Description of the patch:
This update for cosign fixes the following issue
- CVE-2026-39395: Incorrect attestation verification due to malformed payloads or mismatched predicate types
(bsc#1261859).
Changes for cosign:
- Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6) (#4801)
- Handle whitespace-only certificate annotation (#4760)
- fix(sign): closing SignerVerifier too early when signing with
a security key (#4761)
- Disallow --new-bundle-format and --rfc3161-timestamp (#4762)
- support managed keys in conformance testing (#4728)
- Add support for GCE metadata server env var (#4732)
- fix: preserve per-layer annotations in
WriteAttestationsReferrer (#4709)
- Fix parsing of in-toto for string predicates
- Mark batch of flags for deprecation (#4698)
- disallow key and cert identity being used together
during verification (#4636)
- support key creation in GitLab group (#4704)
- Set CGO_ENABLED=1 for fixing s390x failed build
- build against a maintained golang version (upstream uses go1.20)