Skip to content

Bump github.com/sigstore/cosign/v2 from 2.5.3 to 2.6.0 #1441

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 18, 2025
Merged

Bump github.com/sigstore/cosign/v2 from 2.5.3 to 2.6.0 #1441

merged 2 commits into from
Sep 18, 2025

Conversation

@arewm
Copy link
Contributor

@arewm arewm commented Sep 16, 2025
edited
Loading

Changes

Proposing to bump the cosign version to include new library calls to
push attestations with the referrer's API.

The new changes desired are sigstore/cosign#4357 which should
better support the work in #1409.

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs included if any changes are user facing
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including
    functionality, content, code)
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

NONE

@tekton-robot tekton-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Sep 16, 2025
@arewm
Bump github.com/sigstore/cosign/v2 from 2.5.3 to 2.6.0
886b07d 
Proposing to bump the cosign version to include new library calls to
push attestations with the referrer's API.

- [Release notes](https://github.com/sigstore/cosign/releases/tag/v2.6.0)
- [Changelog](https://github.com/sigstore/cosign/blob/6431af15a8066c4b33c7232fc2dba3f9278a16a5/CHANGELOG.md)
- [Commits](sigstore/cosign@v2.5.3...v2.6.0)

The new changes desired are sigstore/cosign/pull/4357 which should
better support the work in tektoncd#1409.

Signed-off-by: arewm <[email protected]>

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
@arewm
Fix LoadPrivateKey API breaking change for cosign v2.6.0
cb9aa6c 
- Add LoadOption parameter to LoadPrivateKey calls in x509.go and clients.go
- Pass nil for defaultLoadOptions to use sensible defaults (ED25519ph)
- Update both production code and test code to match new API

The LoadPrivateKey function signature changed in cosign v2.6.0 to
include a third parameter for LoadOption configuration. Passing nil
uses the default ED25519ph behavior which is appropriate for this
use case.

Co-authored-by: Claude Sonnet <[email protected]>
Signed-off-by: arewm <[email protected]>

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
@lcarva
Copy link
Contributor

lcarva commented Sep 16, 2025

Linter is failing due to the known issue where it can't handle large PRs.

lcarva
lcarva approved these changes Sep 16, 2025
View reviewed changes
Copy link
Contributor

@lcarva lcarva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 16, 2025
@tekton-robot
Copy link

tekton-robot commented Sep 16, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lcarva

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 16, 2025
@arewm
Copy link
Contributor Author

arewm commented Sep 16, 2025

The second commit (cb9aa6c) is on top of updating the dependency as the interface did change a little bit.

Locally, two tests failed but I am not sure if that is because I don't have sufficient configuration to run them (this brief summary was generated by Cursor):

Test Status Summary
✅ Tests that PASS:
TestCreateSignerFulcioEnabledDefaultTokenFileMissing - PASS
TestSigner_SignECDSA - PASS (this is the core signing functionality we fixed)
TestSigner_SignED25519 - SKIP (intentionally skipped, not implemented yet)
❌ Tests that FAIL:
TestCreateSignerFulcioEnabled - FAIL
TestCreateSignerFulcioEnabledFilesystemProvider - FAIL

@lcarva lcarva merged commit e3469c5 into tektoncd:main Sep 18, 2025
11 of 13 checks passed
@anithapriyanatarajan anithapriyanatarajan mentioned this pull request Nov 5, 2025
Closed
6 tasks
@aThorp96 aThorp96 mentioned this pull request Nov 13, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lcarva lcarva lcarva approved these changes

@chitrangpatel chitrangpatel Awaiting requested review from chitrangpatel

Assignees

@lcarva lcarva

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@arewm @lcarva @tekton-robot