@renovate-bot (Contributor) commented Dec 12, 2025

This PR contains the following updates:

Package: github.com/sigstore/fulcio
Change: v1.6.5 -> v1.8.3

GitHub Vulnerability Alerts

CVE-2025-66506

Function identity.extractIssuerURL currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details
See identity.extractIssuerURL

Impact
Excessive memory allocation


Release Notes

sigstore/fulcio (github.com/sigstore/fulcio)

v1.8.3

Vulnerability Fixes

Features

  • feat: Add support for skipping email_verified claim requirement per issuer (#​2220)
  • add meta-issuer circleci block (#​2215)
  • add circleci info to fulcio (#​2192)

Testing

v1.8.2

Testing

  • make email address in test cases rfc822 conformant (#​2205)

v1.8.1

Same as v1.8.0, but with a fix for the CI build pipeline.

v1.8.0

Bug Fixes

  • fix: K8s API does not accept unauthorized requests (#​2111)
  • fix: vault for enterprise expects only the key name (#​2117)
  • fix(config): respect cacert on oidc-issuers (#​2098)
  • Register /healthz endpoint when listening on duplex http/grpc port (#​2046)

Features

  • feat: adds cert loading and key-match validation. (#​2173)
  • expose gcp kms retry and timeout options (#​2132)
  • server: Use warning log level for client errors (#​2147)
  • Add workflow to periodically validate OIDC issuers (#​2188)
  • Add Chainguard issuer (#​2078)
  • Add logging for template error (#​2194)
  • Add extension for deployment environment (#​2190)

Removal

  • Remove cmd/create_tink_keyset (#​2096)

v1.7.1

v1.7.1 contains a bug fix for extensions for CI providers where the OIDC claims
include HTML escape characters. If a client attempted to verify an extension value,
verification would fail unless an HTML-escaped string was used in the comparison.
Extension values will no longer be escaped.

Bug Fixes

  • Do not HTML-escape extension values (#​2023)

v1.7.0

v1.7.0 includes a change to how proof of possession signatures are verified.
Fulcio has updated the expected hashing algorithm for ECDSA P-384 and P-521
signatures to be SHA-384 and SHA-512, in line with CSR signature verification.
Cosign is actively being updated to support this for when signing with a
managed key and requesting a certificate.

Features

  • Allow configurable client signing algorithms (#​1938)
  • Use different hash in proof of possession based on key (#​1959)
  • Tls verification on OIDC issuers (#​1932)
  • feat: adds cert-utility. (#​1870)
  • feat: makes leaf optional and other changes. (#​1931)

Bug Fixes

  • Remove err impossible condition: nil != nil (#​1934)
  • mark principal and issuer class under pkg/identity as deprecated (#​1980)

Contributors

  • Carlos Tadeu Panato Junior
  • Hayden B
  • ian hundere
  • Praful Khanduri
  • Ramon Petgrave
  • Riccardo Schirone
  • Sujal Gupta

v1.6.6

Features

  • Configure additional certificate extensions for Buildkite (#​1903)
  • Relax gomod (#​1909)
  • update builder to use go1.23.4 (#​1883)
  • config: Add IBM OIDC provider (#​1892)
  • Add Kaggle identity provider (#​1850)

Contributors

  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Hayden B
  • James Healy
  • Stefan Berger
  • Trishank Karthik Kuppusamy

Configuration

📅 Schedule: Branch creation - "before 4am" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
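The advisory quoted above (CVE-2025-66506, CWE-405) turns on one detail: strings.Split over an attacker-supplied token allocates a string header for every period, so the cost scales with the input rather than with the three segments a real token has. The following is an added illustration written for this page, not fulcio's code; the function names are hypothetical and the hostile input is constructed. It sets the unbounded pattern beside a two-Cut parse whose allocations do not depend on how many periods arrive.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// errMalformed: the input lacks the three dot-separated segments of a
// compact OIDC identity token (header.payload.signature).
var errMalformed = errors.New("token must have exactly three dot-separated segments")

// payloadUnbounded shows the weakness class from CVE-2025-66506 (CWE-405):
// strings.Split allocates one 16-byte string header per segment, so an input
// of n periods costs roughly 16n bytes before any check runs (comparison only).
func payloadUnbounded(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errMalformed
	}
	return parts[1], nil
}

// payloadBounded extracts the same segment with a fixed number of allocations:
// strings.Cut returns views into the input, and a token with extra periods is
// rejected without materialising every segment.
func payloadBounded(token string) (string, error) {
	_, rest, ok := strings.Cut(token, ".")
	if !ok {
		return "", errMalformed
	}
	payload, sig, ok := strings.Cut(rest, ".")
	if !ok || strings.Contains(sig, ".") {
		return "", errMalformed
	}
	return payload, nil
}

// splitHeaders counts the string headers strings.Split would create for
// token, i.e. the amplification factor the advisory describes.
func splitHeaders(token string) int {
	return strings.Count(token, ".") + 1
}

func main() {
	hostile := strings.Repeat(".", 1<<20) // constructed: 1 MiB of periods, not a token
	n := splitHeaders(hostile)
	fmt.Printf("strings.Split would allocate %d headers (~%d bytes)\n", n, 16*n)
	_, err := payloadBounded(hostile)
	fmt.Println("bounded parser:", err)
}
```

A request-size limit in front of the handler is the cheaper first line of defence; the bounded parse matters because it keeps the per-request cost flat even for inputs under that limit.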

@renovate-bot renovate-bot requested a review from a team as a code owner December 12, 2025 02:52
@forking-renovate commented

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -t ./...
go: module github.com/sigstore/fulcio@v1.8.3 requires go >= 1.25.0; switching to go1.25.5
go: downloading go1.25.5 (linux/amd64)
go: download go1.25.5: golang.org/toolchain@v0.0.1-go1.25.5.linux-amd64: verifying module: checksum database disabled by GOSUMDB=off
