Update and unignore github.com/sigstore/sigstore in open-component-model/ocm

[frewilhelm]

Description

This is a follow-up for open-component-model/ocm#1699.

In open-component-model/ocm#1699 we ignored the package github.com/sigstore/sigstore because it introduced a breaking change (see release notes ) that breaks github.com/sigstore/cosign/v2@v2.6.1:

# github.com/sigstore/cosign/v2/pkg/cosign
Error: /home/runner/go/pkg/mod/github.com/sigstore/cosign/v2@v2.6.1/pkg/cosign/keys.go:143:24: undefined: cryptoutils.ValidatePubKey
Error: /home/runner/go/pkg/mod/github.com/sigstore/cosign/v2@v2.6.1/pkg/cosign/keys.go:152:24: undefined: cryptoutils.ValidatePubKey
Error: /home/runner/go/pkg/mod/github.com/sigstore/cosign/v2@v2.6.1/pkg/cosign/keys.go:163:25: undefined: cryptoutils.ValidatePubKey

A fix is already prepared, see open-component-model/ocm#1699 (comment)

Done Criteria

• Update github.com/sigstore/sigstore and github.com/sigstore/cosign/v2 when available and possible (hopefully the will update 2.6.x too)
• Code has been reviewed by other team members
• Analysis of existing tests (Unit and Integration)
• Unit Tests created for new code or existing Unit Tests updated
• Integration Test Suite updated (includes deletion of existing unnecessary Integration Test and/or creation of new ones if required)

[frewilhelm]

@frewilhelm We need conformation that sigstore is still be maintained

[frewilhelm]

github.com/sigstore/sigstore shows no sign of not being maintained. Even though there is no post that it is actively maintained, there is nothing about a deprecation of the package and PRs are worked on and merged on a weekly basis.

[frewilhelm]

sigstore got bumped into cosign. However, it is unclear to me if this will be fixed for 2.x versions or only for 3.x versions. If the latter one, we probably need to upgrade to cosign 3.x

[frewilhelm]

I asked if they plan to bump the fix into 2.x but got no answer yet.

In theory:

Cosign 2.x is a stable release and will continue to receive periodic feature updates and bug fixes. PRs that are small in scope and size are most likely to be quickly reviewed.

source

[frewilhelm]

@morri-son & @frewilhelm discuss if we should migrate to cosign v3 which would not need the 2.x backport.