🌱 Bump github.com/sigstore/cosign from 1.12.0 to 1.12.1

[dependabot]

Bumps github.com/sigstore/cosign from 1.12.0 to 1.12.1.

Release notes

Sourced from github.com/sigstore/cosign's releases.

v1.12.1

Highlights

fix: Pulls Fulcio root and intermediate when --certificate-chain is not passed into verify-blob command. The v1.12.0 release introduced a regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would check a --certificate (without a --certificate-chain provided) against the operating system root CA bundle. In this release, Cosign checks the certificate against Fulcio's CA root instead (restoring the earlier behavior).

What's Changed

• fix: fix cert chain validation for verify-blob in non-experimental mode by @​asraa in sigstore/cosign#2256
• fix: add COSIGN_EXPERIMENTAL=1 for verify-bloba by @​developer-guy in sigstore/cosign#2254
• Fix BYO-root with intermediate to fetch intermediates from annotation by @​haydentherapper in sigstore/cosign#2244
• fix: fixing breaking changes in rekor v1.12.0 upgrade by @​developer-guy in sigstore/cosign#2260

New Contributors

• @​n3k0m4 made their first contribution in sigstore/cosign#2263

Full Changelog: sigstore/cosign@v1.12.0...v1.12.1

Changelog

Sourced from github.com/sigstore/cosign's changelog.

v1.12.1

Highlights

• Pulls Fulcio root and intermediate when --certificate-chain is not passed into verify-blob. The v1.12.0 release introduced a regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would check a --certificate (without a --certificate-chain provided) against the operating system root CA bundle. In this release, Cosign checks the certificate against Fulcio's CA root instead (restoring the earlier behavior).

Bug Fixes

• fix: fixing breaking changes in rekor v1.12.0 upgrade (sigstore/cosign#2260)
• Fixed bug where intermediate certificates were not automatically read from the OCI chain annotation (sigstore/cosign#2244)
• fix: add COSIGN_EXPERIMENTAL=1 for verify-blob (sigstore/cosign#2254)
• fix: fix cert chain validation for verify-blob in non-experimental mode (sigstore/cosign#2256)
• fix: fix secret test, non-experimental bundle should pass (sigstore/cosign#2249)
• Fix e2e test failure, add test for local bundle without rekor bundle (sigstore/cosign#2248)

Contributors

• Asra Ali (@​asraa)
• Batuhan Apaydın (@​developer-guy)
• Carlos Tadeu Panato Junior (@​cpanato)
• Hayden Blauzvern (@​haydentherapper)
• n3k0m4 (@​n3k0m4)

Commits

• 0baa044 fix: fixing breaking changes in rekor v1.12.0 upgrade (#2260)
• bc66c2f chore(deps): bump codecov/codecov-action from 3.1.0 to 3.1.1 (#2266)
• 63fb755 Fix BYO-root with intermediate to fetch intermediates from annotation (#2244)
• c1322bc Resolves sigstore/community#121 (#2263)
• fde55b6 fix: add COSIGN_EXPERIMENTAL=1 for verify-blob (#2254)
• d11982b Bump github/codeql-action from 2.1.23 to 2.1.24 (#2261)
• ff18e66 add changelog for v1.12.0 and v1.11.1 (#2250)
• af581bb Bump github/codeql-action from 2.1.22 to 2.1.23 (#2257)
• 63fe875 fix: fix cert chain validation for verify-blob in non-experimental mode (#2256)
• f43839b Bump google.golang.org/api from 0.95.0 to 0.96.0 (#2251)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will merge this PR once CI passes on it, as requested by @naveensrinivasan.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[codecov]

Codecov Report

Merging #947 (9a7fbc0) into main (9a2bfd4) will not change coverage.
The diff coverage is n/a.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #947   +/-   ##
=======================================
  Coverage   62.19%   62.19%           
=======================================
  Files           4        4           
  Lines         246      246           
=======================================
  Hits          153      153           
  Misses         77       77           
  Partials       16       16           

[naveensrinivasan]

@dependabot merge