Skip to content

chore(deps): update module github.com/sigstore/cosign/v2 to v3 (8.19)#7106

Open
elastic-renovate-prod[bot] wants to merge 1 commit into
8.19from
renovate/8.19-major-sigstore
Open

chore(deps): update module github.com/sigstore/cosign/v2 to v3 (8.19)#7106
elastic-renovate-prod[bot] wants to merge 1 commit into
8.19from
renovate/8.19-major-sigstore

Conversation

@elastic-renovate-prod

@elastic-renovate-prod elastic-renovate-prod Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/sigstore/cosign/v2 v2.6.3v3.1.1 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

sigstore/cosign (github.com/sigstore/cosign/v2)

v3.1.1

Compare Source

What's Changed

Note: v3.1.0 was skipped due to a bug in our release pipeline. v3.1.1 is identical to v3.1.0

This release deprecates a number of flags related to verification material input for trust root material, as well as the bundle format, standardized across Sigstore SDKs, which is now the default output and input for signing and verifying respectively. You may continue to use the deprecated flags with Cosign v3.x releases. The deprecated flags will be removed in a future Cosign v4 release.

This release also updates the signing path for logging to Rekor v2. DSSE attestations will be logged as hashed entries, using the DSSE's pre-auth encoding (PAE). This should unblock developers who want to upload large signed DSSEs such as SBOMs.

  • Initialize PKCS11 slots Before Getting Token Info in #​4803
  • Sign exclusively via sigstore-go in #​4618
  • bundle create: Prevent IgnoreTlog when bundle contains SET in #​4829
  • Require bundle output or registry upload in #​4785
  • fix(load): pass NameOptions to name.ParseReference in #​4786
  • fix: honor --digestAlg when hashing a blob in verify-blob-attestation in #​4813
  • Deprecate Flags for v4: Certificates in #​4822
  • Deprecate flags signing config in #​4844
  • Deprecate flags bundle in #​4838
  • Fix typo in map of verify command fields unsupported for new bundle format in #​4853
  • Add bundle upgrade command in #​4820
  • Deprecate Flags for v4 in #​4854
  • fix: close file descriptor leaked in WriteSignedImageIndexImages loop in #​4869
  • fix: use Header.Set to prevent duplicate Authorization on retry in #​4870
  • feat(cli): add Rekor v2 flag to cosign signing-config create in #​4868
  • Fix crash verifying timestamps when no timestamp was verified in #​4881
  • Deprecate Flags for v4: OCI Referrers in #​4804
  • Use the configured Target Repository more consistently in #​4836
  • fix: check HTTP status code in LoadFileOrURL in #​4877
  • Fix unsafe type assertion in Rego policy evaluation by in #​4882
  • Fix Ed25519ph check to respect custom signing configs in sign-blob in #​4880
  • Enable initialize command output in conformance in #​4892
  • verify: return TUF errors for new bundle trusted roots in #​4878
  • Deprecate subcommands in #​4894
  • Remove docstring references to deprecated flags in #​4910
  • fix(verify): Attach detached certificates to static signatures via wrapped verifier in #​4737
  • fix(verify): copy CheckOpts inside VerifyNewBundle to fix data race in #​4917
  • Update sigstore-go to v1.2.0 in #​4914

Full Changelog: sigstore/cosign@v3.0.6...v3.1.1

v3.1.0

Compare Source

v3.0.6

Compare Source

Changelog

v3.0.6 resolves GHSA-w6c6-c85g-mmv6. This release also adds support for signing with OpenBao-managed keys.

Thanks to all contributors!

v3.0.5

Compare Source

Deprecations

Features

  • Automatically require signed timestamp with Rekor v2 entries (#​4666)
  • Allow --local-image with --new-bundle-format for v2 and v3 signatures (#​4626)
  • Add mTLS support for TSA client connections when signing with a signing config (#​4620)
  • Enforce TSA requirement for Rekor v2, Fuclio signing (#​4683)

Bug Fixes

  • Add empty predicate to cosign sign when payload type is application/vnd.in-toto+json (#​4635)
  • fix: avoid panic on malformed attestation payload (#​4651)
  • fix: avoid panic on malformed tlog entries (#​4649)
  • fix: avoid panic on malformed replace payload (#​4653)
  • Gracefully fail if bundle payload body is not a string (#​4648)
  • Verify validity of chain rather than just certificate (#​4663)
  • fix: avoid panic on malformed tlog entry body (#​4652)

Documentation

  • docs(cosign): clarify RFC3161 revocation semantics (#​4642)
  • Fix typo in CLI help (#​4701)

v3.0.4

Compare Source

v3.0.4 resolves GHSA-whqx-f9j3-ch6m.

Changes

  • Fix bundle verify path for old bundle/trusted root (GHSA-whqx-f9j3-ch6m) (#​4623)
  • Optimize cosign tree performance by caching digest resolution (#​4612)
  • Don't require a trusted root to verify offline with a key (#​4613)
  • Support default services for trusted-root and signing-config creation (#​4592)

v3.0.3

Compare Source

Thank you for all of your feedback on Cosign v3! v3.0.3 fixes a number of bugs reported by
the community along with adding compatibility for the new bundle format and attestation
storage in OCI to additional commands. We're continuing to work on compatibility with
the remaining commands and will have a new release shortly. If you run into any problems,
please file an issue

Changes

  • 4554: Closes 4554 - Add warning when --output* is used (#​4556)
  • Protobuf bundle support for subcommand clean (#​4539)
  • Add staging flag to initialize with staging TUF metadata
  • Updating sign-blob to also support signing with a certificate (#​4547)
  • Protobuf bundle support for subcommands save and load (#​4538)
  • Fix cert attachment for new bundle with signing config
  • Fix OCI verification with local cert - old bundle
  • Deprecate tlog-upload flag (#​4458)
  • fix: Use signal context for sign cli package.
  • update offline verification directions (#​4526)
  • Fix signing/verifying annotations for new bundle
  • Add support to download and attach for protobuf bundles (#​4477)
  • Add --signing-algorithm flag (#​3497)
  • Refactor signcommon bundle helpers
  • Add --bundle and fix --upload for new bundle
  • Pass insecure registry flags through to referrers
  • Add protobuf bundle support for tree subcommand (#​4491)
  • Remove stale embed import (#​4492)
  • Support multiple container identities
  • Fix segfault when no attestations are found (#​4472)
  • Use overridden repository for new bundle format (#​4473)
  • Remove --out flag from cosign initialize (#​4462)
  • Deprecate offline flag (#​4457)
  • Deduplicate code in sign/attest* and verify* commands (#​4449)
  • Cache signing config when calling initialize (#​4456)

v3.0.2

Compare Source

v3.0.2 is a functionally equivalent release to v3.0.0 and v3.0.1, with a fix for CI to publish signed releases in the new bundle format.

  • Note that the --bundle flag specifying an output file to write the Sigstore bundle (which contains all relevant verification material) has moved from optional to required in v3.

Changes

  • choose different signature filename for KMS-signed release signatures (#​4448)
  • Update rekor-tiles version path (#​4450)

v3.0.1

Compare Source

v3.0.1 is an equivalent release to v3.0.0, which was never published due to a failure in our CI workflows.

  • Note that the --bundle flag specifying an output file to write the Sigstore bundle (which contains all relevant verification material) has moved from optional to required in v3.

Changes

  • update goreleaser config for v3.0.0 release (#​4446)

v3.0.0

Compare Source

Announcing the next major release of Cosign!

Cosign v3 is a minor change from Cosign v2.6.x, with all of the new capabilities of recent
releases on by default, but will still allow you to disable them if you need the older functionality.
These new features include support for the standardized bundle format (--new-bundle-fomat), providing roots
of trust for verification and service URLs for signing via one file (--trusted-root, --signing-config),
and container signatures stored as an OCI Image 1.1 referring artifact.

Learn more on our v3 announcement blog post! See
the changelogs for v2.6.0, v2.5.0, and v2.4.0 for more information on recent
changes.

If you have any feedback, please reach out on Slack or file an issue on GitHub.

Changes

  • Default to using the new protobuf format (#​4318)
  • Fetch service URLs from the TUF PGI signing config by default (#​4428)
  • Bump module version to v3 for Cosign v3.0 (#​4427)

Configuration

📅 Schedule: Branch creation - Between 01:00 AM and 01:59 AM, Monday through Friday ( * 1 * * 1-5 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@elastic-renovate-prod elastic-renovate-prod Bot requested a review from a team as a code owner June 30, 2026 11:14
@elastic-renovate-prod elastic-renovate-prod Bot added dependencies Pull requests that update a dependency file renovate Team:Security-Cloud Services Security Data Experience - Cloud Services team. backport-skip labels Jun 30, 2026
@elastic-renovate-prod

elastic-renovate-prod Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -t ./...
go: downloading k8s.io/client-go v0.36.1
go: downloading k8s.io/api v0.36.1
go: downloading k8s.io/apimachinery v0.36.1
go: downloading k8s.io/streaming v0.36.1
go: github.com/elastic/cloudbeat/internal/vulnerability imports
	github.com/aquasecurity/trivy/pkg/commands/artifact imports
	github.com/aquasecurity/trivy/pkg/misconf imports
	github.com/aquasecurity/trivy/pkg/iac/scanners/helm imports
	github.com/aquasecurity/trivy/pkg/iac/scanners/helm/parser imports
	helm.sh/helm/v3/pkg/action imports
	helm.sh/helm/v3/pkg/kube imports
	k8s.io/kubectl/pkg/cmd/util imports
	k8s.io/kubectl/pkg/scheme imports
	k8s.io/api/scheduling/v1alpha1: cannot find module providing package k8s.io/api/scheduling/v1alpha1

@elastic-renovate-prod elastic-renovate-prod Bot added renovate Team:Security-Cloud Services Security Data Experience - Cloud Services team. labels Jun 30, 2026
@mergify

mergify Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b renovate/8.19-major-sigstore upstream/renovate/8.19-major-sigstore
git merge upstream/8.19
git push upstream renovate/8.19-major-sigstore

@elastic-renovate-prod elastic-renovate-prod Bot force-pushed the renovate/8.19-major-sigstore branch from 23cbdd2 to bb4d8e4 Compare July 1, 2026 10:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport-skip dependencies Pull requests that update a dependency file renovate Team:Security-Cloud Services Security Data Experience - Cloud Services team.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants