fix: Bump Cosign to latest v2.2.3 #3355
Versions of Cosign before v2.2.0 are not compatible with the latest TUF root.
Fixes slsa-framework#3350
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

@ianlewis @laurentsimon @kpk47 This should fix the linked issue. I'm not sure if it was an intentional decision to not update Cosign though, since I see this picks up a lot of other dependency updates.

Ah, I see this bumps to Go 1.21. Don't know if this will be an issue for you. Feel free to ping me offline to chat more.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
laurentsimon
left a comment
LGTM. Will wait till the pre-submit is fixed.

Can you also update the cosign-installer at ?

Signed-off-by: Bob Callaway <bcallaway@google.com>
Signed-off-by: Bob Callaway <bcallaway@google.com>
Signed-off-by: Bob Callaway <bcallaway@google.com>
Signed-off-by: Bob Callaway <bcallaway@google.com>
Signed-off-by: Bob Callaway <bcallaway@google.com>

Thank you all for this fast turnaround!

@laurentsimon is there an ETA on emergency / patch release tag to be made to unblock downstream pipelines with this bumped version? #3392

We're working on a release as P0 and we'll cut it in the next 24hr

Has that release happened, @laurentsimon?

We're going thru the release process and testing e2e that things are working. @kpk47 is on it

Versions of Cosign before v2.2.0 are not compatible with the latest TUF root.
Fixes #3350