
Update module github.com/sigstore/rekor to v1.5.0 [SECURITY] (main)#3082

Open
renovate[bot] wants to merge 1 commit into main from
renovate/main-go-github.com-sigstore-rekor-vulnerability

Conversation

@renovate
Contributor

@renovate renovate bot commented Jan 22, 2026

This PR contains the following updates:

Package: github.com/sigstore/rekor
Change: v1.4.3 -> v1.5.0

GitHub Vulnerability Alerts

CVE-2026-24117

Summary

/api/v1/index/retrieve supports retrieving a public key via a user-provided URL, allowing attackers to trigger SSRF to arbitrary internal services.

Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF.

Impact

  • SSRF to cloud metadata (169.254.169.254)
  • SSRF to internal Kubernetes APIs
  • SSRF to any service accessible from Fulcio's network

Patches

Upgrade to v1.5.0. Note that this is a breaking change to the search API and fully disables lookups by URL. If you require this feature, please reach out and we can discuss alternatives.

Workarounds

Disable the search endpoint with --enable_retrieve_api=false.

CVE-2026-23831

Summary

Rekor’s cose v0.0.1 entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message. validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload.

Impact

A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal.

Patches

Upgrade to v1.5.0

Workarounds

None


Release Notes

sigstore/rekor (github.com/sigstore/rekor)

v1.5.0

Compare Source

This release fixes GHSA-273p-m2cw-6833 and GHSA-4c4x-jm2x-pf9j. Note that this
drops support for fetching public keys via URL when querying the search API.

Vulnerability Fixes

  • Handle malformed COSE and DSSE entries (#2729)
  • Drop support for fetching public keys by URL in the search index (#2731)

Features

  • Add support for a custom TLS config for clients (#2709)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
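The two advisories quoted above describe two distinct defect classes: a nil dereference reachable from attacker-controlled input (CVE-2026-23831, empty spec.message leaving sign1Msg unset before Canonicalize() reads it) and blind SSRF through a user-supplied key URL (CVE-2026-24117). The following Go program is an added example written for this page; it is not rekor's code and every type and function name in it (CoseEntry, sign1Msg, ValidateVulnerable, ValidateFixed, Canonicalize, RejectKeyURL, FakeResolve) is an assumption chosen for illustration. The first half reproduces the validate-then-canonicalize ordering with a deferred recover standing in for the request handler's panic recovery, beside a validate that rejects the empty message up front. The second half shows the kind of destination check a URL-fetching feature needs if it is kept at all; note that rekor v1.5.0 removed URL lookups entirely, and the advisory's workaround is --enable_retrieve_api=false, which is the simpler and safer choice. DNS resolution uses a constructed in-memory table so the program runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// sign1Msg is a constructed stand-in for a parsed COSE_Sign1 message
// (not rekor's own type); only the field the example dereferences is kept.
type sign1Msg struct {
	Payload []byte
}

// CoseEntry is a constructed stand-in for a proposed cose/v0.0.1 entry:
// Message plays the role of spec.message, sign1 of the parsed sign1Msg.
type CoseEntry struct {
	Message []byte
	sign1   *sign1Msg
}

// ValidateVulnerable mirrors the reported defect: an empty message is
// reported as valid, so sign1 is never set.
func ValidateVulnerable(e *CoseEntry) error {
	if len(e.Message) == 0 {
		return nil
	}
	e.sign1 = &sign1Msg{Payload: e.Message}
	return nil
}

// ValidateFixed rejects an empty message up front, so a caller that
// checks the error never reaches Canonicalize with sign1 == nil.
func ValidateFixed(e *CoseEntry) error {
	if len(e.Message) == 0 {
		return errors.New("cose entry: spec.message must not be empty")
	}
	e.sign1 = &sign1Msg{Payload: e.Message}
	return nil
}

// Canonicalize dereferences sign1 unconditionally, as the advisory
// describes. The deferred recover stands in for the handler's panic
// recovery: the goroutine survives and the caller gets an error (the
// advisory's 500 response) instead of the process crashing.
func Canonicalize(e *CoseEntry) (payload []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("canonicalize: recovered panic: %v", r)
		}
	}()
	return e.sign1.Payload, nil
}

// Resolver abstracts DNS so the URL check can be exercised offline.
type Resolver func(host string) ([]net.IP, error)

// constructedDNS is sample data for this example, not real resolution.
var constructedDNS = map[string][]net.IP{
	"keys.example.com": {net.ParseIP("203.0.113.10")},
	"metadata.example": {net.ParseIP("169.254.169.254")},
	"k8s.internal":     {net.ParseIP("10.96.0.1")},
}

// FakeResolve looks hosts up in the constructed table above.
func FakeResolve(host string) ([]net.IP, error) {
	ips, ok := constructedDNS[host]
	if !ok {
		return nil, fmt.Errorf("no such host: %s", host)
	}
	return ips, nil
}

// RejectKeyURL reports whether a user-supplied key URL must be refused
// and why: only absolute https URLs pass, and any host that resolves to
// a loopback, link-local (cloud metadata), private or unspecified
// address is refused before a request is ever made.
func RejectKeyURL(raw string, resolve Resolver) (rejected bool, reason string) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return true, "only absolute https URLs are accepted"
	}
	ips, err := resolve(u.Hostname())
	if err != nil || len(ips) == 0 {
		return true, "host does not resolve"
	}
	for _, ip := range ips {
		if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate() || ip.IsUnspecified() {
			return true, "host resolves to internal address " + ip.String()
		}
	}
	return false, ""
}

func main() {
	e := &CoseEntry{} // empty spec.message, the CVE-2026-23831 input shape
	_ = ValidateVulnerable(e)
	_, err := Canonicalize(e)
	fmt.Println("vulnerable path:", err)
	fmt.Println("fixed path:", ValidateFixed(e))
	for _, raw := range []string{
		"https://keys.example.com/pub.pem",
		"https://metadata.example/latest/meta-data/",
		"http://keys.example.com/pub.pem",
	} {
		rej, why := RejectKeyURL(raw, FakeResolve)
		fmt.Printf("%s rejected=%v %s\n", raw, rej, why)
	}
}
```

One caveat on the URL check: it validates the addresses returned at check time, but the HTTP client resolves the name again when it connects, so a name whose answer changes between the two lookups (DNS rebinding) can still reach an internal address. A production guard has to apply the same address test inside the dialer the client actually uses, or pin the connection to the checked IP, which is part of why removing the feature, as v1.5.0 does, is the more robust fix.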

@renovate
Contributor Author

renovate bot commented Jan 22, 2026

ℹ️ Artifact update notice

File name: acceptance/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 6 additional dependencies were updated

Details:

Package Change
github.com/go-chi/chi/v5 v5.2.3 -> v5.2.4
github.com/go-openapi/errors v0.22.5 -> v0.22.6
github.com/go-openapi/spec v0.22.2 -> v0.22.3
google.golang.org/api v0.258.0 -> v0.260.0
google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2 -> v0.0.0-20251222181119-0a764e51fe1b
google.golang.org/grpc v1.77.0 -> v1.78.0
File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 15 additional dependencies were updated

Details:

Package Change
github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af -> v1.9.4
cloud.google.com/go/auth v0.17.0 -> v0.18.0
cloud.google.com/go/monitoring v1.24.2 -> v1.24.3
github.com/go-chi/chi/v5 v5.2.3 -> v5.2.4
github.com/go-openapi/errors v0.22.5 -> v0.22.6
github.com/go-openapi/spec v0.22.2 -> v0.22.3
github.com/googleapis/enterprise-certificate-proxy v0.3.7 -> v0.3.9
github.com/googleapis/gax-go/v2 v2.15.0 -> v2.16.0
github.com/mattn/go-runewidth v0.0.16 -> v0.0.19
github.com/olekukonko/ll v0.0.9 -> v0.1.3
github.com/olekukonko/tablewriter v1.1.0 -> v1.1.2
google.golang.org/api v0.258.0 -> v0.260.0
google.golang.org/genproto v0.0.0-20250922171735-9219d122eba9 -> v0.0.0-20251202230838-ff82c1b0f217
gopkg.in/ini.v1 v1.67.0 -> v1.67.1
sigs.k8s.io/release-utils v0.12.2 -> v0.12.3

@renovate renovate bot force-pushed the renovate/main-go-github.com-sigstore-rekor-vulnerability branch from ad18dfc to d272acb (February 2, 2026 21:15)
@renovate renovate bot force-pushed the renovate/main-go-github.com-sigstore-rekor-vulnerability branch from d272acb to 5f13354 (February 10, 2026 11:30)
@renovate renovate bot force-pushed the renovate/main-go-github.com-sigstore-rekor-vulnerability branch 4 times, most recently from be73019 to 161995c (February 13, 2026 20:39)
@github-actions github-actions bot added size: M and removed size: XL labels Feb 13, 2026
@codecov

codecov bot commented Feb 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
acceptance 55.51% <ø> (+<0.01%) ⬆️
generative 18.56% <ø> (ø)
integration 27.56% <ø> (ø)
unit 68.39% <ø> (ø)

Flags with carried forward coverage won't be shown.

@renovate renovate bot force-pushed the renovate/main-go-github.com-sigstore-rekor-vulnerability branch from 161995c to 68acbaf (February 14, 2026 01:43)