fix(deps): update module github.com/sigstore/rekor to v1.3.5

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/sigstore/rekor	v1.2.2 -> v1.3.5

---

Release Notes

sigstore/rekor (github.com/sigstore/rekor)

v1.3.5

Compare Source

New Features

• output trace in slog and override correlation header name (#​1986)
• give log timestamps nanosecond precision (#​1985)
• Added support for sha384/sha512 hash algorithms in hashedrekords (#​1959)
• Change Redis value for locking mechanism (#​1957)

Bug Fixes

• Fix panic for DSSE canonicalization (#​1923)
• Drop conditional when verifying entry checkpoint (#​1917)
• Remove timestamp from checkpoint (#​1888)
• Additional unique index correction (#​1885)

Quality Enhancements

• bump trillian images to v1.6.0 (#​1984)
• remove trillian images from release process (#​1983)
• update builder to use go1.21

Contributors

• Andrew Block
• Bob Callaway
• Carlos Tadeu Panato Junior
• Hayden Blauzvern
• Riccardo Schirone

v1.3.4

Compare Source

New Features

• add mysql indexstorage backend
• add s3 storage for attestations

Bug Fixes

• fix: Do not check for pubsub.topics.get on initialization (#​1853)
• fix optional field in cose schema

Quality Enhancements

• Update ranges.go (#​1852)
• update indexstorage interface to reduce roundtrips (#​1838)
• use a single validator library in rekor-cli (#​1818)
• Remove go-playground/validator dependency from pkg/pki (#​1817)

Contributors

• Bob Callaway
• Carlos Tadeu Panato Junior
• Hayden B
• James Alseth
• Kenny Leung
• Noah Kreiger
• Zach Steindler

v1.3.3

Compare Source

New Features

• update trillian to 1.5.3 (#​1803)
• adds redis_auth (#​1627)
• Add method to get artifact hash for an entry (#​1777)

Bug Fixes

• Update signer flag description (#​1804)
• install go at correct version for codeql (#​1762)

Quality Enhancements

• make e2e tests more usable with docker-compose (#​1770)

Contributors

• Bob Callaway
• Carlos Tadeu Panato Junior
• Hayden B
• ian hundere
• Kenny Leung

v1.3.2

Compare Source

• move to go 1.21.3 to pick up fixes for CVE-2023-39325

Bug Fixes

• build(deps): Bump golang.org/x/net from 0.16.0 to 0.17.0 (#​1753)
• build(deps): Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#​1755)
• build(deps): Bump google/cloud-sdk from 449.0.0 to 450.0.0 (#​1757)
• build(deps): Bump google.golang.org/grpc from 1.58.2 to 1.58.3 (#​1754)
• update Dockerfile for go 1.21.3 (#​1752)
• update builder image to use go1.21.3 (#​1751)

Contributors

• Carlos Tadeu Panato Junior

v1.3.1

Compare Source

New Features

• enable GCP cloud profiling on rekor-server (#​1746)
• move index storage into interface (#​1741)
• add info to readme to denote additional documentation sources (#​1722)
• Add type of ed25519 key for TUF (#​1677)
• Allow parsing base64-encoded TUF metadata and root content (#​1671)

Quality Enhancements

• disable quota in trillian in test harness (#​1680)

Bug Fixes

• Update contact for code of conduct (#​1720)
• fix: typo (#​1711)
• Fix panic when parsing SSH SK pubkeys (#​1712)
• Correct index creation (#​1708)
• Update .ko.yaml (#​1682)
• docs: fixzes a small typo on the readme (#​1686)
• chore: fix backfill-redis Makefile target (#​1685)

Contributors

• Andres Galante
• Andrew Block
• Appu
• Bob Callaway
• Carlos Tadeu Panato Junior
• guangwu
• Hayden B
• jonvnadelberg
• Lance Ball

v1.3.0

Compare Source

New Features

• feat: Support publishing new log entries to Pub/Sub topics (#​1580)
• Change values of Identity.Raw, add fingerprints (#​1628)
• Extract all subjects from SANs for x509 verifier (#​1632)
• Fix type comment for Identity struct (#​1619)
• Refactor Identities API (#​1611)
• Refactor Verifiers to return multiple keys (#​1601)

Quality Enhancements

• set min go version to 1.21 (#​1651)
• Upgrade to go1.21 (#​1636)

Bug Fixes

• Update openapi.yaml (#​1655)
• pass transient errors through retrieveLogEntry (#​1653)
• return full entryID on HTTP 409 responses (#​1650)
• Update checkpoint link (#​1597)
• Use correct log index in inclusion proof (#​1599)
• remove instrumentation library (#​1595)
• pki: clean up fuzzer (#​1594)
• alpine: add max metadata size to fuzzer (#​1571)

Contributors

• AdamKorcz
• Appu
• Bob Callaway
• Carlos Tadeu Panato Junior
• Ceridwen Coghlan
• Hayden B
• James Alseth

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[mtrmac]

DO NOT blindly merge, this bumps Go to 1.21.

We might need to adjust c/image code for the changes to allow SHA386/SHA512 ; and we might need this update anyway (eventually?)

[giuseppe]

LGTM

didn't see mitr comment

[mtrmac]

Looking at this in more detail:

• We don’t call the validation code which is updated by in 1.3.5 to accept the new SHA-* algorithm names
• To accept them, we would need to update our own code (and refer to the constants in 1.3.5)
• … but Cosign also hard-codes SHA-256, so right now there is no benefit.

Meanwhile, we still need to support at least Go 1.20 for Fedora 38, so we can’t / don’t want to update.

I have filed #2281 to document the situation for the future.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v1.3.5). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.