Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package falcoctl for openSUSE:Factory checked in at 2026-01-29 17:45:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/falcoctl (Old) and /work/SRC/openSUSE:Factory/.falcoctl.new.1995 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "falcoctl" Thu Jan 29 17:45:09 2026 rev:11 rq:1329669 version:0.12.2 Changes: -------- --- /work/SRC/openSUSE:Factory/falcoctl/falcoctl.changes 2026-01-22 15:16:00.742817297 +0100 +++ /work/SRC/openSUSE:Factory/.falcoctl.new.1995/falcoctl.changes 2026-01-29 17:45:38.383093525 +0100 @@ -1,0 +2,13 @@ +Wed Jan 28 12:32:04 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 0.12.2: + * chore(deps): Bump github.com/theupdateframework/go-tuf/v2 + * fix(signature): pass registry credentials to cosign for + signature verification + * chore(deps): Bump actions/checkout in the actions group + * chore(deps): Bump github.com/sigstore/sigstore from 1.10.3 to + 1.10.4 + * chore(deps): Bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 + * chore(deps): Bump github.com/theupdateframework/go-tuf/v2 + +------------------------------------------------------------------- Old: ---- falcoctl-0.12.1.obscpio New: ---- falcoctl-0.12.2.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ falcoctl.spec ++++++ --- /var/tmp/diff_new_pack.A1IuFF/_old 2026-01-29 17:45:39.691148762 +0100 +++ /var/tmp/diff_new_pack.A1IuFF/_new 2026-01-29 17:45:39.695148931 +0100 @@ -17,7 +17,7 @@ Name: falcoctl -Version: 0.12.1 +Version: 0.12.2 Release: 0 Summary: CLI / Administrative tooling for Falco License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.A1IuFF/_old 2026-01-29 17:45:39.743150958 +0100 +++ /var/tmp/diff_new_pack.A1IuFF/_new 2026-01-29 17:45:39.751151296 +0100 
@@ -3,7 +3,7 @@ <param name="url">https://github.com/falcosecurity/falcoctl</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v0.12.1</param> + <param name="revision">v0.12.2</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.A1IuFF/_old 2026-01-29 17:45:39.775152309 +0100 +++ /var/tmp/diff_new_pack.A1IuFF/_new 2026-01-29 17:45:39.779152478 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/falcosecurity/falcoctl</param> - <param name="changesrevision">d35bf927a3c8ae109907183dcefea19ec9e9a054</param></service></servicedata> + <param name="changesrevision">ae89b7462adb8e9eff3b00eabe1da923211562e3</param></service></servicedata> (No newline at EOF) ++++++ falcoctl-0.12.1.obscpio -> falcoctl-0.12.2.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/falcoctl-0.12.1/cmd/artifact/install/install.go new/falcoctl-0.12.2/cmd/artifact/install/install.go --- old/falcoctl-0.12.1/cmd/artifact/install/install.go 2026-01-21 15:09:32.000000000 +0100 +++ new/falcoctl-0.12.2/cmd/artifact/install/install.go 2026-01-27 09:07:04.000000000 +0100 
@@ -297,7 +297,7 @@ digestRef := fmt.Sprintf("%s@%s", repo, result.RootDigest) logger.Info("Verifying signature for artifact", logger.Args("digest", digestRef)) - err = signature.Verify(ctx, digestRef, sig) + err = signature.Verify(ctx, digestRef, sig, o.PlainHTTP) if err != nil { return fmt.Errorf("error while verifying signature for %s: %w", digestRef, err) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/falcoctl-0.12.1/cmd/registry/auth/basic/basic.go new/falcoctl-0.12.2/cmd/registry/auth/basic/basic.go --- old/falcoctl-0.12.1/cmd/registry/auth/basic/basic.go 2026-01-21 15:09:32.000000000 +0100 +++ new/falcoctl-0.12.2/cmd/registry/auth/basic/basic.go 2026-01-27 09:07:04.000000000 +0100 @@ -26,7 +26,6 @@ "github.com/spf13/cobra" "github.com/spf13/viper" "golang.org/x/term" - "oras.land/oras-go/v2/registry/remote/credentials" "github.com/falcosecurity/falcoctl/internal/config" "github.com/falcosecurity/falcoctl/internal/login/basic" @@ -110,11 +109,9 @@ client := authn.NewClient() // create credential store - credentialStore, err := credentials.NewStore(config.RegistryCredentialConfPath(), credentials.StoreOptions{ - AllowPlaintextPut: true, - }) + credentialStore, err := authn.NewCredentialStore() if err != nil { - return fmt.Errorf("unable to create new store: %w", err) + return fmt.Errorf("unable to create credential store: %w", err) } if err := basic.Login(ctx, client, credentialStore, reg, o.username, o.password); err != nil { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/falcoctl-0.12.1/go.mod new/falcoctl-0.12.2/go.mod --- old/falcoctl-0.12.1/go.mod 2026-01-21 15:09:32.000000000 +0100 +++ new/falcoctl-0.12.2/go.mod 2026-01-27 09:07:04.000000000 +0100 @@ -1,6 +1,6 @@ module github.com/falcosecurity/falcoctl -go 1.25.0 +go 1.25.5 require ( cloud.google.com/go/storage v1.57.1 
@@ -26,7 +26,7 @@ github.com/pterm/pterm v0.12.80 github.com/robfig/cron/v3 v3.0.1 github.com/sigstore/cosign/v3 v3.0.4 - github.com/sigstore/sigstore v1.10.3 + github.com/sigstore/sigstore v1.10.4 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.3 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.10.3 github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.10.3 @@ -41,8 +41,8 @@ golang.org/x/oauth2 v0.34.0 golang.org/x/sys v0.40.0 golang.org/x/term v0.38.0 - google.golang.org/api v0.259.0 - gopkg.in/ini.v1 v1.67.0 + google.golang.org/api v0.260.0 + gopkg.in/ini.v1 v1.67.1 gopkg.in/yaml.v3 v3.0.1 k8s.io/api v0.35.0 k8s.io/apimachinery v0.35.0 @@ -168,18 +168,18 @@ github.com/fsnotify/fsnotify v1.9.0 // indirect github.com/fxamacker/cbor/v2 v2.9.0 // indirect github.com/gabriel-vasile/mimetype v1.4.11 // indirect - github.com/go-chi/chi/v5 v5.2.3 // indirect + github.com/go-chi/chi/v5 v5.2.4 // indirect github.com/go-errors/errors v1.5.1 // indirect github.com/go-jose/go-jose/v4 v4.1.3 // indirect github.com/go-logr/logr v1.4.3 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-openapi/analysis v0.24.1 // indirect - github.com/go-openapi/errors v0.22.5 // indirect + github.com/go-openapi/errors v0.22.6 // indirect github.com/go-openapi/jsonpointer v0.22.4 // indirect github.com/go-openapi/jsonreference v0.21.4 // indirect github.com/go-openapi/loads v0.23.2 // indirect github.com/go-openapi/runtime v0.29.2 // indirect - github.com/go-openapi/spec v0.22.2 // indirect + github.com/go-openapi/spec v0.22.3 // indirect github.com/go-openapi/strfmt v0.25.0 // indirect github.com/go-openapi/swag v0.25.4 // indirect github.com/go-openapi/swag/cmdutils v0.25.4 // indirect 
@@ -211,7 +211,7 @@ github.com/google/pprof v0.0.0-20250602020802-c6617b811d0e // indirect github.com/google/s2a-go v0.1.9 // indirect github.com/google/uuid v1.6.0 // indirect - github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.3.9 // indirect github.com/googleapis/gax-go/v2 v2.16.0 // indirect github.com/gorilla/handlers v1.5.2 // indirect github.com/gorilla/mux v1.8.1 // indirect @@ -285,21 +285,21 @@ github.com/prometheus/procfs v0.19.2 // indirect github.com/redis/go-redis/extra/rediscmd/v9 v9.5.3 // indirect github.com/redis/go-redis/extra/redisotel/v9 v9.5.3 // indirect - github.com/redis/go-redis/v9 v9.14.1 // indirect + github.com/redis/go-redis/v9 v9.17.2 // indirect github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/ryanuber/go-glob v1.0.0 // indirect github.com/sagikazarmark/locafero v0.11.0 // indirect github.com/sassoftware/relic v7.2.1+incompatible // indirect - github.com/secure-systems-lab/go-securesystemslib v0.9.1 // indirect + github.com/secure-systems-lab/go-securesystemslib v0.10.0 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect github.com/sigstore/fulcio v1.8.5 // indirect github.com/sigstore/protobuf-specs v0.5.0 // indirect - github.com/sigstore/rekor v1.4.3 // indirect + github.com/sigstore/rekor v1.5.0 // indirect github.com/sigstore/rekor-tiles/v2 v2.0.1 // indirect github.com/sigstore/sigstore-go v1.1.4 // indirect github.com/sigstore/timestamp-authority/v2 v2.0.4 // indirect - github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect + github.com/sirupsen/logrus v1.9.4 // indirect github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect github.com/spf13/afero v1.15.0 // indirect github.com/spf13/cast v1.10.0 // indirect 
@@ -308,7 +308,7 @@ github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect github.com/thales-e-security/pool v0.0.2 // indirect github.com/theupdateframework/go-tuf v0.7.0 // indirect - github.com/theupdateframework/go-tuf/v2 v2.3.0 // indirect + github.com/theupdateframework/go-tuf/v2 v2.4.1 // indirect github.com/tidwall/btree v1.6.0 // indirect github.com/tidwall/buntdb v1.3.0 // indirect github.com/tidwall/gjson v1.18.0 // indirect @@ -385,7 +385,7 @@ sigs.k8s.io/kustomize/api v0.20.1 // indirect sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect sigs.k8s.io/randfill v1.0.0 // indirect - sigs.k8s.io/release-utils v0.12.2 // indirect + sigs.k8s.io/release-utils v0.12.3 // indirect sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect sigs.k8s.io/yaml v1.6.0 // indirect ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/falcoctl-0.12.1/go.sum new/falcoctl-0.12.2/go.sum --- old/falcoctl-0.12.1/go.sum 2026-01-21 15:09:32.000000000 +0100 +++ new/falcoctl-0.12.2/go.sum 2026-01-27 09:07:04.000000000 +0100 @@ -377,8 +377,8 @@ github.com/gkampitakis/go-diff v1.3.2/go.mod h1:LLgOrpqleQe26cte8s36HTWcTmMEur6OPYerdAAS9tk= github.com/gkampitakis/go-snaps v0.5.15 h1:amyJrvM1D33cPHwVrjo9jQxX8g/7E2wYdZ+01KS3zGE= github.com/gkampitakis/go-snaps v0.5.15/go.mod h1:HNpx/9GoKisdhw9AFOBT1N7DBs9DiHo/hGheFGBZ+mc= -github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE= -github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops= +github.com/go-chi/chi/v5 v5.2.4 h1:WtFKPHwlywe8Srng8j2BhOD9312j9cGUxG1SP4V2cR4= +github.com/go-chi/chi/v5 v5.2.4/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0= github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk= github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs= 
@@ -395,8 +395,8 @@ github.com/go-oauth2/oauth2/v4 v4.5.3/go.mod h1:ryzb7zr8fdQBlciD0+tcnEWeOok5B0J8V/DniwYqQ2k= github.com/go-openapi/analysis v0.24.1 h1:Xp+7Yn/KOnVWYG8d+hPksOYnCYImE3TieBa7rBOesYM= github.com/go-openapi/analysis v0.24.1/go.mod h1:dU+qxX7QGU1rl7IYhBC8bIfmWQdX4Buoea4TGtxXY84= -github.com/go-openapi/errors v0.22.5 h1:Yfv4O/PRYpNF3BNmVkEizcHb3uLVVsrDt3LNdgAKRY4= -github.com/go-openapi/errors v0.22.5/go.mod h1:z9S8ASTUqx7+CP1Q8dD8ewGH/1JWFFLX/2PmAYNQLgk= +github.com/go-openapi/errors v0.22.6 h1:eDxcf89O8odEnohIXwEjY1IB4ph5vmbUsBMsFNwXWPo= +github.com/go-openapi/errors v0.22.6/go.mod h1:z9S8ASTUqx7+CP1Q8dD8ewGH/1JWFFLX/2PmAYNQLgk= github.com/go-openapi/jsonpointer v0.22.4 h1:dZtK82WlNpVLDW2jlA1YCiVJFVqkED1MegOUy9kR5T4= github.com/go-openapi/jsonpointer v0.22.4/go.mod h1:elX9+UgznpFhgBuaMQ7iu4lvvX1nvNsesQ3oxmYTw80= github.com/go-openapi/jsonreference v0.21.4 h1:24qaE2y9bx/q3uRK/qN+TDwbok1NhbSmGjjySRCHtC8= @@ -405,8 +405,8 @@ github.com/go-openapi/loads v0.23.2/go.mod h1:IEVw1GfRt/P2Pplkelxzj9BYFajiWOtY2nHZNj4UnWY= github.com/go-openapi/runtime v0.29.2 h1:UmwSGWNmWQqKm1c2MGgXVpC2FTGwPDQeUsBMufc5Yj0= github.com/go-openapi/runtime v0.29.2/go.mod h1:biq5kJXRJKBJxTDJXAa00DOTa/anflQPhT0/wmjuy+0= -github.com/go-openapi/spec v0.22.2 h1:KEU4Fb+Lp1qg0V4MxrSCPv403ZjBl8Lx1a83gIPU8Qc= -github.com/go-openapi/spec v0.22.2/go.mod h1:iIImLODL2loCh3Vnox8TY2YWYJZjMAKYyLH2Mu8lOZs= +github.com/go-openapi/spec v0.22.3 h1:qRSmj6Smz2rEBxMnLRBMeBWxbbOvuOoElvSvObIgwQc= +github.com/go-openapi/spec v0.22.3/go.mod h1:iIImLODL2loCh3Vnox8TY2YWYJZjMAKYyLH2Mu8lOZs= github.com/go-openapi/strfmt v0.25.0 h1:7R0RX7mbKLa9EYCTHRcCuIPcaqlyQiWNPTXwClK0saQ= github.com/go-openapi/strfmt v0.25.0/go.mod h1:nNXct7OzbwrMY9+5tLX4I21pzcmE6ccMGXl3jFdPfn8= github.com/go-openapi/swag v0.25.4 h1:OyUPUFYDPDBMkqyxOTkqDYFnrhuhi9NR6QVUvIochMU= 
@@ -535,8 +535,8 @@ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/enterprise-certificate-proxy v0.3.7 h1:zrn2Ee/nWmHulBx5sAVrGgAa0f2/R35S4DJwfFaUPFQ= -github.com/googleapis/enterprise-certificate-proxy v0.3.7/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA= +github.com/googleapis/enterprise-certificate-proxy v0.3.9 h1:TOpi/QG8iDcZlkQlGlFUti/ZtyLkliXvHDcyUIMuFrU= +github.com/googleapis/enterprise-certificate-proxy v0.3.9/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA= github.com/googleapis/gax-go/v2 v2.16.0 h1:iHbQmKLLZrexmb0OSsNGTeSTS0HO4YvFOG8g5E4Zd0Y= github.com/googleapis/gax-go/v2 v2.16.0/go.mod h1:o1vfQjjNZn4+dPnRdl/4ZD7S9414Y4xA+a/6Icj6l14= github.com/gookit/assert v0.1.1 h1:lh3GcawXe/p+cU7ESTZ5Ui3Sm/x8JWpIis4/1aF0mY0= @@ -813,8 +813,8 @@ github.com/redis/go-redis/extra/rediscmd/v9 v9.5.3/go.mod h1:3dZmcLn3Qw6FLlWASn1g4y+YO9ycEFUOM+bhBmzLVKQ= github.com/redis/go-redis/extra/redisotel/v9 v9.5.3 h1:kuvuJL/+MZIEdvtb/kTBRiRgYaOmx1l+lYJyVdrRUOs= github.com/redis/go-redis/extra/redisotel/v9 v9.5.3/go.mod h1:7f/FMrf5RRRVHXgfk7CzSVzXHiWeuOQUu2bsVqWoa+g= -github.com/redis/go-redis/v9 v9.14.1 h1:nDCrEiJmfOWhD76xlaw+HXT0c9hfNWeXgl0vIRYSDvQ= -github.com/redis/go-redis/v9 v9.14.1/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw= +github.com/redis/go-redis/v9 v9.17.2 h1:P2EGsA4qVIM3Pp+aPocCJ7DguDHhqrXNhVcEp4ViluI= +github.com/redis/go-redis/v9 v9.17.2/go.mod h1:u410H11HMLoB+TP67dz8rL9s6QW2j76l0//kSOd3370= github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE= github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= 
@@ -833,8 +833,8 @@ github.com/sassoftware/relic/v7 v7.6.2 h1:rS44Lbv9G9eXsukknS4mSjIAuuX+lMq/FnStgmZlUv4= github.com/sassoftware/relic/v7 v7.6.2/go.mod h1:kjmP0IBVkJZ6gXeAu35/KCEfca//+PKM6vTAsyDPY+k= github.com/sclevine/agouti v3.0.0+incompatible/go.mod h1:b4WX9W9L1sfQKXeJf1mUTLZKJ48R1S7H23Ji7oFO5Bw= -github.com/secure-systems-lab/go-securesystemslib v0.9.1 h1:nZZaNz4DiERIQguNy0cL5qTdn9lR8XKHf4RUyG1Sx3g= -github.com/secure-systems-lab/go-securesystemslib v0.9.1/go.mod h1:np53YzT0zXGMv6x4iEWc9Z59uR+x+ndLwCLqPYpLXVU= +github.com/secure-systems-lab/go-securesystemslib v0.10.0 h1:l+H5ErcW0PAehBNrBxoGv1jjNpGYdZ9RcheFkB2WI14= +github.com/secure-systems-lab/go-securesystemslib v0.10.0/go.mod h1:MRKONWmRoFzPNQ9USRF9i1mc7MvAVvF1LlW8X5VWDvk= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= 
@@ -847,12 +847,12 @@ github.com/sigstore/fulcio v1.8.5/go.mod h1:tSLYK3JsKvJpDW1BsIsVHZgHj+f8TjXARzqIUWSsSPQ= github.com/sigstore/protobuf-specs v0.5.0 h1:F8YTI65xOHw70NrvPwJ5PhAzsvTnuJMGLkA4FIkofAY= github.com/sigstore/protobuf-specs v0.5.0/go.mod h1:+gXR+38nIa2oEupqDdzg4qSBT0Os+sP7oYv6alWewWc= -github.com/sigstore/rekor v1.4.3 h1:2+aw4Gbgumv8vYM/QVg6b+hvr4x4Cukur8stJrVPKU0= -github.com/sigstore/rekor v1.4.3/go.mod h1:o0zgY087Q21YwohVvGwV9vK1/tliat5mfnPiVI3i75o= +github.com/sigstore/rekor v1.5.0 h1:rL7SghHd5HLCtsCrxw0yQg+NczGvM75EjSPPWuGjaiQ= +github.com/sigstore/rekor v1.5.0/go.mod h1:D7JoVCUkxwQOpPDNYeu+CE8zeBC18Y5uDo6tF8s2rcQ= github.com/sigstore/rekor-tiles/v2 v2.0.1 h1:1Wfz15oSRNGF5Dzb0lWn5W8+lfO50ork4PGIfEKjZeo= github.com/sigstore/rekor-tiles/v2 v2.0.1/go.mod h1:Pjsbhzj5hc3MKY8FfVTYHBUHQEnP0ozC4huatu4x7OU= -github.com/sigstore/sigstore v1.10.3 h1:s7fBYYOzW/2Vd0nND2ZdpWySb5vRF2u9eix/NZMHJm0= -github.com/sigstore/sigstore v1.10.3/go.mod h1:T26vXIkpnGEg391v3TaZ8EERcXbnjtZb/1erh5jbIQk= +github.com/sigstore/sigstore v1.10.4 h1:ytOmxMgLdcUed3w1SbbZOgcxqwMG61lh1TmZLN+WeZE= +github.com/sigstore/sigstore v1.10.4/go.mod h1:tDiyrdOref3q6qJxm2G+JHghqfmvifB7hw+EReAfnbI= github.com/sigstore/sigstore-go v1.1.4 h1:wTTsgCHOfqiEzVyBYA6mDczGtBkN7cM8mPpjJj5QvMg= github.com/sigstore/sigstore-go v1.1.4/go.mod h1:2U/mQOT9cjjxrtIUeKDVhL+sHBKsnWddn8URlswdBsg= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.3 h1:D/FRl5J9UYAJPGZRAJbP0dH78pfwWnKsyCSBwFBU8CI= 
@@ -867,8 +867,8 @@ github.com/sigstore/timestamp-authority/v2 v2.0.4/go.mod h1:EXJLiMDBqRPlzC02hPiFSiYTCqSuUpU68a4vr0DFePM= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= -github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af h1:Sp5TG9f7K39yfB+If0vjp97vuT74F72r8hfRpP8jLU0= -github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w= +github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= github.com/smartystreets/assertions v1.1.0 h1:MkTeG1DMwsrdH7QtLXy5W+fUxWq+vmb6cLmyJ7aRtF0= github.com/smartystreets/assertions v1.1.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo= @@ -906,6 +906,7 @@ github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= 
@@ -916,8 +917,8 @@ github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU= github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI= github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug= -github.com/theupdateframework/go-tuf/v2 v2.3.0 h1:gt3X8xT8qu/HT4w+n1jgv+p7koi5ad8XEkLXXZqG9AA= -github.com/theupdateframework/go-tuf/v2 v2.3.0/go.mod h1:xW8yNvgXRncmovMLvBxKwrKpsOwJZu/8x+aB0KtFcdw= +github.com/theupdateframework/go-tuf/v2 v2.4.1 h1:K6ewW064rKZCPkRo1W/CTbTtm/+IB4+coG1iNURAGCw= +github.com/theupdateframework/go-tuf/v2 v2.4.1/go.mod h1:Nex2enPVYDFCklrnbTzl3OVwD7fgIAj0J5++z/rvCj8= github.com/tidwall/assert v0.1.0 h1:aWcKyRBUAdLoVebxo95N7+YZVTFF/ASTr7BN4sLP6XI= github.com/tidwall/assert v0.1.0/go.mod h1:QLYtGyeqse53vuELQheYl9dngGCJQ+mTtlxcktb+Kj8= github.com/tidwall/btree v0.0.0-20191029221954-400434d76274/go.mod h1:huei1BkDWJ3/sLXmO+bsCNELL+Bp2Kks9OLyQFkzvA8= @@ -1182,7 +1183,6 @@ golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20221010170243-090e33056c14/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -1233,8 +1233,8 @@ golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= -google.golang.org/api v0.259.0 h1:90TaGVIxScrh1Vn/XI2426kRpBqHwWIzVBzJsVZ5XrQ= -google.golang.org/api v0.259.0/go.mod h1:LC2ISWGWbRoyQVpxGntWwLWN/vLNxxKBK9KuJRI8Te4= +google.golang.org/api v0.260.0 h1:XbNi5E6bOVEj/uLXQRlt6TKuEzMD7zvW/6tNwltE4P4= +google.golang.org/api v0.260.0/go.mod h1:Shj1j0Phr/9sloYrKomICzdYgsSDImpTxME8rGLaZ/o= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= @@ -1274,8 +1274,9 @@ gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.56.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/ini.v1 v1.67.1 h1:tVBILHy0R6e4wkYOn3XmiITt/hEVH4TFMYvAX2Ytz6k= +gopkg.in/ini.v1 v1.67.1/go.mod h1:x/cyOwCgZqOkJoDIJ3c1KNHMo10+nLGAhh+kn3Zizss= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 
@@ -1352,8 +1353,8 @@ sigs.k8s.io/kustomize/kyaml v0.20.1/go.mod h1:0EmkQHRUsJxY8Ug9Niig1pUMSCGHxQ5RklbpV/Ri6po= sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= -sigs.k8s.io/release-utils v0.12.2 h1:H06v3FuLElAkf7Ikkd9ll8hnhdtQ+OgktJAni3iIAl8= -sigs.k8s.io/release-utils v0.12.2/go.mod h1:Ab9Lb/FpGUw4lUXj1QYbUcF2TRzll+GS7Md54W1G7sA= +sigs.k8s.io/release-utils v0.12.3 h1:iNVJY81QfmMCmXxMg8IvvkkeQNk6ZWlLj+iPKSlKyVQ= +sigs.k8s.io/release-utils v0.12.3/go.mod h1:BvbNmm1BmM3cnEpBmNHWL3wOSziOdGlsYR8vCFq/Q0o= sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco= sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/falcoctl-0.12.1/internal/cosign/verify.go new/falcoctl-0.12.2/internal/cosign/verify.go --- old/falcoctl-0.12.1/internal/cosign/verify.go 2026-01-21 15:09:32.000000000 +0100 +++ new/falcoctl-0.12.2/internal/cosign/verify.go 2026-01-27 09:07:04.000000000 +0100 @@ -112,6 +112,11 @@ return fmt.Errorf("constructing client options: %w", err) } + // Allow HTTP registries when configured + if c.AllowHTTPRegistry || c.AllowInsecure { + c.NameOptions = append(c.NameOptions, name.Insecure) + } + co := &cosign.CheckOpts{ Annotations: c.Annotations.Annotations, RegistryClientOpts: ociremoteOpts, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/falcoctl-0.12.1/internal/follower/follower.go new/falcoctl-0.12.2/internal/follower/follower.go --- old/falcoctl-0.12.1/internal/follower/follower.go 2026-01-21 15:09:32.000000000 +0100 +++ new/falcoctl-0.12.2/internal/follower/follower.go 2026-01-27 09:07:04.000000000 +0100 
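Review bot: The condition `c.AllowHTTPRegistry || c.AllowInsecure` in the internal/cosign/verify.go hunk does more than the comment above it says: either flag alone appends `name.Insecure`, so a caller that sets only `AllowInsecure` also gets references that may be reached over plain HTTP. If that is intended, the comment should say so, for example `// name.Insecure permits an http:// registry; applied for AllowHTTPRegistry or AllowInsecure`. The append also writes back to `c.NameOptions`, so if `c` is a pointer receiver and the command value is reused, the option accumulates on every call; a local slice would avoid that. The enclosing function starts and ends outside the hunk, so where `c.NameOptions` is consumed is not visible here.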
@@ -387,7 +387,8 @@ // Verify the signature if needed if f.Config.Signature != nil { f.logger.Debug("Verifying signature", f.logger.Args("followerName", f.ref, "digest", digestRef)) - err = signature.Verify(ctx, digestRef, f.Config.Signature) + //nolint:staticcheck // Ignore QF1008: we want to keep embedded config.Signature field + err = signature.Verify(ctx, digestRef, f.Config.Signature, f.Config.PlainHTTP) if err != nil { return filePaths, res, fmt.Errorf("could not verify signature for %s: %w", res.RootDigest, err) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/falcoctl-0.12.1/internal/signature/signature.go new/falcoctl-0.12.2/internal/signature/signature.go --- old/falcoctl-0.12.1/internal/signature/signature.go 2026-01-21 15:09:32.000000000 +0100 +++ new/falcoctl-0.12.2/internal/signature/signature.go 2026-01-27 09:07:04.000000000 +0100 @@ -17,15 +17,18 @@ import ( "context" + "fmt" "github.com/sigstore/cosign/v3/cmd/cosign/cli/options" "github.com/falcosecurity/falcoctl/internal/cosign" "github.com/falcosecurity/falcoctl/pkg/index/index" + "github.com/falcosecurity/falcoctl/pkg/oci/authn" ) // Verify checks that a fully qualified reference is signed according to the parameters. -func Verify(ctx context.Context, ref string, signature *index.Signature) error { +// It uses the same authentication sources as falcoctl's artifact operations. +func Verify(ctx context.Context, ref string, signature *index.Signature, plainHTTP bool) error { if signature == nil { // nothing to do return nil 
@@ -36,7 +39,17 @@ return nil } + keychain, err := authn.NewKeychain() + if err != nil { + return fmt.Errorf("failed to create keychain: %w", err) + } + v := cosign.VerifyCommand{ + RegistryOptions: options.RegistryOptions{ + AllowHTTPRegistry: plainHTTP, + AllowInsecure: plainHTTP, + Keychain: keychain, + }, CertVerifyOptions: options.CertVerifyOptions{ CertIdentity: signature.Cosign.CertificateIdentity, CertIdentityRegexp: signature.Cosign.CertificateIdentityRegexp, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/falcoctl-0.12.1/internal/signature/signature_test.go new/falcoctl-0.12.2/internal/signature/signature_test.go --- old/falcoctl-0.12.1/internal/signature/signature_test.go 2026-01-21 15:09:32.000000000 +0100 +++ new/falcoctl-0.12.2/internal/signature/signature_test.go 2026-01-27 09:07:04.000000000 +0100 @@ -24,7 +24,7 @@ func TestVerify_NilSignature(t *testing.T) { ctx := context.Background() - err := Verify(ctx, "ghcr.io/test/image:latest", nil) + err := Verify(ctx, "ghcr.io/test/image:latest", nil, false) if err != nil { t.Errorf("Verify with nil signature should return nil, got: %v", err) } @@ -35,7 +35,7 @@ sig := &index.Signature{ Cosign: nil, } - err := Verify(ctx, "ghcr.io/test/image:latest", sig) + err := Verify(ctx, "ghcr.io/test/image:latest", sig, false) if err != nil { t.Errorf("Verify with nil Cosign should return nil, got: %v", err) } @@ -50,7 +50,7 @@ }, } // Empty ref should fail during parsing - err := Verify(ctx, "", sig) + err := Verify(ctx, "", sig, false) if err == nil { t.Error("Verify with empty ref should return an error") } 
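Review bot: In the signature.go hunk, `AllowInsecure: plainHTTP` ties two separate relaxations to one switch, and the same `RegistryOptions` now carries `Keychain: keychain`. With `plainHTTP` set, whatever the keychain resolves for the registry (username and password, or a token) can therefore travel over an unencrypted connection during verification. In cosign's registry options `AllowInsecure` is, as far as I can tell, the setting that tolerates invalid TLS certificates rather than the one that permits HTTP, so it is worth confirming that both are wanted; if not, keep only `AllowHTTPRegistry: plainHTTP,`. The doc comment on `Verify` should also state that `plainHTTP` weakens transport protection for stored registry credentials, so callers enable it only for local or test registries.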
@@ -65,8 +65,78 @@ }, } // Invalid ref should fail during parsing - err := Verify(ctx, "not a valid ref!!!", sig) + err := Verify(ctx, "not a valid ref!!!", sig, false) if err == nil { t.Error("Verify with invalid ref should return an error") } } + +func TestVerify_PlainHTTP(t *testing.T) { + ctx := context.Background() + sig := &index.Signature{ + Cosign: &index.CosignSignature{ + CertificateOidcIssuer: "https://token.actions.githubusercontent.com", + CertificateIdentity: "[email protected]", + }, + } + // This should create keychain and set plainHTTP options correctly + // It will fail because the image doesn't exist, but the keychain creation should work + err := Verify(ctx, "localhost:5000/test/image:latest", sig, true) + // We expect an error (image doesn't exist), but not a keychain creation error + if err == nil { + t.Error("Verify should fail for non-existent image") + } + // The error should be about the image not existing, not about keychain + if err != nil && err.Error() == "failed to create keychain" { + t.Errorf("Verify should not fail on keychain creation: %v", err) + } +} + +func TestVerify_WithKeyRef(t *testing.T) { + ctx := context.Background() + sig := &index.Signature{ + Cosign: &index.CosignSignature{ + KeyRef: "cosign.pub", + }, + } + // This tests that KeyRef is properly passed to cosign + err := Verify(ctx, "ghcr.io/test/image:latest", sig, false) + // We expect an error (image doesn't exist), but the signature config should be valid + if err == nil { + t.Error("Verify should fail for non-existent image") + } +} + +func TestVerify_WithIgnoreTlog(t *testing.T) { + ctx := context.Background() + sig := &index.Signature{ + Cosign: &index.CosignSignature{ + CertificateOidcIssuer: "https://token.actions.githubusercontent.com", + CertificateIdentity: "[email protected]", + IgnoreTlog: true, + }, + } + // This tests that IgnoreTlog is properly passed to cosign + err := Verify(ctx, "ghcr.io/test/image:latest", sig, false) + // We expect an error 
(image doesn't exist), but the signature config should be valid + if err == nil { + t.Error("Verify should fail for non-existent image") + } +} + +func TestVerify_WithCertIdentityRegexp(t *testing.T) { + ctx := context.Background() + sig := &index.Signature{ + Cosign: &index.CosignSignature{ + CertificateOidcIssuer: "https://token.actions.githubusercontent.com", + CertificateIdentityRegexp: ".*@example.com", + CertificateOidcIssuerRegexp: "https://token.actions.*", + }, + } + // This tests that regexp options are properly passed to cosign + err := Verify(ctx, "ghcr.io/test/image:latest", sig, false) + // We expect an error (image doesn't exist), but the signature config should be valid + if err == nil { + t.Error("Verify should fail for non-existent image") + } +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/falcoctl-0.12.1/pkg/oci/authn/client.go new/falcoctl-0.12.2/pkg/oci/authn/client.go --- old/falcoctl-0.12.1/pkg/oci/authn/client.go 2026-01-21 15:09:32.000000000 +0100 +++ new/falcoctl-0.12.2/pkg/oci/authn/client.go 2026-01-27 09:07:04.000000000 +0100 @@ -1,5 +1,5 @@ // SPDX-License-Identifier: Apache-2.0 -// Copyright (C) 2023 The Falco Authors +// Copyright (C) 2026 The Falco Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -23,6 +23,8 @@ "oras.land/oras-go/v2/registry/remote/auth" "oras.land/oras-go/v2/registry/remote/credentials" + + "github.com/falcosecurity/falcoctl/internal/config" ) const ( 
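Review bot: The keychain check in `TestVerify_PlainHTTP` can never fire: `Verify` wraps the error as `failed to create keychain: %w`, so `err.Error() == "failed to create keychain"` is always false and the test passes even when keychain creation is what failed. Match on the prefix instead, `if err != nil && strings.HasPrefix(err.Error(), "failed to create keychain") {`, which needs the `strings` import. The other new tests assert only that some error is returned, so they do not show that `KeyRef`, `IgnoreTlog` or the regexp fields reach cosign as their comments claim. They also depend on the network and on the host's registry credential configuration.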
@@ -151,3 +153,11 @@
 c.ClientTokenCache = cache
 }
 }
+
+// NewCredentialStore creates a new credential store using falcoctl's configuration.
+// This is the single source of truth for creating credential stores in falcoctl.
+func NewCredentialStore() (credentials.Store, error) {
+ return credentials.NewStore(config.RegistryCredentialConfPath(), credentials.StoreOptions{
+ AllowPlaintextPut: true,
+ })
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/falcoctl-0.12.1/pkg/oci/authn/keychain.go new/falcoctl-0.12.2/pkg/oci/authn/keychain.go
--- old/falcoctl-0.12.1/pkg/oci/authn/keychain.go 1970-01-01 01:00:00.000000000 +0100
+++ new/falcoctl-0.12.2/pkg/oci/authn/keychain.go 2026-01-27 09:07:04.000000000 +0100
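Review bot: The doc comment on `NewCredentialStore` does not mention that the store is created with `AllowPlaintextPut: true`, which in oras-go lets `Put` write credentials unencrypted into the config file when no native credential helper is available. The basic-auth login path already used this setting, but the constructor is now shared with the read-only keychain used for signature verification, so the trade-off should be stated where it is defined. Suggested addition: `// The store allows plaintext Put: without a native credential helper, credentials are written unencrypted to the registry credential config file.`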
@@ -0,0 +1,101 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (C) 2026 The Falco Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package authn
+
+import (
+ "context"
+
+ "github.com/google/go-containerregistry/pkg/authn"
+ "github.com/google/go-containerregistry/pkg/v1/google"
+ "golang.org/x/exp/slices"
+ "oras.land/oras-go/v2/registry/remote/credentials"
+
+ "github.com/falcosecurity/falcoctl/internal/config"
+)
+
+// Keychain implements authn.Keychain using the same authentication
+// sources that falcoctl uses for pulling artifacts:
+// 1. Falcoctl credential store (from falcoctl registry auth basic).
+// 2. OAuth2 client credentials (from falcoctl's config).
+// 3. GCP credentials (for registries configured with falcoctl registry auth gcp).
+type Keychain struct {
+ credentialStore credentials.Store
+ oauthStore OAuthClientCredentialsStore
+}
+
+// NewKeychain creates a new keychain that uses falcoctl's authentication sources.
+func NewKeychain() (*Keychain, error) {
+ credentialStore, err := NewCredentialStore()
+ if err != nil {
+ return nil, err
+ }
+
+ return &Keychain{
+ credentialStore: credentialStore,
+ oauthStore: NewOauthClientCredentialsStore(),
+ }, nil
+}
+
+// Resolve implements authn.Keychain.
+func (k *Keychain) Resolve(resource authn.Resource) (authn.Authenticator, error) {
+ ctx := context.Background()
+ registry := resource.RegistryStr()
+
+ // 1. Try credential store (from falcoctl registry auth basic)
+ cred, err := k.credentialStore.Get(ctx, registry)
+ if err == nil && (cred.Username != "" || cred.AccessToken != "") {
+ if cred.AccessToken != "" {
+ return authn.FromConfig(authn.AuthConfig{
+ RegistryToken: cred.AccessToken,
+ }), nil
+ }
+ return authn.FromConfig(authn.AuthConfig{
+ Username: cred.Username,
+ Password: cred.Password,
+ }), nil
+ }
+
+ // 2. Try OAuth2 client credentials
+ oauthCred, err := k.oauthStore.Credential(ctx, registry)
+ if err == nil && oauthCred.AccessToken != "" {
+ return authn.FromConfig(authn.AuthConfig{
+ RegistryToken: oauthCred.AccessToken,
+ }), nil
+ }
+
+ // 3. Try GCP credentials (for registries configured with falcoctl registry auth gcp)
+ if isGCPRegistry(registry) {
+ return google.Keychain.Resolve(resource)
+ }
+
+ // No credentials found
+ return authn.Anonymous, nil
+}
+
+// isGCPRegistry checks if the registry is configured for GCP authentication
+// in falcoctl's configuration (via falcoctl registry auth gcp).
+func isGCPRegistry(registry string) bool {
+ gcpAuths, err := config.Gcps()
+ if err != nil {
+ return false
+ }
+
+ idx := slices.IndexFunc(gcpAuths, func(c config.GcpAuth) bool {
+ return c.Registry == registry
+ })
+
+ return idx != -1
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/falcoctl-0.12.1/pkg/oci/utils/utils.go new/falcoctl-0.12.2/pkg/oci/utils/utils.go
--- old/falcoctl-0.12.1/pkg/oci/utils/utils.go 2026-01-21 15:09:32.000000000 +0100
+++ new/falcoctl-0.12.2/pkg/oci/utils/utils.go 2026-01-27 09:07:04.000000000 +0100
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: Apache-2.0
-// Copyright (C) 2023 The Falco Authors
+// Copyright (C) 2026 The Falco Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
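Review bot: In `Keychain.Resolve` (pkg/oci/authn/keychain.go), a non-nil `err` from `k.credentialStore.Get` or from `k.oauthStore.Credential` is dropped, so an unreadable credential file, a failing helper or a failed token fetch falls through to `authn.Anonymous`. `isGCPRegistry` does the same with the error from `config.Gcps()`. For a private registry the signature check would then presumably fail later with an authorization error that hides the real cause. I would surface the failure instead, e.g. `if err != nil { return nil, fmt.Errorf("reading credentials for %q: %w", registry, err) }` after the `Get` call, assuming the store returns an empty credential with a nil error when there is simply no entry, or at least log it before falling back. Separately, a stored credential carrying only a `RefreshToken` is not mapped to `AuthConfig.IdentityToken`, so it either resolves as anonymous or is sent as basic auth with an empty password; worth confirming that case is not expected.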
@@ -21,9 +21,7 @@ "oras.land/oras-go/v2/registry/remote" "oras.land/oras-go/v2/registry/remote/auth" - "oras.land/oras-go/v2/registry/remote/credentials" - "github.com/falcosecurity/falcoctl/internal/config" "github.com/falcosecurity/falcoctl/pkg/oci/authn" ocipuller "github.com/falcosecurity/falcoctl/pkg/oci/puller" ocipusher "github.com/falcosecurity/falcoctl/pkg/oci/pusher" @@ -53,11 +51,9 @@ // Client returns a new auth.Client. // It authenticates the client if credentials are found in the system. func Client(enableClientTokenCache bool) (remote.Client, error) { - credentialStore, err := credentials.NewStore(config.RegistryCredentialConfPath(), credentials.StoreOptions{ - AllowPlaintextPut: true, - }) + credentialStore, err := authn.NewCredentialStore() if err != nil { - return nil, fmt.Errorf("unable to create new store: %w", err) + return nil, fmt.Errorf("unable to create credential store: %w", err) } // create client that ++++++ falcoctl.obsinfo ++++++ --- /var/tmp/diff_new_pack.A1IuFF/_old 2026-01-29 17:45:40.423179674 +0100 +++ /var/tmp/diff_new_pack.A1IuFF/_new 2026-01-29 17:45:40.427179843 +0100 @@ -1,5 +1,5 @@ name: falcoctl -version: 0.12.1 -mtime: 1769004572 -commit: d35bf927a3c8ae109907183dcefea19ec9e9a054 +version: 0.12.2 +mtime: 1769501224 +commit: ae89b7462adb8e9eff3b00eabe1da923211562e3 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/falcoctl/vendor.tar.gz /work/SRC/openSUSE:Factory/.falcoctl.new.1995/vendor.tar.gz differ: char 145, line 1
