Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade: Bump github.com/sigstore/cosign/v2 from 2.3.0 to 2.4.0 #150

Merged
merged 1 commit into from
Aug 12, 2024
Merged

Upgrade: Bump github.com/sigstore/cosign/v2 from 2.3.0 to 2.4.0 #150

merged 1 commit into from
Aug 12, 2024

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Aug 12, 2024

Bumps github.com/sigstore/cosign/v2 from 2.3.0 to 2.4.0.

Release notes

Sourced from github.com/sigstore/cosign/v2's releases.

v2.4.0 begins the modernization of the Cosign client, which includes:

  • Support for the newer Sigstore specification-compliant bundle format
  • Support for providing trust roots (e.g. Fulcio certificates, Rekor keys) through a trust root file, instead of many different flags
  • Conformance test suite integration to verify signing and verification behavior

In future updates, we'll include:

  • General support for the trust root file, instead of only when using the bundle format during verification
  • Simplification of trust root flags and deprecation of the Cosign-specific bundle format
  • Bundle support with container signing

We have also moved nightly Cosign container builds to GHCR instead of GCR.

Features

  • Add new bundle support to verify-blob and verify-blob-attestation (#3796)
  • Adding protobuf bundle support to sign-blob and attest-blob (#3752)
  • Bump sigstore/sigstore to support email_verified as string or boolean (#3819)
  • Conformance testing for cosign (#3806)
  • move incremental builds per commit to GHCR instead of GCR (#3808)
  • Add support for recording creation timestamp for cosign attest (#3797)
  • Include SCT verification failure details in error message (#3799)

Contributors

  • Bob Callaway
  • Hayden B
  • Slavek Kabrda
  • Zach Steindler
  • Zsolt Horvath

Full Changelog: sigstore/cosign@v2.3.0...v2.4.0

Changelog

Sourced from github.com/sigstore/cosign/v2's changelog.

v2.4.0

v2.4.0 begins the modernization of the Cosign client, which includes:

  • Support for the newer Sigstore specification-compliant bundle format
  • Support for providing trust roots (e.g. Fulcio certificates, Rekor keys) through a trust root file, instead of many different flags
  • Conformance test suite integration to verify signing and verification behavior

In future updates, we'll include:

  • General support for the trust root file, instead of only when using the bundle format during verification
  • Simplification of trust root flags and deprecation of the Cosign-specific bundle format
  • Bundle support with container signing

We have also moved nightly Cosign container builds to GHCR instead of GCR.

Features

  • Add new bundle support to verify-blob and verify-blob-attestation (#3796)
  • Adding protobuf bundle support to sign-blob and attest-blob (#3752)
  • Bump sigstore/sigstore to support email_verified as string or boolean (#3819)
  • Conformance testing for cosign (#3806)
  • move incremental builds per commit to GHCR instead of GCR (#3808)
  • Add support for recording creation timestamp for cosign attest (#3797)
  • Include SCT verification failure details in error message (#3799)

Contributors

  • Bob Callaway
  • Hayden B
  • Slavek Kabrda
  • Zach Steindler
  • Zsolt Horvath
Commits
  • b5e7dc1 Add login for GHCR (#3820)
  • c346825 Bump sigstore/sigstore (#3819)
  • fd0368a Conformance testing for cosign (#3806)
  • 2387b50 chore(deps): bump google.golang.org/api from 0.189.0 to 0.190.0 (#3815)
  • be43902 move incremental builds per commit to GHCR instead of GCR (#3808)
  • d0492cf chore(deps): bump github.com/buildkite/agent/v3 from 3.75.1 to 3.76.2 (#3813)
  • e3a3914 chore(deps): bump golang.org/x/sync from 0.7.0 to 0.8.0 (#3814)
  • 7bac5e9 tidy up validate release script (#3817)
  • 983a368 chore(deps): bump go.step.sm/crypto from 0.50.0 to 0.51.1 (#3812)
  • 71a4952 chore(deps): bump golang.org/x/oauth2 from 0.21.0 to 0.22.0 (#3811)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Upgrade: Bump github.com/sigstore/cosign/v2 from 2.3.0 to 2.4.0
d40ef13 
Bumps [github.com/sigstore/cosign/v2](https://github.com/sigstore/cosign) from 2.3.0 to 2.4.0.
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](sigstore/cosign@v2.3.0...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/sigstore/cosign/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Aug 12, 2024
@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Aug 12, 2024
edited
Loading

DryRun Security Summary

The pull request primarily focuses on updating the versions of several dependencies, including github.com/sigstore/cosign/v2 and github.com/sigstore/sigstore, as well as other dependencies related to Google Cloud, AWS, and Buildkite, to their latest versions.

Expand for full summary

Summary:

The changes in this pull request primarily focus on updating the versions of several dependencies used in the project. The key changes include updating the github.com/sigstore/cosign/v2 dependency from version 2.3.0 to 2.4.0, and the github.com/sigstore/sigstore dependency from version 1.8.7 to 1.8.8. Additionally, several other dependencies, such as those related to Google Cloud, AWS, and Buildkite, have also been updated to their latest versions.

From an application security perspective, these changes are not particularly concerning. Updating dependencies to their latest versions is a common practice to ensure the project is using the most up-to-date and secure versions of the libraries it relies on. However, it's always a good idea to review the change logs for the updated dependencies to understand if there are any security-related fixes or improvements included in the new versions.

Files Changed:

  1. go.mod: This file has been updated to reflect the changes in the project's dependencies. The key changes include updating the github.com/sigstore/cosign/v2 and github.com/sigstore/sigstore dependencies to their latest versions.

  2. go.sum: This file has been updated to reflect the cryptographic hashes of the project's dependencies. The changes in this file indicate that the project dependencies have been updated, with several dependencies being updated to their latest versions, including those related to Google Cloud, AWS, and Buildkite.

Code Analysis

We ran 9 analyzers against 2 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 2 findings

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

@santoshkal santoshkal merged commit 78ee1d9 into main Aug 12, 2024
14 checks passed
@santoshkal santoshkal deleted the dependabot/go_modules/github.com/sigstore/cosign/v2-2.4.0 branch August 12, 2024 17:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file go Pull requests that update Go code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@santoshkal