Update module github.com/sigstore/cosign to v1.12.0

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
github.com/sigstore/cosign	require	minor	v1.11.1 -> v1.12.0

---

Release Notes

sigstore/cosign

v1.12.0

Compare Source

Note: This release comes with a fix for CVE-2022-36056 described in this Github Security Advisory. Please upgrade to this release ASAP

Highlights

BREAKING: The fix for GHSA-GHSA-8gw7-4j42-w388 (CVE-2022-36056) means that some verify-blob commands that used to work may not anymore. In particular:

• When using verify-blob with signatures created with keyless mode, we require either COSIGN_EXPERIMENTAL=1 or a valid Rekor bundle for offline verification passed with --bundle.

If you upgrade and encounter other issues, please read the advisory in full; your prior checks may have been passing inappropriately.

What's Changed

• use scaffolding v0.4.6. by @​vaikas in https://github.com/sigstore/cosign/pull/2201
• Support non-ECDSA key types for verify-blob by @​haydentherapper in https://github.com/sigstore/cosign/pull/2203
• feat: integrate Alibaba Cloud Container Registry cred helper by @​mozillazg in https://github.com/sigstore/cosign/pull/2008
• remove double quotes, looks like it is passing as a single string to cosign and not as an array by @​cpanato in https://github.com/sigstore/cosign/pull/2205
• Upgrade to go1.19 by @​cpanato in https://github.com/sigstore/cosign/pull/2213
• Clarify error when KMS provider fails to load by @​znewman01 in https://github.com/sigstore/cosign/pull/2220
• feat: set annotations to generate additional bash completion information by @​dirien in https://github.com/sigstore/cosign/pull/2221
• Add deprecation warning for sget CLI and packages by @​imjasonh in https://github.com/sigstore/cosign/pull/2019
• upgrade setup-ko to point to new repo by @​imjasonh in https://github.com/sigstore/cosign/pull/2225
• update go builder to go1.19.1 by @​cpanato in https://github.com/sigstore/cosign/pull/2241
• Temp fix for e2e test by @​haydentherapper in https://github.com/sigstore/cosign/pull/2247
• update kind to use release v0.15.0 and some version comments by @​cpanato in https://github.com/sigstore/cosign/pull/2246
• Fix e2e test failure, add test for local bundle without rekor bundle by @​haydentherapper in https://github.com/sigstore/cosign/pull/2248
• fix: fix secret test, non-experimental bundle should pass by @​asraa in https://github.com/sigstore/cosign/pull/2249

New Contributors

• @​mozillazg made their first contribution in https://github.com/sigstore/cosign/pull/2008

Full Changelog: sigstore/cosign@v1.11.1...v1.12.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by Mend Renovate. View repository job log here.