Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cosign for openSUSE:Factory checked in at 2025-07-18 16:00:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cosign (Old)
 and /work/SRC/openSUSE:Factory/.cosign.new.8875 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cosign" Fri Jul 18 16:00:30 2025 rev:28 rq:1294392 version:2.5.3 Changes: -------- --- /work/SRC/openSUSE:Factory/cosign/cosign.changes 2025-04-14 12:58:16.271969217 +0200 +++ /work/SRC/openSUSE:Factory/.cosign.new.8875/cosign.changes 2025-07-18 16:01:52.910867467 +0200 
@@ -1,0 +2,34 @@ +Fri Jul 18 11:54:31 UTC 2025 - meiss...@suse.com + +- Update to version 2.5.3 (jsc#SLE-23879) + - Add signing-config create command (#4280) + - Allow multiple services to be specified for trusted-root create (#4285) + - force when copying the latest image to overwrite (#4298) + - Fix cert verification logic for trusted-root/SCTs (#4294) + - Fix lint error for types package (#4295) + - feat: Add OCI 1.1+ experimental support to tree (#4205) + - Add validity period end for trusted-root create (#4271) + - avoid double-loading trustedroot from file (#4264) +- Update to 2.5.2: + - Do not load trusted root when CT env key is set + - docs: improve doc for --no-upload option (#4206) +- Update to 2.5.1: + * Features + - Add Rekor v2 support for trusted-root create (#4242) + - Add baseUrl and Uri to trusted-root create command + - Upgrade to TUF v2 client with trusted root + - Don't verify SCT for a private PKI cert (#4225) + - Bump TSA library to relax EKU chain validation rules (#4219) + * Bug Fixes + - Bump sigstore-go to pick up log index=0 fix (#4162) + - remove unused recursive flag on attest command (#4187) + * Docs + - Fix indentation in verify-blob cmd examples (#4160) +* GO-2025-3660/ CVE-2025-46569: Fixed OPA server Data API HTTP path injection of Rego (bsc#1246725) + +------------------------------------------------------------------- +Wed May 28 15:47:32 UTC 2025 - Marcus Meissner <meiss...@suse.com> + +- switch to go1.24, enable fips build + +------------------------------------------------------------------- Old: ---- cosign-2.5.0.obscpio New: ---- cosign-2.5.3.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cosign.spec ++++++ --- /var/tmp/diff_new_pack.2fg85W/_old 2025-07-18 16:01:54.982953963 +0200 +++ /var/tmp/diff_new_pack.2fg85W/_new 2025-07-18 16:01:54.982953963 +0200 
@@ -17,7 +17,7 @@ Name: cosign -Version: 2.5.0 +Version: 2.5.3 Release: 0 Summary: Container Signing, Verification and Storage in an OCI registry License: Apache-2.0 @@ -26,7 +26,7 @@ Source1: vendor.tar.zst BuildRequires: golang-packaging BuildRequires: zstd -BuildRequires: golang(API) = 1.23 +BuildRequires: golang(API) = 1.24 %description Cosign aims to make signatures invisible infrastructure. @@ -81,6 +81,7 @@ CLI_PKG=sigs.k8s.io/release-utils/version CLI_LDFLAGS="-X ${CLI_PKG}.gitVersion=%{version} -X ${CLI_PKG}.gitCommit=$COMMIT_HASH -X ${CLI_PKG}.gitTreeState=release -X ${CLI_PKG}.buildDate=${BUILD_DATE}" +export GOFIPS140=v1.0.0 CGO_ENABLED=1 go build -mod=vendor -buildmode=pie -trimpath -ldflags "${CLI_LDFLAGS}" -o cosign ./cmd/cosign %check ++++++ _service ++++++ --- /var/tmp/diff_new_pack.2fg85W/_old 2025-07-18 16:01:55.034956134 +0200 +++ /var/tmp/diff_new_pack.2fg85W/_new 2025-07-18 16:01:55.038956300 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/sigstore/cosign</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v2.5.0</param> + <param name="revision">v2.5.3</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.2fg85W/_old 2025-07-18 16:01:55.086958304 +0200 +++ /var/tmp/diff_new_pack.2fg85W/_new 2025-07-18 16:01:55.094958638 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/sigstore/cosign</param> - <param name="changesrevision">38bb98697005cdc5c092f031594c0e45d039f4a0</param></service></servicedata> + <param name="changesrevision">488ef8ceed5ab5d77379e9077a124a0d0df41d06</param></service></servicedata> (No newline at EOF) ++++++ cosign-2.5.0.obscpio -> cosign-2.5.3.obscpio ++++++ ++++ 8867 lines of diff (skipped) ++++++ cosign.obsinfo ++++++ --- /var/tmp/diff_new_pack.2fg85W/_old 2025-07-18 16:01:55.510976004 +0200 +++ /var/tmp/diff_new_pack.2fg85W/_new 2025-07-18 16:01:55.518976338 +0200 @@ -1,5 +1,5 @@ name: cosign -version: 2.5.0 -mtime: 1744058029 -commit: 38bb98697005cdc5c092f031594c0e45d039f4a0 +version: 2.5.3 +mtime: 1752782207 +commit: 488ef8ceed5ab5d77379e9077a124a0d0df41d06 ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/cosign/vendor.tar.zst /work/SRC/openSUSE:Factory/.cosign.new.8875/vendor.tar.zst differ: char 7, line 1
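
Review bot: in the cosign.changes hunk, the last line of the new entry, `* GO-2025-3660/ CVE-2025-46569: Fixed OPA server Data API HTTP path injection of Rego (bsc#1246725)`, starts with `*` at column 0 while every other top-level item in the entry starts with `- `, and it sits after the 2.5.1 sub-list without saying which of the three updates carries the fix. Suggest making it a `- ` item and naming the version (or the dependency bump) that resolves it, so that someone tracking bsc#1246725 can tell from the changelog alone which package version to require. The update headers are also inconsistent ("Update to version 2.5.3" without a colon, "Update to 2.5.2:" with one); pick one form.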
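
Review bot: in the cosign.spec hunk at `@@ -81,6 +81,7 @@`, `export GOFIPS140=v1.0.0` is added without a spec comment, and none of the visible lines checks that the setting took effect in the built binary. The only explanation is the separate changelog entry "switch to go1.24, enable fips build". Suggest a one-line comment above the export that ties it to the `BuildRequires: golang(API) = 1.24` change in the hunk above, so that a later toolchain bump is reviewed together with it, and a step in %check that fails the build if the FIPS setting is silently lost.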
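
Review bot: in the _service hunk, `<param name="revision">v2.5.3</param>` pins the source by tag name, which can be moved upstream; the immutable reference is the commit `488ef8ceed5ab5d77379e9077a124a0d0df41d06` recorded in the _servicedata and cosign.obsinfo hunks, and those two agree here. For a package whose job is signature verification, confirm that this commit is the one the upstream v2.5.3 tag points to before accepting the request.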
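
Review bot: the vendor.tar.zst change appears only as `differ: char 7, line 1` and the obscpio diff is skipped ("8867 lines of diff (skipped)"), so the dependency update behind the CVE-2025-46569 changelog claim cannot be checked from this mail. Suggest stating in the changelog or the request description which vendored module version changed, so the reviewer can confirm it against the unpacked vendor tree instead of relying on the changelog text.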