Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package cosign for openSUSE:Factory checked in at 2025-09-18 21:12:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cosign (Old) and /work/SRC/openSUSE:Factory/.cosign.new.27445 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cosign" Thu Sep 18 21:12:18 2025 rev:29 rq:1305829 version:2.6.0 Changes: -------- --- /work/SRC/openSUSE:Factory/cosign/cosign.changes 2025-07-18 16:01:52.910867467 +0200 +++ /work/SRC/openSUSE:Factory/.cosign.new.27445/cosign.changes 2025-09-18 21:13:36.750851485 +0200 @@ -1,0 +2,25 @@ +Thu Sep 18 13:33:58 UTC 2025 - Marcus Meissner <[email protected]> + +- Update to version 2.6.0: + - Require exclusively a SigningConfig or service URLs when signing (#4403) + - Add a terminal spinner while signing with sigstore-go (#4402) + - Bump sigstore-go, support alternative hash algorithms with keys (#4386) + - Add support for SigningConfig in sign/attest (#4371) + - Support self-managed keys when signing with sigstore-go (#4368) + - Remove SHA256 assumption in sign-blob/verify-blob (#4050) + - introduce dockerfile to pin the go version to decouple go version from go.mod (#4369) + - refactor: extract function to write referrer attestations (#4357) + - Break import cycle with e2e build tag (#4370) + - Update conformance test binary for signing config (#4367) + - update builder image to use go1.25 (#4366) + - Don't load content from TUF if trusted root path is specified (#4347) + - Don't require timestamps when verifying with a key (#4337) + - Fixes to cosign sign / verify for the new bundle format (#4346) + - update builder to use go1.24.6 (#4334) + - bump golangci-lint to v2.3.x (#4333) + - Have cosign sign support bundle format (#4316) + - Add support for SigningConfig for sign-blob/attest-blob, support Rekor v2 (#4319) + - Verify subject with bundle only when checking claims (#4320) + - Add to `attest-blob` the ability to supply a complete in-toto statement, and add to `verify-blob-attestation` the ability to verify with just a digest (#4306) + +------------------------------------------------------------------- Old: ---- cosign-2.5.3.obscpio New: ---- cosign-2.6.0.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cosign.spec ++++++ --- /var/tmp/diff_new_pack.5TBc5D/_old 2025-09-18 21:13:37.486882550 +0200 +++ /var/tmp/diff_new_pack.5TBc5D/_new 2025-09-18 21:13:37.486882550 +0200 @@ -17,7 +17,7 @@ Name: cosign -Version: 2.5.3 +Version: 2.6.0 Release: 0 Summary: Container Signing, Verification and Storage in an OCI registry License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.5TBc5D/_old 2025-09-18 21:13:37.526884238 +0200 +++ /var/tmp/diff_new_pack.5TBc5D/_new 2025-09-18 21:13:37.530884407 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/sigstore/cosign</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v2.5.3</param> + <param name="revision">v2.6.0</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.5TBc5D/_old 2025-09-18 21:13:37.554885420 +0200 +++ /var/tmp/diff_new_pack.5TBc5D/_new 2025-09-18 21:13:37.554885420 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/sigstore/cosign</param> - <param name="changesrevision">488ef8ceed5ab5d77379e9077a124a0d0df41d06</param></service></servicedata> + <param name="changesrevision">37fbfc7018fb4d60a9a2c9175bd64c75dda5869a</param></service></servicedata> (No newline at EOF) ++++++ cosign-2.5.3.obscpio -> cosign-2.6.0.obscpio ++++++ ++++ 10158 lines of diff (skipped) ++++++ cosign.obsinfo ++++++ --- /var/tmp/diff_new_pack.5TBc5D/_old 2025-09-18 21:13:37.938901628 +0200 +++ /var/tmp/diff_new_pack.5TBc5D/_new 2025-09-18 21:13:37.942901797 +0200 @@ -1,5 +1,5 @@ name: cosign -version: 2.5.3 -mtime: 1752782207 -commit: 488ef8ceed5ab5d77379e9077a124a0d0df41d06 +version: 2.6.0 +mtime: 1757706542 +commit: 37fbfc7018fb4d60a9a2c9175bd64c75dda5869a ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/cosign/vendor.tar.zst /work/SRC/openSUSE:Factory/.cosign.new.27445/vendor.tar.zst differ: char 7, line 1
