diff --git a/_service b/_service index 28bad73..08ec141 100644 --- a/_service +++ b/_service @@ -2,7 +2,7 @@ https://github.com/rancherfederal/hauler git - v1.0.1 + v1.3.1 @PARENT_TAG@ v(.*) enable diff --git a/_servicedata b/_servicedata index a934111..604c7ea 100644 --- a/_servicedata +++ b/_servicedata @@ -1,4 +1,4 @@ https://github.com/rancherfederal/hauler - bb2a8bfbeca0f33998e0015e6f0cfeaa7ec3dc93 \ No newline at end of file + 5edc8802eec20adc7d0b75847f77446d6f531012 \ No newline at end of file diff --git a/hauler-1.0.1.tar.zst b/hauler-1.0.1.tar.zst deleted file mode 100644 index 6bf5450..0000000 --- a/hauler-1.0.1.tar.zst +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:4646f6e1493d727b809834a35680c05afe80a6a9b2ea738745e0dc21fb194fa5 -size 106519 diff --git a/hauler-1.3.1.tar.zst b/hauler-1.3.1.tar.zst new file mode 100644 index 0000000..31cc228 --- /dev/null +++ b/hauler-1.3.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:29d2ba55aa1559f81cec9d929459cbe1661b84b55be47b8d3bbcfed15cdd17ae +size 25692295 diff --git a/hauler.changes b/hauler.changes index 7f91042..c10d8ac 100644 --- a/hauler.changes +++ b/hauler.changes 
@@ -1,3 +1,218 @@ +------------------------------------------------------------------- +Mon Nov 10 15:08:12 UTC 2025 - Dirk Müller + +- Update to version 1.3.1 (bsc#1251516, CVE-2025-47911, + bsc#1251891, CVE-2025-11579, bsc#1251651, CVE-2025-58190, + bsc#1248937, CVE-2025-58058): + * bump github.com/containerd/containerd (#474) + * another fix to tests for new tests (#472) + * fixed typo in testdata (#471) + * fixed/cleaned new tests (#470) + * trying a new way for hauler testing (#467) + * update for cosign v3 verify (#469) + * added digests view to info (#465) + * bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 in the go_modules group across 1 directory (#457) + * update oras-go to v1.2.7 for security patches (#464) + * update cosign to v3.0.2+hauler.1 (#463) + * fixed homebrew directory deprecation (#462) + * add registry logout command (#460) + +------------------------------------------------------------------- +Mon Oct 27 08:34:44 UTC 2025 - Dirk Müller + +- Update to version 1.3.0: + * bump the go_modules group across 1 directory with 2 updates (#455) + * upgraded versions/dependencies/deprecations (#454) + * allow loading of docker tarballs (#452) + * bump the go_modules group across 1 directory with 2 updates (#449) + +------------------------------------------------------------------- +Mon Jul 21 12:28:01 UTC 2025 - Dirk Müller + +- update to 1.2.5 (bsc#1246722, CVE-2025-46569): + * Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in + the go_modules group across 1 directory (CVE-2025-46569) + * deprecate auth from hauler store copy + * Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the + go_modules group across 1 directory + * Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 + in the go_modules group across 1 directory + * upgraded go and dependencies versions + +------------------------------------------------------------------- +Mon Jul 21 12:23:59 UTC 2025 - Dirk Müller + +- Update to version 1.2.5: + * upgraded 
go and dependencies versions (#444) + * Bump github.com/go-viper/mapstructure/v2 (#442) + * bump github.com/cloudflare/circl (#441) + * deprecate auth from hauler store copy (#440) + * Bump github.com/open-policy-agent/opa (#438) + +------------------------------------------------------------------- +Thu May 1 16:34:57 UTC 2025 - Dirk Müller + +- update to 1.2.4 (CVE-2025-22872, bsc#1241804): + * Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules + group across 1 directory + * minor tests updates + +------------------------------------------------------------------- +Mon Apr 28 09:58:05 UTC 2025 - Dirk Müller + +- Update to version 1.2.3: + * formatting and flag text updates + * add keyless signature verification (#434) + * bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430) + * add --only flag to hauler store copy (for images) (#429) + * fix tlog verification error/warning output (#428) + +------------------------------------------------------------------- +Tue Apr 15 08:10:25 UTC 2025 - dmueller@suse.com + +- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406): + * cleanup new tlog flag typos and add shorthand (#426) + * default public transparency log verification to false to be airgap friendly but allow override (#425) + * bump github.com/golang-jwt/jwt/v4 (#423) + * bump the go_modules group across 1 directory with 2 updates (#422) + * bump github.com/go-jose/go-jose/v3 (#417) + * bump github.com/go-jose/go-jose/v4 (#415) + * clear default manifest name if product flag used with sync (#412) + * updates for v1.2.0 (#408) + * fixed remote code (#407) + * added remote file fetch to load (#406) + * added remote and multiple file fetch to sync (#405) + * updated save flag and related logs (#404) + * updated load flag and related logs [breaking change] (#403) + * updated sync flag and related logs [breaking change] (#402) + * upgraded api update to v1/updated dependencies (#400) + * fixed consts for oci declarations (#398) + * fix for 
correctly grabbing platform post cosign 2.4 updates (#393) + * use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390) + * Bump the go_modules group across 1 directory with 2 updates (#385) + * replace mholt/archiver with mholt/archives (#384) + * forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383) + * cleaned up registry and improved logging (#378) + * Bump golang.org/x/crypto in the go_modules group across 1 directory (#377) +- drop + 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + (upstream) + +------------------------------------------------------------------- +Wed Jan 29 10:25:57 UTC 2025 - Dirk Müller + +- add 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + to bump net/html dependencies (bsc#1235332, CVE-2024-45338) + +------------------------------------------------------------------- +Mon Jan 27 19:30:58 UTC 2025 - dmueller@suse.com + +- Update to version 1.1.1: + * fixed cli desc for store env var (#374) + * updated versions for go/k8s/helm (#373) + * updated version flag to internal/flags (#369) + * renamed incorrectly named consts (#371) + * added store env var (#370) + * adding ignore errors and retries for continue on error/fail on error (#368) + * updated/fixed hauler directory (#354) + * standardize consts (#353) + * removed cachedir code (#355) + * removed k3s code (#352) + * updated dependencies for go, helm, and k8s (#351) + * [feature] build with boring crypto where available (#344) + * updated workflow to goreleaser builds (#341) + * added timeout to goreleaser workflow (#340) + * trying new workflow build processes (#337) + * improved workflow performance (#336) + * have extract use proper ref (#335) + * yet another workflow goreleaser fix (#334) + * even more workflow fixes (#333) + * added more fixes to github workflow (#332) + * fixed typo in hauler store save (#331) + * updates to fix build processes (#330) + * added integration tests for non hauler 
tarballs (#325) + * bump: golang >= 1.23.1 (#328) + * add platform flag to store save (#329) + * Update feature_request.md + * updated/standardize command descriptions (#313) + * use new annotation for 'store save' manifest.json (#324) + * enable docker load for hauler tarballs (#320) + * bump to cosign v2.2.3-carbide.3 for new annotation (#322) + * continue on error when adding images to store (#317) + * Update README.md (#318) + * fixed completion commands (#312) + * github.com/rancherfederal/hauler => hauler.dev/go/hauler (#311) + * pages: enable go install hauler.dev/go/hauler (#310) + * Create CNAME + * pages: initial workflow (#309) + * testing and linting updates (#305) + * feat-273: TLS Flags (#303) + * added list-repos flag (#298) + * fixed hauler login typo (#299) + * updated cobra function for shell completion (#304) + * updated install.sh to remove github api (#293) + * fix image ref keys getting squashed when containing sigs/atts (#291) + * fix missing versin info in release build (#283) + * bump github.com/docker/docker in the go_modules group across 1 directory (#281) + * updated install script (`install.sh`) (#280) + * fix digest images being lost on load of hauls (Signed). 
(#259) + * feat: add readonly flag (#277) + * fixed makefile for goreleaser v2 changes (#278) + * updated goreleaser versioning defaults (#279) + * update feature_request.md (#274) + * updated old references + * updated actions workflow user + * added dockerhub to github actions workflow + * removed helm chart + * added debug container and workflow + * updated products flag description + * updated chart for release + * fixed workflow errors/warnings + * fixed permissions on testdata + * updated chart versions (will need to update again) + * last bit of fixes to workflow + * updated unit test workflow + * updated goreleaser deprecations + * added helm chart release job + * updated github template names + * updated imports (and go fmt) + * formatted gitignore to match dockerignore + * formatted all code (go fmt) + * updated chart tests for new features + * Adding the timeout flag for fileserver command + * Configure chart commands to use helm clients for OCI and private registry support + * Added some documentation text to sync command + * Bump golang.org/x/net from 0.17.0 to 0.23.0 + * fix for dup digest smashing in cosign + * removed vagrant scripts + * last bit of updates and formatting of chart + * updated hauler testdata + * adding functionality and cleaning up + * added initial helm chart + * removed tag in release workflow + * updated/fixed image ref in release workflow + * updated/fixed platforms in release workflow + * updated/cleaned github actions (#222) + * Make Product Registry configurable (#194) + * updated fileserver directory name (#219) + * fix logging for files + * add extra info for the tempdir override flag + * tempdir override flag for load + * deprecate the cache flag instead of remove + * switch to using bci-golang as builder image + * fix: ensure /tmp for hauler store load + * added the copy back for now + * remove copy at the image sync not needed with cosign update + * removed misleading cache flag + * better logging when adding to store + 
* update to v2.2.3 of our cosign fork + * add: dockerignore + * add: Dockerfile + * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 + * Bump github.com/docker/docker + * updated and added new logos + * updated github files + ------------------------------------------------------------------- Tue Apr 2 14:55:42 UTC 2024 - Dirk Müller diff --git a/hauler.spec b/hauler.spec index 3eef02d..e5f1e1c 100644 --- a/hauler.spec +++ b/hauler.spec @@ -1,7 +1,7 @@ # # spec file for package hauler # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,8 +17,8 @@ Name: hauler -Version: 1.0.1 -%global git_commit bb2a8bfbeca0f33998e0015e6f0cfeaa7ec3dc93 +Version: 1.3.1 +%global git_commit 5edc8802eec20adc7d0b75847f77446d6f531012 Release: 0 Summary: Airgap Swiss Army Knife License: Apache-2.0 @@ -30,7 +30,7 @@ ExclusiveArch: x86_64 aarch64 BuildRequires: cosign BuildRequires: golang-packaging BuildRequires: zstd -BuildRequires: golang(API) = 1.21 +BuildRequires: golang(API) = 1.25 %description Rancher Government Hauler simplifies the airgap experience without requiring diff --git a/vendor.tar.zst b/vendor.tar.zst index fca400d..478ac39 100644 --- a/vendor.tar.zst +++ b/vendor.tar.zst @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:c84a996fcc6495e99813d49ee5fef30a048aa1eaf114efd58eba7cde9c6649e6 -size 6830602 +oid sha256:e51a71e7ed12d40cafa4b56c098c168e17182280dc2669b60fb73241c87a58b4 +size 15144124
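Review bot: the new LFS pointer hauler-1.3.1.tar.zst records `size 25692295`, while the deleted hauler-1.0.1.tar.zst had `size 106519`, and nothing in hauler.changes explains why the source archive grew roughly 240 times. Please list the archive contents and say in the changelog what accounts for the growth. If it is test fixtures (the 1.3.1 entry mentions new tests and testdata), consider leaving them out of the generated archive so the reviewed source stays close to what is actually built.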
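Review bot: hauler.changes gains two entries for the same release, `Mon Jul 21 12:28:01 UTC 2025` ("update to 1.2.5 (bsc#1246722, CVE-2025-46569)") and `Mon Jul 21 12:23:59 UTC 2025` ("Update to version 1.2.5"), and both list the same five upstream changes. Merge them into one entry that keeps the bsc/CVE reference. In the 1.3.1 entry the header cites four CVEs, but the bullets do not say which dependency bump addresses which one; tagging the relevant lines the way the 1.2.5 entry tags the opa bump with CVE-2025-46569 would let someone confirm each fix is really in the vendored tree.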
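Review bot: in hauler.spec, `BuildRequires: golang(API) = 1.25` is an exact pin that jumps from `= 1.21`, yet the only Go floor the changelog states is "bump: golang >= 1.23.1 (#328)"; the later "upgraded go and dependencies versions" lines give no number. Please note where the 1.25 requirement comes from and confirm every build target provides that toolchain. The unchanged `BuildRequires: cosign` is also worth rechecking, since the 1.2.2 entry says cosign is now used "as a library vs embedded binary (#383)"; if the build no longer calls the external tool, drop the dependency.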
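Review bot: the vendor.tar.zst pointer changes from `size 6830602` to `size 15144124` with only a new sha256 to go on, so the vendored dependencies that carry the CVE fixes cannot be checked from this diff. Please state in the submission that the archive was regenerated from the module files at `git_commit 5edc8802eec20adc7d0b75847f77446d6f531012`, the same revision recorded in _servicedata and hauler.spec, so a reviewer can reproduce it and compare digests.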