chore(deps): update module github.com/sigstore/cosign/v2 to v3

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/sigstore/cosign/v2	v2.6.3 → v3.0.6

---

Release Notes

sigstore/cosign (github.com/sigstore/cosign/v2)

v3.0.6

Compare Source

Changelog

v3.0.6 resolves GHSA-w6c6-c85g-mmv6. This release also adds support for signing with OpenBao-managed keys.

• f1ad3ee Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6) (#​4801)
• a09afa9 Handle whitespace-only certificate annotation (#​4760)
• 5a38a6d fix(sign): closing SignerVerifier too early when signing with a security key (#​4761)
• 2290a59 Disallow --new-bundle-format and --rfc3161-timestamp (#​4762)
• 36f4008 support managed keys in conformance testing (#​4728)
• 3274cf9 Add support for GCE metadata server env var (#​4732)
• 2e9754a fix: preserve per-layer annotations in WriteAttestationsReferrer (#​4709)
• dece275 Fix parsing of in-toto for string predicates
• bd4f0fd Mark batch of flags for deprecation (#​4698)
• 9b259ff disallow key and cert identity being used together during verification (#​4636)
• 95eb1c3 support key creation in GitLab group (#​4704)

Thanks to all contributors!

v3.0.5

Compare Source

Deprecations

• Deprecate rekor-entry-type flag (#​4691)
• Deprecate cosign triangulate (#​4676)
• Deprecate cosign copy (#​4681)

Features

• Automatically require signed timestamp with Rekor v2 entries (#​4666)
• Allow --local-image with --new-bundle-format for v2 and v3 signatures (#​4626)
• Add mTLS support for TSA client connections when signing with a signing config (#​4620)
• Enforce TSA requirement for Rekor v2, Fuclio signing (#​4683)

Bug Fixes

• Add empty predicate to cosign sign when payload type is application/vnd.in-toto+json (#​4635)
• fix: avoid panic on malformed attestation payload (#​4651)
• fix: avoid panic on malformed tlog entries (#​4649)
• fix: avoid panic on malformed replace payload (#​4653)
• Gracefully fail if bundle payload body is not a string (#​4648)
• Verify validity of chain rather than just certificate (#​4663)
• fix: avoid panic on malformed tlog entry body (#​4652)

Documentation

• docs(cosign): clarify RFC3161 revocation semantics (#​4642)
• Fix typo in CLI help (#​4701)

v3.0.4

Compare Source

v3.0.4 resolves GHSA-whqx-f9j3-ch6m.

Changes

• Fix bundle verify path for old bundle/trusted root (GHSA-whqx-f9j3-ch6m) (#​4623)
• Optimize cosign tree performance by caching digest resolution (#​4612)
• Don't require a trusted root to verify offline with a key (#​4613)
• Support default services for trusted-root and signing-config creation (#​4592)

v3.0.3

Compare Source

Thank you for all of your feedback on Cosign v3! v3.0.3 fixes a number of bugs reported by
the community along with adding compatibility for the new bundle format and attestation
storage in OCI to additional commands. We're continuing to work on compatibility with
the remaining commands and will have a new release shortly. If you run into any problems,
please file an issue

Changes

• 4554: Closes 4554 - Add warning when --output* is used (#​4556)
• Protobuf bundle support for subcommand clean (#​4539)
• Add staging flag to initialize with staging TUF metadata
• Updating sign-blob to also support signing with a certificate (#​4547)
• Protobuf bundle support for subcommands save and load (#​4538)
• Fix cert attachment for new bundle with signing config
• Fix OCI verification with local cert - old bundle
• Deprecate tlog-upload flag (#​4458)
• fix: Use signal context for sign cli package.
• update offline verification directions (#​4526)
• Fix signing/verifying annotations for new bundle
• Add support to download and attach for protobuf bundles (#​4477)
• Add --signing-algorithm flag (#​3497)
• Refactor signcommon bundle helpers
• Add --bundle and fix --upload for new bundle
• Pass insecure registry flags through to referrers
• Add protobuf bundle support for tree subcommand (#​4491)
• Remove stale embed import (#​4492)
• Support multiple container identities
• Fix segfault when no attestations are found (#​4472)
• Use overridden repository for new bundle format (#​4473)
• Remove --out flag from cosign initialize (#​4462)
• Deprecate offline flag (#​4457)
• Deduplicate code in sign/attest* and verify* commands (#​4449)
• Cache signing config when calling initialize (#​4456)

v3.0.2

Compare Source

v3.0.2 is a functionally equivalent release to v3.0.0 and v3.0.1, with a fix for CI to publish signed releases in the new bundle format.

• Note that the --bundle flag specifying an output file to write the Sigstore bundle (which contains all relevant verification material) has moved from optional to required in v3.

Changes

• choose different signature filename for KMS-signed release signatures (#​4448)
• Update rekor-tiles version path (#​4450)

v3.0.1

Compare Source

v3.0.1 is an equivalent release to v3.0.0, which was never published due to a failure in our CI workflows.

• Note that the --bundle flag specifying an output file to write the Sigstore bundle (which contains all relevant verification material) has moved from optional to required in v3.

Changes

• update goreleaser config for v3.0.0 release (#​4446)

v3.0.0

Compare Source

Announcing the next major release of Cosign!

Cosign v3 is a minor change from Cosign v2.6.x, with all of the new capabilities of recent
releases on by default, but will still allow you to disable them if you need the older functionality.
These new features include support for the standardized bundle format (--new-bundle-fomat), providing roots
of trust for verification and service URLs for signing via one file (--trusted-root, --signing-config),
and container signatures stored as an OCI Image 1.1 referring artifact.

Learn more on our v3 announcement blog post! See
the changelogs for v2.6.0, v2.5.0, and v2.4.0 for more information on recent
changes.

If you have any feedback, please reach out on Slack or file an issue on GitHub.

Changes

• Default to using the new protobuf format (#​4318)
• Fetch service URLs from the TUF PGI signing config by default (#​4428)
• Bump module version to v3 for Cosign v3.0 (#​4427)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.5 -> 1.25.7