Skip to content

Update module github.com/sigstore/cosign/v3 to v3.1.1#465

Open
renovate-rancher[bot] wants to merge 1 commit into
mainfrom
renovate/github.com-sigstore-cosign-v3-3.x
Open

Update module github.com/sigstore/cosign/v3 to v3.1.1#465
renovate-rancher[bot] wants to merge 1 commit into
mainfrom
renovate/github.com-sigstore-cosign-v3-3.x

Conversation

@renovate-rancher

@renovate-rancher renovate-rancher Bot commented Jun 13, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/sigstore/cosign/v3 v3.0.6v3.1.1 age confidence

Release Notes

sigstore/cosign (github.com/sigstore/cosign/v3)

v3.1.1

Compare Source

What's Changed

Note: v3.1.0 was skipped due to a bug in our release pipeline. v3.1.1 is identical to v3.1.0

This release deprecates a number of flags related to verification material input for trust root material, as well as the bundle format, standardized across Sigstore SDKs, which is now the default output and input for signing and verifying respectively. You may continue to use the deprecated flags with Cosign v3.x releases. The deprecated flags will be removed in a future Cosign v4 release.

This release also updates the signing path for logging to Rekor v2. DSSE attestations will be logged as hashed entries, using the DSSE's pre-auth encoding (PAE). This should unblock developers who want to upload large signed DSSEs such as SBOMs.

  • Initialize PKCS11 slots Before Getting Token Info in #​4803
  • Sign exclusively via sigstore-go in #​4618
  • bundle create: Prevent IgnoreTlog when bundle contains SET in #​4829
  • Require bundle output or registry upload in #​4785
  • fix(load): pass NameOptions to name.ParseReference in #​4786
  • fix: honor --digestAlg when hashing a blob in verify-blob-attestation in #​4813
  • Deprecate Flags for v4: Certificates in #​4822
  • Deprecate flags signing config in #​4844
  • Deprecate flags bundle in #​4838
  • Fix typo in map of verify command fields unsupported for new bundle format in #​4853
  • Add bundle upgrade command in #​4820
  • Deprecate Flags for v4 in #​4854
  • fix: close file descriptor leaked in WriteSignedImageIndexImages loop in #​4869
  • fix: use Header.Set to prevent duplicate Authorization on retry in #​4870
  • feat(cli): add Rekor v2 flag to cosign signing-config create in #​4868
  • Fix crash verifying timestamps when no timestamp was verified in #​4881
  • Deprecate Flags for v4: OCI Referrers in #​4804
  • Use the configured Target Repository more consistently in #​4836
  • fix: check HTTP status code in LoadFileOrURL in #​4877
  • Fix unsafe type assertion in Rego policy evaluation by in #​4882
  • Fix Ed25519ph check to respect custom signing configs in sign-blob in #​4880
  • Enable initialize command output in conformance in #​4892
  • verify: return TUF errors for new bundle trusted roots in #​4878
  • Deprecate subcommands in #​4894
  • Remove docstring references to deprecated flags in #​4910
  • fix(verify): Attach detached certificates to static signatures via wrapped verifier in #​4737
  • fix(verify): copy CheckOpts inside VerifyNewBundle to fix data race in #​4917
  • Update sigstore-go to v1.2.0 in #​4914

Full Changelog: sigstore/cosign@v3.0.6...v3.1.1

v3.1.0

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@renovate-rancher
renovate-rancher Bot requested a review from a team as a code owner June 13, 2026 07:52
@renovate-rancher
renovate-rancher Bot requested a review from pohanhuang June 13, 2026 07:52
@renovate-rancher

renovate-rancher Bot commented Jun 13, 2026

Copy link
Copy Markdown
Contributor Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 13 additional dependencies were updated

Details:

Package Change
github.com/coreos/go-oidc/v3 v3.17.0 -> v3.18.0
github.com/go-openapi/swag/conv v0.26.0 -> v0.26.1
github.com/go-openapi/swag/typeutils v0.26.0 -> v0.26.1
github.com/spiffe/go-spiffe/v2 v2.6.0 -> v2.7.0
github.com/theupdateframework/go-tuf/v2 v2.4.2-0.20260407074541-7e8f69f906ef -> v2.4.2
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 -> v0.68.0
google.golang.org/protobuf v1.36.11 -> v1.36.12-0.20260120151049-f2248ac996af
k8s.io/api v0.35.3 -> v0.36.1
k8s.io/apimachinery v0.35.3 -> v0.36.1
k8s.io/client-go v0.35.3 -> v0.36.1
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 -> v0.0.0-20260317180543-43fb72c5454a
k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 -> v0.0.0-20260210185600-b8788abfbbc2
sigs.k8s.io/structured-merge-diff/v6 v6.3.0 -> v6.3.2

@renovate-rancher
renovate-rancher Bot force-pushed the renovate/github.com-sigstore-cosign-v3-3.x branch from 50a9be4 to 64d6b21 Compare June 17, 2026 06:23
@renovate-rancher renovate-rancher Bot changed the title Update module github.com/sigstore/cosign/v3 to v3.1.0 Update module github.com/sigstore/cosign/v3 to v3.1.1 Jun 17, 2026
@renovate-rancher
renovate-rancher Bot force-pushed the renovate/github.com-sigstore-cosign-v3-3.x branch 3 times, most recently from e4815d7 to ebd5dcf Compare July 9, 2026 06:04
@renovate-rancher
renovate-rancher Bot force-pushed the renovate/github.com-sigstore-cosign-v3-3.x branch from ebd5dcf to af6a7b6 Compare July 15, 2026 05:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants