Sync changes to SLFO-1.2 branch

_service

@@ -3,7 +3,7 @@
     <param name="url">https://github.com/sigstore/cosign</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="revision">v2.5.0</param>
+    <param name="revision">v2.5.3</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>
     <param name="versionrewrite-pattern">v(.*)</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/sigstore/cosign</param>
-              <param name="changesrevision">38bb98697005cdc5c092f031594c0e45d039f4a0</param></service></servicedata>
+              <param name="changesrevision">488ef8ceed5ab5d77379e9077a124a0d0df41d06</param></service></servicedata>

cosign.changes

@@ -1,3 +1,37 @@
+-------------------------------------------------------------------
+Fri Jul 18 11:54:31 UTC 2025 - meissner@suse.com
+
+- Update to version 2.5.3 (jsc#SLE-23879)
+  - Add signing-config create command (#4280)
+  - Allow multiple services to be specified for trusted-root create (#4285)
+  - force when copying the latest image to overwrite (#4298)
+  - Fix cert verification logic for trusted-root/SCTs (#4294)
+  - Fix lint error for types package (#4295)
+  - feat: Add OCI 1.1+ experimental support to tree (#4205)
+  - Add validity period end for trusted-root create (#4271)
+  - avoid double-loading trustedroot from file (#4264)
+- Update to 2.5.2:
+  - Do not load trusted root when CT env key is set
+  - docs: improve doc for --no-upload option (#4206)
+- Update to 2.5.1:
+  * Features
+    - Add Rekor v2 support for trusted-root create (#4242)
+    - Add baseUrl and Uri to trusted-root create command
+    - Upgrade to TUF v2 client with trusted root
+    - Don't verify SCT for a private PKI cert (#4225)
+    - Bump TSA library to relax EKU chain validation rules (#4219)
+  * Bug Fixes
+    - Bump sigstore-go to pick up log index=0 fix (#4162)
+    - remove unused recursive flag on attest command (#4187)
+  * Docs
+    - Fix indentation in verify-blob cmd examples (#4160)
+*  GO-2025-3660/ CVE-2025-46569: Fixed OPA server Data API HTTP path injection of Rego (bsc#1246725)
+
+-------------------------------------------------------------------
+Wed May 28 15:47:32 UTC 2025 - Marcus Meissner <meissner@suse.com>
+
+- switch to go1.24, enable fips build
+
 -------------------------------------------------------------------
 Sun Apr 13 11:23:56 UTC 2025 - meissner@suse.com
 

cosign.obsinfo

@@ -1,4 +1,4 @@
 name: cosign
-version: 2.5.0
-mtime: 1744058029
-commit: 38bb98697005cdc5c092f031594c0e45d039f4a0
+version: 2.5.3
+mtime: 1752782207
+commit: 488ef8ceed5ab5d77379e9077a124a0d0df41d06

cosign.spec

@@ -17,7 +17,7 @@
 
 
 Name:           cosign
-Version:        2.5.0
+Version:        2.5.3
 Release:        0
 Summary:        Container Signing, Verification and Storage in an OCI registry
 License:        Apache-2.0
@@ -26,7 +26,7 @@ Source:         https://github.com/sigstore/cosign/archive/refs/tags/v%{version}
 Source1:        vendor.tar.zst
 BuildRequires:  golang-packaging
 BuildRequires:  zstd
-BuildRequires:  golang(API) = 1.23
+BuildRequires:  golang(API) = 1.24
 
 %description
 Cosign aims to make signatures invisible infrastructure.
@@ -81,6 +81,7 @@ BUILD_DATE=$(date -u -d "@${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || dat
 CLI_PKG=sigs.k8s.io/release-utils/version
 CLI_LDFLAGS="-X ${CLI_PKG}.gitVersion=%{version} -X ${CLI_PKG}.gitCommit=$COMMIT_HASH -X ${CLI_PKG}.gitTreeState=release -X ${CLI_PKG}.buildDate=${BUILD_DATE}"
 
+export GOFIPS140=v1.0.0
 CGO_ENABLED=1 go build -mod=vendor -buildmode=pie -trimpath -ldflags "${CLI_LDFLAGS}" -o cosign ./cmd/cosign
 
 %check