import_key_pair.go b/cmd/cosign/cli/import_key_pair.go index 3ba62aa68ec..f8a323afa93 100644 --- a/cmd/cosign/cli/import_key_pair.go +++ b/cmd/cosign/cli/import_key_pair.go @@ -18,8 +18,8 @@ package cli import ( "github.com/spf13/cobra" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/importkeypair" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/importkeypair" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" ) func ImportKeyPair() *cobra.Command { diff --git a/cmd/cosign/cli/importkeypair/import_key_pair.go b/cmd/cosign/cli/importkeypair/import_key_pair.go index b2d03628e62..3079648185f 100644 --- a/cmd/cosign/cli/importkeypair/import_key_pair.go +++ b/cmd/cosign/cli/importkeypair/import_key_pair.go @@ -21,11 +21,11 @@ import ( "io" "os" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - icos "github.com/sigstore/cosign/v2/internal/pkg/cosign" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + icos "github.com/sigstore/cosign/v3/internal/pkg/cosign" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign/env" ) var ( diff --git a/cmd/cosign/cli/importkeypair/import_key_pair_test.go b/cmd/cosign/cli/importkeypair/import_key_pair_test.go index bb1519cf17e..82e8e1e8119 100644 --- a/cmd/cosign/cli/importkeypair/import_key_pair_test.go +++ b/cmd/cosign/cli/importkeypair/import_key_pair_test.go @@ -25,8 +25,8 @@ import ( "testing" "github.com/google/go-cmp/cmp" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - icos "github.com/sigstore/cosign/v2/internal/pkg/cosign" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + icos "github.com/sigstore/cosign/v3/internal/pkg/cosign" ) func TestReadPasswordFn_env(t *testing.T) { 
diff --git a/cmd/cosign/cli/initialize.go b/cmd/cosign/cli/initialize.go index 59b537147f8..4ed890456f2 100644 --- a/cmd/cosign/cli/initialize.go +++ b/cmd/cosign/cli/initialize.go @@ -16,8 +16,8 @@ package cli import ( - "github.com/sigstore/cosign/v2/cmd/cosign/cli/initialize" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/initialize" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/initialize/init.go b/cmd/cosign/cli/initialize/init.go index fc726cd0d59..a44909c312e 100644 --- a/cmd/cosign/cli/initialize/init.go +++ b/cmd/cosign/cli/initialize/init.go @@ -24,10 +24,10 @@ import ( "path/filepath" "strings" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/blob" - "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/blob" + "github.com/sigstore/cosign/v3/pkg/cosign/env" tufroot "github.com/sigstore/sigstore-go/pkg/root" "github.com/sigstore/sigstore-go/pkg/tuf" tufv1 "github.com/sigstore/sigstore/pkg/tuf" diff --git a/cmd/cosign/cli/load.go b/cmd/cosign/cli/load.go index 80eb9ec7d0a..b2075291116 100644 --- a/cmd/cosign/cli/load.go +++ b/cmd/cosign/cli/load.go @@ -20,9 +20,9 @@ import ( "fmt" "github.com/google/go-containerregistry/pkg/name" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/pkg/oci/layout" - "github.com/sigstore/cosign/v2/pkg/oci/remote" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/pkg/oci/layout" + "github.com/sigstore/cosign/v3/pkg/oci/remote" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/manifest.go b/cmd/cosign/cli/manifest.go index 02bf8881f3c..786138668a4 100644 --- a/cmd/cosign/cli/manifest.go 
+++ b/cmd/cosign/cli/manifest.go @@ -18,9 +18,9 @@ package cli import ( "fmt" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/manifest" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/manifest" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/verify" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/manifest/verify.go b/cmd/cosign/cli/manifest/verify.go index 9f179b2d8d2..dac0afba31a 100644 --- a/cmd/cosign/cli/manifest/verify.go +++ b/cmd/cosign/cli/manifest/verify.go @@ -27,7 +27,7 @@ import ( "k8s.io/apimachinery/pkg/util/yaml" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/verify" ) // VerifyManifestCommand verifies all image signatures on a supplied k8s resource diff --git a/cmd/cosign/cli/options/annotations.go b/cmd/cosign/cli/options/annotations.go index 5da30a3c910..601e2af657a 100644 --- a/cmd/cosign/cli/options/annotations.go +++ b/cmd/cosign/cli/options/annotations.go @@ -19,7 +19,7 @@ import ( "fmt" "strings" - sigs "github.com/sigstore/cosign/v2/pkg/signature" + sigs "github.com/sigstore/cosign/v3/pkg/signature" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/options/annotations_test.go b/cmd/cosign/cli/options/annotations_test.go index c575a397358..01a5faba8b7 100644 --- a/cmd/cosign/cli/options/annotations_test.go +++ b/cmd/cosign/cli/options/annotations_test.go @@ -20,7 +20,7 @@ import ( "github.com/google/go-cmp/cmp" - "github.com/sigstore/cosign/v2/pkg/signature" + "github.com/sigstore/cosign/v3/pkg/signature" ) func TestAnnotationOptions_AnnotationsMap(t *testing.T) { diff --git a/cmd/cosign/cli/options/attach.go b/cmd/cosign/cli/options/attach.go index 4e51d527f08..e0aac3fb85b 100644 --- a/cmd/cosign/cli/options/attach.go +++ b/cmd/cosign/cli/options/attach.go 
@@ -20,7 +20,7 @@ import ( "strings" "github.com/google/go-containerregistry/pkg/v1/types" - ctypes "github.com/sigstore/cosign/v2/pkg/types" + ctypes "github.com/sigstore/cosign/v3/pkg/types" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/options/certificate.go b/cmd/cosign/cli/options/certificate.go index b14d408fe20..62bbb2fd8f0 100644 --- a/cmd/cosign/cli/options/certificate.go +++ b/cmd/cosign/cli/options/certificate.go @@ -17,7 +17,7 @@ package options import ( "errors" - "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/options/experimental.go b/cmd/cosign/cli/options/experimental.go index 5a982fee45e..fed423e0c1b 100644 --- a/cmd/cosign/cli/options/experimental.go +++ b/cmd/cosign/cli/options/experimental.go @@ -17,7 +17,7 @@ package options import ( "strconv" - "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign/env" ) func EnableExperimental() bool { diff --git a/cmd/cosign/cli/options/files.go b/cmd/cosign/cli/options/files.go index 5d3d185f1ee..7ba77a0b860 100644 --- a/cmd/cosign/cli/options/files.go +++ b/cmd/cosign/cli/options/files.go @@ -19,7 +19,7 @@ import ( "fmt" "strings" - cremote "github.com/sigstore/cosign/v2/pkg/cosign/remote" + cremote "github.com/sigstore/cosign/v3/pkg/cosign/remote" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/options/key.go b/cmd/cosign/cli/options/key.go index bf8d78b77b1..b62dc65fefd 100644 --- a/cmd/cosign/cli/options/key.go +++ b/cmd/cosign/cli/options/key.go @@ -16,7 +16,7 @@ package options import ( - "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign" "github.com/sigstore/sigstore-go/pkg/root" "github.com/sigstore/sigstore/pkg/signature" ) 
@@ -50,7 +50,7 @@ type KeyOpts struct { IssueCertificateForExistingKey bool // FulcioAuthFlow is the auth flow to use when authenticating against - // Fulcio. See https://pkg.go.dev/github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio#pkg-constants + // Fulcio. See https://pkg.go.dev/github.com/sigstore/cosign/v3/cmd/cosign/cli/fulcio#pkg-constants // for valid values. FulcioAuthFlow string diff --git a/cmd/cosign/cli/options/pkcs11_tool.go b/cmd/cosign/cli/options/pkcs11_tool.go index c391e9de7b6..ce1523fc94b 100644 --- a/cmd/cosign/cli/options/pkcs11_tool.go +++ b/cmd/cosign/cli/options/pkcs11_tool.go @@ -16,7 +16,7 @@ package options import ( - "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign/env" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/options/predicate.go b/cmd/cosign/cli/options/predicate.go index e08325a376e..f33b347acfb 100644 --- a/cmd/cosign/cli/options/predicate.go +++ b/cmd/cosign/cli/options/predicate.go @@ -22,7 +22,7 @@ import ( "github.com/in-toto/in-toto-golang/in_toto" slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2" slsa1 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1" - "github.com/sigstore/cosign/v2/pkg/cosign/attestation" + "github.com/sigstore/cosign/v3/pkg/cosign/attestation" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/options/registry.go b/cmd/cosign/cli/options/registry.go index 6840d532974..011854d91b0 100644 --- a/cmd/cosign/cli/options/registry.go +++ b/cmd/cosign/cli/options/registry.go @@ -32,7 +32,7 @@ import ( "github.com/google/go-containerregistry/pkg/v1/google" "github.com/google/go-containerregistry/pkg/v1/remote" alibabaacr "github.com/mozillazg/docker-credential-acr-helper/pkg/credhelper" - ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" + ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote" "github.com/spf13/cobra" ) 
diff --git a/cmd/cosign/cli/options/verify.go b/cmd/cosign/cli/options/verify.go index ec3f6a6daa0..9fc718eeb84 100644 --- a/cmd/cosign/cli/options/verify.go +++ b/cmd/cosign/cli/options/verify.go @@ -18,7 +18,7 @@ package options import ( "github.com/spf13/cobra" - "github.com/sigstore/cosign/v2/internal/pkg/cosign" + "github.com/sigstore/cosign/v3/internal/pkg/cosign" ) type CommonVerifyOptions struct { diff --git a/cmd/cosign/cli/piv_tool.go b/cmd/cosign/cli/piv_tool.go index 855b1a8dead..c30719acfd5 100644 --- a/cmd/cosign/cli/piv_tool.go +++ b/cmd/cosign/cli/piv_tool.go @@ -20,8 +20,8 @@ package cli import ( "encoding/json" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/pivcli" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/pivcli" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/pivcli/commands.go b/cmd/cosign/cli/pivcli/commands.go index 2f532eaaf79..a40771bbee9 100644 --- a/cmd/cosign/cli/pivcli/commands.go +++ b/cmd/cosign/cli/pivcli/commands.go @@ -32,7 +32,7 @@ import ( "github.com/go-piv/piv-go/v2/piv" "github.com/manifoldco/promptui" - "github.com/sigstore/cosign/v2/pkg/cosign/pivkey" + "github.com/sigstore/cosign/v3/pkg/cosign/pivkey" ) func SetManagementKeyCmd(_ context.Context, oldKey, newKey string, randomKey bool) error { diff --git a/cmd/cosign/cli/pkcs11_tool.go b/cmd/cosign/cli/pkcs11_tool.go index bc8e80a4bdc..5249c1e2422 100644 --- a/cmd/cosign/cli/pkcs11_tool.go +++ b/cmd/cosign/cli/pkcs11_tool.go @@ -18,8 +18,8 @@ package cli import ( - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/pkcs11cli" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/pkcs11cli" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/pkcs11cli/commands.go b/cmd/cosign/cli/pkcs11cli/commands.go index 6d4609f5161..59cd5ea8995 100644 
--- a/cmd/cosign/cli/pkcs11cli/commands.go +++ b/cmd/cosign/cli/pkcs11cli/commands.go @@ -28,8 +28,8 @@ import ( "syscall" "github.com/miekg/pkcs11" - "github.com/sigstore/cosign/v2/pkg/cosign/env" - "github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key" + "github.com/sigstore/cosign/v3/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key" "golang.org/x/term" ) diff --git a/cmd/cosign/cli/public_key.go b/cmd/cosign/cli/public_key.go index 6f1b225082e..1f9c9769d1e 100644 --- a/cmd/cosign/cli/public_key.go +++ b/cmd/cosign/cli/public_key.go @@ -18,9 +18,9 @@ package cli import ( "os" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/publickey" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/publickey" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/publickey/public_key.go b/cmd/cosign/cli/publickey/public_key.go index 36158587912..85060b29597 100644 --- a/cmd/cosign/cli/publickey/public_key.go +++ b/cmd/cosign/cli/publickey/public_key.go @@ -20,11 +20,11 @@ import ( "fmt" "io" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/cosign/pivkey" - "github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key" - sigs "github.com/sigstore/cosign/v2/pkg/signature" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign/pivkey" + "github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key" + sigs "github.com/sigstore/cosign/v3/pkg/signature" "github.com/sigstore/sigstore/pkg/signature" signatureoptions "github.com/sigstore/sigstore/pkg/signature/options" ) diff --git a/cmd/cosign/cli/publickey/public_key_test.go b/cmd/cosign/cli/publickey/public_key_test.go index 12a93439ff5..f7de44a9344 100644 
--- a/cmd/cosign/cli/publickey/public_key_test.go +++ b/cmd/cosign/cli/publickey/public_key_test.go @@ -23,7 +23,7 @@ import ( "path/filepath" "testing" - "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign" ) func pass(s string) cosign.PassFunc { diff --git a/cmd/cosign/cli/rekor/rekor.go b/cmd/cosign/cli/rekor/rekor.go index 76d57ad1b08..c06cef5a0d4 100644 --- a/cmd/cosign/cli/rekor/rekor.go +++ b/cmd/cosign/cli/rekor/rekor.go @@ -18,7 +18,7 @@ import ( rekor "github.com/sigstore/rekor/pkg/client" "github.com/sigstore/rekor/pkg/generated/client" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" ) func NewClient(rekorURL string) (*client.Rekor, error) { diff --git a/cmd/cosign/cli/rekor/rekor_test.go b/cmd/cosign/cli/rekor/rekor_test.go index 31b8f4eb999..94555f09348 100644 --- a/cmd/cosign/cli/rekor/rekor_test.go +++ b/cmd/cosign/cli/rekor/rekor_test.go @@ -19,7 +19,7 @@ import ( "net/http/httptest" "testing" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" ) func TestNewClient(t *testing.T) { diff --git a/cmd/cosign/cli/save.go b/cmd/cosign/cli/save.go index 018bd9f76ed..6c95c2059b9 100644 --- a/cmd/cosign/cli/save.go +++ b/cmd/cosign/cli/save.go @@ -21,10 +21,10 @@ import ( "fmt" "github.com/google/go-containerregistry/pkg/name" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/layout" - ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/layout" + ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/sign.go b/cmd/cosign/cli/sign.go index 9ae5fd2a2d2..914278d53de 100644 --- a/cmd/cosign/cli/sign.go 
+++ b/cmd/cosign/cli/sign.go @@ -20,12 +20,12 @@ import ( "fmt" "os" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign/env" "github.com/sigstore/sigstore-go/pkg/root" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go index 51dcedd885e..43e060745fb 100644 --- a/cmd/cosign/cli/sign/sign.go +++ b/cmd/cosign/cli/sign/sign.go 
@@ -33,31 +33,31 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/remote" intotov1 "github.com/in-toto/attestation/go/v1" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio/fulcioverifier" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign/privacy" - "github.com/sigstore/cosign/v2/internal/auth" - "github.com/sigstore/cosign/v2/internal/key" - icos "github.com/sigstore/cosign/v2/internal/pkg/cosign" - ifulcio "github.com/sigstore/cosign/v2/internal/pkg/cosign/fulcio" - ipayload "github.com/sigstore/cosign/v2/internal/pkg/cosign/payload" - irekor "github.com/sigstore/cosign/v2/internal/pkg/cosign/rekor" - "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa" - "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/cosign" - cbundle "github.com/sigstore/cosign/v2/pkg/cosign/bundle" - "github.com/sigstore/cosign/v2/pkg/cosign/pivkey" - "github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key" - cremote "github.com/sigstore/cosign/v2/pkg/cosign/remote" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/mutate" - ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" - "github.com/sigstore/cosign/v2/pkg/oci/walk" - sigs "github.com/sigstore/cosign/v2/pkg/signature" - "github.com/sigstore/cosign/v2/pkg/types" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/fulcio" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/fulcio/fulcioverifier" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign/privacy" + "github.com/sigstore/cosign/v3/internal/auth" + "github.com/sigstore/cosign/v3/internal/key" + icos 
"github.com/sigstore/cosign/v3/internal/pkg/cosign" + ifulcio "github.com/sigstore/cosign/v3/internal/pkg/cosign/fulcio" + ipayload "github.com/sigstore/cosign/v3/internal/pkg/cosign/payload" + irekor "github.com/sigstore/cosign/v3/internal/pkg/cosign/rekor" + "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa" + "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa/client" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/cosign" + cbundle "github.com/sigstore/cosign/v3/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/pkg/cosign/pivkey" + "github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key" + cremote "github.com/sigstore/cosign/v3/pkg/cosign/remote" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/mutate" + ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote" + "github.com/sigstore/cosign/v3/pkg/oci/walk" + sigs "github.com/sigstore/cosign/v3/pkg/signature" + "github.com/sigstore/cosign/v3/pkg/types" "github.com/sigstore/rekor/pkg/generated/models" "github.com/sigstore/sigstore-go/pkg/sign" "github.com/sigstore/sigstore/pkg/cryptoutils" @@ -68,7 +68,7 @@ import ( "google.golang.org/protobuf/encoding/protojson" // Loads OIDC providers - _ "github.com/sigstore/cosign/v2/pkg/providers/all" + _ "github.com/sigstore/cosign/v3/pkg/providers/all" ) func ShouldUploadToTlog(ctx context.Context, ko options.KeyOpts, ref name.Reference, tlogUpload bool) (bool, error) { diff --git a/cmd/cosign/cli/sign/sign_blob.go b/cmd/cosign/cli/sign/sign_blob.go index c04d830b313..cba9af705ac 100644 --- a/cmd/cosign/cli/sign/sign_blob.go +++ b/cmd/cosign/cli/sign/sign_blob.go 
@@ -29,16 +29,16 @@ import ( "google.golang.org/protobuf/encoding/protojson" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor" - "github.com/sigstore/cosign/v2/internal/auth" - "github.com/sigstore/cosign/v2/internal/key" - internal "github.com/sigstore/cosign/v2/internal/pkg/cosign" - "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa" - "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/cosign" - cbundle "github.com/sigstore/cosign/v2/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor" + "github.com/sigstore/cosign/v3/internal/auth" + "github.com/sigstore/cosign/v3/internal/key" + internal "github.com/sigstore/cosign/v3/internal/pkg/cosign" + "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa" + "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa/client" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/cosign" + cbundle "github.com/sigstore/cosign/v3/pkg/cosign/bundle" protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" "github.com/sigstore/rekor/pkg/generated/models" diff --git a/cmd/cosign/cli/sign/sign_blob_test.go b/cmd/cosign/cli/sign/sign_blob_test.go index 2f0853589a4..10880c711a0 100644 --- a/cmd/cosign/cli/sign/sign_blob_test.go +++ b/cmd/cosign/cli/sign/sign_blob_test.go @@ -19,8 +19,8 @@ import ( "path/filepath" "testing" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/pkg/cosign" ) func TestSignBlobCmd(t *testing.T) { diff --git a/cmd/cosign/cli/sign/sign_test.go b/cmd/cosign/cli/sign/sign_test.go index 5802f2b60c1..78ad209d7cc 100644 
--- a/cmd/cosign/cli/sign/sign_test.go +++ b/cmd/cosign/cli/sign/sign_test.go @@ -29,11 +29,11 @@ import ( "github.com/stretchr/testify/assert" "github.com/secure-systems-lab/go-securesystemslib/encrypted" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/internal/test" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/internal/test" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/cosign" "github.com/sigstore/sigstore/pkg/cryptoutils" ) diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go index 349b7c9a9a7..de9ae339628 100644 --- a/cmd/cosign/cli/signblob.go +++ b/cmd/cosign/cli/signblob.go @@ -20,12 +20,12 @@ import ( "fmt" "os" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign/env" "github.com/sigstore/sigstore-go/pkg/root" "github.com/spf13/cobra" "github.com/spf13/viper" diff --git a/cmd/cosign/cli/signingconfig.go b/cmd/cosign/cli/signingconfig.go index 088d2d53bfc..90c5347b311 100644 --- a/cmd/cosign/cli/signingconfig.go +++ b/cmd/cosign/cli/signingconfig.go 
@@ -17,8 +17,8 @@ package cli import ( "context" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/signingconfig" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/signingconfig" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/templates/templater.go b/cmd/cosign/cli/templates/templater.go index f2aa7f183ca..d86f43378c8 100644 --- a/cmd/cosign/cli/templates/templater.go +++ b/cmd/cosign/cli/templates/templater.go @@ -21,7 +21,7 @@ import ( "text/template" "unicode" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/templates/term" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/templates/term" "github.com/spf13/cobra" flag "github.com/spf13/pflag" ) diff --git a/cmd/cosign/cli/tree.go b/cmd/cosign/cli/tree.go index 521edffc8af..5e3535970cc 100644 --- a/cmd/cosign/cli/tree.go +++ b/cmd/cosign/cli/tree.go @@ -22,8 +22,8 @@ import ( "github.com/google/go-containerregistry/pkg/name" v1 "github.com/google/go-containerregistry/pkg/v1" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/triangulate.go b/cmd/cosign/cli/triangulate.go index 711b564d02e..c1ad0980502 100644 --- a/cmd/cosign/cli/triangulate.go +++ b/cmd/cosign/cli/triangulate.go @@ -18,8 +18,8 @@ package cli import ( "flag" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/triangulate" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/triangulate" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/triangulate/triangulate.go b/cmd/cosign/cli/triangulate/triangulate.go index 006c94277e6..3a5e558235e 100644 --- a/cmd/cosign/cli/triangulate/triangulate.go 
+++ b/cmd/cosign/cli/triangulate/triangulate.go @@ -21,9 +21,9 @@ import ( "os" "github.com/google/go-containerregistry/pkg/name" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/pkg/cosign" - ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/pkg/cosign" + ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote" ) func MungeCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef string, attachmentType string) error { diff --git a/cmd/cosign/cli/trustedroot.go b/cmd/cosign/cli/trustedroot.go index 70fa04bc53f..63857083a8f 100644 --- a/cmd/cosign/cli/trustedroot.go +++ b/cmd/cosign/cli/trustedroot.go @@ -18,8 +18,8 @@ package cli import ( "context" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/trustedroot" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/trustedroot" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/trustedroot/trustedroot.go b/cmd/cosign/cli/trustedroot/trustedroot.go index 762433cf3e2..b51198f80ef 100644 --- a/cmd/cosign/cli/trustedroot/trustedroot.go +++ b/cmd/cosign/cli/trustedroot/trustedroot.go @@ -30,7 +30,7 @@ import ( "strings" "time" - "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign" "github.com/sigstore/rekor-tiles/pkg/note" "github.com/sigstore/sigstore-go/pkg/root" "github.com/sigstore/sigstore/pkg/cryptoutils" diff --git a/cmd/cosign/cli/upload.go b/cmd/cosign/cli/upload.go index 69c8530d036..2e29144f509 100644 --- a/cmd/cosign/cli/upload.go +++ b/cmd/cosign/cli/upload.go 
@@ -18,8 +18,8 @@ package cli import ( "flag" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/upload" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/upload" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/upload/blob.go b/cmd/cosign/cli/upload/blob.go index 901775a9230..0f64ef92990 100644 --- a/cmd/cosign/cli/upload/blob.go +++ b/cmd/cosign/cli/upload/blob.go @@ -24,8 +24,8 @@ import ( "github.com/google/go-containerregistry/pkg/name" "github.com/google/go-containerregistry/pkg/v1/types" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - cremote "github.com/sigstore/cosign/v2/pkg/cosign/remote" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + cremote "github.com/sigstore/cosign/v3/pkg/cosign/remote" ) func BlobCmd(ctx context.Context, regOpts options.RegistryOptions, files []cremote.File, annotations map[string]string, contentType, imageRef string) error { diff --git a/cmd/cosign/cli/upload/wasm.go b/cmd/cosign/cli/upload/wasm.go index d1b8c0d2de6..b515f5afdb9 100644 --- a/cmd/cosign/cli/upload/wasm.go +++ b/cmd/cosign/cli/upload/wasm.go @@ -22,9 +22,9 @@ import ( "github.com/google/go-containerregistry/pkg/name" "github.com/google/go-containerregistry/pkg/v1/remote" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/pkg/oci/static" - "github.com/sigstore/cosign/v2/pkg/types" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/pkg/oci/static" + "github.com/sigstore/cosign/v3/pkg/types" ) func WasmCmd(ctx context.Context, regOpts options.RegistryOptions, wasmPath, imageRef string) error { diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go index 97006a73824..48d02c0cb7c 100644 --- a/cmd/cosign/cli/verify.go +++ b/cmd/cosign/cli/verify.go 
@@ -20,9 +20,9 @@ import ( "fmt" "github.com/google/go-containerregistry/pkg/name" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify" - "github.com/sigstore/cosign/v2/internal/ui" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/verify" + "github.com/sigstore/cosign/v3/internal/ui" "github.com/spf13/cobra" ) diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go index 86b714df371..4cc76ea88b8 100644 --- a/cmd/cosign/cli/verify/verify.go +++ b/cmd/cosign/cli/verify/verify.go 
@@ -30,20 +30,20 @@ import ( "github.com/google/go-containerregistry/pkg/name" "github.com/in-toto/in-toto-golang/in_toto" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign" - cosignError "github.com/sigstore/cosign/v2/cmd/cosign/errors" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/blob" - "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/cosign/env" - "github.com/sigstore/cosign/v2/pkg/cosign/pivkey" - "github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/static" - sigs "github.com/sigstore/cosign/v2/pkg/signature" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/fulcio" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign" + cosignError "github.com/sigstore/cosign/v3/cmd/cosign/errors" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/blob" + "github.com/sigstore/cosign/v3/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign/pivkey" + "github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/static" + sigs "github.com/sigstore/cosign/v3/pkg/signature" "github.com/sigstore/protobuf-specs/gen/pb-go/dsse" "github.com/sigstore/sigstore-go/pkg/root" "github.com/sigstore/sigstore/pkg/cryptoutils" diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go index 4536321c91c..cbcb19e4ef2 100644 --- a/cmd/cosign/cli/verify/verify_attestation.go +++ b/cmd/cosign/cli/verify/verify_attestation.go 
@@ -26,19 +26,19 @@ import ( "strings" "github.com/google/go-containerregistry/pkg/name" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/cosign/cue" - "github.com/sigstore/cosign/v2/pkg/cosign/env" - "github.com/sigstore/cosign/v2/pkg/cosign/pivkey" - "github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key" - "github.com/sigstore/cosign/v2/pkg/cosign/rego" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/policy" - sigs "github.com/sigstore/cosign/v2/pkg/signature" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/fulcio" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign/cue" + "github.com/sigstore/cosign/v3/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign/pivkey" + "github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key" + "github.com/sigstore/cosign/v3/pkg/cosign/rego" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/policy" + sigs "github.com/sigstore/cosign/v3/pkg/signature" "github.com/sigstore/sigstore-go/pkg/root" ) diff --git a/cmd/cosign/cli/verify/verify_attestation_test.go b/cmd/cosign/cli/verify/verify_attestation_test.go index ee3c0d99659..23288390acc 100644 --- a/cmd/cosign/cli/verify/verify_attestation_test.go +++ b/cmd/cosign/cli/verify/verify_attestation_test.go @@ -18,7 +18,7 @@ import ( "context" "testing" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" ) func TestVerifyAttestationMissingSubject(t *testing.T) { 
diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go index fb0bd081868..dd06cfc5c33 100644 --- a/cmd/cosign/cli/verify/verify_blob.go +++ b/cmd/cosign/cli/verify/verify_blob.go @@ -31,17 +31,17 @@ import ( "path/filepath" "strings" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/blob" - "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/cosign/bundle" - "github.com/sigstore/cosign/v2/pkg/cosign/env" - "github.com/sigstore/cosign/v2/pkg/cosign/pivkey" - "github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key" - "github.com/sigstore/cosign/v2/pkg/oci/static" - sigs "github.com/sigstore/cosign/v2/pkg/signature" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/blob" + "github.com/sigstore/cosign/v3/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign/pivkey" + "github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key" + "github.com/sigstore/cosign/v3/pkg/oci/static" + sigs "github.com/sigstore/cosign/v3/pkg/signature" sgbundle "github.com/sigstore/sigstore-go/pkg/bundle" "github.com/sigstore/sigstore-go/pkg/root" sgverify "github.com/sigstore/sigstore-go/pkg/verify" diff --git a/cmd/cosign/cli/verify/verify_blob_attestation.go b/cmd/cosign/cli/verify/verify_blob_attestation.go index a84f4f3b2c4..84a8aa47eb2 100644 --- a/cmd/cosign/cli/verify/verify_blob_attestation.go +++ b/cmd/cosign/cli/verify/verify_blob_attestation.go 
@@ -29,20 +29,20 @@ import ( "path/filepath" v1 "github.com/google/go-containerregistry/pkg/v1" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor" - internal "github.com/sigstore/cosign/v2/internal/pkg/cosign" - payloadsize "github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/blob" - "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/cosign/bundle" - "github.com/sigstore/cosign/v2/pkg/cosign/env" - "github.com/sigstore/cosign/v2/pkg/cosign/pivkey" - "github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key" - "github.com/sigstore/cosign/v2/pkg/oci/static" - "github.com/sigstore/cosign/v2/pkg/policy" - sigs "github.com/sigstore/cosign/v2/pkg/signature" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor" + internal "github.com/sigstore/cosign/v3/internal/pkg/cosign" + payloadsize "github.com/sigstore/cosign/v3/internal/pkg/cosign/payload/size" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/blob" + "github.com/sigstore/cosign/v3/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign/pivkey" + "github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key" + "github.com/sigstore/cosign/v3/pkg/oci/static" + "github.com/sigstore/cosign/v3/pkg/policy" + sigs "github.com/sigstore/cosign/v3/pkg/signature" sgbundle "github.com/sigstore/sigstore-go/pkg/bundle" "github.com/sigstore/sigstore-go/pkg/root" sgverify "github.com/sigstore/sigstore-go/pkg/verify" diff --git a/cmd/cosign/cli/verify/verify_blob_attestation_test.go b/cmd/cosign/cli/verify/verify_blob_attestation_test.go index 6f9314ee6ad..aba94036aec 100644 --- a/cmd/cosign/cli/verify/verify_blob_attestation_test.go 
+++ b/cmd/cosign/cli/verify/verify_blob_attestation_test.go @@ -25,8 +25,8 @@ import ( protodsse "github.com/sigstore/protobuf-specs/gen/pb-go/dsse" "google.golang.org/protobuf/encoding/protojson" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/pkg/cosign/bundle" ) const pubkey = `-----BEGIN PUBLIC KEY----- diff --git a/cmd/cosign/cli/verify/verify_blob_test.go b/cmd/cosign/cli/verify/verify_blob_test.go index 56e3291a0e6..24dddcdf872 100644 --- a/cmd/cosign/cli/verify/verify_blob_test.go +++ b/cmd/cosign/cli/verify/verify_blob_test.go @@ -38,13 +38,13 @@ import ( "github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer" "github.com/go-openapi/runtime" "github.com/go-openapi/swag/conv" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/mock" - "github.com/sigstore/cosign/v2/internal/test" - "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/cosign/bundle" - sigs "github.com/sigstore/cosign/v2/pkg/signature" - ctypes "github.com/sigstore/cosign/v2/pkg/types" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa/mock" + "github.com/sigstore/cosign/v3/internal/test" + "github.com/sigstore/cosign/v3/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign/bundle" + sigs "github.com/sigstore/cosign/v3/pkg/signature" + ctypes "github.com/sigstore/cosign/v3/pkg/types" protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" "github.com/sigstore/rekor/pkg/generated/models" diff --git a/cmd/cosign/cli/verify/verify_bundle.go b/cmd/cosign/cli/verify/verify_bundle.go index 3d876f9a5c5..ab43fb2b44a 100644 --- a/cmd/cosign/cli/verify/verify_bundle.go 
+++ b/cmd/cosign/cli/verify/verify_bundle.go @@ -35,7 +35,7 @@ import ( "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" - "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign" ) func checkNewBundle(bundlePath string) bool { diff --git a/cmd/cosign/cli/verify/verify_test.go b/cmd/cosign/cli/verify/verify_test.go index 8b44df1f107..0882a978847 100644 --- a/cmd/cosign/cli/verify/verify_test.go +++ b/cmd/cosign/cli/verify/verify_test.go @@ -35,13 +35,13 @@ import ( "testing" "github.com/google/go-containerregistry/pkg/name" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v2/internal/pkg/cosign/fulcio/fulcioroots" - "github.com/sigstore/cosign/v2/internal/test" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/static" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/internal/pkg/cosign/fulcio/fulcioroots" + "github.com/sigstore/cosign/v3/internal/test" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/static" "github.com/sigstore/sigstore/pkg/signature/payload" "github.com/stretchr/testify/assert" ) diff --git a/cmd/cosign/errors/exit_code_lookup.go b/cmd/cosign/errors/exit_code_lookup.go index 93d097ab79a..7b038d5a9fa 100644 --- a/cmd/cosign/errors/exit_code_lookup.go +++ b/cmd/cosign/errors/exit_code_lookup.go @@ -18,7 +18,7 @@ package errors import ( "errors" - cosignError "github.com/sigstore/cosign/v2/pkg/cosign" + cosignError "github.com/sigstore/cosign/v3/pkg/cosign" ) func LookupExitCodeForError(err interface{ error }) int { diff --git a/cmd/cosign/errors/exit_code_lookup_test.go b/cmd/cosign/errors/exit_code_lookup_test.go index 88ff7bef17c..edc2494cb6b 100644 
--- a/cmd/cosign/errors/exit_code_lookup_test.go +++ b/cmd/cosign/errors/exit_code_lookup_test.go @@ -19,7 +19,7 @@ import ( "fmt" "testing" - pkgError "github.com/sigstore/cosign/v2/pkg/cosign" + pkgError "github.com/sigstore/cosign/v3/pkg/cosign" ) func TestDefaultExitCodeReturnIfErrorTypeToExitCodeMappingDoesNotExist(t *testing.T) { diff --git a/cmd/cosign/main.go b/cmd/cosign/main.go index 50edaefcecc..1f87be21333 100644 --- a/cmd/cosign/main.go +++ b/cmd/cosign/main.go @@ -22,9 +22,9 @@ import ( "os" "strings" - "github.com/sigstore/cosign/v2/cmd/cosign/cli" - cosignError "github.com/sigstore/cosign/v2/cmd/cosign/errors" - "github.com/sigstore/cosign/v2/internal/ui" + "github.com/sigstore/cosign/v3/cmd/cosign/cli" + cosignError "github.com/sigstore/cosign/v3/cmd/cosign/errors" + "github.com/sigstore/cosign/v3/internal/ui" // Register the provider-specific plugins _ "github.com/sigstore/sigstore/pkg/signature/kms/aws" diff --git a/cmd/help/main.go b/cmd/help/main.go index c91eb8b3bac..88e31e04277 100644 --- a/cmd/help/main.go +++ b/cmd/help/main.go @@ -18,9 +18,9 @@ import ( "fmt" "os" - "github.com/sigstore/cosign/v2/cmd/cosign/cli" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/templates" - errors "github.com/sigstore/cosign/v2/cmd/cosign/errors" + "github.com/sigstore/cosign/v3/cmd/cosign/cli" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/templates" + errors "github.com/sigstore/cosign/v3/cmd/cosign/errors" "github.com/spf13/cobra" "github.com/spf13/cobra/doc" ) diff --git a/go.mod b/go.mod index 233fce169c9..9c4180ea2da 100644 --- a/go.mod +++ b/go.mod @@ -1,4 +1,4 @@ -module github.com/sigstore/cosign/v2 +module github.com/sigstore/cosign/v3 go 1.24.6 diff --git a/internal/auth/auth.go b/internal/auth/auth.go index f820cfb7305..6a9e64a1221 100644 --- a/internal/auth/auth.go +++ b/internal/auth/auth.go 
@@ -22,9 +22,9 @@ import ( "github.com/go-jose/go-jose/v4" "github.com/go-jose/go-jose/v4/jwt" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign/privacy" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/providers" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign/privacy" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/providers" "github.com/sigstore/sigstore-go/pkg/root" "github.com/sigstore/sigstore/pkg/oauthflow" "golang.org/x/term" diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go index 77633ad525a..8b1d32fbb38 100644 --- a/internal/auth/auth_test.go +++ b/internal/auth/auth_test.go @@ -21,7 +21,7 @@ import ( "path/filepath" "testing" - "github.com/sigstore/cosign/v2/pkg/providers" + "github.com/sigstore/cosign/v3/pkg/providers" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/key/svkeypair.go b/internal/key/svkeypair.go index 5bbf822d49e..eee7d2eacc1 100644 --- a/internal/key/svkeypair.go +++ b/internal/key/svkeypair.go @@ -27,7 +27,7 @@ import ( "errors" "fmt" - "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign" protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" diff --git a/internal/pkg/cosign/dsse.go b/internal/pkg/cosign/dsse.go index 690e534508a..d33730fbf8b 100644 --- a/internal/pkg/cosign/dsse.go +++ b/internal/pkg/cosign/dsse.go @@ -19,7 +19,7 @@ import ( "crypto" "io" - "github.com/sigstore/cosign/v2/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci" ) // DSSEAttestor creates attestations in the form of `oci.Signature`s diff --git a/internal/pkg/cosign/ephemeral/signer.go b/internal/pkg/cosign/ephemeral/signer.go index 801dcabcd02..9e304a7bc24 100644 --- a/internal/pkg/cosign/ephemeral/signer.go +++ b/internal/pkg/cosign/ephemeral/signer.go 
@@ -22,10 +22,10 @@ import ( "fmt" "io" - icosign "github.com/sigstore/cosign/v2/internal/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/static" + icosign "github.com/sigstore/cosign/v3/internal/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/static" "github.com/sigstore/sigstore/pkg/signature" ) diff --git a/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go b/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go index 3b44da88420..c68af1994b3 100644 --- a/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go +++ b/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go @@ -22,7 +22,7 @@ import ( "os" "sync" - "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign/env" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/fulcioroots" ) diff --git a/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots_test.go b/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots_test.go index 479c0575394..4c7095b60f4 100644 --- a/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots_test.go +++ b/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots_test.go @@ -19,7 +19,7 @@ import ( "sync" "testing" - "github.com/sigstore/cosign/v2/internal/test" + "github.com/sigstore/cosign/v3/internal/test" "github.com/sigstore/sigstore/pkg/cryptoutils" ) diff --git a/internal/pkg/cosign/fulcio/signer.go b/internal/pkg/cosign/fulcio/signer.go index fb805425f04..371c85bfae3 100644 --- a/internal/pkg/cosign/fulcio/signer.go +++ b/internal/pkg/cosign/fulcio/signer.go 
@@ -19,9 +19,9 @@ import ( "crypto" "io" - "github.com/sigstore/cosign/v2/internal/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/mutate" + "github.com/sigstore/cosign/v3/internal/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/mutate" ) // signerWrapper still needs to actually upload keys to Fulcio and receive diff --git a/internal/pkg/cosign/fulcio/signer_test.go b/internal/pkg/cosign/fulcio/signer_test.go index 5bac26fb87b..9119ae07e38 100644 --- a/internal/pkg/cosign/fulcio/signer_test.go +++ b/internal/pkg/cosign/fulcio/signer_test.go @@ -21,8 +21,8 @@ import ( "strings" "testing" - "github.com/sigstore/cosign/v2/internal/pkg/cosign/payload" - "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v3/internal/pkg/cosign/payload" + "github.com/sigstore/cosign/v3/pkg/cosign" "github.com/sigstore/sigstore/pkg/signature" ) diff --git a/internal/pkg/cosign/payload/attestor.go b/internal/pkg/cosign/payload/attestor.go index d7bbb16c0a6..5c407124f97 100644 --- a/internal/pkg/cosign/payload/attestor.go +++ b/internal/pkg/cosign/payload/attestor.go @@ -22,10 +22,10 @@ import ( "io" "github.com/secure-systems-lab/go-securesystemslib/dsse" - "github.com/sigstore/cosign/v2/internal/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/static" - "github.com/sigstore/cosign/v2/pkg/types" + "github.com/sigstore/cosign/v3/internal/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/static" + "github.com/sigstore/cosign/v3/pkg/types" "github.com/sigstore/sigstore/pkg/signature" ) diff --git a/internal/pkg/cosign/payload/attestor_test.go b/internal/pkg/cosign/payload/attestor_test.go index 23cf90d2f9a..3e80c364829 100644 --- a/internal/pkg/cosign/payload/attestor_test.go +++ b/internal/pkg/cosign/payload/attestor_test.go 
@@ -24,7 +24,7 @@ import ( "testing" "github.com/secure-systems-lab/go-securesystemslib/dsse" - "github.com/sigstore/cosign/v2/pkg/types" + "github.com/sigstore/cosign/v3/pkg/types" "github.com/sigstore/sigstore/pkg/signature" ) diff --git a/internal/pkg/cosign/payload/signer.go b/internal/pkg/cosign/payload/signer.go index 6cefbe3a656..c9b1ff9e5d0 100644 --- a/internal/pkg/cosign/payload/signer.go +++ b/internal/pkg/cosign/payload/signer.go @@ -22,9 +22,9 @@ import ( "fmt" "io" - "github.com/sigstore/cosign/v2/internal/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/static" + "github.com/sigstore/cosign/v3/internal/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/static" "github.com/sigstore/sigstore/pkg/signature" signatureoptions "github.com/sigstore/sigstore/pkg/signature/options" ) diff --git a/internal/pkg/cosign/payload/signer_test.go b/internal/pkg/cosign/payload/signer_test.go index d2ccf7dcb24..9f3bb55ce71 100644 --- a/internal/pkg/cosign/payload/signer_test.go +++ b/internal/pkg/cosign/payload/signer_test.go @@ -21,7 +21,7 @@ import ( "strings" "testing" - "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign" "github.com/sigstore/sigstore/pkg/signature" ) diff --git a/internal/pkg/cosign/payload/size/size.go b/internal/pkg/cosign/payload/size/size.go index f867477c732..aac4dca2c5b 100644 --- a/internal/pkg/cosign/payload/size/size.go +++ b/internal/pkg/cosign/payload/size/size.go @@ -16,7 +16,7 @@ package payload import ( "github.com/dustin/go-humanize" - "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign/env" ) const defaultMaxSize = uint64(134217728) // 128MiB diff --git a/internal/pkg/cosign/rekor/signer.go b/internal/pkg/cosign/rekor/signer.go index 2fa5e2595ef..a32c3afbd59 100644 --- a/internal/pkg/cosign/rekor/signer.go +++ b/internal/pkg/cosign/rekor/signer.go 
@@ -23,11 +23,11 @@ import ( "io" "os" - "github.com/sigstore/cosign/v2/internal/pkg/cosign" - cosignv1 "github.com/sigstore/cosign/v2/pkg/cosign" - cbundle "github.com/sigstore/cosign/v2/pkg/cosign/bundle" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/mutate" + "github.com/sigstore/cosign/v3/internal/pkg/cosign" + cosignv1 "github.com/sigstore/cosign/v3/pkg/cosign" + cbundle "github.com/sigstore/cosign/v3/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/mutate" "github.com/sigstore/rekor/pkg/generated/client" "github.com/sigstore/rekor/pkg/generated/models" diff --git a/internal/pkg/cosign/rekor/signer_test.go b/internal/pkg/cosign/rekor/signer_test.go index 0469662157b..b524f121731 100644 --- a/internal/pkg/cosign/rekor/signer_test.go +++ b/internal/pkg/cosign/rekor/signer_test.go @@ -22,9 +22,9 @@ import ( "testing" "github.com/go-openapi/swag/conv" - "github.com/sigstore/cosign/v2/internal/pkg/cosign/payload" - "github.com/sigstore/cosign/v2/internal/pkg/cosign/rekor/mock" - "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v3/internal/pkg/cosign/payload" + "github.com/sigstore/cosign/v3/internal/pkg/cosign/rekor/mock" + "github.com/sigstore/cosign/v3/pkg/cosign" "github.com/sigstore/rekor/pkg/generated/client" "github.com/sigstore/rekor/pkg/generated/models" "github.com/sigstore/sigstore/pkg/signature" diff --git a/internal/pkg/cosign/sign.go b/internal/pkg/cosign/sign.go index b2f746daee4..93873c101be 100644 --- a/internal/pkg/cosign/sign.go +++ b/internal/pkg/cosign/sign.go @@ -19,7 +19,7 @@ import ( "crypto" "io" - "github.com/sigstore/cosign/v2/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci" ) // Signer signs payloads in the form of `oci.Signature`s diff --git a/internal/pkg/cosign/tsa/mock/mock_tsa_client.go b/internal/pkg/cosign/tsa/mock/mock_tsa_client.go index f85b5f0a8b6..ccb9a0598b9 100644 
--- a/internal/pkg/cosign/tsa/mock/mock_tsa_client.go +++ b/internal/pkg/cosign/tsa/mock/mock_tsa_client.go @@ -24,7 +24,7 @@ import ( "time" "github.com/digitorus/timestamp" - "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client" + "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa/client" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" "github.com/sigstore/timestamp-authority/pkg/signer" diff --git a/internal/pkg/cosign/tsa/signer.go b/internal/pkg/cosign/tsa/signer.go index 9fb0b66b407..721117a7d58 100644 --- a/internal/pkg/cosign/tsa/signer.go +++ b/internal/pkg/cosign/tsa/signer.go @@ -24,11 +24,11 @@ import ( "strings" "github.com/digitorus/timestamp" - "github.com/sigstore/cosign/v2/internal/pkg/cosign" - "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client" - "github.com/sigstore/cosign/v2/pkg/cosign/bundle" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/mutate" + "github.com/sigstore/cosign/v3/internal/pkg/cosign" + "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa/client" + "github.com/sigstore/cosign/v3/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/mutate" "github.com/sigstore/sigstore/pkg/cryptoutils" ) diff --git a/internal/pkg/cosign/tsa/signer_test.go b/internal/pkg/cosign/tsa/signer_test.go index 4cb136b5de6..c06de523569 100644 --- a/internal/pkg/cosign/tsa/signer_test.go +++ b/internal/pkg/cosign/tsa/signer_test.go @@ -22,9 +22,9 @@ import ( "testing" "time" - "github.com/sigstore/cosign/v2/internal/pkg/cosign/payload" - "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/mock" - "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v3/internal/pkg/cosign/payload" + "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa/mock" + "github.com/sigstore/cosign/v3/pkg/cosign" "github.com/sigstore/sigstore/pkg/signature" ) 
diff --git a/internal/pkg/cosign/tsa/utils_test.go b/internal/pkg/cosign/tsa/utils_test.go index 4a7951b46df..a0769ab9aaa 100644 --- a/internal/pkg/cosign/tsa/utils_test.go +++ b/internal/pkg/cosign/tsa/utils_test.go @@ -19,7 +19,7 @@ import ( "reflect" "testing" - "github.com/sigstore/cosign/v2/internal/test" + "github.com/sigstore/cosign/v3/internal/test" "github.com/sigstore/sigstore/pkg/cryptoutils" ) diff --git a/internal/ui/log_test.go b/internal/ui/log_test.go index b1172367f02..01b96aad044 100644 --- a/internal/ui/log_test.go +++ b/internal/ui/log_test.go @@ -17,7 +17,7 @@ import ( "context" "testing" - "github.com/sigstore/cosign/v2/internal/ui" + "github.com/sigstore/cosign/v3/internal/ui" "github.com/stretchr/testify/assert" ) diff --git a/internal/ui/prompt_test.go b/internal/ui/prompt_test.go index 26c97ca49d1..3910d9b8bdf 100644 --- a/internal/ui/prompt_test.go +++ b/internal/ui/prompt_test.go @@ -19,7 +19,7 @@ import ( "errors" "testing" - "github.com/sigstore/cosign/v2/internal/ui" + "github.com/sigstore/cosign/v3/internal/ui" "github.com/stretchr/testify/assert" ) diff --git a/pkg/cosign/bundle/sign.go b/pkg/cosign/bundle/sign.go index 45a91aab981..2b944d9ead6 100644 --- a/pkg/cosign/bundle/sign.go +++ b/pkg/cosign/bundle/sign.go @@ -22,7 +22,7 @@ import ( "log" "time" - "github.com/sigstore/cosign/v2/internal/ui" + "github.com/sigstore/cosign/v3/internal/ui" "github.com/sigstore/sigstore-go/pkg/root" "github.com/sigstore/sigstore-go/pkg/sign" "github.com/sigstore/sigstore/pkg/signature" diff --git a/pkg/cosign/ctlog.go b/pkg/cosign/ctlog.go index 9f2ebc3d5ec..5ad76a00b14 100644 --- a/pkg/cosign/ctlog.go +++ b/pkg/cosign/ctlog.go @@ -20,7 +20,7 @@ import ( "fmt" "os" - "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign/env" "github.com/sigstore/sigstore/pkg/tuf" ) diff --git a/pkg/cosign/fetch.go b/pkg/cosign/fetch.go index 709333ac77f..53e3ce34a38 100644 --- a/pkg/cosign/fetch.go +++ b/pkg/cosign/fetch.go 
@@ -28,9 +28,9 @@ import ( "github.com/google/go-containerregistry/pkg/name" "github.com/in-toto/in-toto-golang/in_toto" - "github.com/sigstore/cosign/v2/pkg/cosign/bundle" - "github.com/sigstore/cosign/v2/pkg/oci" - ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" + "github.com/sigstore/cosign/v3/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/pkg/oci" + ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote" "golang.org/x/sync/errgroup" ) diff --git a/pkg/cosign/fuzz_test.go b/pkg/cosign/fuzz_test.go index 0ea3e39036b..9cf9afc579f 100644 --- a/pkg/cosign/fuzz_test.go +++ b/pkg/cosign/fuzz_test.go @@ -24,7 +24,7 @@ import ( "github.com/google/go-containerregistry/pkg/name" v1 "github.com/google/go-containerregistry/pkg/v1" - "github.com/sigstore/cosign/v2/pkg/oci/mutate" + "github.com/sigstore/cosign/v3/pkg/oci/mutate" ) var ( diff --git a/pkg/cosign/git/git.go b/pkg/cosign/git/git.go index b4380f2c137..4a1b81d0ece 100644 --- a/pkg/cosign/git/git.go +++ b/pkg/cosign/git/git.go @@ -18,9 +18,9 @@ package git import ( "context" - "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/cosign/git/github" - "github.com/sigstore/cosign/v2/pkg/cosign/git/gitlab" + "github.com/sigstore/cosign/v3/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign/git/github" + "github.com/sigstore/cosign/v3/pkg/cosign/git/gitlab" ) var providerMap = map[string]Git{ diff --git a/pkg/cosign/git/github/github.go b/pkg/cosign/git/github/github.go index 3b8ce918308..07ff3634108 100644 --- a/pkg/cosign/git/github/github.go +++ b/pkg/cosign/git/github/github.go @@ -29,8 +29,8 @@ import ( "golang.org/x/crypto/nacl/box" "golang.org/x/oauth2" - "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign/env" ) const ( diff --git a/pkg/cosign/git/gitlab/gitlab.go b/pkg/cosign/git/gitlab/gitlab.go index b1246913218..1c25b5fe74e 100644 
--- a/pkg/cosign/git/gitlab/gitlab.go +++ b/pkg/cosign/git/gitlab/gitlab.go @@ -21,9 +21,9 @@ import ( "io" "os" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign/env" gitlab "gitlab.com/gitlab-org/api/client-go" ) diff --git a/pkg/cosign/keys.go b/pkg/cosign/keys.go index 29d498b6a4a..26d7ed49059 100644 --- a/pkg/cosign/keys.go +++ b/pkg/cosign/keys.go @@ -30,7 +30,7 @@ import ( "path/filepath" "github.com/secure-systems-lab/go-securesystemslib/encrypted" - "github.com/sigstore/cosign/v2/pkg/oci/static" + "github.com/sigstore/cosign/v3/pkg/oci/static" v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" diff --git a/pkg/cosign/kubernetes/secret.go b/pkg/cosign/kubernetes/secret.go index 11289888192..3aaa0f16364 100644 --- a/pkg/cosign/kubernetes/secret.go +++ b/pkg/cosign/kubernetes/secret.go @@ -21,7 +21,7 @@ import ( "os" "strings" - "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign" v1 "k8s.io/api/core/v1" k8serrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" diff --git a/pkg/cosign/kubernetes/secret_test.go b/pkg/cosign/kubernetes/secret_test.go index d626d9eada6..4b257ce31db 100644 --- a/pkg/cosign/kubernetes/secret_test.go +++ b/pkg/cosign/kubernetes/secret_test.go @@ -18,7 +18,7 @@ import ( "reflect" "testing" - "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/utils/ptr" diff --git a/pkg/cosign/obsolete.go b/pkg/cosign/obsolete.go index 817f05bead0..66ceed55678 100644 --- a/pkg/cosign/obsolete.go +++ b/pkg/cosign/obsolete.go 
@@ -19,7 +19,7 @@ import ( "context" "github.com/google/go-containerregistry/pkg/name" - "github.com/sigstore/cosign/v2/internal/ui" + "github.com/sigstore/cosign/v3/internal/ui" "github.com/sigstore/sigstore/pkg/signature/payload" ) diff --git a/pkg/cosign/obsolete_test.go b/pkg/cosign/obsolete_test.go index b03ddb91312..22b2b1c8098 100644 --- a/pkg/cosign/obsolete_test.go +++ b/pkg/cosign/obsolete_test.go @@ -20,7 +20,7 @@ import ( "testing" "github.com/google/go-containerregistry/pkg/name" - "github.com/sigstore/cosign/v2/internal/ui" + "github.com/sigstore/cosign/v3/internal/ui" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/pkg/cosign/pkcs11key/pkcs11key.go b/pkg/cosign/pkcs11key/pkcs11key.go index c034a3f4fac..50dfb1ed178 100644 --- a/pkg/cosign/pkcs11key/pkcs11key.go +++ b/pkg/cosign/pkcs11key/pkcs11key.go @@ -34,7 +34,7 @@ import ( "github.com/ThalesIgnite/crypto11" "github.com/miekg/pkcs11" - "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign/env" "github.com/sigstore/sigstore/pkg/signature" "golang.org/x/term" ) diff --git a/pkg/cosign/pkcs11key/util.go b/pkg/cosign/pkcs11key/util.go index beb74a70770..ce30a873ef4 100644 --- a/pkg/cosign/pkcs11key/util.go +++ b/pkg/cosign/pkcs11key/util.go @@ -21,7 +21,7 @@ import ( "strconv" "strings" - "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign/env" ) const ( diff --git a/pkg/cosign/remote/index.go b/pkg/cosign/remote/index.go index f14f42911cf..e62d875d0ad 100644 --- a/pkg/cosign/remote/index.go +++ b/pkg/cosign/remote/index.go @@ -27,7 +27,7 @@ import ( "github.com/google/go-containerregistry/pkg/v1/mutate" "github.com/google/go-containerregistry/pkg/v1/remote" "github.com/google/go-containerregistry/pkg/v1/types" - "github.com/sigstore/cosign/v2/pkg/oci/static" + "github.com/sigstore/cosign/v3/pkg/oci/static" ) type File interface { 
diff --git a/pkg/cosign/remote/remote.go b/pkg/cosign/remote/remote.go index 5c1b800af1c..8c46a65dbcd 100644 --- a/pkg/cosign/remote/remote.go +++ b/pkg/cosign/remote/remote.go @@ -22,9 +22,9 @@ import ( "fmt" "os" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/mutate" - "github.com/sigstore/cosign/v2/pkg/oci/static" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/mutate" + "github.com/sigstore/cosign/v3/pkg/oci/static" "github.com/sigstore/sigstore/pkg/signature" ) diff --git a/pkg/cosign/tlog.go b/pkg/cosign/tlog.go index cb8c10de525..875dc2a3975 100644 --- a/pkg/cosign/tlog.go +++ b/pkg/cosign/tlog.go @@ -32,9 +32,9 @@ import ( "github.com/go-openapi/strfmt" "github.com/go-openapi/swag" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/cosign/bundle" - "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/pkg/cosign/env" "github.com/sigstore/rekor/pkg/generated/client" "github.com/sigstore/rekor/pkg/generated/client/entries" "github.com/sigstore/rekor/pkg/generated/models" diff --git a/pkg/cosign/tsa.go b/pkg/cosign/tsa.go index 425639e4625..b97b96bb4c6 100644 --- a/pkg/cosign/tsa.go +++ b/pkg/cosign/tsa.go @@ -24,7 +24,7 @@ import ( "os" "github.com/secure-systems-lab/go-securesystemslib/dsse" - "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign/env" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/tuf" ) diff --git a/pkg/cosign/tuf.go b/pkg/cosign/tuf.go index 22d7a804af8..bf664b4bc4e 100644 --- a/pkg/cosign/tuf.go +++ b/pkg/cosign/tuf.go 
@@ -21,7 +21,7 @@ import ( "os" "path/filepath" - "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign/env" "github.com/sigstore/sigstore-go/pkg/root" "github.com/sigstore/sigstore-go/pkg/tuf" ) diff --git a/pkg/cosign/verifiers.go b/pkg/cosign/verifiers.go index 41f82491907..391a05b796b 100644 --- a/pkg/cosign/verifiers.go +++ b/pkg/cosign/verifiers.go @@ -25,7 +25,7 @@ import ( "github.com/in-toto/in-toto-golang/in_toto" "github.com/secure-systems-lab/go-securesystemslib/dsse" - "github.com/sigstore/cosign/v2/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci" "github.com/sigstore/sigstore/pkg/signature/payload" ) diff --git a/pkg/cosign/verifiers_test.go b/pkg/cosign/verifiers_test.go index 81633dcbff5..766d2300ac0 100644 --- a/pkg/cosign/verifiers_test.go +++ b/pkg/cosign/verifiers_test.go @@ -18,7 +18,7 @@ import ( "testing" v1 "github.com/google/go-containerregistry/pkg/v1" - "github.com/sigstore/cosign/v2/pkg/oci/static" + "github.com/sigstore/cosign/v3/pkg/oci/static" ) /* diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go index 215bd2cfa7b..8d4e56b8260 100644 --- a/pkg/cosign/verify.go +++ b/pkg/cosign/verify.go 
@@ -44,16 +44,16 @@ import ( "github.com/google/go-containerregistry/pkg/v1/remote/transport" "github.com/nozzle/throttler" ssldsse "github.com/secure-systems-lab/go-securesystemslib/dsse" - "github.com/sigstore/cosign/v2/internal/pkg/cosign" - ociexperimental "github.com/sigstore/cosign/v2/internal/pkg/oci/remote" - "github.com/sigstore/cosign/v2/internal/ui" - "github.com/sigstore/cosign/v2/pkg/blob" - cbundle "github.com/sigstore/cosign/v2/pkg/cosign/bundle" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/layout" - ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" - "github.com/sigstore/cosign/v2/pkg/oci/static" - "github.com/sigstore/cosign/v2/pkg/types" + "github.com/sigstore/cosign/v3/internal/pkg/cosign" + ociexperimental "github.com/sigstore/cosign/v3/internal/pkg/oci/remote" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/blob" + cbundle "github.com/sigstore/cosign/v3/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/layout" + ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote" + "github.com/sigstore/cosign/v3/pkg/oci/static" + "github.com/sigstore/cosign/v3/pkg/types" protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" "github.com/sigstore/rekor/pkg/generated/client" "github.com/sigstore/rekor/pkg/generated/models" diff --git a/pkg/cosign/verify_bundle_test.go b/pkg/cosign/verify_bundle_test.go index e3f9cd38b24..57cdcb286a5 100644 --- a/pkg/cosign/verify_bundle_test.go +++ b/pkg/cosign/verify_bundle_test.go @@ -27,7 +27,7 @@ import ( "fmt" "testing" - "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign" protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" sgbundle "github.com/sigstore/sigstore-go/pkg/bundle" 
diff --git a/pkg/cosign/verify_oci_test.go b/pkg/cosign/verify_oci_test.go index 39672ce329a..f9d44b7c379 100644 --- a/pkg/cosign/verify_oci_test.go +++ b/pkg/cosign/verify_oci_test.go @@ -30,7 +30,7 @@ import ( "github.com/stretchr/testify/assert" "google.golang.org/protobuf/proto" - ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" + ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote" sgbundle "github.com/sigstore/sigstore-go/pkg/bundle" "github.com/sigstore/sigstore-go/pkg/root" ) diff --git a/pkg/cosign/verify_sct.go b/pkg/cosign/verify_sct.go index 444c488149c..fc5e7d75051 100644 --- a/pkg/cosign/verify_sct.go +++ b/pkg/cosign/verify_sct.go @@ -25,7 +25,7 @@ import ( ct "github.com/google/certificate-transparency-go" ctx509 "github.com/google/certificate-transparency-go/x509" "github.com/google/certificate-transparency-go/x509util" - "github.com/sigstore/cosign/v2/pkg/cosign/fulcioverifier/ctutil" + "github.com/sigstore/cosign/v3/pkg/cosign/fulcioverifier/ctutil" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/tuf" diff --git a/pkg/cosign/verify_test.go b/pkg/cosign/verify_test.go index 24d6f98be7c..0d4160364bc 100644 --- a/pkg/cosign/verify_test.go +++ b/pkg/cosign/verify_test.go 
@@ -44,15 +44,15 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/in-toto/in-toto-golang/in_toto" "github.com/secure-systems-lab/go-securesystemslib/dsse" - "github.com/sigstore/cosign/v2/internal/pkg/cosign/payload" - "github.com/sigstore/cosign/v2/internal/pkg/cosign/rekor/mock" - "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa" - tsaMock "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/mock" - "github.com/sigstore/cosign/v2/internal/test" - "github.com/sigstore/cosign/v2/pkg/cosign/bundle" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/static" - "github.com/sigstore/cosign/v2/pkg/types" + "github.com/sigstore/cosign/v3/internal/pkg/cosign/payload" + "github.com/sigstore/cosign/v3/internal/pkg/cosign/rekor/mock" + "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa" + tsaMock "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa/mock" + "github.com/sigstore/cosign/v3/internal/test" + "github.com/sigstore/cosign/v3/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/static" + "github.com/sigstore/cosign/v3/pkg/types" "github.com/sigstore/rekor/pkg/generated/client" "github.com/sigstore/rekor/pkg/generated/client/entries" "github.com/sigstore/rekor/pkg/generated/models" diff --git a/pkg/oci/empty/empty.go b/pkg/oci/empty/empty.go index 599ad08f8ef..65d86542378 100644 --- a/pkg/oci/empty/empty.go +++ b/pkg/oci/empty/empty.go @@ -21,7 +21,7 @@ import ( "github.com/google/go-containerregistry/pkg/v1/mutate" "github.com/google/go-containerregistry/pkg/v1/types" - "github.com/sigstore/cosign/v2/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci" ) // Signatures constructs an empty oci.Signatures. diff --git a/pkg/oci/empty/empty_test.go b/pkg/oci/empty/empty_test.go index c9aad1fc23d..ba123ca61ff 100644 --- a/pkg/oci/empty/empty_test.go +++ b/pkg/oci/empty/empty_test.go 
@@ -21,7 +21,7 @@ import ( "github.com/google/go-containerregistry/pkg/v1/types" - "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign/env" ) func TestEmptyImage(t *testing.T) { diff --git a/pkg/oci/empty/signed.go b/pkg/oci/empty/signed.go index 9847e128c4a..385ed0e2b5d 100644 --- a/pkg/oci/empty/signed.go +++ b/pkg/oci/empty/signed.go @@ -22,7 +22,7 @@ import ( "github.com/google/go-containerregistry/pkg/name" v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/empty" - "github.com/sigstore/cosign/v2/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci" ) type signedImage struct { diff --git a/pkg/oci/internal/signature/layer.go b/pkg/oci/internal/signature/layer.go index 4bd5e456c77..8106e983558 100644 --- a/pkg/oci/internal/signature/layer.go +++ b/pkg/oci/internal/signature/layer.go @@ -24,9 +24,9 @@ import ( "strings" v1 "github.com/google/go-containerregistry/pkg/v1" - payloadsize "github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size" - "github.com/sigstore/cosign/v2/pkg/cosign/bundle" - "github.com/sigstore/cosign/v2/pkg/oci" + payloadsize "github.com/sigstore/cosign/v3/internal/pkg/cosign/payload/size" + "github.com/sigstore/cosign/v3/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/pkg/oci" "github.com/sigstore/sigstore/pkg/cryptoutils" ) diff --git a/pkg/oci/internal/signature/layer_test.go b/pkg/oci/internal/signature/layer_test.go index d3895f9c42a..ef61de523b1 100644 --- a/pkg/oci/internal/signature/layer_test.go +++ b/pkg/oci/internal/signature/layer_test.go @@ -28,7 +28,7 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/random" "github.com/google/go-containerregistry/pkg/v1/types" - "github.com/sigstore/cosign/v2/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/pkg/cosign/bundle" ) func mustDecode(s string) []byte { 
diff --git a/pkg/oci/layout/index.go b/pkg/oci/layout/index.go index 1242740dc69..e122301a6af 100644 --- a/pkg/oci/layout/index.go +++ b/pkg/oci/layout/index.go @@ -20,8 +20,8 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/layout" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/signed" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/signed" ) const ( diff --git a/pkg/oci/layout/signatures.go b/pkg/oci/layout/signatures.go index 80541f11a07..ca169d46757 100644 --- a/pkg/oci/layout/signatures.go +++ b/pkg/oci/layout/signatures.go @@ -17,8 +17,8 @@ package layout import ( v1 "github.com/google/go-containerregistry/pkg/v1" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/internal/signature" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/internal/signature" ) const maxLayers = 1000 diff --git a/pkg/oci/layout/write.go b/pkg/oci/layout/write.go index c3c8c2055d7..2917d5f5e44 100644 --- a/pkg/oci/layout/write.go +++ b/pkg/oci/layout/write.go @@ -21,7 +21,7 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/empty" "github.com/google/go-containerregistry/pkg/v1/layout" - "github.com/sigstore/cosign/v2/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci" ) // WriteSignedImage writes the image and all related signatures, attestations and attachments diff --git a/pkg/oci/layout/write_test.go b/pkg/oci/layout/write_test.go index 823a27329f0..8e47254c358 100644 --- a/pkg/oci/layout/write_test.go +++ b/pkg/oci/layout/write_test.go 
@@ -23,15 +23,15 @@ import ( "github.com/google/go-cmp/cmp" v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/random" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/mutate" - "github.com/sigstore/cosign/v2/pkg/oci/signed" - "github.com/sigstore/cosign/v2/pkg/oci/static" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/mutate" + "github.com/sigstore/cosign/v3/pkg/oci/signed" + "github.com/sigstore/cosign/v3/pkg/oci/static" ) func TestReadWrite(t *testing.T) { if runtime.GOOS == "windows" { - t.Skip("test is flaky on windows, see https://github.com/sigstore/cosign/v2/issues/1389") + t.Skip("test is flaky on windows, see https://github.com/sigstore/cosign/issues/1389") } // write random signed image to disk si := randomSignedImage(t) diff --git a/pkg/oci/mediatypes.go b/pkg/oci/mediatypes.go index a189047720b..c23862f9b69 100644 --- a/pkg/oci/mediatypes.go +++ b/pkg/oci/mediatypes.go @@ -18,7 +18,7 @@ package oci import ( "strconv" - "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign/env" ) const ( diff --git a/pkg/oci/mutate/map.go b/pkg/oci/mutate/map.go index 8c31fc1892b..8af264aa4c8 100644 --- a/pkg/oci/mutate/map.go +++ b/pkg/oci/mutate/map.go @@ -24,7 +24,7 @@ import ( "github.com/google/go-containerregistry/pkg/v1/empty" "github.com/google/go-containerregistry/pkg/v1/mutate" "github.com/google/go-containerregistry/pkg/v1/types" - "github.com/sigstore/cosign/v2/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci" ) // Fn is the signature of the callback supplied to Map. diff --git a/pkg/oci/mutate/map_test.go b/pkg/oci/mutate/map_test.go index b243de17c85..d1cbe585ff3 100644 --- a/pkg/oci/mutate/map_test.go +++ b/pkg/oci/mutate/map_test.go 
@@ -23,8 +23,8 @@ import ( "github.com/google/go-containerregistry/pkg/v1/mutate" "github.com/google/go-containerregistry/pkg/v1/random" "github.com/google/go-containerregistry/pkg/v1/types" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/signed" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/signed" ) func TestMapImage(t *testing.T) { diff --git a/pkg/oci/mutate/mutate.go b/pkg/oci/mutate/mutate.go index 59ba2c0c0ff..f7e83087b3b 100644 --- a/pkg/oci/mutate/mutate.go +++ b/pkg/oci/mutate/mutate.go @@ -21,9 +21,9 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/mutate" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/empty" - "github.com/sigstore/cosign/v2/pkg/oci/signed" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/empty" + "github.com/sigstore/cosign/v3/pkg/oci/signed" ) // Appendable is our signed version of mutate.Appendable diff --git a/pkg/oci/mutate/mutate_test.go b/pkg/oci/mutate/mutate_test.go index b0e85be2a43..f6e93e39055 100644 --- a/pkg/oci/mutate/mutate_test.go +++ b/pkg/oci/mutate/mutate_test.go @@ -25,9 +25,9 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/mutate" "github.com/google/go-containerregistry/pkg/v1/random" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/signed" - "github.com/sigstore/cosign/v2/pkg/oci/static" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/signed" + "github.com/sigstore/cosign/v3/pkg/oci/static" ) func TestAppendManifests(t *testing.T) { diff --git a/pkg/oci/mutate/options.go b/pkg/oci/mutate/options.go index 342eea4e7c5..9299cfd223a 100644 --- a/pkg/oci/mutate/options.go +++ b/pkg/oci/mutate/options.go 
@@ -17,8 +17,8 @@ package mutate import ( "github.com/google/go-containerregistry/pkg/v1/types" - "github.com/sigstore/cosign/v2/pkg/cosign/bundle" - "github.com/sigstore/cosign/v2/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/pkg/oci" ) // DupeDetector scans a list of signatures looking for a duplicate. diff --git a/pkg/oci/mutate/signature.go b/pkg/oci/mutate/signature.go index f9b36a03abb..ad1cd018518 100644 --- a/pkg/oci/mutate/signature.go +++ b/pkg/oci/mutate/signature.go @@ -23,9 +23,9 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/types" - "github.com/sigstore/cosign/v2/pkg/cosign/bundle" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/static" + "github.com/sigstore/cosign/v3/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/static" "github.com/sigstore/sigstore/pkg/cryptoutils" ) diff --git a/pkg/oci/mutate/signature_test.go b/pkg/oci/mutate/signature_test.go index 578fe4fcbd7..ba4a1f6daf3 100644 --- a/pkg/oci/mutate/signature_test.go +++ b/pkg/oci/mutate/signature_test.go @@ -21,9 +21,9 @@ import ( "github.com/google/go-cmp/cmp" "github.com/google/go-containerregistry/pkg/v1/types" - "github.com/sigstore/cosign/v2/pkg/cosign/bundle" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/static" + "github.com/sigstore/cosign/v3/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/static" ) var ( diff --git a/pkg/oci/mutate/signatures.go b/pkg/oci/mutate/signatures.go index 75a1053802e..ede9f678ffd 100644 --- a/pkg/oci/mutate/signatures.go +++ b/pkg/oci/mutate/signatures.go 
@@ -18,9 +18,9 @@ package mutate import ( v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/mutate" - "github.com/sigstore/cosign/v2/internal/pkg/now" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/empty" + "github.com/sigstore/cosign/v3/internal/pkg/now" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/empty" ) const maxLayers = 1000 diff --git a/pkg/oci/mutate/signatures_test.go b/pkg/oci/mutate/signatures_test.go index 1a0bf6d5a69..6c525e11eee 100644 --- a/pkg/oci/mutate/signatures_test.go +++ b/pkg/oci/mutate/signatures_test.go @@ -21,9 +21,9 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/types" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/empty" - "github.com/sigstore/cosign/v2/pkg/oci/static" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/empty" + "github.com/sigstore/cosign/v3/pkg/oci/static" ) func TestAppendSignatures(t *testing.T) { diff --git a/pkg/oci/platform/platform.go b/pkg/oci/platform/platform.go index a2939d73660..b06e754fd00 100644 --- a/pkg/oci/platform/platform.go +++ b/pkg/oci/platform/platform.go @@ -19,7 +19,7 @@ import ( "strings" v1 "github.com/google/go-containerregistry/pkg/v1" - "github.com/sigstore/cosign/v2/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci" ) type List []struct { diff --git a/pkg/oci/remote/image.go b/pkg/oci/remote/image.go index 8c6eda5ff0e..30d30a7d53d 100644 --- a/pkg/oci/remote/image.go +++ b/pkg/oci/remote/image.go @@ -23,7 +23,7 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/partial" "github.com/google/go-containerregistry/pkg/v1/remote/transport" - "github.com/sigstore/cosign/v2/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci" ) var ErrImageNotFound = errors.New("image not found in registry") 
diff --git a/pkg/oci/remote/index.go b/pkg/oci/remote/index.go index 6269e9bfaaf..0aad7480d7f 100644 --- a/pkg/oci/remote/index.go +++ b/pkg/oci/remote/index.go @@ -22,7 +22,7 @@ import ( "github.com/google/go-containerregistry/pkg/name" v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/remote/transport" - "github.com/sigstore/cosign/v2/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci" ) // SignedImageIndex provides access to a remote index reference, and its signatures. diff --git a/pkg/oci/remote/index_test.go b/pkg/oci/remote/index_test.go index 93e841808c9..8ef16012c35 100644 --- a/pkg/oci/remote/index_test.go +++ b/pkg/oci/remote/index_test.go @@ -25,7 +25,7 @@ import ( "github.com/google/go-containerregistry/pkg/v1/random" "github.com/google/go-containerregistry/pkg/v1/remote" "github.com/google/go-containerregistry/pkg/v1/types" - "github.com/sigstore/cosign/v2/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci" ) func TestSignedImageIndex(t *testing.T) { diff --git a/pkg/oci/remote/options.go b/pkg/oci/remote/options.go index 6eeaadd0105..c29c2970aeb 100644 --- a/pkg/oci/remote/options.go +++ b/pkg/oci/remote/options.go @@ -21,7 +21,7 @@ import ( "github.com/google/go-containerregistry/pkg/authn" "github.com/google/go-containerregistry/pkg/name" "github.com/google/go-containerregistry/pkg/v1/remote" - "github.com/sigstore/cosign/v2/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign/env" ) const ( diff --git a/pkg/oci/remote/remote.go b/pkg/oci/remote/remote.go index fc8ea148c5e..ad554ced1ea 100644 --- a/pkg/oci/remote/remote.go +++ b/pkg/oci/remote/remote.go 
@@ -26,9 +26,9 @@ import ( "github.com/google/go-containerregistry/pkg/v1/remote" "github.com/google/go-containerregistry/pkg/v1/remote/transport" "github.com/google/go-containerregistry/pkg/v1/types" - payloadsize "github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size" - ociexperimental "github.com/sigstore/cosign/v2/internal/pkg/oci/remote" - "github.com/sigstore/cosign/v2/pkg/oci" + payloadsize "github.com/sigstore/cosign/v3/internal/pkg/cosign/payload/size" + ociexperimental "github.com/sigstore/cosign/v3/internal/pkg/oci/remote" + "github.com/sigstore/cosign/v3/pkg/oci" ) // These enable mocking for unit testing without faking an entire registry. diff --git a/pkg/oci/remote/signatures.go b/pkg/oci/remote/signatures.go index bde786ae28c..24a3e4dc8e6 100644 --- a/pkg/oci/remote/signatures.go +++ b/pkg/oci/remote/signatures.go @@ -25,9 +25,9 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/partial" "github.com/google/go-containerregistry/pkg/v1/remote/transport" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/empty" - "github.com/sigstore/cosign/v2/pkg/oci/internal/signature" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/empty" + "github.com/sigstore/cosign/v3/pkg/oci/internal/signature" sgbundle "github.com/sigstore/sigstore-go/pkg/bundle" ) diff --git a/pkg/oci/remote/unknown.go b/pkg/oci/remote/unknown.go index 90a0fc9acb1..8ddb9f5a045 100644 --- a/pkg/oci/remote/unknown.go +++ b/pkg/oci/remote/unknown.go @@ -18,7 +18,7 @@ package remote import ( "github.com/google/go-containerregistry/pkg/name" v1 "github.com/google/go-containerregistry/pkg/v1" - "github.com/sigstore/cosign/v2/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci" ) // SignedUnknown provides access to signed metadata without directly accessing diff --git a/pkg/oci/remote/write.go b/pkg/oci/remote/write.go index 20758b55261..0e73c951c24 100644 
--- a/pkg/oci/remote/write.go +++ b/pkg/oci/remote/write.go @@ -27,9 +27,9 @@ import ( "github.com/google/go-containerregistry/pkg/v1/remote" "github.com/google/go-containerregistry/pkg/v1/static" "github.com/google/go-containerregistry/pkg/v1/types" - ociexperimental "github.com/sigstore/cosign/v2/internal/pkg/oci/remote" - "github.com/sigstore/cosign/v2/pkg/oci" - ctypes "github.com/sigstore/cosign/v2/pkg/types" + ociexperimental "github.com/sigstore/cosign/v3/internal/pkg/oci/remote" + "github.com/sigstore/cosign/v3/pkg/oci" + ctypes "github.com/sigstore/cosign/v3/pkg/types" sgbundle "github.com/sigstore/sigstore-go/pkg/bundle" ) diff --git a/pkg/oci/remote/write_test.go b/pkg/oci/remote/write_test.go index 89f3e58928d..b507c0bd046 100644 --- a/pkg/oci/remote/write_test.go +++ b/pkg/oci/remote/write_test.go @@ -26,10 +26,10 @@ import ( "github.com/google/go-containerregistry/pkg/v1/remote" "github.com/google/go-containerregistry/pkg/v1/static" "github.com/google/go-containerregistry/pkg/v1/types" - "github.com/sigstore/cosign/v2/pkg/oci/mutate" - "github.com/sigstore/cosign/v2/pkg/oci/signed" - cosignstatic "github.com/sigstore/cosign/v2/pkg/oci/static" - ctypes "github.com/sigstore/cosign/v2/pkg/types" + "github.com/sigstore/cosign/v3/pkg/oci/mutate" + "github.com/sigstore/cosign/v3/pkg/oci/signed" + cosignstatic "github.com/sigstore/cosign/v3/pkg/oci/static" + ctypes "github.com/sigstore/cosign/v3/pkg/types" ) func TestWriteSignatures(t *testing.T) { diff --git a/pkg/oci/signature/layer.go b/pkg/oci/signature/layer.go index 4bd5e456c77..8106e983558 100644 --- a/pkg/oci/signature/layer.go +++ b/pkg/oci/signature/layer.go 
@@ -24,9 +24,9 @@ import ( "strings" v1 "github.com/google/go-containerregistry/pkg/v1" - payloadsize "github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size" - "github.com/sigstore/cosign/v2/pkg/cosign/bundle" - "github.com/sigstore/cosign/v2/pkg/oci" + payloadsize "github.com/sigstore/cosign/v3/internal/pkg/cosign/payload/size" + "github.com/sigstore/cosign/v3/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/pkg/oci" "github.com/sigstore/sigstore/pkg/cryptoutils" ) diff --git a/pkg/oci/signature/layer_test.go b/pkg/oci/signature/layer_test.go index e88157d2150..ac894278266 100644 --- a/pkg/oci/signature/layer_test.go +++ b/pkg/oci/signature/layer_test.go @@ -28,7 +28,7 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/random" "github.com/google/go-containerregistry/pkg/v1/types" - "github.com/sigstore/cosign/v2/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/pkg/cosign/bundle" ) func mustDecode(s string) []byte { diff --git a/pkg/oci/signatures.go b/pkg/oci/signatures.go index 32f2f890c03..92526319506 100644 --- a/pkg/oci/signatures.go +++ b/pkg/oci/signatures.go @@ -19,7 +19,7 @@ import ( "crypto/x509" v1 "github.com/google/go-containerregistry/pkg/v1" - "github.com/sigstore/cosign/v2/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/pkg/cosign/bundle" ) // Signatures represents a set of signatures that are associated with a particular diff --git a/pkg/oci/signed/image.go b/pkg/oci/signed/image.go index 2bcade64b02..ccdc383efab 100644 --- a/pkg/oci/signed/image.go +++ b/pkg/oci/signed/image.go @@ -20,8 +20,8 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/empty" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/empty" ) // Image returns an oci.SignedImage form of the v1.Image with no signatures. 
diff --git a/pkg/oci/signed/index.go b/pkg/oci/signed/index.go index b686b4f62e5..61da79403c2 100644 --- a/pkg/oci/signed/index.go +++ b/pkg/oci/signed/index.go @@ -20,8 +20,8 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/empty" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/empty" ) // ImageIndex returns an oci.SignedImageIndex form of the v1.ImageIndex with diff --git a/pkg/oci/signed/index_test.go b/pkg/oci/signed/index_test.go index 11523187df8..55c71b1baf5 100644 --- a/pkg/oci/signed/index_test.go +++ b/pkg/oci/signed/index_test.go @@ -22,7 +22,7 @@ import ( "github.com/google/go-containerregistry/pkg/v1/mutate" "github.com/google/go-containerregistry/pkg/v1/random" "github.com/google/go-containerregistry/pkg/v1/types" - "github.com/sigstore/cosign/v2/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci" ) func TestImageIndex(t *testing.T) { diff --git a/pkg/oci/static/file.go b/pkg/oci/static/file.go index 18ec65c3af8..5297d8666d0 100644 --- a/pkg/oci/static/file.go +++ b/pkg/oci/static/file.go @@ -22,10 +22,10 @@ import ( "github.com/google/go-containerregistry/pkg/v1/empty" "github.com/google/go-containerregistry/pkg/v1/mutate" "github.com/google/go-containerregistry/pkg/v1/types" - payloadsize "github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size" - "github.com/sigstore/cosign/v2/internal/pkg/now" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/pkg/oci/signed" + payloadsize "github.com/sigstore/cosign/v3/internal/pkg/cosign/payload/size" + "github.com/sigstore/cosign/v3/internal/pkg/now" + "github.com/sigstore/cosign/v3/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/oci/signed" ) // NewFile constructs a new v1.Image with the provided payload. diff --git a/pkg/oci/static/options.go b/pkg/oci/static/options.go index b240fb228ae..f0515992ea4 100644 --- a/pkg/oci/static/options.go 
+++ b/pkg/oci/static/options.go @@ -19,8 +19,8 @@ import ( "encoding/json" "github.com/google/go-containerregistry/pkg/v1/types" - "github.com/sigstore/cosign/v2/pkg/cosign/bundle" - ctypes "github.com/sigstore/cosign/v2/pkg/types" + "github.com/sigstore/cosign/v3/pkg/cosign/bundle" + ctypes "github.com/sigstore/cosign/v3/pkg/types" ) // Option is a functional option for customizing static signatures. diff --git a/pkg/oci/static/options_test.go b/pkg/oci/static/options_test.go index d63ec0fb01a..0f07dee2b0d 100644 --- a/pkg/oci/static/options_test.go +++ b/pkg/oci/static/options_test.go @@ -21,8 +21,8 @@ import ( "github.com/google/go-cmp/cmp" "github.com/google/go-containerregistry/pkg/v1/types" - cbundle "github.com/sigstore/cosign/v2/pkg/cosign/bundle" - ctypes "github.com/sigstore/cosign/v2/pkg/types" + cbundle "github.com/sigstore/cosign/v3/pkg/cosign/bundle" + ctypes "github.com/sigstore/cosign/v3/pkg/types" ) func TestOptions(t *testing.T) { diff --git a/pkg/oci/static/signature.go b/pkg/oci/static/signature.go index 406386347f2..817c7c6786f 100644 --- a/pkg/oci/static/signature.go +++ b/pkg/oci/static/signature.go @@ -23,8 +23,8 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/types" - "github.com/sigstore/cosign/v2/pkg/cosign/bundle" - "github.com/sigstore/cosign/v2/pkg/oci" + "github.com/sigstore/cosign/v3/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/pkg/oci" "github.com/sigstore/sigstore/pkg/cryptoutils" ) diff --git a/pkg/oci/static/signature_test.go b/pkg/oci/static/signature_test.go index 1ca8e96e3df..07096a8275d 100644 --- a/pkg/oci/static/signature_test.go +++ b/pkg/oci/static/signature_test.go 
@@ -24,7 +24,7 @@ import (
 "github.com/google/go-cmp/cmp"
 v1 "github.com/google/go-containerregistry/pkg/v1"
 "github.com/google/go-containerregistry/pkg/v1/types"
- "github.com/sigstore/cosign/v2/pkg/cosign/bundle"
+ "github.com/sigstore/cosign/v3/pkg/cosign/bundle"
 )
 func TestNewSignatureBasic(t *testing.T) {
diff --git a/pkg/oci/walk/walk.go b/pkg/oci/walk/walk.go
index 097d05bfa30..ec40c62b8da 100644
--- a/pkg/oci/walk/walk.go
+++ b/pkg/oci/walk/walk.go
@@ -18,8 +18,8 @@ package walk
 import (
 "context"
- "github.com/sigstore/cosign/v2/pkg/oci"
- "github.com/sigstore/cosign/v2/pkg/oci/mutate"
+ "github.com/sigstore/cosign/v3/pkg/oci"
+ "github.com/sigstore/cosign/v3/pkg/oci/mutate"
 )
 // Fn is the signature of the callback supplied to SignedEntity.
diff --git a/pkg/oci/walk/walk_test.go b/pkg/oci/walk/walk_test.go
index 8ba5b225508..3f2d3d7a56f 100644
--- a/pkg/oci/walk/walk_test.go
+++ b/pkg/oci/walk/walk_test.go
@@ -22,8 +22,8 @@ import (
 "github.com/google/go-containerregistry/pkg/v1/mutate"
 "github.com/google/go-containerregistry/pkg/v1/random"
- "github.com/sigstore/cosign/v2/pkg/oci"
- "github.com/sigstore/cosign/v2/pkg/oci/signed"
+ "github.com/sigstore/cosign/v3/pkg/oci"
+ "github.com/sigstore/cosign/v3/pkg/oci/signed"
 )
 func TestMapImage(t *testing.T) {
diff --git a/pkg/policy/attestation.go b/pkg/policy/attestation.go
index 63377d44221..04c53bc7a00 100644
--- a/pkg/policy/attestation.go
+++ b/pkg/policy/attestation.go
@@ -23,9 +23,9 @@ import (
 "fmt"
 "github.com/in-toto/in-toto-golang/in_toto"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/pkg/cosign/attestation"
- "github.com/sigstore/cosign/v2/pkg/oci"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/pkg/cosign/attestation"
+ "github.com/sigstore/cosign/v3/pkg/oci"
 )
 // PayloadProvider is a subset of oci.Signature that only provides the
diff --git a/pkg/policy/attestation_test.go b/pkg/policy/attestation_test.go
index 908f0696081..193a0faeff4 100644
--- a/pkg/policy/attestation_test.go
+++ b/pkg/policy/attestation_test.go
@@ -29,10 +29,10 @@ import (
 v1 "github.com/google/go-containerregistry/pkg/v1"
 "github.com/google/go-containerregistry/pkg/v1/types"
 "github.com/in-toto/in-toto-golang/in_toto"
- "github.com/sigstore/cosign/v2/pkg/cosign/attestation"
- "github.com/sigstore/cosign/v2/pkg/cosign/bundle"
- "github.com/sigstore/cosign/v2/pkg/oci"
- "github.com/sigstore/cosign/v2/pkg/oci/static"
+ "github.com/sigstore/cosign/v3/pkg/cosign/attestation"
+ "github.com/sigstore/cosign/v3/pkg/cosign/bundle"
+ "github.com/sigstore/cosign/v3/pkg/oci"
+ "github.com/sigstore/cosign/v3/pkg/oci/static"
 )
 type failingAttestation struct {
diff --git a/pkg/policy/eval.go b/pkg/policy/eval.go
index 9e33a8a005d..b29d86b342a 100644
--- a/pkg/policy/eval.go
+++ b/pkg/policy/eval.go
@@ -20,7 +20,7 @@ import (
 "fmt"
 "cuelang.org/go/cue/cuecontext"
- "github.com/sigstore/cosign/v2/pkg/cosign/rego"
+ "github.com/sigstore/cosign/v3/pkg/cosign/rego"
 )
 // EvaluatePolicyAgainstJson is used to run a policy engine against JSON bytes.
diff --git a/pkg/providers/all/all.go b/pkg/providers/all/all.go
index 6f5952e7e98..7082e4c6e81 100644
--- a/pkg/providers/all/all.go
+++ b/pkg/providers/all/all.go
@@ -16,20 +16,20 @@ package all
 import (
- "github.com/sigstore/cosign/v2/pkg/providers"
+ "github.com/sigstore/cosign/v3/pkg/providers"
 // Link in all of the providers.
 // Link the GitHub one first, since we might be running in a GitHub self-hosted
 // runner running in one of the other environments, and we should prefer GitHub
 // credentials if we can find them.
- _ "github.com/sigstore/cosign/v2/pkg/providers/github"
+ _ "github.com/sigstore/cosign/v3/pkg/providers/github"
 // Link in the rest of the providers.
- _ "github.com/sigstore/cosign/v2/pkg/providers/buildkite"
- _ "github.com/sigstore/cosign/v2/pkg/providers/envvar"
- _ "github.com/sigstore/cosign/v2/pkg/providers/filesystem"
- _ "github.com/sigstore/cosign/v2/pkg/providers/google"
- _ "github.com/sigstore/cosign/v2/pkg/providers/spiffe"
+ _ "github.com/sigstore/cosign/v3/pkg/providers/buildkite"
+ _ "github.com/sigstore/cosign/v3/pkg/providers/envvar"
+ _ "github.com/sigstore/cosign/v3/pkg/providers/filesystem"
+ _ "github.com/sigstore/cosign/v3/pkg/providers/google"
+ _ "github.com/sigstore/cosign/v3/pkg/providers/spiffe"
 )
 // Alias these methods, so that folks can import this to get all providers.
diff --git a/pkg/providers/buildkite/buildkite.go b/pkg/providers/buildkite/buildkite.go
index f225e68d1f7..63991710184 100644
--- a/pkg/providers/buildkite/buildkite.go
+++ b/pkg/providers/buildkite/buildkite.go
@@ -22,8 +22,8 @@ import (
 "github.com/buildkite/agent/v3/api"
 "github.com/buildkite/agent/v3/logger"
- "github.com/sigstore/cosign/v2/pkg/cosign/env"
- "github.com/sigstore/cosign/v2/pkg/providers"
+ "github.com/sigstore/cosign/v3/pkg/cosign/env"
+ "github.com/sigstore/cosign/v3/pkg/providers"
 )
 func init() {
diff --git a/pkg/providers/envvar/env.go b/pkg/providers/envvar/env.go
index 67de28fa953..d6c9df85a83 100644
--- a/pkg/providers/envvar/env.go
+++ b/pkg/providers/envvar/env.go
@@ -18,8 +18,8 @@ package envvar
 import (
 "context"
- "github.com/sigstore/cosign/v2/pkg/cosign/env"
- "github.com/sigstore/cosign/v2/pkg/providers"
+ "github.com/sigstore/cosign/v3/pkg/cosign/env"
+ "github.com/sigstore/cosign/v3/pkg/providers"
 )
 func init() {
diff --git a/pkg/providers/envvar/env_test.go b/pkg/providers/envvar/env_test.go
index cdc8f2ae9f3..2ecd28a8e9d 100644
--- a/pkg/providers/envvar/env_test.go
+++ b/pkg/providers/envvar/env_test.go
@@ -20,7 +20,7 @@ import (
 "fmt"
 "testing"
- "github.com/sigstore/cosign/v2/pkg/cosign/env"
+ "github.com/sigstore/cosign/v3/pkg/cosign/env"
 )
 func TestEnvVar(t *testing.T) {
diff --git a/pkg/providers/filesystem/filesystem.go b/pkg/providers/filesystem/filesystem.go
index 56b57c34720..334aaf67dd5 100644
--- a/pkg/providers/filesystem/filesystem.go
+++ b/pkg/providers/filesystem/filesystem.go
@@ -19,7 +19,7 @@ import (
 "context"
 "os"
- "github.com/sigstore/cosign/v2/pkg/providers"
+ "github.com/sigstore/cosign/v3/pkg/providers"
 )
 func init() {
diff --git a/pkg/providers/github/github.go b/pkg/providers/github/github.go
index f7427d57857..e8bd1baebe9 100644
--- a/pkg/providers/github/github.go
+++ b/pkg/providers/github/github.go
@@ -24,8 +24,8 @@ import (
 "strings"
 "time"
- "github.com/sigstore/cosign/v2/pkg/cosign/env"
- "github.com/sigstore/cosign/v2/pkg/providers"
+ "github.com/sigstore/cosign/v3/pkg/cosign/env"
+ "github.com/sigstore/cosign/v3/pkg/providers"
 )
 const (
diff --git a/pkg/providers/google/google.go b/pkg/providers/google/google.go
index fc186dcfc50..30e3e5119e2 100644
--- a/pkg/providers/google/google.go
+++ b/pkg/providers/google/google.go
@@ -23,8 +23,8 @@ import (
 "google.golang.org/api/idtoken"
 "google.golang.org/api/impersonate"
- "github.com/sigstore/cosign/v2/pkg/cosign/env"
- "github.com/sigstore/cosign/v2/pkg/providers"
+ "github.com/sigstore/cosign/v3/pkg/cosign/env"
+ "github.com/sigstore/cosign/v3/pkg/providers"
 )
 func init() {
diff --git a/pkg/providers/spiffe/spiffe.go b/pkg/providers/spiffe/spiffe.go
index 2e134ca7af0..3672f1e6960 100644
--- a/pkg/providers/spiffe/spiffe.go
+++ b/pkg/providers/spiffe/spiffe.go
@@ -21,8 +21,8 @@ import (
 "github.com/spiffe/go-spiffe/v2/svid/jwtsvid"
- "github.com/sigstore/cosign/v2/pkg/cosign/env"
- "github.com/sigstore/cosign/v2/pkg/providers"
+ "github.com/sigstore/cosign/v3/pkg/cosign/env"
+ "github.com/sigstore/cosign/v3/pkg/providers"
 "github.com/spiffe/go-spiffe/v2/workloadapi"
 )
diff --git a/pkg/signature/keys.go b/pkg/signature/keys.go
index a396d096865..3b7879a6f4f 100644
--- a/pkg/signature/keys.go
+++ b/pkg/signature/keys.go
@@ -21,12 +21,12 @@ import (
 "fmt"
 "strings"
- "github.com/sigstore/cosign/v2/pkg/blob"
- "github.com/sigstore/cosign/v2/pkg/cosign"
- "github.com/sigstore/cosign/v2/pkg/cosign/git"
- "github.com/sigstore/cosign/v2/pkg/cosign/git/gitlab"
- "github.com/sigstore/cosign/v2/pkg/cosign/kubernetes"
- "github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key"
+ "github.com/sigstore/cosign/v3/pkg/blob"
+ "github.com/sigstore/cosign/v3/pkg/cosign"
+ "github.com/sigstore/cosign/v3/pkg/cosign/git"
+ "github.com/sigstore/cosign/v3/pkg/cosign/git/gitlab"
+ "github.com/sigstore/cosign/v3/pkg/cosign/kubernetes"
+ "github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key"
 "github.com/sigstore/sigstore/pkg/cryptoutils"
 "github.com/sigstore/sigstore/pkg/signature"
diff --git a/pkg/signature/keys_test.go b/pkg/signature/keys_test.go
index 631625a62a1..7e2710ab2bc 100644
--- a/pkg/signature/keys_test.go
+++ b/pkg/signature/keys_test.go
@@ -21,8 +21,8 @@ import (
 "os"
 "testing"
- "github.com/sigstore/cosign/v2/pkg/blob"
- "github.com/sigstore/cosign/v2/pkg/cosign"
+ "github.com/sigstore/cosign/v3/pkg/blob"
+ "github.com/sigstore/cosign/v3/pkg/cosign"
 sigsignature "github.com/sigstore/sigstore/pkg/signature"
 "github.com/sigstore/sigstore/pkg/signature/kms"
 )
diff --git a/test/config/gettoken/gettoken.yaml b/test/config/gettoken/gettoken.yaml
index 16012b072fb..e5608621268 100644
--- a/test/config/gettoken/gettoken.yaml
+++ b/test/config/gettoken/gettoken.yaml
@@ -21,7 +21,7 @@ spec:
 spec:
 containers:
 - name: gettoken
- image: ko://github.com/sigstore/cosign/v2/test/cmd/getoidctoken
+ image: ko://github.com/sigstore/cosign/v3/test/cmd/getoidctoken
 env:
 - name: OIDC_FILE
 value: "/var/run/sigstore/cosign/oidc-token"
diff --git a/test/e2e_attach_test.go b/test/e2e_attach_test.go
index 879fd170ddd..e07bd9ca59e 100644
--- a/test/e2e_attach_test.go
+++ b/test/e2e_attach_test.go
@@ -38,17 +38,17 @@ import (
 "github.com/google/go-cmp/cmp"
 "github.com/google/go-containerregistry/pkg/name"
 "github.com/google/go-containerregistry/pkg/v1/types"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/attach"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/download"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- cliverify "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
- "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa"
- "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client"
- cert_test "github.com/sigstore/cosign/v2/internal/test"
- "github.com/sigstore/cosign/v2/pkg/cosign"
- "github.com/sigstore/cosign/v2/pkg/cosign/bundle"
- ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/attach"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/download"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ cliverify "github.com/sigstore/cosign/v3/cmd/cosign/cli/verify"
+ "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa"
+ "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa/client"
+ cert_test "github.com/sigstore/cosign/v3/internal/test"
+ "github.com/sigstore/cosign/v3/pkg/cosign"
+ "github.com/sigstore/cosign/v3/pkg/cosign/bundle"
+ ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote"
 tsaclient "github.com/sigstore/timestamp-authority/pkg/client"
 "github.com/sigstore/timestamp-authority/pkg/server"
 "github.com/spf13/viper"
diff --git a/test/e2e_insecure_registry_test.go b/test/e2e_insecure_registry_test.go
index 0da6ec6380d..aa826ff91a7 100644
--- a/test/e2e_insecure_registry_test.go
+++ b/test/e2e_insecure_registry_test.go
@@ -27,11 +27,11 @@ import (
 "github.com/google/go-containerregistry/pkg/name"
 "github.com/google/go-containerregistry/pkg/v1/random"
 "github.com/google/go-containerregistry/pkg/v1/remote"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
- cliverify "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
- "github.com/sigstore/cosign/v2/pkg/cosign/env"
- ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign"
+ cliverify "github.com/sigstore/cosign/v3/cmd/cosign/cli/verify"
+ "github.com/sigstore/cosign/v3/pkg/cosign/env"
+ ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote"
 )
 const (
diff --git a/test/e2e_kms_test.go b/test/e2e_kms_test.go
index 0050c2a39d4..9337c97320f 100644
--- a/test/e2e_kms_test.go
+++ b/test/e2e_kms_test.go
@@ -22,10 +22,10 @@ import (
 "path"
 "testing"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
- "github.com/sigstore/cosign/v2/pkg/cosign/env"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign"
+ "github.com/sigstore/cosign/v3/pkg/cosign/env"
 _ "github.com/sigstore/sigstore/pkg/signature/kms/hashivault"
 )
diff --git a/test/e2e_test.go b/test/e2e_test.go
index ce40f6ba1d7..70bd92891c3 100644
--- a/test/e2e_test.go
+++ b/test/e2e_test.go
@@ -49,30 +49,30 @@ import (
 "k8s.io/client-go/tools/clientcmd"
 // Initialize all known client auth plugins
- "github.com/sigstore/cosign/v2/cmd/cosign/cli"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/attach"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/attest"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/dockerfile"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/download"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/initialize"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/manifest"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/publickey"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/signingconfig"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/trustedroot"
- cliverify "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
- "github.com/sigstore/cosign/v2/internal/pkg/cosign/fulcio/fulcioroots"
- "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa"
- "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client"
- cert_test "github.com/sigstore/cosign/v2/internal/test"
- "github.com/sigstore/cosign/v2/pkg/cosign"
- "github.com/sigstore/cosign/v2/pkg/cosign/bundle"
- "github.com/sigstore/cosign/v2/pkg/cosign/env"
- "github.com/sigstore/cosign/v2/pkg/cosign/kubernetes"
- "github.com/sigstore/cosign/v2/pkg/oci/mutate"
- ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/attach"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/attest"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/dockerfile"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/download"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/initialize"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/manifest"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/publickey"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/signingconfig"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/trustedroot"
+ cliverify "github.com/sigstore/cosign/v3/cmd/cosign/cli/verify"
+ "github.com/sigstore/cosign/v3/internal/pkg/cosign/fulcio/fulcioroots"
+ "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa"
+ "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa/client"
+ cert_test "github.com/sigstore/cosign/v3/internal/test"
+ "github.com/sigstore/cosign/v3/pkg/cosign"
+ "github.com/sigstore/cosign/v3/pkg/cosign/bundle"
+ "github.com/sigstore/cosign/v3/pkg/cosign/env"
+ "github.com/sigstore/cosign/v3/pkg/cosign/kubernetes"
+ "github.com/sigstore/cosign/v3/pkg/oci/mutate"
+ ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote"
 v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
 "github.com/sigstore/sigstore-go/pkg/root"
 "github.com/sigstore/sigstore/pkg/cryptoutils"
diff --git a/test/e2e_test_pkcs11.sh b/test/e2e_test_pkcs11.sh
index 703ce7c7beb..03f980f9327 100755
--- a/test/e2e_test_pkcs11.sh
+++ b/test/e2e_test_pkcs11.sh
@@ -36,7 +36,7 @@ apk add go@edge
 cd /root/cosign
 softhsm2-util --init-token --free --label "My Token" --pin 1234 --so-pin 1234
-go test -v -cover -coverprofile=./cover.out -tags=softhsm,pkcs11key -coverpkg github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key test/pkcs11_test.go
+go test -v -cover -coverprofile=./cover.out -tags=softhsm,pkcs11key -coverpkg github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key test/pkcs11_test.go
 EOF
diff --git a/test/e2e_tsa_test.go b/test/e2e_tsa_test.go
index e46e1ccc70d..cd23d26199e 100644
--- a/test/e2e_tsa_test.go
+++ b/test/e2e_tsa_test.go
@@ -27,11 +27,11 @@ import (
 "time"
 "github.com/secure-systems-lab/go-securesystemslib/encrypted"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
- cliverify "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
- cert_test "github.com/sigstore/cosign/v2/internal/test"
- "github.com/sigstore/cosign/v2/pkg/cosign"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign"
+ cliverify "github.com/sigstore/cosign/v3/cmd/cosign/cli/verify"
+ cert_test "github.com/sigstore/cosign/v3/internal/test"
+ "github.com/sigstore/cosign/v3/pkg/cosign"
 tsaclient "github.com/sigstore/timestamp-authority/pkg/client"
 tsaserver "github.com/sigstore/timestamp-authority/pkg/server"
 "github.com/spf13/viper"
diff --git a/test/fuzz/oss_fuzz_build.sh b/test/fuzz/oss_fuzz_build.sh
index 0c0c949fd5c..48416184d49 100755
--- a/test/fuzz/oss_fuzz_build.sh
+++ b/test/fuzz/oss_fuzz_build.sh
@@ -17,12 +17,12 @@ go get github.com/AdamKorcz/go-118-fuzz-build/testing
 mv ./pkg/cosign/keys_test.go ./pkg/cosign/keys_test_keep_in_fuzz_scope.go
-compile_native_go_fuzzer github.com/sigstore/cosign/v2/pkg/cosign/attestation FuzzGenerateStatement FuzzGenerateStatement
-compile_native_go_fuzzer github.com/sigstore/cosign/v2/pkg/cosign/cue FuzzValidateJSON FuzzValidateJSON_cue
-compile_native_go_fuzzer github.com/sigstore/cosign/v2/pkg/cosign/rego FuzzValidateJSON FuzzValidateJSON_rego
-compile_native_go_fuzzer github.com/sigstore/cosign/v2/pkg/cosign FuzzImportKeyPairLoadPrivateKey FuzzImportKeyPairLoadPrivateKey
-compile_native_go_fuzzer github.com/sigstore/cosign/v2/pkg/cosign FuzzSigVerify FuzzSigVerify
-compile_native_go_fuzzer github.com/sigstore/cosign/v2/pkg/policy FuzzEvaluatePolicyAgainstJSON FuzzEvaluatePolicyAgainstJSON
+compile_native_go_fuzzer github.com/sigstore/cosign/v3/pkg/cosign/attestation FuzzGenerateStatement FuzzGenerateStatement
+compile_native_go_fuzzer github.com/sigstore/cosign/v3/pkg/cosign/cue FuzzValidateJSON FuzzValidateJSON_cue
+compile_native_go_fuzzer github.com/sigstore/cosign/v3/pkg/cosign/rego FuzzValidateJSON FuzzValidateJSON_rego
+compile_native_go_fuzzer github.com/sigstore/cosign/v3/pkg/cosign FuzzImportKeyPairLoadPrivateKey FuzzImportKeyPairLoadPrivateKey
+compile_native_go_fuzzer github.com/sigstore/cosign/v3/pkg/cosign FuzzSigVerify FuzzSigVerify
+compile_native_go_fuzzer github.com/sigstore/cosign/v3/pkg/policy FuzzEvaluatePolicyAgainstJSON FuzzEvaluatePolicyAgainstJSON
 zip -j $OUT/FuzzEvaluatePolicyAgainstJSON_seed_corpus.zip test/fuzz/seeds/FuzzEvaluatePolicyAgainstJSON_seed*
 zip -j $OUT/FuzzEvaluatePolicyAgainstJSON_seed_corpus.zip $SRC/go-fuzz-corpus/json/corpus/*
diff --git a/test/helpers.go b/test/helpers.go
index ccaf632c654..46ed4291b3b 100644
--- a/test/helpers.go
+++ b/test/helpers.go
@@ -52,12 +52,12 @@ import (
 // Initialize all known client auth plugins
 _ "k8s.io/client-go/plugin/pkg/client/auth"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- cliverify "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
- "github.com/sigstore/cosign/v2/pkg/cosign"
- "github.com/sigstore/cosign/v2/pkg/cosign/env"
- ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
- sigs "github.com/sigstore/cosign/v2/pkg/signature"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+ cliverify "github.com/sigstore/cosign/v3/cmd/cosign/cli/verify"
+ "github.com/sigstore/cosign/v3/pkg/cosign"
+ "github.com/sigstore/cosign/v3/pkg/cosign/env"
+ ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote"
+ sigs "github.com/sigstore/cosign/v3/pkg/signature"
 v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
 "github.com/sigstore/sigstore/pkg/signature"
 )
diff --git a/test/piv_test.go b/test/piv_test.go
index eb482e4318c..80d25b37dec 100644
--- a/test/piv_test.go
+++ b/test/piv_test.go
@@ -29,7 +29,7 @@ import (
 "testing"
 // Import the functions directly for testing.
- . "github.com/sigstore/cosign/v2/cmd/cosign/cli/pivcli"
+ . "github.com/sigstore/cosign/v3/cmd/cosign/cli/pivcli"
 )
 func TestSetManagementKeyCmd(t *testing.T) {
diff --git a/test/pkcs11_test.go b/test/pkcs11_test.go
index bfe031b9d1c..4b232b6a99b 100644
--- a/test/pkcs11_test.go
+++ b/test/pkcs11_test.go
@@ -54,8 +54,8 @@ import (
 // Import the functions directly for testing.
 "github.com/miekg/pkcs11"
- . "github.com/sigstore/cosign/v2/cmd/cosign/cli/pkcs11cli"
- "github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key"
+ . "github.com/sigstore/cosign/v3/cmd/cosign/cli/pkcs11cli"
+ "github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key"
 "github.com/stretchr/testify/require"
 )
From 638cee6c1b7f46da34db29f902270a4b033d3f0e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 30 Sep 2025 08:57:06 +0200
Subject: [PATCH 079/136] chore(deps): bump github.com/go-openapi/runtime from 0.28.0 to 0.29.0 (#4437)
Bumps [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) from 0.28.0 to 0.29.0.
- [Release notes](https://github.com/go-openapi/runtime/releases)
- [Commits](https://github.com/go-openapi/runtime/compare/v0.28.0...v0.29.0)
---
updated-dependencies:
- dependency-name: github.com/go-openapi/runtime
  dependency-version: 0.29.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 43 +++++++++++++---------------
 go.sum | 88 ++++++++++++++++++++++++++++------------------------------
 2 files changed, 62 insertions(+), 69 deletions(-)
diff --git a/go.mod b/go.mod
index 9c4180ea2da..b66b0c46761 100644
--- a/go.mod
+++ b/go.mod
@@ -13,10 +13,10 @@ require (
 github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7
 github.com/dustin/go-humanize v1.0.1
 github.com/go-jose/go-jose/v4 v4.1.2
- github.com/go-openapi/runtime v0.28.0
- github.com/go-openapi/strfmt v0.23.0
+ github.com/go-openapi/runtime v0.29.0
+ github.com/go-openapi/strfmt v0.24.0
 github.com/go-openapi/swag v0.24.1
- github.com/go-openapi/swag/conv v0.24.0
+ github.com/go-openapi/swag/conv v0.25.1
 github.com/go-piv/piv-go/v2 v2.4.0
 github.com/google/certificate-transparency-go v1.3.2
 github.com/google/go-cmp v0.7.0
@@ -168,23 +168,23 @@ require (
 github.com/go-ini/ini v1.67.0 // indirect
 github.com/go-logr/logr v1.4.3 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
- github.com/go-openapi/analysis v0.23.0 // indirect
- github.com/go-openapi/errors v0.22.2 // indirect
- github.com/go-openapi/jsonpointer v0.21.0 // indirect
- github.com/go-openapi/jsonreference v0.21.0 // indirect
- github.com/go-openapi/loads v0.22.0 // indirect
- github.com/go-openapi/spec v0.21.0 // indirect
+ github.com/go-openapi/analysis v0.24.0 // indirect
+ github.com/go-openapi/errors v0.22.3 // indirect
+ github.com/go-openapi/jsonpointer v0.22.1 // indirect
+ github.com/go-openapi/jsonreference v0.21.2 // indirect
+ github.com/go-openapi/loads v0.23.1 // indirect
+ github.com/go-openapi/spec v0.22.0 // indirect
 github.com/go-openapi/swag/cmdutils v0.24.0 // indirect
- github.com/go-openapi/swag/fileutils v0.24.0 // indirect
- github.com/go-openapi/swag/jsonname v0.24.0 // indirect
- github.com/go-openapi/swag/jsonutils v0.24.0 // indirect
- github.com/go-openapi/swag/loading v0.24.0 // indirect
- github.com/go-openapi/swag/mangling v0.24.0 // indirect
+ github.com/go-openapi/swag/fileutils v0.25.1 // indirect
+ github.com/go-openapi/swag/jsonname v0.25.1 // indirect
+ github.com/go-openapi/swag/jsonutils v0.25.1 // indirect
+ github.com/go-openapi/swag/loading v0.25.1 // indirect
+ github.com/go-openapi/swag/mangling v0.25.1 // indirect
 github.com/go-openapi/swag/netutils v0.24.0 // indirect
- github.com/go-openapi/swag/stringutils v0.24.0 // indirect
- github.com/go-openapi/swag/typeutils v0.24.0 // indirect
- github.com/go-openapi/swag/yamlutils v0.24.0 // indirect
- github.com/go-openapi/validate v0.24.0 // indirect
+ github.com/go-openapi/swag/stringutils v0.25.1 // indirect
+ github.com/go-openapi/swag/typeutils v0.25.1 // indirect
+ github.com/go-openapi/swag/yamlutils v0.25.1 // indirect
+ github.com/go-openapi/validate v0.25.0 // indirect
 github.com/go-sql-driver/mysql v1.9.3 // indirect
 github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 github.com/gobwas/glob v0.2.3 // indirect
@@ -221,7 +221,6 @@ require (
 github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
 github.com/jellydator/ttlcache/v3 v3.4.0 // indirect
 github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect
- github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
 github.com/klauspost/compress v1.18.0 // indirect
 github.com/kylelemons/godebug v1.1.0 // indirect
@@ -232,7 +231,6 @@ require (
 github.com/lestrrat-go/option v1.0.1 // indirect
 github.com/lestrrat-go/option/v2 v2.0.0 // indirect
 github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
- github.com/mailru/easyjson v0.9.0 // indirect
 github.com/mitchellh/go-homedir v1.1.0 // indirect
 github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
@@ -242,7 +240,6 @@ require (
 github.com/oleiade/reflections v1.1.0 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.1.1 // indirect
- github.com/opentracing/opentracing-go v1.2.0 // indirect
 github.com/pborman/uuid v1.2.1 // indirect
 github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
@@ -290,9 +287,9 @@ require (
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 github.com/yashtewari/glob-intersection v0.2.0 // indirect
- go.mongodb.org/mongo-driver v1.14.0 // indirect
+ go.mongodb.org/mongo-driver v1.17.4 // indirect
 go.opencensus.io v0.24.0 // indirect
- go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+ go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 go.opentelemetry.io/contrib/detectors/gcp v1.38.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
diff --git a/go.sum b/go.sum
index 43162ebd12c..f01cfced778 100644
--- a/go.sum
+++ b/go.sum
@@ -972,48 +972,50 @@ github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= -github.com/go-openapi/analysis v0.23.0 h1:aGday7OWupfMs+LbmLZG4k0MYXIANxcuBTYUC03zFCU= -github.com/go-openapi/analysis v0.23.0/go.mod h1:9mz9ZWaSlV8TvjQHLl2mUW2PbZtemkE8yA5v22ohupo= -github.com/go-openapi/errors v0.22.2 h1:rdxhzcBUazEcGccKqbY1Y7NS8FDcMyIRr0934jrYnZg= -github.com/go-openapi/errors v0.22.2/go.mod h1:+n/5UdIqdVnLIJ6Q9Se8HNGUXYaY6CN8ImWzfi/Gzp0= -github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= -github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= -github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= -github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= -github.com/go-openapi/loads v0.22.0 h1:ECPGd4jX1U6NApCGG1We+uEozOAvXvJSF4nnwHZ8Aco= -github.com/go-openapi/loads v0.22.0/go.mod h1:yLsaTCS92mnSAZX5WWoxszLj0u+Ojl+Zs5Stn1oF+rs= -github.com/go-openapi/runtime v0.28.0 h1:gpPPmWSNGo214l6n8hzdXYhPuJcGtziTOgUpvsFWGIQ= -github.com/go-openapi/runtime v0.28.0/go.mod h1:QN7OzcS+XuYmkQLw05akXk0jRH/eZ3kb18+1KwW9gyc= -github.com/go-openapi/spec v0.21.0 h1:LTVzPc3p/RzRnkQqLRndbAzjY0d0BCL72A6j3CdL9ZY= -github.com/go-openapi/spec v0.21.0/go.mod h1:78u6VdPw81XU44qEWGhtr982gJ5BWg2c0I5XwVMotYk= -github.com/go-openapi/strfmt v0.23.0 h1:nlUS6BCqcnAk0pyhi9Y+kdDVZdZMHfEKQiS4HaMgO/c= -github.com/go-openapi/strfmt v0.23.0/go.mod h1:NrtIpfKtWIygRkKVsxh7XQMDQW5HKQl6S5ik2elW+K4= +github.com/go-openapi/analysis v0.24.0 h1:vE/VFFkICKyYuTWYnplQ+aVr45vlG6NcZKC7BdIXhsA= +github.com/go-openapi/analysis v0.24.0/go.mod h1:GLyoJA+bvmGGaHgpfeDh8ldpGo69fAJg7eeMDMRCIrw= 
+github.com/go-openapi/errors v0.22.3 h1:k6Hxa5Jg1TUyZnOwV2Lh81j8ayNw5VVYLvKrp4zFKFs= +github.com/go-openapi/errors v0.22.3/go.mod h1:+WvbaBBULWCOna//9B9TbLNGSFOfF8lY9dw4hGiEiKQ= +github.com/go-openapi/jsonpointer v0.22.1 h1:sHYI1He3b9NqJ4wXLoJDKmUmHkWy/L7rtEo92JUxBNk= +github.com/go-openapi/jsonpointer v0.22.1/go.mod h1:pQT9OsLkfz1yWoMgYFy4x3U5GY5nUlsOn1qSBH5MkCM= +github.com/go-openapi/jsonreference v0.21.2 h1:Wxjda4M/BBQllegefXrY/9aq1fxBA8sI5M/lFU6tSWU= +github.com/go-openapi/jsonreference v0.21.2/go.mod h1:pp3PEjIsJ9CZDGCNOyXIQxsNuroxm8FAJ/+quA0yKzQ= +github.com/go-openapi/loads v0.23.1 h1:H8A0dX2KDHxDzc797h0+uiCZ5kwE2+VojaQVaTlXvS0= +github.com/go-openapi/loads v0.23.1/go.mod h1:hZSXkyACCWzWPQqizAv/Ye0yhi2zzHwMmoXQ6YQml44= +github.com/go-openapi/runtime v0.29.0 h1:Y7iDTFarS9XaFQ+fA+lBLngMwH6nYfqig1G+pHxMRO0= +github.com/go-openapi/runtime v0.29.0/go.mod h1:52HOkEmLL/fE4Pg3Kf9nxc9fYQn0UsIWyGjGIJE9dkg= +github.com/go-openapi/spec v0.22.0 h1:xT/EsX4frL3U09QviRIZXvkh80yibxQmtoEvyqug0Tw= +github.com/go-openapi/spec v0.22.0/go.mod h1:K0FhKxkez8YNS94XzF8YKEMULbFrRw4m15i2YUht4L0= +github.com/go-openapi/strfmt v0.24.0 h1:dDsopqbI3wrrlIzeXRbqMihRNnjzGC+ez4NQaAAJLuc= +github.com/go-openapi/strfmt v0.24.0/go.mod h1:Lnn1Bk9rZjXxU9VMADbEEOo7D7CDyKGLsSKekhFr7s4= github.com/go-openapi/swag v0.24.1 h1:DPdYTZKo6AQCRqzwr/kGkxJzHhpKxZ9i/oX0zag+MF8= github.com/go-openapi/swag v0.24.1/go.mod h1:sm8I3lCPlspsBBwUm1t5oZeWZS0s7m/A+Psg0ooRU0A= github.com/go-openapi/swag/cmdutils v0.24.0 h1:KlRCffHwXFI6E5MV9n8o8zBRElpY4uK4yWyAMWETo9I= github.com/go-openapi/swag/cmdutils v0.24.0/go.mod h1:uxib2FAeQMByyHomTlsP8h1TtPd54Msu2ZDU/H5Vuf8= -github.com/go-openapi/swag/conv v0.24.0 h1:ejB9+7yogkWly6pnruRX45D1/6J+ZxRu92YFivx54ik= -github.com/go-openapi/swag/conv v0.24.0/go.mod h1:jbn140mZd7EW2g8a8Y5bwm8/Wy1slLySQQ0ND6DPc2c= -github.com/go-openapi/swag/fileutils v0.24.0 h1:U9pCpqp4RUytnD689Ek/N1d2N/a//XCeqoH508H5oak= -github.com/go-openapi/swag/fileutils v0.24.0/go.mod 
h1:3SCrCSBHyP1/N+3oErQ1gP+OX1GV2QYFSnrTbzwli90= -github.com/go-openapi/swag/jsonname v0.24.0 h1:2wKS9bgRV/xB8c62Qg16w4AUiIrqqiniJFtZGi3dg5k= -github.com/go-openapi/swag/jsonname v0.24.0/go.mod h1:GXqrPzGJe611P7LG4QB9JKPtUZ7flE4DOVechNaDd7Q= -github.com/go-openapi/swag/jsonutils v0.24.0 h1:F1vE1q4pg1xtO3HTyJYRmEuJ4jmIp2iZ30bzW5XgZts= -github.com/go-openapi/swag/jsonutils v0.24.0/go.mod h1:vBowZtF5Z4DDApIoxcIVfR8v0l9oq5PpYRUuteVu6f0= -github.com/go-openapi/swag/loading v0.24.0 h1:ln/fWTwJp2Zkj5DdaX4JPiddFC5CHQpvaBKycOlceYc= -github.com/go-openapi/swag/loading v0.24.0/go.mod h1:gShCN4woKZYIxPxbfbyHgjXAhO61m88tmjy0lp/LkJk= -github.com/go-openapi/swag/mangling v0.24.0 h1:PGOQpViCOUroIeak/Uj/sjGAq9LADS3mOyjznmHy2pk= -github.com/go-openapi/swag/mangling v0.24.0/go.mod h1:Jm5Go9LHkycsz0wfoaBDkdc4CkpuSnIEf62brzyCbhc= +github.com/go-openapi/swag/conv v0.25.1 h1:+9o8YUg6QuqqBM5X6rYL/p1dpWeZRhoIt9x7CCP+he0= +github.com/go-openapi/swag/conv v0.25.1/go.mod h1:Z1mFEGPfyIKPu0806khI3zF+/EUXde+fdeksUl2NiDs= +github.com/go-openapi/swag/fileutils v0.25.1 h1:rSRXapjQequt7kqalKXdcpIegIShhTPXx7yw0kek2uU= +github.com/go-openapi/swag/fileutils v0.25.1/go.mod h1:+NXtt5xNZZqmpIpjqcujqojGFek9/w55b3ecmOdtg8M= +github.com/go-openapi/swag/jsonname v0.25.1 h1:Sgx+qbwa4ej6AomWC6pEfXrA6uP2RkaNjA9BR8a1RJU= +github.com/go-openapi/swag/jsonname v0.25.1/go.mod h1:71Tekow6UOLBD3wS7XhdT98g5J5GR13NOTQ9/6Q11Zo= +github.com/go-openapi/swag/jsonutils v0.25.1 h1:AihLHaD0brrkJoMqEZOBNzTLnk81Kg9cWr+SPtxtgl8= +github.com/go-openapi/swag/jsonutils v0.25.1/go.mod h1:JpEkAjxQXpiaHmRO04N1zE4qbUEg3b7Udll7AMGTNOo= +github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.1 h1:DSQGcdB6G0N9c/KhtpYc71PzzGEIc/fZ1no35x4/XBY= +github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.1/go.mod h1:kjmweouyPwRUEYMSrbAidoLMGeJ5p6zdHi9BgZiqmsg= +github.com/go-openapi/swag/loading v0.25.1 h1:6OruqzjWoJyanZOim58iG2vj934TysYVptyaoXS24kw= +github.com/go-openapi/swag/loading v0.25.1/go.mod 
h1:xoIe2EG32NOYYbqxvXgPzne989bWvSNoWoyQVWEZicc=
+github.com/go-openapi/swag/mangling v0.25.1 h1:XzILnLzhZPZNtmxKaz/2xIGPQsBsvmCjrJOWGNz/ync=
+github.com/go-openapi/swag/mangling v0.25.1/go.mod h1:CdiMQ6pnfAgyQGSOIYnZkXvqhnnwOn997uXZMAd/7mQ=
 github.com/go-openapi/swag/netutils v0.24.0 h1:Bz02HRjYv8046Ycg/w80q3g9QCWeIqTvlyOjQPDjD8w=
 github.com/go-openapi/swag/netutils v0.24.0/go.mod h1:WRgiHcYTnx+IqfMCtu0hy9oOaPR0HnPbmArSRN1SkZM=
-github.com/go-openapi/swag/stringutils v0.24.0 h1:i4Z/Jawf9EvXOLUbT97O0HbPUja18VdBxeadyAqS1FM=
-github.com/go-openapi/swag/stringutils v0.24.0/go.mod h1:5nUXB4xA0kw2df5PRipZDslPJgJut+NjL7D25zPZ/4w=
-github.com/go-openapi/swag/typeutils v0.24.0 h1:d3szEGzGDf4L2y1gYOSSLeK6h46F+zibnEas2Jm/wIw=
-github.com/go-openapi/swag/typeutils v0.24.0/go.mod h1:q8C3Kmk/vh2VhpCLaoR2MVWOGP8y7Jc8l82qCTd1DYI=
-github.com/go-openapi/swag/yamlutils v0.24.0 h1:bhw4894A7Iw6ne+639hsBNRHg9iZg/ISrOVr+sJGp4c=
-github.com/go-openapi/swag/yamlutils v0.24.0/go.mod h1:DpKv5aYuaGm/sULePoeiG8uwMpZSfReo1HR3Ik0yaG8=
-github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58=
-github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
+github.com/go-openapi/swag/stringutils v0.25.1 h1:Xasqgjvk30eUe8VKdmyzKtjkVjeiXx1Iz0zDfMNpPbw=
+github.com/go-openapi/swag/stringutils v0.25.1/go.mod h1:JLdSAq5169HaiDUbTvArA2yQxmgn4D6h4A+4HqVvAYg=
+github.com/go-openapi/swag/typeutils v0.25.1 h1:rD/9HsEQieewNt6/k+JBwkxuAHktFtH3I3ysiFZqukA=
+github.com/go-openapi/swag/typeutils v0.25.1/go.mod h1:9McMC/oCdS4BKwk2shEB7x17P6HmMmA6dQRtAkSnNb8=
+github.com/go-openapi/swag/yamlutils v0.25.1 h1:mry5ez8joJwzvMbaTGLhw8pXUnhDK91oSJLDPF1bmGk=
+github.com/go-openapi/swag/yamlutils v0.25.1/go.mod h1:cm9ywbzncy3y6uPm/97ysW8+wZ09qsks+9RS8fLWKqg=
+github.com/go-openapi/validate v0.25.0 h1:JD9eGX81hDTjoY3WOzh6WqxVBVl7xjsLnvDo1GL5WPU=
+github.com/go-openapi/validate v0.25.0/go.mod h1:SUY7vKrN5FiwK6LyvSwKjDfLNirSfWwHNgxd2l29Mmw=
 github.com/go-pdf/fpdf 
v0.5.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M=
 github.com/go-pdf/fpdf v0.6.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M=
 github.com/go-piv/piv-go/v2 v2.4.0 h1:xamQ/fR4MJiw/Ndbk6yi7MVwhjrwlnDAPuaH9zcGb+I=
@@ -1250,8 +1252,6 @@ github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGw
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jmhodges/clock v1.2.0 h1:eq4kys+NI0PLngzaHEe7AmPT90XMGIEySD1JfV1PDIs=
 github.com/jmhodges/clock v1.2.0/go.mod h1:qKjhA7x7u/lQpPB1XAqX1b1lCI/w3/fNuYpI/ZjLynI=
-github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
-github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
@@ -1303,8 +1303,6 @@ github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
 github.com/lyft/protoc-gen-star v0.6.1/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
 github.com/lyft/protoc-gen-star/v2 v2.0.1/go.mod h1:RcCdONR2ScXaYnQC5tUzxzlpA3WVYF7/opLeUgcQs/o=
-github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
-github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
 github.com/manifoldco/promptui v0.9.0 h1:3V4HzJk1TtXW1MTZMP7mdlwbBpIinw3HztaIlYthEiA=
 github.com/manifoldco/promptui v0.9.0/go.mod h1:ka04sppxSGFAtxX0qhlYQjISsg9mR4GWtQEhdbn6Pgg=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
@@ -1372,8 +1370,6 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
-github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
-github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw=
 github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
@@ -1582,8 +1578,8 @@ github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN
 github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
 gitlab.com/gitlab-org/api/client-go v0.147.1 h1:I6SqcetiBg/rfhK05CFdNS61YFsdiZBjIuzXqNY8BAk=
 gitlab.com/gitlab-org/api/client-go v0.147.1/go.mod h1:9Y5ivg3xj5KJ+TAyRmNSiQtpkoqKsHLRRlLKpgXNJ+Q=
-go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80=
-go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
+go.mongodb.org/mongo-driver v1.17.4 h1:jUorfmVzljjr0FLzYQsGP8cgN/qzzxlY9Vh0C9KFXVw=
+go.mongodb.org/mongo-driver v1.17.4/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
@@ -1593,8 +1589,8 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/contrib/detectors/gcp v1.38.0 h1:ZoYbqX7OaA/TAikspPl3ozPI6iY6LiIY9I8cUfm+pJs=
 go.opentelemetry.io/contrib/detectors/gcp v1.38.0/go.mod h1:SU+iU7nu5ud4oCb3LQOhIZ3nRLj6FNVrKgtflbaf2ts=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
From 0b25535a463e3c94a468d142287b2f7863ceb1a2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Sep 2025 09:46:31 +0200 Subject: [PATCH 080/136] chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4436) Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.147.1 to 0.148.1. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.147.1...v0.148.1) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.148.1 dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index b66b0c46761..dd9169d26d0 100644
--- a/go.mod
+++ b/go.mod
@@ -52,7 +52,7 @@ require (
 github.com/theupdateframework/go-tuf/v2 v2.2.0
 github.com/transparency-dev/merkle v0.0.2
 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1
- gitlab.com/gitlab-org/api/client-go v0.147.1
+ gitlab.com/gitlab-org/api/client-go v0.148.1
 golang.org/x/crypto v0.42.0
 golang.org/x/oauth2 v0.31.0
 golang.org/x/sync v0.17.0
diff --git a/go.sum b/go.sum
index f01cfced778..4e0e2a473b7 100644
--- a/go.sum
+++ b/go.sum
@@ -1576,8 +1576,8 @@ github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8u
 github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI=
 github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
 github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
-gitlab.com/gitlab-org/api/client-go v0.147.1 h1:I6SqcetiBg/rfhK05CFdNS61YFsdiZBjIuzXqNY8BAk=
-gitlab.com/gitlab-org/api/client-go v0.147.1/go.mod h1:9Y5ivg3xj5KJ+TAyRmNSiQtpkoqKsHLRRlLKpgXNJ+Q=
+gitlab.com/gitlab-org/api/client-go v0.148.1 h1:xds5sz/aylLFX9wdTnaqalRDPmlZTzbp0vKA64nbLo4=
+gitlab.com/gitlab-org/api/client-go v0.148.1/go.mod h1:9Y5ivg3xj5KJ+TAyRmNSiQtpkoqKsHLRRlLKpgXNJ+Q=
 go.mongodb.org/mongo-driver v1.17.4 h1:jUorfmVzljjr0FLzYQsGP8cgN/qzzxlY9Vh0C9KFXVw=
 go.mongodb.org/mongo-driver v1.17.4/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
From 148caf61b70a866af68ba8ac2367418d2653392f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Sep 2025 09:46:47 +0200 Subject: [PATCH 081/136] chore(deps): bump github.com/go-openapi/swag from 0.24.1 to 0.25.1 (#4435) Bumps [github.com/go-openapi/swag](https://github.com/go-openapi/swag) from 0.24.1 to 0.25.1. - [Commits](https://github.com/go-openapi/swag/compare/v0.24.1...v0.25.1) --- updated-dependencies: - dependency-name: github.com/go-openapi/swag dependency-version: 0.25.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/go.mod b/go.mod
index dd9169d26d0..a0a475bd1d7 100644
--- a/go.mod
+++ b/go.mod
@@ -15,7 +15,7 @@ require (
 github.com/go-jose/go-jose/v4 v4.1.2
 github.com/go-openapi/runtime v0.29.0
 github.com/go-openapi/strfmt v0.24.0
- github.com/go-openapi/swag v0.24.1
+ github.com/go-openapi/swag v0.25.1
 github.com/go-openapi/swag/conv v0.25.1
 github.com/go-piv/piv-go/v2 v2.4.0
 github.com/google/certificate-transparency-go v1.3.2 
@@ -174,13 +174,13 @@ require (
 github.com/go-openapi/jsonreference v0.21.2 // indirect
 github.com/go-openapi/loads v0.23.1 // indirect
 github.com/go-openapi/spec v0.22.0 // indirect
- github.com/go-openapi/swag/cmdutils v0.24.0 // indirect
+ github.com/go-openapi/swag/cmdutils v0.25.1 // indirect
 github.com/go-openapi/swag/fileutils v0.25.1 // indirect
 github.com/go-openapi/swag/jsonname v0.25.1 // indirect
 github.com/go-openapi/swag/jsonutils v0.25.1 // indirect
 github.com/go-openapi/swag/loading v0.25.1 // indirect
 github.com/go-openapi/swag/mangling v0.25.1 // indirect
- github.com/go-openapi/swag/netutils v0.24.0 // indirect
+ github.com/go-openapi/swag/netutils v0.25.1 // indirect
 github.com/go-openapi/swag/stringutils v0.25.1 // indirect
 github.com/go-openapi/swag/typeutils v0.25.1 // indirect
 github.com/go-openapi/swag/yamlutils v0.25.1 // indirect
diff --git a/go.sum b/go.sum
index 4e0e2a473b7..571382f852b 100644
--- a/go.sum
+++ b/go.sum
@@ -988,10 +988,10 @@ github.com/go-openapi/spec v0.22.0 h1:xT/EsX4frL3U09QviRIZXvkh80yibxQmtoEvyqug0T
 github.com/go-openapi/spec v0.22.0/go.mod h1:K0FhKxkez8YNS94XzF8YKEMULbFrRw4m15i2YUht4L0=
 github.com/go-openapi/strfmt v0.24.0 h1:dDsopqbI3wrrlIzeXRbqMihRNnjzGC+ez4NQaAAJLuc=
 github.com/go-openapi/strfmt v0.24.0/go.mod h1:Lnn1Bk9rZjXxU9VMADbEEOo7D7CDyKGLsSKekhFr7s4=
-github.com/go-openapi/swag v0.24.1 h1:DPdYTZKo6AQCRqzwr/kGkxJzHhpKxZ9i/oX0zag+MF8=
-github.com/go-openapi/swag v0.24.1/go.mod h1:sm8I3lCPlspsBBwUm1t5oZeWZS0s7m/A+Psg0ooRU0A=
-github.com/go-openapi/swag/cmdutils v0.24.0 h1:KlRCffHwXFI6E5MV9n8o8zBRElpY4uK4yWyAMWETo9I=
-github.com/go-openapi/swag/cmdutils v0.24.0/go.mod h1:uxib2FAeQMByyHomTlsP8h1TtPd54Msu2ZDU/H5Vuf8=
+github.com/go-openapi/swag v0.25.1 h1:6uwVsx+/OuvFVPqfQmOOPsqTcm5/GkBhNwLqIR916n8=
+github.com/go-openapi/swag v0.25.1/go.mod h1:bzONdGlT0fkStgGPd3bhZf1MnuPkf2YAys6h+jZipOo=
+github.com/go-openapi/swag/cmdutils v0.25.1 h1:nDke3nAFDArAa631aitksFGj2omusks88GF1VwdYqPY=
+github.com/go-openapi/swag/cmdutils v0.25.1/go.mod h1:pdae/AFo6WxLl5L0rq87eRzVPm/XRHM3MoYgRMvG4A0=
 github.com/go-openapi/swag/conv v0.25.1 h1:+9o8YUg6QuqqBM5X6rYL/p1dpWeZRhoIt9x7CCP+he0=
 github.com/go-openapi/swag/conv v0.25.1/go.mod h1:Z1mFEGPfyIKPu0806khI3zF+/EUXde+fdeksUl2NiDs=
 github.com/go-openapi/swag/fileutils v0.25.1 h1:rSRXapjQequt7kqalKXdcpIegIShhTPXx7yw0kek2uU=
@@ -1006,8 +1006,8 @@ github.com/go-openapi/swag/loading v0.25.1 h1:6OruqzjWoJyanZOim58iG2vj934TysYVpt
 github.com/go-openapi/swag/loading v0.25.1/go.mod h1:xoIe2EG32NOYYbqxvXgPzne989bWvSNoWoyQVWEZicc=
 github.com/go-openapi/swag/mangling v0.25.1 h1:XzILnLzhZPZNtmxKaz/2xIGPQsBsvmCjrJOWGNz/ync=
 github.com/go-openapi/swag/mangling v0.25.1/go.mod h1:CdiMQ6pnfAgyQGSOIYnZkXvqhnnwOn997uXZMAd/7mQ=
-github.com/go-openapi/swag/netutils v0.24.0 h1:Bz02HRjYv8046Ycg/w80q3g9QCWeIqTvlyOjQPDjD8w=
-github.com/go-openapi/swag/netutils v0.24.0/go.mod h1:WRgiHcYTnx+IqfMCtu0hy9oOaPR0HnPbmArSRN1SkZM=
+github.com/go-openapi/swag/netutils v0.25.1 h1:2wFLYahe40tDUHfKT1GRC4rfa5T1B4GWZ+msEFA4Fl4=
+github.com/go-openapi/swag/netutils v0.25.1/go.mod h1:CAkkvqnUJX8NV96tNhEQvKz8SQo2KF0f7LleiJwIeRE=
 github.com/go-openapi/swag/stringutils v0.25.1 h1:Xasqgjvk30eUe8VKdmyzKtjkVjeiXx1Iz0zDfMNpPbw=
 github.com/go-openapi/swag/stringutils v0.25.1/go.mod h1:JLdSAq5169HaiDUbTvArA2yQxmgn4D6h4A+4HqVvAYg=
 github.com/go-openapi/swag/typeutils v0.25.1 h1:rD/9HsEQieewNt6/k+JBwkxuAHktFtH3I3ysiFZqukA=
From 7fb2415b77af5594028eb794210b446f955b7944 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Sep 2025 09:47:13 +0200 Subject: [PATCH 082/136] chore(deps): bump the actions group with 3 updates (#4434) Bumps the actions group with 3 updates: [docker/login-action](https://github.com/docker/login-action), [actions/cache](https://github.com/actions/cache) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `docker/login-action` from 3.5.0 to 3.6.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/184bdaa0721073962dff0199f1fb9940f07167d1...5e57cd118135c172c3672efd75eb46360885c0ef) Updates `actions/cache` from 4.2.4 to 4.3.0 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/0400d5f644dc74513175e3cd8d07132dd4860809...0057852bfaa89a56745cba8c7296529d2fc39830) Updates `chainguard-dev/actions` from 1.5.1 to 1.5.2 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](https://github.com/chainguard-dev/actions/compare/de56c2728beb0a0f371bff2ce2ee4b8afee4b5e8...8e97c1fc72515d627456cb0b92e9c9f299356375) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 3.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: actions/cache dependency-version: 4.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: chainguard-dev/actions dependency-version: 1.5.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build.yaml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/donotsubmit.yaml | 2 +- .github/workflows/e2e-tests.yml | 4 ++-- .github/workflows/kind-verify-attestation.yaml | 2 +- .github/workflows/tests.yaml | 8 ++++---- .github/workflows/whitespace.yaml | 4 ++-- 7 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 03b369d2100..123bd2b8456 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -72,7 +72,7 @@ jobs: run: gcloud auth configure-docker --quiet - name: Login to GitHub Container Registry - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ghcr.io username: ${{ github.actor }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 74c2432bbba..d347ee21eb7 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -56,7 +56,7 @@ jobs: persist-credentials: false - name: Utilize Go Module Cache - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: | ~/go/pkg/mod diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml index 4b4f1e99fcc..b881b9b7386 100644 --- a/.github/workflows/donotsubmit.yaml +++ b/.github/workflows/donotsubmit.yaml @@ -40,4 +40,4 @@ jobs: persist-credentials: false - name: Do Not Submit - uses: chainguard-dev/actions/donotsubmit@de56c2728beb0a0f371bff2ce2ee4b8afee4b5e8 # v1.5.1 + uses: chainguard-dev/actions/donotsubmit@8e97c1fc72515d627456cb0b92e9c9f299356375 # v1.5.2 
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 8d7ec76f650..6e2d041349c 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -149,7 +149,7 @@ jobs: cache: false - name: Setup mirror - uses: chainguard-dev/actions/setup-mirror@de56c2728beb0a0f371bff2ce2ee4b8afee4b5e8 # v1.5.1 + uses: chainguard-dev/actions/setup-mirror@8e97c1fc72515d627456cb0b92e9c9f299356375 # v1.5.2 with: mirror: mirror.gcr.io @@ -239,4 +239,4 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@de56c2728beb0a0f371bff2ce2ee4b8afee4b5e8 # v1.5.1 + uses: chainguard-dev/actions/kind-diag@8e97c1fc72515d627456cb0b92e9c9f299356375 # v1.5.2 diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml index bee5163dbc9..eede28c4d21 100644 --- a/.github/workflows/kind-verify-attestation.yaml +++ b/.github/workflows/kind-verify-attestation.yaml @@ -170,7 +170,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@de56c2728beb0a0f371bff2ce2ee4b8afee4b5e8 # v1.5.1 + uses: chainguard-dev/actions/kind-diag@8e97c1fc72515d627456cb0b92e9c9f299356375 # v1.5.2 - name: Create vuln attestation for it run: | diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 9611e337ae2..52f877e9010 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -46,7 +46,7 @@ jobs: persist-credentials: false # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: # In order: # * Module download cache 
@@ -147,7 +147,7 @@ jobs: - name: check disk space run: df -h # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: # In order: # * Module download cache @@ -184,7 +184,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@de56c2728beb0a0f371bff2ce2ee4b8afee4b5e8 # v1.5.1 + uses: chainguard-dev/actions/kind-diag@8e97c1fc72515d627456cb0b92e9c9f299356375 # v1.5.2 e2e-windows-powershell-tests: name: Run PowerShell E2E tests @@ -206,7 +206,7 @@ jobs: cache: false # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: # In order: # * Module download cache diff --git a/.github/workflows/whitespace.yaml b/.github/workflows/whitespace.yaml index 3db923b8552..248bd907798 100644 --- a/.github/workflows/whitespace.yaml +++ b/.github/workflows/whitespace.yaml @@ -38,8 +38,8 @@ jobs: with: persist-credentials: false - - uses: chainguard-dev/actions/trailing-space@de56c2728beb0a0f371bff2ce2ee4b8afee4b5e8 # v1.5.1 + - uses: chainguard-dev/actions/trailing-space@8e97c1fc72515d627456cb0b92e9c9f299356375 # v1.5.2 if: ${{ always() }} - - uses: chainguard-dev/actions/eof-newline@de56c2728beb0a0f371bff2ce2ee4b8afee4b5e8 # v1.5.1 + - uses: chainguard-dev/actions/eof-newline@8e97c1fc72515d627456cb0b92e9c9f299356375 # v1.5.2 if: ${{ always() }} From 2c0f5789f804f35ee8936a06e16df3faf741f63a Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Sep 2025 09:50:49 +0200 Subject: [PATCH 083/136] chore(deps): bump github.com/open-policy-agent/opa from 1.8.0 to 1.9.0 (#4433) Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.8.0 to 1.9.0. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-policy-agent/opa/compare/v1.8.0...v1.9.0) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-version: 1.9.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 22 ++++++++++++---------- go.sum | 44 ++++++++++++++++++++++++-------------------- 2 files changed, 36 insertions(+), 30 deletions(-)
diff --git a/go.mod b/go.mod
index a0a475bd1d7..15763f4b526 100644
--- a/go.mod
+++ b/go.mod
@@ -31,7 +31,7 @@ require (
 github.com/moby/term v0.5.2
 github.com/mozillazg/docker-credential-acr-helper v0.4.0
 github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481
- github.com/open-policy-agent/opa v1.8.0
+ github.com/open-policy-agent/opa v1.9.0
 github.com/secure-systems-lab/go-securesystemslib v0.9.1
 github.com/sigstore/fulcio v1.7.1
 github.com/sigstore/protobuf-specs v0.5.0
@@ -188,7 +188,7 @@ require (
 github.com/go-sql-driver/mysql v1.9.3 // indirect
 github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 github.com/gobwas/glob v0.2.3 // indirect
- github.com/goccy/go-json v0.10.3 // indirect
+ github.com/goccy/go-json v0.10.5 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 github.com/golang-jwt/jwt/v5 v5.3.0 // indirect 
@@ -225,9 +225,11 @@ require (
 github.com/klauspost/compress v1.18.0 // indirect
 github.com/kylelemons/godebug v1.1.0 // indirect
 github.com/lestrrat-go/blackmagic v1.0.4 // indirect
+ github.com/lestrrat-go/dsig v1.0.0 // indirect
+ github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect
 github.com/lestrrat-go/httpcc v1.0.1 // indirect
- github.com/lestrrat-go/httprc/v3 v3.0.0 // indirect
- github.com/lestrrat-go/jwx/v3 v3.0.10 // indirect
+ github.com/lestrrat-go/httprc/v3 v3.0.1 // indirect
+ github.com/lestrrat-go/jwx/v3 v3.0.11 // indirect
 github.com/lestrrat-go/option v1.0.1 // indirect
 github.com/lestrrat-go/option/v2 v2.0.0 // indirect
 github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
@@ -249,9 +251,9 @@ require (
 github.com/prometheus/client_golang v1.23.2 // indirect
 github.com/prometheus/client_model v0.6.2 // indirect
 github.com/prometheus/common v0.66.1 // indirect
- github.com/prometheus/procfs v0.16.1 // indirect
+ github.com/prometheus/procfs v0.17.0 // indirect
 github.com/protocolbuffers/txtpbfmt v0.0.0-20250627152318-f293424e46b5 // indirect
- github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
+ github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 // indirect
 github.com/rogpeppe/go-internal v1.14.1 // indirect
 github.com/rs/cors v1.11.1 // indirect
 github.com/russross/blackfriday/v2 v2.1.0 // indirect
@@ -261,7 +263,7 @@ require (
 github.com/segmentio/asm v1.2.0 // indirect
 github.com/segmentio/ksuid v1.0.4 // indirect
 github.com/shibumi/go-pathspec v1.3.0 // indirect
- github.com/sirupsen/logrus v1.9.3 // indirect
+ github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
 github.com/spf13/afero v1.15.0 // indirect 
@@ -292,7 +294,7 @@ require (
 go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 go.opentelemetry.io/contrib/detectors/gcp v1.38.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
+ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
 go.opentelemetry.io/otel v1.38.0 // indirect
 go.opentelemetry.io/otel/metric v1.38.0 // indirect
 go.opentelemetry.io/otel/sdk v1.38.0 // indirect
@@ -308,12 +310,12 @@ require (
 golang.org/x/net v0.44.0 // indirect
 golang.org/x/sys v0.36.0 // indirect
 golang.org/x/text v0.29.0 // indirect
- golang.org/x/time v0.12.0 // indirect
+ golang.org/x/time v0.13.0 // indirect
 golang.org/x/tools v0.36.0 // indirect
 google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 // indirect
- google.golang.org/grpc v1.75.0 // indirect
+ google.golang.org/grpc v1.75.1 // indirect
 gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
diff --git a/go.sum b/go.sum
index 571382f852b..f4769d10115 100644
--- a/go.sum
+++ b/go.sum
@@ -1037,8 +1037,8 @@ github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlnd
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
-github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
-github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
+github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
@@ -1286,12 +1286,16 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/lestrrat-go/blackmagic v1.0.4 h1:IwQibdnf8l2KoO+qC3uT4OaTWsW7tuRQXy9TRN9QanA=
 github.com/lestrrat-go/blackmagic v1.0.4/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw=
+github.com/lestrrat-go/dsig v1.0.0 h1:OE09s2r9Z81kxzJYRn07TFM9XA4akrUdoMwr0L8xj38=
+github.com/lestrrat-go/dsig v1.0.0/go.mod h1:dEgoOYYEJvW6XGbLasr8TFcAxoWrKlbQvmJgCR0qkDo=
+github.com/lestrrat-go/dsig-secp256k1 v1.0.0 h1:JpDe4Aybfl0soBvoVwjqDbp+9S1Y2OM7gcrVVMFPOzY=
+github.com/lestrrat-go/dsig-secp256k1 v1.0.0/go.mod h1:CxUgAhssb8FToqbL8NjSPoGQlnO4w3LG1P0qPWQm/NU=
 github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
-github.com/lestrrat-go/httprc/v3 v3.0.0 h1:nZUx/zFg5uc2rhlu1L1DidGr5Sj02JbXvGSpnY4LMrc=
-github.com/lestrrat-go/httprc/v3 v3.0.0/go.mod h1:k2U1QIiyVqAKtkffbg+cUmsyiPGQsb9aAfNQiNFuQ9Q=
-github.com/lestrrat-go/jwx/v3 v3.0.10 h1:XuoCBhZBncRIjMQ32HdEc76rH0xK/Qv2wq5TBouYJDw=
-github.com/lestrrat-go/jwx/v3 v3.0.10/go.mod h1:kNMedLgTpHvPJkK5EMVa1JFz+UVyY2dMmZKu3qjl/Pk=
+github.com/lestrrat-go/httprc/v3 v3.0.1 h1:3n7Es68YYGZb2Jf+k//llA4FTZMl3yCwIjFIk4ubevI=
+github.com/lestrrat-go/httprc/v3 v3.0.1/go.mod h1:2uAvmbXE4Xq8kAUjVrZOq1tZVYYYs5iP62Cmtru00xk=
+github.com/lestrrat-go/jwx/v3 v3.0.11 h1:yEeUGNUuNjcez/Voxvr7XPTYNraSQTENJgtVTfwvG/w=
+github.com/lestrrat-go/jwx/v3 v3.0.11/go.mod h1:XSOAh2SiXm0QgRe3DulLZLyt+wUuEdFo81zuKTLcvgQ=
 github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
 github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lestrrat-go/option/v2 v2.0.0 h1:XxrcaJESE1fokHy3FpaQ/cXW8ZsIdWcdFzzLOcID3Ss=
@@ -1364,8 +1368,8 @@ github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl
 github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
 github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
 github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/open-policy-agent/opa v1.8.0 h1:4JdYuZcANeUF1v/87NGpirocpaZzJA0PcuL7xfmsMNM=
-github.com/open-policy-agent/opa v1.8.0/go.mod h1:vOVZuIJQISnaYcZtQ58yTDkVCp1FmGPwK43pO9qPDqM=
+github.com/open-policy-agent/opa v1.9.0 h1:QWFNwbcc29IRy0xwD3hRrMc/RtSersLY1Z6TaID3vgI=
+github.com/open-policy-agent/opa v1.9.0/go.mod h1:72+lKmTda0O48m1VKAxxYl7MjP/EWFZu9fxHQK2xihs=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
@@ -1400,12 +1404,12 @@ github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNw
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
 github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
 github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
-github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
-github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0=
+github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw=
 github.com/protocolbuffers/txtpbfmt v0.0.0-20250627152318-f293424e46b5 h1:WWs1ZFnGobK5ZXNu+N9If+8PDNVB9xAqrib/stUXsV4=
 github.com/protocolbuffers/txtpbfmt v0.0.0-20250627152318-f293424e46b5/go.mod h1:BnHogPTyzYAReeQLZrOxyxzS739DaTNtTvohVdbENmA=
-github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM=
-github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
+github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 h1:bsUq1dX0N8AOIL7EB/X911+m4EHsnWEHeJ0c+3TTBrg=
+github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
@@ -1459,8 +1463,8 @@ github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.9.5 h1:S2ukEfN1orLK github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.9.5/go.mod h1:m7sQxVJmDa+rsmS1m6biQxaLX83pzNS7ThUEyjOqkCU= github.com/sigstore/timestamp-authority v1.2.9 h1:L9Fj070/EbMC8qUk8BchkrYCS1BT5i93Bl6McwydkFs= github.com/sigstore/timestamp-authority v1.2.9/go.mod h1:QyRnZchz4o+xdHyK5rvCWacCHxWmpX+mgvJwB1OXcLY= -github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= -github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af h1:Sp5TG9f7K39yfB+If0vjp97vuT74F72r8hfRpP8jLU0= +github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= 
@@ -1595,8 +1599,8 @@ go.opentelemetry.io/contrib/detectors/gcp v1.38.0 h1:ZoYbqX7OaA/TAikspPl3ozPI6iY go.opentelemetry.io/contrib/detectors/gcp v1.38.0/go.mod h1:SU+iU7nu5ud4oCb3LQOhIZ3nRLj6FNVrKgtflbaf2ts= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg= go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8= go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24= 
@@ -1960,8 +1964,8 @@ golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20220922220347-f3bd1da661af/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE= -golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= +golang.org/x/time v0.13.0 h1:eUlYslOIt32DgYD6utsuUeHs4d7AsEYLuIAdg7FlYgI= +golang.org/x/time v0.13.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4= golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -2293,8 +2297,8 @@ google.golang.org/grpc v1.52.3/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5v google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw= google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g= google.golang.org/grpc v1.56.3/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= -google.golang.org/grpc v1.75.0 h1:+TW+dqTd2Biwe6KKfhE5JpiYIBWq865PhKGSXiivqt4= -google.golang.org/grpc v1.75.0/go.mod h1:JtPAzKiq4v1xcAB2hydNlWI2RnF85XXcV0mhKXr2ecQ= +google.golang.org/grpc v1.75.1 h1:/ODCNEuf9VghjgO3rqLcfg8fiOP0nSluljWFlDxELLI= +google.golang.org/grpc v1.75.1/go.mod h1:JtPAzKiq4v1xcAB2hydNlWI2RnF85XXcV0mhKXr2ecQ= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= From a5c4e8e0e387f2c4f965d599af482eabee8e2730 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Sep 2025 09:51:45 +0200 Subject: [PATCH 084/136] chore(deps): bump the gomod group with 2 updates (#4429) Bumps the gomod group with 2 updates: [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) and [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils). Updates `github.com/buildkite/agent/v3` from 3.107.0 to 3.107.2 - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](https://github.com/buildkite/agent/compare/v3.107.0...v3.107.2) Updates `sigs.k8s.io/release-utils` from 0.12.1 to 0.12.2 - [Release notes](https://github.com/kubernetes-sigs/release-utils/releases) - [Commits](https://github.com/kubernetes-sigs/release-utils/compare/v0.12.1...v0.12.2) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.107.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: sigs.k8s.io/release-utils dependency-version: 0.12.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 26 +++++++++++++------------- go.sum | 52 ++++++++++++++++++++++++++-------------------------- 2 files changed, 39 insertions(+), 39 deletions(-) diff --git a/go.mod b/go.mod index 15763f4b526..e516c6fb496 100644 --- a/go.mod +++ b/go.mod 
@@ -6,7 +6,7 @@ require ( cuelang.org/go v0.14.1 github.com/ThalesIgnite/crypto11 v1.2.5 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 - github.com/buildkite/agent/v3 v3.107.0 + github.com/buildkite/agent/v3 v3.107.2 github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936 @@ -62,8 +62,8 @@ require ( k8s.io/api v0.34.1 k8s.io/apimachinery v0.34.1 k8s.io/client-go v0.34.1 - k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 - sigs.k8s.io/release-utils v0.12.1 + k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d + sigs.k8s.io/release-utils v0.12.2 ) require ( @@ -71,7 +71,7 @@ require ( cloud.google.com/go v0.121.6 // indirect cloud.google.com/go/auth v0.16.5 // indirect cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect - cloud.google.com/go/compute/metadata v0.8.0 // indirect + cloud.google.com/go/compute/metadata v0.8.4 // indirect cloud.google.com/go/iam v1.5.2 // indirect cloud.google.com/go/kms v1.22.0 // indirect cloud.google.com/go/longrunning v0.6.7 // indirect @@ -82,8 +82,8 @@ require ( filippo.io/edwards25519 v1.1.0 // indirect github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 // indirect github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.2 // indirect - github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.11.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 // indirect 
@@ -96,7 +96,7 @@ require ( github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect - github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 // indirect github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3 // indirect github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0 // indirect github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 // indirect @@ -117,8 +117,8 @@ require ( github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect github.com/aws/aws-sdk-go v1.55.8 // indirect github.com/aws/aws-sdk-go-v2 v1.39.0 // indirect - github.com/aws/aws-sdk-go-v2/config v1.31.7 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.18.11 // indirect + github.com/aws/aws-sdk-go-v2/config v1.31.8 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.18.12 // indirect github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.7 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.7 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.7 // indirect 
@@ -127,10 +127,10 @@ require ( github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.7 // indirect - github.com/aws/aws-sdk-go-v2/service/kms v1.45.2 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.29.2 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.3 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.38.3 // indirect + github.com/aws/aws-sdk-go-v2/service/kms v1.45.3 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.29.3 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.4 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.38.4 // indirect github.com/aws/smithy-go v1.23.0 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver v3.5.1+incompatible // indirect diff --git a/go.sum b/go.sum index f4769d10115..03b04ac1eab 100644 --- a/go.sum +++ b/go.sum 
@@ -186,8 +186,8 @@ cloud.google.com/go/compute/metadata v0.1.0/go.mod h1:Z1VN+bulIf6bt4P/C37K4DyZYZ cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM= cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= -cloud.google.com/go/compute/metadata v0.8.0 h1:HxMRIbao8w17ZX6wBnjhcDkW6lTFpgcaobyVfZWqRLA= -cloud.google.com/go/compute/metadata v0.8.0/go.mod h1:sYOGTp851OV9bOFJ9CH7elVvyzopvWQFNNghtDQ/Biw= +cloud.google.com/go/compute/metadata v0.8.4 h1:oXMa1VMQBVCyewMIOm3WQsnVd9FbKBtm8reqWRaXnHQ= +cloud.google.com/go/compute/metadata v0.8.4/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10= cloud.google.com/go/contactcenterinsights v1.3.0/go.mod h1:Eu2oemoePuEFc/xKFPjbTuPSj0fYJcPls9TFlPNnHHY= cloud.google.com/go/contactcenterinsights v1.4.0/go.mod h1:L2YzkGbPsv+vMQMCADxJoT9YiTTnSEd6fEvCeHTYVck= cloud.google.com/go/contactcenterinsights v1.6.0/go.mod h1:IIDlT6CLcDoyv79kDv8iWxMSTZhLxSCofVV5W6YFM/w= 
@@ -635,10 +635,10 @@ github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0/go.mod h1:tlqp9mUGbsP+0z3Q+c0Q5MgSdq/OMwQhm5bffR3Q3ss= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.2 h1:Hr5FTipp7SL07o2FvoVOX9HRiRH3CR3Mj8pxqCcdD5A= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.2/go.mod h1:QyVsSSN64v5TGltphKLQ2sQxe4OBQg0J1eKRcVBnfgE= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.11.0 h1:MhRfI58HblXzCtWEZCO0feHs8LweePB3s90r7WaR1KU= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.11.0/go.mod h1:okZ+ZURbArNdlJ+ptXoyHNuOETzOl1Oww19rm8I2WLA= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1 h1:5YTBM8QDVIBN3sxBil89WfdAAqDZbyJTgh688DSxX5w= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1/go.mod h1:YD5h/ldMsG0XiIw7PdyNhLxaM317eFh5yNLccNfGdyw= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0 h1:wL5IEG5zb7BVv1Kv0Xm92orq+5hB5Nipn3B5tn4Rqfk= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0/go.mod h1:J7MUC/wtRpfGVbQ5sIItY5/FuVWmvzlY21WAOfQnq/I= github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY= github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8= github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA= 
@@ -674,8 +674,8 @@ github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUM github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM= github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE= -github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 h1:oygO0locgZJe7PpYPXT5A29ZkwJaPqcva7BVeemZOZs= -github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= +github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 h1:XkkQbfMyuH2jTSjQjSoihryI8GINRcs4xp8lNawg0FI= +github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU= 
@@ -759,10 +759,10 @@ github.com/aws/aws-sdk-go v1.55.8 h1:JRmEUbU52aJQZ2AjX4q4Wu7t4uZjOu71uyNmaWlUkJQ github.com/aws/aws-sdk-go v1.55.8/go.mod h1:ZkViS9AqA6otK+JBBNH2++sx1sgxrPKcSzPPvQkUtXk= github.com/aws/aws-sdk-go-v2 v1.39.0 h1:xm5WV/2L4emMRmMjHFykqiA4M/ra0DJVSWUkDyBjbg4= github.com/aws/aws-sdk-go-v2 v1.39.0/go.mod h1:sDioUELIUO9Znk23YVmIk86/9DOpkbyyVb1i/gUNFXY= -github.com/aws/aws-sdk-go-v2/config v1.31.7 h1:zS1O6hr6t0nZdBCMFc/c9OyZFyLhXhf/B2IZ9Y0lRQE= -github.com/aws/aws-sdk-go-v2/config v1.31.7/go.mod h1:GpHmi1PQDdL5pP4JaB00pU0ek4EXVcYH7IkjkUadQmM= -github.com/aws/aws-sdk-go-v2/credentials v1.18.11 h1:1Fnb+7Dk96/VYx/uYfzk5sU2V0b0y2RWZROiMZCN/Io= -github.com/aws/aws-sdk-go-v2/credentials v1.18.11/go.mod h1:iuvn9v10dkxU4sDgtTXGWY0MrtkEcmkUmjv4clxhuTc= +github.com/aws/aws-sdk-go-v2/config v1.31.8 h1:kQjtOLlTU4m4A64TsRcqwNChhGCwaPBt+zCQt/oWsHU= +github.com/aws/aws-sdk-go-v2/config v1.31.8/go.mod h1:QPpc7IgljrKwH0+E6/KolCgr4WPLerURiU592AYzfSY= +github.com/aws/aws-sdk-go-v2/credentials v1.18.12 h1:zmc9e1q90wMn8wQbjryy8IwA6Q4XlaL9Bx2zIqdNNbk= +github.com/aws/aws-sdk-go-v2/credentials v1.18.12/go.mod h1:3VzdRDR5u3sSJRI4kYcOSIBbeYsgtVk7dG5R/U6qLWY= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.7 h1:Is2tPmieqGS2edBnmOJIbdvOA6Op+rRpaYR60iBAwXM= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.7/go.mod h1:F1i5V5421EGci570yABvpIXgRIBPb5JM+lSkHF6Dq5w= github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.7 h1:UCxq0X9O3xrlENdKf1r9eRJoKz/b0AfGkpp3a7FPlhg= 
@@ -779,14 +779,14 @@ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 h1:oegbebP github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1/go.mod h1:kemo5Myr9ac0U9JfSjMo9yHLtw+pECEHsFtJ9tqCEI8= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.7 h1:mLgc5QIgOy26qyh5bvW+nDoAppxgn3J2WV3m9ewq7+8= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.7/go.mod h1:wXb/eQnqt8mDQIQTTmcw58B5mYGxzLGZGK8PWNFZ0BA= -github.com/aws/aws-sdk-go-v2/service/kms v1.45.2 h1:8ZT2x7reXVcZ1WTL1ZhbrtHAZ0FDoUckCOfCY3hj1n4= -github.com/aws/aws-sdk-go-v2/service/kms v1.45.2/go.mod h1:EADaLXofJkof++MP9zhzSZ0byBMOZTIRjtJO/ZMuPVE= -github.com/aws/aws-sdk-go-v2/service/sso v1.29.2 h1:rcoTaYOhGE/zfxE1uR6X5fvj+uKkqeCNRE0rBbiQM34= -github.com/aws/aws-sdk-go-v2/service/sso v1.29.2/go.mod h1:Ql6jE9kyyWI5JHn+61UT/Y5Z0oyVJGmgmJbZD5g4unY= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.3 h1:BSIfeFtU9tlSt8vEYS7KzurMoAuYzYPWhcZiMtxVf2M= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.3/go.mod h1:XclEty74bsGBCr1s0VSaA11hQ4ZidK4viWK7rRfO88I= -github.com/aws/aws-sdk-go-v2/service/sts v1.38.3 h1:yEiZ0ztgji2GsCb/6uQSITXcGdtmWMfLRys0jJFiUkc= -github.com/aws/aws-sdk-go-v2/service/sts v1.38.3/go.mod h1:Z+Gd23v97pX9zK97+tX4ppAgqCt3Z2dIXB02CtBncK8= +github.com/aws/aws-sdk-go-v2/service/kms v1.45.3 h1:hp7qDEQkW3IwV5eaTy2inECTgRHo0o/vgIVxq+ydNiU= +github.com/aws/aws-sdk-go-v2/service/kms v1.45.3/go.mod h1:EADaLXofJkof++MP9zhzSZ0byBMOZTIRjtJO/ZMuPVE= +github.com/aws/aws-sdk-go-v2/service/sso v1.29.3 h1:7PKX3VYsZ8LUWceVRuv0+PU+E7OtQb1lgmi5vmUE9CM= +github.com/aws/aws-sdk-go-v2/service/sso v1.29.3/go.mod h1:Ql6jE9kyyWI5JHn+61UT/Y5Z0oyVJGmgmJbZD5g4unY= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.4 h1:e0XBRn3AptQotkyBFrHAxFB8mDhAIOfsG+7KyJ0dg98= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.4/go.mod h1:XclEty74bsGBCr1s0VSaA11hQ4ZidK4viWK7rRfO88I= +github.com/aws/aws-sdk-go-v2/service/sts v1.38.4 
h1:PR00NXRYgY4FWHqOGx3fC3lhVKjsp1GdloDv2ynMSd8= +github.com/aws/aws-sdk-go-v2/service/sts v1.38.4/go.mod h1:Z+Gd23v97pX9zK97+tX4ppAgqCt3Z2dIXB02CtBncK8= github.com/aws/smithy-go v1.23.0 h1:8n6I3gXzWJB2DxBDnfxgBaSX6oe0d/t10qGz7OKqMCE= github.com/aws/smithy-go v1.23.0/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 h1:6lMw4/QGLFPvbKQ0eri/9Oh3YX5Nm6BPrUlZR8yuJHg= @@ -797,8 +797,8 @@ github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdn github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= -github.com/buildkite/agent/v3 v3.107.0 h1:qZRP5SxlhngI0RpfuIAF7ikZUrx1aZ2FwqWv1Y59Brk= -github.com/buildkite/agent/v3 v3.107.0/go.mod h1:K/ooiPwl4JvSSyOvI710R9oY8uNHQtKZKqCnxC5fOog= +github.com/buildkite/agent/v3 v3.107.2 h1:f04MkWVwSro9iwzCgfPsMsKEIY3Pm0TGp6M8dP3lQgk= +github.com/buildkite/agent/v3 v3.107.2/go.mod h1:6m3kUdqUKwcJDx8J/8w/eX5df73ak7zKfHR0uYpgFag= github.com/buildkite/go-pipeline v0.16.0 h1:wEgWUMRAgSg1ZnWOoA3AovtYYdTvN0dLY1zwUWmPP+4= github.com/buildkite/go-pipeline v0.16.0/go.mod h1:VE37qY3X5pmAKKUMoDZvPsHOQuyakB9cmXj9Qn6QasA= github.com/buildkite/interpolate v0.1.5 h1:v2Ji3voik69UZlbfoqzx+qfcsOKLA61nHdU79VV+tPU= 
@@ -2365,8 +2365,8 @@ k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA= k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts= -k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y= -k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d h1:wAhiDyZ4Tdtt7e46e9M5ZSAJ/MnPGPs+Ki1gHw4w1R0= +k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk= lukechampine.com/uint128 v1.2.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk= modernc.org/cc/v3 v3.36.0/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI= 
@@ -2409,8 +2409,8 @@ sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7np sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= -sigs.k8s.io/release-utils v0.12.1 h1:3p9w137wBTTApHlL8izdJHcCuaBe8wZhQz+B0QIAaBE= -sigs.k8s.io/release-utils v0.12.1/go.mod h1:0z7JOb7iQcuDQcemQw5CSVrkH8evRHY0DMMjcyRB1e4= +sigs.k8s.io/release-utils v0.12.2 h1:H06v3FuLElAkf7Ikkd9ll8hnhdtQ+OgktJAni3iIAl8= +sigs.k8s.io/release-utils v0.12.2/go.mod h1:Ab9Lb/FpGUw4lUXj1QYbUcF2TRzll+GS7Md54W1G7sA= sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco= sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= From 2ec2734e8407ea90ea36103a882b3be2195567eb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Sep 2025 12:54:17 +0200 Subject: [PATCH 085/136] chore(deps): bump google.golang.org/api from 0.249.0 to 0.250.0 (#4432) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.249.0 to 0.250.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.249.0...v0.250.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.250.0 dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index e516c6fb496..9a910267392 100644 --- a/go.mod +++ b/go.mod @@ -57,7 +57,7 @@ require ( golang.org/x/oauth2 v0.31.0 golang.org/x/sync v0.17.0 golang.org/x/term v0.35.0 - google.golang.org/api v0.249.0 + google.golang.org/api v0.250.0 google.golang.org/protobuf v1.36.9 k8s.io/api v0.34.1 k8s.io/apimachinery v0.34.1 @@ -314,7 +314,7 @@ require ( golang.org/x/tools v0.36.0 // indirect google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20250908214217-97024824d090 // indirect google.golang.org/grpc v1.75.1 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index 03b04ac1eab..0f33dd83411 100644 --- a/go.sum +++ b/go.sum 
@@ -2109,8 +2109,8 @@ google.golang.org/api v0.108.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/ google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI= google.golang.org/api v0.111.0/go.mod h1:qtFHvU9mhgTJegR31csQ+rwxyUTHOKFqCKWp1J0fdw0= google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg= -google.golang.org/api v0.249.0 h1:0VrsWAKzIZi058aeq+I86uIXbNhm9GxSHpbmZ92a38w= -google.golang.org/api v0.249.0/go.mod h1:dGk9qyI0UYPwO/cjt2q06LG/EhUpwZGdAbYF14wHHrQ= +google.golang.org/api v0.250.0 h1:qvkwrf/raASj82UegU2RSDGWi/89WkLckn4LuO4lVXM= +google.golang.org/api v0.250.0/go.mod h1:Y9Uup8bDLJJtMzJyQnu+rLRJLA0wn+wTtc6vTlOvfXo= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -2254,8 +2254,8 @@ google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuO google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s= google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 h1:BIRfGDEjiHRrk0QKZe3Xv2ieMhtgRGeLcZQ0mIVn4EY= google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5/go.mod h1:j3QtIyytwqGr1JUDtYXwtMXWPKsEa5LtzIFN1Wn5WvE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 h1:eaY8u2EuxbRv7c3NiGK0/NedzVsCcV6hDuU5qPX5EGE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5/go.mod h1:M4/wBTSeyLxupu3W3tJtOgB14jILAS/XWPSSa3TAlJc= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250908214217-97024824d090 h1:/OQuEa4YWtDt7uQWHd3q3sUMb+QOLQUg1xa8CEsRv5w= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250908214217-97024824d090/go.mod h1:GmFNa4BdJZ2a8G+wCe9Bg3wwThLrJun751XstdJt5Og= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= From 544d76a7098565aea9a77ab8e9ca60e5ea825d82 Mon Sep 17 00:00:00 2001 From: Hayden Date: Thu, 2 Oct 2025 12:01:09 -0700 Subject: [PATCH 086/136] Create changelog for v2.6.1 (#4439) Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1999cb9d782..95a53ce575a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,10 @@ +# v2.6.1 + +## Bug Fixes + +* Partially populate the output of cosign verify when working with new bundles (#4416) +* Bump sigstore-go, move conformance back to tagged release (#4426) + # v2.6.0 v2.6.0 introduces a number of new features, including: From 479a0c128bf6721779fa1a8da10e1ed27f51758b Mon Sep 17 00:00:00 2001 From: Hayden Date: Tue, 7 Oct 2025 08:52:47 -0700 Subject: [PATCH 087/136] Fetch service URLs from the TUF PGI signing config by default (#4428) * Fetch service URLs from the TUF PGI signing config by default This will also use sigstore-go's signing API by default. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * Fetch service URLs from the TUF PGI signing config by default This will also use sigstore-go's signing API by default. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --------- Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --- .github/workflows/e2e-with-binary.yml | 20 ++------------- .../workflows/kind-verify-attestation.yaml | 25 +++++++++++++------ cmd/cosign/cli/attest.go | 12 ++++----- cmd/cosign/cli/attest_blob.go | 12 ++++----- cmd/cosign/cli/options/attest.go | 3 +-- cmd/cosign/cli/options/attest_blob.go | 3 +-- cmd/cosign/cli/options/sign.go | 3 +-- cmd/cosign/cli/options/signblob.go | 3 +-- cmd/cosign/cli/sign.go | 12 ++++----- cmd/cosign/cli/signblob.go | 12 ++++----- doc/cosign_attest-blob.md | 2 +- doc/cosign_attest.md | 2 +- doc/cosign_sign-blob.md | 2 +- doc/cosign_sign.md | 2 +- 14 files changed, 52 insertions(+), 61 deletions(-) diff --git a/.github/workflows/e2e-with-binary.yml b/.github/workflows/e2e-with-binary.yml index cb233b3f1a8..220afe70229 100644 --- a/.github/workflows/e2e-with-binary.yml +++ b/.github/workflows/e2e-with-binary.yml 
@@ -66,23 +66,7 @@ jobs:
 run: |
 set -e
 make cosign
- ./cosign sign-blob --output-certificate certificate.pem --output-signature README.md.sig README.md
-
- if [ -s certificate.pem ]
- then
- echo "all good for key.pem"
- else
- echo "file does not exist, or is empty"
- exit 1
- fi
-
- if [ -s README.md.sig ]
- then
- exit 0
- else
- echo "file does not exist, or is empty"
- exit 1
- fi
+ ./cosign sign-blob --bundle sigstore.json --yes README.md
 
 # Verify with sign-blob
- ./cosign verify-blob README.md --certificate certificate.pem --signature README.md.sig
+ ./cosign verify-blob --bundle sigstore.json --certificate-identity-regexp ".*" --certificate-oidc-issuer-regexp ".*" README.md
diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml
index eede28c4d21..5b517f090aa 100644
--- a/.github/workflows/kind-verify-attestation.yaml
+++ b/.github/workflows/kind-verify-attestation.yaml
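Review bot: The new verify-blob line accepts any signer, because `--certificate-identity-regexp ".*"` and `--certificate-oidc-issuer-regexp ".*"` match every Fulcio certificate, so the step now only proves the bundle is internally consistent, not that it was issued to this workflow's identity. The sign step runs with whatever ambient OIDC token the job has (presumably GitHub Actions; the token source is not visible here), so the check can be pinned instead: `--certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/<org>/<repo>/\.github/workflows/e2e-with-binary\.yml@'`. If the intent is deliberately to exercise only bundle creation and verification, record that above the line, e.g. `# identity deliberately unconstrained: this step only exercises bundle plumbing`. The enclosing step (`- name:` and the start of `run: |`) begins before the hunk.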
@@ -120,23 +120,34 @@ jobs: REPOSITORY=${PWD}/repository ./cosign initialize --root ${ROOT} --mirror file://${REPOSITORY} - - name: Set trustedroot + - name: Set TrustedRoot run: | trustedroot=$(find ./repository/targets -name "*.trusted_root.json") echo "trustedroot=$trustedroot" >> $GITHUB_ENV + - name: Create SigningConfig + run: | + ./cosign signing-config create \ + --fulcio="url=${FULCIO_URL},api-version=1,start-time=2024-01-01T00:00:00Z,operator=sigstore.dev" \ + --rekor="url=${REKOR_URL},api-version=1,start-time=2024-01-01T00:00:00Z,operator=sigstore.dev" \ + --rekor-config="ANY" \ + --tsa="url=${TSA_URL}/api/v1/timestamp,api-version=1,start-time=2024-01-01T00:00:00Z,operator=sigstore.dev" \ + --tsa-config="EXACT:1" \ + --out signingconfig.json + echo "signingconfig=signingconfig.json" >> $GITHUB_ENV + - name: Sign demoimage with cosign run: | - ./cosign sign --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --yes --allow-insecure-registry ${demoimage} --identity-token ${OIDC_TOKEN} + ./cosign sign --signing-config=${signingconfig} --trusted-root=${trustedroot} --yes --allow-insecure-registry ${demoimage} --identity-token ${OIDC_TOKEN} - name: Create attestation for it run: | echo -n 'foobar e2e test' > ./predicate-file - ./cosign attest --predicate ./predicate-file --fulcio-url ${FULCIO_URL} --rekor-url ${REKOR_URL} --allow-insecure-registry --yes ${demoimage} --identity-token ${OIDC_TOKEN} + ./cosign attest --predicate ./predicate-file --signing-config=${signingconfig} --trusted-root=${trustedroot} --allow-insecure-registry --yes ${demoimage} --identity-token ${OIDC_TOKEN} - name: Sign a blob run: | - ./cosign sign-blob README.md --fulcio-url ${FULCIO_URL} --rekor-url ${REKOR_URL} --bundle blob.sigstore.json --yes --identity-token ${OIDC_TOKEN} + ./cosign sign-blob README.md --signing-config=${signingconfig} --trusted-root=${trustedroot} --bundle blob.sigstore.json --yes --identity-token ${OIDC_TOKEN} - name: Verify with cosign run: | 
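Review bot: The new `Create SigningConfig` step carries no comment saying why it now exists, and a reader has to reconstruct from the rest of the patch that `--use-signing-config` defaults to true, so signing without an explicit `--signing-config` would presumably resolve service URLs from the TUF-provided public-instance signing config rather than the kind-local Fulcio, Rekor and TSA (the fallback path is not visible in this hunk). A one-line comment on the step would record that: `# Point signing at the in-cluster services; without this the default --use-signing-config would use the TUF signing config's public URLs`. It is also worth noting beside `--tsa-config="EXACT:1"` that signing now hard-fails when the local TSA is unreachable, which is the desired behaviour for this test. The step list continues outside the hunk.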
@@ -145,7 +156,7 @@ jobs: - name: Verify custom attestation with cosign, works run: | echo '::group:: test custom verify-attestation success' - if ! ./cosign verify-attestation --trusted-root=${trustedroot} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" --policy ./test/testdata/policies/cue-works.cue --rekor-url ${REKOR_URL} --allow-insecure-registry ${demoimage} ; then + if ! ./cosign verify-attestation --trusted-root=${trustedroot} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" --policy ./test/testdata/policies/cue-works.cue --allow-insecure-registry ${demoimage} ; then echo Failed to verify attestation with a valid policy exit 1 else @@ -156,7 +167,7 @@ jobs: - name: Verify custom attestation with cosign, fails run: | echo '::group:: test custom verify-attestation success' - if ./cosign verify-attestation --trusted-root=${trustedroot} --policy ./test/testdata/policies/cue-fails.cue --rekor-url ${REKOR_URL} --allow-insecure-registry ${demoimage} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then + if ./cosign verify-attestation --trusted-root=${trustedroot} --policy ./test/testdata/policies/cue-fails.cue --allow-insecure-registry ${demoimage} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then echo custom verify-attestation succeeded with cue policy that should not work exit 1 else 
@@ -174,7 +185,7 @@ jobs: - name: Create vuln attestation for it run: | - ./cosign attest --predicate ./test/testdata/attestations/vuln-predicate.json --type vuln --fulcio-url ${FULCIO_URL} --rekor-url ${REKOR_URL} --allow-insecure-registry --yes ${demoimage} --identity-token ${OIDC_TOKEN} + ./cosign attest --predicate ./test/testdata/attestations/vuln-predicate.json --type vuln --signing-config=${signingconfig} --trusted-root=${trustedroot} --allow-insecure-registry --yes ${demoimage} --identity-token ${OIDC_TOKEN} - name: Verify vuln attestation with cosign, works run: | diff --git a/cmd/cosign/cli/attest.go b/cmd/cosign/cli/attest.go index bcb0f1cad37..1f66292628a 100644 --- a/cmd/cosign/cli/attest.go +++ b/cmd/cosign/cli/attest.go @@ -131,16 +131,16 @@ func Attest() *cobra.Command { } } } - if o.UseSigningConfig { - ko.SigningConfig, err = cosign.SigningConfig() - if err != nil { - return fmt.Errorf("error getting signing config from TUF: %w", err) - } - } else if o.SigningConfigPath != "" { + if o.SigningConfigPath != "" { ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath) if err != nil { return fmt.Errorf("error reading signing config from file: %w", err) } + } else if o.UseSigningConfig { + ko.SigningConfig, err = cosign.SigningConfig() + if err != nil { + return fmt.Errorf("error getting signing config from TUF: %w", err) + } } attestCommand := attest.AttestCommand{ diff --git a/cmd/cosign/cli/attest_blob.go b/cmd/cosign/cli/attest_blob.go index 70f48f75b6d..454a02b9523 100644 --- a/cmd/cosign/cli/attest_blob.go +++ b/cmd/cosign/cli/attest_blob.go 
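Review bot: The reordered chain at `if o.SigningConfigPath != "" { ... } else if o.UseSigningConfig {` makes a file-based signing config win over the TUF-fetched one, which matters now that `--use-signing-config` defaults to true elsewhere in this patch, but nothing in the hunk records that precedence or tells the user which source of service URLs was actually used. A short comment above the branch would make the intent explicit: `// An explicit --signing-config file takes precedence over the TUF-provided config, which is now enabled by default.` If `cmd` is in scope here (the enclosing `Attest()` body starts outside the hunk), it may also be worth rejecting the ambiguous combination of an explicit `--use-signing-config=true` (cobra's `cmd.Flags().Changed("use-signing-config")`) together with `--signing-config`, rather than silently ignoring the former.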
@@ -119,16 +119,16 @@ func AttestBlob() *cobra.Command { } } } - if o.UseSigningConfig { - ko.SigningConfig, err = cosign.SigningConfig() - if err != nil { - return fmt.Errorf("error getting signing config from TUF: %w", err) - } - } else if o.SigningConfigPath != "" { + if o.SigningConfigPath != "" { ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath) if err != nil { return fmt.Errorf("error reading signing config from file: %w", err) } + } else if o.UseSigningConfig { + ko.SigningConfig, err = cosign.SigningConfig() + if err != nil { + return fmt.Errorf("error getting signing config from TUF: %w", err) + } } v := attest.AttestBlobCommand{ diff --git a/cmd/cosign/cli/options/attest.go b/cmd/cosign/cli/options/attest.go index a1f3a664bfc..4c2280e037e 100644 --- a/cmd/cosign/cli/options/attest.go +++ b/cmd/cosign/cli/options/attest.go @@ -116,8 +116,7 @@ func (o *AttestOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", true, "attach a Sigstore bundle using OCI referrers API") - // TODO: have this default to true as a breaking change - cmd.Flags().BoolVar(&o.UseSigningConfig, "use-signing-config", false, + cmd.Flags().BoolVar(&o.UseSigningConfig, "use-signing-config", true, "whether to use a TUF-provided signing config for the service URLs. Must set --new-bundle-format, which will store verification material in the new format") cmd.Flags().StringVar(&o.SigningConfigPath, "signing-config", "", diff --git a/cmd/cosign/cli/options/attest_blob.go b/cmd/cosign/cli/options/attest_blob.go index 4f38ddb9112..4d906605c2e 100644 --- a/cmd/cosign/cli/options/attest_blob.go +++ b/cmd/cosign/cli/options/attest_blob.go 
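Review bot: The help string for `--use-signing-config` in `AddFlags` still reads as if the flag were opt-in, while this hunk flips its default to true and the sibling `attest.go`/`attest_blob.go` hunks make an explicit `--signing-config` path override it; neither fact is visible to a user reading `--help` beyond cobra's appended "(default true)". Suggest spelling out the precedence in the flag text, e.g. `"whether to use a TUF-provided signing config for the service URLs. Ignored when --signing-config is set. Must set --new-bundle-format, which will store verification material in the new format"`. The same wording applies to the matching flag definitions in the `attest_blob`, `sign` and `signblob` options files changed by this patch. `AddFlags` begins outside the hunk.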
@@ -101,8 +101,7 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", true, "output bundle in new format that contains all verification material") - // TODO: have this default to true as a breaking change - cmd.Flags().BoolVar(&o.UseSigningConfig, "use-signing-config", false, + cmd.Flags().BoolVar(&o.UseSigningConfig, "use-signing-config", true, "whether to use a TUF-provided signing config for the service URLs. Must provide --bundle, which will output verification material in the new format") cmd.Flags().StringVar(&o.SigningConfigPath, "signing-config", "", diff --git a/cmd/cosign/cli/options/sign.go b/cmd/cosign/cli/options/sign.go index 028cb9a82ae..0165e13f430 100644 --- a/cmd/cosign/cli/options/sign.go +++ b/cmd/cosign/cli/options/sign.go @@ -144,8 +144,7 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", true, "expect the signature/attestation to be packaged in a Sigstore bundle") - // TODO: have this default to true as a breaking change - cmd.Flags().BoolVar(&o.UseSigningConfig, "use-signing-config", false, + cmd.Flags().BoolVar(&o.UseSigningConfig, "use-signing-config", true, "whether to use a TUF-provided signing config for the service URLs. Must set --new-bundle-format, which will store verification material in the new format") cmd.Flags().StringVar(&o.SigningConfigPath, "signing-config", "", diff --git a/cmd/cosign/cli/options/signblob.go b/cmd/cosign/cli/options/signblob.go index bf07bdcfed6..4d4b505cfb2 100644 --- a/cmd/cosign/cli/options/signblob.go +++ b/cmd/cosign/cli/options/signblob.go 
@@ -84,8 +84,7 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", true, "output bundle in new format that contains all verification material") - // TODO: have this default to true as a breaking change - cmd.Flags().BoolVar(&o.UseSigningConfig, "use-signing-config", false, + cmd.Flags().BoolVar(&o.UseSigningConfig, "use-signing-config", true, "whether to use a TUF-provided signing config for the service URLs. Must provide --bundle, which will output verification material in the new format") cmd.Flags().StringVar(&o.SigningConfigPath, "signing-config", "", diff --git a/cmd/cosign/cli/sign.go b/cmd/cosign/cli/sign.go index 914278d53de..b10034cbb09 100644 --- a/cmd/cosign/cli/sign.go +++ b/cmd/cosign/cli/sign.go @@ -161,16 +161,16 @@ race conditions or (worse) malicious tampering. } } } - if o.UseSigningConfig { - ko.SigningConfig, err = cosign.SigningConfig() - if err != nil { - return fmt.Errorf("error getting signing config from TUF: %w", err) - } - } else if o.SigningConfigPath != "" { + if o.SigningConfigPath != "" { ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath) if err != nil { return fmt.Errorf("error reading signing config from file: %w", err) } + } else if o.UseSigningConfig { + ko.SigningConfig, err = cosign.SigningConfig() + if err != nil { + return fmt.Errorf("error getting signing config from TUF: %w", err) + } } if err := sign.SignCmd(ro, ko, *o, args); err != nil { diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go index de9ae339628..5ad293030c1 100644 --- a/cmd/cosign/cli/signblob.go +++ b/cmd/cosign/cli/signblob.go 
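Review bot: With `--use-signing-config` defaulting to true, the `cosign.SigningConfig()` call in the new `else if o.UseSigningConfig` branch of `sign.go` now runs on every plain `cosign sign` invocation, so a TUF fetch failure becomes a hard error for users who previously never touched signing configs, and the message gives them no way out. Consider pointing at the escape hatches in the error itself: `return fmt.Errorf("error getting signing config from TUF (pass --signing-config <file> or --use-signing-config=false to override): %w", err)`. How this branch interacts with legacy `--fulcio-url`/`--rekor-url` flags is not visible in the hunk; if those are still honoured, a comment stating which source wins would help maintainers. The enclosing `RunE` body starts outside the hunk.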
@@ -129,16 +129,16 @@ func SignBlob() *cobra.Command { } } } - if o.UseSigningConfig { - ko.SigningConfig, err = cosign.SigningConfig() - if err != nil { - return fmt.Errorf("error getting signing config from TUF: %w", err) - } - } else if o.SigningConfigPath != "" { + if o.SigningConfigPath != "" { ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath) if err != nil { return fmt.Errorf("error reading signing config from file: %w", err) } + } else if o.UseSigningConfig { + ko.SigningConfig, err = cosign.SigningConfig() + if err != nil { + return fmt.Errorf("error getting signing config from TUF: %w", err) + } } for _, blob := range args { diff --git a/doc/cosign_attest-blob.md b/doc/cosign_attest-blob.md index 679d04b13d6..126f3f1444d 100644 --- a/doc/cosign_attest-blob.md +++ b/doc/cosign_attest-blob.md @@ -70,7 +70,7 @@ cosign attest-blob [flags] --tlog-upload whether or not to upload to the tlog (default true) --trusted-root string optional path to a TrustedRoot JSON file to verify a signature after signing --type string specify a predicate type (slsaprovenance|slsaprovenance02|slsaprovenance1|link|spdx|spdxjson|cyclonedx|vuln|openvex|custom) or an URI (default "custom") - --use-signing-config whether to use a TUF-provided signing config for the service URLs. Must provide --bundle, which will output verification material in the new format + --use-signing-config whether to use a TUF-provided signing config for the service URLs. Must provide --bundle, which will output verification material in the new format (default true) -y, --yes skip confirmation prompts for non-destructive operations ``` diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md index ae47750dc5e..b13c2f4f430 100644 --- a/doc/cosign_attest.md +++ b/doc/cosign_attest.md 
@@ -93,7 +93,7 @@ cosign attest [flags] --tlog-upload whether or not to upload to the tlog (default true) --trusted-root string optional path to a TrustedRoot JSON file to verify a signature after signing --type string specify a predicate type (slsaprovenance|slsaprovenance02|slsaprovenance1|link|spdx|spdxjson|cyclonedx|vuln|openvex|custom) or an URI (default "custom") - --use-signing-config whether to use a TUF-provided signing config for the service URLs. Must set --new-bundle-format, which will store verification material in the new format + --use-signing-config whether to use a TUF-provided signing config for the service URLs. Must set --new-bundle-format, which will store verification material in the new format (default true) -y, --yes skip confirmation prompts for non-destructive operations ``` diff --git a/doc/cosign_sign-blob.md b/doc/cosign_sign-blob.md index 1b16b93c21f..4135f3aac22 100644 --- a/doc/cosign_sign-blob.md +++ b/doc/cosign_sign-blob.md @@ -67,7 +67,7 @@ cosign sign-blob [flags] --timestamp-server-url string url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr --tlog-upload whether or not to upload to the tlog (default true) --trusted-root string optional path to a TrustedRoot JSON file to verify a signature after signing - --use-signing-config whether to use a TUF-provided signing config for the service URLs. Must provide --bundle, which will output verification material in the new format + --use-signing-config whether to use a TUF-provided signing config for the service URLs. Must provide --bundle, which will output verification material in the new format (default true) -y, --yes skip confirmation prompts for non-destructive operations ``` diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md index 51f89871af3..7aba9c920dd 100644 --- a/doc/cosign_sign.md +++ b/doc/cosign_sign.md 
@@ -121,7 +121,7 @@ cosign sign [flags] --tlog-upload whether or not to upload to the tlog (default true) --trusted-root string optional path to a TrustedRoot JSON file to verify a signature after signing --upload whether to upload the signature (default true) - --use-signing-config whether to use a TUF-provided signing config for the service URLs. Must set --new-bundle-format, which will store verification material in the new format + --use-signing-config whether to use a TUF-provided signing config for the service URLs. Must set --new-bundle-format, which will store verification material in the new format (default true) -y, --yes skip confirmation prompts for non-destructive operations ``` From 9b4b74c497119b5c28b6ca60e9c1ff15bbd7164a Mon Sep 17 00:00:00 2001 From: Hayden Date: Tue, 7 Oct 2025 09:02:53 -0700 Subject: [PATCH 088/136] Create changelog for v3.0.0 (#4440) Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --- CHANGELOG.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 95a53ce575a..928852ccfd7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,25 @@ +# v3.0.0 + +Announcing the next major release of Cosign! + +Cosign v3 is a minor change from Cosign v2.6.x, with all of the new capabilities of recent +releases **on by default**, but will still allow you to disable them if you need the older functionality. +These new features include support for the standardized bundle format (`--new-bundle-fomat`), providing roots +of trust for verification and service URLs for signing via one file (`--trusted-root`, `--signing-config`), +and container signatures stored as an OCI Image 1.1 referring artifact. + +Learn more on our [v3 announcement blog post](https://blog.sigstore.dev/cosign-3-0-available/)! See +the changelogs for [v2.6.0](#v260), [v2.5.0](#v250), and [v2.4.0](#v240) for more information on recent +changes. + +If you have any feedback, please reach out on Slack or file an issue on GitHub. + +## Changes + +* Default to using the new protobuf format (#4318) +* Fetch service URLs from the TUF PGI signing config by default (#4428) +* Bump module version to v3 for Cosign v3.0 (#4427) + # v2.6.1 ## Bug Fixes From af194232f294a910d540f9ff8c9ff0db48c47523 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Tue, 7 Oct 2025 17:42:50 -0400 Subject: [PATCH 089/136] update goreleaser config for v3.0.0 release (#4446) * update goreleaser config for v3.0.0 release Signed-off-by: Bob Callaway * specify signature Signed-off-by: Bob Callaway --------- Signed-off-by: Bob Callaway --- .goreleaser.yml | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/.goreleaser.yml b/.goreleaser.yml index f9ad566f9d4..0f378d2b379 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
@@ -153,28 +153,25 @@ builds: signs: - id: cosign - signature: "${artifact}.sig" cmd: ./dist/cosign-linux-amd64 - args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"] + args: ["sign-blob", "--bundle", "${signature}", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"] + signature: "${artifact}.sigstore.json" artifacts: binary # Keyless - id: cosign-keyless - signature: "${artifact}-keyless.sig" - certificate: "${artifact}-keyless.pem" cmd: ./dist/cosign-linux-amd64 - args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"] + args: ["sign-blob", "--bundle", "${signature}", "${artifact}"] + signature: "${artifact}.sigstore.json" artifacts: binary - id: checksum-keyless - signature: "${artifact}-keyless.sig" - certificate: "${artifact}-keyless.pem" cmd: ./dist/cosign-linux-amd64 - args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"] + args: ["sign-blob", "--bundle", "${signature}", "${artifact}"] + signature: "${artifact}.sigstore.json" artifacts: checksum - id: packages-keyless - signature: "${artifact}-keyless.sig" - certificate: "${artifact}-keyless.pem" cmd: ./dist/cosign-linux-amd64 - args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"] + args: ["sign-blob", "--bundle", "${signature}", "${artifact}"] + signature: "${artifact}.sigstore.json" artifacts: package nfpms: From 18f981e04b092593cb12a4d6982dfd19deca758a Mon Sep 17 00:00:00 2001 
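Review bot: The `cosign` (KMS-key) and `cosign-keyless` signers both target `artifacts: binary` and now both declare `signature: "${artifact}.sigstore.json"`, so whichever runs second overwrites the other's bundle; the old config kept them apart with `.sig` versus `-keyless.sig`. Unless goreleaser disambiguates by id (nothing in this config suggests it does), the keyless entries should keep a distinct suffix, e.g. `signature: "${artifact}-keyless.sigstore.json"` with `args: ["sign-blob", "--bundle", "${signature}", "${artifact}"]` unchanged, and the same suffix applied to `checksum-keyless` and `packages-keyless` for consistency. Release verification docs that referenced the `.sig`/`.pem` pairs will also need to switch to `cosign verify-blob --bundle`.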
From: Bob Callaway Date: Tue, 7 Oct 2025 18:15:25 -0400 Subject: [PATCH 090/136] update CL for v3.0.1 release (#4447) Signed-off-by: Bob Callaway --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 928852ccfd7..c509083699b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,13 @@ +# v3.0.1 + +v3.0.1 is an equivalent release to v3.0.0, which was never published due to a failure in our CI workflows. + +* Note that the `--bundle` flag specifying an output file to write the Sigstore bundle (which contains all relevant verification material) has moved from optional to required in v3. + +## Changes + +* update goreleaser config for v3.0.0 release (#4446) + # v3.0.0 Announcing the next major release of Cosign! From 9fee551d083c5e249e61efa2239a83a9fe050d47 Mon Sep 17 00:00:00 2001 From: Colleen Murphy Date: Thu, 9 Oct 2025 11:47:54 -0700 Subject: [PATCH 091/136] Update rekor-tiles version path The rekor-tiles package is starting at version 2.0. There are no interface changes with this version change. Signed-off-by: Colleen Murphy --- cmd/cosign/cli/trustedroot/trustedroot.go | 2 +- go.mod | 31 ++++++------ go.sum | 62 ++++++++++++----------- 3 files changed, 49 insertions(+), 46 deletions(-) diff --git a/cmd/cosign/cli/trustedroot/trustedroot.go b/cmd/cosign/cli/trustedroot/trustedroot.go index b51198f80ef..f17041ac4f3 100644 --- a/cmd/cosign/cli/trustedroot/trustedroot.go +++ b/cmd/cosign/cli/trustedroot/trustedroot.go @@ -31,7 +31,7 @@ import ( "time" "github.com/sigstore/cosign/v3/pkg/cosign" - "github.com/sigstore/rekor-tiles/pkg/note" + "github.com/sigstore/rekor-tiles/v2/pkg/note" "github.com/sigstore/sigstore-go/pkg/root" "github.com/sigstore/sigstore/pkg/cryptoutils" ) diff --git a/go.mod b/go.mod index 9a910267392..6484be6f9bd 100644 --- a/go.mod +++ b/go.mod 
@@ -36,7 +36,7 @@ require ( github.com/sigstore/fulcio v1.7.1 github.com/sigstore/protobuf-specs v0.5.0 github.com/sigstore/rekor v1.4.2 - github.com/sigstore/rekor-tiles v0.1.11 + github.com/sigstore/rekor-tiles/v2 v2.0.0-rc2 github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3 github.com/sigstore/sigstore-go v1.1.3 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 @@ -57,8 +57,8 @@ require ( golang.org/x/oauth2 v0.31.0 golang.org/x/sync v0.17.0 golang.org/x/term v0.35.0 - google.golang.org/api v0.250.0 - google.golang.org/protobuf v1.36.9 + google.golang.org/api v0.251.0 + google.golang.org/protobuf v1.36.10 k8s.io/api v0.34.1 k8s.io/apimachinery v0.34.1 k8s.io/client-go v0.34.1 @@ -71,13 +71,13 @@ require ( cloud.google.com/go v0.121.6 // indirect cloud.google.com/go/auth v0.16.5 // indirect cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect - cloud.google.com/go/compute/metadata v0.8.4 // indirect + cloud.google.com/go/compute/metadata v0.9.0 // indirect cloud.google.com/go/iam v1.5.2 // indirect - cloud.google.com/go/kms v1.22.0 // indirect + cloud.google.com/go/kms v1.23.0 // indirect cloud.google.com/go/longrunning v0.6.7 // indirect cloud.google.com/go/monitoring v1.24.2 // indirect - cloud.google.com/go/spanner v1.84.1 // indirect - cloud.google.com/go/storage v1.56.1 // indirect + cloud.google.com/go/spanner v1.86.0 // indirect + cloud.google.com/go/storage v1.57.0 // indirect cuelabs.dev/go/oci/ociregistry v0.0.0-20250715075730-49cab49c8e9d // indirect filippo.io/edwards25519 v1.1.0 // indirect github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 // indirect 
@@ -99,8 +99,8 @@ require ( github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 // indirect github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3 // indirect github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0 // indirect - github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 // indirect - github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0 // indirect + github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.54.0 // indirect + github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.54.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect github.com/agnivade/levenshtein v1.2.1 // indirect github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect @@ -201,7 +201,7 @@ require ( github.com/google/uuid v1.6.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect github.com/googleapis/gax-go/v2 v2.15.0 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect @@ -263,6 +263,7 @@ require ( github.com/segmentio/asm v1.2.0 // indirect github.com/segmentio/ksuid v1.0.4 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect + github.com/sigstore/rekor-tiles v0.1.11 // indirect github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect 
@@ -280,7 +281,7 @@ require ( github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/tjfoc/gmsm v1.4.1 // indirect github.com/transparency-dev/formats v0.0.0-20250421220931-bb8ad4d07c26 // indirect - github.com/transparency-dev/tessera v1.0.0-rc3 // indirect + github.com/transparency-dev/tessera v1.0.0 // indirect github.com/urfave/negroni v1.0.0 // indirect github.com/valyala/fastjson v1.6.4 // indirect github.com/vbatts/tar-split v0.12.1 // indirect @@ -293,7 +294,7 @@ require ( go.opencensus.io v0.24.0 // indirect go.opentelemetry.io/auto/sdk v1.2.1 // indirect go.opentelemetry.io/contrib/detectors/gcp v1.38.0 // indirect - go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect go.opentelemetry.io/otel v1.38.0 // indirect go.opentelemetry.io/otel/metric v1.38.0 // indirect @@ -312,9 +313,9 @@ require ( golang.org/x/text v0.29.0 // indirect golang.org/x/time v0.13.0 // indirect golang.org/x/tools v0.36.0 // indirect - google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20250908214217-97024824d090 // indirect + google.golang.org/genproto v0.0.0-20250922171735-9219d122eba9 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20250929231259-57b25ae835d4 // indirect google.golang.org/grpc v1.75.1 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index 0f33dd83411..c6064a9c65e 100644 --- a/go.sum +++ b/go.sum 
@@ -186,8 +186,8 @@ cloud.google.com/go/compute/metadata v0.1.0/go.mod h1:Z1VN+bulIf6bt4P/C37K4DyZYZ cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM= cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= -cloud.google.com/go/compute/metadata v0.8.4 h1:oXMa1VMQBVCyewMIOm3WQsnVd9FbKBtm8reqWRaXnHQ= -cloud.google.com/go/compute/metadata v0.8.4/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10= +cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs= +cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10= cloud.google.com/go/contactcenterinsights v1.3.0/go.mod h1:Eu2oemoePuEFc/xKFPjbTuPSj0fYJcPls9TFlPNnHHY= cloud.google.com/go/contactcenterinsights v1.4.0/go.mod h1:L2YzkGbPsv+vMQMCADxJoT9YiTTnSEd6fEvCeHTYVck= cloud.google.com/go/contactcenterinsights v1.6.0/go.mod h1:IIDlT6CLcDoyv79kDv8iWxMSTZhLxSCofVV5W6YFM/w= 
@@ -342,8 +342,8 @@ cloud.google.com/go/kms v1.8.0/go.mod h1:4xFEhYFqvW+4VMELtZyxomGSYtSQKzM178ylFW4 cloud.google.com/go/kms v1.9.0/go.mod h1:qb1tPTgfF9RQP8e1wq4cLFErVuTJv7UsSC915J8dh3w= cloud.google.com/go/kms v1.10.0/go.mod h1:ng3KTUtQQU9bPX3+QGLsflZIHlkbn8amFAMY63m8d24= cloud.google.com/go/kms v1.10.1/go.mod h1:rIWk/TryCkR59GMC3YtHtXeLzd634lBbKenvyySAyYI= -cloud.google.com/go/kms v1.22.0 h1:dBRIj7+GDeeEvatJeTB19oYZNV0aj6wEqSIT/7gLqtk= -cloud.google.com/go/kms v1.22.0/go.mod h1:U7mf8Sva5jpOb4bxYZdtw/9zsbIjrklYwPcvMk34AL8= +cloud.google.com/go/kms v1.23.0 h1:WaqAZsUptyHwOo9II8rFC1Kd2I+yvNsNP2IJ14H2sUw= +cloud.google.com/go/kms v1.23.0/go.mod h1:rZ5kK0I7Kn9W4erhYVoIRPtpizjunlrfU4fUkumUp8g= cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic= cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI= cloud.google.com/go/language v1.7.0/go.mod h1:DJ6dYN/W+SQOjF8e1hLQXMF21AkH2w9wiPzPCJa2MIE= @@ -532,8 +532,8 @@ cloud.google.com/go/shell v1.6.0/go.mod h1:oHO8QACS90luWgxP3N9iZVuEiSF84zNyLytb+ cloud.google.com/go/spanner v1.41.0/go.mod h1:MLYDBJR/dY4Wt7ZaMIQ7rXOTLjYrmxLE/5ve9vFfWos= cloud.google.com/go/spanner v1.44.0/go.mod h1:G8XIgYdOK+Fbcpbs7p2fiprDw4CaZX63whnSMLVBxjk= cloud.google.com/go/spanner v1.45.0/go.mod h1:FIws5LowYz8YAE1J8fOS7DJup8ff7xJeetWEo5REA2M= -cloud.google.com/go/spanner v1.84.1 h1:ShH4Y3YeDtmHa55dFiSS3YtQ0dmCuP0okfAoHp/d68w= -cloud.google.com/go/spanner v1.84.1/go.mod h1:3GMEIjOcXINJSvb42H3M6TdlGCDzaCFpiiNQpjHPlCM= +cloud.google.com/go/spanner v1.86.0 h1:jlNWusBol1Jxa9PmYGknUBzLwvD1cebuEenzqebZ9xs= +cloud.google.com/go/spanner v1.86.0/go.mod h1:bbwCXbM+zljwSPLZ44wZOdzcdmy89hbUGmM/r9sD0ws= cloud.google.com/go/speech v1.6.0/go.mod h1:79tcr4FHCimOp56lwC01xnt/WPJZc4v3gzyT7FoBkCM= cloud.google.com/go/speech v1.7.0/go.mod h1:KptqL+BAQIhMsj1kOP2la5DSEEerPDuOP/2mmkhHhZQ= cloud.google.com/go/speech v1.8.0/go.mod h1:9bYIl1/tjsAnMgKGHKmBZzXKEkGgtU+MpdDPTE9f7y0= 
@@ -551,8 +551,8 @@ cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeL cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s= cloud.google.com/go/storage v1.28.1/go.mod h1:Qnisd4CqDdo6BGs2AD5LLnEsmSQ80wQ5ogcBBKhU86Y= cloud.google.com/go/storage v1.29.0/go.mod h1:4puEjyTKnku6gfKoTfNOU/W+a9JyuVNxjpS5GBrB8h4= -cloud.google.com/go/storage v1.56.1 h1:n6gy+yLnHn0hTwBFzNn8zJ1kqWfR91wzdM8hjRF4wP0= -cloud.google.com/go/storage v1.56.1/go.mod h1:C9xuCZgFl3buo2HZU/1FncgvvOgTAs/rnh4gF4lMg0s= +cloud.google.com/go/storage v1.57.0 h1:4g7NB7Ta7KetVbOMpCqy89C+Vg5VE8scqlSHUPm7Rds= +cloud.google.com/go/storage v1.57.0/go.mod h1:329cwlpzALLgJuu8beyJ/uvQznDHpa2U5lGjWednkzg= cloud.google.com/go/storagetransfer v1.5.0/go.mod h1:dxNzUopWy7RQevYFHewchb29POFv3/AaBgnhqzqiK0w= cloud.google.com/go/storagetransfer v1.6.0/go.mod h1:y77xm4CQV/ZhFZH75PLEXY0ROiS7Gh6pSKrM8dJyg6I= cloud.google.com/go/storagetransfer v1.7.0/go.mod h1:8Giuj1QNb1kfLAiWM1bN6dHzfdlDAVC9rv9abHot2W4= 
@@ -684,12 +684,12 @@ github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3 h1:2afWGsMzkIcN8Qm4mgP github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3/go.mod h1:dppbR7CwXD4pgtV9t3wD1812RaLDcBjtblcDF5f1vI0= github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0 h1:UQUsRi8WTzhZntp5313l+CHIAT95ojUI2lpP/ExlZa4= github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0/go.mod h1:Cz6ft6Dkn3Et6l2v2a9/RpN7epQ1GtDlO6lj8bEcOvw= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 h1:owcC2UnmsZycprQ5RfRgjydWhuoxg71LUfyiQdijZuM= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0/go.mod h1:ZPpqegjbE99EPKsu3iUWV22A04wzGPcAY/ziSIQEEgs= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.53.0 h1:4LP6hvB4I5ouTbGgWtixJhgED6xdf67twf9PoY96Tbg= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.53.0/go.mod h1:jUZ5LYlw40WMd07qxcQJD5M40aUxrfwqQX1g7zxYnrQ= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0 h1:Ron4zCA/yk6U7WOBXhTJcDpsUBG9npumK6xw2auFltQ= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0/go.mod h1:cSgYe11MCNYunTnRXrKiR/tHc0eoKjICUuWpNZoVCOo= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.54.0 h1:lhhYARPUu3LmHysQ/igznQphfzynnqI3D75oUyw1HXk= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.54.0/go.mod h1:l9rva3ApbBpEJxSNYnwT9N4CDLrWgtq3u8736C5hyJw= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.54.0 h1:xfK3bbi6F2RDtaZFtUdKO3osOBIhNb+xTs8lFW6yx9o= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.54.0/go.mod h1:vB2GH9GAYYJTO3mEn8oYwzEdhlayZIdQz6zdzgUIRvA= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.54.0 
h1:s0WlVbf9qpvkh1c/uDAPElam0WrL7fHRIidgZJ7UqZI= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.54.0/go.mod h1:Mf6O40IAyB9zR/1J8nGDDPirZQQPbYJni8Yisy7NTMc= github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= @@ -1193,8 +1193,8 @@ github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vb github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks= github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 h1:NmZ1PKzSTQbuGHw9DGPFomqkkLWMC+vZCkfs+FHv1Vg= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3/go.mod h1:zQrxl1YP88HQlA6i9c63DSVPFklWpGX4OWAc9bFuaH4= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -1449,6 +1449,8 @@ github.com/sigstore/rekor v1.4.2 h1:Lx2xby7loviFYdg2C9pB1mESk2QU/LqcYSGsqqZwmg8= github.com/sigstore/rekor v1.4.2/go.mod h1:nX/OYaLqpTeCOuMEt7ELE0+5cVjZWFnFKM+cZ+3hQRA= github.com/sigstore/rekor-tiles v0.1.11 h1:0NAJ2EhD1r6DH95FUuDTqUDd+c31LSKzoXGW5ZCzFq0= github.com/sigstore/rekor-tiles v0.1.11/go.mod h1:eGIeqASh52pgWpmp/j5KZDjmKdVwob7eTYskVVRCu5k= +github.com/sigstore/rekor-tiles/v2 v2.0.0-rc2 h1:6Jr9jbGIZD6Wsx/jrC8O8Lh0o+oJlx5EVWRstg9aSFo= +github.com/sigstore/rekor-tiles/v2 v2.0.0-rc2/go.mod h1:1HyDsS2pQg36OoEZ0SeGmQIGflxK5W3nWW1Z+G6IWA8= github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3 h1:IEhSeWfhTd0kaBpHUXniWU2Tl5K5OUACN69mi1WGd+8= github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3/go.mod h1:JuqyPRJYnkNl6OTnQiG503EUnKih4P5EV6FUw+1B0iA= github.com/sigstore/sigstore-go v1.1.3 h1:5lKcbXZa5JC7wb/UVywyCulccfYTUju1D5h4tkn+fXE= @@ -1538,8 +1540,8 @@ github.com/transparency-dev/formats v0.0.0-20250421220931-bb8ad4d07c26 h1:YTbkeF github.com/transparency-dev/formats v0.0.0-20250421220931-bb8ad4d07c26/go.mod h1:ODywn0gGarHMMdSkWT56ULoK8Hk71luOyRseKek9COw= github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A= -github.com/transparency-dev/tessera v1.0.0-rc3 h1:v385KqMekDUKI3ZVJHCHE5MAz8LBrWsEKa6OzYLrz0k= -github.com/transparency-dev/tessera v1.0.0-rc3/go.mod h1:aaLlvG/sEPMzT96iIF4hua6Z9pLzkfDtkbaUAR4IL8I= +github.com/transparency-dev/tessera v1.0.0 h1:4OT1V9xJLa5NnYlFWWlCdZkCm18/o12rdd+bCTje7XE= +github.com/transparency-dev/tessera v1.0.0/go.mod h1:TLvfjlkbmsmKVEJUtzO2eb9Q2IBnK3EJ0dI4G0oxEOU= github.com/urfave/negroni v1.0.0 h1:kIimOitoypq34K7TG7DUaJ9kq/N4Ofuwi1sjz0KipXc= github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4= github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXVQ= 
@@ -1597,8 +1599,8 @@ go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= go.opentelemetry.io/contrib/detectors/gcp v1.38.0 h1:ZoYbqX7OaA/TAikspPl3ozPI6iY6LiIY9I8cUfm+pJs= go.opentelemetry.io/contrib/detectors/gcp v1.38.0/go.mod h1:SU+iU7nu5ud4oCb3LQOhIZ3nRLj6FNVrKgtflbaf2ts= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 h1:YH4g8lQroajqUwWbq/tr2QX1JFmEXaDLgG+ew9bLMWo= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0/go.mod h1:fvPi2qXDqFs8M4B4fmJhE92TyQs9Ydjlg3RvfUp+NbQ= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg= go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8= 
@@ -2109,8 +2111,8 @@ google.golang.org/api v0.108.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/ google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI= google.golang.org/api v0.111.0/go.mod h1:qtFHvU9mhgTJegR31csQ+rwxyUTHOKFqCKWp1J0fdw0= google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg= -google.golang.org/api v0.250.0 h1:qvkwrf/raASj82UegU2RSDGWi/89WkLckn4LuO4lVXM= -google.golang.org/api v0.250.0/go.mod h1:Y9Uup8bDLJJtMzJyQnu+rLRJLA0wn+wTtc6vTlOvfXo= +google.golang.org/api v0.251.0 h1:6lea5nHRT8RUmpy9kkC2PJYnhnDAB13LqrLSVQlMIE8= +google.golang.org/api v0.251.0/go.mod h1:Rwy0lPf/TD7+T2VhYcffCHhyyInyuxGjICxdfLqT7KI= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -2250,12 +2252,12 @@ google.golang.org/genproto v0.0.0-20230323212658-478b75c54725/go.mod h1:UUQDJDOl google.golang.org/genproto v0.0.0-20230330154414-c0448cd141ea/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak= google.golang.org/genproto v0.0.0-20230331144136-dcfb400f0633/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak= google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU= -google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4= -google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s= -google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 h1:BIRfGDEjiHRrk0QKZe3Xv2ieMhtgRGeLcZQ0mIVn4EY= -google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5/go.mod h1:j3QtIyytwqGr1JUDtYXwtMXWPKsEa5LtzIFN1Wn5WvE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250908214217-97024824d090 h1:/OQuEa4YWtDt7uQWHd3q3sUMb+QOLQUg1xa8CEsRv5w= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250908214217-97024824d090/go.mod h1:GmFNa4BdJZ2a8G+wCe9Bg3wwThLrJun751XstdJt5Og= +google.golang.org/genproto v0.0.0-20250922171735-9219d122eba9 h1:LvZVVaPE0JSqL+ZWb6ErZfnEOKIqqFWUJE2D0fObSmc= +google.golang.org/genproto v0.0.0-20250922171735-9219d122eba9/go.mod h1:QFOrLhdAe2PsTp3vQY4quuLKTi9j3XG3r6JPPaw7MSc= +google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4 h1:8XJ4pajGwOlasW+L13MnEGA8W4115jJySQtVfS2/IBU= +google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4/go.mod h1:NnuHhy+bxcg30o7FnVAZbXsPHUDQ9qKWAQKCD7VxFtk= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250929231259-57b25ae835d4 h1:i8QOKZfYg6AbGVZzUAY3LrNWCKF8O6zFisU9Wl9RER4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250929231259-57b25ae835d4/go.mod h1:HSkG/KdJWusxU1F6CNrwNDjBMgisKxGnc5dAZfT0mjQ= google.golang.org/grpc v1.19.0/go.mod 
h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= @@ -2317,8 +2319,8 @@ google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.36.9 h1:w2gp2mA27hUeUzj9Ex9FBjsBm40zfaDtEWow293U7Iw= -google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU= +google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE= +google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= From 9b10de46e95fc7f011000a369826ad7a3b389393 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 Oct 2025 10:12:44 +0200 Subject: [PATCH 092/136] chore(deps): bump github.com/go-jose/go-jose/v4 (#4451) Bumps the gomod group with 1 update in the / directory: [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose). Updates `github.com/go-jose/go-jose/v4` from 4.1.2 to 4.1.3 - [Release notes](https://github.com/go-jose/go-jose/releases) - [Commits](https://github.com/go-jose/go-jose/compare/v4.1.2...v4.1.3) --- updated-dependencies: - dependency-name: github.com/go-jose/go-jose/v4 dependency-version: 4.1.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 6484be6f9bd..9bdd49b2903 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936 github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 github.com/dustin/go-humanize v1.0.1 - github.com/go-jose/go-jose/v4 v4.1.2 + github.com/go-jose/go-jose/v4 v4.1.3 github.com/go-openapi/runtime v0.29.0 github.com/go-openapi/strfmt v0.24.0 github.com/go-openapi/swag v0.25.1 diff --git a/go.sum b/go.sum index c6064a9c65e..30fb9a55a6e 100644 --- a/go.sum +++ b/go.sum 
@@ -963,8 +963,8 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= -github.com/go-jose/go-jose/v4 v4.1.2 h1:TK/7NqRQZfgAh+Td8AlsrvtPoUyiHh0LqVvokh+1vHI= -github.com/go-jose/go-jose/v4 v4.1.2/go.mod h1:22cg9HWM1pOlnRiY+9cQYJ9XHmya1bYW8OeDM6Ku6Oo= +github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs= +github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08= github.com/go-latex/latex v0.0.0-20210118124228-b3d85cf34e07/go.mod h1:CO1AlKB2CSIqUrmQPqA0gdRIlnLEY0gK5JGjh37zN5U= github.com/go-latex/latex v0.0.0-20210823091927-c0d11ff05a81/go.mod h1:SX0U8uGpxhq9o2S/CELCSUxEWWAuoCUcVCQWv7G2OCk= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= From 84449696f0658a5ef5f2abba87fdd3f8b17ca1be Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Fri, 10 Oct 2025 14:17:56 -0400 Subject: [PATCH 093/136] choose different signature filename for KMS-signed release signatures (#4448) * choose different signature filename for keyless release signatures Signed-off-by: Bob Callaway * switch, rename the kms-signed objects Signed-off-by: Bob Callaway * update README Signed-off-by: Bob Callaway * update README Signed-off-by: Bob Callaway --------- Signed-off-by: Bob Callaway --- .goreleaser.yml | 2 +- README.md | 6 ++---- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/.goreleaser.yml b/.goreleaser.yml index 0f378d2b379..5c4f276f5b1 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
@@ -155,7 +155,7 @@ signs: - id: cosign cmd: ./dist/cosign-linux-amd64 args: ["sign-blob", "--bundle", "${signature}", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"] - signature: "${artifact}.sigstore.json" + signature: "${artifact}-kms.sigstore.json" artifacts: binary # Keyless - id: cosign-keyless diff --git a/README.md b/README.md index 7083fd71df4..6daab76355e 100644 --- a/README.md +++ b/README.md 
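Review bot: The renamed output `${artifact}-kms.sigstore.json` is now distinguishable from the keyless signer's bundle only by its filename, and nothing in this `signs` entry says which key material verifies which file; a comment above the `signature:` line would make the intent explicit, e.g. `# KMS-signed bundle: verify with the release public key, not keyless identity`. If the `cosign-keyless` signer that starts just below the hunk still writes `${artifact}.sigstore.json` (not visible here), consumers who verified that filename with the artifact public key will now receive a keyless bundle and a verification failure rather than a clear message, which is worth stating in the release notes alongside the README update in this commit.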
@@ -761,8 +761,6 @@ will be released when there are breaking features. Should you discover any security issues, please refer to sigstore's [security process](https://github.com/sigstore/.github/blob/main/SECURITY.md) -## PEM files in GitHub Release Assets +## Bundle files in GitHub Release Assets -The GitHub release assets for cosign contain a PEM file produced by [GoReleaser](https://github.com/sigstore/cosign/blob/ac999344eb381ae91455b0a9c5c267e747608d76/.goreleaser.yml#L166) while signing the cosign blob that is used to verify the integrity of the release binaries. This file is not used by cosign itself, but is provided for users who wish to verify the integrity of the release binaries. - -By default, cosign output these PEM files in [base64 encoded format](https://github.com/sigstore/cosign/blob/main/doc/cosign_sign-blob.md#options), this approach might be good for air-gapped environments where the PEM file is stored in a file system. So, you should decode these PEM files before using them to verify the blobs. +The GitHub release assets for `cosign` contain Sigstore bundle files produced by [GoReleaser](https://github.com/sigstore/cosign/blob/ac999344eb381ae91455b0a9c5c267e747608d76/.goreleaser.yml#L166) while signing the cosign blob that is used to verify the integrity of the release binaries. This file is not used by cosign itself, but is provided for users who wish to [verify the integrity of the release binaries](https://docs.sigstore.dev/cosign/system_config/installation/#verifying-cosign-with-artifact-key). From 2c7631be5541f8c02864b5cdc85cbaf7e51bba1d Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Oct 2025 16:05:30 +0000 Subject: [PATCH 094/136] chore(deps): bump github.com/buildkite/agent/v3 from 3.107.2 to 3.108.0 Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.107.2 to 3.108.0. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](https://github.com/buildkite/agent/compare/v3.107.2...v3.108.0) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.108.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 24 ++++++++++++------------ go.sum | 48 ++++++++++++++++++++++++------------------------ 2 files changed, 36 insertions(+), 36 deletions(-) diff --git a/go.mod b/go.mod index 9bdd49b2903..89ebbd43986 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,7 @@ require ( cuelang.org/go v0.14.1 github.com/ThalesIgnite/crypto11 v1.2.5 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 - github.com/buildkite/agent/v3 v3.107.2 + github.com/buildkite/agent/v3 v3.108.0 github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936 
@@ -116,21 +116,21 @@ require ( github.com/aliyun/credentials-go v1.3.2 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect github.com/aws/aws-sdk-go v1.55.8 // indirect - github.com/aws/aws-sdk-go-v2 v1.39.0 // indirect - github.com/aws/aws-sdk-go-v2/config v1.31.8 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.18.12 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.7 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.7 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.7 // indirect + github.com/aws/aws-sdk-go-v2 v1.39.2 // indirect + github.com/aws/aws-sdk-go-v2/config v1.31.11 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.18.15 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.9 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 // indirect github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.7 // indirect - github.com/aws/aws-sdk-go-v2/service/kms v1.45.3 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.29.3 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.4 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.38.4 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.9 // indirect + github.com/aws/aws-sdk-go-v2/service/kms v1.45.6 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.29.5 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.1 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.38.6 // indirect github.com/aws/smithy-go v1.23.0 // indirect github.com/beorn7/perks 
v1.0.1 // indirect github.com/blang/semver v3.5.1+incompatible // indirect diff --git a/go.sum b/go.sum index 30fb9a55a6e..00d0ea4c17e 100644 --- a/go.sum +++ b/go.sum 
@@ -757,18 +757,18 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/aws/aws-sdk-go v1.55.8 h1:JRmEUbU52aJQZ2AjX4q4Wu7t4uZjOu71uyNmaWlUkJQ= github.com/aws/aws-sdk-go v1.55.8/go.mod h1:ZkViS9AqA6otK+JBBNH2++sx1sgxrPKcSzPPvQkUtXk= -github.com/aws/aws-sdk-go-v2 v1.39.0 h1:xm5WV/2L4emMRmMjHFykqiA4M/ra0DJVSWUkDyBjbg4= -github.com/aws/aws-sdk-go-v2 v1.39.0/go.mod h1:sDioUELIUO9Znk23YVmIk86/9DOpkbyyVb1i/gUNFXY= -github.com/aws/aws-sdk-go-v2/config v1.31.8 h1:kQjtOLlTU4m4A64TsRcqwNChhGCwaPBt+zCQt/oWsHU= -github.com/aws/aws-sdk-go-v2/config v1.31.8/go.mod h1:QPpc7IgljrKwH0+E6/KolCgr4WPLerURiU592AYzfSY= -github.com/aws/aws-sdk-go-v2/credentials v1.18.12 h1:zmc9e1q90wMn8wQbjryy8IwA6Q4XlaL9Bx2zIqdNNbk= -github.com/aws/aws-sdk-go-v2/credentials v1.18.12/go.mod h1:3VzdRDR5u3sSJRI4kYcOSIBbeYsgtVk7dG5R/U6qLWY= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.7 h1:Is2tPmieqGS2edBnmOJIbdvOA6Op+rRpaYR60iBAwXM= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.7/go.mod h1:F1i5V5421EGci570yABvpIXgRIBPb5JM+lSkHF6Dq5w= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.7 h1:UCxq0X9O3xrlENdKf1r9eRJoKz/b0AfGkpp3a7FPlhg= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.7/go.mod h1:rHRoJUNUASj5Z/0eqI4w32vKvC7atoWR0jC+IkmVH8k= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.7 h1:Y6DTZUn7ZUC4th9FMBbo8LVE+1fyq3ofw+tRwkUd3PY= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.7/go.mod h1:x3XE6vMnU9QvHN/Wrx2s44kwzV2o2g5x/siw4ZUJ9g8= +github.com/aws/aws-sdk-go-v2 v1.39.2 h1:EJLg8IdbzgeD7xgvZ+I8M1e0fL0ptn/M47lianzth0I= +github.com/aws/aws-sdk-go-v2 v1.39.2/go.mod h1:sDioUELIUO9Znk23YVmIk86/9DOpkbyyVb1i/gUNFXY= +github.com/aws/aws-sdk-go-v2/config v1.31.11 h1:6QOO1mP0MgytbfKsL/r/gE1P6/c/4pPzrrU3hKxa5fs= +github.com/aws/aws-sdk-go-v2/config v1.31.11/go.mod 
h1:KzpDsPX/dLxaUzoqM3sN2NOhbQIW4HW/0W8rQA1YFEs= +github.com/aws/aws-sdk-go-v2/credentials v1.18.15 h1:Gqy7/05KEfUSulSvwxnB7t8DuZMR3ShzNcwmTD6HOLU= +github.com/aws/aws-sdk-go-v2/credentials v1.18.15/go.mod h1:VWDWSRpYHjcjURRaQ7NUzgeKFN8Iv31+EOMT/W+bFyc= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.9 h1:Mv4Bc0mWmv6oDuSWTKnk+wgeqPL5DRFu5bQL9BGPQ8Y= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.9/go.mod h1:IKlKfRppK2a1y0gy1yH6zD+yX5uplJ6UuPlgd48dJiQ= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9 h1:se2vOWGD3dWQUtfn4wEjRQJb1HK1XsNIt825gskZ970= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9/go.mod h1:hijCGH2VfbZQxqCDN7bwz/4dzxV+hkyhjawAtdPWKZA= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 h1:6RBnKZLkJM4hQ+kN6E7yWFveOTg8NLPHAkqrs4ZPlTU= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9/go.mod h1:V9rQKRmK7AWuEsOMnHzKj8WyrIir1yUJbZxDuZLFvXI= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo= github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 h1:Bwzh202Aq7/MYnAjXA9VawCf6u+hjwMdoYmZ4HYsdf8= 
@@ -777,16 +777,16 @@ github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 h1:XJ/AEFYj9VFPJdF+VFi4SU github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2/go.mod h1:JUBHdhvKbbKmhaHjLsKJAWnQL80T6nURmhB/LEprV+4= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 h1:oegbebPEMA/1Jny7kvwejowCaHz1FWZAQ94WXFNCyTM= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1/go.mod h1:kemo5Myr9ac0U9JfSjMo9yHLtw+pECEHsFtJ9tqCEI8= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.7 h1:mLgc5QIgOy26qyh5bvW+nDoAppxgn3J2WV3m9ewq7+8= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.7/go.mod h1:wXb/eQnqt8mDQIQTTmcw58B5mYGxzLGZGK8PWNFZ0BA= -github.com/aws/aws-sdk-go-v2/service/kms v1.45.3 h1:hp7qDEQkW3IwV5eaTy2inECTgRHo0o/vgIVxq+ydNiU= -github.com/aws/aws-sdk-go-v2/service/kms v1.45.3/go.mod h1:EADaLXofJkof++MP9zhzSZ0byBMOZTIRjtJO/ZMuPVE= -github.com/aws/aws-sdk-go-v2/service/sso v1.29.3 h1:7PKX3VYsZ8LUWceVRuv0+PU+E7OtQb1lgmi5vmUE9CM= -github.com/aws/aws-sdk-go-v2/service/sso v1.29.3/go.mod h1:Ql6jE9kyyWI5JHn+61UT/Y5Z0oyVJGmgmJbZD5g4unY= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.4 h1:e0XBRn3AptQotkyBFrHAxFB8mDhAIOfsG+7KyJ0dg98= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.4/go.mod h1:XclEty74bsGBCr1s0VSaA11hQ4ZidK4viWK7rRfO88I= -github.com/aws/aws-sdk-go-v2/service/sts v1.38.4 h1:PR00NXRYgY4FWHqOGx3fC3lhVKjsp1GdloDv2ynMSd8= -github.com/aws/aws-sdk-go-v2/service/sts v1.38.4/go.mod h1:Z+Gd23v97pX9zK97+tX4ppAgqCt3Z2dIXB02CtBncK8= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.9 h1:5r34CgVOD4WZudeEKZ9/iKpiT6cM1JyEROpXjOcdWv8= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.9/go.mod h1:dB12CEbNWPbzO2uC6QSWHteqOg4JfBVJOojbAoAUb5I= +github.com/aws/aws-sdk-go-v2/service/kms v1.45.6 h1:Br3kil4j7RPW+7LoLVkYt8SuhIWlg6ylmbmzXJ7PgXY= +github.com/aws/aws-sdk-go-v2/service/kms v1.45.6/go.mod h1:FKXkHzw1fJZtg1P1qoAIiwen5thz/cDRTTDCIu8ljxc= 
+github.com/aws/aws-sdk-go-v2/service/sso v1.29.5 h1:WwL5YLHabIBuAlEKRoLgqLz1LxTvCEpwsQr7MiW/vnM= +github.com/aws/aws-sdk-go-v2/service/sso v1.29.5/go.mod h1:5PfYspyCU5Vw1wNPsxi15LZovOnULudOQuVxphSflQA= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.1 h1:5fm5RTONng73/QA73LhCNR7UT9RpFH3hR6HWL6bIgVY= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.1/go.mod h1:xBEjWD13h+6nq+z4AkqSfSvqRKFgDIQeaMguAJndOWo= +github.com/aws/aws-sdk-go-v2/service/sts v1.38.6 h1:p3jIvqYwUZgu/XYeI48bJxOhvm47hZb5HUQ0tn6Q9kA= +github.com/aws/aws-sdk-go-v2/service/sts v1.38.6/go.mod h1:WtKK+ppze5yKPkZ0XwqIVWD4beCwv056ZbPQNoeHqM8= github.com/aws/smithy-go v1.23.0 h1:8n6I3gXzWJB2DxBDnfxgBaSX6oe0d/t10qGz7OKqMCE= github.com/aws/smithy-go v1.23.0/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 h1:6lMw4/QGLFPvbKQ0eri/9Oh3YX5Nm6BPrUlZR8yuJHg= @@ -797,8 +797,8 @@ github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdn github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= -github.com/buildkite/agent/v3 v3.107.2 h1:f04MkWVwSro9iwzCgfPsMsKEIY3Pm0TGp6M8dP3lQgk= -github.com/buildkite/agent/v3 v3.107.2/go.mod h1:6m3kUdqUKwcJDx8J/8w/eX5df73ak7zKfHR0uYpgFag= +github.com/buildkite/agent/v3 v3.108.0 h1:4ChSnFOPQxvecQ/A9MD74MAfGivMfwY+8YSouiZusPI= +github.com/buildkite/agent/v3 v3.108.0/go.mod h1:QXR5Q7CsIuqPgrtTCW4KsK4xLdY43eGWW6wsYaHiNk8= github.com/buildkite/go-pipeline v0.16.0 h1:wEgWUMRAgSg1ZnWOoA3AovtYYdTvN0dLY1zwUWmPP+4= github.com/buildkite/go-pipeline v0.16.0/go.mod h1:VE37qY3X5pmAKKUMoDZvPsHOQuyakB9cmXj9Qn6QasA= github.com/buildkite/interpolate v0.1.5 h1:v2Ji3voik69UZlbfoqzx+qfcsOKLA61nHdU79VV+tPU= From 711b28b38e5e53db4043b28a89be235572a8f4c2 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Oct 2025 16:04:19 +0000 Subject: [PATCH 095/136] chore(deps): bump the actions group with 3 updates Bumps the actions group with 3 updates: [chainguard-dev/actions](https://github.com/chainguard-dev/actions), [cpanato/vault-installer](https://github.com/cpanato/vault-installer) and [ossf/scorecard-action](https://github.com/ossf/scorecard-action). Updates `chainguard-dev/actions` from 1.5.2 to 1.5.3 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](https://github.com/chainguard-dev/actions/compare/8e97c1fc72515d627456cb0b92e9c9f299356375...6f4f4de7549514e7b659741b30f6476f245600dd) Updates `cpanato/vault-installer` from 1.2.0 to 1.3.0 - [Release notes](https://github.com/cpanato/vault-installer/releases) - [Commits](https://github.com/cpanato/vault-installer/compare/e7c1d664fa15219e89e43739e39a9df11ba00849...f7e2ad9737b49f351f233eba2df1bdfede939a21) Updates `ossf/scorecard-action` from 2.4.2 to 2.4.3 - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/05b42c624433fc40578a4040d5cf5e36ddca8cde...4eaacf0543bb3f2c246792bd56e8cdeffafb205a) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.5.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: cpanato/vault-installer dependency-version: 1.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: ossf/scorecard-action dependency-version: 2.4.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... 
Signed-off-by: dependabot[bot] --- .github/workflows/donotsubmit.yaml | 2 +- .github/workflows/e2e-tests.yml | 6 +++--- .github/workflows/kind-verify-attestation.yaml | 2 +- .github/workflows/scorecard-action.yml | 2 +- .github/workflows/tests.yaml | 2 +- .github/workflows/whitespace.yaml | 4 ++-- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml index b881b9b7386..a56422ebcf5 100644 --- a/.github/workflows/donotsubmit.yaml +++ b/.github/workflows/donotsubmit.yaml @@ -40,4 +40,4 @@ jobs: persist-credentials: false - name: Do Not Submit - uses: chainguard-dev/actions/donotsubmit@8e97c1fc72515d627456cb0b92e9c9f299356375 # v1.5.2 + uses: chainguard-dev/actions/donotsubmit@6f4f4de7549514e7b659741b30f6476f245600dd # v1.5.3 diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 6e2d041349c..98d36978f61 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -104,7 +104,7 @@ jobs: persist-credentials: false - name: setup vault - uses: cpanato/vault-installer@e7c1d664fa15219e89e43739e39a9df11ba00849 # v1.2.0 + uses: cpanato/vault-installer@f7e2ad9737b49f351f233eba2df1bdfede939a21 # v1.3.0 - name: Extract version of Go to use run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV @@ -149,7 +149,7 @@ jobs: cache: false - name: Setup mirror - uses: chainguard-dev/actions/setup-mirror@8e97c1fc72515d627456cb0b92e9c9f299356375 # v1.5.2 + uses: chainguard-dev/actions/setup-mirror@6f4f4de7549514e7b659741b30f6476f245600dd # v1.5.3 with: mirror: mirror.gcr.io @@ -239,4 +239,4 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@8e97c1fc72515d627456cb0b92e9c9f299356375 # v1.5.2 + uses: chainguard-dev/actions/kind-diag@6f4f4de7549514e7b659741b30f6476f245600dd # v1.5.3 
diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml index 5b517f090aa..fa628cf0c22 100644 --- a/.github/workflows/kind-verify-attestation.yaml +++ b/.github/workflows/kind-verify-attestation.yaml @@ -181,7 +181,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@8e97c1fc72515d627456cb0b92e9c9f299356375 # v1.5.2 + uses: chainguard-dev/actions/kind-diag@6f4f4de7549514e7b659741b30f6476f245600dd # v1.5.3 - name: Create vuln attestation for it run: | diff --git a/.github/workflows/scorecard-action.yml b/.github/workflows/scorecard-action.yml index ece453c92dc..52d86722d0c 100644 --- a/.github/workflows/scorecard-action.yml +++ b/.github/workflows/scorecard-action.yml @@ -45,7 +45,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 with: results_file: results.sarif results_format: sarif diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 52f877e9010..a8acc93e479 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -184,7 +184,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@8e97c1fc72515d627456cb0b92e9c9f299356375 # v1.5.2 + uses: chainguard-dev/actions/kind-diag@6f4f4de7549514e7b659741b30f6476f245600dd # v1.5.3 e2e-windows-powershell-tests: name: Run PowerShell E2E tests diff --git a/.github/workflows/whitespace.yaml b/.github/workflows/whitespace.yaml index 248bd907798..94df9f36de3 100644 --- a/.github/workflows/whitespace.yaml +++ b/.github/workflows/whitespace.yaml 
@@ -38,8 +38,8 @@ jobs: with: persist-credentials: false - - uses: chainguard-dev/actions/trailing-space@8e97c1fc72515d627456cb0b92e9c9f299356375 # v1.5.2 + - uses: chainguard-dev/actions/trailing-space@6f4f4de7549514e7b659741b30f6476f245600dd # v1.5.3 if: ${{ always() }} - - uses: chainguard-dev/actions/eof-newline@8e97c1fc72515d627456cb0b92e9c9f299356375 # v1.5.2 + - uses: chainguard-dev/actions/eof-newline@6f4f4de7549514e7b659741b30f6476f245600dd # v1.5.3 if: ${{ always() }} From a47a4a3c0c20093eac83ac5813fa6426ac857cac Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 9 Oct 2025 21:59:03 +0000 Subject: [PATCH 096/136] chore(deps): bump gitlab.com/gitlab-org/api/client-go Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.148.1 to 0.151.0. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.148.1...v0.151.0) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.151.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index 89ebbd43986..2a7e085cbe0 100644 --- a/go.mod +++ b/go.mod @@ -52,7 +52,7 @@ require ( github.com/theupdateframework/go-tuf/v2 v2.2.0 github.com/transparency-dev/merkle v0.0.2 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 - gitlab.com/gitlab-org/api/client-go v0.148.1 + gitlab.com/gitlab-org/api/client-go v0.154.0 golang.org/x/crypto v0.42.0 golang.org/x/oauth2 v0.31.0 golang.org/x/sync v0.17.0 diff --git a/go.sum b/go.sum index 00d0ea4c17e..e2fb6123c2f 100644 --- a/go.sum +++ b/go.sum 
@@ -867,8 +867,8 @@ github.com/creack/pty v1.1.19 h1:tUN6H7LWqNx4hQVxomd0CVsDwaDr9gaRQaI4GpSmrsA= github.com/creack/pty v1.1.19/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 h1:uX1JmpONuD549D73r6cgnxyUu18Zb7yHAy5AYU0Pm4Q= github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= -github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0= -github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8= +github.com/danieljoos/wincred v1.2.3 h1:v7dZC2x32Ut3nEfRH+vhoZGvN72+dQ/snVXo/vMFLdQ= +github.com/danieljoos/wincred v1.2.3/go.mod h1:6qqX0WNrS4RzPZ1tnroDzq9kY3fu1KwE7MRLQK4X0bs= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= 
@@ -1582,8 +1582,8 @@ github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8u github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI= github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0= github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= -gitlab.com/gitlab-org/api/client-go v0.148.1 h1:xds5sz/aylLFX9wdTnaqalRDPmlZTzbp0vKA64nbLo4= -gitlab.com/gitlab-org/api/client-go v0.148.1/go.mod h1:9Y5ivg3xj5KJ+TAyRmNSiQtpkoqKsHLRRlLKpgXNJ+Q= +gitlab.com/gitlab-org/api/client-go v0.154.0 h1:RnAozG7ToCunYizz0v+vJEDj/id1dt820vV4mYOrLFw= +gitlab.com/gitlab-org/api/client-go v0.154.0/go.mod h1:CQVoxjEswJZeXft4Mi+H+OF1MVrpNVF6m4xvlPTQ2J4= go.mongodb.org/mongo-driver v1.17.4 h1:jUorfmVzljjr0FLzYQsGP8cgN/qzzxlY9Vh0C9KFXVw= go.mongodb.org/mongo-driver v1.17.4/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= From a96437a430874e0316179cb8745e31c964788cd4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 9 Oct 2025 21:59:19 +0000 Subject: [PATCH 097/136] chore(deps): bump google.golang.org/api from 0.250.0 to 0.251.0 Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.250.0 to 0.251.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.250.0...v0.251.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.251.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/go.mod b/go.mod index 2a7e085cbe0..5cd5f4e2842 100644 --- a/go.mod +++ b/go.mod @@ -57,7 +57,7 @@ require ( golang.org/x/oauth2 v0.31.0 golang.org/x/sync v0.17.0 golang.org/x/term v0.35.0 - google.golang.org/api v0.251.0 + google.golang.org/api v0.252.0 google.golang.org/protobuf v1.36.10 k8s.io/api v0.34.1 k8s.io/apimachinery v0.34.1 @@ -69,7 +69,7 @@ require ( require ( cel.dev/expr v0.24.0 // indirect cloud.google.com/go v0.121.6 // indirect - cloud.google.com/go/auth v0.16.5 // indirect + cloud.google.com/go/auth v0.17.0 // indirect cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect cloud.google.com/go/compute/metadata v0.9.0 // indirect cloud.google.com/go/iam v1.5.2 // indirect @@ -315,7 +315,7 @@ require ( golang.org/x/tools v0.36.0 // indirect google.golang.org/genproto v0.0.0-20250922171735-9219d122eba9 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20250929231259-57b25ae835d4 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20251002232023-7c0ddcbb5797 // indirect google.golang.org/grpc v1.75.1 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index e2fb6123c2f..090e018ecd3 100644 --- a/go.sum +++ b/go.sum 
@@ -103,8 +103,8 @@ cloud.google.com/go/assuredworkloads v1.7.0/go.mod h1:z/736/oNmtGAyU47reJgGN+KVo cloud.google.com/go/assuredworkloads v1.8.0/go.mod h1:AsX2cqyNCOvEQC8RMPnoc0yEarXQk6WEKkxYfL6kGIo= cloud.google.com/go/assuredworkloads v1.9.0/go.mod h1:kFuI1P78bplYtT77Tb1hi0FMxM0vVpRC7VVoJC3ZoT0= cloud.google.com/go/assuredworkloads v1.10.0/go.mod h1:kwdUQuXcedVdsIaKgKTp9t0UJkE5+PAVNhdQm4ZVq2E= -cloud.google.com/go/auth v0.16.5 h1:mFWNQ2FEVWAliEQWpAdH80omXFokmrnbDhUS9cBywsI= -cloud.google.com/go/auth v0.16.5/go.mod h1:utzRfHMP+Vv0mpOkTRQoWD2q3BatTOoWbA7gCc2dUhQ= +cloud.google.com/go/auth v0.17.0 h1:74yCm7hCj2rUyyAocqnFzsAYXgJhrG26XCFimrc/Kz4= +cloud.google.com/go/auth v0.17.0/go.mod h1:6wv/t5/6rOPAX4fJiRjKkJCvswLwdet7G8+UGXt7nCQ= cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc= cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c= cloud.google.com/go/automl v1.5.0/go.mod h1:34EjfoFGMZ5sgJ9EoLsRtdPSNZLcfflJR39VbVNS2M0= @@ -2111,8 +2111,8 @@ google.golang.org/api v0.108.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/ google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI= google.golang.org/api v0.111.0/go.mod h1:qtFHvU9mhgTJegR31csQ+rwxyUTHOKFqCKWp1J0fdw0= google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg= -google.golang.org/api v0.251.0 h1:6lea5nHRT8RUmpy9kkC2PJYnhnDAB13LqrLSVQlMIE8= -google.golang.org/api v0.251.0/go.mod h1:Rwy0lPf/TD7+T2VhYcffCHhyyInyuxGjICxdfLqT7KI= +google.golang.org/api v0.252.0 h1:xfKJeAJaMwb8OC9fesr369rjciQ704AjU/psjkKURSI= +google.golang.org/api v0.252.0/go.mod h1:dnHOv81x5RAmumZ7BWLShB/u7JZNeyalImxHmtTHxqw= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -2256,8 +2256,8 @@ google.golang.org/genproto v0.0.0-20250922171735-9219d122eba9 h1:LvZVVaPE0JSqL+Z google.golang.org/genproto v0.0.0-20250922171735-9219d122eba9/go.mod h1:QFOrLhdAe2PsTp3vQY4quuLKTi9j3XG3r6JPPaw7MSc= google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4 h1:8XJ4pajGwOlasW+L13MnEGA8W4115jJySQtVfS2/IBU= google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4/go.mod h1:NnuHhy+bxcg30o7FnVAZbXsPHUDQ9qKWAQKCD7VxFtk= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250929231259-57b25ae835d4 h1:i8QOKZfYg6AbGVZzUAY3LrNWCKF8O6zFisU9Wl9RER4= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250929231259-57b25ae835d4/go.mod h1:HSkG/KdJWusxU1F6CNrwNDjBMgisKxGnc5dAZfT0mjQ= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251002232023-7c0ddcbb5797 h1:CirRxTOwnRWVLKzDNrs0CXAaVozJoR4G9xvdRecrdpk= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251002232023-7c0ddcbb5797/go.mod h1:HSkG/KdJWusxU1F6CNrwNDjBMgisKxGnc5dAZfT0mjQ= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= From dccda706ef56cd6f8a40a8fad8992ff46fb218de Mon Sep 17 00:00:00 2001 From: Hayden Date: Fri, 10 Oct 2025 13:00:57 -0700 Subject: [PATCH 098/136] Update changelog for v3.0.2 (#4455) * Update changelog for v3.0.2 Signed-off-by: Hayden * Update CHANGELOG.md Signed-off-by: Hayden --------- Signed-off-by: Hayden --- CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c509083699b..ab38fe593d9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,14 @@ +# v3.0.2 + +v3.0.2 is a functionally equivalent release to v3.0.0 and v3.0.1, with a fix for CI to publish signed releases in the new bundle format. + +* Note that the `--bundle` flag specifying an output file to write the Sigstore bundle (which contains all relevant verification material) has moved from optional to required in v3. + +## Changes + +* choose different signature filename for KMS-signed release signatures (#4448) +* Update rekor-tiles version path (#4450) + # v3.0.1 v3.0.1 is an equivalent release to v3.0.0, which was never published due to a failure in our CI workflows. From 925c965ff02d37fca9539391d4f56878d8594458 Mon Sep 17 00:00:00 2001 From: Hayden Date: Mon, 13 Oct 2025 11:07:22 -0700 Subject: [PATCH 099/136] Cache signing config when calling initialize (#4456) When calling cosign initialize, the client will cache the trusted root file if available. This PR adds support for caching the signing config as well. The public-good instance's TUF repo includes this file. Private deployments likely don't use this file, so like with the trusted root, Cosign will print a warning rather than fail initialization. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --- cmd/cosign/cli/initialize/init.go | 6 ++++++ cmd/cosign/cli/initialize/init_test.go | 9 ++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/cmd/cosign/cli/initialize/init.go b/cmd/cosign/cli/initialize/init.go index a44909c312e..d629550aeb3 100644 --- a/cmd/cosign/cli/initialize/init.go +++ b/cmd/cosign/cli/initialize/init.go 
@@ -86,6 +86,12 @@ func doInitialize(ctx context.Context, root, mirror, rootChecksum string, forceS return fmt.Errorf("storing remote: %w", err) } + // Cache the signing config from the TUF repository + _, err = tufroot.FetchSigningConfigWithOptions(opts) + if err != nil { + ui.Warnf(ctx, "Could not fetch signing_config.json from the TUF mirror (encountered error: %v). It is recommended to use a signing config file rather than provide service URLs when signing.", err) + } + // Cache the trusted root from the TUF repository trustedRoot, err := tufroot.NewLiveTrustedRoot(opts) if err != nil { ui.Warnf(ctx, "Could not fetch trusted_root.json from the TUF mirror (encountered error: %v), falling back to individual targets. It is recommended to update your TUF metadata repository to include trusted_root.json.", err) diff --git a/cmd/cosign/cli/initialize/init_test.go b/cmd/cosign/cli/initialize/init_test.go index 0586a93e5d8..e2932a329ca 100644 --- a/cmd/cosign/cli/initialize/init_test.go +++ b/cmd/cosign/cli/initialize/init_test.go @@ -155,13 +155,16 @@ func TestDoInitialize(t *testing.T) { expectV2 bool }{ { - name: "tuf v2 with trusted root", - targets: map[string][]byte{"trusted_root.json": []byte(`{"mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1"}`)}, + name: "tuf v2 with trusted root and signing config", + targets: map[string][]byte{ + "trusted_root.json": []byte(`{"mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1"}`), + "signing_config.v0.2.json": []byte(`{"mediaType": "application/vnd.dev.sigstore.signingconfig.v0.2+json"}`), + }, root: "1.root.json", wantStdOut: "", wantStdErr: "", wantErr: false, - wantFiles: []string{filepath.Join("targets", "trusted_root.json")}, + wantFiles: []string{filepath.Join("targets", "trusted_root.json"), filepath.Join("targets", "signing_config.v0.2.json")}, expectV2: true, }, { From b529ddf789f79cace95db56691e52b455077dbd5 Mon Sep 17 00:00:00 2001 
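Review bot: The result of `tufroot.FetchSigningConfigWithOptions(opts)` is discarded with `_`, so a reader of this file cannot tell that the call exists only so the TUF client writes the signing config into the local cache; put that on the line itself, e.g. `// Fetched only for its side effect: the TUF client caches signing_config locally.` The warning text recommends "a signing config file" but does not say what the user should supply instead when the mirror lacks the target, so consider naming the file or option in the message. doInitialize begins and ends outside this hunk.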
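Review bot: The updated case only covers a mirror that serves both trusted_root.json and signing_config.v0.2.json, while the fallback the commit message promises for private deployments (signing config absent, initialization still succeeds with a warning) has no case visible in this hunk. If no later entry in the table exercises it, add one whose `targets` holds only trusted_root.json and whose `wantStdErr` contains the "Could not fetch signing_config.json" warning, so that a future change turning that warning into a hard failure is caught. TestDoInitialize begins and ends outside this hunk.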
From: Colleen Murphy Date: Mon, 13 Oct 2025 13:35:20 -0700 Subject: [PATCH 100/136] Deduplicate code in sign/attest* and verify* commands (#4449) * Deduplicate key/token handling in sign commands Move the nearly identical code for parsing key options and creating a key pair and token out of attest, attest-blob, sign, and sign-blob, and into a common helper package. Move functions that had been shared out of sign.go into the helper package too so that other commands do not have to import the sign command package. Signed-off-by: Colleen Murphy * Deduplicate signer-verifier creation Signed-off-by: Colleen Murphy * Deduplicate timestamp retrieval Signed-off-by: Colleen Murphy * Deduplicate rekor upload Signed-off-by: Colleen Murphy * Deduplicate bundle compilation Signed-off-by: Colleen Murphy * Move OCI parsing function to signcommon Signed-off-by: Colleen Murphy * Make flag compatibility checking consistent Move flag checks when --new-bundle-format is used to a common helper module and have all four verify commands use it. Remove redundant flag checker code. Signed-off-by: Colleen Murphy * Remove duplicate certs setting RootCerts and IntermediateCerts are already set on CheckOpts during loadCertsKeylessVerification. Signed-off-by: Colleen Murphy * Move loading key to common Move the setting of SigVerifier based on the key ref, key slot, or cert and cert chain, to the common file. For verifying blobs and blob attestations with a certificate instead of a key, we return the cert which is used directly in the options list for verification. For images, the cert and cert chain must be validated and then unpacked into the SigVerifier, where the cosign Verify* functions check its validity by extracting it from the verifier. Signed-off-by: Colleen Murphy * Deduplicate TUF v1 fetch and rekor client setup Signed-off-by: Colleen Murphy * Deduplicate trusted material setting Signed-off-by: Colleen Murphy * Move common functions to common.go Signed-off-by: Colleen Murphy --------- 
Signed-off-by: Colleen Murphy --- cmd/cosign/cli/attest/attest.go | 204 +----- cmd/cosign/cli/attest/attest_blob.go | 191 +----- cmd/cosign/cli/sign/sign.go | 461 +------------- cmd/cosign/cli/sign/sign_blob.go | 144 +---- cmd/cosign/cli/sign/sign_test.go | 186 ------ cmd/cosign/cli/signcommon/common.go | 583 ++++++++++++++++++ cmd/cosign/cli/signcommon/common_test.go | 205 ++++++ cmd/cosign/cli/verify/common.go | 465 ++++++++++++++ cmd/cosign/cli/verify/verify.go | 451 +------------- cmd/cosign/cli/verify/verify_attestation.go | 176 +----- cmd/cosign/cli/verify/verify_blob.go | 107 +--- .../cli/verify/verify_blob_attestation.go | 110 +--- 12 files changed, 1395 insertions(+), 1888 deletions(-) create mode 100644 cmd/cosign/cli/signcommon/common.go create mode 100644 cmd/cosign/cli/signcommon/common_test.go create mode 100644 cmd/cosign/cli/verify/common.go diff --git a/cmd/cosign/cli/attest/attest.go b/cmd/cosign/cli/attest/attest.go index 6cf7c0fcbdd..4f17f0ae578 100644 --- a/cmd/cosign/cli/attest/attest.go +++ b/cmd/cosign/cli/attest/attest.go 
@@ -16,26 +16,16 @@ package attest import ( - "bytes" "context" _ "crypto/sha256" // for `crypto.SHA256` "encoding/json" "fmt" - "os" "time" - "github.com/google/go-containerregistry/pkg/name" v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor" - cosign_sign "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign" - "github.com/sigstore/cosign/v3/internal/auth" - "github.com/sigstore/cosign/v3/internal/key" - "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa" - tsaclient "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa/client" - "github.com/sigstore/cosign/v3/internal/ui" - "github.com/sigstore/cosign/v3/pkg/cosign" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/signcommon" "github.com/sigstore/cosign/v3/pkg/cosign/attestation" cbundle "github.com/sigstore/cosign/v3/pkg/cosign/bundle" cremote "github.com/sigstore/cosign/v3/pkg/cosign/remote" 
@@ -43,33 +33,8 @@ import ( ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote" "github.com/sigstore/cosign/v3/pkg/oci/static" "github.com/sigstore/cosign/v3/pkg/types" - "github.com/sigstore/rekor/pkg/generated/client" - "github.com/sigstore/rekor/pkg/generated/models" - "github.com/sigstore/sigstore-go/pkg/sign" - "github.com/sigstore/sigstore/pkg/signature/dsse" - signatureoptions "github.com/sigstore/sigstore/pkg/signature/options" ) -type tlogUploadFn func(*client.Rekor, []byte) (*models.LogEntryAnon, error) - -func uploadToTlog(ctx context.Context, sv *cosign_sign.SignerVerifier, rekorURL string, upload tlogUploadFn) (*models.LogEntryAnon, error) { - rekorBytes, err := sv.Bytes(ctx) - if err != nil { - return nil, err - } - - rekorClient, err := rekor.NewClient(rekorURL) - if err != nil { - return nil, err - } - entry, err := upload(rekorClient, rekorBytes) - if err != nil { - return nil, err - } - fmt.Fprintln(os.Stderr, "tlog entry created with index:", *entry.LogIndex) - return entry, nil -} - // nolint type AttestCommand struct { options.KeyOpts @@ -106,14 +71,10 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error { if err != nil { return err } - ref, err := name.ParseReference(imageRef, c.NameOptions()...) + ref, err := signcommon.ParseOCIReference(ctx, imageRef, c.NameOptions()...) if err != nil { return fmt.Errorf("parsing reference: %w", err) } - if _, ok := ref.(name.Digest); !ok { - msg := fmt.Sprintf(ui.TagReferenceMessage, imageRef) - ui.Warnf(ctx, msg) - } if c.Timeout != 0 { var cancelFn context.CancelFunc 
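Review bot: The error from `signcommon.ParseOCIReference` is wrapped again as `fmt.Errorf("parsing reference: %w", err)`, and the ParseOCIReference removed from sign.go later in this patch already wraps with the same "parsing reference:" prefix; if the moved helper kept that wrapping, users will see "parsing reference: parsing reference: …". Return the helper's error unchanged, `return err`, which is also what SignCmd does at its updated call site. Exec begins and ends outside this hunk.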
@@ -157,88 +118,19 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error { } if c.SigningConfig != nil { - var keypair sign.Keypair - var ephemeralKeypair bool - var idToken string - var sv *cosign_sign.SignerVerifier - var err error - - if c.Sk || c.Slot != "" || c.KeyRef != "" || c.CertPath != "" { - sv, _, err = cosign_sign.SignerFromKeyOpts(ctx, c.CertPath, c.CertChainPath, c.KeyOpts) - if err != nil { - return fmt.Errorf("getting signer: %w", err) - } - keypair, err = key.NewSignerVerifierKeypair(sv, c.DefaultLoadOptions) - if err != nil { - return fmt.Errorf("creating signerverifier keypair: %w", err) - } - } else { - keypair, err = sign.NewEphemeralKeypair(nil) - if err != nil { - return fmt.Errorf("generating keypair: %w", err) - } - ephemeralKeypair = true - } - defer func() { - if sv != nil { - sv.Close() - } - }() - - if ephemeralKeypair || c.IssueCertificateForExistingKey { - idToken, err = auth.RetrieveIDToken(ctx, auth.IDTokenConfig{ - TokenOrPath: c.IDToken, - DisableProviders: c.OIDCDisableProviders, - Provider: c.OIDCProvider, - AuthFlow: c.FulcioAuthFlow, - SkipConfirm: c.SkipConfirmation, - OIDCServices: c.SigningConfig.OIDCProviderURLs(), - ClientID: c.OIDCClientID, - ClientSecret: c.OIDCClientSecret, - RedirectURL: c.OIDCRedirectURL, - }) - if err != nil { - return fmt.Errorf("retrieving ID token: %w", err) - } - } - - content := &sign.DSSEData{ - Data: payload, - PayloadType: "application/vnd.in-toto+json", - } - bundle, err := cbundle.SignData(ctx, content, keypair, idToken, c.SigningConfig, c.TrustedMaterial) - if err != nil { - return fmt.Errorf("signing bundle: %w", err) - } - - ociremoteOpts, err := c.RegistryOptions.ClientOpts(ctx) - if err != nil { - return err - } - return ociremote.WriteAttestationNewBundleFormat(digest, bundle, types.CosignSignPredicateType, ociremoteOpts...) 
+ return signcommon.WriteNewBundleWithSigningConfig(ctx, c.KeyOpts, c.CertPath, c.CertChainPath, payload, digest, types.CosignSignPredicateType, "", c.SigningConfig, c.TrustedMaterial, ociremoteOpts...) } - sv, genKey, err := cosign_sign.SignerFromKeyOpts(ctx, c.CertPath, c.CertChainPath, c.KeyOpts) + bundleComponents, closeSV, err := signcommon.GetBundleComponents(ctx, c.CertPath, c.CertChainPath, c.KeyOpts, c.NoUpload, c.TlogUpload, payload, digest, c.RekorEntryType) if err != nil { - return fmt.Errorf("getting signer: %w", err) - } - if genKey || c.IssueCertificateForExistingKey { - sv, err = cosign_sign.KeylessSigner(ctx, c.KeyOpts, sv) - if err != nil { - return fmt.Errorf("getting Fulcio signer: %w", err) - } + return fmt.Errorf("getting bundle components: %w", err) } - defer sv.Close() - wrapped := dsse.WrapSigner(sv, types.IntotoPayloadType) - dd := cremote.NewDupeDetector(sv) + defer closeSV() - signedPayload, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx)) - if err != nil { - return fmt.Errorf("signing: %w", err) - } + sv := bundleComponents.SV if c.NoUpload { - fmt.Println(string(signedPayload)) + fmt.Println(string(bundleComponents.SignedPayload)) return nil } 
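Review bot: `signcommon.WriteNewBundleWithSigningConfig` takes eleven positional arguments, and the `""` bundle path here versus the `name.Digest{}`, `""` predicate type and `nil` remote options in attest_blob's call (hunk starting `@@ -158,161 +143,21 @@`) appear to select "write to the registry" versus "write to a file" purely by zero-value sentinels. That makes the output mode invisible at the call site and easy to get wrong if the two zero values ever disagree; a small options struct, or two thin wrappers sharing the signing step, would make the mode explicit. At minimum, a comment on this line should state which argument drives the choice. Exec begins and ends outside this hunk.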
@@ -246,39 +138,9 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error { if sv.Cert != nil { opts = append(opts, static.WithCertChain(sv.Cert, sv.Chain)) } - var timestampBytes []byte - var tsaPayload []byte - if c.KeyOpts.TSAServerURL != "" { - // We need to decide what signature to send to the timestamp authority. - // - // Historically, cosign sent `signedPayload`, which is the entire JSON DSSE - // Envelope. However, when sigstore clients are verifying a bundle they - // will use the DSSE Sig field, so we choose what signature to send to - // the timestamp authority based on our output format. - if c.KeyOpts.NewBundleFormat { - tsaPayload, err = cosign.GetDSSESigBytes(signedPayload) - if err != nil { - return err - } - } else { - tsaPayload = signedPayload - } - tc := tsaclient.NewTSAClient(c.KeyOpts.TSAServerURL) - if c.KeyOpts.TSAClientCert != "" { - tc = tsaclient.NewTSAClientMTLS(c.KeyOpts.TSAServerURL, - c.KeyOpts.TSAClientCACert, - c.KeyOpts.TSAClientCert, - c.KeyOpts.TSAClientKey, - c.KeyOpts.TSAServerName, - ) - } - timestampBytes, err = tsa.GetTimestampedSignature(tsaPayload, tc) - if err != nil { - return err - } - bundle := cbundle.TimestampToRFC3161Timestamp(timestampBytes) - opts = append(opts, static.WithRFC3161Timestamp(bundle)) + if bundleComponents.RFC3161Timestamp != nil { + opts = append(opts, static.WithRFC3161Timestamp(bundleComponents.RFC3161Timestamp)) } predicateType, err := options.ParsePredicateType(c.PredicateType) 
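Review bot: The comment explaining why the bytes sent to the timestamp authority differ by output format (the DSSE sig field for the new bundle, the whole envelope otherwise) was deleted together with the logic, and nothing on the new side says where that decision now lives; the same comment and the `// TODO: Consider uploading RFC3161 TS to Rekor` note also vanish from attest_blob in the hunk starting `@@ -158,161 +143,21 @@`. Because a verifier checks the timestamp against exactly those bytes, the rationale should travel with the code into signcommon, and this call site should carry a pointer such as `// Timestamp and tlog entry come from signcommon.GetBundleComponents, which decides which bytes are timestamped.` Exec begins and ends outside this hunk.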
@@ -292,52 +154,19 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error { // Add predicateType as manifest annotation opts = append(opts, static.WithAnnotations(predicateTypeAnnotation)) - // Check whether we should be uploading to the transparency log - shouldUpload, err := cosign_sign.ShouldUploadToTlog(ctx, c.KeyOpts, digest, c.TlogUpload) - if err != nil { - return fmt.Errorf("should upload to tlog: %w", err) - } - var rekorEntry *models.LogEntryAnon - if shouldUpload { - rekorEntry, err = uploadToTlog(ctx, sv, c.RekorURL, func(r *client.Rekor, b []byte) (*models.LogEntryAnon, error) { - if c.RekorEntryType == "intoto" { - return cosign.TLogUploadInTotoAttestation(ctx, r, signedPayload, b) - } else { - return cosign.TLogUploadDSSEEnvelope(ctx, r, signedPayload, b) - } - - }) - if err != nil { - return err - } - opts = append(opts, static.WithBundle(cbundle.EntryToBundle(rekorEntry))) - } - - sig, err := static.NewAttestation(signedPayload, opts...) - if err != nil { - return err + if bundleComponents.RekorEntry != nil { + opts = append(opts, static.WithBundle(cbundle.EntryToBundle(bundleComponents.RekorEntry))) } if c.KeyOpts.NewBundleFormat { - signerBytes, err := sv.Bytes(ctx) - if err != nil { - return err - } - pubKey, err := sv.PublicKey() - if err != nil { - return err - } - bundleBytes, err := cbundle.MakeNewBundle(pubKey, rekorEntry, payload, signedPayload, signerBytes, timestampBytes) - if err != nil { - return err - } - return ociremote.WriteAttestationNewBundleFormat(digest, bundleBytes, predicateType, ociremoteOpts...) + return signcommon.WriteBundle(sv, bundleComponents.RekorEntry, payload, bundleComponents.SignedPayload, bundleComponents.SignerBytes, bundleComponents.TimestampBytes, digest, predicateType, ociremoteOpts...) } // We don't actually need to access the remote entity to attach things to it // so we use a placeholder here. se := ociremote.SignedUnknown(digest, ociremoteOpts...) 
+ dd := cremote.NewDupeDetector(sv) signOpts := []mutate.SignOption{ mutate.WithDupeDetector(dd), mutate.WithRecordCreationTimestamp(c.RecordCreationTimestamp), @@ -348,6 +177,11 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error { signOpts = append(signOpts, mutate.WithReplaceOp(ro)) } + sig, err := static.NewAttestation(bundleComponents.SignedPayload, opts...) + if err != nil { + return err + } + // Attach the attestation to the entity. newSE, err := mutate.AttachAttestationToEntity(se, sig, signOpts...) if err != nil { diff --git a/cmd/cosign/cli/attest/attest_blob.go b/cmd/cosign/cli/attest/attest_blob.go index cc1c76aee91..4f0b9748658 100644 --- a/cmd/cosign/cli/attest/attest_blob.go +++ b/cmd/cosign/cli/attest/attest_blob.go @@ -21,7 +21,6 @@ import ( "encoding/base64" "encoding/hex" "encoding/json" - "errors" "fmt" "io" "os" 
@@ -30,25 +29,15 @@ import ( "strings" "time" + "github.com/google/go-containerregistry/pkg/name" intotov1 "github.com/in-toto/attestation/go/v1" "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor" - cosign_sign "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign" - "github.com/sigstore/cosign/v3/internal/auth" - "github.com/sigstore/cosign/v3/internal/key" - "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa" - tsaclient "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa/client" - "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/signcommon" "github.com/sigstore/cosign/v3/pkg/cosign" "github.com/sigstore/cosign/v3/pkg/cosign/attestation" cbundle "github.com/sigstore/cosign/v3/pkg/cosign/bundle" - "github.com/sigstore/cosign/v3/pkg/types" - "github.com/sigstore/rekor/pkg/generated/models" - "github.com/sigstore/sigstore-go/pkg/sign" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" - sigstoredsse "github.com/sigstore/sigstore/pkg/signature/dsse" - signatureoptions "github.com/sigstore/sigstore/pkg/signature/options" ) // nolint @@ -94,10 +83,6 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error defer cancelFn() } - if c.TSAServerURL != "" && c.RFC3161TimestampPath == "" && !c.NewBundleFormat { - return errors.New("expected either new bundle or an rfc3161-timestamp path when using a TSA server") - } - base := path.Base(artifactPath) var payload []byte 
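Review bot: The guard that rejected a `c.TSAServerURL` without either `c.NewBundleFormat` or a `c.RFC3161TimestampPath` is deleted here and nothing on the new side replaces it; the write of the timestamp to `c.RFC3161TimestampPath` also no longer appears in this file's visible hunks, so both presumably moved into `signcommon.GetBundleComponents`. If the helper does not reinstate the check, a timestamp is requested from the TSA and then dropped, and the user ends up with a signature that silently lacks the timestamp they asked for. Either keep the check at this call site, `if c.TSAServerURL != "" && c.RFC3161TimestampPath == "" && !c.NewBundleFormat { return fmt.Errorf("expected either new bundle or an rfc3161-timestamp path when using a TSA server") }` (with `fmt.Errorf`, since this patch drops the `errors` import), or add a test showing that the combination still fails. Exec begins and ends outside this hunk.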
@@ -158,161 +143,21 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error } if c.SigningConfig != nil { - var keypair sign.Keypair - var ephemeralKeypair bool - var idToken string - var sv *cosign_sign.SignerVerifier - var err error - - if c.Sk || c.Slot != "" || c.KeyRef != "" || c.CertPath != "" { - sv, _, err = cosign_sign.SignerFromKeyOpts(ctx, c.CertPath, c.CertChainPath, c.KeyOpts) - if err != nil { - return fmt.Errorf("getting signer: %w", err) - } - keypair, err = key.NewSignerVerifierKeypair(sv, c.DefaultLoadOptions) - if err != nil { - return fmt.Errorf("creating signerverifier keypair: %w", err) - } - } else { - keypair, err = sign.NewEphemeralKeypair(nil) - if err != nil { - return fmt.Errorf("generating keypair: %w", err) - } - ephemeralKeypair = true - } - defer func() { - if sv != nil { - sv.Close() - } - }() - - if ephemeralKeypair || c.IssueCertificateForExistingKey { - idToken, err = auth.RetrieveIDToken(ctx, auth.IDTokenConfig{ - TokenOrPath: c.IDToken, - DisableProviders: c.OIDCDisableProviders, - Provider: c.OIDCProvider, - AuthFlow: c.FulcioAuthFlow, - SkipConfirm: c.SkipConfirmation, - OIDCServices: c.SigningConfig.OIDCProviderURLs(), - ClientID: c.OIDCClientID, - ClientSecret: c.OIDCClientSecret, - RedirectURL: c.OIDCRedirectURL, - }) - if err != nil { - return fmt.Errorf("retrieving ID token: %w", err) - } - } - - content := &sign.DSSEData{ - Data: payload, - PayloadType: "application/vnd.in-toto+json", - } - bundle, err := cbundle.SignData(ctx, content, keypair, idToken, c.SigningConfig, c.TrustedMaterial) - if err != nil { - return fmt.Errorf("signing bundle: %w", err) - } - if err := os.WriteFile(c.BundlePath, bundle, 0600); err != nil { - return fmt.Errorf("create bundle file: %w", err) - } - ui.Infof(ctx, "Wrote bundle to file %s", c.BundlePath) - return nil + return signcommon.WriteNewBundleWithSigningConfig(ctx, c.KeyOpts, c.CertPath, c.CertChainPath, payload, name.Digest{}, "", c.BundlePath, 
c.SigningConfig, c.TrustedMaterial, nil) } - sv, genKey, err := cosign_sign.SignerFromKeyOpts(ctx, c.CertPath, c.CertChainPath, c.KeyOpts) + bundleComponents, closeSV, err := signcommon.GetBundleComponents(ctx, c.CertPath, c.CertChainPath, c.KeyOpts, false, c.TlogUpload, payload, nil, c.RekorEntryType) if err != nil { - return fmt.Errorf("getting signer: %w", err) - } - if genKey || c.IssueCertificateForExistingKey { - sv, err = cosign_sign.KeylessSigner(ctx, c.KeyOpts, sv) - if err != nil { - return fmt.Errorf("getting Fulcio signer: %w", err) - } + return fmt.Errorf("getting bundle components: %w", err) } - defer sv.Close() - wrapped := sigstoredsse.WrapSigner(sv, types.IntotoPayloadType) + defer closeSV() - sig, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx)) - if err != nil { - return fmt.Errorf("signing: %w", err) - } + sv := bundleComponents.SV - var rfc3161Timestamp *cbundle.RFC3161Timestamp - var timestampBytes []byte - var tsaPayload []byte - var rekorEntry *models.LogEntryAnon - - if c.KeyOpts.TSAServerURL != "" { - tc := tsaclient.NewTSAClient(c.KeyOpts.TSAServerURL) - if c.TSAClientCert != "" { - tc = tsaclient.NewTSAClientMTLS(c.KeyOpts.TSAServerURL, - c.KeyOpts.TSAClientCACert, - c.KeyOpts.TSAClientCert, - c.KeyOpts.TSAClientKey, - c.KeyOpts.TSAServerName, - ) - } - // We need to decide what signature to send to the timestamp authority. - // - // Historically, cosign sent `sig`, which is the entire JSON DSSE - // Envelope. However, when sigstore clients are verifying a bundle they - // will use the DSSE Sig field, so we choose what signature to send to - // the timestamp authority based on our output format. 
- if c.NewBundleFormat { - tsaPayload, err = cosign.GetDSSESigBytes(sig) - if err != nil { - return err - } - } else { - tsaPayload = sig - } - timestampBytes, err = tsa.GetTimestampedSignature(tsaPayload, tc) - if err != nil { - return err - } - rfc3161Timestamp = cbundle.TimestampToRFC3161Timestamp(timestampBytes) - // TODO: Consider uploading RFC3161 TS to Rekor - - if rfc3161Timestamp == nil { - return fmt.Errorf("rfc3161 timestamp is nil") - } - - if c.RFC3161TimestampPath != "" { - ts, err := json.Marshal(rfc3161Timestamp) - if err != nil { - return err - } - if err := os.WriteFile(c.RFC3161TimestampPath, ts, 0600); err != nil { - return fmt.Errorf("create RFC3161 timestamp file: %w", err) - } - fmt.Fprintln(os.Stderr, "RFC3161 timestamp bundle written to file ", c.RFC3161TimestampPath) - } - } - - signer, err := sv.Bytes(ctx) - if err != nil { - return err - } - shouldUpload, err := cosign_sign.ShouldUploadToTlog(ctx, c.KeyOpts, nil, c.TlogUpload) - if err != nil { - return fmt.Errorf("upload to tlog: %w", err) - } signedPayload := cosign.LocalSignedPayload{} - if shouldUpload { - rekorClient, err := rekor.NewClient(c.RekorURL) - if err != nil { - return err - } - if c.RekorEntryType == "intoto" { - rekorEntry, err = cosign.TLogUploadInTotoAttestation(ctx, rekorClient, sig, signer) - } else { - rekorEntry, err = cosign.TLogUploadDSSEEnvelope(ctx, rekorClient, sig, signer) - } - if err != nil { - return err - } - fmt.Fprintln(os.Stderr, "tlog entry created with index:", *rekorEntry.LogIndex) - signedPayload.Bundle = cbundle.EntryToBundle(rekorEntry) + if bundleComponents.RekorEntry != nil { + signedPayload.Bundle = cbundle.EntryToBundle(bundleComponents.RekorEntry) } if c.BundlePath != "" { 
@@ -323,13 +168,13 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error return err } - contents, err = cbundle.MakeNewBundle(pubKey, rekorEntry, payload, sig, signer, timestampBytes) + contents, err = cbundle.MakeNewBundle(pubKey, bundleComponents.RekorEntry, payload, bundleComponents.SignedPayload, bundleComponents.SignerBytes, bundleComponents.TimestampBytes) if err != nil { return err } } else { - signedPayload.Base64Signature = base64.StdEncoding.EncodeToString(sig) - signedPayload.Cert = base64.StdEncoding.EncodeToString(signer) + signedPayload.Base64Signature = base64.StdEncoding.EncodeToString(bundleComponents.SignedPayload) + signedPayload.Cert = base64.StdEncoding.EncodeToString(bundleComponents.SignerBytes) contents, err = json.Marshal(signedPayload) if err != nil { @@ -344,12 +189,12 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error } if c.OutputSignature != "" { - if err := os.WriteFile(c.OutputSignature, sig, 0600); err != nil { + if err := os.WriteFile(c.OutputSignature, bundleComponents.SignedPayload, 0600); err != nil { return fmt.Errorf("create signature file: %w", err) } fmt.Fprintf(os.Stderr, "Signature written in %s\n", c.OutputSignature) } else { - fmt.Fprintln(os.Stdout, string(sig)) + fmt.Fprintln(os.Stdout, string(bundleComponents.SignedPayload)) } if c.OutputAttestation != "" { @@ -360,11 +205,7 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error } if c.OutputCertificate != "" { - signer, err := sv.Bytes(ctx) - if err != nil { - return fmt.Errorf("error getting signer: %w", err) - } - cert, err := cryptoutils.UnmarshalCertificatesFromPEM(signer) + cert, err := cryptoutils.UnmarshalCertificatesFromPEM(bundleComponents.SignerBytes) // signer is a certificate if err != nil { fmt.Fprintln(os.Stderr, "Could not output signer certificate. Was a certificate used? ", err) 
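Review bot: The new inline comment `// signer is a certificate` on the `cryptoutils.UnmarshalCertificatesFromPEM(bundleComponents.SignerBytes)` line contradicts the lines right after it, which handle the case where no certificate was used; the same `SignerBytes` is also base64-encoded into `signedPayload.Cert` earlier in this file, so it is whatever the signer-verifier exposes, presumably a public key when a plain key was used. State the actual contract instead, e.g. `// SignerBytes is the signing certificate when one was used; otherwise unmarshalling fails and the certificate output is skipped below.` Exec begins and ends outside this hunk.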
@@ -375,7 +216,7 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error fmt.Fprintln(os.Stderr, "Could not output signer certificate. Expected a single certificate") return nil } - bts := signer + bts := bundleComponents.SignerBytes if err := os.WriteFile(c.OutputCertificate, bts, 0600); err != nil { return fmt.Errorf("create certificate file: %w", err) } diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go index 43e060745fb..443a62fb447 100644 --- a/cmd/cosign/cli/sign/sign.go +++ b/cmd/cosign/cli/sign/sign.go @@ -18,12 +18,8 @@ package sign import ( "bytes" "context" - "crypto" - "crypto/x509" "encoding/base64" "encoding/json" - "encoding/pem" - "errors" "fmt" "os" "path/filepath" @@ -31,15 +27,10 @@ import ( "github.com/google/go-containerregistry/pkg/name" v1 "github.com/google/go-containerregistry/pkg/v1" - "github.com/google/go-containerregistry/pkg/v1/remote" intotov1 "github.com/in-toto/attestation/go/v1" - "github.com/sigstore/cosign/v3/cmd/cosign/cli/fulcio" - "github.com/sigstore/cosign/v3/cmd/cosign/cli/fulcio/fulcioverifier" "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" "github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor" - "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign/privacy" - "github.com/sigstore/cosign/v3/internal/auth" - "github.com/sigstore/cosign/v3/internal/key" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/signcommon" icos "github.com/sigstore/cosign/v3/internal/pkg/cosign" ifulcio "github.com/sigstore/cosign/v3/internal/pkg/cosign/fulcio" ipayload "github.com/sigstore/cosign/v3/internal/pkg/cosign/payload" 
@@ -48,22 +39,12 @@ import ( "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa/client" "github.com/sigstore/cosign/v3/internal/ui" "github.com/sigstore/cosign/v3/pkg/cosign" - cbundle "github.com/sigstore/cosign/v3/pkg/cosign/bundle" - "github.com/sigstore/cosign/v3/pkg/cosign/pivkey" - "github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key" cremote "github.com/sigstore/cosign/v3/pkg/cosign/remote" "github.com/sigstore/cosign/v3/pkg/oci" "github.com/sigstore/cosign/v3/pkg/oci/mutate" ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote" "github.com/sigstore/cosign/v3/pkg/oci/walk" - sigs "github.com/sigstore/cosign/v3/pkg/signature" "github.com/sigstore/cosign/v3/pkg/types" - "github.com/sigstore/rekor/pkg/generated/models" - "github.com/sigstore/sigstore-go/pkg/sign" - "github.com/sigstore/sigstore/pkg/cryptoutils" - "github.com/sigstore/sigstore/pkg/signature" - "github.com/sigstore/sigstore/pkg/signature/dsse" - signatureoptions "github.com/sigstore/sigstore/pkg/signature/options" sigPayload "github.com/sigstore/sigstore/pkg/signature/payload" "google.golang.org/protobuf/encoding/protojson" 
@@ -71,49 +52,6 @@ import ( _ "github.com/sigstore/cosign/v3/pkg/providers/all" ) -func ShouldUploadToTlog(ctx context.Context, ko options.KeyOpts, ref name.Reference, tlogUpload bool) (bool, error) { - upload := shouldUploadToTlog(ctx, ko, ref, tlogUpload) - var statementErr error - if upload { - privacy.StatementOnce.Do(func() { - ui.Infof(ctx, privacy.Statement) - ui.Infof(ctx, privacy.StatementConfirmation) - if !ko.SkipConfirmation { - if err := ui.ConfirmContinue(ctx); err != nil { - statementErr = err - } - } - }) - } - return upload, statementErr -} - -func shouldUploadToTlog(ctx context.Context, ko options.KeyOpts, ref name.Reference, tlogUpload bool) bool { - // return false if not uploading to the tlog has been requested - if !tlogUpload { - return false - } - - if ko.SkipConfirmation { - return true - } - - // We don't need to validate the ref, just return true - if ref == nil { - return true - } - - // Check if the image is public (no auth in Get) - if _, err := remote.Get(ref, remote.WithContext(ctx)); err != nil { - ui.Warnf(ctx, "%q appears to be a private repository, please confirm uploading to the transparency log at %q", ref.Context().String(), ko.RekorURL) - if ui.ConfirmContinue(ctx) != nil { - ui.Infof(ctx, "not uploading to transparency log") - return false - } - } - return true -} - func GetAttachedImageRef(ref name.Reference, attachment string, opts ...ociremote.Option) (name.Reference, error) { if attachment == "" { return ref, nil 
@@ -124,18 +62,6 @@ func GetAttachedImageRef(ref name.Reference, attachment string, opts ...ociremot
 return nil, fmt.Errorf("unknown attachment type %s", attachment)
 }
 
-// ParseOCIReference parses a string reference to an OCI image into a reference, warning if the reference did not include a digest.
-func ParseOCIReference(ctx context.Context, refStr string, opts ...name.Option) (name.Reference, error) {
- ref, err := name.ParseReference(refStr, opts...)
- if err != nil {
- return nil, fmt.Errorf("parsing reference: %w", err)
- }
- if _, ok := ref.(name.Digest); !ok {
- ui.Warnf(ctx, ui.TagReferenceMessage, refStr)
- }
- return ref, nil
-}
-
 // nolint
 func SignCmd(ro *options.RootOptions, ko options.KeyOpts, signOpts options.SignOptions, imgs []string) error {
 if options.NOf(ko.KeyRef, ko.Sk) > 1 {
@@ -171,7 +97,7 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, signOpts options.SignO
 }
 annotations := am.Annotations
 for _, inputImg := range imgs {
- ref, err := ParseOCIReference(ctx, inputImg, regOpts.NameOptions()...)
+ ref, err := signcommon.ParseOCIReference(ctx, inputImg, regOpts.NameOptions()...)
 if err != nil {
 return err
 }
@@ -248,145 +174,23 @@ func signDigestBundle(ctx context.Context, digest name.Digest, ko options.KeyOpt return err } - if ko.SigningConfig != nil { - var keypair sign.Keypair - var ephemeralKeypair bool - var idToken string - var sv *SignerVerifier - var err error - - if ko.Sk || ko.Slot != "" || ko.KeyRef != "" || signOpts.Cert != "" { - sv, _, err = SignerFromKeyOpts(ctx, signOpts.Cert, signOpts.CertChain, ko) - if err != nil { - return fmt.Errorf("getting signer: %w", err) - } - keypair, err = key.NewSignerVerifierKeypair(sv, ko.DefaultLoadOptions) - if err != nil { - return fmt.Errorf("creating signerverifier keypair: %w", err) - } - } else { - keypair, err = sign.NewEphemeralKeypair(nil) - if err != nil { - return fmt.Errorf("generating keypair: %w", err) - } - ephemeralKeypair = true - } - defer func() { - if sv != nil { - sv.Close() - } - }() - - if ephemeralKeypair || ko.IssueCertificateForExistingKey { - idToken, err = auth.RetrieveIDToken(ctx, auth.IDTokenConfig{ - TokenOrPath: ko.IDToken, - DisableProviders: ko.OIDCDisableProviders, - Provider: ko.OIDCProvider, - AuthFlow: ko.FulcioAuthFlow, - SkipConfirm: ko.SkipConfirmation, - OIDCServices: ko.SigningConfig.OIDCProviderURLs(), - ClientID: ko.OIDCClientID, - ClientSecret: ko.OIDCClientSecret, - RedirectURL: ko.OIDCRedirectURL, - }) - if err != nil { - return fmt.Errorf("retrieving ID token: %w", err) - } - } - - content := &sign.DSSEData{ - Data: payload, - PayloadType: "application/vnd.in-toto+json", - } - bundle, err := cbundle.SignData(ctx, content, keypair, idToken, ko.SigningConfig, ko.TrustedMaterial) - if err != nil { - return fmt.Errorf("signing bundle: %w", err) - } - - regOpts := signOpts.Registry - ociremoteOpts, err := regOpts.ClientOpts(ctx) - if err != nil { - return fmt.Errorf("constructing client options: %w", err) - } - return ociremote.WriteAttestationNewBundleFormat(digest, bundle, types.CosignSignPredicateType, ociremoteOpts...) 
- } - - sv, genKey, err := SignerFromKeyOpts(ctx, signOpts.Cert, signOpts.CertChain, ko) - if err != nil { - return fmt.Errorf("getting signer: %w", err) - } - if genKey || ko.IssueCertificateForExistingKey { - sv, err = KeylessSigner(ctx, ko, sv) - if err != nil { - return fmt.Errorf("getting Fulcio signer: %w", err) - } - } - defer sv.Close() - - wrapped := dsse.WrapSigner(sv, types.IntotoPayloadType) - signedPayload, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx)) - if err != nil { - return fmt.Errorf("signing: %w", err) - } - - var timestampBytes []byte - if ko.TSAServerURL != "" { - tsaPayload, err := cosign.GetDSSESigBytes(signedPayload) - if err != nil { - return err - } - tc := client.NewTSAClient(ko.TSAServerURL) - if ko.TSAClientCert != "" { - tc = client.NewTSAClientMTLS(ko.TSAServerURL, - ko.TSAClientCACert, - ko.TSAClientCert, - ko.TSAClientKey, - ko.TSAServerName, - ) - } - timestampBytes, err = tsa.GetTimestampedSignature(tsaPayload, tc) - if err != nil { - return err - } - } - - signerBytes, err := sv.Bytes(ctx) - if err != nil { - return err - } - - var rekorEntry *models.LogEntryAnon - shouldUpload, err := ShouldUploadToTlog(ctx, ko, digest, signOpts.TlogUpload) - if err != nil { - return fmt.Errorf("should upload to tlog: %w", err) - } - if shouldUpload { - rClient, err := rekor.NewClient(ko.RekorURL) - if err != nil { - return err - } - rekorEntry, err = cosign.TLogUploadDSSEEnvelope(ctx, rClient, signedPayload, signerBytes) - if err != nil { - return err - } - } - regOpts := signOpts.Registry ociremoteOpts, err := regOpts.ClientOpts(ctx) if err != nil { return fmt.Errorf("constructing client options: %w", err) } - pubKey, err := sv.PublicKey() - if err != nil { - return err + if ko.SigningConfig != nil { + return signcommon.WriteNewBundleWithSigningConfig(ctx, ko, signOpts.Cert, signOpts.CertChain, payload, digest, types.CosignSignPredicateType, "", ko.SigningConfig, ko.TrustedMaterial, ociremoteOpts...) 
} - bundleBytes, err := cbundle.MakeNewBundle(pubKey, rekorEntry, payload, signedPayload, signerBytes, timestampBytes) + bundleComponents, closeSV, err := signcommon.GetBundleComponents(ctx, signOpts.Cert, signOpts.CertChain, ko, false, signOpts.TlogUpload, payload, digest, "dsse") if err != nil { - return err + return fmt.Errorf("getting bundle components: %w", err) } - return ociremote.WriteAttestationNewBundleFormat(digest, bundleBytes, types.CosignSignPredicateType, ociremoteOpts...) + defer closeSV() + + return signcommon.WriteBundle(bundleComponents.SV, bundleComponents.RekorEntry, payload, bundleComponents.SignedPayload, bundleComponents.SignerBytes, bundleComponents.TimestampBytes, digest, types.CosignSignPredicateType, ociremoteOpts...) } func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko options.KeyOpts, signOpts options.SignOptions, @@ -404,17 +208,12 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti } } - sv, genKey, err := SignerFromKeyOpts(ctx, signOpts.Cert, signOpts.CertChain, ko) + sv, closeSV, err := signcommon.GetSignerVerifier(ctx, signOpts.Cert, signOpts.CertChain, ko) if err != nil { return fmt.Errorf("getting signer: %w", err) } - if genKey || ko.IssueCertificateForExistingKey { - sv, err = KeylessSigner(ctx, ko, sv) - if err != nil { - return fmt.Errorf("getting Fulcio signer: %w", err) - } - } - defer sv.Close() + defer closeSV() + dd := cremote.NewDupeDetector(sv) var s icos.Signer @@ -435,7 +234,7 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti )) } } - shouldUpload, err := ShouldUploadToTlog(ctx, ko, digest, signOpts.TlogUpload) + shouldUpload, err := signcommon.ShouldUploadToTlog(ctx, ko, digest, signOpts.TlogUpload) if err != nil { return fmt.Errorf("should upload to tlog: %w", err) } 
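Review bot: The new signDigestBundle body calls `signcommon.GetBundleComponents(ctx, signOpts.Cert, signOpts.CertChain, ko, false, signOpts.TlogUpload, payload, digest, "dsse")` with two positional discriminators, a bare `false` and the string `"dsse"`, whose meaning cannot be read at the call site and is not checked by the compiler. A named constant in signcommon for the payload kind in place of `"dsse"`, plus a short trailing comment naming what the `false` selects, would make the call self-describing and keep the other callers of GetBundleComponents from drifting on the spelling. Separately, `signcommon.WriteNewBundleWithSigningConfig(ctx, ko, ..., ko.SigningConfig, ko.TrustedMaterial, ociremoteOpts...)` receives `ko` and then two of its own fields, which a future caller could pass inconsistently; unless the helper is meant to accept a config other than `ko`'s, it can read them from `ko` itself. signDigestBundle begins before this hunk.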
@@ -540,240 +339,6 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti return ociremote.WriteSignatures(digest.Repository, newSE, walkOpts...) } -func signerFromSecurityKey(ctx context.Context, keySlot string) (*SignerVerifier, error) { - sk, err := pivkey.GetKeyWithSlot(keySlot) - if err != nil { - return nil, err - } - sv, err := sk.SignerVerifier() - if err != nil { - sk.Close() - return nil, err - } - - // Handle the -cert flag. - // With PIV, we assume the certificate is in the same slot on the PIV - // token as the private key. If it's not there, show a warning to the - // user. - certFromPIV, err := sk.Certificate() - var pemBytes []byte - if err != nil { - ui.Warnf(ctx, "no x509 certificate retrieved from the PIV token") - } else { - pemBytes, err = cryptoutils.MarshalCertificateToPEM(certFromPIV) - if err != nil { - sk.Close() - return nil, err - } - } - - return &SignerVerifier{ - Cert: pemBytes, - SignerVerifier: sv, - close: sk.Close, - }, nil -} - -func signerFromKeyRef(ctx context.Context, certPath, certChainPath, keyRef string, passFunc cosign.PassFunc, defaultLoadOptions *[]signature.LoadOption) (*SignerVerifier, error) { - k, err := sigs.SignerVerifierFromKeyRef(ctx, keyRef, passFunc, defaultLoadOptions) - if err != nil { - return nil, fmt.Errorf("reading key: %w", err) - } - certSigner := &SignerVerifier{ - SignerVerifier: k, - } - - var leafCert *x509.Certificate - - // Attempt to extract certificate from PKCS11 token - // With PKCS11, we assume the certificate is in the same slot on the PKCS11 - // token as the private key. If it's not there, show a warning to the - // user. 
- if pkcs11Key, ok := k.(*pkcs11key.Key); ok { - certFromPKCS11, _ := pkcs11Key.Certificate() - certSigner.close = pkcs11Key.Close - - if certFromPKCS11 == nil { - ui.Warnf(ctx, "no x509 certificate retrieved from the PKCS11 token") - } else { - pemBytes, err := cryptoutils.MarshalCertificateToPEM(certFromPKCS11) - if err != nil { - pkcs11Key.Close() - return nil, err - } - // Check that the provided public key and certificate key match - pubKey, err := k.PublicKey() - if err != nil { - pkcs11Key.Close() - return nil, err - } - if cryptoutils.EqualKeys(pubKey, certFromPKCS11.PublicKey) != nil { - pkcs11Key.Close() - return nil, errors.New("pkcs11 key and certificate do not match") - } - leafCert = certFromPKCS11 - certSigner.Cert = pemBytes - } - } - - // Handle --cert flag - if certPath != "" { - // Allow both DER and PEM encoding - certBytes, err := os.ReadFile(certPath) - if err != nil { - return nil, fmt.Errorf("read certificate: %w", err) - } - // Handle PEM - if bytes.HasPrefix(certBytes, []byte("-----")) { - decoded, _ := pem.Decode(certBytes) - if decoded.Type != "CERTIFICATE" { - return nil, fmt.Errorf("supplied PEM file is not a certificate: %s", certPath) - } - certBytes = decoded.Bytes - } - parsedCert, err := x509.ParseCertificate(certBytes) - if err != nil { - return nil, fmt.Errorf("parse x509 certificate: %w", err) - } - pk, err := k.PublicKey() - if err != nil { - return nil, fmt.Errorf("get public key: %w", err) - } - if cryptoutils.EqualKeys(pk, parsedCert.PublicKey) != nil { - return nil, errors.New("public key in certificate does not match the provided public key") - } - pemBytes, err := cryptoutils.MarshalCertificateToPEM(parsedCert) - if err != nil { - return nil, fmt.Errorf("marshaling certificate to PEM: %w", err) - } - if certSigner.Cert != nil { - ui.Warnf(ctx, "overriding x509 certificate retrieved from the PKCS11 token") - } - leafCert = parsedCert - certSigner.Cert = pemBytes - } - - if certChainPath == "" { - return certSigner, nil - 
} else if certSigner.Cert == nil { - return nil, errors.New("no leaf certificate found or provided while specifying chain") - } - - // Handle --cert-chain flag - // Accept only PEM encoded certificate chain - certChainBytes, err := os.ReadFile(certChainPath) - if err != nil { - return nil, fmt.Errorf("reading certificate chain from path: %w", err) - } - certChain, err := cryptoutils.LoadCertificatesFromPEM(bytes.NewReader(certChainBytes)) - if err != nil { - return nil, fmt.Errorf("loading certificate chain: %w", err) - } - if len(certChain) == 0 { - return nil, errors.New("no certificates in certificate chain") - } - // Verify certificate chain is valid - rootPool := x509.NewCertPool() - rootPool.AddCert(certChain[len(certChain)-1]) - subPool := x509.NewCertPool() - for _, c := range certChain[:len(certChain)-1] { - subPool.AddCert(c) - } - if _, err := cosign.TrustedCert(leafCert, rootPool, subPool); err != nil { - return nil, fmt.Errorf("unable to validate certificate chain: %w", err) - } - certSigner.Chain = certChainBytes - - return certSigner, nil -} - -func signerFromNewKey() (*SignerVerifier, error) { - privKey, err := cosign.GeneratePrivateKey() - if err != nil { - return nil, fmt.Errorf("generating cert: %w", err) - } - sv, err := signature.LoadECDSASignerVerifier(privKey, crypto.SHA256) - if err != nil { - return nil, err - } - - return &SignerVerifier{ - SignerVerifier: sv, - }, nil -} - -func KeylessSigner(ctx context.Context, ko options.KeyOpts, sv *SignerVerifier) (*SignerVerifier, error) { - var ( - k *fulcio.Signer - err error - ) - - if _, ok := sv.SignerVerifier.(*signature.ED25519phSignerVerifier); ok { - return nil, fmt.Errorf("ed25519ph unsupported by Fulcio") - } - - if ko.InsecureSkipFulcioVerify { - if k, err = fulcio.NewSigner(ctx, ko, sv); err != nil { - return nil, fmt.Errorf("getting key from Fulcio: %w", err) - } - } else { - if k, err = fulcioverifier.NewSigner(ctx, ko, sv); err != nil { - return nil, fmt.Errorf("getting key from 
Fulcio: %w", err) - } - } - - return &SignerVerifier{ - Cert: k.Cert, - Chain: k.Chain, - SignerVerifier: k, - }, nil -} - -func SignerFromKeyOpts(ctx context.Context, certPath string, certChainPath string, ko options.KeyOpts) (*SignerVerifier, bool, error) { - var sv *SignerVerifier - var err error - genKey := false - switch { - case ko.Sk: - sv, err = signerFromSecurityKey(ctx, ko.Slot) - case ko.KeyRef != "": - sv, err = signerFromKeyRef(ctx, certPath, certChainPath, ko.KeyRef, ko.PassFunc, ko.DefaultLoadOptions) - default: - genKey = true - ui.Infof(ctx, "Generating ephemeral keys...") - sv, err = signerFromNewKey() - } - if err != nil { - return nil, false, err - } - return sv, genKey, nil -} - -type SignerVerifier struct { - Cert []byte - Chain []byte - signature.SignerVerifier - close func() -} - -func (c *SignerVerifier) Close() { - if c.close != nil { - c.close() - } -} - -func (c *SignerVerifier) Bytes(ctx context.Context) ([]byte, error) { - if c.Cert != nil { - return c.Cert, nil - } - - pemBytes, err := sigs.PublicKeyPem(c, signatureoptions.WithContext(ctx)) - if err != nil { - return nil, err - } - return pemBytes, nil -} - func fetchLocalSignedPayload(sig oci.Signature) (*cosign.LocalSignedPayload, error) { signedPayload := &cosign.LocalSignedPayload{} var err error diff --git a/cmd/cosign/cli/sign/sign_blob.go b/cmd/cosign/cli/sign/sign_blob.go index cba9af705ac..a3e462a1bae 100644 --- a/cmd/cosign/cli/sign/sign_blob.go +++ b/cmd/cosign/cli/sign/sign_blob.go 
@@ -30,17 +30,14 @@ import (
 "google.golang.org/protobuf/encoding/protojson"
 
 "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor"
- "github.com/sigstore/cosign/v3/internal/auth"
- "github.com/sigstore/cosign/v3/internal/key"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/signcommon"
 internal "github.com/sigstore/cosign/v3/internal/pkg/cosign"
- "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa"
- "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa/client"
 "github.com/sigstore/cosign/v3/internal/ui"
 "github.com/sigstore/cosign/v3/pkg/cosign"
 cbundle "github.com/sigstore/cosign/v3/pkg/cosign/bundle"
 protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1"
 protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
+ rekorclient "github.com/sigstore/rekor/pkg/generated/client"
 "github.com/sigstore/rekor/pkg/generated/models"
 "github.com/sigstore/sigstore-go/pkg/sign"
 "github.com/sigstore/sigstore/pkg/cryptoutils"
@@ -67,7 +64,7 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string
 ctx, cancel := context.WithTimeout(context.Background(), ro.Timeout)
 defer cancel()
 
- shouldUpload, err := ShouldUploadToTlog(ctx, ko, nil, tlogUpload)
+ shouldUpload, err := signcommon.ShouldUploadToTlog(ctx, ko, nil, tlogUpload)
 if err != nil {
 return nil, fmt.Errorf("upload to tlog: %w", err)
 }
@@ -80,49 +77,9 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string
 }
 
 if ko.SigningConfig != nil {
- var keypair sign.Keypair
- var ephemeralKeypair bool
- var idToken string
- var sv *SignerVerifier
- var err error
-
- if ko.Sk || ko.Slot != "" || ko.KeyRef != "" {
- sv, _, err = SignerFromKeyOpts(ctx, "", "", ko)
- if err != nil {
- return nil, fmt.Errorf("getting signer: %w", err)
- }
- keypair, err = key.NewSignerVerifierKeypair(sv, ko.DefaultLoadOptions)
- if err != nil {
- return nil, fmt.Errorf("creating signerverifier keypair: %w", err)
- }
- } else {
- keypair, err = sign.NewEphemeralKeypair(nil)
- if err != nil {
- return nil, fmt.Errorf("generating keypair: %w", err)
- }
- ephemeralKeypair = true
- }
- defer func() {
- if sv != nil {
- sv.Close()
- }
- }()
-
- if ephemeralKeypair || ko.IssueCertificateForExistingKey {
- idToken, err = auth.RetrieveIDToken(ctx, auth.IDTokenConfig{
- TokenOrPath: ko.IDToken,
- DisableProviders: ko.OIDCDisableProviders,
- Provider: ko.OIDCProvider,
- AuthFlow: ko.FulcioAuthFlow,
- SkipConfirm: ko.SkipConfirmation,
- OIDCServices: ko.SigningConfig.OIDCProviderURLs(),
- ClientID: ko.OIDCClientID,
- ClientSecret: ko.OIDCClientSecret,
- RedirectURL: ko.OIDCRedirectURL,
- })
- if err != nil {
- return nil, fmt.Errorf("retrieving ID token: %w", err)
- }
+ keypair, idToken, err := signcommon.GetKeypairAndToken(ctx, ko, "", "")
+ if err != nil {
+ return nil, fmt.Errorf("getting keypair and token: %w", err)
 }
 
 payload, closePayload, err := getPayload(ctx, payloadPath, protoHashAlgoToHash(keypair.GetHashAlgorithm()))
@@ -137,6 +94,7 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string
 content := &sign.PlainData{
 Data: data,
 }
+
 bundle, err := cbundle.SignData(ctx, content, keypair, idToken, ko.SigningConfig, ko.TrustedMaterial)
 if err != nil {
 return nil, fmt.Errorf("signing bundle: %w", err)
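Review bot: The replacement in SignBlobCmd's `ko.SigningConfig != nil` branch drops the deferred `sv.Close()` that the removed code ran for a signer loaded via `ko.Sk`, `ko.Slot` or `ko.KeyRef`: `keypair, idToken, err := signcommon.GetKeypairAndToken(ctx, ko, "", "")` returns no close function, so whatever PIV/PKCS11 handle the helper opens for those options is no longer released by this function. The helper cannot close it itself without invalidating the keypair before `cbundle.SignData` uses it, so returning a closer the way `signcommon.GetSignerVerifier` returns `closeSV` keeps the lifetime explicit: `keypair, idToken, closeKP, err := signcommon.GetKeypairAndToken(ctx, ko, "", "")` followed by `defer closeKP()`. Now that this path is shared with signDigestBundle, a test covering the hardware-key branch would catch a leaked handle in both callers. SignBlobCmd begins outside this hunk.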
@@ -148,17 +106,11 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string
 return bundle, nil
 }
 
- sv, genKey, err := SignerFromKeyOpts(ctx, "", "", ko)
+ sv, closeSV, err := signcommon.GetSignerVerifier(ctx, "", "", ko)
 if err != nil {
- return nil, err
+ return nil, fmt.Errorf("getting signer: %w", err)
 }
- if genKey || ko.IssueCertificateForExistingKey {
- sv, err = KeylessSigner(ctx, ko, sv)
- if err != nil {
- return nil, fmt.Errorf("getting Fulcio signer: %w", err)
- }
- }
- defer sv.Close()
+ defer closeSV()
 
 hashFunction, err := getHashFunction(sv, ko.DefaultLoadOptions)
 if err != nil {
@@ -188,63 +140,23 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string digest := payload.Sum(nil) signedPayload := cosign.LocalSignedPayload{} - var rekorEntry *models.LogEntryAnon - var rfc3161Timestamp *cbundle.RFC3161Timestamp - var timestampBytes []byte - - if ko.TSAServerURL != "" { - if ko.RFC3161TimestampPath == "" && !ko.NewBundleFormat { - return nil, fmt.Errorf("must use protobuf bundle or set timestamp output path") - } - var err error - if ko.TSAClientCACert == "" && ko.TSAClientCert == "" { // no mTLS params or custom CA - timestampBytes, err = tsa.GetTimestampedSignature(sig, client.NewTSAClient(ko.TSAServerURL)) - if err != nil { - return nil, err - } - } else { - timestampBytes, err = tsa.GetTimestampedSignature(sig, client.NewTSAClientMTLS(ko.TSAServerURL, - ko.TSAClientCACert, - ko.TSAClientCert, - ko.TSAClientKey, - ko.TSAServerName, - )) - if err != nil { - return nil, err - } - } - rfc3161Timestamp = cbundle.TimestampToRFC3161Timestamp(timestampBytes) - - if rfc3161Timestamp == nil { - return nil, fmt.Errorf("rfc3161 timestamp is nil") - } + timestampBytes, _, err := signcommon.GetRFC3161Timestamp(sig, ko) + if err != nil { + return nil, fmt.Errorf("getting timestamp: %w", err) + } - if ko.RFC3161TimestampPath != "" { - ts, err := json.Marshal(rfc3161Timestamp) - if err != nil { - return nil, err - } - if err := os.WriteFile(ko.RFC3161TimestampPath, ts, 0600); err != nil { - return nil, fmt.Errorf("create RFC3161 timestamp file: %w", err) - } - ui.Infof(ctx, "RFC3161 timestamp written to file %s\n", ko.RFC3161TimestampPath) - } + signer, err := sv.Bytes(ctx) + if err != nil { + return nil, err } - if shouldUpload { - rekorBytes, err := sv.Bytes(ctx) - if err != nil { - return nil, err - } - rekorClient, err := rekor.NewClient(ko.RekorURL) - if err != nil { - return nil, err - } - rekorEntry, err = cosign.TLogUploadWithCustomHash(ctx, rekorClient, sig, &payload, rekorBytes) - if err != nil { - return nil, err - } 
- ui.Infof(ctx, "tlog entry created with index: %d", *rekorEntry.LogIndex) + rekorEntry, err := signcommon.UploadToTlog(ctx, ko, nil, shouldUpload, signer, func(r *rekorclient.Rekor, b []byte) (*models.LogEntryAnon, error) { + return cosign.TLogUploadWithCustomHash(ctx, r, sig, &payload, b) + }) + if err != nil { + return nil, err + } + if rekorEntry != nil { signedPayload.Bundle = cbundle.EntryToBundle(rekorEntry) } @@ -256,10 +168,6 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string var hint string var rawCert []byte - signer, err := sv.Bytes(ctx) - if err != nil { - return nil, fmt.Errorf("error getting signer: %w", err) - } cert, err := cryptoutils.UnmarshalCertificatesFromPEM(signer) if err != nil || len(cert) == 0 { pubKey, err := sv.PublicKey() @@ -356,7 +264,7 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string } // Extract an encoded certificate from the SignerVerifier. Returns (nil, nil) if verifier is not a certificate. -func extractCertificate(ctx context.Context, sv *SignerVerifier) ([]byte, error) { +func extractCertificate(ctx context.Context, sv *signcommon.SignerVerifier) ([]byte, error) { signer, err := sv.Bytes(ctx) if err != nil { return nil, fmt.Errorf("error getting signer: %w", err) @@ -369,7 +277,7 @@ func extractCertificate(ctx context.Context, sv *SignerVerifier) ([]byte, error) return nil, nil } -func getHashFunction(sv *SignerVerifier, defaultLoadOptions *[]signature.LoadOption) (crypto.Hash, error) { +func getHashFunction(sv *signcommon.SignerVerifier, defaultLoadOptions *[]signature.LoadOption) (crypto.Hash, error) { pubKey, err := sv.PublicKey() if err != nil { return crypto.Hash(0), fmt.Errorf("error getting public key: %w", err) diff --git a/cmd/cosign/cli/sign/sign_test.go b/cmd/cosign/cli/sign/sign_test.go index 78ad209d7cc..a8be500276f 100644 --- a/cmd/cosign/cli/sign/sign_test.go +++ b/cmd/cosign/cli/sign/sign_test.go 
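Review bot: `timestampBytes, _, err := signcommon.GetRFC3161Timestamp(sig, ko)` discards the helper's second result without saying what it is, and the helper takes no `ctx`, so the removed `ui.Infof(ctx, "RFC3161 timestamp written to file %s\n", ko.RFC3161TimestampPath)`, the write to `ko.RFC3161TimestampPath` and the `must use protobuf bundle or set timestamp output path` check have either moved into a context-free helper or been dropped; confirm all three still run, and name the ignored value in a trailing comment such as `// second result: rfc3161 timestamp struct — TODO confirm it is persisted by the helper`. The call is also unconditional where the removed code was gated on `ko.TSAServerURL != ""`, so the helper must return nil bytes and a nil error when no TSA is configured, otherwise every sign-blob run without a TSA fails. Minor: the hoisted `signer, err := sv.Bytes(ctx)` returns the bare error where the line removed at @@ -256 wrapped it as `fmt.Errorf("error getting signer: %w", err)`; keep the wrapping. SignBlobCmd begins outside this hunk.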
@@ -16,98 +16,13 @@ package sign import ( - "context" - "crypto/ecdsa" - "crypto/x509" - "encoding/pem" "errors" - "os" - "reflect" - "strings" "testing" - "github.com/stretchr/testify/assert" - - "github.com/secure-systems-lab/go-securesystemslib/encrypted" "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate" "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v3/internal/test" - "github.com/sigstore/cosign/v3/internal/ui" - "github.com/sigstore/cosign/v3/pkg/cosign" - "github.com/sigstore/sigstore/pkg/cryptoutils" ) -func pass(s string) cosign.PassFunc { - return func(_ bool) ([]byte, error) { - return []byte(s), nil - } -} - -func generateCertificateFiles(t *testing.T, tmpDir string, pf cosign.PassFunc) (privFile, certFile, chainFile string, privKey *ecdsa.PrivateKey, cert *x509.Certificate, chain []*x509.Certificate) { - t.Helper() - - rootCert, rootKey, _ := test.GenerateRootCa() - subCert, subKey, _ := test.GenerateSubordinateCa(rootCert, rootKey) - leafCert, privKey, _ := test.GenerateLeafCert("subject", "oidc-issuer", subCert, subKey) - pemRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert.Raw}) - pemSub := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: subCert.Raw}) - pemLeaf := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafCert.Raw}) - - x509Encoded, err := x509.MarshalPKCS8PrivateKey(privKey) - if err != nil { - t.Fatalf("failed to encode private key: %v", err) - } - password := []byte{} - if pf != nil { - password, err = pf(true) - if err != nil { - t.Fatalf("failed to read password: %v", err) - } - } - - encBytes, err := encrypted.Encrypt(x509Encoded, password) - if err != nil { - t.Fatalf("failed to encrypt key: %v", err) - } - - // store in PEM format - privBytes := pem.EncodeToMemory(&pem.Block{ - Bytes: encBytes, - Type: cosign.CosignPrivateKeyPemType, - }) - - tmpPrivFile, err := os.CreateTemp(tmpDir, "cosign_test_*.key") - if err != nil { - t.Fatalf("failed to 
create temp key file: %v", err) - } - defer tmpPrivFile.Close() - if _, err := tmpPrivFile.Write(privBytes); err != nil { - t.Fatalf("failed to write key file: %v", err) - } - - tmpCertFile, err := os.CreateTemp(tmpDir, "cosign.crt") - if err != nil { - t.Fatalf("failed to create temp certificate file: %v", err) - } - defer tmpCertFile.Close() - if _, err := tmpCertFile.Write(pemLeaf); err != nil { - t.Fatalf("failed to write certificate file: %v", err) - } - - tmpChainFile, err := os.CreateTemp(tmpDir, "cosign_chain.crt") - if err != nil { - t.Fatalf("failed to create temp chain file: %v", err) - } - defer tmpChainFile.Close() - pemChain := pemSub - pemChain = append(pemChain, pemRoot...) - if _, err := tmpChainFile.Write(pemChain); err != nil { - t.Fatalf("failed to write chain file: %v", err) - } - - return tmpPrivFile.Name(), tmpCertFile.Name(), tmpChainFile.Name(), privKey, leafCert, []*x509.Certificate{subCert, rootCert} -} - // TestSignCmdLocalKeyAndSk verifies the SignCmd returns an error // if both a local key path and a sk are specified func TestSignCmdLocalKeyAndSk(t *testing.T) { 
@@ -128,104 +43,3 @@ func TestSignCmdLocalKeyAndSk(t *testing.T) { } } } - -func Test_signerFromKeyRefSuccess(t *testing.T) { - tmpDir := t.TempDir() - ctx := context.Background() - keyFile, certFile, chainFile, privKey, cert, chain := generateCertificateFiles(t, tmpDir, pass("foo")) - - signer, err := signerFromKeyRef(ctx, certFile, chainFile, keyFile, pass("foo"), nil) - if err != nil { - t.Fatalf("unexpected error generating signer: %v", err) - } - // Expect public key matches - pubKey, err := signer.PublicKey() - if err != nil { - t.Fatalf("unexpected error fetching pubkey: %v", err) - } - if !privKey.Public().(*ecdsa.PublicKey).Equal(pubKey) { - t.Fatalf("public keys must be equal") - } - // Expect certificate matches - expectedPemBytes, err := cryptoutils.MarshalCertificateToPEM(cert) - if err != nil { - t.Fatalf("unexpected error marshalling certificate: %v", err) - } - if !reflect.DeepEqual(signer.Cert, expectedPemBytes) { - t.Fatalf("certificates must match") - } - // Expect certificate chain matches - expectedPemBytesChain, err := cryptoutils.MarshalCertificatesToPEM(chain) - if err != nil { - t.Fatalf("unexpected error marshalling certificate chain: %v", err) - } - if !reflect.DeepEqual(signer.Chain, expectedPemBytesChain) { - t.Fatalf("certificate chains must match") - } -} - -func Test_signerFromKeyRefFailure(t *testing.T) { - tmpDir := t.TempDir() - ctx := context.Background() - keyFile, certFile, _, _, _, _ := generateCertificateFiles(t, tmpDir, pass("foo")) - // Second set of files - tmpDir2 := t.TempDir() - _, certFile2, chainFile2, _, _, _ := generateCertificateFiles(t, tmpDir2, pass("bar")) - - // Public keys don't match - _, err := signerFromKeyRef(ctx, certFile2, chainFile2, keyFile, pass("foo"), nil) - if err == nil || err.Error() != "public key in certificate does not match the provided public key" { - t.Fatalf("expected mismatched keys error, got %v", err) - } - // Certificate chain cannot be verified - _, err = signerFromKeyRef(ctx, 
certFile, chainFile2, keyFile, pass("foo"), nil) - if err == nil || !strings.Contains(err.Error(), "unable to validate certificate chain") { - t.Fatalf("expected chain verification error, got %v", err) - } - // Certificate chain specified without certificate - _, err = signerFromKeyRef(ctx, "", chainFile2, keyFile, pass("foo"), nil) - if err == nil || !strings.Contains(err.Error(), "no leaf certificate found or provided while specifying chain") { - t.Fatalf("expected no leaf error, got %v", err) - } -} - -func Test_signerFromKeyRefFailureEmptyChainFile(t *testing.T) { - tmpDir := t.TempDir() - ctx := context.Background() - keyFile, certFile, _, _, _, _ := generateCertificateFiles(t, tmpDir, pass("foo")) - - tmpChainFile, err := os.CreateTemp(tmpDir, "cosign_chain_empty.crt") - if err != nil { - t.Fatalf("failed to create temp chain file: %v", err) - } - defer tmpChainFile.Close() - if _, err := tmpChainFile.Write([]byte{}); err != nil { - t.Fatalf("failed to write chain file: %v", err) - } - - _, err = signerFromKeyRef(ctx, certFile, tmpChainFile.Name(), keyFile, pass("foo"), nil) - if err == nil || err.Error() != "no certificates in certificate chain" { - t.Fatalf("expected empty chain error, got %v", err) - } -} - -func Test_ParseOCIReference(t *testing.T) { - var tests = []struct { - ref string - expectedWarning string - }{ - {"image:bytag", "WARNING: Image reference image:bytag uses a tag, not a digest"}, - {"image:bytag@sha256:abcdef", ""}, - {"image:@sha256:abcdef", ""}, - } - for _, tt := range tests { - stderr := ui.RunWithTestCtx(func(ctx context.Context, _ ui.WriteFunc) { - ParseOCIReference(ctx, tt.ref) - }) - if len(tt.expectedWarning) > 0 { - assert.Contains(t, stderr, tt.expectedWarning, stderr, "bad warning message") - } else { - assert.Empty(t, stderr, "expected no warning") - } - } -} diff --git a/cmd/cosign/cli/signcommon/common.go b/cmd/cosign/cli/signcommon/common.go new file mode 100644 index 00000000000..6b1690693b2 --- /dev/null 
+++ b/cmd/cosign/cli/signcommon/common.go 
@@ -0,0 +1,583 @@ +// Copyright 2025 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package signcommon + +import ( + "bytes" + "context" + "crypto" + "crypto/x509" + "encoding/json" + "encoding/pem" + "errors" + "fmt" + "os" + + "github.com/google/go-containerregistry/pkg/name" + "github.com/google/go-containerregistry/pkg/v1/remote" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/fulcio" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/fulcio/fulcioverifier" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign/privacy" + "github.com/sigstore/cosign/v3/internal/auth" + "github.com/sigstore/cosign/v3/internal/key" + "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa" + "github.com/sigstore/cosign/v3/internal/pkg/cosign/tsa/client" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/cosign" + cbundle "github.com/sigstore/cosign/v3/pkg/cosign/bundle" + "github.com/sigstore/cosign/v3/pkg/cosign/pivkey" + "github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key" + ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote" + sigs "github.com/sigstore/cosign/v3/pkg/signature" + "github.com/sigstore/cosign/v3/pkg/types" + rekorclient "github.com/sigstore/rekor/pkg/generated/client" + "github.com/sigstore/rekor/pkg/generated/models" + "github.com/sigstore/sigstore-go/pkg/root" + 
"github.com/sigstore/sigstore-go/pkg/sign" + "github.com/sigstore/sigstore/pkg/cryptoutils" + "github.com/sigstore/sigstore/pkg/signature" + "github.com/sigstore/sigstore/pkg/signature/dsse" + signatureoptions "github.com/sigstore/sigstore/pkg/signature/options" +) + +// SignerVerifier contains keys or certs to sign and verify. +type SignerVerifier struct { + Cert []byte + Chain []byte + signature.SignerVerifier + close func() +} + +// Close closes the key context if there is one. +func (c *SignerVerifier) Close() { + if c.close != nil { + c.close() + } +} + +// Bytes returns the raw bytes of the cert or key. +func (c *SignerVerifier) Bytes(ctx context.Context) ([]byte, error) { + if c.Cert != nil { + return c.Cert, nil + } + + pemBytes, err := sigs.PublicKeyPem(c, signatureoptions.WithContext(ctx)) + if err != nil { + return nil, err + } + return pemBytes, nil +} + +// GetKeypairAndToken creates a keypair object from provided key or cert flags or generates an ephemeral key. +// For an ephemeral key, it also uses the key to fetch an OIDC token, the pair of which are later used to get a Fulcio cert. 
+func GetKeypairAndToken(ctx context.Context, ko options.KeyOpts, cert, certChain string) (sign.Keypair, string, error) { + var keypair sign.Keypair + var ephemeralKeypair bool + var idToken string + var sv *SignerVerifier + var err error + + if ko.Sk || ko.Slot != "" || ko.KeyRef != "" || cert != "" { + sv, _, err = signerFromKeyOpts(ctx, cert, certChain, ko) + if err != nil { + return nil, "", fmt.Errorf("getting signer: %w", err) + } + keypair, err = key.NewSignerVerifierKeypair(sv, ko.DefaultLoadOptions) + if err != nil { + return nil, "", fmt.Errorf("creating signerverifier keypair: %w", err) + } + } else { + keypair, err = sign.NewEphemeralKeypair(nil) + if err != nil { + return nil, "", fmt.Errorf("generating keypair: %w", err) + } + ephemeralKeypair = true + } + defer func() { + if sv != nil { + sv.Close() + } + }() + + if ephemeralKeypair || ko.IssueCertificateForExistingKey { + idToken, err = auth.RetrieveIDToken(ctx, auth.IDTokenConfig{ + TokenOrPath: ko.IDToken, + DisableProviders: ko.OIDCDisableProviders, + Provider: ko.OIDCProvider, + AuthFlow: ko.FulcioAuthFlow, + SkipConfirm: ko.SkipConfirmation, + OIDCServices: ko.SigningConfig.OIDCProviderURLs(), + ClientID: ko.OIDCClientID, + ClientSecret: ko.OIDCClientSecret, + RedirectURL: ko.OIDCRedirectURL, + }) + if err != nil { + return nil, "", fmt.Errorf("retrieving ID token: %w", err) + } + } + + return keypair, idToken, nil +} + +func keylessSigner(ctx context.Context, ko options.KeyOpts, sv *SignerVerifier) (*SignerVerifier, error) { + var ( + k *fulcio.Signer + err error + ) + + if _, ok := sv.SignerVerifier.(*signature.ED25519phSignerVerifier); ok { + return nil, fmt.Errorf("ed25519ph unsupported by Fulcio") + } + + if ko.InsecureSkipFulcioVerify { + if k, err = fulcio.NewSigner(ctx, ko, sv); err != nil { + return nil, fmt.Errorf("getting key from Fulcio: %w", err) + } + } else { + if k, err = fulcioverifier.NewSigner(ctx, ko, sv); err != nil { + return nil, fmt.Errorf("getting key from Fulcio: %w", 
err) + } + } + + return &SignerVerifier{ + Cert: k.Cert, + Chain: k.Chain, + SignerVerifier: k, + }, nil +} + +// ShouldUploadToTlog determines whether the user wants to upload the entry to Rekor. +func ShouldUploadToTlog(ctx context.Context, ko options.KeyOpts, ref name.Reference, tlogUpload bool) (bool, error) { + upload := shouldUploadToTlog(ctx, ko, ref, tlogUpload) + var statementErr error + if upload { + privacy.StatementOnce.Do(func() { + ui.Infof(ctx, privacy.Statement) + ui.Infof(ctx, privacy.StatementConfirmation) + if !ko.SkipConfirmation { + if err := ui.ConfirmContinue(ctx); err != nil { + statementErr = err + } + } + }) + } + return upload, statementErr +} + +func shouldUploadToTlog(ctx context.Context, ko options.KeyOpts, ref name.Reference, tlogUpload bool) bool { + // return false if not uploading to the tlog has been requested + if !tlogUpload { + return false + } + + if ko.SkipConfirmation { + return true + } + + // We don't need to validate the ref, just return true + if ref == nil { + return true + } + + // Check if the image is public (no auth in Get) + if _, err := remote.Get(ref, remote.WithContext(ctx)); err != nil { + ui.Warnf(ctx, "%q appears to be a private repository, please confirm uploading to the transparency log at %q", ref.Context().String(), ko.RekorURL) + if ui.ConfirmContinue(ctx) != nil { + ui.Infof(ctx, "not uploading to transparency log") + return false + } + } + return true +} + +// GetSignerVerifier generates a SignerVerifier from provided key flags. 
+func GetSignerVerifier(ctx context.Context, cert, certChain string, ko options.KeyOpts) (*SignerVerifier, func(), error) { + sv, genKey, err := signerFromKeyOpts(ctx, cert, certChain, ko) + if err != nil { + return nil, nil, fmt.Errorf("getting signer from opts: %w", err) + } + if genKey || ko.IssueCertificateForExistingKey { + sv, err = keylessSigner(ctx, ko, sv) + if err != nil { + return nil, nil, fmt.Errorf("getting Fulcio signer: %w", err) + } + } + return sv, sv.Close, nil +} + +func signerFromKeyOpts(ctx context.Context, certPath string, certChainPath string, ko options.KeyOpts) (*SignerVerifier, bool, error) { + var sv *SignerVerifier + var err error + genKey := false + switch { + case ko.Sk: + sv, err = signerFromSecurityKey(ctx, ko.Slot) + case ko.KeyRef != "": + sv, err = signerFromKeyRef(ctx, certPath, certChainPath, ko.KeyRef, ko.PassFunc, ko.DefaultLoadOptions) + default: + genKey = true + ui.Infof(ctx, "Generating ephemeral keys...") + sv, err = signerFromNewKey() + } + if err != nil { + return nil, false, err + } + return sv, genKey, nil +} + +func signerFromSecurityKey(ctx context.Context, keySlot string) (*SignerVerifier, error) { + sk, err := pivkey.GetKeyWithSlot(keySlot) + if err != nil { + return nil, err + } + sv, err := sk.SignerVerifier() + if err != nil { + sk.Close() + return nil, err + } + + // Handle the -cert flag. + // With PIV, we assume the certificate is in the same slot on the PIV + // token as the private key. If it's not there, show a warning to the + // user. 
+ certFromPIV, err := sk.Certificate() + var pemBytes []byte + if err != nil { + ui.Warnf(ctx, "no x509 certificate retrieved from the PIV token") + } else { + pemBytes, err = cryptoutils.MarshalCertificateToPEM(certFromPIV) + if err != nil { + sk.Close() + return nil, err + } + } + + return &SignerVerifier{ + Cert: pemBytes, + SignerVerifier: sv, + close: sk.Close, + }, nil +} + +func signerFromKeyRef(ctx context.Context, certPath, certChainPath, keyRef string, passFunc cosign.PassFunc, defaultLoadOptions *[]signature.LoadOption) (*SignerVerifier, error) { + k, err := sigs.SignerVerifierFromKeyRef(ctx, keyRef, passFunc, defaultLoadOptions) + if err != nil { + return nil, fmt.Errorf("reading key: %w", err) + } + certSigner := &SignerVerifier{ + SignerVerifier: k, + } + + var leafCert *x509.Certificate + + // Attempt to extract certificate from PKCS11 token + // With PKCS11, we assume the certificate is in the same slot on the PKCS11 + // token as the private key. If it's not there, show a warning to the + // user. 
+ if pkcs11Key, ok := k.(*pkcs11key.Key); ok { + certFromPKCS11, _ := pkcs11Key.Certificate() + certSigner.close = pkcs11Key.Close + + if certFromPKCS11 == nil { + ui.Warnf(ctx, "no x509 certificate retrieved from the PKCS11 token") + } else { + pemBytes, err := cryptoutils.MarshalCertificateToPEM(certFromPKCS11) + if err != nil { + pkcs11Key.Close() + return nil, err + } + // Check that the provided public key and certificate key match + pubKey, err := k.PublicKey() + if err != nil { + pkcs11Key.Close() + return nil, err + } + if cryptoutils.EqualKeys(pubKey, certFromPKCS11.PublicKey) != nil { + pkcs11Key.Close() + return nil, errors.New("pkcs11 key and certificate do not match") + } + leafCert = certFromPKCS11 + certSigner.Cert = pemBytes + } + } + + // Handle --cert flag + if certPath != "" { + // Allow both DER and PEM encoding + certBytes, err := os.ReadFile(certPath) + if err != nil { + return nil, fmt.Errorf("read certificate: %w", err) + } + // Handle PEM + if bytes.HasPrefix(certBytes, []byte("-----")) { + decoded, _ := pem.Decode(certBytes) + if decoded.Type != "CERTIFICATE" { + return nil, fmt.Errorf("supplied PEM file is not a certificate: %s", certPath) + } + certBytes = decoded.Bytes + } + parsedCert, err := x509.ParseCertificate(certBytes) + if err != nil { + return nil, fmt.Errorf("parse x509 certificate: %w", err) + } + pk, err := k.PublicKey() + if err != nil { + return nil, fmt.Errorf("get public key: %w", err) + } + if cryptoutils.EqualKeys(pk, parsedCert.PublicKey) != nil { + return nil, errors.New("public key in certificate does not match the provided public key") + } + pemBytes, err := cryptoutils.MarshalCertificateToPEM(parsedCert) + if err != nil { + return nil, fmt.Errorf("marshaling certificate to PEM: %w", err) + } + if certSigner.Cert != nil { + ui.Warnf(ctx, "overriding x509 certificate retrieved from the PKCS11 token") + } + leafCert = parsedCert + certSigner.Cert = pemBytes + } + + if certChainPath == "" { + return certSigner, nil + 
} else if certSigner.Cert == nil { + return nil, errors.New("no leaf certificate found or provided while specifying chain") + } + + // Handle --cert-chain flag + // Accept only PEM encoded certificate chain + certChainBytes, err := os.ReadFile(certChainPath) + if err != nil { + return nil, fmt.Errorf("reading certificate chain from path: %w", err) + } + certChain, err := cryptoutils.LoadCertificatesFromPEM(bytes.NewReader(certChainBytes)) + if err != nil { + return nil, fmt.Errorf("loading certificate chain: %w", err) + } + if len(certChain) == 0 { + return nil, errors.New("no certificates in certificate chain") + } + // Verify certificate chain is valid + rootPool := x509.NewCertPool() + rootPool.AddCert(certChain[len(certChain)-1]) + subPool := x509.NewCertPool() + for _, c := range certChain[:len(certChain)-1] { + subPool.AddCert(c) + } + if _, err := cosign.TrustedCert(leafCert, rootPool, subPool); err != nil { + return nil, fmt.Errorf("unable to validate certificate chain: %w", err) + } + certSigner.Chain = certChainBytes + + return certSigner, nil +} + +func signerFromNewKey() (*SignerVerifier, error) { + privKey, err := cosign.GeneratePrivateKey() + if err != nil { + return nil, fmt.Errorf("generating cert: %w", err) + } + sv, err := signature.LoadECDSASignerVerifier(privKey, crypto.SHA256) + if err != nil { + return nil, err + } + + return &SignerVerifier{ + SignerVerifier: sv, + }, nil +} + +// GetRFC3161Timestamp fetches an RFC3161 timestamp as raw bytes and as a RFC3161Timestamp object. +// It either returns both objects to be assembled into a bundle by the calling function, +// or writes the formatted timestamp to the provided file path if not using the new bundle format. 
+func GetRFC3161Timestamp(payload []byte, ko options.KeyOpts) ([]byte, *cbundle.RFC3161Timestamp, error) { + if ko.TSAServerURL == "" { + return nil, nil, nil + } + if ko.RFC3161TimestampPath == "" && !ko.NewBundleFormat { + return nil, nil, fmt.Errorf("expected either new bundle or an rfc3161-timestamp path when using a TSA server") + } + tc := client.NewTSAClient(ko.TSAServerURL) + if ko.TSAClientCert != "" { + tc = client.NewTSAClientMTLS( + ko.TSAServerURL, + ko.TSAClientCACert, + ko.TSAClientCert, + ko.TSAClientKey, + ko.TSAServerName, + ) + } + timestampBytes, err := tsa.GetTimestampedSignature(payload, tc) + if err != nil { + return nil, nil, fmt.Errorf("getting timestamped signature: %w", err) + } + rfc3161Timestamp := cbundle.TimestampToRFC3161Timestamp(timestampBytes) + if rfc3161Timestamp == nil { + return nil, nil, fmt.Errorf("rfc3161 timestamp is nil") + } + if ko.NewBundleFormat || ko.RFC3161TimestampPath == "" { + return timestampBytes, rfc3161Timestamp, nil + } + ts, err := json.Marshal(rfc3161Timestamp) + if err != nil { + return nil, nil, fmt.Errorf("marshalling timestamp: %w", err) + } + if err := os.WriteFile(ko.RFC3161TimestampPath, ts, 0600); err != nil { + return nil, nil, fmt.Errorf("creating RFC3161 timestamp file: %w", err) + } + fmt.Fprintln(os.Stderr, "RFC3161 timestamp written to file ", ko.RFC3161TimestampPath) + return timestampBytes, rfc3161Timestamp, nil +} + +type tlogUploadFn func(*rekorclient.Rekor, []byte) (*models.LogEntryAnon, error) + +// UploadToTlog uploads an entry to rekor v1 and returns the response from rekor. 
+func UploadToTlog(ctx context.Context, ko options.KeyOpts, ref name.Reference, tlogUpload bool, rekorBytes []byte, upload tlogUploadFn) (*models.LogEntryAnon, error) { + shouldUpload, err := ShouldUploadToTlog(ctx, ko, ref, tlogUpload) + if err != nil { + return nil, fmt.Errorf("checking upload to tlog: %w", err) + } + if !shouldUpload { + return nil, nil + } + rekorClient, err := rekor.NewClient(ko.RekorURL) + if err != nil { + return nil, fmt.Errorf("creating rekor client: %w", err) + } + entry, err := upload(rekorClient, rekorBytes) + if err != nil { + return nil, fmt.Errorf("uploading to rekor: %w", err) + } + fmt.Fprintln(os.Stderr, "tlog entry created with index:", *entry.LogIndex) + return entry, nil +} + +// WriteBundle compiles a protobuf bundle from components and writes the bundle to the OCI remote layer. +func WriteBundle(sv *SignerVerifier, rekorEntry *models.LogEntryAnon, payload, signedPayload, signerBytes, timestampBytes []byte, digest name.Digest, predicateType string, ociremoteOpts ...ociremote.Option) error { + pubKey, err := sv.PublicKey() + if err != nil { + return err + } + bundleBytes, err := cbundle.MakeNewBundle(pubKey, rekorEntry, payload, signedPayload, signerBytes, timestampBytes) + if err != nil { + return err + } + return ociremote.WriteAttestationNewBundleFormat(digest, bundleBytes, predicateType, ociremoteOpts...) +} + +// WriteNewBundleWithSigningConfig uses signing config and trusted root to fetch responses from services for the bundle and writes the bundle to the OCI remote layer. 
+func WriteNewBundleWithSigningConfig(ctx context.Context, ko options.KeyOpts, cert, certChain string, payload []byte, digest name.Digest, predicateType, bundlePath string, signingConfig *root.SigningConfig, trustedMaterial root.TrustedMaterial, ociremoteOpts ...ociremote.Option) error { + keypair, idToken, err := GetKeypairAndToken(ctx, ko, cert, certChain) + if err != nil { + return fmt.Errorf("getting keypair and token: %w", err) + } + + content := &sign.DSSEData{ + Data: payload, + PayloadType: "application/vnd.in-toto+json", + } + bundle, err := cbundle.SignData(ctx, content, keypair, idToken, signingConfig, trustedMaterial) + if err != nil { + return fmt.Errorf("signing bundle: %w", err) + } + + if bundlePath != "" { + if err := os.WriteFile(bundlePath, bundle, 0600); err != nil { + return fmt.Errorf("creating bundle file: %w", err) + } + ui.Infof(ctx, "Wrote bundle to file %s", bundlePath) + return nil + } + return ociremote.WriteAttestationNewBundleFormat(digest, bundle, predicateType, ociremoteOpts...) +} + +type bundleComponents struct { + SV *SignerVerifier + SignedPayload []byte + TimestampBytes []byte + RFC3161Timestamp *cbundle.RFC3161Timestamp + SignerBytes []byte + RekorEntry *models.LogEntryAnon +} + +// GetBundleComponents fetches data needed to compose the bundle or disparate verification material for any signing command. 
+func GetBundleComponents(ctx context.Context, cert, certChain string, ko options.KeyOpts, noupload, tlogUpload bool, payload []byte, digest name.Reference, rekorEntryType string) (*bundleComponents, func(), error) { //nolint:revive + bc := &bundleComponents{} + var err error + var closeSV func() + bc.SV, closeSV, err = GetSignerVerifier(ctx, cert, certChain, ko) + if err != nil { + return nil, nil, fmt.Errorf("getting signer: %w", err) + } + wrapped := dsse.WrapSigner(bc.SV, types.IntotoPayloadType) + + bc.SignedPayload, err = wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx)) + if err != nil { + closeSV() + return nil, nil, fmt.Errorf("signing: %w", err) + } + if noupload { + return bc, closeSV, nil + } + // We need to decide what signature to send to the timestamp authority. + // + // Historically, cosign sent `signedPayload`, which is the entire JSON DSSE + // Envelope. However, when sigstore clients are verifying a bundle they + // will use the DSSE Sig field, so we choose what signature to send to + // the timestamp authority based on our output format. 
+ tsaPayload := bc.SignedPayload + if ko.NewBundleFormat { + tsaPayload, err = cosign.GetDSSESigBytes(bc.SignedPayload) + if err != nil { + closeSV() + return nil, nil, fmt.Errorf("getting DSSE signature: %w", err) + } + } + bc.TimestampBytes, bc.RFC3161Timestamp, err = GetRFC3161Timestamp(tsaPayload, ko) + if err != nil { + closeSV() + return nil, nil, fmt.Errorf("getting timestamp: %w", err) + } + bc.SignerBytes, err = bc.SV.Bytes(ctx) + if err != nil { + closeSV() + return nil, nil, fmt.Errorf("converting signer to bytes: %w", err) + } + bc.RekorEntry, err = UploadToTlog(ctx, ko, digest, tlogUpload, bc.SignerBytes, func(r *rekorclient.Rekor, b []byte) (*models.LogEntryAnon, error) { + if rekorEntryType == "intoto" { + return cosign.TLogUploadInTotoAttestation(ctx, r, bc.SignedPayload, b) + } + return cosign.TLogUploadDSSEEnvelope(ctx, r, bc.SignedPayload, b) + }) + if err != nil { + closeSV() + return nil, nil, fmt.Errorf("uploading to tlog: %w", err) + } + return bc, closeSV, nil +} + +// ParseOCIReference parses a string reference to an OCI image into a reference, warning if the reference did not include a digest. +func ParseOCIReference(ctx context.Context, refStr string, opts ...name.Option) (name.Reference, error) { + ref, err := name.ParseReference(refStr, opts...) + if err != nil { + return nil, fmt.Errorf("parsing reference: %w", err) + } + if _, ok := ref.(name.Digest); !ok { + ui.Warnf(ctx, ui.TagReferenceMessage, refStr) + } + return ref, nil +} diff --git a/cmd/cosign/cli/signcommon/common_test.go b/cmd/cosign/cli/signcommon/common_test.go new file mode 100644 index 00000000000..3c17baed0a0 --- /dev/null +++ b/cmd/cosign/cli/signcommon/common_test.go 
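Review bot: In signerFromKeyRef, the --cert PEM branch dereferences the result of `pem.Decode(certBytes)` without a nil check, so a file that begins with `-----` but holds no parseable PEM block panics instead of returning an error; after `decoded, _ := pem.Decode(certBytes)` add `if decoded == nil { return nil, fmt.Errorf("no PEM block found in certificate file: %s", certPath) }`. In the same function, once `certSigner.close` has been set from a PKCS11 key, every later error return (reading or parsing --cert, the key/certificate mismatch, and all of the --cert-chain failures) leaves the token session open, whereas the earlier errors inside the PKCS11 branch do call `pkcs11Key.Close()`; a single `defer` that calls `certSigner.Close()` when the function is returning a non-nil error would cover all paths uniformly. Separately, GetKeypairAndToken defers `sv.Close()` and then returns the keypair built from `sv`; if key.NewSignerVerifierKeypair retains a reference to the hardware-backed signer rather than copying key material, the caller receives a keypair whose underlying PIV/PKCS11 session has already been closed, which is worth confirming before this is relied on for signing.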
@@ -0,0 +1,205 @@ +// Copyright 2025 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package signcommon + +import ( + "context" + "crypto/ecdsa" + "crypto/x509" + "encoding/pem" + "os" + "reflect" + "strings" + "testing" + + "github.com/secure-systems-lab/go-securesystemslib/encrypted" + "github.com/sigstore/cosign/v3/internal/test" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/cosign" + "github.com/sigstore/sigstore/pkg/cryptoutils" + "github.com/stretchr/testify/assert" +) + +func pass(s string) cosign.PassFunc { + return func(_ bool) ([]byte, error) { + return []byte(s), nil + } +} + +func generateCertificateFiles(t *testing.T, tmpDir string, pf cosign.PassFunc) (privFile, certFile, chainFile string, privKey *ecdsa.PrivateKey, cert *x509.Certificate, chain []*x509.Certificate) { + t.Helper() + + rootCert, rootKey, _ := test.GenerateRootCa() + subCert, subKey, _ := test.GenerateSubordinateCa(rootCert, rootKey) + leafCert, privKey, _ := test.GenerateLeafCert("subject", "oidc-issuer", subCert, subKey) + pemRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert.Raw}) + pemSub := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: subCert.Raw}) + pemLeaf := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafCert.Raw}) + + x509Encoded, err := x509.MarshalPKCS8PrivateKey(privKey) + if err != nil { + t.Fatalf("failed to encode private key: %v", err) + } + password 
:= []byte{} + if pf != nil { + password, err = pf(true) + if err != nil { + t.Fatalf("failed to read password: %v", err) + } + } + + encBytes, err := encrypted.Encrypt(x509Encoded, password) + if err != nil { + t.Fatalf("failed to encrypt key: %v", err) + } + + // store in PEM format + privBytes := pem.EncodeToMemory(&pem.Block{ + Bytes: encBytes, + Type: cosign.CosignPrivateKeyPemType, + }) + + tmpPrivFile, err := os.CreateTemp(tmpDir, "cosign_test_*.key") + if err != nil { + t.Fatalf("failed to create temp key file: %v", err) + } + defer tmpPrivFile.Close() + if _, err := tmpPrivFile.Write(privBytes); err != nil { + t.Fatalf("failed to write key file: %v", err) + } + + tmpCertFile, err := os.CreateTemp(tmpDir, "cosign.crt") + if err != nil { + t.Fatalf("failed to create temp certificate file: %v", err) + } + defer tmpCertFile.Close() + if _, err := tmpCertFile.Write(pemLeaf); err != nil { + t.Fatalf("failed to write certificate file: %v", err) + } + + tmpChainFile, err := os.CreateTemp(tmpDir, "cosign_chain.crt") + if err != nil { + t.Fatalf("failed to create temp chain file: %v", err) + } + defer tmpChainFile.Close() + pemChain := pemSub + pemChain = append(pemChain, pemRoot...) 
+ if _, err := tmpChainFile.Write(pemChain); err != nil { + t.Fatalf("failed to write chain file: %v", err) + } + + return tmpPrivFile.Name(), tmpCertFile.Name(), tmpChainFile.Name(), privKey, leafCert, []*x509.Certificate{subCert, rootCert} +} + +func Test_signerFromKeyRefSuccess(t *testing.T) { + tmpDir := t.TempDir() + ctx := context.Background() + keyFile, certFile, chainFile, privKey, cert, chain := generateCertificateFiles(t, tmpDir, pass("foo")) + + signer, err := signerFromKeyRef(ctx, certFile, chainFile, keyFile, pass("foo"), nil) + if err != nil { + t.Fatalf("unexpected error generating signer: %v", err) + } + // Expect public key matches + pubKey, err := signer.PublicKey() + if err != nil { + t.Fatalf("unexpected error fetching pubkey: %v", err) + } + if !privKey.Public().(*ecdsa.PublicKey).Equal(pubKey) { + t.Fatalf("public keys must be equal") + } + // Expect certificate matches + expectedPemBytes, err := cryptoutils.MarshalCertificateToPEM(cert) + if err != nil { + t.Fatalf("unexpected error marshalling certificate: %v", err) + } + if !reflect.DeepEqual(signer.Cert, expectedPemBytes) { + t.Fatalf("certificates must match") + } + // Expect certificate chain matches + expectedPemBytesChain, err := cryptoutils.MarshalCertificatesToPEM(chain) + if err != nil { + t.Fatalf("unexpected error marshalling certificate chain: %v", err) + } + if !reflect.DeepEqual(signer.Chain, expectedPemBytesChain) { + t.Fatalf("certificate chains must match") + } +} + +func Test_signerFromKeyRefFailure(t *testing.T) { + tmpDir := t.TempDir() + ctx := context.Background() + keyFile, certFile, _, _, _, _ := generateCertificateFiles(t, tmpDir, pass("foo")) + // Second set of files + tmpDir2 := t.TempDir() + _, certFile2, chainFile2, _, _, _ := generateCertificateFiles(t, tmpDir2, pass("bar")) + + // Public keys don't match + _, err := signerFromKeyRef(ctx, certFile2, chainFile2, keyFile, pass("foo"), nil) + if err == nil || err.Error() != "public key in certificate does not match 
the provided public key" { + t.Fatalf("expected mismatched keys error, got %v", err) + } + // Certificate chain cannot be verified + _, err = signerFromKeyRef(ctx, certFile, chainFile2, keyFile, pass("foo"), nil) + if err == nil || !strings.Contains(err.Error(), "unable to validate certificate chain") { + t.Fatalf("expected chain verification error, got %v", err) + } + // Certificate chain specified without certificate + _, err = signerFromKeyRef(ctx, "", chainFile2, keyFile, pass("foo"), nil) + if err == nil || !strings.Contains(err.Error(), "no leaf certificate found or provided while specifying chain") { + t.Fatalf("expected no leaf error, got %v", err) + } +} + +func Test_signerFromKeyRefFailureEmptyChainFile(t *testing.T) { + tmpDir := t.TempDir() + ctx := context.Background() + keyFile, certFile, _, _, _, _ := generateCertificateFiles(t, tmpDir, pass("foo")) + + tmpChainFile, err := os.CreateTemp(tmpDir, "cosign_chain_empty.crt") + if err != nil { + t.Fatalf("failed to create temp chain file: %v", err) + } + defer tmpChainFile.Close() + if _, err := tmpChainFile.Write([]byte{}); err != nil { + t.Fatalf("failed to write chain file: %v", err) + } + + _, err = signerFromKeyRef(ctx, certFile, tmpChainFile.Name(), keyFile, pass("foo"), nil) + if err == nil || err.Error() != "no certificates in certificate chain" { + t.Fatalf("expected empty chain error, got %v", err) + } +} + +func Test_ParseOCIReference(t *testing.T) { + var tests = []struct { + ref string + expectedWarning string + }{ + {"image:bytag", "WARNING: Image reference image:bytag uses a tag, not a digest"}, + {"image:bytag@sha256:abcdef", ""}, + {"image:@sha256:abcdef", ""}, + } + for _, tt := range tests { + stderr := ui.RunWithTestCtx(func(ctx context.Context, _ ui.WriteFunc) { + ParseOCIReference(ctx, tt.ref) + }) + if len(tt.expectedWarning) > 0 { + assert.Contains(t, stderr, tt.expectedWarning, stderr, "bad warning message") + } else { + assert.Empty(t, stderr, "expected no warning") + } + } +} 
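Review bot: Test_ParseOCIReference discards the error returned by `ParseOCIReference(ctx, tt.ref)`, so a reference that fails to parse emits no warning and still satisfies the `assert.Empty` branch; check it inside the closure, e.g. `if _, err := ParseOCIReference(ctx, tt.ref); err != nil { t.Errorf("ParseOCIReference(%q): %v", tt.ref, err) }`. generateCertificateFiles likewise drops the errors from test.GenerateRootCa, test.GenerateSubordinateCa and test.GenerateLeafCert with `_`, which would surface later as confusing nil-certificate failures; a `t.Fatalf` on each keeps the failure at its origin. Test_signerFromKeyRefSuccess exercises only the PEM --cert path; the DER branch and a malformed PEM file (one that starts with `-----` but that pem.Decode rejects) have no coverage.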
diff --git a/cmd/cosign/cli/verify/common.go b/cmd/cosign/cli/verify/common.go new file mode 100644 index 00000000000..57cecfffc23 --- /dev/null +++ b/cmd/cosign/cli/verify/common.go 
@@ -0,0 +1,465 @@ +// Copyright 2025 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +package verify + +import ( + "bytes" + "context" + "crypto" + "crypto/x509" + "encoding/base64" + "encoding/json" + "errors" + "fmt" + "os" + "reflect" + + "github.com/sigstore/cosign/v3/cmd/cosign/cli/fulcio" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor" + "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/pkg/blob" + "github.com/sigstore/cosign/v3/pkg/cosign" + "github.com/sigstore/cosign/v3/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign/pivkey" + "github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key" + "github.com/sigstore/cosign/v3/pkg/oci" + csignature "github.com/sigstore/cosign/v3/pkg/signature" + "github.com/sigstore/sigstore-go/pkg/root" + "github.com/sigstore/sigstore/pkg/cryptoutils" + "github.com/sigstore/sigstore/pkg/signature" + "github.com/sigstore/sigstore/pkg/signature/payload" +) + +// CheckSigstoreBundleUnsupportedOptions checks for incompatible settings on any Verify* command struct when NewBundleFormat is used. 
+func CheckSigstoreBundleUnsupportedOptions(cmd any, co *cosign.CheckOpts) error { + if !co.NewBundleFormat { + return nil + } + fieldToErr := map[string]string{ + "CertRef": "certificate must be in bundle and may not be provided using --certificate", + "CertChain": "certificate chain must be in bundle and may not be provided using --certificate-chain", + "CARoots": "CA roots/intermediates must be provided using --trusted-root", + "CAIntermedias": "CA roots/intermediates must be provided using --trusted-root", + "TSACertChainPath": "TSA certificate chain path may only be provided using --trusted-root", + "RFC3161TimestampPath": "RFC3161 timestamp may not be provided using --rfc3161-timestamp", + "SigRef": "signature may not be provided using --signature", + "SCTRef": "SCT may not be provided using --sct", + } + v := reflect.ValueOf(cmd) + for f, e := range fieldToErr { + if field := v.FieldByName(f); field.IsValid() && field.String() != "" { + return fmt.Errorf("unsupported: %s when using --new-bundle-format", e) + } + } + if co.TrustedMaterial == nil { + return fmt.Errorf("trusted root is required when using new bundle format") + } + return nil +} + +// LoadVerifierFromKeyOrCert returns either a signature.Verifier or a certificate from the provided flags to use for verifying an artifact. +// In the case of certain types of keys, it returns a close function that must be called by the calling method. 
+func LoadVerifierFromKeyOrCert(ctx context.Context, keyRef, slot, certRef, certChain string, hashAlgorithm crypto.Hash, sk, withGetCert bool, co *cosign.CheckOpts) (signature.Verifier, *x509.Certificate, func(), error) { + var sigVerifier signature.Verifier + var err error + switch { + case keyRef != "": + sigVerifier, err = csignature.PublicKeyFromKeyRefWithHashAlgo(ctx, keyRef, hashAlgorithm) + if err != nil { + return nil, nil, nil, fmt.Errorf("loading public key: %w", err) + } + pkcs11Key, ok := sigVerifier.(*pkcs11key.Key) + closeSV := func() {} + if ok { + closeSV = pkcs11Key.Close + } + return sigVerifier, nil, closeSV, nil + case sk: + sk, err := pivkey.GetKeyWithSlot(slot) + if err != nil { + return nil, nil, nil, fmt.Errorf("opening piv token: %w", err) + } + sigVerifier, err = sk.Verifier() + if err != nil { + sk.Close() + return nil, nil, nil, fmt.Errorf("initializing piv token verifier: %w", err) + } + return sigVerifier, nil, sk.Close, nil + case certRef != "": + cert, err := loadCertFromFileOrURL(certRef) + if err != nil { + return nil, nil, nil, fmt.Errorf("loading cert: %w", err) + } + if withGetCert { + return nil, cert, func() {}, nil + } + if certChain == "" { + sigVerifier, err = cosign.ValidateAndUnpackCert(cert, co) + if err != nil { + return nil, nil, nil, fmt.Errorf("validating cert: %w", err) + } + return sigVerifier, nil, func() {}, nil + } + chain, err := loadCertChainFromFileOrURL(certChain) + if err != nil { + return nil, nil, nil, fmt.Errorf("loading cert chain: %w", err) + } + sigVerifier, err = cosign.ValidateAndUnpackCertWithChain(cert, chain, co) + if err != nil { + return nil, nil, nil, fmt.Errorf("validating cert with chain: %w", err) + } + return sigVerifier, nil, func() {}, nil + } + return nil, nil, func() {}, nil +} + +// SetLegacyClientsAndKeys sets up TSA and rekor clients and keys for TSA, rekor, and CT log. +// It may perform an online fetch of keys, so using trusted root instead of these TUF v1 methos is recommended. 
+// It takes a CheckOpts as input and modifies it. +func SetLegacyClientsAndKeys(ctx context.Context, ignoreTlog, shouldVerifySCT, keylessVerification bool, rekorURL, tsaCertChain, certChain, caRoots, caIntermediates string, co *cosign.CheckOpts) error { + var err error + if !ignoreTlog && !co.NewBundleFormat && rekorURL != "" { + co.RekorClient, err = rekor.NewClient(rekorURL) + if err != nil { + return fmt.Errorf("creating rekor client: %w", err) + } + } + // If trusted material is set, we don't need to fetch disparate keys. + if co.TrustedMaterial != nil { + return nil + } + if co.UseSignedTimestamps { + tsaCertificates, err := cosign.GetTSACerts(ctx, tsaCertChain, cosign.GetTufTargets) + if err != nil { + return fmt.Errorf("loading TSA certificates: %w", err) + } + co.TSACertificate = tsaCertificates.LeafCert + co.TSARootCertificates = tsaCertificates.RootCert + co.TSAIntermediateCertificates = tsaCertificates.IntermediateCerts + } + if !ignoreTlog { + co.RekorPubKeys, err = cosign.GetRekorPubs(ctx) + if err != nil { + return fmt.Errorf("getting rekor public keys: %w", err) + } + } + if shouldVerifySCT { + co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx) + if err != nil { + return fmt.Errorf("getting ctlog public keys: %w", err) + } + } + if keylessVerification { + if err := loadCertsKeylessVerification(certChain, caRoots, caIntermediates, co); err != nil { + return fmt.Errorf("loading certs for keyless verification: %w", err) + } + } + return nil +} + +// SetTrustedMaterial sets TrustedMaterial on CheckOpts, either from the provided trusted root path or from TUF. +// It does not set TrustedMaterial if the user provided trusted material via other flags or environment variables. 
+func SetTrustedMaterial(ctx context.Context, trustedRootPath, certChain, caRoots, caIntermediates, tsaCertChainPath string, co *cosign.CheckOpts) error { + var err error + if trustedRootPath != "" { + co.TrustedMaterial, err = root.NewTrustedRootFromPath(trustedRootPath) + if err != nil { + return fmt.Errorf("loading trusted root: %w", err) + } + return nil + } + if options.NOf(certChain, caRoots, caIntermediates, tsaCertChainPath) == 0 && + env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" && + env.Getenv(env.VariableSigstoreRootFile) == "" && + env.Getenv(env.VariableSigstoreRekorPublicKey) == "" && + env.Getenv(env.VariableSigstoreTSACertificateFile) == "" { + co.TrustedMaterial, err = cosign.TrustedRoot() + if err != nil { + ui.Warnf(ctx, "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err) + } + } + return nil +} + +// PrintVerificationHeader prints boilerplate information after successful verification. +func PrintVerificationHeader(ctx context.Context, imgRef string, co *cosign.CheckOpts, bundleVerified, fulcioVerified bool) { + ui.Infof(ctx, "\nVerification for %s --", imgRef) + ui.Infof(ctx, "The following checks were performed on each of these signatures:") + if co.ClaimVerifier != nil { + if co.Annotations != nil { + ui.Infof(ctx, " - The specified annotations were verified.") + } + ui.Infof(ctx, " - The cosign claims were validated") + } + if bundleVerified { + ui.Infof(ctx, " - Existence of the claims in the transparency log was verified offline") + } else if co.RekorClient != nil { + ui.Infof(ctx, " - The claims were present in the transparency log") + ui.Infof(ctx, " - The signatures were integrated into the transparency log when the certificate was valid") + } + if co.SigVerifier != nil { + ui.Infof(ctx, " - The signatures were verified against the specified public key") + } + if fulcioVerified { + ui.Infof(ctx, " - The code-signing certificate was verified using trusted 
certificate authority certificates") + } +} + +// PrintVerification logs details about the verification to stdout. +func PrintVerification(ctx context.Context, verified []oci.Signature, output string) { + switch output { + case "text": + for _, sig := range verified { + if cert, err := sig.Cert(); err == nil && cert != nil { + ce := cosign.CertExtensions{Cert: cert} + sub := "" + if sans := cryptoutils.GetSubjectAlternateNames(cert); len(sans) > 0 { + sub = sans[0] + } + ui.Infof(ctx, "Certificate subject: %s", sub) + if issuerURL := ce.GetIssuer(); issuerURL != "" { + ui.Infof(ctx, "Certificate issuer URL: %s", issuerURL) + } + + if githubWorkflowTrigger := ce.GetCertExtensionGithubWorkflowTrigger(); githubWorkflowTrigger != "" { + ui.Infof(ctx, "GitHub Workflow Trigger: %s", githubWorkflowTrigger) + } + + if githubWorkflowSha := ce.GetExtensionGithubWorkflowSha(); githubWorkflowSha != "" { + ui.Infof(ctx, "GitHub Workflow SHA: %s", githubWorkflowSha) + } + if githubWorkflowName := ce.GetCertExtensionGithubWorkflowName(); githubWorkflowName != "" { + ui.Infof(ctx, "GitHub Workflow Name: %s", githubWorkflowName) + } + + if githubWorkflowRepository := ce.GetCertExtensionGithubWorkflowRepository(); githubWorkflowRepository != "" { + ui.Infof(ctx, "GitHub Workflow Repository: %s", githubWorkflowRepository) + } + + if githubWorkflowRef := ce.GetCertExtensionGithubWorkflowRef(); githubWorkflowRef != "" { + ui.Infof(ctx, "GitHub Workflow Ref: %s", githubWorkflowRef) + } + } + + p, err := sig.Payload() + if err != nil { + fmt.Fprintf(os.Stderr, "Error fetching payload: %v", err) + return + } + fmt.Println(string(p)) + } + + default: + var outputKeys []payload.SimpleContainerImage + for _, sig := range verified { + p, err := sig.Payload() + if err != nil { + fmt.Fprintf(os.Stderr, "Error fetching payload: %v", err) + return + } + + ss := payload.SimpleContainerImage{} + if err := json.Unmarshal(p, &ss); err != nil { + fmt.Println("error decoding the payload:", err.Error()) 
+ return + } + + if cert, err := sig.Cert(); err == nil && cert != nil { + ce := cosign.CertExtensions{Cert: cert} + if ss.Optional == nil { + ss.Optional = make(map[string]interface{}) + } + sub := "" + if sans := cryptoutils.GetSubjectAlternateNames(cert); len(sans) > 0 { + sub = sans[0] + } + ss.Optional["Subject"] = sub + if issuerURL := ce.GetIssuer(); issuerURL != "" { + ss.Optional["Issuer"] = issuerURL + ss.Optional[cosign.CertExtensionOIDCIssuer] = issuerURL + } + if githubWorkflowTrigger := ce.GetCertExtensionGithubWorkflowTrigger(); githubWorkflowTrigger != "" { + ss.Optional[cosign.CertExtensionMap[cosign.CertExtensionGithubWorkflowTrigger]] = githubWorkflowTrigger + ss.Optional[cosign.CertExtensionGithubWorkflowTrigger] = githubWorkflowTrigger + } + + if githubWorkflowSha := ce.GetExtensionGithubWorkflowSha(); githubWorkflowSha != "" { + ss.Optional[cosign.CertExtensionMap[cosign.CertExtensionGithubWorkflowSha]] = githubWorkflowSha + ss.Optional[cosign.CertExtensionGithubWorkflowSha] = githubWorkflowSha + } + if githubWorkflowName := ce.GetCertExtensionGithubWorkflowName(); githubWorkflowName != "" { + ss.Optional[cosign.CertExtensionMap[cosign.CertExtensionGithubWorkflowName]] = githubWorkflowName + ss.Optional[cosign.CertExtensionGithubWorkflowName] = githubWorkflowName + } + + if githubWorkflowRepository := ce.GetCertExtensionGithubWorkflowRepository(); githubWorkflowRepository != "" { + ss.Optional[cosign.CertExtensionMap[cosign.CertExtensionGithubWorkflowRepository]] = githubWorkflowRepository + ss.Optional[cosign.CertExtensionGithubWorkflowRepository] = githubWorkflowRepository + } + + if githubWorkflowRef := ce.GetCertExtensionGithubWorkflowRef(); githubWorkflowRef != "" { + ss.Optional[cosign.CertExtensionMap[cosign.CertExtensionGithubWorkflowRef]] = githubWorkflowRef + ss.Optional[cosign.CertExtensionGithubWorkflowRef] = githubWorkflowRef + } + } + if bundle, err := sig.Bundle(); err == nil && bundle != nil { + if ss.Optional == nil { + 
ss.Optional = make(map[string]interface{}) + } + ss.Optional["Bundle"] = bundle + } + if rfc3161Timestamp, err := sig.RFC3161Timestamp(); err == nil && rfc3161Timestamp != nil { + if ss.Optional == nil { + ss.Optional = make(map[string]interface{}) + } + ss.Optional["RFC3161Timestamp"] = rfc3161Timestamp + } + + outputKeys = append(outputKeys, ss) + } + + b, err := json.Marshal(outputKeys) + if err != nil { + fmt.Println("error when generating the output:", err.Error()) + return + } + + fmt.Printf("\n%s\n", string(b)) + } +} + +func loadCertFromFileOrURL(path string) (*x509.Certificate, error) { + pems, err := blob.LoadFileOrURL(path) + if err != nil { + return nil, err + } + return loadCertFromPEM(pems) +} + +func loadCertFromPEM(pems []byte) (*x509.Certificate, error) { + var out []byte + out, err := base64.StdEncoding.DecodeString(string(pems)) + if err != nil { + // not a base64 + out = pems + } + + certs, err := cryptoutils.UnmarshalCertificatesFromPEM(out) + if err != nil { + return nil, err + } + if len(certs) == 0 { + return nil, errors.New("no certs found in pem file") + } + return certs[0], nil +} + +func loadCertChainFromFileOrURL(path string) ([]*x509.Certificate, error) { + pems, err := blob.LoadFileOrURL(path) + if err != nil { + return nil, err + } + certs, err := cryptoutils.LoadCertificatesFromPEM(bytes.NewReader(pems)) + if err != nil { + return nil, err + } + return certs, nil +} + +func keylessVerification(keyRef string, sk bool) bool { + if keyRef != "" { + return false + } + if sk { + return false + } + return true +} + +func shouldVerifySCT(ignoreSCT bool, keyRef string, sk bool) bool { + if keyRef != "" { + return false + } + if sk { + return false + } + if ignoreSCT { + return false + } + return true +} + +// loadCertsKeylessVerification loads certificates provided as a certificate chain or CA roots + CA intermediate +// certificate files. If both certChain and caRootsFile are empty strings, the Fulcio roots are loaded. 
+// +// The co *cosign.CheckOpts is both input and output parameter - it gets updated +// with the root and intermediate certificates needed for verification. +func loadCertsKeylessVerification(certChainFile string, + caRootsFile string, + caIntermediatesFile string, + co *cosign.CheckOpts) error { + var err error + switch { + case certChainFile != "": + chain, err := loadCertChainFromFileOrURL(certChainFile) + if err != nil { + return err + } + co.RootCerts = x509.NewCertPool() + co.RootCerts.AddCert(chain[len(chain)-1]) + if len(chain) > 1 { + co.IntermediateCerts = x509.NewCertPool() + for _, cert := range chain[:len(chain)-1] { + co.IntermediateCerts.AddCert(cert) + } + } + case caRootsFile != "": + caRoots, err := loadCertChainFromFileOrURL(caRootsFile) + if err != nil { + return err + } + co.RootCerts = x509.NewCertPool() + if len(caRoots) > 0 { + for _, cert := range caRoots { + co.RootCerts.AddCert(cert) + } + } + if caIntermediatesFile != "" { + caIntermediates, err := loadCertChainFromFileOrURL(caIntermediatesFile) + if err != nil { + return err + } + if len(caIntermediates) > 0 { + co.IntermediateCerts = x509.NewCertPool() + for _, cert := range caIntermediates { + co.IntermediateCerts.AddCert(cert) + } + } + } + default: + // This performs an online fetch of the Fulcio roots from a TUF repository. + // This is needed for verifying keyless certificates (both online and offline). + co.RootCerts, err = fulcio.GetRoots() + if err != nil { + return fmt.Errorf("getting Fulcio roots: %w", err) + } + co.IntermediateCerts, err = fulcio.GetIntermediates() + if err != nil { + return fmt.Errorf("getting Fulcio intermediates: %w", err) + } + } + + return nil +} diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go index 4cc76ea88b8..3607466dfc8 100644 --- a/cmd/cosign/cli/verify/verify.go +++ b/cmd/cosign/cli/verify/verify.go 
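Review bot: The key `"CAIntermedias"` in the fieldToErr map of CheckSigstoreBundleUnsupportedOptions is misspelled, so `v.FieldByName` never resolves `CAIntermediates` and a value passed via --ca-intermediates is no longer rejected under --new-bundle-format, which the pre-refactor check (`c.CARoots != "" || c.CAIntermediates != ""`, removed in the verify.go hunk) did catch; the entry should read `"CAIntermediates": "CA roots/intermediates must be provided using --trusted-root",`. Because the lookup is a runtime string match, a typo compiles silently, so a test that sets each rejected field on the command and expects an error is worth adding alongside the fix. Two smaller points in the same function: `field.String()` returns a non-empty placeholder for non-string kinds, so guarding with `field.Kind() == reflect.String` keeps a future non-string field from tripping the check, and ranging over the map makes the reported error non-deterministic when several fields are set. Later in the hunk, `loadCertsKeylessVerification` indexes `chain[len(chain)-1]` without an emptiness check; unless loadCertChainFromFileOrURL is guaranteed to return at least one certificate, an empty chain file would panic, so a `len(chain) == 0` check that returns an error would be safer.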
@@ -16,13 +16,9 @@ package verify import ( - "bytes" "context" "crypto" - "crypto/x509" - "encoding/base64" "encoding/json" - "errors" "flag" "fmt" "os" @@ -30,24 +26,14 @@ import ( "github.com/google/go-containerregistry/pkg/name" "github.com/in-toto/in-toto-golang/in_toto" - "github.com/sigstore/cosign/v3/cmd/cosign/cli/fulcio" "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor" "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign" cosignError "github.com/sigstore/cosign/v3/cmd/cosign/errors" - "github.com/sigstore/cosign/v3/internal/ui" - "github.com/sigstore/cosign/v3/pkg/blob" "github.com/sigstore/cosign/v3/pkg/cosign" - "github.com/sigstore/cosign/v3/pkg/cosign/env" - "github.com/sigstore/cosign/v3/pkg/cosign/pivkey" - "github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key" "github.com/sigstore/cosign/v3/pkg/oci" "github.com/sigstore/cosign/v3/pkg/oci/static" sigs "github.com/sigstore/cosign/v3/pkg/signature" "github.com/sigstore/protobuf-specs/gen/pb-go/dsse" - "github.com/sigstore/sigstore-go/pkg/root" - "github.com/sigstore/sigstore/pkg/cryptoutils" - "github.com/sigstore/sigstore/pkg/signature" "github.com/sigstore/sigstore/pkg/signature/payload" ) 
@@ -155,171 +141,40 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { } } - if c.TrustedRootPath != "" { - co.TrustedMaterial, err = root.NewTrustedRootFromPath(c.TrustedRootPath) - if err != nil { - return fmt.Errorf("loading trusted root: %w", err) - } - } else if options.NOf(c.CertChain, c.CARoots, c.CAIntermediates, c.TSACertChainPath) == 0 && - env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" && - env.Getenv(env.VariableSigstoreRootFile) == "" && - env.Getenv(env.VariableSigstoreRekorPublicKey) == "" && - env.Getenv(env.VariableSigstoreTSACertificateFile) == "" { - // don't overrule the user's intentions if they provided their own keys - co.TrustedMaterial, err = cosign.TrustedRoot() - if err != nil { - ui.Warnf(ctx, "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err) - } + err = SetTrustedMaterial(ctx, c.TrustedRootPath, c.CertChain, c.CARoots, c.CAIntermediates, c.TSACertChainPath, co) + if err != nil { + return fmt.Errorf("setting trusted material: %w", err) } - if co.NewBundleFormat { - if c.CertRef != "" { - return fmt.Errorf("unsupported: certificate may not be provided using --certificate when using --new-bundle-format (cert must be in bundle)") - } - if c.CertChain != "" { - return fmt.Errorf("unsupported: certificate chain may not be provided using --certificate-chain when using --new-bundle-format (cert must be in bundle)") - } - if c.CARoots != "" || c.CAIntermediates != "" { - return fmt.Errorf("unsupported: CA roots/intermediates must be provided using --trusted-root when using --new-bundle-format") - } - if c.TSACertChainPath != "" { - return fmt.Errorf("unsupported: TSA certificate chain path may only be provided using --trusted-root when using --new-bundle-format") - } - if co.TrustedMaterial == nil { - return fmt.Errorf("trusted root is required when using new bundle format") - } + if err = CheckSigstoreBundleUnsupportedOptions(*c, 
co); err != nil { + return err } if c.CheckClaims { co.ClaimVerifier = cosign.SimpleClaimVerifier } - // If we are using signed timestamps and there is no trusted root, we need to load the TSA certificates - if co.UseSignedTimestamps && co.TrustedMaterial == nil && !co.NewBundleFormat { - tsaCertificates, err := cosign.GetTSACerts(ctx, c.TSACertChainPath, cosign.GetTufTargets) - if err != nil { - return fmt.Errorf("unable to load TSA certificates: %w", err) - } - co.TSACertificate = tsaCertificates.LeafCert - co.TSARootCertificates = tsaCertificates.RootCert - co.TSAIntermediateCertificates = tsaCertificates.IntermediateCerts + err = SetLegacyClientsAndKeys(ctx, c.IgnoreTlog, shouldVerifySCT(c.IgnoreSCT, c.KeyRef, c.Sk), keylessVerification(c.KeyRef, c.Sk), c.RekorURL, c.TSACertChainPath, c.CertChain, c.CARoots, c.CAIntermediates, co) + if err != nil { + return fmt.Errorf("setting up clients and keys: %w", err) } - if !c.IgnoreTlog && !co.NewBundleFormat { - if c.RekorURL != "" { - rekorClient, err := rekor.NewClient(c.RekorURL) - if err != nil { - return fmt.Errorf("creating Rekor client: %w", err) - } - co.RekorClient = rekorClient - } - if co.TrustedMaterial == nil { - // This performs an online fetch of the Rekor public keys, but this is needed - // for verifying tlog entries (both online and offline). - co.RekorPubKeys, err = cosign.GetRekorPubs(ctx) - if err != nil { - return fmt.Errorf("getting Rekor public keys: %w", err) - } - } - } - if co.TrustedMaterial == nil && keylessVerification(c.KeyRef, c.Sk) { - if err := loadCertsKeylessVerification(c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil { - return err - } + // Keys are optional! 
+ var closeSV func() + co.SigVerifier, _, closeSV, err = LoadVerifierFromKeyOrCert(ctx, c.KeyRef, c.Slot, c.CertRef, c.CertChain, c.HashAlgorithm, c.Sk, false, co) + if err != nil { + return fmt.Errorf("loading verifier from key opts: %w", err) } + defer closeSV() - keyRef := c.KeyRef - certRef := c.CertRef - - // Ignore Signed Certificate Timestamp if the flag is set or a key is provided - if co.TrustedMaterial == nil && shouldVerifySCT(c.IgnoreSCT, c.KeyRef, c.Sk) { - co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx) + if c.CertRef != "" && c.SCTRef != "" { + sct, err := os.ReadFile(filepath.Clean(c.SCTRef)) if err != nil { - return fmt.Errorf("getting ctlog public keys: %w", err) + return fmt.Errorf("reading sct from file: %w", err) } + co.SCT = sct } - // Keys are optional! - var pubKey signature.Verifier - switch { - case keyRef != "": - pubKey, err = sigs.PublicKeyFromKeyRefWithHashAlgo(ctx, keyRef, c.HashAlgorithm) - if err != nil { - return fmt.Errorf("loading public key: %w", err) - } - pkcs11Key, ok := pubKey.(*pkcs11key.Key) - if ok { - defer pkcs11Key.Close() - } - case c.Sk: - sk, err := pivkey.GetKeyWithSlot(c.Slot) - if err != nil { - return fmt.Errorf("opening piv token: %w", err) - } - defer sk.Close() - pubKey, err = sk.Verifier() - if err != nil { - return fmt.Errorf("initializing piv token verifier: %w", err) - } - case certRef != "": - if co.NewBundleFormat { - // This shouldn't happen because we already checked for this above in checkSigstoreBundleUnsupportedOptions - return fmt.Errorf("unsupported: certificate reference currently not supported with --new-bundle-format") - } - cert, err := loadCertFromFileOrURL(c.CertRef) - if err != nil { - return err - } - switch { - case c.CertChain == "" && co.RootCerts == nil: - // If no certChain and no CARoots are passed, the Fulcio root certificate will be used - if co.TrustedMaterial == nil { - co.RootCerts, err = fulcio.GetRoots() - if err != nil { - return fmt.Errorf("getting Fulcio roots: %w", err) - 
} - co.IntermediateCerts, err = fulcio.GetIntermediates() - if err != nil { - return fmt.Errorf("getting Fulcio intermediates: %w", err) - } - } - pubKey, err = cosign.ValidateAndUnpackCert(cert, co) - if err != nil { - return err - } - case c.CertChain != "": - // Verify certificate with chain - chain, err := loadCertChainFromFileOrURL(c.CertChain) - if err != nil { - return err - } - pubKey, err = cosign.ValidateAndUnpackCertWithChain(cert, chain, co) - if err != nil { - return err - } - case co.RootCerts != nil: - // Verify certificate with root (and if given, intermediate) certificate - pubKey, err = cosign.ValidateAndUnpackCert(cert, co) - if err != nil { - return err - } - default: - return errors.New("no certificate chain provided to verify certificate") - } - - if c.SCTRef != "" { - sct, err := os.ReadFile(filepath.Clean(c.SCTRef)) - if err != nil { - return fmt.Errorf("reading sct from file: %w", err) - } - co.SCT = sct - } - default: - // Do nothing. Neither keyRef, c.Sk, nor certRef were set - can happen for example when using Fulcio and TSA. - // For an example see the TestAttachWithRFC3161Timestamp test in test/e2e_test.go. - } - co.SigVerifier = pubKey - // NB: There are only 2 kinds of verification right now: // 1. You gave us the public key explicitly to verify against so co.SigVerifier is non-nil or, // 2. We’re going to find an x509 certificate on the signature and verify against 
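Review bot: The SCT read at `if c.CertRef != "" && c.SCTRef != ""` silently drops a user-supplied --sct when --certificate is absent, so a caller who believed the detached SCT was being checked gets no signal that it was ignored; this matches the pre-refactor behaviour (the read lived inside the certRef case), but the rewrite is the moment to reject the combination with something like `if c.SCTRef != "" && c.CertRef == "" { return fmt.Errorf("--sct requires --certificate") }` or at least emit a warning. Separately, `fmt.Errorf("loading verifier from key opts: %w", err)` stacks on the context LoadVerifierFromKeyOrCert already adds (`loading public key: …`, `loading cert: …`), so the user sees doubled prefixes; one layer should own the message. Exec starts before and ends after this hunk.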
@@ -383,276 +238,6 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { return nil } -func PrintVerificationHeader(ctx context.Context, imgRef string, co *cosign.CheckOpts, bundleVerified, fulcioVerified bool) { - ui.Infof(ctx, "\nVerification for %s --", imgRef) - ui.Infof(ctx, "The following checks were performed on each of these signatures:") - if co.ClaimVerifier != nil { - if co.Annotations != nil { - ui.Infof(ctx, " - The specified annotations were verified.") - } - ui.Infof(ctx, " - The cosign claims were validated") - } - if bundleVerified { - ui.Infof(ctx, " - Existence of the claims in the transparency log was verified offline") - } else if co.RekorClient != nil { - ui.Infof(ctx, " - The claims were present in the transparency log") - ui.Infof(ctx, " - The signatures were integrated into the transparency log when the certificate was valid") - } - if co.SigVerifier != nil { - ui.Infof(ctx, " - The signatures were verified against the specified public key") - } - if fulcioVerified { - ui.Infof(ctx, " - The code-signing certificate was verified using trusted certificate authority certificates") - } -} - -// PrintVerification logs details about the verification to stdout -func PrintVerification(ctx context.Context, verified []oci.Signature, output string) { - switch output { - case "text": - for _, sig := range verified { - if cert, err := sig.Cert(); err == nil && cert != nil { - ce := cosign.CertExtensions{Cert: cert} - sub := "" - if sans := cryptoutils.GetSubjectAlternateNames(cert); len(sans) > 0 { - sub = sans[0] - } - ui.Infof(ctx, "Certificate subject: %s", sub) - if issuerURL := ce.GetIssuer(); issuerURL != "" { - ui.Infof(ctx, "Certificate issuer URL: %s", issuerURL) - } - - if githubWorkflowTrigger := ce.GetCertExtensionGithubWorkflowTrigger(); githubWorkflowTrigger != "" { - ui.Infof(ctx, "GitHub Workflow Trigger: %s", githubWorkflowTrigger) - } - - if githubWorkflowSha := ce.GetExtensionGithubWorkflowSha(); 
githubWorkflowSha != "" { - ui.Infof(ctx, "GitHub Workflow SHA: %s", githubWorkflowSha) - } - if githubWorkflowName := ce.GetCertExtensionGithubWorkflowName(); githubWorkflowName != "" { - ui.Infof(ctx, "GitHub Workflow Name: %s", githubWorkflowName) - } - - if githubWorkflowRepository := ce.GetCertExtensionGithubWorkflowRepository(); githubWorkflowRepository != "" { - ui.Infof(ctx, "GitHub Workflow Repository: %s", githubWorkflowRepository) - } - - if githubWorkflowRef := ce.GetCertExtensionGithubWorkflowRef(); githubWorkflowRef != "" { - ui.Infof(ctx, "GitHub Workflow Ref: %s", githubWorkflowRef) - } - } - - p, err := sig.Payload() - if err != nil { - fmt.Fprintf(os.Stderr, "Error fetching payload: %v", err) - return - } - fmt.Println(string(p)) - } - - default: - var outputKeys []payload.SimpleContainerImage - for _, sig := range verified { - p, err := sig.Payload() - if err != nil { - fmt.Fprintf(os.Stderr, "Error fetching payload: %v", err) - return - } - - ss := payload.SimpleContainerImage{} - if err := json.Unmarshal(p, &ss); err != nil { - fmt.Println("error decoding the payload:", err.Error()) - return - } - - if cert, err := sig.Cert(); err == nil && cert != nil { - ce := cosign.CertExtensions{Cert: cert} - if ss.Optional == nil { - ss.Optional = make(map[string]interface{}) - } - sub := "" - if sans := cryptoutils.GetSubjectAlternateNames(cert); len(sans) > 0 { - sub = sans[0] - } - ss.Optional["Subject"] = sub - if issuerURL := ce.GetIssuer(); issuerURL != "" { - ss.Optional["Issuer"] = issuerURL - ss.Optional[cosign.CertExtensionOIDCIssuer] = issuerURL - } - if githubWorkflowTrigger := ce.GetCertExtensionGithubWorkflowTrigger(); githubWorkflowTrigger != "" { - ss.Optional[cosign.CertExtensionMap[cosign.CertExtensionGithubWorkflowTrigger]] = githubWorkflowTrigger - ss.Optional[cosign.CertExtensionGithubWorkflowTrigger] = githubWorkflowTrigger - } - - if githubWorkflowSha := ce.GetExtensionGithubWorkflowSha(); githubWorkflowSha != "" { - 
ss.Optional[cosign.CertExtensionMap[cosign.CertExtensionGithubWorkflowSha]] = githubWorkflowSha - ss.Optional[cosign.CertExtensionGithubWorkflowSha] = githubWorkflowSha - } - if githubWorkflowName := ce.GetCertExtensionGithubWorkflowName(); githubWorkflowName != "" { - ss.Optional[cosign.CertExtensionMap[cosign.CertExtensionGithubWorkflowName]] = githubWorkflowName - ss.Optional[cosign.CertExtensionGithubWorkflowName] = githubWorkflowName - } - - if githubWorkflowRepository := ce.GetCertExtensionGithubWorkflowRepository(); githubWorkflowRepository != "" { - ss.Optional[cosign.CertExtensionMap[cosign.CertExtensionGithubWorkflowRepository]] = githubWorkflowRepository - ss.Optional[cosign.CertExtensionGithubWorkflowRepository] = githubWorkflowRepository - } - - if githubWorkflowRef := ce.GetCertExtensionGithubWorkflowRef(); githubWorkflowRef != "" { - ss.Optional[cosign.CertExtensionMap[cosign.CertExtensionGithubWorkflowRef]] = githubWorkflowRef - ss.Optional[cosign.CertExtensionGithubWorkflowRef] = githubWorkflowRef - } - } - if bundle, err := sig.Bundle(); err == nil && bundle != nil { - if ss.Optional == nil { - ss.Optional = make(map[string]interface{}) - } - ss.Optional["Bundle"] = bundle - } - if rfc3161Timestamp, err := sig.RFC3161Timestamp(); err == nil && rfc3161Timestamp != nil { - if ss.Optional == nil { - ss.Optional = make(map[string]interface{}) - } - ss.Optional["RFC3161Timestamp"] = rfc3161Timestamp - } - - outputKeys = append(outputKeys, ss) - } - - b, err := json.Marshal(outputKeys) - if err != nil { - fmt.Println("error when generating the output:", err.Error()) - return - } - - fmt.Printf("\n%s\n", string(b)) - } -} - -func loadCertFromFileOrURL(path string) (*x509.Certificate, error) { - pems, err := blob.LoadFileOrURL(path) - if err != nil { - return nil, err - } - return loadCertFromPEM(pems) -} - -func loadCertFromPEM(pems []byte) (*x509.Certificate, error) { - var out []byte - out, err := base64.StdEncoding.DecodeString(string(pems)) - if err 
!= nil { - // not a base64 - out = pems - } - - certs, err := cryptoutils.UnmarshalCertificatesFromPEM(out) - if err != nil { - return nil, err - } - if len(certs) == 0 { - return nil, errors.New("no certs found in pem file") - } - return certs[0], nil -} - -func loadCertChainFromFileOrURL(path string) ([]*x509.Certificate, error) { - pems, err := blob.LoadFileOrURL(path) - if err != nil { - return nil, err - } - certs, err := cryptoutils.LoadCertificatesFromPEM(bytes.NewReader(pems)) - if err != nil { - return nil, err - } - return certs, nil -} - -func keylessVerification(keyRef string, sk bool) bool { - if keyRef != "" { - return false - } - if sk { - return false - } - return true -} - -func shouldVerifySCT(ignoreSCT bool, keyRef string, sk bool) bool { - if keyRef != "" { - return false - } - if sk { - return false - } - if ignoreSCT { - return false - } - return true -} - -// loadCertsKeylessVerification loads certificates provided as a certificate chain or CA roots + CA intermediate -// certificate files. If both certChain and caRootsFile are empty strings, the Fulcio roots are loaded. -// -// The co *cosign.CheckOpts is both input and output parameter - it gets updated -// with the root and intermediate certificates needed for verification. 
-func loadCertsKeylessVerification(certChainFile string, - caRootsFile string, - caIntermediatesFile string, - co *cosign.CheckOpts) error { - var err error - switch { - case certChainFile != "": - chain, err := loadCertChainFromFileOrURL(certChainFile) - if err != nil { - return err - } - co.RootCerts = x509.NewCertPool() - co.RootCerts.AddCert(chain[len(chain)-1]) - if len(chain) > 1 { - co.IntermediateCerts = x509.NewCertPool() - for _, cert := range chain[:len(chain)-1] { - co.IntermediateCerts.AddCert(cert) - } - } - case caRootsFile != "": - caRoots, err := loadCertChainFromFileOrURL(caRootsFile) - if err != nil { - return err - } - co.RootCerts = x509.NewCertPool() - if len(caRoots) > 0 { - for _, cert := range caRoots { - co.RootCerts.AddCert(cert) - } - } - if caIntermediatesFile != "" { - caIntermediates, err := loadCertChainFromFileOrURL(caIntermediatesFile) - if err != nil { - return err - } - if len(caIntermediates) > 0 { - co.IntermediateCerts = x509.NewCertPool() - for _, cert := range caIntermediates { - co.IntermediateCerts.AddCert(cert) - } - } - } - default: - // This performs an online fetch of the Fulcio roots from a TUF repository. - // This is needed for verifying keyless certificates (both online and offline). - co.RootCerts, err = fulcio.GetRoots() - if err != nil { - return fmt.Errorf("getting Fulcio roots: %w", err) - } - co.IntermediateCerts, err = fulcio.GetIntermediates() - if err != nil { - return fmt.Errorf("getting Fulcio intermediates: %w", err) - } - } - - return nil -} - func transformOutput(verified []oci.Signature, name string) (verifiedOutput []oci.Signature, err error) { for _, v := range verified { dssePayload, err := v.Payload() diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go index cbcb19e4ef2..f1d3719eeeb 100644 --- a/cmd/cosign/cli/verify/verify_attestation.go +++ b/cmd/cosign/cli/verify/verify_attestation.go 
@@ -26,20 +26,13 @@ import (
 	"strings"
 
 	"github.com/google/go-containerregistry/pkg/name"
-	"github.com/sigstore/cosign/v3/cmd/cosign/cli/fulcio"
 	"github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
-	"github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor"
 	"github.com/sigstore/cosign/v3/internal/ui"
 	"github.com/sigstore/cosign/v3/pkg/cosign"
 	"github.com/sigstore/cosign/v3/pkg/cosign/cue"
-	"github.com/sigstore/cosign/v3/pkg/cosign/env"
-	"github.com/sigstore/cosign/v3/pkg/cosign/pivkey"
-	"github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key"
 	"github.com/sigstore/cosign/v3/pkg/cosign/rego"
 	"github.com/sigstore/cosign/v3/pkg/oci"
 	"github.com/sigstore/cosign/v3/pkg/policy"
-	sigs "github.com/sigstore/cosign/v3/pkg/signature"
-	"github.com/sigstore/sigstore-go/pkg/root"
 )
 
 // VerifyAttestationCommand verifies a signature on a supplied container image
@@ -137,151 +130,34 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier } - if c.TrustedRootPath != "" { - co.TrustedMaterial, err = root.NewTrustedRootFromPath(c.TrustedRootPath) - if err != nil { - return fmt.Errorf("loading trusted root: %w", err) - } - } else if options.NOf(c.CertChain, c.CARoots, c.CAIntermediates, c.TSACertChainPath) == 0 && - env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" && - env.Getenv(env.VariableSigstoreRootFile) == "" && - env.Getenv(env.VariableSigstoreRekorPublicKey) == "" && - env.Getenv(env.VariableSigstoreTSACertificateFile) == "" { - co.TrustedMaterial, err = cosign.TrustedRoot() - if err != nil { - ui.Warnf(ctx, "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err) - } - } - - if co.NewBundleFormat { - if err = checkSigstoreBundleUnsupportedOptions(c); err != nil { - return err - } - if co.TrustedMaterial == nil { - return fmt.Errorf("trusted root is required when using new bundle format") - } - } - - // Ignore Signed Certificate Timestamp if the flag is set or a key is provided - if co.TrustedMaterial == nil && shouldVerifySCT(c.IgnoreSCT, c.KeyRef, c.Sk) && !co.NewBundleFormat { - co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx) - if err != nil { - return fmt.Errorf("getting ctlog public keys: %w", err) - } + err = SetTrustedMaterial(ctx, c.TrustedRootPath, c.CertChain, c.CARoots, c.CAIntermediates, c.TSACertChainPath, co) + if err != nil { + return fmt.Errorf("setting trusted material: %w", err) } - // If we are using signed timestamps, we need to load the TSA certificates - if co.UseSignedTimestamps && co.TrustedMaterial == nil && !co.NewBundleFormat { - tsaCertificates, err := cosign.GetTSACerts(ctx, c.TSACertChainPath, cosign.GetTufTargets) - if err != nil { - return fmt.Errorf("unable to load TSA certificates: %w", err) - } - co.TSACertificate = 
tsaCertificates.LeafCert - co.TSARootCertificates = tsaCertificates.RootCert - co.TSAIntermediateCertificates = tsaCertificates.IntermediateCerts + if err = CheckSigstoreBundleUnsupportedOptions(*c, co); err != nil { + return err } - if !c.IgnoreTlog && !co.NewBundleFormat { - if c.RekorURL != "" { - rekorClient, err := rekor.NewClient(c.RekorURL) - if err != nil { - return fmt.Errorf("creating Rekor client: %w", err) - } - co.RekorClient = rekorClient - } - if co.TrustedMaterial == nil { - // This performs an online fetch of the Rekor public keys, but this is needed - // for verifying tlog entries (both online and offline). - co.RekorPubKeys, err = cosign.GetRekorPubs(ctx) - if err != nil { - return fmt.Errorf("getting Rekor public keys: %w", err) - } - } + err = SetLegacyClientsAndKeys(ctx, c.IgnoreTlog, shouldVerifySCT(c.IgnoreSCT, c.KeyRef, c.Sk), keylessVerification(c.KeyRef, c.Sk), c.RekorURL, c.TSACertChainPath, c.CertChain, c.CARoots, c.CAIntermediates, co) + if err != nil { + return fmt.Errorf("setting up clients and keys: %w", err) } - if co.TrustedMaterial == nil && keylessVerification(c.KeyRef, c.Sk) { - if err := loadCertsKeylessVerification(c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil { - return err - } + // Keys are optional! + var closeSV func() + co.SigVerifier, _, closeSV, err = LoadVerifierFromKeyOrCert(ctx, c.KeyRef, c.Slot, c.CertRef, c.CertChain, c.HashAlgorithm, c.Sk, false, co) + if err != nil { + return fmt.Errorf("loading verifierfrom key opts: %w", err) } + defer closeSV() - keyRef := c.KeyRef - - // Keys are optional! 
- switch { - case keyRef != "": - co.SigVerifier, err = sigs.PublicKeyFromKeyRefWithHashAlgo(ctx, keyRef, c.HashAlgorithm) + if c.CertRef != "" && c.SCTRef != "" { + sct, err := os.ReadFile(filepath.Clean(c.SCTRef)) if err != nil { - return fmt.Errorf("loading public key: %w", err) - } - pkcs11Key, ok := co.SigVerifier.(*pkcs11key.Key) - if ok { - defer pkcs11Key.Close() + return fmt.Errorf("reading sct from file: %w", err) } - case c.Sk: - sk, err := pivkey.GetKeyWithSlot(c.Slot) - if err != nil { - return fmt.Errorf("opening piv token: %w", err) - } - defer sk.Close() - co.SigVerifier, err = sk.Verifier() - if err != nil { - return fmt.Errorf("initializing piv token verifier: %w", err) - } - case c.CertRef != "": - if co.NewBundleFormat { - // This shouldn't happen because we already checked for this above in checkSigstoreBundleUnsupportedOptions - return fmt.Errorf("unsupported: certificate reference currently not supported with --new-bundle-format") - } - cert, err := loadCertFromFileOrURL(c.CertRef) - if err != nil { - return fmt.Errorf("loading certificate from reference: %w", err) - } - if c.CertChain == "" { - // If no certChain is passed, the Fulcio root certificate will be used - if co.TrustedMaterial == nil { - co.RootCerts, err = fulcio.GetRoots() - if err != nil { - return fmt.Errorf("getting Fulcio roots: %w", err) - } - co.IntermediateCerts, err = fulcio.GetIntermediates() - if err != nil { - return fmt.Errorf("getting Fulcio intermediates: %w", err) - } - } - co.SigVerifier, err = cosign.ValidateAndUnpackCert(cert, co) - if err != nil { - return fmt.Errorf("creating certificate verifier: %w", err) - } - } else { - // Verify certificate with chain - chain, err := loadCertChainFromFileOrURL(c.CertChain) - if err != nil { - return err - } - co.SigVerifier, err = cosign.ValidateAndUnpackCertWithChain(cert, chain, co) - if err != nil { - return fmt.Errorf("creating certificate verifier: %w", err) - } - } - if c.SCTRef != "" { - sct, err := 
os.ReadFile(filepath.Clean(c.SCTRef)) - if err != nil { - return fmt.Errorf("reading sct from file: %w", err) - } - co.SCT = sct - } - case c.TrustedRootPath != "": - if !co.NewBundleFormat { - return fmt.Errorf("unsupported: trusted root path currently only supported with --new-bundle-format") - } - - // If a trusted root path is provided, we will use it to verify the bundle. - // Otherwise, the verifier will default to the public good instance. - // co.TrustedMaterial is already loaded from c.TrustedRootPath above, - case c.CARoots != "": - // CA roots + possible intermediates are already loaded into co.RootCerts with the call to - // loadCertsKeylessVerification above. + co.SCT = sct } // NB: There are only 2 kinds of verification right now: @@ -383,19 +259,3 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e return nil } - -func checkSigstoreBundleUnsupportedOptions(c *VerifyAttestationCommand) error { - if c.CertRef != "" { - return fmt.Errorf("unsupported: certificate may not be provided using --certificate when using --new-bundle-format (cert must be in bundle)") - } - if c.CertChain != "" { - return fmt.Errorf("unsupported: certificate chain may not be provided using --certificate-chain when using --new-bundle-format (cert must be in bundle)") - } - if c.CARoots != "" || c.CAIntermediates != "" { - return fmt.Errorf("unsupported: CA roots/intermediates must be provided using --trusted-root when using --new-bundle-format") - } - if c.TSACertChainPath != "" { - return fmt.Errorf("unsupported: TSA certificate chain path may only be provided using --trusted-root when using --new-bundle-format") - } - return nil -} diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go index dd06cfc5c33..bfe73b965f0 100644 --- a/cmd/cosign/cli/verify/verify_blob.go +++ b/cmd/cosign/cli/verify/verify_blob.go 
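Review bot: The wrap message on the new LoadVerifierFromKeyOrCert error path reads `loading verifierfrom key opts` (missing space) and differs from the `loading verifier from key opts` wording used for the same call in verify_blob.go and verify_blob_attestation.go; change it to `return fmt.Errorf("loading verifier from key opts: %w", err)`. `defer closeSV()` runs unconditionally whenever err is nil, so the helper has to return a non-nil no-op func on every success path — its body is not in this diff, so please confirm, or guard with `if closeSV != nil { defer closeSV() }`. SetLegacyClientsAndKeys and LoadVerifierFromKeyOrCert are called with ten and nine positional arguments, several of them bare bools and look-alike strings (CertChain, CARoots, CAIntermediates), so a transposed argument compiles silently; the same call shape appears in the verify_blob.go and verify_blob_attestation.go hunks, and an options struct or a short comment per argument at the call site would make these self-checking. The removed inline code fetched CT log keys only when `!co.NewBundleFormat`, a condition no longer visible at the call site, so I assume SetLegacyClientsAndKeys reads co.NewBundleFormat itself — worth confirming. Exec starts and ends outside this hunk.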
@@ -32,18 +32,13 @@ import ( "strings" "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor" "github.com/sigstore/cosign/v3/internal/ui" "github.com/sigstore/cosign/v3/pkg/blob" "github.com/sigstore/cosign/v3/pkg/cosign" "github.com/sigstore/cosign/v3/pkg/cosign/bundle" - "github.com/sigstore/cosign/v3/pkg/cosign/env" - "github.com/sigstore/cosign/v3/pkg/cosign/pivkey" - "github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key" "github.com/sigstore/cosign/v3/pkg/oci/static" sigs "github.com/sigstore/cosign/v3/pkg/signature" sgbundle "github.com/sigstore/sigstore-go/pkg/bundle" - "github.com/sigstore/sigstore-go/pkg/root" sgverify "github.com/sigstore/sigstore-go/pkg/verify" "github.com/sigstore/sigstore/pkg/cryptoutils" 
@@ -118,60 +113,24 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error { } // Keys are optional! + var closeSV func() var cert *x509.Certificate - opts := make([]static.Option, 0) - switch { - case c.KeyRef != "": - co.SigVerifier, err = sigs.PublicKeyFromKeyRefWithHashAlgo(ctx, c.KeyRef, c.HashAlgorithm) - if err != nil { - return fmt.Errorf("loading public key: %w", err) - } - pkcs11Key, ok := co.SigVerifier.(*pkcs11key.Key) - if ok { - defer pkcs11Key.Close() - } - case c.Sk: - sk, err := pivkey.GetKeyWithSlot(c.Slot) - if err != nil { - return fmt.Errorf("opening piv token: %w", err) - } - defer sk.Close() - co.SigVerifier, err = sk.Verifier() - if err != nil { - return fmt.Errorf("loading public key from token: %w", err) - } - case c.CertRef != "": - cert, err = loadCertFromFileOrURL(c.CertRef) - if err != nil { - return err - } + co.SigVerifier, cert, closeSV, err = LoadVerifierFromKeyOrCert(ctx, c.KeyRef, c.Slot, c.CertRef, "", c.HashAlgorithm, c.Sk, true, co) + if err != nil { + return fmt.Errorf("loading verifier from key opts: %w", err) } + defer closeSV() - if c.TrustedRootPath != "" { - co.TrustedMaterial, err = root.NewTrustedRootFromPath(c.TrustedRootPath) - if err != nil { - return fmt.Errorf("loading trusted root: %w", err) - } - } else if options.NOf(c.CertChain, c.CARoots, c.CAIntermediates, c.TSACertChainPath) == 0 && - env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" && - env.Getenv(env.VariableSigstoreRootFile) == "" && - env.Getenv(env.VariableSigstoreRekorPublicKey) == "" && - env.Getenv(env.VariableSigstoreTSACertificateFile) == "" { - co.TrustedMaterial, err = cosign.TrustedRoot() - if err != nil { - ui.Warnf(ctx, "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. 
Error from TUF: %v", err) - } + err = SetTrustedMaterial(ctx, c.TrustedRootPath, c.CertChain, c.CARoots, c.CAIntermediates, c.TSACertChainPath, co) + if err != nil { + return fmt.Errorf("setting trusted material: %w", err) } - if co.NewBundleFormat { - if options.NOf(c.RFC3161TimestampPath, c.TSACertChainPath, c.CertChain, c.CARoots, c.CAIntermediates, c.CertRef, c.SigRef, c.SCTRef) > 0 { - return fmt.Errorf("when using --new-bundle-format, please supply signed content with --bundle and verification content with --trusted-root") - } - - if co.TrustedMaterial == nil { - return fmt.Errorf("trusted root is required when using new bundle format") - } + if err = CheckSigstoreBundleUnsupportedOptions(*c, co); err != nil { + return err + } + if co.NewBundleFormat { bundle, err := sgbundle.LoadJSONFromPath(c.BundlePath) if err != nil { return err 
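Review bot: The removed inline check for co.NewBundleFormat rejected c.RFC3161TimestampPath, c.SigRef and c.SCTRef in addition to the cert/chain/CA/TSA options and failed when co.TrustedMaterial was nil; the replacement CheckSigstoreBundleUnsupportedOptions(*c, co) is defined outside this diff and is shared with verify_attestation.go, whose old check was narrower, so please confirm it still rejects the blob-specific options and still enforces the trusted-root requirement, as both are what keep unverified side inputs out of the new-bundle path. `*c` passes the whole VerifyBlobCmd by value (also in the verify_attestation.go and verify_blob_attestation.go hunks); if the helper accepts the pointer, `CheckSigstoreBundleUnsupportedOptions(c, co)` avoids the copy. The eighth argument to LoadVerifierFromKeyOrCert is `true` here and `false` in verify_attestation.go, where the old code additionally validated the cert against its chain while this file only loaded it, so a one-line comment at each call site naming what that boolean selects would help readers. Exec starts and ends outside this hunk.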
@@ -211,39 +170,13 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error { } else if c.RFC3161TimestampPath == "" && co.UseSignedTimestamps { return fmt.Errorf("when specifying --use-signed-timestamps or --timestamp-certificate-chain, you must also specify --rfc3161-timestamp-path") } - if co.UseSignedTimestamps && co.TrustedMaterial == nil { - tsaCertificates, err := cosign.GetTSACerts(ctx, c.TSACertChainPath, cosign.GetTufTargets) - if err != nil { - return fmt.Errorf("unable to load TSA certificates: %w", err) - } - co.TSACertificate = tsaCertificates.LeafCert - co.TSARootCertificates = tsaCertificates.RootCert - co.TSAIntermediateCertificates = tsaCertificates.IntermediateCerts - } - if !c.IgnoreTlog { - if c.RekorURL != "" { - rekorClient, err := rekor.NewClient(c.RekorURL) - if err != nil { - return fmt.Errorf("creating Rekor client: %w", err) - } - co.RekorClient = rekorClient - } - if co.TrustedMaterial == nil { - // This performs an online fetch of the Rekor public keys, but this is needed - // for verifying tlog entries (both online and offline). - co.RekorPubKeys, err = cosign.GetRekorPubs(ctx) - if err != nil { - return fmt.Errorf("getting Rekor public keys: %w", err) - } - } + err = SetLegacyClientsAndKeys(ctx, c.IgnoreTlog, shouldVerifySCT(c.IgnoreSCT, c.KeyRef, c.Sk), keylessVerification(c.KeyRef, c.Sk), c.RekorURL, c.TSACertChainPath, c.CertChain, c.CARoots, c.CAIntermediates, co) + if err != nil { + return fmt.Errorf("setting up clients and keys: %w", err) } - if co.TrustedMaterial == nil && keylessVerification(c.KeyRef, c.Sk) { - if err := loadCertsKeylessVerification(c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil { - return err - } - } + opts := make([]static.Option, 0) if c.BundlePath != "" { b, err := cosign.FetchLocalSignedPayloadFromPath(c.BundlePath) if err != nil { 
@@ -336,14 +269,6 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error { opts = append(opts, static.WithCertChain(certPEM, chainPEM)) } - // Ignore Signed Certificate Timestamp if the flag is set or a key is provided - if co.TrustedMaterial == nil && shouldVerifySCT(c.IgnoreSCT, c.KeyRef, c.Sk) { - co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx) - if err != nil { - return fmt.Errorf("getting ctlog public keys: %w", err) - } - } - sig, err := base64signature(c.SigRef, c.BundlePath) if err != nil { return err diff --git a/cmd/cosign/cli/verify/verify_blob_attestation.go b/cmd/cosign/cli/verify/verify_blob_attestation.go index 84a8aa47eb2..8ca38177baf 100644 --- a/cmd/cosign/cli/verify/verify_blob_attestation.go +++ b/cmd/cosign/cli/verify/verify_blob_attestation.go @@ -30,21 +30,16 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor" internal "github.com/sigstore/cosign/v3/internal/pkg/cosign" payloadsize "github.com/sigstore/cosign/v3/internal/pkg/cosign/payload/size" "github.com/sigstore/cosign/v3/internal/ui" "github.com/sigstore/cosign/v3/pkg/blob" "github.com/sigstore/cosign/v3/pkg/cosign" "github.com/sigstore/cosign/v3/pkg/cosign/bundle" - "github.com/sigstore/cosign/v3/pkg/cosign/env" - "github.com/sigstore/cosign/v3/pkg/cosign/pivkey" - "github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key" "github.com/sigstore/cosign/v3/pkg/oci/static" "github.com/sigstore/cosign/v3/pkg/policy" sigs "github.com/sigstore/cosign/v3/pkg/signature" sgbundle "github.com/sigstore/sigstore-go/pkg/bundle" - "github.com/sigstore/sigstore-go/pkg/root" sgverify "github.com/sigstore/sigstore-go/pkg/verify" "github.com/sigstore/sigstore/pkg/cryptoutils" ) 
@@ -128,37 +123,13 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st } // Keys are optional! + var closeSV func() var cert *x509.Certificate - opts := make([]static.Option, 0) - switch { - case c.KeyRef != "": - co.SigVerifier, err = sigs.PublicKeyFromKeyRefWithHashAlgo(ctx, c.KeyRef, c.HashAlgorithm) - if err != nil { - return fmt.Errorf("loading public key: %w", err) - } - pkcs11Key, ok := co.SigVerifier.(*pkcs11key.Key) - if ok { - defer pkcs11Key.Close() - } - case c.Sk: - sk, err := pivkey.GetKeyWithSlot(c.Slot) - if err != nil { - return fmt.Errorf("opening piv token: %w", err) - } - defer sk.Close() - co.SigVerifier, err = sk.Verifier() - if err != nil { - return fmt.Errorf("loading public key from token: %w", err) - } - case c.CertRef != "": - cert, err = loadCertFromFileOrURL(c.CertRef) - if err != nil { - return err - } - case c.CARoots != "": - // CA roots + possible intermediates are already loaded into co.RootCerts with the call to - // loadCertsKeylessVerification above. + co.SigVerifier, cert, closeSV, err = LoadVerifierFromKeyOrCert(ctx, c.KeyRef, c.Slot, c.CertRef, "", c.HashAlgorithm, c.Sk, true, co) + if err != nil { + return fmt.Errorf("loading verifier from key opts: %w", err) } + defer closeSV() var h v1.Hash var digest []byte 
@@ -205,31 +176,16 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier } - if c.TrustedRootPath != "" { - co.TrustedMaterial, err = root.NewTrustedRootFromPath(c.TrustedRootPath) - if err != nil { - return fmt.Errorf("loading trusted root: %w", err) - } - } else if options.NOf(c.CertChain, c.CARoots, c.CAIntermediates, c.TSACertChainPath) == 0 && - env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" && - env.Getenv(env.VariableSigstoreRootFile) == "" && - env.Getenv(env.VariableSigstoreRekorPublicKey) == "" && - env.Getenv(env.VariableSigstoreTSACertificateFile) == "" { - co.TrustedMaterial, err = cosign.TrustedRoot() - if err != nil { - ui.Warnf(ctx, "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err) - } + err = SetTrustedMaterial(ctx, c.TrustedRootPath, c.CertChain, c.CARoots, c.CAIntermediates, c.TSACertChainPath, co) + if err != nil { + return fmt.Errorf("setting trusted material: %w", err) } - if co.NewBundleFormat { - if options.NOf(c.RFC3161TimestampPath, c.TSACertChainPath, c.CertChain, c.CARoots, c.CAIntermediates, c.CertRef, c.SCTRef) > 0 { - return fmt.Errorf("when using --new-bundle-format, please supply signed content with --bundle and verification content with --trusted-root") - } - - if co.TrustedMaterial == nil { - return fmt.Errorf("trusted root is required when using new bundle format") - } + if err = CheckSigstoreBundleUnsupportedOptions(*c, co); err != nil { + return err + } + if co.NewBundleFormat { bundle, err := sgbundle.LoadJSONFromPath(c.BundlePath) if err != nil { return err 
@@ -259,45 +215,10 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st } else if c.RFC3161TimestampPath == "" && co.UseSignedTimestamps { return fmt.Errorf("when specifying --use-signed-timestamps or --timestamp-certificate-chain, you must also specify --rfc3161-timestamp-path") } - if co.UseSignedTimestamps && co.TrustedMaterial == nil { - tsaCertificates, err := cosign.GetTSACerts(ctx, c.TSACertChainPath, cosign.GetTufTargets) - if err != nil { - return fmt.Errorf("unable to load TSA certificates: %w", err) - } - co.TSACertificate = tsaCertificates.LeafCert - co.TSARootCertificates = tsaCertificates.RootCert - co.TSAIntermediateCertificates = tsaCertificates.IntermediateCerts - } - if !c.IgnoreTlog { - if c.RekorURL != "" { - rekorClient, err := rekor.NewClient(c.RekorURL) - if err != nil { - return fmt.Errorf("creating Rekor client: %w", err) - } - co.RekorClient = rekorClient - } - if co.TrustedMaterial == nil { - // This performs an online fetch of the Rekor public keys, but this is needed - // for verifying tlog entries (both online and offline). 
- co.RekorPubKeys, err = cosign.GetRekorPubs(ctx) - if err != nil { - return fmt.Errorf("getting Rekor public keys: %w", err) - } - } - } - if co.TrustedMaterial == nil && keylessVerification(c.KeyRef, c.Sk) { - if err := loadCertsKeylessVerification(c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil { - return err - } - } - - // Ignore Signed Certificate Timestamp if the flag is set or a key is provided - if co.TrustedMaterial == nil && shouldVerifySCT(c.IgnoreSCT, c.KeyRef, c.Sk) { - co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx) - if err != nil { - return fmt.Errorf("getting ctlog public keys: %w", err) - } + err = SetLegacyClientsAndKeys(ctx, c.IgnoreTlog, shouldVerifySCT(c.IgnoreSCT, c.KeyRef, c.Sk), keylessVerification(c.KeyRef, c.Sk), c.RekorURL, c.TSACertChainPath, c.CertChain, c.CARoots, c.CAIntermediates, co) + if err != nil { + return fmt.Errorf("setting up clients and keys: %w", err) } var encodedSig []byte @@ -308,6 +229,7 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st } } + opts := make([]static.Option, 0) if c.BundlePath != "" { b, err := cosign.FetchLocalSignedPayloadFromPath(c.BundlePath) if err != nil { From aab0126a88618835d6ffe00d75d26a5711246aab Mon Sep 17 00:00:00 2001 From: Hayden Date: Mon, 13 Oct 2025 14:02:19 -0700 Subject: [PATCH 101/136] Deprecate offline flag (#4457) The offline flag is misleading and is a no-op with the new Cosign v3 defaults. The flag's purpose was to prevent a client from falling back to verifying an artifact's inclusion in Rekor when a proof failed to verify. Most users thought offline verification forced the client to not make any network requests - a very reasonable assumption, but with TUF, network requests are a part of verification if the local TUF metadata has expired. I've updated the README as well, though we need to make a far more comprehensive pass over the documentation since it's out of date given our new trusted-root/bundle flags. Fixes #4454 
Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --- README.md | 8 ++++++++ cmd/cosign/cli/options/verify.go | 3 ++- doc/cosign_dockerfile_verify.md | 1 - doc/cosign_manifest_verify.md | 1 - doc/cosign_verify-attestation.md | 1 - doc/cosign_verify-blob-attestation.md | 1 - doc/cosign_verify-blob.md | 1 - doc/cosign_verify.md | 1 - 8 files changed, 10 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 6daab76355e..81b59f07b78 100644 --- a/README.md +++ b/README.md @@ -141,6 +141,14 @@ The following checks were performed on these signatures: ### Verify a container in an air-gapped environment +**Note:** This section is out of date. + +**Note:** Most verification workflows require periodically requesting service keys from a TUF repository. +For airgapped verification of signatures using the public-good instance, you will need to retrieve the +[trusted root](https://github.com/sigstore/root-signing/blob/main/targets/trusted_root.json) file from the production +TUF repository. The contents of this file will change without notification. By not using TUF, you will need +to build your own mechanism to keep your airgapped copy of this file up-to-date. + Cosign can do completely offline verification by verifying a [bundle](./specs/SIGNATURE_SPEC.md#properties) which is typically distributed as an annotation on the image manifest. As long as this annotation is present, then offline verification can be done. This bundle annotation is always included by default for keyless signing, so the default `cosign sign` functionality will include all materials needed for offline verification. diff --git a/cmd/cosign/cli/options/verify.go b/cmd/cosign/cli/options/verify.go index 9fc718eeb84..0df169b3bda 100644 --- a/cmd/cosign/cli/options/verify.go +++ b/cmd/cosign/cli/options/verify.go 
@@ -37,7 +37,8 @@ type CommonVerifyOptions struct { func (o *CommonVerifyOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().BoolVar(&o.Offline, "offline", false, - "only allow offline verification") + "only verify an artifact's inclusion in a transparency log using a provided proof, rather than querying the log. May still include network requests to retrieve service keys from a TUF repository") + _ = cmd.Flags().MarkDeprecated("offline", "To verify in an airgapped environment, provide a --bundle with the signature and verification material, and a --trusted-root file with the service keys and certificates") cmd.Flags().StringVar(&o.TSACertChainPath, "timestamp-certificate-chain", "", "path to PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. "+ diff --git a/doc/cosign_dockerfile_verify.md b/doc/cosign_dockerfile_verify.md index 163e83568dd..c522e3c8915 100644 --- a/doc/cosign_dockerfile_verify.md +++ b/doc/cosign_dockerfile_verify.md @@ -78,7 +78,6 @@ cosign dockerfile verify [flags] --local-image whether the specified image is a path to an image saved locally via 'cosign save' --max-workers int the amount of maximum workers for parallel executions (default 10) --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle (default true) - --offline only allow offline verification -o, --output string output format for the signing image information (json|text) (default "json") --payload string payload path or remote URL --private-infrastructure skip transparency log verification when verifying artifacts in a privately deployed infrastructure diff --git a/doc/cosign_manifest_verify.md b/doc/cosign_manifest_verify.md index f3387d97bfa..316a88ed827 100644 --- a/doc/cosign_manifest_verify.md +++ b/doc/cosign_manifest_verify.md 
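Review bot: The error from `cmd.Flags().MarkDeprecated("offline", ...)` is discarded with `_ =` and no comment; since the flag is registered on the preceding line the only possible failure is a programming error, so say so, e.g. `_ = cmd.Flags().MarkDeprecated(...) // cannot fail: the flag is registered just above`, or let the error surface. The reworded help text is the substantive fix for users who read "offline" as "no network": it now states that TUF service-key retrieval may still happen, and the deprecation message steers them to --bundle plus --trusted-root, which matches the fields (BundlePath, TrustedRootPath) used by the verify commands elsewhere in this series. The enclosing AddFlags continues past the hunk.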
@@ -72,7 +72,6 @@ cosign manifest verify [flags] --local-image whether the specified image is a path to an image saved locally via 'cosign save' --max-workers int the amount of maximum workers for parallel executions (default 10) --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle (default true) - --offline only allow offline verification -o, --output string output format for the signing image information (json|text) (default "json") --payload string payload path or remote URL --private-infrastructure skip transparency log verification when verifying artifacts in a privately deployed infrastructure diff --git a/doc/cosign_verify-attestation.md b/doc/cosign_verify-attestation.md index 68c4d0982c9..19c0f2629e2 100644 --- a/doc/cosign_verify-attestation.md +++ b/doc/cosign_verify-attestation.md @@ -82,7 +82,6 @@ cosign verify-attestation [flags] --local-image whether the specified image is a path to an image saved locally via 'cosign save' --max-workers int the amount of maximum workers for parallel executions (default 10) --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle (default true) - --offline only allow offline verification -o, --output string output format for the signing image information (json|text) (default "json") --policy strings specify CUE or Rego files with policies to be used for validation --private-infrastructure skip transparency log verification when verifying artifacts in a privately deployed infrastructure diff --git a/doc/cosign_verify-blob-attestation.md b/doc/cosign_verify-blob-attestation.md index 019b47171fe..d09c868c345 100644 --- a/doc/cosign_verify-blob-attestation.md +++ b/doc/cosign_verify-blob-attestation.md 
@@ -52,7 +52,6 @@ cosign verify-blob-attestation [flags] --key string path to the public key file, KMS URI or Kubernetes Secret --max-workers int the amount of maximum workers for parallel executions (default 10) --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle (default true) - --offline only allow offline verification --private-infrastructure skip transparency log verification when verifying artifacts in a privately deployed infrastructure --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") --rfc3161-timestamp string path to RFC3161 timestamp FILE diff --git a/doc/cosign_verify-blob.md b/doc/cosign_verify-blob.md index ad4b1f36866..04d9e1665f6 100644 --- a/doc/cosign_verify-blob.md +++ b/doc/cosign_verify-blob.md @@ -85,7 +85,6 @@ cosign verify-blob [flags] --key string path to the public key file, KMS URI or Kubernetes Secret --max-workers int the amount of maximum workers for parallel executions (default 10) --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle (default true) - --offline only allow offline verification --private-infrastructure skip transparency log verification when verifying artifacts in a privately deployed infrastructure --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") --rfc3161-timestamp string path to RFC3161 timestamp FILE diff --git a/doc/cosign_verify.md b/doc/cosign_verify.md index 68df34f0dd3..edfc4cce485 100644 --- a/doc/cosign_verify.md +++ b/doc/cosign_verify.md 
@@ -99,7 +99,6 @@ cosign verify [flags] --local-image whether the specified image is a path to an image saved locally via 'cosign save' --max-workers int the amount of maximum workers for parallel executions (default 10) --new-bundle-format expect the signature/attestation to be packaged in a Sigstore bundle (default true) - --offline only allow offline verification -o, --output string output format for the signing image information (json|text) (default "json") --payload string payload path or remote URL --private-infrastructure skip transparency log verification when verifying artifacts in a privately deployed infrastructure From 6d95e9b522122770a3c271a28ebca726e535f0a4 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Oct 2025 18:26:09 +0200 Subject: [PATCH 102/136] chore(deps): bump the actions group with 2 updates (#4460) Bumps the actions group with 2 updates: [chainguard-dev/actions](https://github.com/chainguard-dev/actions) and [mikefarah/yq](https://github.com/mikefarah/yq). Updates `chainguard-dev/actions` from 1.5.3 to 1.5.4 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](https://github.com/chainguard-dev/actions/compare/6f4f4de7549514e7b659741b30f6476f245600dd...7b18ea9960f945cabf19a84752e580829347f4ed) Updates `mikefarah/yq` from 4.47.2 to 4.48.1 - [Release notes](https://github.com/mikefarah/yq/releases) - [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt) - [Commits](https://github.com/mikefarah/yq/compare/6251e95af8df3505def48c71f3119836701495d6...0ecdce24e83f0fa127940334be98c86b07b0c488) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.5.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: mikefarah/yq dependency-version: 4.48.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/donotsubmit.yaml | 2 +- .github/workflows/e2e-tests.yml | 4 ++-- .github/workflows/kind-verify-attestation.yaml | 4 ++-- .github/workflows/tests.yaml | 2 +- .github/workflows/whitespace.yaml | 4 ++-- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml index a56422ebcf5..727a832fe42 100644 --- a/.github/workflows/donotsubmit.yaml +++ b/.github/workflows/donotsubmit.yaml 
@@ -40,4 +40,4 @@ jobs: persist-credentials: false - name: Do Not Submit - uses: chainguard-dev/actions/donotsubmit@6f4f4de7549514e7b659741b30f6476f245600dd # v1.5.3 + uses: chainguard-dev/actions/donotsubmit@7b18ea9960f945cabf19a84752e580829347f4ed # v1.5.4 diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 98d36978f61..96bb964b6aa 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -149,7 +149,7 @@ jobs: cache: false - name: Setup mirror - uses: chainguard-dev/actions/setup-mirror@6f4f4de7549514e7b659741b30f6476f245600dd # v1.5.3 + uses: chainguard-dev/actions/setup-mirror@7b18ea9960f945cabf19a84752e580829347f4ed # v1.5.4 with: mirror: mirror.gcr.io @@ -239,4 +239,4 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@6f4f4de7549514e7b659741b30f6476f245600dd # v1.5.3 + uses: chainguard-dev/actions/kind-diag@7b18ea9960f945cabf19a84752e580829347f4ed # v1.5.4 diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml index fa628cf0c22..e107b497d38 100644 --- a/.github/workflows/kind-verify-attestation.yaml +++ b/.github/workflows/kind-verify-attestation.yaml @@ -70,7 +70,7 @@ jobs: - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9 - name: Install yq - uses: mikefarah/yq@6251e95af8df3505def48c71f3119836701495d6 # v4.47.2 + uses: mikefarah/yq@0ecdce24e83f0fa127940334be98c86b07b0c488 # v4.48.1 - name: build cosign run: | @@ -181,7 +181,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@6f4f4de7549514e7b659741b30f6476f245600dd # v1.5.3 + uses: chainguard-dev/actions/kind-diag@7b18ea9960f945cabf19a84752e580829347f4ed # v1.5.4 - name: Create vuln attestation for it run: | diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index a8acc93e479..268c8cf3cf8 100644 --- a/.github/workflows/tests.yaml 
+++ b/.github/workflows/tests.yaml @@ -184,7 +184,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@6f4f4de7549514e7b659741b30f6476f245600dd # v1.5.3 + uses: chainguard-dev/actions/kind-diag@7b18ea9960f945cabf19a84752e580829347f4ed # v1.5.4 e2e-windows-powershell-tests: name: Run PowerShell E2E tests diff --git a/.github/workflows/whitespace.yaml b/.github/workflows/whitespace.yaml index 94df9f36de3..c031bc6ca35 100644 --- a/.github/workflows/whitespace.yaml +++ b/.github/workflows/whitespace.yaml @@ -38,8 +38,8 @@ jobs: with: persist-credentials: false - - uses: chainguard-dev/actions/trailing-space@6f4f4de7549514e7b659741b30f6476f245600dd # v1.5.3 + - uses: chainguard-dev/actions/trailing-space@7b18ea9960f945cabf19a84752e580829347f4ed # v1.5.4 if: ${{ always() }} - - uses: chainguard-dev/actions/eof-newline@6f4f4de7549514e7b659741b30f6476f245600dd # v1.5.3 + - uses: chainguard-dev/actions/eof-newline@7b18ea9960f945cabf19a84752e580829347f4ed # v1.5.4 if: ${{ always() }} From ae3eecb2c41c2854390e39d7258fd19d6ece247a Mon Sep 17 00:00:00 2001 From: Alex Pyrgiotis Date: Thu, 16 Oct 2025 20:54:09 +0300 Subject: [PATCH 103/136] Remove --out flag from `cosign initialize` (#4462) Remove any mention of the `--out` flag from the `cosign initialize` command, since it's no longer used. Signed-off-by: Alex Pyrgiotis --- cmd/cosign/cli/initialize.go | 6 +++--- doc/cosign_initialize.md | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/cmd/cosign/cli/initialize.go b/cmd/cosign/cli/initialize.go index 4ed890456f2..7bf407d4620 100644 --- a/cmd/cosign/cli/initialize.go +++ b/cmd/cosign/cli/initialize.go 
@@ -39,10 +39,10 @@ This will enable you to point cosign to a separate TUF root. Any updated TUF repository will be written to $HOME/.sigstore/root/. Trusted keys and certificate used in cosign verification (e.g. verifying Fulcio issued certificates -with Fulcio root CA) are pulled form the trusted metadata.`, - Example: `cosign initialize --mirror --out +with Fulcio root CA) are pulled from the trusted metadata.`, + Example: `cosign initialize --mirror -# initialize root with distributed root keys, default mirror, and default out path. +# initialize root with distributed root keys, using the default mirror. cosign initialize # initialize with an out-of-band root key file, using the default mirror. diff --git a/doc/cosign_initialize.md b/doc/cosign_initialize.md index 1b927192696..e36930e67c7 100644 --- a/doc/cosign_initialize.md +++ b/doc/cosign_initialize.md @@ -16,7 +16,7 @@ This will enable you to point cosign to a separate TUF root. Any updated TUF repository will be written to $HOME/.sigstore/root/. Trusted keys and certificate used in cosign verification (e.g. verifying Fulcio issued certificates -with Fulcio root CA) are pulled form the trusted metadata. +with Fulcio root CA) are pulled from the trusted metadata. ``` cosign initialize [flags] @@ -25,9 +25,9 @@ cosign initialize [flags] ### Examples ``` -cosign initialize --mirror --out +cosign initialize --mirror -# initialize root with distributed root keys, default mirror, and default out path. +# initialize root with distributed root keys, using the default mirror. cosign initialize # initialize with an out-of-band root key file, using the default mirror. From 03ab1867f7777f361357b93f785fe6b3ef6653de Mon Sep 17 00:00:00 2001 
From: Carlos Tadeu Panato Junior Date: Fri, 17 Oct 2025 20:22:40 +0200 Subject: [PATCH 104/136] update go to 1.25.3 (#4471) --- .github/workflows/validate-release.yml | 8 ++++---- Dockerfile | 2 +- release/cloudbuild.yaml | 10 +++++----- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml index 1adbd67092e..d92d5f2a86e 100644 --- a/.github/workflows/validate-release.yml +++ b/.github/workflows/validate-release.yml @@ -26,14 +26,14 @@ jobs: check-signature: runs-on: ubuntu-latest container: - image: ghcr.io/sigstore/cosign/cosign:v2.6.0-dev@sha256:927acebad5fd845802b560f2a1b2cfa7c7170a5056511d2cae137a5e4fc39a4c + image: ghcr.io/sigstore/cosign/cosign:v2.6.1-dev@sha256:40523fa4ca7ba0d9930154f0f6e1730b7a57bee61cadc9612730dfc992bc8abc steps: - name: Check Signature run: | - cosign verify ghcr.io/gythialy/golang-cross:v1.25.1-0@sha256:037d8941e21d7e33df0388d2be044e7f322dbd61bef42bb504ae15e15eb0eb7d \ + cosign verify ghcr.io/gythialy/golang-cross:v1.25.3-0@sha256:5f7e91a9e3c2411fe1973d9a5ab2f34eddd166251a95654b66c1171128f013c6 \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ - --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.25.1-0" + --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.25.3-0" env: TUF_ROOT: /tmp @@ -43,7 +43,7 @@ jobs: - check-signature container: - image: ghcr.io/gythialy/golang-cross:v1.25.1-0@sha256:037d8941e21d7e33df0388d2be044e7f322dbd61bef42bb504ae15e15eb0eb7d + image: ghcr.io/gythialy/golang-cross:v1.25.3-0@sha256:5f7e91a9e3c2411fe1973d9a5ab2f34eddd166251a95654b66c1171128f013c6 volumes: - /usr:/host_usr - /opt:/host_opt diff --git a/Dockerfile b/Dockerfile index 856f771c0be..eb59fd6f167 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -15,4 +15,4 @@ # This is used to we scrap the go version and use in CI to get the latest go version # and we use dependabot to keep the go version up to date -FROM golang:1.25.1 +FROM golang:1.25.3 diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml index c8c755b4587..6882f7ae3fc 100644 --- a/release/cloudbuild.yaml +++ b/release/cloudbuild.yaml @@ -32,20 +32,20 @@ steps: echo "Checking out ${_GIT_TAG}" git checkout ${_GIT_TAG} - - name: 'ghcr.io/sigstore/cosign/cosign:v2.6.0-dev@sha256:927acebad5fd845802b560f2a1b2cfa7c7170a5056511d2cae137a5e4fc39a4c' + - name: 'ghcr.io/sigstore/cosign/cosign:v2.6.1-dev@sha256:40523fa4ca7ba0d9930154f0f6e1730b7a57bee61cadc9612730dfc992bc8abc' dir: "go/src/sigstore/cosign" env: - TUF_ROOT=/tmp args: - 'verify' - - 'ghcr.io/gythialy/golang-cross:v1.25.1-0@sha256:037d8941e21d7e33df0388d2be044e7f322dbd61bef42bb504ae15e15eb0eb7d' + - 'ghcr.io/gythialy/golang-cross:v1.25.3-0@sha256:5f7e91a9e3c2411fe1973d9a5ab2f34eddd166251a95654b66c1171128f013c6' - '--certificate-oidc-issuer' - "https://token.actions.githubusercontent.com" - '--certificate-identity' - - "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.25.1-0" + - "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.25.3-0" # maybe we can build our own image and use that to be more in a safe side - - name: ghcr.io/gythialy/golang-cross:v1.25.1-0@sha256:037d8941e21d7e33df0388d2be044e7f322dbd61bef42bb504ae15e15eb0eb7d + - name: ghcr.io/gythialy/golang-cross:v1.25.3-0@sha256:5f7e91a9e3c2411fe1973d9a5ab2f34eddd166251a95654b66c1171128f013c6 entrypoint: /bin/sh dir: "go/src/sigstore/cosign" env: 
@@ -68,7 +68,7 @@ steps:
 gcloud auth configure-docker \
 && make release
 
- - name: ghcr.io/gythialy/golang-cross:v1.25.1-0@sha256:037d8941e21d7e33df0388d2be044e7f322dbd61bef42bb504ae15e15eb0eb7d
+ - name: ghcr.io/gythialy/golang-cross:v1.25.3-0@sha256:5f7e91a9e3c2411fe1973d9a5ab2f34eddd166251a95654b66c1171128f013c6
 entrypoint: 'bash'
 dir: "go/src/sigstore/cosign"
 env:
From 5ae3d57365b7ef40530fdeef96bd14e548a55226 Mon Sep 17 00:00:00 2001 From: Colleen Murphy Date: Sat, 18 Oct 2025 03:04:37 -0700 Subject: [PATCH 105/136] Use overridden repository for new bundle format (#4473) Ensure COSIGN_REPOSITORY environment variable is respected both for the legacy attachment format and the new bundle format. Signed-off-by: Colleen Murphy --- pkg/oci/remote/write.go | 6 +-- test/e2e_test.go | 97 +++++++++++++++++++++++++++++++++++++++++ test/e2e_test.sh | 14 +++++- 3 files changed, 112 insertions(+), 5 deletions(-)
diff --git a/pkg/oci/remote/write.go b/pkg/oci/remote/write.go
index 0e73c951c24..b67dd376277 100644
--- a/pkg/oci/remote/write.go
+++ b/pkg/oci/remote/write.go
@@ -249,7 +249,7 @@ func WriteReferrer(d name.Digest, artifactType string, layers []v1.Layer, annota
 if err != nil {
 return fmt.Errorf("failed to calculate size: %w", err)
 }
- err = remoteWriteLayer(d.Repository, configLayer, o.ROpt...)
+ err = remoteWriteLayer(o.TargetRepository, configLayer, o.ROpt...)
 if err != nil {
 return fmt.Errorf("failed to upload layer: %w", err)
 }
@@ -269,7 +269,7 @@ func WriteReferrer(d name.Digest, artifactType string, layers []v1.Layer, annota
 return fmt.Errorf("failed to calculate size: %w", err)
 }
 
- err = remoteWriteLayer(d.Repository, layer, o.ROpt...)
+ err = remoteWriteLayer(o.TargetRepository, layer, o.ROpt...)
 if err != nil {
 return fmt.Errorf("failed to upload layer: %w", err)
 }
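Review bot: Both `remoteWriteLayer` calls here, and `manifest.targetRef` in the next hunk, now push to `o.TargetRepository`, so correctness rests on that field always being populated — with `d.Repository` when no repository override is in effect — and nothing in these hunks shows where that default is established. If the field can be left at its zero value, the layers and the referrer manifest would be pushed against an empty repository reference instead of failing early. Record the invariant at the first use, `// o.TargetRepository is d.Repository unless the caller applied a repository override; never the zero value`, and consider a guard such as `if o.TargetRepository.RepositoryStr() == "" { return fmt.Errorf("no target repository for referrer") }` before the first upload. WriteReferrer begins before and continues after these hunks, so the option construction is outside my view.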
@@ -299,7 +299,7 @@ func WriteReferrer(d name.Digest, artifactType string, layers []v1.Layer, annota Annotations: annotations, }, artifactType} - targetRef, err := manifest.targetRef(d.Repository) + targetRef, err := manifest.targetRef(o.TargetRepository) if err != nil { return fmt.Errorf("failed to create target reference: %w", err) } diff --git a/test/e2e_test.go b/test/e2e_test.go index 70bd92891c3..ac987ab7de5 100644 --- a/test/e2e_test.go +++ b/test/e2e_test.go @@ -41,8 +41,10 @@ import ( "time" "github.com/google/go-cmp/cmp" + "github.com/google/go-containerregistry/pkg/crane" "github.com/google/go-containerregistry/pkg/name" "github.com/google/go-containerregistry/pkg/v1/remote" + "github.com/stretchr/testify/assert" "github.com/theupdateframework/go-tuf/v2/metadata" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" k8s "k8s.io/client-go/kubernetes" 
@@ -3883,3 +3885,98 @@ func getOIDCToken() (string, error) {
 }
 return string(body), nil
 }
+
+func TestSignVerifyWithRepoOverride(t *testing.T) {
+ cosignRepo := env.Getenv(env.VariableRepository)
+ if cosignRepo == "" {
+ t.Skip("Skipping COSIGN_REPOSITORY test because a second repository and COSIGN_REPOSITORY must be set up")
+ }
+ td := t.TempDir()
+ err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ repo, stop := reg(t)
+ defer stop()
+
+ imgName := path.Join(repo, "cosign-e2e")
+
+ name, _, cleanup := mkimage(t, imgName)
+ defer cleanup()
+
+ digest, err := crane.Digest(name.String())
+ must(err, t)
+
+ _, privKeyPath, pubKeyPath := keypair(t, td)
+
+ // Verify should fail at first
+ mustErr(verify(pubKeyPath, imgName, true, nil, "", false), t)
+
+ // No artifacts yet in the second registry
+ _, err = crane.ListTags(cosignRepo)
+ mustErr(err, t)
+
+ // Only one tag in the first registry
+ tags, err := crane.ListTags(name.String())
+ must(err, t)
+ assert.Len(t, tags, 1, "expected 1 tag in the first repo")
+ assert.Equal(t, tags[0], "latest", "expected tag name to be 'latest'")
+
+ // Now sign the image
+
+ ko := options.KeyOpts{
+ KeyRef: privKeyPath,
+ PassFunc: passFunc,
+ RekorURL: rekorURL,
+ SkipConfirmation: true,
+ }
+
+ so := options.SignOptions{
+ Upload: true,
+ TlogUpload: true,
+ }
+
+ must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
+
+ // Bundle should appear in the second repo
+ tags, err = crane.ListTags(cosignRepo)
+ must(err, t)
+ assert.Len(t, tags, 1, "expected 1 signature tag in the second repo")
+ expectedTagName := fmt.Sprintf("%s.sig", strings.ReplaceAll(digest, ":", "-"))
+ assert.Equal(t, tags[0], expectedTagName, "expected signature tag to match sha256-.sig")
+ // but not in the first repo
+ tags, err = crane.ListTags(name.String())
+ must(err, t)
+ assert.Len(t, tags, 1, "expected no extra tags in the first repo")
+ assert.Equal(t, tags[0], "latest", "expected tag name to be 'latest'")
+
+ // Now verify and download should work!
+ must(verify(pubKeyPath, imgName, true, nil, "", false), t)
+
+ // Sign another image with the new protobuf bundle format
+ so.NewBundleFormat = true
+ must(sign.SignCmd(ro, ko, so, []string{name.String()}), t)
+
+ // The new bundle should appear under a new tag for the second repo
+ tags, err = crane.ListTags(cosignRepo)
+ must(err, t)
+ assert.Len(t, tags, 2, "expected new tag in the second repo")
+ expectedTagName = strings.ReplaceAll(digest, ":", "-")
+ assert.Equal(t, tags[0], expectedTagName, "expected new tag to match referrers format")
+ // but not in the first repo
+ tags, err = crane.ListTags(name.String())
+ must(err, t)
+ assert.Len(t, tags, 1, "expected no extra tags in the first repo")
+ assert.Equal(t, tags[0], "latest", "expected tag name to be 'latest'")
+
+ // Verify should work with new bundle format
+ cmd := cliverify.VerifyCommand{
+ KeyRef: pubKeyPath,
+ RekorURL: rekorURL,
+ NewBundleFormat: true,
+ }
+
+ ctx := context.Background()
+ must(cmd.Exec(ctx, []string{imgName}), t)
+}
diff --git a/test/e2e_test.sh b/test/e2e_test.sh
index 32c45566456..d3ccd5bb34e 100755
--- a/test/e2e_test.sh
+++ b/test/e2e_test.sh
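Review bot: Every `assert.Len(t, tags, N, ...)` is followed directly by `tags[0]`, and testify's `assert` functions only mark the test failed and keep running, so an empty tag list becomes an index-out-of-range panic that aborts the e2e binary instead of a readable failure; switch those length checks to `require.Len(t, tags, 1, ...)` (a `require` import would be needed alongside `assert`), or guard with `if len(tags) == 0 { t.Fatalf("no tags in %s", name) }`. The `assert.Equal(t, tags[0], "latest", ...)` calls pass (actual, expected) while testify documents (expected, actual), so failure output will label the two values the wrong way round — `assert.Equal(t, "latest", tags[0], ...)`. `name, _, cleanup := mkimage(t, imgName)` also shadows the `name` package imported in the previous hunk for the rest of the function, which compiles but is easy to misread. The `tags[0] == expectedTagName` check after the second sign relies on ListTags returning the referrers tag ahead of the `.sig` tag; that looks intended (presumably lexicographic order) but deserves a one-line comment.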
@@ -111,15 +111,25 @@ go test -tags=e2e -v -race ./test/...
 
 # Test on a private registry
 echo "testing sign/verify/clean on private registry"
-cleanup() {
+cleanup_registry() {
 cleanup_services
 docker rm -f registry
 }
-trap cleanup EXIT
+trap cleanup_registry EXIT
 docker run -d -p 5000:5000 --restart always -e REGISTRY_STORAGE_DELETE_ENABLED=true --name registry registry:latest
 export COSIGN_TEST_REPO=localhost:5000
 go test -tags=e2e -v ./test/... -run TestSignVerifyClean
 
+# Test with signature in separate registry
+cleanup() {
+ cleanup_registry
+ docker rm -f registry-2
+}
+trap cleanup EXIT
+docker run -d -p 5001:5000 --restart always -e REGISTRY_STORAGE_DELETE_ENABLED=true --name registry-2 registry:latest
+export COSIGN_REPOSITORY=localhost:5001/hello
+go test -tags=e2e -v ./test/... -run TestSignVerifyWithRepoOverride
+
 # Run the built container to make sure it doesn't crash
 make ko-local
 img="ko.local/cosign:$(git rev-parse HEAD)"
From 33b3939a3402691ff76f3074e3d15d5ad75bbad6 Mon Sep 17 00:00:00 2001 From: Zach Steindler Date: Tue, 21 Oct 2025 07:41:32 -0400 Subject: [PATCH 106/136] Fix segfault when no attestations are found (#4472) * Ensure attestations are set --------- Signed-off-by: Zach Steindler --- pkg/cosign/verify.go | 3 +++ pkg/cosign/verify_test.go | 6 ++++++ 2 files changed, 9 insertions(+)
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
index 8d4e56b8260..0475086afd9 100644
--- a/pkg/cosign/verify.go
+++ b/pkg/cosign/verify.go
@@ -1097,6 +1097,9 @@ func VerifyBlobAttestation(ctx context.Context, att oci.Signature, h v1.Hash, co
 }
 
 func VerifyImageAttestation(ctx context.Context, atts oci.Signatures, h v1.Hash, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error) {
+ if atts == nil {
+ return nil, false, errors.New("no attestations provided")
+ }
 sl, err := atts.Get()
 if err != nil {
 return nil, false, err
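Review bot: `export COSIGN_REPOSITORY=localhost:5001/hello` remains set for everything after this block, including the `make ko-local` container smoke test that immediately follows it, so any later sign or verify step in the script would be silently redirected to the second registry; add `unset COSIGN_REPOSITORY` right after the `go test ... -run TestSignVerifyWithRepoOverride` line. The second registry is started with `docker run -d` and the test is launched immediately, mirroring the existing registry on 5000; if the Go test's first `crane.ListTags(cosignRepo)` expectation of an error is satisfied by a registry that is simply not up yet, the real failure surfaces later at signing rather than at setup, so a short readiness wait before the test would make failures easier to read.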
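Review bot: `atts == nil` rejects only an untyped nil interface; an `oci.Signatures` built from a typed nil pointer (the classic Go nil-interface trap) compares non-nil, passes this guard and still dereferences in `atts.Get()`, so the crash this commit fixes can return via that path. The durable fix is at the call sites — return a literal `nil` for the Signatures value on every error path — and a comment on the guard should state the contract, `// a typed-nil pointer boxed in the interface will pass this check; callers must return literal nil`. The sibling `VerifyBlobAttestation` named in the hunk header takes a single `att oci.Signature` and may want the same guard if it dereferences unconditionally. VerifyImageAttestation's body continues past the hunk.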
diff --git a/pkg/cosign/verify_test.go b/pkg/cosign/verify_test.go
index 0d4160364bc..4329dedb305 100644
--- a/pkg/cosign/verify_test.go
+++ b/pkg/cosign/verify_test.go
@@ -1648,6 +1648,12 @@ func TestVerifyRFC3161Timestamp(t *testing.T) {
 }
 }
 
+func TestVerifyImageAttestation(t *testing.T) {
+ if _, _, err := VerifyImageAttestation(context.TODO(), nil, v1.Hash{}, nil); err == nil {
+ t.Error("VerifyImageAttestation() should error when given nil attestations")
+ }
+}
+
 // Mock Rekor client
 type mockEntriesClient struct {
 entries.ClientService
From 6826722cb078de3121632fbaa86fd5c902c1bec3 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 21 Oct 2025 16:56:00 +0100 Subject: [PATCH 107/136] upgrade OSS-Fuzz build tooling (#4487) Signed-off-by: Adam Korczynski --- test/fuzz/oss_fuzz_build.sh | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/test/fuzz/oss_fuzz_build.sh b/test/fuzz/oss_fuzz_build.sh
index 48416184d49..d74b4aafc96 100755
--- a/test/fuzz/oss_fuzz_build.sh
+++ b/test/fuzz/oss_fuzz_build.sh
@@ -14,15 +14,14 @@ # See the License for the specific language governing permissions and # limitations under the License. -go get github.com/AdamKorcz/go-118-fuzz-build/testing - mv ./pkg/cosign/keys_test.go ./pkg/cosign/keys_test_keep_in_fuzz_scope.go -compile_native_go_fuzzer github.com/sigstore/cosign/v3/pkg/cosign/attestation FuzzGenerateStatement FuzzGenerateStatement -compile_native_go_fuzzer github.com/sigstore/cosign/v3/pkg/cosign/cue FuzzValidateJSON FuzzValidateJSON_cue -compile_native_go_fuzzer github.com/sigstore/cosign/v3/pkg/cosign/rego FuzzValidateJSON FuzzValidateJSON_rego -compile_native_go_fuzzer github.com/sigstore/cosign/v3/pkg/cosign FuzzImportKeyPairLoadPrivateKey FuzzImportKeyPairLoadPrivateKey -compile_native_go_fuzzer github.com/sigstore/cosign/v3/pkg/cosign FuzzSigVerify FuzzSigVerify -compile_native_go_fuzzer github.com/sigstore/cosign/v3/pkg/policy FuzzEvaluatePolicyAgainstJSON FuzzEvaluatePolicyAgainstJSON +rm ./pkg/cosign/verify_bundle_test.go +compile_native_go_fuzzer_v2 github.com/sigstore/cosign/v3/pkg/cosign/attestation FuzzGenerateStatement FuzzGenerateStatement +compile_native_go_fuzzer_v2 github.com/sigstore/cosign/v3/pkg/cosign/cue FuzzValidateJSON FuzzValidateJSON_cue +compile_native_go_fuzzer_v2 github.com/sigstore/cosign/v3/pkg/cosign/rego FuzzValidateJSON FuzzValidateJSON_rego +compile_native_go_fuzzer_v2 github.com/sigstore/cosign/v3/pkg/cosign FuzzImportKeyPairLoadPrivateKey FuzzImportKeyPairLoadPrivateKey +compile_native_go_fuzzer_v2 github.com/sigstore/cosign/v3/pkg/cosign FuzzSigVerify FuzzSigVerify +compile_native_go_fuzzer_v2 github.com/sigstore/cosign/v3/pkg/policy FuzzEvaluatePolicyAgainstJSON FuzzEvaluatePolicyAgainstJSON zip -j $OUT/FuzzEvaluatePolicyAgainstJSON_seed_corpus.zip test/fuzz/seeds/FuzzEvaluatePolicyAgainstJSON_seed* zip -j $OUT/FuzzEvaluatePolicyAgainstJSON_seed_corpus.zip $SRC/go-fuzz-corpus/json/corpus/* From a0bf3d98669988ae381d4ce684aa968239eeb2cf Mon Sep 17 00:00:00 2001 
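Review bot: `rm ./pkg/cosign/verify_bundle_test.go` is added without any comment saying why that test file has to be dropped from the fuzz build, whereas the `mv` of keys_test.go on the line above documents its intent through the `_keep_in_fuzz_scope` name; a later cleanup could remove the line, or it could keep masking a real build failure under the v2 builder unnoticed. Add a one-line reason, `# verify_bundle_test.go breaks compile_native_go_fuzzer_v2: <reason placeholder>`, and prefer renaming the file out of scope the way keys_test.go is handled rather than deleting it, so the tree stays intact if a later step fails. The script continues past the hunk.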
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 22 Oct 2025 05:33:29 -0700 Subject: [PATCH 108/136] chore(deps): bump cuelang.org/go in the gomod group (#4479) --- updated-dependencies: - dependency-name: cuelang.org/go dependency-version: 0.14.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 5cd5f4e2842..c1799367a8f 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/sigstore/cosign/v3 go 1.24.6 require ( - cuelang.org/go v0.14.1 + cuelang.org/go v0.14.2 github.com/ThalesIgnite/crypto11 v1.2.5 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 github.com/buildkite/agent/v3 v3.108.0 diff --git a/go.sum b/go.sum index 090e018ecd3..f9bab185062 100644 --- a/go.sum +++ b/go.sum 
@@ -622,8 +622,8 @@ cloud.google.com/go/workflows v1.9.0/go.mod h1:ZGkj1aFIOd9c8Gerkjjq7OW7I5+l6cSvT cloud.google.com/go/workflows v1.10.0/go.mod h1:fZ8LmRmZQWacon9UCX1r/g/DfAXx5VcPALq2CxzdePw= cuelabs.dev/go/oci/ociregistry v0.0.0-20250715075730-49cab49c8e9d h1:lX0EawyoAu4kgMJJfy7MmNkIHioBcdBGFRSKDZ+CWo0= cuelabs.dev/go/oci/ociregistry v0.0.0-20250715075730-49cab49c8e9d/go.mod h1:4WWeZNxUO1vRoZWAHIG0KZOd6dA25ypyWuwD3ti0Tdc= -cuelang.org/go v0.14.1 h1:kxFAHr7bvrCikbtVps2chPIARazVdnRmlz65dAzKyWg= -cuelang.org/go v0.14.1/go.mod h1:aSP9UZUM5m2izHAHUvqtq0wTlWn5oLjuv2iBMQZBLLs= +cuelang.org/go v0.14.2 h1:LDlMXbfp0/AHjNbmuDYSGBbHDekaXei/RhAOCihpSgg= +cuelang.org/go v0.14.2/go.mod h1:53oOiowh5oAlniD+ynbHPaHxHFO5qc3QkzlUiB/9kps= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= From f72baa9d27e15f65337615b779fa82b72312efd2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 22 Oct 2025 05:33:44 -0700 Subject: [PATCH 109/136] chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0 (#4486) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.42.0 to 0.43.0. - [Commits](https://github.com/golang/crypto/compare/v0.42.0...v0.43.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.43.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 12 ++++++------ go.sum | 24 ++++++++++++------------ 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/go.mod b/go.mod index c1799367a8f..7fdb8609854 100644 --- a/go.mod +++ b/go.mod 
@@ -53,10 +53,10 @@ require ( github.com/transparency-dev/merkle v0.0.2 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 gitlab.com/gitlab-org/api/client-go v0.154.0 - golang.org/x/crypto v0.42.0 + golang.org/x/crypto v0.43.0 golang.org/x/oauth2 v0.31.0 golang.org/x/sync v0.17.0 - golang.org/x/term v0.35.0 + golang.org/x/term v0.36.0 google.golang.org/api v0.252.0 google.golang.org/protobuf v1.36.10 k8s.io/api v0.34.1 @@ -308,11 +308,11 @@ require ( go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect golang.org/x/mod v0.28.0 // indirect - golang.org/x/net v0.44.0 // indirect - golang.org/x/sys v0.36.0 // indirect - golang.org/x/text v0.29.0 // indirect + golang.org/x/net v0.45.0 // indirect + golang.org/x/sys v0.37.0 // indirect + golang.org/x/text v0.30.0 // indirect golang.org/x/time v0.13.0 // indirect - golang.org/x/tools v0.36.0 // indirect + golang.org/x/tools v0.37.0 // indirect google.golang.org/genproto v0.0.0-20250922171735-9219d122eba9 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20251002232023-7c0ddcbb5797 // indirect diff --git a/go.sum b/go.sum index f9bab185062..747c36c66da 100644 --- a/go.sum +++ b/go.sum 
@@ -1655,8 +1655,8 @@ golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I= golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= -golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI= -golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8= +golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04= +golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0= golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -1783,8 +1783,8 @@ golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= -golang.org/x/net v0.44.0 h1:evd8IRDyfNBMBTTY5XRF1vaZlD+EmWx6x8PkhR04H/I= -golang.org/x/net v0.44.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY= +golang.org/x/net v0.45.0 h1:RLBg5JKixCy82FtLJpeNlVM0nrSqpCRYzVU1n8kj0tM= +golang.org/x/net v0.45.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -1925,8 +1925,8 @@ golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k= -golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ= +golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= @@ -1938,8 +1938,8 @@ golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo= golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= -golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ= -golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA= +golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q= +golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1958,8 +1958,8 @@ golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk= -golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4= +golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k= +golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -2034,8 +2034,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s= -golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg= -golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s= +golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE= +golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
From 0c2865255845924aeb84bba789c654ecd4db3d70 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 22 Oct 2025 05:34:25 -0700 Subject: [PATCH 110/136] chore(deps): bump github.com/sigstore/rekor-tiles/v2 (#4485) Bumps [github.com/sigstore/rekor-tiles/v2](https://github.com/sigstore/rekor-tiles) from 2.0.0-rc2 to 2.0.0. - [Release notes](https://github.com/sigstore/rekor-tiles/releases) - [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release) - [Commits](https://github.com/sigstore/rekor-tiles/compare/v2.0.0-rc2...v2.0.0) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor-tiles/v2 dependency-version: 2.0.0 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 7fdb8609854..c7d8d4740df 100644 --- a/go.mod +++ b/go.mod @@ -36,7 +36,7 @@ require ( github.com/sigstore/fulcio v1.7.1 github.com/sigstore/protobuf-specs v0.5.0 github.com/sigstore/rekor v1.4.2 - github.com/sigstore/rekor-tiles/v2 v2.0.0-rc2 + github.com/sigstore/rekor-tiles/v2 v2.0.0 github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3 github.com/sigstore/sigstore-go v1.1.3 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 diff --git a/go.sum b/go.sum index 747c36c66da..83f0fe13cd9 100644 --- a/go.sum +++ b/go.sum 
@@ -1449,8 +1449,8 @@ github.com/sigstore/rekor v1.4.2 h1:Lx2xby7loviFYdg2C9pB1mESk2QU/LqcYSGsqqZwmg8= github.com/sigstore/rekor v1.4.2/go.mod h1:nX/OYaLqpTeCOuMEt7ELE0+5cVjZWFnFKM+cZ+3hQRA= github.com/sigstore/rekor-tiles v0.1.11 h1:0NAJ2EhD1r6DH95FUuDTqUDd+c31LSKzoXGW5ZCzFq0= github.com/sigstore/rekor-tiles v0.1.11/go.mod h1:eGIeqASh52pgWpmp/j5KZDjmKdVwob7eTYskVVRCu5k= -github.com/sigstore/rekor-tiles/v2 v2.0.0-rc2 h1:6Jr9jbGIZD6Wsx/jrC8O8Lh0o+oJlx5EVWRstg9aSFo= -github.com/sigstore/rekor-tiles/v2 v2.0.0-rc2/go.mod h1:1HyDsS2pQg36OoEZ0SeGmQIGflxK5W3nWW1Z+G6IWA8= +github.com/sigstore/rekor-tiles/v2 v2.0.0 h1:RDi03W/k7TOB+1StMOVdUaufKqtFImrh0KpOEPwsiV0= +github.com/sigstore/rekor-tiles/v2 v2.0.0/go.mod h1:1HyDsS2pQg36OoEZ0SeGmQIGflxK5W3nWW1Z+G6IWA8= github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3 h1:IEhSeWfhTd0kaBpHUXniWU2Tl5K5OUACN69mi1WGd+8= github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3/go.mod h1:JuqyPRJYnkNl6OTnQiG503EUnKih4P5EV6FUw+1B0iA= github.com/sigstore/sigstore-go v1.1.3 h1:5lKcbXZa5JC7wb/UVywyCulccfYTUju1D5h4tkn+fXE= From 32070b7c6bf77a781112372851c42b549580b307 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 22 Oct 2025 05:34:52 -0700 Subject: [PATCH 111/136] chore(deps): bump chainguard-dev/actions in the actions group (#4480) Bumps the actions group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `chainguard-dev/actions` from 1.5.4 to 1.5.7 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](https://github.com/chainguard-dev/actions/compare/7b18ea9960f945cabf19a84752e580829347f4ed...1b32103f5aa389c31ab0be75a8edc38d7e4750d8) --- updated-dependencies: - dependency-name: chainguard-dev/actions dependency-version: 1.5.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/donotsubmit.yaml | 2 +- .github/workflows/e2e-tests.yml | 4 ++-- .github/workflows/kind-verify-attestation.yaml | 2 +- .github/workflows/tests.yaml | 2 +- .github/workflows/whitespace.yaml | 4 ++-- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml index 727a832fe42..c0b211bc1cd 100644 --- a/.github/workflows/donotsubmit.yaml +++ b/.github/workflows/donotsubmit.yaml @@ -40,4 +40,4 @@ jobs: persist-credentials: false - name: Do Not Submit - uses: chainguard-dev/actions/donotsubmit@7b18ea9960f945cabf19a84752e580829347f4ed # v1.5.4 + uses: chainguard-dev/actions/donotsubmit@1b32103f5aa389c31ab0be75a8edc38d7e4750d8 # v1.5.7 diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 96bb964b6aa..eb5e59c4769 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml 
@@ -149,7 +149,7 @@ jobs: cache: false - name: Setup mirror - uses: chainguard-dev/actions/setup-mirror@7b18ea9960f945cabf19a84752e580829347f4ed # v1.5.4 + uses: chainguard-dev/actions/setup-mirror@1b32103f5aa389c31ab0be75a8edc38d7e4750d8 # v1.5.7 with: mirror: mirror.gcr.io @@ -239,4 +239,4 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@7b18ea9960f945cabf19a84752e580829347f4ed # v1.5.4 + uses: chainguard-dev/actions/kind-diag@1b32103f5aa389c31ab0be75a8edc38d7e4750d8 # v1.5.7 diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml index e107b497d38..216c8e36028 100644 --- a/.github/workflows/kind-verify-attestation.yaml +++ b/.github/workflows/kind-verify-attestation.yaml @@ -181,7 +181,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@7b18ea9960f945cabf19a84752e580829347f4ed # v1.5.4 + uses: chainguard-dev/actions/kind-diag@1b32103f5aa389c31ab0be75a8edc38d7e4750d8 # v1.5.7 - name: Create vuln attestation for it run: | diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 268c8cf3cf8..ed3a3fc3ec8 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -184,7 +184,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@7b18ea9960f945cabf19a84752e580829347f4ed # v1.5.4 + uses: chainguard-dev/actions/kind-diag@1b32103f5aa389c31ab0be75a8edc38d7e4750d8 # v1.5.7 e2e-windows-powershell-tests: name: Run PowerShell E2E tests diff --git a/.github/workflows/whitespace.yaml b/.github/workflows/whitespace.yaml index c031bc6ca35..3acbcd924c3 100644 --- a/.github/workflows/whitespace.yaml +++ b/.github/workflows/whitespace.yaml 
@@ -38,8 +38,8 @@ jobs: with: persist-credentials: false - - uses: chainguard-dev/actions/trailing-space@7b18ea9960f945cabf19a84752e580829347f4ed # v1.5.4 + - uses: chainguard-dev/actions/trailing-space@1b32103f5aa389c31ab0be75a8edc38d7e4750d8 # v1.5.7 if: ${{ always() }} - - uses: chainguard-dev/actions/eof-newline@7b18ea9960f945cabf19a84752e580829347f4ed # v1.5.4 + - uses: chainguard-dev/actions/eof-newline@1b32103f5aa389c31ab0be75a8edc38d7e4750d8 # v1.5.7 if: ${{ always() }} From 3c9b15c999f3b6c4babc87f7c09538f1eda04b50 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 22 Oct 2025 15:35:18 +0200 Subject: [PATCH 112/136] chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4484) --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index c7d8d4740df..f2cc88a218c 100644 --- a/go.mod +++ b/go.mod @@ -52,7 +52,7 @@ require ( github.com/theupdateframework/go-tuf/v2 v2.2.0 github.com/transparency-dev/merkle v0.0.2 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 - gitlab.com/gitlab-org/api/client-go v0.154.0 + gitlab.com/gitlab-org/api/client-go v0.157.0 golang.org/x/crypto v0.43.0 golang.org/x/oauth2 v0.31.0 golang.org/x/sync v0.17.0 diff --git a/go.sum b/go.sum index 83f0fe13cd9..5d95bb08565 100644 --- a/go.sum +++ b/go.sum 
@@ -1582,8 +1582,8 @@ github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8u github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI= github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0= github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= -gitlab.com/gitlab-org/api/client-go v0.154.0 h1:RnAozG7ToCunYizz0v+vJEDj/id1dt820vV4mYOrLFw= -gitlab.com/gitlab-org/api/client-go v0.154.0/go.mod h1:CQVoxjEswJZeXft4Mi+H+OF1MVrpNVF6m4xvlPTQ2J4= +gitlab.com/gitlab-org/api/client-go v0.157.0 h1:B+/Ku1ek3V/MInR/SmvL4FOqE0YYx51u7lBVYIHC2ic= +gitlab.com/gitlab-org/api/client-go v0.157.0/go.mod h1:CQVoxjEswJZeXft4Mi+H+OF1MVrpNVF6m4xvlPTQ2J4= go.mongodb.org/mongo-driver v1.17.4 h1:jUorfmVzljjr0FLzYQsGP8cgN/qzzxlY9Vh0C9KFXVw= go.mongodb.org/mongo-driver v1.17.4/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= From f9a9a0b805bf85ab663b55e1e0af8510b0bf954a Mon Sep 17 00:00:00 2001 From: Emily Zheng Date: Tue, 2 Sep 2025 14:59:35 +0800 Subject: [PATCH 113/136] Support multiple container identities With this change, cosign sign can be run only once when an image has multiple pull references. Closes #4330 Signed-off-by: Emily Zheng --- cmd/cosign/cli/options/sign.go | 6 +-- cmd/cosign/cli/sign/sign.go | 79 ++++++++++++++++++++++------------ doc/cosign_sign.md | 2 +- test/e2e_test.go | 38 ++++++++++++++++ 4 files changed, 94 insertions(+), 31 deletions(-) diff --git a/cmd/cosign/cli/options/sign.go b/cmd/cosign/cli/options/sign.go index 0165e13f430..75b9ffc93b8 100644 --- a/cmd/cosign/cli/options/sign.go +++ b/cmd/cosign/cli/options/sign.go @@ -40,7 +40,7 @@ type SignOptions struct { TSAServerName string TSAServerURL string IssueCertificate bool - SignContainerIdentity string + SignContainerIdentities []string RecordCreationTimestamp bool NewBundleFormat bool UseSigningConfig bool 
@@ -137,8 +137,8 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().BoolVar(&o.IssueCertificate, "issue-certificate", false, "issue a code signing certificate from Fulcio, even if a key is provided") - cmd.Flags().StringVar(&o.SignContainerIdentity, "sign-container-identity", "", - "manually set the .critical.docker-reference field for the signed identity, which is useful when image proxies are being used where the pull reference should match the signature") + cmd.Flags().StringSliceVar(&o.SignContainerIdentities, "sign-container-identity", nil, + "manually set the .critical.docker-reference field for the signed identity, which is useful when image proxies are being used where the pull reference should match the signature, this flag is comma delimited. ex: --sign-container-identity=identity1,identity2") cmd.Flags().BoolVar(&o.RecordCreationTimestamp, "record-creation-timestamp", false, "set the createdAt timestamp in the signature artifact to the time it was created; by default, cosign sets this to the zero value") diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go index 443a62fb447..3a39064d9de 100644 --- a/cmd/cosign/cli/sign/sign.go +++ b/cmd/cosign/cli/sign/sign.go 
@@ -196,16 +196,26 @@ func signDigestBundle(ctx context.Context, digest name.Digest, ko options.KeyOpt func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko options.KeyOpts, signOpts options.SignOptions, annotations map[string]interface{}, se oci.SignedEntity) error { var err error + var payloads [][]byte // The payload can be passed to skip generation. if len(payload) == 0 { - payload, err = (&sigPayload.Cosign{ - Image: digest, - ClaimedIdentity: signOpts.SignContainerIdentity, - Annotations: annotations, - }).MarshalJSON() - if err != nil { - return fmt.Errorf("payload: %w", err) + identities := signOpts.SignContainerIdentities + if len(identities) == 0 { + identities = append(identities, "") + } + for _, identity := range identities { + payload, err = (&sigPayload.Cosign{ + Image: digest, + ClaimedIdentity: identity, + Annotations: annotations, + }).MarshalJSON() + if err != nil { + return fmt.Errorf("payload: %w", err) + } + payloads = append(payloads, payload) } + } else { + payloads = append(payloads, payload) } sv, closeSV, err := signcommon.GetSignerVerifier(ctx, signOpts.Cert, signOpts.CertChain, ko) @@ -246,14 +256,21 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti s = irekor.NewSigner(s, rClient) } - ociSig, _, err := s.Sign(ctx, bytes.NewReader(payload)) - if err != nil { - return err - } + ociSigs := make([]oci.Signature, len(payloads)) + b64sigs := make([]string, len(payloads)) - b64sig, err := ociSig.Base64Signature() - if err != nil { - return err + for i, payload := range payloads { + ociSig, _, err := s.Sign(ctx, bytes.NewReader(payload)) + if err != nil { + return err + } + ociSigs[i] = ociSig + + b64sig, err := ociSig.Base64Signature() + if err != nil { + return err + } + b64sigs[i] = b64sig } outputSignature := signOpts.OutputSignature 
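Review bot: In the first hunk of signDigest, when a caller passes a non-empty `payload` the new else branch wraps only that payload and every `--sign-container-identity` value is silently discarded, which the multi-identity flag makes easier to hit. If a pre-generated payload is meant to win, say so in the flag help; otherwise reject the combination up front, e.g. `if len(payload) != 0 && len(signOpts.SignContainerIdentities) > 0 { return fmt.Errorf("--sign-container-identity cannot be combined with a pre-generated payload") }`. In the second hunk `for i, payload := range payloads` shadows that same parameter, which reads fine here but invites confusion later; `for i, p := range payloads` would keep them apart. signDigest continues past this hunk.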
@@ -262,7 +279,7 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti if signOpts.Recursive { outputSignature = fmt.Sprintf("%s-%s", outputSignature, strings.Replace(digest.DigestStr(), ":", "-", 1)) } - if err := os.WriteFile(outputSignature, []byte(b64sig), 0600); err != nil { + if err := os.WriteFile(outputSignature, []byte(strings.Join(b64sigs, "\n")), 0600); err != nil { return fmt.Errorf("create signature file: %w", err) } } @@ -272,7 +289,7 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti if signOpts.Recursive { outputPayload = fmt.Sprintf("%s-%s", outputPayload, strings.Replace(digest.DigestStr(), ":", "-", 1)) } - if err := os.WriteFile(outputPayload, payload, 0600); err != nil { + if err := os.WriteFile(outputPayload, bytes.Join(payloads, []byte("\n")), 0600); err != nil { return fmt.Errorf("create payload file: %w", err) } } @@ -291,16 +308,20 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti } if ko.BundlePath != "" { - signedPayload, err := fetchLocalSignedPayload(ociSig) - if err != nil { - return fmt.Errorf("failed to fetch signed payload: %w", err) - } + var contents [][]byte + for _, ociSig := range ociSigs { + signedPayload, err := fetchLocalSignedPayload(ociSig) + if err != nil { + return fmt.Errorf("failed to fetch signed payload: %w", err) + } - contents, err := json.Marshal(signedPayload) - if err != nil { - return fmt.Errorf("failed to marshal signed payload: %w", err) + content, err := json.Marshal(signedPayload) + if err != nil { + return fmt.Errorf("failed to marshal signed payload: %w", err) + } + contents = append(contents, content) } - if err := os.WriteFile(ko.BundlePath, contents, 0600); err != nil { + if err := os.WriteFile(ko.BundlePath, bytes.Join(contents, []byte("\n")), 0600); err != nil { return fmt.Errorf("create bundle file: %w", err) } ui.Infof(ctx, "Wrote bundle to file %s", ko.BundlePath) 
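Review bot: The bundle written at `ko.BundlePath` in the last hunk stops being a single JSON document as soon as more than one identity is given: `bytes.Join(contents, []byte("\n"))` emits newline-separated objects, and any reader that `json.Unmarshal`s the whole file (the one-object layout this code produced before) will fail on the second object. The `--output-signature` and `--output-payload` files get the same treatment, though newline-joined base64 and compact JSON are at least splittable line by line. Either serialize the collected payloads as one JSON array (e.g. `json.Marshal(signedPayloads)` over a slice built in the loop) so existing consumers still parse a single value, or document the newline-delimited layout in the flag help and `doc/cosign_sign.md` and confirm the verify-side bundle reader, which is outside this diff, accepts it. signDigest's body continues beyond this hunk.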
@@ -311,9 +332,13 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti } // Attach the signature to the entity. - newSE, err := mutate.AttachSignatureToEntity(se, ociSig, mutate.WithDupeDetector(dd), mutate.WithRecordCreationTimestamp(signOpts.RecordCreationTimestamp)) - if err != nil { - return err + var newSE oci.SignedEntity + for _, ociSig := range ociSigs { + newSE, err = mutate.AttachSignatureToEntity(se, ociSig, mutate.WithDupeDetector(dd), mutate.WithRecordCreationTimestamp(signOpts.RecordCreationTimestamp)) + if err != nil { + return err + } + se = newSE } // Publish the signatures associated with this entity diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md index 7aba9c920dd..d505bdbc953 100644 --- a/doc/cosign_sign.md +++ b/doc/cosign_sign.md @@ -109,7 +109,7 @@ cosign sign [flags] --registry-token string registry bearer auth token --registry-username string registry basic auth username --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") - --sign-container-identity string manually set the .critical.docker-reference field for the signed identity, which is useful when image proxies are being used where the pull reference should match the signature + --sign-container-identity strings manually set the .critical.docker-reference field for the signed identity, which is useful when image proxies are being used where the pull reference should match the signature, this flag is comma delimited. ex: --sign-container-identity=identity1,identity2 --signing-config string path to a signing config file. Must provide --new-bundle-format, which will store verification material in the new format --sk whether to use a hardware security key --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management) diff --git a/test/e2e_test.go b/test/e2e_test.go index ac987ab7de5..017aebe319a 100644 --- a/test/e2e_test.go +++ b/test/e2e_test.go 
@@ -3980,3 +3980,41 @@ func TestSignVerifyWithRepoOverride(t *testing.T) { ctx := context.Background() must(cmd.Exec(ctx, []string{imgName}), t) } + +func TestSignVerifyMultipleIdentities(t *testing.T) { + td := t.TempDir() + err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td) + if err != nil { + t.Fatal(err) + } + + repo, stop := reg(t) + defer stop() + + imgName := path.Join(repo, "cosign-e2e") + + _, _, cleanup := mkimage(t, imgName) + defer cleanup() + + _, privKeyPath, pubKeyPath := keypair(t, td) + + // Verify should fail at first + mustErr(verify(pubKeyPath, imgName, true, nil, "", false), t) + + // Now sign the image with multiple container identities + ko := options.KeyOpts{ + KeyRef: privKeyPath, + PassFunc: passFunc, + RekorURL: rekorURL, + SkipConfirmation: true, + } + so := options.SignOptions{ + Upload: true, + TlogUpload: true, + SignContainerIdentities: []string{"registry/cosign-e2e:tag1", "registry/cosign-e2e:tag2"}, + } + must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + + // Now verify should work + must(verify(pubKeyPath, imgName, true, nil, "", false), t) +} From 1861d595ced62232d0be5d2426cee1f08d1a3fe4 Mon Sep 17 00:00:00 2001 From: Joonas Bergius Date: Fri, 24 Oct 2025 10:53:42 -0500 Subject: [PATCH 114/136] Remove stale embed import (#4492) Signed-off-by: Joonas Bergius --- cmd/cosign/cli/initialize/init.go | 1 - 1 file changed, 1 deletion(-) diff --git a/cmd/cosign/cli/initialize/init.go b/cmd/cosign/cli/initialize/init.go index d629550aeb3..29fcbb9221a 100644 --- a/cmd/cosign/cli/initialize/init.go +++ b/cmd/cosign/cli/initialize/init.go @@ -17,7 +17,6 @@ package initialize import ( "context" - _ "embed" // To enable the `go:embed` directive. "encoding/json" "fmt" "os" From 3c5b34b6158cfab9ec54dea7cfc74ffcac599e37 Mon Sep 17 00:00:00 2001 
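Review bot: TestSignVerifyMultipleIdentities never checks that either identity reached a signature: it signs with two `SignContainerIdentities` values and verifies against `imgName`, so it would pass just as well if the identities were dropped and a single default payload were produced (unless verify compares `docker-reference`, which is not visible here). After signing, fetch the attached signatures and assert there are two payloads whose `.critical.identity.docker-reference` values are `registry/cosign-e2e:tag1` and `registry/cosign-e2e:tag2`; the existing e2e helpers or a `cosign download signature` call would do. A third case with a single identity would also pin that the one-identity path is unchanged.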
From: Zach Steindler Date: Fri, 24 Oct 2025 15:40:13 -0400 Subject: [PATCH 115/136] Add protobuf bundle support for tree subcommand (#4491) * Add protobuf bundle support for tree subcommand --------- Signed-off-by: Zach Steindler --- cmd/cosign/cli/options/tree.go | 4 ++-- cmd/cosign/cli/tree.go | 38 ++++++++++++++++++++++------------ doc/cosign_tree.md | 2 +- pkg/oci/remote/write.go | 8 ++++--- test/e2e_test.go | 33 +++++++++++++++++++++++++++++ 5 files changed, 66 insertions(+), 19 deletions(-) diff --git a/cmd/cosign/cli/options/tree.go b/cmd/cosign/cli/options/tree.go index cbd55967749..965b3478a3a 100644 --- a/cmd/cosign/cli/options/tree.go +++ b/cmd/cosign/cli/options/tree.go @@ -29,6 +29,6 @@ func (c *TreeOptions) AddFlags(cmd *cobra.Command) { c.Registry.AddFlags(cmd) c.RegistryExperimental.AddFlags(cmd) - cmd.Flags().BoolVar(&c.ExperimentalOCI11, "experimental-oci11", false, - "set to true to enable experimental OCI 1.1 behaviour") + cmd.Flags().BoolVar(&c.ExperimentalOCI11, "experimental-oci11", true, + "set to false to ignore OCI 1.1 behavior") } diff --git a/cmd/cosign/cli/tree.go b/cmd/cosign/cli/tree.go index 5e3535970cc..6a53081348b 100644 --- a/cmd/cosign/cli/tree.go +++ b/cmd/cosign/cli/tree.go @@ -18,6 +18,7 @@ package cli import ( "context" "fmt" + "io" "os" "github.com/google/go-containerregistry/pkg/name" @@ -37,7 +38,7 @@ func Tree() *cobra.Command { Args: cobra.ExactArgs(1), PersistentPreRun: options.BindViper, RunE: func(cmd *cobra.Command, args []string) error { - return TreeCmd(cmd.Context(), c.Registry, c.RegistryExperimental, c.ExperimentalOCI11, args[0]) + return TreeCmd(cmd.Context(), c.Registry, c.RegistryExperimental, c.ExperimentalOCI11, args[0], cmd.OutOrStdout()) }, } 
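Review bot: Flipping `--experimental-oci11` to default `true` in TreeOptions.AddFlags changes behaviour for every existing `cosign tree` invocation, which will now hit the referrers API on registries that may not implement it; how an unsupported endpoint is handled is not visible in this hunk, so please confirm the lookup degrades to the tag-based listing instead of failing. The new help text `set to false to ignore OCI 1.1 behavior` also no longer says what the flag enables; `"query OCI 1.1 referrers for attached artifacts; set to false to disable"` would be clearer. A flag still named "experimental" that is now on by default deserves a sentence in the commit message or a follow-up rename.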
@@ -50,7 +51,7 @@ type OCIRelationsKey struct { artifactDigest name.Digest } -func TreeCmd(ctx context.Context, regOpts options.RegistryOptions, regExpOpts options.RegistryExperimentalOptions, experimentalOCI11 bool, imageRef string) error { +func TreeCmd(ctx context.Context, regOpts options.RegistryOptions, regExpOpts options.RegistryExperimentalOptions, experimentalOCI11 bool, imageRef string, out io.Writer) error { scsaMap := map[name.Tag][]v1.Layer{} ociRelationsMap := map[OCIRelationsKey][]v1.Layer{} @@ -63,7 +64,7 @@ func TreeCmd(ctx context.Context, regOpts options.RegistryOptions, regExpOpts op if err != nil { return err } - fmt.Fprintf(os.Stdout, "📦 Supply Chain Security Related artifacts for an image: %s\n", ref.String()) + fmt.Fprintf(out, "📦 Supply Chain Security Related artifacts for an image: %s\n", ref.String()) simg, err := ociremote.SignedEntity(ref, remoteOpts...) if err != nil { @@ -151,6 +152,17 @@ func TreeCmd(ctx context.Context, regOpts options.RegistryOptions, regExpOpts op continue } + artifactType := manifest.ArtifactType + // Check if we are using protobuf bundle, + // and if so update artifactType to the bundle predicate + imageManifest, err := artifactImage.Manifest() + if err == nil { + val, ok := imageManifest.Annotations[ociremote.BundlePredicateType] + if ok { + artifactType = val + } + } + // Get layers for this artifact layers, err := artifactImage.Layers() if err != nil { 
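Review bot: In the `@@ -151` hunk the error from `artifactImage.Manifest()` is swallowed by `if err == nil` with no comment, so a reader cannot tell whether falling through to `manifest.ArtifactType` is deliberate or an oversight. If it is a best-effort lookup, say so: `// Best effort: if the referrer manifest cannot be read, keep the ArtifactType from the referrers index.` Note that the annotation value, when present, fully replaces the type reported by the index; if the two ever disagree the index value is lost, which may be what you want but is worth a line of comment too. TreeCmd continues past this hunk.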
@@ -159,13 +171,13 @@ func TreeCmd(ctx context.Context, regOpts options.RegistryOptions, regExpOpts op } // Add to the map - key := OCIRelationsKey{manifest.ArtifactType, artifactRef} + key := OCIRelationsKey{artifactType, artifactRef} ociRelationsMap[key] = append(ociRelationsMap[key], layers...) } } if len(scsaMap) == 0 && len(ociRelationsMap) == 0 { - fmt.Fprintf(os.Stdout, "No Supply Chain Security Related Artifacts found for image %s,\n start creating one with simply running"+ + fmt.Fprintf(out, "No Supply Chain Security Related Artifacts found for image %s,\n start creating one with simply running"+ "$ cosign sign ", ref.String()) return nil } @@ -173,14 +185,14 @@ func TreeCmd(ctx context.Context, regOpts options.RegistryOptions, regExpOpts op for t, k := range scsaMap { switch t { case sigRef: - fmt.Fprintf(os.Stdout, "└── 🔐 Signatures for an image tag: %s\n", t.String()) + fmt.Fprintf(out, "└── 🔐 Signatures for an image tag: %s\n", t.String()) case sbomRef: - fmt.Fprintf(os.Stdout, "└── 📦 SBOMs for an image tag: %s\n", t.String()) + fmt.Fprintf(out, "└── 📦 SBOMs for an image tag: %s\n", t.String()) case attRef: - fmt.Fprintf(os.Stdout, "└── 💾 Attestations for an image tag: %s\n", t.String()) + fmt.Fprintf(out, "└── 💾 Attestations for an image tag: %s\n", t.String()) } - if err := printLayers(k); err != nil { + if err := printLayers(k, out); err != nil { return err } } @@ -190,8 +202,8 @@ func TreeCmd(ctx context.Context, regOpts options.RegistryOptions, regExpOpts op // TODO - We could apply different emojis here for different values of key.artifactType - fmt.Fprintf(os.Stdout, "└── %s %s artifacts via OCI referrer: %s\n", emoji, key.artifactType, key.artifactDigest) - if err := printLayers(layers); err != nil { + fmt.Fprintf(out, "└── %s %s artifacts via OCI referrer: %s\n", emoji, key.artifactType, key.artifactDigest) + if err := printLayers(layers, out); err != nil { return err } } 
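Review bot: `key.artifactType`, printed verbatim by `fmt.Fprintf(out, "└── %s %s artifacts via OCI referrer: %s\n", ...)` in the `@@ -190` hunk, can now come from the `dev.sigstore.bundle.predicateType` annotation of a referrer manifest, i.e. from anyone able to push to the repository; a value carrying ANSI escapes or a newline can forge or hide lines in output people use to eyeball what is attached to an image. Quote it or strip control characters before printing, e.g. `fmt.Fprintf(out, "└── %s %q artifacts via OCI referrer: %s\n", emoji, key.artifactType, key.artifactDigest)`, or a `strings.Map` that drops `unicode.IsControl` runes if the quotes are unwanted. The same applies to `manifest.ArtifactType`, which this line already printed before the change.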
@@ -199,7 +211,7 @@ func TreeCmd(ctx context.Context, regOpts options.RegistryOptions, regExpOpts op return nil } -func printLayers(layers []v1.Layer) error { +func printLayers(layers []v1.Layer, out io.Writer) error { for i, l := range layers { last := i == len(layers)-1 var sym string @@ -212,7 +224,7 @@ func printLayers(layers []v1.Layer) error { if err != nil { return err } - fmt.Printf("%s 🍒 %s\n", sym, digest) + fmt.Fprintf(out, "%s 🍒 %s\n", sym, digest) } return nil } diff --git a/doc/cosign_tree.md b/doc/cosign_tree.md index fc005d9c244..c272a7a675e 100644 --- a/doc/cosign_tree.md +++ b/doc/cosign_tree.md @@ -18,7 +18,7 @@ cosign tree [flags] --allow-http-registry whether to allow using HTTP protocol while connecting to registries. Don't use this for anything but testing --allow-insecure-registry whether to allow insecure connections to registries (e.g., with expired or self-signed TLS certificates). Don't use this for anything but testing --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] - --experimental-oci11 set to true to enable experimental OCI 1.1 behaviour + --experimental-oci11 set to false to ignore OCI 1.1 behavior (default true) -h, --help help for tree --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry diff --git a/pkg/oci/remote/write.go b/pkg/oci/remote/write.go index b67dd376277..8d1050bd367 100644 --- a/pkg/oci/remote/write.go +++ b/pkg/oci/remote/write.go 
@@ -33,6 +33,8 @@ import ( sgbundle "github.com/sigstore/sigstore-go/pkg/bundle" ) +const BundlePredicateType string = "dev.sigstore.bundle.predicateType" + // WriteSignedImageIndexImages writes the images within the image index // This includes the signed image and associated signatures in the image index // TODO (priyawadhwa@): write the `index.json` itself to the repo as well @@ -322,9 +324,9 @@ func WriteAttestationNewBundleFormat(d name.Digest, bundleBytes []byte, predicat layer := static.NewLayer(bundleBytes, types.MediaType(bundleMediaType)) annotations := map[string]string{ - "org.opencontainers.image.created": time.Now().UTC().Format(time.RFC3339), - "dev.sigstore.bundle.content": "dsse-envelope", - "dev.sigstore.bundle.predicateType": predicateType, + "org.opencontainers.image.created": time.Now().UTC().Format(time.RFC3339), + "dev.sigstore.bundle.content": "dsse-envelope", + BundlePredicateType: predicateType, } return WriteReferrer(d, bundleMediaType, []v1.Layer{layer}, annotations, opts...) diff --git a/test/e2e_test.go b/test/e2e_test.go index 017aebe319a..2f5a2fd925c 100644 --- a/test/e2e_test.go +++ b/test/e2e_test.go 
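Review bot: The new exported constant `BundlePredicateType` in pkg/oci/remote/write.go has no doc comment, and since it is now the contract between this writer and the lookup in `cosign tree`, it should say what the key carries: `// BundlePredicateType is the annotation key on a referrer manifest that records the in-toto predicate type of the attached Sigstore bundle.` For symmetry the `dev.sigstore.bundle.content` key on the next line could become a sibling constant so the two annotations cannot drift apart.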
@@ -4018,3 +4018,36 @@ func TestSignVerifyMultipleIdentities(t *testing.T) { // Now verify should work must(verify(pubKeyPath, imgName, true, nil, "", false), t) } + +func TestTree(t *testing.T) { + repo, stop := reg(t) + defer stop() + + imgName := path.Join(repo, "tree") + _, _, cleanup := mkimage(t, imgName) + defer cleanup() + + // Test out tree command before + ctx := context.Background() + regOpts := options.RegistryOptions{} + regExpOpts := options.RegistryExperimentalOptions{} + out := bytes.Buffer{} + + must(cli.TreeCmd(ctx, regOpts, regExpOpts, true, imgName, &out), t) + assert.False(t, strings.Contains(out.String(), "https://sigstore.dev/cosign/sign/v1")) + + // Sign the image + td := t.TempDir() + _, privKeyPath, _ := keypair(t, td) + ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} + so := options.SignOptions{ + NewBundleFormat: true, + } + + must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + + // Test out tree command after sign + out.Reset() + must(cli.TreeCmd(ctx, regOpts, regExpOpts, true, imgName, &out), t) + assert.True(t, strings.Contains(out.String(), "https://sigstore.dev/cosign/sign/v1")) +} From 9ab3a732106263486bbcb8b0c3904c6399c890fb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 24 Oct 2025 17:27:11 -0400 Subject: [PATCH 116/136] chore(deps): bump github.com/buildkite/agent/v3 from 3.108.0 to 3.109.1 (#4483) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.108.0 to 3.109.1. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](https://github.com/buildkite/agent/compare/v3.108.0...v3.109.1) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.109.1 dependency-type: direct:production update-type: version-update:semver-minor ... 
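Review bot: A point of style in TestTree: `assert.False(t, strings.Contains(out.String(), ...))` and its `assert.True` twin fail with a bare "Should be false" and hide the output; if `assert` is testify, `assert.NotContains(t, out.String(), "https://sigstore.dev/cosign/sign/v1")` and `assert.Contains(...)` print the haystack on failure. The test also exercises only `experimentalOCI11=true`; a second `TreeCmd` call with `false` after signing would pin the tag-based path this commit leaves in place.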
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 36 ++++++++++++++--------------- go.sum | 72 +++++++++++++++++++++++++++++----------------------------- 2 files changed, 54 insertions(+), 54 deletions(-) diff --git a/go.mod b/go.mod index f2cc88a218c..b31e371cb85 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,7 @@ require ( cuelang.org/go v0.14.2 github.com/ThalesIgnite/crypto11 v1.2.5 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 - github.com/buildkite/agent/v3 v3.108.0 + github.com/buildkite/agent/v3 v3.110.0 github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936 @@ -54,7 +54,7 @@ require ( github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 gitlab.com/gitlab-org/api/client-go v0.157.0 golang.org/x/crypto v0.43.0 - golang.org/x/oauth2 v0.31.0 + golang.org/x/oauth2 v0.32.0 golang.org/x/sync v0.17.0 golang.org/x/term v0.36.0 google.golang.org/api v0.252.0 @@ -83,7 +83,7 @@ require ( github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 // indirect github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1 // indirect - github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 // indirect 
@@ -116,22 +116,22 @@ require ( github.com/aliyun/credentials-go v1.3.2 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect github.com/aws/aws-sdk-go v1.55.8 // indirect - github.com/aws/aws-sdk-go-v2 v1.39.2 // indirect - github.com/aws/aws-sdk-go-v2/config v1.31.11 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.18.15 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.9 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect + github.com/aws/aws-sdk-go-v2 v1.39.3 // indirect + github.com/aws/aws-sdk-go-v2/config v1.31.13 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.18.17 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.10 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.10 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.10 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 // indirect github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.9 // indirect - github.com/aws/aws-sdk-go-v2/service/kms v1.45.6 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.29.5 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.1 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.38.6 // indirect - github.com/aws/smithy-go v1.23.0 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.10 // indirect + github.com/aws/aws-sdk-go-v2/service/kms v1.46.0 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.29.7 // 
indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.2 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.38.7 // indirect + github.com/aws/smithy-go v1.23.1 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver v3.5.1+incompatible // indirect github.com/buildkite/go-pipeline v0.16.0 // indirect @@ -308,7 +308,7 @@ require ( go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect golang.org/x/mod v0.28.0 // indirect - golang.org/x/net v0.45.0 // indirect + golang.org/x/net v0.46.0 // indirect golang.org/x/sys v0.37.0 // indirect golang.org/x/text v0.30.0 // indirect golang.org/x/time v0.13.0 // indirect diff --git a/go.sum b/go.sum index 5d95bb08565..c34b4436127 100644 --- a/go.sum +++ b/go.sum @@ -637,8 +637,8 @@ github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1 h1:5YTBM8QDVIBN3sxBil89WfdAAqDZbyJTgh688DSxX5w= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1/go.mod h1:YD5h/ldMsG0XiIw7PdyNhLxaM317eFh5yNLccNfGdyw= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0 h1:wL5IEG5zb7BVv1Kv0Xm92orq+5hB5Nipn3B5tn4Rqfk= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0/go.mod h1:J7MUC/wtRpfGVbQ5sIItY5/FuVWmvzlY21WAOfQnq/I= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0 h1:KpMC6LFL7mqpExyMC9jVOYRiVhLmamjeZfRsUpB7l4s= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0/go.mod h1:J7MUC/wtRpfGVbQ5sIItY5/FuVWmvzlY21WAOfQnq/I= github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY= github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8= github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA= 
@@ -757,38 +757,38 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/aws/aws-sdk-go v1.55.8 h1:JRmEUbU52aJQZ2AjX4q4Wu7t4uZjOu71uyNmaWlUkJQ= github.com/aws/aws-sdk-go v1.55.8/go.mod h1:ZkViS9AqA6otK+JBBNH2++sx1sgxrPKcSzPPvQkUtXk= -github.com/aws/aws-sdk-go-v2 v1.39.2 h1:EJLg8IdbzgeD7xgvZ+I8M1e0fL0ptn/M47lianzth0I= -github.com/aws/aws-sdk-go-v2 v1.39.2/go.mod h1:sDioUELIUO9Znk23YVmIk86/9DOpkbyyVb1i/gUNFXY= -github.com/aws/aws-sdk-go-v2/config v1.31.11 h1:6QOO1mP0MgytbfKsL/r/gE1P6/c/4pPzrrU3hKxa5fs= -github.com/aws/aws-sdk-go-v2/config v1.31.11/go.mod h1:KzpDsPX/dLxaUzoqM3sN2NOhbQIW4HW/0W8rQA1YFEs= -github.com/aws/aws-sdk-go-v2/credentials v1.18.15 h1:Gqy7/05KEfUSulSvwxnB7t8DuZMR3ShzNcwmTD6HOLU= -github.com/aws/aws-sdk-go-v2/credentials v1.18.15/go.mod h1:VWDWSRpYHjcjURRaQ7NUzgeKFN8Iv31+EOMT/W+bFyc= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.9 h1:Mv4Bc0mWmv6oDuSWTKnk+wgeqPL5DRFu5bQL9BGPQ8Y= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.9/go.mod h1:IKlKfRppK2a1y0gy1yH6zD+yX5uplJ6UuPlgd48dJiQ= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9 h1:se2vOWGD3dWQUtfn4wEjRQJb1HK1XsNIt825gskZ970= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9/go.mod h1:hijCGH2VfbZQxqCDN7bwz/4dzxV+hkyhjawAtdPWKZA= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 h1:6RBnKZLkJM4hQ+kN6E7yWFveOTg8NLPHAkqrs4ZPlTU= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9/go.mod h1:V9rQKRmK7AWuEsOMnHzKj8WyrIir1yUJbZxDuZLFvXI= -github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo= -github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo= +github.com/aws/aws-sdk-go-v2 v1.39.3 h1:h7xSsanJ4EQJXG5iuW4UqgP7qBopLpj84mpkNx3wPjM= +github.com/aws/aws-sdk-go-v2 v1.39.3/go.mod 
h1:yWSxrnioGUZ4WVv9TgMrNUeLV3PFESn/v+6T/Su8gnM= +github.com/aws/aws-sdk-go-v2/config v1.31.13 h1:wcqQB3B0PgRPUF5ZE/QL1JVOyB0mbPevHFoAMpemR9k= +github.com/aws/aws-sdk-go-v2/config v1.31.13/go.mod h1:ySB5D5ybwqGbT6c3GszZ+u+3KvrlYCUQNo62+hkKOFk= +github.com/aws/aws-sdk-go-v2/credentials v1.18.17 h1:skpEwzN/+H8cdrrtT8y+rvWJGiWWv0DeNAe+4VTf+Vs= +github.com/aws/aws-sdk-go-v2/credentials v1.18.17/go.mod h1:Ed+nXsaYa5uBINovJhcAWkALvXw2ZLk36opcuiSZfJM= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.10 h1:UuGVOX48oP4vgQ36oiKmW9RuSeT8jlgQgBFQD+HUiHY= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.10/go.mod h1:vM/Ini41PzvudT4YkQyE/+WiQJiQ6jzeDyU8pQKwCac= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.10 h1:mj/bdWleWEh81DtpdHKkw41IrS+r3uw1J/VQtbwYYp8= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.10/go.mod h1:7+oEMxAZWP8gZCyjcm9VicI0M61Sx4DJtcGfKYv2yKQ= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.10 h1:wh+/mn57yhUrFtLIxyFPh2RgxgQz/u+Yrf7hiHGHqKY= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.10/go.mod h1:7zirD+ryp5gitJJ2m1BBux56ai8RIRDykXZrJSp540w= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc= github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 h1:Bwzh202Aq7/MYnAjXA9VawCf6u+hjwMdoYmZ4HYsdf8= github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1/go.mod h1:xZzWl9AXYa6zsLLH41HBFW8KRKJRIzlGmvSM0mVMIX4= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 h1:XJ/AEFYj9VFPJdF+VFi4SUPEDfz1akHwxxm07JfZJcs= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2/go.mod h1:JUBHdhvKbbKmhaHjLsKJAWnQL80T6nURmhB/LEprV+4= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 h1:oegbebPEMA/1Jny7kvwejowCaHz1FWZAQ94WXFNCyTM= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1/go.mod h1:kemo5Myr9ac0U9JfSjMo9yHLtw+pECEHsFtJ9tqCEI8= 
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.9 h1:5r34CgVOD4WZudeEKZ9/iKpiT6cM1JyEROpXjOcdWv8= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.9/go.mod h1:dB12CEbNWPbzO2uC6QSWHteqOg4JfBVJOojbAoAUb5I= -github.com/aws/aws-sdk-go-v2/service/kms v1.45.6 h1:Br3kil4j7RPW+7LoLVkYt8SuhIWlg6ylmbmzXJ7PgXY= -github.com/aws/aws-sdk-go-v2/service/kms v1.45.6/go.mod h1:FKXkHzw1fJZtg1P1qoAIiwen5thz/cDRTTDCIu8ljxc= -github.com/aws/aws-sdk-go-v2/service/sso v1.29.5 h1:WwL5YLHabIBuAlEKRoLgqLz1LxTvCEpwsQr7MiW/vnM= -github.com/aws/aws-sdk-go-v2/service/sso v1.29.5/go.mod h1:5PfYspyCU5Vw1wNPsxi15LZovOnULudOQuVxphSflQA= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.1 h1:5fm5RTONng73/QA73LhCNR7UT9RpFH3hR6HWL6bIgVY= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.1/go.mod h1:xBEjWD13h+6nq+z4AkqSfSvqRKFgDIQeaMguAJndOWo= -github.com/aws/aws-sdk-go-v2/service/sts v1.38.6 h1:p3jIvqYwUZgu/XYeI48bJxOhvm47hZb5HUQ0tn6Q9kA= -github.com/aws/aws-sdk-go-v2/service/sts v1.38.6/go.mod h1:WtKK+ppze5yKPkZ0XwqIVWD4beCwv056ZbPQNoeHqM8= -github.com/aws/smithy-go v1.23.0 h1:8n6I3gXzWJB2DxBDnfxgBaSX6oe0d/t10qGz7OKqMCE= -github.com/aws/smithy-go v1.23.0/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2 h1:xtuxji5CS0JknaXoACOunXOYOQzgfTvGAc9s2QdCJA4= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2/go.mod h1:zxwi0DIR0rcRcgdbl7E2MSOvxDyyXGBlScvBkARFaLQ= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.10 h1:DRND0dkCKtJzCj4Xl4OpVbXZgfttY5q712H9Zj7qc/0= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.10/go.mod h1:tGGNmJKOTernmR2+VJ0fCzQRurcPZj9ut60Zu5Fi6us= +github.com/aws/aws-sdk-go-v2/service/kms v1.46.0 h1:vSXYridw+tT3AHuK1PWdJto2qEc30/wG/fm8dmCHHis= +github.com/aws/aws-sdk-go-v2/service/kms v1.46.0/go.mod h1:YXPskkMuiMgp6qUG96NSTl7UpideOQT/Kx0u9Y1MKn0= +github.com/aws/aws-sdk-go-v2/service/sso v1.29.7 
h1:fspVFg6qMx0svs40YgRmE7LZXh9VRZvTT35PfdQR6FM= +github.com/aws/aws-sdk-go-v2/service/sso v1.29.7/go.mod h1:BQTKL3uMECaLaUV3Zc2L4Qybv8C6BIXjuu1dOPyxTQs= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.2 h1:scVnW+NLXasGOhy7HhkdT9AGb6kjgW7fJ5xYkUaqHs0= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.2/go.mod h1:FRNCY3zTEWZXBKm2h5UBUPvCVDOecTad9KhynDyGBc0= +github.com/aws/aws-sdk-go-v2/service/sts v1.38.7 h1:VEO5dqFkMsl8QZ2yHsFDJAIZLAkEbaYDB+xdKi0Feic= +github.com/aws/aws-sdk-go-v2/service/sts v1.38.7/go.mod h1:L1xxV3zAdB+qVrVW/pBIrIAnHFWHo6FBbFe4xOGsG/o= +github.com/aws/smithy-go v1.23.1 h1:sLvcH6dfAFwGkHLZ7dGiYF7aK6mg4CgKA/iDKjLDt9M= +github.com/aws/smithy-go v1.23.1/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 h1:6lMw4/QGLFPvbKQ0eri/9Oh3YX5Nm6BPrUlZR8yuJHg= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1/go.mod h1:EVJOSYOVeoD3VFFZ/dWCAzWJp5wZr9lTOCjW8ejAmO0= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -797,8 +797,8 @@ github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdn github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= -github.com/buildkite/agent/v3 v3.108.0 h1:4ChSnFOPQxvecQ/A9MD74MAfGivMfwY+8YSouiZusPI= -github.com/buildkite/agent/v3 v3.108.0/go.mod h1:QXR5Q7CsIuqPgrtTCW4KsK4xLdY43eGWW6wsYaHiNk8= +github.com/buildkite/agent/v3 v3.110.0 h1:fcNbcaIRnC8Q4545mXqFSmQCWUxZCNUJrvbyHgYUOz0= +github.com/buildkite/agent/v3 v3.110.0/go.mod h1:ynBDBI5OcKElHKHtsxEVeHctG54MKxUZ9dRHqXI+6Jk= github.com/buildkite/go-pipeline v0.16.0 h1:wEgWUMRAgSg1ZnWOoA3AovtYYdTvN0dLY1zwUWmPP+4= github.com/buildkite/go-pipeline v0.16.0/go.mod h1:VE37qY3X5pmAKKUMoDZvPsHOQuyakB9cmXj9Qn6QasA= github.com/buildkite/interpolate v0.1.5 h1:v2Ji3voik69UZlbfoqzx+qfcsOKLA61nHdU79VV+tPU= 
@@ -1783,8 +1783,8 @@ golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= -golang.org/x/net v0.45.0 h1:RLBg5JKixCy82FtLJpeNlVM0nrSqpCRYzVU1n8kj0tM= -golang.org/x/net v0.45.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY= +golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4= +golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -1814,8 +1814,8 @@ golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I= golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw= golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4= -golang.org/x/oauth2 v0.31.0 h1:8Fq0yVZLh4j4YA47vHKFTa9Ew5XIrCP8LC6UeNZnLxo= -golang.org/x/oauth2 v0.31.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= +golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY= +golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
From d470294ce624070fb765ff2654b003bc8e71f767 Mon Sep 17 00:00:00 2001 From: Colleen Murphy Date: Tue, 21 Oct 2025 17:33:10 -0700 Subject: [PATCH 117/136] Pass insecure registry flags through to referrers Also updates the registry tests to use TUF so that they can be re-used for both the legacy format and protobuf bundle format. Signed-off-by: Colleen Murphy --- .github/workflows/e2e-tests.yml | 18 ++++ cmd/cosign/cli/attest/attest.go | 4 + cmd/cosign/cli/sign/sign.go | 3 + cmd/cosign/cli/verify/verify.go | 7 +- cmd/cosign/cli/verify/verify_attestation.go | 7 +- pkg/cosign/verify.go | 12 +-- pkg/oci/remote/write.go | 7 +- test/e2e_insecure_registry_test.go | 114 +++++++++++++++++++- 8 files changed, 154 insertions(+), 18 deletions(-) diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index eb5e59c4769..e7707c6032a 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -186,6 +186,7 @@ jobs: run: go test -tags=e2e,registry -v ./test/... env: COSIGN_TEST_REPO: insecure-registry.notlocal:5001 + TUF_ROOT_JSON: ${{ github.workspace }}/root.json - name: Setup local insecure OCI 1.1 registry run: | @@ -236,6 +237,23 @@ jobs: env: OCI11: yes COSIGN_TEST_REPO: insecure-oci-registry.notlocal:5002 + TUF_ROOT_JSON: ${{ github.workspace }}/root.json + + - name: Set up local HTTP registry + run: | + docker run -d --restart=always \ + --name $HTTP_REGISTRY_NAME \ + -p $HTTP_REGISTRY_PORT:5000 registry:2.8.1 + sudo echo "127.0.0.1 $HTTP_REGISTRY_NAME" | sudo tee -a /etc/hosts + env: + HTTP_REGISTRY_NAME: http-registry.notlocal + HTTP_REGISTRY_PORT: 5003 + + - name: Run HTTP registry tests + run: go test -tags=e2e,registry -v ./test/... + env: + COSIGN_TEST_REPO: http-registry.notlocal:5003 + TUF_ROOT_JSON: ${{ github.workspace }}/root.json - name: Collect diagnostics if: ${{ failure() }} diff --git a/cmd/cosign/cli/attest/attest.go b/cmd/cosign/cli/attest/attest.go index 4f17f0ae578..695f8d8c128 100644 
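Review bot: In the new "Set up local HTTP registry" step, `sudo echo "127.0.0.1 $HTTP_REGISTRY_NAME" | sudo tee -a /etc/hosts` runs echo under sudo for no effect; only `tee` needs root, so `echo "127.0.0.1 $HTTP_REGISTRY_NAME" | sudo tee -a /etc/hosts` is enough. The `registry:2.8.1` image is pulled by mutable tag; pinning it by digest (`registry:2.8.1@sha256:<digest>`, digest to be filled in) keeps the test registry immutable across CI runs and is the usual expectation for a signing project's own pipeline. `TUF_ROOT_JSON: ${{ github.workspace }}/root.json` is now set for three steps but nothing in this hunk shows which step writes `root.json`; a comment on the first occurrence naming that step would help the next reader.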
--- a/cmd/cosign/cli/attest/attest.go +++ b/cmd/cosign/cli/attest/attest.go @@ -22,6 +22,7 @@ import ( "fmt" "time" + "github.com/google/go-containerregistry/pkg/name" v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" @@ -86,6 +87,9 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error { if err != nil { return err } + if c.RegistryOptions.AllowHTTPRegistry || c.RegistryOptions.AllowInsecure { + ociremoteOpts = append(ociremoteOpts, ociremote.WithNameOptions(name.Insecure)) + } digest, err := ociremote.ResolveDigest(ref, ociremoteOpts...) if err != nil { return err diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go index 3a39064d9de..f9c1761a2e9 100644 --- a/cmd/cosign/cli/sign/sign.go +++ b/cmd/cosign/cli/sign/sign.go @@ -179,6 +179,9 @@ func signDigestBundle(ctx context.Context, digest name.Digest, ko options.KeyOpt if err != nil { return fmt.Errorf("constructing client options: %w", err) } + if regOpts.AllowHTTPRegistry || regOpts.AllowInsecure { + ociremoteOpts = append(ociremoteOpts, ociremote.WithNameOptions(name.Insecure)) + } if ko.SigningConfig != nil { return signcommon.WriteNewBundleWithSigningConfig(ctx, ko, signOpts.Cert, signOpts.CertChain, payload, digest, types.CosignSignPredicateType, "", ko.SigningConfig, ko.TrustedMaterial, ociremoteOpts...) diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go index 3607466dfc8..9f8427863aa 100644 --- a/cmd/cosign/cli/verify/verify.go +++ b/cmd/cosign/cli/verify/verify.go @@ -109,6 +109,9 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { if err != nil { return fmt.Errorf("constructing client options: %w", err) } + if c.AllowHTTPRegistry || c.AllowInsecure { + c.NameOptions = append(c.NameOptions, name.Insecure) + } co := &cosign.CheckOpts{ Annotations: c.Annotations.Annotations, 
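Review bot: The block `if c.RegistryOptions.AllowHTTPRegistry || c.RegistryOptions.AllowInsecure { ociremoteOpts = append(ociremoteOpts, ociremote.WithNameOptions(name.Insecure)) }` added in `@@ -86,6 +87,9 @@` is repeated in `signDigestBundle` (sign.go), `VerifyCommand.Exec` (verify.go) and `VerifyAttestationCommand.Exec` (verify_attestation.go), each with a slightly different target (`ociremoteOpts` vs `c.NameOptions`); a single method on `options.RegistryOptions` that returns the `name.Option` slice, or folding it into whatever builds `ociremoteOpts` (the call reporting "constructing client options"), would keep the four sites from drifting. Mapping `AllowInsecure` to `name.Insecure` also widens that flag: if it previously only relaxed TLS verification, it now additionally lets references fall back to plaintext HTTP, so either the flag help should say so or only `AllowHTTPRegistry` should set `name.Insecure`. In verify.go and verify_attestation.go the append mutates `c.NameOptions` on the command struct, so calling `Exec` twice on the same command appends a duplicate option; harmless for parsing but worth a one-line comment. All four enclosing functions start before their hunks.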
@@ -134,7 +137,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { if !c.LocalImage { ref, err := name.ParseReference(images[0], c.NameOptions...) if err == nil && c.NewBundleFormat { - newBundles, _, err := cosign.GetBundles(ctx, ref, co) + newBundles, _, err := cosign.GetBundles(ctx, ref, co, c.NameOptions...) if len(newBundles) == 0 || err != nil { co.NewBundleFormat = false } @@ -209,7 +212,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { if co.NewBundleFormat { // OCI bundle always contains attestation - verified, bundleVerified, err = cosign.VerifyImageAttestations(ctx, ref, co) + verified, bundleVerified, err = cosign.VerifyImageAttestations(ctx, ref, co, c.NameOptions...) if err != nil { return err } diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go index f1d3719eeeb..781626f202b 100644 --- a/cmd/cosign/cli/verify/verify_attestation.go +++ b/cmd/cosign/cli/verify/verify_attestation.go @@ -98,6 +98,9 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e if err != nil { return fmt.Errorf("constructing client options: %w", err) } + if c.AllowHTTPRegistry || c.AllowInsecure { + c.NameOptions = append(c.NameOptions, name.Insecure) + } co := &cosign.CheckOpts{ RegistryClientOpts: ociremoteOpts, @@ -119,7 +122,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e if !c.LocalImage { ref, err := name.ParseReference(images[0], c.NameOptions...) if err == nil && c.NewBundleFormat { - newBundles, _, err := cosign.GetBundles(ctx, ref, co) + newBundles, _, err := cosign.GetBundles(ctx, ref, co, c.NameOptions...) if len(newBundles) == 0 || err != nil { co.NewBundleFormat = false } 
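Review bot: In `@@ -134,7 +137,7 @@` (and the matching `@@ -119,7 +122,7 @@` in verify_attestation.go) the error from `cosign.GetBundles(ctx, ref, co, c.NameOptions...)` is used only to set `co.NewBundleFormat = false`, so a transport, auth or scheme failure on the referrers lookup silently downgrades verification to the legacy signature path instead of surfacing; that fallback predates this change, but now that the lookup also depends on the insecure name options it is worth logging the error before falling back, using the same `ui.Infof`-style call the project uses elsewhere if that package is in scope here. The `:=` inside the `if` also shadows the outer `err` from `name.ParseReference` rather than assigning it, which reads as accidental; confirm it is deliberate. Both `Exec` functions continue outside the hunks.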
@@ -182,7 +185,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 return err
 }
- verified, bundleVerified, err = cosign.VerifyImageAttestations(ctx, ref, co)
+ verified, bundleVerified, err = cosign.VerifyImageAttestations(ctx, ref, co, c.NameOptions...)
 if err != nil {
 return err
 }
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
index 0475086afd9..f4755934d53 100644
--- a/pkg/cosign/verify.go
+++ b/pkg/cosign/verify.go
@@ -1013,13 +1013,13 @@ func loadSignatureFromFile(ctx context.Context, sigRef string, signedImgRef name
 // VerifyImageAttestations does all the main cosign checks in a loop, returning the verified attestations.
 // If there were no valid attestations, we return an error.
-func VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error) {
+func VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *CheckOpts, nameOpts ...name.Option) (checkedAttestations []oci.Signature, bundleVerified bool, err error) {
 // Enforce this up front.
 if co.RootCerts == nil && co.SigVerifier == nil && co.TrustedMaterial == nil {
 return nil, false, errors.New("one of verifier, root certs, or TrustedMaterial is required")
 }
 if co.NewBundleFormat {
- return verifyImageAttestationsSigstoreBundle(ctx, signedImgRef, co)
+ return verifyImageAttestationsSigstoreBundle(ctx, signedImgRef, co, nameOpts...)
 }
 // This is a carefully optimized sequence for fetching the attestations of
@@ -1621,7 +1621,7 @@ func verifyImageSignaturesExperimentalOCI(ctx context.Context, signedImgRef name
 return verifySignatures(ctx, sigs, h, co)
 }
-func GetBundles(_ context.Context, signedImgRef name.Reference, co *CheckOpts) ([]*sgbundle.Bundle, *v1.Hash, error) {
+func GetBundles(_ context.Context, signedImgRef name.Reference, co *CheckOpts, nameOpts ...name.Option) ([]*sgbundle.Bundle, *v1.Hash, error) {
 // This is a carefully optimized sequence for fetching the signatures of the
 // entity that minimizes registry requests when supplied with a digest input
 digest, err := ociremote.ResolveDigest(signedImgRef, co.RegistryClientOpts...)
@@ -1644,7 +1644,7 @@ func GetBundles(_ context.Context, signedImgRef name.Reference, co *CheckOpts) (
 }
 var bundles = make([]*sgbundle.Bundle, 0, len(index.Manifests))
 for _, result := range index.Manifests {
- st, err := name.ParseReference(fmt.Sprintf("%s@%s", digest.Repository, result.Digest.String()))
+ st, err := name.ParseReference(fmt.Sprintf("%s@%s", digest.Repository, result.Digest.String()), nameOpts...)
 if err != nil {
 return nil, nil, err
 }
@@ -1667,8 +1667,8 @@ func GetBundles(_ context.Context, signedImgRef name.Reference, co *CheckOpts) (
 }
 // verifyImageAttestationsSigstoreBundle verifies attestations from attached sigstore bundles
-func verifyImageAttestationsSigstoreBundle(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedAttestations []oci.Signature, atLeastOneBundleVerified bool, err error) {
- bundles, hash, err := GetBundles(ctx, signedImgRef, co)
+func verifyImageAttestationsSigstoreBundle(ctx context.Context, signedImgRef name.Reference, co *CheckOpts, nameOpts ...name.Option) (checkedAttestations []oci.Signature, atLeastOneBundleVerified bool, err error) {
+ bundles, hash, err := GetBundles(ctx, signedImgRef, co, nameOpts...)
 if err != nil {
 return nil, false, err
 }
diff --git a/pkg/oci/remote/write.go b/pkg/oci/remote/write.go
index 8d1050bd367..c612759212c 100644
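Review bot: `GetBundles` is exported and gains `nameOpts ...name.Option` in `@@ -1621,7 +1621,7 @@` but has no doc comment, and the `VerifyImageAttestations` comment above its new signature does not mention the parameter either; since the options only affect the `name.ParseReference` call on the per-manifest references in `@@ -1644,7 +1644,7 @@` and not the initial `ResolveDigest`, that is worth stating, e.g. `// GetBundles returns the Sigstore bundles attached to signedImgRef together with its resolved digest; nameOpts (e.g. name.Insecure) are applied when parsing the digest references of the attached manifests, so pass the same options used to parse signedImgRef.` A caller that parsed `signedImgRef` with `name.Insecure` but omits it here gets references to the same registry parsed with stricter defaults, which is an easy asymmetry to trip over. Both functions continue outside the hunks.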
--- a/pkg/oci/remote/write.go
+++ b/pkg/oci/remote/write.go
@@ -301,7 +301,7 @@ func WriteReferrer(d name.Digest, artifactType string, layers []v1.Layer, annota
 Annotations: annotations,
 }, artifactType}
- targetRef, err := manifest.targetRef(o.TargetRepository)
+ targetRef, err := manifest.targetRef(o.TargetRepository, opts...)
 if err != nil {
 return fmt.Errorf("failed to create target reference: %w", err)
 }
@@ -372,7 +372,8 @@ func (r referrerManifest) RawManifest() ([]byte, error) {
 return json.Marshal(r)
 }
-func (r referrerManifest) targetRef(repo name.Repository) (name.Reference, error) {
+func (r referrerManifest) targetRef(repo name.Repository, opts ...Option) (name.Reference, error) {
+ o := makeOptions(repo, opts...)
 manifestBytes, err := r.RawManifest()
 if err != nil {
 return nil, err
@@ -381,7 +382,7 @@ func (r referrerManifest) targetRef(repo name.Repository) (name.Reference, error
 if err != nil {
 return nil, err
 }
- return name.ParseReference(fmt.Sprintf("%s/%s@%s", repo.RegistryStr(), repo.RepositoryStr(), digest.String()))
+ return name.ParseReference(fmt.Sprintf("%s/%s@%s", repo.RegistryStr(), repo.RepositoryStr(), digest.String()), o.NameOpts...)
 }
 func (r referrerManifest) MediaType() (types.MediaType, error) {
diff --git a/test/e2e_insecure_registry_test.go b/test/e2e_insecure_registry_test.go
index aa826ff91a7..26f546ecaf0 100644
--- a/test/e2e_insecure_registry_test.go
+++ b/test/e2e_insecure_registry_test.go
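Review bot: `targetRef` in `@@ -372,7 +372,8 @@` rebuilds the options with `o := makeOptions(repo, opts...)` even though `WriteReferrer` already holds the resolved `o` when it calls `manifest.targetRef(o.TargetRepository, opts...)`; passing the already-computed name options avoids the second parse and guarantees both sides use the same values: `func (r referrerManifest) targetRef(repo name.Repository, nameOpts ...name.Option) (name.Reference, error)`, called as `manifest.targetRef(o.TargetRepository, o.NameOpts...)`, with the final `name.ParseReference(..., nameOpts...)`. If `makeOptions` does more than copy fields (defaults derived from `repo`, say), this is also the only place where `repo` and `o.TargetRepository` could disagree, so either way a one-line comment on why `targetRef` takes raw options would help. `WriteReferrer` starts before its hunk.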
@@ -22,15 +22,19 @@ import ( "net/http" "os" "path" + "path/filepath" "testing" + "time" "github.com/google/go-containerregistry/pkg/name" "github.com/google/go-containerregistry/pkg/v1/random" "github.com/google/go-containerregistry/pkg/v1/remote" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/attest" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/initialize" "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign" cliverify "github.com/sigstore/cosign/v3/cmd/cosign/cli/verify" - "github.com/sigstore/cosign/v3/pkg/cosign/env" + "github.com/sigstore/cosign/v3/pkg/cosign" ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote" ) @@ -56,7 +60,13 @@ func TestInsecureRegistry(t *testing.T) { useOCI11 := os.Getenv("oci11Var") != "" rekorURL := os.Getenv(rekorURLVar) - must(downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td), t) + + ctx := context.Background() + tufLocalCache := t.TempDir() + t.Setenv("TUF_ROOT", tufLocalCache) + rootPath := os.Getenv("TUF_ROOT_JSON") + mirror := os.Getenv("TUF_MIRROR") + must(initialize.DoInitialize(ctx, rootPath, mirror), t) ko := options.KeyOpts{ KeyRef: privKey, @@ -64,13 +74,19 @@ func TestInsecureRegistry(t *testing.T) { RekorURL: rekorURL, SkipConfirmation: true, } + trustedMaterial, err := cosign.TrustedRoot() + must(err, t) + ko.TrustedMaterial = trustedMaterial + + // Sign without bundle format so := options.SignOptions{ Upload: true, TlogUpload: true, } mustErr(sign.SignCmd(ro, ko, so, []string{imgName}), t) so.Registry = options.RegistryOptions{ - AllowInsecure: true, + AllowInsecure: true, + AllowHTTPRegistry: true, } if useOCI11 { so.RegistryExperimental = options.RegistryExperimentalOptions{ 
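Review bot: In `@@ -56,7 +60,13 @@`, `rootPath := os.Getenv("TUF_ROOT_JSON")` and `mirror := os.Getenv("TUF_MIRROR")` go straight into `initialize.DoInitialize` with no check that they are set, unlike the `COSIGN_TEST_REPO` guard at the top of the test (outside this hunk); a missing variable will fail somewhere inside DoInitialize with whatever it does for an empty root path, which is harder to diagnose than `if rootPath == "" { t.Fatal("TUF_ROOT_JSON must be set") }`. The same setup (temp `TUF_ROOT`, DoInitialize, `options.KeyOpts`, `cosign.TrustedRoot()`) is repeated in the new `TestAttestInsecureRegistry` in the next hunk, so a helper such as `func initTUFAndKeyOpts(t *testing.T, privKey string) options.KeyOpts` would remove the duplication. The removed `downloadAndSetEnv(...)` line was the only thing setting the Rekor public key env var; presumably the trusted root now supplies that key, but a comment saying so would save the next reader the question. `TestInsecureRegistry` starts before this hunk.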
@@ -83,17 +99,105 @@ func TestInsecureRegistry(t *testing.T) { KeyRef: pubKey, CheckClaims: true, RegistryOptions: options.RegistryOptions{ - AllowInsecure: true, + AllowInsecure: true, + AllowHTTPRegistry: true, }, } if useOCI11 { cmd.ExperimentalOCI11 = true } must(cmd.Exec(context.Background(), []string{imgName}), t) + + // Sign new image with new bundle format + // (Must be a new image or the old bundle may be verified instead) + imgName = path.Join(repo, "cosign-registry-e2e-2") + cleanup2 := makeImageIndexWithInsecureRegistry(t, imgName) + defer cleanup2() + + so.NewBundleFormat = true + must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + cmd.NewBundleFormat = true + must(cmd.Exec(context.Background(), []string{imgName}), t) +} + +func TestAttestInsecureRegistry(t *testing.T) { + if os.Getenv("COSIGN_TEST_REPO") == "" { + t.Fatal("COSIGN_TEST_REPO must be set to an insecure registry for this test") + } + repo, stop := reg(t) + defer stop() + td := t.TempDir() + + imgName := path.Join(repo, "cosign-registry-e2e") + cleanup := makeImageIndexWithInsecureRegistry(t, imgName) + defer cleanup() + + _, privKey, pubKey := keypair(t, td) + + rekorURL := os.Getenv(rekorURLVar) + + ctx := context.Background() + tufLocalCache := t.TempDir() + t.Setenv("TUF_ROOT", tufLocalCache) + rootPath := os.Getenv("TUF_ROOT_JSON") + mirror := os.Getenv("TUF_MIRROR") + must(initialize.DoInitialize(ctx, rootPath, mirror), t) + + ko := options.KeyOpts{ + KeyRef: privKey, + PassFunc: passFunc, + RekorURL: rekorURL, + SkipConfirmation: true, + } + trustedMaterial, err := cosign.TrustedRoot() + must(err, t) + ko.TrustedMaterial = trustedMaterial + + slsaAttestation := `{ "buildType": "x", "builder": { "id": "2" }, "recipe": {} }` + slsaAttestationPath := filepath.Join(td, "attestation.slsa.json") + if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0600); err != nil { + t.Fatal(err) + } + + // Attest without bundle + attestCmd := attest.AttestCommand{ + KeyOpts: ko, + 
PredicatePath: slsaAttestationPath, + PredicateType: "slsaprovenance", + Timeout: 30 * time.Second, + RekorEntryType: "dsse", + TlogUpload: true, + RegistryOptions: options.RegistryOptions{ + AllowInsecure: true, + AllowHTTPRegistry: true, + }, + } + must(attestCmd.Exec(ctx, imgName), t) + verifyAttestation := cliverify.VerifyAttestationCommand{ + KeyRef: pubKey, + PredicateType: "slsaprovenance", + RegistryOptions: options.RegistryOptions{ + AllowInsecure: true, + AllowHTTPRegistry: true, + }, + } + must(verifyAttestation.Exec(ctx, []string{imgName}), t) + + // Attest with new bundle + imgName = path.Join(repo, "cosign-registry-e2e-2") + cleanup2 := makeImageIndexWithInsecureRegistry(t, imgName) + defer cleanup2() + + ko.NewBundleFormat = true + attestCmd.KeyOpts = ko + must(attestCmd.Exec(ctx, imgName), t) + verifyAttestation.CommonVerifyOptions.NewBundleFormat = true + verifyAttestation.IgnoreTlog = false + must(verifyAttestation.Exec(ctx, []string{imgName}), t) } func makeImageIndexWithInsecureRegistry(t *testing.T, n string) func() { - ref, err := name.ParseReference(n, name.WeakValidation) + ref, err := name.ParseReference(n, name.WeakValidation, name.Insecure) if err != nil { t.Fatal(err) } From 4a2caf9f74a7bfb4fdd9ee72a6852fcf6581287c Mon Sep 17 00:00:00 2001 From: Colleen Murphy Date: Fri, 24 Oct 2025 17:36:11 -0700 Subject: [PATCH 118/136] Add --bundle and fix --upload for new bundle Without this change, --upload=false was not respected with the new bundle format. It also would not have made sense because there was no way to output the bundle locally. This change adds a flag --bundle so that the bundle can be created on disk without attaching it to the image, and also passes through the Upload parameter to bypass uploading it if desired. 
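Review bot: Every command in the new `TestAttestInsecureRegistry` sets both `AllowInsecure: true` and `AllowHTTPRegistry: true`, so the test cannot tell whether the `|| AllowInsecure` half of the new conditionals in attest.go and verify*.go is needed; a variant that sets only `AllowHTTPRegistry` against the plain-HTTP registry the workflow now starts would pin down which flag is meant to enable `name.Insecure`. `verifyAttestation.IgnoreTlog = false` assigns the zero value of a field nothing else in the test touches, so it reads as intentional but is a no-op; either drop it or say why it is there, e.g. `// explicit: bundle verification must consult the log`. The TUF/KeyOpts setup is a copy of the block in `TestInsecureRegistry` and could be shared by a small helper.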
Signed-off-by: Colleen Murphy --- cmd/cosign/cli/attest.go | 1 + cmd/cosign/cli/attest/attest.go | 6 +- cmd/cosign/cli/attest/attest_blob.go | 2 +- cmd/cosign/cli/options/attest.go | 5 + cmd/cosign/cli/options/sign.go | 5 + cmd/cosign/cli/sign/sign.go | 4 +- cmd/cosign/cli/signcommon/common.go | 16 ++- doc/cosign_attest.md | 1 + doc/cosign_sign.md | 1 + test/e2e_test.go | 184 +++++++++++++++++++++ 10 files changed, 217 insertions(+), 8 deletions(-)
diff --git a/cmd/cosign/cli/attest.go b/cmd/cosign/cli/attest.go
index 1f66292628a..ffb20be7059 100644
--- a/cmd/cosign/cli/attest.go
+++ b/cmd/cosign/cli/attest.go
@@ -100,6 +100,7 @@ func Attest() *cobra.Command {
 TSAServerName: o.TSAServerName,
 TSAServerURL: o.TSAServerURL,
 IssueCertificateForExistingKey: o.IssueCertificate,
+ BundlePath: o.BundlePath,
 NewBundleFormat: o.NewBundleFormat,
 }
 // If a signing config is used, then service URLs cannot be specified
diff --git a/cmd/cosign/cli/attest/attest.go b/cmd/cosign/cli/attest/attest.go
index 695f8d8c128..6f436271c11 100644
--- a/cmd/cosign/cli/attest/attest.go
+++ b/cmd/cosign/cli/attest/attest.go
@@ -122,7 +122,7 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error {
 }
 if c.SigningConfig != nil {
- return signcommon.WriteNewBundleWithSigningConfig(ctx, c.KeyOpts, c.CertPath, c.CertChainPath, payload, digest, types.CosignSignPredicateType, "", c.SigningConfig, c.TrustedMaterial, ociremoteOpts...)
+ return signcommon.WriteNewBundleWithSigningConfig(ctx, c.KeyOpts, c.CertPath, c.CertChainPath, payload, digest, types.CosignSignPredicateType, c.BundlePath, !c.NoUpload, c.SigningConfig, c.TrustedMaterial, ociremoteOpts...)
 }
 bundleComponents, closeSV, err := signcommon.GetBundleComponents(ctx, c.CertPath, c.CertChainPath, c.KeyOpts, c.NoUpload, c.TlogUpload, payload, digest, c.RekorEntryType)
@@ -133,7 +133,7 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error {
 sv := bundleComponents.SV
- if c.NoUpload {
+ if c.NoUpload && c.BundlePath == "" {
 fmt.Println(string(bundleComponents.SignedPayload))
 return nil
 }
@@ -163,7 +163,7 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error {
 }
 if c.KeyOpts.NewBundleFormat {
- return signcommon.WriteBundle(sv, bundleComponents.RekorEntry, payload, bundleComponents.SignedPayload, bundleComponents.SignerBytes, bundleComponents.TimestampBytes, digest, predicateType, ociremoteOpts...)
+ return signcommon.WriteBundle(ctx, sv, bundleComponents.RekorEntry, payload, bundleComponents.SignedPayload, bundleComponents.SignerBytes, bundleComponents.TimestampBytes, digest, predicateType, "", !c.NoUpload, ociremoteOpts...)
 }
 // We don't actually need to access the remote entity to attach things to it
diff --git a/cmd/cosign/cli/attest/attest_blob.go b/cmd/cosign/cli/attest/attest_blob.go
index 4f0b9748658..92108027680 100644
--- a/cmd/cosign/cli/attest/attest_blob.go
+++ b/cmd/cosign/cli/attest/attest_blob.go
@@ -143,7 +143,7 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 }
 if c.SigningConfig != nil {
- return signcommon.WriteNewBundleWithSigningConfig(ctx, c.KeyOpts, c.CertPath, c.CertChainPath, payload, name.Digest{}, "", c.BundlePath, c.SigningConfig, c.TrustedMaterial, nil)
+ return signcommon.WriteNewBundleWithSigningConfig(ctx, c.KeyOpts, c.CertPath, c.CertChainPath, payload, name.Digest{}, "", c.BundlePath, false, c.SigningConfig, c.TrustedMaterial, nil)
 }
 bundleComponents, closeSV, err := signcommon.GetBundleComponents(ctx, c.CertPath, c.CertChainPath, c.KeyOpts, false, c.TlogUpload, payload, nil, c.RekorEntryType)
diff --git a/cmd/cosign/cli/options/attest.go b/cmd/cosign/cli/options/attest.go
index 4c2280e037e..d1791889730 100644
--- a/cmd/cosign/cli/options/attest.go
+++ b/cmd/cosign/cli/options/attest.go
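Review bot: The `WriteBundle` call in `@@ -163,7 +163,7 @@` passes `""` as `bundlePath` while the `WriteNewBundleWithSigningConfig` call in the previous hunk passes `c.BundlePath`; with `--bundle=<file> --no-upload` and no signing config, the `@@ -133` guard is skipped because `c.BundlePath != ""`, then `WriteBundle` receives an empty path and `upload=false`, so the command returns nil having written nothing anywhere. The fix is to pass the path through: `..., digest, predicateType, c.BundlePath, !c.NoUpload, ociremoteOpts...)`. Separately, the legacy (non-bundle-format) path after this hunk used to be unreachable with `--no-upload`; it now runs whenever `--bundle` is set, and nothing visible here honours `NoUpload` on that path, so confirm it does not attach to the registry in that case. `Exec` continues outside the hunk.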
@@ -38,6 +38,7 @@ type AttestOptions struct {
 TSAServerURL string
 RekorEntryType string
 RecordCreationTimestamp bool
+ BundlePath string
 NewBundleFormat bool
 UseSigningConfig bool
 SigningConfigPath string
@@ -114,6 +115,10 @@ func (o *AttestOptions) AddFlags(cmd *cobra.Command) {
 cmd.Flags().BoolVar(&o.IssueCertificate, "issue-certificate", false, "issue a code signing certificate from Fulcio, even if a key is provided")
+ cmd.Flags().StringVar(&o.BundlePath, "bundle", "",
+ "write everything required to verify the blob to a FILE")
+ _ = cmd.MarkFlagFilename("bundle", bundleExts...)
+
 cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", true, "attach a Sigstore bundle using OCI referrers API")
 cmd.Flags().BoolVar(&o.UseSigningConfig, "use-signing-config", true,
diff --git a/cmd/cosign/cli/options/sign.go b/cmd/cosign/cli/options/sign.go
index 75b9ffc93b8..23eb93cab49 100644
--- a/cmd/cosign/cli/options/sign.go
+++ b/cmd/cosign/cli/options/sign.go
@@ -29,6 +29,7 @@ type SignOptions struct {
 OutputSignature string // TODO: this should be the root output file arg.
 OutputPayload string
 OutputCertificate string
+ BundlePath string
 PayloadPath string
 Recursive bool
 Attachment string
@@ -97,6 +98,10 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) {
 "write the certificate to FILE")
 _ = cmd.MarkFlagFilename("output-certificate", certificateExts...)
+ cmd.Flags().StringVar(&o.BundlePath, "bundle", "",
+ "write everything required to verify the image to FILE")
+ _ = cmd.MarkFlagFilename("bundle", bundleExts...)
+
 cmd.Flags().StringVar(&o.PayloadPath, "payload", "", "path to a payload file to use rather than generating one")
 // _ = cmd.MarkFlagFilename("payload") // no typical extensions
diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
index f9c1761a2e9..2247c4b5c68 100644
--- a/cmd/cosign/cli/sign/sign.go
+++ b/cmd/cosign/cli/sign/sign.go
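Review bot: The `--bundle` help string added in `AttestOptions.AddFlags` (`@@ -114,6 +115,10 @@`) says `"write everything required to verify the blob to a FILE"`, but `cosign attest` operates on an image reference, and the sibling `SignOptions` hunk in this commit already uses `"write everything required to verify the image to FILE"`; the attest text looks copied from attest-blob and should match the sign wording. Since the attest.go hunks in this commit only consult `BundlePath` on the new-bundle-format branches, it would also help users to say in the help text that the flag has no effect without `--new-bundle-format`, if that is indeed the intended behaviour.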
@@ -184,7 +184,7 @@ func signDigestBundle(ctx context.Context, digest name.Digest, ko options.KeyOpt
 }
 if ko.SigningConfig != nil {
- return signcommon.WriteNewBundleWithSigningConfig(ctx, ko, signOpts.Cert, signOpts.CertChain, payload, digest, types.CosignSignPredicateType, "", ko.SigningConfig, ko.TrustedMaterial, ociremoteOpts...)
+ return signcommon.WriteNewBundleWithSigningConfig(ctx, ko, signOpts.Cert, signOpts.CertChain, payload, digest, types.CosignSignPredicateType, signOpts.BundlePath, signOpts.Upload, ko.SigningConfig, ko.TrustedMaterial, ociremoteOpts...)
 }
 bundleComponents, closeSV, err := signcommon.GetBundleComponents(ctx, signOpts.Cert, signOpts.CertChain, ko, false, signOpts.TlogUpload, payload, digest, "dsse")
@@ -193,7 +193,7 @@ func signDigestBundle(ctx context.Context, digest name.Digest, ko options.KeyOpt
 }
 defer closeSV()
- return signcommon.WriteBundle(bundleComponents.SV, bundleComponents.RekorEntry, payload, bundleComponents.SignedPayload, bundleComponents.SignerBytes, bundleComponents.TimestampBytes, digest, types.CosignSignPredicateType, ociremoteOpts...)
+ return signcommon.WriteBundle(ctx, bundleComponents.SV, bundleComponents.RekorEntry, payload, bundleComponents.SignedPayload, bundleComponents.SignerBytes, bundleComponents.TimestampBytes, digest, types.CosignSignPredicateType, signOpts.BundlePath, signOpts.Upload, ociremoteOpts...)
 }
 func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko options.KeyOpts, signOpts options.SignOptions,
diff --git a/cmd/cosign/cli/signcommon/common.go b/cmd/cosign/cli/signcommon/common.go
index 6b1690693b2..e51f27cfce7 100644
--- a/cmd/cosign/cli/signcommon/common.go
+++ b/cmd/cosign/cli/signcommon/common.go
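Review bot: Both calls in `signDigestBundle` now forward `signOpts.Upload`, so `cosign sign --upload=false` without `--bundle` reaches `WriteBundle`/`WriteNewBundleWithSigningConfig`, which per the common.go hunks in this commit return nil without writing or printing anything; the user gets a clean exit and no signature, whereas the legacy path prints the signed payload. Either reject the combination up front, e.g. `if !signOpts.Upload && signOpts.BundlePath == "" { return fmt.Errorf("--upload=false requires --bundle with the new bundle format") }` before the `ko.SigningConfig` branch, or have the bundle written to stdout in that case and document it on the `--upload` flag. `signDigestBundle` starts before the hunk.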
@@ -467,7 +467,7 @@ func UploadToTlog(ctx context.Context, ko options.KeyOpts, ref name.Reference, t
 }
 // WriteBundle compiles a protobuf bundle from components and writes the bundle to the OCI remote layer.
-func WriteBundle(sv *SignerVerifier, rekorEntry *models.LogEntryAnon, payload, signedPayload, signerBytes, timestampBytes []byte, digest name.Digest, predicateType string, ociremoteOpts ...ociremote.Option) error {
+func WriteBundle(ctx context.Context, sv *SignerVerifier, rekorEntry *models.LogEntryAnon, payload, signedPayload, signerBytes, timestampBytes []byte, digest name.Digest, predicateType, bundlePath string, upload bool, ociremoteOpts ...ociremote.Option) error {
 pubKey, err := sv.PublicKey()
 if err != nil {
 return err
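Review bot: The doc comment on WriteBundle still says it "writes the bundle to the OCI remote layer", which after this signature change is only one of the outcomes: the new `bundlePath` and `upload` parameters (used in the next hunk) make the function write a file when `bundlePath` is set and return before any registry write when `upload` is false. Suggest `// WriteBundle compiles a protobuf bundle from components, writes it to bundlePath when set, and, when upload is true, attaches it to the image digest in the OCI registry.` The comment on WriteNewBundleWithSigningConfig in the next hunk is stale in the same way, and both comments are carried over unchanged into the refactor of these functions in patch 119's common.go hunk further down.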
@@ -476,11 +476,20 @@ func WriteBundle(sv *SignerVerifier, rekorEntry *models.LogEntryAnon, payload, s
 if err != nil {
 return err
 }
+ if bundlePath != "" {
+ if err := os.WriteFile(bundlePath, bundleBytes, 0600); err != nil {
+ return fmt.Errorf("creating bundle file: %w", err)
+ }
+ ui.Infof(ctx, "Wrote bundle to file %s", bundlePath)
+ }
+ if !upload {
+ return nil
+ }
 return ociremote.WriteAttestationNewBundleFormat(digest, bundleBytes, predicateType, ociremoteOpts...)
 }
 // WriteNewBundleWithSigningConfig uses signing config and trusted root to fetch responses from services for the bundle and writes the bundle to the OCI remote layer.
-func WriteNewBundleWithSigningConfig(ctx context.Context, ko options.KeyOpts, cert, certChain string, payload []byte, digest name.Digest, predicateType, bundlePath string, signingConfig *root.SigningConfig, trustedMaterial root.TrustedMaterial, ociremoteOpts ...ociremote.Option) error {
+func WriteNewBundleWithSigningConfig(ctx context.Context, ko options.KeyOpts, cert, certChain string, payload []byte, digest name.Digest, predicateType, bundlePath string, upload bool, signingConfig *root.SigningConfig, trustedMaterial root.TrustedMaterial, ociremoteOpts ...ociremote.Option) error {
 keypair, idToken, err := GetKeypairAndToken(ctx, ko, cert, certChain)
 if err != nil {
 return fmt.Errorf("getting keypair and token: %w", err)
@@ -502,6 +511,9 @@ func WriteNewBundleWithSigningConfig(ctx context.Context, ko options.KeyOpts, ce
 ui.Infof(ctx, "Wrote bundle to file %s", bundlePath)
 return nil
 }
+ if !upload {
+ return nil
+ }
 return ociremote.WriteAttestationNewBundleFormat(digest, bundle, predicateType, ociremoteOpts...)
 }
diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md
index b13c2f4f430..57601462a3a 100644
--- a/doc/cosign_attest.md
+++ b/doc/cosign_attest.md
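Review bot: The two writers in this hunk disagree on what a bundle path means for upload: in WriteBundle the file write falls through to the new `if !upload` check, but in WriteNewBundleWithSigningConfig the pre-existing `return nil` inside the `bundlePath != ""` branch returns before the `if !upload` check added in the second hunk, so with a signing config a caller that sets both a bundle path and `upload == true` writes the file and silently never pushes to the registry. The new TestSignVerifyUploadFalse e2e test further down only exercises the non-signing-config path (`so.BundlePath` together with `so.Upload = true`, expecting referrer artifacts), so it would not catch this. If `upload` is meant to govern in both paths, remove that `return nil` so the branch falls through as in WriteBundle; if a bundle path is meant to imply no upload in the signing-config path, state that in the function's doc comment. The same shape is carried into the refactor of both functions in patch 119's common.go hunk.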
@@ -51,6 +51,7 @@ cosign attest [flags] --allow-http-registry whether to allow using HTTP protocol while connecting to registries. Don't use this for anything but testing --allow-insecure-registry whether to allow insecure connections to registries (e.g., with expired or self-signed TLS certificates). Don't use this for anything but testing --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] + --bundle string write everything required to verify the blob to a FILE --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. (options) normal|device|token|client_credentials diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md index d505bdbc953..8973b53aee8 100644 --- a/doc/cosign_sign.md +++ b/doc/cosign_sign.md 
@@ -77,6 +77,7 @@ cosign sign [flags] -a, --annotations strings extra key=value pairs to sign --attachment string DEPRECATED, related image attachment to sign (sbom), default none --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] + --bundle string write everything required to verify the image to FILE --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. (options) normal|device|token|client_credentials diff --git a/test/e2e_test.go b/test/e2e_test.go index 2f5a2fd925c..95714bc34d7 100644 --- a/test/e2e_test.go +++ b/test/e2e_test.go @@ -26,6 +26,7 @@ import ( "crypto/sha256" "crypto/x509" "encoding/base64" + "encoding/hex" "encoding/json" "encoding/pem" "fmt" @@ -36,6 +37,7 @@ import ( "os" "path" "path/filepath" + "regexp" "strings" "testing" "time" @@ -4042,6 +4044,7 @@ func TestTree(t *testing.T) { ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} so := options.SignOptions{ NewBundleFormat: true, + Upload: true, } must(sign.SignCmd(ro, ko, so, []string{imgName}), t) 
@@ -4051,3 +4054,184 @@ func TestTree(t *testing.T) { must(cli.TreeCmd(ctx, regOpts, regExpOpts, true, imgName, &out), t) assert.True(t, strings.Contains(out.String(), "https://sigstore.dev/cosign/sign/v1")) } + +func TestSignVerifyUploadFalse(t *testing.T) { + td := t.TempDir() + ctx := context.Background() + + repo, stop := reg(t) + defer stop() + + imgName := path.Join(repo, "cosign-e2e-no-upload") + name, desc, cleanup := mkimage(t, imgName) + defer cleanup() + + _, privKeyPath, _ := keypair(t, td) + + regOpts := options.RegistryOptions{} + regExpOpts := options.RegistryExperimentalOptions{} + out := bytes.Buffer{} + + // There should be no signatures yet + must(cli.TreeCmd(ctx, regOpts, regExpOpts, true, imgName, &out), t) + assert.Contains(t, out.String(), "No Supply Chain Security Related Artifacts found for image") + + // Now sign the image with Upload: false + ko := options.KeyOpts{ + KeyRef: privKeyPath, + PassFunc: passFunc, + SkipConfirmation: true, + } + so := options.SignOptions{ + Upload: false, + } + must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + + // There should still be no signatures + out.Reset() + must(cli.TreeCmd(ctx, regOpts, regExpOpts, true, imgName, &out), t) + assert.Contains(t, out.String(), "No Supply Chain Security Related Artifacts found for image") + + // Now with Upload: true + so.Upload = true + must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + + // Now there should be signatures + out.Reset() + must(cli.TreeCmd(ctx, regOpts, regExpOpts, true, imgName, &out), t) + assert.Contains(t, out.String(), fmt.Sprintf("Signatures for an image tag: %s:%s-%s.sig", name, desc.Digest.Algorithm, desc.Digest.Hex)) + + // Try on a new image with new bundle format + imgName = path.Join(repo, "cosign-e2e-no-upload-bundle") + name2, _, cleanup2 := mkimage(t, imgName) + defer cleanup2() + + // There should be no signatures yet + out.Reset() + must(cli.TreeCmd(ctx, regOpts, regExpOpts, true, imgName, &out), t) + assert.Contains(t, 
out.String(), "No Supply Chain Security Related Artifacts found for image") + + // Now sign the image with Upload: false + so.Upload = false + so.NewBundleFormat = true + so.BundlePath = path.Join(td, "output.bundle") + must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + assert.FileExists(t, so.BundlePath) + + // There should still be no signatures + out.Reset() + must(cli.TreeCmd(ctx, regOpts, regExpOpts, true, imgName, &out), t) + assert.Contains(t, out.String(), "No Supply Chain Security Related Artifacts found for image") + + // Now with Upload: true + so.Upload = true + must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + + // Now there should be signatures + out.Reset() + must(cli.TreeCmd(ctx, regOpts, regExpOpts, true, imgName, &out), t) + assert.Regexp(t, regexp.MustCompile(fmt.Sprintf("https://sigstore.dev/cosign/sign/v1 artifacts via OCI referrer: %s@sha256:[a-z0-9]*\n", name2)), out.String()) + assert.FileExists(t, so.BundlePath) + f, err := os.Open(so.BundlePath) + must(err, t) + defer f.Close() + h := sha256.New() + _, err = io.Copy(h, f) + must(err, t) + assert.Contains(t, out.String(), fmt.Sprintf("sha256:%s", hex.EncodeToString(h.Sum(nil)))) +} + +func TestAttestVerifyUploadFalse(t *testing.T) { + td := t.TempDir() + ctx := context.Background() + + repo, stop := reg(t) + defer stop() + + imgName := path.Join(repo, "cosign-e2e-no-upload") + name, desc, cleanup := mkimage(t, imgName) + defer cleanup() + + _, privKeyPath, _ := keypair(t, td) + + regOpts := options.RegistryOptions{} + regExpOpts := options.RegistryExperimentalOptions{} + out := bytes.Buffer{} + + // There should be no attestations yet + must(cli.TreeCmd(ctx, regOpts, regExpOpts, true, imgName, &out), t) + assert.Contains(t, out.String(), "No Supply Chain Security Related Artifacts found for image") + + // Now attest the image with NoUpload: true + ko := options.KeyOpts{ + KeyRef: privKeyPath, + PassFunc: passFunc, + SkipConfirmation: true, + } + predicate := `{ "buildType": "x", 
"builder": { "id": "2" }, "recipe": {} }` + predicatePath := filepath.Join(t.TempDir(), "predicate.json") + if err := os.WriteFile(predicatePath, []byte(predicate), 0644); err != nil { + t.Fatal(err) + } + attestCmd := attest.AttestCommand{ + KeyOpts: ko, + PredicatePath: predicatePath, + PredicateType: "slsaprovenance", + RekorEntryType: "dsse", + NoUpload: true, + } + must(attestCmd.Exec(ctx, imgName), t) + + // There should still be no attestations + out.Reset() + must(cli.TreeCmd(ctx, regOpts, regExpOpts, true, imgName, &out), t) + assert.Contains(t, out.String(), "No Supply Chain Security Related Artifacts found for image") + + // Now with NoUpload: false + attestCmd.NoUpload = false + must(attestCmd.Exec(ctx, imgName), t) + + // Now there should be attestations + out.Reset() + must(cli.TreeCmd(ctx, regOpts, regExpOpts, true, imgName, &out), t) + assert.Contains(t, out.String(), fmt.Sprintf("Attestations for an image tag: %s:%s-%s.att", name, desc.Digest.Algorithm, desc.Digest.Hex)) + + // Try on a new image with new bundle format + imgName = path.Join(repo, "cosign-e2e-no-upload-bundle") + name2, _, cleanup2 := mkimage(t, imgName) + defer cleanup2() + + // There should be no attestations yet + out.Reset() + must(cli.TreeCmd(ctx, regOpts, regExpOpts, true, imgName, &out), t) + assert.Contains(t, out.String(), "No Supply Chain Security Related Artifacts found for image") + + // Now attest the image with NoUpload: true + attestCmd.NoUpload = true + attestCmd.NewBundleFormat = true + attestCmd.BundlePath = path.Join(td, "output.bundle") + must(attestCmd.Exec(ctx, imgName), t) + assert.FileExists(t, attestCmd.BundlePath) + + // There should still be no attestations + out.Reset() + must(cli.TreeCmd(ctx, regOpts, regExpOpts, true, imgName, &out), t) + assert.Contains(t, out.String(), "No Supply Chain Security Related Artifacts found for image") + + // Now with NoUpload: true + attestCmd.NoUpload = false + must(attestCmd.Exec(ctx, imgName), t) + + // Now there should 
be attestations + out.Reset() + must(cli.TreeCmd(ctx, regOpts, regExpOpts, true, imgName, &out), t) + assert.Regexp(t, regexp.MustCompile(fmt.Sprintf("https://slsa.dev/provenance/v0.2 artifacts via OCI referrer: %s@sha256:[a-z0-9]*\n", name2)), out.String()) + assert.FileExists(t, attestCmd.BundlePath) + f, err := os.Open(attestCmd.BundlePath) + must(err, t) + defer f.Close() + h := sha256.New() + _, err = io.Copy(h, f) + must(err, t) + assert.Contains(t, out.String(), fmt.Sprintf("sha256:%s", hex.EncodeToString(h.Sum(nil)))) +} From 0b4362b15ec8d430650cbdf16fa4e09a2dbea0c3 Mon Sep 17 00:00:00 2001 From: Colleen Murphy Date: Mon, 27 Oct 2025 14:02:22 -0700 Subject: [PATCH 119/136] Refactor signcommon bundle helpers Use a common options struct for WriteBundle and WriteNewBundleWithSigningConfig to reduce the number of arguments in each function. Signed-off-by: Colleen Murphy --- cmd/cosign/cli/attest/attest.go | 15 +++++++++-- cmd/cosign/cli/attest/attest_blob.go | 8 ++++-- cmd/cosign/cli/sign/sign.go | 13 ++++++++-- cmd/cosign/cli/signcommon/common.go | 37 +++++++++++++++++----------- 4 files changed, 53 insertions(+), 20 deletions(-) diff --git a/cmd/cosign/cli/attest/attest.go b/cmd/cosign/cli/attest/attest.go index 6f436271c11..861a2b7716c 100644 --- a/cmd/cosign/cli/attest/attest.go +++ b/cmd/cosign/cli/attest/attest.go 
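Review bot: In TestAttestVerifyUploadFalse the comment `// Now with NoUpload: true` sits directly above `attestCmd.NoUpload = false`, so it states the opposite of the line it annotates; change it to `// Now with NoUpload: false`. Both new tests also build the bundle output path with `path.Join(td, "output.bundle")` even though it is a filesystem path, while `predicatePath` a few lines earlier uses `filepath.Join`; `so.BundlePath = filepath.Join(td, "output.bundle")` and `attestCmd.BundlePath = filepath.Join(td, "output.bundle")` keep the tests consistent and portable. Hashing the written bundle and asserting that digest appears in the tree output is a good check that the on-disk bundle is byte-identical to what was pushed as a referrer.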
@@ -121,8 +121,17 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error {
 return err
 }
+ bundleOpts := signcommon.CommonBundleOpts{
+ Payload: payload,
+ Digest: digest,
+ PredicateType: types.CosignSignPredicateType,
+ BundlePath: c.BundlePath,
+ Upload: !c.NoUpload,
+ OCIRemoteOpts: ociremoteOpts,
+ }
+
 if c.SigningConfig != nil {
- return signcommon.WriteNewBundleWithSigningConfig(ctx, c.KeyOpts, c.CertPath, c.CertChainPath, payload, digest, types.CosignSignPredicateType, c.BundlePath, !c.NoUpload, c.SigningConfig, c.TrustedMaterial, ociremoteOpts...)
+ return signcommon.WriteNewBundleWithSigningConfig(ctx, c.KeyOpts, c.CertPath, c.CertChainPath, bundleOpts, c.SigningConfig, c.TrustedMaterial)
 }
 bundleComponents, closeSV, err := signcommon.GetBundleComponents(ctx, c.CertPath, c.CertChainPath, c.KeyOpts, c.NoUpload, c.TlogUpload, payload, digest, c.RekorEntryType)
@@ -152,6 +161,8 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error {
 return err
 }
+ bundleOpts.PredicateType = predicateType
+
 predicateTypeAnnotation := map[string]string{
 "predicateType": predicateType,
 }
@@ -163,7 +174,7 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error {
 }
 if c.KeyOpts.NewBundleFormat {
- return signcommon.WriteBundle(ctx, sv, bundleComponents.RekorEntry, payload, bundleComponents.SignedPayload, bundleComponents.SignerBytes, bundleComponents.TimestampBytes, digest, predicateType, "", !c.NoUpload, ociremoteOpts...)
+ return signcommon.WriteBundle(ctx, sv, bundleComponents.RekorEntry, bundleOpts, bundleComponents.SignedPayload, bundleComponents.SignerBytes, bundleComponents.TimestampBytes)
 }
 // We don't actually need to access the remote entity to attach things to it
diff --git a/cmd/cosign/cli/attest/attest_blob.go b/cmd/cosign/cli/attest/attest_blob.go
index 92108027680..9e611f663aa 100644
--- a/cmd/cosign/cli/attest/attest_blob.go
+++ b/cmd/cosign/cli/attest/attest_blob.go
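Review bot: The WriteBundle call in the last hunk previously passed `""` as the bundle path and now receives `bundleOpts` carrying `c.BundlePath`, so on the non-signing-config new-bundle path `cosign attest` will write the bundle file where it did not before, while the commit message describes an argument-reducing refactor only. Patch 118's e2e test already asserts that file exists on this path, so either the bundle is also written elsewhere in Exec (in which case it is now written twice) or that assertion only starts holding with this change; I cannot tell which from the hunk, and the commit message should say which is intended. Exec continues outside the hunks.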
@@ -29,7 +29,6 @@ import (
 "strings"
 "time"
- "github.com/google/go-containerregistry/pkg/name"
 intotov1 "github.com/in-toto/attestation/go/v1"
 "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
 "github.com/sigstore/cosign/v3/cmd/cosign/cli/signcommon"
@@ -142,8 +141,13 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 }
 }
+ bundleOpts := signcommon.CommonBundleOpts{
+ Payload: payload,
+ BundlePath: c.BundlePath,
+ }
+
 if c.SigningConfig != nil {
- return signcommon.WriteNewBundleWithSigningConfig(ctx, c.KeyOpts, c.CertPath, c.CertChainPath, payload, name.Digest{}, "", c.BundlePath, false, c.SigningConfig, c.TrustedMaterial, nil)
+ return signcommon.WriteNewBundleWithSigningConfig(ctx, c.KeyOpts, c.CertPath, c.CertChainPath, bundleOpts, c.SigningConfig, c.TrustedMaterial)
 }
 bundleComponents, closeSV, err := signcommon.GetBundleComponents(ctx, c.CertPath, c.CertChainPath, c.KeyOpts, false, c.TlogUpload, payload, nil, c.RekorEntryType)
diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
index 2247c4b5c68..5ad44b746f5 100644
--- a/cmd/cosign/cli/sign/sign.go
+++ b/cmd/cosign/cli/sign/sign.go
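Review bot: The `CommonBundleOpts` literal here sets only `Payload` and `BundlePath` and relies on the zero values of `Upload`, `Digest`, `PredicateType` and `OCIRemoteOpts` to keep WriteNewBundleWithSigningConfig away from any registry, where the old call spelled out `name.Digest{}`, `""`, `false` and `nil`. A reader of the literal cannot tell the omission is deliberate; add `Upload: false, // blob attestations are never pushed to a registry` so the contract is explicit and survives a future change to how the field is defaulted.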
@@ -183,8 +183,17 @@ func signDigestBundle(ctx context.Context, digest name.Digest, ko options.KeyOpt
 ociremoteOpts = append(ociremoteOpts, ociremote.WithNameOptions(name.Insecure))
 }
+ bundleOpts := signcommon.CommonBundleOpts{
+ Payload: payload,
+ Digest: digest,
+ PredicateType: types.CosignSignPredicateType,
+ BundlePath: signOpts.BundlePath,
+ Upload: signOpts.Upload,
+ OCIRemoteOpts: ociremoteOpts,
+ }
+
 if ko.SigningConfig != nil {
- return signcommon.WriteNewBundleWithSigningConfig(ctx, ko, signOpts.Cert, signOpts.CertChain, payload, digest, types.CosignSignPredicateType, signOpts.BundlePath, signOpts.Upload, ko.SigningConfig, ko.TrustedMaterial, ociremoteOpts...)
+ return signcommon.WriteNewBundleWithSigningConfig(ctx, ko, signOpts.Cert, signOpts.CertChain, bundleOpts, ko.SigningConfig, ko.TrustedMaterial)
 }
 bundleComponents, closeSV, err := signcommon.GetBundleComponents(ctx, signOpts.Cert, signOpts.CertChain, ko, false, signOpts.TlogUpload, payload, digest, "dsse")
@@ -193,7 +202,7 @@ func signDigestBundle(ctx context.Context, digest name.Digest, ko options.KeyOpt
 }
 defer closeSV()
- return signcommon.WriteBundle(ctx, bundleComponents.SV, bundleComponents.RekorEntry, payload, bundleComponents.SignedPayload, bundleComponents.SignerBytes, bundleComponents.TimestampBytes, digest, types.CosignSignPredicateType, signOpts.BundlePath, signOpts.Upload, ociremoteOpts...)
+ return signcommon.WriteBundle(ctx, bundleComponents.SV, bundleComponents.RekorEntry, bundleOpts, bundleComponents.SignedPayload, bundleComponents.SignerBytes, bundleComponents.TimestampBytes)
 }
 func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko options.KeyOpts, signOpts options.SignOptions,
diff --git a/cmd/cosign/cli/signcommon/common.go b/cmd/cosign/cli/signcommon/common.go
index e51f27cfce7..9e70b17695a 100644
--- a/cmd/cosign/cli/signcommon/common.go
+++ b/cmd/cosign/cli/signcommon/common.go
@@ -466,37 +466,46 @@ func UploadToTlog(ctx context.Context, ko options.KeyOpts, ref name.Reference, t
 return entry, nil
 }
+ type CommonBundleOpts struct {
+ Payload []byte
+ Digest name.Digest
+ PredicateType string
+ BundlePath string
+ Upload bool
+ OCIRemoteOpts []ociremote.Option
+ }
+
 // WriteBundle compiles a protobuf bundle from components and writes the bundle to the OCI remote layer.
-func WriteBundle(ctx context.Context, sv *SignerVerifier, rekorEntry *models.LogEntryAnon, payload, signedPayload, signerBytes, timestampBytes []byte, digest name.Digest, predicateType, bundlePath string, upload bool, ociremoteOpts ...ociremote.Option) error {
+func WriteBundle(ctx context.Context, sv *SignerVerifier, rekorEntry *models.LogEntryAnon, bundleOpts CommonBundleOpts, signedPayload, signerBytes, timestampBytes []byte) error {
 pubKey, err := sv.PublicKey()
 if err != nil {
 return err
 }
- bundleBytes, err := cbundle.MakeNewBundle(pubKey, rekorEntry, payload, signedPayload, signerBytes, timestampBytes)
+ bundleBytes, err := cbundle.MakeNewBundle(pubKey, rekorEntry, bundleOpts.Payload, signedPayload, signerBytes, timestampBytes)
 if err != nil {
 return err
 }
- if bundlePath != "" {
- if err := os.WriteFile(bundlePath, bundleBytes, 0600); err != nil {
+ if bundleOpts.BundlePath != "" {
+ if err := os.WriteFile(bundleOpts.BundlePath, bundleBytes, 0600); err != nil {
 return fmt.Errorf("creating bundle file: %w", err)
 }
- ui.Infof(ctx, "Wrote bundle to file %s", bundlePath)
+ ui.Infof(ctx, "Wrote bundle to file %s", bundleOpts.BundlePath)
 }
- if !upload {
+ if !bundleOpts.Upload {
 return nil
 }
- return ociremote.WriteAttestationNewBundleFormat(digest, bundleBytes, predicateType, ociremoteOpts...)
+ return ociremote.WriteAttestationNewBundleFormat(bundleOpts.Digest, bundleBytes, bundleOpts.PredicateType, bundleOpts.OCIRemoteOpts...)
 }
 // WriteNewBundleWithSigningConfig uses signing config and trusted root to fetch responses from services for the bundle and writes the bundle to the OCI remote layer.
-func WriteNewBundleWithSigningConfig(ctx context.Context, ko options.KeyOpts, cert, certChain string, payload []byte, digest name.Digest, predicateType, bundlePath string, upload bool, signingConfig *root.SigningConfig, trustedMaterial root.TrustedMaterial, ociremoteOpts ...ociremote.Option) error {
+func WriteNewBundleWithSigningConfig(ctx context.Context, ko options.KeyOpts, cert, certChain string, bundleOpts CommonBundleOpts, signingConfig *root.SigningConfig, trustedMaterial root.TrustedMaterial) error {
 keypair, idToken, err := GetKeypairAndToken(ctx, ko, cert, certChain)
 if err != nil {
 return fmt.Errorf("getting keypair and token: %w", err)
 }
 content := &sign.DSSEData{
- Data: payload,
+ Data: bundleOpts.Payload,
 PayloadType: "application/vnd.in-toto+json",
 }
 bundle, err := cbundle.SignData(ctx, content, keypair, idToken, signingConfig, trustedMaterial)
@@ -504,17 +513,17 @@ func WriteNewBundleWithSigningConfig(ctx context.Context, ko options.KeyOpts, ce
 return fmt.Errorf("signing bundle: %w", err)
 }
- if bundlePath != "" {
- if err := os.WriteFile(bundlePath, bundle, 0600); err != nil {
+ if bundleOpts.BundlePath != "" {
+ if err := os.WriteFile(bundleOpts.BundlePath, bundle, 0600); err != nil {
 return fmt.Errorf("creating bundle file: %w", err)
 }
- ui.Infof(ctx, "Wrote bundle to file %s", bundlePath)
+ ui.Infof(ctx, "Wrote bundle to file %s", bundleOpts.BundlePath)
 return nil
 }
- if !upload {
+ if !bundleOpts.Upload {
 return nil
 }
- return ociremote.WriteAttestationNewBundleFormat(digest, bundle, predicateType, ociremoteOpts...)
+ return ociremote.WriteAttestationNewBundleFormat(bundleOpts.Digest, bundle, bundleOpts.PredicateType, bundleOpts.OCIRemoteOpts...)
 }
 type bundleComponents struct {
From 8e7e0571a0ccad90a883da3676562eb6e1fe5ab4 Mon Sep 17 00:00:00 2001
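Review bot: `CommonBundleOpts` is a new exported type with no doc comment and no field comments, and since both writers now decide between writing a file, attaching to the registry, or doing nothing based on the combination of `BundlePath` and `Upload`, that is where the contract belongs. Add a type comment saying it carries the inputs shared by WriteBundle and WriteNewBundleWithSigningConfig, and field comments stating that a non-empty `BundlePath` is where the serialized bundle is written (mode 0600), that `Upload` controls whether the bundle is attached to `Digest` in the registry, and that `PredicateType` and `OCIRemoteOpts` are used only for that attach. For attest.go's call site, which assigns `bundleOpts.PredicateType` after construction, a note that the field may be overridden before the write would also help.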
From: Riccardo Schirone <562321+ret2libc@users.noreply.github.com> Date: Mon, 3 Nov 2025 05:11:29 +0100 Subject: [PATCH 120/136] Add --signing-algorithm flag (#3497) * cmd/cosign: add --signing-algorithm flag Signed-off-by: Riccardo Schirone * fix getHashFunction to use signingAlgorithm Signed-off-by: Riccardo Schirone * cmd/cosign: set default ko.SigningAlgorithm Signed-off-by: Riccardo Schirone * cmd/cosign: set default ko.SigningAlgorithm 2 Signed-off-by: Riccardo Schirone * Validate signing-algorithm immediately Signed-off-by: Riccardo Schirone * Use GetDefaultLoadOptions function Signed-off-by: Riccardo Schirone * Update documentation Signed-off-by: Riccardo Schirone * use v3 Signed-off-by: Riccardo Schirone * Disable ed25519ph Signed-off-by: Riccardo Schirone * Fix doc Signed-off-by: Riccardo Schirone * Fix getHashAlgorithm to have a default value for SigningAlgorithm Signed-off-by: Riccardo Schirone * fix unused argument Signed-off-by: Riccardo Schirone --------- Signed-off-by: Riccardo Schirone --- cmd/cosign/cli/options/key.go | 4 +++ cmd/cosign/cli/options/signblob.go | 12 +++++++ cmd/cosign/cli/sign/sign_blob.go | 33 +++++++++++++------ cmd/cosign/cli/signblob.go | 17 ++++++++++ cmd/cosign/cli/signcommon/common.go | 49 +++++++++++++++++++++++++---- doc/cosign_sign-blob.md | 1 + pkg/cosign/keys.go | 26 +++++++++++++++ 7 files changed, 126 insertions(+), 16 deletions(-) diff --git a/cmd/cosign/cli/options/key.go b/cmd/cosign/cli/options/key.go index b62dc65fefd..66fab5523d3 100644 --- a/cmd/cosign/cli/options/key.go +++ b/cmd/cosign/cli/options/key.go @@ -72,4 +72,8 @@ type KeyOpts struct { // By default, Ed25519ph is used for ed25519 keys and RSA-PKCS1v15 is used // for RSA keys. DefaultLoadOptions *[]signature.LoadOption + + // SigningAlgorithm is the AlgorithmDetails string representation used to + // sign/hash the payload. + SigningAlgorithm string } 
diff --git a/cmd/cosign/cli/options/signblob.go b/cmd/cosign/cli/options/signblob.go
index 4d4b505cfb2..d40cfa783cf 100644
--- a/cmd/cosign/cli/options/signblob.go
+++ b/cmd/cosign/cli/options/signblob.go
@@ -16,6 +16,12 @@ package options
 import (
+ "fmt"
+ "strings"
+
+ "github.com/sigstore/cosign/v3/pkg/cosign"
+ v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
+ "github.com/sigstore/sigstore/pkg/signature"
 "github.com/spf13/cobra"
 )
@@ -43,6 +49,7 @@ type SignBlobOptions struct {
 TSAServerURL string
 RFC3161TimestampPath string
 IssueCertificate bool
+ SigningAlgorithm string
 UseSigningConfig bool
 SigningConfigPath string
@@ -127,4 +134,9 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) {
 cmd.Flags().BoolVar(&o.IssueCertificate, "issue-certificate", false,
 "issue a code signing certificate from Fulcio, even if a key is provided")
+
+ keyAlgorithmTypes := cosign.GetSupportedAlgorithms()
+ keyAlgorithmHelp := fmt.Sprintf("signing algorithm to use for signing/hashing (allowed %s)", strings.Join(keyAlgorithmTypes, ", "))
+ defaultKeyFlag, _ := signature.FormatSignatureAlgorithmFlag(v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256)
+ cmd.Flags().StringVar(&o.SigningAlgorithm, "signing-algorithm", defaultKeyFlag, keyAlgorithmHelp)
 }
diff --git a/cmd/cosign/cli/sign/sign_blob.go b/cmd/cosign/cli/sign/sign_blob.go
index a3e462a1bae..622fedf4f26 100644
--- a/cmd/cosign/cli/sign/sign_blob.go
+++ b/cmd/cosign/cli/sign/sign_blob.go
@@ -112,7 +112,7 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string
 }
 defer closeSV()
- hashFunction, err := getHashFunction(sv, ko.DefaultLoadOptions)
+ hashFunction, err := getHashFunction(sv, ko)
 if err != nil {
 return nil, err
 }
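Review bot: `defaultKeyFlag, _ := signature.FormatSignatureAlgorithmFlag(v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256)` in SignBlobOptions.AddFlags discards the error, while the same call in ParseSignatureAlgorithmFlag (common.go, later in this patch) handles it; if the discard is safe because the argument is a fixed enum value, say so on the line: `// error ignored: the argument is a fixed, supported enum value`. The P-256 default is also now spelled out in two places, this flag default and the empty-string fallback in ParseSignatureAlgorithmFlag; a single exported constant in pkg/cosign next to SupportedKeyDetails would keep them from drifting. Building the help text from cosign.GetSupportedAlgorithms() means the flag help and the PreRunE validation share one allow-list, which is the right design.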
@@ -277,18 +277,31 @@ func extractCertificate(ctx context.Context, sv *signcommon.SignerVerifier) ([]b
 return nil, nil
 }
-func getHashFunction(sv *signcommon.SignerVerifier, defaultLoadOptions *[]signature.LoadOption) (crypto.Hash, error) {
- pubKey, err := sv.PublicKey()
- if err != nil {
- return crypto.Hash(0), fmt.Errorf("error getting public key: %w", err)
- }
+func getHashFunction(sv *signcommon.SignerVerifier, ko options.KeyOpts) (crypto.Hash, error) {
+ if ko.Sk || ko.KeyRef != "" {
+ pubKey, err := sv.PublicKey()
+ if err != nil {
+ return crypto.Hash(0), fmt.Errorf("error getting public key: %w", err)
+ }
+
+ defaultLoadOptions := cosign.GetDefaultLoadOptions(ko.DefaultLoadOptions)
- defaultLoadOptions = cosign.GetDefaultLoadOptions(defaultLoadOptions)
+ // TODO: Ideally the SignerVerifier should have a method to get the hash function
+ algo, err := signature.GetDefaultAlgorithmDetails(pubKey, *defaultLoadOptions...)
+ if err != nil {
+ return crypto.Hash(0), fmt.Errorf("error getting default algorithm details: %w", err)
+ }
+ return algo.GetHashType(), nil
+ }
- // TODO: Ideally the SignerVerifier should have a method to get the hash function
- algo, err := signature.GetDefaultAlgorithmDetails(pubKey, *defaultLoadOptions...)
+ // New key was generated, using the signing algorithm specified by the user
+ keyDetails, err := signcommon.ParseSignatureAlgorithmFlag(ko.SigningAlgorithm)
+ if err != nil {
+ return crypto.Hash(0), fmt.Errorf("parsing signature algorithm: %w", err)
+ }
+ algo, err := signature.GetAlgorithmDetails(keyDetails)
 if err != nil {
- return crypto.Hash(0), fmt.Errorf("error getting default algorithm details: %w", err)
+ return crypto.Hash(0), fmt.Errorf("getting algorithm details: %w", err)
 }
 return algo.GetHashType(), nil
 }
diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go
index 5ad293030c1..30cb298280b 100644
--- a/cmd/cosign/cli/signblob.go
+++ b/cmd/cosign/cli/signblob.go
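Review bot: getHashFunction now takes the hash from two different sources, the loaded key's default algorithm details when `ko.Sk || ko.KeyRef != ""` and the `--signing-algorithm` value otherwise, and nothing states that the flag is silently ignored once a key is supplied. Add a doc comment such as `// getHashFunction returns the hash to apply to the payload: for a user-supplied key (--key or --sk) it is the key's default algorithm and ko.SigningAlgorithm is ignored; for an ephemeral key it follows ko.SigningAlgorithm.` Whether every way a SignerVerifier can be supplied lands in the first branch is not visible here and is worth confirming, because any other source would fall through and be hashed with the flag's algorithm rather than its own; the branch condition should mirror the one signerFromKeyOpts uses to decide on key generation.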
@@ -19,6 +19,7 @@ import (
 "context"
 "fmt"
 "os"
+ "strings"
 "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate"
 "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
@@ -66,6 +67,21 @@ func SignBlob() *cobra.Command {
 if options.NOf(o.Key, o.SecurityKey.Use) > 1 {
 return &options.KeyParseError{}
 }
+
+ // Check if the algorithm is in the list of supported algorithms
+ supportedAlgorithms := cosign.GetSupportedAlgorithms()
+ isValid := false
+ for _, algo := range supportedAlgorithms {
+ if algo == o.SigningAlgorithm {
+ isValid = true
+ break
+ }
+ }
+ if !isValid {
+ return fmt.Errorf("invalid signing algorithm: %s. Supported algorithms are: %s",
+ o.SigningAlgorithm, strings.Join(supportedAlgorithms, ", "))
+ }
+
 return nil
 },
 RunE: func(_ *cobra.Command, args []string) error {
@@ -99,6 +115,7 @@ func SignBlob() *cobra.Command {
 TSAServerURL: o.TSAServerURL,
 RFC3161TimestampPath: o.RFC3161TimestampPath,
 IssueCertificateForExistingKey: o.IssueCertificate,
+ SigningAlgorithm: o.SigningAlgorithm,
 }
 // If a signing config is used, then service URLs cannot be specified
 if (o.UseSigningConfig || o.SigningConfigPath != "") &&
diff --git a/cmd/cosign/cli/signcommon/common.go b/cmd/cosign/cli/signcommon/common.go
index 9e70b17695a..f46b5851bbf 100644
--- a/cmd/cosign/cli/signcommon/common.go
+++ b/cmd/cosign/cli/signcommon/common.go
@@ -17,7 +17,6 @@ package signcommon
 import (
 "bytes"
 "context"
- "crypto"
 "crypto/x509"
 "encoding/json"
 "encoding/pem"
@@ -44,6 +43,7 @@ import (
 ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote"
 sigs "github.com/sigstore/cosign/v3/pkg/signature"
 "github.com/sigstore/cosign/v3/pkg/types"
+ pb_go_v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
 rekorclient "github.com/sigstore/rekor/pkg/generated/client"
 "github.com/sigstore/rekor/pkg/generated/models"
 "github.com/sigstore/sigstore-go/pkg/root"
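Review bot: The validation added to PreRunE hand-rolls a membership test (`isValid`, a `for` loop and `break`) that `slices.Contains` expresses in one line if the module's Go version is 1.21 or later: `if !slices.Contains(supportedAlgorithms, o.SigningAlgorithm) {`, with `"slices"` added to the import block in place of the loop. The error also formats the user-supplied value with `%s`; `%q` makes an empty or whitespace-only value visible in the message. Rejecting an unsupported algorithm here, before any key material is generated, is the right place for the check, and deriving the list from cosign.GetSupportedAlgorithms() keeps it in step with the flag help.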
@@ -82,6 +82,17 @@ func (c *SignerVerifier) Bytes(ctx context.Context) ([]byte, error) {
 return pemBytes, nil
 }
+func getEphemeralKeypairOptions(signingAlgorithm string) (*sign.EphemeralKeypairOptions, error) {
+ keyDetails, err := ParseSignatureAlgorithmFlag(signingAlgorithm)
+ if err != nil {
+ return nil, fmt.Errorf("parsing signature algorithm: %w", err)
+ }
+
+ return &sign.EphemeralKeypairOptions{
+ Algorithm: keyDetails,
+ }, nil
+}
+
 // GetKeypairAndToken creates a keypair object from provided key or cert flags or generates an ephemeral key.
 // For an ephemeral key, it also uses the key to fetch an OIDC token, the pair of which are later used to get a Fulcio cert.
 func GetKeypairAndToken(ctx context.Context, ko options.KeyOpts, cert, certChain string) (sign.Keypair, string, error) {
@@ -101,7 +112,11 @@ func GetKeypairAndToken(ctx context.Context, ko options.KeyOpts, cert, certChain
 return nil, "", fmt.Errorf("creating signerverifier keypair: %w", err)
 }
 } else {
- keypair, err = sign.NewEphemeralKeypair(nil)
+ ephemeralKeypairOptions, err := getEphemeralKeypairOptions(ko.SigningAlgorithm)
+ if err != nil {
+ return nil, "", fmt.Errorf("getting ephemeral keypair options: %w", err)
+ }
+ keypair, err = sign.NewEphemeralKeypair(ephemeralKeypairOptions)
 if err != nil {
 return nil, "", fmt.Errorf("generating keypair: %w", err)
 }
@@ -231,7 +246,7 @@ func signerFromKeyOpts(ctx context.Context, certPath string, certChainPath strin
 default:
 genKey = true
 ui.Infof(ctx, "Generating ephemeral keys...")
- sv, err = signerFromNewKey()
+ sv, err = signerFromNewKey(ko.SigningAlgorithm, ko.DefaultLoadOptions)
 }
 if err != nil {
 return nil, false, err
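Review bot: In GetKeypairAndToken, `ephemeralKeypairOptions, err := getEphemeralKeypairOptions(ko.SigningAlgorithm)` declares a new `err` inside the `else` block, shadowing the outer `err` that the removed `keypair, err = sign.NewEphemeralKeypair(nil)` assigned with `=`; both results are checked on the next line so behaviour is unchanged as far as the hunk shows, but `go vet`'s shadow check will flag it and any read of the outer `err` after the block would see a stale value. Declare `var ephemeralKeypairOptions *sign.EphemeralKeypairOptions` before the block and assign with `=`, or fold the lookup into a helper that returns the keypair. getEphemeralKeypairOptions also lacks a comment; `// getEphemeralKeypairOptions maps the --signing-algorithm value to the key type sigstore-go should generate.` would do. GetKeypairAndToken continues outside the hunk.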
@@ -386,12 +401,23 @@ func signerFromKeyRef(ctx context.Context, certPath, certChainPath, keyRef strin
 return certSigner, nil
 }
-func signerFromNewKey() (*SignerVerifier, error) {
- privKey, err := cosign.GeneratePrivateKey()
+func signerFromNewKey(signingAlgorithm string, defaultLoadOptions *[]signature.LoadOption) (*SignerVerifier, error) {
+ keyDetails, err := ParseSignatureAlgorithmFlag(signingAlgorithm)
+ if err != nil {
+ return nil, fmt.Errorf("parsing signature algorithm: %w", err)
+ }
+ algo, err := signature.GetAlgorithmDetails(keyDetails)
+ if err != nil {
+ return nil, fmt.Errorf("getting algorithm details: %w", err)
+ }
+
+ privKey, err := cosign.GeneratePrivateKeyWithAlgorithm(&algo)
 if err != nil {
 return nil, fmt.Errorf("generating cert: %w", err)
 }
- sv, err := signature.LoadECDSASignerVerifier(privKey, crypto.SHA256)
+
+ defaultLoadOptions = cosign.GetDefaultLoadOptions(defaultLoadOptions)
+ sv, err := signature.LoadSignerVerifierFromAlgorithmDetails(privKey, algo, *defaultLoadOptions...)
 if err != nil {
 return nil, err
 }
@@ -602,3 +628,14 @@ func ParseOCIReference(ctx context.Context, refStr string, opts ...name.Option)
 }
 return ref, nil
 }
+
+func ParseSignatureAlgorithmFlag(signingAlgorithm string) (pb_go_v1.PublicKeyDetails, error) {
+ if signingAlgorithm == "" {
+ var err error
+ signingAlgorithm, err = signature.FormatSignatureAlgorithmFlag(pb_go_v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256)
+ if err != nil {
+ return pb_go_v1.PublicKeyDetails_PUBLIC_KEY_DETAILS_UNSPECIFIED, fmt.Errorf("formatting signature algorithm: %w", err)
+ }
+ }
+ return signature.ParseSignatureAlgorithmFlag(signingAlgorithm)
+}
diff --git a/doc/cosign_sign-blob.md b/doc/cosign_sign-blob.md
index 4135f3aac22..e7585000c19 100644
--- a/doc/cosign_sign-blob.md
+++ b/doc/cosign_sign-blob.md
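Review bot: ParseSignatureAlgorithmFlag is exported without a doc comment and carries an implicit default, an empty string becoming `PKIX_ECDSA_P256_SHA_256`, which duplicates the flag default set in SignBlobOptions.AddFlags earlier in this patch. Document it, e.g. `// ParseSignatureAlgorithmFlag converts a --signing-algorithm value to its PublicKeyDetails; an empty value selects ECDSA P-256 with SHA-256.`, and consider sourcing the default from one shared constant so the two cannot drift. In signerFromNewKey the new `cosign.GeneratePrivateKeyWithAlgorithm(&algo)` call keeps the old `"generating cert: %w"` error text, which now misdescribes a key-generation failure; `"generating private key: %w"` would match the call.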
@@ -57,6 +57,7 @@ cosign sign-blob [flags] --output-signature string write the signature to FILE --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") --rfc3161-timestamp string write the RFC3161 timestamp to a file + --signing-algorithm string signing algorithm to use for signing/hashing (allowed ecdsa-sha2-256-nistp256, ecdsa-sha2-384-nistp384, ecdsa-sha2-512-nistp521, rsa-sign-pkcs1-2048-sha256, rsa-sign-pkcs1-3072-sha256, rsa-sign-pkcs1-4096-sha256) (default "ecdsa-sha2-256-nistp256") --signing-config string path to a signing config file. Must provide --bundle, which will output verification material in the new format --sk whether to use a hardware security key --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management) diff --git a/pkg/cosign/keys.go b/pkg/cosign/keys.go index 26d7ed49059..8c299af1c01 100644 --- a/pkg/cosign/keys.go +++ b/pkg/cosign/keys.go @@ -28,6 +28,7 @@ import ( "fmt" "os" "path/filepath" + "sort" "github.com/secure-systems-lab/go-securesystemslib/encrypted" "github.com/sigstore/cosign/v3/pkg/oci/static" @@ -50,6 +51,17 @@ const ( RFC3161TimestampKey = static.RFC3161TimestampAnnotationKey ) +var SupportedKeyDetails = []v1.PublicKeyDetails{ + v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256, + v1.PublicKeyDetails_PKIX_ECDSA_P384_SHA_384, + v1.PublicKeyDetails_PKIX_ECDSA_P521_SHA_512, + v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_2048_SHA256, + v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_3072_SHA256, + v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_4096_SHA256, + // Ed25519ph is not supported by Fulcio, so we don't support it here for now. + // v1.PublicKeyDetails_PKIX_ED25519_PH, +} + // PassFunc is the function to be called to retrieve the signer password. If // nil, then it assumes that no password is provided. type PassFunc func(bool) ([]byte, error) 
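Review bot: `SupportedKeyDetails` in keys.go is an exported package-level variable with no doc comment, and as a plain slice any importer can append to or reorder it, which would silently change what `cosign sign-blob --signing-algorithm` accepts or advertises. A comment stating the contract, e.g. `// SupportedKeyDetails lists the key algorithms cosign can generate and sign with; Ed25519ph is omitted because Fulcio does not support it. Treat as read-only.`, makes the intent explicit to callers. The inline note about Ed25519ph is useful and could move into that doc comment.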
@@ -297,3 +309,17 @@ func GetDefaultLoadOptions(defaultLoadOptions *[]signature.LoadOption) *[]signat } return defaultLoadOptions } + +// GetSupportedAlgorithms returns a list of supported algorithms sorted alphabetically. +func GetSupportedAlgorithms() []string { + algorithms := make([]string, 0, len(SupportedKeyDetails)) + for _, algorithm := range SupportedKeyDetails { + signatureFlag, err := signature.FormatSignatureAlgorithmFlag(algorithm) + if err != nil { + continue + } + algorithms = append(algorithms, signatureFlag) + } + sort.Strings(algorithms) + return algorithms +} From 0f1bf8394cb282f11580b2f579cc5ceb4e83fa0e Mon Sep 17 00:00:00 2001 From: Zach Steindler Date: Tue, 4 Nov 2025 10:48:11 -0500 Subject: [PATCH 121/136] Add support to download and attach for protobuf bundles (#4477) --------- Signed-off-by: Zach Steindler --- cmd/cosign/cli/attach/attach.go | 65 +++++++---- cmd/cosign/cli/attach/sig.go | 25 ++-- cmd/cosign/cli/download.go | 4 +- cmd/cosign/cli/download/attestation.go | 38 ++++++- cmd/cosign/cli/download/signature.go | 26 ++++- cmd/cosign/cli/options/attach.go | 3 + cmd/cosign/cli/verify/verify.go | 2 +- cmd/cosign/cli/verify/verify_attestation.go | 2 +- doc/cosign_attach_signature.md | 1 + pkg/cosign/verify.go | 10 +- pkg/cosign/verify_oci_test.go | 8 +- test/e2e_test.go | 120 ++++++++++++++++++-- 12 files changed, 244 insertions(+), 60 deletions(-) diff --git a/cmd/cosign/cli/attach/attach.go b/cmd/cosign/cli/attach/attach.go index 971d4bed45c..15440379cb9 100644 --- a/cmd/cosign/cli/attach/attach.go +++ b/cmd/cosign/cli/attach/attach.go @@ -28,6 +28,7 @@ import ( ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote" "github.com/sigstore/cosign/v3/pkg/oci/static" "github.com/sigstore/cosign/v3/pkg/types" + "github.com/sigstore/sigstore-go/pkg/bundle" ) func AttestationCmd(ctx context.Context, regOpts options.RegistryOptions, signedPayloads []string, imageRef string) error { 
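Review bot: GetSupportedAlgorithms drops any entry of SupportedKeyDetails that `signature.FormatSignatureAlgorithmFlag` cannot format with a bare `continue`, so a mismatch between the curated list and the sigstore formatter would silently shrink the advertised set with no signal to the user or the maintainer. Since the list is a fixed value of this package, a formatting failure is a programming error rather than a runtime condition; a comment on the branch such as `// SupportedKeyDetails is curated to be formattable; an error here means the list is out of sync with sigstore` makes that assumption explicit, and a unit test asserting `len(GetSupportedAlgorithms()) == len(SupportedKeyDetails)` would catch the drift.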
@@ -37,7 +38,28 @@ func AttestationCmd(ctx context.Context, regOpts options.RegistryOptions, signed } for _, payload := range signedPayloads { - if err := attachAttestation(ctx, ociremoteOpts, payload, imageRef, regOpts.NameOptions()); err != nil { + fmt.Fprintf(os.Stderr, "Using payload from: %s", payload) + + ref, err := name.ParseReference(imageRef, regOpts.NameOptions()...) + if err != nil { + return err + } + if _, ok := ref.(name.Digest); !ok { + ui.Warnf(ctx, ui.TagReferenceMessage, imageRef) + } + + digest, err := ociremote.ResolveDigest(ref, ociremoteOpts...) + if err != nil { + return err + } + + // Detect if we are using new bundle format + b, err := bundle.LoadJSONFromPath(payload) + if err == nil { + return attachAttestationNewBundle(ociremoteOpts, b, digest) + } + + if err := attachAttestation(ociremoteOpts, payload, digest); err != nil { return fmt.Errorf("attaching payload from %s: %w", payload, err) } } 
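Review bot: The `return attachAttestationNewBundle(ociremoteOpts, b, digest)` inside the `for _, payload := range signedPayloads` loop returns from AttestationCmd after the first new-format bundle, so any remaining entries in signedPayloads are never attached while the caller sees success. It should report the error and otherwise move on to the next payload: `if err := attachAttestationNewBundle(ociremoteOpts, b, digest); err != nil { return fmt.Errorf("attaching payload from %s: %w", payload, err) }` followed by `continue`. Reference parsing and digest resolution on the lines above depend only on imageRef yet are repeated per payload, so they can be hoisted above the loop; the `fmt.Fprintf(os.Stderr, "Using payload from: %s", payload)` line also writes no trailing newline.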
@@ -45,8 +67,29 @@ func AttestationCmd(ctx context.Context, regOpts options.RegistryOptions, signed return nil } -func attachAttestation(ctx context.Context, remoteOpts []ociremote.Option, signedPayload, imageRef string, nameOpts []name.Option) error { - fmt.Fprintf(os.Stderr, "Using payload from: %s", signedPayload) +func attachAttestationNewBundle(remoteOpts []ociremote.Option, b *bundle.Bundle, digest name.Digest) error { + envelope, err := b.Envelope() + if err != nil { + return err + } + if envelope == nil { + return fmt.Errorf("bundle does not have DSSE envelope") + } + statement, err := envelope.Statement() + if err != nil { + return err + } + if statement == nil { + return fmt.Errorf("unable to understand bundle envelope statement") + } + bundleBytes, err := b.MarshalJSON() + if err != nil { + return err + } + return ociremote.WriteAttestationNewBundleFormat(digest, bundleBytes, statement.PredicateType, remoteOpts...) +} + +func attachAttestation(remoteOpts []ociremote.Option, signedPayload string, digest name.Digest) error { attestationFile, err := os.Open(signedPayload) if err != nil { return err @@ -73,22 +116,6 @@ func attachAttestation(ctx context.Context, remoteOpts []ociremote.Option, signe return fmt.Errorf("could not attach attestation without having signatures") } - ref, err := name.ParseReference(imageRef, nameOpts...) - if err != nil { - return err - } - if _, ok := ref.(name.Digest); !ok { - ui.Warnf(ctx, ui.TagReferenceMessage, imageRef) - } - digest, err := ociremote.ResolveDigest(ref, remoteOpts...) - if err != nil { - return err - } - // Overwrite "ref" with a digest to avoid a race where we use a tag - // multiple times, and it potentially points to different things at - // each access. - ref = digest // nolint - opts := []static.Option{static.WithLayerMediaType(types.DssePayloadType)} att, err := static.NewAttestation(payload, opts...) if err != nil { 
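Review bot: attachAttestationNewBundle writes the bundle to the registry after checking only that it carries a DSSE envelope with a parseable statement; nothing compares the statement's subject digest with `digest`, and the bundle's verification material is not verified. That matches the legacy attachAttestation path (whose body continues outside the hunk), but the function has no doc comment saying so; suggest `// attachAttestationNewBundle attaches a new-format bundle to digest as-is: the bundle is not verified and its subject is not compared to digest, so mismatches surface only at verify time.` The two `fmt.Errorf` calls with no format verbs would read better as `errors.New`.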
diff --git a/cmd/cosign/cli/attach/sig.go b/cmd/cosign/cli/attach/sig.go index 41418b01e63..c09fe03df3e 100644 --- a/cmd/cosign/cli/attach/sig.go +++ b/cmd/cosign/cli/attach/sig.go @@ -30,16 +30,10 @@ import ( "github.com/sigstore/cosign/v3/pkg/oci/mutate" ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote" "github.com/sigstore/cosign/v3/pkg/oci/static" + sgbundle "github.com/sigstore/sigstore-go/pkg/bundle" ) func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef, payloadRef, certRef, certChainRef, timeStampedSigRef, rekorBundleRef, imageRef string) error { - b64SigBytes, err := signatureBytes(sigRef) - if err != nil { - return err - } else if len(b64SigBytes) == 0 { - return errors.New("empty signature") - } - ref, err := name.ParseReference(imageRef, regOpts.NameOptions()...) if err != nil { return err @@ -52,10 +46,12 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef, if err != nil { return err } - // Overwrite "ref" with a digest to avoid a race where we use a tag - // multiple times, and it potentially points to different things at - // each access. - ref = digest // nolint + + // Detect if we are using new bundle format + b, err := sgbundle.LoadJSONFromPath(payloadRef) + if err == nil { + return attachAttestationNewBundle(ociremoteOpts, b, digest) + } var payload []byte if payloadRef == "" { @@ -67,6 +63,13 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef, return err } + b64SigBytes, err := signatureBytes(sigRef) + if err != nil { + return err + } else if len(b64SigBytes) == 0 { + return errors.New("empty signature") + } + sig, err := static.NewSignature(payload, string(b64SigBytes)) if err != nil { return err diff --git a/cmd/cosign/cli/download.go b/cmd/cosign/cli/download.go index 687fedb7084..a38f2e966fc 100644 --- a/cmd/cosign/cli/download.go +++ b/cmd/cosign/cli/download.go 
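Review bot: In SignatureCmd the new `if err == nil { return attachAttestationNewBundle(...) }` branch fires whenever payloadRef parses as a bundle, and from then on sigRef, certRef, certChainRef, timeStampedSigRef and rekorBundleRef are ignored without any message, so a user who supplies a bundle together with a separate signature or certificate gets a different attachment than they asked for. Rejecting the combination keeps the behaviour explicit, e.g. `if sigRef != "" || certRef != "" || certChainRef != "" || timeStampedSigRef != "" || rekorBundleRef != "" { return errors.New("a bundle payload cannot be combined with separate signature, certificate, timestamp or rekor inputs") }` placed before that `return`. Moving the `signatureBytes(sigRef)` call below the bundle branch also means an empty sigRef is no longer an error for bundle input, which is presumably intended but deserves a one-line comment.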
@@ -49,7 +49,7 @@ func downloadSignature() *cobra.Command { Args: cobra.ExactArgs(1), PersistentPreRun: options.BindViper, RunE: func(cmd *cobra.Command, args []string) error { - return download.SignatureCmd(cmd.Context(), *o, args[0]) + return download.SignatureCmd(cmd.Context(), *o, args[0], cmd.OutOrStdout()) }, } @@ -94,7 +94,7 @@ func downloadAttestation() *cobra.Command { Args: cobra.ExactArgs(1), PersistentPreRun: options.BindViper, RunE: func(cmd *cobra.Command, args []string) error { - return download.AttestationCmd(cmd.Context(), *o, *ao, args[0]) + return download.AttestationCmd(cmd.Context(), *o, *ao, args[0], cmd.OutOrStdout()) }, } diff --git a/cmd/cosign/cli/download/attestation.go b/cmd/cosign/cli/download/attestation.go index 814021eacff..cbbb965a7c4 100644 --- a/cmd/cosign/cli/download/attestation.go +++ b/cmd/cosign/cli/download/attestation.go @@ -19,7 +19,7 @@ import ( "context" "encoding/json" "errors" - "fmt" + "io" "github.com/google/go-containerregistry/pkg/name" "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" @@ -28,7 +28,7 @@ import ( ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote" ) -func AttestationCmd(ctx context.Context, regOpts options.RegistryOptions, attOptions options.AttestationDownloadOptions, imageRef string) error { +func AttestationCmd(ctx context.Context, regOpts options.RegistryOptions, attOptions options.AttestationDownloadOptions, imageRef string, out io.Writer) error { ref, err := name.ParseReference(imageRef, regOpts.NameOptions()...) if err != nil { return err 
@@ -46,6 +46,35 @@ func AttestationCmd(ctx context.Context, regOpts options.RegistryOptions, attOpt } } + // Try bundles first + newBundles, _, err := cosign.GetBundles(ctx, ref, ociremoteOpts) + if err == nil && len(newBundles) > 0 { + for _, eachBundle := range newBundles { + if predicateType != "" { + envelope, err := eachBundle.Envelope() + if err != nil || envelope == nil { + continue + } + statement, err := envelope.Statement() + if err != nil || statement == nil { + continue + } + if statement.PredicateType != predicateType { + continue + } + } + b, err := json.Marshal(eachBundle) + if err != nil { + return err + } + _, err = out.Write(append(b, byte('\n'))) + if err != nil { + return err + } + } + return nil + } + se, err := ociremote.SignedEntity(ref, ociremoteOpts...) var entityNotFoundError *ociremote.EntityNotFoundError if err != nil { @@ -76,7 +105,10 @@ func AttestationCmd(ctx context.Context, regOpts options.RegistryOptions, attOpt if err != nil { return err } - fmt.Println(string(b)) + _, err = out.Write(append(b, byte('\n'))) + if err != nil { + return err + } } return nil } diff --git a/cmd/cosign/cli/download/signature.go b/cmd/cosign/cli/download/signature.go index 67fb9b87e77..deb3d67c3be 100644 --- a/cmd/cosign/cli/download/signature.go +++ b/cmd/cosign/cli/download/signature.go @@ -18,14 +18,14 @@ package download import ( "context" "encoding/json" - "fmt" + "io" "github.com/google/go-containerregistry/pkg/name" "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" "github.com/sigstore/cosign/v3/pkg/cosign" ) -func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef string) error { +func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef string, out io.Writer) error { ref, err := name.ParseReference(imageRef, regOpts.NameOptions()...) if err != nil { return err 
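Review bot: In the new "Try bundles first" block of AttestationCmd, when bundles exist but `predicateType` filters all of them out, the loop writes nothing and the function returns nil, whereas the legacy path below errors on a predicate type that matches nothing (TestAttestationDownloadWithBadPredicateType relies on that). Counting matches removes the asymmetry: `matched++` after the `out.Write`, and after the loop `if matched == 0 { return errors.New("no attestations found matching the requested predicate type") }` before `return nil`. The block also discards the `GetBundles` error and, when bundles are present, never falls through to legacy attestations on the same image, so mixed-format images only ever show the new-format ones; the same swallowed error and precedence appear in the SignatureCmd hunk of download/signature.go.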
@@ -34,6 +34,23 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef if err != nil { return err } + + // Try bundles first + newBundles, _, err := cosign.GetBundles(ctx, ref, ociremoteOpts) + if err == nil && len(newBundles) > 0 { + for _, eachBundle := range newBundles { + b, err := json.Marshal(eachBundle) + if err != nil { + return err + } + _, err = out.Write(append(b, byte('\n'))) + if err != nil { + return err + } + } + return nil + } + signatures, err := cosign.FetchSignaturesForReference(ctx, ref, ociremoteOpts...) if err != nil { return err @@ -43,7 +60,10 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef if err != nil { return err } - fmt.Println(string(b)) + _, err = out.Write(append(b, byte('\n'))) + if err != nil { + return err + } } return nil } diff --git a/cmd/cosign/cli/options/attach.go b/cmd/cosign/cli/options/attach.go index e0aac3fb85b..ee55697fc88 100644 --- a/cmd/cosign/cli/options/attach.go +++ b/cmd/cosign/cli/options/attach.go @@ -47,6 +47,9 @@ func (o *AttachSignatureOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.Payload, "payload", "", "path to the payload covered by the signature") + cmd.Flags().StringVar(&o.Payload, "bundle", "", + "path to bundle containing signature (alias for payload)") + cmd.Flags().StringVar(&o.Cert, "certificate", "", "path to the X.509 certificate in PEM format to include in the OCI Signature") diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go index 9f8427863aa..ae6b54e647c 100644 --- a/cmd/cosign/cli/verify/verify.go +++ b/cmd/cosign/cli/verify/verify.go 
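Review bot: In AddFlags of options/attach.go, `--bundle` is bound to the same `o.Payload` field as `--payload`, so when both are passed the one parsed last wins silently and the user gets no indication which file was attached. `cmd.MarkFlagsMutuallyExclusive("payload", "bundle")` after the two `StringVar` calls makes cobra reject the combination. The help text could also mention that a bundle is recognised by its content rather than by which flag was used, since that is how sig.go chooses the attach path.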
@@ -137,7 +137,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { if !c.LocalImage { ref, err := name.ParseReference(images[0], c.NameOptions...) if err == nil && c.NewBundleFormat { - newBundles, _, err := cosign.GetBundles(ctx, ref, co, c.NameOptions...) + newBundles, _, err := cosign.GetBundles(ctx, ref, co.RegistryClientOpts, c.NameOptions...) if len(newBundles) == 0 || err != nil { co.NewBundleFormat = false } diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go index 781626f202b..edbfac10c66 100644 --- a/cmd/cosign/cli/verify/verify_attestation.go +++ b/cmd/cosign/cli/verify/verify_attestation.go @@ -122,7 +122,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e if !c.LocalImage { ref, err := name.ParseReference(images[0], c.NameOptions...) if err == nil && c.NewBundleFormat { - newBundles, _, err := cosign.GetBundles(ctx, ref, co, c.NameOptions...) + newBundles, _, err := cosign.GetBundles(ctx, ref, co.RegistryClientOpts, c.NameOptions...) if len(newBundles) == 0 || err != nil { co.NewBundleFormat = false } diff --git a/doc/cosign_attach_signature.md b/doc/cosign_attach_signature.md index a0355876e0e..e9b00729deb 100644 --- a/doc/cosign_attach_signature.md +++ b/doc/cosign_attach_signature.md 
@@ -35,6 +35,7 @@ cosign attach signature [flags] --allow-http-registry whether to allow using HTTP protocol while connecting to registries. Don't use this for anything but testing --allow-insecure-registry whether to allow insecure connections to registries (e.g., with expired or self-signed TLS certificates). Don't use this for anything but testing --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] + --bundle string path to bundle containing signature (alias for payload) --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature -h, --help help for signature diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go index f4755934d53..db9a864d564 100644 --- a/pkg/cosign/verify.go +++ b/pkg/cosign/verify.go 
@@ -1621,10 +1621,10 @@ func verifyImageSignaturesExperimentalOCI(ctx context.Context, signedImgRef name return verifySignatures(ctx, sigs, h, co) } -func GetBundles(_ context.Context, signedImgRef name.Reference, co *CheckOpts, nameOpts ...name.Option) ([]*sgbundle.Bundle, *v1.Hash, error) { +func GetBundles(_ context.Context, signedImgRef name.Reference, registryClientOpts []ociremote.Option, nameOpts ...name.Option) ([]*sgbundle.Bundle, *v1.Hash, error) { // This is a carefully optimized sequence for fetching the signatures of the // entity that minimizes registry requests when supplied with a digest input - digest, err := ociremote.ResolveDigest(signedImgRef, co.RegistryClientOpts...) + digest, err := ociremote.ResolveDigest(signedImgRef, registryClientOpts...) if err != nil { if terr := (&transport.Error{}); errors.As(err, &terr) && terr.StatusCode == http.StatusNotFound { return nil, nil, &ErrImageTagNotFound{ @@ -1638,7 +1638,7 @@ func GetBundles(_ context.Context, signedImgRef name.Reference, co *CheckOpts, n return nil, nil, err } - index, err := ociremote.Referrers(digest, "", co.RegistryClientOpts...) + index, err := ociremote.Referrers(digest, "", registryClientOpts...) if err != nil { return nil, nil, err } @@ -1648,7 +1648,7 @@ func GetBundles(_ context.Context, signedImgRef name.Reference, co *CheckOpts, n if err != nil { return nil, nil, err } - bundle, err := ociremote.Bundle(st, co.RegistryClientOpts...) + bundle, err := ociremote.Bundle(st, registryClientOpts...) if err != nil { // There may be non-Sigstore referrers in the index, so we can ignore them. // TODO: Should we surface any errors here (e.g. if the bundle is invalid)? 
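Review bot: GetBundles is exported and its signature changes in this hunk, but it still has no doc comment; the comment inside the body describes the request-minimising sequence rather than the contract. Suggest `// GetBundles returns the new-format Sigstore bundles attached as referrers of signedImgRef, together with the resolved image digest; referrers that are not bundles are skipped.` above the signature. Taking `registryClientOpts []ociremote.Option` instead of `*CheckOpts` is a good decoupling, and the later hunks in this file and in verify_oci_test.go are the matching call-site updates.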
@@ -1668,7 +1668,7 @@ func GetBundles(_ context.Context, signedImgRef name.Reference, co *CheckOpts, n // verifyImageAttestationsSigstoreBundle verifies attestations from attached sigstore bundles func verifyImageAttestationsSigstoreBundle(ctx context.Context, signedImgRef name.Reference, co *CheckOpts, nameOpts ...name.Option) (checkedAttestations []oci.Signature, atLeastOneBundleVerified bool, err error) { - bundles, hash, err := GetBundles(ctx, signedImgRef, co, nameOpts...) + bundles, hash, err := GetBundles(ctx, signedImgRef, co.RegistryClientOpts, nameOpts...) if err != nil { return nil, false, err } diff --git a/pkg/cosign/verify_oci_test.go b/pkg/cosign/verify_oci_test.go index f9d44b7c379..3ad8690b998 100644 --- a/pkg/cosign/verify_oci_test.go +++ b/pkg/cosign/verify_oci_test.go @@ -53,7 +53,7 @@ func TestGetBundles_Empty(t *testing.T) { assert.NoError(t, err) // If tag doesn't exist, should return ErrImageTagNotFound - bundles, hash, err := GetBundles(context.Background(), ref, &CheckOpts{}) + bundles, hash, err := GetBundles(context.Background(), ref, []ociremote.Option{}) imgTagNotFound := &ErrImageTagNotFound{} assert.ErrorAs(t, err, &imgTagNotFound) assert.Len(t, bundles, 0) @@ -65,7 +65,7 @@ func TestGetBundles_Empty(t *testing.T) { assert.NoError(t, remote.Write(ref, img)) // Check that no matching attestation error is returned - bundles, hash, err = GetBundles(context.Background(), ref, &CheckOpts{}) + bundles, hash, err = GetBundles(context.Background(), ref, []ociremote.Option{}) var noMatchErr *ErrNoMatchingAttestations assert.ErrorAs(t, err, &noMatchErr) assert.Len(t, bundles, 0) 
@@ -81,7 +81,7 @@ func TestGetBundles_Empty(t *testing.T) { assert.NoError(t, err) // Should still return no matching attestation error, as it failed to parse the bundle - bundles, hash, err = GetBundles(context.Background(), ref, &CheckOpts{}) + bundles, hash, err = GetBundles(context.Background(), ref, []ociremote.Option{}) assert.ErrorAs(t, err, &noMatchErr) assert.Len(t, bundles, 0) assert.Nil(t, hash) @@ -111,7 +111,7 @@ func TestGetBundles_Valid(t *testing.T) { assert.NoError(t, err) // Retrieve the attestation - bundles, hash, err := GetBundles(context.Background(), ref, &CheckOpts{}) + bundles, hash, err := GetBundles(context.Background(), ref, []ociremote.Option{}) assert.NoError(t, err) assert.Len(t, bundles, 1) assert.NotNil(t, hash) diff --git a/test/e2e_test.go b/test/e2e_test.go index 95714bc34d7..05d2043db68 100644 --- a/test/e2e_test.go +++ b/test/e2e_test.go @@ -109,7 +109,7 @@ func TestSignVerify(t *testing.T) { // Verify should fail at first mustErr(verify(pubKeyPath, imgName, true, nil, "", false), t) // So should download - mustErr(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t) + mustErr(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName, os.Stdout), t) // Now sign the image ko := options.KeyOpts{ @@ -126,7 +126,7 @@ func TestSignVerify(t *testing.T) { // Now verify and download should work! must(verify(pubKeyPath, imgName, true, nil, "", false), t) - must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t) + must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName, os.Stdout), t) // Ensure it verifies if you default to the new protobuf bundle format cmd := cliverify.VerifyCommand{ 
@@ -175,7 +175,7 @@ func TestSignVerifyCertBundle(t *testing.T) { // Verify should fail at first mustErr(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, imgName, true, nil, "", true), t) // So should download - mustErr(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t) + mustErr(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName, os.Stdout), t) // Now sign the image ko := options.KeyOpts{ @@ -195,7 +195,7 @@ func TestSignVerifyCertBundle(t *testing.T) { must(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, imgName, true, nil, "", ignoreTlog), t) // verification with certificate chain instead of root/intermediate files should work as well must(verifyCertChain(pubKeyPath, certChainFile, certFile, imgName, true, nil, "", ignoreTlog), t) - must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t) + must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName, os.Stdout), t) // Look for a specific annotation mustErr(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, imgName, true, map[string]interface{}{"foo": "bar"}, "", ignoreTlog), t) @@ -246,7 +246,7 @@ func TestSignVerifyClean(t *testing.T) { // Now verify and download should work! must(verify(pubKeyPath, imgName, true, nil, "", false), t) - must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t) + must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName, os.Stdout), t) // Now clean signature from the given image must(cli.CleanCmd(ctx, options.RegistryOptions{}, "all", imgName, true), t) 
@@ -288,7 +288,7 @@ func TestImportSignVerifyClean(t *testing.T) { // Now verify and download should work! must(verify(pubKeyPath, imgName, true, nil, "", false), t) - must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t) + must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName, os.Stdout), t) // Now clean signature from the given image must(cli.CleanCmd(ctx, options.RegistryOptions{}, "all", imgName, true), t) @@ -1507,7 +1507,7 @@ func TestAttestationDownload(t *testing.T) { // Call download.AttestationCmd() to ensure success attOpts := options.AttestationDownloadOptions{} - must(download.AttestationCmd(ctx, regOpts, attOpts, imgName), t) + must(download.AttestationCmd(ctx, regOpts, attOpts, imgName, os.Stdout), t) attestations, err := cosign.FetchAttestationsForReference(ctx, ref, attOpts.PredicateType, ociremoteOpts...) if err != nil { @@ -1603,7 +1603,7 @@ func TestAttestationDownloadWithPredicateType(t *testing.T) { attOpts := options.AttestationDownloadOptions{ PredicateType: "vuln", } - must(download.AttestationCmd(ctx, regOpts, attOpts, imgName), t) + must(download.AttestationCmd(ctx, regOpts, attOpts, imgName, os.Stdout), t) predicateType, _ := options.ParsePredicateType(attOpts.PredicateType) attestations, err := cosign.FetchAttestationsForReference(ctx, ref, predicateType, ociremoteOpts...) @@ -1653,7 +1653,7 @@ func TestAttestationDownloadWithBadPredicateType(t *testing.T) { attOpts := options.AttestationDownloadOptions{ PredicateType: "vuln", } - mustErr(download.AttestationCmd(ctx, regOpts, attOpts, imgName), t) + mustErr(download.AttestationCmd(ctx, regOpts, attOpts, imgName, os.Stdout), t) } func TestAttestationReplaceCreate(t *testing.T) { 
@@ -2505,7 +2505,7 @@ func TestDuplicateSign(t *testing.T) { // Verify should fail at first mustErr(verify(pubKeyPath, imgName, true, nil, "", true), t) // So should download - mustErr(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t) + mustErr(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName, os.Stdout), t) // Now sign the image ko := options.KeyOpts{ @@ -2520,7 +2520,7 @@ func TestDuplicateSign(t *testing.T) { // Now verify and download should work! // Ignore the tlog, because uploading to the tlog causes new signatures with new timestamp entries to be appended. must(verify(pubKeyPath, imgName, true, nil, "", true), t) - must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t) + must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName, os.Stdout), t) // Signing again should work just fine... must(sign.SignCmd(ro, ko, so, []string{imgName}), t) 
@@ -3217,6 +3217,104 @@ func TestSaveLoadAttestation(t *testing.T) { must(verifyAttestation.Exec(ctx, []string{imageDir}), t) } +func TestAttestDownloadAttachNewBundle(t *testing.T) { + repo, stop := reg(t) + defer stop() + + imgName := path.Join(repo, "attest-new-bundle") + _, _, cleanup := mkimage(t, imgName) + defer cleanup() + + // Download should fail before attesting + ctx := context.Background() + regOpts := options.RegistryOptions{} + attOpts := options.AttestationDownloadOptions{} + mustErr(download.AttestationCmd(ctx, regOpts, attOpts, imgName, os.Stdout), t) + + // Attest first image + td := t.TempDir() + _, privKeyPath, _ := keypair(t, td) + ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc, NewBundleFormat: true} + + slsaAttestation := `{ "buildType": "x", "builder": { "id": "2" }, "recipe": {} }` + slsaAttestationPath := filepath.Join(td, "attestation.slsa.json") + if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0600); err != nil { + t.Fatal(err) + } + + attestCommand := attest.AttestCommand{ + KeyOpts: ko, + PredicatePath: slsaAttestationPath, + PredicateType: "slsaprovenance", + RekorEntryType: "dsse", + } + + must(attestCommand.Exec(ctx, imgName), t) + + // Download should now succeed - redirect stdout to use with attach + out := bytes.Buffer{} + must(download.AttestationCmd(ctx, regOpts, attOpts, imgName, &out), t) + + // Create a new image to attach to + img2Name := path.Join(repo, "attest-new-bundle-2") + _, _, cleanup = mkimage(t, img2Name) + defer cleanup() + + bundlePath := filepath.Join(td, "downloaded-bundle.sigstore.json") + if err := os.WriteFile(bundlePath, out.Bytes(), 0600); err != nil { + t.Fatal(err) + } + + must(attach.AttestationCmd(ctx, regOpts, []string{bundlePath}, img2Name), t) + + // Download should succeed on second image + must(download.AttestationCmd(ctx, regOpts, attOpts, img2Name, os.Stdout), t) +} + +func TestSignDownloadAttachNewBundle(t *testing.T) { + repo, stop := reg(t) + defer 
stop() + + imgName := path.Join(repo, "sign-new-bundle") + _, _, cleanup := mkimage(t, imgName) + defer cleanup() + + // Download should fail before attesting + ctx := context.Background() + regOpts := options.RegistryOptions{} + mustErr(download.SignatureCmd(ctx, regOpts, imgName, os.Stdout), t) + + // Sign first image + td := t.TempDir() + _, privKeyPath, _ := keypair(t, td) + ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} + so := options.SignOptions{ + NewBundleFormat: true, + Upload: true, + } + + must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + + // Download should now succeed - redirect stdout to use with attach + out := bytes.Buffer{} + must(download.SignatureCmd(ctx, regOpts, imgName, &out), t) + + // Create a new image to attach to + img2Name := path.Join(repo, "sign-new-bundle-2") + _, _, cleanup = mkimage(t, img2Name) + defer cleanup() + + bundlePath := filepath.Join(td, "downloaded-bundle.sigstore.json") + if err := os.WriteFile(bundlePath, out.Bytes(), 0600); err != nil { + t.Fatal(err) + } + + must(attach.SignatureCmd(ctx, regOpts, "", bundlePath, "", "", "", "", img2Name), t) + + // Download should succeed on second image + must(download.SignatureCmd(ctx, regOpts, img2Name, os.Stdout), t) +} + func TestAttachSBOM(t *testing.T) { td := t.TempDir() err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td) From ee3d9fe1c55e80e462791ce94cf25090b9f6e3a2 Mon Sep 17 00:00:00 2001 
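Review bot: TestAttestDownloadAttachNewBundle attaches the bundle produced for imgName to img2Name and only asserts that a download from img2Name succeeds; it never asserts that verification of img2Name fails, which is the property that makes the attach-to-another-image flow safe (the subject digest inside the bundle still names the first image). A negative verification of img2Name using the same verify helpers the neighbouring tests use would lock that in, and the same applies to TestSignDownloadAttachNewBundle. Neither test exercises the predicate-type filtering added to download.AttestationCmd in this commit, so a case with a non-matching `PredicateType` would be worth adding.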
From: Colleen Murphy Date: Fri, 31 Oct 2025 16:50:39 -0700 Subject: [PATCH 122/136] Fix signing/verifying annotations for new bundle Without this change, when the new bundle format is used, annotations were not being added to the payload, nor were they being checked during verification, but were still being reported as verified. This also had a side effect of the annotations not appearing in the verification output. This change fixes the issue by passing through the annotations to the statement builder during signing, and using a different in-toto `Statement` type to parse annotations from the statement during verification, as well as actually calling the claims verifier. Signed-off-by: Colleen Murphy --- cmd/cosign/cli/sign/sign.go | 11 +++++---- cmd/cosign/cli/verify/verify.go | 19 +++++++++++++++- cmd/cosign/cli/verify/verify_test.go | 3 ++- pkg/cosign/verifiers.go | 12 ++++++---- pkg/cosign/verify.go | 5 ++++ test/e2e_test.go | 34 ++++++++++++++++++++++++++++ 6 files changed, 74 insertions(+), 10 deletions(-) diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go index 5ad44b746f5..fe0508711c1 100644 --- a/cmd/cosign/cli/sign/sign.go +++ b/cmd/cosign/cli/sign/sign.go @@ -47,6 +47,7 @@ import ( "github.com/sigstore/cosign/v3/pkg/types" sigPayload "github.com/sigstore/sigstore/pkg/signature/payload" "google.golang.org/protobuf/encoding/protojson" + "google.golang.org/protobuf/types/known/structpb" // Loads OIDC providers _ "github.com/sigstore/cosign/v3/pkg/providers/all" @@ -114,7 +115,7 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, signOpts options.SignO return fmt.Errorf("accessing image: %w", err) } if signOpts.NewBundleFormat { - err = signDigestBundle(ctx, digest, ko, signOpts) + err = signDigestBundle(ctx, digest, ko, signOpts, annotations) } else { err = signDigest(ctx, digest, staticPayload, ko, signOpts, annotations, se) } 
@@ -137,7 +138,7 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, signOpts options.SignO } digest := ref.Context().Digest(d.String()) if signOpts.NewBundleFormat { - err = signDigestBundle(ctx, digest, ko, signOpts) + err = signDigestBundle(ctx, digest, ko, signOpts, annotations) } else { err = signDigest(ctx, digest, staticPayload, ko, signOpts, annotations, se) } @@ -153,14 +154,16 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, signOpts options.SignO return nil } -func signDigestBundle(ctx context.Context, digest name.Digest, ko options.KeyOpts, signOpts options.SignOptions) error { +func signDigestBundle(ctx context.Context, digest name.Digest, ko options.KeyOpts, signOpts options.SignOptions, annotations map[string]any) error { digestParts := strings.Split(digest.DigestStr(), ":") if len(digestParts) != 2 { return fmt.Errorf("unable to parse digest %s", digest.DigestStr()) } + annoStruct, _ := structpb.NewStruct(annotations) subject := intotov1.ResourceDescriptor{ - Digest: map[string]string{digestParts[0]: digestParts[1]}, + Digest: map[string]string{digestParts[0]: digestParts[1]}, + Annotations: annoStruct, } statement := &intotov1.Statement{ diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go index ae6b54e647c..e9fc06bce7e 100644 --- a/cmd/cosign/cli/verify/verify.go +++ b/cmd/cosign/cli/verify/verify.go @@ -25,6 +25,7 @@ import ( "path/filepath" "github.com/google/go-containerregistry/pkg/name" + in_toto_attest "github.com/in-toto/attestation/go/v1" "github.com/in-toto/in-toto-golang/in_toto" "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign" 
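Review bot: In signDigestBundle, `annoStruct, _ := structpb.NewStruct(annotations)` discards the conversion error; if a value is not representable as a `structpb.Value`, `annoStruct` is nil and the annotations are silently left out of the signed statement, which is the very symptom this commit is fixing. Check it: `annoStruct, err := structpb.NewStruct(annotations)` then `if err != nil { return fmt.Errorf("converting annotations: %w", err) }`. A signed payload silently missing claims the user asked for should never be the failure mode.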
@@ -154,7 +155,11 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { } if c.CheckClaims { - co.ClaimVerifier = cosign.SimpleClaimVerifier + if co.NewBundleFormat { + co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier + } else { + co.ClaimVerifier = cosign.SimpleClaimVerifier + } } err = SetLegacyClientsAndKeys(ctx, c.IgnoreTlog, shouldVerifySCT(c.IgnoreSCT, c.KeyRef, c.Sk), keylessVerification(c.KeyRef, c.Sk), c.RekorURL, c.TSACertChainPath, c.CertChain, c.CARoots, c.CAIntermediates, co) @@ -255,6 +260,7 @@ func transformOutput(verified []oci.Signature, name string) (verifiedOutput []oc if dsseEnvelope.PayloadType != in_toto.PayloadType { return nil, fmt.Errorf("unable to understand payload type %s", dsseEnvelope.PayloadType) } + // Unmarshal first into in_toto.StatementHeader which should correctly parse the predicate type var intotoStatement in_toto.StatementHeader err = json.Unmarshal(dsseEnvelope.Payload, &intotoStatement) if err != nil { @@ -263,11 +269,21 @@ func transformOutput(verified []oci.Signature, name string) (verifiedOutput []oc if len(intotoStatement.Subject) < 1 || len(intotoStatement.Subject[0].Digest) < 1 { return nil, fmt.Errorf("no intoto subject or digest found") } + // Unmarshal again into in_toto_attest.Statement in order to parse annotations + var intotoAnnoStatement in_toto_attest.Statement + err = json.Unmarshal(dsseEnvelope.Payload, &intotoAnnoStatement) + if err != nil { + return nil, err + } + if len(intotoAnnoStatement.Subject) < 1 || len(intotoAnnoStatement.Subject[0].Digest) < 1 { + return nil, fmt.Errorf("no intoto subject or digest found") + } var digest string for k, v := range intotoStatement.Subject[0].Digest { digest = k + ":" + v } + annotations := intotoAnnoStatement.Subject[0].Annotations.AsMap() sci := payload.SimpleContainerImage{ Critical: payload.Critical{ 
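Review bot: The second decode in transformOutput runs the protobuf-generated `in_toto_attest.Statement` through `encoding/json`; protoc-gen-go emits `json` tags named after the proto fields (`predicate_type`, not `predicateType`), which is presumably why the header decode is kept for the predicate type and only the annotations are read from the second parse. Decoding once with `protojson.UnmarshalOptions{DiscardUnknown: true}.Unmarshal(dsseEnvelope.Payload, &intotoAnnoStatement)` honours the canonical in-toto field names and removes the duplicated subject/digest check and error string. If the two-pass form stays, the new `json.Unmarshal` error at least deserves context, e.g. `return nil, fmt.Errorf("parsing in-toto statement annotations: %w", err)`. `AsMap()` on a nil `*structpb.Struct` yields an empty map, so the `annotations` line is safe for a subject that carries none. transformOutput's body continues outside the hunk.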
@@ -279,6 +295,7 @@ func transformOutput(verified []oci.Signature, name string) (verifiedOutput []oc }, Type: intotoStatement.PredicateType, }, + Optional: annotations, } p, err := json.Marshal(sci) if err != nil { diff --git a/cmd/cosign/cli/verify/verify_test.go b/cmd/cosign/cli/verify/verify_test.go index 0882a978847..020272711d3 100644 --- a/cmd/cosign/cli/verify/verify_test.go +++ b/cmd/cosign/cli/verify/verify_test.go @@ -351,7 +351,7 @@ func TestTransformOutputSuccess(t *testing.T) { stmt := `{ "_type": "https://in-toto.io/Statement/v0.1", "subject": [ - { "name": "artifact", "digest": { "sha256": "deadbeef" } } + { "name": "artifact", "digest": { "sha256": "deadbeef" }, "annotations": { "foo": "bar" } } ], "predicateType": "https://slsa.dev/provenance/v0.2" }` @@ -394,4 +394,5 @@ func TestTransformOutputSuccess(t *testing.T) { assert.Equal(t, name, sci.Critical.Identity.DockerReference, "docker reference mismatch") assert.Equal(t, "sha256:deadbeef", sci.Critical.Image.DockerManifestDigest, "digest mismatch") assert.Equal(t, "https://slsa.dev/provenance/v0.2", sci.Critical.Type, "type mismatch") + assert.Equal(t, map[string]any{"foo": "bar"}, sci.Optional, "missing annotation") } diff --git a/pkg/cosign/verifiers.go b/pkg/cosign/verifiers.go index 391a05b796b..95f901f67e4 100644 --- a/pkg/cosign/verifiers.go +++ b/pkg/cosign/verifiers.go @@ -22,7 +22,7 @@ import ( "fmt" v1 "github.com/google/go-containerregistry/pkg/v1" - "github.com/in-toto/in-toto-golang/in_toto" + in_toto "github.com/in-toto/attestation/go/v1" "github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/sigstore/cosign/v3/pkg/oci" 
@@ -56,7 +56,7 @@ func SimpleClaimVerifier(sig oci.Signature, imageDigest v1.Hash, annotations map } // IntotoSubjectClaimVerifier verifies that sig.Payload() is an Intoto statement which references the given image digest. -func IntotoSubjectClaimVerifier(sig oci.Signature, imageDigest v1.Hash, _ map[string]interface{}) error { +func IntotoSubjectClaimVerifier(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error { p, err := sig.Payload() if err != nil { return err @@ -82,9 +82,13 @@ func IntotoSubjectClaimVerifier(sig oci.Signature, imageDigest v1.Hash, _ map[st continue } subjDigest := "sha256:" + dgst - if subjDigest == imageDigest.String() { - return nil + if subjDigest != imageDigest.String() { + continue + } + if !correctAnnotations(annotations, subj.Annotations.AsMap()) { + return errors.New("missing or incorrect annotation") } + return nil } return errors.New("no matching subject digest found") } diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go index db9a864d564..dbbab6de3ef 100644 --- a/pkg/cosign/verify.go +++ b/pkg/cosign/verify.go @@ -1716,6 +1716,11 @@ func verifyImageAttestationsSigstoreBundle(ctx context.Context, signedImgRef nam if err != nil { return err } + if co.ClaimVerifier != nil { + if err := co.ClaimVerifier(att, *hash, co.Annotations); err != nil { + return err + } + } bundlesVerified[index] = true return err diff --git a/test/e2e_test.go b/test/e2e_test.go index 05d2043db68..f0ec72c10dc 100644 --- a/test/e2e_test.go +++ b/test/e2e_test.go @@ -77,6 +77,7 @@ import ( "github.com/sigstore/cosign/v3/pkg/cosign/kubernetes" "github.com/sigstore/cosign/v3/pkg/oci/mutate" ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote" + sigs "github.com/sigstore/cosign/v3/pkg/signature" v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" "github.com/sigstore/sigstore-go/pkg/root" "github.com/sigstore/sigstore/pkg/cryptoutils" 
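Review bot: IntotoSubjectClaimVerifier now returns `missing or incorrect annotation` on the first subject whose digest matches, so a statement listing the same digest under several subjects, only the first of which lacks the annotations, is rejected outright rather than falling through to the next; if that strictness is intentional say so in a comment, otherwise `continue` on the mismatch and remember the annotation failure for the final error so it is not reported as `no matching subject digest found`. The doc comment in the preceding hunk still describes only the digest check; update it to `// IntotoSubjectClaimVerifier verifies that sig.Payload() is an in-toto statement which references the given image digest and, when annotations are supplied, that the matching subject carries them.` `correctAnnotations` and the parsing of `p` are outside the hunk, so the argument order (wanted first, present second) is assumed to mirror SimpleClaimVerifier and should be confirmed.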
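Review bot: The claim-verifier error in verifyImageAttestationsSigstoreBundle is returned bare, so a user who supplied `-a` cannot tell which of several attestations failed the annotation check, or that it was the claims step rather than bundle verification that rejected it; wrap it, e.g. `return fmt.Errorf("verifying claims of attestation %d: %w", index, err)`. The ordering is right: the check runs after the bundle verifies and before `bundlesVerified[index]` is set, so a bundle whose claims fail is never marked verified. `hash` is dereferenced here and is presumably non-nil by this point, but that is established outside the hunk, as are the start and end of the enclosing function.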
@@ -1290,6 +1291,39 @@ func TestSignVerifyBundle(t *testing.T) { UseSignedTimestamps: false, } must(cmd.Exec(ctx, args), t) + + // Add annotations and verify claims + _, privKeyPath, pubKeyPath = keypair(t, td) + ko = options.KeyOpts{ + KeyRef: privKeyPath, + PassFunc: passFunc, + RekorURL: rekorURL, + SkipConfirmation: true, + } + so = options.SignOptions{ + Upload: true, + NewBundleFormat: true, + TlogUpload: true, + AnnotationOptions: options.AnnotationOptions{ + Annotations: []string{"foo=bar"}, + }, + } + must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + cmd = cliverify.VerifyCommand{ + CommonVerifyOptions: options.CommonVerifyOptions{ + TrustedRootPath: trustedRootPath, + }, + KeyRef: pubKeyPath, + NewBundleFormat: true, + UseSignedTimestamps: false, + Annotations: sigs.AnnotationsMap{Annotations: map[string]any{"foo": "bar"}}, + CheckClaims: true, + } + must(cmd.Exec(ctx, args), t) + + // Verfying other annotations should not work + cmd.Annotations.Annotations["baz"] = "bat" + mustErr(cmd.Exec(ctx, args), t) } func TestAttestVerify(t *testing.T) { From e3fa92d97fc76ac041ccd9bcf77c9ce5fcd2b2d1 Mon Sep 17 00:00:00 2001 From: Natalie Somersall Date: Wed, 12 Nov 2025 09:36:28 -0700 Subject: [PATCH 123/136] update offline verification directions (#4526) Signed-off-by: Natalie Somersall --- README.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 81b59f07b78..162c84ee962 100644 --- a/README.md +++ b/README.md 
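Review bot: The negative case at the end of TestSignVerifyBundle only exercises an extra requested annotation (`baz=bat`); it never checks a wrong value for a key the signature does carry, e.g. requesting `foo=baz` after signing `foo=bar`, which is the mismatch a consumer most needs rejected. Add a second `mustErr` with `cmd.Annotations.Annotations = map[string]any{"foo": "baz"}` before the `baz` case. The comment `// Verfying other annotations should not work` should read `// Verifying other annotations should not work`. TestSignVerifyBundle starts outside the hunk.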
@@ -164,8 +164,14 @@ cosign save $IMAGE_NAME --dir ./path/to/dir Now, in an air-gapped environment, this local image can be verified: -``` -cosign verify --certificate-identity $CERT_IDENTITY --certificate-oidc-issuer $CERT_OIDC_ISSUER --offline --local-image ./path/to/dir +```shell +cosign verify \ + --certificate-identity $CERT_IDENTITY \ + --certificate-oidc-issuer $CERT_OIDC_ISSUER \ + --offline=true \ + --new-bundle-format=false \ # for artifacts signed without the new protobuf bundle format + --trusted-root ~/.sigstore/root/tuf-repo-cdn.sigstore.dev/targets/trusted_root.json \ # default location of trusted root + --local-image ./path/to/dir ``` You'll need to pass in expected values for `$CERT_IDENTITY` and `$CERT_OIDC_ISSUER` to correctly verify this image. From 6eecec74d237d4a54f46e11dd4244415ca85eb56 Mon Sep 17 00:00:00 2001 From: Noel Georgi Date: Sun, 9 Nov 2025 18:40:15 +0530 Subject: [PATCH 124/136] fix: Use signal context for `sign` cli package. Use proper context passing for `sign` cli package. Fixes: #4506 Signed-off-by: Noel Georgi --- cmd/cosign/cli/sign.go | 7 +- cmd/cosign/cli/sign/sign.go | 4 +- cmd/cosign/cli/sign/sign_blob.go | 4 +- cmd/cosign/cli/sign/sign_blob_test.go | 6 +- cmd/cosign/cli/sign/sign_test.go | 2 +- cmd/cosign/cli/signblob.go | 7 +- test/e2e_insecure_registry_test.go | 8 +- test/e2e_kms_test.go | 6 +- test/e2e_test.go | 185 +++++++++++++------------- test/e2e_tsa_test.go | 13 +- 10 files changed, 121 insertions(+), 121 deletions(-) diff --git a/cmd/cosign/cli/sign.go b/cmd/cosign/cli/sign.go index b10034cbb09..c578df9cfbb 100644 --- a/cmd/cosign/cli/sign.go +++ b/cmd/cosign/cli/sign.go @@ -16,7 +16,6 @@ package cli import ( - "context" "fmt" "os" 
@@ -94,7 +93,7 @@ race conditions or (worse) malicious tampering. Args: cobra.MinimumNArgs(1), PersistentPreRun: options.BindViper, - RunE: func(_ *cobra.Command, args []string) error { + RunE: func(cmd *cobra.Command, args []string) error { switch o.Attachment { case "sbom": fmt.Fprintln(os.Stderr, options.SBOMAttachmentDeprecation) @@ -157,7 +156,7 @@ race conditions or (worse) malicious tampering. } else { ko.TrustedMaterial, err = cosign.TrustedRoot() if err != nil { - ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err) + ui.Warnf(cmd.Context(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err) } } } @@ -173,7 +172,7 @@ race conditions or (worse) malicious tampering. } } - if err := sign.SignCmd(ro, ko, *o, args); err != nil { + if err := sign.SignCmd(cmd.Context(), ro, ko, *o, args); err != nil { if o.Attachment == "" { return fmt.Errorf("signing %v: %w", args, err) } diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go index fe0508711c1..4f4f239105c 100644 --- a/cmd/cosign/cli/sign/sign.go +++ b/cmd/cosign/cli/sign/sign.go @@ -64,12 +64,12 @@ func GetAttachedImageRef(ref name.Reference, attachment string, opts ...ociremot } // nolint -func SignCmd(ro *options.RootOptions, ko options.KeyOpts, signOpts options.SignOptions, imgs []string) error { +func SignCmd(ctx context.Context, ro *options.RootOptions, ko options.KeyOpts, signOpts options.SignOptions, imgs []string) error { if options.NOf(ko.KeyRef, ko.Sk) > 1 { return &options.KeyParseError{} } - ctx, cancel := context.WithTimeout(context.Background(), ro.Timeout) + ctx, cancel := context.WithTimeout(ctx, ro.Timeout) defer cancel() var staticPayload []byte diff --git a/cmd/cosign/cli/sign/sign_blob.go b/cmd/cosign/cli/sign/sign_blob.go index 622fedf4f26..7bb6c968176 100644 --- a/cmd/cosign/cli/sign/sign_blob.go 
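Review bot: `cmd.Context()` in the sign command only carries the signal-aware context if the root command is executed with `ExecuteContext`; under a plain `Execute()` cobra installs `context.Background()` and the behaviour quietly reverts to what this commit replaces. That wiring is outside the diff, so confirm the root entry point, and consider a short comment at the `RunE` line, `// cmd.Context() is the signal-aware context installed by the root command's ExecuteContext.` The same applies to the signblob.go hunks later in this patch.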
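Review bot: SignCmd is exported and now takes a caller context but still has no doc comment, only a bare `// nolint` that names no linter (golangci-lint presumably does not even recognise the directive with the space). Document the contract: `// SignCmd signs each image in imgs with the key material in ko. The supplied ctx bounds the whole operation and is further limited by ro.Timeout.` Whether cancellation also aborts in-flight uploads is inferred from the `WithTimeout` wrapping and should be checked against the body, which continues outside the hunk. The same doc comment is missing on SignBlobCmd in the sign_blob.go hunk.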
+++ b/cmd/cosign/cli/sign/sign_blob.go @@ -58,10 +58,10 @@ func getPayload(ctx context.Context, payloadPath string, hashFunction crypto.Has } // nolint -func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string, b64 bool, outputSignature string, outputCertificate string, tlogUpload bool) ([]byte, error) { +func SignBlobCmd(ctx context.Context, ro *options.RootOptions, ko options.KeyOpts, payloadPath string, b64 bool, outputSignature string, outputCertificate string, tlogUpload bool) ([]byte, error) { var payload internal.HashReader - ctx, cancel := context.WithTimeout(context.Background(), ro.Timeout) + ctx, cancel := context.WithTimeout(ctx, ro.Timeout) defer cancel() shouldUpload, err := signcommon.ShouldUploadToTlog(ctx, ko, nil, tlogUpload) diff --git a/cmd/cosign/cli/sign/sign_blob_test.go b/cmd/cosign/cli/sign/sign_blob_test.go index 10880c711a0..1d5a67dc069 100644 --- a/cmd/cosign/cli/sign/sign_blob_test.go +++ b/cmd/cosign/cli/sign/sign_blob_test.go @@ -37,7 +37,7 @@ func TestSignBlobCmd(t *testing.T) { keyOpts := options.KeyOpts{KeyRef: keyRef, BundlePath: bundlePath} // Test happy path - _, err := SignBlobCmd(rootOpts, keyOpts, blobPath, true, "", "", false) + _, err := SignBlobCmd(t.Context(), rootOpts, keyOpts, blobPath, true, "", "", false) if err != nil { t.Fatalf("unexpected error %v", err) } @@ -46,7 +46,7 @@ func TestSignBlobCmd(t *testing.T) { keyOpts.NewBundleFormat = true sigPath := filepath.Join(td, "output.sig") certPath := filepath.Join(td, "output.pem") - _, err = SignBlobCmd(rootOpts, keyOpts, blobPath, false, sigPath, certPath, false) + _, err = SignBlobCmd(t.Context(), rootOpts, keyOpts, blobPath, false, sigPath, certPath, false) if err != nil { t.Fatalf("unexpected error %v", err) } 
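Review bot: `t.Context()` was added to the testing package in Go 1.24; the hunks in sign_blob_test.go, sign_test.go and the e2e test files all depend on it, so the module's `go` directive must be at least 1.24 or these files stop compiling. That version pin is outside the diff and worth confirming in go.mod before merging.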
@@ -55,7 +55,7 @@ func TestSignBlobCmd(t *testing.T) { func writeFile(t *testing.T, td string, blob string, name string) string { // Write blob to disk blobPath := filepath.Join(td, name) - if err := os.WriteFile(blobPath, []byte(blob), 0644); err != nil { + if err := os.WriteFile(blobPath, []byte(blob), 0o644); err != nil { t.Fatal(err) } return blobPath diff --git a/cmd/cosign/cli/sign/sign_test.go b/cmd/cosign/cli/sign/sign_test.go index a8be500276f..4fca2565f90 100644 --- a/cmd/cosign/cli/sign/sign_test.go +++ b/cmd/cosign/cli/sign/sign_test.go @@ -37,7 +37,7 @@ func TestSignCmdLocalKeyAndSk(t *testing.T) { }, } { so := options.SignOptions{} - err := SignCmd(ro, ko, so, nil) + err := SignCmd(t.Context(), ro, ko, so, nil) if (errors.Is(err, &options.KeyParseError{}) == false) { t.Fatal("expected KeyParseError") } diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go index 30cb298280b..2d46cd5bf05 100644 --- a/cmd/cosign/cli/signblob.go +++ b/cmd/cosign/cli/signblob.go @@ -16,7 +16,6 @@ package cli import ( - "context" "fmt" "os" "strings" @@ -84,7 +83,7 @@ func SignBlob() *cobra.Command { return nil }, - RunE: func(_ *cobra.Command, args []string) error { + RunE: func(cmd *cobra.Command, args []string) error { oidcClientSecret, err := o.OIDC.ClientSecret() if err != nil { return err @@ -142,7 +141,7 @@ func SignBlob() *cobra.Command { } else { ko.TrustedMaterial, err = cosign.TrustedRoot() if err != nil { - ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err) + ui.Warnf(cmd.Context(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err) } } } 
@@ -165,7 +164,7 @@ func SignBlob() *cobra.Command { o.OutputSignature = o.Output } - if _, err := sign.SignBlobCmd(ro, ko, blob, o.Base64Output, o.OutputSignature, o.OutputCertificate, o.TlogUpload); err != nil { + if _, err := sign.SignBlobCmd(cmd.Context(), ro, ko, blob, o.Base64Output, o.OutputSignature, o.OutputCertificate, o.TlogUpload); err != nil { return fmt.Errorf("signing %s: %w", blob, err) } } diff --git a/test/e2e_insecure_registry_test.go b/test/e2e_insecure_registry_test.go index 26f546ecaf0..d59273797e4 100644 --- a/test/e2e_insecure_registry_test.go +++ b/test/e2e_insecure_registry_test.go @@ -83,7 +83,7 @@ func TestInsecureRegistry(t *testing.T) { Upload: true, TlogUpload: true, } - mustErr(sign.SignCmd(ro, ko, so, []string{imgName}), t) + mustErr(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) so.Registry = options.RegistryOptions{ AllowInsecure: true, AllowHTTPRegistry: true, @@ -93,7 +93,7 @@ func TestInsecureRegistry(t *testing.T) { RegistryReferrersMode: options.RegistryReferrersModeOCI11, } } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) mustErr(verify(pubKey, imgName, true, nil, "", false), t) cmd := cliverify.VerifyCommand{ KeyRef: pubKey, @@ -115,7 +115,7 @@ func TestInsecureRegistry(t *testing.T) { defer cleanup2() so.NewBundleFormat = true - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) cmd.NewBundleFormat = true must(cmd.Exec(context.Background(), []string{imgName}), t) } 
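Review bot: The last TestInsecureRegistry hunk switches SignCmd to `t.Context()` but the context line immediately below still calls `cmd.Exec(context.Background(), ...)`, so only half of the test's work is cancelled with the test. Change it to `must(cmd.Exec(t.Context(), []string{imgName}), t)` so sign and verify share one lifetime; once no other `context.Background()` use remains in the file, the `context` import can go. TestInsecureRegistry starts outside the hunk.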
@@ -155,7 +155,7 @@ func TestAttestInsecureRegistry(t *testing.T) { slsaAttestation := `{ "buildType": "x", "builder": { "id": "2" }, "recipe": {} }` slsaAttestationPath := filepath.Join(td, "attestation.slsa.json") - if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0600); err != nil { + if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0o600); err != nil { t.Fatal(err) } diff --git a/test/e2e_kms_test.go b/test/e2e_kms_test.go index 9337c97320f..2d212c85d52 100644 --- a/test/e2e_kms_test.go +++ b/test/e2e_kms_test.go @@ -75,7 +75,7 @@ func TestSecretsKMS(t *testing.T) { Upload: true, TlogUpload: true, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) must(verify(pubKey, imgName, true, nil, "", false), t) // Sign and verify with annotations @@ -87,12 +87,12 @@ func TestSecretsKMS(t *testing.T) { Annotations: []string{"foo=bar"}, }, } - must(sign.SignCmd(ro, ko, soAnno, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, soAnno, []string{imgName}), t) must(verify(pubKey, imgName, true, map[string]any{"foo": "bar"}, "", false), t) // Store signatures in a different repo t.Setenv("COSIGN_REPOSITORY", path.Join(repo, "subbedrepo")) - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) must(verify(pubKey, imgName, true, nil, "", false), t) os.Unsetenv("COSIGN_REPOSITORY") } diff --git a/test/e2e_test.go b/test/e2e_test.go index f0ec72c10dc..0c90b23cc75 100644 --- a/test/e2e_test.go +++ b/test/e2e_test.go @@ -123,7 +123,7 @@ func TestSignVerify(t *testing.T) { Upload: true, TlogUpload: true, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{imgName}), t) // Now verify and download should work! must(verify(pubKeyPath, imgName, true, nil, "", false), t) 
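Review bot: The e2e_test.go hunks pass `ctx` to SignCmd in most tests but `t.Context()` in TestRekorBundle, TestRekorOutput, TestFulcioBundle, TestRFC3161Timestamp, TestRekorBundleAndRFC3161Timestamp and TestMultipleSignatures, while the `cmd.Exec(ctx, ...)` calls in the same file keep `ctx`. Presumably those tests have no local `ctx`, but mixing the two within one file makes it unclear which lifetime governs a test; either derive `ctx := t.Context()` at the top of each such test or use `t.Context()` throughout. The enclosing tests start and end outside the hunks.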
@@ -144,7 +144,7 @@ func TestSignVerify(t *testing.T) { Annotations: []string{"foo=bar"}, } // Sign the image with an annotation - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{imgName}), t) // It should match this time. must(verify(pubKeyPath, imgName, true, map[string]interface{}{"foo": "bar"}, "", false), t) @@ -189,7 +189,7 @@ func TestSignVerifyCertBundle(t *testing.T) { Upload: true, TlogUpload: true, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{imgName}), t) // Now verify and download should work! ignoreTlog := true @@ -205,7 +205,7 @@ func TestSignVerifyCertBundle(t *testing.T) { Annotations: []string{"foo=bar"}, } // Sign the image with an annotation - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{imgName}), t) // It should match this time. must(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, imgName, true, map[string]interface{}{"foo": "bar"}, "", ignoreTlog), t) @@ -243,7 +243,7 @@ func TestSignVerifyClean(t *testing.T) { Upload: true, TlogUpload: true, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{imgName}), t) // Now verify and download should work! must(verify(pubKeyPath, imgName, true, nil, "", false), t) @@ -285,7 +285,7 @@ func TestImportSignVerifyClean(t *testing.T) { Upload: true, TlogUpload: true, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{imgName}), t) // Now verify and download should work! must(verify(pubKeyPath, imgName, true, nil, "", false), t) @@ -310,7 +310,7 @@ func downloadTargets(td string, targets []targetInfo, targetsMeta *metadata.Meta if err != nil { return err } - err = os.Mkdir(targetsDir, 0700) + err = os.Mkdir(targetsDir, 0o700) if err != nil { return err } 
@@ -788,7 +788,7 @@ func TestSignVerifyWithTUFMirror(t *testing.T) { TlogUpload: true, SkipConfirmation: true, } - gotErr := sign.SignCmd(ro, ko, so, []string{imgName}) + gotErr := sign.SignCmd(ctx, ro, ko, so, []string{imgName}) if test.wantSignErr { mustErr(gotErr, t) return @@ -817,7 +817,7 @@ func TestSignVerifyWithTUFMirror(t *testing.T) { blob := "someblob" blobDir := t.TempDir() bp := filepath.Join(blobDir, blob) - if err := os.WriteFile(bp, []byte(blob), 0644); err != nil { + if err := os.WriteFile(bp, []byte(blob), 0o644); err != nil { t.Fatal(err) } tsPath := filepath.Join(blobDir, "ts.txt") @@ -825,7 +825,7 @@ func TestSignVerifyWithTUFMirror(t *testing.T) { // TODO(cmurphy): make this work with ko.NewBundleFormat = true ko.BundlePath = bundlePath ko.RFC3161TimestampPath = tsPath - _, gotErr = sign.SignBlobCmd(ro, ko, bp, true, "", "", true) + _, gotErr = sign.SignBlobCmd(ctx, ro, ko, bp, true, "", "", true) if test.wantSignErr { mustErr(gotErr, t) } else { @@ -927,14 +927,14 @@ func TestSignAttestVerifyBlobWithSigningConfig(t *testing.T) { blob := "someblob" blobDir := t.TempDir() bp := filepath.Join(blobDir, blob) - if err := os.WriteFile(bp, []byte(blob), 0644); err != nil { + if err := os.WriteFile(bp, []byte(blob), 0o644); err != nil { t.Fatal(err) } bundlePath := filepath.Join(blobDir, "bundle.json") ko.NewBundleFormat = true ko.BundlePath = bundlePath - _, err = sign.SignBlobCmd(ro, ko, bp, false, "", "", true) + _, err = sign.SignBlobCmd(ctx, ro, ko, bp, false, "", "", true) must(err, t) // Verify a blob 
@@ -954,7 +954,7 @@ func TestSignAttestVerifyBlobWithSigningConfig(t *testing.T) { statement := `{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"someblob","digest":{"alg":"7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3"}}],"predicateType":"something","predicate":{}}` attestDir := t.TempDir() statementPath := filepath.Join(attestDir, "statement") - if err := os.WriteFile(statementPath, []byte(statement), 0644); err != nil { + if err := os.WriteFile(statementPath, []byte(statement), 0o644); err != nil { t.Fatal(err) } attBundlePath := filepath.Join(attestDir, "attest.bundle.json") @@ -1047,7 +1047,7 @@ func TestSignAttestVerifyContainerWithSigningConfig(t *testing.T) { NewBundleFormat: true, TlogUpload: true, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{imgName}), t) // Verify Fulcio-signed image cmd := cliverify.VerifyCommand{ @@ -1064,7 +1064,7 @@ func TestSignAttestVerifyContainerWithSigningConfig(t *testing.T) { // Attest image predicate := `{ "buildType": "x", "builder": { "id": "2" }, "recipe": {} }` predicatePath := filepath.Join(t.TempDir(), "predicate.json") - if err := os.WriteFile(predicatePath, []byte(predicate), 0644); err != nil { + if err := os.WriteFile(predicatePath, []byte(predicate), 0o644); err != nil { t.Fatal(err) } attestCmd := attest.AttestCommand{ @@ -1142,7 +1142,7 @@ func TestSignVerifyWithSigningConfigWithKey(t *testing.T) { blob := "someblob" blobDir := t.TempDir() bp := filepath.Join(blobDir, blob) - if err := os.WriteFile(bp, []byte(blob), 0644); err != nil { + if err := os.WriteFile(bp, []byte(blob), 0o644); err != nil { t.Fatal(err) } bundlePath := filepath.Join(blobDir, "bundle.json") 
@@ -1150,7 +1150,7 @@ func TestSignVerifyWithSigningConfigWithKey(t *testing.T) { ko.BundlePath = bundlePath ko.KeyRef = privKeyPath - _, err = sign.SignBlobCmd(ro, ko, bp, false, "", "", true) + _, err = sign.SignBlobCmd(ctx, ro, ko, bp, false, "", "", true) must(err, t) // Verify a blob with the key in the trusted root @@ -1165,7 +1165,7 @@ func TestSignVerifyWithSigningConfigWithKey(t *testing.T) { statement := `{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"someblob","digest":{"alg":"7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3"}}],"predicateType":"something","predicate":{}}` attestDir := t.TempDir() statementPath := filepath.Join(attestDir, "statement") - if err := os.WriteFile(statementPath, []byte(statement), 0644); err != nil { + if err := os.WriteFile(statementPath, []byte(statement), 0o644); err != nil { t.Fatal(err) } attBundlePath := filepath.Join(attestDir, "attest.bundle.json") @@ -1218,7 +1218,7 @@ func TestSignVerifyBundle(t *testing.T) { NewBundleFormat: true, TlogUpload: true, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{imgName}), t) // Verify bundle trustedRootPath := prepareTrustedRoot(t, "") @@ -1246,7 +1246,7 @@ func TestSignVerifyBundle(t *testing.T) { NewBundleFormat: true, TlogUpload: false, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{imgName}), t) // Verify bundle without Rekor cmd = cliverify.VerifyCommand{ CommonVerifyOptions: options.CommonVerifyOptions{ @@ -1276,7 +1276,7 @@ func TestSignVerifyBundle(t *testing.T) { NewBundleFormat: true, TlogUpload: true, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{imgName}), t) // Verify Fulcio-signed image cmd = cliverify.VerifyCommand{ 
@@ -1308,7 +1308,7 @@ func TestSignVerifyBundle(t *testing.T) { Annotations: []string{"foo=bar"}, }, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{imgName}), t) cmd = cliverify.VerifyCommand{ CommonVerifyOptions: options.CommonVerifyOptions{ TrustedRootPath: trustedRootPath, @@ -1422,7 +1422,7 @@ func attestVerify(t *testing.T, newBundleFormat bool, predicateType, attestation // Fail case when using without type and policy flag mustErr(verifyAttestation.Exec(ctx, []string{imgName}), t) - if err := os.WriteFile(attestationPath, []byte(attestation), 0600); err != nil { + if err := os.WriteFile(attestationPath, []byte(attestation), 0o600); err != nil { t.Fatal(err) } @@ -1443,13 +1443,13 @@ func attestVerify(t *testing.T, newBundleFormat bool, predicateType, attestation verifyAttestation.Policies = []string{policyPath} // Fail case - if err := os.WriteFile(policyPath, []byte(badCue), 0600); err != nil { + if err := os.WriteFile(policyPath, []byte(badCue), 0o600); err != nil { t.Fatal(err) } mustErr(verifyAttestation.Exec(ctx, []string{imgName}), t) // Success case - if err := os.WriteFile(policyPath, []byte(goodCue), 0600); err != nil { + if err := os.WriteFile(policyPath, []byte(goodCue), 0o600); err != nil { t.Fatal(err) } must(verifyAttestation.Exec(ctx, []string{imgName}), t) @@ -1475,7 +1475,7 @@ func TestAttestationDownload(t *testing.T) { slsaAttestation := `{ "buildType": "x", "builder": { "id": "2" }, "recipe": {} }` slsaAttestationPath := filepath.Join(td, "attestation.slsa.json") - if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0600); err != nil { + if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0o600); err != nil { t.Fatal(err) } 
@@ -1503,7 +1503,7 @@ func TestAttestationDownload(t *testing.T) { } ` vulnAttestationPath := filepath.Join(td, "attestation.vuln.json") - if err := os.WriteFile(vulnAttestationPath, []byte(vulnAttestation), 0600); err != nil { + if err := os.WriteFile(vulnAttestationPath, []byte(vulnAttestation), 0o600); err != nil { t.Fatal(err) } @@ -1569,7 +1569,7 @@ func TestAttestationDownloadWithPredicateType(t *testing.T) { slsaAttestation := `{ "buildType": "x", "builder": { "id": "2" }, "recipe": {} }` slsaAttestationPath := filepath.Join(td, "attestation.slsa.json") - if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0600); err != nil { + if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0o600); err != nil { t.Fatal(err) } @@ -1597,7 +1597,7 @@ func TestAttestationDownloadWithPredicateType(t *testing.T) { } ` vulnAttestationPath := filepath.Join(td, "attestation.vuln.json") - if err := os.WriteFile(vulnAttestationPath, []byte(vulnAttestation), 0600); err != nil { + if err := os.WriteFile(vulnAttestationPath, []byte(vulnAttestation), 0o600); err != nil { t.Fatal(err) } @@ -1666,7 +1666,7 @@ func TestAttestationDownloadWithBadPredicateType(t *testing.T) { slsaAttestation := `{ "buildType": "x", "builder": { "id": "2" }, "recipe": {} }` slsaAttestationPath := filepath.Join(td, "attestation.slsa.json") - if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0600); err != nil { + if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0o600); err != nil { t.Fatal(err) } @@ -1707,7 +1707,7 @@ func TestAttestationReplaceCreate(t *testing.T) { slsaAttestation := `{ "buildType": "x", "builder": { "id": "2" }, "recipe": {} }` slsaAttestationPath := filepath.Join(td, "attestation.slsa.json") - if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0600); err != nil { + if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0o600); err != nil { t.Fatal(err) } 
@@ -1760,7 +1760,7 @@ func TestAttestationReplace(t *testing.T) { slsaAttestation := `{ "buildType": "x", "builder": { "id": "2" }, "recipe": {} }` slsaAttestationPath := filepath.Join(td, "attestation.slsa.json") - if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0600); err != nil { + if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0o600); err != nil { t.Fatal(err) } @@ -1805,7 +1805,6 @@ func TestAttestationReplace(t *testing.T) { } must(attestCommand.Exec(ctx, imgName), t) attestations, err = cosign.FetchAttestationsForReference(ctx, ref, attOpts.PredicateType, ociremoteOpts...) - // Download and count the attestations if err != nil { t.Fatal(err) @@ -1859,7 +1858,7 @@ func TestAttestationRFC3161Timestamp(t *testing.T) { slsaAttestation := `{ "buildType": "x", "builder": { "id": "2" }, "recipe": {} }` slsaAttestationPath := filepath.Join(td, "attestation.slsa.json") - if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0600); err != nil { + if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0o600); err != nil { t.Fatal(err) } @@ -1948,12 +1947,12 @@ func TestAttestationBlobRFC3161Timestamp(t *testing.T) { }) bp := filepath.Join(td, blob) - if err := os.WriteFile(bp, []byte(blob), 0600); err != nil { + if err := os.WriteFile(bp, []byte(blob), 0o600); err != nil { t.Fatal(err) } predicatePath := filepath.Join(td, "predicate") - if err := os.WriteFile(predicatePath, []byte(predicate), 0600); err != nil { + if err := os.WriteFile(predicatePath, []byte(predicate), 0o600); err != nil { t.Fatal(err) } @@ -2017,7 +2016,7 @@ func TestAttestationBlobRFC3161Timestamp(t *testing.T) { if err != nil { t.Error(err) } - if err := os.WriteFile(trustedRootPath, trustedRootBytes, 0600); err != nil { + if err := os.WriteFile(trustedRootPath, trustedRootBytes, 0o600); err != nil { t.Fatal(err) } 
@@ -2058,7 +2057,7 @@ func TestVerifyWithCARoots(t *testing.T) { b := bytes.Buffer{} blobRef := filepath.Join(td, blob) - if err := os.WriteFile(blobRef, []byte(blob), 0644); err != nil { + if err := os.WriteFile(blobRef, []byte(blob), 0o644); err != nil { t.Fatal(err) } must(generate.GenerateCmd(context.Background(), options.RegistryOptions{}, imgName, nil, &b), t) @@ -2135,7 +2134,7 @@ func TestVerifyWithCARoots(t *testing.T) { KeyRef: privKeyRef, PassFunc: passFunc, } - blobSig, err := sign.SignBlobCmd(ro, ko, blobRef, true, "", "", false) + blobSig, err := sign.SignBlobCmd(ctx, ro, ko, blobRef, true, "", "", false) if err != nil { t.Fatal(err) } @@ -2307,7 +2306,7 @@ func TestRekorBundle(t *testing.T) { } // Sign the image - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) // Make sure verify works must(verify(pubKeyPath, imgName, true, nil, "", false), t) @@ -2345,7 +2344,7 @@ func TestRekorOutput(t *testing.T) { } // Sign the image - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) // Make sure verify works must(verify(pubKeyPath, imgName, true, nil, "", false), t) @@ -2392,7 +2391,7 @@ func TestFulcioBundle(t *testing.T) { } // Sign the image - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) // Make sure verify works must(verify(pubKeyPath, imgName, true, nil, "", false), t) @@ -2451,7 +2450,7 @@ func TestRFC3161Timestamp(t *testing.T) { } // Sign the image - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) // Make sure verify works against the TSA server must(verifyTSA(pubKeyPath, imgName, true, nil, "", file.Name(), true), t) } 
@@ -2513,7 +2512,7 @@ func TestRekorBundleAndRFC3161Timestamp(t *testing.T) { } // Sign the image - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) // Make sure verify works against the Rekor and TSA clients must(verifyTSA(pubKeyPath, imgName, true, nil, "", file.Name(), false), t) } @@ -2549,7 +2548,7 @@ func TestDuplicateSign(t *testing.T) { so := options.SignOptions{ Upload: true, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{imgName}), t) // Now verify and download should work! // Ignore the tlog, because uploading to the tlog causes new signatures with new timestamp entries to be appended. @@ -2557,7 +2556,7 @@ func TestDuplicateSign(t *testing.T) { must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName, os.Stdout), t) // Signing again should work just fine... - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{imgName}), t) se, err := ociremote.SignedEntity(ref, ociremote.WithRemoteOptions(registryClientOpts(ctx)...)) must(err, t) @@ -2673,14 +2672,14 @@ func TestMultipleSignatures(t *testing.T) { Upload: true, TlogUpload: true, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) // Now verify should work with that one, but not the other must(verify(pub1, imgName, true, nil, "", false), t) mustErr(verify(pub2, imgName, true, nil, "", false), t) // Now sign with the other key too ko.KeyRef = priv2 - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) // Now verify should work with both must(verify(pub1, imgName, true, nil, "", false), t) 
@@ -2698,7 +2697,7 @@ func TestSignBlob(t *testing.T) { td2 := t.TempDir() bp := filepath.Join(td1, blob) - if err := os.WriteFile(bp, []byte(blob), 0644); err != nil { + if err := os.WriteFile(bp, []byte(blob), 0o644); err != nil { t.Fatal(err) } @@ -2732,7 +2731,7 @@ func TestSignBlob(t *testing.T) { KeyRef: privKeyPath1, PassFunc: passFunc, } - sig, err := sign.SignBlobCmd(ro, ko, bp, true, "", "", false) + sig, err := sign.SignBlobCmd(ctx, ro, ko, bp, true, "", "", false) if err != nil { t.Fatal(err) } @@ -2749,7 +2748,7 @@ func TestSignBlobBundle(t *testing.T) { bp := filepath.Join(td1, blob) bundlePath := filepath.Join(td1, "bundle.sig") - if err := os.WriteFile(bp, []byte(blob), 0644); err != nil { + if err := os.WriteFile(bp, []byte(blob), 0o644); err != nil { t.Fatal(err) } @@ -2781,14 +2780,14 @@ func TestSignBlobBundle(t *testing.T) { RekorURL: rekorURL, SkipConfirmation: true, } - if _, err := sign.SignBlobCmd(ro, ko, bp, true, "", "", false); err != nil { + if _, err := sign.SignBlobCmd(ctx, ro, ko, bp, true, "", "", false); err != nil { t.Fatal(err) } // Now verify should work must(verifyBlobCmd.Exec(ctx, bp), t) // Now we turn on the tlog and sign again - if _, err := sign.SignBlobCmd(ro, ko, bp, true, "", "", true); err != nil { + if _, err := sign.SignBlobCmd(ctx, ro, ko, bp, true, "", "", true); err != nil { t.Fatal(err) } @@ -2803,7 +2802,7 @@ func TestSignBlobNewBundle(t *testing.T) { blob := "someblob" blobPath := filepath.Join(td1, blob) - if err := os.WriteFile(blobPath, []byte(blob), 0644); err != nil { + if err := os.WriteFile(blobPath, []byte(blob), 0o644); err != nil { t.Fatal(err) } @@ -2834,7 +2833,7 @@ func TestSignBlobNewBundle(t *testing.T) { NewBundleFormat: true, } - if _, err := sign.SignBlobCmd(ro, ko, blobPath, true, "", "", false); err != nil { + if _, err := sign.SignBlobCmd(ctx, ro, ko, blobPath, true, "", "", false); err != nil { t.Fatal(err) } 
@@ -2847,7 +2846,7 @@ func TestSignBlobNewBundleNonSHA256(t *testing.T) { blob := "someblob" blobPath := filepath.Join(td1, blob) - if err := os.WriteFile(blobPath, []byte(blob), 0644); err != nil { + if err := os.WriteFile(blobPath, []byte(blob), 0o644); err != nil { t.Fatal(err) } @@ -2864,7 +2863,7 @@ func TestSignBlobNewBundleNonSHA256(t *testing.T) { BundlePath: bundlePath, NewBundleFormat: true, } - if _, err := sign.SignBlobCmd(ro, ko, blobPath, true, "", "", false); err != nil { + if _, err := sign.SignBlobCmd(ctx, ro, ko, blobPath, true, "", "", false); err != nil { t.Fatal(err) } @@ -2939,7 +2938,7 @@ func TestSignBlobNewBundleNonDefaultAlgorithm(t *testing.T) { blob := "someblob" blobPath := filepath.Join(td1, blob) - if err := os.WriteFile(blobPath, []byte(blob), 0644); err != nil { + if err := os.WriteFile(blobPath, []byte(blob), 0o644); err != nil { t.Fatal(err) } @@ -2980,7 +2979,7 @@ func TestSignBlobNewBundleNonDefaultAlgorithm(t *testing.T) { SkipConfirmation: true, } - if _, err := sign.SignBlobCmd(ro, ko, blobPath, true, "", "", true); err != nil { + if _, err := sign.SignBlobCmd(ctx, ro, ko, blobPath, true, "", "", true); err != nil { t.Fatal(err) } @@ -2990,7 +2989,7 @@ func TestSignBlobNewBundleNonDefaultAlgorithm(t *testing.T) { t.Fatal(err) } tmpBundlePath := filepath.Join("/tmp", fmt.Sprintf("bundle-%s", tt.algo)) - if err := os.WriteFile(tmpBundlePath, bundleBytes, 0644); err != nil { + if err := os.WriteFile(tmpBundlePath, bundleBytes, 0o644); err != nil { t.Fatal(err) } @@ -3018,7 +3017,7 @@ func TestSignBlobRFC3161TimestampBundle(t *testing.T) { bundlePath := filepath.Join(td, "bundle.sig") tsPath := filepath.Join(td, "rfc3161Timestamp.json") - if err := os.WriteFile(bp, []byte(blob), 0644); err != nil { + if err := os.WriteFile(bp, []byte(blob), 0o644); err != nil { t.Fatal(err) } 
@@ -3069,14 +3068,14 @@ func TestSignBlobRFC3161TimestampBundle(t *testing.T) { RekorURL: rekorURL, SkipConfirmation: true, } - if _, err := sign.SignBlobCmd(ro, ko, bp, true, "", "", false); err != nil { + if _, err := sign.SignBlobCmd(ctx, ro, ko, bp, true, "", "", false); err != nil { t.Fatal(err) } // Now verify should work must(verifyBlobCmd.Exec(ctx, bp), t) // Now we turn on the tlog and sign again - if _, err := sign.SignBlobCmd(ro, ko, bp, true, "", "", true); err != nil { + if _, err := sign.SignBlobCmd(ctx, ro, ko, bp, true, "", "", true); err != nil { t.Fatal(err) } // Point to a fake rekor server to make sure offline verification of the tlog entry works @@ -3155,7 +3154,7 @@ func TestSaveLoad(t *testing.T) { Upload: true, TlogUpload: true, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{imgName}), t) must(verify(pubKeyPath, imgName, true, nil, "", false), t) // save the image to a temp dir @@ -3202,13 +3201,13 @@ func TestSaveLoadAttestation(t *testing.T) { Upload: true, TlogUpload: true, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{imgName}), t) must(verify(pubKeyPath, imgName, true, nil, "", false), t) // now, append an attestation to the image slsaAttestation := `{ "buildType": "x", "builder": { "id": "2" }, "recipe": {} }` slsaAttestationPath := filepath.Join(td, "attestation.slsa.json") - if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0600); err != nil { + if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0o600); err != nil { t.Fatal(err) } 
@@ -3242,7 +3241,7 @@ func TestSaveLoadAttestation(t *testing.T) { verifyAttestation.Policies = []string{policyPath} // Success case (remote) cuePolicy := `predicate: builder: id: "2"` - if err := os.WriteFile(policyPath, []byte(cuePolicy), 0600); err != nil { + if err := os.WriteFile(policyPath, []byte(cuePolicy), 0o600); err != nil { t.Fatal(err) } must(verifyAttestation.Exec(ctx, []string{imgName2}), t) @@ -3272,7 +3271,7 @@ func TestAttestDownloadAttachNewBundle(t *testing.T) { slsaAttestation := `{ "buildType": "x", "builder": { "id": "2" }, "recipe": {} }` slsaAttestationPath := filepath.Join(td, "attestation.slsa.json") - if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0600); err != nil { + if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0o600); err != nil { t.Fatal(err) } @@ -3295,7 +3294,7 @@ func TestAttestDownloadAttachNewBundle(t *testing.T) { defer cleanup() bundlePath := filepath.Join(td, "downloaded-bundle.sigstore.json") - if err := os.WriteFile(bundlePath, out.Bytes(), 0600); err != nil { + if err := os.WriteFile(bundlePath, out.Bytes(), 0o600); err != nil { t.Fatal(err) } @@ -3327,7 +3326,7 @@ func TestSignDownloadAttachNewBundle(t *testing.T) { Upload: true, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{imgName}), t) // Download should now succeed - redirect stdout to use with attach out := bytes.Buffer{} @@ -3339,7 +3338,7 @@ func TestSignDownloadAttachNewBundle(t *testing.T) { defer cleanup() bundlePath := filepath.Join(td, "downloaded-bundle.sigstore.json") - if err := os.WriteFile(bundlePath, out.Bytes(), 0600); err != nil { + if err := os.WriteFile(bundlePath, out.Bytes(), 0o600); err != nil { t.Fatal(err) } 
@@ -3417,7 +3416,7 @@ func TestAttachSBOM(t *testing.T) { TlogUpload: true, Attachment: "sbom", } - must(sign.SignCmd(ro, ko1, so, []string{imgName}), t) + must(sign.SignCmd(ctx, ro, ko1, so, []string{imgName}), t) // Now verify should work with that one, but not the other must(verify(pubKeyPath1, imgName, true, nil, "sbom", false), t) @@ -3448,7 +3447,7 @@ func TestNoTlog(t *testing.T) { so := options.SignOptions{ Upload: true, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) // Now verify should work! must(verify(pubKeyPath, imgName, true, nil, "", true), t) @@ -3461,7 +3460,7 @@ func TestGetPublicKeyCustomOut(t *testing.T) { outFile := "output.pub" outPath := filepath.Join(td, outFile) - outWriter, err := os.OpenFile(outPath, os.O_WRONLY|os.O_CREATE, 0600) + outWriter, err := os.OpenFile(outPath, os.O_WRONLY|os.O_CREATE, 0o600) must(err, t) pk := publickey.Pkopts{ @@ -3508,7 +3507,7 @@ func TestInvalidBundle(t *testing.T) { TlogUpload: true, SkipConfirmation: true, } - must(sign.SignCmd(ro, ko, so, []string{img1}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{img1}), t) // verify image1 must(verify(pubKeyPath, img1, true, nil, "", false), t) // extract the bundle from image1 @@ -3536,7 +3535,7 @@ func TestInvalidBundle(t *testing.T) { Upload: true, TlogUpload: false, } - must(sign.SignCmd(ro, ko, so, []string{img2}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{img2}), t) must(verify(pubKeyPath, img2, true, nil, "", true), t) si2, err := ociremote.SignedEntity(imgRef2, remoteOpts) 
@@ -3595,22 +3594,22 @@ func TestAttestBlobSignVerify(t *testing.T) { }) bp := filepath.Join(td1, blob) - if err := os.WriteFile(bp, []byte(blob), 0644); err != nil { + if err := os.WriteFile(bp, []byte(blob), 0o644); err != nil { t.Fatal(err) } anotherBlob := filepath.Join(td1, "another-blob") - if err := os.WriteFile(anotherBlob, []byte("another-blob"), 0644); err != nil { + if err := os.WriteFile(anotherBlob, []byte("another-blob"), 0o644); err != nil { t.Fatal(err) } predicatePath := filepath.Join(td1, "predicate") - if err := os.WriteFile(predicatePath, []byte(predicate), 0644); err != nil { + if err := os.WriteFile(predicatePath, []byte(predicate), 0o644); err != nil { t.Fatal(err) } statementPath := filepath.Join(td1, "statement") - if err := os.WriteFile(statementPath, []byte(statement), 0644); err != nil { + if err := os.WriteFile(statementPath, []byte(statement), 0o644); err != nil { t.Fatal(err) } @@ -3707,7 +3706,7 @@ func TestOffline(t *testing.T) { TlogUpload: true, SkipConfirmation: true, } - must(sign.SignCmd(ro, ko, so, []string{img1}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{img1}), t) // verify image1 online and offline must(verify(pubKeyPath, img1, true, nil, "", false), t) verifyCmd := &cliverify.VerifyCommand{ @@ -3803,8 +3802,8 @@ func TestDockerfileVerify(t *testing.T) { SkipConfirmation: true, } ctx := context.Background() - must(sign.SignCmd(ro, ko, so, []string{signedImg1}), t) - must(sign.SignCmd(ro, ko, so, []string{signedImg2}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{signedImg1}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{signedImg2}), t) // create the dockerfiles singleStageDockerfileContents := fmt.Sprintf(` @@ -3949,7 +3948,7 @@ func TestManifestVerify(t *testing.T) { SkipConfirmation: true, } ctx := context.Background() - must(sign.SignCmd(ro, ko, so, []string{signedImg}), t) + must(sign.SignCmd(ctx, ro, ko, so, []string{signedImg}), t) // create the manifests manifestTemplate := ` 
@@ -4071,7 +4070,7 @@ func TestSignVerifyWithRepoOverride(t *testing.T) { TlogUpload: true, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) // Bundle should appear in the second repo tags, err = crane.ListTags(cosignRepo) @@ -4090,7 +4089,7 @@ func TestSignVerifyWithRepoOverride(t *testing.T) { // Sign another image with the new protobuf bundle format so.NewBundleFormat = true - must(sign.SignCmd(ro, ko, so, []string{name.String()}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{name.String()}), t) // The new bundle should appear under a new tag for the second repo tags, err = crane.ListTags(cosignRepo) @@ -4147,7 +4146,7 @@ func TestSignVerifyMultipleIdentities(t *testing.T) { TlogUpload: true, SignContainerIdentities: []string{"registry/cosign-e2e:tag1", "registry/cosign-e2e:tag2"}, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) // Now verify should work must(verify(pubKeyPath, imgName, true, nil, "", false), t) @@ -4179,7 +4178,7 @@ func TestTree(t *testing.T) { Upload: true, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) // Test out tree command after sign out.Reset() @@ -4217,7 +4216,7 @@ func TestSignVerifyUploadFalse(t *testing.T) { so := options.SignOptions{ Upload: false, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) // There should still be no signatures out.Reset() @@ -4226,7 +4225,7 @@ func TestSignVerifyUploadFalse(t *testing.T) { // Now with Upload: true so.Upload = true - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) // Now there should be signatures out.Reset() 
@@ -4247,7 +4246,7 @@ func TestSignVerifyUploadFalse(t *testing.T) { so.Upload = false so.NewBundleFormat = true so.BundlePath = path.Join(td, "output.bundle") - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) assert.FileExists(t, so.BundlePath) // There should still be no signatures @@ -4257,7 +4256,7 @@ func TestSignVerifyUploadFalse(t *testing.T) { // Now with Upload: true so.Upload = true - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) // Now there should be signatures out.Reset() @@ -4302,7 +4301,7 @@ func TestAttestVerifyUploadFalse(t *testing.T) { } predicate := `{ "buildType": "x", "builder": { "id": "2" }, "recipe": {} }` predicatePath := filepath.Join(t.TempDir(), "predicate.json") - if err := os.WriteFile(predicatePath, []byte(predicate), 0644); err != nil { + if err := os.WriteFile(predicatePath, []byte(predicate), 0o644); err != nil { t.Fatal(err) } attestCmd := attest.AttestCommand{ diff --git a/test/e2e_tsa_test.go b/test/e2e_tsa_test.go index cd23d26199e..18eaab8b456 100644 --- a/test/e2e_tsa_test.go +++ b/test/e2e_tsa_test.go @@ -69,7 +69,7 @@ func TestTSAMTLS(t *testing.T) { Cert: pemLeafRef, CertChain: pemRootRef, } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) + must(sign.SignCmd(t.Context(), ro, ko, so, []string{imgName}), t) verifyCmd := cliverify.VerifyCommand{ IgnoreTlog: true, @@ -110,7 +110,7 @@ func TestSignBlobTSAMTLS(t *testing.T) { RFC3161TimestampPath: timestampPath, BundlePath: bundlePath, } - sig, err := sign.SignBlobCmd(ro, signingKO, blobPath, true, "", "", false) + sig, err := sign.SignBlobCmd(t.Context(), ro, signingKO, blobPath, true, "", "", false) must(err, t) verifyKO := options.KeyOpts{ 
@@ -145,7 +145,8 @@ func generateSigningKeys(t *testing.T, td string) (string, string, string) { encBytes, _ := encrypted.Encrypt(x509Encoded, keyPass) keyPem := pem.EncodeToMemory(&pem.Block{ Type: cosign.CosignPrivateKeyPemType, - Bytes: encBytes}) + Bytes: encBytes, + }) pemKeyRef := mkfile(string(keyPem), td, t) return pemRootRef, pemLeafRef, pemKeyRef @@ -162,7 +163,8 @@ func generateMTLSKeys(t *testing.T, td string) (string, string, string, string, serverX509Encoded, _ := x509.MarshalPKCS8PrivateKey(serverPrivKey) serverKeyPem := pem.EncodeToMemory(&pem.Block{ Type: cosign.ECPrivateKeyPemType, - Bytes: serverX509Encoded}) + Bytes: serverX509Encoded, + }) serverPemKeyRef := mkfile(string(serverKeyPem), td, t) clientLeafCert, clientPrivKey, _ := cert_test.GenerateLeafCert("tsa-mtls-client", "oidc-issuer", rootCert, rootKey) @@ -171,7 +173,8 @@ func generateMTLSKeys(t *testing.T, td string) (string, string, string, string, clientX509Encoded, _ := x509.MarshalPKCS8PrivateKey(clientPrivKey) clientKeyPem := pem.EncodeToMemory(&pem.Block{ Type: cosign.ECPrivateKeyPemType, - Bytes: clientX509Encoded}) + Bytes: clientX509Encoded, + }) clientPemKeyRef := mkfile(string(clientKeyPem), td, t) return pemRootRef, serverPemLeafRef, serverPemKeyRef, clientPemLeafRef, clientPemKeyRef } From b51a7c2a25211ea30ba5641f39ec720ff2e395d6 Mon Sep 17 00:00:00 2001 From: Hayden Date: Fri, 14 Nov 2025 11:50:40 -0800 Subject: [PATCH 125/136] Deprecate tlog-upload flag (#4458) * Deprecate tlog-upload flag Clients that don't want to use a transparency log should provide a signing config without tlog service instances rather than use this flag. This will also throw an error when a client uses this flag when a signing config will be used, since Cosign/sigstore-go ignores this flag and we don't want a user to unexpectedly upload to the public instance. 
Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * Refactor TR and SC initialization into common method The one difference between sign/attest and sign/attest-blob is whether a bundle output flag is present, so the error message has been adjusted. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * Fix e2e test, better error message Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --------- Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> --- cmd/cosign/cli/attest.go | 49 +++---------------------- cmd/cosign/cli/attest_blob.go | 51 +++----------------------- cmd/cosign/cli/options/attest.go | 1 + cmd/cosign/cli/options/attest_blob.go | 1 + cmd/cosign/cli/options/sign.go | 1 + cmd/cosign/cli/options/signblob.go | 1 + cmd/cosign/cli/sign.go | 48 +++---------------------- cmd/cosign/cli/signblob.go | 47 +++--------------------- cmd/cosign/cli/signcommon/common.go | 52 +++++++++++++++++++++++++++ doc/cosign_attest-blob.md | 1 - doc/cosign_attest.md | 1 - doc/cosign_sign-blob.md | 1 - doc/cosign_sign.md | 1 - test/e2e_test.go | 5 ++- test/e2e_test.ps1 | 2 +- 15 files changed, 81 insertions(+), 181 deletions(-) diff --git a/cmd/cosign/cli/attest.go b/cmd/cosign/cli/attest.go index ffb20be7059..11e04e6d907 100644 --- a/cmd/cosign/cli/attest.go +++ b/cmd/cosign/cli/attest.go @@ -16,16 +16,12 @@ package cli import ( - "context" "fmt" "github.com/sigstore/cosign/v3/cmd/cosign/cli/attest" "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate" "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v3/internal/ui" - "github.com/sigstore/cosign/v3/pkg/cosign" - "github.com/sigstore/cosign/v3/pkg/cosign/env" - "github.com/sigstore/sigstore-go/pkg/root" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/signcommon" "github.com/spf13/cobra" ) 
@@ -103,45 +99,10 @@ func Attest() *cobra.Command { BundlePath: o.BundlePath, NewBundleFormat: o.NewBundleFormat, } - // If a signing config is used, then service URLs cannot be specified - if (o.UseSigningConfig || o.SigningConfigPath != "") && - ((o.Rekor.URL != "" && o.Rekor.URL != options.DefaultRekorURL) || - (o.Fulcio.URL != "" && o.Fulcio.URL != options.DefaultFulcioURL) || - (o.OIDC.Issuer != "" && o.OIDC.Issuer != options.DefaultOIDCIssuerURL) || - o.TSAServerURL != "") { - return fmt.Errorf("cannot specify service URLs and use signing config") - } - // Signing config requires a bundle as output for verification materials since sigstore-go is used - if (o.UseSigningConfig || o.SigningConfigPath != "") && !o.NewBundleFormat { - return fmt.Errorf("must provide --new-bundle-format with --signing-config or --use-signing-config") - } - // Fetch a trusted root when: - // * requesting a certificate and no CT log key is provided to verify an SCT - // * using a signing config and signing using sigstore-go - if (o.Key == "" && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "") || - (o.UseSigningConfig || o.SigningConfigPath != "") { - if o.TrustedRootPath != "" { - ko.TrustedMaterial, err = root.NewTrustedRootFromPath(o.TrustedRootPath) - if err != nil { - return fmt.Errorf("loading trusted root: %w", err) - } - } else { - ko.TrustedMaterial, err = cosign.TrustedRoot() - if err != nil { - ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. 
Error from TUF: %v", err) - } - } - } - if o.SigningConfigPath != "" { - ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath) - if err != nil { - return fmt.Errorf("error reading signing config from file: %w", err) - } - } else if o.UseSigningConfig { - ko.SigningConfig, err = cosign.SigningConfig() - if err != nil { - return fmt.Errorf("error getting signing config from TUF: %w", err) - } + if err := signcommon.LoadTrustedMaterialAndSigningConfig(cmd.Context(), &ko, o.UseSigningConfig, o.SigningConfigPath, + o.Rekor.URL, o.Fulcio.URL, o.OIDC.Issuer, o.TSAServerURL, o.TrustedRootPath, o.TlogUpload, + o.NewBundleFormat, "", o.Key, o.IssueCertificate); err != nil { + return err } attestCommand := attest.AttestCommand{ diff --git a/cmd/cosign/cli/attest_blob.go b/cmd/cosign/cli/attest_blob.go index 454a02b9523..51db427f602 100644 --- a/cmd/cosign/cli/attest_blob.go +++ b/cmd/cosign/cli/attest_blob.go @@ -15,16 +15,10 @@ package cli import ( - "context" - "fmt" - "github.com/sigstore/cosign/v3/cmd/cosign/cli/attest" "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate" "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" - "github.com/sigstore/cosign/v3/internal/ui" - "github.com/sigstore/cosign/v3/pkg/cosign" - "github.com/sigstore/cosign/v3/pkg/cosign/env" - "github.com/sigstore/sigstore-go/pkg/root" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/signcommon" "github.com/spf13/cobra" ) 
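Review bot: The new `signcommon.LoadTrustedMaterialAndSigningConfig` call takes fourteen positional arguments, eight of them strings (six consecutive, `o.SigningConfigPath` through `o.TrustedRootPath`) and four bools, so a transposed argument at any of the four call sites still compiles; a small options struct with named fields would make each site self-checking. The same call appears in attest_blob.go, sign.go and signblob.go, where the bundle-path slot is `o.BundlePath` for the two blob commands and `""` for the image commands, and the `""` sites would read better with a comment such as `// image signing has no bundle output path; --new-bundle-format is required with a signing config instead`. Note also that the removed attest.go check fetched a trusted root only when `o.Key == ""`, while the helper is now handed `o.IssueCertificate` as well, which appears to align attest with sign.go's `(o.Key == "" || o.IssueCertificate)` condition; if that is intended, the description should say so. The helper's body is outside this chunk, and the enclosing RunE closure begins before the hunk.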
@@ -90,45 +84,10 @@ func AttestBlob() *cobra.Command { BundlePath: o.BundlePath, NewBundleFormat: o.NewBundleFormat, } - // If a signing config is used, then service URLs cannot be specified - if (o.UseSigningConfig || o.SigningConfigPath != "") && - ((o.Rekor.URL != "" && o.Rekor.URL != options.DefaultRekorURL) || - (o.Fulcio.URL != "" && o.Fulcio.URL != options.DefaultFulcioURL) || - (o.OIDC.Issuer != "" && o.OIDC.Issuer != options.DefaultOIDCIssuerURL) || - o.TSAServerURL != "") { - return fmt.Errorf("cannot specify service URLs and use signing config") - } - // Signing config requires a bundle as output for verification materials since sigstore-go is used - if (o.UseSigningConfig || o.SigningConfigPath != "") && o.BundlePath == "" { - return fmt.Errorf("must provide --bundle with --signing-config or --use-signing-config") - } - // Fetch a trusted root when: - // * requesting a certificate and no CT log key is provided to verify an SCT - // * using a signing config and signing using sigstore-go - if (o.Key == "" && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "") || - (o.UseSigningConfig || o.SigningConfigPath != "") { - if o.TrustedRootPath != "" { - ko.TrustedMaterial, err = root.NewTrustedRootFromPath(o.TrustedRootPath) - if err != nil { - return fmt.Errorf("loading trusted root: %w", err) - } - } else { - ko.TrustedMaterial, err = cosign.TrustedRoot() - if err != nil { - ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. 
Error from TUF: %v", err) - } - } - } - if o.SigningConfigPath != "" { - ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath) - if err != nil { - return fmt.Errorf("error reading signing config from file: %w", err) - } - } else if o.UseSigningConfig { - ko.SigningConfig, err = cosign.SigningConfig() - if err != nil { - return fmt.Errorf("error getting signing config from TUF: %w", err) - } + if err := signcommon.LoadTrustedMaterialAndSigningConfig(cmd.Context(), &ko, o.UseSigningConfig, o.SigningConfigPath, + o.Rekor.URL, o.Fulcio.URL, o.OIDC.Issuer, o.TSAServerURL, o.TrustedRootPath, o.TlogUpload, + o.NewBundleFormat, o.BundlePath, o.Key, o.IssueCertificate); err != nil { + return err } v := attest.AttestBlobCommand{ diff --git a/cmd/cosign/cli/options/attest.go b/cmd/cosign/cli/options/attest.go index d1791889730..bf55898251e 100644 --- a/cmd/cosign/cli/options/attest.go +++ b/cmd/cosign/cli/options/attest.go @@ -88,6 +88,7 @@ func (o *AttestOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().BoolVar(&o.TlogUpload, "tlog-upload", true, "whether or not to upload to the tlog") + _ = cmd.Flags().MarkDeprecated("tlog-upload", "prefer using a --signing-config file with no transparency log services") cmd.Flags().StringVar(&o.RekorEntryType, "rekor-entry-type", rekorEntryTypes[0], "specifies the type to be used for a rekor entry upload ("+strings.Join(rekorEntryTypes, "|")+")") diff --git a/cmd/cosign/cli/options/attest_blob.go b/cmd/cosign/cli/options/attest_blob.go index 4d906605c2e..3ddef763460 100644 --- a/cmd/cosign/cli/options/attest_blob.go +++ b/cmd/cosign/cli/options/attest_blob.go 
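Review bot: `o.TlogUpload` is a plain bool defaulting to `true`, so whatever the shared helper does with it can only recognise an explicit `--tlog-upload=false`; a user who passes `--tlog-upload=true` together with a signing config is indistinguishable from one who never set the flag, which may not match the stated goal of erroring whenever the deprecated flag is used. If the intent is "any explicit use", pass `cmd.Flags().Changed("tlog-upload")` alongside the value. The `_ =` on `MarkDeprecated` also deserves a justifying comment, e.g. `// flag is registered on the previous line, so MarkDeprecated cannot fail`. The same two points apply to the identical hunks in options/attest_blob.go, options/sign.go and options/signblob.go.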
@@ -121,6 +121,7 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().BoolVar(&o.TlogUpload, "tlog-upload", true, "whether or not to upload to the tlog") + _ = cmd.Flags().MarkDeprecated("tlog-upload", "prefer using a --signing-config file with no transparency log services") cmd.Flags().StringVar(&o.RekorEntryType, "rekor-entry-type", rekorEntryTypes[0], "specifies the type to be used for a rekor entry upload ("+strings.Join(rekorEntryTypes, "|")+")") diff --git a/cmd/cosign/cli/options/sign.go b/cmd/cosign/cli/options/sign.go index 23eb93cab49..c0d6bdef3a2 100644 --- a/cmd/cosign/cli/options/sign.go +++ b/cmd/cosign/cli/options/sign.go @@ -118,6 +118,7 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().BoolVar(&o.TlogUpload, "tlog-upload", true, "whether or not to upload to the tlog") + _ = cmd.Flags().MarkDeprecated("tlog-upload", "prefer using a --signing-config file with no transparency log services") cmd.Flags().StringVar(&o.TSAClientCACert, "timestamp-client-cacert", "", "path to the X.509 CA certificate file in PEM format to be used for the connection to the TSA Server") diff --git a/cmd/cosign/cli/options/signblob.go b/cmd/cosign/cli/options/signblob.go index d40cfa783cf..2eb815c977a 100644 --- a/cmd/cosign/cli/options/signblob.go +++ b/cmd/cosign/cli/options/signblob.go @@ -107,6 +107,7 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().BoolVar(&o.TlogUpload, "tlog-upload", true, "whether or not to upload to the tlog") + _ = cmd.Flags().MarkDeprecated("tlog-upload", "prefer using a --signing-config file with no transparency log services") cmd.Flags().StringVar(&o.TSAClientCACert, "timestamp-client-cacert", "", "path to the X.509 CA certificate file in PEM format to be used for the connection to the TSA Server") diff --git a/cmd/cosign/cli/sign.go b/cmd/cosign/cli/sign.go index c578df9cfbb..e4aa71996a3 100644 --- a/cmd/cosign/cli/sign.go +++ b/cmd/cosign/cli/sign.go 
@@ -22,10 +22,7 @@ import (
 "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate"
 "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
 "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign"
- "github.com/sigstore/cosign/v3/internal/ui"
- "github.com/sigstore/cosign/v3/pkg/cosign"
- "github.com/sigstore/cosign/v3/pkg/cosign/env"
- "github.com/sigstore/sigstore-go/pkg/root"
+ "github.com/sigstore/cosign/v3/cmd/cosign/cli/signcommon"
 "github.com/spf13/cobra"
 )
@@ -131,45 +128,10 @@ race conditions or (worse) malicious tampering. TSAServerURL: o.TSAServerURL, IssueCertificateForExistingKey: o.IssueCertificate, } - // If a signing config is used, then service URLs cannot be specified - if (o.UseSigningConfig || o.SigningConfigPath != "") && - ((o.Rekor.URL != "" && o.Rekor.URL != options.DefaultRekorURL) || - (o.Fulcio.URL != "" && o.Fulcio.URL != options.DefaultFulcioURL) || - (o.OIDC.Issuer != "" && o.OIDC.Issuer != options.DefaultOIDCIssuerURL) || - o.TSAServerURL != "") { - return fmt.Errorf("cannot specify service URLs and use signing config") - } - // Signing config requires a bundle as output for verification materials since sigstore-go is used - if (o.UseSigningConfig || o.SigningConfigPath != "") && !o.NewBundleFormat { - return fmt.Errorf("must provide --new-bundle-format with --signing-config or --use-signing-config") - } - // Fetch a trusted root when: - // * requesting a certificate and no CT log key is provided to verify an SCT - // * using a signing config and signing using sigstore-go - if ((o.Key == "" || o.IssueCertificate) && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "") || - (o.UseSigningConfig || o.SigningConfigPath != "") { - if o.TrustedRootPath != "" { - ko.TrustedMaterial, err = root.NewTrustedRootFromPath(o.TrustedRootPath) - if err != nil { - return fmt.Errorf("loading trusted root: %w", err) - } - } else { - ko.TrustedMaterial, err = cosign.TrustedRoot() - if err != nil { - ui.Warnf(cmd.Context(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. 
Error from TUF: %v", err) - } - } - } - if o.SigningConfigPath != "" { - ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath) - if err != nil { - return fmt.Errorf("error reading signing config from file: %w", err) - } - } else if o.UseSigningConfig { - ko.SigningConfig, err = cosign.SigningConfig() - if err != nil { - return fmt.Errorf("error getting signing config from TUF: %w", err) - } + if err := signcommon.LoadTrustedMaterialAndSigningConfig(cmd.Context(), &ko, o.UseSigningConfig, o.SigningConfigPath, + o.Rekor.URL, o.Fulcio.URL, o.OIDC.Issuer, o.TSAServerURL, o.TrustedRootPath, o.TlogUpload, + o.NewBundleFormat, "", o.Key, o.IssueCertificate); err != nil { + return err } if err := sign.SignCmd(cmd.Context(), ro, ko, *o, args); err != nil { diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go index 2d46cd5bf05..2397cd45e01 100644 --- a/cmd/cosign/cli/signblob.go +++ b/cmd/cosign/cli/signblob.go @@ -23,10 +23,8 @@ import ( "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate" "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign" - "github.com/sigstore/cosign/v3/internal/ui" + "github.com/sigstore/cosign/v3/cmd/cosign/cli/signcommon" "github.com/sigstore/cosign/v3/pkg/cosign" - "github.com/sigstore/cosign/v3/pkg/cosign/env" - "github.com/sigstore/sigstore-go/pkg/root" "github.com/spf13/cobra" "github.com/spf13/viper" ) 
@@ -116,45 +114,10 @@ func SignBlob() *cobra.Command {
 IssueCertificateForExistingKey: o.IssueCertificate,
 SigningAlgorithm: o.SigningAlgorithm,
 }
- // If a signing config is used, then service URLs cannot be specified
- if (o.UseSigningConfig || o.SigningConfigPath != "") &&
- ((o.Rekor.URL != "" && o.Rekor.URL != options.DefaultRekorURL) ||
- (o.Fulcio.URL != "" && o.Fulcio.URL != options.DefaultFulcioURL) ||
- (o.OIDC.Issuer != "" && o.OIDC.Issuer != options.DefaultOIDCIssuerURL) ||
- o.TSAServerURL != "") {
- return fmt.Errorf("cannot specify service URLs and use signing config")
- }
- // Signing config requires a bundle as output for verification materials since sigstore-go is used
- if (o.UseSigningConfig || o.SigningConfigPath != "") && o.BundlePath == "" {
- return fmt.Errorf("must provide --bundle with --signing-config or --use-signing-config")
- }
- // Fetch a trusted root when:
- // * requesting a certificate and no CT log key is provided to verify an SCT
- // * using a signing config and signing using sigstore-go
- if ((o.Key == "" || o.IssueCertificate) && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "") ||
- (o.UseSigningConfig || o.SigningConfigPath != "") {
- if o.TrustedRootPath != "" {
- ko.TrustedMaterial, err = root.NewTrustedRootFromPath(o.TrustedRootPath)
- if err != nil {
- return fmt.Errorf("loading trusted root: %w", err)
- }
- } else {
- ko.TrustedMaterial, err = cosign.TrustedRoot()
- if err != nil {
- ui.Warnf(cmd.Context(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
- }
- }
- }
- if o.SigningConfigPath != "" {
- ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath)
- if err != nil {
- return fmt.Errorf("error reading signing config from file: %w", err)
- }
- } else if o.UseSigningConfig {
- ko.SigningConfig, err = cosign.SigningConfig()
- if err != nil {
- return fmt.Errorf("error getting signing config from TUF: %w", err)
- }
+ if err := signcommon.LoadTrustedMaterialAndSigningConfig(cmd.Context(), &ko, o.UseSigningConfig, o.SigningConfigPath,
+ o.Rekor.URL, o.Fulcio.URL, o.OIDC.Issuer, o.TSAServerURL, o.TrustedRootPath, o.TlogUpload,
+ o.NewBundleFormat, o.BundlePath, o.Key, o.IssueCertificate); err != nil {
+ return err
 }
 for _, blob := range args {
diff --git a/cmd/cosign/cli/signcommon/common.go b/cmd/cosign/cli/signcommon/common.go
index f46b5851bbf..8a728498be8 100644
--- a/cmd/cosign/cli/signcommon/common.go
+++ b/cmd/cosign/cli/signcommon/common.go
@@ -38,6 +38,7 @@ import (
 "github.com/sigstore/cosign/v3/internal/ui"
 "github.com/sigstore/cosign/v3/pkg/cosign"
 cbundle "github.com/sigstore/cosign/v3/pkg/cosign/bundle"
+ "github.com/sigstore/cosign/v3/pkg/cosign/env"
 "github.com/sigstore/cosign/v3/pkg/cosign/pivkey"
 "github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key"
 ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote"
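Review bot: The guard the removed lines enforced for sign-blob was an error whenever a signing config is used and `o.BundlePath == ""`, but the shared check this call reaches in common.go is `!newBundleFormat && bundlePath == ""`, so passing `o.NewBundleFormat` here lets `--new-bundle-format` alone satisfy it with no `--bundle` set; the sign-blob doc hunk on this page still says `--use-signing-config` 'Must provide --bundle'. If sign-blob cannot have `NewBundleFormat` true without a bundle path, a comment at the call site saying so would show the relaxation is intended; otherwise pass `false` in place of `o.NewBundleFormat` to keep the previous requirement. The `SignBlob` function continues outside the hunk.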
@@ -639,3 +640,54 @@ func ParseSignatureAlgorithmFlag(signingAlgorithm string) (pb_go_v1.PublicKeyDet
 }
 return signature.ParseSignatureAlgorithmFlag(signingAlgorithm)
 }
+
+// LoadTrustedMaterialAndSigningConfig loads the trusted material and signing config from the given options.
+func LoadTrustedMaterialAndSigningConfig(ctx context.Context, ko *options.KeyOpts, useSigningConfig bool, signingConfigPath string,
+ rekorURL, fulcioURL, oidcIssuer, tsaServerURL, trustedRootPath string,
+ tlogUpload bool, newBundleFormat bool, bundlePath string, keyRef string, issueCertificate bool) error {
+ var err error
+ // If a signing config is used, then service URLs cannot be specified
+ if (useSigningConfig || signingConfigPath != "") &&
+ ((rekorURL != "" && rekorURL != options.DefaultRekorURL) ||
+ (fulcioURL != "" && fulcioURL != options.DefaultFulcioURL) ||
+ (oidcIssuer != "" && oidcIssuer != options.DefaultOIDCIssuerURL) ||
+ tsaServerURL != "") {
+ return fmt.Errorf("cannot specify service URLs and use signing config")
+ }
+ if (useSigningConfig || signingConfigPath != "") && !tlogUpload {
+ return fmt.Errorf("--tlog-upload=false is not supported with --signing-config or --use-signing-config. Provide a signing config with --signing-config without a transparency log service, which can be created with `cosign signing-config create` or `curl https://raw.githubusercontent.com/sigstore/root-signing/refs/heads/main/targets/signing_config.v0.2.json | jq 'del(.rekorTlogUrls)'` for the public instance")
+ }
+ // Signing config requires a bundle as output for verification materials since sigstore-go is used
+ if (useSigningConfig || signingConfigPath != "") && !newBundleFormat && bundlePath == "" {
+ return fmt.Errorf("must provide --new-bundle-format or --bundle where applicable with --signing-config or --use-signing-config")
+ }
+ // Fetch a trusted root when:
+ // * requesting a certificate and no CT log key is provided to verify an SCT
+ // * using a signing config and signing using sigstore-go
+ if ((keyRef == "" || issueCertificate) && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "") ||
+ (useSigningConfig || signingConfigPath != "") {
+ if trustedRootPath != "" {
+ ko.TrustedMaterial, err = root.NewTrustedRootFromPath(trustedRootPath)
+ if err != nil {
+ return fmt.Errorf("loading trusted root: %w", err)
+ }
+ } else {
+ ko.TrustedMaterial, err = cosign.TrustedRoot()
+ if err != nil {
+ ui.Warnf(ctx, "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
+ }
+ }
+ }
+ if signingConfigPath != "" {
+ ko.SigningConfig, err = root.NewSigningConfigFromPath(signingConfigPath)
+ if err != nil {
+ return fmt.Errorf("error reading signing config from file: %w", err)
+ }
+ } else if useSigningConfig {
+ ko.SigningConfig, err = cosign.SigningConfig()
+ if err != nil {
+ return fmt.Errorf("error getting signing config from TUF: %w", err)
+ }
+ }
+ return nil
+}
diff --git a/doc/cosign_attest-blob.md b/doc/cosign_attest-blob.md
index 126f3f1444d..30cb9c10f73 100644
--- a/doc/cosign_attest-blob.md
+++ b/doc/cosign_attest-blob.md
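Review bot: In `LoadTrustedMaterialAndSigningConfig` a failed `cosign.TrustedRoot()` is only reported with `ui.Warnf` and leaves `ko.TrustedMaterial` nil, yet the same branch is entered when `useSigningConfig || signingConfigPath != ""`, where the comment above it says sigstore-go does the signing and the "continuing with individual targets" fallback presumably does not exist; on that path the failure should be returned, `if useSigningConfig || signingConfigPath != "" { return fmt.Errorf("fetching trusted root from TUF: %w", err) }` ahead of the warning, so it surfaces here rather than as a less specific error later in signing. The one-line doc comment should also spell out the contract a caller needs: that `ko.TrustedMaterial` and `ko.SigningConfig` are the fields written, that a TUF fetch failure without `trustedRootPath` is non-fatal and leaves `TrustedMaterial` nil, and that an error is returned for non-default service URLs combined with a signing config, for `tlogUpload == false` with a signing config, and for a signing config with neither `newBundleFormat` nor `bundlePath`. The whole function is inside this hunk.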
@@ -67,7 +67,6 @@ cosign attest-blob [flags]
 --timestamp-client-key string path to the X.509 private key file in PEM format to be used, together with the 'timestamp-client-cert' value, for the connection to the TSA Server
 --timestamp-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the TSA Server
 --timestamp-server-url string url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr
- --tlog-upload whether or not to upload to the tlog (default true)
 --trusted-root string optional path to a TrustedRoot JSON file to verify a signature after signing
 --type string specify a predicate type (slsaprovenance|slsaprovenance02|slsaprovenance1|link|spdx|spdxjson|cyclonedx|vuln|openvex|custom) or an URI (default "custom")
 --use-signing-config whether to use a TUF-provided signing config for the service URLs. Must provide --bundle, which will output verification material in the new format (default true)
diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md
index 57601462a3a..7beb3dbdf0b 100644
--- a/doc/cosign_attest.md
+++ b/doc/cosign_attest.md
@@ -91,7 +91,6 @@ cosign attest [flags]
 --timestamp-client-key string path to the X.509 private key file in PEM format to be used, together with the 'timestamp-client-cert' value, for the connection to the TSA Server
 --timestamp-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the TSA Server
 --timestamp-server-url string url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr
- --tlog-upload whether or not to upload to the tlog (default true)
 --trusted-root string optional path to a TrustedRoot JSON file to verify a signature after signing
 --type string specify a predicate type (slsaprovenance|slsaprovenance02|slsaprovenance1|link|spdx|spdxjson|cyclonedx|vuln|openvex|custom) or an URI (default "custom")
 --use-signing-config whether to use a TUF-provided signing config for the service URLs. Must set --new-bundle-format, which will store verification material in the new format (default true)
diff --git a/doc/cosign_sign-blob.md b/doc/cosign_sign-blob.md
index e7585000c19..0a8eb004a1c 100644
--- a/doc/cosign_sign-blob.md
+++ b/doc/cosign_sign-blob.md
@@ -66,7 +66,6 @@ cosign sign-blob [flags]
 --timestamp-client-key string path to the X.509 private key file in PEM format to be used, together with the 'timestamp-client-cert' value, for the connection to the TSA Server
 --timestamp-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the TSA Server
 --timestamp-server-url string url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr
- --tlog-upload whether or not to upload to the tlog (default true)
 --trusted-root string optional path to a TrustedRoot JSON file to verify a signature after signing
 --use-signing-config whether to use a TUF-provided signing config for the service URLs. Must provide --bundle, which will output verification material in the new format (default true)
 -y, --yes skip confirmation prompts for non-destructive operations
diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md
index 8973b53aee8..bb5049c760e 100644
--- a/doc/cosign_sign.md
+++ b/doc/cosign_sign.md
@@ -119,7 +119,6 @@ cosign sign [flags]
 --timestamp-client-key string path to the X.509 private key file in PEM format to be used, together with the 'timestamp-client-cert' value, for the connection to the TSA Server
 --timestamp-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the TSA Server
 --timestamp-server-url string url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr
- --tlog-upload whether or not to upload to the tlog (default true)
 --trusted-root string optional path to a TrustedRoot JSON file to verify a signature after signing
 --upload whether to upload the signature (default true)
 --use-signing-config whether to use a TUF-provided signing config for the service URLs. Must set --new-bundle-format, which will store verification material in the new format (default true)
diff --git a/test/e2e_test.go b/test/e2e_test.go
index 0c90b23cc75..fc6d049bb2b 100644
--- a/test/e2e_test.go
+++ b/test/e2e_test.go
@@ -852,7 +852,7 @@ func TestSignVerifyWithTUFMirror(t *testing.T) {
 }
 }
-func prepareSigningConfig(t *testing.T, fulcioURL, rekorURL, oidcURL, tsaURL string) string {
+func prepareSigningConfig(t *testing.T, fulcioURL, rekorURL, oidcURL, tsaURL string) string { //nolint: unparam
 startTime := "2024-01-01T00:00:00Z"
 fulcioSpec := fmt.Sprintf("url=%s,api-version=1,operator=fulcio-op,start-time=%s", fulcioURL, startTime)
 rekorSpec := fmt.Sprintf("url=%s,api-version=1,operator=rekor-op,start-time=%s", rekorURL, startTime)
@@ -965,6 +965,7 @@ func TestSignAttestVerifyBlobWithSigningConfig(t *testing.T) {
 KeyOpts: ko,
 RekorEntryType: "dsse",
 StatementPath: statementPath,
+ TlogUpload: true,
 }
 must(attestBlobCmd.Exec(ctx, bp), t)
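Review bot: `TlogUpload: true` is added to the `attestBlobCmd` options literal without a comment, and nothing in the test says why it is now required; the reason is the new guard in common.go that rejects a signing config when `tlogUpload` is false, and the struct zero value is false. Annotate the first occurrence, `TlogUpload: true, // signing-config path rejects tlogUpload == false`, and the same applies to the two insertions in the next hunks at @@ -1073 and @@ -1177. Since the zero-value struct now fails validation on the signing-config path, any non-CLI caller building these options will see the same error; if that is intended, the field's doc comment on the options struct (outside this diff) should say so.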
@@ -1073,6 +1074,7 @@ func TestSignAttestVerifyContainerWithSigningConfig(t *testing.T) {
 PredicateType: "slsaprovenance",
 Timeout: 30 * time.Second,
 RekorEntryType: "dsse",
+ TlogUpload: true,
 }
 must(attestCmd.Exec(ctx, imgName), t)
@@ -1177,6 +1179,7 @@ func TestSignVerifyWithSigningConfigWithKey(t *testing.T) {
 KeyOpts: ko,
 RekorEntryType: "dsse",
 StatementPath: statementPath,
+ TlogUpload: true,
 }
 must(attestBlobCmd.Exec(ctx, bp), t)
diff --git a/test/e2e_test.ps1 b/test/e2e_test.ps1
index dd6736f6321..4228d769a29 100644
--- a/test/e2e_test.ps1
+++ b/test/e2e_test.ps1
@@ -35,7 +35,7 @@ $signing_key = "cosign.key"
 $verification_key = "cosign.pub"
 Write-Output "hello world" | Out-File -FilePath "hello_world.txt"
-Write-Output $pass | .\cosign.exe sign-blob --key $signing_key --bundle test.sigstore.json --tlog-upload=false hello_world.txt
+Write-Output $pass | .\cosign.exe sign-blob --key $signing_key --bundle test.sigstore.json --use-signing-config=false --tlog-upload=false hello_world.txt
 .\cosign.exe verify-blob --key $verification_key --bundle test.sigstore.json --insecure-ignore-tlog=true hello_world.txt
 Pop-Location
From e073b488cf644cb2ee103510bb019b8f6bab359c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 14 Nov 2025 11:51:01 -0800
Subject: [PATCH 126/136] chore(deps): bump github.com/theupdateframework/go-tuf/v2 (#4522)
Bumps [github.com/theupdateframework/go-tuf/v2](https://github.com/theupdateframework/go-tuf) from 2.2.0 to 2.3.0. - [Release notes](https://github.com/theupdateframework/go-tuf/releases) - [Changelog](https://github.com/theupdateframework/go-tuf/blob/master/.goreleaser.yaml) - [Commits](https://github.com/theupdateframework/go-tuf/compare/v2.2.0...v2.3.0) --- updated-dependencies: - dependency-name: github.com/theupdateframework/go-tuf/v2 dependency-version: 2.3.0 dependency-type: direct:production update-type: version-update:semver-minor ...
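Review bot: The added `--use-signing-config=false` is needed only because the new guard in common.go rejects `--tlog-upload=false` whenever a signing config is in use, and the doc hunks on this page show `--use-signing-config` defaulting to true; if that default holds, an existing key-based offline invocation like the removed line fails after this change until the user adds that flag, which is a behaviour change worth calling out in the release notes. The error message in common.go points users at building a signing config without Rekor URLs, but for a key-only signer `--use-signing-config=false` is the direct remedy and should be named first in that message. The same doc hunks drop the `--tlog-upload` help line from all four commands, so a user who hits the error will not find the flag it names in the reference docs unless the flag is intentionally hidden.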
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index b31e371cb85..da6a24c8bae 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/sigstore/cosign/v3 -go 1.24.6 +go 1.24.9 require ( cuelang.org/go v0.14.2 @@ -49,7 +49,7 @@ require ( github.com/spf13/viper v1.21.0 github.com/spiffe/go-spiffe/v2 v2.6.0 github.com/stretchr/testify v1.11.1 - github.com/theupdateframework/go-tuf/v2 v2.2.0 + github.com/theupdateframework/go-tuf/v2 v2.3.0 github.com/transparency-dev/merkle v0.0.2 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 gitlab.com/gitlab-org/api/client-go v0.157.0 diff --git a/go.sum b/go.sum index c34b4436127..68da6613ab4 100644 --- a/go.sum +++ b/go.sum @@ -1521,8 +1521,8 @@ github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gt github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU= github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI= github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug= -github.com/theupdateframework/go-tuf/v2 v2.2.0 h1:Hmb+Azgd7IKOZeNJFT2C91y+YZ+F+TeloSIvQIaXCQw= -github.com/theupdateframework/go-tuf/v2 v2.2.0/go.mod h1:CubcJiJlBHQ2YkA5j9hlBO4B+tHFlLjRbWCJCT7EIKU= +github.com/theupdateframework/go-tuf/v2 v2.3.0 h1:gt3X8xT8qu/HT4w+n1jgv+p7koi5ad8XEkLXXZqG9AA= +github.com/theupdateframework/go-tuf/v2 v2.3.0/go.mod h1:xW8yNvgXRncmovMLvBxKwrKpsOwJZu/8x+aB0KtFcdw= github.com/tink-crypto/tink-go-awskms/v2 v2.1.0 h1:N9UxlsOzu5mttdjhxkDLbzwtEecuXmlxZVo/ds7JKJI= github.com/tink-crypto/tink-go-awskms/v2 v2.1.0/go.mod h1:PxSp9GlOkKL9rlybW804uspnHuO9nbD98V/fDX4uSis= github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0 h1:3B9i6XBXNTRspfkTC0asN5W0K6GhOSgcujNiECNRNb0= 
From 7d5ea875a83763cb959387343ebd00d8bd96db80 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 14 Nov 2025 11:51:14 -0800 Subject: [PATCH 127/136] chore(deps): bump github.com/buildkite/agent/v3 from 3.110.0 to 3.111.0 (#4523) Bumps [github.com/buildkite/agent/v3](https://github.com/buildkite/agent) from 3.110.0 to 3.111.0. - [Release notes](https://github.com/buildkite/agent/releases) - [Changelog](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) - [Commits](https://github.com/buildkite/agent/compare/v3.110.0...v3.111.0) --- updated-dependencies: - dependency-name: github.com/buildkite/agent/v3 dependency-version: 3.111.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 38 ++++++++++++++-------------- go.sum | 80 +++++++++++++++++++++++++++++----------------------------- 2 files changed, 59 insertions(+), 59 deletions(-) diff --git a/go.mod b/go.mod index da6a24c8bae..e981ba8b4e6 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,7 @@ require ( cuelang.org/go v0.14.2 github.com/ThalesIgnite/crypto11 v1.2.5 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 - github.com/buildkite/agent/v3 v3.110.0 + github.com/buildkite/agent/v3 v3.111.0 github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936 @@ -57,7 +57,7 @@ require ( golang.org/x/oauth2 v0.32.0 golang.org/x/sync v0.17.0 golang.org/x/term v0.36.0 - google.golang.org/api v0.252.0 + google.golang.org/api v0.255.0 google.golang.org/protobuf v1.36.10 k8s.io/api v0.34.1 k8s.io/apimachinery v0.34.1 
@@ -116,22 +116,22 @@ require ( github.com/aliyun/credentials-go v1.3.2 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect github.com/aws/aws-sdk-go v1.55.8 // indirect - github.com/aws/aws-sdk-go-v2 v1.39.3 // indirect - github.com/aws/aws-sdk-go-v2/config v1.31.13 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.18.17 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.10 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.10 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.10 // indirect + github.com/aws/aws-sdk-go-v2 v1.39.6 // indirect + github.com/aws/aws-sdk-go-v2/config v1.31.17 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.18.21 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 // indirect github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.10 // indirect - github.com/aws/aws-sdk-go-v2/service/kms v1.46.0 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.29.7 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.2 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.38.7 // indirect - github.com/aws/smithy-go v1.23.1 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 // indirect + github.com/aws/aws-sdk-go-v2/service/kms v1.47.1 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.30.1 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5 
// indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.39.1 // indirect + github.com/aws/smithy-go v1.23.2 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver v3.5.1+incompatible // indirect github.com/buildkite/go-pipeline v0.16.0 // indirect @@ -222,7 +222,7 @@ require ( github.com/jellydator/ttlcache/v3 v3.4.0 // indirect github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/klauspost/compress v1.18.0 // indirect + github.com/klauspost/compress v1.18.1 // indirect github.com/kylelemons/godebug v1.1.0 // indirect github.com/lestrrat-go/blackmagic v1.0.4 // indirect github.com/lestrrat-go/dsig v1.0.0 // indirect @@ -311,12 +311,12 @@ require ( golang.org/x/net v0.46.0 // indirect golang.org/x/sys v0.37.0 // indirect golang.org/x/text v0.30.0 // indirect - golang.org/x/time v0.13.0 // indirect + golang.org/x/time v0.14.0 // indirect golang.org/x/tools v0.37.0 // indirect google.golang.org/genproto v0.0.0-20250922171735-9219d122eba9 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20251002232023-7c0ddcbb5797 // indirect - google.golang.org/grpc v1.75.1 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda // indirect + google.golang.org/grpc v1.76.0 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect diff --git a/go.sum b/go.sum index 68da6613ab4..ffb50507ad5 100644 --- a/go.sum +++ b/go.sum 
@@ -757,38 +757,38 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/aws/aws-sdk-go v1.55.8 h1:JRmEUbU52aJQZ2AjX4q4Wu7t4uZjOu71uyNmaWlUkJQ= github.com/aws/aws-sdk-go v1.55.8/go.mod h1:ZkViS9AqA6otK+JBBNH2++sx1sgxrPKcSzPPvQkUtXk= -github.com/aws/aws-sdk-go-v2 v1.39.3 h1:h7xSsanJ4EQJXG5iuW4UqgP7qBopLpj84mpkNx3wPjM= -github.com/aws/aws-sdk-go-v2 v1.39.3/go.mod h1:yWSxrnioGUZ4WVv9TgMrNUeLV3PFESn/v+6T/Su8gnM= -github.com/aws/aws-sdk-go-v2/config v1.31.13 h1:wcqQB3B0PgRPUF5ZE/QL1JVOyB0mbPevHFoAMpemR9k= -github.com/aws/aws-sdk-go-v2/config v1.31.13/go.mod h1:ySB5D5ybwqGbT6c3GszZ+u+3KvrlYCUQNo62+hkKOFk= -github.com/aws/aws-sdk-go-v2/credentials v1.18.17 h1:skpEwzN/+H8cdrrtT8y+rvWJGiWWv0DeNAe+4VTf+Vs= -github.com/aws/aws-sdk-go-v2/credentials v1.18.17/go.mod h1:Ed+nXsaYa5uBINovJhcAWkALvXw2ZLk36opcuiSZfJM= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.10 h1:UuGVOX48oP4vgQ36oiKmW9RuSeT8jlgQgBFQD+HUiHY= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.10/go.mod h1:vM/Ini41PzvudT4YkQyE/+WiQJiQ6jzeDyU8pQKwCac= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.10 h1:mj/bdWleWEh81DtpdHKkw41IrS+r3uw1J/VQtbwYYp8= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.10/go.mod h1:7+oEMxAZWP8gZCyjcm9VicI0M61Sx4DJtcGfKYv2yKQ= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.10 h1:wh+/mn57yhUrFtLIxyFPh2RgxgQz/u+Yrf7hiHGHqKY= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.10/go.mod h1:7zirD+ryp5gitJJ2m1BBux56ai8RIRDykXZrJSp540w= +github.com/aws/aws-sdk-go-v2 v1.39.6 h1:2JrPCVgWJm7bm83BDwY5z8ietmeJUbh3O2ACnn+Xsqk= +github.com/aws/aws-sdk-go-v2 v1.39.6/go.mod h1:c9pm7VwuW0UPxAEYGyTmyurVcNrbF6Rt/wixFqDhcjE= +github.com/aws/aws-sdk-go-v2/config v1.31.17 h1:QFl8lL6RgakNK86vusim14P2k8BFSxjvUkcWLDjgz9Y= +github.com/aws/aws-sdk-go-v2/config v1.31.17/go.mod 
h1:V8P7ILjp/Uef/aX8TjGk6OHZN6IKPM5YW6S78QnRD5c= +github.com/aws/aws-sdk-go-v2/credentials v1.18.21 h1:56HGpsgnmD+2/KpG0ikvvR8+3v3COCwaF4r+oWwOeNA= +github.com/aws/aws-sdk-go-v2/credentials v1.18.21/go.mod h1:3YELwedmQbw7cXNaII2Wywd+YY58AmLPwX4LzARgmmA= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 h1:T1brd5dR3/fzNFAQch/iBKeX07/ffu/cLu+q+RuzEWk= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13/go.mod h1:Peg/GBAQ6JDt+RoBf4meB1wylmAipb7Kg2ZFakZTlwk= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13 h1:a+8/MLcWlIxo1lF9xaGt3J/u3yOZx+CdSveSNwjhD40= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13/go.mod h1:oGnKwIYZ4XttyU2JWxFrwvhF6YKiK/9/wmE3v3Iu9K8= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13 h1:HBSI2kDkMdWz4ZM7FjwE7e/pWDEZ+nR95x8Ztet1ooY= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13/go.mod h1:YE94ZoDArI7awZqJzBAZ3PDD2zSfuP7w6P2knOzIn8M= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc= github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 h1:Bwzh202Aq7/MYnAjXA9VawCf6u+hjwMdoYmZ4HYsdf8= github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1/go.mod h1:xZzWl9AXYa6zsLLH41HBFW8KRKJRIzlGmvSM0mVMIX4= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 h1:XJ/AEFYj9VFPJdF+VFi4SUPEDfz1akHwxxm07JfZJcs= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2/go.mod h1:JUBHdhvKbbKmhaHjLsKJAWnQL80T6nURmhB/LEprV+4= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2 h1:xtuxji5CS0JknaXoACOunXOYOQzgfTvGAc9s2QdCJA4= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2/go.mod h1:zxwi0DIR0rcRcgdbl7E2MSOvxDyyXGBlScvBkARFaLQ= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.10 h1:DRND0dkCKtJzCj4Xl4OpVbXZgfttY5q712H9Zj7qc/0= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.10/go.mod 
h1:tGGNmJKOTernmR2+VJ0fCzQRurcPZj9ut60Zu5Fi6us= -github.com/aws/aws-sdk-go-v2/service/kms v1.46.0 h1:vSXYridw+tT3AHuK1PWdJto2qEc30/wG/fm8dmCHHis= -github.com/aws/aws-sdk-go-v2/service/kms v1.46.0/go.mod h1:YXPskkMuiMgp6qUG96NSTl7UpideOQT/Kx0u9Y1MKn0= -github.com/aws/aws-sdk-go-v2/service/sso v1.29.7 h1:fspVFg6qMx0svs40YgRmE7LZXh9VRZvTT35PfdQR6FM= -github.com/aws/aws-sdk-go-v2/service/sso v1.29.7/go.mod h1:BQTKL3uMECaLaUV3Zc2L4Qybv8C6BIXjuu1dOPyxTQs= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.2 h1:scVnW+NLXasGOhy7HhkdT9AGb6kjgW7fJ5xYkUaqHs0= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.2/go.mod h1:FRNCY3zTEWZXBKm2h5UBUPvCVDOecTad9KhynDyGBc0= -github.com/aws/aws-sdk-go-v2/service/sts v1.38.7 h1:VEO5dqFkMsl8QZ2yHsFDJAIZLAkEbaYDB+xdKi0Feic= -github.com/aws/aws-sdk-go-v2/service/sts v1.38.7/go.mod h1:L1xxV3zAdB+qVrVW/pBIrIAnHFWHo6FBbFe4xOGsG/o= -github.com/aws/smithy-go v1.23.1 h1:sLvcH6dfAFwGkHLZ7dGiYF7aK6mg4CgKA/iDKjLDt9M= -github.com/aws/smithy-go v1.23.1/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 h1:x2Ibm/Af8Fi+BH+Hsn9TXGdT+hKbDd5XOTZxTMxDk7o= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3/go.mod h1:IW1jwyrQgMdhisceG8fQLmQIydcT/jWY21rFhzgaKwo= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 h1:kDqdFvMY4AtKoACfzIGD8A0+hbT41KTKF//gq7jITfM= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13/go.mod h1:lmKuogqSU3HzQCwZ9ZtcqOc5XGMqtDK7OIc2+DxiUEg= +github.com/aws/aws-sdk-go-v2/service/kms v1.47.1 h1:6+C0RoGF4HJQALrsecOXN7cm/l5rgNHCw2xbcvFgpH4= +github.com/aws/aws-sdk-go-v2/service/kms v1.47.1/go.mod h1:VJcNH6BLr+3VJwinRKdotLOMglHO8mIKlD3ea5c7hbw= +github.com/aws/aws-sdk-go-v2/service/sso v1.30.1 h1:0JPwLz1J+5lEOfy/g0SURC9cxhbQ1lIMHMa+AHZSzz0= +github.com/aws/aws-sdk-go-v2/service/sso v1.30.1/go.mod h1:fKvyjJcz63iL/ftA6RaM8sRCtN4r4zl4tjL3qw5ec7k= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5 
h1:OWs0/j2UYR5LOGi88sD5/lhN6TDLG6SfA7CqsQO9zF0= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5/go.mod h1:klO+ejMvYsB4QATfEOIXk8WAEwN4N0aBfJpvC+5SZBo= +github.com/aws/aws-sdk-go-v2/service/sts v1.39.1 h1:mLlUgHn02ue8whiR4BmxxGJLR2gwU6s6ZzJ5wDamBUs= +github.com/aws/aws-sdk-go-v2/service/sts v1.39.1/go.mod h1:E19xDjpzPZC7LS2knI9E6BaRFDK43Eul7vd6rSq2HWk= +github.com/aws/smithy-go v1.23.2 h1:Crv0eatJUQhaManss33hS5r40CG3ZFH+21XSkqMrIUM= +github.com/aws/smithy-go v1.23.2/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 h1:6lMw4/QGLFPvbKQ0eri/9Oh3YX5Nm6BPrUlZR8yuJHg= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1/go.mod h1:EVJOSYOVeoD3VFFZ/dWCAzWJp5wZr9lTOCjW8ejAmO0= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= @@ -797,8 +797,8 @@ github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdn github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= -github.com/buildkite/agent/v3 v3.110.0 h1:fcNbcaIRnC8Q4545mXqFSmQCWUxZCNUJrvbyHgYUOz0= -github.com/buildkite/agent/v3 v3.110.0/go.mod h1:ynBDBI5OcKElHKHtsxEVeHctG54MKxUZ9dRHqXI+6Jk= +github.com/buildkite/agent/v3 v3.111.0 h1:TegvS0mm6mbJT++OwMPURB8BG6Th7YHEsnECBKLC0pY= +github.com/buildkite/agent/v3 v3.111.0/go.mod h1:dTlGVB6oEPNgk+TaOJoJxkEbpUT3SPMtnctiw0mhRMw= github.com/buildkite/go-pipeline v0.16.0 h1:wEgWUMRAgSg1ZnWOoA3AovtYYdTvN0dLY1zwUWmPP+4= github.com/buildkite/go-pipeline v0.16.0/go.mod h1:VE37qY3X5pmAKKUMoDZvPsHOQuyakB9cmXj9Qn6QasA= github.com/buildkite/interpolate v0.1.5 h1:v2Ji3voik69UZlbfoqzx+qfcsOKLA61nHdU79VV+tPU= 
@@ -1269,8 +1269,8 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/asmfmt v1.3.2/go.mod h1:AG8TuvYojzulgDAMCnYn50l/5QV3Bs/tp6j0HLHbNSE= github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU= -github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= -github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= +github.com/klauspost/compress v1.18.1 h1:bcSGx7UbpBqMChDtsF28Lw6v/G94LPrrbMbdC3JH2co= +github.com/klauspost/compress v1.18.1/go.mod h1:ZQFFVG+MdnR0P+l6wpXgIL4NTtwiKIdBnrBd8Nrxr+0= github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= @@ -1624,8 +1624,8 @@ go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42s go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.opentelemetry.io/proto/otlp v0.15.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= -go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4= -go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE= +go.opentelemetry.io/proto/otlp v1.8.0 h1:fRAZQDcAFHySxpJ1TwlA1cJ4tvcrw7nXl9xWWC8N5CE= +go.opentelemetry.io/proto/otlp v1.8.0/go.mod h1:tIeYOeNBU4cvmPqpaji1P+KbB4Oloai8wN4rWzRrFF0= go.step.sm/crypto v0.70.0 h1:Q9Ft7N637mucyZcHZd1+0VVQJVwDCKqcb9CYcYi7cds= go.step.sm/crypto v0.70.0/go.mod h1:pzfUhS5/ue7ev64PLlEgXvhx1opwbhFCjkvlhsxVds0= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= 
@@ -1966,8 +1966,8 @@ golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20220922220347-f3bd1da661af/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.13.0 h1:eUlYslOIt32DgYD6utsuUeHs4d7AsEYLuIAdg7FlYgI= -golang.org/x/time v0.13.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4= +golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI= +golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4= golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -2111,8 +2111,8 @@ google.golang.org/api v0.108.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/ google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI= google.golang.org/api v0.111.0/go.mod h1:qtFHvU9mhgTJegR31csQ+rwxyUTHOKFqCKWp1J0fdw0= google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg= -google.golang.org/api v0.252.0 h1:xfKJeAJaMwb8OC9fesr369rjciQ704AjU/psjkKURSI= -google.golang.org/api v0.252.0/go.mod h1:dnHOv81x5RAmumZ7BWLShB/u7JZNeyalImxHmtTHxqw= +google.golang.org/api v0.255.0 h1:OaF+IbRwOottVCYV2wZan7KUq7UeNUQn1BcPc4K7lE4= +google.golang.org/api v0.255.0/go.mod h1:d1/EtvCLdtiWEV4rAEHDHGh2bCnqsWhw+M8y2ECN4a8= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -2256,8 +2256,8 @@ google.golang.org/genproto v0.0.0-20250922171735-9219d122eba9 h1:LvZVVaPE0JSqL+Z google.golang.org/genproto v0.0.0-20250922171735-9219d122eba9/go.mod h1:QFOrLhdAe2PsTp3vQY4quuLKTi9j3XG3r6JPPaw7MSc= google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4 h1:8XJ4pajGwOlasW+L13MnEGA8W4115jJySQtVfS2/IBU= google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4/go.mod h1:NnuHhy+bxcg30o7FnVAZbXsPHUDQ9qKWAQKCD7VxFtk= -google.golang.org/genproto/googleapis/rpc v0.0.0-20251002232023-7c0ddcbb5797 h1:CirRxTOwnRWVLKzDNrs0CXAaVozJoR4G9xvdRecrdpk= -google.golang.org/genproto/googleapis/rpc v0.0.0-20251002232023-7c0ddcbb5797/go.mod h1:HSkG/KdJWusxU1F6CNrwNDjBMgisKxGnc5dAZfT0mjQ= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda h1:i/Q+bfisr7gq6feoJnS/DlpdwEL4ihp41fvRiM3Ork0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= 
@@ -2299,8 +2299,8 @@ google.golang.org/grpc v1.52.3/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5v google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw= google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g= google.golang.org/grpc v1.56.3/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= -google.golang.org/grpc v1.75.1 h1:/ODCNEuf9VghjgO3rqLcfg8fiOP0nSluljWFlDxELLI= -google.golang.org/grpc v1.75.1/go.mod h1:JtPAzKiq4v1xcAB2hydNlWI2RnF85XXcV0mhKXr2ecQ= +google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A= +google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= From 5cc633f83eabef204cbcdc64d494e91d099ce801 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 14 Nov 2025 11:51:42 -0800 Subject: [PATCH 128/136] chore(deps): bump the actions group across 1 directory with 2 updates (#4516) Bumps the actions group with 2 updates in the / directory: [sigstore/sigstore-conformance](https://github.com/sigstore/sigstore-conformance) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions). Updates `sigstore/sigstore-conformance` from 0.0.21 to 0.0.23 - [Release notes](https://github.com/sigstore/sigstore-conformance/releases) - [Commits](https://github.com/sigstore/sigstore-conformance/compare/244638a7a138ae9f6106cfe2d44a698eccd3bef7...48320dc345b60e599a447a3d321b71b310c687bb) Updates `chainguard-dev/actions` from 1.5.7 to 1.5.8 - [Release notes](https://github.com/chainguard-dev/actions/releases) - [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml) - [Commits](https://github.com/chainguard-dev/actions/compare/1b32103f5aa389c31ab0be75a8edc38d7e4750d8...abcc11e1cf9073eff6c69e91c49756c1430b094c) --- updated-dependencies: - dependency-name: sigstore/sigstore-conformance dependency-version: 0.0.23 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: chainguard-dev/actions dependency-version: 1.5.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/conformance.yml | 2 +- .github/workflows/donotsubmit.yaml | 2 +- .github/workflows/e2e-tests.yml | 4 ++-- .github/workflows/kind-verify-attestation.yaml | 2 +- .github/workflows/tests.yaml | 2 +- .github/workflows/whitespace.yaml | 4 ++-- 6 files changed, 8 insertions(+), 8 deletions(-) 
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index a3e47c1af95..2fc48422b19 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -44,6 +44,6 @@ jobs: - run: make cosign conformance - - uses: sigstore/sigstore-conformance@244638a7a138ae9f6106cfe2d44a698eccd3bef7 # v0.0.21 + - uses: sigstore/sigstore-conformance@48320dc345b60e599a447a3d321b71b310c687bb # v0.0.23 with: entrypoint: ${{ github.workspace }}/conformance diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml index c0b211bc1cd..57efa658448 100644 --- a/.github/workflows/donotsubmit.yaml +++ b/.github/workflows/donotsubmit.yaml @@ -40,4 +40,4 @@ jobs: persist-credentials: false - name: Do Not Submit - uses: chainguard-dev/actions/donotsubmit@1b32103f5aa389c31ab0be75a8edc38d7e4750d8 # v1.5.7 + uses: chainguard-dev/actions/donotsubmit@abcc11e1cf9073eff6c69e91c49756c1430b094c # v1.5.8 diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index e7707c6032a..215e32abada 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -149,7 +149,7 @@ jobs: cache: false - name: Setup mirror - uses: chainguard-dev/actions/setup-mirror@1b32103f5aa389c31ab0be75a8edc38d7e4750d8 # v1.5.7 + uses: chainguard-dev/actions/setup-mirror@abcc11e1cf9073eff6c69e91c49756c1430b094c # v1.5.8 with: mirror: mirror.gcr.io @@ -257,4 +257,4 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@1b32103f5aa389c31ab0be75a8edc38d7e4750d8 # v1.5.7 + uses: chainguard-dev/actions/kind-diag@abcc11e1cf9073eff6c69e91c49756c1430b094c # v1.5.8 diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml index 216c8e36028..31000916b51 100644 --- a/.github/workflows/kind-verify-attestation.yaml +++ b/.github/workflows/kind-verify-attestation.yaml 
@@ -181,7 +181,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@1b32103f5aa389c31ab0be75a8edc38d7e4750d8 # v1.5.7 + uses: chainguard-dev/actions/kind-diag@abcc11e1cf9073eff6c69e91c49756c1430b094c # v1.5.8 - name: Create vuln attestation for it run: | diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index ed3a3fc3ec8..ff1aeb06f4f 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -184,7 +184,7 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@1b32103f5aa389c31ab0be75a8edc38d7e4750d8 # v1.5.7 + uses: chainguard-dev/actions/kind-diag@abcc11e1cf9073eff6c69e91c49756c1430b094c # v1.5.8 e2e-windows-powershell-tests: name: Run PowerShell E2E tests diff --git a/.github/workflows/whitespace.yaml b/.github/workflows/whitespace.yaml index 3acbcd924c3..87d1f9b335b 100644 --- a/.github/workflows/whitespace.yaml +++ b/.github/workflows/whitespace.yaml @@ -38,8 +38,8 @@ jobs: with: persist-credentials: false - - uses: chainguard-dev/actions/trailing-space@1b32103f5aa389c31ab0be75a8edc38d7e4750d8 # v1.5.7 + - uses: chainguard-dev/actions/trailing-space@abcc11e1cf9073eff6c69e91c49756c1430b094c # v1.5.8 if: ${{ always() }} - - uses: chainguard-dev/actions/eof-newline@1b32103f5aa389c31ab0be75a8edc38d7e4750d8 # v1.5.7 + - uses: chainguard-dev/actions/eof-newline@abcc11e1cf9073eff6c69e91c49756c1430b094c # v1.5.8 if: ${{ always() }} From b80e7e1d7c3e9146b3ac5e92369cea6f423d8bc3 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 14 Nov 2025 11:56:17 -0800
Subject: [PATCH 129/136] chore(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#4502)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 5.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/ea165f8d65b6e75b540449e92b4886f43607fa02...330a01c490aca151604b8cf639adc76d48f6c5d4)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: 5.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/scorecard-action.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scorecard-action.yml b/.github/workflows/scorecard-action.yml
index 52d86722d0c..5ca79d11836 100644
--- a/.github/workflows/scorecard-action.yml
+++ b/.github/workflows/scorecard-action.yml
@@ -61,7 +61,7 @@ jobs:
 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
 # format to the repository Actions tab.
 - name: "Upload artifact"
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
 with:
 name: SARIF file
 path: results.sarif
From 07540c7db260a8a077f7b68dc1412e25dc485972 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 14 Nov 2025 11:57:07 -0800 Subject: [PATCH 130/136] chore(deps): bump github.com/open-policy-agent/opa from 1.9.0 to 1.10.1 (#4521) Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.9.0 to 1.10.1. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-policy-agent/opa/compare/v1.9.0...v1.10.1) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-version: 1.10.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index e981ba8b4e6..db2884e1a99 100644 --- a/go.mod +++ b/go.mod @@ -31,7 +31,7 @@ require ( github.com/moby/term v0.5.2 github.com/mozillazg/docker-credential-acr-helper v0.4.0 github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 - github.com/open-policy-agent/opa v1.9.0 + github.com/open-policy-agent/opa v1.10.1 github.com/secure-systems-lab/go-securesystemslib v0.9.1 github.com/sigstore/fulcio v1.7.1 github.com/sigstore/protobuf-specs v0.5.0 diff --git a/go.sum b/go.sum index ffb50507ad5..b0affd4bcbe 100644 --- a/go.sum +++ b/go.sum 
@@ -805,8 +805,8 @@ github.com/buildkite/interpolate v0.1.5 h1:v2Ji3voik69UZlbfoqzx+qfcsOKLA61nHdU79 github.com/buildkite/interpolate v0.1.5/go.mod h1:dHnrwHew5O8VNOAgMDpwRlFnhL5VSN6M1bHVmRZ9Ccc= github.com/buildkite/roko v1.4.0 h1:DxixoCdpNqxu4/1lXrXbfsKbJSd7r1qoxtef/TT2J80= github.com/buildkite/roko v1.4.0/go.mod h1:0vbODqUFEcVf4v2xVXRfZZRsqJVsCCHTG/TBRByGK4E= -github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA= -github.com/bytecodealliance/wasmtime-go/v3 v3.0.2/go.mod h1:RnUjnIXxEJcL6BgCvNyzCCRzZcxCgsZCi+RNlvYor5Q= +github.com/bytecodealliance/wasmtime-go/v37 v37.0.0 h1:DPjdn2V3JhXHMoZ2ymRqGK+y1bDyr9wgpyYCvhjMky8= +github.com/bytecodealliance/wasmtime-go/v37 v37.0.0/go.mod h1:Pf1l2JCTUFMnOqDIwkjzx1qfVJ09xbaXETKgRVE4jZ0= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM= 
@@ -1368,8 +1368,8 @@ github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4= github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= -github.com/open-policy-agent/opa v1.9.0 h1:QWFNwbcc29IRy0xwD3hRrMc/RtSersLY1Z6TaID3vgI= -github.com/open-policy-agent/opa v1.9.0/go.mod h1:72+lKmTda0O48m1VKAxxYl7MjP/EWFZu9fxHQK2xihs= +github.com/open-policy-agent/opa v1.10.1 h1:haIvxZSPky8HLjRrvQwWAjCPLg8JDFSZMbbG4yyUHgY= +github.com/open-policy-agent/opa v1.10.1/go.mod h1:7uPI3iRpOalJ0BhK6s1JALWPU9HvaV1XeBSSMZnr/PM= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= From 23655977a7c16bab697f8ca27fd8dbfe4a8f5007 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 14 Nov 2025 20:19:55 +0000 Subject: [PATCH 131/136] chore(deps): bump cuelang.org/go from 0.14.2 to 0.15.0 (#4524) Bumps cuelang.org/go from 0.14.2 to 0.15.0. --- updated-dependencies: - dependency-name: cuelang.org/go dependency-version: 0.15.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 10 +++++----- go.sum | 20 ++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/go.mod b/go.mod index db2884e1a99..4f735a90738 100644 --- a/go.mod +++ b/go.mod 
@@ -3,7 +3,7 @@ module github.com/sigstore/cosign/v3 go 1.24.9 require ( - cuelang.org/go v0.14.2 + cuelang.org/go v0.15.0 github.com/ThalesIgnite/crypto11 v1.2.5 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 github.com/buildkite/agent/v3 v3.111.0 @@ -78,7 +78,7 @@ require ( cloud.google.com/go/monitoring v1.24.2 // indirect cloud.google.com/go/spanner v1.86.0 // indirect cloud.google.com/go/storage v1.57.0 // indirect - cuelabs.dev/go/oci/ociregistry v0.0.0-20250715075730-49cab49c8e9d // indirect + cuelabs.dev/go/oci/ociregistry v0.0.0-20250722084951-074d06050084 // indirect filippo.io/edwards25519 v1.1.0 // indirect github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 // indirect github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect @@ -252,7 +252,7 @@ require ( github.com/prometheus/client_model v0.6.2 // indirect github.com/prometheus/common v0.66.1 // indirect github.com/prometheus/procfs v0.17.0 // indirect - github.com/protocolbuffers/txtpbfmt v0.0.0-20250627152318-f293424e46b5 // indirect + github.com/protocolbuffers/txtpbfmt v0.0.0-20251016062345-16587c79cd91 // indirect github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 // indirect github.com/rogpeppe/go-internal v1.14.1 // indirect github.com/rs/cors v1.11.1 // indirect 
@@ -307,12 +307,12 @@ require ( go.yaml.in/yaml/v2 v2.4.2 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect - golang.org/x/mod v0.28.0 // indirect + golang.org/x/mod v0.29.0 // indirect golang.org/x/net v0.46.0 // indirect golang.org/x/sys v0.37.0 // indirect golang.org/x/text v0.30.0 // indirect golang.org/x/time v0.14.0 // indirect - golang.org/x/tools v0.37.0 // indirect + golang.org/x/tools v0.38.0 // indirect google.golang.org/genproto v0.0.0-20250922171735-9219d122eba9 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda // indirect diff --git a/go.sum b/go.sum index b0affd4bcbe..7f329adb7c1 100644 --- a/go.sum +++ b/go.sum 
@@ -620,10 +620,10 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS cloud.google.com/go/workflows v1.8.0/go.mod h1:ysGhmEajwZxGn1OhGOGKsTXc5PyxOc0vfKf5Af+to4M= cloud.google.com/go/workflows v1.9.0/go.mod h1:ZGkj1aFIOd9c8Gerkjjq7OW7I5+l6cSvT3ujaO/WwSA= cloud.google.com/go/workflows v1.10.0/go.mod h1:fZ8LmRmZQWacon9UCX1r/g/DfAXx5VcPALq2CxzdePw= -cuelabs.dev/go/oci/ociregistry v0.0.0-20250715075730-49cab49c8e9d h1:lX0EawyoAu4kgMJJfy7MmNkIHioBcdBGFRSKDZ+CWo0= -cuelabs.dev/go/oci/ociregistry v0.0.0-20250715075730-49cab49c8e9d/go.mod h1:4WWeZNxUO1vRoZWAHIG0KZOd6dA25ypyWuwD3ti0Tdc= -cuelang.org/go v0.14.2 h1:LDlMXbfp0/AHjNbmuDYSGBbHDekaXei/RhAOCihpSgg= -cuelang.org/go v0.14.2/go.mod h1:53oOiowh5oAlniD+ynbHPaHxHFO5qc3QkzlUiB/9kps= +cuelabs.dev/go/oci/ociregistry v0.0.0-20250722084951-074d06050084 h1:4k1yAtPvZJZQTu8DRY8muBo0LHv6TqtrE0AO5n6IPYs= +cuelabs.dev/go/oci/ociregistry v0.0.0-20250722084951-074d06050084/go.mod h1:4WWeZNxUO1vRoZWAHIG0KZOd6dA25ypyWuwD3ti0Tdc= +cuelang.org/go v0.15.0 h1:0jlWNxLp1In6dWJtywTXei7w0cqfHSTiCk/6Z+FUvxI= +cuelang.org/go v0.15.0/go.mod h1:NYw6n4akZcTjA7QQwJ1/gqWrrhsN4aZwhcAL0jv9rZE= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= 
@@ -1406,8 +1406,8 @@ github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9Z github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA= github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0= github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw= -github.com/protocolbuffers/txtpbfmt v0.0.0-20250627152318-f293424e46b5 h1:WWs1ZFnGobK5ZXNu+N9If+8PDNVB9xAqrib/stUXsV4= -github.com/protocolbuffers/txtpbfmt v0.0.0-20250627152318-f293424e46b5/go.mod h1:BnHogPTyzYAReeQLZrOxyxzS739DaTNtTvohVdbENmA= +github.com/protocolbuffers/txtpbfmt v0.0.0-20251016062345-16587c79cd91 h1:s1LvMaU6mVwoFtbxv/rCZKE7/fwDmDY684FfUe4c1Io= +github.com/protocolbuffers/txtpbfmt v0.0.0-20251016062345-16587c79cd91/go.mod h1:JSbkp0BviKovYYt9XunS95M3mLPibE9bGg+Y95DsEEY= github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 h1:bsUq1dX0N8AOIL7EB/X911+m4EHsnWEHeJ0c+3TTBrg= github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= 
@@ -1716,8 +1716,8 @@ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91 golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U= -golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI= +golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA= +golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -2034,8 +2034,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s= -golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE= -golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w= +golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ= +golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
From a27d400be8a4d07f5fe3953dea4013d99afc0b58 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 14 Nov 2025 12:26:44 -0800 Subject: [PATCH 132/136] chore(deps): bump golang.org/x/oauth2 from 0.32.0 to 0.33.0 (#4518) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.32.0 to 0.33.0. - [Commits](https://github.com/golang/oauth2/compare/v0.32.0...v0.33.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-version: 0.33.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 4f735a90738..c33bf8bd121 100644 --- a/go.mod +++ b/go.mod @@ -54,7 +54,7 @@ require ( github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 gitlab.com/gitlab-org/api/client-go v0.157.0 golang.org/x/crypto v0.43.0 - golang.org/x/oauth2 v0.32.0 + golang.org/x/oauth2 v0.33.0 golang.org/x/sync v0.17.0 golang.org/x/term v0.36.0 google.golang.org/api v0.255.0 diff --git a/go.sum b/go.sum index 7f329adb7c1..3e9779bd1ba 100644 --- a/go.sum +++ b/go.sum 
@@ -1814,8 +1814,8 @@ golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I= golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw= golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4= -golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY= -golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= +golang.org/x/oauth2 v0.33.0 h1:4Q+qn+E5z8gPRJfmRy7C2gGG3T4jIprK6aSYgTXGRpo= +golang.org/x/oauth2 v0.33.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= From e46683a43134e5c8a02e936f6b50144c30771fe7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 14 Nov 2025 12:26:58 -0800 Subject: [PATCH 133/136] chore(deps): bump golang from 1.25.3 to 1.25.4 in the all group (#4515) Bumps the all group with 1 update: golang. Updates `golang` from 1.25.3 to 1.25.4 --- updated-dependencies: - dependency-name: golang dependency-version: 1.25.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index eb59fd6f167..933e0dd9959 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -15,4 +15,4 @@ # This is used to we scrap the go version and use in CI to get the latest go version # and we use dependabot to keep the go version up to date -FROM golang:1.25.3 +FROM golang:1.25.4 From 6b85a7255bf0f0ae49927e21883693afa16d0e08 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 14 Nov 2025 12:27:15 -0800 Subject: [PATCH 134/136] chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4520) Bumps [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) from 0.157.0 to 0.159.0. - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v0.157.0...v0.159.0) --- updated-dependencies: - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 0.159.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index c33bf8bd121..72a7e2beb1c 100644 --- a/go.mod +++ b/go.mod @@ -52,7 +52,7 @@ require ( github.com/theupdateframework/go-tuf/v2 v2.3.0 github.com/transparency-dev/merkle v0.0.2 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 - gitlab.com/gitlab-org/api/client-go v0.157.0 + gitlab.com/gitlab-org/api/client-go v0.160.0 golang.org/x/crypto v0.43.0 golang.org/x/oauth2 v0.33.0 golang.org/x/sync v0.17.0 @@ -67,7 +67,7 @@ require ( ) require ( - cel.dev/expr v0.24.0 // indirect + cel.dev/expr v0.25.1 // indirect cloud.google.com/go v0.121.6 // indirect cloud.google.com/go/auth v0.17.0 // indirect cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect diff --git a/go.sum b/go.sum index 3e9779bd1ba..593b25b5dba 100644 --- a/go.sum 
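Review bot: The pinned version in the go.mod hunk, `gitlab.com/gitlab-org/api/client-go v0.160.0`, does not match this commit's own record, which says the bump is from 0.157.0 to 0.159.0 and carries `dependency-version: 0.159.0` in the trailer (the go.sum hunk that follows also pins v0.160.0). For a supply-chain audit trail the version named in the commit message and trailer should be the one actually pinned; presumably the branch was regenerated or rebased onto a newer release after the description was written, so either the message and trailer should be corrected to `0.160.0` or the pin reverted to the release that was reviewed. The same hunk also moves the indirect dependency `cel.dev/expr` from 0.24.0 to 0.25.1, which the message does not mention; a one-line note that it came in via `go mod tidy` would keep reviewers from wondering why an unrelated module changed.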
+++ b/go.sum @@ -1,7 +1,7 @@ al.essio.dev/pkg/shellescape v1.6.0 h1:NxFcEqzFSEVCGN2yq7Huv/9hyCEGVa/TncnOOBBeXHA= al.essio.dev/pkg/shellescape v1.6.0/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890= -cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY= -cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw= +cel.dev/expr v0.25.1 h1:1KrZg61W6TWSxuNZ37Xy49ps13NUovb66QLprthtwi4= +cel.dev/expr v0.25.1/go.mod h1:hrXvqGP6G6gyx8UAHSHJ5RGk//1Oj5nXQ2NI02Nrsg4= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= @@ -1582,8 +1582,8 @@ github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8u github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI= github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0= github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= -gitlab.com/gitlab-org/api/client-go v0.157.0 h1:B+/Ku1ek3V/MInR/SmvL4FOqE0YYx51u7lBVYIHC2ic= -gitlab.com/gitlab-org/api/client-go v0.157.0/go.mod h1:CQVoxjEswJZeXft4Mi+H+OF1MVrpNVF6m4xvlPTQ2J4= +gitlab.com/gitlab-org/api/client-go v0.160.0 h1:aMQzbcE8zFe0lR/J+a3zneEgH+/EBFs8rD8Chrr4Snw= +gitlab.com/gitlab-org/api/client-go v0.160.0/go.mod h1:ooCNtKB7OyP7GBa279+HrUS3eeJF6Yi6XABZZy7RTSk= go.mongodb.org/mongo-driver v1.17.4 h1:jUorfmVzljjr0FLzYQsGP8cgN/qzzxlY9Vh0C9KFXVw= go.mongodb.org/mongo-driver v1.17.4/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= From 5bf81a10517e4408e167d34e0c88f430a41d1496 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 14 Nov 2025 12:28:00 -0800
Subject: [PATCH 135/136] chore(deps): bump sigstore/cosign-installer from 3.10.0 to 4.0.0 (#4478)
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.10.0 to 4.0.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/d7543c93d881b35a8faa02e8e3605f69b7a1ce62...faadad0cce49287aee09b3a48701e75088a2c6ad)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-version: 4.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/build.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 123bd2b8456..faf390387b5 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -48,7 +48,7 @@ jobs:
 with:
 persist-credentials: false
- - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+ - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 - name: Extract version of Go to use
 run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV
From f28a5964b55f5c6218e242910e8fc67a69b0afac Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 14 Nov 2025 16:33:28 -0800 Subject: [PATCH 136/136] chore(deps): bump the gomod group across 1 directory with 7 updates (#4528) Bumps the gomod group with 4 updates in the / directory: [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime), [github.com/sigstore/rekor-tiles/v2](https://github.com/sigstore/rekor-tiles), [k8s.io/api](https://github.com/kubernetes/api) and [k8s.io/client-go](https://github.com/kubernetes/client-go). Updates `github.com/go-openapi/runtime` from 0.29.0 to 0.29.2 - [Release notes](https://github.com/go-openapi/runtime/releases) - [Commits](https://github.com/go-openapi/runtime/compare/v0.29.0...v0.29.2) Updates `github.com/go-openapi/strfmt` from 0.24.0 to 0.25.0 - [Commits](https://github.com/go-openapi/strfmt/compare/v0.24.0...v0.25.0) Updates `github.com/sigstore/rekor-tiles/v2` from 2.0.0 to 2.0.1 - [Release notes](https://github.com/sigstore/rekor-tiles/releases) - [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release) - [Commits](https://github.com/sigstore/rekor-tiles/compare/v2.0.0...v2.0.1) Updates `golang.org/x/sync` from 0.17.0 to 0.18.0 - [Commits](https://github.com/golang/sync/compare/v0.17.0...v0.18.0) Updates `k8s.io/api` from 0.34.1 to 0.34.2 - [Commits](https://github.com/kubernetes/api/compare/v0.34.1...v0.34.2) Updates `k8s.io/apimachinery` from 0.34.1 to 0.34.2 - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.34.1...v0.34.2) Updates `k8s.io/client-go` from 0.34.1 to 0.34.2 - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/kubernetes/client-go/compare/v0.34.1...v0.34.2) --- updated-dependencies: - dependency-name: github.com/go-openapi/runtime dependency-version: 0.29.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/go-openapi/strfmt 
dependency-version: 0.25.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: github.com/sigstore/rekor-tiles/v2 dependency-version: 2.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: golang.org/x/sync dependency-version: 0.18.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: k8s.io/api dependency-version: 0.34.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: k8s.io/apimachinery dependency-version: 0.34.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: k8s.io/client-go dependency-version: 0.34.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 42 ++++++++++++++-------------- go.sum | 88 ++++++++++++++++++++++++++++++---------------------------- 2 files changed, 67 insertions(+), 63 deletions(-) diff --git a/go.mod b/go.mod index 72a7e2beb1c..25be02abe4c 100644 --- a/go.mod +++ b/go.mod @@ -13,8 +13,8 @@ require ( github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 github.com/dustin/go-humanize v1.0.1 github.com/go-jose/go-jose/v4 v4.1.3 - github.com/go-openapi/runtime v0.29.0 - github.com/go-openapi/strfmt v0.24.0 + github.com/go-openapi/runtime v0.29.2 + github.com/go-openapi/strfmt v0.25.0 github.com/go-openapi/swag v0.25.1 github.com/go-openapi/swag/conv v0.25.1 github.com/go-piv/piv-go/v2 v2.4.0 
@@ -36,7 +36,7 @@ require (
 github.com/sigstore/fulcio v1.7.1
 github.com/sigstore/protobuf-specs v0.5.0
 github.com/sigstore/rekor v1.4.2
- github.com/sigstore/rekor-tiles/v2 v2.0.0
+ github.com/sigstore/rekor-tiles/v2 v2.0.1
 github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3
 github.com/sigstore/sigstore-go v1.1.3
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5
@@ -55,13 +55,13 @@ require (
 gitlab.com/gitlab-org/api/client-go v0.160.0
 golang.org/x/crypto v0.43.0
 golang.org/x/oauth2 v0.33.0
- golang.org/x/sync v0.17.0
+ golang.org/x/sync v0.18.0
 golang.org/x/term v0.36.0
 google.golang.org/api v0.255.0
 google.golang.org/protobuf v1.36.10
- k8s.io/api v0.34.1
- k8s.io/apimachinery v0.34.1
- k8s.io/client-go v0.34.1
+ k8s.io/api v0.34.2
+ k8s.io/apimachinery v0.34.2
+ k8s.io/client-go v0.34.2
 k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d
 sigs.k8s.io/release-utils v0.12.2
 )
@@ -73,11 +73,11 @@ require (
 cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 cloud.google.com/go/compute/metadata v0.9.0 // indirect
 cloud.google.com/go/iam v1.5.2 // indirect
- cloud.google.com/go/kms v1.23.0 // indirect
+ cloud.google.com/go/kms v1.23.2 // indirect
 cloud.google.com/go/longrunning v0.6.7 // indirect
 cloud.google.com/go/monitoring v1.24.2 // indirect
- cloud.google.com/go/spanner v1.86.0 // indirect
- cloud.google.com/go/storage v1.57.0 // indirect
+ cloud.google.com/go/spanner v1.86.1 // indirect
+ cloud.google.com/go/storage v1.57.1 // indirect
 cuelabs.dev/go/oci/ociregistry v0.0.0-20250722084951-074d06050084 // indirect
 filippo.io/edwards25519 v1.1.0 // indirect
 github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 // indirect
@@ -168,12 +168,12 @@ require (
 github.com/go-ini/ini v1.67.0 // indirect
 github.com/go-logr/logr v1.4.3 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
- github.com/go-openapi/analysis v0.24.0 // indirect
- github.com/go-openapi/errors v0.22.3 // indirect
+ github.com/go-openapi/analysis v0.24.1 // indirect
+ github.com/go-openapi/errors v0.22.4 // indirect
 github.com/go-openapi/jsonpointer v0.22.1 // indirect
- github.com/go-openapi/jsonreference v0.21.2 // indirect
- github.com/go-openapi/loads v0.23.1 // indirect
- github.com/go-openapi/spec v0.22.0 // indirect
+ github.com/go-openapi/jsonreference v0.21.3 // indirect
+ github.com/go-openapi/loads v0.23.2 // indirect
+ github.com/go-openapi/spec v0.22.1 // indirect
 github.com/go-openapi/swag/cmdutils v0.25.1 // indirect
 github.com/go-openapi/swag/fileutils v0.25.1 // indirect
 github.com/go-openapi/swag/jsonname v0.25.1 // indirect
@@ -184,7 +184,7 @@ require (
 github.com/go-openapi/swag/stringutils v0.25.1 // indirect
 github.com/go-openapi/swag/typeutils v0.25.1 // indirect
 github.com/go-openapi/swag/yamlutils v0.25.1 // indirect
- github.com/go-openapi/validate v0.25.0 // indirect
+ github.com/go-openapi/validate v0.25.1 // indirect
 github.com/go-sql-driver/mysql v1.9.3 // indirect
 github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 github.com/gobwas/glob v0.2.3 // indirect
@@ -277,11 +277,11 @@ require (
 github.com/tink-crypto/tink-go-awskms/v2 v2.1.0 // indirect
 github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0 // indirect
 github.com/tink-crypto/tink-go-hcvault/v2 v2.3.0 // indirect
- github.com/tink-crypto/tink-go/v2 v2.4.0 // indirect
+ github.com/tink-crypto/tink-go/v2 v2.5.0 // indirect
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 github.com/tjfoc/gmsm v1.4.1 // indirect
- github.com/transparency-dev/formats v0.0.0-20250421220931-bb8ad4d07c26 // indirect
- github.com/transparency-dev/tessera v1.0.0 // indirect
+ github.com/transparency-dev/formats v0.0.0-20251017110053-404c0d5b696c // indirect
+ github.com/transparency-dev/tessera v1.0.1-0.20251104110637-ba6c65c4ae73 // indirect
 github.com/urfave/negroni v1.0.0 // indirect
 github.com/valyala/fastjson v1.6.4 // indirect
 github.com/vbatts/tar-split v0.12.1 // indirect
@@ -290,7 +290,7 @@ require (
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 github.com/yashtewari/glob-intersection v0.2.0 // indirect
- go.mongodb.org/mongo-driver v1.17.4 // indirect
+ go.mongodb.org/mongo-driver v1.17.6 // indirect
 go.opencensus.io v0.24.0 // indirect
 go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 go.opentelemetry.io/contrib/detectors/gcp v1.38.0 // indirect
@@ -301,7 +301,7 @@ require (
 go.opentelemetry.io/otel/sdk v1.38.0 // indirect
 go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect
 go.opentelemetry.io/otel/trace v1.38.0 // indirect
- go.step.sm/crypto v0.70.0 // indirect
+ go.step.sm/crypto v0.73.0 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 go.uber.org/zap v1.27.0 // indirect
 go.yaml.in/yaml/v2 v2.4.2 // indirect
diff --git a/go.sum b/go.sum
index 593b25b5dba..bc74209bc3e 100644
--- a/go.sum
+++ b/go.sum
@@ -342,8 +342,8 @@ cloud.google.com/go/kms v1.8.0/go.mod h1:4xFEhYFqvW+4VMELtZyxomGSYtSQKzM178ylFW4 cloud.google.com/go/kms v1.9.0/go.mod h1:qb1tPTgfF9RQP8e1wq4cLFErVuTJv7UsSC915J8dh3w= cloud.google.com/go/kms v1.10.0/go.mod h1:ng3KTUtQQU9bPX3+QGLsflZIHlkbn8amFAMY63m8d24= cloud.google.com/go/kms v1.10.1/go.mod h1:rIWk/TryCkR59GMC3YtHtXeLzd634lBbKenvyySAyYI= -cloud.google.com/go/kms v1.23.0 h1:WaqAZsUptyHwOo9II8rFC1Kd2I+yvNsNP2IJ14H2sUw= -cloud.google.com/go/kms v1.23.0/go.mod h1:rZ5kK0I7Kn9W4erhYVoIRPtpizjunlrfU4fUkumUp8g= +cloud.google.com/go/kms v1.23.2 h1:4IYDQL5hG4L+HzJBhzejUySoUOheh3Lk5YT4PCyyW6k= +cloud.google.com/go/kms v1.23.2/go.mod h1:rZ5kK0I7Kn9W4erhYVoIRPtpizjunlrfU4fUkumUp8g= cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic= cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI= cloud.google.com/go/language v1.7.0/go.mod h1:DJ6dYN/W+SQOjF8e1hLQXMF21AkH2w9wiPzPCJa2MIE= @@ -532,8 +532,8 @@ cloud.google.com/go/shell v1.6.0/go.mod h1:oHO8QACS90luWgxP3N9iZVuEiSF84zNyLytb+ cloud.google.com/go/spanner v1.41.0/go.mod h1:MLYDBJR/dY4Wt7ZaMIQ7rXOTLjYrmxLE/5ve9vFfWos= cloud.google.com/go/spanner v1.44.0/go.mod h1:G8XIgYdOK+Fbcpbs7p2fiprDw4CaZX63whnSMLVBxjk= cloud.google.com/go/spanner v1.45.0/go.mod h1:FIws5LowYz8YAE1J8fOS7DJup8ff7xJeetWEo5REA2M= -cloud.google.com/go/spanner v1.86.0 h1:jlNWusBol1Jxa9PmYGknUBzLwvD1cebuEenzqebZ9xs= -cloud.google.com/go/spanner v1.86.0/go.mod h1:bbwCXbM+zljwSPLZ44wZOdzcdmy89hbUGmM/r9sD0ws= +cloud.google.com/go/spanner v1.86.1 h1:lSeVPwUotuKTpf8K6BPitzneQfGu73QcDFIca2lshG8= +cloud.google.com/go/spanner v1.86.1/go.mod h1:bbwCXbM+zljwSPLZ44wZOdzcdmy89hbUGmM/r9sD0ws= cloud.google.com/go/speech v1.6.0/go.mod h1:79tcr4FHCimOp56lwC01xnt/WPJZc4v3gzyT7FoBkCM= cloud.google.com/go/speech v1.7.0/go.mod h1:KptqL+BAQIhMsj1kOP2la5DSEEerPDuOP/2mmkhHhZQ= cloud.google.com/go/speech v1.8.0/go.mod h1:9bYIl1/tjsAnMgKGHKmBZzXKEkGgtU+MpdDPTE9f7y0= 
@@ -551,8 +551,8 @@ cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeL cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s= cloud.google.com/go/storage v1.28.1/go.mod h1:Qnisd4CqDdo6BGs2AD5LLnEsmSQ80wQ5ogcBBKhU86Y= cloud.google.com/go/storage v1.29.0/go.mod h1:4puEjyTKnku6gfKoTfNOU/W+a9JyuVNxjpS5GBrB8h4= -cloud.google.com/go/storage v1.57.0 h1:4g7NB7Ta7KetVbOMpCqy89C+Vg5VE8scqlSHUPm7Rds= -cloud.google.com/go/storage v1.57.0/go.mod h1:329cwlpzALLgJuu8beyJ/uvQznDHpa2U5lGjWednkzg= +cloud.google.com/go/storage v1.57.1 h1:gzao6odNJ7dR3XXYvAgPK+Iw4fVPPznEPPyNjbaVkq8= +cloud.google.com/go/storage v1.57.1/go.mod h1:329cwlpzALLgJuu8beyJ/uvQznDHpa2U5lGjWednkzg= cloud.google.com/go/storagetransfer v1.5.0/go.mod h1:dxNzUopWy7RQevYFHewchb29POFv3/AaBgnhqzqiK0w= cloud.google.com/go/storagetransfer v1.6.0/go.mod h1:y77xm4CQV/ZhFZH75PLEXY0ROiS7Gh6pSKrM8dJyg6I= cloud.google.com/go/storagetransfer v1.7.0/go.mod h1:8Giuj1QNb1kfLAiWM1bN6dHzfdlDAVC9rv9abHot2W4= 
@@ -972,22 +972,22 @@ github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= -github.com/go-openapi/analysis v0.24.0 h1:vE/VFFkICKyYuTWYnplQ+aVr45vlG6NcZKC7BdIXhsA= -github.com/go-openapi/analysis v0.24.0/go.mod h1:GLyoJA+bvmGGaHgpfeDh8ldpGo69fAJg7eeMDMRCIrw= -github.com/go-openapi/errors v0.22.3 h1:k6Hxa5Jg1TUyZnOwV2Lh81j8ayNw5VVYLvKrp4zFKFs= -github.com/go-openapi/errors v0.22.3/go.mod h1:+WvbaBBULWCOna//9B9TbLNGSFOfF8lY9dw4hGiEiKQ= +github.com/go-openapi/analysis v0.24.1 h1:Xp+7Yn/KOnVWYG8d+hPksOYnCYImE3TieBa7rBOesYM= +github.com/go-openapi/analysis v0.24.1/go.mod h1:dU+qxX7QGU1rl7IYhBC8bIfmWQdX4Buoea4TGtxXY84= +github.com/go-openapi/errors v0.22.4 h1:oi2K9mHTOb5DPW2Zjdzs/NIvwi2N3fARKaTJLdNabaM= +github.com/go-openapi/errors v0.22.4/go.mod h1:z9S8ASTUqx7+CP1Q8dD8ewGH/1JWFFLX/2PmAYNQLgk= github.com/go-openapi/jsonpointer v0.22.1 h1:sHYI1He3b9NqJ4wXLoJDKmUmHkWy/L7rtEo92JUxBNk= github.com/go-openapi/jsonpointer v0.22.1/go.mod h1:pQT9OsLkfz1yWoMgYFy4x3U5GY5nUlsOn1qSBH5MkCM= -github.com/go-openapi/jsonreference v0.21.2 h1:Wxjda4M/BBQllegefXrY/9aq1fxBA8sI5M/lFU6tSWU= -github.com/go-openapi/jsonreference v0.21.2/go.mod h1:pp3PEjIsJ9CZDGCNOyXIQxsNuroxm8FAJ/+quA0yKzQ= -github.com/go-openapi/loads v0.23.1 h1:H8A0dX2KDHxDzc797h0+uiCZ5kwE2+VojaQVaTlXvS0= -github.com/go-openapi/loads v0.23.1/go.mod h1:hZSXkyACCWzWPQqizAv/Ye0yhi2zzHwMmoXQ6YQml44= -github.com/go-openapi/runtime v0.29.0 h1:Y7iDTFarS9XaFQ+fA+lBLngMwH6nYfqig1G+pHxMRO0= -github.com/go-openapi/runtime v0.29.0/go.mod h1:52HOkEmLL/fE4Pg3Kf9nxc9fYQn0UsIWyGjGIJE9dkg= -github.com/go-openapi/spec v0.22.0 h1:xT/EsX4frL3U09QviRIZXvkh80yibxQmtoEvyqug0Tw= -github.com/go-openapi/spec v0.22.0/go.mod h1:K0FhKxkez8YNS94XzF8YKEMULbFrRw4m15i2YUht4L0= 
-github.com/go-openapi/strfmt v0.24.0 h1:dDsopqbI3wrrlIzeXRbqMihRNnjzGC+ez4NQaAAJLuc= -github.com/go-openapi/strfmt v0.24.0/go.mod h1:Lnn1Bk9rZjXxU9VMADbEEOo7D7CDyKGLsSKekhFr7s4= +github.com/go-openapi/jsonreference v0.21.3 h1:96Dn+MRPa0nYAR8DR1E03SblB5FJvh7W6krPI0Z7qMc= +github.com/go-openapi/jsonreference v0.21.3/go.mod h1:RqkUP0MrLf37HqxZxrIAtTWW4ZJIK1VzduhXYBEeGc4= +github.com/go-openapi/loads v0.23.2 h1:rJXAcP7g1+lWyBHC7iTY+WAF0rprtM+pm8Jxv1uQJp4= +github.com/go-openapi/loads v0.23.2/go.mod h1:IEVw1GfRt/P2Pplkelxzj9BYFajiWOtY2nHZNj4UnWY= +github.com/go-openapi/runtime v0.29.2 h1:UmwSGWNmWQqKm1c2MGgXVpC2FTGwPDQeUsBMufc5Yj0= +github.com/go-openapi/runtime v0.29.2/go.mod h1:biq5kJXRJKBJxTDJXAa00DOTa/anflQPhT0/wmjuy+0= +github.com/go-openapi/spec v0.22.1 h1:beZMa5AVQzRspNjvhe5aG1/XyBSMeX1eEOs7dMoXh/k= +github.com/go-openapi/spec v0.22.1/go.mod h1:c7aeIQT175dVowfp7FeCvXXnjN/MrpaONStibD2WtDA= +github.com/go-openapi/strfmt v0.25.0 h1:7R0RX7mbKLa9EYCTHRcCuIPcaqlyQiWNPTXwClK0saQ= +github.com/go-openapi/strfmt v0.25.0/go.mod h1:nNXct7OzbwrMY9+5tLX4I21pzcmE6ccMGXl3jFdPfn8= github.com/go-openapi/swag v0.25.1 h1:6uwVsx+/OuvFVPqfQmOOPsqTcm5/GkBhNwLqIR916n8= github.com/go-openapi/swag v0.25.1/go.mod h1:bzONdGlT0fkStgGPd3bhZf1MnuPkf2YAys6h+jZipOo= github.com/go-openapi/swag/cmdutils v0.25.1 h1:nDke3nAFDArAa631aitksFGj2omusks88GF1VwdYqPY= 
@@ -1014,8 +1014,12 @@ github.com/go-openapi/swag/typeutils v0.25.1 h1:rD/9HsEQieewNt6/k+JBwkxuAHktFtH3 github.com/go-openapi/swag/typeutils v0.25.1/go.mod h1:9McMC/oCdS4BKwk2shEB7x17P6HmMmA6dQRtAkSnNb8= github.com/go-openapi/swag/yamlutils v0.25.1 h1:mry5ez8joJwzvMbaTGLhw8pXUnhDK91oSJLDPF1bmGk= github.com/go-openapi/swag/yamlutils v0.25.1/go.mod h1:cm9ywbzncy3y6uPm/97ysW8+wZ09qsks+9RS8fLWKqg= -github.com/go-openapi/validate v0.25.0 h1:JD9eGX81hDTjoY3WOzh6WqxVBVl7xjsLnvDo1GL5WPU= -github.com/go-openapi/validate v0.25.0/go.mod h1:SUY7vKrN5FiwK6LyvSwKjDfLNirSfWwHNgxd2l29Mmw= +github.com/go-openapi/testify/enable/yaml/v2 v2.0.2 h1:0+Y41Pz1NkbTHz8NngxTuAXxEodtNSI1WG1c/m5Akw4= +github.com/go-openapi/testify/enable/yaml/v2 v2.0.2/go.mod h1:kme83333GCtJQHXQ8UKX3IBZu6z8T5Dvy5+CW3NLUUg= +github.com/go-openapi/testify/v2 v2.0.2 h1:X999g3jeLcoY8qctY/c/Z8iBHTbwLz7R2WXd6Ub6wls= +github.com/go-openapi/testify/v2 v2.0.2/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54= +github.com/go-openapi/validate v0.25.1 h1:sSACUI6Jcnbo5IWqbYHgjibrhhmt3vR6lCzKZnmAgBw= +github.com/go-openapi/validate v0.25.1/go.mod h1:RMVyVFYte0gbSTaZ0N4KmTn6u/kClvAFp+mAVfS/DQc= github.com/go-pdf/fpdf v0.5.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M= github.com/go-pdf/fpdf v0.6.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M= github.com/go-piv/piv-go/v2 v2.4.0 h1:xamQ/fR4MJiw/Ndbk6yi7MVwhjrwlnDAPuaH9zcGb+I= 
@@ -1449,8 +1453,8 @@ github.com/sigstore/rekor v1.4.2 h1:Lx2xby7loviFYdg2C9pB1mESk2QU/LqcYSGsqqZwmg8= github.com/sigstore/rekor v1.4.2/go.mod h1:nX/OYaLqpTeCOuMEt7ELE0+5cVjZWFnFKM+cZ+3hQRA= github.com/sigstore/rekor-tiles v0.1.11 h1:0NAJ2EhD1r6DH95FUuDTqUDd+c31LSKzoXGW5ZCzFq0= github.com/sigstore/rekor-tiles v0.1.11/go.mod h1:eGIeqASh52pgWpmp/j5KZDjmKdVwob7eTYskVVRCu5k= -github.com/sigstore/rekor-tiles/v2 v2.0.0 h1:RDi03W/k7TOB+1StMOVdUaufKqtFImrh0KpOEPwsiV0= -github.com/sigstore/rekor-tiles/v2 v2.0.0/go.mod h1:1HyDsS2pQg36OoEZ0SeGmQIGflxK5W3nWW1Z+G6IWA8= +github.com/sigstore/rekor-tiles/v2 v2.0.1 h1:1Wfz15oSRNGF5Dzb0lWn5W8+lfO50ork4PGIfEKjZeo= +github.com/sigstore/rekor-tiles/v2 v2.0.1/go.mod h1:Pjsbhzj5hc3MKY8FfVTYHBUHQEnP0ozC4huatu4x7OU= github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3 h1:IEhSeWfhTd0kaBpHUXniWU2Tl5K5OUACN69mi1WGd+8= github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3/go.mod h1:JuqyPRJYnkNl6OTnQiG503EUnKih4P5EV6FUw+1B0iA= github.com/sigstore/sigstore-go v1.1.3 h1:5lKcbXZa5JC7wb/UVywyCulccfYTUju1D5h4tkn+fXE= 
@@ -1529,19 +1533,19 @@ github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0 h1:3B9i6XBXNTRspfkTC0asN5W0K6GhO github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0/go.mod h1:jY5YN2BqD/KSCHM9SqZPIpJNG/u3zwfLXHgws4x2IRw= github.com/tink-crypto/tink-go-hcvault/v2 v2.3.0 h1:6nAX1aRGnkg2SEUMwO5toB2tQkP0Jd6cbmZ/K5Le1V0= github.com/tink-crypto/tink-go-hcvault/v2 v2.3.0/go.mod h1:HOC5NWW1wBI2Vke1FGcRBvDATkEYE7AUDiYbXqi2sBw= -github.com/tink-crypto/tink-go/v2 v2.4.0 h1:8VPZeZI4EeZ8P/vB6SIkhlStrJfivTJn+cQ4dtyHNh0= -github.com/tink-crypto/tink-go/v2 v2.4.0/go.mod h1:l//evrF2Y3MjdbpNDNGnKgCpo5zSmvUvnQ4MU+yE2sw= +github.com/tink-crypto/tink-go/v2 v2.5.0 h1:B8KLF6AofxdBIE4UJIaFbmoj5/1ehEtt7/MmzfI4Zpw= +github.com/tink-crypto/tink-go/v2 v2.5.0/go.mod h1:2WbBA6pfNsAfBwDCggboaHeB2X29wkU8XHtGwh2YIk8= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/tjfoc/gmsm v1.3.2/go.mod h1:HaUcFuY0auTiaHB9MHFGCPx5IaLhTUd2atbCFBQXn9w= github.com/tjfoc/gmsm v1.4.1 h1:aMe1GlZb+0bLjn+cKTPEvvn9oUEBlJitaZiiBwsbgho= github.com/tjfoc/gmsm v1.4.1/go.mod h1:j4INPkHWMrhJb38G+J6W4Tw0AbuN8Thu3PbdVYhVcTE= -github.com/transparency-dev/formats v0.0.0-20250421220931-bb8ad4d07c26 h1:YTbkeFbzcer+42bIgo6Za2194nKwhZPgaZKsP76QffE= -github.com/transparency-dev/formats v0.0.0-20250421220931-bb8ad4d07c26/go.mod h1:ODywn0gGarHMMdSkWT56ULoK8Hk71luOyRseKek9COw= +github.com/transparency-dev/formats v0.0.0-20251017110053-404c0d5b696c h1:5a2XDQ2LiAUV+/RjckMyq9sXudfrPSuCY4FuPC1NyAw= +github.com/transparency-dev/formats v0.0.0-20251017110053-404c0d5b696c/go.mod h1:g85IafeFJZLxlzZCDRu4JLpfS7HKzR+Hw9qRh3bVzDI= github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A= -github.com/transparency-dev/tessera v1.0.0 
h1:4OT1V9xJLa5NnYlFWWlCdZkCm18/o12rdd+bCTje7XE= -github.com/transparency-dev/tessera v1.0.0/go.mod h1:TLvfjlkbmsmKVEJUtzO2eb9Q2IBnK3EJ0dI4G0oxEOU= +github.com/transparency-dev/tessera v1.0.1-0.20251104110637-ba6c65c4ae73 h1:XVu3/5rI/3okvRH7uFDiiB6/g4HM7eZN1tTvOEU2vl8= +github.com/transparency-dev/tessera v1.0.1-0.20251104110637-ba6c65c4ae73/go.mod h1:hxs+XmMCxM44pskCyfRFhEuUkpETNcfl6fTNOFsh7O8= github.com/urfave/negroni v1.0.0 h1:kIimOitoypq34K7TG7DUaJ9kq/N4Ofuwi1sjz0KipXc= github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4= github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXVQ= @@ -1584,8 +1588,8 @@ github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= gitlab.com/gitlab-org/api/client-go v0.160.0 h1:aMQzbcE8zFe0lR/J+a3zneEgH+/EBFs8rD8Chrr4Snw= gitlab.com/gitlab-org/api/client-go v0.160.0/go.mod h1:ooCNtKB7OyP7GBa279+HrUS3eeJF6Yi6XABZZy7RTSk= -go.mongodb.org/mongo-driver v1.17.4 h1:jUorfmVzljjr0FLzYQsGP8cgN/qzzxlY9Vh0C9KFXVw= -go.mongodb.org/mongo-driver v1.17.4/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ= +go.mongodb.org/mongo-driver v1.17.6 h1:87JUG1wZfWsr6rIz3ZmpH90rL5tea7O3IHuSwHUpsss= +go.mongodb.org/mongo-driver v1.17.6/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 
@@ -1626,8 +1630,8 @@ go.opentelemetry.io/proto/otlp v0.15.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= go.opentelemetry.io/proto/otlp v1.8.0 h1:fRAZQDcAFHySxpJ1TwlA1cJ4tvcrw7nXl9xWWC8N5CE= go.opentelemetry.io/proto/otlp v1.8.0/go.mod h1:tIeYOeNBU4cvmPqpaji1P+KbB4Oloai8wN4rWzRrFF0= -go.step.sm/crypto v0.70.0 h1:Q9Ft7N637mucyZcHZd1+0VVQJVwDCKqcb9CYcYi7cds= -go.step.sm/crypto v0.70.0/go.mod h1:pzfUhS5/ue7ev64PLlEgXvhx1opwbhFCjkvlhsxVds0= +go.step.sm/crypto v0.73.0 h1:SNFpslZJa+kTNADpWYJJeMsQqzwDiuxFq0ei5OPLIUg= +go.step.sm/crypto v0.73.0/go.mod h1:pw2MKw7aPgx3bVjVwYrKbpMIawLRwth/5cyhZf6QnBM= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= @@ -1833,8 +1837,8 @@ golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug= -golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= +golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I= +golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -2357,12 +2361,12 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las= -k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM= -k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk= -k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4= -k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= -k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY= -k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8= +k8s.io/api v0.34.2 h1:fsSUNZhV+bnL6Aqrp6O7lMTy6o5x2C4XLjnh//8SLYY= +k8s.io/api v0.34.2/go.mod h1:MMBPaWlED2a8w4RSeanD76f7opUoypY8TFYkSM+3XHw= +k8s.io/apimachinery v0.34.2 h1:zQ12Uk3eMHPxrsbUJgNF8bTauTVR2WgqJsTmwTE/NW4= +k8s.io/apimachinery v0.34.2/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= +k8s.io/client-go v0.34.2 h1:Co6XiknN+uUZqiddlfAjT68184/37PS4QAzYvQvDR8M= +k8s.io/client-go v0.34.2/go.mod h1:2VYDl1XXJsdcAxw7BenFslRQX28Dxz91U9MWKjX97fE= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=