build(deps): bump github.com/sigstore/cosign/v2 from 2.6.2 to 2.6.3 in /rootfs/cosign

[dependabot]

Bumps github.com/sigstore/cosign/v2 from 2.6.2 to 2.6.3.

Release notes

Sourced from github.com/sigstore/cosign/v2's releases.

v2.6.3

Changelog

v2.6.3 resolves GHSA-w6c6-c85g-mmv6.

• fecddd3c22045a39f52392e71e79f66854b41352 Fix DSSE predicate check (#4802)
• 564c5b1b0bed7bd991910774c47df1150ffb8aa8 Backport bundle detection to sign and attest (#4727)

Thanks to all contributors!

Changelog

Sourced from github.com/sigstore/cosign/v2's changelog.

v3.0.5

Deprecations

• Deprecate rekor-entry-type flag (#4691)
• Deprecate cosign triangulate (#4676)
• Deprecate cosign copy (#4681)

Features

• Automatically require signed timestamp with Rekor v2 entries (#4666)
• Allow --local-image with --new-bundle-format for v2 and v3 signatures (#4626)
• Add mTLS support for TSA client connections when signing with a signing config (#4620)
• Enforce TSA requirement for Rekor v2, Fuclio signing (#4683)

Bug Fixes

• Add empty predicate to cosign sign when payload type is application/vnd.in-toto+json (#4635)
• fix: avoid panic on malformed attestation payload (#4651)
• fix: avoid panic on malformed tlog entries (#4649)
• fix: avoid panic on malformed replace payload (#4653)
• Gracefully fail if bundle payload body is not a string (#4648)
• Verify validity of chain rather than just certificate (#4663)
• fix: avoid panic on malformed tlog entry body (#4652)

Documentation

• docs(cosign): clarify RFC3161 revocation semantics (#4642)
• Fix typo in CLI help (#4701)

v3.0.4

v3.0.4 resolves GHSA-whqx-f9j3-ch6m.

Changes

• Fix bundle verify path for old bundle/trusted root (GHSA-whqx-f9j3-ch6m) (#4623)
• Optimize cosign tree performance by caching digest resolution (#4612)
• Don't require a trusted root to verify offline with a key (#4613)
• Support default services for trusted-root and signing-config creation (#4592)

Commits

• fecddd3 Fix DSSE predicate check (#4802)
• 564c5b1 Backport bundle detection to sign and attest (#4727)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)