🌱 Bump github.com/sigstore/cosign from 1.7.2 to 1.8.0 #212

dependabot · 2022-04-27T21:34:53Z

Bumps github.com/sigstore/cosign from 1.7.2 to 1.8.0.

Release notes

Sourced from github.com/sigstore/cosign's releases.

v1.8.0

NOTE: If you use Fulcio to issue certificates you will need to use this release.

What's Changed

Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.3 to 0.1.4 by @dependabot in sigstore/cosign#1620

Bump github.com/xanzy/go-gitlab from 0.62.0 to 0.63.0 by @dependabot in sigstore/cosign#1745

Bump mikefarah/yq from 4.24.2 to 4.24.4 by @dependabot in sigstore/cosign#1746

Move the KMS integration imports into the binary entrypoints by @mattmoor in sigstore/cosign#1744

[Cosigned] Convert functions for webhookCIP from v1alpha1 by @DennyHoang in sigstore/cosign#1736

Refactor policy related code, add support for vuln verify by @vaikas in sigstore/cosign#1747

Use bundle log ID to find verification key by @haydentherapper in sigstore/cosign#1748

[cosigned] The webhook name is now configurable via --webhook-name flag by @vpnachev in sigstore/cosign#1726

Add intermediate CA certificate pool for Fulcio by @haydentherapper in sigstore/cosign#1749

Bump github.com/spf13/viper from 1.10.1 to 1.11.0 by @dependabot in sigstore/cosign#1751

test: create fake TUF test root and create test SETs for verification by @asraa in sigstore/cosign#1750

update go builder and cosign images by @cpanato in sigstore/cosign#1755

Bump sigstore/cosign-installer from 2.2.0 to 2.2.1 by @dependabot in sigstore/cosign#1752

Implement identities, fix bug in webhook validation. by @vaikas in sigstore/cosign#1759

Validate issuer/subject regexp in validate webhook. by @vaikas in sigstore/cosign#1761

chore: add warning when attaching sBOMs by @hectorj2f in sigstore/cosign#1756

Verify embedded SCTs by @haydentherapper in sigstore/cosign#1731

chore: add warning when downloading a sBOM by @hectorj2f in sigstore/cosign#1763

[policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags by @vpnachev in sigstore/cosign#1757

Bump mikefarah/yq from 4.24.4 to 4.24.5 by @dependabot in sigstore/cosign#1765

Bump actions/checkout from 3.0.0 to 3.0.1 by @dependabot in sigstore/cosign#1764

Break the CIP action tests into a sh script. by @vaikas in sigstore/cosign#1767

tuf: add debug info if tuf update fails by @asraa in sigstore/cosign#1766

cosigned: add support for rsa keys by @hectorj2f in sigstore/cosign#1768

Cosigned validate against remote sig src by @DennyHoang in sigstore/cosign#1754

Add Fulcio intermediate CA certificate to intermediate pool by @haydentherapper in sigstore/cosign#1774

Bump codecov/codecov-action from 3.0.0 to 3.1.0 by @dependabot in sigstore/cosign#1784

fix: more informative error by @ybelMekk in sigstore/cosign#1778

Bump cuelang.org/go from 0.4.2 to 0.4.3 by @dependabot in sigstore/cosign#1779

Bump google.golang.org/api from 0.74.0 to 0.75.0 by @dependabot in sigstore/cosign#1780

Bump k8s.io/code-generator from 0.23.5 to 0.23.6 by @dependabot in sigstore/cosign#1781

Bump github.com/mitchellh/mapstructure from 1.4.3 to 1.5.0 by @dependabot in sigstore/cosign#1782

Bump actions/checkout from 3.0.1 to 3.0.2 by @dependabot in sigstore/cosign#1783

Run update-codegen. by @wlynch in sigstore/cosign#1789

Remove the dependency on v1alpha1.Identity which brings in unnecessary k8s deps. by @vaikas in sigstore/cosign#1790

Refactor fulcio signer to take in KeyOpts. by @wlynch in sigstore/cosign#1788

test: add cue unit tests by @hectorj2f in sigstore/cosign#1791

Attestations + policy in cip. by @vaikas in sigstore/cosign#1772

chore: add rego function to consume modules and evaluate them by @hectorj2f in sigstore/cosign#1787

Add parallelization for processing policies / authorities. by @vaikas in sigstore/cosign#1795

Allow passing keys via environment variables (env:// refs) by @znewman01 in sigstore/cosign#1794

Handle context cancelled properly + tests. by @vaikas in sigstore/cosign#1796

Fix a bug where an error would send duplicate results. by @vaikas in sigstore/cosign#1797

Revert "Refactor fulcio signer to take in KeyOpts. (#1788)" by @wlynch in sigstore/cosign#1798

Bump github.com/xanzy/go-gitlab from 0.63.0 to 0.64.0 by @dependabot in sigstore/cosign#1799

Bump google.golang.org/grpc from 1.45.0 to 1.46.0 by @dependabot in sigstore/cosign#1800

... (truncated)

Changelog

Sourced from github.com/sigstore/cosign's changelog.

v1.8.0

NOTE: If you use Fulcio to issue certificates you will need to use this release.

Enhancements

Support PKCS1 encoded and non-ECDSA CT log public keys (sigstore/cosign#1806)

Load in intermediate cert pool from TUF (sigstore/cosign#1804)

Don't fail open in VerifyBundle (sigstore/cosign#1648)

Handle context cancelled properly + tests. (sigstore/cosign#1796)

Allow passing keys via environment variables (env:// refs) (sigstore/cosign#1794)

Add parallelization for processing policies / authorities. (sigstore/cosign#1795)

Attestations + policy in cip. (sigstore/cosign#1772)

Refactor fulcio signer to take in KeyOpts. (sigstore/cosign#1788)

Remove the dependency on v1alpha1.Identity which brings in (sigstore/cosign#1790)

Add Fulcio intermediate CA certificate to intermediate pool (sigstore/cosign#1774)

Cosigned validate against remote sig src (sigstore/cosign#1754)

tuf: add debug info if tuf update fails (sigstore/cosign#1766)

Break the CIP action tests into a sh script. (sigstore/cosign#1767)

[policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags (sigstore/cosign#1757)

Verify embedded SCTs (sigstore/cosign#1731)

Validate issuer/subject regexp in validate webhook. (sigstore/cosign#1761)

Add intermediate CA certificate pool for Fulcio (sigstore/cosign#1749)

[cosigned] The webhook name is now configurable via --webhook-name flag (sigstore/cosign#1726)

Use bundle log ID to find verification key (sigstore/cosign#1748)

Refactor policy related code, add support for vuln verify (sigstore/cosign#1747)

Create convert functions for internal CIP (sigstore/cosign#1736)

Move the KMS integration imports into the binary entrypoints (sigstore/cosign#1744)

Bug Fixes

Fix a bug where an error would send duplicate results. (sigstore/cosign#1797)

fix: more informative error (sigstore/cosign#1778)

fix: add support for rsa keys (sigstore/cosign#1768)

Implement identities, fix bug in webhook validation. (sigstore/cosign#1759)

Others

Bump github.com/hashicorp/go-retryablehttp from 0.7.0 to 0.7.1 (sigstore/cosign#1758)

Bump google-github-actions/auth from 0.7.0 to 0.7.1 (sigstore/cosign#1801)

Bump google.golang.org/grpc from 1.45.0 to 1.46.0 (sigstore/cosign#1800)

Bump github.com/xanzy/go-gitlab from 0.63.0 to 0.64.0 (sigstore/cosign#1799)

Revert "Refactor fulcio signer to take in KeyOpts. (sigstore/cosign#1788)" (sigstore/cosign#1798)

chore: add rego function to consume modules (sigstore/cosign#1787)

test: add cue unit tests (sigstore/cosign#1791)

Run update-codegen. (sigstore/cosign#1789)

Bump actions/checkout from 3.0.1 to 3.0.2 (sigstore/cosign#1783)

Bump github.com/mitchellh/mapstructure from 1.4.3 to 1.5.0 (sigstore/cosign#1782)

Bump k8s.io/code-generator from 0.23.5 to 0.23.6 (sigstore/cosign#1781)

Bump google.golang.org/api from 0.74.0 to 0.75.0 (sigstore/cosign#1780)

... (truncated)

Commits

9ef6b20 Support PKCS1 encoded and non-ECDSA CT log public keys (#1806)
27caa98 add changelog for release v1.8.0 (#1803)
367c79e Load in intermediate cert pool from TUF (#1804)
d104fc4 Don't fail open in VerifyBundle (#1648)
db323cd cosigned: Unify cue data and policy before evaluating it (#1793)
cba2cfb Bump github.com/hashicorp/go-retryablehttp from 0.7.0 to 0.7.1 (#1758)
376b1b7 Bump google-github-actions/auth from 0.7.0 to 0.7.1 (#1801)
133ce88 Bump google.golang.org/grpc from 1.45.0 to 1.46.0 (#1800)
e4c68cb Bump github.com/xanzy/go-gitlab from 0.63.0 to 0.64.0 (#1799)
87b06ef Revert "Refactor fulcio signer to take in KeyOpts. (#1788)" (#1798)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

codecov · 2022-04-27T21:38:44Z

Codecov Report

Merging #212 (33936c6) into main (e6b7742) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #212   +/-   ##
=======================================
  Coverage   61.95%   61.95%           
=======================================
  Files           3        3           
  Lines         205      205           
=======================================
  Hits          127      127           
  Misses         69       69           
  Partials        9        9

Bumps [github.com/sigstore/cosign](https://github.com/sigstore/cosign) from 1.7.2 to 1.8.0. - [Release notes](https://github.com/sigstore/cosign/releases) - [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md) - [Commits](sigstore/cosign@v1.7.2...v1.8.0) --- updated-dependencies: - dependency-name: github.com/sigstore/cosign dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

* Removed Sarif Results From Processing & Rekor Upload (#197) * test action * sign test data * func to sign and upload workflow result * added signScorecardResult func and test * added signScorecardResult func and test * moved signing code into main.go * added call to signScorecardResult at the end of main * added err checking * comments and added global vars * style changes * updated test to use randomized payload * check publish_results * error logging for signScorecardResult call * error logging * entrypoint * updated dockerfile * dockerfile * dockerfile * EnvInputsResults vars added to Options * resultsfile env var * set PAT * create results file with sudo * sudo create resultsfile * try os.Openfile * fixed fileapth * changed Distroless to debian * get output format from env var * fixed defaultpolicyfile path * policy filepath * copy policy.yml in dockerfile * policyfile * moved signing code to separate file * dockerfile * generate results.json file in preRun * revert dockerfile to main * json file creation check * run scorecard again to produce json output * testing * entrypointJson * print cmd * alter env vars in main for json * opts * dockerfile uses entrypoint.go * renamed make build * produce both sarif and json * sign json result * sig verification api call * go mod tidy * readfile fix * sign sarif instead of json * http response code checking * moved api call func into signing.go * dont hardcode repo paths * finalized signing + verif * renamed sign test * Bump debian from d5cd7e5 to 40f90ea * removed unnecessary slash * comments * policy.yml -> /policy.yml * refractored signing * more refractoring + sig processing test * fixed func call * fixed sign test * style + error fmt * reverted dockerfile * style fixes * lint fixes * linting errs * test workflow permissions * debug print * commented out signing test * linting errors Co-authored-by: Azeem Shaikh <[email protected]> * Add initial release documentation (#194) Signed-off-by: Stephen Augustus <[email protected]> * 🌱 Bump codecov/codecov-action from 3.0.0 to 3.1.0 Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.0.0 to 3.1.0. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/master/CHANGELOG.md) - [Commits](codecov/codecov-action@e3c5604...81cd2dc) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * ✨ Update documentation (#203) * set GITHUB_TOKEN as default token * updates * Update doc * Update doc * updates * updates * update * update * update * update * updates * Update doc with PAT for private repos (#205) * Update doc with PAT for private repos * Update README.md * Update README.md * Update README.md * Log repo_info.json File in entrypoint.sh (#211) * test action * log repo_json file * check status >=300 * log json * fixed conditional * fixed or * fixed or * spacing * remove file before exit * always print repo_info * 🌱 Bump github/codeql-action from 2.1.8 to 2.1.9 (#231) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.8 to 2.1.9. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@1ed1437...7502d6e) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update Scorecard version to v4.2.0 in Golang (#247) Co-authored-by: Azeem Shaikh <[email protected]> * 🌱 Bump openssf/scorecard from v4.1.0 to v4.2.0 (#249) Bumps openssf/scorecard from v4.1.0 to v4.2.0. --- updated-dependencies: - dependency-name: openssf/scorecard dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update hash to latest scorecard (#276) Update hash to latest scorecard * ✨ Amend documentation for private repos (#286) * update * update * update * update (#293) * 🌱 Bump debian from `f75d8a3` to `fbaacd5` (#287) Bumps debian from `f75d8a3` to `fbaacd5`. --- updated-dependencies: - dependency-name: debian dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * 🌱 Bump github.com/sigstore/cosign from 1.7.2 to 1.8.0 (#212) Bumps [github.com/sigstore/cosign](https://github.com/sigstore/cosign) from 1.7.2 to 1.8.0. - [Release notes](https://github.com/sigstore/cosign/releases) - [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md) - [Commits](sigstore/cosign@v1.7.2...v1.8.0) --- updated-dependencies: - dependency-name: github.com/sigstore/cosign dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * 🌱 Bump github.com/caarlos0/env/v6 from 6.9.1 to 6.9.2 Bumps [github.com/caarlos0/env/v6](https://github.com/caarlos0/env) from 6.9.1 to 6.9.2. - [Release notes](https://github.com/caarlos0/env/releases) - [Changelog](https://github.com/caarlos0/env/blob/main/.goreleaser.yml) - [Commits](caarlos0/env@v6.9.1...v6.9.2) --- updated-dependencies: - dependency-name: github.com/caarlos0/env/v6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * 🌱 Bump github/codeql-action from 2.1.9 to 2.1.10 (#305) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.9 to 2.1.10. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@7502d6e...2f58583) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * 🌱 Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3.1.0 to 3.2.0. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@b517f99...537aa19) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * 🌱 Bump actions/setup-go from 3.0.0 to 3.1.0 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.0.0 to 3.1.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@f6164bd...fcdc436) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * 🌱 Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 (#206) * Update container hash for v1.1.0 (#314) * multi-repo-action: Cleanups (1/n) (#301) - install: Move action installation into a separate package - Add missing license headers - install: Fix unrecognized variables - lint: Fix warnings and attempt to auto-fix issues (where supported) - install: Parameterize config - install: Borrow GitHub client pattern from sigs.k8s.io/release-sdk - install: Use package-internal GitHub interface - install: Provide installation options as struct - install: Initial error/log handling cleanups - install: Use cobra for CLI - Remove inaccurate instances of workflow configuration file - multi-repo-action: Disable incomplete tests - install: Retrieve the correct action configuration from local path Signed-off-by: Stephen Augustus <[email protected]> Co-authored-by: Rohan Khandelwal <[email protected]> Co-authored-by: Stephen Augustus (he/him) <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: laurentsimon <[email protected]> Co-authored-by: Azeem Shaikh <[email protected]>

dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Apr 27, 2022

dependabot bot force-pushed the dependabot/go_modules/github.com/sigstore/cosign-1.8.0 branch 3 times, most recently from 47614fb to dde0217 Compare May 6, 2022 22:23

dependabot bot force-pushed the dependabot/go_modules/github.com/sigstore/cosign-1.8.0 branch from dde0217 to a1fbfb9 Compare May 10, 2022 16:00

dependabot bot force-pushed the dependabot/go_modules/github.com/sigstore/cosign-1.8.0 branch from a1fbfb9 to 33936c6 Compare May 12, 2022 17:40

naveensrinivasan approved these changes May 12, 2022

View reviewed changes

naveensrinivasan enabled auto-merge (squash) May 12, 2022 17:44

naveensrinivasan merged commit c9afc0e into main May 12, 2022

naveensrinivasan deleted the dependabot/go_modules/github.com/sigstore/cosign-1.8.0 branch May 12, 2022 17:53

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

🌱 Bump github.com/sigstore/cosign from 1.7.2 to 1.8.0 #212

🌱 Bump github.com/sigstore/cosign from 1.7.2 to 1.8.0 #212

Uh oh!

dependabot bot commented on behalf of github Apr 27, 2022 •

edited

Loading

Uh oh!

codecov bot commented Apr 27, 2022 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

🌱 Bump github.com/sigstore/cosign from 1.7.2 to 1.8.0 #212

🌱 Bump github.com/sigstore/cosign from 1.7.2 to 1.8.0 #212

Uh oh!

Conversation

dependabot bot commented on behalf of github Apr 27, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v1.8.0

What's Changed

v1.8.0

Enhancements

Bug Fixes

Others

Uh oh!

codecov bot commented Apr 27, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

dependabot bot commented on behalf of github Apr 27, 2022 •

edited

Loading

codecov bot commented Apr 27, 2022 •

edited

Loading