Accepting request 1318184 from security

update to 1.4.3 (forwarded request 1318133 from ojkastl_buildservice)

OBS-URL: https://build.opensuse.org/request/show/1318184
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=30

_service

@@ -3,7 +3,7 @@
     <param name="url">https://github.com/sigstore/rekor</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="revision">v1.3.10</param>
+    <param name="revision">v1.4.3</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="changesgenerate">enable</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/sigstore/rekor</param>
-              <param name="changesrevision">4118a64b4b9c228a968b2d935a00807ca1b33aed</param></service></servicedata>
+              <param name="changesrevision">cb5b1d5f364a8437e1c6c857b200283e2dcc2b29</param></service></servicedata>

rekor-1.4.3.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0f468e91542ddcee9fb59a64c04eed924ac1a10826c2bddafe261fad54182944
+size 3398668

rekor.changes

@@ -1,3 +1,283 @@
+-------------------------------------------------------------------
+Mon Nov 17 06:20:08 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- Update to version 1.4.3:
+  This release reduces dependencies for a number of exported
+  packages.
+  This release also changes the format of the binary and container
+  signature, which is now a Sigstore bundle. To verify a release,
+  use the latest Cosign 3.x, verifying with
+
+    cosign verify-blob --bundle <artifact>-keyless.sigstore.json <artifact>.
+
+  * Improvements
+    - use interruptable context to elegantly handle signals in
+      rekor-cli (#2681)
+    - restapi: Don't log client errors as errors (#2680)
+    - pkg: separate pki types from implementations (#2668)
+    - e2e: don't mix e2e and regular utilities (#2672)
+    - pkg: remove viper config from spec definitions (#2669)
+    - log: remove zap & go-chi dependecy from pkg/types (#2667)
+    - chore: update go-openapi/runtime to v0.29.0 (#2670)
+    - chore: remove double imported mapstructure pkg (#2671)
+    - remove archived dependency and use stdlib slices (#2650)
+  * Documentation
+    - (docs): guard unsafe int/uint conversions flagged by gosec
+      (#2679)
+  * Dependencies
+    - build(deps): Bump actions/setup-go from 5.5.0 to 6.0.0
+    - build(deps): Bump actions/upload-artifact from 4.6.2 to 5.0.0
+    - build(deps): Bump cloud.google.com/go/pubsub/v2 from 2.0.0 to
+      2.3.0 (#2654)
+    - build(deps): Bump github.com/go-openapi/loads from 0.22.0 to
+      0.23.1 (#2632)
+    - build(deps): Bump github.com/go-openapi/swag from 0.24.1 to
+      0.25.1 (#2666)
+    - build(deps): Bump github.com/go-openapi/swag/conv from 0.24.0
+      to 0.25.1 (#2628)
+    - build(deps): Bump github.com/go-openapi/validate from 0.24.0
+      to 0.25.0 (#2629)
+    - build(deps): Bump github.com/go-swagger/go-swagger from
+      0.32.3 to 0.33.1 in /hack/tools in the all group (#2643)
+    - build(deps): Bump github.com/redis/go-redis/v9 from 9.12.1 to
+      9.13.0
+    - build(deps): Bump github.com/redis/go-redis/v9 from 9.13.0 to
+      9.14.0
+    - build(deps): Bump github.com/spf13/cobra from 1.9.1 to 1.10.1
+    - build(deps): Bump github.com/spf13/viper from 1.20.1 to
+      1.21.0
+    - build(deps): Bump github.com/tink-crypto/tink-go/v2 from
+      2.4.0 to 2.5.0 (#2661)
+    - build(deps): Bump github/codeql-action from 3.30.3 to 4.30.9
+      (#2645)
+    - build(deps): Bump github/codeql-action in the all group
+      (#2659)
+    - build(deps): Bump github/codeql-action in the all group
+      (#2663)
+    - build(deps): Bump go.step.sm/crypto from 0.70.0 to 0.72.0
+      (#2651)
+    - build(deps): Bump go.step.sm/crypto from 0.73.0 to 0.74.0
+      (#2674)
+    - build(deps): Bump golang from 1.25.0 to 1.25.1 in the all
+      group (#2611)
+    - build(deps): Bump golang from 1.25.1 to 1.25.2 in the all
+      group (#2644)
+    - build(deps): Bump golang from 1.25.2 to 1.25.3 in the all
+      group
+    - build(deps): Bump golang from 1.25.3 to 1.25.4 in the all
+      group (#2675)
+    - build(deps): Bump golang from `a5e935d` to `8305f5f`
+    - build(deps): Bump golang.org/x/mod from 0.27.0 to 0.28.0
+    - build(deps): Bump golang.org/x/mod from 0.28.0 to 0.29.0
+      (#2665)
+    - build(deps): Bump golang.org/x/net from 0.43.0 to 0.44.0
+    - build(deps): Bump golang.org/x/net from 0.44.0 to 0.46.0
+      (#2656)
+    - build(deps): Bump golang.org/x/sync from 0.16.0 to 0.17.0
+    - build(deps): Bump google.com/cloudsdktool/google-cloud-cli
+    - build(deps): Bump google.com/cloudsdktool/google-cloud-cli
+    - build(deps): Bump google.com/cloudsdktool/google-cloud-cli
+      (#2618)
+    - build(deps): Bump google.com/cloudsdktool/google-cloud-cli
+      (#2642)
+    - build(deps): Bump google.com/cloudsdktool/google-cloud-cli
+      (#2658)
+    - build(deps): Bump google.com/cloudsdktool/google-cloud-cli
+      (#2660)
+    - build(deps): Bump google.com/cloudsdktool/google-cloud-cli
+      (#2676)
+    - build(deps): Bump google.golang.org/api from 0.248.0 to
+      0.249.0
+    - build(deps): Bump google.golang.org/api from 0.249.0 to
+      0.252.0 (#2648)
+    - build(deps): Bump google.golang.org/api from 0.252.0 to
+      0.253.0 (#2653)
+    - build(deps): Bump google.golang.org/grpc from 1.75.1 to
+      1.76.0 (#2652)
+    - build(deps): Bump sigstore/cosign-installer from 3.10.0 to
+      4.0.0 (#2646)
+    - build(deps): Bump sigstore/scaffolding/trillian_log_server
+      (#2636)
+    - build(deps): Bump sigstore/scaffolding/trillian_log_server
+      (#2678)
+    - build(deps): Bump sigstore/scaffolding/trillian_log_signer
+      (#2635)
+    - build(deps): Bump sigstore/scaffolding/trillian_log_signer
+      (#2677)
+    - build(deps): Bump the all group across 1 directory with 5
+      updates (#2647)
+    - build(deps): Bump the all group with 2 updates
+    - build(deps): Bump the all group with 2 updates
+    - build(deps): Bump the all group with 2 updates
+    - build(deps): Bump the all group with 3 updates
+    - build(deps): Bump the all group with 7 updates (#2673)
+
+-------------------------------------------------------------------
+Thu Sep 18 13:01:07 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- Update to version 1.4.2:
+  * build(deps): Bump google-github-actions/auth from 2.1.12 to
+    3.0.0 by @dependabot[bot] in #2601
+  * build(deps): Bump github/codeql-action from 3.29.11 to 3.30.0
+    in the all group by @dependabot[bot] in #2602
+  * build(deps): Bump the all group with 3 updates by
+    @dependabot[bot] in #2599
+  * optimize performance of regex operations by @bobcallaway in
+    #2603
+  * move to direct decoding instead of mapstructure by @bobcallaway
+    in #2598
+  * build(deps): Bump github.com/go-openapi/swag from 0.23.1 to
+    0.24.1 by @dependabot[bot] in #2600
+  * build(deps): Bump golang from 1.24.6 to 1.25.0 in the all group
+    by @dependabot[bot] in #2587
+  * process type contents serially by @bobcallaway in #2604
+  * use pubsub client to check IAM permissions by @bobcallaway in
+    #2605
+  * add changelog for v1.4.2 by @bobcallaway in #2606
+
+-------------------------------------------------------------------
+Mon Sep 01 11:06:50 UTC 2025 - Marcus Meissner <meissner@suse.com>
+
+- Update to version 1.4.1 (jsc#SLE-23476)::
+  * build(deps): Bump github.com/ulikunitz/xz from 0.5.12 to 0.5.14 (#2596)
+    CVE-2025-58058: rekor: github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory: (bsc#1248910)
+  * build(deps): Bump github.com/redis/go-redis/v9 from 9.11.0 to 9.12.1
+    CVE-2025-29923: rekor: github.com/redis/go-redis: potential out of order responses when `CLIENT SETINFO` times out during connection establishment (bsc#1241153)
+  * use less expensive gRPC call to implement GetLeafAndProofByHash (#2581)
+  * move to per-shard trillian client manager (#2564)
+  * use cheaper gRPC endpoint when we already have the inclusion proof (#2580)
+  * simplify hash and signature verification in rekord type (#2579)
+  * return correct error if GetLeafAndProofByHash fails (#2574)
+
+-------------------------------------------------------------------
+Sun Aug 03 12:03:29 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- Update to version 1.4.0:
+  * changelog for v1.4.0 release (#2550)
+  * enable retries and timeouts on GCP KMS calls (#2548)
+  * allow configuring gRPC default service config for trillian
+    client load balancing & timeouts (#2549)
+  * remove stable checkpoint feature (#2537)
+  * build(deps): Bump sigs.k8s.io/release-utils from 0.11.1 to
+    0.12.0
+  * build(deps): Bump golang.org/x/net from 0.41.0 to 0.42.0
+    (#2544)
+  * build(deps): Bump the all group with 3 updates (#2545)
+  * fix lints
+  * bump golangci-lint to v2.2.x
+  * use go1.24.5 to build rekor
+  * build(deps): Bump google.golang.org/api from 0.238.0 to 0.242.0
+    (#2543)
+  * build(deps): Bump golang.org/x/sync from 0.15.0 to 0.16.0
+    (#2541)
+  * build(deps): Bump github.com/spf13/pflag in the all group
+    (#2542)
+  * build(deps): Bump github.com/sigstore/protobuf-specs from 0.4.3
+    to 0.5.0
+  * move context handling in trillian RPC calls to be request based
+    and idiomatic (#2536)
+  * build(deps): Bump github.com/go-viper/mapstructure/v2 (#2522)
+  * build(deps): Bump golang from 1.24.4 to 1.24.5 in the all group
+    (#2534)
+  * build(deps): Bump the all group with 2 updates (#2518)
+  * build(deps): Bump the all group with 2 updates (#2524)
+  * build(deps): Bump sigstore/scaffolding/trillian_log_server
+    (#2527)
+  * build(deps): Bump sigstore/scaffolding/trillian_log_signer
+    (#2526)
+  * build(deps): Bump github.com/go-viper/mapstructure/v2 in
+    /hack/tools (#2523)
+  * backoff pubsub emulator to last-known good (#2535)
+  * build(deps): Bump golang from `db5d0af` to `10c1318`
+  * build(deps): Bump sigstore/cosign-installer in the all group
+  * build(deps): Bump google.com/cloudsdktool/google-cloud-cli
+  * build(deps): Bump google.golang.org/api from 0.237.0 to 0.238.0
+  * build(deps): Bump go.step.sm/crypto from 0.66.0 to 0.67.0
+  * build(deps): Bump github/codeql-action in the all group
+  * build(deps): Bump google.golang.org/api from 0.236.0 to 0.237.0
+  * build(deps): Bump the all group with 7 updates
+  * Update GoReleaser configurations (#2511)
+  * update builder to use go1.24.4
+  * build(deps): Bump google.golang.org/grpc from 1.72.2 to 1.73.0
+  * build(deps): Bump golang.org/x/net from 0.40.0 to 0.41.0
+  * build(deps): Bump github.com/redis/go-redis/v9 from 9.9.0 to
+    9.10.0
+  * build(deps): Bump google.golang.org/api from 0.235.0 to 0.236.0
+  * build(deps): Bump golang from 1.24.3 to 1.24.4 in the all group
+  * build(deps): Bump github.com/go-swagger/go-swagger
+  * build(deps): Bump github/codeql-action in the all group
+  * build(deps): Bump google.com/cloudsdktool/google-cloud-cli
+  * build(deps): Bump github.com/google/rpmpack from 0.6.0 to 0.7.0
+  * build(deps): Bump github.com/redis/go-redis/v9 from 9.8.0 to
+    9.9.0
+  * build(deps): Bump google.com/cloudsdktool/google-cloud-cli
+  * build(deps): Bump go.step.sm/crypto from 0.64.0 to 0.66.0
+  * build(deps): Bump google.golang.org/api from 0.234.0 to 0.235.0
+  * build(deps): Bump golang from `4c0a181` to `81bf592`
+  * build(deps): Bump google.golang.org/api from 0.233.0 to 0.234.0
+  * build(deps): Bump golang from `86b4cff` to `4c0a181`
+  * build(deps): Bump google.com/cloudsdktool/google-cloud-cli
+  * build(deps): Bump google.golang.org/grpc in the all group
+  * build(deps): Bump go.step.sm/crypto from 0.63.0 to 0.64.0
+  * Don't initialize index storage with stable checkpoint
+    publishing (#2486)
+  * build(deps): Bump golang from `39d9e7d` to `86b4cff`
+  * build(deps): Bump google.com/cloudsdktool/google-cloud-cli
+  * build(deps): Bump the all group with 2 updates
+  * build(deps): Bump google.golang.org/api from 0.232.0 to 0.233.0
+  * build(deps): Bump the all group with 2 updates
+  * Fix docker compose up --wait failing when Trillian server isn't
+    healthy (#2473)
+  * build(deps): Bump golang.org/x/crypto from 0.37.0 to 0.38.0
+    (#2477)
+  * build(deps): Bump golang.org/x/net from 0.39.0 to 0.40.0
+    (#2475)
+  * build(deps): Bump golang from 1.24.2 to 1.24.3 in the all group
+    (#2480)
+  * build(deps): Bump google.golang.org/api from 0.231.0 to 0.232.0
+  * build(deps): Bump google.com/cloudsdktool/google-cloud-cli
+    (#2478)
+  * build(deps): Bump actions/setup-go from 5.4.0 to 5.5.0 in the
+    all group (#2474)
+  * build(deps): Bump github.com/redis/go-redis/v9 from 9.7.3 to
+    9.8.0 (#2470)
+  * build(deps): Bump golangci/golangci-lint-action from 7.0.0 to
+    8.0.0 (#2471)
+  * build(deps): Bump google.golang.org/api from 0.230.0 to 0.231.0
+  * build(deps): Bump go.step.sm/crypto from 0.61.0 to 0.63.0
+    (#2468)
+  * build(deps): Bump github/codeql-action in the all group (#2467)
+  * build(deps): Bump golang from `d9db321` to `30baaea` (#2469)
+  * build(deps): Bump google.com/cloudsdktool/google-cloud-cli
+    (#2466)
+  * build(deps): Bump the all group with 2 updates
+  * build(deps): Bump google.golang.org/api from 0.229.0 to 0.230.0
+  * build(deps): Bump the all group with 3 updates
+  * build(deps): Bump google.com/cloudsdktool/google-cloud-cli
+    (#2462)
+  * Bump sigstore/sigstore, use shared Tink library (#2461)
+  * better mysql healthcheck (#2459)
+  * build(deps): Bump sigs.k8s.io/release-utils from 0.8.4 to
+    0.11.1
+  * build(deps): Bump google.golang.org/grpc from 1.71.1 to 1.72.0
+  * build(deps): Bump github.com/tink-crypto/tink-go/v2 from 2.3.0
+    to 2.4.0
+  * build(deps): Bump google.com/cloudsdktool/google-cloud-cli
+  * build(deps): Bump golang
+  * build(deps): Bump codecov/codecov-action in the all group
+  * build(deps): Bump go.step.sm/crypto from 0.60.0 to 0.61.0
+  * build(deps): Bump golang.org/x/crypto in /hack/tools
+  * update builder image to use go1.24.2
+  * build(deps): Bump golang from `991aa6a` to `1ecc479`
+  * build(deps): Bump ko-build/setup-ko from 0.8 to 0.9 in the all
+    group
+  * build(deps): Bump cloud.google.com/go/pubsub from 1.47.0 to
+    1.49.0
+  * build(deps): Bump github.com/prometheus/client_golang
+  * build(deps): Bump the all group with 7 updates
+  * build(deps): Bump github.com/spf13/viper from 1.19.0 to 1.20.1
+  * Add CHANGELOG for v1.3.10 (#2439)
+
 -------------------------------------------------------------------
 Fri Apr 11 18:10:26 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
 

rekor.obsinfo

@@ -1,4 +1,4 @@
 name: rekor
-version: 1.3.10
-mtime: 1744388461
-commit: 4118a64b4b9c228a968b2d935a00807ca1b33aed
+version: 1.4.3
+mtime: 1763153780
+commit: cb5b1d5f364a8437e1c6c857b200283e2dcc2b29

rekor.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package rekor
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 %define apps cli server
 
 Name:           rekor
-Version:        1.3.10
+Version:        1.4.3
 Release:        0
 Summary:        Supply Chain Transparency Log
 License:        Apache-2.0