build(deps): bump github.com/containerd/imgcrypt

Bumps [github.com/containerd/imgcrypt](https://github.com/containerd/imgcrypt) from 1.1.12-0.20240528203804-3ca09a2db5cd to 1.2.0-rc1.
- [Release notes](https://github.com/containerd/imgcrypt/releases)
- [Changelog](https://github.com/containerd/imgcrypt/blob/main/CHANGES)
- [Commits](https://github.com/containerd/imgcrypt/commits/v1.2.0-rc1)

---
updated-dependencies:
- dependency-name: github.com/containerd/imgcrypt
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

vendor/github.com/containers/ocicrypt/.golangci.yml

@@ -7,7 +7,7 @@ linters:
     - goimports
     - revive
     - ineffassign
-    - vet
+    - govet
     - unused
     - misspell
 

vendor/github.com/containers/ocicrypt/blockcipher/blockcipher.go

@@ -96,9 +96,8 @@ func (lbco LayerBlockCipherOptions) GetOpt(key string) (value []byte, ok bool) {
 		return v, ok
 	} else if v, ok := lbco.Private.CipherOptions[key]; ok {
 		return v, ok
-	} else {
-		return nil, false
 	}
+	return nil, false
 }
 
 func wrapFinalizerWithType(fin Finalizer, typ LayerCipherType) Finalizer {

vendor/github.com/containers/ocicrypt/gpg.go

@@ -79,9 +79,8 @@ func GuessGPGVersion() GPGVersion {
 		return GPGv2
 	} else if err := exec.Command("gpg", "--version").Run(); err == nil {
 		return GPGv1
-	} else {
-		return GPGVersionUndetermined
 	}
+	return GPGVersionUndetermined
 }
 
 // NewGPGClient creates a new GPGClient object representing the given version

vendor/github.com/containers/ocicrypt/keywrap/jwe/keywrapper_jwe.go

@@ -24,7 +24,7 @@ import (
 	"github.com/containers/ocicrypt/config"
 	"github.com/containers/ocicrypt/keywrap"
 	"github.com/containers/ocicrypt/utils"
-	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v4"
 )
 
 type jweKeyWrapper struct {
@@ -65,7 +65,11 @@ func (kw *jweKeyWrapper) WrapKeys(ec *config.EncryptConfig, optsData []byte) ([]
 }
 
 func (kw *jweKeyWrapper) UnwrapKey(dc *config.DecryptConfig, jweString []byte) ([]byte, error) {
-	jwe, err := jose.ParseEncrypted(string(jweString))
+	// cf. list of algorithms in func addPubKeys() below
+	keyEncryptionAlgorithms := []jose.KeyAlgorithm{jose.RSA_OAEP, jose.RSA_OAEP_256, jose.ECDH_ES_A128KW, jose.ECDH_ES_A192KW, jose.ECDH_ES_A256KW}
+	// accept all algorithms defined in RFC 7518, section 5.1
+	contentEncryption := []jose.ContentEncryption{jose.A128CBC_HS256, jose.A192CBC_HS384, jose.A256CBC_HS512, jose.A128GCM, jose.A192GCM, jose.A256GCM}
+	jwe, err := jose.ParseEncrypted(string(jweString), keyEncryptionAlgorithms, contentEncryption)
 	if err != nil {
 		return nil, errors.New("jose.ParseEncrypted failed")
 	}

vendor/github.com/containers/ocicrypt/keywrap/keyprovider/keyprovider.go

@@ -124,9 +124,8 @@ func (kw *keyProviderKeyWrapper) WrapKeys(ec *config.EncryptConfig, optsData []b
 			}
 
 			return protocolOuput.KeyWrapResults.Annotation, nil
-		} else {
-			return nil, errors.New("Unsupported keyprovider invocation. Supported invocation methods are grpc and cmd")
 		}
+		return nil, errors.New("Unsupported keyprovider invocation. Supported invocation methods are grpc and cmd")
 	}
 
 	return nil, nil
@@ -162,9 +161,8 @@ func (kw *keyProviderKeyWrapper) UnwrapKey(dc *config.DecryptConfig, jsonString
 		}
 
 		return protocolOuput.KeyUnwrapResults.OptsData, nil
-	} else {
-		return nil, errors.New("Unsupported keyprovider invocation. Supported invocation methods are grpc and cmd")
 	}
+	return nil, errors.New("Unsupported keyprovider invocation. Supported invocation methods are grpc and cmd")
 }
 
 func getProviderGRPCOutput(input []byte, connString string, operation KeyProviderKeyWrapProtocolOperation) (*KeyProviderKeyWrapProtocolOutput, error) {

vendor/github.com/containers/ocicrypt/utils/utils.go

@@ -26,7 +26,7 @@ import (
 	"strings"
 
 	"github.com/containers/ocicrypt/crypto/pkcs11"
-	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v4"
 	"golang.org/x/crypto/openpgp"
 )