diff --git a/go.mod b/go.mod
index aaae5a0b4b..3036d880f2 100644
--- a/go.mod
+++ b/go.mod
@@ -25,7 +25,7 @@ require (
github.com/mitchellh/go-homedir v1.1.0
github.com/pkg/errors v0.9.1
github.com/sigstore/cosign/v2 v2.6.3
- github.com/sigstore/sigstore v1.10.4
+ github.com/sigstore/sigstore v1.10.5
github.com/spf13/cobra v1.10.2
github.com/spf13/pflag v1.0.10
github.com/tektoncd/chains v0.26.2
diff --git a/go.sum b/go.sum
index 915e9986b5..8579701c71 100644
--- a/go.sum
+++ b/go.sum
@@ -674,8 +674,8 @@ github.com/sigstore/rekor v1.5.0 h1:rL7SghHd5HLCtsCrxw0yQg+NczGvM75EjSPPWuGjaiQ=
github.com/sigstore/rekor v1.5.0/go.mod h1:D7JoVCUkxwQOpPDNYeu+CE8zeBC18Y5uDo6tF8s2rcQ=
github.com/sigstore/rekor-tiles/v2 v2.0.1 h1:1Wfz15oSRNGF5Dzb0lWn5W8+lfO50ork4PGIfEKjZeo=
github.com/sigstore/rekor-tiles/v2 v2.0.1/go.mod h1:Pjsbhzj5hc3MKY8FfVTYHBUHQEnP0ozC4huatu4x7OU=
-github.com/sigstore/sigstore v1.10.4 h1:ytOmxMgLdcUed3w1SbbZOgcxqwMG61lh1TmZLN+WeZE=
-github.com/sigstore/sigstore v1.10.4/go.mod h1:tDiyrdOref3q6qJxm2G+JHghqfmvifB7hw+EReAfnbI=
+github.com/sigstore/sigstore v1.10.5 h1:KqrOjDhNOVY+uOzQFat2FrGLClPPCb3uz8pK3wuI+ow=
+github.com/sigstore/sigstore v1.10.5/go.mod h1:k/mcVVXw3I87dYG/iCVTSW2xTrW7vPzxxGic4KqsqXs=
github.com/sigstore/sigstore-go v1.1.4 h1:wTTsgCHOfqiEzVyBYA6mDczGtBkN7cM8mPpjJj5QvMg=
github.com/sigstore/sigstore-go v1.1.4/go.mod h1:2U/mQOT9cjjxrtIUeKDVhL+sHBKsnWddn8URlswdBsg=
github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.4 h1:VZ+L6SKVWbLPHznIF0tBuO7qKMFdJiJMVwFKu9DlY5o=
diff --git a/vendor/github.com/sigstore/sigstore/pkg/oauth/interactive.go b/vendor/github.com/sigstore/sigstore/pkg/oauth/interactive.go
index d9ee1234af..d24d89d746 100644
--- a/vendor/github.com/sigstore/sigstore/pkg/oauth/interactive.go
+++ b/vendor/github.com/sigstore/sigstore/pkg/oauth/interactive.go
@@ -16,15 +16,14 @@
package oauth
import (
- "bytes"
"fmt"
- "text/template"
+ "strings"
)
// GetInteractiveSuccessHTML is the page displayed upon success when using a web browser during an interactive Oauth token flow.
// The page will close automatically if autoclose is true with the timeout specified.
func GetInteractiveSuccessHTML(autoclose bool, timeout int) (string, error) {
- const successTemplate = `
+ const successTemplateHead = `
Sigstore Authentication
@@ -90,10 +89,11 @@ func GetInteractiveSuccessHTML(autoclose bool, timeout int) (string, error) {
+`
- {{ if .Autoclose -}}
+ const autocloseScript = `
- {{- end }}
+
+
+`
+
+ const successTemplateTail = `
`
- // Parse the template
- tmpl, err := template.New("success").Parse(successTemplate)
- if err != nil {
- return "", fmt.Errorf("error parsing success template: %w", err)
- }
- // Pass autoclose and timeout to the template
- data := struct {
- Autoclose bool
- Timeout int
- }{
- autoclose,
- timeout,
- }
- var htmlPage bytes.Buffer
- if err := tmpl.Execute(&htmlPage, data); err != nil {
- return "", fmt.Errorf("error executing template: %w", err)
+
+ var sb strings.Builder
+
+ sb.WriteString(successTemplateHead)
+
+ if autoclose {
+ fmt.Fprintf(&sb, autocloseScript, timeout)
}
- return htmlPage.String(), nil
+
+ sb.WriteString(successTemplateTail)
+
+ return sb.String(), nil
}
const (
diff --git a/vendor/github.com/sigstore/sigstore/pkg/oauthflow/device.go b/vendor/github.com/sigstore/sigstore/pkg/oauthflow/device.go
index 3dad8c34f4..3d44044028 100644
--- a/vendor/github.com/sigstore/sigstore/pkg/oauthflow/device.go
+++ b/vendor/github.com/sigstore/sigstore/pkg/oauthflow/device.go
@@ -32,12 +32,14 @@ import (
const (
// SigstoreDeviceURL specifies the Device Code endpoint for the public good Sigstore service
- /* #nosec */
+ //
// Deprecated: this constant (while correct) should not be used
+ /* #nosec */
SigstoreDeviceURL = "https://oauth2.sigstore.dev/auth/device/code"
// SigstoreTokenURL specifies the Token endpoint for the public good Sigstore service
- /* #nosec */
+ //
// Deprecated: this constant (while correct) should not be used
+ /* #nosec */
SigstoreTokenURL = "https://oauth2.sigstore.dev/auth/device/token"
)
@@ -64,6 +66,7 @@ type DeviceFlowTokenGetter struct {
}
// NewDeviceFlowTokenGetter creates a new DeviceFlowTokenGetter that retrieves an OIDC Identity Token using a Device Code Grant
+//
// Deprecated: NewDeviceFlowTokenGetter is deprecated; use NewDeviceFlowTokenGetterForIssuer() instead
func NewDeviceFlowTokenGetter(issuer, codeURL, _ string) *DeviceFlowTokenGetter {
return &DeviceFlowTokenGetter{
diff --git a/vendor/github.com/sigstore/sigstore/pkg/oauthflow/interactive.go b/vendor/github.com/sigstore/sigstore/pkg/oauthflow/interactive.go
index de21064e45..3a4052d20f 100644
--- a/vendor/github.com/sigstore/sigstore/pkg/oauthflow/interactive.go
+++ b/vendor/github.com/sigstore/sigstore/pkg/oauthflow/interactive.go
@@ -201,6 +201,7 @@ func startRedirectListener(state, htmlPage, redirectURL string, doneCh chan stri
}
m.HandleFunc(urlListener.Path, func(w http.ResponseWriter, r *http.Request) {
+ r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
// even though these are fetched from the FormValue method,
// these are supplied as query parameters
if r.FormValue("state") != state {
diff --git a/vendor/github.com/sigstore/sigstore/pkg/signature/algorithm_registry.go b/vendor/github.com/sigstore/sigstore/pkg/signature/algorithm_registry.go
index 02c032b02d..802256ac65 100644
--- a/vendor/github.com/sigstore/sigstore/pkg/signature/algorithm_registry.go
+++ b/vendor/github.com/sigstore/sigstore/pkg/signature/algorithm_registry.go
@@ -62,7 +62,7 @@ type AlgorithmDetails struct {
// The underlying type of these parameters is dependent on the keyType.
// For example, ECDSA algorithms will store an elliptic curve here whereas, RSA keys will store the key size.
// Algorithms that don't require any extra parameters leave this set to nil.
- extraKeyParams interface{}
+ extraKeyParams any
// flagValue is a string representation of the signature algorithm that follows the naming conventions of CLI
// arguments that are used for Sigstore services.
@@ -157,7 +157,7 @@ var supportedAlgorithms = []AlgorithmDetails{
{v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_4096_SHA256, RSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, RSAKeySize(4096), "rsa-sign-pkcs1-4096-sha256"},
{v1.PublicKeyDetails_PKIX_RSA_PSS_2048_SHA256, RSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, RSAKeySize(2048), "rsa-sign-pss-2048-sha256"},
{v1.PublicKeyDetails_PKIX_RSA_PSS_3072_SHA256, RSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, RSAKeySize(3072), "rsa-sign-pss-3072-sha256"},
- {v1.PublicKeyDetails_PKIX_RSA_PSS_4096_SHA256, RSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, RSAKeySize(4096), "rsa-sign-pss-4092-sha256"},
+ {v1.PublicKeyDetails_PKIX_RSA_PSS_4096_SHA256, RSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, RSAKeySize(4096), "rsa-sign-pss-4096-sha256"},
{v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256, ECDSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, elliptic.P256(), "ecdsa-sha2-256-nistp256"},
{v1.PublicKeyDetails_PKIX_ECDSA_P384_SHA_384, ECDSA, crypto.SHA384, v1.HashAlgorithm_SHA2_384, elliptic.P384(), "ecdsa-sha2-384-nistp384"},
{v1.PublicKeyDetails_PKIX_ECDSA_P384_SHA_256, ECDSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, elliptic.P384(), "ecdsa-sha2-256-nistp384"}, //nolint:staticcheck
diff --git a/vendor/github.com/sigstore/sigstore/pkg/signature/kms/cliplugin/encoding/options.go b/vendor/github.com/sigstore/sigstore/pkg/signature/kms/cliplugin/encoding/options.go
index 09e4671ad1..7e6de0782e 100644
--- a/vendor/github.com/sigstore/sigstore/pkg/signature/kms/cliplugin/encoding/options.go
+++ b/vendor/github.com/sigstore/sigstore/pkg/signature/kms/cliplugin/encoding/options.go
@@ -17,7 +17,7 @@
package encoding
// We have some type assertions that seem like they may panic, but this is just to satisfy
-// golanci-lint's forcetypeassert linter. If they were to ever fail, unit tests would also fail.
+// golangci-lint's forcetypeassert linter. If they were to ever fail, unit tests would also fail.
// We know the asserted types are valid because otherwise we would have compiler failures.
import (
@@ -55,9 +55,9 @@ func PackRPCOptions(opts []signature.RPCOption) *common.RPCOptions {
func UnpackRPCOptions(commonOpts *common.RPCOptions) []signature.RPCOption {
opts := []signature.RPCOption{}
if commonOpts.CtxDeadline != nil {
- // no need fot this package to cancel the context early,
+ // no need for this package to cancel the context early,
// and users may still check if the deadline is exceeded with ctx.Err().
- ctx, _ := context.WithDeadline(context.Background(), *commonOpts.CtxDeadline) //nolint:govet
+ ctx, _ := context.WithDeadline(context.Background(), *commonOpts.CtxDeadline) //nolint:govet,gosec
opts = append(opts, options.WithContext(ctx))
}
if commonOpts.KeyVersion != nil {
@@ -90,7 +90,7 @@ func PackMessageOptions(opts []signature.MessageOption) *common.MessageOptions {
// PackPublicKeyOptions extracts properties of all of opts into struct ready for serializing.
func PackPublicKeyOptions(opts []signature.PublicKeyOption) *common.PublicKeyOptions {
- rpcOpts := []signature.RPCOption{}
+ rpcOpts := make([]signature.RPCOption, 0, len(opts))
for _, opt := range opts {
rpcOpts = append(rpcOpts, opt)
}
@@ -101,8 +101,9 @@ func PackPublicKeyOptions(opts []signature.PublicKeyOption) *common.PublicKeyOpt
// UnpackPublicKeyOptions builds the []signature.PublicKeyOption from common.PublicKeyOptions.
func UnpackPublicKeyOptions(commonOpts *common.PublicKeyOptions) []signature.PublicKeyOption {
- opts := []signature.PublicKeyOption{}
- for _, opt := range UnpackRPCOptions(&commonOpts.RPCOptions) {
+ rpcOpts := UnpackRPCOptions(&commonOpts.RPCOptions)
+ opts := make([]signature.PublicKeyOption, 0, len(rpcOpts))
+ for _, opt := range rpcOpts {
opt, ok := opt.(signature.PublicKeyOption)
if !ok {
panic("cannot assert as PublicKeyOption")
@@ -124,13 +125,13 @@ func UnpackMessageOptions(commonOpts *common.MessageOptions) []signature.Message
return opts
}
-// PackSignOptions extracts properties of all of opts into struct ready for serializing,
+// PackSignOptions extracts properties of all of opts into struct ready for serializing.
func PackSignOptions(opts []signature.SignOption) *common.SignOptions {
- rpcOpts := []signature.RPCOption{}
+ rpcOpts := make([]signature.RPCOption, 0, len(opts))
for _, opt := range opts {
rpcOpts = append(rpcOpts, opt)
}
- messageOpts := []signature.MessageOption{}
+ messageOpts := make([]signature.MessageOption, 0, len(opts))
for _, opt := range opts {
messageOpts = append(messageOpts, opt)
}
@@ -140,17 +141,19 @@ func PackSignOptions(opts []signature.SignOption) *common.SignOptions {
}
}
-// UnpackSignOptions builds the []]signature.SignOption from common.SignOptions.
+// UnpackSignOptions builds the []signature.SignOption from common.SignOptions.
func UnpackSignOptions(commonOpts *common.SignOptions) []signature.SignOption {
- opts := []signature.SignOption{}
- for _, opt := range UnpackRPCOptions(&commonOpts.RPCOptions) {
+ rpcOpts := UnpackRPCOptions(&commonOpts.RPCOptions)
+ msgOpts := UnpackMessageOptions(&commonOpts.MessageOptions)
+ opts := make([]signature.SignOption, 0, len(rpcOpts)+len(msgOpts))
+ for _, opt := range rpcOpts {
opt, ok := opt.(signature.SignOption)
if !ok {
panic("cannot assert as SignOption")
}
opts = append(opts, opt)
}
- for _, opt := range UnpackMessageOptions(&commonOpts.MessageOptions) {
+ for _, opt := range msgOpts {
opt, ok := opt.(signature.SignOption)
if !ok {
panic("cannot assert as SignOption")
@@ -160,13 +163,13 @@ func UnpackSignOptions(commonOpts *common.SignOptions) []signature.SignOption {
return opts
}
-// PackVerifyOptions extracts properties of all of opts into struct ready for serializing,
+// PackVerifyOptions extracts properties of all of opts into struct ready for serializing.
func PackVerifyOptions(opts []signature.VerifyOption) *common.VerifyOptions {
- rpcOpts := []signature.RPCOption{}
+ rpcOpts := make([]signature.RPCOption, 0, len(opts))
for _, opt := range opts {
rpcOpts = append(rpcOpts, opt)
}
- messageOpts := []signature.MessageOption{}
+ messageOpts := make([]signature.MessageOption, 0, len(opts))
for _, opt := range opts {
messageOpts = append(messageOpts, opt)
}
@@ -176,17 +179,19 @@ func PackVerifyOptions(opts []signature.VerifyOption) *common.VerifyOptions {
}
}
-// UnpackVerifyOptions builds the []]signature.VerifyOption from common.VerifyOptions.
+// UnpackVerifyOptions builds the []signature.VerifyOption from common.VerifyOptions.
func UnpackVerifyOptions(commonOpts *common.VerifyOptions) []signature.VerifyOption {
- opts := []signature.VerifyOption{}
- for _, opt := range UnpackRPCOptions(&commonOpts.RPCOptions) {
+ rpcOpts := UnpackRPCOptions(&commonOpts.RPCOptions)
+ msgOpts := UnpackMessageOptions(&commonOpts.MessageOptions)
+ opts := make([]signature.VerifyOption, 0, len(rpcOpts)+len(msgOpts))
+ for _, opt := range rpcOpts {
opt, ok := opt.(signature.VerifyOption)
if !ok {
panic("cannot assert as VerifyOption")
}
opts = append(opts, opt)
}
- for _, opt := range UnpackMessageOptions(&commonOpts.MessageOptions) {
+ for _, opt := range msgOpts {
opt, ok := opt.(signature.VerifyOption)
if !ok {
panic("cannot assert as VerifyOption")
diff --git a/vendor/github.com/sigstore/sigstore/pkg/signature/message.go b/vendor/github.com/sigstore/sigstore/pkg/signature/message.go
index 44771ff3da..bd715b0c54 100644
--- a/vendor/github.com/sigstore/sigstore/pkg/signature/message.go
+++ b/vendor/github.com/sigstore/sigstore/pkg/signature/message.go
@@ -21,18 +21,14 @@ import (
"errors"
"fmt"
"io"
+ "slices"
)
func isSupportedAlg(alg crypto.Hash, supportedAlgs []crypto.Hash) bool {
if supportedAlgs == nil {
return true
}
- for _, supportedAlg := range supportedAlgs {
- if alg == supportedAlg {
- return true
- }
- }
- return false
+ return slices.Contains(supportedAlgs, alg)
}
// ComputeDigestForSigning calculates the digest value for the specified message using a hash function selected by the following process:
diff --git a/vendor/github.com/sigstore/sigstore/pkg/signature/payload/payload.go b/vendor/github.com/sigstore/sigstore/pkg/signature/payload/payload.go
index cab6f5b98a..58cbff7973 100644
--- a/vendor/github.com/sigstore/sigstore/pkg/signature/payload/payload.go
+++ b/vendor/github.com/sigstore/sigstore/pkg/signature/payload/payload.go
@@ -29,8 +29,8 @@ const CosignSignatureType = "cosign container image signature"
// SimpleContainerImage describes the structure of a basic container image signature payload, as defined at:
// https://github.com/containers/image/blob/main/docs/containers-signature.5.md#json-data-format
type SimpleContainerImage struct {
- Critical Critical `json:"critical"` // Critical data critical to correctly evaluating the validity of the signature
- Optional map[string]interface{} `json:"optional"` // Optional optional metadata about the image
+ Critical Critical `json:"critical"` // Critical data critical to correctly evaluating the validity of the signature
+ Optional map[string]any `json:"optional"` // Optional optional metadata about the image
}
// Critical data critical to correctly evaluating the validity of a signature
@@ -65,7 +65,7 @@ type Cosign struct {
// - Older versions of cosign generate signatures where ClaimedIdentity only contains a registry/…/repo ; signature consumers should allow users
// to determine whether such images should be accepted (and, long-term, the default SHOULD be to reject them)
ClaimedIdentity string
- Annotations map[string]interface{}
+ Annotations map[string]any
}
// SimpleContainerImage returns information about a container image in the github.com/containers/image/signature format
diff --git a/vendor/github.com/sigstore/sigstore/pkg/signature/util.go b/vendor/github.com/sigstore/sigstore/pkg/signature/util.go
index 3f8beff49c..e4d7c4190d 100644
--- a/vendor/github.com/sigstore/sigstore/pkg/signature/util.go
+++ b/vendor/github.com/sigstore/sigstore/pkg/signature/util.go
@@ -28,7 +28,7 @@ import (
)
// SignImage signs a container manifest using the specified signer object
-func SignImage(signer SignerVerifier, image name.Digest, optionalAnnotations map[string]interface{}) (payload, signature []byte, err error) {
+func SignImage(signer SignerVerifier, image name.Digest, optionalAnnotations map[string]any) (payload, signature []byte, err error) {
imgPayload := sigpayload.Cosign{
Image: image,
Annotations: optionalAnnotations,
@@ -45,7 +45,7 @@ func SignImage(signer SignerVerifier, image name.Digest, optionalAnnotations map
}
// VerifyImageSignature verifies a signature over a container manifest
-func VerifyImageSignature(signer SignerVerifier, payload, signature []byte) (image name.Digest, annotations map[string]interface{}, err error) {
+func VerifyImageSignature(signer SignerVerifier, payload, signature []byte) (image name.Digest, annotations map[string]any, err error) {
if err := signer.VerifySignature(bytes.NewReader(signature), bytes.NewReader(payload)); err != nil {
return name.Digest{}, nil, fmt.Errorf("signature verification failed: %w", err)
}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 3946df7011..151f5187b3 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1158,7 +1158,7 @@ github.com/sigstore/rekor-tiles/v2/pkg/generated/protobuf
github.com/sigstore/rekor-tiles/v2/pkg/note
github.com/sigstore/rekor-tiles/v2/pkg/types/verifier
github.com/sigstore/rekor-tiles/v2/pkg/verify
-# github.com/sigstore/sigstore v1.10.4
+# github.com/sigstore/sigstore v1.10.5
## explicit; go 1.25.0
github.com/sigstore/sigstore/pkg/cryptoutils
github.com/sigstore/sigstore/pkg/cryptoutils/goodkey