Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cosign for openSUSE:Factory checked 
in at 2026-07-07 21:07:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cosign (Old)
 and      /work/SRC/openSUSE:Factory/.cosign.new.1982 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cosign"

Tue Jul  7 21:07:06 2026 rev:36 rq:1364359 version:3.1.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/cosign/cosign.changes    2026-05-12 
19:31:09.550254469 +0200
+++ /work/SRC/openSUSE:Factory/.cosign.new.1982/cosign.changes  2026-07-07 
21:09:42.035775131 +0200
@@ -1,0 +2,61 @@
+Tue Jul  7 10:20:28 UTC 2026 - Dirk Müller <[email protected]>
+
+- update to 3.1.1 (bsc#1267044,
+  CVE-2026-25680,CVE-2026-42502,
+  CVE-2026-27136,CVE-2026-25681,CVE-2026-42506,
+  bsc#1266049, CVE-2026-39827, CVE-2026-39828, CVE-2026-39829,
+  CVE-2026-39830, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833,
+  CVE-2026-39834, CVE-2026-39835, CVE-2026-42508, CVE-2026-46595,
+  CVE-2026-46597, CVE-2026-46598,
+  bsc#1261811, CVE-2026-33815):
+  * This release deprecates a number of flags related to
+    verification material input for trust root material, as well
+    as the bundle format, standardized across Sigstore SDKs,
+    which is now the default output and input for signing and
+    verifying respectively. You may continue to use the
+    deprecated flags with Cosign v3.x releases. The deprecated
+    flags will be removed in a future Cosign v4 release.
+  * This release also updates the signing path for logging to
+    Rekor v2. DSSE attestations will be logged as hashed entries,
+    using the DSSE's pre-auth encoding (PAE). This should unblock
+    developers who want to upload large signed DSSEs such as
+    SBOMs.
+  * Initialize PKCS11 slots Before Getting Token Info in
+  * Sign exclusively via sigstore-go in
+  * bundle create: Prevent IgnoreTlog when bundle contains SET in
+  * Require bundle output or registry upload in
+  * fix(load): pass NameOptions to name.ParseReference in
+  * fix: honor --digestAlg when hashing a blob in verify-blob-
+    attestation in https://github.com/sigstore/cosign/pull/4813
+  * Deprecate Flags for v4: Certificates in
+  * Deprecate flags signing config in
+  * Deprecate flags bundle in
+  * Fix typo in map of verify command fields unsupported for new
+    bundle format in https://github.com/sigstore/cosign/pull/4853
+  * Add bundle upgrade command in
+  * Deprecate Flags for v4 in
+  * fix: close file descriptor leaked in
+    WriteSignedImageIndexImages loop in
+  * fix: use Header.Set to prevent duplicate Authorization on
+    retry in https://github.com/sigstore/cosign/pull/4870
+  * feat(cli): add Rekor v2 flag to cosign signing-config create
+  * Fix crash verifying timestamps when no timestamp was verified
+  * Deprecate Flags for v4: OCI Referrers in
+  * Use the configured Target Repository more consistently in
+  * fix: check HTTP status code in LoadFileOrURL in
+  * Fix unsafe type assertion in Rego policy evaluation by in
+  * Fix Ed25519ph check to respect custom signing configs in
+    sign-blob in https://github.com/sigstore/cosign/pull/4880
+  * Enable initialize command output in conformance in
+  * verify: return TUF errors for new bundle trusted roots in
+  * Deprecate subcommands in
+  * Remove docstring references to deprecated flags in
+  * fix(verify): Attach detached certificates to static
+    signatures via wrapped verifier in
+  * fix(verify): copy CheckOpts inside VerifyNewBundle to fix
+    data race in https://github.com/sigstore/cosign/pull/4917
+  * Update sigstore-go to v1.2.0 in
+  * **Full Changelog**:
+    https://github.com/sigstore/cosign/compare/v3.0.6...v3.1.1
+
+-------------------------------------------------------------------

Old:
----
  cosign-3.0.6.tar.gz

New:
----
  cosign-3.1.1.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cosign.spec ++++++
--- /var/tmp/diff_new_pack.zRJ24z/_old  2026-07-07 21:09:42.879804262 +0200
+++ /var/tmp/diff_new_pack.zRJ24z/_new  2026-07-07 21:09:42.879804262 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           cosign
-Version:        3.0.6
+Version:        3.1.1
 Release:        0
 Summary:        Container Signing, Verification and Storage in an OCI registry
 License:        Apache-2.0

++++++ cosign-3.0.6.tar.gz -> cosign-3.1.1.tar.gz ++++++
++++ 9000 lines of diff (skipped)

++++++ vendor.tar.zst ++++++
/work/SRC/openSUSE:Factory/cosign/vendor.tar.zst 
/work/SRC/openSUSE:Factory/.cosign.new.1982/vendor.tar.zst differ: char 7, line 
1

Reply via email to