v0.6.0

v0.6.0

Enhancements

• BREAKING: Moved cosign upload-blob to cosign upload blob (#378)
• BREAKING: Moved cosign upload to cosign attach signature (#378)
• BREAKING: Moved cosign download to cosign download signature (#392)
• Added flags to specify slot, PIN, and touch policies for security keys (Thank you @ddz #369)
• Added cosign verify-dockerfile command (#395)
• Added SBOM support in cosign attach and cosign download sbom (#387)
• Sign & verify images using Kubernetes secrets (A muchas muchas gracias to @developer-guy and @Dentrax #398)
• Added support for AWS KMS (谢谢, @codysoyland #426)
• Numerous enhancements to our build & release process, courtesy @cpanato

Bug Fixes

• Verify entry timestamp signatures of fetched Tlog entries (#371)

Contributors

• Asra Ali (@asraa)
• Batuhan Apaydın (@developer-guy)
• Carlos Panato (@cpanato)
• Cody Soyland (@codysoyland)
• Dan Lorenc (@dlorenc)
• Dino A. Dai Zovi (@ddz)
• Furkan Türkal (@Dentrax)
• Jason Hall (@imjasonh)
• Paris Zoumpouloglou (@zuBux)
• Priya Wadhwa (@priyawadhwa)
• Rémy Greinhofer (@rgreinho)
• Russell Brown (@rjbrown57)

cosign image available at gcr.io/projectsigstore/cosign:v0.6.0@sha256:2303322158802ec0452758578ac80801a3754ee9cb19c128fc5d1b2ec32fa2d2

Thanks for all contributors!