Update module github.com/sigstore/sigstore to v1.10.4 [SECURITY] (release-v0.7) - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/sigstore/sigstore	v1.9.1 → v1.10.4

GitHub Vulnerability Alerts

CVE-2026-24137

Summary

The legacy TUF client pkg/tuf/client.go, which supports caching target files to disk, constructs a filesystem path by joining a cache base directory with a target name sourced from signed target metadata, but it does not validate that the resulting path stays within the cache base directory.

Note that this should only affect clients that are directly using the TUF client in sigstore/sigstore or are using an older version of Cosign. As this TUF client implementation is deprecated, users should migrate to https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf as soon as possible.

Note that this does not affect users of the public Sigstore deployment, where TUF metadata is validated by a quorum of trusted collaborators.

Impact

A malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the calling process has.

Workarounds

Users can disable disk caching for the legacy client by setting SIGSTORE_NO_CACHE=true in the environment, migrate to https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf, or upgrade to the latest sigstore/sigstore release.

---

Release Notes

sigstore/sigstore (github.com/sigstore/sigstore)

v1.10.4

Compare Source

What's Changed

• Escape target name - GHSA-fcv2-xgw5-pqxf in #​2265

Full Changelog: sigstore/sigstore@v1.10.3...v1.10.4

v1.10.3

Compare Source

What's Changed

v1.10.3 adds ValidatePubKey back to the cryptoutils package to avoid a breaking API change.

• Add back ValidatePubKey as a deprecated, minimal function in #​2235

Full Changelog: sigstore/sigstore@v1.10.2...v1.10.3

v1.10.2

v1.10.2

Functionally equivalent to v1.10.0. v1.10.1 has been retracted to remove copied code.

v1.10.0

Breaking change

#​2194 moves cryptoutils.ValidatePubKey to goodkey.ValidatePubKey to minimize the dependency tree for clients using the cryptoutils package.

Features

• feat(hashivault): token helper in #​2174
• set GoogleAPIClientOption on GCP KMS provider in #​2128

Refactoring

• cryptoutils: move goodkey validation to separate package in #​2194
• Stop depending on golang.org/x/crypto for sha3 in #​2209
• remove duplicative dependency for portable browser opener in #​2178
• consolidate deep Equal usage to one library in #​2177
• Drop redundant aws-sdk-go dependency in the e2e kms tests in #​2172

v1.10.0

Compare Source

Breaking change

#​2194 moves cryptoutils.ValidatePubKey to goodkey.ValidatePubKey to minimize the dependency tree for clients using the cryptoutils package.

Features

• feat(hashivault): token helper in #​2174
• set GoogleAPIClientOption on GCP KMS provider in #​2128

Refactoring

• cryptoutils: move goodkey validation to separate package in #​2194
• Stop depending on golang.org/x/crypto for sha3 in #​2209
• remove duplicative dependency for portable browser opener in #​2178
• consolidate deep Equal usage to one library in #​2177
• Drop redundant aws-sdk-go dependency in the e2e kms tests in #​2172

Full Changelog: sigstore/sigstore@v1.9.5...v1.10.0

v1.9.5

Compare Source

What's Changed

• Add context from opts to Azure signer in #​2070
• add RWMutex around providerMap to protect concurrent ops in #​2077

Full Changelog: sigstore/sigstore@v1.9.4...v1.9.5

v1.9.4

Compare Source

What's Changed

• Add a Name field to the TargetFile struct in #​2068
• Update to use Tink v2.3.0 API in #​2069

Full Changelog: sigstore/sigstore@v1.9.3...v1.9.4

v1.9.3

Compare Source

What's Changed

• add proto hash algorithm to registry by @​loosebazooka in #​2048

New Contributors

• @​loosebazooka made their first contribution in #​2048

Full Changelog: sigstore/sigstore@v1.9.2...v1.9.3

v1.9.2

Compare Source

What's Changed

• Add tink package by @​cmurphy in #​2024
• pkg/signature: add P384/P521 compatibility algo to algorithm registry by @​ret2libc in #​2037

New Contributors

• @​cmurphy made their first contribution in #​2024

Full Changelog: sigstore/sigstore@v1.9.1...v1.9.2

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: acceptance/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 13 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.24.6 -> 1.25.0
github.com/go-jose/go-jose/v4	v4.1.2 -> v4.1.3
github.com/google/certificate-transparency-go	v1.2.1 -> v1.3.2-0.20250507091337-0eddb39e94f8
github.com/grpc-ecosystem/grpc-gateway/v2	v2.26.3 -> v2.27.2
github.com/letsencrypt/boulder	v0.0.0-20240830194243-1fcf0ee08180 -> v0.20251110.0
github.com/sigstore/protobuf-specs	v0.4.1 -> v0.5.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.61.0 -> v0.63.0
go.opentelemetry.io/otel	v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/metric	v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/trace	v1.37.0 -> v1.38.0
golang.org/x/oauth2	v0.30.0 -> v0.33.0
google.golang.org/genproto/googleapis/api	v0.0.0-20250804133106-a7a43d27e69b -> v0.0.0-20250825161204-c5933d9347a5
google.golang.org/genproto/googleapis/rpc	v0.0.0-20250804133106-a7a43d27e69b -> v0.0.0-20250825161204-c5933d9347a5
google.golang.org/protobuf	v1.36.10 -> v1.36.11

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 33 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.24.6 -> 1.25.0
github.com/aws/aws-sdk-go-v2	v1.36.3 -> v1.39.2
github.com/aws/aws-sdk-go-v2/config	v1.29.10 -> v1.31.11
github.com/aws/aws-sdk-go-v2/credentials	v1.17.63 -> v1.18.15
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	v1.16.30 -> v1.18.9
github.com/aws/aws-sdk-go-v2/internal/configsources	v1.3.34 -> v1.4.9
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	v2.6.34 -> v2.7.9
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	v1.12.3 -> v1.13.1
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	v1.12.15 -> v1.13.9
github.com/aws/aws-sdk-go-v2/service/sso	v1.25.1 -> v1.29.5
github.com/aws/aws-sdk-go-v2/service/ssooidc	v1.29.2 -> v1.35.1
github.com/aws/aws-sdk-go-v2/service/sts	v1.33.17 -> v1.38.6
github.com/aws/smithy-go	v1.22.2 -> v1.23.0
github.com/cenkalti/backoff/v5	v5.0.2 -> v5.0.3
github.com/coreos/go-oidc/v3	v3.12.0 -> v3.17.0
github.com/go-jose/go-jose/v4	v4.1.2 -> v4.1.3
github.com/google/certificate-transparency-go	v1.2.1 -> v1.3.2-0.20250507091337-0eddb39e94f8
github.com/grpc-ecosystem/grpc-gateway/v2	v2.26.3 -> v2.27.2
github.com/letsencrypt/boulder	v0.0.0-20240830194243-1fcf0ee08180 -> v0.20251110.0
github.com/sigstore/protobuf-specs	v0.4.1 -> v0.5.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	v0.60.0 -> v0.63.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.61.0 -> v0.63.0
go.opentelemetry.io/otel	v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.36.0 -> v1.38.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	v1.36.0 -> v1.38.0
go.opentelemetry.io/otel/metric	v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/sdk	v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/sdk/metric	v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/trace	v1.37.0 -> v1.38.0
go.opentelemetry.io/proto/otlp	v1.6.0 -> v1.7.1
golang.org/x/oauth2	v0.30.0 -> v0.33.0
google.golang.org/genproto/googleapis/api	v0.0.0-20250804133106-a7a43d27e69b -> v0.0.0-20250825161204-c5933d9347a5
google.golang.org/genproto/googleapis/rpc	v0.0.0-20250804133106-a7a43d27e69b -> v0.0.0-20250825161204-c5933d9347a5
google.golang.org/protobuf	v1.36.10 -> v1.36.11

[qodo-code-review]

CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: Test

Failed stage: Test [❌]

Failed test name: TestOCITracing, TestHTTPTracing

Failure summary: The action failed because make test failed (Makefile:104) when two Go unit tests in internal/downloader errored out: - TestOCITracing failed at /home/runner/work/cli/cli/internal/downloader/downloader_test.go:188 with unknown or unsupported trace version go 1.25. - TestHTTPTracing failed at /home/runner/work/cli/cli/internal/downloader/downloader_test.go:238 with unknown or unsupported trace version go 1.25. This indicates the tests attempted to read/parse a trace file produced with Go 1.25, but the trace parser/library used by the code under test does not support that trace version, causing go test to exit non-zero and the GitHub Action to fail.

Relevant error logs: 1: ##[group]Runner Image Provisioner 2: Hosted Compute Agent ... 707: go: downloading github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240826150212-5dc58b6e29f8 708: go: downloading github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 709: go: downloading github.com/mozillazg/docker-credential-acr-helper v0.4.0 710: go: downloading sigs.k8s.io/release-utils v0.8.4 711: go: downloading go.yaml.in/yaml/v2 v2.4.2 712: go: downloading github.com/logrusorgru/aurora v2.0.3+incompatible 713: go: downloading github.com/olekukonko/tablewriter v0.0.5 714: go: downloading github.com/owenrumney/go-sarif/v2 v2.3.3 715: go: downloading github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f 716: go: downloading github.com/go-openapi/runtime v0.28.0 717: go: downloading github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 718: go: downloading github.com/go-openapi/strfmt v0.23.0 719: go: downloading github.com/go-openapi/swag v0.23.1 720: go: downloading github.com/google/certificate-transparency-go v1.3.2-0.20250507091337-0eddb39e94f8 721: go: downloading github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 722: go: downloading github.com/pkg/errors v0.9.1 723: go: downloading github.com/sigstore/timestamp-authority v1.2.2 ... 743: go: downloading github.com/google/cel-go v0.26.0 744: go: downloading k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b 745: go: downloading knative.dev/pkg v0.0.0-20240815051656-89743d9bbf7c 746: go: downloading github.com/sigstore/fulcio v1.6.3 747: go: downloading go.step.sm/crypto v0.60.0 748: go: downloading github.com/chainguard-dev/git-urls v1.0.2 749: go: downloading github.com/sigstore/protobuf-specs v0.5.0 750: go: downloading github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 751: go: downloading golang.org/x/net v0.46.0 752: go: downloading github.com/theupdateframework/go-tuf v0.7.0 753: go: downloading github.com/ProtonMail/go-crypto v1.1.5 754: go: downloading github.com/go-git/go-billy/v5 v5.6.2 755: go: downloading github.com/emirpasic/gods v1.18.1 756: go: downloading github.com/hashicorp/go-cleanhttp v0.5.2 757: go: downloading github.com/hashicorp/go-retryablehttp v0.7.7 758: go: downloading github.com/go-openapi/errors v0.22.1 759: go: downloading github.com/go-openapi/validate v0.24.0 ... 948: go: downloading github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.49.0 949: go: downloading github.com/googleapis/gax-go/v2 v2.14.1 950: go: downloading go.opentelemetry.io/contrib/detectors/gcp v1.36.0 951: go: downloading go.opentelemetry.io/otel/sdk/metric v1.38.0 952: go: downloading go.uber.org/multierr v1.11.0 953: go: downloading github.com/sassoftware/relic v7.2.1+incompatible 954: go: downloading github.com/go-logr/stdr v1.2.2 955: go: downloading go.opentelemetry.io/auto/sdk v1.1.0 956: go: downloading github.com/moby/locker v1.0.1 957: go: downloading github.com/dgraph-io/ristretto/v2 v2.2.0 958: go: downloading github.com/census-instrumentation/opencensus-proto v0.4.1 959: go: downloading github.com/golang/protobuf v1.5.4 960: go: downloading github.com/prometheus/statsd_exporter v0.27.1 961: go: downloading github.com/blendle/zapdriver v1.3.1 962: go: downloading github.com/golang/snappy v0.0.4 963: go: downloading github.com/hashicorp/go-multierror v1.1.1 964: go: downloading cloud.google.com/go/auth v0.15.0 ... 985: go: downloading gopkg.in/evanphx/json-patch.v4 v4.12.0 986: go: downloading github.com/go-logfmt/logfmt v0.6.0 987: go: downloading github.com/spiffe/go-spiffe/v2 v2.5.0 988: go: downloading github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 989: go: downloading github.com/zeebo/errs v1.4.0 990: go: downloading github.com/envoyproxy/protoc-gen-validate v1.2.1 991: ##[group]Run git diff --stat --patch 992: �[36;1mgit diff --stat --patch�[0m 993: shell: /usr/bin/bash -e {0} 994: env: 995: GOTOOLCHAIN: local 996: ##[endgroup] 997: ##[group]Run if ! git diff --exit-code -s; then 998: �[36;1mif ! git diff --exit-code -s; then�[0m 999: �[36;1m for f in $(git diff --exit-code --name-only); do�[0m 1000: �[36;1m echo "::error file=$f,line=1,col=1,endColumn=1::File was modified in build"�[0m 1001: �[36;1m done�[0m ... 1040: 2026/02/02 13:08:48 HEAD /v2/repository/image/blobs/sha256:54271efe67f34f4ff120ae084fb91530126a8feb5973bec1bfefc7f11bf066e7 404 BLOB_UNKNOWN Unknown blob 1041: 2026/02/02 13:08:48 POST /v2/repository/image/blobs/uploads/ 1042: 2026/02/02 13:08:48 POST /v2/repository/image/blobs/uploads/ 1043: 2026/02/02 13:08:48 POST /v2/repository/image/blobs/uploads/ 1044: 2026/02/02 13:08:48 PATCH /v2/repository/image/blobs/uploads/3680093464341705145 1045: 2026/02/02 13:08:48 PATCH /v2/repository/image/blobs/uploads/5933059241017482235 1046: 2026/02/02 13:08:48 PATCH /v2/repository/image/blobs/uploads/4935094923273576244 1047: 2026/02/02 13:08:48 PUT /v2/repository/image/blobs/uploads/3680093464341705145?digest=sha256%3A62470c62182abb05c5b3292ebf9acacab7b239bf43aa37c6ed8461732f20f58e 1048: 2026/02/02 13:08:48 PUT /v2/repository/image/blobs/uploads/4935094923273576244?digest=sha256%3A54271efe67f34f4ff120ae084fb91530126a8feb5973bec1bfefc7f11bf066e7 1049: 2026/02/02 13:08:48 PUT /v2/repository/image/blobs/uploads/5933059241017482235?digest=sha256%3A59a03353b9249a777179947faa21d38f9123f2777d27a6c04912e9ff48db2f63 1050: 2026/02/02 13:08:48 PUT /v2/repository/image/manifests/tag 1051: 2026/02/02 13:08:48 GET /v2/repository/image/manifests/tag 1052: 2026/02/02 13:08:48 GET /v2/repository/image/blobs/sha256:62470c62182abb05c5b3292ebf9acacab7b239bf43aa37c6ed8461732f20f58e 1053: 2026/02/02 13:08:48 GET /v2/repository/image/blobs/sha256:54271efe67f34f4ff120ae084fb91530126a8feb5973bec1bfefc7f11bf066e7 1054: 2026/02/02 13:08:48 GET /v2/repository/image/blobs/sha256:59a03353b9249a777179947faa21d38f9123f2777d27a6c04912e9ff48db2f63 1055: --- FAIL: TestOCITracing (0.04s) 1056: downloader_test.go:188: 1057: Error Trace: /home/runner/work/cli/cli/internal/downloader/downloader_test.go:188 1058: Error: Received unexpected error: 1059: unknown or unsupported trace version go 1.25 1060: Test: TestOCITracing 1061: --- FAIL: TestHTTPTracing (0.00s) 1062: downloader_test.go:238: 1063: Error Trace: /home/runner/work/cli/cli/internal/downloader/downloader_test.go:238 1064: Error: Received unexpected error: 1065: unknown or unsupported trace version go 1.25 ... 1081: ok github.com/conforma/cli/internal/opa/rule 1.056s coverage: 90.1% of statements 1082: ok github.com/conforma/cli/internal/output 1.141s coverage: 87.9% of statements 1083: ok github.com/conforma/cli/internal/policy 1.927s coverage: 87.2% of statements 1084: ok github.com/conforma/cli/internal/policy/source 1.039s coverage: 77.4% of statements 1085: ok github.com/conforma/cli/internal/rego/oci 1.105s coverage: 96.0% of statements 1086: ok github.com/conforma/cli/internal/rego/sigstore 1.169s coverage: 88.8% of statements 1087: ok github.com/conforma/cli/internal/signature 1.056s coverage: 65.9% of statements 1088: ok github.com/conforma/cli/internal/tracing 1.025s coverage: 97.6% of statements 1089: ok github.com/conforma/cli/internal/tracker 1.300s coverage: 69.3% of statements 1090: ok github.com/conforma/cli/internal/utils 1.039s coverage: 78.1% of statements 1091: ok github.com/conforma/cli/internal/utils/oci 1.201s coverage: 17.9% of statements 1092: ok github.com/conforma/cli/internal/validate 1.019s coverage: 56.0% of statements 1093: ok github.com/conforma/cli/internal/validate/vsa 1.152s coverage: 69.6% of statements 1094: ok github.com/conforma/cli/internal/version 1.015s coverage: 94.3% of statements 1095: FAIL 1096: make: *** [Makefile:104: test] Error 1 1097: ##[error]Process completed with exit code 2. 1098: Post job cleanup.