🌱 Bump github.com/sigstore/cosign from 1.8.0 to 1.9.0

[dependabot]

Bumps github.com/sigstore/cosign from 1.8.0 to 1.9.0.

Release notes

Sourced from github.com/sigstore/cosign's releases.

v1.9.0

What's Changed

• Bump github.com/armon/go-metrics from 0.3.10 to 0.3.11 by @​dependabot in sigstore/cosign#1808
• update changelog for 1.8.0 by @​cpanato in sigstore/cosign#1807
• Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 by @​dependabot in sigstore/cosign#1809
• Bump google.golang.org/api from 0.75.0 to 0.76.0 by @​dependabot in sigstore/cosign#1810
• Bump github/codeql-action from 2.1.8 to 2.1.9 by @​dependabot in sigstore/cosign#1814
• Bump sigstore/cosign-installer from 2.2.1 to 2.3.0 by @​dependabot in sigstore/cosign#1813
• Check failure message of policy that fails with issuer mismatch by @​vaikas in sigstore/cosign#1815
• [Cosigned] Add signature pull secrets by @​DennyHoang in sigstore/cosign#1805
• feat: add rego policy support by @​hectorj2f in sigstore/cosign#1817
• Refactor fulcio signer to take in KeyOpts (take 2) by @​wlynch in sigstore/cosign#1818
• cosigned: Test unsupported KMS providers by @​imjasonh in sigstore/cosign#1820
• chore(deps): Included dependency review by @​naveensrinivasan in sigstore/cosign#1792
• Bump github.com/spiffe/go-spiffe/v2 from 2.0.0 to 2.1.0 by @​dependabot in sigstore/cosign#1828
• Bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 by @​dependabot in sigstore/cosign#1830
• Add auth flow option to KeyOpts. by @​wlynch in sigstore/cosign#1827
• Bump google.golang.org/api from 0.76.0 to 0.77.0 by @​dependabot in sigstore/cosign#1829
• Bump mikefarah/yq from 4.24.5 to 4.25.1 by @​dependabot in sigstore/cosign#1831
• Document Staging instance usage with Keyless by @​k4leung4 in sigstore/cosign#1824
• New flag --oidc-providers-disable to disable OIDC providers by @​puerco in sigstore/cosign#1832
• Validate tlog entry when verifying signature via public key. by @​wlynch in sigstore/cosign#1833
• Add function to explicitly request a certain provider by @​priyawadhwa in sigstore/cosign#1837
• cosigned: Fix podAntiAffinity labels by @​elfotografo007 in sigstore/cosign#1841
• Bump google.golang.org/api from 0.77.0 to 0.78.0 by @​dependabot in sigstore/cosign#1838
• Bump github.com/hashicorp/go-plugin from 1.4.3 to 1.4.4 by @​dependabot in sigstore/cosign#1843
• remove exclude from go.mod by @​cpanato in sigstore/cosign#1846
• [Cosigned] Glob matching improvement by @​DennyHoang in sigstore/cosign#1842
• Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 by @​dependabot in sigstore/cosign#1851
• sget: Enable KMS providers for sget by @​imjasonh in sigstore/cosign#1852
• Fix piv-tool generate-key command in TOKENS doc by @​nealmcb in sigstore/cosign#1850
• Add IBM Cloud Container Registry to tested registry list by @​bainsy88 in sigstore/cosign#1856
• Bump github.com/xanzy/go-gitlab from 0.64.0 to 0.65.0 by @​dependabot in sigstore/cosign#1857
• Bump google.golang.org/api from 0.78.0 to 0.79.0 by @​dependabot in sigstore/cosign#1858
• If SBOM ref has .json suffix, assume JSON mediatype by @​jdolitsky in sigstore/cosign#1859
• Add rekor.0.pub TUF target to unit tests by @​priyawadhwa in sigstore/cosign#1860
• Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 by @​dependabot in sigstore/cosign#1864
• Bump github/codeql-action from 2.1.9 to 2.1.10 by @​dependabot in sigstore/cosign#1863
• Normalize certificate flag names by @​haydentherapper in sigstore/cosign#1868
• Check certificate policy flags with only a certificate by @​haydentherapper in sigstore/cosign#1869
• Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go by @​cpanato in sigstore/cosign#1861
• Bump actions/setup-go from 3.0.0 to 3.1.0 by @​dependabot in sigstore/cosign#1870
• Point git commmit FUN.md to gitsign! by @​wlynch in sigstore/cosign#1874
• Bump actions/github-script from 6.0.0 to 6.1.0 by @​dependabot in sigstore/cosign#1876
• Bump actions/dependency-review-action from 3f943b86c9a289f4e632c632695e2e0898d9d67d to 1 by @​dependabot in sigstore/cosign#1875
• [cosigned] remove regex from the image pattern fields by @​hectorj2f in sigstore/cosign#1873
• go.mod: format go.mod by @​zchee in sigstore/cosign#1879
• Bump google-github-actions/auth from 0.7.1 to 0.7.2 by @​dependabot in sigstore/cosign#1886
• Bump google.golang.org/grpc from 1.46.0 to 1.46.2 by @​dependabot in sigstore/cosign#1884
• Remove dependency on deprecated github.com/pkg/errors by @​zchee in sigstore/cosign#1887

... (truncated)

Changelog

Sourced from github.com/sigstore/cosign's changelog.

v1.9.0

Enhancements

• Do not push to public rekor. (sigstore/cosign#1931)
• Add privacy statement for PII storage (sigstore/cosign#1909)
• Add support for "**" in image glob matching (sigstore/cosign#1914)
• [cosigned] Rename cosigned references to policy-controller (sigstore/cosign#1893)
• [cosigned] Remove undefined apiGroups from policy clusterrole (sigstore/cosign#1896)
• tree: support --attachment-tag-prefix (sigstore/cosign#1900)
• v1beta1 API for cosigned (sigstore/cosign#1890)
• tree: only report artifacts that are present (sigstore/cosign#1872)
• Check certificate policy flags with only a certificate (sigstore/cosign#1869)
• Normalize certificate flag names (sigstore/cosign#1868)
• Add rekor.0.pub TUF target to unit tests (sigstore/cosign#1860)
• If SBOM ref has .json suffix, assume JSON mediatype (sigstore/cosign#1859)
• sget: Enable KMS providers for sget (sigstore/cosign#1852)
• Use filepath match instead of glob (sigstore/cosign#1842)
• cosigned: Fix podAntiAffinity labels (sigstore/cosign#1841)
• Add function to explictly request a certain provider (sigstore/cosign#1837)
• Validate tlog entry when verifying signature via public key. (sigstore/cosign#1833)
• New flag --oidc-providers-disable to disable OIDC providers (sigstore/cosign#1832)
• Add auth flow option to KeyOpts. (sigstore/cosign#1827)
• cosigned: Test unsupported KMS providers (sigstore/cosign#1820)
• Refactor fulcio signer to take in KeyOpts (take 2) (sigstore/cosign#1818)
• feat: add rego policy support (sigstore/cosign#1817)
• [Cosigned] Add signature pull secrets (sigstore/cosign#1805)
• Check failure message of policy that fails with issuer mismatch (sigstore/cosign#1815)
• Support PKCS1 encoded and non-ECDSA CT log public keys (sigstore/cosign#1806)

Documention

• update README with ebpf modules (sigstore/cosign#1888)
• Point git commmit FUN.md to gitsign! (sigstore/cosign#1874)
• Add IBM Cloud Container Registry to tested registry list (sigstore/cosign#1856)
• Document Staging instance usage with Keyless (sigstore/cosign#1824)

Bug Fixes

• fix: fix #1930 for AWS KMS formats (sigstore/cosign#1946)
• fix: fix fetching updated targets from TUF root (sigstore/cosign#1921)
• Fix piv-tool generate-key command in TOKENS doc (sigstore/cosign#1850)

Others

• remove deprecation (sigstore/cosign#1952)
• Bump github.com/aws/aws-sdk-go-v2 from 1.14.0 to 1.16.4 (sigstore/cosign#1949)
• update cross-builder image to use go1.17.11 (sigstore/cosign#1950)
• Bump ossf/scorecard-action from 1.1.0 to 1.1.1 (sigstore/cosign#1945)
• Bump github.com/secure-systems-lab/go-securesystemslib (sigstore/cosign#1944)

... (truncated)

Commits

• a4cb262 add parallelism (#1957)
• 4394708 add changelog for v1.9.0 (#1955)
• 632c4a8 remove deprecation (#1952)
• 2b4d69b Bump github.com/aws/aws-sdk-go-v2 from 1.14.0 to 1.16.4 (#1949)
• e32873a update cross-builder image to use go1.17.11 (#1950)
• 2ccb1a2 fix: fix #1930 for AWS KMS formats (#1946)
• ae90c74 Bump ossf/scorecard-action from 1.1.0 to 1.1.1 (#1945)
• 82b8702 Bump github.com/secure-systems-lab/go-securesystemslib (#1944)
• 072fba8 fix: fix fetching updated targets from TUF root (#1921)
• f98e31e Bump actions/cache from 3.0.2 to 3.0.3 (#1937)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[justaugustus]

@dependabot rebase

[codecov]

Codecov Report

Merging #331 (c286864) into main (f8cb15a) will not change coverage.
The diff coverage is 0.00%.

@@           Coverage Diff           @@
##             main     #331   +/-   ##
=======================================
  Coverage   63.94%   63.94%           
=======================================
  Files           4        4           
  Lines         208      208           
=======================================
  Hits          133      133           
  Misses         66       66           
  Partials        9        9           

Impacted Files	Coverage Δ
signing/signing.go	32.14% <0.00%> (ø)