chore(deps): update dependency sigstore/cosign to v3.1.2 #175

Merged
CSRBot merged 1 commits from renovate/sigstore-cosign-3.x into master 2026-07-17 20:11:10 +02:00
Collaborator

This PR contains the following updates:

Package Update Change
sigstore/cosign patch v3.1.1v3.1.2

Release Notes

sigstore/cosign (sigstore/cosign)

v3.1.2

Compare Source

This may be the last Cosign v3.1 release, as we finish deprecations and removing unused functionality. Soon we'll start work on Cosign v4 where we will remove things that are currently deprecated. We'll continue to support Cosign v3, with it's opt-in backwards compatibility, as described in our versioning policy.

If you haven't already, now is an excellent time to move to the bundle format that has been supported since Cosign v2.6.

We have received a ton of fixes over the past month from folks using Cosign in a variety of environments - thank you all!

Deprecations

Features

Fixes

  • eb3bb86 Guard against empty certificate PEM in mutate.Signature (#​4998)
  • 089731c fix(download): Validate predicate type for new bundle format
  • d996ce1 Skip nil subject entries in IntotoSubjectClaimVerifier (#​5016)
  • 8ca5b20 Fix Makefile: fall back to "unknown" version info when built outside a git repo (#​5000)
  • df78bf6 fix(verify): skip identity validation for security keys (#​5012)
  • aebdc3a fix: include artifactType in OCI 1.1 signature referrer manifest
  • c0edaac Allow attestation download to handle both bundle types (#​4996)
  • a8642c7 Fix panic in dockerfile verify on malformed FROM lines (#​4979)
  • ef3e3b4 fix(release): restore signing-step auth and fail on image signing errors (#​4978)
  • 16ddbcf feat(signing-config): add --base-config flag to override services from base config (#​4977)
  • f17f812 fix: pass NewBundleFormat to KeyOpts in sign command (#​4981)
  • 6ef8d9d fix: ignore build stage references in dockerfile verify (#​4961)
  • 8dbdef5 fix: allow '=' in annotation values (#​4957)

Cleanup

Documentation

  • 8184126 feat: improve verify flag shell completions (#​4965)
  • ed0efe8 docs: fix Short style and add Example fields to piv-tool subcommands (#​4942)
  • d41b86c docs: add Example fields to env and bundle create commands (#​4941)
  • 8a7174a docs: fix Short style and add Example fields to pkcs11-tool subcommands
Thanks to all contributors!

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [sigstore/cosign](https://github.com/sigstore/cosign) | patch | `v3.1.1` → `v3.1.2` | --- ### Release Notes <details> <summary>sigstore/cosign (sigstore/cosign)</summary> ### [`v3.1.2`](https://github.com/sigstore/cosign/releases/tag/v3.1.2) [Compare Source](https://github.com/sigstore/cosign/compare/v3.1.1...v3.1.2) This may be the last Cosign v3.1 release, as we finish deprecations and removing unused functionality. Soon we'll start work on Cosign v4 where we will remove things that are currently deprecated. We'll continue to support Cosign v3, with it's opt-in backwards compatibility, as described in [our versioning policy](https://github.com/sigstore/cosign/blob/main/VERSIONING.md). If you haven't already, now is an excellent time to move to the bundle format that has been supported since Cosign v2.6. We have received a ton of fixes over the past month from folks using Cosign in a variety of environments - thank you all! #### Deprecations - [`816f2b6`](https://github.com/sigstore/cosign/commit/816f2b6634821cefe6ceabbffdd5ff7ffc00d0a4) Deprecate --payload for sign and verify commands ([#&#8203;4991](https://github.com/sigstore/cosign/issues/4991)) #### Features - [`5121398`](https://github.com/sigstore/cosign/commit/5121398c0ae6f4444d8ffd10447d7b765184f304) docs: add OVHcloud KMS in available external plugins ([#&#8203;4962](https://github.com/sigstore/cosign/issues/4962)) - [`38f73bb`](https://github.com/sigstore/cosign/commit/38f73bb8fd949fad71e7086bd122080b2d47ceeb) Add insecure registry flag to ko publish in kind-verify-attestation workflow ([#&#8203;4970](https://github.com/sigstore/cosign/issues/4970)) - [`2e0749a`](https://github.com/sigstore/cosign/commit/2e0749ac11c7326299f6af65ae6a3ab6a6750586) Deprecate --output-attestation ([#&#8203;4958](https://github.com/sigstore/cosign/issues/4958)) - [`2233166`](https://github.com/sigstore/cosign/commit/2233166935e2940a530e5a740adc095f4ca4863d) Add bundle inspect command ([#&#8203;4842](https://github.com/sigstore/cosign/issues/4842)) #### Fixes - [`eb3bb86`](https://github.com/sigstore/cosign/commit/eb3bb86f712a1163591b6663bbc434afb6fad467) Guard against empty certificate PEM in mutate.Signature ([#&#8203;4998](https://github.com/sigstore/cosign/issues/4998)) - [`089731c`](https://github.com/sigstore/cosign/commit/089731c31f750153e9d91ec248c990e3b1991c2b) fix(download): Validate predicate type for new bundle format - [`d996ce1`](https://github.com/sigstore/cosign/commit/d996ce12df6967bb5bf81e3244bfbbe1c2665f34) Skip nil subject entries in IntotoSubjectClaimVerifier ([#&#8203;5016](https://github.com/sigstore/cosign/issues/5016)) - [`8ca5b20`](https://github.com/sigstore/cosign/commit/8ca5b2002f5cd43614c476665e2055e59392b59d) Fix Makefile: fall back to "unknown" version info when built outside a git repo ([#&#8203;5000](https://github.com/sigstore/cosign/issues/5000)) - [`df78bf6`](https://github.com/sigstore/cosign/commit/df78bf67985f09e431f88b69be5842b7d0f5f4eb) fix(verify): skip identity validation for security keys ([#&#8203;5012](https://github.com/sigstore/cosign/issues/5012)) - [`aebdc3a`](https://github.com/sigstore/cosign/commit/aebdc3a232083841b9c957fbba6b80b41df8caad) fix: include artifactType in OCI 1.1 signature referrer manifest - [`c0edaac`](https://github.com/sigstore/cosign/commit/c0edaac063a90b1dcacdabc7fc23e6c6f8ade90d) Allow attestation download to handle both bundle types ([#&#8203;4996](https://github.com/sigstore/cosign/issues/4996)) - [`a8642c7`](https://github.com/sigstore/cosign/commit/a8642c7b8611d557b4a592e6b94b188bd9427d7c) Fix panic in dockerfile verify on malformed FROM lines ([#&#8203;4979](https://github.com/sigstore/cosign/issues/4979)) - [`ef3e3b4`](https://github.com/sigstore/cosign/commit/ef3e3b446a011852929a08f51095ecc67495bfe7) fix(release): restore signing-step auth and fail on image signing errors ([#&#8203;4978](https://github.com/sigstore/cosign/issues/4978)) - [`16ddbcf`](https://github.com/sigstore/cosign/commit/16ddbcf9040b75e2329f2436b65ba3ed340dac88) feat(signing-config): add --base-config flag to override services from base config ([#&#8203;4977](https://github.com/sigstore/cosign/issues/4977)) - [`f17f812`](https://github.com/sigstore/cosign/commit/f17f812494b558499d89a37a6c9161657d2371e9) fix: pass NewBundleFormat to KeyOpts in sign command ([#&#8203;4981](https://github.com/sigstore/cosign/issues/4981)) - [`6ef8d9d`](https://github.com/sigstore/cosign/commit/6ef8d9d040a481e26e065349c292799615ea7e7b) fix: ignore build stage references in dockerfile verify ([#&#8203;4961](https://github.com/sigstore/cosign/issues/4961)) - [`8dbdef5`](https://github.com/sigstore/cosign/commit/8dbdef561622178f453d64d83faa02b1744a19f7) fix: allow '=' in annotation values ([#&#8203;4957](https://github.com/sigstore/cosign/issues/4957)) #### Cleanup - [`193d215`](https://github.com/sigstore/cosign/commit/193d2153431f8bb0d945a4c1ee721872f73add67) Remove unused policy evaluation code ([#&#8203;4936](https://github.com/sigstore/cosign/issues/4936)) - [`0fc9811`](https://github.com/sigstore/cosign/commit/0fc9811059a037c32599e133ec4cc9fead4f354e) Remove unused signing code ([#&#8203;4918](https://github.com/sigstore/cosign/issues/4918)) - [`95dceda`](https://github.com/sigstore/cosign/commit/95dceda0e7ea0b8d1f1a1d2b9a98c9fb2a6e5b74) Remove unused OCI code ([#&#8203;4935](https://github.com/sigstore/cosign/issues/4935)) - [`b1dd2e9`](https://github.com/sigstore/cosign/commit/b1dd2e9524daf7406b350cbbfa7f4cd7b8ea0973) Remove unused ephemeral signer ([#&#8203;4938](https://github.com/sigstore/cosign/issues/4938)) #### Documentation - [`8184126`](https://github.com/sigstore/cosign/commit/81841260820bdddef3ea65c6f0824caca0cf2715) feat: improve verify flag shell completions ([#&#8203;4965](https://github.com/sigstore/cosign/issues/4965)) - [`ed0efe8`](https://github.com/sigstore/cosign/commit/ed0efe8cb464c1bae4711f87b552b1f2e602c816) docs: fix Short style and add Example fields to piv-tool subcommands ([#&#8203;4942](https://github.com/sigstore/cosign/issues/4942)) - [`d41b86c`](https://github.com/sigstore/cosign/commit/d41b86c63cfd2653c263962a9225691c5774c228) docs: add Example fields to env and bundle create commands ([#&#8203;4941](https://github.com/sigstore/cosign/issues/4941)) - [`8a7174a`](https://github.com/sigstore/cosign/commit/8a7174a1d462b3bb5a2722c7e1cf3a24fd1d3896) docs: fix Short style and add Example fields to pkcs11-tool subcommands ##### Thanks to all contributors! </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNjguNCIsInVwZGF0ZWRJblZlciI6IjQzLjI2OC40IiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbInJlbm92YXRlL2F1dG9tZXJnZSIsInJlbm92YXRlL2dpdGh1Yi1hY3Rpb24iXX0=-->
CSRBot added 1 commit 2026-07-17 20:05:05 +02:00
chore(deps): update dependency sigstore/cosign to v3.1.2
Helm / helm-lint (push) Successful in 6s
Helm / helm-unittest (push) Successful in 18s
Helm / helm-lint (pull_request) Successful in 7s
Helm / helm-unittest (pull_request) Successful in 21s
5d34f13333
CODEOWNERS rules requested review from volker.raschek 2026-07-17 20:05:05 +02:00
CSRBot scheduled this pull request to auto merge when all checks succeed 2026-07-17 20:05:07 +02:00
CSRBot merged commit a71619c727 into master 2026-07-17 20:11:10 +02:00
CSRBot deleted branch renovate/sigstore-cosign-3.x 2026-07-17 20:11:11 +02:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: volker.raschek/athens-proxy-charts#175