Bump github.com/sigstore/sigstore-go from 1.1.4 to 1.2.0 by dependabot[bot] · Pull Request #396 · slsa-framework/source-tool

dependabot · 2026-06-03T22:55:18Z

Bumps github.com/sigstore/sigstore-go from 1.1.4 to 1.2.0.

Release notes

Sourced from github.com/sigstore/sigstore-go's releases.

v1.2.0

What's Changed

Add preferred method for verifying log entry proofs by @Hayden-IO in sigstore/sigstore-go#557

docs(verify): annotate identity matchers and regexp semantics by @1seal in sigstore/sigstore-go#558

Bump actions/setup-go from 6.1.0 to 6.2.0 by @dependabot[bot] in sigstore/sigstore-go#563

Bump the minor-patch group across 1 directory with 7 updates by @dependabot[bot] in sigstore/sigstore-go#565

ensure we have verification material before attempting to extract public key by @bobcallaway in sigstore/sigstore-go#566

fix(tlog): fail closed for rekor v2 parsing by @1seal in sigstore/sigstore-go#562

Bump sigstore-conformance to latest by @cmurphy in sigstore/sigstore-go#559

Bump actions/checkout from 6.0.1 to 6.0.2 by @dependabot[bot] in sigstore/sigstore-go#573

Bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 in /examples/oci-image-verification by @dependabot[bot] in sigstore/sigstore-go#576

Bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 in /examples/oci-image-verification by @dependabot[bot] in sigstore/sigstore-go#571

Bump production and staging TUF roots by @Hayden-IO in sigstore/sigstore-go#580

Support DSSE signing conformance test by @aaronlew02 in sigstore/sigstore-go#582

Fix nil pointer dereference in LiveTrustedRoot refresh by @Hayden-IO in sigstore/sigstore-go#584

Bump sigstore/sigstore-conformance from 0.0.25 to 0.0.26 by @dependabot[bot] in sigstore/sigstore-go#585

chore: remove large test dependencies by replacing ctfe usage by @Hayden-IO in sigstore/sigstore-go#587

Bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 by @dependabot[bot] in sigstore/sigstore-go#575

Bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 by @dependabot[bot] in sigstore/sigstore-go#569

Bump github.com/theupdateframework/go-tuf/v2 from 2.3.0 to 2.4.1 by @dependabot[bot] in sigstore/sigstore-go#578

Set minimum threshold for WithIntegratedTimestamps by @Hayden-IO in sigstore/sigstore-go#590

Bump all recent deps by @Hayden-IO in sigstore/sigstore-go#586

Bump the minor-patch group across 1 directory with 2 updates by @dependabot[bot] in sigstore/sigstore-go#591

Bump github.com/docker/cli from 29.0.3+incompatible to 29.2.0+incompatible in /examples/oci-image-verification by @dependabot[bot] in sigstore/sigstore-go#595

deps: update go-openapi/strfmt to v0.26.1 by @tonistiigi in sigstore/sigstore-go#603

verify message digest matches artifact hash by @piceri in sigstore/sigstore-go#600

Run go fix across codebase by @Hayden-IO in sigstore/sigstore-go#610

Harden verification, HTTP clients, and TUF by @Hayden-IO in sigstore/sigstore-go#609

Verify log entry digest matches artifact/envelope by @Hayden-IO in sigstore/sigstore-go#611

Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 by @dependabot[bot] in sigstore/sigstore-go#608

Bump actions/setup-go from 6.2.0 to 6.4.0 by @dependabot[bot] in sigstore/sigstore-go#606

Bump github.com/sigstore/timestamp-authority/v2 from 2.0.4 to 2.0.6 in /examples/oci-image-verification by @dependabot[bot] in sigstore/sigstore-go#614

Bump google.golang.org/grpc from 1.78.0 to 1.79.3 by @dependabot[bot] in sigstore/sigstore-go#601

Bump github.com/sigstore/timestamp-authority/v2 from 2.0.4 to 2.0.6 by @dependabot[bot] in sigstore/sigstore-go#613

Bump go-tuf, rekor-tiles versions by @Hayden-IO in sigstore/sigstore-go#616

Bump sigstore/sigstore-conformance from 0.0.26 to 0.0.27 by @dependabot[bot] in sigstore/sigstore-go#621

Bump github.com/in-toto/in-toto-golang from 0.10.0 to 0.11.0 in /examples/oci-image-verification by @dependabot[bot] in sigstore/sigstore-go#623

Bump github.com/in-toto/in-toto-golang from 0.10.0 to 0.11.0 by @dependabot[bot] in sigstore/sigstore-go#624

bundle: cap raw TlogEntries length before per-entry parse by @tonghuaroot in sigstore/sigstore-go#630

Prevent multi-log threshold bypasses via single compromised log by @Hayden-IO in sigstore/sigstore-go#633

Verify Rekor v2 inclusion using reconstructed leaf hash by @codysoyland in sigstore/sigstore-go#635

Encode Rekor v2 DSSE envelopes as hashedrekord by @codysoyland in sigstore/sigstore-go#627

Bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 by @dependabot[bot] in sigstore/sigstore-go#631

Bump the minor-patch group across 2 directories with 10 updates by @dependabot[bot] in sigstore/sigstore-go#637

Fix conformance test failures for managed-key verification by @codysoyland in sigstore/sigstore-go#638

New Contributors

@1seal made their first contribution in sigstore/sigstore-go#558

@aaronlew02 made their first contribution in sigstore/sigstore-go#582

@tonistiigi made their first contribution in sigstore/sigstore-go#603

... (truncated)

Commits

8ca80c4 Fix conformance test failures for managed-key verification (#561) (#638)
40d743a Bump the minor-patch group across 2 directories with 10 updates (#637)
7960906 Bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 (#631)
ef6e924 Encode Rekor v2 DSSE envelopes as hashedrekord (#627)
56c2528 Verify Rekor v2 inclusion using reconstructed leaf hash (#635)
dbb07e6 Prevent multi-log threshold bypasses via single compromised log (#633)
7e8ee0f bundle: cap raw TlogEntries length before per-entry parse (#630)
58c7950 Bump github.com/in-toto/in-toto-golang from 0.10.0 to 0.11.0 (#624)
1ad51ea Bump github.com/in-toto/in-toto-golang (#623)
566ec6c Bump sigstore/sigstore-conformance from 0.0.26 to 0.0.27 (#621)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/sigstore/sigstore-go](https://github.com/sigstore/sigstore-go) from 1.1.4 to 1.2.0. - [Release notes](https://github.com/sigstore/sigstore-go/releases) - [Commits](sigstore/sigstore-go@v1.1.4...v1.2.0) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore-go dependency-version: 1.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jun 3, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump github.com/sigstore/sigstore-go from 1.1.4 to 1.2.0#396

Bump github.com/sigstore/sigstore-go from 1.1.4 to 1.2.0#396
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/sigstore/sigstore-go-1.2.0

dependabot Bot commented on behalf of github Jun 3, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jun 3, 2026

v1.2.0

What's Changed

New Contributors

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants