diff --git a/gitsign.yaml b/gitsign.yaml
index 6d6a22ba0c6f..a429f34d0ffe 100644
--- a/gitsign.yaml
+++ b/gitsign.yaml
@@ -1,7 +1,7 @@
 package:
 name: gitsign
 version: "0.13.0"
- epoch: 7 # CVE-2025-61729
+ epoch: 8 # GHSA-whqx-f9j3-ch6m
 description: Keyless Git signing with Sigstore!
 copyright:
 - license: Apache-2.0
@@ -23,6 +23,7 @@ pipeline:
 golang.org/x/net@v0.38.0
 github.com/cloudflare/circl@v1.6.1
 golang.org/x/crypto@v0.45.0
+ github.com/sigstore/cosign/v2@v2.6.2
 - uses: go/build
 with:
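Review bot: The new `github.com/sigstore/cosign/v2@v2.6.2` entry in the second hunk has no durable record of which advisory it remediates. The only link is the epoch comment in the first hunk, and this commit already overwrites that comment's previous value (CVE-2025-61729), so the next epoch bump will erase GHSA-whqx-f9j3-ch6m the same way. The pin list appears to sit inside a block scalar that opens outside the hunk, so a note cannot go between entries; I would add a comment above the step instead, such as `# cosign/v2 pinned for GHSA-whqx-f9j3-ch6m; drop once upstream gitsign requires >= v2.6.2`. It would also be worth confirming with `go version -m` on the built gitsign binary that the cosign module resolves to v2.6.2, since the hunk does not show whether a replace directive or later step could override the pin.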