Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package cosign for openSUSE:Factory checked in at 2026-07-07 21:07:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cosign (Old) and /work/SRC/openSUSE:Factory/.cosign.new.1982 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cosign" Tue Jul 7 21:07:06 2026 rev:36 rq:1364359 version:3.1.1 Changes: -------- --- /work/SRC/openSUSE:Factory/cosign/cosign.changes 2026-05-12 19:31:09.550254469 +0200 +++ /work/SRC/openSUSE:Factory/.cosign.new.1982/cosign.changes 2026-07-07 21:09:42.035775131 +0200 @@ -1,0 +2,61 @@ +Tue Jul 7 10:20:28 UTC 2026 - Dirk Müller <[email protected]> + +- update to 3.1.1 (bsc#1267044, + CVE-2026-25680,CVE-2026-42502, + CVE-2026-27136,CVE-2026-25681,CVE-2026-42506, + bsc#1266049, CVE-2026-39827, CVE-2026-39828, CVE-2026-39829, + CVE-2026-39830, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833, + CVE-2026-39834, CVE-2026-39835, CVE-2026-42508, CVE-2026-46595, + CVE-2026-46597, CVE-2026-46598, + bsc#1261811, CVE-2026-33815): + * This release deprecates a number of flags related to + verification material input for trust root material, as well + as the bundle format, standardized across Sigstore SDKs, + which is now the default output and input for signing and + verifying respectively. You may continue to use the + deprecated flags with Cosign v3.x releases. The deprecated + flags will be removed in a future Cosign v4 release. + * This release also updates the signing path for logging to + Rekor v2. DSSE attestations will be logged as hashed entries, + using the DSSE's pre-auth encoding (PAE). This should unblock + developers who want to upload large signed DSSEs such as + SBOMs. + * Initialize PKCS11 slots Before Getting Token Info in + * Sign exclusively via sigstore-go in + * bundle create: Prevent IgnoreTlog when bundle contains SET in + * Require bundle output or registry upload in + * fix(load): pass NameOptions to name.ParseReference in + * fix: honor --digestAlg when hashing a blob in verify-blob- + attestation in https://github.com/sigstore/cosign/pull/4813 + * Deprecate Flags for v4: Certificates in + * Deprecate flags signing config in + * Deprecate flags bundle in + * Fix typo in map of verify command fields unsupported for new + bundle format in https://github.com/sigstore/cosign/pull/4853 + * Add bundle upgrade command in + * Deprecate Flags for v4 in + * fix: close file descriptor leaked in + WriteSignedImageIndexImages loop in + * fix: use Header.Set to prevent duplicate Authorization on + retry in https://github.com/sigstore/cosign/pull/4870 + * feat(cli): add Rekor v2 flag to cosign signing-config create + * Fix crash verifying timestamps when no timestamp was verified + * Deprecate Flags for v4: OCI Referrers in + * Use the configured Target Repository more consistently in + * fix: check HTTP status code in LoadFileOrURL in + * Fix unsafe type assertion in Rego policy evaluation by in + * Fix Ed25519ph check to respect custom signing configs in + sign-blob in https://github.com/sigstore/cosign/pull/4880 + * Enable initialize command output in conformance in + * verify: return TUF errors for new bundle trusted roots in + * Deprecate subcommands in + * Remove docstring references to deprecated flags in + * fix(verify): Attach detached certificates to static + signatures via wrapped verifier in + * fix(verify): copy CheckOpts inside VerifyNewBundle to fix + data race in https://github.com/sigstore/cosign/pull/4917 + * Update sigstore-go to v1.2.0 in + * **Full Changelog**: + https://github.com/sigstore/cosign/compare/v3.0.6...v3.1.1 + +------------------------------------------------------------------- Old: ---- cosign-3.0.6.tar.gz New: ---- cosign-3.1.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cosign.spec ++++++ --- /var/tmp/diff_new_pack.zRJ24z/_old 2026-07-07 21:09:42.879804262 +0200 +++ /var/tmp/diff_new_pack.zRJ24z/_new 2026-07-07 21:09:42.879804262 +0200 @@ -17,7 +17,7 @@ Name: cosign -Version: 3.0.6 +Version: 3.1.1 Release: 0 Summary: Container Signing, Verification and Storage in an OCI registry License: Apache-2.0 ++++++ cosign-3.0.6.tar.gz -> cosign-3.1.1.tar.gz ++++++ ++++ 9000 lines of diff (skipped) ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/cosign/vendor.tar.zst /work/SRC/openSUSE:Factory/.cosign.new.1982/vendor.tar.zst differ: char 7, line 1
