fix(deps): update module github.com/sigstore/cosign/v3 to v3.1.1 (main) by crossplane-renovate[bot] · Pull Request #980 · crossplane/crossplane-runtime

crossplane-renovate · 2026-04-18T08:16:23Z

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/sigstore/cosign/v3	`v3.0.5` → `v3.1.1`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

sigstore/cosign (github.com/sigstore/cosign/v3)

`v3.1.1`

Compare Source

What's Changed

Note: v3.1.0 was skipped due to a bug in our release pipeline. v3.1.1 is identical to v3.1.0

This release deprecates a number of flags related to verification material input for trust root material, as well as the bundle format, standardized across Sigstore SDKs, which is now the default output and input for signing and verifying respectively. You may continue to use the deprecated flags with Cosign v3.x releases. The deprecated flags will be removed in a future Cosign v4 release.

This release also updates the signing path for logging to Rekor v2. DSSE attestations will be logged as hashed entries, using the DSSE's pre-auth encoding (PAE). This should unblock developers who want to upload large signed DSSEs such as SBOMs.

Initialize PKCS11 slots Before Getting Token Info in #4803
Sign exclusively via sigstore-go in #4618
bundle create: Prevent IgnoreTlog when bundle contains SET in #4829
Require bundle output or registry upload in #4785
fix(load): pass NameOptions to name.ParseReference in #4786
fix: honor --digestAlg when hashing a blob in verify-blob-attestation in #4813
Deprecate Flags for v4: Certificates in #4822
Deprecate flags signing config in #4844
Deprecate flags bundle in #4838
Fix typo in map of verify command fields unsupported for new bundle format in #4853
Add bundle upgrade command in #4820
Deprecate Flags for v4 in #4854
fix: close file descriptor leaked in WriteSignedImageIndexImages loop in #4869
fix: use Header.Set to prevent duplicate Authorization on retry in #4870
feat(cli): add Rekor v2 flag to cosign signing-config create in #4868
Fix crash verifying timestamps when no timestamp was verified in #4881
Deprecate Flags for v4: OCI Referrers in #4804
Use the configured Target Repository more consistently in #4836
fix: check HTTP status code in LoadFileOrURL in #4877
Fix unsafe type assertion in Rego policy evaluation by in #4882
Fix Ed25519ph check to respect custom signing configs in sign-blob in #4880
Enable initialize command output in conformance in #4892
verify: return TUF errors for new bundle trusted roots in #4878
Deprecate subcommands in #4894
Remove docstring references to deprecated flags in #4910
fix(verify): Attach detached certificates to static signatures via wrapped verifier in #4737
fix(verify): copy CheckOpts inside VerifyNewBundle to fix data race in #4917
Update sigstore-go to v1.2.0 in #4914

Full Changelog: sigstore/cosign@v3.0.6...v3.1.1

`v3.1.0`

Compare Source

`v3.0.6`

Compare Source

Changelog

v3.0.6 resolves GHSA-w6c6-c85g-mmv6. This release also adds support for signing with OpenBao-managed keys.

f1ad3ee Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6) (#4801)
a09afa9 Handle whitespace-only certificate annotation (#4760)
5a38a6d fix(sign): closing SignerVerifier too early when signing with a security key (#4761)
2290a59 Disallow --new-bundle-format and --rfc3161-timestamp (#4762)
36f4008 support managed keys in conformance testing (#4728)
3274cf9 Add support for GCE metadata server env var (#4732)
2e9754a fix: preserve per-layer annotations in WriteAttestationsReferrer (#4709)
dece275 Fix parsing of in-toto for string predicates
bd4f0fd Mark batch of flags for deprecation (#4698)
9b259ff disallow key and cert identity being used together during verification (#4636)
95eb1c3 support key creation in GitLab group (#4704)

Thanks to all contributors!

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

crossplane-renovate · 2026-05-08T08:32:06Z

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

crossplane-renovate · 2026-06-06T08:55:18Z

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

63 additional dependencies were updated
The go directive was updated for compatibility reasons

Details:

Package	Change
`go`	`1.25.9` -> `1.26.0`
`google.golang.org/protobuf`	`v1.36.11` -> `v1.36.12-0.20260120151049-f2248ac996af`
`k8s.io/api`	`v0.35.1` -> `v0.36.1`
`k8s.io/apimachinery`	`v0.35.1` -> `v0.36.1`
`k8s.io/client-go`	`v0.35.1` -> `v0.36.1`
`k8s.io/utils`	`v0.0.0-20260108192941-914a6e750570` -> `v0.0.0-20260210185600-b8788abfbbc2`
`github.com/aws/aws-sdk-go-v2`	`v1.41.4` -> `v1.41.7`
`github.com/aws/aws-sdk-go-v2/config`	`v1.32.12` -> `v1.32.18`
`github.com/aws/aws-sdk-go-v2/credentials`	`v1.19.12` -> `v1.19.17`
`github.com/aws/aws-sdk-go-v2/feature/ec2/imds`	`v1.18.20` -> `v1.18.23`
`github.com/aws/aws-sdk-go-v2/internal/configsources`	`v1.4.20` -> `v1.4.23`
`github.com/aws/aws-sdk-go-v2/internal/endpoints/v2`	`v2.7.20` -> `v2.7.23`
`github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding`	`v1.13.7` -> `v1.13.9`
`github.com/aws/aws-sdk-go-v2/service/internal/presigned-url`	`v1.13.20` -> `v1.13.23`
`github.com/aws/aws-sdk-go-v2/service/signin`	`v1.0.8` -> `v1.0.11`
`github.com/aws/aws-sdk-go-v2/service/sso`	`v1.30.13` -> `v1.30.17`
`github.com/aws/aws-sdk-go-v2/service/ssooidc`	`v1.35.17` -> `v1.36.0`
`github.com/aws/aws-sdk-go-v2/service/sts`	`v1.41.9` -> `v1.42.1`
`github.com/aws/smithy-go`	`v1.24.2` -> `v1.25.1`
`github.com/coreos/go-oidc/v3`	`v3.17.0` -> `v3.18.0`
`github.com/fsnotify/fsnotify`	`v1.9.0` -> `v1.10.1`
`github.com/go-chi/chi/v5`	`v5.2.5` -> `v5.3.0`
`github.com/go-openapi/analysis`	`v0.24.3` -> `v0.25.2`
`github.com/go-openapi/jsonpointer`	`v0.22.5` -> `v0.23.1`
`github.com/go-openapi/jsonreference`	`v0.21.5` -> `v0.21.6`
`github.com/go-openapi/runtime`	`v0.29.3` -> `v0.32.3`
`github.com/go-openapi/spec`	`v0.22.4` -> `v0.22.5`
`github.com/go-openapi/strfmt`	`v0.26.1` -> `v0.26.3`
`github.com/go-openapi/swag`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/cmdutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/conv`	`v0.25.5` -> `v0.26.1`
`github.com/go-openapi/swag/fileutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/jsonname`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/jsonutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/loading`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/mangling`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/netutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/stringutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/typeutils`	`v0.25.5` -> `v0.26.1`
`github.com/go-openapi/swag/yamlutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/validate`	`v0.25.2` -> `v0.25.3`
`github.com/grpc-ecosystem/grpc-gateway/v2`	`v2.27.7` -> `v2.29.0`
`github.com/prometheus/procfs`	`v0.19.2` -> `v0.20.1`
`github.com/sigstore/protobuf-specs`	`v0.5.0` -> `v0.5.1`
`github.com/sigstore/rekor`	`v1.5.1` -> `v1.5.2`
`github.com/sigstore/rekor-tiles/v2`	`v2.2.1` -> `v2.2.2-0.20260601073857-5d098a2b6443`
`github.com/sigstore/sigstore-go`	`v1.1.4` -> `v1.2.0`
`github.com/sigstore/timestamp-authority/v2`	`v2.0.6` -> `v2.1.2`
`github.com/theupdateframework/go-tuf/v2`	`v2.4.1` -> `v2.4.2`
`github.com/transparency-dev/formats`	`v0.0.0-20251017110053-404c0d5b696c` -> `v0.1.1`
`go.opentelemetry.io/otel`	`v1.43.0` -> `v1.44.0`
`go.opentelemetry.io/otel/metric`	`v1.43.0` -> `v1.44.0`
`go.opentelemetry.io/otel/trace`	`v1.43.0` -> `v1.44.0`
`go.uber.org/zap`	`v1.27.1` -> `v1.28.0`
`go.yaml.in/yaml/v2`	`v2.4.3` -> `v2.4.4`
`golang.org/x/crypto`	`v0.52.0` -> `v0.53.0`
`golang.org/x/sync`	`v0.20.0` -> `v0.21.0`
`golang.org/x/sys`	`v0.45.0` -> `v0.46.0`
`golang.org/x/term`	`v0.43.0` -> `v0.44.0`
`golang.org/x/text`	`v0.37.0` -> `v0.38.0`
`google.golang.org/genproto/googleapis/api`	`v0.0.0-20260316180232-0b37fe3546d5` -> `v0.0.0-20260526163538-3dc84a4a5aaa`
`google.golang.org/genproto/googleapis/rpc`	`v0.0.0-20260316180232-0b37fe3546d5` -> `v0.0.0-20260523011958-0a33c5d7ca68`
`k8s.io/kube-openapi`	`v0.0.0-20260127142750-a19766b6e2d4` -> `v0.0.0-20260317180543-43fb72c5454a`
`sigs.k8s.io/structured-merge-diff/v6`	`v6.3.2-0.20260122202528-d9cc6641c482` -> `v6.3.2`

crossplane-renovate Bot added the automated label Apr 18, 2026

crossplane-renovate Bot requested a review from a team as a code owner April 18, 2026 08:16

crossplane-renovate Bot requested a review from jbw976 April 18, 2026 08:16

crossplane-renovate Bot force-pushed the renovate/main-github.com-sigstore-cosign-v3-3.x branch from 6991ea2 to 91a3cd9 Compare June 6, 2026 08:55

crossplane-renovate Bot changed the title ~~fix(deps): update module github.com/sigstore/cosign/v3 to v3.0.6 (main)~~ fix(deps): update module github.com/sigstore/cosign/v3 to v3.1.0 (main) Jun 6, 2026

crossplane-renovate Bot force-pushed the renovate/main-github.com-sigstore-cosign-v3-3.x branch 2 times, most recently from bfc1cc6 to 18df698 Compare June 10, 2026 09:14

crossplane-renovate Bot changed the title ~~fix(deps): update module github.com/sigstore/cosign/v3 to v3.1.0 (main)~~ fix(deps): update module github.com/sigstore/cosign/v3 to v3.1.1 (main) Jun 10, 2026

crossplane-renovate Bot force-pushed the renovate/main-github.com-sigstore-cosign-v3-3.x branch 4 times, most recently from f5bd6f1 to 93c78fd Compare June 14, 2026 02:40

bobh66 force-pushed the renovate/main-github.com-sigstore-cosign-v3-3.x branch from 93c78fd to a18b769 Compare June 14, 2026 15:16

fix(deps): update module github.com/sigstore/cosign/v3 to v3.1.1

47f36e7

crossplane-renovate Bot force-pushed the renovate/main-github.com-sigstore-cosign-v3-3.x branch from a18b769 to 47f36e7 Compare June 15, 2026 10:10

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update module github.com/sigstore/cosign/v3 to v3.1.1 (main)#980

fix(deps): update module github.com/sigstore/cosign/v3 to v3.1.1 (main)#980
crossplane-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-github.com-sigstore-cosign-v3-3.x

crossplane-renovate Bot commented Apr 18, 2026 •

edited

Loading

Uh oh!

crossplane-renovate Bot commented May 8, 2026

Uh oh!

crossplane-renovate Bot commented Jun 6, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

crossplane-renovate Bot commented Apr 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

v3.1.1

What's Changed

v3.1.0

v3.0.6

Changelog

Thanks to all contributors!

Configuration

Uh oh!

crossplane-renovate Bot commented May 8, 2026

Edited/Blocked Notification

Uh oh!

crossplane-renovate Bot commented Jun 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

ℹ️ Artifact update notice

File name: go.mod

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

crossplane-renovate Bot commented Apr 18, 2026 •

edited

Loading

`v3.1.1`

`v3.1.0`

`v3.0.6`

crossplane-renovate Bot commented Jun 6, 2026 •

edited

Loading