chore(deps): update module github.com/sigstore/cosign/v2 to v2.4.0 - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/sigstore/cosign/v2	v2.2.4 -> v2.4.0

---

Release Notes

sigstore/cosign (github.com/sigstore/cosign/v2)

v2.4.0

Compare Source

v2.4.0 begins the modernization of the Cosign client, which includes:

• Support for the newer Sigstore specification-compliant bundle format
• Support for providing trust roots (e.g. Fulcio certificates, Rekor keys)
  through a trust root file, instead of many different flags
• Conformance test suite integration to verify signing and verification behavior

In future updates, we'll include:

• General support for the trust root file, instead of only when using the bundle
  format during verification
• Simplification of trust root flags and deprecation of the
  Cosign-specific bundle format
• Bundle support with container signing

We have also moved nightly Cosign container builds to GHCR instead of GCR.

Features

• Add new bundle support to verify-blob and verify-blob-attestation (#​3796)
• Adding protobuf bundle support to sign-blob and attest-blob (#​3752)
• Bump sigstore/sigstore to support email_verified as string or boolean (#​3819)
• Conformance testing for cosign (#​3806)
• move incremental builds per commit to GHCR instead of GCR (#​3808)
• Add support for recording creation timestamp for cosign attest (#​3797)
• Include SCT verification failure details in error message (#​3799)

Contributors

• Bob Callaway
• Hayden B
• Slavek Kabrda
• Zach Steindler
• Zsolt Horvath

v2.3.0

Compare Source

Features

• Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#​3693)
• add registry options to cosign save (#​3645)
• Add debug providers command. (#​3728)
• Make config layers in ociremote mountable (#​3741)
• upgrade to go1.22 (#​3739)
• adds tsa cert chain check for env var or tuf targets. (#​3600)
• add --ca-roots and --ca-intermediates flags to 'cosign verify' (#​3464)
• add handling of keyless verification for all verify commands (#​3761)

Bug Fixes

• fix: close attestationFile (#​3679)
• Set bundleVerified to true after Rekor verification (Resolves #​3740) (#​3745)

Documentation

• Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#​3776)

Testing

• Refactor KMS E2E tests (#​3684)
• Remove sign_blob_test.sh test (#​3707)
• Remove KMS E2E test script (#​3702)
• Refactor insecure registry E2E tests (#​3701)

Contributors

• Billy Lynch
• bminahan73
• Bob Callaway
• Carlos Tadeu Panato Junior
• Cody Soyland
• Colleen Murphy
• Dmitry Savintsev
• guangwu
• Hayden B
• Hector Fernandez
• ian hundere
• Jason Power
• Jon Johnson
• Max Lambrecht
• Meeki1l

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 26 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.22.0 -> 1.23.1
github.com/sigstore/sigstore	v1.8.7 -> v1.8.8
cloud.google.com/go/compute/metadata	v0.3.0 -> v0.5.0
github.com/Azure/azure-sdk-for-go/sdk/azcore	v1.11.1 -> v1.13.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity	v1.5.2 -> v1.7.0
github.com/Azure/azure-sdk-for-go/sdk/internal	v1.6.0 -> v1.10.0
github.com/aws/aws-sdk-go-v2	v1.27.2 -> v1.30.3
github.com/aws/aws-sdk-go-v2/config	v1.27.18 -> v1.27.27
github.com/aws/aws-sdk-go-v2/credentials	v1.17.18 -> v1.17.27
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	v1.16.5 -> v1.16.11
github.com/aws/aws-sdk-go-v2/internal/configsources	v1.3.9 -> v1.3.15
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	v2.6.9 -> v2.6.15
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	v1.11.2 -> v1.11.3
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	v1.11.11 -> v1.11.17
github.com/aws/aws-sdk-go-v2/service/sso	v1.20.11 -> v1.22.4
github.com/aws/aws-sdk-go-v2/service/ssooidc	v1.24.5 -> v1.26.4
github.com/aws/aws-sdk-go-v2/service/sts	v1.28.12 -> v1.30.3
github.com/aws/smithy-go	v1.20.2 -> v1.20.3
github.com/docker/docker	v26.1.0+incompatible -> v26.1.4+incompatible
github.com/google/certificate-transparency-go	v1.1.8 -> v1.2.1
github.com/pelletier/go-toml/v2	v2.2.1 -> v2.2.2
github.com/sigstore/fulcio	v1.4.5 -> v1.5.1
github.com/spf13/viper	v1.18.2 -> v1.19.0
github.com/xanzy/go-gitlab	v0.103.0 -> v0.107.0
go.step.sm/crypto	v0.44.2 -> v0.51.1
google.golang.org/genproto/googleapis/rpc	v0.0.0-20240701130421-f6361c86f094 -> v0.0.0-20240730163845-b1a4ccb954bf
sigs.k8s.io/release-utils	v0.8.1 -> v0.8.4