🌱 Bump github.com/sigstore/cosign from 1.7.2 to 1.8.0 #212

dependabot · 2022-04-27T21:34:53Z

Bumps github.com/sigstore/cosign from 1.7.2 to 1.8.0.

Release notes

Sourced from github.com/sigstore/cosign's releases.

v1.8.0

NOTE: If you use Fulcio to issue certificates you will need to use this release.

What's Changed

Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.3 to 0.1.4 by @dependabot in sigstore/cosign#1620

Bump github.com/xanzy/go-gitlab from 0.62.0 to 0.63.0 by @dependabot in sigstore/cosign#1745

Bump mikefarah/yq from 4.24.2 to 4.24.4 by @dependabot in sigstore/cosign#1746

Move the KMS integration imports into the binary entrypoints by @mattmoor in sigstore/cosign#1744

[Cosigned] Convert functions for webhookCIP from v1alpha1 by @DennyHoang in sigstore/cosign#1736

Refactor policy related code, add support for vuln verify by @vaikas in sigstore/cosign#1747

Use bundle log ID to find verification key by @haydentherapper in sigstore/cosign#1748

[cosigned] The webhook name is now configurable via --webhook-name flag by @vpnachev in sigstore/cosign#1726

Add intermediate CA certificate pool for Fulcio by @haydentherapper in sigstore/cosign#1749

Bump github.com/spf13/viper from 1.10.1 to 1.11.0 by @dependabot in sigstore/cosign#1751

test: create fake TUF test root and create test SETs for verification by @asraa in sigstore/cosign#1750

update go builder and cosign images by @cpanato in sigstore/cosign#1755

Bump sigstore/cosign-installer from 2.2.0 to 2.2.1 by @dependabot in sigstore/cosign#1752

Implement identities, fix bug in webhook validation. by @vaikas in sigstore/cosign#1759

Validate issuer/subject regexp in validate webhook. by @vaikas in sigstore/cosign#1761

chore: add warning when attaching sBOMs by @hectorj2f in sigstore/cosign#1756

Verify embedded SCTs by @haydentherapper in sigstore/cosign#1731

chore: add warning when downloading a sBOM by @hectorj2f in sigstore/cosign#1763

[policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags by @vpnachev in sigstore/cosign#1757

Bump mikefarah/yq from 4.24.4 to 4.24.5 by @dependabot in sigstore/cosign#1765

Bump actions/checkout from 3.0.0 to 3.0.1 by @dependabot in sigstore/cosign#1764

Break the CIP action tests into a sh script. by @vaikas in sigstore/cosign#1767

tuf: add debug info if tuf update fails by @asraa in sigstore/cosign#1766

cosigned: add support for rsa keys by @hectorj2f in sigstore/cosign#1768

Cosigned validate against remote sig src by @DennyHoang in sigstore/cosign#1754

Add Fulcio intermediate CA certificate to intermediate pool by @haydentherapper in sigstore/cosign#1774

Bump codecov/codecov-action from 3.0.0 to 3.1.0 by @dependabot in sigstore/cosign#1784

fix: more informative error by @ybelMekk in sigstore/cosign#1778

Bump cuelang.org/go from 0.4.2 to 0.4.3 by @dependabot in sigstore/cosign#1779

Bump google.golang.org/api from 0.74.0 to 0.75.0 by @dependabot in sigstore/cosign#1780

Bump k8s.io/code-generator from 0.23.5 to 0.23.6 by @dependabot in sigstore/cosign#1781

Bump github.com/mitchellh/mapstructure from 1.4.3 to 1.5.0 by @dependabot in sigstore/cosign#1782

Bump actions/checkout from 3.0.1 to 3.0.2 by @dependabot in sigstore/cosign#1783

Run update-codegen. by @wlynch in sigstore/cosign#1789

Remove the dependency on v1alpha1.Identity which brings in unnecessary k8s deps. by @vaikas in sigstore/cosign#1790

Refactor fulcio signer to take in KeyOpts. by @wlynch in sigstore/cosign#1788

test: add cue unit tests by @hectorj2f in sigstore/cosign#1791

Attestations + policy in cip. by @vaikas in sigstore/cosign#1772

chore: add rego function to consume modules and evaluate them by @hectorj2f in sigstore/cosign#1787

Add parallelization for processing policies / authorities. by @vaikas in sigstore/cosign#1795

Allow passing keys via environment variables (env:// refs) by @znewman01 in sigstore/cosign#1794

Handle context cancelled properly + tests. by @vaikas in sigstore/cosign#1796

Fix a bug where an error would send duplicate results. by @vaikas in sigstore/cosign#1797

Revert "Refactor fulcio signer to take in KeyOpts. (#1788)" by @wlynch in sigstore/cosign#1798

Bump github.com/xanzy/go-gitlab from 0.63.0 to 0.64.0 by @dependabot in sigstore/cosign#1799

Bump google.golang.org/grpc from 1.45.0 to 1.46.0 by @dependabot in sigstore/cosign#1800

... (truncated)

Changelog

Sourced from github.com/sigstore/cosign's changelog.

v1.8.0

NOTE: If you use Fulcio to issue certificates you will need to use this release.

Enhancements

Support PKCS1 encoded and non-ECDSA CT log public keys (sigstore/cosign#1806)

Load in intermediate cert pool from TUF (sigstore/cosign#1804)

Don't fail open in VerifyBundle (sigstore/cosign#1648)

Handle context cancelled properly + tests. (sigstore/cosign#1796)

Allow passing keys via environment variables (env:// refs) (sigstore/cosign#1794)

Add parallelization for processing policies / authorities. (sigstore/cosign#1795)

Attestations + policy in cip. (sigstore/cosign#1772)

Refactor fulcio signer to take in KeyOpts. (sigstore/cosign#1788)

Remove the dependency on v1alpha1.Identity which brings in (sigstore/cosign#1790)

Add Fulcio intermediate CA certificate to intermediate pool (sigstore/cosign#1774)

Cosigned validate against remote sig src (sigstore/cosign#1754)

tuf: add debug info if tuf update fails (sigstore/cosign#1766)

Break the CIP action tests into a sh script. (sigstore/cosign#1767)

[policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags (sigstore/cosign#1757)

Verify embedded SCTs (sigstore/cosign#1731)

Validate issuer/subject regexp in validate webhook. (sigstore/cosign#1761)

Add intermediate CA certificate pool for Fulcio (sigstore/cosign#1749)

[cosigned] The webhook name is now configurable via --webhook-name flag (sigstore/cosign#1726)

Use bundle log ID to find verification key (sigstore/cosign#1748)

Refactor policy related code, add support for vuln verify (sigstore/cosign#1747)

Create convert functions for internal CIP (sigstore/cosign#1736)

Move the KMS integration imports into the binary entrypoints (sigstore/cosign#1744)

Bug Fixes

Fix a bug where an error would send duplicate results. (sigstore/cosign#1797)

fix: more informative error (sigstore/cosign#1778)

fix: add support for rsa keys (sigstore/cosign#1768)

Implement identities, fix bug in webhook validation. (sigstore/cosign#1759)

Others

Bump github.com/hashicorp/go-retryablehttp from 0.7.0 to 0.7.1 (sigstore/cosign#1758)

Bump google-github-actions/auth from 0.7.0 to 0.7.1 (sigstore/cosign#1801)

Bump google.golang.org/grpc from 1.45.0 to 1.46.0 (sigstore/cosign#1800)

Bump github.com/xanzy/go-gitlab from 0.63.0 to 0.64.0 (sigstore/cosign#1799)

Revert "Refactor fulcio signer to take in KeyOpts. (sigstore/cosign#1788)" (sigstore/cosign#1798)

chore: add rego function to consume modules (sigstore/cosign#1787)

test: add cue unit tests (sigstore/cosign#1791)

Run update-codegen. (sigstore/cosign#1789)

Bump actions/checkout from 3.0.1 to 3.0.2 (sigstore/cosign#1783)

Bump github.com/mitchellh/mapstructure from 1.4.3 to 1.5.0 (sigstore/cosign#1782)

Bump k8s.io/code-generator from 0.23.5 to 0.23.6 (sigstore/cosign#1781)

Bump google.golang.org/api from 0.74.0 to 0.75.0 (sigstore/cosign#1780)

... (truncated)

Commits

9ef6b20 Support PKCS1 encoded and non-ECDSA CT log public keys (#1806)
27caa98 add changelog for release v1.8.0 (#1803)
367c79e Load in intermediate cert pool from TUF (#1804)
d104fc4 Don't fail open in VerifyBundle (#1648)
db323cd cosigned: Unify cue data and policy before evaluating it (#1793)
cba2cfb Bump github.com/hashicorp/go-retryablehttp from 0.7.0 to 0.7.1 (#1758)
376b1b7 Bump google-github-actions/auth from 0.7.0 to 0.7.1 (#1801)
133ce88 Bump google.golang.org/grpc from 1.45.0 to 1.46.0 (#1800)
e4c68cb Bump github.com/xanzy/go-gitlab from 0.63.0 to 0.64.0 (#1799)
87b06ef Revert "Refactor fulcio signer to take in KeyOpts. (#1788)" (#1798)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

codecov · 2022-04-27T21:38:44Z

Codecov Report

Merging #212 (33936c6) into main (e6b7742) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #212   +/-   ##
=======================================
  Coverage   61.95%   61.95%           
=======================================
  Files           3        3           
  Lines         205      205           
=======================================
  Hits          127      127           
  Misses         69       69           
  Partials        9        9

Bumps [github.com/sigstore/cosign](https://github.com/sigstore/cosign) from 1.7.2 to 1.8.0. - [Release notes](https://github.com/sigstore/cosign/releases) - [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md) - [Commits](sigstore/cosign@v1.7.2...v1.8.0) --- updated-dependencies: - dependency-name: github.com/sigstore/cosign dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

* Removed Sarif Results From Processing & Rekor Upload (#197) * test action * sign test data * func to sign and upload workflow result * added signScorecardResult func and test * added signScorecardResult func and test * moved signing code into main.go * added call to signScorecardResult at the end of main * added err checking * comments and added global vars * style changes * updated test to use randomized payload * check publish_results * error logging for signScorecardResult call * error logging * entrypoint * updated dockerfile * dockerfile * dockerfile * EnvInputsResults vars added to Options * resultsfile env var * set PAT * create results file with sudo * sudo create resultsfile * try os.Openfile * fixed fileapth * changed Distroless to debian * get output format from env var * fixed defaultpolicyfile path * policy filepath * copy policy.yml in dockerfile * policyfile * moved signing code to separate file * dockerfile * generate results.json file in preRun * revert dockerfile to main * json file creation check * run scorecard again to produce json output * testing * entrypointJson * print cmd * alter env vars in main for json * opts * dockerfile uses entrypoint.go * renamed make build * produce both sarif and json * sign json result * sig verification api call * go mod tidy * readfile fix * sign sarif instead of json * http response code checking * moved api call func into signing.go * dont hardcode repo paths * finalized signing + verif * renamed sign test * Bump debian from d5cd7e5 to 40f90ea * removed unnecessary slash * comments * policy.yml -> /policy.yml * refractored signing * more refractoring + sig processing test * fixed func call * fixed sign test * style + error fmt * reverted dockerfile * style fixes * lint fixes * linting errs * test workflow permissions * debug print * commented out signing test * linting errors Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com> * Add initial release documentation (#194) Signed-off-by: Stephen Augustus <foo@auggie.dev> * 🌱 Bump codecov/codecov-action from 3.0.0 to 3.1.0 Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.0.0 to 3.1.0. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/master/CHANGELOG.md) - [Commits](codecov/codecov-action@e3c5604...81cd2dc) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * ✨ Update documentation (#203) * set GITHUB_TOKEN as default token * updates * Update doc * Update doc * updates * updates * update * update * update * update * updates * Update doc with PAT for private repos (#205) * Update doc with PAT for private repos * Update README.md * Update README.md * Update README.md * Log repo_info.json File in entrypoint.sh (#211) * test action * log repo_json file * check status >=300 * log json * fixed conditional * fixed or * fixed or * spacing * remove file before exit * always print repo_info * 🌱 Bump github/codeql-action from 2.1.8 to 2.1.9 (#231) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.8 to 2.1.9. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@1ed1437...7502d6e) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update Scorecard version to v4.2.0 in Golang (#247) Co-authored-by: Azeem Shaikh <azeems@google.com> * 🌱 Bump openssf/scorecard from v4.1.0 to v4.2.0 (#249) Bumps openssf/scorecard from v4.1.0 to v4.2.0. --- updated-dependencies: - dependency-name: openssf/scorecard dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update hash to latest scorecard (#276) Update hash to latest scorecard * ✨ Amend documentation for private repos (#286) * update * update * update * update (#293) * 🌱 Bump debian from `f75d8a3` to `fbaacd5` (#287) Bumps debian from `f75d8a3` to `fbaacd5`. --- updated-dependencies: - dependency-name: debian dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * 🌱 Bump github.com/sigstore/cosign from 1.7.2 to 1.8.0 (#212) Bumps [github.com/sigstore/cosign](https://github.com/sigstore/cosign) from 1.7.2 to 1.8.0. - [Release notes](https://github.com/sigstore/cosign/releases) - [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md) - [Commits](sigstore/cosign@v1.7.2...v1.8.0) --- updated-dependencies: - dependency-name: github.com/sigstore/cosign dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * 🌱 Bump github.com/caarlos0/env/v6 from 6.9.1 to 6.9.2 Bumps [github.com/caarlos0/env/v6](https://github.com/caarlos0/env) from 6.9.1 to 6.9.2. - [Release notes](https://github.com/caarlos0/env/releases) - [Changelog](https://github.com/caarlos0/env/blob/main/.goreleaser.yml) - [Commits](caarlos0/env@v6.9.1...v6.9.2) --- updated-dependencies: - dependency-name: github.com/caarlos0/env/v6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * 🌱 Bump github/codeql-action from 2.1.9 to 2.1.10 (#305) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.9 to 2.1.10. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@7502d6e...2f58583) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * 🌱 Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3.1.0 to 3.2.0. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@b517f99...537aa19) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * 🌱 Bump actions/setup-go from 3.0.0 to 3.1.0 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.0.0 to 3.1.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@f6164bd...fcdc436) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * 🌱 Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 (#206) * Update container hash for v1.1.0 (#314) * multi-repo-action: Cleanups (1/n) (#301) - install: Move action installation into a separate package - Add missing license headers - install: Fix unrecognized variables - lint: Fix warnings and attempt to auto-fix issues (where supported) - install: Parameterize config - install: Borrow GitHub client pattern from sigs.k8s.io/release-sdk - install: Use package-internal GitHub interface - install: Provide installation options as struct - install: Initial error/log handling cleanups - install: Use cobra for CLI - Remove inaccurate instances of workflow configuration file - multi-repo-action: Disable incomplete tests - install: Retrieve the correct action configuration from local path Signed-off-by: Stephen Augustus <foo@auggie.dev> Co-authored-by: Rohan Khandelwal <98796241+rohankh532@users.noreply.github.com> Co-authored-by: Stephen Augustus (he/him) <justaugustus@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: Azeem Shaikh <azeems@google.com>

dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Apr 27, 2022

dependabot bot force-pushed the dependabot/go_modules/github.com/sigstore/cosign-1.8.0 branch 3 times, most recently from 47614fb to dde0217 Compare May 6, 2022 22:23

dependabot bot force-pushed the dependabot/go_modules/github.com/sigstore/cosign-1.8.0 branch from dde0217 to a1fbfb9 Compare May 10, 2022 16:00

dependabot bot force-pushed the dependabot/go_modules/github.com/sigstore/cosign-1.8.0 branch from a1fbfb9 to 33936c6 Compare May 12, 2022 17:40

naveensrinivasan approved these changes May 12, 2022

View reviewed changes

naveensrinivasan enabled auto-merge (squash) May 12, 2022 17:44

naveensrinivasan merged commit c9afc0e into main May 12, 2022

naveensrinivasan deleted the dependabot/go_modules/github.com/sigstore/cosign-1.8.0 branch May 12, 2022 17:53

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

🌱 Bump github.com/sigstore/cosign from 1.7.2 to 1.8.0 #212

🌱 Bump github.com/sigstore/cosign from 1.7.2 to 1.8.0 #212

dependabot bot commented on behalf of github Apr 27, 2022 •

edited

codecov bot commented Apr 27, 2022 •

edited

🌱 Bump github.com/sigstore/cosign from 1.7.2 to 1.8.0 #212

🌱 Bump github.com/sigstore/cosign from 1.7.2 to 1.8.0 #212

Conversation

dependabot bot commented on behalf of github Apr 27, 2022 • edited

v1.8.0

What's Changed

v1.8.0

Enhancements

Bug Fixes

Others

codecov bot commented Apr 27, 2022 • edited

Codecov Report

dependabot bot commented on behalf of github Apr 27, 2022 •

edited

codecov bot commented Apr 27, 2022 •

edited