From f06a86553b5df0e1efd81f5f7f0f2f959a3bc701 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sat, 15 Nov 2025 03:52:52 +0000 Subject: [PATCH 01/13] feat(sign): support for sigstore bundle format Signed-off-by: Brandt Keller --- src/pkg/packager/layout/layout.go | 1 + src/pkg/packager/layout/package.go | 35 +++++++++++++++++++++++++----- src/pkg/utils/cosign.go | 7 ++++-- 3 files changed, 35 insertions(+), 8 deletions(-) diff --git a/src/pkg/packager/layout/layout.go b/src/pkg/packager/layout/layout.go index a4c74ff39b..e71024d9c5 100644 --- a/src/pkg/packager/layout/layout.go +++ b/src/pkg/packager/layout/layout.go @@ -12,6 +12,7 @@ import ( const ( ZarfYAML = "zarf.yaml" Signature = "zarf.yaml.sig" + Bundle = "zarf.bundle.sig" Checksums = "checksums.txt" ImagesDir = "images" diff --git a/src/pkg/packager/layout/package.go b/src/pkg/packager/layout/package.go index 6c1809986f..83985acb49 100644 --- a/src/pkg/packager/layout/package.go +++ b/src/pkg/packager/layout/package.go @@ -188,6 +188,7 @@ func (p *PackageLayout) SignPackage(ctx context.Context, opts utils.SignBlobOpti tmpZarfYAMLPath := filepath.Join(tmpDir, ZarfYAML) tmpSignaturePath := filepath.Join(tmpDir, Signature) + tmpBundlePath := filepath.Join(tmpDir, Bundle) // Update in-memory state to signed:true signed := true @@ -212,6 +213,7 @@ func (p *PackageLayout) SignPackage(ctx context.Context, opts utils.SignBlobOpti // Configure signing to write to temp directory signOpts := opts signOpts.OutputSignature = tmpSignaturePath + signOpts.BundlePath = tmpBundlePath // Check if signature already exists in actual layout and warn actualSignaturePath := filepath.Join(p.dirPath, Signature) 
@@ -244,6 +246,11 @@ func (p *PackageLayout) SignPackage(ctx context.Context, opts utils.SignBlobOpti return fmt.Errorf("failed to move signature after signing: %w", err) } + err = os.Rename(tmpBundlePath, filepath.Join(p.dirPath, Bundle)) + if err != nil { + return fmt.Errorf("failed to move bundle after signing: %w", err) + } + l.Info("package signed successfully", "signature", actualSignaturePath) return nil } @@ -269,16 +276,31 @@ func (p *PackageLayout) VerifyPackageSignature(ctx context.Context, opts utils.V return errors.New("package is signed but no key was provided") } - // Validate that the signature exists + // Check for bundle format signature (preferred) + bundlePath := filepath.Join(p.dirPath, Bundle) + _, err := os.Stat(bundlePath) + if err == nil { + opts.BundlePath = bundlePath + ZarfYAMLPath := filepath.Join(p.dirPath, ZarfYAML) + return utils.CosignVerifyBlobWithOptions(ctx, ZarfYAMLPath, opts) + } + if !errors.Is(err, os.ErrNotExist) { + return fmt.Errorf("error checking bundle signature: %w", err) + } + + // Bundle doesn't exist, check for legacy signature format signaturePath := filepath.Join(p.dirPath, Signature) - if _, err := os.Stat(signaturePath); err != nil { - return fmt.Errorf("signature not found: %w", err) + _, err = os.Stat(signaturePath) + if err != nil { + if errors.Is(err, os.ErrNotExist) { + return fmt.Errorf("signature not found: neither bundle nor legacy signature exists") + } + return fmt.Errorf("error checking legacy signature: %w", err) } - // Note: this is the backwards compatible behavior - // this will change in the future + // Legacy signature found + l.Warn("non-bundle format signature is being deprecated in favor of the sigstore bundle format") opts.SigRef = signaturePath - ZarfYAMLPath := filepath.Join(p.dirPath, ZarfYAML) return utils.CosignVerifyBlobWithOptions(ctx, ZarfYAMLPath, opts) } 
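Review bot: If the added `os.Rename(tmpBundlePath, filepath.Join(p.dirPath, Bundle))` fails, SignPackage returns after the new `zarf.yaml.sig` has already been moved into place (the context line above shows that rename comes first), leaving a fresh legacy signature next to a missing or stale `zarf.bundle.sig`. VerifyPackageSignature in this same patch prefers the bundle whenever the file exists, so a bundle left over from an earlier signing would be the artifact checked, not the signature just written. Consider moving the bundle before the legacy signature, or dropping any existing bundle on this error path with `_ = os.Remove(filepath.Join(p.dirPath, Bundle))` before returning the wrapped error. The function body starts above this hunk, so the handling of `zarf.yaml` itself is not visible here.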
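Review bot: Each branch of the new lookup in VerifyPackageSignature sets only its own field (`opts.BundlePath` in the bundle branch, `opts.SigRef` in the legacy branch) and leaves whatever the caller passed in the other one. The verifier can therefore be handed both a bundle and a detached signature, and this hunk does not show which of the two cosign then honours. Clearing the unused field makes the verified artifact unambiguous: `opts.SigRef = ""` before the bundle return and `opts.BundlePath = ""` before the legacy return. Separately, the not-found message has no format verbs and is better written as `errors.New("signature not found: neither bundle nor legacy signature exists")`.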
@@ -482,6 +504,7 @@ func validatePackageIntegrity(pkgLayout *PackageLayout, isPartial bool) error { delete(packageFiles, filepath.Join(pkgLayout.dirPath, ZarfYAML)) delete(packageFiles, filepath.Join(pkgLayout.dirPath, Checksums)) delete(packageFiles, filepath.Join(pkgLayout.dirPath, Signature)) + delete(packageFiles, filepath.Join(pkgLayout.dirPath, Bundle)) b, err := os.ReadFile(filepath.Join(pkgLayout.dirPath, Checksums)) if err != nil { diff --git a/src/pkg/utils/cosign.go b/src/pkg/utils/cosign.go index 088b24099d..6d88781426 100644 --- a/src/pkg/utils/cosign.go +++ b/src/pkg/utils/cosign.go @@ -85,7 +85,7 @@ func DefaultSignBlobOptions() SignBlobOptions { FulcioAuthFlow: "normal", FulcioURL: "https://fulcio.sigstore.dev", RekorURL: "https://rekor.sigstore.dev", - NewBundleFormat: false, + NewBundleFormat: true, SkipConfirmation: false, }, Timeout: CosignDefaultTimeout, @@ -97,6 +97,9 @@ func DefaultSignBlobOptions() SignBlobOptions { // Configures sensible defaults for offline/air-gapped environments. func DefaultVerifyBlobOptions() VerifyBlobOptions { return VerifyBlobOptions{ + KeyOpts: options.KeyOpts{ + NewBundleFormat: true, + }, CertVerifyOptions: options.CertVerifyOptions{ IgnoreSCT: true, // Skip SCT verification by default }, @@ -178,7 +181,7 @@ func CosignVerifyBlobWithOptions(ctx context.Context, blobPath string, opts Veri l.Debug("verifying blob with cosign", "keyRef", opts.KeyRef, - "sigRef", opts.SigRef, + "bundlePath", opts.BundlePath, "offline", opts.Offline) err := cmd.Exec(ctx, blobPath) From 16501f35793d3fa898af926639f56ba3828e265c Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sat, 15 Nov 2025 13:55:10 +0000 Subject: [PATCH 02/13] fix(sign): update testing to reflect bundle addition Signed-off-by: Brandt Keller --- src/pkg/packager/layout/package_test.go | 116 ++++++++++++++++++------ 1 file changed, 87 insertions(+), 29 deletions(-) 
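Review bot: The added `delete(packageFiles, filepath.Join(pkgLayout.dirPath, Bundle))` exempts `zarf.bundle.sig` from the checksum comparison without saying why, and a reader could assume integrity validation covers the signature artifacts. A comment above the Signature and Bundle deletes would make the boundary explicit, for example `// Signature and Bundle are skipped by the checksum comparison; their content is validated only by VerifyPackageSignature.` validatePackageIntegrity starts and ends outside this hunk, so how an unexpected bundle file in an unsigned package is treated cannot be judged from here.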
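Review bot: Replacing `"sigRef", opts.SigRef` with `"bundlePath", opts.BundlePath` in the debug log of CosignVerifyBlobWithOptions loses the record for the legacy fallback, which sets only SigRef: that path now logs an empty bundlePath and never names the signature file that was verified. Log both fields so either path is traceable when reviewing a verification result: `"sigRef", opts.SigRef, "bundlePath", opts.BundlePath,`. The function continues outside the hunk.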
diff --git a/src/pkg/packager/layout/package_test.go b/src/pkg/packager/layout/package_test.go index 944a89dbeb..ef435a0491 100644 --- a/src/pkg/packager/layout/package_test.go +++ b/src/pkg/packager/layout/package_test.go @@ -212,7 +212,8 @@ func TestPackageLayoutSignPackage(t *testing.T) { t.Run("successful signing", func(t *testing.T) { tmpDir := t.TempDir() yamlPath := filepath.Join(tmpDir, ZarfYAML) - signedPath := filepath.Join(tmpDir, Signature) + bundlePath := filepath.Join(tmpDir, Bundle) + legacySignaturePath := filepath.Join(tmpDir, Signature) err := os.WriteFile(yamlPath, []byte("foobar"), 0o644) require.NoError(t, err) @@ -231,7 +232,8 @@ func TestPackageLayoutSignPackage(t *testing.T) { err = pkgLayout.SignPackage(ctx, opts) require.NoError(t, err) - require.FileExists(t, signedPath) + require.FileExists(t, bundlePath, "bundle format signature should exist") + require.FileExists(t, legacySignaturePath, "legacy signature should exist for backward compatibility") require.NotNil(t, pkgLayout.Pkg.Build.Signed) require.True(t, *pkgLayout.Pkg.Build.Signed) }) @@ -239,7 +241,8 @@ func TestPackageLayoutSignPackage(t *testing.T) { t.Run("wrong password", func(t *testing.T) { tmpDir := t.TempDir() yamlPath := filepath.Join(tmpDir, ZarfYAML) - signedPath := filepath.Join(tmpDir, Signature) + bundlePath := filepath.Join(tmpDir, Bundle) + legacySignaturePath := filepath.Join(tmpDir, Signature) err := os.WriteFile(yamlPath, []byte("foobar"), 0o644) require.NoError(t, err) @@ -259,7 +262,8 @@ func TestPackageLayoutSignPackage(t *testing.T) { err = pkgLayout.SignPackage(ctx, opts) require.ErrorContains(t, err, "failed to sign package") require.ErrorContains(t, err, "reading key: decrypt: encrypted: decryption failed") - require.NoFileExists(t, signedPath) + require.NoFileExists(t, bundlePath) + require.NoFileExists(t, legacySignaturePath) }) t.Run("missing zarf.yaml", func(t *testing.T) { 
@@ -319,13 +323,16 @@ func TestPackageLayoutSignPackage(t *testing.T) { t.Run("overwrite existing signature", func(t *testing.T) { tmpDir := t.TempDir() yamlPath := filepath.Join(tmpDir, ZarfYAML) - signedPath := filepath.Join(tmpDir, Signature) + bundlePath := filepath.Join(tmpDir, Bundle) + legacySignaturePath := filepath.Join(tmpDir, Signature) err := os.WriteFile(yamlPath, []byte("foobar"), 0o644) require.NoError(t, err) - // Create an existing signature file - err = os.WriteFile(signedPath, []byte("old signature"), 0o644) + // Create existing signature files (both formats) + err = os.WriteFile(legacySignaturePath, []byte("old legacy signature"), 0o644) + require.NoError(t, err) + err = os.WriteFile(bundlePath, []byte("old bundle"), 0o644) require.NoError(t, err) pkgLayout := &PackageLayout{ 
@@ -340,21 +347,27 @@ func TestPackageLayoutSignPackage(t *testing.T) { opts.KeyRef = "./testdata/cosign.key" opts.PassFunc = passFunc - // Should overwrite the existing signature (with warning logged) + // Should overwrite the existing signatures (with warning logged) err = pkgLayout.SignPackage(ctx, opts) require.NoError(t, err) - require.FileExists(t, signedPath) + require.FileExists(t, bundlePath) + require.FileExists(t, legacySignaturePath) + + // Verify the signatures were overwritten (not the old content) + legacyContent, err := os.ReadFile(legacySignaturePath) + require.NoError(t, err) + require.NotEqual(t, "old legacy signature", string(legacyContent)) - // Verify the signature was overwritten (not the old content) - content, err := os.ReadFile(signedPath) + bundleContent, err := os.ReadFile(bundlePath) require.NoError(t, err) - require.NotEqual(t, "old signature", string(content)) + require.NotEqual(t, "old bundle", string(bundleContent)) }) t.Run("skip signing when ShouldSign returns false", func(t *testing.T) { tmpDir := t.TempDir() yamlPath := filepath.Join(tmpDir, ZarfYAML) - signedPath := filepath.Join(tmpDir, Signature) + bundlePath := filepath.Join(tmpDir, Bundle) + legacySignaturePath := filepath.Join(tmpDir, Signature) err := os.WriteFile(yamlPath, []byte("foobar"), 0o644) require.NoError(t, err) @@ -370,7 +383,8 @@ func TestPackageLayoutSignPackage(t *testing.T) { // Should skip signing without error err = pkgLayout.SignPackage(ctx, opts) require.NoError(t, err) - require.NoFileExists(t, signedPath) + require.NoFileExists(t, bundlePath) + require.NoFileExists(t, legacySignaturePath) require.Nil(t, pkgLayout.Pkg.Build.Signed) }) 
@@ -521,9 +535,11 @@ func TestPackageLayoutSignPackage(t *testing.T) { err = pkgLayout.SignPackage(ctx, opts) require.NoError(t, err) - // Verify signature file exists - signaturePath := filepath.Join(tmpDir, Signature) - require.FileExists(t, signaturePath) + // Verify both signature formats exist + bundlePath := filepath.Join(tmpDir, Bundle) + legacySignaturePath := filepath.Join(tmpDir, Signature) + require.FileExists(t, bundlePath, "bundle format signature should exist") + require.FileExists(t, legacySignaturePath, "legacy signature should exist") // Read the zarf.yaml from disk updatedBytes, err := os.ReadFile(yamlPath) @@ -738,7 +754,8 @@ func TestPackageLayoutVerifyPackageSignature(t *testing.T) { t.Run("successful verification with valid signature", func(t *testing.T) { tmpDir := t.TempDir() yamlPath := filepath.Join(tmpDir, ZarfYAML) - signedPath := filepath.Join(tmpDir, Signature) + bundlePath := filepath.Join(tmpDir, Bundle) + legacySignaturePath := filepath.Join(tmpDir, Signature) // Create and sign a package err := os.WriteFile(yamlPath, []byte("test content"), 0o644) @@ -759,9 +776,10 @@ func TestPackageLayoutVerifyPackageSignature(t *testing.T) { err = pkgLayout.SignPackage(ctx, signOpts) require.NoError(t, err) - require.FileExists(t, signedPath) + require.FileExists(t, bundlePath, "bundle format signature should exist") + require.FileExists(t, legacySignaturePath, "legacy signature should exist") - // Verify the signature + // Verify the signature (should use bundle format as primary) verifyOpts := utils.DefaultVerifyBlobOptions() verifyOpts.KeyRef = "./testdata/cosign.pub" 
@@ -819,7 +837,7 @@ func TestPackageLayoutVerifyPackageSignature(t *testing.T) { err = pkgLayout.VerifyPackageSignature(ctx, verifyOpts) require.Error(t, err) - require.Contains(t, err.Error(), "signature not found") + require.Contains(t, err.Error(), "signature not found: neither bundle nor legacy signature exists") }) t.Run("verification fails with empty dirPath", func(t *testing.T) { @@ -871,7 +889,7 @@ func TestPackageLayoutVerifyPackageSignature(t *testing.T) { t.Run("verification fails with no public key", func(t *testing.T) { tmpDir := t.TempDir() yamlPath := filepath.Join(tmpDir, ZarfYAML) - signedPath := filepath.Join(tmpDir, Signature) + bundlePath := filepath.Join(tmpDir, Bundle) // Create signed package err := os.WriteFile(yamlPath, []byte("test content"), 0o644) @@ -892,7 +910,7 @@ func TestPackageLayoutVerifyPackageSignature(t *testing.T) { err = pkgLayout.SignPackage(ctx, signOpts) require.NoError(t, err) - require.FileExists(t, signedPath) + require.FileExists(t, bundlePath) // Try to verify without providing a key verifyOpts := utils.DefaultVerifyBlobOptions() @@ -905,7 +923,7 @@ func TestPackageLayoutVerifyPackageSignature(t *testing.T) { t.Run("verification fails when signature is corrupted", func(t *testing.T) { tmpDir := t.TempDir() yamlPath := filepath.Join(tmpDir, ZarfYAML) - signedPath := filepath.Join(tmpDir, Signature) + bundlePath := filepath.Join(tmpDir, Bundle) // Create and sign package err := os.WriteFile(yamlPath, []byte("test content"), 0o644) @@ -926,10 +944,10 @@ func TestPackageLayoutVerifyPackageSignature(t *testing.T) { err = pkgLayout.SignPackage(ctx, signOpts) require.NoError(t, err) - require.FileExists(t, signedPath) + require.FileExists(t, bundlePath) - // Corrupt the signature - err = os.WriteFile(signedPath, []byte("corrupted signature data"), 0o644) + // Corrupt the bundle signature + err = os.WriteFile(bundlePath, []byte("corrupted bundle data"), 0o644) require.NoError(t, err) // Try to verify with corrupted signature 
@@ -943,7 +961,7 @@ func TestPackageLayoutVerifyPackageSignature(t *testing.T) { t.Run("verification fails when zarf.yaml is modified after signing", func(t *testing.T) { tmpDir := t.TempDir() yamlPath := filepath.Join(tmpDir, ZarfYAML) - signedPath := filepath.Join(tmpDir, Signature) + bundlePath := filepath.Join(tmpDir, Bundle) // Create and sign package err := os.WriteFile(yamlPath, []byte("original content"), 0o644) @@ -964,7 +982,7 @@ func TestPackageLayoutVerifyPackageSignature(t *testing.T) { err = pkgLayout.SignPackage(ctx, signOpts) require.NoError(t, err) - require.FileExists(t, signedPath) + require.FileExists(t, bundlePath) // Modify the zarf.yaml after signing (tampering) err = os.WriteFile(yamlPath, []byte("modified content"), 0o644) 
@@ -977,4 +995,44 @@ func TestPackageLayoutVerifyPackageSignature(t *testing.T) { err = pkgLayout.VerifyPackageSignature(ctx, verifyOpts) require.Error(t, err) }) + + t.Run("verification falls back to legacy signature format", func(t *testing.T) { + tmpDir := t.TempDir() + yamlPath := filepath.Join(tmpDir, ZarfYAML) + bundlePath := filepath.Join(tmpDir, Bundle) + legacySignaturePath := filepath.Join(tmpDir, Signature) + + // Create and sign package + err := os.WriteFile(yamlPath, []byte("test content"), 0o644) + require.NoError(t, err) + + pkgLayout := &PackageLayout{ + dirPath: tmpDir, + Pkg: v1alpha1.ZarfPackage{}, + } + + // Sign the package + passFunc := cosign.PassFunc(func(_ bool) ([]byte, error) { + return []byte("test"), nil + }) + signOpts := utils.DefaultSignBlobOptions() + signOpts.KeyRef = "./testdata/cosign.key" + signOpts.PassFunc = passFunc + + err = pkgLayout.SignPackage(ctx, signOpts) + require.NoError(t, err) + require.FileExists(t, bundlePath) + require.FileExists(t, legacySignaturePath) + + // Remove the bundle to test legacy fallback + err = os.Remove(bundlePath) + require.NoError(t, err) + + // Verification should still work with legacy signature + verifyOpts := utils.DefaultVerifyBlobOptions() + verifyOpts.KeyRef = "./testdata/cosign.pub" + + err = pkgLayout.VerifyPackageSignature(ctx, verifyOpts) + require.NoError(t, err, "verification should succeed with legacy signature format") + }) } From 049fcb8d2a0551c90d3b0cc9e5be8201c4aecf99 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sat, 15 Nov 2025 14:28:04 +0000 Subject: [PATCH 03/13] chore(docs): add tutorial documentation for signing and verification Signed-off-by: Brandt Keller --- .../5-package-signing-and-verification.mdx | 347 ++++++++++++++++++ src/pkg/packager/layout/package.go | 11 +- 2 files changed, 356 insertions(+), 2 deletions(-) create mode 100644 site/src/content/docs/tutorials/5-package-signing-and-verification.mdx 
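Review bot: The new subtest "verification falls back to legacy signature format" covers only the success case; nothing exercises a failing legacy verification once the bundle is gone. Add a subtest that signs, removes `zarf.bundle.sig`, overwrites `zarf.yaml.sig` with junk and asserts `require.Error(t, pkgLayout.VerifyPackageSignature(ctx, verifyOpts))`, so a regression that lets the fallback branch accept an invalid signature is caught. A second case with a valid bundle and a corrupted legacy signature would pin down that the bundle alone decides the result when both files are present.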
diff --git a/site/src/content/docs/tutorials/5-package-signing-and-verification.mdx b/site/src/content/docs/tutorials/5-package-signing-and-verification.mdx new file mode 100644 index 0000000000..abd222e968 --- /dev/null +++ b/site/src/content/docs/tutorials/5-package-signing-and-verification.mdx 
@@ -0,0 +1,347 @@ +--- +title: Package Signing and Verification +sidebar: + order: 5 +--- + +## Introduction + +In this tutorial, we will demonstrate how to cryptographically sign Zarf packages and verify their signatures to ensure package integrity and authenticity. Package signing is a critical security practice for airgap environments, allowing you to verify that packages have not been tampered with and come from a trusted source. + +Zarf uses [Cosign](https://github.com/sigstore/cosign) for signing and verification, supporting both the modern [Sigstore bundle format](https://docs.sigstore.dev/about/bundle/) and cloud-based Key Management Services (KMS). + +## Prerequisites + +Before beginning this tutorial you will need the following: + +- Zarf binary installed on your $PATH: ([Installing Zarf](/getting-started/install/)) +- A Zarf package to sign (you can create one by following the [Creating a Zarf Package](/tutorials/0-creating-a-zarf-package/) tutorial) + +## Understanding Package Signing + +Zarf package signatures provide: + +- **Authenticity**: Verify that a package comes from a trusted source +- **Integrity**: Ensure the package has not been modified or corrupted +- **Non-repudiation**: Prove who signed the package and when + +Zarf signs the `zarf.yaml` file within a package, which contains metadata and checksums for all package contents. This allows verification of the entire package through a single signature. + +:::note + +As of Zarf's recent updates, packages are signed using the **Sigstore bundle format** (`zarf.bundle.sig`), which is the modern, recommended format. The legacy signature format (`zarf.yaml.sig`) is being deprecated. + +::: + +## Generating a Signing Key Pair + +To sign packages, you'll need a private/public key pair. You can generate one using Zarf: + +```bash +# Generate a key pair (you'll be prompted for a password) +zarf tools gen-key + +# This creates two files: +# - cosign.key (private key - keep this secure!) 
+# - cosign.pub (public key - share this for verification) +``` + +:::caution + +Keep your private key (`cosign.key`) secure and never share it. Anyone with access to your private key can sign packages as you. Consider using a hardware security module (HSM) or cloud KMS for production environments. + +::: + +## Signing a Zarf Package + +### Signing During Package Creation + +You can sign a package automatically during creation by providing the signing key: + +```bash +# Create and sign a package in one step +zarf package create . --signing-key cosign.key --signing-key-pass +``` + +### Signing an Existing Package + +You can also sign a package after it has been created using the `zarf package sign` command: + +```bash +# Sign an unsigned package +zarf package sign zarf-package-wordpress-amd64-26.0.0.tar.zst --signing-key cosign.key +``` + +The signature will be embedded within the package archive, and the package's `zarf.yaml` will be updated to indicate it is signed. + +### Re-signing a Package + +If you need to replace an existing signature with a new one (for example, when rotating keys), use the `--overwrite` flag: + +```bash +# Re-sign with a new key (overwrite existing signature) +zarf package sign zarf-package-wordpress-amd64-26.0.0.tar.zst \ + --signing-key new-cosign.key \ + --overwrite +``` + +### Signing Packages in OCI Registries + +Zarf supports signing packages stored in OCI registries: + +```bash +# Sign a package from an OCI registry and output to local directory +zarf package sign oci://ghcr.io/my-org/my-package:1.0.0 \ + --signing-key cosign.key \ + --output ./signed/ + +# Sign a package and publish directly to OCI registry +zarf package sign zarf-package-wordpress-amd64-26.0.0.tar.zst \ + --signing-key cosign.key \ + --output oci://ghcr.io/my-org/signed-packages + +# Sign a package from OCI and re-publish to OCI (in place) +zarf package sign oci://ghcr.io/my-org/my-package:1.0.0 \ + --signing-key cosign.key +``` + +### Using Cloud KMS for Signing 
+ +For production environments, you can use cloud-based Key Management Services instead of local key files: + +```bash +# Sign with AWS KMS +zarf package sign zarf-package-wordpress-amd64-26.0.0.tar.zst \ + --signing-key awskms://alias/my-signing-key + +# Sign with Google Cloud KMS +zarf package sign zarf-package-wordpress-amd64-26.0.0.tar.zst \ + --signing-key gcpkms://projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY + +# Sign with Azure Key Vault +zarf package sign zarf-package-wordpress-amd64-26.0.0.tar.zst \ + --signing-key azurekms://VAULT_NAME.vault.azure.net/keys/KEY_NAME/KEY_VERSION + +# Sign with HashiCorp Vault +zarf package sign zarf-package-wordpress-amd64-26.0.0.tar.zst \ + --signing-key hashivault://KEY_NAME +``` + +:::note + +Cloud KMS providers require proper authentication and permissions configured on your system. Refer to each provider's documentation for setup instructions. Additionally you need to ensure your KMS key is an Asymmetric key. + +::: + +## Verifying Package Signatures + +### Verifying a Signed Package + +To verify a package's signature, use the `zarf package verify` command with the public key: + +```bash +# Verify a signed package +zarf package verify zarf-package-wordpress-amd64-26.0.0.tar.zst --key cosign.pub +``` + +If the signature is valid, you'll see a success message: + +``` +2025-11-15 14:17:13 INF checksum verification status=PASSED +Verified OK +2025-11-15 14:17:16 INF signature verification status=PASSED +2025-11-15 14:17:16 INF verification complete status=SUCCESS +``` + +If verification fails, the command will exit with a non-zero status code and display an error message. 
+ +### Verifying Unsigned Packages + +You can also verify the integrity (checksums) of unsigned packages without providing a key: + +```bash +# Verify checksums only (no signature verification) +zarf package verify zarf-package-wordpress-amd64-26.0.0.tar.zst +``` + +This confirms that the package files match their expected checksums but does not verify authenticity. + +### Automatic Verification During Deployment + +By default, Zarf automatically verifies signatures when deploying signed packages. You must provide the public key: + +```bash +# Deploy with automatic signature verification +zarf package deploy zarf-package-wordpress-amd64-26.0.0.tar.zst --key cosign.pub +``` + +If signature verification fails during deployment, Zarf will abort the deployment to prevent deploying potentially compromised packages. + +### Skipping Signature Validation + +In some situations (such as testing), you may want to skip signature validation: + +```bash +# Deploy without signature verification (not recommended for production) +zarf package deploy zarf-package-wordpress-amd64-26.0.0.tar.zst --skip-signature-validation +``` + +:::caution + +Skipping signature validation removes an important security control. Only use `--skip-signature-validation` in trusted development/testing environments, never in production. + +::: + +## Signature Format Migration + +### Understanding the Sigstore Bundle Format + +Zarf now uses the [Sigstore bundle format](https://docs.sigstore.dev/about/bundle/) for package signatures. 
This format provides several advantages over the legacy signature format: + +- **Self-contained**: Bundles include all verification materials in a single file +- **Standardized**: Based on the widely-adopted Sigstore specification +- **Enhanced metadata**: Includes timestamps, certificate chains, and transparency log entries +- **Better interoperability**: Compatible with other Sigstore tooling and services + +The bundle format is stored as `zarf.bundle.sig` within the package, following the [Sigstore Bundle Specification](https://github.com/sigstore/cosign/blob/main/specs/BUNDLE_SPEC.md). + +### Legacy Signature Format Deprecation + +:::caution[Signature Format Deprecation] + +The legacy signature format (`zarf.yaml.sig`) is being deprecated in favor of the Sigstore bundle format (`zarf.bundle.sig`). While Zarf currently supports both formats for backward compatibility, the legacy format will be removed in a future release. + +**Reasons for deprecation:** + +1. **Limited metadata**: The legacy format only stores the raw signature without additional verification context +2. **Non-standard**: Uses a custom format not compatible with other Sigstore tooling +3. **Reduced functionality**: Cannot support advanced features like keyless signing or transparency log integration +4. **Maintenance burden**: Supporting multiple formats increases complexity and testing requirements + +**Migration path:** + +- New packages are automatically signed using the bundle format +- Existing packages with legacy signatures will display a deprecation warning during verification +- Re-sign legacy packages with the `zarf package sign` command to upgrade to the bundle format + +::: + +## Complete Example Workflow + +Here's a complete workflow demonstrating package signing and verification: + +```bash +# Step 1: Generate a signing key pair +zarf tools gen-key +# Enter password when prompted +# Creates: cosign.key and cosign.pub + +# Step 2: Create and sign a package +zarf package create . 
--signing-key cosign.key --signing-key-pass +# Creates: zarf-package-wordpress-amd64-26.0.0.tar.zst (signed) + +# Step 3: Verify the package signature +zarf package verify zarf-package-wordpress-amd64-26.0.0.tar.zst --key cosign.pub +# Output: ✔ Package signature verified successfully + +# Step 4: Inspect the package (signature validation is automatic) +zarf package inspect definition zarf-package-wordpress-amd64-26.0.0.tar.zst --key cosign.pub +# Shows package contents with verified signature and `signed: true` in the build data + +# Step 5: Deploy the package with signature verification +zarf package deploy zarf-package-wordpress-amd64-26.0.0.tar.zst --key cosign.pub --confirm +# Package is verified before deployment +``` + +## Best Practices for Package Signing + +1. **Protect private keys**: Store private keys securely and never commit them to version control +2. **Use strong passwords**: Encrypt private keys with strong, unique passwords +3. **Consider KMS for production**: Use cloud KMS or HSMs for production signing operations +4. **Verify before deployment**: Always verify package signatures before deploying to critical environments +5. **Rotate keys periodically**: Establish a key rotation schedule and re-sign packages with new keys +6. **Document your process**: Maintain clear documentation of your signing and verification procedures +7. **Automate verification**: Integrate signature verification into your CI/CD pipelines + +## Troubleshooting + +### Signature Verification Failed + +``` +✖ failed to verify signature: invalid signature when validating ASN.1 encoded signature +``` + +:::note[Remediation] + +This error indicates the signature is invalid. Common causes: + +1. The package was modified after signing +2. Wrong public key used for verification +3. Package corruption during transfer + +**Steps to resolve:** +1. Verify you're using the correct public key that corresponds to the signing key +2. 
Re-download the package if it may have been corrupted +3. Contact the package author if the signature is genuinely invalid + +::: + +### Package is Signed But No Key Provided + +``` +✖ package is signed but no key was provided +``` + +:::note[Remediation] + +When deploying or inspecting a signed package, you must provide the public key: + +```bash +# Add the --key flag with the path to the public key +zarf package deploy zarf-package-wordpress-amd64-26.0.0.tar.zst --key cosign.pub +``` + +::: + +### Private Key Password Incorrect + +``` +ERR failed to sign package: failed to sign package: reading key: decrypt: encrypted: decryption failed +``` + +:::note[Remediation] + +The password provided for the private key is incorrect. Try again with the correct password: + +```bash +zarf package sign zarf-package-wordpress-amd64-26.0.0.tar.zst --signing-key cosign.key --signing-key-pass +``` + +::: + +### Cannot Overwrite Existing Signature + +``` +✖ package is already signed. Use --overwrite to replace the existing signature +``` + +:::note[Remediation] + +The package already has a signature. If you want to replace it with a new signature, use the `--overwrite` flag: + +```bash +zarf package sign zarf-package-wordpress-amd64-26.0.0.tar.zst \ + --signing-key cosign.key \ + --overwrite +``` + +::: + +## Additional Resources + +- [Cosign GitHub Repository](https://github.com/sigstore/cosign) +- [Sigstore Bundle Format Documentation](https://docs.sigstore.dev/about/bundle/) +- [Sigstore Bundle Specification](https://github.com/sigstore/cosign/blob/main/specs/BUNDLE_SPEC.md) +- [Zarf Package Sign Command Reference](/commands/zarf_package_sign/) +- [Zarf Package Verify Command Reference](/commands/zarf_package_verify/) +- [Zarf Package Create Command Reference](/commands/zarf_package_create/) diff --git a/src/pkg/packager/layout/package.go b/src/pkg/packager/layout/package.go index 83985acb49..3bbb0ad4d1 100644 --- a/src/pkg/packager/layout/package.go 
+++ b/src/pkg/packager/layout/package.go @@ -216,11 +216,18 @@ func (p *PackageLayout) SignPackage(ctx context.Context, opts utils.SignBlobOpti signOpts.BundlePath = tmpBundlePath // Check if signature already exists in actual layout and warn + // Note: duplicate warnings - this one will be removed when the standard signature is deprecated actualSignaturePath := filepath.Join(p.dirPath, Signature) if _, err := os.Stat(actualSignaturePath); err == nil { l.Warn("overwriting existing package signature", "path", actualSignaturePath) } + // Check if signature already exists in actual layout and warn + actualBundlePath := filepath.Join(p.dirPath, Bundle) + if _, err := os.Stat(actualBundlePath); err == nil { + l.Warn("overwriting existing package signature bundle", "path", actualBundlePath) + } + // Perform the signing operation on the temp file l.Debug("signing package", "source", tmpZarfYAMLPath, "signature", tmpSignaturePath) _, err = utils.CosignSignBlobWithOptions(ctx, tmpZarfYAMLPath, signOpts) @@ -246,12 +253,12 @@ func (p *PackageLayout) SignPackage(ctx context.Context, opts utils.SignBlobOpti return fmt.Errorf("failed to move signature after signing: %w", err) } - err = os.Rename(tmpBundlePath, filepath.Join(p.dirPath, Bundle)) + err = os.Rename(tmpBundlePath, actualBundlePath) if err != nil { return fmt.Errorf("failed to move bundle after signing: %w", err) } - l.Info("package signed successfully", "signature", actualSignaturePath) + l.Info("package signed successfully") return nil } From c47b2aeed49490dc0da652ff3d274c8193f3f5bd Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Mon, 17 Nov 2025 14:56:21 +0000 Subject: [PATCH 04/13] fix(ci): add debug logging for upgrade test Signed-off-by: Brandt Keller --- .github/workflows/test-upgrade.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/test-upgrade.yml b/.github/workflows/test-upgrade.yml index 440fced63b..6388f4cc94 100644 
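Review bot: The final `l.Info("package signed successfully")` in the second hunk no longer records any path, and the debug line before signing in the first hunk still reports only `"signature", tmpSignaturePath`, so the logs never name the bundle that was written. Keep the artifact locations in the success message, e.g. `l.Info("package signed successfully", "bundle", actualBundlePath, "signature", actualSignaturePath)`. In the first hunk the comment `// Check if signature already exists in actual layout and warn` is repeated verbatim above the bundle check; `// Check if a bundle already exists in the actual layout and warn` would describe that block correctly. SignPackage begins and ends outside both hunks.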
--- a/.github/workflows/test-upgrade.yml +++ b/.github/workflows/test-upgrade.yml @@ -104,12 +104,9 @@ jobs: run: | sudo env "PATH=$PATH" CI=true APPLIANCE_MODE=true APPLIANCE_MODE_KEEP=true make test-e2e-with-cluster ARCH=amd64 - - name: "Describe nodes, pods and deployments" - # NOTE: We describe nodes, pods and deployments here to help understand failures - run: | - sudo env "PATH=$PATH" CI=true zarf tools kubectl describe nodes - sudo env "PATH=$PATH" CI=true zarf tools kubectl describe deployments -n=podinfo-upgrade - sudo env "PATH=$PATH" CI=true zarf tools kubectl describe pods -n=podinfo-upgrade + - name: get cluster info + uses: ./.github/actions/debug-cluster + if: always() # Before we run the upgrade tests we need to aggressively cleanup files to reduce disk pressure - name: Cleanup files From e14d75f2002f47a3ab4f423eac5c198e2d661ce3 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Mon, 17 Nov 2025 19:08:14 +0000 Subject: [PATCH 05/13] fix(ci): test pruning registry Signed-off-by: Brandt Keller --- src/test/common.go | 10 ++++++++++ src/test/e2e/22_git_and_gitops_test.go | 6 ++---- src/test/e2e/25_helm_test.go | 12 ++++++++++++ src/test/e2e/31_checksum_and_signature_test.go | 3 +++ src/test/e2e/50_oci_publish_deploy_test.go | 3 +++ src/test/e2e/99_yolo_test.go | 2 ++ 6 files changed, 32 insertions(+), 4 deletions(-) diff --git a/src/test/common.go b/src/test/common.go index 273ebb381c..5dfb5b9a6a 100644 --- a/src/test/common.go +++ b/src/test/common.go 
@@ -183,3 +183,13 @@ func (e2e *ZarfE2ETest) GetZarfVersion(t *testing.T) string {
 require.NoError(t, err, stdOut, stdErr)
 return strings.Trim(stdOut, "\n")
 }
+
+// PruneRegistry executes zarf tools registry prune to reduce disk pressure.
+// This should be called after package removal operations to clean up unused images
+// from the in-cluster registry, helping to reduce disk pressure during E2E tests.
+func (e2e *ZarfE2ETest) PruneRegistry(t *testing.T) {
+ t.Helper()
+ t.Log("Pruning registry to reduce disk pressure")
+ stdOut, stdErr, err := e2e.Zarf(t, "tools", "registry", "prune", "--confirm")
+ require.NoError(t, err, stdOut, stdErr)
+}
diff --git a/src/test/e2e/22_git_and_gitops_test.go b/src/test/e2e/22_git_and_gitops_test.go
index 9650dd2662..fa751c5a75 100644
--- a/src/test/e2e/22_git_and_gitops_test.go
+++ b/src/test/e2e/22_git_and_gitops_test.go
@@ -185,8 +185,7 @@ func waitFluxPodInfoDeployment(t *testing.T) {
 require.NoError(t, err, stdOut, stdErr)
 
 // Prune the flux images to reduce disk pressure
- stdOut, stdErr, err = e2e.Zarf(t, "tools", "registry", "prune", "--confirm")
- require.NoError(t, err, stdOut, stdErr)
+ e2e.PruneRegistry(t)
 }
 
 func waitArgoDeployment(t *testing.T) {
@@ -219,6 +218,5 @@ func waitArgoDeployment(t *testing.T) {
 require.NoError(t, err, stdOut, stdErr)
 
 // Prune the ArgoCD images to reduce disk pressure
- stdOut, stdErr, err = e2e.Zarf(t, "tools", "registry", "prune", "--confirm")
- require.NoError(t, err, stdOut, stdErr)
+ e2e.PruneRegistry(t)
 }
diff --git a/src/test/e2e/25_helm_test.go b/src/test/e2e/25_helm_test.go
index d06dfb0a25..dc4a947557 100644
--- a/src/test/e2e/25_helm_test.go
+++ b/src/test/e2e/25_helm_test.go
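Review bot: In the new PruneRegistry helper, `require.NoError(t, err, stdOut, stdErr)` hands the command's stdout to testify as the message format string, so stderr is appended as an `%!(EXTRA string=...)` argument and any `%` in the output is read as a formatting verb. An explicit format keeps the failure output readable: `require.NoError(t, err, "stdout: %s\nstderr: %s", stdOut, stdErr)`. The same call shape appears in the context lines of the neighbouring hunks, so this follows the existing convention in these tests; a shared helper is a good place to fix it once.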
@@ -107,6 +107,9 @@ func testHelmChartsExample(t *testing.T) {
 // Remove the example package.
 stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "helm-charts", "--confirm")
 require.NoError(t, err, stdOut, stdErr)
+
+ // Prune the registry to reduce disk pressure
+ e2e.PruneRegistry(t)
 }
 
 func testHelmExampleWithOverrides(t *testing.T) {
@@ -149,6 +152,9 @@ func testHelmEscaping(t *testing.T) {
 // Remove the package.
 stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "evil-templates", "--confirm")
 require.NoError(t, err, stdOut, stdErr)
+
+ // Prune the registry to reduce disk pressure
+ e2e.PruneRegistry(t)
 }
 
 func testHelmUninstallRollback(t *testing.T, tmpdir string) {
@@ -206,6 +212,9 @@ func testHelmUninstallRollback(t *testing.T, tmpdir string) {
 // Remove the package.
 stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "dos-games", "--confirm")
 require.NoError(t, err, stdOut, stdErr)
+
+ // Prune the registry to reduce disk pressure
+ e2e.PruneRegistry(t)
 }
 
 func testHelmAdoption(t *testing.T, tmpdir string) {
@@ -238,4 +247,7 @@ func testHelmAdoption(t *testing.T, tmpdir string) {
 // Remove the package.
 stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "dos-games", "--confirm")
 require.NoError(t, err, stdOut, stdErr)
+
+ // Prune the registry to reduce disk pressure
+ e2e.PruneRegistry(t)
 }
diff --git a/src/test/e2e/31_checksum_and_signature_test.go b/src/test/e2e/31_checksum_and_signature_test.go
index 227706318b..06eecce731 100644
--- a/src/test/e2e/31_checksum_and_signature_test.go
+++ b/src/test/e2e/31_checksum_and_signature_test.go
@@ -45,4 +45,7 @@ func TestChecksumAndSignature(t *testing.T) {
 // Remove the package
 stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", pkgName, publicKeyFlag, "--confirm")
 require.NoError(t, err, stdOut, stdErr)
+
+ // Prune the registry to reduce disk pressure
+ e2e.PruneRegistry(t)
 }
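Review bot: The prune call added at the end of testHelmChartsExample only runs when every earlier `require` has passed, because `require.NoError` stops the test on failure; a failing test therefore leaves its images in the registry, which is the disk-pressure case this commit is aimed at. Registering the call up front with `t.Cleanup(func() { e2e.PruneRegistry(t) })` would at least attempt the prune on failure too. The same applies to the hunks in testHelmEscaping, testHelmUninstallRollback, testHelmAdoption and TestChecksumAndSignature. Each of these function bodies starts outside its hunk.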
diff --git a/src/test/e2e/50_oci_publish_deploy_test.go b/src/test/e2e/50_oci_publish_deploy_test.go index f54e5234b4..76349bcc71 100644 --- a/src/test/e2e/50_oci_publish_deploy_test.go +++ b/src/test/e2e/50_oci_publish_deploy_test.go @@ -98,6 +98,9 @@ func (suite *PublishDeploySuiteTestSuite) Test_1_Deploy() { stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "remove", "oci://"+ref, "--plain-http", "--confirm") suite.NoError(err, stdOut, stdErr) + // Prune the registry to reduce disk pressure + e2e.PruneRegistry(suite.T()) + // Test deploy w/ bad ref. _, stdErr, err = e2e.Zarf(suite.T(), "package", "deploy", "oci://"+badDeployRef.String(), "--plain-http", "--confirm") suite.Error(err, stdErr) diff --git a/src/test/e2e/99_yolo_test.go b/src/test/e2e/99_yolo_test.go index 578538441b..9f994eb9af 100644 --- a/src/test/e2e/99_yolo_test.go +++ b/src/test/e2e/99_yolo_test.go @@ -54,6 +54,8 @@ func TestYOLOMode(t *testing.T) { stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "yolo", "--confirm") require.NoError(t, err, stdOut, stdErr) + + // Note: No registry prune here as YOLO mode doesn't use the in-cluster registry } func TestDevDeploy(t *testing.T) { From 550fb2ee6e3edceb5a75284252043dd9c3cd5921 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Mon, 17 Nov 2025 19:57:04 +0000 Subject: [PATCH 06/13] fix(ci): prune registry where possible Signed-off-by: Brandt Keller --- .github/workflows/test-upgrade.yml | 4 ---- src/test/e2e/37_component_status_test.go | 2 ++ src/test/e2e/50_oci_publish_deploy_test.go | 3 --- src/test/e2e/99_yolo_test.go | 2 -- 4 files changed, 2 insertions(+), 9 deletions(-) diff --git a/.github/workflows/test-upgrade.yml b/.github/workflows/test-upgrade.yml index 6388f4cc94..85513a2d74 100644 --- a/.github/workflows/test-upgrade.yml +++ b/.github/workflows/test-upgrade.yml 
@@ -104,10 +104,6 @@ jobs: run: | sudo env "PATH=$PATH" CI=true APPLIANCE_MODE=true APPLIANCE_MODE_KEEP=true make test-e2e-with-cluster ARCH=amd64 - - name: get cluster info - uses: ./.github/actions/debug-cluster - if: always() - # Before we run the upgrade tests we need to aggressively cleanup files to reduce disk pressure - name: Cleanup files uses: ./.github/actions/cleanup-files diff --git a/src/test/e2e/37_component_status_test.go b/src/test/e2e/37_component_status_test.go index 7ae7455820..ed750ad82c 100644 --- a/src/test/e2e/37_component_status_test.go +++ b/src/test/e2e/37_component_status_test.go @@ -89,6 +89,8 @@ func TestComponentStatus(t *testing.T) { t.Cleanup(func() { stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "component-status", "--confirm") require.NoError(t, err, stdOut, stdErr) + + e2e.PruneRegistry(t) }) } diff --git a/src/test/e2e/50_oci_publish_deploy_test.go b/src/test/e2e/50_oci_publish_deploy_test.go index 76349bcc71..f54e5234b4 100644 --- a/src/test/e2e/50_oci_publish_deploy_test.go +++ b/src/test/e2e/50_oci_publish_deploy_test.go @@ -98,9 +98,6 @@ func (suite *PublishDeploySuiteTestSuite) Test_1_Deploy() { stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "remove", "oci://"+ref, "--plain-http", "--confirm") suite.NoError(err, stdOut, stdErr) - // Prune the registry to reduce disk pressure - e2e.PruneRegistry(suite.T()) - // Test deploy w/ bad ref. _, stdErr, err = e2e.Zarf(suite.T(), "package", "deploy", "oci://"+badDeployRef.String(), "--plain-http", "--confirm") suite.Error(err, stdErr) diff --git a/src/test/e2e/99_yolo_test.go b/src/test/e2e/99_yolo_test.go index 9f994eb9af..578538441b 100644 --- a/src/test/e2e/99_yolo_test.go +++ b/src/test/e2e/99_yolo_test.go 
@@ -54,8 +54,6 @@ func TestYOLOMode(t *testing.T) { stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "yolo", "--confirm") require.NoError(t, err, stdOut, stdErr) - - // Note: No registry prune here as YOLO mode doesn't use the in-cluster registry } func TestDevDeploy(t *testing.T) { From 8aa9484146d8a2cf30260d46303793570db924ab Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Mon, 17 Nov 2025 20:30:44 +0000 Subject: [PATCH 07/13] fix(ci): cleanup testing for CI Disk space Signed-off-by: Brandt Keller --- .github/workflows/test-upgrade.yml | 7 +++++++ src/test/common.go | 10 ---------- src/test/e2e/22_git_and_gitops_test.go | 6 ------ src/test/e2e/25_helm_test.go | 12 ------------ src/test/e2e/31_checksum_and_signature_test.go | 3 --- src/test/e2e/37_component_status_test.go | 2 -- 6 files changed, 7 insertions(+), 33 deletions(-) diff --git a/.github/workflows/test-upgrade.yml b/.github/workflows/test-upgrade.yml index 85513a2d74..440fced63b 100644 --- a/.github/workflows/test-upgrade.yml +++ b/.github/workflows/test-upgrade.yml @@ -104,6 +104,13 @@ jobs: run: | sudo env "PATH=$PATH" CI=true APPLIANCE_MODE=true APPLIANCE_MODE_KEEP=true make test-e2e-with-cluster ARCH=amd64 + - name: "Describe nodes, pods and deployments" + # NOTE: We describe nodes, pods and deployments here to help understand failures + run: | + sudo env "PATH=$PATH" CI=true zarf tools kubectl describe nodes + sudo env "PATH=$PATH" CI=true zarf tools kubectl describe deployments -n=podinfo-upgrade + sudo env "PATH=$PATH" CI=true zarf tools kubectl describe pods -n=podinfo-upgrade + # Before we run the upgrade tests we need to aggressively cleanup files to reduce disk pressure - name: Cleanup files uses: ./.github/actions/cleanup-files diff --git a/src/test/common.go b/src/test/common.go index 5dfb5b9a6a..273ebb381c 100644 --- a/src/test/common.go +++ b/src/test/common.go 
@@ -183,13 +183,3 @@ func (e2e *ZarfE2ETest) GetZarfVersion(t *testing.T) string { require.NoError(t, err, stdOut, stdErr) return strings.Trim(stdOut, "\n") } - -// PruneRegistry executes zarf tools registry prune to reduce disk pressure. -// This should be called after package removal operations to clean up unused images -// from the in-cluster registry, helping to reduce disk pressure during E2E tests. -func (e2e *ZarfE2ETest) PruneRegistry(t *testing.T) { - t.Helper() - t.Log("Pruning registry to reduce disk pressure") - stdOut, stdErr, err := e2e.Zarf(t, "tools", "registry", "prune", "--confirm") - require.NoError(t, err, stdOut, stdErr) -} diff --git a/src/test/e2e/22_git_and_gitops_test.go b/src/test/e2e/22_git_and_gitops_test.go index fa751c5a75..3e583510ad 100644 --- a/src/test/e2e/22_git_and_gitops_test.go +++ b/src/test/e2e/22_git_and_gitops_test.go @@ -183,9 +183,6 @@ func waitFluxPodInfoDeployment(t *testing.T) { // Remove the flux example when deployment completes stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "podinfo-flux", "--confirm") require.NoError(t, err, stdOut, stdErr) - - // Prune the flux images to reduce disk pressure - e2e.PruneRegistry(t) } func waitArgoDeployment(t *testing.T) { @@ -216,7 +213,4 @@ func waitArgoDeployment(t *testing.T) { // Remove the argocd example when deployment completes stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "argocd", "--confirm") require.NoError(t, err, stdOut, stdErr) - - // Prune the ArgoCD images to reduce disk pressure - e2e.PruneRegistry(t) } diff --git a/src/test/e2e/25_helm_test.go b/src/test/e2e/25_helm_test.go index dc4a947557..d06dfb0a25 100644 --- a/src/test/e2e/25_helm_test.go +++ b/src/test/e2e/25_helm_test.go 
@@ -107,9 +107,6 @@ func testHelmChartsExample(t *testing.T) { // Remove the example package. stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "helm-charts", "--confirm") require.NoError(t, err, stdOut, stdErr) - - // Prune the registry to reduce disk pressure - e2e.PruneRegistry(t) } func testHelmExampleWithOverrides(t *testing.T) { @@ -152,9 +149,6 @@ func testHelmEscaping(t *testing.T) { // Remove the package. stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "evil-templates", "--confirm") require.NoError(t, err, stdOut, stdErr) - - // Prune the registry to reduce disk pressure - e2e.PruneRegistry(t) } func testHelmUninstallRollback(t *testing.T, tmpdir string) { @@ -212,9 +206,6 @@ func testHelmUninstallRollback(t *testing.T, tmpdir string) { // Remove the package. stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "dos-games", "--confirm") require.NoError(t, err, stdOut, stdErr) - - // Prune the registry to reduce disk pressure - e2e.PruneRegistry(t) } func testHelmAdoption(t *testing.T, tmpdir string) { @@ -247,7 +238,4 @@ func testHelmAdoption(t *testing.T, tmpdir string) { // Remove the package. stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "dos-games", "--confirm") require.NoError(t, err, stdOut, stdErr) - - // Prune the registry to reduce disk pressure - e2e.PruneRegistry(t) } diff --git a/src/test/e2e/31_checksum_and_signature_test.go b/src/test/e2e/31_checksum_and_signature_test.go index 06eecce731..227706318b 100644 --- a/src/test/e2e/31_checksum_and_signature_test.go +++ b/src/test/e2e/31_checksum_and_signature_test.go @@ -45,7 +45,4 @@ func TestChecksumAndSignature(t *testing.T) { // Remove the package stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", pkgName, publicKeyFlag, "--confirm") require.NoError(t, err, stdOut, stdErr) - - // Prune the registry to reduce disk pressure - e2e.PruneRegistry(t) } 
diff --git a/src/test/e2e/37_component_status_test.go b/src/test/e2e/37_component_status_test.go
index ed750ad82c..7ae7455820 100644
--- a/src/test/e2e/37_component_status_test.go
+++ b/src/test/e2e/37_component_status_test.go
@@ -89,8 +89,6 @@ func TestComponentStatus(t *testing.T) {
 t.Cleanup(func() {
 stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "component-status", "--confirm")
 require.NoError(t, err, stdOut, stdErr)
-
- e2e.PruneRegistry(t)
 })
 }
 
From a98d5b95d5a309afd1a859c125c2df0475644c78 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Mon, 17 Nov 2025 21:28:24 +0000 Subject: [PATCH 08/13] fix(ci): revert removal of existing registry-prune operations Signed-off-by: Brandt Keller
--- src/test/e2e/22_git_and_gitops_test.go | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/src/test/e2e/22_git_and_gitops_test.go b/src/test/e2e/22_git_and_gitops_test.go
index 3e583510ad..8cd25638f5 100644
--- a/src/test/e2e/22_git_and_gitops_test.go
+++ b/src/test/e2e/22_git_and_gitops_test.go
@@ -183,6 +183,10 @@ func waitFluxPodInfoDeployment(t *testing.T) {
 // Remove the flux example when deployment completes
 stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "podinfo-flux", "--confirm")
 require.NoError(t, err, stdOut, stdErr)
+
+ // Prune the flux images to reduce disk pressure
+ stdOut, stdErr, err = e2e.Zarf(t, "tools", "registry", "prune", "--confirm")
+ require.NoError(t, err, stdOut, stdErr)
 }
 
 func waitArgoDeployment(t *testing.T) {
@@ -213,4 +217,8 @@ func waitArgoDeployment(t *testing.T) {
 // Remove the argocd example when deployment completes
 stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "argocd", "--confirm")
 require.NoError(t, err, stdOut, stdErr)
+
+ // Prune the flux images to reduce disk pressure
+ stdOut, stdErr, err = e2e.Zarf(t, "tools", "registry", "prune", "--confirm")
+ require.NoError(t, err, stdOut, stdErr)
 }
From 920f5ec1bb912dac88bd1e9309d7ab4b519a3676 Mon Sep 17 00:00:00 2001
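Review bot: The comment restored in waitArgoDeployment reads `// Prune the flux images to reduce disk pressure`, but this function removes the argocd package, so the comment was copied from the flux hunk above it. The line this commit is meant to restore said `// Prune the ArgoCD images to reduce disk pressure`, as the context line in patch 05 and the removed line in patch 07 show. The function body starts outside the hunk.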
From: Brandt Keller Date: Mon, 17 Nov 2025 23:16:27 +0000 Subject: [PATCH 09/13] feat(TUF): implement a trusted root embedding strategy Signed-off-by: Brandt Keller --- go.mod | 2 +- hack/tuf/README.md | 197 +++++++++++++++++++++ hack/tuf/go.mod | 28 +++ hack/tuf/go.sum | 285 ++++++++++++++++++++++++++++++ hack/tuf/main.go | 67 +++++++ src/pkg/utils/cosign.go | 27 ++- src/pkg/utils/trustedroot.go | 114 ++++++++++++ src/pkg/utils/trustedroot_test.go | 126 +++++++++++++ 8 files changed, 840 insertions(+), 6 deletions(-) create mode 100644 hack/tuf/README.md create mode 100644 hack/tuf/go.mod create mode 100644 hack/tuf/go.sum create mode 100644 hack/tuf/main.go create mode 100644 src/pkg/utils/trustedroot.go create mode 100644 src/pkg/utils/trustedroot_test.go diff --git a/go.mod b/go.mod index b77ba54365..43185ac5e7 100644 --- a/go.mod +++ b/go.mod @@ -47,6 +47,7 @@ require ( github.com/pterm/pterm v0.12.82 github.com/sergi/go-diff v1.4.0 github.com/sigstore/cosign/v3 v3.0.2 + github.com/sigstore/sigstore-go v1.1.3 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5 github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.6-0.20250729224751-181c5d3339b3 @@ -188,7 +189,6 @@ require ( github.com/segmentio/asm v1.2.0 // indirect github.com/sigstore/protobuf-specs v0.5.0 // indirect github.com/sigstore/rekor-tiles v0.1.11 // indirect - github.com/sigstore/sigstore-go v1.1.3 // indirect github.com/sorairolake/lzip-go v0.3.8 // indirect github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb // indirect github.com/theupdateframework/go-tuf/v2 v2.2.0 // indirect diff --git a/hack/tuf/README.md b/hack/tuf/README.md new file mode 100644 index 0000000000..7759edeed2 --- /dev/null +++ b/hack/tuf/README.md 
@@ -0,0 +1,197 @@ +# TUF Trusted Root Management + +This directory contains tooling for managing Zarf's embedded Sigstore trusted root. + +## Overview + +Zarf embeds the Sigstore public trusted root to enable **offline/air-gapped signature verification** without requiring network access to `tuf-repo-cdn.sigstore.dev`. + +The embedded trusted root is fetched via **TUF (The Update Framework)**, which provides: +- Cryptographic verification of the trusted root +- Protection against rollback attacks +- Secure key rotation +- Supply chain security guarantees + +## How It Works + +1. **At Build Time**: The trusted root is fetched via TUF and embedded in the Zarf binary +2. **At Runtime**: Zarf uses the embedded root for signature verification (no network calls) +3. **Custom Roots**: Users can override with custom trusted roots for private Sigstore deployments + +## Usage + +### Updating the Embedded Trusted Root + +Run this command to fetch the latest trusted root via TUF: + +```bash +go run hack/tuf/main.go +``` + +This will: +- Connect to `tuf-repo-cdn.sigstore.dev` +- Cryptographically verify the trusted root using TUF +- Write to `src/pkg/utils/data/trusted_root.json` + +Then commit the updated file: + +```bash +git add src/pkg/utils/data/trusted_root.json +git commit -m "chore: update embedded Sigstore trusted root" +``` + +### When to Update + +Update the embedded trusted root: +- **Before major releases** (recommended) +- **Monthly or quarterly** (good practice) +- **When Sigstore announces trust root updates** +- **After Sigstore key rotations** + +### Using Custom Trusted Roots + +For private Sigstore deployments, users can provide a custom trusted root: + +```bash +# Create custom trusted root for private deployment +cosign trusted-root create \ + --rekor-url https://private-rekor.example.com \ + --fulcio-url https://private-fulcio.example.com \ + --output custom_trusted_root.json + +# Use with Zarf +zarf package verify my-package.tar.zst \ + --key cosign.pub \ 
+ --trusted-root custom_trusted_root.json +``` + +## Architecture + +### File Structure + +``` +hack/tuf/ +├── main.go # Tool to fetch trusted root via TUF +└── README.md # This file + +src/pkg/utils/ +├── data/ +│ └── trusted_root.json # Embedded trusted root (committed to git) +├── trustedroot.go # Trusted root selection logic +├── trustedroot_test.go # Tests +└── cosign.go # Verification using trusted root +``` + +### Priority Order + +When verifying signatures, Zarf uses this priority order: + +1. **Custom Path**: If `--trusted-root` flag is provided, use that file +2. **Embedded Root**: Otherwise, use the embedded trusted root (no network access) + +### Air-Gap Compatibility + +The embedded approach ensures **zero network calls** during verification: +- ✅ TUF fetching happens at **build time** (developer's machine or CI/CD) +- ✅ Trusted root is **embedded** in the binary +- ✅ Verification works **completely offline** +- ✅ No dependency on external TUF servers at runtime + +## CI/CD Integration + +### Manual Updates (Simple) + +Add to your release checklist: +```bash +go run hack/tuf/main.go +git add src/pkg/utils/data/trusted_root.json +git commit -m "chore: update embedded Sigstore trusted root" +``` + +### Automated Updates (Recommended) + +Create a scheduled workflow (`.github/workflows/update-trusted-root.yml`): + +```yaml +name: Update Trusted Root + +on: + schedule: + - cron: '0 0 1 * *' # Monthly + workflow_dispatch: + +jobs: + update: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Setup Go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + + - name: Update trusted root + run: go run hack/tuf/main.go + + - name: Create Pull Request + uses: peter-evans/create-pull-request@v6 + with: + commit-message: 'chore: update embedded Sigstore trusted root' + title: 'Update Embedded Sigstore Trusted Root' + body: | + Automated update of the embedded Sigstore trusted root. 
+ + Fetched via TUF from tuf-repo-cdn.sigstore.dev with cryptographic verification. +``` + +## Security Considerations + +### Why Embed vs. Fetch at Runtime? + +**Embedding provides better security for air-gapped environments:** + +| Approach | Air-Gap Compatible | Supply Chain Verified | Reproducible Builds | +|----------|-------------------|----------------------|---------------------| +| Runtime TUF fetch | ❌ No (requires network) | ✅ Yes | ❌ No (non-deterministic) | +| Embedded (this approach) | ✅ Yes | ✅ Yes (at build time) | ✅ Yes | + +### Trust Model + +- **Build Time**: Developer/CI verifies trusted root via TUF +- **Distribution**: Trusted root embedded in binary +- **Runtime**: Users trust the embedded root (or provide their own) + +This follows the same model as: +- Cosign embedding the Sigstore TUF root +- Package managers embedding distribution keys +- Operating systems embedding CA certificates + +## Troubleshooting + +### "failed to parse embedded trusted root" + +The embedded file may be corrupted. Re-fetch it: +```bash +go run hack/tuf/main.go +``` + +### "custom trusted root not found" + +Verify the path is correct and the file exists: +```bash +ls -la /path/to/custom_trusted_root.json +``` + +### Network Errors During Update + +The TUF fetch requires internet access. Ensure: +- You can reach `tuf-repo-cdn.sigstore.dev` +- Firewall/proxy settings allow HTTPS +- DNS resolution is working + +## References + +- [Sigstore TUF Repository](https://github.com/sigstore/root-signing) +- [The Update Framework (TUF)](https://theupdateframework.io/) +- [Cosign Trusted Root Documentation](https://docs.sigstore.dev/cosign/overview/) diff --git a/hack/tuf/go.mod b/hack/tuf/go.mod new file mode 100644 index 0000000000..a517b4c0a3 --- /dev/null +++ b/hack/tuf/go.mod 
@@ -0,0 +1,28 @@ +module github.com/zarf-dev/zarf/hack/tuf + +go 1.25.1 + +require github.com/sigstore/sigstore-go v1.1.3 + +require ( + github.com/cenkalti/backoff/v5 v5.0.3 // indirect + github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect + github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect + github.com/go-jose/go-jose/v4 v4.1.1 // indirect + github.com/google/go-containerregistry v0.20.6 // indirect + github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect + github.com/opencontainers/go-digest v1.0.0 // indirect + github.com/pkg/errors v0.9.1 // indirect + github.com/secure-systems-lab/go-securesystemslib v0.9.1 // indirect + github.com/sigstore/protobuf-specs v0.5.0 // indirect + github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3 // indirect + github.com/sigstore/timestamp-authority v1.2.9 // indirect + github.com/theupdateframework/go-tuf/v2 v2.2.0 // indirect + github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect + golang.org/x/crypto v0.42.0 // indirect + golang.org/x/sys v0.36.0 // indirect + golang.org/x/term v0.35.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c // indirect + google.golang.org/protobuf v1.36.9 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect +) diff --git a/hack/tuf/go.sum b/hack/tuf/go.sum new file mode 100644 index 0000000000..44d0012297 --- /dev/null +++ b/hack/tuf/go.sum 
@@ -0,0 +1,285 @@ +cloud.google.com/go v0.121.6 h1:waZiuajrI28iAf40cWgycWNgaXPO06dupuS+sgibK6c= +cloud.google.com/go v0.121.6/go.mod h1:coChdst4Ea5vUpiALcYKXEpR1S9ZgXbhEzzMcMR66vI= +cloud.google.com/go/auth v0.16.5 h1:mFWNQ2FEVWAliEQWpAdH80omXFokmrnbDhUS9cBywsI= +cloud.google.com/go/auth v0.16.5/go.mod h1:utzRfHMP+Vv0mpOkTRQoWD2q3BatTOoWbA7gCc2dUhQ= +cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc= +cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c= +cloud.google.com/go/compute/metadata v0.8.0 h1:HxMRIbao8w17ZX6wBnjhcDkW6lTFpgcaobyVfZWqRLA= +cloud.google.com/go/compute/metadata v0.8.0/go.mod h1:sYOGTp851OV9bOFJ9CH7elVvyzopvWQFNNghtDQ/Biw= +cloud.google.com/go/iam v1.5.2 h1:qgFRAGEmd8z6dJ/qyEchAuL9jpswyODjA2lS+w234g8= +cloud.google.com/go/iam v1.5.2/go.mod h1:SE1vg0N81zQqLzQEwxL2WI6yhetBdbNQuTvIKCSkUHE= +cloud.google.com/go/kms v1.22.0 h1:dBRIj7+GDeeEvatJeTB19oYZNV0aj6wEqSIT/7gLqtk= +cloud.google.com/go/kms v1.22.0/go.mod h1:U7mf8Sva5jpOb4bxYZdtw/9zsbIjrklYwPcvMk34AL8= +cloud.google.com/go/longrunning v0.6.7 h1:IGtfDWHhQCgCjwQjV9iiLnUta9LBCo8R9QmAFsS/PrE= +cloud.google.com/go/longrunning v0.6.7/go.mod h1:EAFV3IZAKmM56TyiE6VAP3VoTzhZzySwI/YI1s/nRsY= +filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= +filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.2 h1:Hr5FTipp7SL07o2FvoVOX9HRiRH3CR3Mj8pxqCcdD5A= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.2/go.mod h1:QyVsSSN64v5TGltphKLQ2sQxe4OBQg0J1eKRcVBnfgE= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.11.0 h1:MhRfI58HblXzCtWEZCO0feHs8LweePB3s90r7WaR1KU= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.11.0/go.mod h1:okZ+ZURbArNdlJ+ptXoyHNuOETzOl1Oww19rm8I2WLA= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA= 
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0 h1:E4MgwLBGeVB5f2MdcIVD3ELVAWpr+WD6MUe1i+tM/PA= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0/go.mod h1:Y2b/1clN4zsAoUd/pgNAQHjLDnTis/6ROkUfyob6psM= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 h1:nCYfgcSyHZXJI8J0IWE5MsCGlb2xp9fJiXyxWgmOFg4= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0/go.mod h1:ucUjca2JtSZboY8IoUqyQyuuXvwbMBVwFOm0vdQPNhA= +github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 h1:oygO0locgZJe7PpYPXT5A29ZkwJaPqcva7BVeemZOZs= +github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= +github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= +github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= +github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE= +github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= +github.com/aws/aws-sdk-go-v2 v1.38.0 h1:UCRQ5mlqcFk9HJDIqENSLR3wiG1VTWlyUfLDEvY7RxU= +github.com/aws/aws-sdk-go-v2 v1.38.0/go.mod h1:9Q0OoGQoboYIAJyslFyF1f5K1Ryddop8gqMhWx/n4Wg= +github.com/aws/aws-sdk-go-v2/config v1.31.0 h1:9yH0xiY5fUnVNLRWO0AtayqwU1ndriZdN78LlhruJR4= +github.com/aws/aws-sdk-go-v2/config v1.31.0/go.mod h1:VeV3K72nXnhbe4EuxxhzsDc/ByrCSlZwUnWH52Nde/I= +github.com/aws/aws-sdk-go-v2/credentials v1.18.4 h1:IPd0Algf1b+Qy9BcDp0sCUcIWdCQPSzDoMK3a8pcbUM= +github.com/aws/aws-sdk-go-v2/credentials v1.18.4/go.mod h1:nwg78FjH2qvsRM1EVZlX9WuGUJOL5od+0qvm0adEzHk= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.3 h1:GicIdnekoJsjq9wqnvyi2elW6CGMSYKhdozE7/Svh78= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.3/go.mod 
h1:R7BIi6WNC5mc1kfRM7XM/VHC3uRWkjc396sfabq4iOo= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.3 h1:o9RnO+YZ4X+kt5Z7Nvcishlz0nksIt2PIzDglLMP0vA= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.3/go.mod h1:+6aLJzOG1fvMOyzIySYjOFjcguGvVRL68R+uoRencN4= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.3 h1:joyyUFhiTQQmVK6ImzNU9TQSNRNeD9kOklqTzyk5v6s= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.3/go.mod h1:+vNIyZQP3b3B1tSLI0lxvrU9cfM7gpdRXMFfm67ZcPc= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 h1:6+lZi2JeGKtCraAj1rpoZfKqnQ9SptseRZioejfUOLM= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0/go.mod h1:eb3gfbVIxIoGgJsi9pGne19dhCBpK6opTYpQqAmdy44= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.3 h1:ieRzyHXypu5ByllM7Sp4hC5f/1Fy5wqxqY0yB85hC7s= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.3/go.mod h1:O5ROz8jHiOAKAwx179v+7sHMhfobFVi6nZt8DEyiYoM= +github.com/aws/aws-sdk-go-v2/service/kms v1.44.0 h1:Z95XCqqSnwXr0AY7PgsiOUBhUG2GoDM5getw6RfD1Lg= +github.com/aws/aws-sdk-go-v2/service/kms v1.44.0/go.mod h1:DqcSngL7jJeU1fOzh5Ll5rSvX/MlMV6OZlE4mVdFAQc= +github.com/aws/aws-sdk-go-v2/service/sso v1.28.0 h1:Mc/MKBf2m4VynyJkABoVEN+QzkfLqGj0aiJuEe7cMeM= +github.com/aws/aws-sdk-go-v2/service/sso v1.28.0/go.mod h1:iS5OmxEcN4QIPXARGhavH7S8kETNL11kym6jhoS7IUQ= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.0 h1:6csaS/aJmqZQbKhi1EyEMM7yBW653Wy/B9hnBofW+sw= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.0/go.mod h1:59qHWaY5B+Rs7HGTuVGaC32m0rdpQ68N8QCN3khYiqs= +github.com/aws/aws-sdk-go-v2/service/sts v1.37.0 h1:MG9VFW43M4A8BYeAfaJJZWrroinxeTi2r3+SnmLQfSA= +github.com/aws/aws-sdk-go-v2/service/sts v1.37.0/go.mod 
h1:JdeBDPgpJfuS6rU/hNglmOigKhyEZtBmbraLE4GK1J8= +github.com/aws/smithy-go v1.22.5 h1:P9ATCXPMb2mPjYBgueqJNCA5S9UfktsW0tTxi+a7eqw= +github.com/aws/smithy-go v1.22.5/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI= +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM= +github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/digitorus/pkcs7 v0.0.0-20230713084857-e76b763bdc49/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc= +github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 h1:ge14PCmCvPjpMQMIAH7uKg0lrtNSOdpYsRXlwk3QbaE= +github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc= +github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 h1:lxmTCgmHE1GUYL7P0MlNa00M67axePTq+9nBSGddR8I= +github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7/go.mod h1:GvWntX9qiTlOud0WkQ6ewFm0LPy5JUR1Xo0Ngbd1w6Y= +github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= +github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/go-jose/go-jose/v4 v4.1.1 
h1:JYhSgy4mXXzAdF3nUx3ygx347LRXJRrpgyU3adRmkAI= +github.com/go-jose/go-jose/v4 v4.1.1/go.mod h1:BdsZGqgdO3b6tTc6LSE56wcDbMMLuPsw5d4ZD5f94kA= +github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= +github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/go-openapi/analysis v0.23.0 h1:aGday7OWupfMs+LbmLZG4k0MYXIANxcuBTYUC03zFCU= +github.com/go-openapi/analysis v0.23.0/go.mod h1:9mz9ZWaSlV8TvjQHLl2mUW2PbZtemkE8yA5v22ohupo= +github.com/go-openapi/errors v0.22.2 h1:rdxhzcBUazEcGccKqbY1Y7NS8FDcMyIRr0934jrYnZg= +github.com/go-openapi/errors v0.22.2/go.mod h1:+n/5UdIqdVnLIJ6Q9Se8HNGUXYaY6CN8ImWzfi/Gzp0= +github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= +github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= +github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= +github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= +github.com/go-openapi/loads v0.22.0 h1:ECPGd4jX1U6NApCGG1We+uEozOAvXvJSF4nnwHZ8Aco= +github.com/go-openapi/loads v0.22.0/go.mod h1:yLsaTCS92mnSAZX5WWoxszLj0u+Ojl+Zs5Stn1oF+rs= +github.com/go-openapi/runtime v0.28.0 h1:gpPPmWSNGo214l6n8hzdXYhPuJcGtziTOgUpvsFWGIQ= +github.com/go-openapi/runtime v0.28.0/go.mod h1:QN7OzcS+XuYmkQLw05akXk0jRH/eZ3kb18+1KwW9gyc= +github.com/go-openapi/spec v0.21.0 h1:LTVzPc3p/RzRnkQqLRndbAzjY0d0BCL72A6j3CdL9ZY= +github.com/go-openapi/spec v0.21.0/go.mod h1:78u6VdPw81XU44qEWGhtr982gJ5BWg2c0I5XwVMotYk= +github.com/go-openapi/strfmt v0.23.0 h1:nlUS6BCqcnAk0pyhi9Y+kdDVZdZMHfEKQiS4HaMgO/c= +github.com/go-openapi/strfmt v0.23.0/go.mod h1:NrtIpfKtWIygRkKVsxh7XQMDQW5HKQl6S5ik2elW+K4= +github.com/go-openapi/swag v0.24.1 
h1:DPdYTZKo6AQCRqzwr/kGkxJzHhpKxZ9i/oX0zag+MF8= +github.com/go-openapi/swag v0.24.1/go.mod h1:sm8I3lCPlspsBBwUm1t5oZeWZS0s7m/A+Psg0ooRU0A= +github.com/go-openapi/swag/cmdutils v0.24.0 h1:KlRCffHwXFI6E5MV9n8o8zBRElpY4uK4yWyAMWETo9I= +github.com/go-openapi/swag/cmdutils v0.24.0/go.mod h1:uxib2FAeQMByyHomTlsP8h1TtPd54Msu2ZDU/H5Vuf8= +github.com/go-openapi/swag/conv v0.24.0 h1:ejB9+7yogkWly6pnruRX45D1/6J+ZxRu92YFivx54ik= +github.com/go-openapi/swag/conv v0.24.0/go.mod h1:jbn140mZd7EW2g8a8Y5bwm8/Wy1slLySQQ0ND6DPc2c= +github.com/go-openapi/swag/fileutils v0.24.0 h1:U9pCpqp4RUytnD689Ek/N1d2N/a//XCeqoH508H5oak= +github.com/go-openapi/swag/fileutils v0.24.0/go.mod h1:3SCrCSBHyP1/N+3oErQ1gP+OX1GV2QYFSnrTbzwli90= +github.com/go-openapi/swag/jsonname v0.24.0 h1:2wKS9bgRV/xB8c62Qg16w4AUiIrqqiniJFtZGi3dg5k= +github.com/go-openapi/swag/jsonname v0.24.0/go.mod h1:GXqrPzGJe611P7LG4QB9JKPtUZ7flE4DOVechNaDd7Q= +github.com/go-openapi/swag/jsonutils v0.24.0 h1:F1vE1q4pg1xtO3HTyJYRmEuJ4jmIp2iZ30bzW5XgZts= +github.com/go-openapi/swag/jsonutils v0.24.0/go.mod h1:vBowZtF5Z4DDApIoxcIVfR8v0l9oq5PpYRUuteVu6f0= +github.com/go-openapi/swag/loading v0.24.0 h1:ln/fWTwJp2Zkj5DdaX4JPiddFC5CHQpvaBKycOlceYc= +github.com/go-openapi/swag/loading v0.24.0/go.mod h1:gShCN4woKZYIxPxbfbyHgjXAhO61m88tmjy0lp/LkJk= +github.com/go-openapi/swag/mangling v0.24.0 h1:PGOQpViCOUroIeak/Uj/sjGAq9LADS3mOyjznmHy2pk= +github.com/go-openapi/swag/mangling v0.24.0/go.mod h1:Jm5Go9LHkycsz0wfoaBDkdc4CkpuSnIEf62brzyCbhc= +github.com/go-openapi/swag/netutils v0.24.0 h1:Bz02HRjYv8046Ycg/w80q3g9QCWeIqTvlyOjQPDjD8w= +github.com/go-openapi/swag/netutils v0.24.0/go.mod h1:WRgiHcYTnx+IqfMCtu0hy9oOaPR0HnPbmArSRN1SkZM= +github.com/go-openapi/swag/stringutils v0.24.0 h1:i4Z/Jawf9EvXOLUbT97O0HbPUja18VdBxeadyAqS1FM= +github.com/go-openapi/swag/stringutils v0.24.0/go.mod h1:5nUXB4xA0kw2df5PRipZDslPJgJut+NjL7D25zPZ/4w= +github.com/go-openapi/swag/typeutils v0.24.0 h1:d3szEGzGDf4L2y1gYOSSLeK6h46F+zibnEas2Jm/wIw= 
+github.com/go-openapi/swag/typeutils v0.24.0/go.mod h1:q8C3Kmk/vh2VhpCLaoR2MVWOGP8y7Jc8l82qCTd1DYI= +github.com/go-openapi/swag/yamlutils v0.24.0 h1:bhw4894A7Iw6ne+639hsBNRHg9iZg/ISrOVr+sJGp4c= +github.com/go-openapi/swag/yamlutils v0.24.0/go.mod h1:DpKv5aYuaGm/sULePoeiG8uwMpZSfReo1HR3Ik0yaG8= +github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58= +github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ= +github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U= +github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= +github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo= +github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE= +github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= +github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= +github.com/google/go-containerregistry v0.20.6 h1:cvWX87UxxLgaH76b4hIvya6Dzz9qHB31qAwjAohdSTU= +github.com/google/go-containerregistry v0.20.6/go.mod h1:T0x8MuoAoKX/873bkeSfLD2FAkwCDf9/HZgsFJ02E2Y= +github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0= +github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/enterprise-certificate-proxy v0.3.6 h1:GW/XbdyBFQ8Qe+YAmFU9uHLo7OnF5tL52HFAgMmyrf4= +github.com/googleapis/enterprise-certificate-proxy v0.3.6/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA= +github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81vgd/bo= +github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc= +github.com/hashicorp/errwrap v1.1.0 
h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= +github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= +github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= +github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= +github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/hashicorp/go-retryablehttp v0.7.8 h1:ylXZWnqa7Lhqpk0L1P1LzDtGcCR0rPVUrx/c8Unxc48= +github.com/hashicorp/go-retryablehttp v0.7.8/go.mod h1:rjiScheydd+CxvumBsIrFKlx3iS0jrZ7LvzFGFmuKbw= +github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= +github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 h1:UpiO20jno/eV1eVZcxqWnUohyKRe1g8FPV/xH1s/2qs= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= +github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= +github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= +github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc= +github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/vault/api v1.16.0 h1:nbEYGJiAPGzT9U4oWgaaB0g+Rj8E59QuHKyA5LhwQN4= +github.com/hashicorp/vault/api v1.16.0/go.mod h1:KhuUhzOD8lDSk29AtzNjgAu2kxRA9jL9NAbkFlqvkBA= +github.com/jellydator/ttlcache/v3 v3.3.0 h1:BdoC9cE81qXfrxeb9eoJi9dWrdhSuwXMAnHTbnBm4Wc= +github.com/jellydator/ttlcache/v3 v3.3.0/go.mod 
h1:bj2/e0l4jRnQdrnSTaGTsh4GSXvMjQcy41i7th0GVGw= +github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 h1:liMMTbpW34dhU4az1GN0pTPADwNmvoRSeoZ6PItiqnY= +github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmhodges/clock v1.2.0 h1:eq4kys+NI0PLngzaHEe7AmPT90XMGIEySD1JfV1PDIs= +github.com/jmhodges/clock v1.2.0/go.mod h1:qKjhA7x7u/lQpPB1XAqX1b1lCI/w3/fNuYpI/ZjLynI= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec h1:2tTW6cDth2TSgRbAhD7yjZzTQmcN25sDRPEeinR51yQ= +github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec/go.mod h1:TmwEoGCwIti7BCeJ9hescZgRtatxRE+A72pCoPfmcfk= +github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4= +github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= +github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= +github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= +github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= 
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= +github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= +github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs= +github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o= +github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg= +github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk= +github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE= +github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs= +github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA= +github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg= +github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is= +github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= +github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= +github.com/secure-systems-lab/go-securesystemslib v0.9.1 
h1:nZZaNz4DiERIQguNy0cL5qTdn9lR8XKHf4RUyG1Sx3g= +github.com/secure-systems-lab/go-securesystemslib v0.9.1/go.mod h1:np53YzT0zXGMv6x4iEWc9Z59uR+x+ndLwCLqPYpLXVU= +github.com/sigstore/protobuf-specs v0.5.0 h1:F8YTI65xOHw70NrvPwJ5PhAzsvTnuJMGLkA4FIkofAY= +github.com/sigstore/protobuf-specs v0.5.0/go.mod h1:+gXR+38nIa2oEupqDdzg4qSBT0Os+sP7oYv6alWewWc= +github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3 h1:IEhSeWfhTd0kaBpHUXniWU2Tl5K5OUACN69mi1WGd+8= +github.com/sigstore/sigstore v1.9.6-0.20250729224751-181c5d3339b3/go.mod h1:JuqyPRJYnkNl6OTnQiG503EUnKih4P5EV6FUw+1B0iA= +github.com/sigstore/sigstore-go v1.1.3 h1:5lKcbXZa5JC7wb/UVywyCulccfYTUju1D5h4tkn+fXE= +github.com/sigstore/sigstore-go v1.1.3/go.mod h1:3jKC4IDh7TEVtCSJCjx0lpq5YfJbDJmfp65WsMvY2mg= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 h1:qp2VFyKuFQvTGmZwk5Q7m5nE4NwnF9tHwkyz0gtWAck= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5/go.mod h1:DKlQjjr+GsWljEYPycI0Sf8URLCk4EbGA9qYjF47j4g= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5 h1:CRZcdYn5AOptStsLRAAACudAVmb1qUbhMlzrvm7ju3o= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5/go.mod h1:b9rFfITq2fp1M3oJmq6lFFhSrAz5vOEJH1qzbMsZWN4= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.5 h1:7U0GsO0UGG1PdtgS6wBkRC0sMgq7BRVaFlPRwN4m1Qg= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.5/go.mod h1:/2qrI0nnCy/DTIPOMFaZlFnNPWEn5UeS70P37XEM88o= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.9.5 h1:S2ukEfN1orLKw2wEQIUHDDlzk0YcylhcheeZ5TGk8LI= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.9.5/go.mod h1:m7sQxVJmDa+rsmS1m6biQxaLX83pzNS7ThUEyjOqkCU= +github.com/sigstore/timestamp-authority v1.2.9 h1:L9Fj070/EbMC8qUk8BchkrYCS1BT5i93Bl6McwydkFs= +github.com/sigstore/timestamp-authority v1.2.9/go.mod h1:QyRnZchz4o+xdHyK5rvCWacCHxWmpX+mgvJwB1OXcLY= +github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= +github.com/stretchr/testify v1.11.1/go.mod 
h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= +github.com/theupdateframework/go-tuf/v2 v2.2.0 h1:Hmb+Azgd7IKOZeNJFT2C91y+YZ+F+TeloSIvQIaXCQw= +github.com/theupdateframework/go-tuf/v2 v2.2.0/go.mod h1:CubcJiJlBHQ2YkA5j9hlBO4B+tHFlLjRbWCJCT7EIKU= +github.com/tink-crypto/tink-go-awskms/v2 v2.1.0 h1:N9UxlsOzu5mttdjhxkDLbzwtEecuXmlxZVo/ds7JKJI= +github.com/tink-crypto/tink-go-awskms/v2 v2.1.0/go.mod h1:PxSp9GlOkKL9rlybW804uspnHuO9nbD98V/fDX4uSis= +github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0 h1:3B9i6XBXNTRspfkTC0asN5W0K6GhOSgcujNiECNRNb0= +github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0/go.mod h1:jY5YN2BqD/KSCHM9SqZPIpJNG/u3zwfLXHgws4x2IRw= +github.com/tink-crypto/tink-go-hcvault/v2 v2.3.0 h1:6nAX1aRGnkg2SEUMwO5toB2tQkP0Jd6cbmZ/K5Le1V0= +github.com/tink-crypto/tink-go-hcvault/v2 v2.3.0/go.mod h1:HOC5NWW1wBI2Vke1FGcRBvDATkEYE7AUDiYbXqi2sBw= +github.com/tink-crypto/tink-go/v2 v2.4.0 h1:8VPZeZI4EeZ8P/vB6SIkhlStrJfivTJn+cQ4dtyHNh0= +github.com/tink-crypto/tink-go/v2 v2.4.0/go.mod h1:l//evrF2Y3MjdbpNDNGnKgCpo5zSmvUvnQ4MU+yE2sw= +github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= +github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= +go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80= +go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= +go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= +go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 
h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q= +go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8= +go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM= +go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA= +go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI= +go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE= +go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs= +go.step.sm/crypto v0.70.0 h1:Q9Ft7N637mucyZcHZd1+0VVQJVwDCKqcb9CYcYi7cds= +go.step.sm/crypto v0.70.0/go.mod h1:pzfUhS5/ue7ev64PLlEgXvhx1opwbhFCjkvlhsxVds0= +go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= +go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= +golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI= +golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8= +golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE= +golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg= +golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= +golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU= +golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug= +golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= +golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k= +golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ= +golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA= +golang.org/x/text v0.29.0 
h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk= +golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4= +golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE= +golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= +google.golang.org/api v0.248.0 h1:hUotakSkcwGdYUqzCRc5yGYsg4wXxpkKlW5ryVqvC1Y= +google.golang.org/api v0.248.0/go.mod h1:yAFUAF56Li7IuIQbTFoLwXTCI6XCFKueOlS7S9e4F9k= +google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4= +google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s= +google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c h1:AtEkQdl5b6zsybXcbz00j1LwNodDuH6hVifIaNqk7NQ= +google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c/go.mod h1:ea2MjsO70ssTfCjiwHgI0ZFqcw45Ksuk2ckf9G468GA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c h1:qXWI/sQtv5UKboZ/zUk7h+mrf/lXORyI+n9DKDAusdg= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c/go.mod h1:gw1tLEfykwDz2ET4a12jcXt4couGAm7IwsVaTy0Sflo= +google.golang.org/grpc v1.75.0 h1:+TW+dqTd2Biwe6KKfhE5JpiYIBWq865PhKGSXiivqt4= +google.golang.org/grpc v1.75.0/go.mod h1:JtPAzKiq4v1xcAB2hydNlWI2RnF85XXcV0mhKXr2ecQ= +google.golang.org/protobuf v1.36.9 h1:w2gp2mA27hUeUzj9Ex9FBjsBm40zfaDtEWow293U7Iw= +google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 
diff --git a/hack/tuf/main.go b/hack/tuf/main.go
new file mode 100644
index 0000000000..0af646728f
--- /dev/null
+++ b/hack/tuf/main.go
@@ -0,0 +1,67 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2021-Present The Zarf Authors
+
+// Package main provides a tool to fetch the latest Sigstore trusted root via TUF
+// This tool should be run periodically (e.g., before releases) to update the
+// embedded trusted root with proper supply chain verification.
+package main
+
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+
+ "github.com/sigstore/sigstore-go/pkg/root"
+ "github.com/sigstore/sigstore-go/pkg/tuf"
+)
+
+const (
+ outputPath = "src/pkg/utils/data/trusted_root.json"
+)
+
+func main() {
+ fmt.Println("Fetching latest Sigstore trusted root via TUF...")
+ fmt.Println("This uses The Update Framework (TUF) to cryptographically verify the trusted root.")
+ fmt.Println()
+
+ // Use default TUF options (fetches from tuf-repo-cdn.sigstore.dev)
+ // This provides cryptographic verification of the trusted root
+ opts := tuf.DefaultOptions()
+
+ trustedRoot, err := root.FetchTrustedRootWithOptions(opts)
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "Error fetching trusted root: %v\n", err)
+ os.Exit(1)
+ }
+
+ // Get JSON representation
+ rootJSON, err := trustedRoot.MarshalJSON()
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "Error marshaling trusted root: %v\n", err)
+ os.Exit(1)
+ }
+
+ // Ensure output directory exists
+ dir := filepath.Dir(outputPath)
+ if err := os.MkdirAll(dir, 0o755); err != nil {
+ fmt.Fprintf(os.Stderr, "Error creating directory %s: %v\n", dir, err)
+ os.Exit(1)
+ }
+
+ // Write to file for embedding
+ if err := os.WriteFile(outputPath, rootJSON, 0o644); err != nil {
+ fmt.Fprintf(os.Stderr, "Error writing trusted root: %v\n", err)
+ os.Exit(1)
+ }
+
+ fmt.Printf("✓ Trusted root successfully written to %s\n", outputPath)
+ fmt.Printf(" Size: %d bytes\n", len(rootJSON))
+ fmt.Println()
+ fmt.Println("This file will be embedded in the Zarf binary at build time.")
+ fmt.Println("Commit this file to ensure reproducible builds with verified trust roots.")
+ fmt.Println()
+ fmt.Println("To update periodically:") + fmt.Println(" go run hack/tuf/main.go") + fmt.Println(" git add src/pkg/utils/data/trusted_root.json") + fmt.Println(" git commit -m 'chore: update embedded Sigstore trusted root'") +} diff --git a/src/pkg/utils/cosign.go b/src/pkg/utils/cosign.go index 6d88781426..f548b639ff 100644 --- a/src/pkg/utils/cosign.go +++ b/src/pkg/utils/cosign.go @@ -6,6 +6,7 @@ package utils import ( "context" + "fmt" "time" "github.com/google/go-containerregistry/pkg/name" @@ -59,9 +60,10 @@ type VerifyBlobOptions struct { options.CertVerifyOptions // Verification-specific options - SigRef string // Path to signature file - Offline bool // Enable offline verification mode - IgnoreTlog bool // Skip transparency log verification + SigRef string // Path to signature file + TrustedRootPath string // Custom path to trusted root (optional, for private deployments) + Offline bool // Enable offline verification mode + IgnoreTlog bool // Skip transparency log verification // General options Timeout time.Duration // Timeout for verification operations @@ -163,6 +165,10 @@ func CosignSignBlobWithOptions(ctx context.Context, blobPath string, opts SignBl // CosignVerifyBlobWithOptions verifies a blob signature with comprehensive cosign options. // This function supports all cosign v3 verify-blob capabilities by leveraging // the embedded KeyOpts and CertVerifyOptions structures. +// +// For air-gapped/offline verification, this function automatically uses the embedded +// Sigstore trusted root (fetched via TUF at build time). No network calls are made +// during verification. func CosignVerifyBlobWithOptions(ctx context.Context, blobPath string, opts VerifyBlobOptions) error { l := logger.From(ctx) 
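Review bot: `outputPath` in `hack/tuf/main.go` is relative to the working directory and `os.MkdirAll` creates the whole tree wherever the tool is started, so a run from anywhere but the repository root prints the success message while the file that actually gets embedded is left untouched. For a tool whose job is refreshing trust anchors, a silent no-op is worse than a failure; I would drop the `MkdirAll` and stop when the directory is missing, e.g. `if _, err := os.Stat(dir); err != nil { fmt.Fprintf(os.Stderr, "run from the repository root: %v\n", err); os.Exit(1) }`. The package comment should also say that the tool must be run from the repository root.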
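Review bot: The doc comment added to `CosignVerifyBlobWithOptions` promises that no network calls are made during verification, but `Offline` and `IgnoreTlog` remain caller-controlled fields of `VerifyBlobOptions`, so the embedded root only removes the TUF fetch. Whether cosign still contacts the transparency log when those fields are unset is decided outside this hunk, so the comment should claim less, e.g. `// The embedded trusted root avoids the TUF fetch; set Offline and supply a bundle for verification without network access.` The comment on the new `TrustedRootPath` field could also state that an empty value selects the root embedded at build time. The function body continues in the following hunks.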
@@ -170,11 +176,20 @@ func CosignVerifyBlobWithOptions(ctx context.Context, blobPath string, opts Veri keyOpts := opts.KeyOpts certVerifyOpts := opts.CertVerifyOptions + // Get trusted root path with automatic fallback to embedded root + // This prevents network calls - the embedded root was fetched via TUF at build time + trustedRootPath, cleanup, err := GetTrustedRootPath(opts.TrustedRootPath) + if err != nil { + return fmt.Errorf("failed to get trusted root: %w", err) + } + defer cleanup() + cmd := &verify.VerifyBlobCmd{ KeyOpts: keyOpts, CertVerifyOptions: certVerifyOpts, SigRef: opts.SigRef, - IgnoreSCT: opts.IgnoreSCT, // From CertVerifyOptions + TrustedRootPath: trustedRootPath, // Now always provided + IgnoreSCT: opts.IgnoreSCT, // From CertVerifyOptions Offline: opts.Offline, IgnoreTlog: opts.IgnoreTlog, } @@ -182,9 +197,11 @@ func CosignVerifyBlobWithOptions(ctx context.Context, blobPath string, opts Veri l.Debug("verifying blob with cosign", "keyRef", opts.KeyRef, "bundlePath", opts.BundlePath, + "trustedRootPath", trustedRootPath, + "usingEmbeddedRoot", opts.TrustedRootPath == "", "offline", opts.Offline) - err := cmd.Exec(ctx, blobPath) + err = cmd.Exec(ctx, blobPath) if err != nil { return err } diff --git a/src/pkg/utils/trustedroot.go b/src/pkg/utils/trustedroot.go new file mode 100644 index 0000000000..8143a31589 --- /dev/null +++ b/src/pkg/utils/trustedroot.go 
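Review bot: `TrustedRootPath` is now set on every call, so when the caller supplies none the Sigstore trust material is whatever was embedded when the binary was built, including for callers that left `Offline` false. A Fulcio or Rekor key rotated or withdrawn after the build would presumably not be reflected until a new release ships, and nothing here checks how old the snapshot is. I would fall back to the embedded root only when it is needed, wrapping the `GetTrustedRootPath` call in `if opts.TrustedRootPath != "" || opts.Offline {`, and log at warn level rather than debug when the embedded copy is used. The function starts before and ends after these hunks.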
@@ -0,0 +1,114 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2021-Present The Zarf Authors
+
+package utils
+
+import (
+ _ "embed"
+ "fmt"
+ "os"
+
+ "github.com/sigstore/sigstore-go/pkg/root"
+)
+
+// EmbeddedTrustedRoot contains the Sigstore public TUF trusted root
+// embedded at build time. This enables offline verification without
+// requiring network access to tuf-repo-cdn.sigstore.dev.
+//
+// This file is fetched via TUF (The Update Framework) which provides:
+// - Cryptographic verification of the trusted root
+// - Protection against rollback attacks
+// - Secure key rotation
+//
+// To update this embedded file (e.g., before releases):
+//
+// go run hack/tuf/main.go
+//
+// The file will be written to src/pkg/utils/data/trusted_root.json
+// and should be committed to the repository.
+//
+//go:embed data/trusted_root.json
+var EmbeddedTrustedRoot []byte
+
+// GetTrustedRootMaterial returns TrustedMaterial for Cosign verification.
+// Priority order:
+// 1. If customPath is provided, load and use that trusted root
+// 2. Otherwise, use the embedded trusted root (for air-gap compatibility)
+//
+// This enables:
+// - Manual override via custom path (for private Sigstore deployments)
+// - Offline operation via embedded root (air-gapped environments)
+// - No network calls during verification (TUF updates happen at build time)
+func GetTrustedRootMaterial(customPath string) (root.TrustedMaterial, error) {
+ // Priority 1: Use custom path if provided
+ if customPath != "" {
+ trustedRoot, err := root.NewTrustedRootFromPath(customPath)
+ if err != nil {
+ return nil, fmt.Errorf("failed to load custom trusted root from %s: %w", customPath, err)
+ }
+ return trustedRoot, nil
+ }
+
+ // Priority 2: Use embedded trusted root (offline fallback)
+ if len(EmbeddedTrustedRoot) == 0 {
+ return nil, fmt.Errorf("no trusted root available: embedded root is empty")
+ }
+
+ trustedRoot, err := root.NewTrustedRootFromJSON(EmbeddedTrustedRoot)
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse embedded trusted root: %w", err)
+ }
+
+ return trustedRoot, nil
+}
+
+// GetTrustedRootPath returns a path to a trusted root JSON file.
+// This is useful when the verification API requires a file path instead of
+// the TrustedMaterial object.
+//
+// Priority order:
+// 1. If customPath is provided and exists, use it
+// 2. Otherwise, write embedded root to temp file
+//
+// Returns: (path string, cleanup func(), error)
+// The cleanup function should be called to remove any temporary files.
+func GetTrustedRootPath(customPath string) (string, func(), error) {
+ cleanup := func() {} // No-op cleanup by default
+
+ // Priority 1: Use custom path if provided
+ if customPath != "" {
+ if _, err := os.Stat(customPath); err == nil {
+ return customPath, cleanup, nil
+ }
+ return "", cleanup, fmt.Errorf("custom trusted root not found: %s", customPath)
+ }
+
+ // Priority 2: Use embedded trusted root (write to temp file)
+ if len(EmbeddedTrustedRoot) == 0 {
+ return "", cleanup, fmt.Errorf("no trusted root available: embedded root is empty")
+ }
+
+ // Write embedded root to temp file
+ tmpFile, err := os.CreateTemp("", "zarf-trusted-root-*.json")
+ if err != nil {
+ return "", cleanup, fmt.Errorf("failed to create temp file for embedded trusted root: %w", err)
+ }
+
+ if _, err := tmpFile.Write(EmbeddedTrustedRoot); err != nil {
+ _ = tmpFile.Close() //nolint:errcheck
+ _ = os.Remove(tmpFile.Name()) //nolint:errcheck
+ return "", cleanup, fmt.Errorf("failed to write embedded trusted root: %w", err)
+ }
+
+ if err := tmpFile.Close(); err != nil {
+ _ = os.Remove(tmpFile.Name()) //nolint:errcheck
+ return "", cleanup, fmt.Errorf("failed to close temp trusted root file: %w", err)
+ }
+
+ // Setup cleanup function to remove temp file
+ cleanup = func() {
+ _ = os.Remove(tmpFile.Name()) //nolint:errcheck
+ }
+
+ return tmpFile.Name(), cleanup, nil
+}
diff --git a/src/pkg/utils/trustedroot_test.go b/src/pkg/utils/trustedroot_test.go
new file mode 100644
index 0000000000..945c9e569f
--- /dev/null
+++ b/src/pkg/utils/trustedroot_test.go
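Review bot: `EmbeddedTrustedRoot` in `trustedroot.go` is an exported, mutable `[]byte`, so any package linked into the binary can overwrite or truncate the trust anchor that `GetTrustedRootMaterial` and `GetTrustedRootPath` read afterwards. Keep the embed unexported (`var embeddedTrustedRoot []byte`) and, if outside access is needed, expose a function that returns `bytes.Clone(embeddedTrustedRoot)`. Separately, `GetTrustedRootPath` reports every `os.Stat` failure as "not found" and drops the cause; `fmt.Errorf("custom trusted root not found: %s: %w", customPath, err)` keeps a permission error distinguishable. The TUF bullet points in the variable's doc comment describe the fetch done by `hack/tuf/main.go`, not the embedded copy, and the comment should say that the snapshot is not refreshed at run time.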
@@ -0,0 +1,126 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2021-Present The Zarf Authors
+
+package utils
+
+import (
+ "os"
+ "path/filepath"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+)
+
+func TestGetTrustedRootPath(t *testing.T) {
+ t.Run("returns custom path when provided and exists", func(t *testing.T) {
+ // Create a temporary custom trusted root file
+ tmpDir := t.TempDir()
+ customPath := filepath.Join(tmpDir, "custom_trusted_root.json")
+ err := os.WriteFile(customPath, []byte(`{"test": "data"}`), 0o644)
+ require.NoError(t, err)
+
+ // Should use custom path
+ path, cleanup, err := GetTrustedRootPath(customPath)
+ defer cleanup()
+
+ require.NoError(t, err)
+ require.Equal(t, customPath, path)
+ })
+
+ t.Run("returns error when custom path provided but does not exist", func(t *testing.T) {
+ customPath := "/nonexistent/path/trusted_root.json"
+
+ _, _, err := GetTrustedRootPath(customPath)
+
+ require.Error(t, err)
+ require.Contains(t, err.Error(), "custom trusted root not found")
+ })
+
+ t.Run("uses embedded root when no custom path provided", func(t *testing.T) {
+ // Should fall back to embedded root
+ path, cleanup, err := GetTrustedRootPath("")
+ defer cleanup()
+
+ require.NoError(t, err)
+ require.NotEmpty(t, path)
+
+ // Verify the temp file exists and has content
+ content, err := os.ReadFile(path)
+ require.NoError(t, err)
+ require.NotEmpty(t, content)
+ require.Contains(t, string(content), "mediaType")
+ require.Contains(t, string(content), "sigstore")
+ })
+
+ t.Run("cleanup function removes temp file", func(t *testing.T) {
+ path, cleanup, err := GetTrustedRootPath("")
+ require.NoError(t, err)
+ require.NotEmpty(t, path)
+
+ // Verify file exists
+ _, err = os.Stat(path)
+ require.NoError(t, err)
+
+ // Call cleanup
+ cleanup()
+
+ // Verify file is removed
+ _, err = os.Stat(path)
+ require.True(t, os.IsNotExist(err))
+ })
+}
+
+func TestGetTrustedRootMaterial(t *testing.T) {
+ t.Run("loads custom trusted root from path", func(t *testing.T) {
+ // Use the embedded root as our test custom root
+ tmpDir := t.TempDir()
+ customPath := filepath.Join(tmpDir, "custom_root.json")
+ err := os.WriteFile(customPath, EmbeddedTrustedRoot, 0o644)
+ require.NoError(t, err)
+
+ material, err := GetTrustedRootMaterial(customPath)
+
+ require.NoError(t, err)
+ require.NotNil(t, material)
+ })
+
+ t.Run("uses embedded root when no custom path provided", func(t *testing.T) {
+ material, err := GetTrustedRootMaterial("")
+
+ require.NoError(t, err)
+ require.NotNil(t, material)
+
+ // Verify it has the expected methods
+ cas := material.FulcioCertificateAuthorities()
+ require.NotEmpty(t, cas, "should have certificate authorities")
+
+ tlogs := material.RekorLogs()
+ require.NotEmpty(t, tlogs, "should have transparency logs")
+ })
+
+ t.Run("returns error for invalid custom path", func(t *testing.T) {
+ _, err := GetTrustedRootMaterial("/nonexistent/root.json")
+
+ require.Error(t, err)
+ require.Contains(t, err.Error(), "failed to load custom trusted root")
+ })
+}
+
+func TestEmbeddedTrustedRoot(t *testing.T) {
+ t.Run("embedded root is not empty", func(t *testing.T) {
+ require.NotEmpty(t, EmbeddedTrustedRoot, "embedded trusted root should not be empty")
+ require.Greater(t, len(EmbeddedTrustedRoot), 1000, "embedded root should be substantial")
+ })
+
+ t.Run("embedded root is valid JSON", func(t *testing.T) {
+ require.Contains(t, string(EmbeddedTrustedRoot), "mediaType")
+ require.Contains(t, string(EmbeddedTrustedRoot), "certificateAuthorities")
+ require.Contains(t, string(EmbeddedTrustedRoot), "tlogs")
+ })
+
+ t.Run("embedded root can be parsed as TrustedMaterial", func(t *testing.T) {
+ material, err := GetTrustedRootMaterial("")
+ require.NoError(t, err)
+ require.NotNil(t, material)
+ })
+}
From 3fbfc488098478dde4cd91c9a01b81e7e0f0c1b7 Mon Sep 17 00:00:00 2001
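Review bot: The subtest named "embedded root is valid JSON" in `trustedroot_test.go` only looks for three substrings, so a truncated or malformed file that happens to contain them would pass; `require.True(t, json.Valid(EmbeddedTrustedRoot))` (with `encoding/json` imported) tests what the name says. "loads custom trusted root from path" writes the embedded bytes to the custom path, so it cannot tell whether the custom file or the embedded root was loaded. A malformed custom file that must produce an error, instead of silently falling back to the embedded root, would pin the priority order that the doc comments promise.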
From: Brandt Keller Date: Tue, 18 Nov 2025 14:13:32 +0000 Subject: [PATCH 10/13] fix(trust): add trusted root to proper location for embedding Signed-off-by: Brandt Keller --- src/pkg/utils/root/trusted_root.json | 126 +++++++++++++++++++++++++++ src/pkg/utils/trustedroot.go | 2 +- 2 files changed, 127 insertions(+), 1 deletion(-) create mode 100644 src/pkg/utils/root/trusted_root.json diff --git a/src/pkg/utils/root/trusted_root.json b/src/pkg/utils/root/trusted_root.json new file mode 100644 index 0000000000..28f9a4fffa --- /dev/null +++ b/src/pkg/utils/root/trusted_root.json 
@@ -0,0 +1,126 @@ +{ + "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1", + "tlogs": [ + { + "baseUrl": "https://rekor.sigstore.dev", + "hashAlgorithm": "SHA2_256", + "publicKey": { + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2G2Y+2tabdTV5BcGiBIx0a9fAFwrkBbmLSGtks4L3qX6yYY0zufBnhC8Ur/iy55GhWP/9A/bY2LhC30M9+RYtw==", + "keyDetails": "PKIX_ECDSA_P256_SHA_256", + "validFor": { + "start": "2021-01-12T11:53:27Z" + } + }, + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + } + }, + { + "baseUrl": "https://log2025-1.rekor.sigstore.dev", + "hashAlgorithm": "SHA2_256", + "publicKey": { + "rawBytes": "MCowBQYDK2VwAyEAt8rlp1knGwjfbcXAYPYAkn0XiLz1x8O4t0YkEhie244=", + "keyDetails": "PKIX_ED25519", + "validFor": { + "start": "2025-09-23T00:00:00Z" + } + }, + "logId": { + "keyId": "zxGZFVvd0FEmjR8WrFwMdcAJ9vtaY/QXf44Y1wUeP6A=" + } + } + ], + "certificateAuthorities": [ + { + "subject": { + "organization": "sigstore.dev", + "commonName": "sigstore" + }, + "uri": "https://fulcio.sigstore.dev", + "certChain": { + "certificates": [ + { + "rawBytes": "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" + } + ] + }, + "validFor": { + "start": "2021-03-07T03:20:29Z", + "end": "2022-12-31T23:59:59.999Z" + } + }, + { + "subject": { + "organization": "sigstore.dev", + "commonName": "sigstore" + }, + "uri": "https://fulcio.sigstore.dev", + "certChain": { + "certificates": [ + { + "rawBytes": "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" + }, + { + "rawBytes": "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" + } + ] + }, + "validFor": { + "start": "2022-04-13T20:06:15Z" + } + } + ], + "ctlogs": [ + { + "baseUrl": "https://ctfe.sigstore.dev/test", + "hashAlgorithm": "SHA2_256", + "publicKey": { + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbfwR+RJudXscgRBRpKX1XFDy3PyudDxz/SfnRi1fT8ekpfBd2O1uoz7jr3Z8nKzxA69EUQ+eFCFI3zeubPWU7w==", + "keyDetails": "PKIX_ECDSA_P256_SHA_256", + "validFor": { + "start": 
"2021-03-14T00:00:00Z", + "end": "2022-10-31T23:59:59.999Z" + } + }, + "logId": { + "keyId": "CGCS8ChS/2hF0dFrJ4ScRWcYrBY9wzjSbea8IgY2b3I=" + } + }, + { + "baseUrl": "https://ctfe.sigstore.dev/2022", + "hashAlgorithm": "SHA2_256", + "publicKey": { + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiPSlFi0CmFTfEjCUqF9HuCEcYXNKAaYalIJmBZ8yyezPjTqhxrKBpMnaocVtLJBI1eM3uXnQzQGAJdJ4gs9Fyw==", + "keyDetails": "PKIX_ECDSA_P256_SHA_256", + "validFor": { + "start": "2022-10-20T00:00:00Z" + } + }, + "logId": { + "keyId": "3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4=" + } + } + ], + "timestampAuthorities": [ + { + "subject": { + "organization": "sigstore.dev", + "commonName": "sigstore-tsa-selfsigned" + }, + "uri": "https://timestamp.sigstore.dev/api/v1/timestamp", + "certChain": { + "certificates": [ + { + "rawBytes": "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" + }, + { + "rawBytes": "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" + } + ] + }, + "validFor": { + "start": "2025-07-04T00:00:00Z" + } + } + ] +} \ No newline at end of file diff --git a/src/pkg/utils/trustedroot.go b/src/pkg/utils/trustedroot.go index 8143a31589..1dcea75ee9 100644 --- a/src/pkg/utils/trustedroot.go +++ b/src/pkg/utils/trustedroot.go @@ -27,7 +27,7 @@ import ( // The file will be written to src/pkg/utils/data/trusted_root.json // and should be committed to the repository. // -//go:embed data/trusted_root.json +//go:embed root/trusted_root.json var EmbeddedTrustedRoot []byte // GetTrustedRootMaterial returns TrustedMaterial for Cosign verification. From 56bac7593bc30c80a6369bda95649d33f3313c44 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Tue, 18 Nov 2025 22:31:06 +0000 Subject: [PATCH 11/13] fix(verify): only use trusted root path when bundle present Signed-off-by: Brandt Keller --- hack/tuf/README.md | 37 ------------------------------ src/pkg/packager/layout/package.go | 1 + src/pkg/utils/cosign.go | 22 ++++++++++-------- 3 files changed, 13 insertions(+), 47 deletions(-) 
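Review bot: The doc comment directly above the changed directive in trustedroot.go still says the file "will be written to src/pkg/utils/data/trusted_root.json", which no longer matches the `//go:embed root/trusted_root.json` path this hunk introduces. That comment is what a maintainer follows when refreshing the trust anchor, so a refresh written to the old directory would build cleanly while the binary keeps embedding the stale copy under root/. I would change the line to `// The file will be written to src/pkg/utils/root/trusted_root.json`. It is also worth checking that the generator under hack/tuf and its README point at the same directory, since the README's `git add src/pkg/utils/data/trusted_root.json` line is still visible as context in the next patch.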
diff --git a/hack/tuf/README.md b/hack/tuf/README.md index 7759edeed2..c03e97f093 100644 --- a/hack/tuf/README.md +++ b/hack/tuf/README.md @@ -108,43 +108,6 @@ git add src/pkg/utils/data/trusted_root.json git commit -m "chore: update embedded Sigstore trusted root" ``` -### Automated Updates (Recommended) - -Create a scheduled workflow (`.github/workflows/update-trusted-root.yml`): - -```yaml -name: Update Trusted Root - -on: - schedule: - - cron: '0 0 1 * *' # Monthly - workflow_dispatch: - -jobs: - update: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Setup Go - uses: actions/setup-go@v5 - with: - go-version-file: go.mod - - - name: Update trusted root - run: go run hack/tuf/main.go - - - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 - with: - commit-message: 'chore: update embedded Sigstore trusted root' - title: 'Update Embedded Sigstore Trusted Root' - body: | - Automated update of the embedded Sigstore trusted root. - - Fetched via TUF from tuf-repo-cdn.sigstore.dev with cryptographic verification. -``` - ## Security Considerations ### Why Embed vs. Fetch at Runtime? diff --git a/src/pkg/packager/layout/package.go b/src/pkg/packager/layout/package.go index 3bbb0ad4d1..dc2bbba3a1 100644 --- a/src/pkg/packager/layout/package.go +++ b/src/pkg/packager/layout/package.go @@ -308,6 +308,7 @@ func (p *PackageLayout) VerifyPackageSignature(ctx context.Context, opts utils.V // Legacy signature found l.Warn("non-bundle format signature is being deprecated in favor of the sigstore bundle format") opts.SigRef = signaturePath + opts.NewBundleFormat = false ZarfYAMLPath := filepath.Join(p.dirPath, ZarfYAML) return utils.CosignVerifyBlobWithOptions(ctx, ZarfYAMLPath, opts) } diff --git a/src/pkg/utils/cosign.go b/src/pkg/utils/cosign.go index f548b639ff..5a61668e5f 100644 --- a/src/pkg/utils/cosign.go +++ b/src/pkg/utils/cosign.go 
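Review bot: The legacy branch of VerifyPackageSignature now pins `opts.NewBundleFormat = false`, but the bundle branch lies outside this hunk, so nothing here shows the flag being pinned to true when a bundle file is found. CosignVerifyBlobWithOptions, changed in this same patch, resolves the trusted root only when that flag is set. A caller that leaves it false while a bundle is on disk would therefore presumably reach cosign with whatever `TrustedRootPath` it passed in, possibly empty. If it is not already done, I would set `opts.NewBundleFormat = true` next to `opts.BundlePath = bundlePath`, so the format decision follows the file actually found in the package rather than caller input.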
@@ -178,18 +178,21 @@ func CosignVerifyBlobWithOptions(ctx context.Context, blobPath string, opts Veri // Get trusted root path with automatic fallback to embedded root // This prevents network calls - the embedded root was fetched via TUF at build time - trustedRootPath, cleanup, err := GetTrustedRootPath(opts.TrustedRootPath) - if err != nil { - return fmt.Errorf("failed to get trusted root: %w", err) + if opts.NewBundleFormat { + trustedRootPath, cleanup, err := GetTrustedRootPath(opts.TrustedRootPath) + if err != nil { + return fmt.Errorf("failed to get trusted root: %w", err) + } + opts.TrustedRootPath = trustedRootPath + defer cleanup() } - defer cleanup() cmd := &verify.VerifyBlobCmd{ KeyOpts: keyOpts, CertVerifyOptions: certVerifyOpts, SigRef: opts.SigRef, - TrustedRootPath: trustedRootPath, // Now always provided - IgnoreSCT: opts.IgnoreSCT, // From CertVerifyOptions + TrustedRootPath: opts.TrustedRootPath, + IgnoreSCT: opts.IgnoreSCT, // From CertVerifyOptions Offline: opts.Offline, IgnoreTlog: opts.IgnoreTlog, } @@ -197,11 +200,10 @@ func CosignVerifyBlobWithOptions(ctx context.Context, blobPath string, opts Veri l.Debug("verifying blob with cosign", "keyRef", opts.KeyRef, "bundlePath", opts.BundlePath, - "trustedRootPath", trustedRootPath, - "usingEmbeddedRoot", opts.TrustedRootPath == "", - "offline", opts.Offline) + "trustedRootPath", opts.TrustedRootPath, + "newBundleFormat", opts.NewBundleFormat) - err = cmd.Exec(ctx, blobPath) + err := cmd.Exec(ctx, blobPath) if err != nil { return err } From cc51e6b8fc6de164d5893d610d2a0e16b1edfc7a Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Mon, 12 Jan 2026 14:49:12 -0800 Subject: [PATCH 12/13] chore(deps): update cosign and sigstore-go Signed-off-by: Brandt Keller --- go.mod | 90 ++++++++++++------------- go.sum | 204 ++++++++++++++++++++++++++++----------------------------- 2 files changed, 147 insertions(+), 147 deletions(-) diff --git a/go.mod b/go.mod index e67186c3c1..2c8cfbf327 100644 --- a/go.mod 
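Review bot: The two comment lines above the new `if opts.NewBundleFormat` still promise an automatic fallback to the embedded root that "prevents network calls", yet after this change the non-bundle path hands `opts.TrustedRootPath` to `VerifyBlobCmd` exactly as the caller supplied it, empty included. How cosign obtains trust material when that field is empty is not visible in this hunk, so the comment should stop asserting offline behaviour for every path, e.g. `// For bundle-format signatures, resolve the trusted root (falling back to the embedded copy); legacy signatures use opts.TrustedRootPath as given.` If legacy verification is also meant to stay offline, that path needs its own check. The body of CosignVerifyBlobWithOptions starts and ends outside the hunk.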
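Review bot: The debug record in the second cosign.go hunk drops `usingEmbeddedRoot` and `offline`, and `opts.TrustedRootPath` is now overwritten with the resolved path before it is logged. The log therefore no longer shows whether a verification relied on the embedded trust root or on a caller-supplied one, which is the distinction someone auditing a verification result needs. I would capture `usingEmbeddedRoot := opts.TrustedRootPath == ""` before the `if opts.NewBundleFormat` block and keep `"usingEmbeddedRoot", usingEmbeddedRoot,` and `"offline", opts.Offline` in the `l.Debug` call.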
+++ b/go.mod @@ -44,8 +44,8 @@ require ( github.com/prometheus/client_golang v1.23.2 github.com/pterm/pterm v0.12.82 github.com/sergi/go-diff v1.4.0 - github.com/sigstore/cosign/v3 v3.0.3 - github.com/sigstore/sigstore-go v1.1.4-0.20251201121426-2cdedea80894 + github.com/sigstore/cosign/v3 v3.0.4 + github.com/sigstore/sigstore-go v1.1.4 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.3 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.10.3 github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.10.3 @@ -59,9 +59,9 @@ require ( golang.org/x/sync v0.19.0 golang.org/x/term v0.38.0 helm.sh/helm/v3 v3.19.4 - k8s.io/api v0.34.3 - k8s.io/apimachinery v0.34.3 - k8s.io/client-go v0.34.3 + k8s.io/api v0.35.0 + k8s.io/apimachinery v0.35.0 + k8s.io/client-go v0.35.0 k8s.io/component-base v0.34.3 k8s.io/klog/v2 v2.130.1 k8s.io/kubectl v0.34.3 
@@ -90,11 +90,11 @@ require ( github.com/anchore/go-rpmdb v0.0.0-20250516171929-f77691e1faec // indirect github.com/anchore/go-sync v0.0.0-20250714163430-add63db73ad1 // indirect github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de // indirect - github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3 // indirect - github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.14 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.5 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.14 // indirect - github.com/aws/aws-sdk-go-v2/service/s3 v1.92.1 // indirect + github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 // indirect + github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.16 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.7 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.16 // indirect + github.com/aws/aws-sdk-go-v2/service/s3 v1.93.2 // indirect github.com/aws/aws-sdk-go-v2/service/signin v1.0.4 // indirect github.com/bahlo/generic-list-go v0.2.0 // indirect github.com/bitnami/go-version v0.0.0-20250505154626-452e8c5ee607 // indirect @@ -118,7 +118,7 @@ require ( github.com/containerd/containerd/api v1.9.0 // indirect github.com/containerd/errdefs v1.0.0 // indirect github.com/containerd/errdefs/pkg v0.3.0 // indirect - github.com/containerd/platforms v1.0.0-rc.1 // indirect + github.com/containerd/platforms v1.0.0-rc.2 // indirect github.com/coreos/go-systemd/v22 v22.5.0 // indirect github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect 
@@ -167,7 +167,7 @@ require ( github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect github.com/lestrrat-go/httpcc v1.0.1 // indirect github.com/lestrrat-go/httprc/v3 v3.0.1 // indirect - github.com/lestrrat-go/jwx/v3 v3.0.11 // indirect + github.com/lestrrat-go/jwx/v3 v3.0.12 // indirect github.com/lestrrat-go/option v1.0.1 // indirect github.com/lestrrat-go/option/v2 v2.0.0 // indirect github.com/lmittmann/tint v1.0.7 // indirect @@ -187,7 +187,7 @@ require ( github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect github.com/olekukonko/errors v1.1.0 // indirect github.com/olekukonko/ll v0.1.3 // indirect - github.com/onsi/gomega v1.36.2 // indirect + github.com/onsi/gomega v1.38.2 // indirect github.com/otiai10/mint v1.6.3 // indirect github.com/pandatix/go-cvss v0.6.2 // indirect github.com/pkg/xattr v0.4.12 // indirect 
@@ -199,20 +199,20 @@ require ( github.com/rogpeppe/go-internal v1.14.1 // indirect github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c // indirect github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect - github.com/segmentio/asm v1.2.0 // indirect + github.com/segmentio/asm v1.2.1 // indirect github.com/sigstore/protobuf-specs v0.5.0 // indirect github.com/sigstore/rekor-tiles/v2 v2.0.1 // indirect - github.com/sigstore/timestamp-authority/v2 v2.0.3 // indirect + github.com/sigstore/timestamp-authority/v2 v2.0.4 // indirect github.com/smallnest/ringbuffer v0.0.0-20241116012123-461381446e3d // indirect github.com/sorairolake/lzip-go v0.3.8 // indirect github.com/spdx/gordf v0.0.0-20250128162952-000978ccd6fb // indirect github.com/theupdateframework/go-tuf/v2 v2.3.0 // indirect github.com/transparency-dev/formats v0.0.0-20251017110053-404c0d5b696c // indirect github.com/valyala/fastjson v1.6.4 // indirect - github.com/vektah/gqlparser/v2 v2.5.30 // indirect + github.com/vektah/gqlparser/v2 v2.5.31 // indirect github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect github.com/x448/float16 v0.8.4 // indirect - gitlab.com/gitlab-org/api/client-go v0.160.0 // indirect + gitlab.com/gitlab-org/api/client-go v1.11.0 // indirect go.etcd.io/bbolt v1.4.2 // indirect go.opentelemetry.io/auto/sdk v1.2.1 // indirect go.opentelemetry.io/contrib/bridges/prometheus v0.62.0 // indirect 
@@ -222,22 +222,22 @@ require ( go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.13.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.37.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.39.0 // indirect go.opentelemetry.io/otel/exporters/prometheus v0.60.0 // indirect go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.13.0 // indirect go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.37.0 // indirect go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.37.0 // indirect go.opentelemetry.io/otel/log v0.13.0 // indirect go.opentelemetry.io/otel/sdk/log v0.13.0 // indirect - go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect - go.opentelemetry.io/proto/otlp v1.8.0 // indirect + go.opentelemetry.io/otel/sdk/metric v1.39.0 // indirect + go.opentelemetry.io/proto/otlp v1.9.0 // indirect go.yaml.in/yaml/v2 v2.4.3 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect go.yaml.in/yaml/v4 v4.0.0-rc.3 // indirect go4.org v0.0.0-20230225012048-214862532bf5 // indirect - golang.org/x/tools v0.39.0 // indirect + golang.org/x/tools v0.40.0 // indirect gonum.org/v1/gonum v0.16.0 // indirect gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6 // indirect 
@@ -260,7 +260,7 @@ require ( cloud.google.com/go/longrunning v0.6.7 // indirect cloud.google.com/go/storage v1.57.1 // indirect cuelabs.dev/go/oci/ociregistry v0.0.0-20250722084951-074d06050084 // indirect - cuelang.org/go v0.15.1 // indirect + cuelang.org/go v0.15.3 // indirect dario.cat/mergo v1.0.2 // indirect github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20250520111509-a70c2aa677fa // indirect @@ -333,7 +333,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.38.2 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16 // indirect - github.com/aws/aws-sdk-go-v2/service/kms v1.49.1 // indirect + github.com/aws/aws-sdk-go-v2/service/kms v1.49.4 // indirect github.com/aws/aws-sdk-go-v2/service/sso v1.30.7 // indirect github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.12 // indirect github.com/aws/aws-sdk-go-v2/service/sts v1.41.5 // indirect @@ -347,7 +347,7 @@ require ( github.com/blang/semver/v4 v4.0.0 // indirect github.com/bmatcuk/doublestar/v2 v2.0.4 // indirect github.com/bmatcuk/doublestar/v4 v4.9.1 // indirect - github.com/buildkite/agent/v3 v3.114.1 // indirect + github.com/buildkite/agent/v3 v3.115.2 // indirect github.com/buildkite/go-pipeline v0.16.0 // indirect github.com/buildkite/interpolate v0.1.5 // indirect github.com/cenkalti/backoff/v4 v4.3.0 // indirect 
@@ -415,12 +415,12 @@ require ( github.com/go-ini/ini v1.67.0 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-openapi/analysis v0.24.1 // indirect - github.com/go-openapi/errors v0.22.4 // indirect - github.com/go-openapi/jsonpointer v0.22.3 // indirect - github.com/go-openapi/jsonreference v0.21.3 // indirect + github.com/go-openapi/errors v0.22.5 // indirect + github.com/go-openapi/jsonpointer v0.22.4 // indirect + github.com/go-openapi/jsonreference v0.21.4 // indirect github.com/go-openapi/loads v0.23.2 // indirect github.com/go-openapi/runtime v0.29.2 // indirect - github.com/go-openapi/spec v0.22.1 // indirect + github.com/go-openapi/spec v0.22.2 // indirect github.com/go-openapi/strfmt v0.25.0 // indirect github.com/go-openapi/swag v0.25.4 // indirect github.com/go-openapi/validate v0.25.1 // indirect @@ -436,7 +436,7 @@ require ( github.com/google/certificate-transparency-go v1.3.2 // indirect github.com/google/gnostic-models v0.7.1 // indirect github.com/google/go-cmp v0.7.0 // indirect - github.com/google/go-querystring v1.1.0 // indirect + github.com/google/go-querystring v1.2.0 // indirect github.com/google/licensecheck v0.3.1 // indirect github.com/google/pprof v0.0.0-20250630185457-6e76a2b096b5 // indirect github.com/google/s2a-go v0.1.9 // indirect @@ -476,7 +476,7 @@ require ( github.com/kastenhq/goversion v0.0.0-20230811215019-93b2f8823953 // indirect github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect github.com/kevinburke/ssh_config v1.2.0 // indirect - github.com/klauspost/compress v1.18.1 // indirect + github.com/klauspost/compress v1.18.2 // indirect github.com/klauspost/pgzip v1.2.6 // indirect github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f // indirect github.com/knqyf263/go-deb-version v0.0.0-20241115132648-6f4aee6ccd23 // indirect 
@@ -524,7 +524,7 @@ require ( github.com/oklog/ulid v1.3.1 // indirect github.com/oleiade/reflections v1.1.0 // indirect github.com/olekukonko/tablewriter v1.1.2 // indirect - github.com/open-policy-agent/opa v1.10.1 // indirect + github.com/open-policy-agent/opa v1.12.1 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/runtime-spec v1.2.1 // indirect github.com/opencontainers/selinux v1.13.0 // indirect @@ -562,9 +562,9 @@ require ( github.com/secure-systems-lab/go-securesystemslib v0.9.1 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect github.com/shopspring/decimal v1.4.0 // indirect - github.com/sigstore/fulcio v1.8.3 // indirect + github.com/sigstore/fulcio v1.8.4 // indirect github.com/sigstore/rekor v1.4.3 // indirect - github.com/sigstore/sigstore v1.10.0 // indirect + github.com/sigstore/sigstore v1.10.3 // indirect github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af github.com/skeema/knownhosts v1.3.1 // indirect github.com/spdx/tools-golang v0.5.5 // indirect 
@@ -603,26 +603,26 @@ require ( go.opencensus.io v0.24.0 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect - go.opentelemetry.io/otel v1.38.0 // indirect - go.opentelemetry.io/otel/metric v1.38.0 // indirect - go.opentelemetry.io/otel/sdk v1.38.0 // indirect - go.opentelemetry.io/otel/trace v1.38.0 // indirect + go.opentelemetry.io/otel v1.39.0 // indirect + go.opentelemetry.io/otel/metric v1.39.0 // indirect + go.opentelemetry.io/otel/sdk v1.39.0 // indirect + go.opentelemetry.io/otel/trace v1.39.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.1 // indirect - golang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc // indirect - golang.org/x/mod v0.30.0 // indirect + golang.org/x/exp v0.0.0-20250813145105-42675adae3e6 // indirect + golang.org/x/mod v0.31.0 // indirect golang.org/x/net v0.48.0 // indirect golang.org/x/oauth2 v0.34.0 // indirect golang.org/x/sys v0.39.0 // indirect golang.org/x/text v0.32.0 // indirect golang.org/x/time v0.14.0 // indirect golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect - google.golang.org/api v0.256.0 // indirect + google.golang.org/api v0.258.0 // indirect google.golang.org/genproto v0.0.0-20250922171735-9219d122eba9 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20251103181224-f26f9409b101 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2 // indirect google.golang.org/grpc v1.77.0 // indirect - google.golang.org/protobuf v1.36.10 // indirect + google.golang.org/protobuf v1.36.11 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/op/go-logging.v1 
v1.0.0-20160211212156-b2cb9fa56473 // indirect diff --git a/go.sum b/go.sum index fc3e858869..216ea35d5b 100644 --- a/go.sum +++ b/go.sum @@ -81,8 +81,8 @@ cloud.google.com/go/trace v1.11.6 h1:2O2zjPzqPYAHrn3OKl029qlqG6W8ZdYaOWRyr8NgMT4 cloud.google.com/go/trace v1.11.6/go.mod h1:GA855OeDEBiBMzcckLPE2kDunIpC72N+Pq8WFieFjnI= cuelabs.dev/go/oci/ociregistry v0.0.0-20250722084951-074d06050084 h1:4k1yAtPvZJZQTu8DRY8muBo0LHv6TqtrE0AO5n6IPYs= cuelabs.dev/go/oci/ociregistry v0.0.0-20250722084951-074d06050084/go.mod h1:4WWeZNxUO1vRoZWAHIG0KZOd6dA25ypyWuwD3ti0Tdc= -cuelang.org/go v0.15.1 h1:MRnjc/KJE+K42rnJ3a+425f1jqXeOOgq9SK4tYRTtWw= -cuelang.org/go v0.15.1/go.mod h1:NYw6n4akZcTjA7QQwJ1/gqWrrhsN4aZwhcAL0jv9rZE= +cuelang.org/go v0.15.3 h1:JKR/lZVwuIGlLTGIaJ0jONz9+CK3UDx06sQ6DDxNkaE= +cuelang.org/go v0.15.3/go.mod h1:NYw6n4akZcTjA7QQwJ1/gqWrrhsN4aZwhcAL0jv9rZE= cyphar.com/go-pathrs v0.2.1 h1:9nx1vOgwVvX1mNBWDu93+vaceedpbsDqo+XuBGL40b8= cyphar.com/go-pathrs v0.2.1/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc= dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8= 
@@ -336,8 +336,8 @@ github.com/aws/aws-sdk-go v1.55.8 h1:JRmEUbU52aJQZ2AjX4q4Wu7t4uZjOu71uyNmaWlUkJQ github.com/aws/aws-sdk-go v1.55.8/go.mod h1:ZkViS9AqA6otK+JBBNH2++sx1sgxrPKcSzPPvQkUtXk= github.com/aws/aws-sdk-go-v2 v1.41.0 h1:tNvqh1s+v0vFYdA1xq0aOJH+Y5cRyZ5upu6roPgPKd4= github.com/aws/aws-sdk-go-v2 v1.41.0/go.mod h1:MayyLB8y+buD9hZqkCW3kX1AKq07Y5pXxtgB+rRFhz0= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3 h1:DHctwEM8P8iTXFxC/QK0MRjwEpWQeM9yzidCRjldUz0= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3/go.mod h1:xdCzcZEtnSTKVDOmUZs4l/j3pSV6rpo1WXl5ugNsL8Y= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 h1:489krEF9xIGkOaaX3CE/Be2uWjiXrkCH6gUX+bZA/BU= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4/go.mod h1:IOAPF6oT9KCsceNTvvYMNHy0+kMF8akOjeDvPENWxp4= github.com/aws/aws-sdk-go-v2/config v1.32.5 h1:pz3duhAfUgnxbtVhIK39PGF/AHYyrzGEyRD9Og0QrE8= github.com/aws/aws-sdk-go-v2/config v1.32.5/go.mod h1:xmDjzSUs/d0BB7ClzYPAZMmgQdrodNjPPhd6bGASwoE= github.com/aws/aws-sdk-go-v2/credentials v1.19.5 h1:xMo63RlqP3ZZydpJDMBsH9uJ10hgHYfQFIk1cHDXrR4= 
@@ -350,24 +350,24 @@ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16 h1:1jtGzuV7c82xnqOVfx github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16/go.mod h1:M2E5OQf+XLe+SZGmmpaI2yy+J326aFf6/+54PoxSANc= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.14 h1:ITi7qiDSv/mSGDSWNpZ4k4Ve0DQR6Ug2SJQ8zEHoDXg= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.14/go.mod h1:k1xtME53H1b6YpZt74YmwlONMWf4ecM+lut1WQLAF/U= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.16 h1:CjMzUs78RDDv4ROu3JnJn/Ig1r6ZD7/T2DXLLRpejic= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.16/go.mod h1:uVW4OLBqbJXSHJYA9svT9BluSvvwbzLQ2Crf6UPzR3c= github.com/aws/aws-sdk-go-v2/service/ecr v1.51.2 h1:aq2N/9UkbEyljIQ7OFcudEgUsJzO8MYucmfsM/k/dmc= github.com/aws/aws-sdk-go-v2/service/ecr v1.51.2/go.mod h1:1NVD1KuMjH2GqnPwMotPndQaT/MreKkWpjkF12d6oKU= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.38.2 h1:9fe6w8bydUwNAhFVmjo+SRqAJjbBMOyILL/6hTTVkyA= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.38.2/go.mod h1:x7gU4CAyAz4BsM9hlRkhHiYw2GIr1QCmN45uwQw9l/E= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 h1:0ryTNEdJbzUCEWkVXEXoqlXV72J5keC1GvILMOuD00E= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4/go.mod h1:HQ4qwNZh32C3CBeO6iJLQlgtMzqeG17ziAA/3KDJFow= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.5 h1:Hjkh7kE6D81PgrHlE/m9gx+4TyyeLHuY8xJs7yXN5C4= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.5/go.mod h1:nPRXgyCfAurhyaTMoBMwRBYBhaHI4lNPAnJmjM0Tslc= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.7 h1:DIBqIrJ7hv+e4CmIk2z3pyKT+3B6qVMgRsawHiR3qso= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.7/go.mod h1:vLm00xmBke75UmpNvOcZQ/Q30ZFjbczeLFqGx5urmGo= 
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16 h1:oHjJHeUy0ImIV0bsrX0X91GkV5nJAyv1l1CC9lnO0TI= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16/go.mod h1:iRSNGgOYmiYwSCXxXaKb9HfOEj40+oTKn8pTxMlYkRM= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.14 h1:FzQE21lNtUor0Fb7QNgnEyiRCBlolLTX/Z1j65S7teM= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.14/go.mod h1:s1ydyWG9pm3ZwmmYN21HKyG9WzAZhYVW85wMHs5FV6w= -github.com/aws/aws-sdk-go-v2/service/kms v1.49.1 h1:U0asSZ3ifpuIehDPkRI2rxHbmFUMplDA2VeR9Uogrmw= -github.com/aws/aws-sdk-go-v2/service/kms v1.49.1/go.mod h1:NZo9WJqQ0sxQ1Yqu1IwCHQFQunTms2MlVgejg16S1rY= -github.com/aws/aws-sdk-go-v2/service/s3 v1.92.1 h1:OgQy/+0+Kc3khtqiEOk23xQAglXi3Tj0y5doOxbi5tg= -github.com/aws/aws-sdk-go-v2/service/s3 v1.92.1/go.mod h1:wYNqY3L02Z3IgRYxOBPH9I1zD9Cjh9hI5QOy/eOjQvw= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.16 h1:NSbvS17MlI2lurYgXnCOLvCFX38sBW4eiVER7+kkgsU= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.16/go.mod h1:SwT8Tmqd4sA6G1qaGdzWCJN99bUmPGHfRwwq3G5Qb+A= +github.com/aws/aws-sdk-go-v2/service/kms v1.49.4 h1:2gom8MohxN0SnhHZBYAC4S8jHG+ENEnXjyJ5xKe3vLc= +github.com/aws/aws-sdk-go-v2/service/kms v1.49.4/go.mod h1:HO31s0qt0lso/ADvZQyzKs8js/ku0fMHsfyXW8OPVYc= +github.com/aws/aws-sdk-go-v2/service/s3 v1.93.2 h1:U3ygWUhCpiSPYSHOrRhb3gOl9T5Y3kB8k5Vjs//57bE= +github.com/aws/aws-sdk-go-v2/service/s3 v1.93.2/go.mod h1:79S2BdqCJpScXZA2y+cpZuocWsjGjJINyXnOsf5DTz8= github.com/aws/aws-sdk-go-v2/service/signin v1.0.4 h1:HpI7aMmJ+mm1wkSHIA2t5EaFFv5EFYXePW30p1EIrbQ= github.com/aws/aws-sdk-go-v2/service/signin v1.0.4/go.mod h1:C5RdGMYGlfM0gYq/tifqgn4EbyX99V15P2V3R+VHbQU= github.com/aws/aws-sdk-go-v2/service/sso v1.30.7 h1:eYnlt6QxnFINKzwxP5/Ucs1vkG7VT3Iezmvfgc2waUw= 
@@ -421,16 +421,16 @@ github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA= github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0= github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs= github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0= -github.com/buildkite/agent/v3 v3.114.1 h1:UpSJmnOjoep5YQyMC7rHeCx4cSRKoBZvEtZGW2akQA0= -github.com/buildkite/agent/v3 v3.114.1/go.mod h1:KJOGdrc9M4VNAkSesOrSNHIXXdQ3esyqEOCptmuFTQs= +github.com/buildkite/agent/v3 v3.115.2 h1:26A/dEabfzjorS3Wh/low+yOBM/u8QaT59BYWu0M92w= +github.com/buildkite/agent/v3 v3.115.2/go.mod h1:a3t090/PPxAIIPCjlXF5fhfRvG0E9huFsnMX7B76iIQ= github.com/buildkite/go-pipeline v0.16.0 h1:wEgWUMRAgSg1ZnWOoA3AovtYYdTvN0dLY1zwUWmPP+4= github.com/buildkite/go-pipeline v0.16.0/go.mod h1:VE37qY3X5pmAKKUMoDZvPsHOQuyakB9cmXj9Qn6QasA= github.com/buildkite/interpolate v0.1.5 h1:v2Ji3voik69UZlbfoqzx+qfcsOKLA61nHdU79VV+tPU= github.com/buildkite/interpolate v0.1.5/go.mod h1:dHnrwHew5O8VNOAgMDpwRlFnhL5VSN6M1bHVmRZ9Ccc= github.com/buildkite/roko v1.4.0 h1:DxixoCdpNqxu4/1lXrXbfsKbJSd7r1qoxtef/TT2J80= github.com/buildkite/roko v1.4.0/go.mod h1:0vbODqUFEcVf4v2xVXRfZZRsqJVsCCHTG/TBRByGK4E= -github.com/bytecodealliance/wasmtime-go/v37 v37.0.0 h1:DPjdn2V3JhXHMoZ2ymRqGK+y1bDyr9wgpyYCvhjMky8= -github.com/bytecodealliance/wasmtime-go/v37 v37.0.0/go.mod h1:Pf1l2JCTUFMnOqDIwkjzx1qfVJ09xbaXETKgRVE4jZ0= +github.com/bytecodealliance/wasmtime-go/v39 v39.0.1 h1:RibaT47yiyCRxMOj/l2cvL8cWiWBSqDXHyqsa9sGcCE= +github.com/bytecodealliance/wasmtime-go/v39 v39.0.1/go.mod h1:miR4NYIEBXeDNamZIzpskhJ0z/p8al+lwMWylQ/ZJb4= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM= 
@@ -522,8 +522,8 @@ github.com/containerd/fifo v1.1.0 h1:4I2mbh5stb1u6ycIABlBw9zgtlK8viPI9QkQNRQEEmY github.com/containerd/fifo v1.1.0/go.mod h1:bmC4NWMbXlt2EZ0Hc7Fx7QzTFxgPID13eH0Qu+MAb2o= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= -github.com/containerd/platforms v1.0.0-rc.1 h1:83KIq4yy1erSRgOVHNk1HYdPvzdJ5CnsWaRoJX4C41E= -github.com/containerd/platforms v1.0.0-rc.1/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4= +github.com/containerd/platforms v1.0.0-rc.2 h1:0SPgaNZPVWGEi4grZdV8VRYQn78y+nm6acgLGv/QzE4= +github.com/containerd/platforms v1.0.0-rc.2/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4= github.com/containerd/stargz-snapshotter/estargz v0.18.1 h1:cy2/lpgBXDA3cDKSyEfNOFMA/c10O1axL69EU7iirO8= github.com/containerd/stargz-snapshotter/estargz v0.18.1/go.mod h1:ALIEqa7B6oVDsrF37GkGN20SuvG/pIMm7FwP7ZmRb0Q= github.com/containerd/ttrpc v1.2.7 h1:qIrroQvuOL9HQ1X6KHe2ohc7p+HP/0VE6XPU7elJRqQ= 
@@ -756,18 +756,18 @@ github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= github.com/go-openapi/analysis v0.24.1 h1:Xp+7Yn/KOnVWYG8d+hPksOYnCYImE3TieBa7rBOesYM= github.com/go-openapi/analysis v0.24.1/go.mod h1:dU+qxX7QGU1rl7IYhBC8bIfmWQdX4Buoea4TGtxXY84= -github.com/go-openapi/errors v0.22.4 h1:oi2K9mHTOb5DPW2Zjdzs/NIvwi2N3fARKaTJLdNabaM= -github.com/go-openapi/errors v0.22.4/go.mod h1:z9S8ASTUqx7+CP1Q8dD8ewGH/1JWFFLX/2PmAYNQLgk= -github.com/go-openapi/jsonpointer v0.22.3 h1:dKMwfV4fmt6Ah90zloTbUKWMD+0he+12XYAsPotrkn8= -github.com/go-openapi/jsonpointer v0.22.3/go.mod h1:0lBbqeRsQ5lIanv3LHZBrmRGHLHcQoOXQnf88fHlGWo= -github.com/go-openapi/jsonreference v0.21.3 h1:96Dn+MRPa0nYAR8DR1E03SblB5FJvh7W6krPI0Z7qMc= -github.com/go-openapi/jsonreference v0.21.3/go.mod h1:RqkUP0MrLf37HqxZxrIAtTWW4ZJIK1VzduhXYBEeGc4= +github.com/go-openapi/errors v0.22.5 h1:Yfv4O/PRYpNF3BNmVkEizcHb3uLVVsrDt3LNdgAKRY4= +github.com/go-openapi/errors v0.22.5/go.mod h1:z9S8ASTUqx7+CP1Q8dD8ewGH/1JWFFLX/2PmAYNQLgk= +github.com/go-openapi/jsonpointer v0.22.4 h1:dZtK82WlNpVLDW2jlA1YCiVJFVqkED1MegOUy9kR5T4= +github.com/go-openapi/jsonpointer v0.22.4/go.mod h1:elX9+UgznpFhgBuaMQ7iu4lvvX1nvNsesQ3oxmYTw80= +github.com/go-openapi/jsonreference v0.21.4 h1:24qaE2y9bx/q3uRK/qN+TDwbok1NhbSmGjjySRCHtC8= +github.com/go-openapi/jsonreference v0.21.4/go.mod h1:rIENPTjDbLpzQmQWCj5kKj3ZlmEh+EFVbz3RTUh30/4= github.com/go-openapi/loads v0.23.2 h1:rJXAcP7g1+lWyBHC7iTY+WAF0rprtM+pm8Jxv1uQJp4= github.com/go-openapi/loads v0.23.2/go.mod h1:IEVw1GfRt/P2Pplkelxzj9BYFajiWOtY2nHZNj4UnWY= github.com/go-openapi/runtime v0.29.2 h1:UmwSGWNmWQqKm1c2MGgXVpC2FTGwPDQeUsBMufc5Yj0= github.com/go-openapi/runtime v0.29.2/go.mod h1:biq5kJXRJKBJxTDJXAa00DOTa/anflQPhT0/wmjuy+0= -github.com/go-openapi/spec v0.22.1 h1:beZMa5AVQzRspNjvhe5aG1/XyBSMeX1eEOs7dMoXh/k= -github.com/go-openapi/spec v0.22.1/go.mod 
h1:c7aeIQT175dVowfp7FeCvXXnjN/MrpaONStibD2WtDA= +github.com/go-openapi/spec v0.22.2 h1:KEU4Fb+Lp1qg0V4MxrSCPv403ZjBl8Lx1a83gIPU8Qc= +github.com/go-openapi/spec v0.22.2/go.mod h1:iIImLODL2loCh3Vnox8TY2YWYJZjMAKYyLH2Mu8lOZs= github.com/go-openapi/strfmt v0.25.0 h1:7R0RX7mbKLa9EYCTHRcCuIPcaqlyQiWNPTXwClK0saQ= github.com/go-openapi/strfmt v0.25.0/go.mod h1:nNXct7OzbwrMY9+5tLX4I21pzcmE6ccMGXl3jFdPfn8= github.com/go-openapi/swag v0.25.4 h1:OyUPUFYDPDBMkqyxOTkqDYFnrhuhi9NR6QVUvIochMU= @@ -835,8 +835,8 @@ github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7Lk github.com/gocsaf/csaf/v3 v3.3.0 h1:zQwCgBJfMMM/Q5vuIuj8eo5fVLcCKpaBa3t5uw6ku1U= github.com/gocsaf/csaf/v3 v3.3.0/go.mod h1:cDvnE5tnrO37OcOGWJsOl3mgfZjA4/EuC7TlDVRLGos= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= -github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ= +github.com/godbus/dbus/v5 v5.2.2/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c= github.com/gofrs/flock v0.13.0 h1:95JolYOvGMqeH31+FC7D2+uULf6mG61mEZ/A8dRYMzw= github.com/gofrs/flock v0.13.0/go.mod h1:jxeyy9R1auM5S6JYDBhDt+E2TCo7DkratH4Pgi8P+Z0= github.com/gofrs/uuid v4.2.0+incompatible h1:yyYWMnhkhrKwwr8gAOcOCYxOOscHgDS9yZgBrnJfGa0= 
@@ -924,8 +924,8 @@ github.com/google/go-containerregistry v0.20.7 h1:24VGNpS0IwrOZ2ms2P1QE3Xa5X9p4p github.com/google/go-containerregistry v0.20.7/go.mod h1:Lx5LCZQjLH1QBaMPeGwsME9biPeo1lPx6lbGj/UmzgM= github.com/google/go-github/v73 v73.0.0 h1:aR+Utnh+Y4mMkS+2qLQwcQ/cF9mOTpdwnzlaw//rG24= github.com/google/go-github/v73 v73.0.0/go.mod h1:fa6w8+/V+edSU0muqdhCVY7Beh1M8F1IlQPZIANKIYw= -github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= -github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU= +github.com/google/go-querystring v1.2.0 h1:yhqkPbu2/OH+V9BfpCVPZkNmUXhb2gBxJArfhIxNtP0= +github.com/google/go-querystring v1.2.0/go.mod h1:8IFJqpSRITyJ8QhQ13bmbeMBDfmeEJZD5A0egEOmkqU= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 
@@ -1150,8 +1150,8 @@ github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXw github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= -github.com/klauspost/compress v1.18.1 h1:bcSGx7UbpBqMChDtsF28Lw6v/G94LPrrbMbdC3JH2co= -github.com/klauspost/compress v1.18.1/go.mod h1:ZQFFVG+MdnR0P+l6wpXgIL4NTtwiKIdBnrBd8Nrxr+0= +github.com/klauspost/compress v1.18.2 h1:iiPHWW0YrcFgpBYhsA6D1+fqHssJscY/Tm/y2Uqnapk= +github.com/klauspost/compress v1.18.2/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4= github.com/klauspost/cpuid v1.2.0 h1:NMpwD2G9JSFOE1/TJjGSo5zG7Yb2bTe7eq1jH+irmeE= github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek= github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= 
@@ -1193,8 +1193,8 @@ github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZ github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E= github.com/lestrrat-go/httprc/v3 v3.0.1 h1:3n7Es68YYGZb2Jf+k//llA4FTZMl3yCwIjFIk4ubevI= github.com/lestrrat-go/httprc/v3 v3.0.1/go.mod h1:2uAvmbXE4Xq8kAUjVrZOq1tZVYYYs5iP62Cmtru00xk= -github.com/lestrrat-go/jwx/v3 v3.0.11 h1:yEeUGNUuNjcez/Voxvr7XPTYNraSQTENJgtVTfwvG/w= -github.com/lestrrat-go/jwx/v3 v3.0.11/go.mod h1:XSOAh2SiXm0QgRe3DulLZLyt+wUuEdFo81zuKTLcvgQ= +github.com/lestrrat-go/jwx/v3 v3.0.12 h1:p25r68Y4KrbBdYjIsQweYxq794CtGCzcrc5dGzJIRjg= +github.com/lestrrat-go/jwx/v3 v3.0.12/go.mod h1:HiUSaNmMLXgZ08OmGBaPVvoZQgJVOQphSrGr5zMamS8= github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU= github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= github.com/lestrrat-go/option/v2 v2.0.0 h1:XxrcaJESE1fokHy3FpaQ/cXW8ZsIdWcdFzzLOcID3Ss= 
@@ -1370,16 +1370,16 @@ github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vv github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= -github.com/onsi/ginkgo/v2 v2.22.1 h1:QW7tbJAUDyVDVOM5dFa7qaybo+CRfR7bemlQUN6Z8aM= -github.com/onsi/ginkgo/v2 v2.22.1/go.mod h1:S6aTpoRsSq2cZOd+pssHAlKW/Q/jZt6cPrPlnj4a1xM= +github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns= +github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= -github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8= -github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY= -github.com/open-policy-agent/opa v1.10.1 h1:haIvxZSPky8HLjRrvQwWAjCPLg8JDFSZMbbG4yyUHgY= -github.com/open-policy-agent/opa v1.10.1/go.mod h1:7uPI3iRpOalJ0BhK6s1JALWPU9HvaV1XeBSSMZnr/PM= +github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= +github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= +github.com/open-policy-agent/opa v1.12.1 h1:MWfmXuXB119O7rSOJ5GdKAaW15yBirjnLkFRBGy0EX0= +github.com/open-policy-agent/opa v1.12.1/go.mod h1:RnDgm04GA1RjEXJvrsG9uNT/+FyBNmozcPvA2qz60M4= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 
h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= @@ -1537,8 +1537,8 @@ github.com/sebdah/goldie/v2 v2.7.1 h1:PkBHymaYdtvEkZV7TmyqKxdmn5/Vcj+8TpATWZjnG5 github.com/sebdah/goldie/v2 v2.7.1/go.mod h1:oZ9fp0+se1eapSRjfYbsV/0Hqhbuu3bJVvKI/NNtssI= github.com/secure-systems-lab/go-securesystemslib v0.9.1 h1:nZZaNz4DiERIQguNy0cL5qTdn9lR8XKHf4RUyG1Sx3g= github.com/secure-systems-lab/go-securesystemslib v0.9.1/go.mod h1:np53YzT0zXGMv6x4iEWc9Z59uR+x+ndLwCLqPYpLXVU= -github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys= -github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs= +github.com/segmentio/asm v1.2.1 h1:DTNbBqs57ioxAD4PrArqftgypG4/qNpXoJx8TVXxPR0= +github.com/segmentio/asm v1.2.1/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw= 
@@ -1548,20 +1548,20 @@ github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k= github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= -github.com/sigstore/cosign/v3 v3.0.3 h1:IknuTUYM+tZ/ToghM7mvg9V0O31NG3rev97u1IJIuYA= -github.com/sigstore/cosign/v3 v3.0.3/go.mod h1:poeQqwvpDNIDyim7a2ljUhonVKpCys+fx3SY0Lkmi/4= -github.com/sigstore/fulcio v1.8.3 h1:zkuAkRHbD53hhYGlBHHeAW4NRDrrTiDHumAbcfSyyFw= -github.com/sigstore/fulcio v1.8.3/go.mod h1:YxP7TTdn9H5Gg+dXOsu61X36LLYxT2ZuvODhWelMNwA= +github.com/sigstore/cosign/v3 v3.0.4 h1:SuEn9z8V0eyjF0PWxuGgQ7QSPWReNexLJovkZ3wLaf8= +github.com/sigstore/cosign/v3 v3.0.4/go.mod h1:DJY5LPzHiI6bWpG/Q/NQUTfeASjkN8TDAUx1Nnt3I0I= +github.com/sigstore/fulcio v1.8.4 h1:awmmItiPwteo8t8sVOoIAPnmbDfLb1JGW0LPY8SNCdY= +github.com/sigstore/fulcio v1.8.4/go.mod h1:2jh+uWOfWroKHlhUzr81AFqnAYeZiIi3NC/vegCbiYw= github.com/sigstore/protobuf-specs v0.5.0 h1:F8YTI65xOHw70NrvPwJ5PhAzsvTnuJMGLkA4FIkofAY= github.com/sigstore/protobuf-specs v0.5.0/go.mod h1:+gXR+38nIa2oEupqDdzg4qSBT0Os+sP7oYv6alWewWc= github.com/sigstore/rekor v1.4.3 h1:2+aw4Gbgumv8vYM/QVg6b+hvr4x4Cukur8stJrVPKU0= github.com/sigstore/rekor v1.4.3/go.mod h1:o0zgY087Q21YwohVvGwV9vK1/tliat5mfnPiVI3i75o= github.com/sigstore/rekor-tiles/v2 v2.0.1 h1:1Wfz15oSRNGF5Dzb0lWn5W8+lfO50ork4PGIfEKjZeo= github.com/sigstore/rekor-tiles/v2 v2.0.1/go.mod h1:Pjsbhzj5hc3MKY8FfVTYHBUHQEnP0ozC4huatu4x7OU= -github.com/sigstore/sigstore v1.10.0 h1:lQrmdzqlR8p9SCfWIpFoGUqdXEzJSZT2X+lTXOMPaQI= -github.com/sigstore/sigstore v1.10.0/go.mod h1:Ygq+L/y9Bm3YnjpJTlQrOk/gXyrjkpn3/AEJpmk1n9Y= -github.com/sigstore/sigstore-go v1.1.4-0.20251201121426-2cdedea80894 h1:K8hnZhun6XacjxAdCdxkowSi7+FpmfYnAcMhTXZQyPg= -github.com/sigstore/sigstore-go v1.1.4-0.20251201121426-2cdedea80894/go.mod 
h1:uuR+Edo6P+iwi0HKscycUm8mxXL748nAureqSg6jFLA= +github.com/sigstore/sigstore v1.10.3 h1:s7fBYYOzW/2Vd0nND2ZdpWySb5vRF2u9eix/NZMHJm0= +github.com/sigstore/sigstore v1.10.3/go.mod h1:T26vXIkpnGEg391v3TaZ8EERcXbnjtZb/1erh5jbIQk= +github.com/sigstore/sigstore-go v1.1.4 h1:wTTsgCHOfqiEzVyBYA6mDczGtBkN7cM8mPpjJj5QvMg= +github.com/sigstore/sigstore-go v1.1.4/go.mod h1:2U/mQOT9cjjxrtIUeKDVhL+sHBKsnWddn8URlswdBsg= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.3 h1:D/FRl5J9UYAJPGZRAJbP0dH78pfwWnKsyCSBwFBU8CI= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.3/go.mod h1:2GIWuNvTRMvrzd0Nl8RNqxrt9H7X0OBStwOSzGYRjYw= github.com/sigstore/sigstore/pkg/signature/kms/azure v1.10.3 h1:k5VMLf/ms7hh6MLgVoorM0K+hSMwZLXoywlxh4CXqP8= @@ -1570,8 +1570,8 @@ github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.10.3 h1:AVWs0E6rVZMoDTE0Iy github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.10.3/go.mod h1:nxQYF0D6u7mVtiP1azj1YVDIrtz7S0RYCVTqUG8IcCk= github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.10.3 h1:lJSdaC/aOlFHlvqmmV696n1HdXLMLEKGwpNZMV0sKts= github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.10.3/go.mod h1:b2rV9qPbt/jv/Yy75AIOZThP8j+pe1ZdLEjOwmjPdoA= -github.com/sigstore/timestamp-authority/v2 v2.0.3 h1:sRyYNtdED/ttLCMdaYnwpf0zre1A9chvjTnCmWWxN8Y= -github.com/sigstore/timestamp-authority/v2 v2.0.3/go.mod h1:mDaHxkt3HmZYoIlwYj4QWo0RUr7VjYU52aVO5f5Qb3I= +github.com/sigstore/timestamp-authority/v2 v2.0.4 h1:65IBa4LUeFWDQu9hiTt5lBpi/F5jonJWZtH6VLn4InU= +github.com/sigstore/timestamp-authority/v2 v2.0.4/go.mod h1:EXJLiMDBqRPlzC02hPiFSiYTCqSuUpU68a4vr0DFePM= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= 
@@ -1667,10 +1667,10 @@ github.com/tink-crypto/tink-go-awskms/v2 v2.1.0 h1:N9UxlsOzu5mttdjhxkDLbzwtEecuX github.com/tink-crypto/tink-go-awskms/v2 v2.1.0/go.mod h1:PxSp9GlOkKL9rlybW804uspnHuO9nbD98V/fDX4uSis= github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0 h1:3B9i6XBXNTRspfkTC0asN5W0K6GhOSgcujNiECNRNb0= github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0/go.mod h1:jY5YN2BqD/KSCHM9SqZPIpJNG/u3zwfLXHgws4x2IRw= -github.com/tink-crypto/tink-go-hcvault/v2 v2.3.0 h1:6nAX1aRGnkg2SEUMwO5toB2tQkP0Jd6cbmZ/K5Le1V0= -github.com/tink-crypto/tink-go-hcvault/v2 v2.3.0/go.mod h1:HOC5NWW1wBI2Vke1FGcRBvDATkEYE7AUDiYbXqi2sBw= -github.com/tink-crypto/tink-go/v2 v2.5.0 h1:B8KLF6AofxdBIE4UJIaFbmoj5/1ehEtt7/MmzfI4Zpw= -github.com/tink-crypto/tink-go/v2 v2.5.0/go.mod h1:2WbBA6pfNsAfBwDCggboaHeB2X29wkU8XHtGwh2YIk8= +github.com/tink-crypto/tink-go-hcvault/v2 v2.4.0 h1:j+S+WKBQ5ya26A5EM/uXoVe+a2IaPQN8KgBJZ22cJ+4= +github.com/tink-crypto/tink-go-hcvault/v2 v2.4.0/go.mod h1:OCKJIujnTzDq7f+73NhVs99oA2c1TR6nsOpuasYM6Yo= +github.com/tink-crypto/tink-go/v2 v2.6.0 h1:+KHNBHhWH33Vn+igZWcsgdEPUxKwBMEe0QC60t388v4= +github.com/tink-crypto/tink-go/v2 v2.6.0/go.mod h1:2WbBA6pfNsAfBwDCggboaHeB2X29wkU8XHtGwh2YIk8= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/tjfoc/gmsm v1.3.2/go.mod h1:HaUcFuY0auTiaHB9MHFGCPx5IaLhTUd2atbCFBQXn9w= 
@@ -1690,8 +1690,8 @@ github.com/vbatts/go-mtree v0.6.0 h1:n4r+Tweta4oH0+zWfv77VmfvWXrO69smspK37xvzgMI github.com/vbatts/go-mtree v0.6.0/go.mod h1:W7bcG9PCn6lFY+ljGlZxx9DONkxL3v8a7HyN+PrSrjA= github.com/vbatts/tar-split v0.12.2 h1:w/Y6tjxpeiFMR47yzZPlPj/FcPLpXbTUi/9H7d3CPa4= github.com/vbatts/tar-split v0.12.2/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA= -github.com/vektah/gqlparser/v2 v2.5.30 h1:EqLwGAFLIzt1wpx1IPpY67DwUujF1OfzgEyDsLrN6kE= -github.com/vektah/gqlparser/v2 v2.5.30/go.mod h1:D1/VCZtV3LPnQrcPBeR/q5jkSQIPti0uYCP/RI0gIeo= +github.com/vektah/gqlparser/v2 v2.5.31 h1:YhWGA1mfTjID7qJhd1+Vxhpk5HTgydrGU9IgkWBTJ7k= +github.com/vektah/gqlparser/v2 v2.5.31/go.mod h1:c1I28gSOVNzlfc4WuDlqU7voQnsqI6OG2amkBAFmgts= github.com/vifraa/gopom v1.0.0 h1:L9XlKbyvid8PAIK8nr0lihMApJQg/12OBvMA28BcWh0= github.com/vifraa/gopom v1.0.0/go.mod h1:oPa1dcrGrtlO37WPDBm5SqHAT+wTgF8An1Q71Z6Vv4o= github.com/vmihailenco/msgpack/v5 v5.3.5/go.mod h1:7xyJ9e+0+9SaZT0Wt1RGleJXzli6Q/V5KbhBonMG9jc= 
@@ -1751,8 +1751,8 @@ github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940 h1:4r45xpDWB6 github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod h1:CmBdvvj3nqzfzJ6nTCIwDTPZ56aVGvDrmztiO5g3qrM= github.com/zyedidia/generic v1.2.2-0.20230320175451-4410d2372cb1 h1:V+UsotZpAVvfj3X/LMoEytoLzSiP6Lg0F7wdVyu9gGg= github.com/zyedidia/generic v1.2.2-0.20230320175451-4410d2372cb1/go.mod h1:ly2RBz4mnz1yeuVbQA/VFwGjK3mnHGRj1JuoG336Bis= -gitlab.com/gitlab-org/api/client-go v0.160.0 h1:aMQzbcE8zFe0lR/J+a3zneEgH+/EBFs8rD8Chrr4Snw= -gitlab.com/gitlab-org/api/client-go v0.160.0/go.mod h1:ooCNtKB7OyP7GBa279+HrUS3eeJF6Yi6XABZZy7RTSk= +gitlab.com/gitlab-org/api/client-go v1.11.0 h1:L+qzw4kiCf3jKdKHQAwiqYKITvzBrW/tl8ampxNLlv0= +gitlab.com/gitlab-org/api/client-go v1.11.0/go.mod h1:adtVJ4zSTEJ2fP5Pb1zF4Ox1OKFg0MH43yxpb0T0248= go.etcd.io/bbolt v1.4.2 h1:IrUHp260R8c+zYx/Tm8QZr04CX+qWS5PGfPdevhdm1I= go.etcd.io/bbolt v1.4.2/go.mod h1:Is8rSHO/b4f3XigBC0lL0+4FwAQv3HXEEIgFMuKHceM= go.etcd.io/etcd/api/v3 v3.5.1/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= 
@@ -1781,8 +1781,8 @@ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.6 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0/go.mod h1:fvPi2qXDqFs8M4B4fmJhE92TyQs9Ydjlg3RvfUp+NbQ= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg= -go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8= -go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM= +go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48= +go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.13.0 h1:z6lNIajgEBVtQZHjfw2hAccPEBDs+nx58VemmXWa2ec= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.13.0/go.mod h1:+kyc3bRx/Qkq05P6OCu3mTEIOxYRYzoIg+JsUp5X+PM= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.13.0 h1:zUfYw8cscHHLwaY8Xz3fiJu+R59xBnkgq2Zr1lwmK/0= 
@@ -1791,12 +1791,12 @@ go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0 h1:vl9 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0/go.mod h1:GAXRxmLJcVM3u22IjTg74zWBrRCKq8BnOqUVLodpcpw= go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.37.0 h1:9PgnL3QNlj10uGxExowIDIZu66aVBwWhXmbOp1pa6RA= go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.37.0/go.mod h1:0ineDcLELf6JmKfuo0wvvhAVMuxWFYvkTin2iV4ydPQ= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 h1:lwI4Dc5leUqENgGuQImwLo4WnuXFPetmPpkLi2IrX54= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0/go.mod h1:Kz/oCE7z5wuyhPxsXDuaPteSWqjSBD5YaSdbxZYGbGk= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 h1:aTL7F04bJHUlztTsNGJ2l+6he8c+y/b//eR0jjjemT4= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0/go.mod h1:kldtb7jDTeol0l3ewcmd8SDvx3EmIE7lyvqbasU3QC4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 h1:f0cb2XPmrqn4XMy9PNliTgRKJgS5WcL/u0/WRYGz4t0= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0/go.mod h1:vnakAaFckOMiMtOIhFI2MNH4FYrZzXCYxmb1LlhoGz8= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0 h1:in9O8ESIOlwJAEGTkkf34DesGRAc/Pn8qJ7k3r/42LM= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0/go.mod h1:Rp0EXBm5tfnv0WL+ARyO/PHBEaEAT8UUHQ6AGJcSq6c= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.39.0 h1:Ckwye2FpXkYgiHX7fyVrN1uA/UYd9ounqqTuSNAv0k4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.39.0/go.mod h1:teIFJh5pW2y+AN7riv6IBPX2DuesS3HgP39mwOspKwU= go.opentelemetry.io/otel/exporters/prometheus v0.60.0 
h1:cGtQxGvZbnrWdC2GyjZi0PDKVSLWP/Jocix3QWfXtbo= go.opentelemetry.io/otel/exporters/prometheus v0.60.0/go.mod h1:hkd1EekxNo69PTV4OWFGZcKQiIqg0RfuWExcPKFvepk= go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.13.0 h1:yEX3aC9KDgvYPhuKECHbOlr5GLwH6KTjLJ1sBSkkxkc= 
@@ -1807,23 +1807,23 @@ go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.37.0 h1:SNhVp/9q4Go/XHB go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.37.0/go.mod h1:tx8OOlGH6R4kLV67YaYO44GFXloEjGPZuMjEkaaqIp4= go.opentelemetry.io/otel/log v0.13.0 h1:yoxRoIZcohB6Xf0lNv9QIyCzQvrtGZklVbdCoyb7dls= go.opentelemetry.io/otel/log v0.13.0/go.mod h1:INKfG4k1O9CL25BaM1qLe0zIedOpvlS5Z7XgSbmN83E= -go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA= -go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI= -go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E= -go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg= +go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0= +go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs= +go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18= +go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE= go.opentelemetry.io/otel/sdk/log v0.13.0 h1:I3CGUszjM926OphK8ZdzF+kLqFvfRY/IIoFq/TjwfaQ= go.opentelemetry.io/otel/sdk/log v0.13.0/go.mod h1:lOrQyCCXmpZdN7NchXb6DOZZa1N5G1R2tm5GMMTpDBw= go.opentelemetry.io/otel/sdk/log/logtest v0.13.0 h1:9yio6AFZ3QD9j9oqshV1Ibm9gPLlHNxurno5BreMtIA= go.opentelemetry.io/otel/sdk/log/logtest v0.13.0/go.mod h1:QOGiAJHl+fob8Nu85ifXfuQYmJTFAvcrxL6w5/tu168= -go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM= -go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA= -go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE= -go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs= +go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8= 
+go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew= +go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI= +go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= -go.opentelemetry.io/proto/otlp v1.8.0 h1:fRAZQDcAFHySxpJ1TwlA1cJ4tvcrw7nXl9xWWC8N5CE= -go.opentelemetry.io/proto/otlp v1.8.0/go.mod h1:tIeYOeNBU4cvmPqpaji1P+KbB4Oloai8wN4rWzRrFF0= -go.step.sm/crypto v0.74.0 h1:/APBEv45yYR4qQFg47HA8w1nesIGcxh44pGyQNw6JRA= -go.step.sm/crypto v0.74.0/go.mod h1:UoXqCAJjjRgzPte0Llaqen7O9P7XjPmgjgTHQGkKCDk= +go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A= +go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4= +go.step.sm/crypto v0.75.0 h1:UAHYD6q6ggYyzLlIKHv1MCUVjZIesXRZpGTlRC/HSHw= +go.step.sm/crypto v0.75.0/go.mod h1:wwQ57+ajmDype9mrI/2hRyrvJd7yja5xVgWYqpUN3PE= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= 
@@ -1873,8 +1873,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc h1:TS73t7x3KarrNd5qAipmspBDS1rkMcgVG/fS1aRb4Rc= -golang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc= +golang.org/x/exp v0.0.0-20250813145105-42675adae3e6 h1:SbTAbRFnd5kjQXbczszQ0hdk3ctwYf3qBNH9jIsGclE= +golang.org/x/exp v0.0.0-20250813145105-42675adae3e6/go.mod h1:4QTo5u+SEIbbKW1RacMZq1YEfOBqeXa19JeshGi+zc4= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -1903,8 +1903,8 @@ golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk= -golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc= +golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI= +golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -2180,8 +2180,8 @@ golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ= -golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ= +golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA= +golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -2223,8 +2223,8 @@ google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdr google.golang.org/api v0.59.0/go.mod h1:sT2boj7M9YJxZzgeZqXogmhfmRWDtPzT31xkieUbuZU= google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I= google.golang.org/api v0.62.0/go.mod h1:dKmwPCydfsad4qCH08MSdgWjfHOyfpd4VtDGgRFdavw= -google.golang.org/api v0.256.0 h1:u6Khm8+F9sxbCTYNoBHg6/Hwv0N/i+V94MvkOSor6oI= -google.golang.org/api v0.256.0/go.mod h1:KIgPhksXADEKJlnEoRa9qAII4rXcy40vfI8HRqcU964= +google.golang.org/api v0.258.0 h1:IKo1j5FBlN74fe5isA2PVozN3Y5pwNKriEgAXPOkDAc= +google.golang.org/api v0.258.0/go.mod h1:qhOMTQEZ6lUps63ZNq9jhODswwjkjYYguA7fA3TBFww= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -2297,10 +2297,10 @@ google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ6 google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20250922171735-9219d122eba9 h1:LvZVVaPE0JSqL+ZWb6ErZfnEOKIqqFWUJE2D0fObSmc= google.golang.org/genproto v0.0.0-20250922171735-9219d122eba9/go.mod h1:QFOrLhdAe2PsTp3vQY4quuLKTi9j3XG3r6JPPaw7MSc= -google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 h1:mepRgnBZa07I4TRuomDE4sTIYieg/osKmzIf4USdWS4= -google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8/go.mod h1:fDMmzKV90WSg1NbozdqrE64fkuTv6mlq2zxo9ad+3yo= -google.golang.org/genproto/googleapis/rpc v0.0.0-20251103181224-f26f9409b101 h1:tRPGkdGHuewF4UisLzzHHr1spKw92qLM98nIzxbC0wY= -google.golang.org/genproto/googleapis/rpc v0.0.0-20251103181224-f26f9409b101/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk= +google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls= +google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2 h1:2I6GHUeJ/4shcDpoUlLs/2WPnhg7yJwvXtqcMJt9liA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= 
@@ -2344,8 +2344,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE= -google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= +google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= +google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -2395,18 +2395,18 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.34.3 h1:D12sTP257/jSH2vHV2EDYrb16bS7ULlHpdNdNhEw2S4= -k8s.io/api v0.34.3/go.mod h1:PyVQBF886Q5RSQZOim7DybQjAbVs8g7gwJNhGtY5MBk= +k8s.io/api v0.35.0 h1:iBAU5LTyBI9vw3L5glmat1njFK34srdLmktWwLTprlY= +k8s.io/api v0.35.0/go.mod h1:AQ0SNTzm4ZAczM03QH42c7l3bih1TbAXYo0DkF8ktnA= k8s.io/apiextensions-apiserver v0.34.2 h1:WStKftnGeoKP4AZRz/BaAAEJvYp4mlZGN0UCv+uvsqo= k8s.io/apiextensions-apiserver v0.34.2/go.mod h1:398CJrsgXF1wytdaanynDpJ67zG4Xq7yj91GrmYN2SE= -k8s.io/apimachinery v0.34.3 h1:/TB+SFEiQvN9HPldtlWOTp0hWbJ+fjU+wkxysf/aQnE= -k8s.io/apimachinery v0.34.3/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= +k8s.io/apimachinery v0.35.0 h1:Z2L3IHvPVv/MJ7xRxHEtk6GoJElaAqDCCU0S6ncYok8= +k8s.io/apimachinery v0.35.0/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns= k8s.io/apiserver v0.34.2 h1:2/yu8suwkmES7IzwlehAovo8dDE07cFRC7KMDb1+MAE= k8s.io/apiserver v0.34.2/go.mod h1:gqJQy2yDOB50R3JUReHSFr+cwJnL8G1dzTA0YLEqAPI= k8s.io/cli-runtime v0.34.3 h1:YRyMhiwX0dT9lmG0AtZDaeG33Nkxgt9OlCTZhRXj9SI= k8s.io/cli-runtime v0.34.3/go.mod h1:GVwL1L5uaGEgM7eGeKjaTG2j3u134JgG4dAI6jQKhMc= -k8s.io/client-go v0.34.3 h1:wtYtpzy/OPNYf7WyNBTj3iUA0XaBHVqhv4Iv3tbrF5A= -k8s.io/client-go v0.34.3/go.mod h1:OxxeYagaP9Kdf78UrKLa3YZixMCfP6bgPwPwNBQBzpM= +k8s.io/client-go v0.35.0 h1:IAW0ifFbfQQwQmga0UdoH0yvdqrbwMdq9vIFEhRpxBE= +k8s.io/client-go v0.35.0/go.mod h1:q2E5AAyqcbeLGPdoRB+Nxe3KYTfPce1Dnu1myQdqz9o= k8s.io/component-base v0.34.3 h1:zsEgw6ELqK0XncCQomgO9DpUIzlrYuZYA0Cgo+JWpVk= k8s.io/component-base v0.34.3/go.mod h1:5iIlD8wPfWE/xSHTRfbjuvUul2WZbI2nOUK65XL0E/c= k8s.io/component-helpers v0.34.3 
h1:Iws1GQfM89Lxo7IZITGmVdFOW0Bmyd7SVwwIu1/CCkE=
From 48df3d1827ccef8230d2452c0622bc4d4e58e47c Mon Sep 17 00:00:00 2001
From: Brandt Keller
Date: Wed, 14 Jan 2026 13:38:23 -0800
Subject: [PATCH 13/13] fix(unit): resolve unit testing issue
Signed-off-by: Brandt Keller
---
 go.mod | 10 +++++-----
 go.sum | 26 +++++++++++++------------
 src/pkg/packager/layout/package_test.go | 2 +-
 3 files changed, 20 insertions(+), 18 deletions(-)
diff --git a/go.mod b/go.mod
index 1212d0b07a..6c23ccb8e7 100644
--- a/go.mod
+++ b/go.mod
@@ -44,8 +44,8 @@ require (
 github.com/prometheus/client_golang v1.23.2
 github.com/pterm/pterm v0.12.82
 github.com/sergi/go-diff v1.4.0
- github.com/sigstore/cosign/v3 v3.0.4
- github.com/sigstore/sigstore-go v1.1.4
+ github.com/sigstore/cosign/v3 v3.0.3
+ github.com/sigstore/sigstore-go v1.1.4-0.20251201121426-2cdedea80894
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.3
 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.10.3
 github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.10.3
@@ -59,9 +59,9 @@ require (
 golang.org/x/sync v0.19.0
 golang.org/x/term v0.39.0
 helm.sh/helm/v3 v3.19.4
- k8s.io/api v0.35.0
- k8s.io/apimachinery v0.35.0
- k8s.io/client-go v0.35.0
+ k8s.io/api v0.34.3
+ k8s.io/apimachinery v0.34.3
+ k8s.io/client-go v0.34.3
 k8s.io/component-base v0.34.3
 k8s.io/klog/v2 v2.130.1
 k8s.io/kubectl v0.34.3
diff --git a/go.sum b/go.sum
index 27ecb2f003..7632f98d06 100644
--- a/go.sum
+++ b/go.sum
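Review bot: The first go.mod hunk moves `github.com/sigstore/sigstore-go` from the tagged `v1.1.4` back to the pseudo-version `v1.1.4-0.20251201121426-2cdedea80894` and `github.com/sigstore/cosign/v3` from `v3.0.4` to `v3.0.3`, and neither go.mod nor the commit message records why; the second hunk does the same for `k8s.io/api`, `k8s.io/apimachinery` and `k8s.io/client-go` (v0.35.0 back to v0.34.3). These two sigstore modules sit on the signature verification path this series adds, so a pin to an untagged commit should carry its reason and an exit condition next to the requirement, for example `// pinned below the tagged release: <failing test or upstream issue>; restore v1.1.4 once resolved`. The go.sum context lines in this same commit still list `github.com/sigstore/fulcio v1.8.4` and `github.com/sigstore/sigstore v1.10.3`, so the resolved set is presumably a mix of the older direct and newer indirect versions; it is worth confirming the selected versions with `go list -m all` and running the sign/verify tests against exactly that set.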
@@ -1370,8 +1370,8 @@ github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vv github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= -github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns= -github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= +github.com/onsi/ginkgo/v2 v2.25.1 h1:Fwp6crTREKM+oA6Cz4MsO8RhKQzs2/gOIVOUscMAfZY= +github.com/onsi/ginkgo/v2 v2.25.1/go.mod h1:ppTWQ1dh9KM/F1XgpeRqelR+zHVwV81DGRSDnFxK7Sk= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= @@ -1548,8 +1548,8 @@ github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k= github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= -github.com/sigstore/cosign/v3 v3.0.4 h1:SuEn9z8V0eyjF0PWxuGgQ7QSPWReNexLJovkZ3wLaf8= -github.com/sigstore/cosign/v3 v3.0.4/go.mod h1:DJY5LPzHiI6bWpG/Q/NQUTfeASjkN8TDAUx1Nnt3I0I= +github.com/sigstore/cosign/v3 v3.0.3 h1:IknuTUYM+tZ/ToghM7mvg9V0O31NG3rev97u1IJIuYA= +github.com/sigstore/cosign/v3 v3.0.3/go.mod h1:poeQqwvpDNIDyim7a2ljUhonVKpCys+fx3SY0Lkmi/4= github.com/sigstore/fulcio v1.8.4 h1:awmmItiPwteo8t8sVOoIAPnmbDfLb1JGW0LPY8SNCdY= github.com/sigstore/fulcio v1.8.4/go.mod h1:2jh+uWOfWroKHlhUzr81AFqnAYeZiIi3NC/vegCbiYw= github.com/sigstore/protobuf-specs v0.5.0 h1:F8YTI65xOHw70NrvPwJ5PhAzsvTnuJMGLkA4FIkofAY= 
@@ -1560,8 +1560,8 @@ github.com/sigstore/rekor-tiles/v2 v2.0.1 h1:1Wfz15oSRNGF5Dzb0lWn5W8+lfO50ork4PG github.com/sigstore/rekor-tiles/v2 v2.0.1/go.mod h1:Pjsbhzj5hc3MKY8FfVTYHBUHQEnP0ozC4huatu4x7OU= github.com/sigstore/sigstore v1.10.3 h1:s7fBYYOzW/2Vd0nND2ZdpWySb5vRF2u9eix/NZMHJm0= github.com/sigstore/sigstore v1.10.3/go.mod h1:T26vXIkpnGEg391v3TaZ8EERcXbnjtZb/1erh5jbIQk= -github.com/sigstore/sigstore-go v1.1.4 h1:wTTsgCHOfqiEzVyBYA6mDczGtBkN7cM8mPpjJj5QvMg= -github.com/sigstore/sigstore-go v1.1.4/go.mod h1:2U/mQOT9cjjxrtIUeKDVhL+sHBKsnWddn8URlswdBsg= +github.com/sigstore/sigstore-go v1.1.4-0.20251201121426-2cdedea80894 h1:K8hnZhun6XacjxAdCdxkowSi7+FpmfYnAcMhTXZQyPg= +github.com/sigstore/sigstore-go v1.1.4-0.20251201121426-2cdedea80894/go.mod h1:uuR+Edo6P+iwi0HKscycUm8mxXL748nAureqSg6jFLA= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.3 h1:D/FRl5J9UYAJPGZRAJbP0dH78pfwWnKsyCSBwFBU8CI= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.3/go.mod h1:2GIWuNvTRMvrzd0Nl8RNqxrt9H7X0OBStwOSzGYRjYw= github.com/sigstore/sigstore/pkg/signature/kms/azure v1.10.3 h1:k5VMLf/ms7hh6MLgVoorM0K+hSMwZLXoywlxh4CXqP8= @@ -1825,6 +1825,8 @@ go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pq go.step.sm/crypto v0.75.0 h1:UAHYD6q6ggYyzLlIKHv1MCUVjZIesXRZpGTlRC/HSHw= go.step.sm/crypto v0.75.0/go.mod h1:wwQ57+ajmDype9mrI/2hRyrvJd7yja5xVgWYqpUN3PE= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs= +go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= 
@@ -2395,18 +2397,18 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.35.0 h1:iBAU5LTyBI9vw3L5glmat1njFK34srdLmktWwLTprlY= -k8s.io/api v0.35.0/go.mod h1:AQ0SNTzm4ZAczM03QH42c7l3bih1TbAXYo0DkF8ktnA= +k8s.io/api v0.34.3 h1:D12sTP257/jSH2vHV2EDYrb16bS7ULlHpdNdNhEw2S4= +k8s.io/api v0.34.3/go.mod h1:PyVQBF886Q5RSQZOim7DybQjAbVs8g7gwJNhGtY5MBk= k8s.io/apiextensions-apiserver v0.34.2 h1:WStKftnGeoKP4AZRz/BaAAEJvYp4mlZGN0UCv+uvsqo= k8s.io/apiextensions-apiserver v0.34.2/go.mod h1:398CJrsgXF1wytdaanynDpJ67zG4Xq7yj91GrmYN2SE= -k8s.io/apimachinery v0.35.0 h1:Z2L3IHvPVv/MJ7xRxHEtk6GoJElaAqDCCU0S6ncYok8= -k8s.io/apimachinery v0.35.0/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns= +k8s.io/apimachinery v0.34.3 h1:/TB+SFEiQvN9HPldtlWOTp0hWbJ+fjU+wkxysf/aQnE= +k8s.io/apimachinery v0.34.3/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= k8s.io/apiserver v0.34.2 h1:2/yu8suwkmES7IzwlehAovo8dDE07cFRC7KMDb1+MAE= k8s.io/apiserver v0.34.2/go.mod h1:gqJQy2yDOB50R3JUReHSFr+cwJnL8G1dzTA0YLEqAPI= k8s.io/cli-runtime v0.34.3 h1:YRyMhiwX0dT9lmG0AtZDaeG33Nkxgt9OlCTZhRXj9SI= k8s.io/cli-runtime v0.34.3/go.mod h1:GVwL1L5uaGEgM7eGeKjaTG2j3u134JgG4dAI6jQKhMc= -k8s.io/client-go v0.35.0 h1:IAW0ifFbfQQwQmga0UdoH0yvdqrbwMdq9vIFEhRpxBE= -k8s.io/client-go v0.35.0/go.mod h1:q2E5AAyqcbeLGPdoRB+Nxe3KYTfPce1Dnu1myQdqz9o= +k8s.io/client-go v0.34.3 h1:wtYtpzy/OPNYf7WyNBTj3iUA0XaBHVqhv4Iv3tbrF5A= +k8s.io/client-go v0.34.3/go.mod h1:OxxeYagaP9Kdf78UrKLa3YZixMCfP6bgPwPwNBQBzpM= k8s.io/component-base v0.34.3 h1:zsEgw6ELqK0XncCQomgO9DpUIzlrYuZYA0Cgo+JWpVk= k8s.io/component-base v0.34.3/go.mod h1:5iIlD8wPfWE/xSHTRfbjuvUul2WZbI2nOUK65XL0E/c= k8s.io/component-helpers v0.34.3 
h1:Iws1GQfM89Lxo7IZITGmVdFOW0Bmyd7SVwwIu1/CCkE= diff --git a/src/pkg/packager/layout/package_test.go b/src/pkg/packager/layout/package_test.go index 6d7bd64993..d15dc65b7b 100644 --- a/src/pkg/packager/layout/package_test.go +++ b/src/pkg/packager/layout/package_test.go @@ -839,7 +839,7 @@ func TestPackageLayoutVerifyPackageSignature(t *testing.T) { err = pkgLayout.VerifyPackageSignature(ctx, verifyOpts) require.Error(t, err) - require.Contains(t, err.Error(), "signature not found: neither bundle nor legacy signature exists") + require.Contains(t, err.Error(), "a key was provided but the package is not signed") }) t.Run("verification fails with empty dirPath", func(t *testing.T) {
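Review bot: With the expected message changed to `"a key was provided but the package is not signed"`, this subtest no longer exercises the `signature not found: neither bundle nor legacy signature exists` branch of `VerifyPackageSignature`. That branch appears to be the one that rejects a package marked as signed whose `zarf.bundle.sig` and `zarf.yaml.sig` are both missing, so it should keep its own subtest; whether another case already covers it is not visible from this hunk. Asserting on `err.Error()` text also ties the test to wording, and a sentinel error checked with `require.ErrorIs(t, err, ErrX)` would be sturdier. The enclosing test function starts and ends outside the hunk.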