fix(sec): upgrade github.com/sigstore/rekor to 1.2.0

[chncaption]

What happened？

There are 1 security vulnerabilities found in github.com/sigstore/rekor v1.1.2-0.20230508234306-ad288b385a44

• CVE-2023-33199

What did I do？

Upgrade github.com/sigstore/rekor from v1.1.2-0.20230508234306-ad288b385a44 to 1.2.0 for vulnerability fix

What did you expect to happen？

Ideally, no insecure libs should be used.

The specification of the pull request

PR Specification from OSCS

[openshift-ci]

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: chncaption
Once this PR has been reviewed and has the lgtm label, please assign ygalblum for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Luap99]

Contributions need a valid DCO.

Considering that this change does not touch any code here I assume our code does not use the effected code. Also I don't think we have to bump indirect dependencies unless absolutely necessary. I would assume the normal c/image update will result in a update here so I don't think we need this.
cc @mtrmac

[mtrmac]

Contributions need a valid DCO.

Yes.

Considering that this change does not touch any code here I assume our code does not use the effected code.

I assume that’s because the PR is incorrect. Podman does include that code but doesn’t run it.

Also I don't think we have to bump indirect dependencies unless absolutely necessary. I would assume the normal c/image update will result in an update here so I don't think we need this.

That’s one way of dealing with this.

Another is to follow #18709 , and Chris’ effort to have indirect dependency PRs automatically filed by Renovate.

I think getting that process working is more useful than even just thinking whether we should spend any effort on getting this PR into a mergeable state.

[openshift-merge-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Luap99]

Should be fixed in #18835 so we can close this one