Bump github.com/sigstore/cosign/v2 from 2.0.2 to 2.4.1

[dependabot[bot]]

Bumps github.com/sigstore/cosign/v2 from 2.0.2 to 2.4.1.

Release notes

Sourced from github.com/sigstore/cosign/v2's releases.

v2.4.1

Changelog

• 9a4cfe1aae777984c07ce373d97a65428bbff734 update changelog for v2.4.1 (#3896)
• 0bd0d91ff5532e6774c312d0d88d87b21b8ae267 chore(deps): bump actions/checkout in the actions group (#3893)
• 66af64ef9515a05ef609b5c20e9c3f8254e5f562 chore(deps): bump github.com/theupdateframework/go-tuf/v2 (#3895)
• 677a262c3205c7bf8612f30b7b44bdf51bd68bac bump scaffolding release to v0.7.11 (#3887)
• 77f71e0d7470e31ed4ed5653fe5a7c8e3b283606 Update README.md (#3886)
• 43933130d2cae41d333e5148c54fc2fb7e77e712 Fix bug in attest-blob when using a timestamp authority with new bundles (#3877)
• 081dea1918e9536c1fe233aa2596301381967b3b fix: documentation link for installation guide (#3884)
• 780780b11e0998512c034317fd7e98776153e59d chore(deps): bump github.com/xanzy/go-gitlab from 0.108.0 to 0.109.0 (#3867)
• dee0b23f97cf9cc48a0edf985301c64014c984e0 chore(deps): bump github.com/buildkite/agent/v3 from 3.79.0 to 3.81.0 (#3874)
• 4ffbf5f681dc94cf3cb7b57aa95a97f6d8e0c72d update to use go1.22.7 and golangci-lint (#3864)
• 4c35ffc40d58e09b89c24342024a0d15b2c756d5 chore(deps): bump github.com/sigstore/sigstore-go from 0.6.0 to 0.6.1 (#3863)
• 081ad98a526de15a16ff2c0b2b25281e1eaeb05f use go1.22.6 to build cosign (#3862)
• f90977c9f881cf6e0023391ea982440296c41979 chore(deps): bump github.com/open-policy-agent/opa from 0.67.1 to 0.68.0 (#3861)
• c1e508521d73805569b86f245fa35e74c0f607f5 chore(deps): bump google.golang.org/api from 0.194.0 to 0.195.0 (#3860)
• 42fd5f2161f7e0cfd2f0abd6adcc7aa9e8fdc571 chore(deps): bump github.com/mozillazg/docker-credential-acr-helper (#3859)
• 4beb7f49ff2b0957804b6dafc87a06edfe7b416b chore(deps): bump github.com/buildkite/agent/v3 from 3.78.0 to 3.79.0 (#3858)
• 247c9dcb8d7af3702deedde50f9b84ecfbde69db chore(deps): bump go.step.sm/crypto in the gomod group (#3857)
• 842d3cc86c35198aa74fda496e003721f75ea482 chore(deps): bump actions/upload-artifact in the actions group (#3856)
• 8defb0e72baa6c0385f4097723a3574e6d0406d0 chore(deps): bump google.golang.org/api from 0.192.0 to 0.194.0 (#3852)
• fe71244d19c12561dc88cce662959ffcfff2d29a chore(deps): bump github.com/xanzy/go-gitlab from 0.107.0 to 0.108.0 (#3851)
• 84e979df87efd744c97d051c8f64fc47a84645d9 chore(deps): bump the actions group across 1 directory with 3 updates (#3853)
• 198b8e497292009deb5e657973a302954d061734 chore(deps): bump github.com/buildkite/agent/v3 from 3.77.0 to 3.78.0 (#3850)
• 282070958f0b92bbf8d0547e3bb85e13ef32031e chore(deps): bump github.com/sigstore/fulcio in the gomod group (#3848)
• d712844a0677cb07bfadbca6f8e937dd4f47ea63 add oss-fuzz build script, seeds and dictionaries (#3843)
• 8a4f39046605e0072cda5da67a457fcb57b5e767 chore(deps): bump github.com/sigstore/fulcio from 1.5.1 to 1.6.2 (#3839)
• be4cdc231b5264cb62b2f9d03354900165e04cae chore(deps): bump google.golang.org/api from 0.191.0 to 0.192.0 (#3837)
• 30c1d0f53bf9d646fe5d97c98c69dd4c16fad986 chore(deps): bump github.com/sigstore/sigstore-go from 0.5.1 to 0.6.0 (#3840)
• 9c0c81cba077a75dcdc137f735e4721cd0ad7538 fuzzing: add fuzzers for multiple packages (#3834)
• 3694644fdcb3502770658f12167404f225695c15 chore(deps): bump the gomod group with 2 updates (#3824)
• 182f64b3d7ce0be64bbbd74f31f287d409802020 chore(deps): bump github.com/buildkite/agent/v3 from 3.76.2 to 3.77.0 (#3828)
• fa128457108cfb1c4f49f953fdf1818e34857003 chore(deps): bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#3825)
• cddce0f1edc5c398ee63433b1e254b548b2c2782 chore(deps): bump google.golang.org/api from 0.190.0 to 0.191.0 (#3830)
• e99c1a536e595ce72c236ed11dc1acaaa3dca395 chore(deps): bump github.com/docker/docker (#3823)
• b23586d6390d6a48ba4789848fe6ad89710afb7f Add changelog for v2.4.0 (#3821)
• cb338e9f788f7105f51ad153825ce2b5b39663d9 Add missing permission to push containers (#3822)

Thanks to all contributors!

v2.4.0 begins the modernization of the Cosign client, which includes:

• Support for the newer Sigstore specification-compliant bundle format
• Support for providing trust roots (e.g. Fulcio certificates, Rekor keys) through a trust root file, instead of many different flags
• Conformance test suite integration to verify signing and verification behavior

In future updates, we'll include:

... (truncated)

Changelog

Sourced from github.com/sigstore/cosign/v2's changelog.

v2.4.1

v2.4.1 largely contains bug fixes and updates dependencies.

Features

• Added fuzzing coverage to multiple packages

Bug Fixes

• Fix bug in attest-blob when using a timestamp authority with new bundles (#3877)
• fix: documentation link for installation guide (#3884)

Contributors

• AdamKorcz
• Bob Callaway
• Carlos Tadeu Panato Junior
• Hayden B
• Hemil K
• Sota Sugiura
• Zach Steindler

v2.4.0

v2.4.0 begins the modernization of the Cosign client, which includes:

• Support for the newer Sigstore specification-compliant bundle format
• Support for providing trust roots (e.g. Fulcio certificates, Rekor keys) through a trust root file, instead of many different flags
• Conformance test suite integration to verify signing and verification behavior

In future updates, we'll include:

• General support for the trust root file, instead of only when using the bundle format during verification
• Simplification of trust root flags and deprecation of the Cosign-specific bundle format
• Bundle support with container signing

We have also moved nightly Cosign container builds to GHCR instead of GCR.

Features

• Add new bundle support to verify-blob and verify-blob-attestation (#3796)
• Adding protobuf bundle support to sign-blob and attest-blob (#3752)
• Bump sigstore/sigstore to support email_verified as string or boolean (#3819)
• Conformance testing for cosign (#3806)
• move incremental builds per commit to GHCR instead of GCR (#3808)
• Add support for recording creation timestamp for cosign attest (#3797)
• Include SCT verification failure details in error message (#3799)

... (truncated)

Commits

• 9a4cfe1 update changelog for v2.4.1 (#3896)
• 0bd0d91 chore(deps): bump actions/checkout in the actions group (#3893)
• 66af64e chore(deps): bump github.com/theupdateframework/go-tuf/v2 (#3895)
• 677a262 bump scaffolding release to v0.7.11 (#3887)
• 77f71e0 Update README.md (#3886)
• 4393313 Fix bug in attest-blob when using a timestamp authority with new bundles (#3877)
• 081dea1 fix: documentation link for installation guide (#3884)
• 780780b chore(deps): bump github.com/xanzy/go-gitlab from 0.108.0 to 0.109.0 (#3867)
• dee0b23 chore(deps): bump github.com/buildkite/agent/v3 from 3.79.0 to 3.81.0 (#3874)
• 4ffbf5f update to use go1.22.7 and golangci-lint (#3864)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)