Add changelog for v2.2.3 (sigstore#3513)

Signed-off-by: Hayden Blauzvern <[email protected]>

add tests

Signed-off-by: Noah Kreiger <[email protected]>

add e2e test for pkcs11 token signing (sigstore#3495)

* added e2e test for pkcs11 token signing

Signed-off-by: Vivek Kumar Sahu <[email protected]>

add license

Signed-off-by: Vivek Kumar Sahu <[email protected]>

small fix

Signed-off-by: Vivek Kumar Sahu <[email protected]>

update shebang portable with cross platform

Signed-off-by: Vivek Kumar Sahu <[email protected]>

enable exit on error and xtrace mode

Signed-off-by: Vivek Kumar Sahu <[email protected]>

cleanup container

Signed-off-by: Vivek Kumar Sahu <[email protected]>

pkcs11 test with upcoming changes

Signed-off-by: Vivek Kumar Sahu <[email protected]>

run pkcs11 e2e test in a separate workflow

Signed-off-by: Vivek Kumar Sahu <[email protected]>

add pkcs11 test in separate workflow

Signed-off-by: Vivek Kumar Sahu <[email protected]>

* set shell to bash

Signed-off-by: Vivek Kumar Sahu <[email protected]>

* set shell options

Signed-off-by: Vivek Kumar Sahu <[email protected]>

---------

Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): bump the actions group with 1 update (sigstore#3516)

Bumps the actions group with 1 update: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer).

Updates `sigstore/cosign-installer` from 3.3.0 to 3.4.0
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@9614fae...e1523de)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): bump codecov/codecov-action from 3.1.5 to 4.0.1 (sigstore#3517)

Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.5 to 4.0.1.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@4fe8c5f...e0b68c6)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): bump go.step.sm/crypto from 0.42.1 to 0.43.0 (sigstore#3519)

Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): bump the gomod group with 1 update (sigstore#3518)

Signed-off-by: Noah Kreiger <[email protected]>

Update codeql-analysis.yml (sigstore#3524)

Signed-off-by: Hayden B <[email protected]>
Signed-off-by: Noah Kreiger <[email protected]>

ErrNoSignaturesFound should be used when there is no signature attached to an image. (sigstore#3526)

* ErrNoSignaturesFound should be used when there is no signature attached to an image.

Signed-off-by: zhaoyonghe <[email protected]>

* Change error message.

Signed-off-by: zhaoyonghe <[email protected]>

* Add error type tests.

Signed-off-by: zhaoyonghe <[email protected]>

---------

Signed-off-by: zhaoyonghe <[email protected]>
Signed-off-by: Noah Kreiger <[email protected]>

Make E2E tests hermetic (sigstore#3499)

* Set rekor URL for online and offline tests

Some tests were setting the REKOR_URL environment variable to try to
test offline verification. This variable is no longer read so it was not
doing anything. This change removes the variable and instead sets
RekorURL in the command to either the local rekor instance (so that the
public instance is not used) or to a bad url with Offline set to true so
that offline verification is truly tested.

This change also removes the COSIGN_EXPERIMENTAL variable which is no
longer used, and replaces os.Setenv with testing.Setenv which
localizes the environment setting to the scope of the test and removes
the need for a cleanup function.

Signed-off-by: Colleen Murphy <[email protected]>

* Fix cleanup in E2E script

Calling trap multiple times replaces the last signal handler rather than
appending to it. This change ensures that the most recent trap includes
all previous traps so that all cleanups are executed.

Signed-off-by: Colleen Murphy <[email protected]>

* Move verify tests from shell script to Go suite

Move the `cosign dockerfile verify` and `cosign manifest verify` tests
out of the shell script and into the e2e Go test suite file with all the
other tests. This makes them consistent to manage.

The initialization of fulcio roots in other tests pollutes the trust
root in the new tests, so a reset is added to the fulcioroots package
for testing only.

Signed-off-by: Colleen Murphy <[email protected]>

* Use local services for verify tests

Update TestDockerfileVerify and TestManifestVerify to sign ephemeral
images within the tests so that the signatures can be created with and
verified from the locally running Fulcio and Rekor instances instead of
verifying images with the public Rekor instance, so that the tests no
longer depend on external services.

The images are signed using --identity-token to avoid changing the
nature of the verification tests, which were originally written to be
keyless. A mock OIDC server is provisioned to provide the token and
enable verification.

Signed-off-by: Colleen Murphy <[email protected]>

* Set rekor env variable in Go test suite

Move the setting of SIGSTORE_REKOR_PUBLIC_KEY from the e2e shell script
to the Go test suite, so that only the tests that need it have it set
and the shell script is doing less setup. Also remove unnecessary
instances of os.RemoveAll for temporary directories that the Go testing
framework will automatically clean up.

Signed-off-by: Colleen Murphy <[email protected]>

---------

Signed-off-by: Colleen Murphy <[email protected]>
Signed-off-by: Noah Kreiger <[email protected]>

Correct help text of verify-attestation policy argument (sigstore#3527)

Signed-off-by: michaelvl <[email protected]>
Signed-off-by: Noah Kreiger <[email protected]>

Don't ignore transparency log in tests if possible (sigstore#3528)

Update the e2e tests to default to setting IgnoreTlog to false where
possible. In some cases, where the IgnoreTlog functionality is being
explicitly tested, continue to set it to true.

Since the transparency log isn't being ignored, the signing commands
need to upload it and need the rekor public key and URL in order to do
so.

Removes one redundant test.

Signed-off-by: Colleen Murphy <[email protected]>
Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): bump the gomod group with 1 update (sigstore#3530)

Bumps the gomod group with 1 update: cuelang.org/go.

Updates `cuelang.org/go` from 0.7.0 to 0.7.1

---
updated-dependencies:
- dependency-name: cuelang.org/go
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): bump golang.org/x/crypto from 0.18.0 to 0.19.0 (sigstore#3531)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.18.0 to 0.19.0.
- [Commits](golang/crypto@v0.18.0...v0.19.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): bump golang.org/x/oauth2 from 0.16.0 to 0.17.0 (sigstore#3532)

Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.16.0 to 0.17.0.
- [Commits](golang/oauth2@v0.16.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): bump the actions group with 3 updates (sigstore#3535)

Bumps the actions group with 3 updates: [google-github-actions/auth](https://github.com/google-github-actions/auth), [actions/upload-artifact](https://github.com/actions/upload-artifact) and [mikefarah/yq](https://github.com/mikefarah/yq).

Updates `google-github-actions/auth` from 2.1.0 to 2.1.1
- [Release notes](https://github.com/google-github-actions/auth/releases)
- [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md)
- [Commits](google-github-actions/auth@5a50e58...a6e2e39)

Updates `actions/upload-artifact` from 4.3.0 to 4.3.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@26f96df...5d5d22a)

Updates `mikefarah/yq` from 4.40.5 to 4.40.7
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@dd64899...bb66c9c)

---
updated-dependencies:
- dependency-name: google-github-actions/auth
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): bump github.com/google/go-containerregistry (sigstore#3521)

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.18.0 to 0.19.0.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.18.0...v0.19.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (sigstore#3536)

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3.7.0 to 4.0.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@3a91952...3cfe3a4)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): bump github.com/xanzy/go-gitlab from 0.96.0 to 0.97.0 (sigstore#3522)

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.96.0 to 0.97.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go)
- [Commits](xanzy/go-gitlab@v0.96.0...v0.97.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): bump google.golang.org/api from 0.160.0 to 0.164.0 (sigstore#3538)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.160.0 to 0.164.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.160.0...v0.164.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Noah Kreiger <[email protected]>

use go1.21.7 as go-version in actions/setup-go (sigstore#3540)

* use go1.21 as go-version in actions/setup-go

Signed-off-by: Dmitry S <[email protected]>

* e2e-tests.yml - remove unused GO_VERSION env var

Signed-off-by: Dmitry S <[email protected]>

---------

Signed-off-by: Dmitry S <[email protected]>
Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): update github/codeql-action requirement to 65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 (sigstore#3537)

* chore(deps): update github/codeql-action requirement to 65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9

Updates the requirements on [github/codeql-action](https://github.com/github/codeql-action) to permit the latest version.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/commits/65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* Update scorecard-action.yml

Signed-off-by: Carlos Tadeu Panato Junior <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Carlos Tadeu Panato Junior <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Carlos Tadeu Panato Junior <[email protected]>
Signed-off-by: Noah Kreiger <[email protected]>

fix semgrep issues for dgryski.semgrep-go ruleset (sigstore#3541)

* fix semgrep issues dgryski.semgrep-go ruleset

Signed-off-by: Dmitry S <[email protected]>

* golangci-lint: check error value of out.Write()

Signed-off-by: Dmitry S <[email protected]>

---------

Signed-off-by: Dmitry S <[email protected]>
Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): bump google.golang.org/api from 0.164.0 to 0.165.0 (sigstore#3545)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.164.0 to 0.165.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.164.0...v0.165.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): bump the actions group with 1 update (sigstore#3546)

Bumps the actions group with 1 update: [mikefarah/yq](https://github.com/mikefarah/yq).

Updates `mikefarah/yq` from 4.40.7 to 4.41.1
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@bb66c9c...0476945)

---
updated-dependencies:
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): bump the gomod group with 2 updates (sigstore#3543)

Bumps the gomod group with 2 updates: [github.com/sigstore/timestamp-authority](https://github.com/sigstore/timestamp-authority) and [go.step.sm/crypto](https://github.com/smallstep/crypto).

Updates `github.com/sigstore/timestamp-authority` from 1.2.1 to 1.2.2
- [Release notes](https://github.com/sigstore/timestamp-authority/releases)
- [Changelog](https://github.com/sigstore/timestamp-authority/blob/main/CHANGELOG.md)
- [Commits](sigstore/timestamp-authority@v1.2.1...v1.2.2)

Updates `go.step.sm/crypto` from 0.43.0 to 0.43.1
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](smallstep/crypto@v0.43.0...v0.43.1)

---
updated-dependencies:
- dependency-name: github.com/sigstore/timestamp-authority
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Noah Kreiger <[email protected]>

fix 'go vet -tags e2e ./...' (sigstore#3550)

* fix 'go vet -tags e2e ./...'

Signed-off-by: Dmitry S <[email protected]>

* fix typo in 'concatenating'

Signed-off-by: Dmitry S <[email protected]>

---------

Signed-off-by: Dmitry S <[email protected]>
Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): bump github.com/xanzy/go-gitlab from 0.97.0 to 0.98.0 (sigstore#3556)

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.97.0 to 0.98.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go)
- [Commits](xanzy/go-gitlab@v0.97.0...v0.98.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): bump google.golang.org/api from 0.165.0 to 0.167.0 (sigstore#3557)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.165.0 to 0.167.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.165.0...v0.167.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Noah Kreiger <[email protected]>

remove unused rootPool var (sigstore#3559)

Signed-off-by: Dmitry S <[email protected]>
Signed-off-by: Noah Kreiger <[email protected]>

Bump sigstore/sigstore to v1.8.2 (sigstore#3561)

Signed-off-by: Noah Kreiger <[email protected]>

Correct help text of triangulate cmd (sigstore#3551)

Signed-off-by: michaelvl <[email protected]>
Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): bump imranismail/setup-kustomize from a76db1c6419124d51470b1e388c4b29476f495f1 to f6959cf94216d4be0182d7c78b39f14d0c8bb198 (sigstore#3554)

* chore(deps): bump imranismail/setup-kustomize

Bumps [imranismail/setup-kustomize](https://github.com/imranismail/setup-kustomize) from a76db1c6419124d51470b1e388c4b29476f495f1 to f6959cf94216d4be0182d7c78b39f14d0c8bb198.
- [Release notes](https://github.com/imranismail/setup-kustomize/releases)
- [Commits](imranismail/setup-kustomize@a76db1c...f6959cf)

---
updated-dependencies:
- dependency-name: imranismail/setup-kustomize
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* Update kind-e2e-insecure-registry.yaml

Signed-off-by: Carlos Tadeu Panato Junior <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Carlos Tadeu Panato Junior <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Carlos Tadeu Panato Junior <[email protected]>
Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): bump the actions group with 3 updates (sigstore#3564)

Bumps the actions group with 3 updates: [google-github-actions/auth](https://github.com/google-github-actions/auth), [mikefarah/yq](https://github.com/mikefarah/yq) and [codecov/codecov-action](https://github.com/codecov/codecov-action).

Updates `google-github-actions/auth` from 2.1.1 to 2.1.2
- [Release notes](https://github.com/google-github-actions/auth/releases)
- [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md)
- [Commits](google-github-actions/auth@a6e2e39...55bd3a7)

Updates `mikefarah/yq` from 4.41.1 to 4.42.1
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@0476945...9adde1a)

Updates `codecov/codecov-action` from 4.0.1 to 4.1.0
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@e0b68c6...54bcd87)

---
updated-dependencies:
- dependency-name: google-github-actions/auth
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Noah Kreiger <[email protected]>

add flag for fulcio auth flow and client creds

Signed-off-by: Noah Kreiger <[email protected]>

chore(deps): bump the actions group with 1 update (sigstore#3516)

Bumps the actions group with 1 update: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer).

Updates `sigstore/cosign-installer` from 3.3.0 to 3.4.0
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@9614fae...e1523de)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Update codeql-analysis.yml (sigstore#3524)

Signed-off-by: Hayden B <[email protected]>

ErrNoSignaturesFound should be used when there is no signature attached to an image. (sigstore#3526)

* ErrNoSignaturesFound should be used when there is no signature attached to an image.

Signed-off-by: zhaoyonghe <[email protected]>

* Change error message.

Signed-off-by: zhaoyonghe <[email protected]>

* Add error type tests.

Signed-off-by: zhaoyonghe <[email protected]>

---------

Signed-off-by: zhaoyonghe <[email protected]>

Correct help text of verify-attestation policy argument (sigstore#3527)

Signed-off-by: michaelvl <[email protected]>

Don't ignore transparency log in tests if possible (sigstore#3528)

Update the e2e tests to default to setting IgnoreTlog to false where
possible. In some cases, where the IgnoreTlog functionality is being
explicitly tested, continue to set it to true.

Since the transparency log isn't being ignored, the signing commands
need to upload it and need the rekor public key and URL in order to do
so.

Removes one redundant test.

Signed-off-by: Colleen Murphy <[email protected]>

chore(deps): bump the gomod group with 1 update (sigstore#3530)

Bumps the gomod group with 1 update: cuelang.org/go.

Updates `cuelang.org/go` from 0.7.0 to 0.7.1

---
updated-dependencies:
- dependency-name: cuelang.org/go
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore(deps): bump github.com/google/go-containerregistry (sigstore#3521)

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.18.0 to 0.19.0.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.18.0...v0.19.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (sigstore#3536)

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3.7.0 to 4.0.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@3a91952...3cfe3a4)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

use go1.21.7 as go-version in actions/setup-go (sigstore#3540)

* use go1.21 as go-version in actions/setup-go

Signed-off-by: Dmitry S <[email protected]>

* e2e-tests.yml - remove unused GO_VERSION env var

Signed-off-by: Dmitry S <[email protected]>

---------

Signed-off-by: Dmitry S <[email protected]>

chore(deps): update github/codeql-action requirement to 65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 (sigstore#3537)

* chore(deps): update github/codeql-action requirement to 65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9

Updates the requirements on [github/codeql-action](https://github.com/github/codeql-action) to permit the latest version.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/commits/65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* Update scorecard-action.yml

Signed-off-by: Carlos Tadeu Panato Junior <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Carlos Tadeu Panato Junior <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Carlos Tadeu Panato Junior <[email protected]>

fix semgrep issues for dgryski.semgrep-go ruleset (sigstore#3541)

* fix semgrep issues dgryski.semgrep-go ruleset

Signed-off-by: Dmitry S <[email protected]>

* golangci-lint: check error value of out.Write()

Signed-off-by: Dmitry S <[email protected]>

---------

Signed-off-by: Dmitry S <[email protected]>

fix 'go vet -tags e2e ./...' (sigstore#3550)

* fix 'go vet -tags e2e ./...'

Signed-off-by: Dmitry S <[email protected]>

* fix typo in 'concatenating'

Signed-off-by: Dmitry S <[email protected]>

---------

Signed-off-by: Dmitry S <[email protected]>

chore(deps): bump github.com/xanzy/go-gitlab from 0.97.0 to 0.98.0 (sigstore#3556)

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.97.0 to 0.98.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go)
- [Commits](xanzy/go-gitlab@v0.97.0...v0.98.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

remove unused rootPool var (sigstore#3559)

Signed-off-by: Dmitry S <[email protected]>

Bump sigstore/sigstore to v1.8.2 (sigstore#3561)

Correct help text of triangulate cmd (sigstore#3551)

Signed-off-by: michaelvl <[email protected]>

chore(deps): bump imranismail/setup-kustomize from a76db1c6419124d51470b1e388c4b29476f495f1 to f6959cf94216d4be0182d7c78b39f14d0c8bb198 (sigstore#3554)

* chore(deps): bump imranismail/setup-kustomize

Bumps [imranismail/setup-kustomize](https://github.com/imranismail/setup-kustomize) from a76db1c6419124d51470b1e388c4b29476f495f1 to f6959cf94216d4be0182d7c78b39f14d0c8bb198.
- [Release notes](https://github.com/imranismail/setup-kustomize/releases)
- [Commits](imranismail/setup-kustomize@a76db1c...f6959cf)

---
updated-dependencies:
- dependency-name: imranismail/setup-kustomize
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* Update kind-e2e-insecure-registry.yaml

Signed-off-by: Carlos Tadeu Panato Junior <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Carlos Tadeu Panato Junior <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Carlos Tadeu Panato Junior <[email protected]>

chore(deps): bump the actions group with 3 updates (sigstore#3564)

Bumps the actions group with 3 updates: [google-github-actions/auth](https://github.com/google-github-actions/auth), [mikefarah/yq](https://github.com/mikefarah/yq) and [codecov/codecov-action](https://github.com/codecov/codecov-action).

Updates `google-github-actions/auth` from 2.1.1 to 2.1.2
- [Release notes](https://github.com/google-github-actions/auth/releases)
- [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md)
- [Commits](google-github-actions/auth@a6e2e39...55bd3a7)

Updates `mikefarah/yq` from 4.41.1 to 4.42.1
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@0476945...9adde1a)

Updates `codecov/codecov-action` from 4.0.1 to 4.1.0
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@e0b68c6...54bcd87)

---
updated-dependencies:
- dependency-name: google-github-actions/auth
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

re-add missing from rebase

Signed-off-by: Noah Kreiger <[email protected]>

add to doc

Signed-off-by: Noah Kreiger <[email protected]>

Author: haydentherapper

.github/workflows/build.yaml

@@ -43,7 +43,7 @@ jobs:
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
+      - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
 
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
@@ -54,7 +54,7 @@ jobs:
       - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
 
       - name: Set up Cloud SDK
-        uses: google-github-actions/auth@5a50e581162a13f4baa8916d01180d2acbc04363 # v2.1.0
+        uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c # v2.1.2
         with:
           workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-cosign'
           service_account: '[email protected]'

.github/workflows/codeql-analysis.yml

@@ -67,12 +67,12 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+      uses: github/codeql-action/init@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # v2.16.1
       with:
         languages: ${{ matrix.language }}
 
     - name: Build cosign for CodeQL
       run: make cosign
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+      uses: github/codeql-action/analyze@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # v2.16.1

.github/workflows/cross.yaml

@@ -67,7 +67,7 @@ jobs:
           echo "artifactsfilename=$name" >> $GITHUB_ENV
       - name: Upload artifacts
         if: github.event_name != 'pull_request'
-        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: artifacts-${{ env.artifactsfilename }}
           path: |

.github/workflows/e2e-tests.yml

@@ -73,3 +73,17 @@ jobs:
       - name: Run e2e_signblob_tsa_mtls.sh
         shell: bash
         run: make && PATH="$PWD:$PATH" ./test/e2e_signblob_tsa_mtls.sh
+
+  e2e-test-pkcs11:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version: '1.21' 
+          check-latest: true
+
+      - name: Run pkcs11 end-to-end tests
+        shell: bash
+        run: ./test/e2e_test_pkcs11.sh

.github/workflows/kind-e2e-insecure-registry.yaml

@@ -54,10 +54,10 @@ jobs:
 
     - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
 
-    - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v1.6.1
+    - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0
 
     - name: Install yq
-      uses: mikefarah/yq@dd648994340a5d03225d97abf19c9bf1086c3f07 # v4.40.5
+      uses: mikefarah/yq@9adde1ac14bb283b8955d2b0d567bcaf3c69e639 # v4.42.1
 
     - name: Install Cosign
       run: |

.github/workflows/kind-verify-attestation.yaml

@@ -57,7 +57,7 @@ jobs:
     - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
 
     - name: Install yq
-      uses: mikefarah/yq@dd648994340a5d03225d97abf19c9bf1086c3f07 # v4.40.5
+      uses: mikefarah/yq@9adde1ac14bb283b8955d2b0d567bcaf3c69e639 # v4.42.1
 
     - name: build cosign
       run: |

.github/workflows/scorecard-action.yml

@@ -44,14 +44,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/upload-sarif@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # v2.16.1
         with:
           sarif_file: results.sarif

.github/workflows/tests.yaml

@@ -73,7 +73,7 @@ jobs:
           GODEBUG: x509sha1=1
         run: go test -tags=sct -covermode atomic -coverprofile coverage.txt $(go list ./... | grep -v third_party/)
       - name: Upload Coverage Report
-        uses: codecov/codecov-action@4fe8c5f003fae66aa5ebb77cfd3e7bfbbda0b6b0 # v3.1.5
+        uses: codecov/codecov-action@54bcd8715eee62d40e33596ef5e8f0f48dbbccab # v4.1.0
         with:
           env_vars: OS
       - name: Run Go tests w/ `-race`
@@ -175,7 +175,7 @@ jobs:
           go-version: '1.21'
           check-latest: true
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
+        uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
         with:
           # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
           version: v1.55

CHANGELOG.md

@@ -1,3 +1,38 @@
+# v2.2.3
+
+## Bug Fixes
+
+* Fix race condition on verification with multiple signatures attached to image (#3486)
+* fix(clean): Fix clean cmd for private registries (#3446)
+* Fixed BYO PKI verification (#3427)
+
+## Features
+
+* Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
+* Add support for OpenVEX predicate type (#3405)
+
+## Documentation
+
+* Resolves #3088: `version` sub-command expected behaviour documentation and testing (#3447)
+* add examples for cosign attach signature cmd (#3468)
+
+## Misc
+
+* Remove CertSubject function (#3467)
+* Use local rekor and fulcio instances in e2e tests (#3478)
+
+## Contributors
+
+* aalsabag
+* Bob Callaway
+* Carlos Tadeu Panato Junior
+* Colleen Murphy
+* Hayden B
+* Mukuls77
+* Omri Bornstein
+* Puerco
+* vivek kumar sahu
+
 # v2.2.2
 
 v2.2.2 adds a new container with a shell, `gcr.io/projectsigstore/cosign:vx.y.z-dev`, in addition to the existing
@@ -25,7 +60,7 @@ For private deployments, we have also added an alias for `--insecure-skip-log`,
 
 ## Documentation
 
-* Update SBOM_SPEC.md (#3358)
+* Update SBOM\_SPEC.md (#3358)
 
 ## Contributors
 

cmd/cosign/cli/attest.go

@@ -74,6 +74,7 @@ func Attest() *cobra.Command {
 				Slot:                     o.SecurityKey.Slot,
 				FulcioURL:                o.Fulcio.URL,
 				IDToken:                  o.Fulcio.IdentityToken,
+				FulcioAuthFlow:           o.Fulcio.AuthFlow,
 				InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify,
 				RekorURL:                 o.Rekor.URL,
 				OIDCIssuer:               o.OIDC.Issuer,

cmd/cosign/cli/attest_blob.go

@@ -61,6 +61,7 @@ func AttestBlob() *cobra.Command {
 				Slot:                     o.SecurityKey.Slot,
 				FulcioURL:                o.Fulcio.URL,
 				IDToken:                  o.Fulcio.IdentityToken,
+				FulcioAuthFlow:           o.Fulcio.AuthFlow,
 				InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify,
 				RekorURL:                 o.Rekor.URL,
 				OIDCIssuer:               o.OIDC.Issuer,

cmd/cosign/cli/download/sbom.go

@@ -100,7 +100,9 @@ func SBOMCmd(
 	}
 
 	sboms = append(sboms, string(sbom))
-	fmt.Fprint(out, string(sbom))
+	if _, err := out.Write(sbom); err != nil {
+		return nil, err
+	}
 
 	return sboms, nil
 }

cmd/cosign/cli/fulcio/fulcio.go

@@ -38,9 +38,10 @@ import (
 )
 
 const (
-	flowNormal = "normal"
-	flowDevice = "device"
-	flowToken  = "token"
+	flowNormal            = "normal"
+	flowDevice            = "device"
+	flowToken             = "token"
+	flowClientCredentials = "client_credentials"
 )
 
 type oidcConnector interface {
@@ -89,6 +90,8 @@ func getCertForOauthID(sv signature.SignerVerifier, fc api.LegacyClient, connect
 func GetCert(_ context.Context, sv signature.SignerVerifier, idToken, flow, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string, fClient api.LegacyClient) (*api.CertificateResponse, error) {
 	c := &realConnector{}
 	switch flow {
+	case flowClientCredentials:
+		c.flow = oauthflow.NewClientCredentialsFlow(oidcIssuer)
 	case flowDevice:
 		c.flow = oauthflow.NewDeviceFlowTokenGetterForIssuer(oidcIssuer)
 	case flowNormal:

cmd/cosign/cli/generate/generate.go

@@ -17,7 +17,6 @@ package generate
 
 import (
 	"context"
-	"fmt"
 	"io"
 
 	"github.com/google/go-containerregistry/pkg/name"
@@ -49,6 +48,6 @@ func GenerateCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef
 	if err != nil {
 		return err
 	}
-	fmt.Fprint(w, string(json))
+	w.Write(json)
 	return nil
 }

cmd/cosign/cli/options/fulcio.go

@@ -24,6 +24,7 @@ const DefaultFulcioURL = "https://fulcio.sigstore.dev"
 // FulcioOptions is the wrapper for Fulcio related options.
 type FulcioOptions struct {
 	URL                      string
+	AuthFlow                 string
 	IdentityToken            string
 	InsecureSkipFulcioVerify bool
 }
@@ -36,6 +37,9 @@ func (o *FulcioOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.URL, "fulcio-url", DefaultFulcioURL,
 		"address of sigstore PKI server")
 
+	cmd.Flags().StringVar(&o.AuthFlow, "fulcio-auth-flow", "",
+		"fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment.")
+
 	cmd.Flags().StringVar(&o.IdentityToken, "identity-token", "",
 		"identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.")
 

cmd/cosign/cli/options/verify.go

@@ -143,7 +143,7 @@ func (o *VerifyAttestationOptions) AddFlags(cmd *cobra.Command) {
 		"whether to check the claims found")
 
 	cmd.Flags().StringSliceVar(&o.Policies, "policy", nil,
-		"specify CUE or Rego files will be using for validation")
+		"specify CUE or Rego files with policies to be used for validation")
 
 	cmd.Flags().StringVarP(&o.Output, "output", "o", "json",
 		"output format for the signing image information (json|text)")

cmd/cosign/cli/sign.go

@@ -107,6 +107,7 @@ race conditions or (worse) malicious tampering.
 				Slot:                           o.SecurityKey.Slot,
 				FulcioURL:                      o.Fulcio.URL,
 				IDToken:                        o.Fulcio.IdentityToken,
+				FulcioAuthFlow:                 o.Fulcio.AuthFlow,
 				InsecureSkipFulcioVerify:       o.Fulcio.InsecureSkipFulcioVerify,
 				RekorURL:                       o.Rekor.URL,
 				OIDCIssuer:                     o.OIDC.Issuer,

cmd/cosign/cli/signblob.go

@@ -75,6 +75,7 @@ func SignBlob() *cobra.Command {
 				Slot:                           o.SecurityKey.Slot,
 				FulcioURL:                      o.Fulcio.URL,
 				IDToken:                        o.Fulcio.IdentityToken,
+				FulcioAuthFlow:                 o.Fulcio.AuthFlow,
 				InsecureSkipFulcioVerify:       o.Fulcio.InsecureSkipFulcioVerify,
 				RekorURL:                       o.Rekor.URL,
 				OIDCIssuer:                     o.OIDC.Issuer,

cmd/cosign/cli/triangulate.go

@@ -29,7 +29,7 @@ func Triangulate() *cobra.Command {
 
 	cmd := &cobra.Command{
 		Use:              "triangulate",
-		Short:            "Outputs the located cosign image reference. This is the location cosign stores the specified artifact type.",
+		Short:            "Outputs the located cosign image reference. This is the location where cosign stores the specified artifact type.",
 		Example:          "  cosign triangulate <IMAGE>",
 		PersistentPreRun: options.BindViper,
 		RunE: func(cmd *cobra.Command, args []string) error {

cmd/cosign/cli/verify/verify_blob.go

@@ -24,6 +24,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/fs"
 	"os"
 	"path/filepath"
 
@@ -313,7 +314,7 @@ func base64signature(sigRef, bundlePath string) (string, error) {
 	case sigRef != "":
 		targetSig, err = blob.LoadFileOrURL(sigRef)
 		if err != nil {
-			if !os.IsNotExist(err) {
+			if !errors.Is(err, fs.ErrNotExist) {
 				// ignore if file does not exist, it can be a base64 encoded string as well
 				return "", err
 			}