Skip to content

chore(deps): update module github.com/sigstore/cosign/v2 to v3 #228

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update module github.com/sigstore/cosign/v2 to v3 #228

wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Oct 29, 2025

This PR contains the following updates:

Package Change Age Confidence
github.com/sigstore/cosign/v2 v2.5.2 -> v3.0.2 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

sigstore/cosign (github.com/sigstore/cosign/v2)

v3.0.2

Compare Source

v3.0.2 is a functionally equivalent release to v3.0.0 and v3.0.1, with a fix for CI to publish signed releases in the new bundle format.

  • Note that the --bundle flag specifying an output file to write the Sigstore bundle (which contains all relevant verification material) has moved from optional to required in v3.

Changes

  • choose different signature filename for KMS-signed release signatures (#​4448)
  • Update rekor-tiles version path (#​4450)

v3.0.1

Compare Source

v3.0.1 is an equivalent release to v3.0.0, which was never published due to a failure in our CI workflows.

  • Note that the --bundle flag specifying an output file to write the Sigstore bundle (which contains all relevant verification material) has moved from optional to required in v3.

Changes

  • update goreleaser config for v3.0.0 release (#​4446)

v3.0.0

Compare Source

Announcing the next major release of Cosign!

Cosign v3 is a minor change from Cosign v2.6.x, with all of the new capabilities of recent
releases on by default, but will still allow you to disable them if you need the older functionality.
These new features include support for the standardized bundle format (--new-bundle-fomat), providing roots
of trust for verification and service URLs for signing via one file (--trusted-root, --signing-config),
and container signatures stored as an OCI Image 1.1 referring artifact.

Learn more on our v3 announcement blog post! See
the changelogs for v2.6.0, v2.5.0, and v2.4.0 for more information on recent
changes.

If you have any feedback, please reach out on Slack or file an issue on GitHub.

Changes

  • Default to using the new protobuf format (#​4318)
  • Fetch service URLs from the TUF PGI signing config by default (#​4428)
  • Bump module version to v3 for Cosign v3.0 (#​4427)

v2.6.1

Compare Source

Bug Fixes

  • Partially populate the output of cosign verify when working with new bundles (#​4416)
  • Bump sigstore-go, move conformance back to tagged release (#​4426)

v2.6.0

Compare Source

v2.6.0 introduces a number of new features, including:

  • Signing an in-toto statement rather than Cosign constructing one from a predicate, along with verifying a statement's subject using a digest and digest algorithm rather than providing a file reference (#​4306)
  • Uploading a signature and its verification material (a "bundle") as an OCI Image 1.1 referring artifact, completing #​3927 (#​4316)
  • Providing service URLs for signing and attesting using a SigningConfig. Note that this is required when using a Rekor v2 instance (#​4319)

Example generation and verification of a signed in-toto statement:

cosign attest-blob --new-bundle-format=true --bundle="digest-key-test.sigstore.json" --key="cosign.key" --statement="../sigstore-go/examples/sigstore-go-signing/intoto.txt"
cosign verify-blob-attestation --bundle="digest-key-test.sigstore.json" --key=cosign.pub --type=unused --digest="b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9" --digestAlg="sha256"

Example container signing and verification using the new bundle format and referring artifacts:

cosign sign --new-bundle-format=true ghcr.io/user/alpine@sha256:a19367999603840546b8612572e338ec076c6d1f2fec61760a9e11410f546733
cosign verify --new-bundle-format=true ghcr.io/user/alpine@sha256:a19367999603840546b8612572e338ec076c6d1f2fec61760a9e11410f546733

Example usage of a signing config provided by the public good instance's TUF repository:

cosign sign-blob --use-signing-config --bundle sigstore.json README.md
cosign verify-blob --new-bundle-format --bundle sigstore.json --certificate-identity $EMAIL --certificate-oidc-issuer $ISSUER --use-signed-timestamps README.md

v2.6.0 leverages sigstore-go's signing and verification APIs gated behind these new flags. In an upcoming major release, we will be
updating Cosign to default to producing and consuming bundles to align with all other Sigstore SDKs.

Features

  • Add to attest-blob the ability to supply a complete in-toto statement, and add to verify-blob-attestation the ability to verify with just a digest (#​4306)
  • Have cosign sign support bundle format (#​4316)
  • Add support for SigningConfig for sign-blob/attest-blob, support Rekor v2 (#​4319)
  • Add support for SigningConfig in sign/attest (#​4371)
  • Support self-managed keys when signing with sigstore-go (#​4368)
  • Don't require timestamps when verifying with a key (#​4337)
  • Don't load content from TUF if trusted root path is specified (#​4347)
  • Add a terminal spinner while signing with sigstore-go (#​4402)
  • Require exclusively a SigningConfig or service URLs when signing (#​4403)
  • Remove SHA256 assumption in sign-blob/verify-blob (#​4050)
  • Bump sigstore-go, support alternative hash algorithms with keys (#​4386)

Breaking API Changes

  • sign.SignerFromKeyOpts no longer generates a key. Instead, it returns whether or not the client needs to generate a key, and if so, clients
    should call sign.KeylessSigner. This allows clients to more easily manage key generation.

Bug Fixes

  • Verify subject with bundle only when checking claims (#​4320)
  • Fixes to cosign sign / verify for the new bundle format (#​4346)

v2.5.3

Compare Source

Features

  • Add signing-config create command (#​4280)
  • Allow multiple services to be specified for trusted-root create (#​4285)
  • feat: Add OCI 1.1+ experimental support to tree (#​4205)
  • Add validity period end for trusted-root create (#​4271)

Bug Fixes

  • Fix cert verification logic for trusted-root/SCTs (#​4294)
  • force when copying the latest image to overwrite (#​4298)
  • avoid double-loading trustedroot from file (#​4264)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
Copy link
Contributor Author

renovate bot commented Oct 29, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 97 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24.0 -> 1.24.6
cloud.google.com/go v0.121.2 -> v0.121.6
cloud.google.com/go/auth v0.16.2 -> v0.16.5
cloud.google.com/go/compute/metadata v0.7.0 -> v0.9.0
cloud.google.com/go/kms v1.22.0 -> v1.23.0
cloud.google.com/go/storage v1.55.0 -> v1.57.0
cuelabs.dev/go/oci/ociregistry v0.0.0-20241125120445-2c00c104c6e1 -> v0.0.0-20250715075730-49cab49c8e9d
cuelang.org/go v0.12.1 -> v0.14.1
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 -> v1.19.1
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1 -> v1.12.0
github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 -> v1.11.2
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 -> v1.4.0
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 -> v1.2.0
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1 -> v1.6.2
github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 -> v1.5.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.51.0 -> v0.54.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0 -> v0.54.0
github.com/aws/aws-sdk-go v1.55.7 -> v1.55.8
github.com/aws/aws-sdk-go-v2/service/ecr v1.43.3 -> v1.45.1
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.32.2 -> v1.33.2
github.com/aws/aws-sdk-go-v2/service/kms v1.41.0 -> v1.45.3
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.9.1 -> v0.10.1
github.com/buildkite/agent/v3 v3.98.2 -> v3.107.2
github.com/buildkite/go-pipeline v0.13.3 -> v0.16.0
github.com/buildkite/roko v1.3.1 -> v1.4.0
github.com/charmbracelet/bubbletea v1.3.0 -> v1.3.9
github.com/charmbracelet/x/ansi v0.9.2 -> v0.10.1
github.com/emicklei/go-restful/v3 v3.11.0 -> v3.12.2
github.com/emicklei/proto v1.13.4 -> v1.14.2
github.com/fxamacker/cbor/v2 v2.7.0 -> v2.9.0
github.com/go-jose/go-jose/v4 v4.1.2 -> v4.1.3
github.com/go-openapi/analysis v0.23.0 -> v0.24.0
github.com/go-openapi/errors v0.22.1 -> v0.22.3
github.com/go-openapi/jsonpointer v0.21.1 -> v0.22.1
github.com/go-openapi/jsonreference v0.21.0 -> v0.21.2
github.com/go-openapi/loads v0.22.0 -> v0.23.1
github.com/go-openapi/runtime v0.28.0 -> v0.29.0
github.com/go-openapi/spec v0.21.0 -> v0.22.0
github.com/go-openapi/strfmt v0.23.0 -> v0.24.0
github.com/go-openapi/swag v0.23.1 -> v0.25.1
github.com/golang-jwt/jwt/v5 v5.2.2 -> v5.3.0
github.com/google/gnostic-models v0.6.9 -> v0.7.0
github.com/google/rpmpack v0.7.0 -> v0.7.1
github.com/googleapis/gax-go/v2 v2.14.2 -> v2.15.0
github.com/in-toto/attestation v1.1.1 -> v1.1.2
github.com/jellydator/ttlcache/v3 v3.3.0 -> v3.4.0
github.com/modern-go/reflect2 v1.0.2 -> v1.0.3-0.20250322232337-35a7c28c31ee
github.com/open-policy-agent/opa v1.5.1 -> v1.9.0
github.com/prometheus/client_golang v1.22.0 -> v1.23.2
github.com/prometheus/common v0.64.0 -> v0.66.1
github.com/prometheus/procfs v0.16.1 -> v0.17.0
github.com/protocolbuffers/txtpbfmt v0.0.0-20241112170944-20d2c9ebc01d -> v0.0.0-20250627152318-f293424e46b5
github.com/sagikazarmark/locafero v0.9.0 -> v0.11.0
github.com/secure-systems-lab/go-securesystemslib v0.9.0 -> v0.9.1
github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 -> v1.4.0
github.com/sigstore/protobuf-specs v0.4.3 -> v0.5.0
github.com/sigstore/rekor v1.3.10 -> v1.4.2
github.com/sigstore/rekor-tiles v0.1.5 -> v0.1.11
github.com/sigstore/sigstore v1.9.5 -> v1.9.6-0.20250729224751-181c5d3339b3
github.com/sigstore/sigstore-go v1.0.0 -> v1.1.3
github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.5 -> v1.9.6-0.20250729224751-181c5d3339b3
github.com/sigstore/timestamp-authority v1.2.8 -> v1.2.9
github.com/sirupsen/logrus v1.9.3 -> v1.9.4-0.20230606125235-dd1b4c2e81af
github.com/sourcegraph/conc v0.3.0 -> v0.3.1-0.20240121214520-5f936abd7ae8
github.com/spf13/afero v1.14.0 -> v1.15.0
github.com/spf13/cast v1.9.2 -> v1.10.0
github.com/spf13/cobra v1.9.1 -> v1.10.1
github.com/spf13/pflag v1.0.7 -> v1.0.10
github.com/spf13/viper v1.20.1 -> v1.21.0
github.com/spiffe/go-spiffe/v2 v2.5.0 -> v2.6.0
github.com/tchap/go-patricia/v2 v2.3.2 -> v2.3.3
github.com/theupdateframework/go-tuf/v2 v2.1.1 -> v2.2.0
github.com/vektah/gqlparser/v2 v2.5.27 -> v2.5.30
gitlab.com/gitlab-org/api/client-go v0.130.1 -> v0.148.1
go.mongodb.org/mongo-driver v1.17.3 -> v1.17.4
go.opentelemetry.io/auto/sdk v1.1.0 -> v1.2.1
go.opentelemetry.io/contrib/detectors/gcp v1.36.0 -> v1.38.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 -> v0.63.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 -> v0.63.0
go.uber.org/mock v0.5.2 -> v0.6.0
golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 -> v0.0.0-20250620022241-b7579e27df2b
golang.org/x/mod v0.27.0 -> v0.28.0
golang.org/x/oauth2 v0.30.0 -> v0.31.0
golang.org/x/time v0.12.0 -> v0.13.0
google.golang.org/api v0.242.0 -> v0.251.0
google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 -> v0.0.0-20250922171735-9219d122eba9
gotest.tools/gotestsum v1.12.3 -> v1.13.0
k8s.io/api v0.33.1 -> v0.34.1
k8s.io/apimachinery v0.33.1 -> v0.34.1
k8s.io/client-go v0.33.1 -> v0.34.1
k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff -> v0.0.0-20250710124328-f3f2b991d03b
k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e -> v0.0.0-20250820121507-0af2bda4dd1d
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 -> v0.0.0-20241014173422-cfa47c3a1cc8
sigs.k8s.io/release-utils v0.11.1 -> v0.12.2
sigs.k8s.io/yaml v1.4.0 -> v1.6.0
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 -> v2.27.3
google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 -> v0.0.0-20250929231259-57b25ae835d4
google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 -> v0.0.0-20250929231259-57b25ae835d4

@renovate renovate bot requested a review from a team as a code owner October 29, 2025 13:37
@renovate renovate bot force-pushed the renovate/github.com-sigstore-cosign-v2-3.x branch from dab1139 to 0bcccdc Compare October 29, 2025 13:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@christian-stephen christian-stephen christian-stephen approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@christian-stephen