v2.6 branch - bump sigstore deps (#4619)

Hayden · Hayden-IO · cpanato · web-flow · commit c4e6a783ce9b · 2026-01-08T22:30:14.000Z
* v2.6 branch - bump sigstore deps This should fix any build issues for clients still using v2. Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> * update builder to use go1.25.5 (#4566) Signed-off-by: Carlos Panato <ctadeu@gmail.com> --------- Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com> Signed-off-by: Carlos Panato <ctadeu@gmail.com> Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com> Co-authored-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>
diff --git a/.github/workflows/e2e-with-binary.yml b/.github/workflows/e2e-with-binary.yml
@@ -53,6 +53,7 @@ jobs:
           persist-credentials: false
 
       - name: Extract version of Go to use
+        shell: bash # To use awk on Windows
         run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV
 
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -63,6 +63,7 @@ jobs:
             ${{ runner.os }}-go-
 
       - name: Extract version of Go to use
+        shell: bash # To use awk on Windows
         run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV
 
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
@@ -197,6 +198,7 @@ jobs:
           persist-credentials: false
 
       - name: Extract version of Go to use
+        shell: bash # To use awk on Windows
         run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV
 
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml
@@ -26,14 +26,14 @@ jobs:
   check-signature:
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/sigstore/cosign/cosign:v2.6.0-dev@sha256:927acebad5fd845802b560f2a1b2cfa7c7170a5056511d2cae137a5e4fc39a4c
+      image: ghcr.io/sigstore/cosign/cosign:v3.0.3-dev@sha256:20826fbd1b274662771989eb847134019ac37d6985c7c78f51517532d723c8db
 
     steps:
       - name: Check Signature
         run: |
-          cosign verify ghcr.io/gythialy/golang-cross:v1.25.1-0@sha256:037d8941e21d7e33df0388d2be044e7f322dbd61bef42bb504ae15e15eb0eb7d \
+          cosign verify ghcr.io/gythialy/golang-cross:v1.25.5-0@sha256:3a7d463d9e3438513b6bd597c79f7d5db756023e04718259cc25aabd5d00fc17 \
           --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-          --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.25.1-0"
+          --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.25.5-0"
         env:
           TUF_ROOT: /tmp
 
@@ -43,7 +43,7 @@ jobs:
       - check-signature
 
     container:
-      image: ghcr.io/gythialy/golang-cross:v1.25.1-0@sha256:037d8941e21d7e33df0388d2be044e7f322dbd61bef42bb504ae15e15eb0eb7d
+      image: ghcr.io/gythialy/golang-cross:v1.25.5-0@sha256:3a7d463d9e3438513b6bd597c79f7d5db756023e04718259cc25aabd5d00fc17
       volumes:
         - /usr:/host_usr
         - /opt:/host_opt
diff --git a/cmd/cosign/cli/trustedroot/trustedroot.go b/cmd/cosign/cli/trustedroot/trustedroot.go
@@ -31,7 +31,7 @@ import (
 	"time"
 
 	"github.com/sigstore/cosign/v2/pkg/cosign"
-	"github.com/sigstore/rekor-tiles/pkg/note"
+	"github.com/sigstore/rekor-tiles/v2/pkg/note"
 	"github.com/sigstore/sigstore-go/pkg/root"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 )
diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum
diff --git a/internal/pkg/cosign/tsa/mock/mock_tsa_client.go b/internal/pkg/cosign/tsa/mock/mock_tsa_client.go
@@ -27,7 +27,7 @@ import (
 	"github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
-	"github.com/sigstore/timestamp-authority/pkg/signer"
+	"github.com/sigstore/timestamp-authority/v2/pkg/signer"
 )
 
 // TSAClient creates RFC3161 timestamps and implements client.TimestampAuthority.
diff --git a/pkg/cosign/keys.go b/pkg/cosign/keys.go
@@ -33,6 +33,7 @@ import (
 	"github.com/sigstore/cosign/v2/pkg/oci/static"
 	v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
+	"github.com/sigstore/sigstore/pkg/cryptoutils/goodkey"
 	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/signature/options"
 )
@@ -140,7 +141,7 @@ func ImportKeyPair(keyPath string, pf PassFunc) (*KeysBytes, error) {
 		if err != nil {
 			return nil, fmt.Errorf("error parsing rsa private key: %w", err)
 		}
-		if err = cryptoutils.ValidatePubKey(rsaPk.Public()); err != nil {
+		if err = goodkey.ValidatePubKey(rsaPk.Public()); err != nil {
 			return nil, fmt.Errorf("error validating rsa key: %w", err)
 		}
 		pk = rsaPk
@@ -149,7 +150,7 @@ func ImportKeyPair(keyPath string, pf PassFunc) (*KeysBytes, error) {
 		if err != nil {
 			return nil, fmt.Errorf("error parsing ecdsa private key")
 		}
-		if err = cryptoutils.ValidatePubKey(ecdsaPk.Public()); err != nil {
+		if err = goodkey.ValidatePubKey(ecdsaPk.Public()); err != nil {
 			return nil, fmt.Errorf("error validating ecdsa key: %w", err)
 		}
 		pk = ecdsaPk
@@ -160,17 +161,17 @@ func ImportKeyPair(keyPath string, pf PassFunc) (*KeysBytes, error) {
 		}
 		switch k := pkcs8Pk.(type) {
 		case *rsa.PrivateKey:
-			if err = cryptoutils.ValidatePubKey(k.Public()); err != nil {
+			if err = goodkey.ValidatePubKey(k.Public()); err != nil {
 				return nil, fmt.Errorf("error validating rsa key: %w", err)
 			}
 			pk = k
 		case *ecdsa.PrivateKey:
-			if err = cryptoutils.ValidatePubKey(k.Public()); err != nil {
+			if err = goodkey.ValidatePubKey(k.Public()); err != nil {
 				return nil, fmt.Errorf("error validating ecdsa key: %w", err)
 			}
 			pk = k
 		case ed25519.PrivateKey:
-			if err = cryptoutils.ValidatePubKey(k.Public()); err != nil {
+			if err = goodkey.ValidatePubKey(k.Public()); err != nil {
 				return nil, fmt.Errorf("error validating ed25519 key: %w", err)
 			}
 			pk = k
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
@@ -73,7 +73,7 @@ import (
 	"github.com/sigstore/sigstore/pkg/signature/dsse"
 	"github.com/sigstore/sigstore/pkg/signature/options"
 	"github.com/sigstore/sigstore/pkg/tuf"
-	tsaverification "github.com/sigstore/timestamp-authority/pkg/verification"
+	tsaverification "github.com/sigstore/timestamp-authority/v2/pkg/verification"
 )
 
 // Identity specifies an issuer/subject to verify a signature against.
diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml
@@ -32,20 +32,19 @@ steps:
         echo "Checking out ${_GIT_TAG}"
         git checkout ${_GIT_TAG}
 
-  - name: 'ghcr.io/sigstore/cosign/cosign:v2.6.0-dev@sha256:927acebad5fd845802b560f2a1b2cfa7c7170a5056511d2cae137a5e4fc39a4c'
+  - name: 'ghcr.io/sigstore/cosign/cosign:v3.0.3-dev@sha256:20826fbd1b274662771989eb847134019ac37d6985c7c78f51517532d723c8db'
     dir: "go/src/sigstore/cosign"
     env:
       - TUF_ROOT=/tmp
     args:
       - 'verify'
-      - 'ghcr.io/gythialy/golang-cross:v1.25.1-0@sha256:037d8941e21d7e33df0388d2be044e7f322dbd61bef42bb504ae15e15eb0eb7d'
+      - 'ghcr.io/gythialy/golang-cross:v1.25.5-0@sha256:3a7d463d9e3438513b6bd597c79f7d5db756023e04718259cc25aabd5d00fc17'
       - '--certificate-oidc-issuer'
       - "https://token.actions.githubusercontent.com"
       - '--certificate-identity'
-      - "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.25.1-0"
-
+      - "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.25.5-0"
   # maybe we can build our own image and use that to be more in a safe side
-  - name: ghcr.io/gythialy/golang-cross:v1.25.1-0@sha256:037d8941e21d7e33df0388d2be044e7f322dbd61bef42bb504ae15e15eb0eb7d
+  - name: ghcr.io/gythialy/golang-cross:v1.25.5-0@sha256:3a7d463d9e3438513b6bd597c79f7d5db756023e04718259cc25aabd5d00fc17
     entrypoint: /bin/sh
     dir: "go/src/sigstore/cosign"
     env:
@@ -68,7 +67,7 @@ steps:
         gcloud auth configure-docker \
         && make release
 
-  - name: ghcr.io/gythialy/golang-cross:v1.25.1-0@sha256:037d8941e21d7e33df0388d2be044e7f322dbd61bef42bb504ae15e15eb0eb7d
+  - name: ghcr.io/gythialy/golang-cross:v1.25.5-0@sha256:3a7d463d9e3438513b6bd597c79f7d5db756023e04718259cc25aabd5d00fc17
     entrypoint: 'bash'
     dir: "go/src/sigstore/cosign"
     env:
diff --git a/test/e2e_attach_test.go b/test/e2e_attach_test.go
@@ -49,8 +49,8 @@ import (
 	"github.com/sigstore/cosign/v2/pkg/cosign"
 	"github.com/sigstore/cosign/v2/pkg/cosign/bundle"
 	ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
-	tsaclient "github.com/sigstore/timestamp-authority/pkg/client"
-	"github.com/sigstore/timestamp-authority/pkg/server"
+	tsaclient "github.com/sigstore/timestamp-authority/v2/pkg/client"
+	"github.com/sigstore/timestamp-authority/v2/pkg/server"
 	"github.com/spf13/viper"
 )
 
diff --git a/test/e2e_test.go b/test/e2e_test.go
@@ -78,8 +78,8 @@ import (
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/signature/payload"
-	tsaclient "github.com/sigstore/timestamp-authority/pkg/client"
-	"github.com/sigstore/timestamp-authority/pkg/server"
+	tsaclient "github.com/sigstore/timestamp-authority/v2/pkg/client"
+	"github.com/sigstore/timestamp-authority/v2/pkg/server"
 	"github.com/spf13/viper"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 )
diff --git a/test/e2e_tsa_test.go b/test/e2e_tsa_test.go
@@ -32,8 +32,8 @@ import (
 	cliverify "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
 	cert_test "github.com/sigstore/cosign/v2/internal/test"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
-	tsaclient "github.com/sigstore/timestamp-authority/pkg/client"
-	tsaserver "github.com/sigstore/timestamp-authority/pkg/server"
+	tsaclient "github.com/sigstore/timestamp-authority/v2/pkg/client"
+	tsaserver "github.com/sigstore/timestamp-authority/v2/pkg/server"
 	"github.com/spf13/viper"
 )
 

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ import (`
`31`	`31`	`"time"`
`32`	`32`
`33`	`33`	`"github.com/sigstore/cosign/v2/pkg/cosign"`
`34`		`- "github.com/sigstore/rekor-tiles/pkg/note"`
	`34`	`+ "github.com/sigstore/rekor-tiles/v2/pkg/note"`
`35`	`35`	`"github.com/sigstore/sigstore-go/pkg/root"`
`36`	`36`	`"github.com/sigstore/sigstore/pkg/cryptoutils"`
`37`	`37`	`)`
Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@ import (`
`27`	`27`	`"github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client"`
`28`	`28`	`"github.com/sigstore/sigstore/pkg/cryptoutils"`
`29`	`29`	`"github.com/sigstore/sigstore/pkg/signature"`
`30`		`- "github.com/sigstore/timestamp-authority/pkg/signer"`
	`30`	`+ "github.com/sigstore/timestamp-authority/v2/pkg/signer"`
`31`	`31`	`)`
`32`	`32`
`33`	`33`	`// TSAClient creates RFC3161 timestamps and implements client.TimestampAuthority.`
Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,7 @@ import (`
`33`	`33`	`"github.com/sigstore/cosign/v2/pkg/oci/static"`
`34`	`34`	`v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"`
`35`	`35`	`"github.com/sigstore/sigstore/pkg/cryptoutils"`
	`36`	`+ "github.com/sigstore/sigstore/pkg/cryptoutils/goodkey"`
`36`	`37`	`"github.com/sigstore/sigstore/pkg/signature"`
`37`	`38`	`"github.com/sigstore/sigstore/pkg/signature/options"`
`38`	`39`	`)`
`@@ -140,7 +141,7 @@ func ImportKeyPair(keyPath string, pf PassFunc) (*KeysBytes, error) {`
`140`	`141`	`if err != nil {`
`141`	`142`	`return nil, fmt.Errorf("error parsing rsa private key: %w", err)`
`142`	`143`	`}`
`143`		`- if err = cryptoutils.ValidatePubKey(rsaPk.Public()); err != nil {`
	`144`	`+ if err = goodkey.ValidatePubKey(rsaPk.Public()); err != nil {`
`144`	`145`	`return nil, fmt.Errorf("error validating rsa key: %w", err)`
`145`	`146`	`}`
`146`	`147`	`pk = rsaPk`
`@@ -149,7 +150,7 @@ func ImportKeyPair(keyPath string, pf PassFunc) (*KeysBytes, error) {`
`149`	`150`	`if err != nil {`
`150`	`151`	`return nil, fmt.Errorf("error parsing ecdsa private key")`
`151`	`152`	`}`
`152`		`- if err = cryptoutils.ValidatePubKey(ecdsaPk.Public()); err != nil {`
	`153`	`+ if err = goodkey.ValidatePubKey(ecdsaPk.Public()); err != nil {`
`153`	`154`	`return nil, fmt.Errorf("error validating ecdsa key: %w", err)`
`154`	`155`	`}`
`155`	`156`	`pk = ecdsaPk`
`@@ -160,17 +161,17 @@ func ImportKeyPair(keyPath string, pf PassFunc) (*KeysBytes, error) {`
`160`	`161`	`}`
`161`	`162`	`switch k := pkcs8Pk.(type) {`
`162`	`163`	`case *rsa.PrivateKey:`
`163`		`- if err = cryptoutils.ValidatePubKey(k.Public()); err != nil {`
	`164`	`+ if err = goodkey.ValidatePubKey(k.Public()); err != nil {`
`164`	`165`	`return nil, fmt.Errorf("error validating rsa key: %w", err)`
`165`	`166`	`}`
`166`	`167`	`pk = k`
`167`	`168`	`case *ecdsa.PrivateKey:`
`168`		`- if err = cryptoutils.ValidatePubKey(k.Public()); err != nil {`
	`169`	`+ if err = goodkey.ValidatePubKey(k.Public()); err != nil {`
`169`	`170`	`return nil, fmt.Errorf("error validating ecdsa key: %w", err)`
`170`	`171`	`}`
`171`	`172`	`pk = k`
`172`	`173`	`case ed25519.PrivateKey:`
`173`		`- if err = cryptoutils.ValidatePubKey(k.Public()); err != nil {`
	`174`	`+ if err = goodkey.ValidatePubKey(k.Public()); err != nil {`
`174`	`175`	`return nil, fmt.Errorf("error validating ed25519 key: %w", err)`
`175`	`176`	`}`
`176`	`177`	`pk = k`
Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@ import (`
`73`	`73`	`"github.com/sigstore/sigstore/pkg/signature/dsse"`
`74`	`74`	`"github.com/sigstore/sigstore/pkg/signature/options"`
`75`	`75`	`"github.com/sigstore/sigstore/pkg/tuf"`
`76`		`- tsaverification "github.com/sigstore/timestamp-authority/pkg/verification"`
	`76`	`+ tsaverification "github.com/sigstore/timestamp-authority/v2/pkg/verification"`
`77`	`77`	`)`
`78`	`78`
`79`	`79`	`// Identity specifies an issuer/subject to verify a signature against.`