chore(deps): update module github.com/sigstore/cosign/v3 to v3.0.5 [security]

[renovate-rancher]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/sigstore/cosign/v3	v3.0.4 → v3.0.5

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped in github.com/sigstore/cosign

BIT-cosign-2026-24122 / CVE-2026-24122 / GHSA-wfqv-66vq-46rm / GO-2026-4529

More information

Details

Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped in github.com/sigstore/cosign

Severity

Unknown

References

• https://github.com/sigstore/cosign/security/advisories/GHSA-wfqv-66vq-46rm
• https://nvd.nist.gov/vuln/detail/CVE-2026-24122
• https://github.com/sigstore/cosign/commit/3c9a7363f563db76d78e2de2cabd945450f3781e
• https://github.com/sigstore/cosign/releases/tag/v3.0.5

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Release Notes

sigstore/cosign (github.com/sigstore/cosign/v3)

v3.0.5

Compare Source

Deprecations

• Deprecate rekor-entry-type flag (#​4691)
• Deprecate cosign triangulate (#​4676)
• Deprecate cosign copy (#​4681)

Features

• Automatically require signed timestamp with Rekor v2 entries (#​4666)
• Allow --local-image with --new-bundle-format for v2 and v3 signatures (#​4626)
• Add mTLS support for TSA client connections when signing with a signing config (#​4620)
• Enforce TSA requirement for Rekor v2, Fuclio signing (#​4683)

Bug Fixes

• Add empty predicate to cosign sign when payload type is application/vnd.in-toto+json (#​4635)
• fix: avoid panic on malformed attestation payload (#​4651)
• fix: avoid panic on malformed tlog entries (#​4649)
• fix: avoid panic on malformed replace payload (#​4653)
• Gracefully fail if bundle payload body is not a string (#​4648)
• Verify validity of chain rather than just certificate (#​4663)
• fix: avoid panic on malformed tlog entry body (#​4652)

Documentation

• docs(cosign): clarify RFC3161 revocation semantics (#​4642)
• Fix typo in CLI help (#​4701)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[renovate-rancher]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 17 additional dependencies were updated

Details:

Package	Change
github.com/sirupsen/logrus	v1.9.4-0.20230606125235-dd1b4c2e81af -> v1.9.4
github.com/grpc-ecosystem/grpc-gateway/v2	v2.27.3 -> v2.27.5
github.com/miekg/pkcs11	v1.1.1 -> v1.1.2
github.com/sigstore/rekor-tiles/v2	v2.0.1 -> v2.2.0
gitlab.com/gitlab-org/api/client-go	v1.11.0 -> v1.25.0
golang.org/x/crypto	v0.46.0 -> v0.47.0
golang.org/x/mod	v0.31.0 -> v0.32.0
golang.org/x/net	v0.48.0 -> v0.49.0
golang.org/x/oauth2	v0.34.0 -> v0.35.0
golang.org/x/sys	v0.39.0 -> v0.40.0
golang.org/x/term	v0.38.0 -> v0.39.0
golang.org/x/text	v0.32.0 -> v0.33.0
google.golang.org/genproto/googleapis/api	v0.0.0-20251202230838-ff82c1b0f217 -> v0.0.0-20260128011058-8636f8732409
google.golang.org/genproto/googleapis/rpc	v0.0.0-20251222181119-0a764e51fe1b -> v0.0.0-20260203192932-546029d2fa20
k8s.io/api	v0.35.0 -> v0.35.1
k8s.io/apimachinery	v0.35.0 -> v0.35.1
k8s.io/client-go	v0.35.0 -> v0.35.1