Update module github.com/sigstore/cosign/v3 to v3.1.1

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/sigstore/cosign/v3	v3.0.6 → v3.1.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

sigstore/cosign (github.com/sigstore/cosign/v3)

v3.1.1

Compare Source

What's Changed

Note: v3.1.0 was skipped due to a bug in our release pipeline. v3.1.1 is identical to v3.1.0

This release deprecates a number of flags related to verification material input for trust root material, as well as the bundle format, standardized across Sigstore SDKs, which is now the default output and input for signing and verifying respectively. You may continue to use the deprecated flags with Cosign v3.x releases. The deprecated flags will be removed in a future Cosign v4 release.

This release also updates the signing path for logging to Rekor v2. DSSE attestations will be logged as hashed entries, using the DSSE's pre-auth encoding (PAE). This should unblock developers who want to upload large signed DSSEs such as SBOMs.

• Initialize PKCS11 slots Before Getting Token Info in #​4803
• Sign exclusively via sigstore-go in #​4618
• bundle create: Prevent IgnoreTlog when bundle contains SET in #​4829
• Require bundle output or registry upload in #​4785
• fix(load): pass NameOptions to name.ParseReference in #​4786
• fix: honor --digestAlg when hashing a blob in verify-blob-attestation in #​4813
• Deprecate Flags for v4: Certificates in #​4822
• Deprecate flags signing config in #​4844
• Deprecate flags bundle in #​4838
• Fix typo in map of verify command fields unsupported for new bundle format in #​4853
• Add bundle upgrade command in #​4820
• Deprecate Flags for v4 in #​4854
• fix: close file descriptor leaked in WriteSignedImageIndexImages loop in #​4869
• fix: use Header.Set to prevent duplicate Authorization on retry in #​4870
• feat(cli): add Rekor v2 flag to cosign signing-config create in #​4868
• Fix crash verifying timestamps when no timestamp was verified in #​4881
• Deprecate Flags for v4: OCI Referrers in #​4804
• Use the configured Target Repository more consistently in #​4836
• fix: check HTTP status code in LoadFileOrURL in #​4877
• Fix unsafe type assertion in Rego policy evaluation by in #​4882
• Fix Ed25519ph check to respect custom signing configs in sign-blob in #​4880
• Enable initialize command output in conformance in #​4892
• verify: return TUF errors for new bundle trusted roots in #​4878
• Deprecate subcommands in #​4894
• Remove docstring references to deprecated flags in #​4910
• fix(verify): Attach detached certificates to static signatures via wrapped verifier in #​4737
• fix(verify): copy CheckOpts inside VerifyNewBundle to fix data race in #​4917
• Update sigstore-go to v1.2.0 in #​4914

Full Changelog: sigstore/cosign@v3.0.6...v3.1.1

v3.1.0

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 113 additional dependencies were updated

Details:

Package	Change
cloud.google.com/go/auth	v0.18.2 -> v0.20.0
cloud.google.com/go/iam	v1.7.0 -> v1.11.0
cloud.google.com/go/longrunning	v0.9.0 -> v1.0.0
cloud.google.com/go/monitoring	v1.24.3 -> v1.25.0
cloud.google.com/go/storage	v1.59.2 -> v1.62.2
cuelang.org/go	v0.16.0 -> v0.16.1
github.com/Azure/azure-sdk-for-go/sdk/azcore	v1.21.0 -> v1.21.1
github.com/Azure/azure-sdk-for-go/sdk/internal	v1.11.2 -> v1.12.0
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys	v1.4.0 -> v1.5.0
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob	v1.6.4 -> v1.7.0
github.com/AzureAD/microsoft-authentication-library-for-go	v1.6.0 -> v1.7.2
github.com/aws/aws-sdk-go-v2	v1.41.6 -> v1.41.7
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream	v1.7.9 -> v1.7.10
github.com/aws/aws-sdk-go-v2/config	v1.32.12 -> v1.32.18
github.com/aws/aws-sdk-go-v2/credentials	v1.19.12 -> v1.19.17
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	v1.18.20 -> v1.18.23
github.com/aws/aws-sdk-go-v2/feature/s3/manager	v1.22.9 -> v1.22.19
github.com/aws/aws-sdk-go-v2/internal/configsources	v1.4.22 -> v1.4.23
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	v2.7.22 -> v2.7.23
github.com/aws/aws-sdk-go-v2/internal/v4a	v1.4.23 -> v1.4.24
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	v1.13.8 -> v1.13.9
github.com/aws/aws-sdk-go-v2/service/internal/checksum	v1.9.14 -> v1.9.15
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	v1.13.22 -> v1.13.23
github.com/aws/aws-sdk-go-v2/service/internal/s3shared	v1.19.22 -> v1.19.23
github.com/aws/aws-sdk-go-v2/service/kms	v1.50.3 -> v1.52.0
github.com/aws/aws-sdk-go-v2/service/s3	v1.99.1 -> v1.101.0
github.com/aws/aws-sdk-go-v2/service/signin	v1.0.8 -> v1.0.11
github.com/aws/aws-sdk-go-v2/service/sso	v1.30.13 -> v1.30.17
github.com/aws/aws-sdk-go-v2/service/ssooidc	v1.35.17 -> v1.36.0
github.com/aws/aws-sdk-go-v2/service/sts	v1.41.9 -> v1.42.1
github.com/aws/smithy-go	v1.25.0 -> v1.25.1
github.com/buildkite/agent/v3	v3.118.0 -> v3.127.2
github.com/buildkite/go-pipeline	v0.16.0 -> v0.17.1
github.com/decred/dcrd/dcrec/secp256k1/v4	v4.4.0 -> v4.4.1
github.com/docker/cli	v29.4.0+incompatible -> v29.4.3+incompatible
github.com/docker/go-connections	v0.6.0 -> v0.7.0
github.com/go-chi/chi/v5	v5.2.5 -> v5.3.0
github.com/go-openapi/analysis	v0.24.3 -> v0.25.2
github.com/go-openapi/jsonpointer	v0.22.5 -> v0.23.1
github.com/go-openapi/jsonreference	v0.21.5 -> v0.21.6
github.com/go-openapi/runtime	v0.29.3 -> v0.32.3
github.com/go-openapi/spec	v0.22.4 -> v0.22.5
github.com/go-openapi/strfmt	v0.26.1 -> v0.26.3
github.com/go-openapi/swag	v0.25.5 -> v0.26.0
github.com/go-openapi/swag/cmdutils	v0.25.5 -> v0.26.0
github.com/go-openapi/swag/conv	v0.25.5 -> v0.26.1
github.com/go-openapi/swag/fileutils	v0.25.5 -> v0.26.0
github.com/go-openapi/swag/jsonname	v0.25.5 -> v0.26.0
github.com/go-openapi/swag/jsonutils	v0.25.5 -> v0.26.0
github.com/go-openapi/swag/loading	v0.25.5 -> v0.26.0
github.com/go-openapi/swag/mangling	v0.25.5 -> v0.26.0
github.com/go-openapi/swag/netutils	v0.25.5 -> v0.26.0
github.com/go-openapi/swag/stringutils	v0.25.5 -> v0.26.0
github.com/go-openapi/swag/typeutils	v0.25.5 -> v0.26.1
github.com/go-openapi/swag/yamlutils	v0.25.5 -> v0.26.0
github.com/go-openapi/validate	v0.25.2 -> v0.25.3
github.com/go-piv/piv-go/v2	v2.5.0 -> v2.6.0
github.com/go-playground/validator/v10	v10.30.2 -> v10.30.3
github.com/google/go-containerregistry	v0.21.5 -> v0.21.6
github.com/googleapis/enterprise-certificate-proxy	v0.3.14 -> v0.3.16
github.com/googleapis/gax-go/v2	v2.21.0 -> v2.22.0
github.com/hashicorp/go-version	v1.8.0 -> v1.9.0
github.com/lestrrat-go/dsig	v1.0.0 -> v1.2.1
github.com/lestrrat-go/httprc/v3	v3.0.2 -> v3.0.5
github.com/lestrrat-go/jwx/v3	v3.0.13 -> v3.1.1
github.com/letsencrypt/boulder	v0.20260223.0 -> v0.20260309.0
github.com/moby/moby/api	v1.54.1 -> v1.54.2
github.com/moby/moby/client	v0.4.0 -> v0.4.1
github.com/open-policy-agent/opa	v1.14.1 -> v1.17.1
github.com/sigstore/fulcio	v1.8.5 -> v1.8.7
github.com/sigstore/protobuf-specs	v0.5.0 -> v0.5.1
github.com/sigstore/rekor	v1.5.1 -> v1.5.2
github.com/sigstore/rekor-tiles/v2	v2.2.1 -> v2.2.2-0.20260601073857-5d098a2b6443
github.com/sigstore/sigstore	v1.10.5 -> v1.10.8
github.com/sigstore/sigstore-go	v1.1.4 -> v1.2.0
github.com/sigstore/sigstore/pkg/signature/kms/aws	v1.10.5 -> v1.10.8
github.com/sigstore/sigstore/pkg/signature/kms/azure	v1.10.5 -> v1.10.8
github.com/sigstore/sigstore/pkg/signature/kms/gcp	v1.10.5 -> v1.10.8
github.com/sigstore/sigstore/pkg/signature/kms/hashivault	v1.10.5 -> v1.10.8
github.com/sigstore/timestamp-authority/v2	v2.0.6 -> v2.1.2
github.com/spiffe/go-spiffe/v2	v2.6.0 -> v2.7.0
github.com/theupdateframework/go-tuf/v2	v2.4.1 -> v2.4.2
github.com/transparency-dev/formats	v0.1.0 -> v0.1.1
github.com/valyala/fastjson	v1.6.7 -> v1.6.10
github.com/vektah/gqlparser/v2	v2.5.32 -> v2.5.33
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	v0.64.0 -> v0.68.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.67.0 -> v0.68.0
go.opentelemetry.io/otel/sdk/metric	v1.43.0 -> v1.44.0
go.uber.org/zap	v1.27.1 -> v1.28.0
golang.org/x/crypto	v0.51.0 -> v0.53.0
golang.org/x/term	v0.43.0 -> v0.44.0
golang.org/x/tools	v0.44.0 -> v0.45.0
google.golang.org/api	v0.274.0 -> v0.283.0
google.golang.org/genproto	v0.0.0-20260319201613-d00831a3d3e7 -> v0.0.0-20260406210006-6f92a3bedf2d
gopkg.in/ini.v1	v1.67.1 -> v1.67.2
k8s.io/api	v0.35.3 -> v0.36.1
k8s.io/apimachinery	v0.35.3 -> v0.36.1
k8s.io/client-go	v0.35.3 -> v0.36.1
k8s.io/kube-openapi	v0.0.0-20250910181357-589584f1c912 -> v0.0.0-20260317180543-43fb72c5454a
sigs.k8s.io/structured-merge-diff/v6	v6.3.0 -> v6.3.2
github.com/grpc-ecosystem/grpc-gateway/v2	v2.28.0 -> v2.29.0
github.com/klauspost/compress	v1.18.5 -> v1.18.6
go.opentelemetry.io/otel	v1.43.0 -> v1.44.0
go.opentelemetry.io/otel/metric	v1.43.0 -> v1.44.0
go.opentelemetry.io/otel/sdk	v1.43.0 -> v1.44.0
go.opentelemetry.io/otel/trace	v1.43.0 -> v1.44.0
golang.org/x/net	v0.54.0 -> v0.55.0
golang.org/x/sync	v0.20.0 -> v0.21.0
golang.org/x/text	v0.37.0 -> v0.38.0
google.golang.org/genproto/googleapis/api	v0.0.0-20260401024825-9d38bb4040a9 -> v0.0.0-20260526163538-3dc84a4a5aaa
google.golang.org/genproto/googleapis/rpc	v0.0.0-20260504160031-60b97b32f348 -> v0.0.0-20260523011958-0a33c5d7ca68
google.golang.org/grpc	v1.81.0 -> v1.81.1
google.golang.org/protobuf	v1.36.11 -> v1.36.12-0.20260120151049-f2248ac996af