v1.8.3 incompatible with sigstore v1.10.0+ due to removed cryptoutils/goodkey package #2248

@saisaketh-devops

Description

fulcio v1.8.3 requires sigstore v1.10.0+ but imports `github.com/sigstore/sigstore/pkg/cryptoutils/goodkey`, which was **removed** in sigstore v1.10.0. This creates a build failure.

Error

```text
go: github.com/sigstore/fulcio imports
	github.com/sigstore/fulcio/cmd/app imports
	github.com/sigstore/fulcio/pkg/ca imports
	github.com/sigstore/sigstore/pkg/cryptoutils/goodkey: cannot find module providing package github.com/sigstore/sigstore/pkg/cryptoutils/goodkey
```

Context

  • fulcio version: v1.8.3
  • sigstore version required: v1.10.0+ (as per go.mod)
  • sigstore version where goodkey was removed: v1.10.0
  • Vulnerability: GHSA-f83f-xpx7-ffpw (High severity)
  • Fixed in: v1.8.3 (but incompatible with required sigstore version)

Impact

This prevents upgrading to fulcio v1.8.3 to fix the high-severity vulnerability (GHSA-f83f-xpx7-ffpw) because:

  1. v1.8.3 requires sigstore v1.10.0+
  2. v1.8.3 imports goodkey package
  3. goodkey was removed in sigstore v1.10.0
  4. Result: Cannot build with v1.8.3

Attempted Workarounds

  1. ✅ Direct update: Build fails
  2. ✅ Update sigstore first: Build fails (missing package)
  3. ✅ Replace directives: Module path conflicts
  4. ✅ Exclude old versions: Still pulls incompatible versions

Request

Please provide one of the following:

  1. A compatible version of fulcio that works with sigstore v1.10.0+ (without goodkey dependency)
  2. A patch/PR to remove goodkey dependency from v1.8.3
  3. Guidance on how to proceed

Additional Context

This is blocking image signing in our CI/CD pipeline, which requires zero high vulnerabilities. The vulnerability has EPSS < 0.1% but our security policy requires all high vulnerabilities to be fixed.

Related Issues

  • Similar issue likely exists in timestamp-authority v2.0.3
  • cosign also uses removed ValidatePubKey function

Environment

  • Go version: 1.25.5
  • Project: Kyverno (Kubernetes policy engine)
  • Dependency: Indirect (via cosign/sigstore-go)
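As an added example that is not part of this issue or of the fulcio, sigstore or Kyverno code: a stdlib-only Go program that pre-checks a consumer module for exactly the conflict reported above before a dependency bump. It reads the `github.com/sigstore/sigstore` version a go.mod pins, compares it against the version the issue says dropped `goodkey` (v1.10.0, taken from the issue and not verified here against upstream), and, if the pinned version is at or beyond that, parses the import sections of the module's Go files to list which ones still import the removed path. The go.mod text and the two source files are constructed samples; `AtLeast`, `RequiredVersion`, `ImportersOf` and `CheckUpgrade` are names chosen for this example.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"sort"
	"strconv"
	"strings"
)

// Taken from the issue (not verified here against upstream): the module, the package
// it stopped shipping, and the first version without it.
const (
	sigstoreModule = "github.com/sigstore/sigstore"
	removedPkg     = "github.com/sigstore/sigstore/pkg/cryptoutils/goodkey"
	removedIn      = "v1.10.0"
)

// AtLeast reports whether semver a >= b on major.minor.patch; any pre-release or
// pseudo-version suffix after the patch number is ignored.
func AtLeast(a, b string) (bool, error) {
	var vs [2][3]int
	for i, s := range []string{a, b} {
		n, err := fmt.Sscanf(strings.TrimPrefix(s, "v"), "%d.%d.%d", &vs[i][0], &vs[i][1], &vs[i][2])
		if err != nil || n != 3 {
			return false, fmt.Errorf("malformed version %q", s)
		}
	}
	for k := 0; k < 3; k++ {
		if vs[0][k] != vs[1][k] {
			return vs[0][k] > vs[1][k], nil
		}
	}
	return true, nil
}

// RequiredVersion returns the version go.mod requires for modulePath, or "" if absent.
// Handles single-line and block require entries; replace/exclude lines never match.
func RequiredVersion(goMod, modulePath string) string {
	for _, line := range strings.Split(goMod, "\n") {
		fields := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(fields) >= 2 && fields[0] == modulePath {
			return fields[1]
		}
	}
	return ""
}

// ImportersOf parses only the import section of each source file (name -> contents)
// and returns, sorted, the files that import pkgPath.
func ImportersOf(files map[string]string, pkgPath string) ([]string, error) {
	fset := token.NewFileSet()
	var hits []string
	for name, src := range files {
		f, err := parser.ParseFile(fset, name, src, parser.ImportsOnly)
		if err != nil {
			return nil, err
		}
		for _, imp := range f.Imports {
			if p, _ := strconv.Unquote(imp.Path.Value); p == pkgPath {
				hits = append(hits, name)
				break
			}
		}
	}
	sort.Strings(hits)
	return hits, nil
}

// CheckUpgrade lists the files that will fail to compile: those importing removedPkg
// while go.mod pins sigstoreModule at or beyond removedIn. An empty result means no conflict.
func CheckUpgrade(goMod string, files map[string]string) ([]string, error) {
	req := RequiredVersion(goMod, sigstoreModule)
	if req == "" {
		return nil, fmt.Errorf("%s is not in the go.mod require list", sigstoreModule)
	}
	if gone, err := AtLeast(req, removedIn); err != nil || !gone {
		return nil, err
	}
	return ImportersOf(files, removedPkg)
}

// Constructed sample input that mirrors the issue; not real project files.
const sampleGoMod = "module example.com/consumer\n\ngo 1.25\n\nrequire (\n" +
	"\tgithub.com/sigstore/fulcio v1.8.3\n\tgithub.com/sigstore/sigstore v1.10.0\n)\n"

var sampleFiles = map[string]string{
	"pkg/ca/ca.go": "package ca\n\nimport (\n\t\"crypto\"\n\n\t\"" + removedPkg + "\"\n)\n",
	"pkg/ok/ok.go": "package ok\n\nimport \"github.com/sigstore/sigstore/pkg/cryptoutils\"\n",
}

func main() {
	hits, err := CheckUpgrade(sampleGoMod, sampleFiles)
	fmt.Println("files importing the removed package:", hits, "error:", err)
}
```

Run against a real tree, the map would be filled from the module's `.go` files and the go.mod read from disk; the point is that the check needs no network and no `go build`, so it can sit in CI in front of a dependency bump and name the exact files (here `pkg/ca/ca.go`) that have to move off the removed package before the version can be raised.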

Labels: enhancement