Accepting request 1323778 from security

- Update to version 3.0.3:
  * 4554: Closes 4554 - Add warning when --output* is used (#4556)
  * chore(deps): bump golangci/golangci-lint-action from 8.0.0 to 9.1.0 (#4545)
  * chore(deps): bump github.com/buildkite/agent/v3 from 3.111.0 to 3.113.0 (#4542)
  * chore(deps): bump github.com/awslabs/amazon-ecr-credential-helper/ecr-login (#4543)
  * chore(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#4546)
  * chore(deps): bump the actions group with 4 updates (#4544)
  * chore(deps): bump the gomod group across 1 directory with 5 updates (#4567)
  * chore(deps): bump golang from 1.25.4 to 1.25.5 in the all group (#4568)
  * update builder to use go1.25.5 (#4566)
  * Protobuf bundle support for subcommand `clean` (#4539)
  * Add staging flag to initialize with staging TUF metadata
  * update slack invite link (#4560)
  * Updating sign-blob to also support signing with a certificate (#4547)
  * Bump sigstore library dependencies (#4532)
  * Protobuf bundle support for subcommands `save` and `load` (#4538)
  * Fix cert attachment for new bundle with signing config
  * Fix OCI verification with local cert - old bundle
  * chore(deps): bump github.com/sigstore/fulcio from 1.7.1 to 1.8.1 (#4519)
  * chore(deps): bump golang.org/x/crypto in /test/fakeoidc (#4535)
  * chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#4536)
  * update go builder and cosign (#4529)
  * chore(deps): bump the gomod group across 1 directory with 7 updates (#4528)
  * chore(deps): bump sigstore/cosign-installer from 3.10.0 to 4.0.0 (#4478)
  * chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4520)
  * chore(deps): bump golang from 1.25.3 to 1.25.4 in the all group (#4515)
  * chore(deps): bump golang.org/x/oauth2 from 0.32.0 to 0.33.0 (#4518)
  * chore(deps): bump cuelang.org/go from 0.14.2 to 0.15.0 (#4524)
  * chore(deps): bump github.com/open-policy-agent/opa from 1.9.0 to 1.10.1 (#4521)
  * chore(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#4502) (forwarded request 1322929 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/1323778
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cosign?expand=0&rev=30

_service

@@ -3,7 +3,7 @@
     <param name="url">https://github.com/sigstore/cosign</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="revision">v2.5.0</param>
+    <param name="revision">v3.0.3</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>
     <param name="versionrewrite-pattern">v(.*)</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/sigstore/cosign</param>
-              <param name="changesrevision">38bb98697005cdc5c092f031594c0e45d039f4a0</param></service></servicedata>
+              <param name="changesrevision">3f32cea203c59a93323a6bebfebff03417520143</param></service></servicedata>

cosign-3.0.3.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:03dd3d8bdf710dd4eba957be3e8895995813c51713b6d080147e8b710482c970
+size 4057100

cosign-3.0.3.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0cea36c79cd4083ce62c7d20a6b54d0550424576bcffc056e948354e5391b6ed
+size 949214

cosign.changes

@@ -1,3 +1,161 @@
+-------------------------------------------------------------------
+Wed Dec 10 14:35:48 UTC 2025 - meissner@suse.com
+
+- Update to version 3.0.3:
+  * 4554: Closes 4554 - Add warning when --output* is used (#4556)
+  * chore(deps): bump golangci/golangci-lint-action from 8.0.0 to 9.1.0 (#4545)
+  * chore(deps): bump github.com/buildkite/agent/v3 from 3.111.0 to 3.113.0 (#4542)
+  * chore(deps): bump github.com/awslabs/amazon-ecr-credential-helper/ecr-login (#4543)
+  * chore(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#4546)
+  * chore(deps): bump the actions group with 4 updates (#4544)
+  * chore(deps): bump the gomod group across 1 directory with 5 updates (#4567)
+  * chore(deps): bump golang from 1.25.4 to 1.25.5 in the all group (#4568)
+  * update builder to use go1.25.5 (#4566)
+  * Protobuf bundle support for subcommand `clean` (#4539)
+  * Add staging flag to initialize with staging TUF metadata
+  * update slack invite link (#4560)
+  * Updating sign-blob to also support signing with a certificate (#4547)
+  * Bump sigstore library dependencies (#4532)
+  * Protobuf bundle support for subcommands `save` and `load` (#4538)
+  * Fix cert attachment for new bundle with signing config
+  * Fix OCI verification with local cert - old bundle
+  * chore(deps): bump github.com/sigstore/fulcio from 1.7.1 to 1.8.1 (#4519)
+  * chore(deps): bump golang.org/x/crypto in /test/fakeoidc (#4535)
+  * chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#4536)
+  * update go builder and cosign (#4529)
+  * chore(deps): bump the gomod group across 1 directory with 7 updates (#4528)
+  * chore(deps): bump sigstore/cosign-installer from 3.10.0 to 4.0.0 (#4478)
+  * chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4520)
+  * chore(deps): bump golang from 1.25.3 to 1.25.4 in the all group (#4515)
+  * chore(deps): bump golang.org/x/oauth2 from 0.32.0 to 0.33.0 (#4518)
+  * chore(deps): bump cuelang.org/go from 0.14.2 to 0.15.0 (#4524)
+  * chore(deps): bump github.com/open-policy-agent/opa from 1.9.0 to 1.10.1 (#4521)
+  * chore(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#4502)
+  * chore(deps): bump the actions group across 1 directory with 2 updates (#4516)
+  * chore(deps): bump github.com/buildkite/agent/v3 from 3.110.0 to 3.111.0 (#4523)
+  * chore(deps): bump github.com/theupdateframework/go-tuf/v2 (#4522)
+  * Deprecate tlog-upload flag (#4458)
+  * fix: Use signal context for `sign` cli package.
+  * update offline verification directions (#4526)
+  * Fix signing/verifying annotations for new bundle
+  * Add support to download and attach for protobuf bundles (#4477)
+  * Add --signing-algorithm flag (#3497)
+  * Refactor signcommon bundle helpers
+  * Add --bundle and fix --upload for new bundle
+  * Pass insecure registry flags through to referrers
+  * chore(deps): bump github.com/buildkite/agent/v3 from 3.108.0 to 3.109.1 (#4483)
+  * Add protobuf bundle support for tree subcommand (#4491)
+  * Remove stale embed import (#4492)
+  * Support multiple container identities
+  * chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4484)
+  * chore(deps): bump chainguard-dev/actions in the actions group (#4480)
+  * chore(deps): bump github.com/sigstore/rekor-tiles/v2 (#4485)
+  * chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0 (#4486)
+  * chore(deps): bump cuelang.org/go in the gomod group (#4479)
+  * upgrade OSS-Fuzz build tooling (#4487)
+  * Fix segfault when no attestations are found (#4472)
+  * Use overridden repository for new bundle format (#4473)
+  * update go to 1.25.3 (#4471)
+  * Remove --out flag from `cosign initialize` (#4462)
+  * chore(deps): bump the actions group with 2 updates (#4460)
+  * Deprecate offline flag (#4457)
+  * Deduplicate code in sign/attest* and verify* commands (#4449)
+  * Cache signing config when calling initialize (#4456)
+  * Update changelog for v3.0.2 (#4455)
+  * chore(deps): bump google.golang.org/api from 0.250.0 to 0.251.0
+  * chore(deps): bump gitlab.com/gitlab-org/api/client-go
+  * chore(deps): bump the actions group with 3 updates
+  * chore(deps): bump github.com/buildkite/agent/v3 from 3.107.2 to 3.108.0
+  * choose different signature filename for KMS-signed release signatures (#4448)
+  * chore(deps): bump github.com/go-jose/go-jose/v4 (#4451)
+  * Update rekor-tiles version path
+  * update CL for v3.0.1 release (#4447)
+  * update goreleaser config for v3.0.0 release (#4446)
+  * Create changelog for v3.0.0 (#4440)
+  * Fetch service URLs from the TUF PGI signing config by default (#4428)
+  * Create changelog for v2.6.1 (#4439)
+  * chore(deps): bump google.golang.org/api from 0.249.0 to 0.250.0 (#4432)
+  * chore(deps): bump the gomod group with 2 updates (#4429)
+  * chore(deps): bump github.com/open-policy-agent/opa from 1.8.0 to 1.9.0 (#4433)
+  * chore(deps): bump the actions group with 3 updates (#4434)
+  * chore(deps): bump github.com/go-openapi/swag from 0.24.1 to 0.25.1 (#4435)
+  * chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4436)
+  * chore(deps): bump github.com/go-openapi/runtime from 0.28.0 to 0.29.0 (#4437)
+  * Bump module version to v3 for Cosign v3.0 (#4427)
+  * Move sigstore-conformance back to tagged release (#4425)
+  * Bump sigstore-go to v1.1.3 (#4423)
+  * Partially populate the output of cosign verify when working with new bundles (#4416)
+  * chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4419)
+  * chore(deps): bump github.com/theupdateframework/go-tuf/v2 (#4418)
+  * chore(deps): bump github.com/buildkite/agent/v3 from 3.105.0 to 3.107.0 (#4420)
+  * chore(deps): bump chainguard-dev/actions in the actions group (#4421)
+  * bump go builder to use 1.25.1 and cosign (#4417)
+  * Bump sigstore-go for more precise user agents (#4413)
+  * chore(deps): bump github.com/spf13/viper from 1.20.1 to 1.21.0 (#4408)
+  * chore(deps): bump the actions group with 2 updates (#4407)
+  * chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4410)
+  * chore(deps): bump github.com/buildkite/agent/v3 from 3.104.0 to 3.105.0 (#4411)
+  * Default to using the new protobuf format (#4318)
+
+-------------------------------------------------------------------
+Thu Sep 18 13:33:58 UTC 2025 - Marcus Meissner <meissner@suse.com>
+
+- Update to version 2.6.0:
+  - Require exclusively a SigningConfig or service URLs when signing (#4403)
+  - Add a terminal spinner while signing with sigstore-go (#4402)
+  - Bump sigstore-go, support alternative hash algorithms with keys (#4386)
+  - Add support for SigningConfig in sign/attest (#4371)
+  - Support self-managed keys when signing with sigstore-go (#4368)
+  - Remove SHA256 assumption in sign-blob/verify-blob (#4050)
+  - introduce dockerfile to pin the go version to decouple go version from go.mod (#4369)
+  - refactor: extract function to write referrer attestations (#4357)
+  - Break import cycle with e2e build tag (#4370)
+  - Update conformance test binary for signing config (#4367)
+  - update builder image to use go1.25 (#4366)
+  - Don't load content from TUF if trusted root path is specified (#4347)
+  - Don't require timestamps when verifying with a key (#4337)
+  - Fixes to cosign sign / verify for the new bundle format (#4346)
+  - update builder to use go1.24.6 (#4334)
+  - bump golangci-lint to v2.3.x (#4333)
+  - Have cosign sign support bundle format (#4316)
+  - Add support for SigningConfig for sign-blob/attest-blob, support Rekor v2 (#4319)
+  - Verify subject with bundle only when checking claims (#4320)
+  - Add to `attest-blob` the ability to supply a complete in-toto statement, and add to `verify-blob-attestation` the ability to verify with just a digest (#4306)
+
+-------------------------------------------------------------------
+Fri Jul 18 11:54:31 UTC 2025 - meissner@suse.com
+
+- Update to version 2.5.3 (jsc#SLE-23879)
+  - Add signing-config create command (#4280)
+  - Allow multiple services to be specified for trusted-root create (#4285)
+  - force when copying the latest image to overwrite (#4298)
+  - Fix cert verification logic for trusted-root/SCTs (#4294)
+  - Fix lint error for types package (#4295)
+  - feat: Add OCI 1.1+ experimental support to tree (#4205)
+  - Add validity period end for trusted-root create (#4271)
+  - avoid double-loading trustedroot from file (#4264)
+- Update to 2.5.2:
+  - Do not load trusted root when CT env key is set
+  - docs: improve doc for --no-upload option (#4206)
+- Update to 2.5.1:
+  * Features
+    - Add Rekor v2 support for trusted-root create (#4242)
+    - Add baseUrl and Uri to trusted-root create command
+    - Upgrade to TUF v2 client with trusted root
+    - Don't verify SCT for a private PKI cert (#4225)
+    - Bump TSA library to relax EKU chain validation rules (#4219)
+  * Bug Fixes
+    - Bump sigstore-go to pick up log index=0 fix (#4162)
+    - remove unused recursive flag on attest command (#4187)
+  * Docs
+    - Fix indentation in verify-blob cmd examples (#4160)
+*  GO-2025-3660/ CVE-2025-46569: Fixed OPA server Data API HTTP path injection of Rego (bsc#1246725)
+
+-------------------------------------------------------------------
+Wed May 28 15:47:32 UTC 2025 - Marcus Meissner <meissner@suse.com>
+
+- switch to go1.24, enable fips build
+
 -------------------------------------------------------------------
 Sun Apr 13 11:23:56 UTC 2025 - meissner@suse.com
 

cosign.obsinfo

@@ -1,4 +1,4 @@
 name: cosign
-version: 2.5.0
-mtime: 1744058029
-commit: 38bb98697005cdc5c092f031594c0e45d039f4a0
+version: 3.0.3
+mtime: 1765324943
+commit: 3f32cea203c59a93323a6bebfebff03417520143

cosign.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package cosign
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           cosign
-Version:        2.5.0
+Version:        3.0.3
 Release:        0
 Summary:        Container Signing, Verification and Storage in an OCI registry
 License:        Apache-2.0
@@ -26,7 +26,7 @@ Source:         https://github.com/sigstore/cosign/archive/refs/tags/v%{version}
 Source1:        vendor.tar.zst
 BuildRequires:  golang-packaging
 BuildRequires:  zstd
-BuildRequires:  golang(API) = 1.23
+BuildRequires:  golang(API) = 1.25
 
 %description
 Cosign aims to make signatures invisible infrastructure.
@@ -81,6 +81,7 @@ BUILD_DATE=$(date -u -d "@${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || dat
 CLI_PKG=sigs.k8s.io/release-utils/version
 CLI_LDFLAGS="-X ${CLI_PKG}.gitVersion=%{version} -X ${CLI_PKG}.gitCommit=$COMMIT_HASH -X ${CLI_PKG}.gitTreeState=release -X ${CLI_PKG}.buildDate=${BUILD_DATE}"
 
+export GOFIPS140=v1.0.0
 CGO_ENABLED=1 go build -mod=vendor -buildmode=pie -trimpath -ldflags "${CLI_LDFLAGS}" -o cosign ./cmd/cosign
 
 %check