
fix(deps): update go #10

Closed

ramonpetgrave64
Owner

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/google/go-containerregistry | require | minor | v0.18.0 -> v0.19.1 |
| github.com/sigstore/cosign/v2 | require | patch | v2.2.0 -> v2.2.3 |
| github.com/sigstore/fulcio | require | patch | v1.4.3 -> v1.4.4 |
| github.com/sigstore/protobuf-specs | require | minor | v0.2.1 -> v0.3.1 |
| github.com/sigstore/rekor | require | patch | v1.3.4 -> v1.3.6 |
| github.com/sigstore/sigstore | require | patch | v1.8.1 -> v1.8.3 |
| github.com/slsa-framework/slsa-github-generator | require | minor | v1.9.0 -> v1.10.0 |
| golang.org/x/mod | require | minor | v0.14.0 -> v0.17.0 |
| sigs.k8s.io/release-utils | require | minor | v0.7.7 -> v0.8.0 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

google/go-containerregistry (github.com/google/go-containerregistry)

v0.19.1

Compare Source

What's Changed

Full Changelog: google/go-containerregistry@v0.19.0...v0.19.1

v0.19.0

Compare Source

What's Changed

Full Changelog: google/go-containerregistry@v0.18.0...v0.19.0

sigstore/cosign (github.com/sigstore/cosign/v2)

v2.2.3

Compare Source

Bug Fixes

  • Fix race condition on verification with multiple signatures attached to image (#​3486)
  • fix(clean): Fix clean cmd for private registries (#​3446)
  • Fixed BYO PKI verification (#​3427)

Features

  • Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#​3466)
  • Add support for OpenVEX predicate type (#​3405)

Documentation

  • Resolves #​3088: version sub-command expected behaviour documentation and testing (#​3447)
  • add examples for cosign attach signature cmd (#​3468)

Misc

  • Remove CertSubject function (#​3467)
  • Use local rekor and fulcio instances in e2e tests (#​3478)

Contributors

  • aalsabag
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Colleen Murphy
  • Hayden B
  • Mukuls77
  • Omri Bornstein
  • Puerco
  • vivek kumar sahu

v2.2.2

Compare Source

v2.2.2 adds a new container with a shell, gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing
container gcr.io/projectsigstore/cosign:vx.y.z without a shell.

For private deployments, we have also added an alias for --insecure-skip-log, --private-infrastructure.

Bug Fixes

  • chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#​3411) which fixes a bug with using Azure KMS
  • Don't require CT log keys if using a key/sk (#​3415)
  • Fix copy without any flag set (#​3409)
  • Update cosign generate cmd to not include newline (#​3393)
  • Fix idempotency error with signing (#​3371)

Features

  • Add --yes flag cosign import-key-pair to skip the overwrite confirmation. (#​3383)
  • Use the timeout flag value in verify* commands. (#​3391)
  • add --private-infrastructure flag (#​3369)

Container Updates

  • Bump builder image to use go1.21.4 and add new cosign image tags with shell (#​3373)

Documentation

Contributors

  • Carlos Tadeu Panato Junior
  • Dylan Richardson
  • Hayden B
  • Lily Sturmann
  • Nikos Fotiou
  • Yonghe Zhao

v2.2.1

Compare Source

Note: This release comes with a fix for CVE-2023-46737 described in this GitHub Security Advisory. Please upgrade to this release ASAP.

Enhancements

  • feat: Support basic auth and bearer auth login to registry (#​3310)
  • add support for ignoring certificates with pkcs11 (#​3334)
  • Support ReplaceOp in Signatures (#​3315)
  • feat: added ability to get image digest back via triangulate (#​3255)
  • feat: add --only flag in cosign copy to copy sign, att & sbom (#​3247)
  • feat: add support attaching a Rekor bundle to a container (#​3246)
  • feat: add support outputting rekor response on signing (#​3248)
  • feat: improve dockerfile verify subcommand (#​3264)
  • Add guard flag for experimental OCI 1.1 verify. (#​3272)
  • Deprecate SBOM attachments (#​3256)
  • feat: dedent line in cosign copy doc (#​3244)
  • feat: add platform flag to cosign copy command (#​3234)
  • Add SLSA 1.0 attestation support to cosign. Closes #​2860 (#​3219)
  • attest: pass OCI remote opts to att resolver. (#​3225)

Bug Fixes

  • Merge pull request from GHSA-vfp6-jrw2-99g9
  • fix: allow cosign download sbom when image is absent (#​3245)
  • ci: add a OCI registry test for referrers support (#​3253)
  • Fix ReplaceSignatures (#​3292)
  • Stop using deprecated in_toto.ProvenanceStatement (#​3243)
  • Fixes #​3236, disable SCT checking for a cosign verification when usin… (#​3237)
  • fix: update error in SignedEntity to be more descriptive (#​3233)
  • Fail timestamp verification if no root is provided (#​3224)

Documentation

  • Add some docs about verifying in an air-gapped environment (#​3321)
  • Update CONTRIBUTING.md (#​3268)
  • docs: improves the Contribution guidelines (#​3257)
  • Remove security policy (#​3230)

Others

  • Set go to min 1.21 and update dependencies (#​3327)
  • Update contact for code of conduct (#​3266)
  • Update .ko.yaml (#​3240)

Contributors

  • AdamKorcz
  • Andres Galante
  • Appu
  • Billy Lynch
  • Bob Callaway
  • Caleb Woodbine
  • Carlos Tadeu Panato Junior
  • Dylan Richardson
  • Gareth Healy
  • Hayden B
  • John Kjell
  • Jon Johnson
  • jonvnadelberg
  • Luiz Carvalho
  • Priya Wadhwa
  • Ramkumar Chinchani
  • Tosone
  • Ville Aikas
  • Vishal Choudhary
  • ziel

sigstore/fulcio (github.com/sigstore/fulcio)

v1.4.4

Compare Source

Features

  • Add production OIDC provider for Eclipse (#​1472)
  • Change parseExtension function to be public (#​1584)
  • Allow exposed metrics port to be overridden (#​1518)
  • add configurable idle timeout

Bug Fixes

  • Fix docker-compose service order (#​1537)
  • Fix debug docker-compose setup (#​1529)
  • Fix docker-compose file (#​1560)

Documentation

  • Create new-idp-requirements.md (#​1447)
  • docs: Add back descriptive content on cert issuing (#​1494)
  • Added GitLab OIDC documentation to the /docs/oidc.md file that was missing. (#​1574)

Misc

  • update builder to use go1.21.6
  • Move kubernetes CA processing in config.prepare (#​1454)
  • Lots of dependabot updates

Contributors

  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Colleen Murphy
  • Cyril Cordoui
  • Hayden B
  • John Kjell
  • Paul Welch
  • Tanner Jones

sigstore/protobuf-specs (github.com/sigstore/protobuf-specs)

v0.3.1

Compare Source

v0.3.0

Compare Source

sigstore/rekor (github.com/sigstore/rekor)

v1.3.6

Compare Source

New Features

  • Add support for IEEE P1363 encoded ECDSA signatures
  • Add index performance script (#​2042)
  • Add support for ed25519ph user keys in hashedrekord (#​1945)
  • Add metrics for index insertion (#​2015)
  • Add TLS support for Redis Client implementation (#​1998)

Bug Fixes

  • fix typo in remoteIp and set full name for trace field

Contributors

  • Bob Callaway
  • Colleen Murphy
  • cpanato
  • Hayden B
  • Mihkel Pärna
  • Riccardo Schirone

v1.3.5

Compare Source

New Features

  • output trace in slog and override correlation header name (#​1986)
  • give log timestamps nanosecond precision (#​1985)
  • Added support for sha384/sha512 hash algorithms in hashedrekords (#​1959)
  • Change Redis value for locking mechanism (#​1957)

Bug Fixes

  • Fix panic for DSSE canonicalization (#​1923)
  • Drop conditional when verifying entry checkpoint (#​1917)
  • Remove timestamp from checkpoint (#​1888)
  • Additional unique index correction (#​1885)

Quality Enhancements

  • bump trillian images to v1.6.0 (#​1984)
  • remove trillian images from release process (#​1983)
  • update builder to use go1.21

Contributors

  • Andrew Block
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Hayden Blauzvern
  • Riccardo Schirone

sigstore/sigstore (github.com/sigstore/sigstore)

v1.8.3

Compare Source

What's Changed

Full Changelog: sigstore/sigstore@v1.8.2...v1.8.3

v1.8.2

Compare Source

What's Changed

New Contributors

Full Changelog: sigstore/sigstore@v1.8.1...v1.8.2

slsa-framework/slsa-github-generator (github.com/slsa-framework/slsa-github-generator)

v1.10.0

Compare Source

Release v1.10.0 includes bug fixes and new features.

See the full change list.

v1.10.0: TUF fix
  • The cosign TUF roots were fixed (#​3350). More details here.
v1.10.0: Gradle Builder
  • The Gradle Builder was fixed when the project root is the same as the
    repository root (#​2727)
v1.10.0: Go Builder
  • The go-version-file input was fixed so that it can find the go.mod file
    (#​2661)
v1.10.0: Container Generator
  • A new provenance-repository input was added to allow reading provenance from
    a different container repository than the image itself (#​2956)

v1.9.1

Compare Source

This is an un-finalized release.

See the CHANGELOG for details.

kubernetes-sigs/release-utils (sigs.k8s.io/release-utils)

v0.8.0

Compare Source

What's Changed

New Contributors

Full Changelog: kubernetes-sigs/release-utils@v0.7.7...v0.8.0


Configuration

📅 Schedule: Branch creation - "before 4 am on the first day of the month" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Signed-off-by:
@ramonpetgrave64 ramonpetgrave64 changed the title fix(deps): update go fix(deps): update go - autoclosed Apr 4, 2024
@ramonpetgrave64 ramonpetgrave64 deleted the renovate/go branch April 4, 2024 18:28
@ramonpetgrave64 ramonpetgrave64 changed the title fix(deps): update go - autoclosed fix(deps): update go Apr 4, 2024
@ramonpetgrave64 ramonpetgrave64 restored the renovate/go branch April 4, 2024 18:31
@ramonpetgrave64 ramonpetgrave64 changed the title fix(deps): update go fix(deps): update go - autoclosed Apr 4, 2024
@ramonpetgrave64 ramonpetgrave64 deleted the renovate/go branch April 4, 2024 18:48
@ramonpetgrave64 ramonpetgrave64 changed the title fix(deps): update go - autoclosed fix(deps): update go Apr 4, 2024
@ramonpetgrave64 ramonpetgrave64 restored the renovate/go branch April 4, 2024 18:55