Bump toolchain/cosign to 1.8.0 #1096

Merged: 1 commit merged into rancher:main from bump_cosign_toolchain on Sep 1, 2022

Conversation

cOS-cibot (Contributor)

Signed-off-by: cOS-cibot [bot] [email protected]

@cOS-cibot cOS-cibot force-pushed the bump_cosign_toolchain branch 3 times, most recently from 8a3d647 to 2e2d8da on January 25, 2022 20:18
@Itxaka Itxaka added the status/blocked Issue depends on another one label Jan 26, 2022
Itxaka (Contributor) commented Jan 26, 2022

Changelog:

7572520 add ascii art when using the version command (#1349)
4c23b55 update cross builder image - the image is now signed using keyless method (#1348)
03a2778 Add vaikas to CODEOWNERS (#1347)
f186ee3 add changelog for v1.5.0 (#1345)
9acdf64 Cache the location of the remote repository when running cosign initialize (#1315)
e534409 Fix minor typo (a missing verb) in README (#1346)
22007e5 Don't use k8schain, statically link cloud cred helpers in cosign (#1279)
a50bc9d Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (#1343)
1a92b50 Bump recommended Go development version in README (#1340)
1560c64 Bump the snapshot and timestamp roles metadata from root signing. (#1339)
bca7ba6 Export function to verify individual signature (#1334)
b0e81eb Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.10 to 2.0.0-beta.11 (#1336)
a7838c5 update go-github to v42 release (#1335)
b0848d1 install latest release for ko instead of head of main branch (#1333)
2f8c22e remove wrong settings in the gco auth for gh actions (#1332)
fbf8dcb update gcp setup for the GH action (#1330)
888b392 fix: cosign verify for vault (#1328)
e64cc10 update some dependencies (#1326)
461b032 fix missing goimports (#1327)
78ee720 Add suffix with digest to signature file output for recursive signing (#1267)
0532601 Take OIDC client secret into account (#1310)
475c99d Verify checksum of downloaded utilities during CI (#1322)
97509b9 pin github actions by digest (#1319)
4592c23 Fix TestSignBlobBundle (#1320)
bad18e5 Add --bundle flag to sign-blob and verify-blob (#1306)
079e28d Add flag to verify OIDC issuer in certificate (#1308)
2c96cf3 Bump google.golang.org/api from 0.64.0 to 0.65.0 (#1303)
24914ac add OSSF scorecard action (#1318)
244c07a Add TUF timestamp to attestation bundle (#1316)
46cf94b Provide certificate flags to all verify commands (#1305)
d58fc63 Bundle TUF timestamp with signature on signing (#1294)
c49ba0b Bump cuelang.org/go from 0.4.0 to 0.4.1 (#1302)
754d33e Add support for importing PKCS#8 private keys, and add validation (#1300)
aa0b8c1 add error message (#1296)
a7bd67c Move bundle out of oci and into bundle package (#1295)
9368996 Bump github.com/xanzy/go-gitlab from 0.54.2 to 0.54.3 (#1292)
ef380f0 update import documentation (#1290)
e671216 Fix a couple bugs in cert verification for blobs (#1287)
76e691b Fix a few bugs in cosign initialize (#1280)
b9d0d4a Reorganize verify-blob code and add a unit test (#1286)
419be8a update release image to use go 1.17.6 (#1284)
809b091 Bump google.golang.org/api. (#1283)
4376cca Bump opa and go-gitlab. (#1281)
b6aaddc Update SBOM spec to indicate compat for syft (#1278)
f19f4f7 Update signature spec with timestamp annotation (#1274)
7f54a8f Bump miekg/pkcs11 (#1275)
36cc106 Pick up latest knative.dev/pkg, and k8s 0.22 libs (#1269)
6af964c Fix the unit tests with expired TUF metadata. (#1270)
242f586 One-to-one mapping of invocation to scan result (#1268)
1a7f9d6 refactor common utilities (#1266)
d89eb8e Fix output-file flag. (#1264)
9a27e1f Importing RSA and EC keypairs (#1050)
8194edd enable sbom generation when releasing (#1261)
0a4a68a feat: log error to stderr (#1260)
591601c feat: support attach attestation (#1253)
2e99320 Refactor the tuf client code. (#1252)
dfc0347 Moved certificate output before checking for upload during signing (#1255)
c09d682 Remove remaining ioutil usage (#1256)
894a3bc Update the embedded TUF metadata. (#1251)
645c259 Bump sigstore/sigstore. (#1247)
4ecb43d fix: typo in the error message (#1250)
1df7fe4 Fix semantic bugs in attestation verifification. (#1249)
f32c1d7 Fix semantic bug in DSSE specification. (#1248)
4e4bbf6 Spelling (#1246)
7e5abbf feat: resolve --cert from URL (#1245)
c360535 Add support for other public key types for SCT verification, allow override for testing. (#1241)
6f41b4b Log the proper remote repo for the signatures on verify (#1243)
24d43bd feat: generate/upload sbom for cosign projects (#1237)
b3bd158 Use ${{github.repository}} placeholder in OIDC GitHub workflow (#1244)
47d936c update codeowners list with miissing codeowners (#1238)
3dd690e feat: vuln attest support (#1168)
6a4afef feat: add ambient credential detection with spiffe/spire (#1220)
1104dfd feat: generate/upload sbom for cosign projects (#1236)
0c25819 update build images for release and bump cosign in the release job (#1234)
ac8a7e9 feat: implement cosign download attestation (#1216)
d318979 Do not require multiple Fulcio certs in the TUF root (#1230)
9da74c9 update deps (#1222)
b2d6393 nit: add comments to Signer interface (#1228)
f2e034d clean up references to 'keyless' in ephemeral.Signer (#1225)
acf5900 create DSSEAttestor interface, payload.DSSEAttestor implementation (#1221)
ca4544c update google.golang.org/api from 0.62.0 to 0.63.0 (#1214)
1feacab use mutate.Signature in the new Signers (#1213)
28b03f7 create mutate functions for oci.Signature (#1199)
500cd40 update snapshot and timestamp (#1211)
cbdc1b3 add a writeable $HOME for the nonroot cosigned user (#1209)
4d4c830 signing attestation should private key (#1200)
6e397c2 Remove the "upload" flag for "cosign initialize" (#1201)
008f860 create KeylessSigner (#1189)
2ad95b3 Bump github.com/spf13/viper from 1.9.0 to 1.10.0 (#1198)
3dac54a Bump the DSSE library and handle manual changes in the API. (#1191)
cfd981e nit: drop every section title down a level (#1188)

Itxaka (Contributor) commented Jan 26, 2022

This should fix the problem with the TUF_ROOT that we had, so we should move to using SIGSTORE_NO_CACHE instead of what we do now, so the cache is kept in memory instead of creating random temp dirs.

The only problem I can see with this is sigstore/cosign#1260, which logs a not really important error to os.Stderr, which may break something when used as a plugin?

@Itxaka Itxaka removed the status/blocked Issue depends on another one label Jan 26, 2022
Itxaka (Contributor) left a review comment

not ready yet

Itxaka (Contributor) commented Jan 26, 2022

I can see an issue reported that may affect us:

@Itxaka Itxaka added the status/blocked Issue depends on another one label Jan 27, 2022
mudler (Contributor) commented Jan 28, 2022

huh.. maybe time to set up a staging repo to run tests?

@cOS-cibot cOS-cibot force-pushed the bump_cosign_toolchain branch 7 times, most recently from fc3cd8a to e6227ec on February 3, 2022 20:22
@cOS-cibot cOS-cibot force-pushed the bump_cosign_toolchain branch 7 times, most recently from ee60a4e to 8493664 on February 10, 2022 20:15
@cOS-cibot cOS-cibot force-pushed the bump_cosign_toolchain branch 2 times, most recently from 7e15ea7 to 3634d62 on February 12, 2022 20:15
@cOS-cibot cOS-cibot force-pushed the bump_cosign_toolchain branch 8 times, most recently from d97276e to b025667 on August 14, 2022 20:31
@cOS-cibot cOS-cibot force-pushed the bump_cosign_toolchain branch 8 times, most recently from 4af8ebf to b441148 on August 22, 2022 20:28
@cOS-cibot cOS-cibot force-pushed the bump_cosign_toolchain branch 8 times, most recently from fc291f1 to 46cb47b on August 30, 2022 20:28
Signed-off-by: cOS-cibot [bot] <[email protected]>
@Itxaka Itxaka removed the status/blocked Issue depends on another one label Sep 1, 2022
@Itxaka Itxaka merged commit 07ae0ad into rancher:main Sep 1, 2022
@Itxaka Itxaka deleted the bump_cosign_toolchain branch September 1, 2022 15:29