Update module github.com/sigstore/fulcio to v1.7.1

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/sigstore/fulcio	v1.6.6 -> v1.7.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

sigstore/fulcio (github.com/sigstore/fulcio)

v1.7.1

Compare Source

v1.7.1 contains a bug fix for extensions for CI providers where the OIDC claims
include HTML escape characters. If a client attempted to verify an extension value,
verification would fail unless an HTML-escaped string was used in the comparison.
Extension values will no longer be escaped.

Bug Fixes:

• Do not HTML-escape extension values (#​2023)

v1.7.0

Compare Source

v1.7.0 includes a change to how proof of possession signatures are verified.
Fulcio has updated the expected hashing algorithm for ECDSA P-384 and P-521
signatures to be SHA-384 and SHA-512, in line with CSR signature verification.
Cosign is actively being updated to support this for when signing with a
managed key and requesting a certificate.

Features

• Allow configurable client signing algorithms (#​1938)
• Use different hash in proof of possession based on key (#​1959)
• Tls verification on OIDC issuers (#​1932)
• feat: adds cert-utility. (#​1870)
• feat: makes leaf optional and other changes. (#​1931)

Bug Fixes

• Remove err impossible condition: nil != nil (#​1934)
• mark principal and issuer class under pkg/identity as deprecated (#​1980)

Contributors

• Carlos Tadeu Panato Junior
• Hayden B
• ian hundere
• Praful Khanduri
• Ramon Petgrave
• Riccardo Schirone
• Sujal Gupta

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: image/go.sum

Command failed: go get -t ./...
go: module github.com/sigstore/fulcio@v1.7.1 requires go >= 1.24.0; switching to go1.24.6
go: downloading go1.24.6 (linux/amd64)
go: download go1.24.6: golang.org/toolchain@v0.0.1-go1.24.6.linux-amd64: verifying module: checksum database disabled by GOSUMDB=off

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v1.7.1). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.