chore(deps): Bump the go_modules group across 1 directory with 3 updates

[dependabot]

Bumps the go_modules group with 3 updates in the /sigstore directory: github.com/sigstore/sigstore, github.com/sigstore/rekor and github.com/theupdateframework/go-tuf/v2.

Updates github.com/sigstore/sigstore from 1.10.0 to 1.10.4

Release notes

Sourced from github.com/sigstore/sigstore's releases.

v1.10.4

What's Changed

• Escape target name - GHSA-fcv2-xgw5-pqxf in sigstore/sigstore#2265

Full Changelog: sigstore/sigstore@v1.10.3...v1.10.4

v1.10.3

What's Changed

v1.10.3 adds ValidatePubKey back to the cryptoutils package to avoid a breaking API change.

• Add back ValidatePubKey as a deprecated, minimal function in sigstore/sigstore#2235

Full Changelog: sigstore/sigstore@v1.10.2...v1.10.3

v1.10.2

Functionally equivalent to v1.10.0. v1.10.1 has been retracted to remove copied code.

v1.10.0

Breaking change

sigstore/sigstore#2194 moves cryptoutils.ValidatePubKey to goodkey.ValidatePubKey to minimize the dependency tree for clients using the cryptoutils package.

Features

• feat(hashivault): token helper in sigstore/sigstore#2174
• set GoogleAPIClientOption on GCP KMS provider in sigstore/sigstore#2128

Refactoring

• cryptoutils: move goodkey validation to separate package in sigstore/sigstore#2194
• Stop depending on golang.org/x/crypto for sha3 in sigstore/sigstore#2209
• remove duplicative dependency for portable browser opener in sigstore/sigstore#2178
• consolidate deep Equal usage to one library in sigstore/sigstore#2177
• Drop redundant aws-sdk-go dependency in the e2e kms tests in sigstore/sigstore#2172

Commits

• 8ec410a Escape target name - GHSA-fcv2-xgw5-pqxf (#2265)
• deef0ee build(deps): Bump golang.org/x/crypto in /test/cliplugin/localkms (#2256)
• 641406c build(deps): Bump the gomod group across 2 directories with 4 updates (#2255)
• 1bfd00e build(deps): Bump the tools group across 1 directory with 2 updates (#2254)
• 714ac99 build(deps): Bump hashicorp/vault in /test/e2e in the all group (#2253)
• 626b82b build(deps): Bump localstack/localstack in /test/e2e in the all group (#2241)
• 72f0ed7 build(deps): Bump github.com/aws/aws-sdk-go-v2/config (#2230)
• b257168 build(deps): Bump github.com/aws/aws-sdk-go-v2 in /pkg/signature/kms/aws (#2226)
• 84f57b8 build(deps): Bump github.com/sigstore/sigstore (#2221)
• bdc1a86 build(deps): Bump actions/checkout from 5.0.1 to 6.0.0 (#2220)
• Additional commits viewable in compare view

Updates github.com/sigstore/rekor from 1.4.3 to 1.5.0

Release notes

Sourced from github.com/sigstore/rekor's releases.

v1.5.0

This release fixes GHSA-273p-m2cw-6833 and GHSA-4c4x-jm2x-pf9j. Note that this drops support for fetching public keys via URL when querying the search API.

Vulnerability Fixes

• Handle malformed COSE and DSSE entries (#2729)
• Drop support for fetching public keys by URL in the search index (#2731)

Features

• Add support for a custom TLS config for clients (#2709)

Changelog

Sourced from github.com/sigstore/rekor's changelog.

v1.5.0

This release fixes GHSA-273p-m2cw-6833 and GHSA-4c4x-jm2x-pf9j. Note that this drops support for fetching public keys via URL when querying the search API.

Vulnerability Fixes

• Handle malformed COSE and DSSE entries (#2729)
• Drop support for fetching public keys by URL in the search index (#2731)

Features

• Add support for a custom TLS config for clients (#2709)

Commits

• fe9717f Changelog for v1.5.0 (#2730)
• 60ef2bc Drop support for fetching public keys by URL in the search index (#2731)
• ca625dc build(deps): Bump github.com/redis/go-redis/v9 from 9.14.1 to 9.17.2 (#2706)
• 39bae3d Merge commit from fork (#2729)
• 812e699 build(deps): Bump google.golang.org/api from 0.256.0 to 0.259.0 (#2723)
• 4596e4e build(deps): Bump golang.org/x/net from 0.47.0 to 0.48.0 (#2722)
• a3e73cd build(deps): Bump github.com/sigstore/sigstore from 1.9.5 to 1.10.3 (#2724)
• 94d259c build(deps): Bump the all group across 1 directory with 3 updates (#2727)
• a5329c9 build(deps): Bump the all group with 2 updates (#2728)
• 5e6bdcd build(deps): Bump google.com/cloudsdktool/google-cloud-cli (#2726)
• Additional commits viewable in compare view

Updates github.com/theupdateframework/go-tuf/v2 from 2.3.0 to 2.3.1

Release notes

Sourced from github.com/theupdateframework/go-tuf/v2's releases.

v2.3.1

What's Changed

• chore(deps): bump golang.org/x/crypto from 0.40.0 to 0.45.0 by @​dependabot[bot] in theupdateframework/go-tuf#702
• Resolve govulncheck errors by bumping go to 1.24.11 by @​rdimitrov in theupdateframework/go-tuf#707
• chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2 by @​dependabot[bot] in theupdateframework/go-tuf#704
• modern go (1.20+) improvements by @​udf2457 in theupdateframework/go-tuf#705
• chore(deps): bump github.com/sigstore/sigstore from 1.9.5 to 1.10.3 by @​dependabot[bot] in theupdateframework/go-tuf#706
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.9.1 to 0.10.0 by @​dependabot[bot] in theupdateframework/go-tuf#708
• Perform type assertion by @​kommendorkapten in theupdateframework/go-tuf#710
• Add tests for failing type assertions by @​rdimitrov in theupdateframework/go-tuf#711
• Verify threshold is valid by @​kommendorkapten in theupdateframework/go-tuf#712

Full Changelog: theupdateframework/go-tuf@v2.3.0...v2.3.1

Commits

• b38d91f Verify threshold is valid (#712)
• 876cf2a Add tests for failing type assertions (#711)
• 73345ab Perform type assertion (#710)
• d3cdc4b chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.9....
• 880e8da chore(deps): bump github.com/sigstore/sigstore from 1.9.5 to 1.10.3 (#706)
• d8fbc2c modern go (1.20+) improvements (#705)
• c180bdd chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2 (#704)
• d52793f Resolve govulncheck errors by bumping go to 1.24.11 (#707)
• 98340af chore(deps): bump golang.org/x/crypto from 0.40.0 to 0.45.0 (#702)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.