Skip to content

chore(deps): update module github.com/sigstore/cosign/v2 to v3 #492

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update module github.com/sigstore/cosign/v2 to v3 #492

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Nov 24, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/sigstore/cosign/v2 v2.6.1 -> v3.0.3 age adoption passing confidence

Release Notes

sigstore/cosign (github.com/sigstore/cosign/v2)

v3.0.3

Compare Source

Thank you for all of your feedback on Cosign v3! v3.0.3 fixes a number of bugs reported by
the community along with adding compatibility for the new bundle format and attestation
storage in OCI to additional commands. We're continuing to work on compatibility with
the remaining commands and will have a new release shortly. If you run into any problems,
please file an issue

Changes

  • 4554: Closes 4554 - Add warning when --output* is used (#​4556)
  • Protobuf bundle support for subcommand clean (#​4539)
  • Add staging flag to initialize with staging TUF metadata
  • Updating sign-blob to also support signing with a certificate (#​4547)
  • Protobuf bundle support for subcommands save and load (#​4538)
  • Fix cert attachment for new bundle with signing config
  • Fix OCI verification with local cert - old bundle
  • Deprecate tlog-upload flag (#​4458)
  • fix: Use signal context for sign cli package.
  • update offline verification directions (#​4526)
  • Fix signing/verifying annotations for new bundle
  • Add support to download and attach for protobuf bundles (#​4477)
  • Add --signing-algorithm flag (#​3497)
  • Refactor signcommon bundle helpers
  • Add --bundle and fix --upload for new bundle
  • Pass insecure registry flags through to referrers
  • Add protobuf bundle support for tree subcommand (#​4491)
  • Remove stale embed import (#​4492)
  • Support multiple container identities
  • Fix segfault when no attestations are found (#​4472)
  • Use overridden repository for new bundle format (#​4473)
  • Remove --out flag from cosign initialize (#​4462)
  • Deprecate offline flag (#​4457)
  • Deduplicate code in sign/attest* and verify* commands (#​4449)
  • Cache signing config when calling initialize (#​4456)

v3.0.2

Compare Source

v3.0.2 is a functionally equivalent release to v3.0.0 and v3.0.1, with a fix for CI to publish signed releases in the new bundle format.

  • Note that the --bundle flag specifying an output file to write the Sigstore bundle (which contains all relevant verification material) has moved from optional to required in v3.

Changes

  • choose different signature filename for KMS-signed release signatures (#​4448)
  • Update rekor-tiles version path (#​4450)

v3.0.1

Compare Source

v3.0.1 is an equivalent release to v3.0.0, which was never published due to a failure in our CI workflows.

  • Note that the --bundle flag specifying an output file to write the Sigstore bundle (which contains all relevant verification material) has moved from optional to required in v3.

Changes

  • update goreleaser config for v3.0.0 release (#​4446)

v3.0.0

Compare Source

Announcing the next major release of Cosign!

Cosign v3 is a minor change from Cosign v2.6.x, with all of the new capabilities of recent
releases on by default, but will still allow you to disable them if you need the older functionality.
These new features include support for the standardized bundle format (--new-bundle-fomat), providing roots
of trust for verification and service URLs for signing via one file (--trusted-root, --signing-config),
and container signatures stored as an OCI Image 1.1 referring artifact.

Learn more on our v3 announcement blog post! See
the changelogs for v2.6.0, v2.5.0, and v2.4.0 for more information on recent
changes.

If you have any feedback, please reach out on Slack or file an issue on GitHub.

Changes

  • Default to using the new protobuf format (#​4318)
  • Fetch service URLs from the TUF PGI signing config by default (#​4428)
  • Bump module version to v3 for Cosign v3.0 (#​4427)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added dependencies Pull requests that update a dependency file ok-to-test labels Nov 24, 2025
@cert-manager-prow cert-manager-prow bot added the dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. label Nov 24, 2025
@cert-manager-prow
Copy link
Contributor

cert-manager-prow bot commented Nov 24, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign sgtcodfish for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Nov 24, 2025
@wallrj-cyberark
Copy link
Member

wallrj-cyberark commented Dec 3, 2025

/hold My hunch is that this will break things.

Before merging it, I think we should test this branch by temporarily updating the klone file in one of the sub-projects (e.g., csi-driver), and testing the oci-publish target.

richard@localhost:~/projects/cert-manager/csi-driver$ git grep cosign
make/_shared/oci-publish/01_mod.mk:cosign_flags_$1 ?= $(COSIGN_FLAGS)
make/_shared/oci-publish/01_mod.mk:                $$(COSIGN) sign --yes=true $(cosign_flags_$1) "$2@$$(call oci_digest,$1)"
make/_shared/tools/00_mod.mk:# https://pkg.go.dev/github.com/sigstore/cosign/v2/cmd/cosign?tab=versions
make/_shared/tools/00_mod.mk:# renovate: datasource=go packageName=github.com/sigstore/cosign/v2
make/_shared/tools/00_mod.mk:tools += cosign=v2.6.1
make/_shared/tools/00_mod.mk:go_dependencies += cosign=github.com/sigstore/cosign/v2/cmd/cosign

@cert-manager-prow cert-manager-prow bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 3, 2025
@renovate renovate bot force-pushed the renovate/github.com-sigstore-cosign-v2-3.x branch from efd0e62 to 155df87 Compare December 10, 2025 04:44
@renovate
chore(deps): update module github.com/sigstore/cosign/v2 to v3
3f47bdc 
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
@renovate
Copy link
Contributor Author

renovate bot commented Dec 10, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: undefined
Command failed: make vendor-go learn-tools-shas
go: downloading github.com/google/go-containerregistry v0.20.7
go: downloading github.com/docker/cli v29.0.3+incompatible
go: downloading github.com/opencontainers/image-spec v1.1.1
go: downloading github.com/spf13/cobra v1.10.1
go: downloading github.com/mitchellh/go-homedir v1.1.0
go: downloading golang.org/x/sync v0.18.0
go: downloading github.com/opencontainers/go-digest v1.0.0
go: downloading github.com/docker/distribution v2.8.3+incompatible
go: downloading github.com/containerd/stargz-snapshotter/estargz v0.18.1
go: downloading github.com/google/go-cmp v0.7.0
go: downloading github.com/spf13/pflag v1.0.9
go: downloading github.com/sirupsen/logrus v1.9.3
go: downloading github.com/docker/docker-credential-helpers v0.9.3
go: downloading github.com/klauspost/compress v1.18.1
go: downloading github.com/vbatts/tar-split v0.12.2
go: downloading golang.org/x/sys v0.38.0
curl: (56) Recv failure: Connection reset by peer
make[1]: *** [tools/00_mod.mk:672: /tmp/tmp.yXX61yzV4J/_bin/learn/download/tools/rclone@v1.72.0_darwin_amd64] Error 56
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:108: learn-tools-shas] Error 2

@renovate renovate bot force-pushed the renovate/github.com-sigstore-cosign-v2-3.x branch from 155df87 to 3f47bdc Compare December 10, 2025 12:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. dependencies Pull requests that update a dependency file do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. ok-to-test size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@wallrj-cyberark