build: update module github.com/sigstore/cosign/v2 to v2.3.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/sigstore/cosign/v2	v2.2.3 -> v2.3.0

---

Release Notes

sigstore/cosign (github.com/sigstore/cosign/v2)

v2.3.0

Compare Source

Features

• Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#​3693)
• add registry options to cosign save (#​3645)
• Add debug providers command. (#​3728)
• Make config layers in ociremote mountable (#​3741)
• upgrade to go1.22 (#​3739)
• adds tsa cert chain check for env var or tuf targets. (#​3600)
• add --ca-roots and --ca-intermediates flags to 'cosign verify' (#​3464)
• add handling of keyless verification for all verify commands (#​3761)

Bug Fixes

• fix: close attestationFile (#​3679)
• Set bundleVerified to true after Rekor verification (Resolves #​3740) (#​3745)

Documentation

• Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#​3776)

Testing

• Refactor KMS E2E tests (#​3684)
• Remove sign_blob_test.sh test (#​3707)
• Remove KMS E2E test script (#​3702)
• Refactor insecure registry E2E tests (#​3701)

Contributors

• Billy Lynch
• bminahan73
• Bob Callaway
• Carlos Tadeu Panato Junior
• Cody Soyland
• Colleen Murphy
• Dmitry Savintsev
• guangwu
• Hayden B
• Hector Fernandez
• ian hundere
• Jason Power
• Jon Johnson
• Max Lambrecht
• Meeki1l

v2.2.4

Compare Source

Bug Fixes

• Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#​3661)
• ErrNoSignaturesFound should be used when there is no signature attached to an image. (#​3526)
• fix semgrep issues for dgryski.semgrep-go ruleset (#​3541)
• Honor creation timestamp for signatures again (#​3549)

Features

• Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#​3578)

Documentation

• add oci bundle spec (#​3622)
• Correct help text of triangulate cmd (#​3551)
• Correct help text of verify-attestation policy argument (#​3527)
• feat: add OVHcloud MPR registry tested with cosign (#​3639)

Testing

• Refactor e2e-tests.yml workflow (#​3627)
• Clean up and clarify e2e scripts (#​3628)
• Don't ignore transparency log in tests if possible (#​3528)
• Make E2E tests hermetic (#​3499)
• add e2e test for pkcs11 token signing (#​3495)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 76 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.22.1 -> 1.22.5
github.com/google/go-containerregistry	v0.19.0 -> v0.20.1
github.com/open-policy-agent/opa	v0.62.1 -> v0.66.0
github.com/sigstore/rekor	v1.3.5 -> v1.3.6
github.com/sigstore/sigstore	v1.8.2 -> v1.8.7
github.com/spf13/cobra	v1.8.0 -> v1.8.1
golang.org/x/oauth2	v0.18.0 -> v0.21.0
google.golang.org/protobuf	v1.33.0 -> v1.34.2
cloud.google.com/go/compute/metadata	v0.2.3 -> v0.5.0
github.com/Microsoft/go-winio	v0.6.1 -> v0.6.2
github.com/aws/aws-sdk-go-v2	v1.24.1 -> v1.30.1
github.com/aws/aws-sdk-go-v2/config	v1.26.6 -> v1.27.24
github.com/aws/aws-sdk-go-v2/credentials	v1.16.16 -> v1.17.24
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	v1.14.11 -> v1.16.9
github.com/aws/aws-sdk-go-v2/internal/configsources	v1.2.10 -> v1.3.13
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	v2.5.10 -> v2.6.13
github.com/aws/aws-sdk-go-v2/internal/ini	v1.7.3 -> v1.8.0
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	v1.10.4 -> v1.11.3
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	v1.10.10 -> v1.11.15
github.com/aws/aws-sdk-go-v2/service/sso	v1.18.7 -> v1.22.1
github.com/aws/aws-sdk-go-v2/service/ssooidc	v1.21.7 -> v1.26.2
github.com/aws/aws-sdk-go-v2/service/sts	v1.26.7 -> v1.30.1
github.com/aws/smithy-go	v1.19.0 -> v1.20.3
github.com/buildkite/agent/v3	v3.62.0 -> v3.75.1
github.com/buildkite/go-pipeline	v0.3.2 -> v0.10.0
github.com/buildkite/interpolate	v0.0.0-20200526001904-07f35b4ae251 -> v0.1.3
github.com/cespare/xxhash/v2	v2.2.0 -> v2.3.0
github.com/coreos/go-oidc/v3	v3.9.0 -> v3.11.0
github.com/docker/docker	v24.0.7+incompatible -> v24.0.9+incompatible
github.com/go-jose/go-jose/v3	v3.0.2 -> v3.0.3
github.com/go-logr/logr	v1.4.1 -> v1.4.2
github.com/go-openapi/analysis	v0.22.0 -> v0.23.0
github.com/go-openapi/errors	v0.21.0 -> v0.22.0
github.com/go-openapi/jsonpointer	v0.20.2 -> v0.21.0
github.com/go-openapi/jsonreference	v0.20.4 -> v0.21.0
github.com/go-openapi/loads	v0.21.5 -> v0.22.0
github.com/go-openapi/runtime	v0.27.1 -> v0.28.0
github.com/go-openapi/spec	v0.20.14 -> v0.21.0
github.com/go-openapi/strfmt	v0.22.0 -> v0.23.0
github.com/go-openapi/swag	v0.22.9 -> v0.23.0
github.com/go-openapi/validate	v0.22.6 -> v0.24.0
github.com/golang/protobuf	v1.5.3 -> v1.5.4
github.com/google/certificate-transparency-go	v1.1.7 -> v1.2.1
github.com/hashicorp/go-retryablehttp	v0.7.5 -> v0.7.7
github.com/klauspost/compress	v1.17.2 -> v1.17.8
github.com/letsencrypt/boulder	v0.0.0-20231026200631-000cd05d5491 -> v0.0.0-20240620165639-de9c06129bec
github.com/opencontainers/image-spec	v1.1.0-rc6 -> v1.1.0
github.com/pelletier/go-toml/v2	v2.1.0 -> v2.2.2
github.com/prometheus/client_golang	v1.19.0 -> v1.19.1
github.com/prometheus/client_model	v0.5.0 -> v0.6.1
github.com/prometheus/common	v0.48.0 -> v0.55.0
github.com/prometheus/procfs	v0.12.0 -> v0.15.1
github.com/sigstore/fulcio	v1.4.3 -> v1.5.1
github.com/sigstore/timestamp-authority	v1.2.1 -> v1.2.2
github.com/spf13/viper	v1.18.2 -> v1.19.0
github.com/spiffe/go-spiffe/v2	v2.1.7 -> v2.3.0
github.com/xanzy/go-gitlab	v0.96.0 -> v0.107.0
go.mongodb.org/mongo-driver	v1.13.1 -> v1.14.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.47.0 -> v0.52.0
go.opentelemetry.io/otel	v1.22.0 -> v1.28.0
go.opentelemetry.io/otel/metric	v1.22.0 -> v1.28.0
go.opentelemetry.io/otel/sdk	v1.22.0 -> v1.28.0
go.opentelemetry.io/otel/trace	v1.22.0 -> v1.28.0
go.step.sm/crypto	v0.42.1 -> v0.50.0
go.uber.org/zap	v1.26.0 -> v1.27.0
golang.org/x/crypto	v0.21.0 -> v0.25.0
golang.org/x/exp	v0.0.0-20231108232855-2478ac86f678 -> v0.0.0-20240112132812-db7319d0e0e3
golang.org/x/mod	v0.14.0 -> v0.17.0
golang.org/x/net	v0.22.0 -> v0.27.0
golang.org/x/sync	v0.6.0 -> v0.7.0
golang.org/x/sys	v0.18.0 -> v0.22.0
golang.org/x/term	v0.18.0 -> v0.22.0
golang.org/x/text	v0.14.0 -> v0.16.0
google.golang.org/api	v0.159.0 -> v0.188.0
k8s.io/klog/v2	v2.120.0 -> v2.120.1
k8s.io/utils	v0.0.0-20230726121419-3b25d923346b -> v0.0.0-20240502163921-fe8a2dddb1d0
sigs.k8s.io/release-utils	v0.7.7 -> v0.8.3