build(deps): update dependency sigstore/cosign to v3.0.6

[renovate]

This PR contains the following updates:

Package	Update	Change	OpenSSF
sigstore/cosign	patch	3.0.4 → 3.0.6

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

sigstore/cosign (sigstore/cosign)

v3.0.6

Compare Source

Changelog

v3.0.6 resolves GHSA-w6c6-c85g-mmv6. This release also adds support for signing with OpenBao-managed keys.

• f1ad3ee Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6) (#​4801)
• a09afa9 Handle whitespace-only certificate annotation (#​4760)
• 5a38a6d fix(sign): closing SignerVerifier too early when signing with a security key (#​4761)
• 2290a59 Disallow --new-bundle-format and --rfc3161-timestamp (#​4762)
• 36f4008 support managed keys in conformance testing (#​4728)
• 3274cf9 Add support for GCE metadata server env var (#​4732)
• 2e9754a fix: preserve per-layer annotations in WriteAttestationsReferrer (#​4709)
• dece275 Fix parsing of in-toto for string predicates
• bd4f0fd Mark batch of flags for deprecation (#​4698)
• 9b259ff disallow key and cert identity being used together during verification (#​4636)
• 95eb1c3 support key creation in GitLab group (#​4704)

Thanks to all contributors!

v3.0.5

Compare Source

Deprecations

• Deprecate rekor-entry-type flag (#​4691)
• Deprecate cosign triangulate (#​4676)
• Deprecate cosign copy (#​4681)

Features

• Automatically require signed timestamp with Rekor v2 entries (#​4666)
• Allow --local-image with --new-bundle-format for v2 and v3 signatures (#​4626)
• Add mTLS support for TSA client connections when signing with a signing config (#​4620)
• Enforce TSA requirement for Rekor v2, Fuclio signing (#​4683)

Bug Fixes

• Add empty predicate to cosign sign when payload type is application/vnd.in-toto+json (#​4635)
• fix: avoid panic on malformed attestation payload (#​4651)
• fix: avoid panic on malformed tlog entries (#​4649)
• fix: avoid panic on malformed replace payload (#​4653)
• Gracefully fail if bundle payload body is not a string (#​4648)
• Verify validity of chain rather than just certificate (#​4663)
• fix: avoid panic on malformed tlog entry body (#​4652)

Documentation

• docs(cosign): clarify RFC3161 revocation semantics (#​4642)
• Fix typo in CLI help (#​4701)

---

Configuration

📅 Schedule: (in timezone Europe/Stockholm)

• Branch creation
  • "after 8:00pm on Saturday,before 11:59pm on Sunday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.