Skip to content

chore(deps): bump github.com/sigstore/cosign/v3 from 3.0.4 to 3.0.6#19850

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/go_modules/github.com/sigstore/cosign/v3-3.0.6
Open

chore(deps): bump github.com/sigstore/cosign/v3 from 3.0.4 to 3.0.6#19850
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/go_modules/github.com/sigstore/cosign/v3-3.0.6

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 7, 2026
edited
Loading

Bumps github.com/sigstore/cosign/v3 from 3.0.4 to 3.0.6.

Release notes

Sourced from github.com/sigstore/cosign/v3's releases.

v3.0.6

Changelog

v3.0.6 resolves GHSA-w6c6-c85g-mmv6. This release also adds support for signing with OpenBao-managed keys.

  • f1ad3ee952313be5d74a49d67ba0aa8d0d5e351f Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6) (#4801)
  • a09afa97480a0a4a20ad6314600598b7bddc8c0c Handle whitespace-only certificate annotation (#4760)
  • 5a38a6d3368f0286ef214c3fd81388c99b3444b8 fix(sign): closing SignerVerifier too early when signing with a security key (#4761)
  • 2290a593c9f5b300322b83e1f2a632953aeb840c Disallow --new-bundle-format and --rfc3161-timestamp (#4762)
  • 36f40082f3c507e131cb9d926b75b36606160483 support managed keys in conformance testing (#4728)
  • 3274cf98c6a2c2fc12618edfa26612e8a071820a Add support for GCE metadata server env var (#4732)
  • 2e9754aa80a54fe7062a63debe12ae2b11b87e5a fix: preserve per-layer annotations in WriteAttestationsReferrer (#4709)
  • dece2753067e2da18c5e0a0060e0de59fedee0b0 Fix parsing of in-toto for string predicates
  • bd4f0fde48c16d2c55ad82acf34166a39be262a8 Mark batch of flags for deprecation (#4698)
  • 9b259ff6b690c0f0844893016cd23c2c250124f2 disallow key and cert identity being used together during verification (#4636)
  • 95eb1c3155b7ad11cc443c5a26f37eeede244e66 support key creation in GitLab group (#4704)

Thanks to all contributors!

v3.0.5

v3.0.5 resolves a low-severity advisory for private PKIs.

Deprecations

  • Deprecate rekor-entry-type flag (#4691)
  • Deprecate cosign triangulate (#4676)
  • Deprecate cosign copy (#4681)

Features

  • Automatically require signed timestamp with Rekor v2 entries (#4666)
  • Allow --local-image with --new-bundle-format for v2 and v3 signatures (#4626)
  • Add mTLS support for TSA client connections when signing with a signing config (#4620)
  • Enforce TSA requirement for Rekor v2, Fuclio signing (#4683)

Bug Fixes

  • Add empty predicate to cosign sign when payload type is application/vnd.in-toto+json (#4635)
  • fix: avoid panic on malformed attestation payload (#4651)
  • fix: avoid panic on malformed tlog entries (#4649)
  • fix: avoid panic on malformed replace payload (#4653)
  • Gracefully fail if bundle payload body is not a string (#4648)
  • Verify validity of chain rather than just certificate (#4663)
  • fix: avoid panic on malformed tlog entry body (#4652)

Documentation

  • docs(cosign): clarify RFC3161 revocation semantics (#4642)

... (truncated)

Changelog

Sourced from github.com/sigstore/cosign/v3's changelog.

v3.0.5

Deprecations

  • Deprecate rekor-entry-type flag (#4691)
  • Deprecate cosign triangulate (#4676)
  • Deprecate cosign copy (#4681)

Features

  • Automatically require signed timestamp with Rekor v2 entries (#4666)
  • Allow --local-image with --new-bundle-format for v2 and v3 signatures (#4626)
  • Add mTLS support for TSA client connections when signing with a signing config (#4620)
  • Enforce TSA requirement for Rekor v2, Fuclio signing (#4683)

Bug Fixes

  • Add empty predicate to cosign sign when payload type is application/vnd.in-toto+json (#4635)
  • fix: avoid panic on malformed attestation payload (#4651)
  • fix: avoid panic on malformed tlog entries (#4649)
  • fix: avoid panic on malformed replace payload (#4653)
  • Gracefully fail if bundle payload body is not a string (#4648)
  • Verify validity of chain rather than just certificate (#4663)
  • fix: avoid panic on malformed tlog entry body (#4652)

Documentation

  • docs(cosign): clarify RFC3161 revocation semantics (#4642)
  • Fix typo in CLI help (#4701)
Commits

@dependabot dependabot bot added auto-merge Auto-merge minor and patch version bumps auto-retest PRs with this label will be automatically retested if prow checks fails ci-all-qa-tests Tells CI to run all API tests (not just BAT). dependencies Pull requests that update a dependency file labels Apr 7, 2026
@dependabot dependabot bot requested a review from a team as a code owner April 7, 2026 05:54
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 7, 2026
edited
Loading

🚀 Build Images Ready

Images are ready for commit 03af198. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.11.x-575-g03af19847d

@rhacs-bot
Copy link
Copy Markdown
Contributor

rhacs-bot commented Apr 7, 2026

/retest

3 similar comments
@rhacs-bot
Copy link
Copy Markdown
Contributor

rhacs-bot commented Apr 7, 2026

/retest

@rhacs-bot
Copy link
Copy Markdown
Contributor

rhacs-bot commented Apr 7, 2026

/retest

@rhacs-bot
Copy link
Copy Markdown
Contributor

rhacs-bot commented Apr 7, 2026

/retest

@dependabot
chore(deps): bump github.com/sigstore/cosign/v3 from 3.0.4 to 3.0.6
03af198 
Bumps [github.com/sigstore/cosign/v3](https://github.com/sigstore/cosign) from 3.0.4 to 3.0.6.
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](sigstore/cosign@v3.0.4...v3.0.6)

---
updated-dependencies:
- dependency-name: github.com/sigstore/cosign/v3
  dependency-version: 3.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/sigstore/cosign/v3-3.0.6 branch from 89fa63a to 03af198 Compare April 7, 2026 09:18
@openshift-ci
Copy link
Copy Markdown

openshift-ci bot commented Apr 7, 2026

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci
Copy link
Copy Markdown

openshift-ci bot commented Apr 7, 2026

@dependabot[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/gke-ui-e2e-tests 03af198 link true /test gke-ui-e2e-tests
ci/prow/gke-qa-e2e-tests 03af198 link false /test gke-qa-e2e-tests
ci/prow/gke-nongroovy-e2e-tests 03af198 link true /test gke-nongroovy-e2e-tests
ci/prow/gke-upgrade-tests 03af198 link false /test gke-upgrade-tests
ci/prow/ocp-4-12-nongroovy-e2e-tests 03af198 link false /test ocp-4-12-nongroovy-e2e-tests
ci/prow/ocp-4-21-nongroovy-e2e-tests 03af198 link false /test ocp-4-21-nongroovy-e2e-tests

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

auto-merge Auto-merge minor and patch version bumps auto-retest PRs with this label will be automatically retested if prow checks fails ci-all-qa-tests Tells CI to run all API tests (not just BAT). dependencies Pull requests that update a dependency file needs-rebase

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rhacs-bot