update: bump the gomod-packages group with 7 updates

[dependabot[bot]]

Bumps the gomod-packages group with 7 updates:

Package	From	To
github.com/google/go-containerregistry	0.20.1	0.20.2
github.com/sigstore/cosign/v2	2.3.0	2.4.0
github.com/sigstore/sigstore	1.8.7	1.8.8
github.com/sigstore/sigstore/pkg/signature/kms/aws	1.8.7	1.8.8
github.com/sigstore/sigstore/pkg/signature/kms/azure	1.8.7	1.8.8
github.com/sigstore/sigstore/pkg/signature/kms/gcp	1.8.7	1.8.8
github.com/sigstore/sigstore/pkg/signature/kms/hashivault	1.8.7	1.8.8

Updates github.com/google/go-containerregistry from 0.20.1 to 0.20.2

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.20.2

What's Changed

• deps: bump docker dep by @​imjasonh in google/go-containerregistry#1991

Full Changelog: https://github.com/google/go-containerregistry/compare/v0.20.1...v0.20.2

Commits

• c195f15 deps: bump docker dep (#1991)
• See full diff in compare view

Updates github.com/sigstore/cosign/v2 from 2.3.0 to 2.4.0

Release notes

Sourced from github.com/sigstore/cosign/v2's releases.

v2.4.0 begins the modernization of the Cosign client, which includes:

• Support for the newer Sigstore specification-compliant bundle format
• Support for providing trust roots (e.g. Fulcio certificates, Rekor keys) through a trust root file, instead of many different flags
• Conformance test suite integration to verify signing and verification behavior

In future updates, we'll include:

• General support for the trust root file, instead of only when using the bundle format during verification
• Simplification of trust root flags and deprecation of the Cosign-specific bundle format
• Bundle support with container signing

We have also moved nightly Cosign container builds to GHCR instead of GCR.

Features

• Add new bundle support to verify-blob and verify-blob-attestation (#3796)
• Adding protobuf bundle support to sign-blob and attest-blob (#3752)
• Bump sigstore/sigstore to support email_verified as string or boolean (#3819)
• Conformance testing for cosign (#3806)
• move incremental builds per commit to GHCR instead of GCR (#3808)
• Add support for recording creation timestamp for cosign attest (#3797)
• Include SCT verification failure details in error message (#3799)

Contributors

• Bob Callaway
• Hayden B
• Slavek Kabrda
• Zach Steindler
• Zsolt Horvath

Full Changelog: https://github.com/sigstore/cosign/compare/v2.3.0...v2.4.0

Commits

• b5e7dc1 Add login for GHCR (#3820)
• c346825 Bump sigstore/sigstore (#3819)
• fd0368a Conformance testing for cosign (#3806)
• 2387b50 chore(deps): bump google.golang.org/api from 0.189.0 to 0.190.0 (#3815)
• be43902 move incremental builds per commit to GHCR instead of GCR (#3808)
• d0492cf chore(deps): bump github.com/buildkite/agent/v3 from 3.75.1 to 3.76.2 (#3813)
• e3a3914 chore(deps): bump golang.org/x/sync from 0.7.0 to 0.8.0 (#3814)
• 7bac5e9 tidy up validate release script (#3817)
• 983a368 chore(deps): bump go.step.sm/crypto from 0.50.0 to 0.51.1 (#3812)
• 71a4952 chore(deps): bump golang.org/x/oauth2 from 0.21.0 to 0.22.0 (#3811)
• Additional commits viewable in compare view

Updates github.com/sigstore/sigstore from 1.8.7 to 1.8.8

Release notes

Sourced from github.com/sigstore/sigstore's releases.

v1.8.8

What's Changed

• Fixes issue in Device access token request by @​rishabhsvats in sigstore/sigstore#1752
• Support email_verified as a String by @​sabre1041 in sigstore/sigstore#1794
• Dependency updates

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.8.7...v1.8.8

Commits

• 7053232 build(deps): Bump golang.org/x/oauth2 from 0.21.0 to 0.22.0 (#1796)
• dd948da build(deps): Bump google.golang.org/api in /pkg/signature/kms/gcp (#1797)
• 7cc4a3e build(deps): Bump golang.org/x/oauth2 in /pkg/signature/kms/gcp
• 9584c8e build(deps): Bump dexidp/dex in /test/e2e in the all group
• 5b69695 build(deps): Bump github.com/aws/aws-sdk-go
• 54745c6 build(deps): Bump the all group with 2 updates
• 0a54fea Support email_verified as a String (#1794)
• 89b9585 Fixes issue in Device access token request (#1752)
• 562745e build(deps): Bump localstack/localstack in /test/e2e in the all group
• 516ef6e build(deps): Bump github.com/aws/aws-sdk-go in /pkg/signature/kms/aws
• Additional commits viewable in compare view

Updates github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.8.7 to 1.8.8

Release notes

Sourced from github.com/sigstore/sigstore/pkg/signature/kms/aws's releases.

v1.8.8

What's Changed

• Fixes issue in Device access token request by @​rishabhsvats in sigstore/sigstore#1752
• Support email_verified as a String by @​sabre1041 in sigstore/sigstore#1794
• Dependency updates

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.8.7...v1.8.8

Commits

• 7053232 build(deps): Bump golang.org/x/oauth2 from 0.21.0 to 0.22.0 (#1796)
• dd948da build(deps): Bump google.golang.org/api in /pkg/signature/kms/gcp (#1797)
• 7cc4a3e build(deps): Bump golang.org/x/oauth2 in /pkg/signature/kms/gcp
• 9584c8e build(deps): Bump dexidp/dex in /test/e2e in the all group
• 5b69695 build(deps): Bump github.com/aws/aws-sdk-go
• 54745c6 build(deps): Bump the all group with 2 updates
• 0a54fea Support email_verified as a String (#1794)
• 89b9585 Fixes issue in Device access token request (#1752)
• 562745e build(deps): Bump localstack/localstack in /test/e2e in the all group
• 516ef6e build(deps): Bump github.com/aws/aws-sdk-go in /pkg/signature/kms/aws
• Additional commits viewable in compare view

Updates github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.8.7 to 1.8.8

Release notes

Sourced from github.com/sigstore/sigstore/pkg/signature/kms/azure's releases.

v1.8.8

What's Changed

• Fixes issue in Device access token request by @​rishabhsvats in sigstore/sigstore#1752
• Support email_verified as a String by @​sabre1041 in sigstore/sigstore#1794
• Dependency updates

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.8.7...v1.8.8

Commits

• 7053232 build(deps): Bump golang.org/x/oauth2 from 0.21.0 to 0.22.0 (#1796)
• dd948da build(deps): Bump google.golang.org/api in /pkg/signature/kms/gcp (#1797)
• 7cc4a3e build(deps): Bump golang.org/x/oauth2 in /pkg/signature/kms/gcp
• 9584c8e build(deps): Bump dexidp/dex in /test/e2e in the all group
• 5b69695 build(deps): Bump github.com/aws/aws-sdk-go
• 54745c6 build(deps): Bump the all group with 2 updates
• 0a54fea Support email_verified as a String (#1794)
• 89b9585 Fixes issue in Device access token request (#1752)
• 562745e build(deps): Bump localstack/localstack in /test/e2e in the all group
• 516ef6e build(deps): Bump github.com/aws/aws-sdk-go in /pkg/signature/kms/aws
• Additional commits viewable in compare view

Updates github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.8.7 to 1.8.8

Release notes

Sourced from github.com/sigstore/sigstore/pkg/signature/kms/gcp's releases.

v1.8.8

What's Changed

• Fixes issue in Device access token request by @​rishabhsvats in sigstore/sigstore#1752
• Support email_verified as a String by @​sabre1041 in sigstore/sigstore#1794
• Dependency updates

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.8.7...v1.8.8

Commits

• 7053232 build(deps): Bump golang.org/x/oauth2 from 0.21.0 to 0.22.0 (#1796)
• dd948da build(deps): Bump google.golang.org/api in /pkg/signature/kms/gcp (#1797)
• 7cc4a3e build(deps): Bump golang.org/x/oauth2 in /pkg/signature/kms/gcp
• 9584c8e build(deps): Bump dexidp/dex in /test/e2e in the all group
• 5b69695 build(deps): Bump github.com/aws/aws-sdk-go
• 54745c6 build(deps): Bump the all group with 2 updates
• 0a54fea Support email_verified as a String (#1794)
• 89b9585 Fixes issue in Device access token request (#1752)
• 562745e build(deps): Bump localstack/localstack in /test/e2e in the all group
• 516ef6e build(deps): Bump github.com/aws/aws-sdk-go in /pkg/signature/kms/aws
• Additional commits viewable in compare view

Updates github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.8.7 to 1.8.8

Release notes

Sourced from github.com/sigstore/sigstore/pkg/signature/kms/hashivault's releases.

v1.8.8

What's Changed

• Fixes issue in Device access token request by @​rishabhsvats in sigstore/sigstore#1752
• Support email_verified as a String by @​sabre1041 in sigstore/sigstore#1794
• Dependency updates

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.8.7...v1.8.8

Commits

• 7053232 build(deps): Bump golang.org/x/oauth2 from 0.21.0 to 0.22.0 (#1796)
• dd948da build(deps): Bump google.golang.org/api in /pkg/signature/kms/gcp (#1797)
• 7cc4a3e build(deps): Bump golang.org/x/oauth2 in /pkg/signature/kms/gcp
• 9584c8e build(deps): Bump dexidp/dex in /test/e2e in the all group
• 5b69695 build(deps): Bump github.com/aws/aws-sdk-go
• 54745c6 build(deps): Bump the all group with 2 updates
• 0a54fea Support email_verified as a String (#1794)
• 89b9585 Fixes issue in Device access token request (#1752)
• 562745e build(deps): Bump localstack/localstack in /test/e2e in the all group
• 516ef6e build(deps): Bump github.com/aws/aws-sdk-go in /pkg/signature/kms/aws
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions

[dependabot[bot]]

Looks like these dependencies are updatable in another way, so this is no longer needed.