chore(deps): update module github.com/sigstore/cosign/v2 to v2.5.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/sigstore/cosign/v2	v2.4.2 -> v2.5.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

sigstore/cosign (github.com/sigstore/cosign/v2)

v2.5.0

Compare Source

v2.5.0 includes an implementation of the new bundle specification,
attesting and verifying OCI image attestations uploaded as OCI artifacts.
This feature is currently gated behind the --new-bundle-format flag
when running cosign attest.

Features

• Add support for new bundle specification for attesting/verifying OCI image attestations (#​3889)
• Feat/non filename completions (#​4115)
• Add TSA certificate related flags and fields for cosign attest (#​4079)

Fixes

• cmd/cosign/cli: fix typo in ignoreTLogMessage (#​4111)
• Fix replace with compliant image mediatype (#​4077)

Contributors

• Bob Callaway
• Carlos Tadeu Panato Junior
• Cody Soyland
• Dmitry Savintsev
• Hayden B
• Ramon Petgrave
• Riccardo Schirone
• Stef Graces
• Ville Skyttä

v2.4.3

Compare Source

Features

• Bump sigstore/sigstore to support KMS plugins (#​4073)
• Enable fetching signatures without remote get. (#​4047)
• Feat/file flag completion improvements (#​4028)
• Update builder to use go1.23.6 (#​4052)

Bug Fixes

• fix parsing error in --only for cosign copy (#​4049)

Cleanup

• Refactor verifyNewBundle into library function (#​4013)
• fix comment typo and imports order (#​4061)
• sync comment with parameter name in function signature (#​4063)
• sort properly Go imports (#​4071)

Contributors

• Bob Callaway
• Carlos Tadeu Panato Junior
• Cody Soyland
• Dmitry Savintsev
• Hayden B
• Tomasz Janiszewski
• Ville Skyttä

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 48 additional dependencies were updated

Details:

Package	Change
cloud.google.com/go	v0.116.0 -> v0.118.3
cloud.google.com/go/iam	v1.2.2 -> v1.4.1
cloud.google.com/go/kms	v1.20.4 -> v1.21.1
cloud.google.com/go/longrunning	v0.6.2 -> v0.6.5
cloud.google.com/go/monitoring	v1.21.2 -> v1.24.0
cloud.google.com/go/storage	v1.49.0 -> v1.50.0
cuelang.org/go	v0.12.0 -> v0.12.1
github.com/Azure/azure-sdk-for-go/sdk/azcore	v1.17.0 -> v1.17.1
github.com/Azure/azure-sdk-for-go/sdk/azidentity	v1.8.1 -> v1.8.2
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys	v1.3.0 -> v1.3.1
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal	v1.1.0 -> v1.1.1
github.com/AzureAD/microsoft-authentication-library-for-go	v1.3.2 -> v1.3.3
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric	v0.48.1 -> v0.49.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping	v0.48.1 -> v0.49.0
github.com/aws/aws-sdk-go-v2/service/ecr	v1.28.0 -> v1.40.3
github.com/aws/aws-sdk-go-v2/service/ecrpublic	v1.23.5 -> v1.31.2
github.com/aws/aws-sdk-go-v2/service/kms	v1.37.14 -> v1.38.1
github.com/awslabs/amazon-ecr-credential-helper/ecr-login	v0.0.0-20240514230400-03fa26f5508f -> v0.9.1
github.com/buildkite/agent/v3	v3.91.0 -> v3.95.1
github.com/go-openapi/errors	v0.22.0 -> v0.22.1
github.com/go-openapi/swag	v0.23.0 -> v0.23.1
github.com/go-playground/validator/v10	v10.24.0 -> v10.26.0
github.com/golang-jwt/jwt/v4	v4.5.1 -> v4.5.2
github.com/golang-jwt/jwt/v5	v5.2.1 -> v5.2.2
github.com/googleapis/enterprise-certificate-proxy	v0.3.4 -> v0.3.6
github.com/in-toto/attestation	v1.1.0 -> v1.1.1
github.com/mailru/easyjson	v0.7.7 -> v0.9.0
github.com/prometheus/client_golang	v1.20.5 -> v1.21.1
github.com/sagikazarmark/locafero	v0.4.0 -> v0.7.0
github.com/sigstore/protobuf-specs	v0.4.0 -> v0.4.1
github.com/sigstore/sigstore	v1.8.12 -> v1.9.1
github.com/sigstore/sigstore-go	v0.7.0 -> v0.7.1
github.com/sigstore/sigstore/pkg/signature/kms/aws	v1.8.12 -> v1.9.1
github.com/sigstore/sigstore/pkg/signature/kms/azure	v1.8.12 -> v1.9.1
github.com/sigstore/sigstore/pkg/signature/kms/gcp	v1.8.12 -> v1.9.1
github.com/sigstore/sigstore/pkg/signature/kms/hashivault	v1.8.12 -> v1.9.1
github.com/sigstore/timestamp-authority	v1.2.4 -> v1.2.5
github.com/spf13/cast	v1.7.0 -> v1.7.1
github.com/spf13/viper	v1.19.0 -> v1.20.1
gitlab.com/gitlab-org/api/client-go	v0.121.0 -> v0.127.0
golang.org/x/oauth2	v0.26.0 -> v0.29.0
golang.org/x/time	v0.10.0 -> v0.11.0
google.golang.org/api	v0.223.0 -> v0.227.0
google.golang.org/genproto	v0.0.0-20241118233622-e639e219e697 -> v0.0.0-20250303144028-a0af3efb3deb
k8s.io/utils	v0.0.0-20240502163921-fe8a2dddb1d0 -> v0.0.0-20241210054802-24370beab758
sigs.k8s.io/release-utils	v0.11.0 -> v0.11.1
google.golang.org/genproto/googleapis/api	v0.0.0-20250218202821-56aae31c358a -> v0.0.0-20250303144028-a0af3efb3deb
google.golang.org/genproto/googleapis/rpc	v0.0.0-20250219182151-9fdb1cabc7b2 -> v0.0.0-20250313205543-e70fdf4c4cb4

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.