From ef9416d2fa7aad5b325d7c6d191e1d94a56e7295 Mon Sep 17 00:00:00 2001
From: "renovate-rancher[bot]" <119870437+renovate-rancher[bot]@users.noreply.github.com>
Date: Fri, 23 Jan 2026 06:44:40 +0000
Subject: [PATCH] chore(deps): update module github.com/sigstore/sigstore to v1.10.4 [security]
---
 go.mod | 2 +-
 go.sum | 4 ++--
 vendor/github.com/sigstore/sigstore/pkg/tuf/client.go | 8 ++++++--
 vendor/modules.txt | 2 +-
 4 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index 29ff3c40..67583ced 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 github.com/google/go-containerregistry v0.20.7
 github.com/sigstore/cosign/v3 v3.0.4
 github.com/sigstore/rekor v1.4.3
- github.com/sigstore/sigstore v1.10.3
+ github.com/sigstore/sigstore v1.10.4
 github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af
 github.com/theupdateframework/go-tuf v0.7.0
 )
diff --git a/go.sum b/go.sum
index 132c8b5a..766d06c4 100644
--- a/go.sum
+++ b/go.sum
@@ -398,8 +398,8 @@ github.com/sigstore/rekor v1.4.3 h1:2+aw4Gbgumv8vYM/QVg6b+hvr4x4Cukur8stJrVPKU0=
 github.com/sigstore/rekor v1.4.3/go.mod h1:o0zgY087Q21YwohVvGwV9vK1/tliat5mfnPiVI3i75o=
 github.com/sigstore/rekor-tiles/v2 v2.0.1 h1:1Wfz15oSRNGF5Dzb0lWn5W8+lfO50ork4PGIfEKjZeo=
 github.com/sigstore/rekor-tiles/v2 v2.0.1/go.mod h1:Pjsbhzj5hc3MKY8FfVTYHBUHQEnP0ozC4huatu4x7OU=
-github.com/sigstore/sigstore v1.10.3 h1:s7fBYYOzW/2Vd0nND2ZdpWySb5vRF2u9eix/NZMHJm0=
-github.com/sigstore/sigstore v1.10.3/go.mod h1:T26vXIkpnGEg391v3TaZ8EERcXbnjtZb/1erh5jbIQk=
+github.com/sigstore/sigstore v1.10.4 h1:ytOmxMgLdcUed3w1SbbZOgcxqwMG61lh1TmZLN+WeZE=
+github.com/sigstore/sigstore v1.10.4/go.mod h1:tDiyrdOref3q6qJxm2G+JHghqfmvifB7hw+EReAfnbI=
 github.com/sigstore/sigstore-go v1.1.4 h1:wTTsgCHOfqiEzVyBYA6mDczGtBkN7cM8mPpjJj5QvMg=
 github.com/sigstore/sigstore-go v1.1.4/go.mod h1:2U/mQOT9cjjxrtIUeKDVhL+sHBKsnWddn8URlswdBsg=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.3 h1:D/FRl5J9UYAJPGZRAJbP0dH78pfwWnKsyCSBwFBU8CI=
diff --git a/vendor/github.com/sigstore/sigstore/pkg/tuf/client.go b/vendor/github.com/sigstore/sigstore/pkg/tuf/client.go
index dd78dd1c..3477a8cf 100644
--- a/vendor/github.com/sigstore/sigstore/pkg/tuf/client.go
+++ b/vendor/github.com/sigstore/sigstore/pkg/tuf/client.go
@@ -671,12 +671,16 @@ type diskCache struct {
 memory *memoryCache
 }
+func (d *diskCache) safePath(p string) string {
+ return filepath.FromSlash(filepath.Join(d.base, url.PathEscape(p)))
+}
+
 func (d *diskCache) Get(p string) ([]byte, error) {
 // Read from the in-memory cache first.
 if b, err := d.memory.Get(p); err == nil {
 return b, nil
 }
- fp := filepath.FromSlash(filepath.Join(d.base, p))
+ fp := d.safePath(p)
 return os.ReadFile(fp)
 }
@@ -685,7 +689,7 @@ func (d *diskCache) Set(p string, b []byte) error {
 return err
 }
- fp := filepath.FromSlash(filepath.Join(d.base, p))
+ fp := d.safePath(p)
 if err := os.MkdirAll(filepath.Dir(fp), 0o700); err != nil {
 return fmt.Errorf("creating targets dir: %w", err)
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 714a2166..b8ed164e 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -397,7 +397,7 @@ github.com/sigstore/rekor-tiles/v2/pkg/generated/protobuf
 github.com/sigstore/rekor-tiles/v2/pkg/note
 github.com/sigstore/rekor-tiles/v2/pkg/types/verifier
 github.com/sigstore/rekor-tiles/v2/pkg/verify
-# github.com/sigstore/sigstore v1.10.3
+# github.com/sigstore/sigstore v1.10.4
 ## explicit; go 1.25.0
 github.com/sigstore/sigstore/pkg/cryptoutils
 github.com/sigstore/sigstore/pkg/cryptoutils/goodkey