
Bump sigstore library dependencies#4532

Merged
Hayden-IO merged 1 commit into sigstore:main from Hayden-IO:bump-ss on Dec 2, 2025

Conversation

@Hayden-IO

Contributor

Summary

Release Note

Documentation

@Hayden-IO Hayden-IO requested review from a team as code owners November 19, 2025 16:33
cpanato
cpanato previously approved these changes Nov 19, 2025
@Hayden-IO

Contributor Author

Will need to wait for sigstore/sigstore-go#543 to merge to remove TSA v1 dependency

@frewilhelm

Contributor

Will need to wait for sigstore/sigstore-go#543 to merge to remove TSA v1 dependency

sigstore/sigstore-go#543 is merged. Do you know when #4532 can be merged?

@Hayden-IO

Contributor Author

Will need to wait for sigstore/sigstore-go#543 to merge to remove TSA v1 dependency

sigstore/sigstore-go#543 is merged. Do you know when #4532 can be merged?

Updating now.

@codecov

codecov Bot commented Dec 1, 2025


Codecov Report

❌ Patch coverage is 40.00000% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 36.27%. Comparing base (2ef6022) to head (cab7ffa).
⚠️ Report is 599 commits behind head on main.

Files with missing lines | Patch % | Lines
pkg/cosign/keys.go | 40.00% | 0 Missing and 3 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4532      +/-   ##
==========================================
- Coverage   40.10%   36.27%   -3.83%     
==========================================
  Files         155      220      +65     
  Lines       10044    12321    +2277     
==========================================
+ Hits         4028     4470     +442     
- Misses       5530     7156    +1626     
- Partials      486      695     +209     


@Hayden-IO Hayden-IO force-pushed the bump-ss branch 2 times, most recently from fd80bcf to 7ad141c Compare December 1, 2025 18:53
@Hayden-IO Hayden-IO requested a review from cpanato December 1, 2025 19:06
Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
@Hayden-IO Hayden-IO merged commit 38bf9e6 into sigstore:main Dec 2, 2025
29 checks passed
@frewilhelm

Contributor

do you plan to backport this to a v2.6.x release?

@rosstimothy


+1 to backporting this to v2. v3 requires Go 1.25 which may not be something that all consumers of this library are capable of at the moment.

@Hayden-IO

Contributor Author

We can work on backporting the patches to v2. Backporting is going to end up bumping v2 to 1.25 though, we've pulled in some dependencies that are setting their min version as 1.25.

@rosstimothy


We can work on backporting the patches to v2. Backporting is going to end up bumping v2 to 1.25 though, we've pulled in some dependencies that are setting their min version as 1.25.

Is there a specific need for 1.25 to resolve the security issue? If not can it be avoided?

@Hayden-IO

Contributor Author

No, it's not needed for resolving the issue, but a dependency somewhere deep in the dep tree bumped its version directive and so the latest releases of fulcio and timestamp-authority were bumped as well. We've tried to keep the go version as low as possible, but then we end up having to ignore dependabot updates. No great solution in either case.

@rosstimothy


No, it's not needed for resolving the issue, but a dependency somewhere deep in the dep tree bumped its version directive and so the latest releases of fulcio and timestamp-authority were bumped as well. We've tried to keep the go version as low as possible, but then we end up having to ignore dependabot updates. No great solution in either case.

Is it possible to fix the issue in timestamp-authority/v1 without bumping to Go 1.25?

@Hayden-IO

Contributor Author

Fulcio is also at 1.25, which would need to be bumped as well to resolve GHSA-f83f-xpx7-ffpw.

JasonPowr pushed a commit to securesign/cosign that referenced this pull request Jan 5, 2026
Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
fghanmi pushed a commit to securesign/cosign that referenced this pull request Jan 22, 2026
Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>