Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cosign for openSUSE:Factory checked in at 2026-05-12 19:28:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cosign (Old)
 and      /work/SRC/openSUSE:Factory/.cosign.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cosign" Tue May 12 19:28:08 2026 rev:35 rq:1352668 version:3.0.6 Changes: -------- --- /work/SRC/openSUSE:Factory/cosign/cosign.changes 2026-02-25 21:10:32.070079624 +0100 +++ /work/SRC/openSUSE:Factory/.cosign.new.1966/cosign.changes 2026-05-12 19:31:09.550254469 +0200 @@ -1,0 +2,19 @@ +Tue May 12 09:15:16 UTC 2026 - Dirk Müller <[email protected]> + +- update to 3.0.6 (bsc#1261859, CVE-2026-39395): + * Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6) (#4801) + * Handle whitespace-only certificate annotation (#4760) + * fix(sign): closing SignerVerifier too early when signing with + a security key (#4761) + * Disallow --new-bundle-format and --rfc3161-timestamp (#4762) + * support managed keys in conformance testing (#4728) + * Add support for GCE metadata server env var (#4732) + * fix: preserve per-layer annotations in + WriteAttestationsReferrer (#4709) + * Fix parsing of in-toto for string predicates + * Mark batch of flags for deprecation (#4698) + * disallow key and cert identity being used together + during verification (#4636) + * support key creation in GitLab group (#4704) + +------------------------------------------------------------------- Old: ---- cosign-3.0.5.obscpio New: ---- cosign-3.0.6.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cosign.spec ++++++ --- /var/tmp/diff_new_pack.15SrAG/_old 2026-05-12 19:31:10.478292894 +0200 +++ /var/tmp/diff_new_pack.15SrAG/_new 2026-05-12 19:31:10.482293060 +0200 @@ -17,7 +17,7 @@ Name: cosign -Version: 3.0.5 +Version: 3.0.6 Release: 0 Summary: Container Signing, Verification and Storage in an OCI registry License: Apache-2.0 
@@ -26,7 +26,7 @@ Source1: vendor.tar.zst BuildRequires: golang-packaging BuildRequires: zstd -BuildRequires: golang(API) = 1.25 +BuildRequires: golang(API) = 1.26 %description Cosign aims to make signatures invisible infrastructure. ++++++ _service ++++++ --- /var/tmp/diff_new_pack.15SrAG/_old 2026-05-12 19:31:10.522294716 +0200 +++ /var/tmp/diff_new_pack.15SrAG/_new 2026-05-12 19:31:10.526294882 +0200 @@ -1,24 +1,7 @@ <services> - <service name="obs_scm" mode="manual"> - <param name="url">https://github.com/sigstore/cosign</param> - <param name="scm">git</param> - <param name="exclude">.git</param> - <param name="revision">v3.0.5</param> - <param name="versionformat">@PARENT_TAG@</param> - <param name="changesgenerate">enable</param> - <param name="versionrewrite-pattern">v(.*)</param> - </service> - <service name="set_version" mode="manual"> - </service> + <service name="download_files" mode="manual"/> <service name="go_modules" mode="manual"> <param name="compression">zst</param> </service> - <!-- services below are running at buildtime --> - <service name="tar" mode="buildtime"> - </service> - <service name="recompress" mode="buildtime"> - <param name="file">*.tar</param> - <param name="compression">gz</param> - </service> </services> ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/cosign/vendor.tar.zst /work/SRC/openSUSE:Factory/.cosign.new.1966/vendor.tar.zst differ: char 5, line 1
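Review bot: In the cosign.changes hunk, bsc#1261859 and CVE-2026-39395 are attached to the "update to 3.0.6" line, so the entry does not say which of the listed items is the security fix. If they belong to the DSSE predicate check that carries GHSA-w6c6-c85g-mmv6, put the references on that bullet so the fix can be traced from the CVE. "Fix parsing of in-toto for string predicates" is also the only bullet without an upstream PR number.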
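Review bot: In cosign.spec, the second hunk moves "BuildRequires: golang(API)" from 1.25 to 1.26, but the new cosign.changes entry has no bullet for the toolchain bump. Add one, since the exact "=" pin ties the build to that Go API version and the reason for the bump is not recoverable from this diff.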
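Review bot: In _service, dropping the obs_scm service pinned to revision v3.0.5 (together with the buildtime tar and recompress services) in favour of download_files changes how the source is obtained, from a git checkout at a tag to a downloaded cosign-3.0.6.tar.gz, and the changelog entry is silent on it. Record the switch in cosign.changes. The visible spec hunks touch no Source line, so confirm that the Source URL in the spec resolves to the upstream release tarball and that the tarball is checked against an upstream checksum or signature before it is accepted.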
