
SUSE-SU-2024:0430-1 -- SLES cosign

ID: oval:org.secpod.oval:def:89051452
Date: (C)2024-04-26   (M)2024-05-06
Class: PATCH
Family: unix




This update for cosign fixes the following issues:

Updated to 2.2.3:

Bug Fixes:
* Fix race condition on verification with multiple signatures attached to image
* fix: Fix clean cmd for private registries
* Fixed BYO PKI verification

Features:
* Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor
* Add support for OpenVEX predicate type

Documentation:
* Resolves #3088: `version` sub-command expected behaviour documentation and testing
* add examples for cosign attach signature cmd

Misc:
* Remove CertSubject function
* Use local rekor and fulcio instances in e2e tests
* bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795

Updated to 2.2.2:

v2.2.2 adds a new container with a shell, gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing container gcr.io/projectsigstore/cosign:vx.y.z without a shell. For private deployments, we have also added an alias for --insecure-skip-log, --private-infrastructure.

Bug Fixes:
* chore: bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 which fixes a bug with using Azure KMS
* Don't require CT log keys if using a key/sk
* Fix copy without any flag set
* Update cosign generate cmd to not include newline
* Fix idempotency error with signing

Features:
* Add --yes flag cosign import-key-pair to skip the overwrite confirmation.
* Use the timeout flag value in verify* commands.
* add --private-infrastructure flag

Container Updates:
* Bump builder image to use go1.21.4 and add new cosign image tags with shell

Documentation:
* Update SBOM_SPEC.md

* CVE-2023-48795: Fixed the Terrapin attack in embedded golang.org/x/crypto/ssh.

Platform:
SUSE Linux Enterprise Desktop 15 SP5
SUSE Linux Enterprise Server 15 SP5
Product:
cosign
Reference:
SUSE-SU-2024:0430-1
CVE-2023-48795
CVE    1
CVE-2023-48795
CPE    1
cpe:/a:cosign:cosign

© SecPod Technologies