chore(deps): update dependency sigstore/cosign to v3.1.1 #239

Merged
CSRBot merged 1 commits from renovate/sigstore-cosign-3.x into master 2026-06-09 20:06:21 +02:00

This PR contains the following updates:

Package | Update | Change
sigstore/cosign | patch | v3.1.0 → v3.1.1

Release Notes

sigstore/cosign (sigstore/cosign)

v3.1.1

Compare Source

What's Changed

Note: v3.1.0 was skipped due to a bug in our release pipeline. v3.1.1 is identical to v3.1.0

This release deprecates a number of flags related to verification material input for trust root material, as well as the bundle format, standardized across Sigstore SDKs, which is now the default output and input for signing and verifying respectively. You may continue to use the deprecated flags with Cosign v3.x releases. The deprecated flags will be removed in a future Cosign v4 release.

This release also updates the signing path for logging to Rekor v2. DSSE attestations will be logged as hashed entries, using the DSSE's pre-auth encoding (PAE). This should unblock developers who want to upload large signed DSSEs such as SBOMs.

  • Initialize PKCS11 slots Before Getting Token Info in #4803
  • Sign exclusively via sigstore-go in #4618
  • bundle create: Prevent IgnoreTlog when bundle contains SET in #4829
  • Require bundle output or registry upload in #4785
  • fix(load): pass NameOptions to name.ParseReference in #4786
  • fix: honor --digestAlg when hashing a blob in verify-blob-attestation in #4813
  • Deprecate Flags for v4: Certificates in #4822
  • Deprecate flags signing config in #4844
  • Deprecate flags bundle in #4838
  • Fix typo in map of verify command fields unsupported for new bundle format in #4853
  • Add bundle upgrade command in #4820
  • Deprecate Flags for v4 in #4854
  • fix: close file descriptor leaked in WriteSignedImageIndexImages loop in #4869
  • fix: use Header.Set to prevent duplicate Authorization on retry in #4870
  • feat(cli): add Rekor v2 flag to cosign signing-config create in #4868
  • Fix crash verifying timestamps when no timestamp was verified in #4881
  • Deprecate Flags for v4: OCI Referrers in #4804
  • Use the configured Target Repository more consistently in #4836
  • fix: check HTTP status code in LoadFileOrURL in #4877
  • Fix unsafe type assertion in Rego policy evaluation by in #4882
  • Fix Ed25519ph check to respect custom signing configs in sign-blob in #4880
  • Enable initialize command output in conformance in #4892
  • verify: return TUF errors for new bundle trusted roots in #4878
  • Deprecate subcommands in #4894
  • Remove docstring references to deprecated flags in #4910
  • fix(verify): Attach detached certificates to static signatures via wrapped verifier in #4737
  • fix(verify): copy CheckOpts inside VerifyNewBundle to fix data race in #4917
  • Update sigstore-go to v1.2.0 in #4914

Full Changelog: https://github.com/sigstore/cosign/compare/v3.0.6...v3.1.1


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.
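
The release notes above say DSSE attestations are logged as hashed entries over the DSSE pre-auth encoding (PAE). The following is an added example, not code from this PR or from cosign: it builds the PAE as defined by the DSSE v1 specification, hashes it, and checks a logged digest against an envelope in hand. The SHA-256 choice, the function names and the sample envelope are assumptions of the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Envelope holds the two DSSE envelope fields that feed the PAE.
type Envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"` // base64; this example accepts standard encoding only
}

// PAE builds the DSSE v1 pre-authentication encoding:
// "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body
// LEN is the ASCII decimal byte length, so type and body cannot be confused.
func PAE(payloadType string, body []byte) []byte {
	head := fmt.Sprintf("DSSEv1 %d %s %d ", len(payloadType), payloadType, len(body))
	return append([]byte(head), body...)
}

// PAEDigest parses an envelope and returns hex(SHA-256(PAE)).
// SHA-256 is this example's assumption, not taken from the release notes.
func PAEDigest(envelopeJSON []byte) (string, error) {
	var env Envelope
	if err := json.Unmarshal(envelopeJSON, &env); err != nil {
		return "", fmt.Errorf("parse envelope: %w", err)
	}
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return "", fmt.Errorf("decode payload: %w", err)
	}
	sum := sha256.Sum256(PAE(env.PayloadType, body))
	return hex.EncodeToString(sum[:]), nil
}

// MatchesLogged reports whether a digest recorded in a log entry
// corresponds to the envelope in hand.
func MatchesLogged(envelopeJSON []byte, loggedHex string) bool {
	got, err := PAEDigest(envelopeJSON)
	return err == nil && got == loggedHex
}

// sampleEnvelope is constructed for this example; the signature list is left empty.
const sampleEnvelope = `{"payloadType":"http://example.com/HelloWorld","payload":"aGVsbG8gd29ybGQ=","signatures":[]}`

func main() {
	d, err := PAEDigest([]byte(sampleEnvelope))
	fmt.Println(d, err, MatchesLogged([]byte(sampleEnvelope), d))
}
```

The digest has a fixed length whatever the payload size, which is why a hashed entry suits large attestations such as SBOMs.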

CSRBot added 1 commit 2026-06-09 20:04:08 +02:00
chore(deps): update dependency sigstore/cosign to v3.1.1
Lint Golang files / Run golang CI linter (stable, ubuntu-latest-amd64) (push) Successful in 17s
Run Golang tests / Run unit tests (stable, ubuntu-latest-arm64) (pull_request) Successful in 25s
Run Golang tests / Run unit tests (stable, ubuntu-latest-amd64) (pull_request) Successful in 9s
Run Golang tests / Run unit tests (stable, ubuntu-latest-arm64) (push) Successful in 22s
Run Golang tests / Run unit tests (stable, ubuntu-latest-amd64) (push) Successful in 9s
Lint Golang files / Run golang CI linter (stable, ubuntu-latest-arm64) (push) Successful in 36s
Lint Golang files / Run golang CI linter (stable, ubuntu-latest-amd64) (pull_request) Successful in 15s
Lint Markdown files / Run markdown linter (pull_request) Successful in 9s
Lint Golang files / Run golang CI linter (stable, ubuntu-latest-arm64) (pull_request) Successful in 43s
41c3163301
CSRBot scheduled this pull request to auto merge when all checks succeed 2026-06-09 20:04:10 +02:00
CSRBot merged commit 679b2a5c74 into master 2026-06-09 20:06:21 +02:00
CSRBot deleted branch renovate/sigstore-cosign-3.x 2026-06-09 20:06:22 +02:00