Comparing v1.1.0...v1.1.3 · sigstore/sigstore-go · GitHub
base repository: sigstore/sigstore-go
base: v1.1.0
head repository: sigstore/sigstore-go
compare: v1.1.3
  • 19 commits
  • 31 files changed
  • 5 contributors

Commits on Jul 29, 2025

  1. Make conformance compatible with rekor v2 (#505)

    Bundles with entries from rekor v2 will not have inclusion
    promises or integrated time
    
    Signed-off-by: Appu Goundan <appu@google.com>
    loosebazooka authored Jul 29, 2025
    f8877fc
  2. Update GetSigningConfig to use signing_config.v0.2.json (#506)

    Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
    facutuesca authored Jul 29, 2025
    3bd742e

Commits on Aug 1, 2025

  1. Refactor SelectService to return Service rather than URL, add supported API versions (#503)

    
    Each signing service implementation sets a global variable for the list
    of URLs supported. This avoids clients that use the signing APIs needing
    to know which set of service API versions are supported when selecting
    services.
    
    This also refactors ServiceService(s) to return the Service struct
    itself rather than just a URL, since a signer will need to know the API
    version when initializing its client, like for Rekor.
    
    Also removed unnecessary nolints after un-deprecating TrustedRoot's
    LogId.
    
    Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
    haydentherapper authored Aug 1, 2025
    37e45ae

Commits on Aug 4, 2025

  1. Remove noisy log message (#507)

    When initializing trusted material in Cosign, on every signing and verification that uses the new bundle format, this message would print. Removing it since it doesn't provide much value.
    
    Signed-off-by: Hayden <haydentherapper@users.noreply.github.com>
    haydentherapper authored Aug 4, 2025
    d20c39f

Commits on Aug 5, 2025

  1. Bump the minor-patch group across 2 directories with 2 updates (#508)

    Bumps the minor-patch group with 2 updates in the / directory: [github.com/secure-systems-lab/go-securesystemslib](https://github.com/secure-systems-lab/go-securesystemslib) and [github.com/sigstore/rekor](https://github.com/sigstore/rekor).
    Bumps the minor-patch group with 2 updates in the /examples/oci-image-verification directory: [github.com/secure-systems-lab/go-securesystemslib](https://github.com/secure-systems-lab/go-securesystemslib) and [github.com/sigstore/rekor](https://github.com/sigstore/rekor).
    
    
    Updates `github.com/secure-systems-lab/go-securesystemslib` from 0.9.0 to 0.9.1
    - [Release notes](https://github.com/secure-systems-lab/go-securesystemslib/releases)
    - [Commits](secure-systems-lab/go-securesystemslib@v0.9.0...v0.9.1)
    
    Updates `github.com/sigstore/rekor` from 1.3.10 to 1.4.0
    - [Release notes](https://github.com/sigstore/rekor/releases)
    - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
    - [Commits](sigstore/rekor@v1.3.10...v1.4.0)
    
    Updates `github.com/secure-systems-lab/go-securesystemslib` from 0.9.0 to 0.9.1
    - [Release notes](https://github.com/secure-systems-lab/go-securesystemslib/releases)
    - [Commits](secure-systems-lab/go-securesystemslib@v0.9.0...v0.9.1)
    
    Updates `github.com/sigstore/rekor` from 1.3.10 to 1.4.0
    - [Release notes](https://github.com/sigstore/rekor/releases)
    - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
    - [Commits](sigstore/rekor@v1.3.10...v1.4.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/secure-systems-lab/go-securesystemslib
      dependency-version: 0.9.1
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: github.com/sigstore/rekor
      dependency-version: 1.4.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    - dependency-name: github.com/secure-systems-lab/go-securesystemslib
      dependency-version: 0.9.1
      dependency-type: indirect
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: github.com/sigstore/rekor
      dependency-version: 1.4.0
      dependency-type: indirect
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Aug 5, 2025
    d9ac070

Commits on Aug 11, 2025

  1. Allow no timestamps to be provided when verifying a key (#510)

    This adds back an option that allows no timestamps to be provided for
    verification. This will only work when verifying with a key, and will
    throw an error if set when trying to verify a certificate.
    
    This is also used when verifying while signing. If a log is used without
    a timestamp authority, we either verify a certificate with the
    integrated timestamp or no timestamp for a key. If no log or timestamp
    is provided, we use current time for a certificate or no timestamp for a
    key.
    
    Fixes #501
    Fixes #502
    
    Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
    Co-authored-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
    haydentherapper and haydentherapper authored Aug 11, 2025
    4bbae69
  2. Bump the minor-patch group across 2 directories with 3 updates (#511)

    Bumps the minor-patch group with 3 updates in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto), [golang.org/x/mod](https://github.com/golang/mod) and google.golang.org/protobuf.
    Bumps the minor-patch group with 3 updates in the /examples/oci-image-verification directory: [golang.org/x/crypto](https://github.com/golang/crypto), [golang.org/x/mod](https://github.com/golang/mod) and google.golang.org/protobuf.
    
    
    Updates `golang.org/x/crypto` from 0.40.0 to 0.41.0
    - [Commits](golang/crypto@v0.40.0...v0.41.0)
    
    Updates `golang.org/x/mod` from 0.26.0 to 0.27.0
    - [Commits](golang/mod@v0.26.0...v0.27.0)
    
    Updates `google.golang.org/protobuf` from 1.36.6 to 1.36.7
    
    Updates `golang.org/x/crypto` from 0.40.0 to 0.41.0
    - [Commits](golang/crypto@v0.40.0...v0.41.0)
    
    Updates `golang.org/x/mod` from 0.26.0 to 0.27.0
    - [Commits](golang/mod@v0.26.0...v0.27.0)
    
    Updates `google.golang.org/protobuf` from 1.36.6 to 1.36.7
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/crypto
      dependency-version: 0.41.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    - dependency-name: golang.org/x/mod
      dependency-version: 0.27.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    - dependency-name: google.golang.org/protobuf
      dependency-version: 1.36.7
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: golang.org/x/crypto
      dependency-version: 0.41.0
      dependency-type: indirect
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    - dependency-name: golang.org/x/mod
      dependency-version: 0.27.0
      dependency-type: indirect
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    - dependency-name: google.golang.org/protobuf
      dependency-version: 1.36.7
      dependency-type: indirect
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Aug 11, 2025
    bac8735

Commits on Aug 28, 2025

  1. Update OIDC issuer for e2e test (#517)

    * Update OIDC issuer for e2e test
    
    In sigstore/scaffolding#1662, I made a few changes to support running the test suite on macOS. One of these changes required hardcoding an issuer rather than having the issuer be the hostname. The test suite exports an additional variable now, `ISSUER_URL`, that contains the hardcoded issuer value. `OIDC_URL` is just for requesting fresh tokens.
    
    Signed-off-by: Hayden <haydentherapper@users.noreply.github.com>
    
    * Use both OIDC and Issuer URLs
    
    Signed-off-by: Hayden <haydentherapper@users.noreply.github.com>
    
    ---------
    
    Signed-off-by: Hayden <haydentherapper@users.noreply.github.com>
    haydentherapper authored Aug 28, 2025
    a6427a8
  2. Bump actions/checkout from 4.2.2 to 5.0.0 (#512)

    Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](actions/checkout@11bd719...08c6903)
    
    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-version: 5.0.0
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Aug 28, 2025
    8051db1
  3. Bump sigstore/sigstore-conformance from 0.0.18 to 0.0.19 (#513)

    Bumps [sigstore/sigstore-conformance](https://github.com/sigstore/sigstore-conformance) from 0.0.18 to 0.0.19.
    - [Release notes](https://github.com/sigstore/sigstore-conformance/releases)
    - [Commits](sigstore/sigstore-conformance@fd90e6b...a7ac671)
    
    ---
    updated-dependencies:
    - dependency-name: sigstore/sigstore-conformance
      dependency-version: 0.0.19
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Aug 28, 2025
    32a79bd
  4. Bump github.com/go-viper/mapstructure/v2 (#515)

    Bumps [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) from 2.3.0 to 2.4.0.
    - [Release notes](https://github.com/go-viper/mapstructure/releases)
    - [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md)
    - [Commits](go-viper/mapstructure@v2.3.0...v2.4.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/go-viper/mapstructure/v2
      dependency-version: 2.4.0
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Aug 28, 2025
    7bb079e
  5. Bump the minor-patch group across 2 directories with 4 updates (#518)

    Bumps the minor-patch group with 1 update in the / directory: [github.com/sigstore/rekor-tiles](https://github.com/sigstore/rekor-tiles).
    Bumps the minor-patch group with 1 update in the /examples/oci-image-verification directory: [github.com/sigstore/rekor-tiles](https://github.com/sigstore/rekor-tiles).
    
    
    Updates `github.com/sigstore/rekor-tiles` from 0.1.7-0.20250624231741-98cd4a77300f to 0.1.10
    - [Release notes](https://github.com/sigstore/rekor-tiles/releases)
    - [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release)
    - [Commits](https://github.com/sigstore/rekor-tiles/commits/v0.1.10)
    
    Updates `github.com/sigstore/sigstore` from 1.9.5 to 1.9.6-0.20250729224751-181c5d3339b3
    - [Release notes](https://github.com/sigstore/sigstore/releases)
    - [Commits](https://github.com/sigstore/sigstore/commits)
    
    Updates `github.com/stretchr/testify` from 1.10.0 to 1.11.0
    - [Release notes](https://github.com/stretchr/testify/releases)
    - [Commits](stretchr/testify@v1.10.0...v1.11.0)
    
    Updates `google.golang.org/protobuf` from 1.36.7 to 1.36.8
    
    Updates `github.com/sigstore/sigstore` from 1.9.5 to 1.9.6-0.20250729224751-181c5d3339b3
    - [Release notes](https://github.com/sigstore/sigstore/releases)
    - [Commits](https://github.com/sigstore/sigstore/commits)
    
    Updates `github.com/sigstore/rekor-tiles` from 0.1.7-0.20250624231741-98cd4a77300f to 0.1.10
    - [Release notes](https://github.com/sigstore/rekor-tiles/releases)
    - [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release)
    - [Commits](https://github.com/sigstore/rekor-tiles/commits/v0.1.10)
    
    Updates `github.com/sigstore/sigstore` from 1.9.5 to 1.9.6-0.20250729224751-181c5d3339b3
    - [Release notes](https://github.com/sigstore/sigstore/releases)
    - [Commits](https://github.com/sigstore/sigstore/commits)
    
    Updates `google.golang.org/protobuf` from 1.36.7 to 1.36.8
    
    Updates `github.com/sigstore/sigstore` from 1.9.5 to 1.9.6-0.20250729224751-181c5d3339b3
    - [Release notes](https://github.com/sigstore/sigstore/releases)
    - [Commits](https://github.com/sigstore/sigstore/commits)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/sigstore/rekor-tiles
      dependency-version: 0.1.10
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: github.com/sigstore/sigstore
      dependency-version: 1.9.6-0.20250729224751-181c5d3339b3
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: github.com/stretchr/testify
      dependency-version: 1.11.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    - dependency-name: google.golang.org/protobuf
      dependency-version: 1.36.8
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: github.com/sigstore/sigstore
      dependency-version: 1.9.6-0.20250729224751-181c5d3339b3
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: github.com/sigstore/rekor-tiles
      dependency-version: 0.1.10
      dependency-type: indirect
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: github.com/sigstore/sigstore
      dependency-version: 1.9.6-0.20250729224751-181c5d3339b3
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: google.golang.org/protobuf
      dependency-version: 1.36.8
      dependency-type: indirect
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: github.com/sigstore/sigstore
      dependency-version: 1.9.6-0.20250729224751-181c5d3339b3
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Aug 28, 2025
    b9e4783

Commits on Sep 8, 2025

  1. Support other key algorithms for Rekor v2 (#520)

    We hardcoded ECDSA-P256-SHA256 as the only supported algorithm. This
    uses the algorithm registry to load the correct signing algorithm to
    specify its type and digest in the request to Rekor v2. This also fixes
    an incompatibility with Ed25519 and hashedrekord with Rekor v2, which
    requires Ed25519ph where the digest is provided during verification.
    
    To test this, I've added support for other signing algorithms in
    EphemeralKeypair, which will also make the struct useable with Cosign
    when a signing algorithm is provided.
    
    Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
    haydentherapper authored Sep 8, 2025
    201a35a
  2. Bump actions/setup-go from 5.5.0 to 6.0.0 (#521)

    Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.5.0 to 6.0.0.
    - [Release notes](https://github.com/actions/setup-go/releases)
    - [Commits](actions/setup-go@d35c59a...4469467)
    
    ---
    updated-dependencies:
    - dependency-name: actions/setup-go
      dependency-version: 6.0.0
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Sep 8, 2025
    b479288
  3. Bump the minor-patch group across 2 directories with 4 updates (#522)

    * Bump the minor-patch group across 2 directories with 4 updates
    
    Bumps the minor-patch group with 3 updates in the / directory: [github.com/go-openapi/swag](https://github.com/go-openapi/swag), [github.com/sigstore/rekor](https://github.com/sigstore/rekor) and [golang.org/x/mod](https://github.com/golang/mod).
    Bumps the minor-patch group with 3 updates in the /examples/oci-image-verification directory: [github.com/go-openapi/swag](https://github.com/go-openapi/swag), [github.com/sigstore/rekor](https://github.com/sigstore/rekor) and [golang.org/x/mod](https://github.com/golang/mod).
    
    
    Updates `github.com/go-openapi/swag` from 0.23.1 to 0.24.1
    - [Commits](go-openapi/swag@v0.23.1...v0.24.1)
    
    Updates `github.com/sigstore/rekor` from 1.4.0 to 1.4.2
    - [Release notes](https://github.com/sigstore/rekor/releases)
    - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
    - [Commits](sigstore/rekor@v1.4.0...v1.4.2)
    
    Updates `github.com/stretchr/testify` from 1.11.0 to 1.11.1
    - [Release notes](https://github.com/stretchr/testify/releases)
    - [Commits](stretchr/testify@v1.11.0...v1.11.1)
    
    Updates `golang.org/x/mod` from 0.27.0 to 0.28.0
    - [Commits](golang/mod@v0.27.0...v0.28.0)
    
    Updates `github.com/go-openapi/swag` from 0.23.1 to 0.24.1
    - [Commits](go-openapi/swag@v0.23.1...v0.24.1)
    
    Updates `github.com/sigstore/rekor` from 1.4.0 to 1.4.2
    - [Release notes](https://github.com/sigstore/rekor/releases)
    - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
    - [Commits](sigstore/rekor@v1.4.0...v1.4.2)
    
    Updates `golang.org/x/mod` from 0.27.0 to 0.28.0
    - [Commits](golang/mod@v0.27.0...v0.28.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/go-openapi/swag
      dependency-version: 0.24.1
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    - dependency-name: github.com/sigstore/rekor
      dependency-version: 1.4.2
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: github.com/stretchr/testify
      dependency-version: 1.11.1
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: golang.org/x/mod
      dependency-version: 0.28.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    - dependency-name: github.com/go-openapi/swag
      dependency-version: 0.24.1
      dependency-type: indirect
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    - dependency-name: github.com/sigstore/rekor
      dependency-version: 1.4.2
      dependency-type: indirect
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: golang.org/x/mod
      dependency-version: 0.28.0
      dependency-type: indirect
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    
    * lint fmt
    
    Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
    
    ---------
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
    dependabot[bot] and haydentherapper authored Sep 8, 2025
    fe24fbf

Commits on Sep 16, 2025

  1. Set user agent for TUF and Rekor v2 clients (#525)

    This adds version-specific user agents for TUF and Rekor v2 calls,
    matching what we have for Fulcio, the TSA, and Rekor v1.
    
    Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
    Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
    haydentherapper and haydentherapper authored Sep 16, 2025
    0701306

Commits on Sep 23, 2025

  1. Bump the minor-patch group across 1 directory with 5 updates (#526)

    Bumps the minor-patch group with 5 updates in the / directory:
    
    | Package | From | To |
    | --- | --- | --- |
    | [github.com/sigstore/rekor-tiles](https://github.com/sigstore/rekor-tiles) | `0.1.10` | `0.1.11` |
    | [github.com/sigstore/timestamp-authority](https://github.com/sigstore/timestamp-authority) | `1.2.8` | `1.2.9` |
    | [github.com/theupdateframework/go-tuf/v2](https://github.com/theupdateframework/go-tuf) | `2.1.1` | `2.2.0` |
    | [golang.org/x/crypto](https://github.com/golang/crypto) | `0.41.0` | `0.42.0` |
    | google.golang.org/protobuf | `1.36.8` | `1.36.9` |
    
    
    
    Updates `github.com/sigstore/rekor-tiles` from 0.1.10 to 0.1.11
    - [Release notes](https://github.com/sigstore/rekor-tiles/releases)
    - [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release)
    - [Commits](sigstore/rekor-tiles@v0.1.10...v0.1.11)
    
    Updates `github.com/sigstore/timestamp-authority` from 1.2.8 to 1.2.9
    - [Release notes](https://github.com/sigstore/timestamp-authority/releases)
    - [Changelog](https://github.com/sigstore/timestamp-authority/blob/main/CHANGELOG.md)
    - [Commits](sigstore/timestamp-authority@v1.2.8...v1.2.9)
    
    Updates `github.com/theupdateframework/go-tuf/v2` from 2.1.1 to 2.2.0
    - [Release notes](https://github.com/theupdateframework/go-tuf/releases)
    - [Changelog](https://github.com/theupdateframework/go-tuf/blob/master/.goreleaser.yaml)
    - [Commits](theupdateframework/go-tuf@v2.1.1...v2.2.0)
    
    Updates `golang.org/x/crypto` from 0.41.0 to 0.42.0
    - [Commits](golang/crypto@v0.41.0...v0.42.0)
    
    Updates `google.golang.org/protobuf` from 1.36.8 to 1.36.9
    
    ---
    updated-dependencies:
    - dependency-name: github.com/sigstore/rekor-tiles
      dependency-version: 0.1.11
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: github.com/sigstore/timestamp-authority
      dependency-version: 1.2.9
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: github.com/theupdateframework/go-tuf/v2
      dependency-version: 2.2.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    - dependency-name: golang.org/x/crypto
      dependency-version: 0.42.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    - dependency-name: google.golang.org/protobuf
      dependency-version: 1.36.9
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Sep 23, 2025
    4cd170a

Commits on Sep 26, 2025

  1. Add support for signing config for conformance test suite (#527)

    The signing config along with a trusted root file may be passed to
    sign-bundle. This adds support for the signing config when it's
    provided.
    
    Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
    Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
    haydentherapper and haydentherapper authored Sep 26, 2025
    cbc9bf5
  2. Add note regarding API compatibility when using signing config (#528)

    As discussed in the Go meeting today, we want developers to be aware of
    the consequences of using a signing config and always selecting the
    highest API version, which may lead to verifiers unable to verify.
    
    Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
    Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
    haydentherapper and haydentherapper authored Sep 26, 2025
    c79035f