Update module github.com/sigstore/rekor to v1.5.0 [SECURITY] (release-v0.6)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/sigstore/rekor	v1.3.6 → v1.5.0

GitHub Vulnerability Alerts

CVE-2026-24117

Summary

/api/v1/index/retrieve supports retrieving a public key via a user-provided URL, allowing attackers to trigger SSRF to arbitrary internal services.

Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF.

Impact

• SSRF to cloud metadata (169.254.169.254)
• SSRF to internal Kubernetes APIs
• SSRF to any service accessible from Fulcio's network

Patches

Upgrade to v1.5.0. Note that this is a breaking change to the search API and fully disables lookups by URL. If you require this feature, please reach out and we can discuss alternatives.

Workarounds

Disable the search endpoint with --enable_retrieve_api=false.

CVE-2026-23831

Summary

Rekor’s cose v0.0.1 entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message. validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload.

Impact

A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal.

Patches

Upgrade to v1.5.0

Workarounds

None

---

Release Notes

sigstore/rekor (github.com/sigstore/rekor)

v1.5.0

Compare Source

This release fixes GHSA-273p-m2cw-6833 and GHSA-4c4x-jm2x-pf9j. Note that this
drops support for fetching public keys via URL when querying the search API.

Vulnerability Fixes

• Handle malformed COSE and DSSE entries (#​2729)
• Drop support for fetching public keys by URL in the search index (#​2731)

Features

• Add support for a custom TLS config for clients (#​2709)

v1.4.3

Compare Source

This release reduces dependencies for a number of exported packages.

This release also changes the format of the binary and container signature, which is now a
Sigstore bundle. To verify a release, use the
latest Cosign 3.x, verifying with
cosign verify-blob --bundle <artifact>-keyless.sigstore.json <artifact>.

Improvements

• use interruptable context to elegantly handle signals in rekor-cli (#​2681)
• restapi: Don't log client errors as errors (#​2680)
• pkg: separate pki types from implementations (#​2668)
• e2e: don't mix e2e and regular utilities (#​2672)
• pkg: remove viper config from spec definitions (#​2669)
• log: remove zap & go-chi dependecy from pkg/types (#​2667)
• chore: update go-openapi/runtime to v0.29.0 (#​2670)
• chore: remove double imported mapstructure pkg (#​2671)
• remove archived dependency and use stdlib slices (#​2650)

Documentation

• (docs): guard unsafe int/uint conversions flagged by gosec (#​2679)

Contributors

• AdamKorcz
• Bob Callaway
• Jussi Kukkonen
• Sachin Sampras M
• Tõnis Tiigi

v1.4.2

Compare Source

This release includes some performance optimizations and a bug fix for publishing events to a pub/sub topic.

Fixes

• use pubsub client to check IAM permissions (#​2605)
• process type contents serially (#​2604)
• move to direct decoding instead of mapstructure (#​2598)
• optimize performance of regex operations (#​2603)

Contributors

• Bob Callaway

v1.4.1

Compare Source

This release includes updated dependencies for known CVEs, as well as some optimizations to minimize gRPC traffic between Rekor and Trillian.

Fixes

• use less expensive gRPC call to implement GetLeafAndProofByHash (#​2581)
• move to per-shard trillian client manager (#​2564)
• use cheaper gRPC endpoint when we already have the inclusion proof (#​2580)
• simplify hash and signature verification in rekord type (#​2579)
• use correct type; just look for len() instead of nil check (#​2576)
• return correct error if GetLeafAndProofByHash fails (#​2574)
• fix incorrect client lb policy in test config (#​2551)
• numerous upgraded dependencies

Contributors

• Bob Callaway
• Carlos Alexandro Becker

v1.4.0

Compare Source

This is a minor version release given the removal of the stable checkpoint feature. To our knowledge, this was not
used effectively anywhere and therefore was removed from Rekor v1. Witnessing will be added as part of the upcoming
Rekor v2 release.

Features

• enable retries and timeouts on GCP KMS calls (#​2548)
• allow configuring gRPC default service config for trillian client load balancing & timeouts (#​2549)
• move context handling in trillian RPC calls to be request based and idiomatic (#​2536)

Fixes

• Fix docker compose up --wait failing when Trillian server isn't healthy (#​2473)
• better mysql healthcheck (#​2459)
• numerous upgraded dependencies, including moving to go 1.24

Removed

• remove stable checkpoint feature (#​2537)
• Don't initialize index storage with stable checkpoint publishing (#​2486)

Contributors

• Bob Callaway
• Carlos Tadeu Panato Junior
• Emmanuel Ferdman
• Hayden B
• Ramon Petgrave

v1.3.10

Compare Source

Note that Rekor v1 is in maintenance mode as we are actively developing
its successor, Rekor v2, designed to be easy to maintain and cheaper to operate.. See the
README
for more information.

Features

• Added --client-signing-algorithms flag (#​1974)

Fixes / Misc

• emit unpopulated values when marshalling (#​2438)
• pkg/api: better logs when algorithm registry rejects a key (#​2429)
• chore: improve mysql readiness checks (#​2397)

Contributors

• Bob Callaway
• cangqiaoyuzhuo
• Carlos Tadeu Panato Junior
• cpanato
• Hayden B
• Praful Khanduri
• Ramon Petgrave
• Riccardo Schirone
• rubyisrust
• Sascha Grunert

v1.3.9

Compare Source

Features

• Cache checkpoint for inactive shards (#​2332)
• Support per-shard signing keys (#​2330)

Contributors

• Hayden B

v1.3.8

Compare Source

Bug Fixes

• fix zizmor issues (#​2298)
• remove unneeded value in log message (#​2282)

Quality Enhancements

• chore: relax go directive to permit 1.22.x
• fetch minisign from homebrew instead of custom ppa (#​2329)
• fix(ci): simplify GOVERSION extraction
• chore(deps): bump actions pins to latest
• Updates go and golangci-lint (#​2302)
• update builder to use go1.23.4 (#​2301)
• clean up spaces
• log request body on 500 error to aid debugging (#​2283)

Contributors

• Appu Goundan
• Bob Callaway
• Carlos Tadeu Panato Junior
• Dominic Evans
• sgpinkus

v1.3.7

Compare Source

New Features

• log request body on 500 error to aid debugging (#​2283)
• Add support for signing with Tink keyset (#​2228)
• Add public key hash check in Signed Note verification (#​2214)
• update Trillian TLS configuration (#​2202)
• Add TLS support for Trillian server (#​2164)
• Replace docker-compose with plugin if available (#​2153)
• Add flags to backfill script (#​2146)
• Unset DisableKeepalive for backfill HTTP client (#​2137)
• Add script to delete indexes from Redis (#​2120)
• Run CREATE statement in backfill script (#​2109)
• Add MySQL support to backfill script (#​2081)
• Run e2e tests on mysql and redis index backends (#​2079)

Bug Fixes

• remove unneeded value in log message (#​2282)
• Add error message when computing consistency proof (#​2278)
• fix validation error handling on API (#​2217)
• fix error in pretty-printed inclusion proof from verify subcommand (#​2210)
• Fix index scripts (#​2203)
• fix failing sharding test
• Better error handling in backfill script (#​2148)
• Batch entries in cleanup script (#​2158)
• Add missing workflow for index cleanup test (#​2121)
• hashedrekord: fix schema $id (#​2092)

Contributors

• Aditya Sirish
• Bob Callaway
• Colleen Murphy
• cpanato
• Firas Ghanmi
• Hayden B
• Hojoung (Brian) Jang
• William Woodruff

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: acceptance/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 53 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.24.6 -> 1.25.0
github.com/go-openapi/strfmt	v0.23.0 -> v0.25.0
github.com/google/go-containerregistry	v0.20.2 -> v0.20.7
github.com/secure-systems-lab/go-securesystemslib	v0.9.0 -> v0.9.1
github.com/sigstore/sigstore	v1.8.15 -> v1.10.3
github.com/containerd/stargz-snapshotter/estargz	v0.15.1 -> v0.18.1
github.com/docker/cli	v27.2.0+incompatible -> v29.0.3+incompatible
github.com/docker/docker	v27.2.0+incompatible -> v28.5.2+incompatible
github.com/docker/docker-credential-helpers	v0.8.2 -> v0.9.3
github.com/go-jose/go-jose/v4	v4.1.2 -> v4.1.3
github.com/go-openapi/analysis	v0.23.0 -> v0.24.1
github.com/go-openapi/errors	v0.22.0 -> v0.22.6
github.com/go-openapi/jsonpointer	v0.21.0 -> v0.22.4
github.com/go-openapi/jsonreference	v0.21.0 -> v0.21.4
github.com/go-openapi/loads	v0.22.0 -> v0.23.2
github.com/go-openapi/runtime	v0.28.0 -> v0.29.2
github.com/go-openapi/spec	v0.21.0 -> v0.22.3
github.com/go-openapi/swag	v0.23.0 -> v0.25.4
github.com/google/certificate-transparency-go	v1.2.1 -> v1.3.2-0.20250507091337-0eddb39e94f8
github.com/grpc-ecosystem/grpc-gateway/v2	v2.26.3 -> v2.27.2
github.com/hashicorp/hcl	v1.0.1-vault-5 -> v1.0.1-vault-7
github.com/letsencrypt/boulder	v0.0.0-20240830194243-1fcf0ee08180 -> v0.20251110.0
github.com/rogpeppe/go-internal	v1.13.1 -> v1.14.1
github.com/sagikazarmark/locafero	v0.6.0 -> v0.11.0
github.com/sigstore/protobuf-specs	v0.4.0 -> v0.5.0
github.com/sourcegraph/conc	v0.3.0 -> v0.3.1-0.20240121214520-5f936abd7ae8
github.com/spf13/afero	v1.11.0 -> v1.15.0
github.com/spf13/cast	v1.7.0 -> v1.10.0
github.com/spf13/cobra	v1.9.1 -> v1.10.2
github.com/spf13/pflag	v1.0.6 -> v1.0.10
github.com/spf13/viper	v1.19.0 -> v1.21.0
github.com/vbatts/tar-split	v0.11.5 -> v0.12.2
go.mongodb.org/mongo-driver	v1.16.1 -> v1.17.6
go.opentelemetry.io/auto/sdk	v1.1.0 -> v1.2.1
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.60.0 -> v0.63.0
go.opentelemetry.io/otel	v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	v1.35.0 -> v1.38.0
go.opentelemetry.io/otel/metric	v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/trace	v1.37.0 -> v1.38.0
go.uber.org/zap	v1.27.0 -> v1.27.1
golang.org/x/crypto	v0.41.0 -> v0.46.0
golang.org/x/mod	v0.29.0 -> v0.30.0
golang.org/x/net	v0.43.0 -> v0.48.0
golang.org/x/oauth2	v0.30.0 -> v0.34.0
golang.org/x/sync	v0.17.0 -> v0.19.0
golang.org/x/sys	v0.37.0 -> v0.39.0
golang.org/x/term	v0.34.0 -> v0.38.0
golang.org/x/text	v0.28.0 -> v0.32.0
google.golang.org/api	v0.217.0 -> v0.260.0
google.golang.org/genproto/googleapis/api	v0.0.0-20250804133106-a7a43d27e69b -> v0.0.0-20251202230838-ff82c1b0f217
google.golang.org/genproto/googleapis/rpc	v0.0.0-20250804133106-a7a43d27e69b -> v0.0.0-20251222181119-0a764e51fe1b
google.golang.org/grpc	v1.76.0 -> v1.78.0
google.golang.org/protobuf	v1.36.10 -> v1.36.11
gopkg.in/ini.v1	v1.67.0 -> v1.67.1