From acb9df4609478577ddea834c626333c9aa284589 Mon Sep 17 00:00:00 2001
From: l-qing <9499086+l-qing@users.noreply.github.com>
Date: Sun, 7 Jun 2026 16:30:00 +0000
Subject: [PATCH 1/4] chore(go): bump go directive to 1.26.4 to rebuild with fixed Go stdlib

Rebuild released binaries with Go 1.26.4 to clear stdlib CVE-2026-42504, CVE-2026-27145 and CVE-2026-42507. The Alauda release workflow resolves the toolchain via setup-go go-version-file: go.mod, so bumping this directive is sufficient for the next -alauda-N release to build on Go 1.26.4.

---
go.mod | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index 42421f84988..e70b4271b54 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/sigstore/cosign/v2
-go 1.26.3
+go 1.26.4
 require (
 cuelang.org/go v0.14.1

From e080a7e8c5bc1bbca2a0599b9c16223e1003ebfd Mon Sep 17 00:00:00 2001
From: qingliu
Date: Sun, 7 Jun 2026 16:53:11 +0000
Subject: [PATCH 2/4] ci: bump Go to 1.26.4 to match go.mod toolchain requirement

Dockerfile and test/fakeoidc/go.mod were still pinned to 1.26.3 while the main go.mod already requires go >= 1.26.4. With GOTOOLCHAIN=local this caused builds to fail. Bump both to 1.26.4 to restore consistency.

---
Dockerfile | 2 +-
test/fakeoidc/go.mod | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 97d18f41e63..9e508105daf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,4 +15,4 @@
 # This is used to we scrap the go version and use in CI to get the latest go version
 # and we use dependabot to keep the go version up to date
-FROM golang:1.26.3
+FROM golang:1.26.4
diff --git a/test/fakeoidc/go.mod b/test/fakeoidc/go.mod
index a55950336a7..2f850da4f51 100644
--- a/test/fakeoidc/go.mod
+++ b/test/fakeoidc/go.mod
@@ -1,6 +1,6 @@
 module github.com/sigstore/cosign/test/fakeoidc
-go 1.26.3
+go 1.26.4
 require github.com/go-jose/go-jose/v4 v4.0.5

From 062501ad51ac0f7b9a4bb7ebbfcdfe75a7f44967 Mon Sep 17 00:00:00 2001
From: qingliu
Date: Sun, 7 Jun 2026 17:11:59 +0000
Subject: [PATCH 3/4] ci(lint): suppress SA1019 for in-toto-golang v0.11.0 deprecations

The in-toto-golang v0.11.0 security bump deprecated the legacy Statement/StatementHeader/Subject/ProvenancePredicate types in favor of the protobuf-generated in_toto Attestation Framework v1 API. The attestation code still uses the legacy API, so staticcheck SA1019 fails the lint job. Migrating to the v1 API is a separate effort; mirror the existing Rekor-v1 SA1019 exclusions and suppress the deprecation lint on the affected files until that migration lands.

---
.golangci.yml | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)

diff --git a/.golangci.yml b/.golangci.yml
index f6b550d9520..a5611f912fb 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -83,6 +83,26 @@ linters:
 path: pkg/cosign/verify_bundle_test.go
 # NewEntry used for Rekor v1, will update to NewTlogEntry for Rekor v2 support
 text: SA1019
+ # in-toto-golang v0.11.0 deprecated the legacy Statement/StatementHeader/
+ # Subject/ProvenancePredicate types in favor of the protobuf-generated
+ # in_toto Attestation Framework v1 API. Migrating the attestation code is a
+ # separate effort; suppress the deprecation lint until then.
+ - linters:
+ - staticcheck
+ path: pkg/cosign/attestation/attestation.go
+ text: SA1019
+ - linters:
+ - staticcheck
+ path: pkg/cosign/fetch.go
+ text: SA1019
+ - linters:
+ - staticcheck
+ path: pkg/cosign/verifiers.go
+ text: SA1019
+ - linters:
+ - staticcheck
+ path: pkg/policy/attestation
+ text: SA1019
 paths:
 - third_party$
 - builtin$

From 3e556d5028f263ad4481fc277db45c9b23379079 Mon Sep 17 00:00:00 2001
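Review bot: `text: SA1019` in the four new rules matches every deprecation staticcheck reports in those files, not only the in_toto types the comment names, so a later deprecation of an unrelated API in `pkg/cosign/verifiers.go` or `pkg/cosign/fetch.go` would be silenced as well; the two rules added for `cmd/cosign/cli/attest/attest_blob_test.go` and `cmd/cosign/cli/verify/verify.go` in the following patch have the same shape. Narrowing the issue text, e.g. `text: 'SA1019: .*in_toto\.'`, keeps the suppression to the in-toto migration — confirm the exact message prefix golangci-lint emits for staticcheck SA1019 in this setup before relying on it. The `path: pkg/policy/attestation` entry also differs from its siblings: it names a directory rather than a file, and since `path` is an unanchored regex it matches any path containing that substring, so anchor it as `path: ^pkg/policy/attestation/` if the whole package is intended. Adding a tracking reference for the v1 API migration to the comment (placeholder: `# TODO(<issue-link>): remove once migrated`) would make these rules easier to retire.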
From: qingliu
Date: Sun, 7 Jun 2026 17:40:30 +0000
Subject: [PATCH 4/4] ci(lint): extend SA1019 in-toto exclusions to cmd/ files

Two more files under cmd/cosign/cli still use the deprecated in_toto.Statement/StatementHeader API and were missed by the first exclusion pass. Cover them so the lint job passes.

---
.golangci.yml | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/.golangci.yml b/.golangci.yml
index a5611f912fb..d317f4c7041 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -103,6 +103,14 @@ linters:
 - staticcheck
 path: pkg/policy/attestation
 text: SA1019
+ - linters:
+ - staticcheck
+ path: cmd/cosign/cli/attest/attest_blob_test.go
+ text: SA1019
+ - linters:
+ - staticcheck
+ path: cmd/cosign/cli/verify/verify.go
+ text: SA1019
 paths:
 - third_party$
 - builtin$