Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: sigstore/sigstore
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v1.8.15
Choose a base ref
...
head repository: sigstore/sigstore
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v1.9.0
Choose a head ref
  • 18 commits
  • 27 files changed
  • 4 contributors

Commits on Feb 21, 2025

  1. Update KMS policy for new plugin interface (#1987) 

    This points producers to the interface documentation and example, and notes we will not accept new providers in-tree.

Signed-off-by: Hayden B <haydentherapper@users.noreply.github.com>
    @haydentherapper
    haydentherapper authored Feb 21, 2025
    Configuration menu
    Copy the full SHA
    7b1d98b View commit details
    Browse the repository at this point in the history

  2. Update TUF root to latest v12 root (#1988) 

    Minimizing the number of network requests a client needs to make to fetch the latest.

Fixes #1138

Signed-off-by: Hayden B <haydentherapper@users.noreply.github.com>
    @haydentherapper
    haydentherapper authored Feb 21, 2025
    Configuration menu
    Copy the full SHA
    c6ff33c View commit details
    Browse the repository at this point in the history

Commits on Feb 25, 2025

  1. build(deps): Bump github.com/go-jose/go-jose/v4 (#1995) 

    Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.0.2 to 4.0.5.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md)
- [Commits](go-jose/go-jose@v4.0.2...v4.0.5)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    @dependabot
    dependabot[bot] authored Feb 25, 2025
    Configuration menu
    Copy the full SHA
    a65d8ad View commit details
    Browse the repository at this point in the history

  2. build(deps): Bump the all group with 2 updates (#1990) 

    Bumps the all group with 2 updates: [actions/cache](https://github.com/actions/cache) and [actions/upload-artifact](https://github.com/actions/upload-artifact).


Updates `actions/cache` from 4.2.0 to 4.2.1
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@1bd1e32...0c907a7)

Updates `actions/upload-artifact` from 4.6.0 to 4.6.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@65c4c4a...4cec3d8)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    @dependabot
    dependabot[bot] authored Feb 25, 2025
    Configuration menu
    Copy the full SHA
    ce46fde View commit details
    Browse the repository at this point in the history

  3. build(deps): Bump github.com/go-jose/go-jose/v4 from 4.0.2 to 4.0.5 (#… 

    …1994)

* build(deps): Bump github.com/go-jose/go-jose/v4 from 4.0.2 to 4.0.5

Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.0.2 to 4.0.5.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md)
- [Commits](go-jose/go-jose@v4.0.2...v4.0.5)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* sync

Signed-off-by: cpanato <ctadeu@gmail.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: cpanato <ctadeu@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpanato <ctadeu@gmail.com>
    @dependabot @cpanato
    dependabot[bot] and cpanato authored Feb 25, 2025
    Configuration menu
    Copy the full SHA
    3c3cc9b View commit details
    Browse the repository at this point in the history

Commits on Mar 3, 2025

  1. upgrade go-jose to v4 (#2000) 

    * upgrade go-jose to v4

Signed-off-by: cpanato <ctadeu@gmail.com>

* go mod sync

Signed-off-by: cpanato <ctadeu@gmail.com>

---------

Signed-off-by: cpanato <ctadeu@gmail.com>
    @cpanato
    cpanato authored Mar 3, 2025
    Configuration menu
    Copy the full SHA
    97659d8 View commit details
    Browse the repository at this point in the history

  2. build(deps): Bump github.com/go-jose/go-jose/v4 in /test/fuzz (#2002) 

    Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.0.2 to 4.0.5.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md)
- [Commits](go-jose/go-jose@v4.0.2...v4.0.5)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    @dependabot
    dependabot[bot] authored Mar 3, 2025
    Configuration menu
    Copy the full SHA
    b8a592a View commit details
    Browse the repository at this point in the history

  3. build(deps): Bump the all group across 1 directory with 3 updates (#2004 

    )

Bumps the all group with 3 updates in the /test/e2e directory: [dexidp/dex](https://github.com/dexidp/dex), localstack/localstack and hashicorp/vault.


Updates `dexidp/dex` from v2.41.1 to v2.42.0
- [Release notes](https://github.com/dexidp/dex/releases)
- [Commits](dexidp/dex@v2.41.1...v2.42.0)

Updates `localstack/localstack` from 4.1.1 to 4.2.0

Updates `hashicorp/vault` from 1.18.4 to 1.18.5

---
updated-dependencies:
- dependency-name: dexidp/dex
  dependency-type: direct:production
  dependency-group: all
- dependency-name: localstack/localstack
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: hashicorp/vault
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    @dependabot
    dependabot[bot] authored Mar 3, 2025
    Configuration menu
    Copy the full SHA
    5d73655 View commit details
    Browse the repository at this point in the history

  4. build(deps): Bump the gomod group across 5 directories with 7 updates ( 

    …#2005)

* build(deps): Bump the gomod group across 5 directories with 7 updates

Bumps the gomod group with 2 updates in the / directory: [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) and google.golang.org/protobuf.
Bumps the gomod group with 4 updates in the /pkg/signature/kms/aws directory: [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry), [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2), [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) and google.golang.org/protobuf.
Bumps the gomod group with 4 updates in the /pkg/signature/kms/azure directory: [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry), [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go), [github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys](https://github.com/Azure/azure-sdk-for-go) and google.golang.org/protobuf.
Bumps the gomod group with 2 updates in the /pkg/signature/kms/gcp directory: [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) and google.golang.org/protobuf.
Bumps the gomod group with 2 updates in the /pkg/signature/kms/hashivault directory: [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) and google.golang.org/protobuf.


Updates `github.com/google/go-containerregistry` from 0.20.2 to 0.20.3
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.20.2...v0.20.3)

Updates `google.golang.org/protobuf` from 1.36.4 to 1.36.5

Updates `github.com/google/go-containerregistry` from 0.20.2 to 0.20.3
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.20.2...v0.20.3)

Updates `github.com/aws/aws-sdk-go-v2` from 1.36.1 to 1.36.3
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](aws/aws-sdk-go-v2@v1.36.1...v1.36.3)

Updates `github.com/aws/aws-sdk-go-v2/config` from 1.29.1 to 1.29.8
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](aws/aws-sdk-go-v2@config/v1.29.1...config/v1.29.8)

Updates `google.golang.org/protobuf` from 1.36.4 to 1.36.5

Updates `github.com/google/go-containerregistry` from 0.20.2 to 0.20.3
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.20.2...v0.20.3)

Updates `github.com/Azure/azure-sdk-for-go/sdk/azidentity` from 1.8.0 to 1.8.2
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md)
- [Commits](Azure/azure-sdk-for-go@sdk/azcore/v1.8.0...sdk/azidentity/v1.8.2)

Updates `github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys` from 1.3.0 to 1.3.1
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md)
- [Commits](Azure/azure-sdk-for-go@sdk/azcore/v1.3.0...sdk/azcore/v1.3.1)

Updates `golang.org/x/crypto` from 0.32.0 to 0.33.0
- [Commits](golang/crypto@v0.32.0...v0.33.0)

Updates `google.golang.org/protobuf` from 1.36.4 to 1.36.5

Updates `github.com/google/go-containerregistry` from 0.20.2 to 0.20.3
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.20.2...v0.20.3)

Updates `google.golang.org/protobuf` from 1.36.4 to 1.36.5

Updates `github.com/google/go-containerregistry` from 0.20.2 to 0.20.3
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.20.2...v0.20.3)

Updates `google.golang.org/protobuf` from 1.36.4 to 1.36.5

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: google.golang.org/protobuf
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/google/go-containerregistry
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/aws/aws-sdk-go-v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: google.golang.org/protobuf
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/google/go-containerregistry
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azidentity
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: google.golang.org/protobuf
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/google/go-containerregistry
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/google/go-containerregistry
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: google.golang.org/protobuf
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>

* sync

Signed-off-by: cpanato <ctadeu@gmail.com>

* sync

Signed-off-by: cpanato <ctadeu@gmail.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: cpanato <ctadeu@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpanato <ctadeu@gmail.com>
    @dependabot @cpanato
    dependabot[bot] and cpanato authored Mar 3, 2025
    Configuration menu
    Copy the full SHA
    a1f51d7 View commit details
    Browse the repository at this point in the history

  5. build(deps): Bump github.com/sigstore/sigstore (#1992) 

    Bumps the tools group with 1 update in the /test/fuzz directory: [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore).


Updates `github.com/sigstore/sigstore` from 1.8.12 to 1.8.15
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](v1.8.12...v1.8.15)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: tools
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    @dependabot
    dependabot[bot] authored Mar 3, 2025
    Configuration menu
    Copy the full SHA
    79d4d1e View commit details
    Browse the repository at this point in the history

  6. build(deps): Bump golang.org/x/crypto from 0.32.0 to 0.35.0 (#2003) 

    * build(deps): Bump golang.org/x/crypto from 0.32.0 to 0.35.0

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.32.0 to 0.35.0.
- [Commits](golang/crypto@v0.32.0...v0.35.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* sync go mod

Signed-off-by: cpanato <ctadeu@gmail.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: cpanato <ctadeu@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpanato <ctadeu@gmail.com>
    @dependabot @cpanato
    dependabot[bot] and cpanato authored Mar 3, 2025
    Configuration menu
    Copy the full SHA
    5249c79 View commit details
    Browse the repository at this point in the history

  7. build(deps): Bump google.golang.org/api in /pkg/signature/kms/gcp (#2006 

    )

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.217.0 to 0.223.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.217.0...v0.223.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    @dependabot
    dependabot[bot] authored Mar 3, 2025
    Configuration menu
    Copy the full SHA
    341e085 View commit details
    Browse the repository at this point in the history

  8. build(deps): Bump github.com/google/go-cmp from 0.6.0 to 0.7.0 (#2007) 

    * build(deps): Bump github.com/google/go-cmp from 0.6.0 to 0.7.0

Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.6.0 to 0.7.0.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](google/go-cmp@v0.6.0...v0.7.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* go mod sync

Signed-off-by: cpanato <ctadeu@gmail.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: cpanato <ctadeu@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpanato <ctadeu@gmail.com>
    @dependabot @cpanato
    dependabot[bot] and cpanato authored Mar 3, 2025
    Configuration menu
    Copy the full SHA
    468a565 View commit details
    Browse the repository at this point in the history

  9. build(deps): Bump golang.org/x/oauth2 from 0.26.0 to 0.27.0 (#2008) 

    * build(deps): Bump golang.org/x/oauth2 from 0.26.0 to 0.27.0

Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.26.0 to 0.27.0.
- [Commits](golang/oauth2@v0.26.0...v0.27.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* go mod sync

Signed-off-by: cpanato <ctadeu@gmail.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: cpanato <ctadeu@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpanato <ctadeu@gmail.com>
    @dependabot @cpanato
    dependabot[bot] and cpanato authored Mar 3, 2025
    Configuration menu
    Copy the full SHA
    9c71796 View commit details
    Browse the repository at this point in the history

  10. build(deps): Bump github.com/aws/aws-sdk-go-v2/service/kms (#2009) 

    Bumps [github.com/aws/aws-sdk-go-v2/service/kms](https://github.com/aws/aws-sdk-go-v2) from 1.37.13 to 1.38.0.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/service/s3/v1.38.0/CHANGELOG.md)
- [Commits](aws/aws-sdk-go-v2@service/kms/v1.37.13...service/s3/v1.38.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/kms
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    @dependabot
    dependabot[bot] authored Mar 3, 2025
    Configuration menu
    Copy the full SHA
    ffbe3d5 View commit details
    Browse the repository at this point in the history

  11. build(deps): Bump cloud.google.com/go/kms in /pkg/signature/kms/gcp (#… 

    …2011)

Bumps [cloud.google.com/go/kms](https://github.com/googleapis/google-cloud-go) from 1.20.5 to 1.21.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md)
- [Commits](googleapis/google-cloud-go@kms/v1.20.5...kms/v1.21.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/kms
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    @dependabot
    dependabot[bot] authored Mar 3, 2025
    Configuration menu
    Copy the full SHA
    47d4326 View commit details
    Browse the repository at this point in the history

  12. build(deps): Bump actions/cache from 4.2.1 to 4.2.2 in the all group (#… 

    …2013)
    @dependabot
    dependabot[bot] authored Mar 3, 2025
    Configuration menu
    Copy the full SHA
    bf09332 View commit details
    Browse the repository at this point in the history

Commits on Mar 4, 2025

  1. pkg/signature: expose Algorithm Details information (#2001) 

    * pkg/signature: expose Algorithm Details information

Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>

* pkg/signature: remove AlgorithmDetails interface and just use struct

Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>

* pkg/signature: add comments to exported functions

Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>

---------

Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
    @ret2libc
    ret2libc authored Mar 4, 2025
    Configuration menu
    Copy the full SHA
    a304698 View commit details
    Browse the repository at this point in the history
Loading