v2.0.3 incompatible with sigstore v1.10.0+ due to removed cryptoutils/goodkey package #1252

@saisaketh-devops

Description

timestamp-authority v2.0.3 requires sigstore v1.10.0+ but imports github.com/sigstore/sigstore/pkg/cryptoutils/goodkey, which was removed in sigstore v1.10.0. This creates a build failure.

Error

go: github.com/sigstore/timestamp-authority/v2@v2.0.3 used for two different module paths (github.com/sigstore/timestamp-authority and github.com/sigstore/timestamp-authority/v2)
go: finding module for package github.com/sigstore/sigstore/pkg/cryptoutils/goodkey
go: github.com/sigstore/timestamp-authority/pkg/x509 imports
	github.com/sigstore/sigstore/pkg/cryptoutils/goodkey: module github.com/sigstore/sigstore@latest found (v1.10.2, replaced by github.com/sigstore/sigstore@v1.9.5), but does not contain package github.com/sigstore/sigstore/pkg/cryptoutils/goodkey

Context

  • timestamp-authority version: v2.0.3
  • sigstore version required: v1.10.0+ (as per go.mod)
  • sigstore version where goodkey was removed: v1.10.0
  • Vulnerability: GHSA-4qg8-fj49-pxjh (High severity)
  • Fixed in: v2.0.3 (but incompatible with required sigstore version)

Impact

This prevents upgrading to timestamp-authority v2.0.3 to fix the high-severity vulnerability (GHSA-4qg8-fj49-pxjh) because:

  1. v2.0.3 requires sigstore v1.10.0+
  2. v2.0.3 imports goodkey package
  3. goodkey was removed in sigstore v1.10.0
  4. Result: Cannot build with v2.0.3

Attempted Workarounds

  1. ✅ Direct update: Build fails
  2. ✅ Update sigstore first: Build fails (missing package)
  3. ✅ Replace directives: Module path conflicts (v1 vs v2)
  4. ✅ Exclude old versions: Still pulls incompatible versions

Request

Please provide one of the following:

  1. A compatible version of timestamp-authority v2 that works with sigstore v1.10.0+ (without goodkey dependency)
  2. A patch/PR to remove goodkey dependency from v2.0.3
  3. Guidance on how to proceed

Additional Context

This is blocking image signing in our CI/CD pipeline, which requires zero high vulnerabilities. The vulnerability has EPSS < 0.1% but our security policy requires all high vulnerabilities to be fixed.

Related Issues

  • A similar issue exists in fulcio v1.8.3
  • cosign also uses the removed ValidatePubKey function

Environment

  • Go version: 1.25.5
  • Project: Kyverno (Kubernetes policy engine)
  • Dependency: Indirect (via cosign/sigstore-go)
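As an added example (not code from the issue, nor from the sigstore or Kyverno projects), a small Go check that scans `go mod graph` output for a module that appears under two major-version module paths (here `timestamp-authority` and `timestamp-authority/v2`), the situation behind the first line of the error above. The graph text is constructed; versions not quoted in the issue (cosign, the v1 timestamp-authority) are placeholders.

```go
package main

import (
	"regexp"
	"sort"
	"strings"
)

// Constructed `go mod graph` excerpt modelled on the report: the v2 module
// (v2.0.3, requiring sigstore v1.10.2) is reached via cosign, while the old
// v1 path is still required directly. vX.Y.Z / v1.X.Y are placeholders.
const sampleGraph = `kyverno github.com/sigstore/cosign/v2@vX.Y.Z
kyverno github.com/sigstore/timestamp-authority@v1.X.Y
github.com/sigstore/cosign/v2@vX.Y.Z github.com/sigstore/timestamp-authority/v2@v2.0.3
github.com/sigstore/timestamp-authority/v2@v2.0.3 github.com/sigstore/sigstore@v1.10.2
github.com/sigstore/timestamp-authority@v1.X.Y github.com/sigstore/sigstore@v1.9.5`

// majorSuffix matches the /vN major-version suffix of a Go module path.
var majorSuffix = regexp.MustCompile(`/v[2-9][0-9]*$`)

// DualMajors groups every "path@version" node in the graph by its module path
// with any /vN suffix stripped and returns only the groups that contain more
// than one distinct module path: the candidates to inspect when the go tool
// reports a module "used for two different module paths". base path -> nodes.
func DualMajors(graphText string) map[string][]string {
	groups := map[string]map[string]bool{} // base path -> set of nodes
	for _, node := range strings.Fields(graphText) {
		modPath := strings.SplitN(node, "@", 2)[0]
		base := majorSuffix.ReplaceAllString(modPath, "")
		if groups[base] == nil {
			groups[base] = map[string]bool{}
		}
		groups[base][node] = true
	}
	out := map[string][]string{}
	for base, set := range groups {
		paths := map[string]bool{}
		var nodes []string
		for node := range set {
			paths[strings.SplitN(node, "@", 2)[0]] = true
			nodes = append(nodes, node)
		}
		if len(paths) > 1 {
			sort.Strings(nodes)
			out[base] = nodes
		}
	}
	return out
}
```

Run it against real output with `go mod graph > graph.txt` and pass the file contents to `DualMajors`; a module listed in the result needs its `replace`/`require` lines reconciled to a single major-version path before the v2.0.3 upgrade can resolve.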

Labels: enhancement