
[Upstream Sync] Merge v0.16.1 into main#358

Open
securesign-upstream-sync[bot] wants to merge 34 commits into main from sync-upstream/main/v0.16.1

Conversation

@securesign-upstream-sync


Upstream Sync: v0.16.1 into main

Merges upstream sigstore/gitsign@v0.16.1 into main.

Upstream Changes (34 commits)

d5e8a58 Bump sigstore/cosign-installer from 4.1.1 to 4.1.2 in the actions group (#804)
fb02437 Return the actual signer cert from CertVerifier.Verify (#810)
6b9237c Updates (#803)
03848e9 Reject malformed objects in attest predicate generation (#809)
eec018a Bump github.com/go-openapi/strfmt in the gomod group across 1 directory (#811)
3c84d87 Verify against raw git object bytes (#802)
bf96ce6 Migrate release signing to cosign v3 bundle format (#800)
d7565c4 Return errors instead of panicking on empty cert / panic in Wrap (#799)
c9c095d Bump github.com/secure-systems-lab/go-securesystemslib (#798)
1474a07 Bump the actions group across 1 directory with 2 updates (#797)
41a7c1f Bump github.com/sigstore/timestamp-authority/v2 from 2.0.5 to 2.0.6 (#791)
2851028 Bump the gomod group across 1 directory with 4 updates (#796)
1cc894f Bump goreleaser/goreleaser-action from 6.4.0 to 7.1.0 (#795)
a89dfb0 Bump github.com/go-git/go-git/v5 from 5.17.2 to 5.18.0 (#793)
4638d83 Bump docker/login-action from 3.7.0 to 4.1.0 (#787)
bf59fb0 Bump sigstore/cosign-installer from 3.10.0 to 4.1.1 (#785)
5c3a0b9 Bump golang.org/x/crypto from 0.49.0 to 0.50.0 (#788)
64a066c Bump github.com/coreos/go-oidc/v3 from 3.17.0 to 3.18.0 (#789)
9dc706a Bump github.com/in-toto/attestation from 1.1.2 to 1.2.0 (#790)
df415a8 Support attesting tag signatures (#780)
666efd5 Bump the gomod group across 1 directory with 10 updates (#784)
0839b90 Update README.md (#781)
143134a Bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 (#765)
e679f33 Bump github.com/cloudflare/circl from 1.6.2 to 1.6.3 (#768)
7118d3a Bump actions/attest-build-provenance from 3.2.0 to 4.1.0 (#771)
5a5e33b Bump github.com/docker/cli (#772)
8e3d25a Bump the actions group across 1 directory with 3 updates (#776)
d2006ef Bump github.com/go-git/go-git/v5 from 5.16.5 to 5.17.1 (#778)
771801d Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#782)
63c5e09 Fix lint errors (#783)
f9b15e6 Bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 (#762)
96681cd Bump the actions group with 5 updates (#760)
7654617 Bump golang.org/x/oauth2 from 0.34.0 to 0.35.0 (#761)
8a21e88 Bump github.com/coreos/go-systemd/v22 from 22.6.0 to 22.7.0 (#759)

⚠️ Unresolved conflicts

The following files need manual resolution:

  • internal/gpg/status.go
  • internal/io/streams.go

Resolve locally

git fetch origin
git checkout sync-upstream/main/v0.16.1
git merge origin/main

# Auto-resolve Dockerfiles, go.mod, and workflow version bumps
go install github.com/securesign/actions/sync-upstream/resolve-conflicts@main
resolve-conflicts all

# Resolve remaining conflicts manually
# internal/gpg/status.go
# internal/io/streams.go

git add -A && git commit
git push origin sync-upstream/main/v0.16.1

Generated by Sync Upstream action

dependabot Bot and others added 30 commits February 4, 2026 10:43
…#759)

Bumps [github.com/coreos/go-systemd/v22](https://github.com/coreos/go-systemd) from 22.6.0 to 22.7.0.
- [Release notes](https://github.com/coreos/go-systemd/releases)
- [Commits](coreos/go-systemd@v22.6.0...v22.7.0)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-systemd/v22
  dependency-version: 22.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.34.0 to 0.35.0.
- [Commits](golang/oauth2@v0.34.0...v0.35.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.35.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [imjasonh/setup-crane](https://github.com/imjasonh/setup-crane) | `0.4` | `0.5` |
| [anchore/sbom-action](https://github.com/anchore/sbom-action) | `0.21.1` | `0.22.2` |
| [docker/login-action](https://github.com/docker/login-action) | `3.6.0` | `3.7.0` |
| [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) | `3.1.0` | `3.2.0` |
| [actions/cache](https://github.com/actions/cache) | `5.0.2` | `5.0.3` |


Updates `imjasonh/setup-crane` from 0.4 to 0.5
- [Release notes](https://github.com/imjasonh/setup-crane/releases)
- [Commits](imjasonh/setup-crane@31b88ef...6da1ae0)

Updates `anchore/sbom-action` from 0.21.1 to 0.22.2
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](anchore/sbom-action@0b82b0b...28d7154)

Updates `docker/login-action` from 3.6.0 to 3.7.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@5e57cd1...c94ce9f)

Updates `actions/attest-build-provenance` from 3.1.0 to 3.2.0
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](actions/attest-build-provenance@00014ed...96278af)

Updates `actions/cache` from 5.0.2 to 5.0.3
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@8b402f5...cdf6c1f)

---
updated-dependencies:
- dependency-name: imjasonh/setup-crane
  dependency-version: '0.5'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: anchore/sbom-action
  dependency-version: 0.22.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: docker/login-action
  dependency-version: 3.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: actions/attest-build-provenance
  dependency-version: 3.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: actions/cache
  dependency-version: 5.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.1.3 to 4.1.4.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](go-jose/go-jose@v4.1.3...v4.1.4)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.16.5 to 5.17.1.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.16.5...v5.17.1)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.17.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 3 updates in the / directory: [actions/setup-go](https://github.com/actions/setup-go), [anchore/sbom-action](https://github.com/anchore/sbom-action) and [actions/cache](https://github.com/actions/cache).


Updates `actions/setup-go` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@7a3fe6c...4b73464)

Updates `anchore/sbom-action` from 0.22.2 to 0.24.0
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](anchore/sbom-action@28d7154...e22c389)

Updates `actions/cache` from 5.0.3 to 5.0.4
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@cdf6c1f...6682284)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: anchore/sbom-action
  dependency-version: 0.24.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: actions/cache
  dependency-version: 5.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/docker/cli](https://github.com/docker/cli) from 29.1.3+incompatible to 29.2.0+incompatible.
- [Commits](docker/cli@v29.1.3...v29.2.0)

---
updated-dependencies:
- dependency-name: github.com/docker/cli
  dependency-version: 29.2.0+incompatible
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 3.2.0 to 4.1.0.
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](actions/attest-build-provenance@96278af...a2bbfa2)

---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.6.2 to 1.6.3.
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](cloudflare/circl@v1.6.2...v1.6.3)

---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
  dependency-version: 1.6.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [filippo.io/edwards25519](https://github.com/FiloSottile/edwards25519) from 1.1.0 to 1.1.1.
- [Commits](FiloSottile/edwards25519@v1.1.0...v1.1.1)

---
updated-dependencies:
- dependency-name: filippo.io/edwards25519
  dependency-version: 1.1.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
You cannot copy/paste that huge block into a zsh terminal to create the shell script in the tmp directory. It will work if you separate it into two steps: 1) create the file, 2) execute the file.

Signed-off-by: Corey Daley <corey.daley@chainguard.dev>
Bumps the gomod group with 4 updates in the / directory: [github.com/go-git/go-git/v5](https://github.com/go-git/go-git), [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime), [github.com/sigstore/cosign/v3](https://github.com/sigstore/cosign) and [github.com/sigstore/protobuf-specs](https://github.com/sigstore/protobuf-specs).


Updates `github.com/go-git/go-git/v5` from 5.17.1 to 5.17.2
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.17.1...v5.17.2)

Updates `github.com/go-openapi/runtime` from 0.29.2 to 0.29.3
- [Release notes](https://github.com/go-openapi/runtime/releases)
- [Commits](go-openapi/runtime@v0.29.2...v0.29.3)

Updates `github.com/go-openapi/strfmt` from 0.25.0 to 0.26.0
- [Release notes](https://github.com/go-openapi/strfmt/releases)
- [Commits](go-openapi/strfmt@v0.25.0...v0.26.0)

Updates `github.com/go-openapi/swag/conv` from 0.25.4 to 0.25.5
- [Release notes](https://github.com/go-openapi/swag/releases)
- [Commits](go-openapi/swag@v0.25.4...v0.25.5)

Updates `github.com/sigstore/cosign/v3` from 3.0.4 to 3.0.6
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](sigstore/cosign@v3.0.4...v3.0.6)

Updates `github.com/sigstore/protobuf-specs` from 0.5.0 to 0.5.1
- [Release notes](https://github.com/sigstore/protobuf-specs/releases)
- [Changelog](https://github.com/sigstore/protobuf-specs/blob/main/CHANGELOG.md)
- [Commits](sigstore/protobuf-specs@v0.5.0...v0.5.1)

Updates `github.com/sigstore/rekor` from 1.5.0 to 1.5.1
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](sigstore/rekor@v1.5.0...v1.5.1)

Updates `github.com/sigstore/sigstore` from 1.10.4 to 1.10.5
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.4...v1.10.5)

Updates `golang.org/x/crypto` from 0.47.0 to 0.49.0
- [Commits](golang/crypto@v0.47.0...v0.49.0)

Updates `golang.org/x/oauth2` from 0.35.0 to 0.36.0
- [Commits](golang/oauth2@v0.35.0...v0.36.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.17.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/runtime
  dependency-version: 0.29.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/strfmt
  dependency-version: 0.26.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: github.com/go-openapi/swag/conv
  dependency-version: 0.25.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/cosign/v3
  dependency-version: 3.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/protobuf-specs
  dependency-version: 0.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/rekor
  dependency-version: 1.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore
  dependency-version: 1.10.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: golang.org/x/crypto
  dependency-version: 0.49.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Add tag predicate

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@carabiner.dev>

* Regenerate proto

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@carabiner.dev>

* Implement TagStatement()

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@carabiner.dev>

* Redirect to attest.TagStatement on tag refs

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@carabiner.dev>

* Return error when attesting non-annotated tags

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@carabiner.dev>

* Add tests for the tag attestations

Adds tests for the new tag attestations.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@carabiner.dev>

---------

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@carabiner.dev>
Bumps [github.com/in-toto/attestation](https://github.com/in-toto/attestation) from 1.1.2 to 1.2.0.
- [Release notes](https://github.com/in-toto/attestation/releases)
- [Commits](in-toto/attestation@v1.1.2...v1.2.0)

---
updated-dependencies:
- dependency-name: github.com/in-toto/attestation
  dependency-version: 1.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc) from 3.17.0 to 3.18.0.
- [Release notes](https://github.com/coreos/go-oidc/releases)
- [Commits](coreos/go-oidc@v3.17.0...v3.18.0)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-oidc/v3
  dependency-version: 3.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.49.0 to 0.50.0.
- [Commits](golang/crypto@v0.49.0...v0.50.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.50.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.10.0 to 4.1.1.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@d7543c9...cad07c2)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.7.0 to 4.1.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@c94ce9f...4907a6d)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.17.2 to 5.18.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.17.2...v5.18.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.18.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 6.4.0 to 7.1.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@e435ccd...e24998b)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-version: 7.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gomod group with 2 updates in the / directory: [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) and [github.com/mattn/go-tty](https://github.com/mattn/go-tty).


Updates `github.com/go-openapi/runtime` from 0.29.3 to 0.29.4
- [Release notes](https://github.com/go-openapi/runtime/releases)
- [Commits](go-openapi/runtime@v0.29.3...v0.29.4)

Updates `github.com/go-openapi/strfmt` from 0.26.0 to 0.26.1
- [Release notes](https://github.com/go-openapi/strfmt/releases)
- [Commits](go-openapi/strfmt@v0.26.0...v0.26.1)

Updates `github.com/go-openapi/swag/conv` from 0.25.5 to 0.26.0
- [Release notes](https://github.com/go-openapi/swag/releases)
- [Commits](go-openapi/swag@v0.25.5...v0.26.0)

Updates `github.com/mattn/go-tty` from 0.0.7 to 0.0.8
- [Commits](mattn/go-tty@v0.0.7...v0.0.8)

---
updated-dependencies:
- dependency-name: github.com/go-openapi/runtime
  dependency-version: 0.29.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/strfmt
  dependency-version: 0.26.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/swag/conv
  dependency-version: 0.26.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: github.com/mattn/go-tty
  dependency-version: 0.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…igstore#791)

Bumps [github.com/sigstore/timestamp-authority/v2](https://github.com/sigstore/timestamp-authority) from 2.0.5 to 2.0.6.
- [Release notes](https://github.com/sigstore/timestamp-authority/releases)
- [Changelog](https://github.com/sigstore/timestamp-authority/blob/main/CHANGELOG.md)
- [Commits](sigstore/timestamp-authority@v2.0.5...v2.0.6)

---
updated-dependencies:
- dependency-name: github.com/sigstore/timestamp-authority/v2
  dependency-version: 2.0.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 2 updates in the / directory: [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) and [actions/cache](https://github.com/actions/cache).


Updates `goreleaser/goreleaser-action` from 7.1.0 to 7.2.1
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@e24998b...1a80836)

Updates `actions/cache` from 5.0.4 to 5.0.5
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@6682284...27d5ce7)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-version: 7.2.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/secure-systems-lab/go-securesystemslib](https://github.com/secure-systems-lab/go-securesystemslib) from 0.10.0 to 0.11.0.
- [Release notes](https://github.com/secure-systems-lab/go-securesystemslib/releases)
- [Commits](secure-systems-lab/go-securesystemslib@v0.10.0...v0.11.0)

---
updated-dependencies:
- dependency-name: github.com/secure-systems-lab/go-securesystemslib
  dependency-version: 0.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…store#799)

- Verify now returns an explicit error when the parsed signature contains
  no certificates, instead of panicking on certs[0].
- Streams.Wrap now recovers panics into a returned error rather than
  swallowing them, so callers see a non-nil error.

Signed-off-by: Billy Lynch <billy@chainguard.dev>
Co-authored-by: bugbunny-research <262839898+bugbunny-research@users.noreply.github.com>
cosign v3 makes --new-bundle-format the default and requires --bundle,
so the existing --output-signature/--output-certificate args are ignored
and goreleaser fails with "create bundle file: open : no such file or
directory" because no --bundle path is passed.

Switch sign-blob to write a single ${artifact}.bundle via --bundle.

Signed-off-by: Billy Lynch <billy@chainguard.dev>
* Verify against raw git object bytes to prevent parser trust-confusion

go-git's loose object parser uses last-wins semantics for duplicate
singleton headers (tree, author, committer, etc.), while git-core uses
first-wins. An attacker can craft a commit or tag whose raw bytes hash
to one set of contents under git-core but re-encode through go-git to a
different signed payload, letting a legitimate signature verify against
attacker-controlled bytes.

Replace the go-git decode + EncodeWithoutSignature path with SplitCommit
and SplitTag, which operate directly on the object-database bytes (the
same bytes git-core feeds its verifier) and reject objects with
structural ambiguities — duplicate singleton headers, duplicate gpgsig,
malformed gpgsig continuations. ObjectHash now reassembles via
JoinCommit/JoinTag so the recorded hash matches git-core.

Signed-off-by: Billy Lynch <billy@chainguard.dev>

* Add support for sha256 headers.

See https://git-scm.com/docs/hash-function-transition#_signed_commits

Signed-off-by: Billy Lynch <billy@chainguard.dev>

---------

Signed-off-by: Billy Lynch <billy@chainguard.dev>
…ry (sigstore#811)

Bumps the gomod group with 1 update in the / directory: [github.com/go-openapi/strfmt](https://github.com/go-openapi/strfmt).


Updates `github.com/go-openapi/strfmt` from 0.26.1 to 0.26.2
- [Release notes](https://github.com/go-openapi/strfmt/releases)
- [Commits](go-openapi/strfmt@v0.26.1...v0.26.2)

---
updated-dependencies:
- dependency-name: github.com/go-openapi/strfmt
  dependency-version: 0.26.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
wlynch and others added 4 commits May 15, 2026 11:24
Bump go-git to v5.19.0 (which fixes the loose-object parser to match
git-core's first-wins semantics on duplicate singleton headers) and add
ValidateCommit/ValidateTag checks so CommitStatement and TagStatement
refuse objects with duplicate singleton headers.

Signed-off-by: Billy Lynch <billy@chainguard.dev>
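As an added illustration of the two commits above (#802, which replaces the go-git decode + re-encode path with SplitCommit/SplitTag over raw object-database bytes, and the go-git v5.19.0 bump that adds ValidateCommit/ValidateTag), here is a small Go parser written for this page; it is not gitsign's own code and the function names, the singleton-header set and the error strings are my assumptions, not gitsign's API. It splits a loose commit or tag object into the signed payload and the armored signature straight from the stored bytes, never re-encoding, and rejects the ambiguities the commit lists: a duplicate singleton header, a duplicate gpgsig (or gpgsig-sha256) header, and a continuation line with no header to belong to. LooseHeader shows why that matters, reading the same bytes first-wins (git-core) and last-wins (the old go-git loose-object parser). The sample objects are constructed for the demo: the tree is git's well-known empty tree and the armor body is placeholder text.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Headers git-core treats as singletons and reads first-wins. A second copy is
// a structural ambiguity, so SplitObject rejects the object instead of choosing.
var singletonHeaders = map[string]bool{
	"tree": true, "author": true, "committer": true, "encoding": true,
	"object": true, "type": true, "tag": true, "tagger": true,
	"gpgsig": true, "gpgsig-sha256": true,
}

// SplitObject takes the raw object-database bytes of a commit or tag and returns
// the signed payload (headers minus gpgsig, blank line, message) and the armored
// signature with its one-space continuation indent removed. It never re-encodes.
func SplitObject(raw []byte) (payload, sig []byte, err error) {
	hdr, body, found := bytes.Cut(raw, []byte("\n\n"))
	if !found {
		return nil, nil, errors.New("malformed object: no blank line after headers")
	}
	var out bytes.Buffer
	seen := map[string]bool{}
	current, inSig := "", false
	for _, line := range bytes.Split(hdr, []byte("\n")) {
		if len(line) > 0 && line[0] == ' ' { // continuation of the previous header
			if current == "" {
				return nil, nil, errors.New("malformed object: continuation line before any header")
			}
			if inSig {
				sig = append(append(sig, line[1:]...), '\n')
			} else {
				fmt.Fprintf(&out, "%s\n", line)
			}
			continue
		}
		name, value, ok := bytes.Cut(line, []byte(" "))
		if !ok {
			return nil, nil, fmt.Errorf("malformed header line %q", line)
		}
		current = string(name)
		if singletonHeaders[current] {
			if seen[current] {
				return nil, nil, fmt.Errorf("duplicate singleton header %q", current)
			}
			seen[current] = true
		}
		if inSig = current == "gpgsig" || current == "gpgsig-sha256"; inSig {
			sig = append(append(sig, value...), '\n')
			continue
		}
		fmt.Fprintf(&out, "%s\n", line)
	}
	out.WriteByte('\n') // the blank line, then the message exactly as stored
	out.Write(body)
	return out.Bytes(), sig, nil
}

// LooseHeader reproduces the two behaviours the fix contrasts: git-core keeps the
// first copy of a singleton header, the old go-git loose-object parser kept the last.
func LooseHeader(raw []byte, name string, lastWins bool) string {
	hdr, _, _ := bytes.Cut(raw, []byte("\n\n"))
	var found []byte
	for _, line := range bytes.Split(hdr, []byte("\n")) {
		if n, v, ok := bytes.Cut(line, []byte(" ")); ok && string(n) == name && (found == nil || lastWins) {
			found = v
		}
	}
	return string(found)
}

// Constructed sample objects, not real git output: the tree is git's well-known
// empty tree and the armor body is placeholder text.
const SignedCommit = "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n" +
	"author Alice <alice@example.test> 1700000000 +0000\n" +
	"committer Alice <alice@example.test> 1700000000 +0000\n" +
	"gpgsig -----BEGIN PGP SIGNATURE-----\n" +
	" \n" +
	" placeholderArmorBody==\n" +
	" -----END PGP SIGNATURE-----\n" +
	"\nInitial commit\n"

// Two tree headers: git-core verifies the first, last-wins re-encodes the second.
const DuplicateTree = "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n" +
	"tree ffffffffffffffffffffffffffffffffffffffff\n" +
	"author Alice <alice@example.test> 1700000000 +0000\n" +
	"committer Alice <alice@example.test> 1700000000 +0000\n" +
	"\nInitial commit\n"

func main() {
	_, _, err := SplitObject([]byte(DuplicateTree))
	fmt.Println("first-wins:", LooseHeader([]byte(DuplicateTree), "tree", false))
	fmt.Println("last-wins: ", LooseHeader([]byte(DuplicateTree), "tree", true), "split:", err)
}
```

On DuplicateTree the two LooseHeader calls return different trees, which is the trust confusion: a signature over the first-wins payload would be checked by a last-wins verifier against a payload it never covered. SplitObject refuses the object outright, so the question of which copy wins never arises; the hash and the signed bytes both come from what is actually stored.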
* bump go

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* fix permissions for ci job

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

---------

Signed-off-by: Carlos Panato <ctadeu@gmail.com>
CertVerifier.Verify returned certs[0] from the PKCS7 cert bag, while
the internal CMS verifier identifies the signer via SignerInfo
(issuer+serial or SKI). An attacker who controls the SignedData can
place an unrelated cert at position 0 while signing with a different
one, so callers that trust the returned cert without an independent
Rekor check would see the wrong identity. Same anti-pattern as
CVE-2026-39984 in timestamp-authority.

Return the leaf of the first verified chain from VerifyDetached /
Verify, which is the cert the internal CMS verifier actually
authenticated the signature against.

Also move the "use cert.NotBefore + 1min as CurrentTime to skip the
validity-window check" logic from the caller into the internal CMS
verifier's per-SignerInfo loop. Doing it once at the caller used a
single time for every cert's chain check, which breaks multi-signer
PKCS7 when signers have non-overlapping validity windows; doing it
per-cert lets each SignerInfo be checked against a time inside its
own window. Actual signing time is still verified independently via
Rekor.

Signed-off-by: Billy Lynch <billy@chainguard.dev>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
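An added Go sketch of the two verifier changes above (#799's error instead of a panic on an empty certificate list, and #810's return of the certificate the CMS verifier actually authenticated), written for this page rather than taken from gitsign's internal CMS verifier. A toy SignedData stands in for PKCS7: BuggySignerCert is the certs[0] anti-pattern, and VerifiedSignerCert resolves the signer through the SignerInfo issuer+serial, checks the signature under that key, and chains it with a per-certificate CurrentTime of NotBefore plus one minute, returning the leaf of the verified chain. Everything else is constructed for the demo and is my assumption, not gitsign's: self-signed Ed25519 certificates (gitsign's real certificates are Fulcio-issued), the names Alice and Mallory, the payload, and the validity windows, which are deliberately non-overlapping.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedData is a toy stand-in for PKCS7 SignedData: a cert bag whose order the
// producer controls, one SignerInfo naming the signer by issuer+serial, one signature.
type SignedData struct {
	Content      []byte
	Certs        []*x509.Certificate
	SignerIssuer []byte   // SignerInfo.sid.issuer, DER
	SignerSerial *big.Int // SignerInfo.sid.serialNumber
	Signature    []byte
}

// BuggySignerCert is the removed anti-pattern: position 0 of the bag is reported
// as the signer. It keeps only the #799 behaviour: an error, not a panic, on an empty bag.
func BuggySignerCert(sd *SignedData) (*x509.Certificate, error) {
	if len(sd.Certs) == 0 {
		return nil, errors.New("signed data carries no certificates")
	}
	return sd.Certs[0], nil
}

// VerifiedSignerCert resolves the cert the SignerInfo names, checks the signature
// under its key, chains it to roots at a time inside its own validity window, and
// returns the leaf of that chain. Signing time itself is checked elsewhere (Rekor).
func VerifiedSignerCert(sd *SignedData, roots *x509.CertPool) (*x509.Certificate, error) {
	var cert *x509.Certificate
	for _, c := range sd.Certs {
		if string(c.RawIssuer) == string(sd.SignerIssuer) && c.SerialNumber.Cmp(sd.SignerSerial) == 0 {
			cert = c
		}
	}
	if cert == nil {
		return nil, errors.New("SignerInfo names no certificate in the bag (or the bag is empty)")
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, sd.Content, sd.Signature) {
		return nil, errors.New("signature does not verify under the SignerInfo certificate")
	}
	chains, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: cert.NotBefore.Add(time.Minute), // per cert, so disjoint windows still chain
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return nil, err
	}
	return chains[0][0], nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newSelfSigned mints a ten-minute self-signed Ed25519 cert for the demo.
func newSelfSigned(cn string, serial int64, notBefore time.Time) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(10 * time.Minute)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key))
	return must(x509.ParseCertificate(der)), key
}

// BuildScenario constructs the attack: Mallory signs, but Alice's cert sits at
// position 0 of the bag; the two validity windows do not overlap.
func BuildScenario() (*SignedData, *x509.CertPool) {
	alice, _ := newSelfSigned("alice@example.test", 1, time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC))
	mallory, mkey := newSelfSigned("mallory@example.test", 2, time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC))
	content := []byte("constructed signed payload\n")
	roots := x509.NewCertPool()
	roots.AddCert(alice)
	roots.AddCert(mallory)
	return &SignedData{Content: content, Certs: []*x509.Certificate{alice, mallory},
		SignerIssuer: mallory.RawIssuer, SignerSerial: mallory.SerialNumber,
		Signature: ed25519.Sign(mkey, content)}, roots
}

func main() {
	sd, roots := BuildScenario()
	bad, _ := BuggySignerCert(sd)
	good, err := VerifiedSignerCert(sd, roots)
	fmt.Println("certs[0]:", bad.Subject.CommonName, "SignerInfo:", good.Subject.CommonName, err)
}
```

BuggySignerCert reports Alice for a signature Mallory made; VerifiedSignerCert reports Mallory, because it only ever returns a certificate whose key verified the signature. The per-certificate CurrentTime is what lets two signers with disjoint windows each pass their own chain check; it also means this check says nothing about when the signature was made, which is why the commit leaves that to the Rekor entry.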
…up (sigstore#804)

Bumps the actions group with 1 update: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer).


Updates `sigstore/cosign-installer` from 4.1.1 to 4.1.2
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@cad07c2...6f9f177)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
4 participants