Update cosign to > v1.12.1 and sigstore to v1.4.2 #3188
Conversation
@@ -444,17 +443,6 @@ replace ( | |||
// github.com/stackrox/helm-operator is a modified fork of github.com/operator-framework/helm-operator-plugins that | |||
// we currently depend on. | |||
github.com/operator-framework/helm-operator-plugins => github.com/stackrox/helm-operator v0.0.10-0.20220919093109-89f9785764c6 | |||
// github.com/sigstore/rekor is a transitive dep pulled in by cosign. The version pulled in by cosign is using |
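Review bot: the hunk header `@@ -444,17 +443,6 @@` records eleven lines dropped from the `replace` block, yet the only trace of what was removed is the truncated comment `// github.com/sigstore/rekor is a transitive dep pulled in by cosign. The version pulled in by cosign is using`; if the rekor `replace` directive is what goes, remove its explanatory comment with it so no orphaned comment remains, and state in the PR description that rekor now resolves through cosign's own requirement rather than a local override.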
Note: the newer versions of cosign and sigstore use go-tuf >= v0.5.0 which has the fix for GHSA-66x3-6cw3-v5gj
Images are ready for the commit at e80b371. To use with deploy scripts, first
/retest-required
Blocked by sigstore/cosign#2277
Update: sigstore/cosign#2277 has been resolved and will be released in v1.13.0, which I'd expect to be released sometime soon. I will wait until that is released before updating this PR and merging.
github.com/shibumi/go-pathspec v1.3.0 // indirect | ||
github.com/shopspring/decimal v1.2.0 // indirect | ||
github.com/sigstore/rekor v0.4.1-0.20220114213500-23f583409af3 // indirect | ||
github.com/sigstore/rekor v0.12.1-0.20220915152154-4bb6f441c1b2 // indirect |
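Review bot: `github.com/sigstore/rekor` moves from one pseudo-version to another (`v0.12.1-0.20220915152154-4bb6f441c1b2`) rather than to a tagged release, and it stays `// indirect`, so this pin is simply whatever cosign's go.mod requires; since the point of the bump is the transitive go-tuf version and not rekor itself, verify the resulting graph after `go mod tidy` with `go list -m github.com/theupdateframework/go-tuf` and `go mod why -m github.com/theupdateframework/go-tuf`, and record the outcome in the PR description.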
This version of rekor uses go-tuf v0.5.0, which has the fix for GHSA-66x3-6cw3-v5gj
https://github.com/sigstore/rekor/blob/4bb6f441c1b27ccc7e625c721c7d3203acc7b313/go.mod
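The check the comments above describe (is the go-tuf requirement at or past v0.5.0?), as an added example that is not part of this PR or of the stackrox code base: a small Go checker that reads go.mod text, extracts the go-tuf requirement, and orders Go module versions including pseudo-versions like the one this diff introduces. The two go.mod excerpts are constructed from the lines in this diff, and `goTufFixed` is the v0.5.0 threshold the comments give.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed go.mod excerpts (not the project's real file): the go-tuf line before and after this PR.
const goModBefore = "\tgithub.com/theupdateframework/go-tuf v0.3.0 // indirect\n"
const goModAfter = "\tgithub.com/theupdateframework/go-tuf v0.5.1-0.20220920170306-f237d7ca5b42 // indirect\n"

// go-tuf module path and the first version carrying the fix, per the PR comments.
const goTufModule, goTufFixed = "github.com/theupdateframework/go-tuf", "v0.5.0"

// ModuleVersion returns the version recorded for module in go.mod text, or "" if absent.
func ModuleVersion(gomod, module string) string {
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && f[0] == module {
			return f[1]
		}
	}
	return ""
}

// CompareVersion orders two module versions (-1, 0 or 1). A pseudo-version such as
// v0.5.1-0.20220920170306-f237d7ca5b42 is a pre-release of v0.5.1: above v0.5.0, below v0.5.1.
func CompareVersion(a, b string) int {
	coreA, preA, _ := strings.Cut(strings.TrimPrefix(a, "v"), "-")
	coreB, preB, _ := strings.Cut(strings.TrimPrefix(b, "v"), "-")
	pa, pb := strings.Split(coreA, "."), strings.Split(coreB, ".")
	for i := 0; i < len(pa) && i < len(pb); i++ {
		x, _ := strconv.Atoi(pa[i])
		if y, _ := strconv.Atoi(pb[i]); x < y {
			return -1
		} else if x > y {
			return 1
		}
	}
	// A release outranks any pre-release with the same numbers; "" sorts first, hence the swap.
	if preA == "" || preB == "" {
		return strings.Compare(preB, preA)
	}
	return strings.Compare(preA, preB) // pseudo-version timestamps order correctly as strings
}

// GoTufVulnerable reports the pinned go-tuf version and whether it predates the fixed release.
func GoTufVulnerable(gomod string) (string, bool) {
	v := ModuleVersion(gomod, goTufModule)
	return v, v != "" && CompareVersion(v, goTufFixed) < 0
}
```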
github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect | ||
github.com/theupdateframework/go-tuf v0.3.0 // indirect | ||
github.com/theupdateframework/go-tuf v0.5.1-0.20220920170306-f237d7ca5b42 // indirect |
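Review bot: `go-tuf` lands on the untagged pseudo-version `v0.5.1-0.20220920170306-f237d7ca5b42`, which is past the v0.5.0 fix the comments cite but records a commit hash rather than a reviewable release; keep the `// indirect` marker only if nothing in this module imports go-tuf directly, and plan to move to a tagged release once one containing the fix is published.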
We even use a version > v0.2.0 explicitly here
I wanted to merge this asap so we can have the vuln fix asap. I imagine cosign v1.13.0 should come out before we cut a new release, so we will update to that before we cut the new release.
Checklist
- [ ] Unit test and regression tests added
- [ ] Evaluated and added CHANGELOG entry if required
- [ ] Determined and documented upgrade steps
- [ ] Documented user facing changes (create PR based on openshift/openshift-docs and merge into rhacs-docs)
Testing Performed
CI