chore(deps): bump sigstore/cosign-installer from 3.7.0 to 4.1.2 by dependabot[bot] · Pull Request #539 · Hanalyx/OpenWatch

dependabot · 2026-06-15T04:11:49Z

Bumps sigstore/cosign-installer from 3.7.0 to 4.1.2.

Release notes

Sourced from sigstore/cosign-installer's releases.

v4.1.2

What's Changed

Bump cosign to 3.0.6 in sigstore/cosign-installer#232

v4.1.1

What's Changed

chore: update default cosign-release to v3.0.5 in sigstore/cosign-installer#223

Full Changelog: sigstore/cosign-installer@v4.1.0...v4.1.1

v4.1.0

What's Changed

We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing with: cosign-release and strongly discourage using cosign-release unless you have a specific reason to use an older version of Cosign.

Bump cosign to 3.0.5 in sigstore/cosign-installer#220

fix: add retry to curl downloads for transient network failures in sigstore/cosign-installer#210

Full Changelog: sigstore/cosign-installer@v4.0.0...v4.1.0

v4.0.0

What's Changed?

Note: You must upgrade to cosign-installer v4 if you want to install Cosign v3+. You may still install Cosign v2.x with cosign-installer v4.

In version v3+, using cosign sign-blob requires adding the --bundle flag which may require you to update your signing command.

Add support for Cosign v3 releases (#201)

v3.10.1

What's Changed?

Note: cosign-installer v3.x cannot be used to install Cosign v3.x. You must upgrade to cosign-installer v4 in order to use Cosign v3.

Note: This is planned to be the final release of Cosign v2, though we will cut new releases for any critical security or bug fixes. We recommend transitioning to Cosign v3.

Bump default Cosign to v2.6.1 (#203)

v3.10.0

What's Changed

Bump default Cosign to v2.6.0 in sigstore/cosign-installer#200

Full Changelog: sigstore/cosign-installer@v3.9.2...v3.10.0

v3.9.2

What's Changed

not fail fast and setup permissions in sigstore/cosign-installer#195

drop old unsupported versions <v2.0.0 in sigstore/cosign-installer#192

Update default to v2.5.3 in sigstore/cosign-installer#196

... (truncated)

Commits

6f9f177 Bump cosign to 3.0.6 (#232)
b5e753a Bump actions/github-script from 8.0.0 to 9.0.0 (#230)
115e4ce Bump actions/setup-go from 6.3.0 to 6.4.0 (#226)
cad07c2 chore: update default cosign-release to v3.0.5 (#223)
ba7bc0a fix: add retry to curl downloads for transient network failures (#210)
5a292e1 Bump cosign to 3.0.5 (#220)
351ea76 Bump actions/checkout from 6.0.1 to 6.0.2 (#217)
c17565f test with go 1.26 too (#221)
a6fdd19 Bump actions/setup-go from 6.1.0 to 6.3.0 (#218)
430b6a7 docs: fix registry from gcr.io to ghcr.io (#213)
Additional commits viewable in compare view

dependabot · 2026-06-15T04:11:50Z

Labels

The following labels could not be found: github-actions. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

remyluslosius · 2026-06-16T13:18:43Z

Held — would break release signing. Do not merge as-is.

cosign-installer v4.1.2 installs cosign 3.0.5 by default, and cosign 3 breaks our release.yml sign-blob step (verified by downloading cosign 3.0.5 and testing offline key-based signing):

--tlog-upload was removed (we pass --tlog-upload=false → unknown flag)
--new-bundle-format=true is now the default → --output-signature is ignored, signing fails wanting --bundle
verify-blob now consults the rekor tlog by default

PR CI never runs release.yml, so this passes green and breaks signing on the next v* tag.

Paths forward: (A) bump installer to v4 but pin with: cosign-release: 'v2.6.1' to keep cosign 2.x signing, or (B) migrate to the cosign-3 bundle format (changes the published artifact .cosign.sig → .cosign.bundle + the verify instructions in RELEASING.md/KEYS). Holding pending that decision.

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.7.0 to 4.1.2. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@v3.7.0...v4.1.2) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-version: 4.1.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 15, 2026

dependabot Bot force-pushed the dependabot/github_actions/sigstore/cosign-installer-4.1.2 branch 5 times, most recently from 94180e6 to 730f6d4 Compare June 16, 2026 12:31

dependabot Bot force-pushed the dependabot/github_actions/sigstore/cosign-installer-4.1.2 branch from 730f6d4 to 3eaf841 Compare June 16, 2026 13:20

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump sigstore/cosign-installer from 3.7.0 to 4.1.2#539

chore(deps): bump sigstore/cosign-installer from 3.7.0 to 4.1.2#539
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/sigstore/cosign-installer-4.1.2

dependabot Bot commented on behalf of github Jun 15, 2026 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github Jun 15, 2026

Uh oh!

remyluslosius commented Jun 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github Jun 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v4.1.2

What's Changed

v4.1.1

What's Changed

v4.1.0

What's Changed

v4.0.0

What's Changed?

v3.10.1

What's Changed?

v3.10.0

What's Changed

v3.9.2

What's Changed

Uh oh!

dependabot Bot commented on behalf of github Jun 15, 2026

Labels

Uh oh!

remyluslosius commented Jun 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

dependabot Bot commented on behalf of github Jun 15, 2026 •

edited

Loading