Comparing v1.1.1...v1.1.2 · sigstore/sigstore-go · GitHub
  • 10 commits
  • 23 files changed
  • 3 contributors

Commits on Aug 11, 2025

  1. Allow no timestamps to be provided when verifying a key (#510)

    This adds back an option that allows no timestamps to be provided for
    verification. This will only work when verifying with a key, and will
    throw an error if set when trying to verify a certificate.
    
    This is also used when verifying while signing. If a log is used without
    a timestamp authority, we either verify a certificate with the
    integrated timestamp or no timestamp for a key. If no log or timestamp
    is provided, we use current time for a certificate or no timestamp for a
    key.
    
    Fixes #501
    Fixes #502
    
    Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
    Co-authored-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
    haydentherapper and haydentherapper authored Aug 11, 2025
    4bbae69 View commit details
  2. Bump the minor-patch group across 2 directories with 3 updates (#511)

    Bumps the minor-patch group with 3 updates in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto), [golang.org/x/mod](https://github.com/golang/mod) and google.golang.org/protobuf.
    Bumps the minor-patch group with 3 updates in the /examples/oci-image-verification directory: [golang.org/x/crypto](https://github.com/golang/crypto), [golang.org/x/mod](https://github.com/golang/mod) and google.golang.org/protobuf.
    
    
    Updates `golang.org/x/crypto` from 0.40.0 to 0.41.0
    - [Commits](golang/crypto@v0.40.0...v0.41.0)
    
    Updates `golang.org/x/mod` from 0.26.0 to 0.27.0
    - [Commits](golang/mod@v0.26.0...v0.27.0)
    
    Updates `google.golang.org/protobuf` from 1.36.6 to 1.36.7
    
    Updates `golang.org/x/crypto` from 0.40.0 to 0.41.0
    - [Commits](golang/crypto@v0.40.0...v0.41.0)
    
    Updates `golang.org/x/mod` from 0.26.0 to 0.27.0
    - [Commits](golang/mod@v0.26.0...v0.27.0)
    
    Updates `google.golang.org/protobuf` from 1.36.6 to 1.36.7
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/crypto
      dependency-version: 0.41.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    - dependency-name: golang.org/x/mod
      dependency-version: 0.27.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    - dependency-name: google.golang.org/protobuf
      dependency-version: 1.36.7
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: golang.org/x/crypto
      dependency-version: 0.41.0
      dependency-type: indirect
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    - dependency-name: golang.org/x/mod
      dependency-version: 0.27.0
      dependency-type: indirect
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    - dependency-name: google.golang.org/protobuf
      dependency-version: 1.36.7
      dependency-type: indirect
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Aug 11, 2025
    bac8735 View commit details

Commits on Aug 28, 2025

  1. Update OIDC issuer for e2e test (#517)

    * Update OIDC issuer for e2e test
    
    In sigstore/scaffolding#1662, I made a few changes to support running the test suite on macOS. One of these changes required hardcoding an issuer rather than having the issuer be the hostname. The test suite exports an additional variable now, `ISSUER_URL`, that contains the hardcoded issuer value. `OIDC_URL` is just for requesting fresh tokens.
    
    Signed-off-by: Hayden <haydentherapper@users.noreply.github.com>
    
    * Use both OIDC and Issuer URLs
    
    Signed-off-by: Hayden <haydentherapper@users.noreply.github.com>
    
    ---------
    
    Signed-off-by: Hayden <haydentherapper@users.noreply.github.com>
    haydentherapper authored Aug 28, 2025
    a6427a8 View commit details
  2. Bump actions/checkout from 4.2.2 to 5.0.0 (#512)

    Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](actions/checkout@11bd719...08c6903)
    
    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-version: 5.0.0
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Aug 28, 2025
    8051db1 View commit details
  3. Bump sigstore/sigstore-conformance from 0.0.18 to 0.0.19 (#513)

    Bumps [sigstore/sigstore-conformance](https://github.com/sigstore/sigstore-conformance) from 0.0.18 to 0.0.19.
    - [Release notes](https://github.com/sigstore/sigstore-conformance/releases)
    - [Commits](sigstore/sigstore-conformance@fd90e6b...a7ac671)
    
    ---
    updated-dependencies:
    - dependency-name: sigstore/sigstore-conformance
      dependency-version: 0.0.19
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Aug 28, 2025
    32a79bd View commit details
  4. Bump github.com/go-viper/mapstructure/v2 (#515)

    Bumps [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) from 2.3.0 to 2.4.0.
    - [Release notes](https://github.com/go-viper/mapstructure/releases)
    - [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md)
    - [Commits](go-viper/mapstructure@v2.3.0...v2.4.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/go-viper/mapstructure/v2
      dependency-version: 2.4.0
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Aug 28, 2025
    7bb079e View commit details
  5. Bump the minor-patch group across 2 directories with 4 updates (#518)

    Bumps the minor-patch group with 1 update in the / directory: [github.com/sigstore/rekor-tiles](https://github.com/sigstore/rekor-tiles).
    Bumps the minor-patch group with 1 update in the /examples/oci-image-verification directory: [github.com/sigstore/rekor-tiles](https://github.com/sigstore/rekor-tiles).
    
    
    Updates `github.com/sigstore/rekor-tiles` from 0.1.7-0.20250624231741-98cd4a77300f to 0.1.10
    - [Release notes](https://github.com/sigstore/rekor-tiles/releases)
    - [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release)
    - [Commits](https://github.com/sigstore/rekor-tiles/commits/v0.1.10)
    
    Updates `github.com/sigstore/sigstore` from 1.9.5 to 1.9.6-0.20250729224751-181c5d3339b3
    - [Release notes](https://github.com/sigstore/sigstore/releases)
    - [Commits](https://github.com/sigstore/sigstore/commits)
    
    Updates `github.com/stretchr/testify` from 1.10.0 to 1.11.0
    - [Release notes](https://github.com/stretchr/testify/releases)
    - [Commits](stretchr/testify@v1.10.0...v1.11.0)
    
    Updates `google.golang.org/protobuf` from 1.36.7 to 1.36.8
    
    Updates `github.com/sigstore/sigstore` from 1.9.5 to 1.9.6-0.20250729224751-181c5d3339b3
    - [Release notes](https://github.com/sigstore/sigstore/releases)
    - [Commits](https://github.com/sigstore/sigstore/commits)
    
    Updates `github.com/sigstore/rekor-tiles` from 0.1.7-0.20250624231741-98cd4a77300f to 0.1.10
    - [Release notes](https://github.com/sigstore/rekor-tiles/releases)
    - [Changelog](https://github.com/sigstore/rekor-tiles/blob/main/Dockerfile.release)
    - [Commits](https://github.com/sigstore/rekor-tiles/commits/v0.1.10)
    
    Updates `github.com/sigstore/sigstore` from 1.9.5 to 1.9.6-0.20250729224751-181c5d3339b3
    - [Release notes](https://github.com/sigstore/sigstore/releases)
    - [Commits](https://github.com/sigstore/sigstore/commits)
    
    Updates `google.golang.org/protobuf` from 1.36.7 to 1.36.8
    
    Updates `github.com/sigstore/sigstore` from 1.9.5 to 1.9.6-0.20250729224751-181c5d3339b3
    - [Release notes](https://github.com/sigstore/sigstore/releases)
    - [Commits](https://github.com/sigstore/sigstore/commits)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/sigstore/rekor-tiles
      dependency-version: 0.1.10
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: github.com/sigstore/sigstore
      dependency-version: 1.9.6-0.20250729224751-181c5d3339b3
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: github.com/stretchr/testify
      dependency-version: 1.11.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    - dependency-name: google.golang.org/protobuf
      dependency-version: 1.36.8
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: github.com/sigstore/sigstore
      dependency-version: 1.9.6-0.20250729224751-181c5d3339b3
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: github.com/sigstore/rekor-tiles
      dependency-version: 0.1.10
      dependency-type: indirect
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: github.com/sigstore/sigstore
      dependency-version: 1.9.6-0.20250729224751-181c5d3339b3
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: google.golang.org/protobuf
      dependency-version: 1.36.8
      dependency-type: indirect
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: github.com/sigstore/sigstore
      dependency-version: 1.9.6-0.20250729224751-181c5d3339b3
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Aug 28, 2025
    b9e4783 View commit details

Commits on Sep 8, 2025

  1. Support other key algorithms for Rekor v2 (#520)

    We hardcoded ECDSA-P256-SHA256 as the only supported algorithm. This
    uses the algorithm registry to load the correct signing algorithm to
    specify its type and digest in the request to Rekor v2. This also fixes
    an incompatibility with Ed25519 and hashedrekord with Rekor v2, which
    requires Ed25519ph where the digest is provided during verification.
    
    To test this, I've added support for other signing algorithms in
    EphemeralKeypair, which will also make the struct useable with Cosign
    when a signing algorithm is provided.
    
    Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
    haydentherapper authored Sep 8, 2025
    201a35a View commit details
  2. Bump actions/setup-go from 5.5.0 to 6.0.0 (#521)

    Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.5.0 to 6.0.0.
    - [Release notes](https://github.com/actions/setup-go/releases)
    - [Commits](actions/setup-go@d35c59a...4469467)
    
    ---
    updated-dependencies:
    - dependency-name: actions/setup-go
      dependency-version: 6.0.0
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Sep 8, 2025
    b479288 View commit details
  3. Bump the minor-patch group across 2 directories with 4 updates (#522)

    * Bump the minor-patch group across 2 directories with 4 updates
    
    Bumps the minor-patch group with 3 updates in the / directory: [github.com/go-openapi/swag](https://github.com/go-openapi/swag), [github.com/sigstore/rekor](https://github.com/sigstore/rekor) and [golang.org/x/mod](https://github.com/golang/mod).
    Bumps the minor-patch group with 3 updates in the /examples/oci-image-verification directory: [github.com/go-openapi/swag](https://github.com/go-openapi/swag), [github.com/sigstore/rekor](https://github.com/sigstore/rekor) and [golang.org/x/mod](https://github.com/golang/mod).
    
    
    Updates `github.com/go-openapi/swag` from 0.23.1 to 0.24.1
    - [Commits](go-openapi/swag@v0.23.1...v0.24.1)
    
    Updates `github.com/sigstore/rekor` from 1.4.0 to 1.4.2
    - [Release notes](https://github.com/sigstore/rekor/releases)
    - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
    - [Commits](sigstore/rekor@v1.4.0...v1.4.2)
    
    Updates `github.com/stretchr/testify` from 1.11.0 to 1.11.1
    - [Release notes](https://github.com/stretchr/testify/releases)
    - [Commits](stretchr/testify@v1.11.0...v1.11.1)
    
    Updates `golang.org/x/mod` from 0.27.0 to 0.28.0
    - [Commits](golang/mod@v0.27.0...v0.28.0)
    
    Updates `github.com/go-openapi/swag` from 0.23.1 to 0.24.1
    - [Commits](go-openapi/swag@v0.23.1...v0.24.1)
    
    Updates `github.com/sigstore/rekor` from 1.4.0 to 1.4.2
    - [Release notes](https://github.com/sigstore/rekor/releases)
    - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
    - [Commits](sigstore/rekor@v1.4.0...v1.4.2)
    
    Updates `golang.org/x/mod` from 0.27.0 to 0.28.0
    - [Commits](golang/mod@v0.27.0...v0.28.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/go-openapi/swag
      dependency-version: 0.24.1
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    - dependency-name: github.com/sigstore/rekor
      dependency-version: 1.4.2
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: github.com/stretchr/testify
      dependency-version: 1.11.1
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: golang.org/x/mod
      dependency-version: 0.28.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    - dependency-name: github.com/go-openapi/swag
      dependency-version: 0.24.1
      dependency-type: indirect
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    - dependency-name: github.com/sigstore/rekor
      dependency-version: 1.4.2
      dependency-type: indirect
      update-type: version-update:semver-patch
      dependency-group: minor-patch
    - dependency-name: golang.org/x/mod
      dependency-version: 0.28.0
      dependency-type: indirect
      update-type: version-update:semver-minor
      dependency-group: minor-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    
    * lint fmt
    
    Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
    
    ---------
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
    dependabot[bot] and haydentherapper authored Sep 8, 2025
    fe24fbf View commit details
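
The commit message for #520 says Rekor v2 requires Ed25519ph "where the digest is provided during verification". The following added example, which is not sigstore-go code, uses only Go's standard `crypto/ed25519` to show that pure Ed25519 and Ed25519ph signatures from the same key are not interchangeable, and that only the Ed25519ph signature can be checked by a verifier holding just the SHA-512 digest. `Compare`, `Outcome` and the fixed seed are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ed25519"
	"crypto/sha512"
	"fmt"
)

// phOpts selects Ed25519ph (RFC 8032): the input is a SHA-512 digest.
var phOpts = &ed25519.Options{Hash: crypto.SHA512}

// Outcome records which (signature, verification mode) pairs succeed.
type Outcome struct {
	PureWithArtifact bool // pure signature, verifier holds the artifact
	PureAsPrehashed  bool // pure signature, verifier holds only the digest
	PhWithDigest     bool // Ed25519ph signature, verifier holds only the digest
	PhAsPure         bool // Ed25519ph signature checked as pure Ed25519
}

// Compare signs one artifact both ways and verifies each signature both ways.
func Compare(artifact []byte) (Outcome, error) {
	// Constructed fixed seed so the run is reproducible; not a real key.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	digest := sha512.Sum512(artifact)

	pureSig := ed25519.Sign(priv, artifact)
	// With Hash set to SHA-512, Sign expects the 64-byte digest, not the artifact.
	phSig, err := priv.Sign(nil, digest[:], phOpts)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		PureWithArtifact: ed25519.Verify(pub, artifact, pureSig),
		PureAsPrehashed:  ed25519.VerifyWithOptions(pub, digest[:], pureSig, phOpts) == nil,
		PhWithDigest:     ed25519.VerifyWithOptions(pub, digest[:], phSig, phOpts) == nil,
		PhAsPure:         ed25519.Verify(pub, artifact, phSig),
	}, nil
}

func main() {
	out, err := Compare([]byte("constructed sample artifact"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```
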