Releases: sigstore/cosign
v1.13.0
Highlights
- For users who have deployed a private instance of Fulcio release v0.6.x and issue certificates with the Username identity, you will need to upgrade to use this version.
What's Changed
- add changelog for v1.12.1 by @cpanato in #2270
- deps: update sigstore/sigstore by @asraa in #2271
- chore(deps): bump github/codeql-action from 2.1.24 to 2.1.25 by @dependabot in #2274
- feat: use stdin as an input for predicate by @developer-guy in #2269
- feat: improve the verification message by @developer-guy in #2268
- use scaffolding 0.4.8 for tests. by @vaikas in #2280
- chore(deps): bump actions/dependency-review-action from 2.3.0 to 2.4.0 by @dependabot in #2281
- fix pivtool generate key touch policy by @cpanato in #2282
- Check error on chain verification failure by @haydentherapper in #2284
- Fix: Remove an extra registry request from verification path. by @mattmoor in #2285
- Fix: Create a static copy of signatures as part of verification. by @mattmoor in #2287
- Data race in FetchSignaturesForReference by @RTann in #2283
- Add support for Fulcio username identity in SAN by @haydentherapper in #2291
- fix: make tlog entry lookups for online verification shard-aware by @asraa in #2297
- Better help text to sign and verify SBOM by @ChristianCiach in #2308
- Adding warning to pin to digest by @ChaosInTheCRD in #2311
- Add annotations for upload blob. by @cldmnky in #2188
- replace deprecate package by @cpanato in #2314
- update release images to use go1.19.2 and cosign v1.12.1 by @cpanato in #2315
New Contributors
- @RTann made their first contribution in #2283
- @ChristianCiach made their first contribution in #2308
- @ChaosInTheCRD made their first contribution in #2311
- @cldmnky made their first contribution in #2188
Full Changelog: v1.12.1...v1.13.0
v1.12.1
Highlights
- fix: Pulls Fulcio root and intermediate when --certificate-chain is not passed into the verify-blob command. The v1.12.0 release introduced a regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would check a --certificate (without a --certificate-chain provided) against the operating system root CA bundle. In this release, Cosign checks the certificate against Fulcio's CA root instead (restoring the earlier behavior).
What's Changed
- fix: fix cert chain validation for verify-blob in non-experimental mode by @asraa in #2256
- fix: add COSIGN_EXPERIMENTAL=1 for verify-bloba by @developer-guy in #2254
- Fix BYO-root with intermediate to fetch intermediates from annotation by @haydentherapper in #2244
- fix: fixing breaking changes in rekor v1.12.0 upgrade by @developer-guy in #2260
Full Changelog: v1.12.0...v1.12.1
v1.12.0
Note: This release comes with a fix for CVE-2022-36056, described in this GitHub Security Advisory. Please upgrade to this release ASAP.
Highlights
BREAKING: The fix for GHSA-8gw7-4j42-w388 (CVE-2022-36056) means that some verify-blob commands that used to work may not anymore. In particular:
- When using verify-blob with signatures created with keyless mode, we require either COSIGN_EXPERIMENTAL=1 or a valid Rekor bundle for offline verification passed with --bundle.
If you upgrade and encounter other issues, please read the advisory in full; your prior checks may have been passing inappropriately.
What's Changed
- use scaffolding v0.4.6. by @vaikas in #2201
- Support non-ECDSA key types for verify-blob by @haydentherapper in #2203
- feat: integrate Alibaba Cloud Container Registry cred helper by @mozillazg in #2008
- remove double quotes, looks like it is passing as a single string to cosign and not as an array by @cpanato in #2205
- Upgrade to go1.19 by @cpanato in #2213
- Clarify error when KMS provider fails to load by @znewman01 in #2220
- feat: set annotations to generate additional bash completion information by @dirien in #2221
- Add deprecation warning for sget CLI and packages by @imjasonh in #2019
- upgrade setup-ko to point to new repo by @imjasonh in #2225
- update go builder to go1.19.1 by @cpanato in #2241
- Temp fix for e2e test by @haydentherapper in #2247
- update kind to use release v0.15.0 and some version comments by @cpanato in #2246
- Fix e2e test failure, add test for local bundle without rekor bundle by @haydentherapper in #2248
- fix: fix secret test, non-experimental bundle should pass by @asraa in #2249
New Contributors
- @mozillazg made their first contribution in #2008
Full Changelog: v1.11.1...v1.12.0
v1.11.1
What's Changed
- add stale workflow using the workflow template by @cpanato in #2175
- Update Scorecard action to v2:alpha by @azeemshaikh38 in #2177
- add release cadence section in the readme by @cpanato in #2179
- bump scaffold in tests to use release v0.4.5 by @cpanato in #2180
- Bump github.com/sigstore/rekor from 0.10.0 to 0.11.0 by @dependabot in #2181
- Bump google.golang.org/api from 0.92.0 to 0.93.0 by @dependabot in #2183
- Bump github.com/go-openapi/swag from 0.22.1 to 0.22.3 by @dependabot in #2182
- Bump github/codeql-action from 2.1.18 to 2.1.19 by @dependabot in #2184
- Bump actions/dependency-review-action from 2.0.4 to 2.1.0 by @dependabot in #2185
- bump fulcio dep to 0.5.2 by @k4leung4 in #2176
- feat: Rework fig autocomplete command by @dirien in #2187
- Bump github.com/sigstore/fulcio from 0.5.2 to 0.5.3 by @dependabot in #2190
- Bump github.com/xanzy/go-gitlab from 0.72.0 to 0.73.0 by @dependabot in #2191
- Bump github/codeql-action from 2.1.19 to 2.1.20 by @dependabot in #2193
- Bump actions/cache from 3.0.7 to 3.0.8 by @dependabot in #2192
- Bump github.com/xanzy/go-gitlab from 0.73.0 to 0.73.1 by @dependabot in #2195
- Bump actions/setup-go from 3.2.1 to 3.3.0 by @dependabot in #2196
- fix: fix typo that caused attestation verification failure by @asraa in #2199
Full Changelog: v1.11.0...v1.11.1
Thanks to all contributors!
v1.11.0
What's Changed
- Update CHANGELOG for 1.10.1 release by @priyawadhwa in #2130
- Bump github/codeql-action from 2.1.17 to 2.1.18 by @dependabot in #2129
- Bump github.com/go-piv/piv-go from 1.9.0 to 1.10.0 by @dependabot in #2135
- Bump actions/cache from 3.0.5 to 3.0.6 by @dependabot in #2136
- Bump github.com/xanzy/go-gitlab from 0.70.0 to 0.71.0 by @dependabot in #2142
- Bump github.com/go-openapi/swag from 0.21.1 to 0.22.0 by @dependabot in #2140
- Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.6 to 0.1.7 by @dependabot in #2141
- Verify the certificate chain against the Fulcio root trust by default by @wata727 in #2139
- Add notes to clarify registry use. by @bendory in #2145
- Use TUF from scaffolding for validating cosign. by @vaikas in #2146
- Bump actions/cache from 3.0.6 to 3.0.7 by @dependabot in #2151
- Bump google.golang.org/api from 0.91.0 to 0.92.0 by @dependabot in #2150
- Bump tests to use scaffolding-0.4.3. by @vaikas in #2153
- docs: clarify wording in spec about usage of certificate chain by @asraa in #2152
- Bump github.com/xanzy/go-gitlab from 0.71.0 to 0.72.0 by @dependabot in #2148
- Bump go.uber.org/atomic from 1.9.0 to 1.10.0 by @dependabot in #2155
- Bump actions/github-script from 6.1.0 to 6.1.1 by @dependabot in #2156
- fix: fix blob verification output with sharded rekor tlogs by @asraa in #2157
- Run tests using Go 1.18 by @imjasonh in #2093
- Bump sigs.k8s.io/release-utils from 0.6.0 to 0.7.3 by @dependabot in #2102
- fix: adds envelope hash to in-toto entries in tlog entry creation by @nkreiger in #2118
- fix handling of verify-attestation types for URIs by @otms61 in #2159
- bump to scaffolding v0.4.4 by @vaikas in #2165
- fix oidc post-merge job by @cpanato in #2164
- Remove third_party by @imjasonh in #2166
- use updated device flow logic with PKCE by @bobcallaway in #2163
- fix: rekor get tlog entry with uuid by @asraa in #2058
- update e2e job to run only when push to main by @cpanato in #2169
- Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 by @dependabot in #2168
- fix: add env cmd to root by @developer-guy in #2171
- Bump github.com/go-openapi/swag from 0.22.0 to 0.22.1 by @dependabot in #2167
- fix panic when os.Stat returns an error besides ErrNotExists by @dsa0x in #2162
- add changelog for v1.11.0 by @cpanato in #2173
- update builder image by @cpanato in #2174
New Contributors
- @wata727 made their first contribution in #2139
- @bendory made their first contribution in #2145
- @nkreiger made their first contribution in #2118
- @dsa0x made their first contribution in #2162
Full Changelog: v1.10.1...v1.11.0
Thanks to all contributors!
v1.10.1
This release fixes a security issue: cosign verify-attestation --type can report a false positive if any attestation exists (GHSA-vjxv-45g9-9296).
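A worked model of the check behind that advisory, added here and not taken from cosign's source. Each attestation is stored as a DSSE envelope whose base64 payload is an in-toto Statement carrying a predicateType. Accepting the image because some attestation exists (weakCheck, which models the symptom described above) lets a vulnerability-scan attestation satisfy a request for SLSA provenance; the fix is to decode every payload and compare predicateType with the requested type (strictCheck). The envelopes, the helper names and the vulnerability-scan predicate URI are constructed for this example; envelope signature verification is out of scope here and must still happen before the type check is trusted.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// envelope is the DSSE envelope shape in which cosign stores attestations.
// Signatures are omitted: this example shows only the predicate-type check,
// which runs after (not instead of) envelope signature verification.
type envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"`
}

// statement is the subset of an in-toto Statement needed to filter by type.
type statement struct {
	Type          string `json:"_type"`
	PredicateType string `json:"predicateType"`
}

const (
	inTotoPayloadType = "application/vnd.in-toto+json"
	slsaProvenance    = "https://slsa.dev/provenance/v0.2"
	// Assumed URI for a vulnerability-scan predicate; constructed for this example.
	vulnScan = "https://example.invalid/attestation/vuln/v1"
)

// mkEnvelope wraps a minimal in-toto Statement of the given predicate type in
// a DSSE envelope. Constructed test data, not a real attestation.
func mkEnvelope(predicateType string) envelope {
	st := map[string]interface{}{
		"_type":         "https://in-toto.io/Statement/v0.1",
		"predicateType": predicateType,
		"subject":       []interface{}{},
		"predicate":     map[string]interface{}{},
	}
	b, err := json.Marshal(st)
	if err != nil {
		panic(err) // static input; cannot fail
	}
	return envelope{
		PayloadType: inTotoPayloadType,
		Payload:     base64.StdEncoding.EncodeToString(b),
	}
}

// weakCheck models the false positive: it reports success whenever at least
// one attestation is present, without looking at its type.
func weakCheck(envs []envelope, want string) bool {
	return len(envs) > 0
}

// strictCheck decodes every payload and succeeds only if some attestation's
// predicateType equals the requested one. Payloads that cannot be decoded are
// errors rather than silently skipped, so the check fails closed.
func strictCheck(envs []envelope, want string) (bool, error) {
	for i, e := range envs {
		if e.PayloadType != inTotoPayloadType {
			return false, fmt.Errorf("attestation %d: unexpected payloadType %q", i, e.PayloadType)
		}
		raw, err := base64.StdEncoding.DecodeString(e.Payload)
		if err != nil {
			return false, fmt.Errorf("attestation %d: payload is not base64: %w", i, err)
		}
		var st statement
		if err := json.Unmarshal(raw, &st); err != nil {
			return false, fmt.Errorf("attestation %d: payload is not an in-toto statement: %w", i, err)
		}
		if st.PredicateType == want {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// One vulnerability-scan attestation attached; the caller asks for provenance.
	envs := []envelope{mkEnvelope(vulnScan)}
	fmt.Println("weak  :", weakCheck(envs, slsaProvenance)) // true (false positive)
	ok, err := strictCheck(envs, slsaProvenance)
	fmt.Println("strict:", ok, err) // false <nil>
}
```

The same shape applies to any policy that keys on attestation metadata: match on the decoded, signature-verified statement, never on the mere presence of an attachment under the expected tag.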
What's Changed
- Bump github.com/google/go-containerregistry from 0.10.0 to 0.11.0 by @dependabot in #2088
- Remove knative/pkg deps by @imjasonh in #2092
- add flag to allow skipping upload to transparency log by @k4leung4 in #2089
- Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 by @dependabot in #2100
- Improve error message when no sigs/atts are found for an image by @imjasonh in #2101
- Change Result in Vulnerability Attestation to interface{} by @knqyf263 in #2096
- Fix field names in the vulnerability attestation by @otms61 in #2099
- Bump github.com/hashicorp/go-hclog from 1.2.1 to 1.2.2 by @dependabot in #2103
- remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint by @cpanato in #2105
- Bump imjasonh/setup-ko from 0.4 to 0.5 by @dependabot in #2107
- Bump google.golang.org/api from 0.88.0 to 0.89.0 by @dependabot in #2106
- ✨ Enable Scorecard badge by @azeemshaikh38 in #2109
- Resolves #522 set Created date to time of execution by @Lerentis in #2108
- Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 by @dependabot in #2110
- Introduce a custom error type to classify errors. by @mattmoor in #2114
- Bump github/codeql-action from 2.1.16 to 2.1.17 by @dependabot in #2112
- Bump google.golang.org/api from 0.89.0 to 0.90.0 by @dependabot in #2111
- feat: attach: attestation: allow passing multiple payloads by @Dentrax in #2085
- Bump github.com/open-policy-agent/opa from 0.42.2 to 0.43.0 by @dependabot in #2115
- Bump mikefarah/yq from 4.26.1 to 4.27.2 by @dependabot in #2116
- update cross-builder to go1.18.5 and cosign image to 1.10.0 by @cpanato in #2119
- Bump github.com/xanzy/go-gitlab from 0.69.0 to 0.70.0 by @dependabot in #2120
- chore: fix documentation and warning on using untrusted rekor key by @asraa in #2124
- Bump google.golang.org/api from 0.90.0 to 0.91.0 by @dependabot in #2125
- Correct the type used for attest by @mattmoor in #2128
New Contributors
- @otms61 made their first contribution in #2099
- @azeemshaikh38 made their first contribution in #2109
- @Lerentis made their first contribution in #2108
Full Changelog: v1.10.0...v1.10.1
Thanks to all contributors!
v1.10.0
What's Changed
- Bump google.golang.org/api from 0.81.0 to 0.82.0 by @dependabot in #1948
- Bump github/codeql-action from 2.1.11 to 2.1.12 by @dependabot in #1951
- replace gcr.io/distroless/ to use ghcr.io/distroless/ by @cpanato in #1961
- Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.5 to 0.1.6 by @dependabot in #1958
- Bump google.golang.org/grpc from 1.46.2 to 1.47.0 by @dependabot in #1943
- Bump github.com/stretchr/testify from 1.7.1 to 1.7.2 by @dependabot in #1963
- Separate RegExp matching of issuer/subject from strict by @vaikas in #1956
- tuf: improve TUF client concurrency and caching by @asraa in #1953
- Add Cloudsmith Container Registry to tested registry list by @ciaracarey in #1966
- feat(fulcioroots): singleton error pattern by @developer-guy in #1965
- Bump github.com/hashicorp/go-hclog from 1.2.0 to 1.2.1 by @dependabot in #1968
- Bump actions/cache from 3.0.3 to 3.0.4 by @dependabot in #1970
- Drop tuf client dependency on GCS client library by @imjasonh in #1967
- Add spdxjson predicate type for attestations by @jdolitsky in #1974
- Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 by @dependabot in #1980
- Remove policy-controller now that it lives in sigstore/policy-controller by @vaikas in #1976
- cleanup: unexport kubernetes.Client method by @imjasonh in #1973
- Bump google.golang.org/api from 0.82.0 to 0.83.0 by @dependabot in #1979
- cleanup ci job and remove policy-controller references by @cpanato in #1981
- fix typos by @cpanato in #1982
- fix/update post build job by @cpanato in #1983
- docs: updated Azure kms commands. by @JBrejnholt in #1972
- Add cyclonedx predicate type for attestations by @jdolitsky in #1977
- Route deprecated -version to version subcommand by @puerco in #1854
- docs(readme): add installation steps for container image for cosign binary by @developer-guy in #1986
- Add --platform flag to cosign sbom download by @puerco in #1975
- Bump github.com/hashicorp/vault/sdk from 0.5.0 to 0.5.1 by @dependabot in #1988
- Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore by @imjasonh in #1866
- Bump sigstore/sigstore to HEAD by @puerco in #1995
- Add --oidc-provider flag to specify which provider to use for ambient credentials by @priyawadhwa in #1998
- Bump google.golang.org/api from 0.83.0 to 0.84.0 by @dependabot in #1999
- Bump actions/dependency-review-action from 1.0.2 to 2.0.1 by @dependabot in #2000
- Bump github.com/hashicorp/vault/sdk from 0.5.1 to 0.5.2 by @dependabot in #1996
- Bump actions/dependency-review-action from 2.0.1 to 2.0.2 by @dependabot in #2001
- encrypt values to create the github action secret by @cpanato in #1990
- Bump github.com/stretchr/testify from 1.7.2 to 1.7.3 by @dependabot in #2009
- Bump github/codeql-action from 2.1.12 to 2.1.13 by @dependabot in #2013
- Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 by @dependabot in #2012
- Bump github.com/google/go-github/v45 from 45.1.0 to 45.2.0 by @dependabot in #2011
- Bump github.com/stretchr/testify from 1.7.3 to 1.7.4 by @dependabot in #2010
- Bump google.golang.org/api from 0.84.0 to 0.85.0 by @dependabot in #2015
- sign-blob: bundle should work independently and respect --output-certificate and --output-signature by @Dentrax in #2016
- Bump mikefarah/yq from 4.25.2 to 4.25.3 by @dependabot in #2022
- Bump github.com/google/go-containerregistry from 0.9.0 to 0.10.0 by @dependabot in #2021
- Bump github/codeql-action from 2.1.13 to 2.1.14 by @dependabot in #2023
- Attempt to clean up pkg/cosign by @imjasonh in #2018
- public-key: fix command description by @Dentrax in #2024
- Bump github.com/stretchr/testify from 1.7.4 to 1.7.5 by @dependabot in #2026
- Bump github.com/xanzy/go-gitlab from 0.68.0 to 0.68.2 by @dependabot in #2029
- [NFC] specs: fix list formatting on SIGNATURE_SPEC by @woodruffw in #2030
- Bump ossf/scorecard-action from 1.1.1 to 1.1.2 by @dependabot in #2033
- feat: cert-extensions verify by @developer-guy in #1626
- Bump github.com/stretchr/testify from 1.7.5 to 1.8.0 by @dependabot in #2035
- Bump google.golang.org/api from 0.85.0 to 0.86.0 by @dependabot in #2036
- Bump github/codeql-action from 2.1.14 to 2.1.15 by @dependabot in #2038
- Bump github.com/spiffe/go-spiffe/v2 from 2.1.0 to 2.1.1 by @dependabot in #2037
- Fix #1378 create new attestation signature in replace mode if not existent by @Syquel in #2014
- Bump github.com/hashicorp/go-version from 1.5.0 to 1.6.0 by @dependabot in #2032
- Use cosign.ConfirmPrompt more consistently by @imjasonh in #2039
- chore: add a note about SIGSTORE_REKOR_PUBLIC_KEY var by @hectorj2f in #2040
- Bump sigstore/cosign-installer from 2.4.0 to 2.4.1 by @dependabot in #2042
- Fix OIDC test by @cpanato in #2050
- Add env subcommand. by @wlynch in #2051
- remove tests with 1.21 k8s cluster because it is deprecated and add v1.23/24 by @cpanato in #2055
- update ct/otel and etcd by @cpanato in #2054
- Bump github.com/open-policy-agent/opa from 0.35.0 to 0.42.0 by @dependabot in #2046
- update to go 1.18 by @asraa in #2059
- Bump actions/cache from 3.0.4 to 3.0.5 by @dependabot in #2066
- Bump github/codeql-action from 2.1.15 to 2.1.16 by @dependabot in #2065
- Bump actions/setup-go from 3.2.0 to 3.2.1 by @dependabot in #2060
- Bump google.golang.org/grpc from 1.47.0 to 1.48.0 by @dependabot in #2062
- Bump github.com/open-policy-agent/opa from 0.42.0 to 0.42.2 by @dependabot in #2063
- chore(deps): CycloneDX PredicateType changed to use in-toto-golang by @masahiro331 in #2067
- Bump google.golang.org/api from 0.86.0 to 0.87.0 by @dependabot in #2064
- Bump actions/dependency-review-action from 2.0.2 to 2.0.4 by @dependabot in #2073
- Bump github.com/xanzy/go-gitlab from 0.68.2 to 0.69.0 by @dependabot in #2075
- Bump mikefarah/yq from 4.25.3 to 4.26.1 by @dependabot in #2076
- Remove replace directives in go.mod. by @wlynch in #2070
- update design doc link by @bobcallaway in #2077
- Remove hack/tools.go by @imjasonh in #2080
- Bump google.golang.org/api from 0.87.0 to 0.88.0 by @dependabot in #2081
- Bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 by @dependabot in #2078
- Bump github.com/hashicorp/vault/sdk from 0.5.2 to 0.5.3 by @dependabot in #2079
- update builder image to use go1.18.4 by @cpanato in #2086
- add changelog for v1.10.0 release by @cpanato in #2087
- fix missing quote by @cpanato in #2090
New Contributors
- @ciaracarey made their first contribution in #1966
- @JBrejnholt made their first contribution in #1972
*...
v1.10.0-rc.1
Thanks to all contributors!
What's Changed
- Bump google.golang.org/api from 0.81.0 to 0.82.0 by @dependabot in #1948
- Bump github/codeql-action from 2.1.11 to 2.1.12 by @dependabot in #1951
- replace gcr.io/distroless/ to use ghcr.io/distroless/ by @cpanato in #1961
- Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.5 to 0.1.6 by @dependabot in #1958
- Bump google.golang.org/grpc from 1.46.2 to 1.47.0 by @dependabot in #1943
- Bump github.com/stretchr/testify from 1.7.1 to 1.7.2 by @dependabot in #1963
- Separate RegExp matching of issuer/subject from strict by @vaikas in #1956
- tuf: improve TUF client concurrency and caching by @asraa in #1953
- Add Cloudsmith Container Registry to tested registry list by @ciaracarey in #1966
- feat(fulcioroots): singleton error pattern by @developer-guy in #1965
- Bump github.com/hashicorp/go-hclog from 1.2.0 to 1.2.1 by @dependabot in #1968
- Bump actions/cache from 3.0.3 to 3.0.4 by @dependabot in #1970
- Drop tuf client dependency on GCS client library by @imjasonh in #1967
- Add spdxjson predicate type for attestations by @jdolitsky in #1974
- Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 by @dependabot in #1980
- Remove policy-controller now that it lives in sigstore/policy-controller by @vaikas in #1976
- cleanup: unexport kubernetes.Client method by @imjasonh in #1973
- Bump google.golang.org/api from 0.82.0 to 0.83.0 by @dependabot in #1979
- cleanup ci job and remove policy-controller references by @cpanato in #1981
- fix typos by @cpanato in #1982
- fix/update post build job by @cpanato in #1983
- docs: updated Azure kms commands. by @JBrejnholt in #1972
- Add cyclonedx predicate type for attestations by @jdolitsky in #1977
- Route deprecated -version to version subcommand by @puerco in #1854
- docs(readme): add installation steps for container image for cosign binary by @developer-guy in #1986
- Add --platform flag to cosign sbom download by @puerco in #1975
- Bump github.com/hashicorp/vault/sdk from 0.5.0 to 0.5.1 by @dependabot in #1988
- Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore by @imjasonh in #1866
- Bump sigstore/sigstore to HEAD by @puerco in #1995
- Add --oidc-provider flag to specify which provider to use for ambient credentials by @priyawadhwa in #1998
- Bump google.golang.org/api from 0.83.0 to 0.84.0 by @dependabot in #1999
- Bump actions/dependency-review-action from 1.0.2 to 2.0.1 by @dependabot in #2000
- Bump github.com/hashicorp/vault/sdk from 0.5.1 to 0.5.2 by @dependabot in #1996
- Bump actions/dependency-review-action from 2.0.1 to 2.0.2 by @dependabot in #2001
- encrypt values to create the github action secret by @cpanato in #1990
- Bump github.com/stretchr/testify from 1.7.2 to 1.7.3 by @dependabot in #2009
- Bump github/codeql-action from 2.1.12 to 2.1.13 by @dependabot in #2013
- Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 by @dependabot in #2012
- Bump github.com/google/go-github/v45 from 45.1.0 to 45.2.0 by @dependabot in #2011
- Bump github.com/stretchr/testify from 1.7.3 to 1.7.4 by @dependabot in #2010
- Bump google.golang.org/api from 0.84.0 to 0.85.0 by @dependabot in #2015
- sign-blob: bundle should work independently and respect --output-certificate and --output-signature by @Dentrax in #2016
- Bump mikefarah/yq from 4.25.2 to 4.25.3 by @dependabot in #2022
- Bump github.com/google/go-containerregistry from 0.9.0 to 0.10.0 by @dependabot in #2021
- Bump github/codeql-action from 2.1.13 to 2.1.14 by @dependabot in #2023
- Attempt to clean up pkg/cosign by @imjasonh in #2018
- public-key: fix command description by @Dentrax in #2024
- Bump github.com/stretchr/testify from 1.7.4 to 1.7.5 by @dependabot in #2026
- Bump github.com/xanzy/go-gitlab from 0.68.0 to 0.68.2 by @dependabot in #2029
- [NFC] specs: fix list formatting on SIGNATURE_SPEC by @woodruffw in #2030
- Bump ossf/scorecard-action from 1.1.1 to 1.1.2 by @dependabot in #2033
- feat: cert-extensions verify by @developer-guy in #1626
- Bump github.com/stretchr/testify from 1.7.5 to 1.8.0 by @dependabot in #2035
- Bump google.golang.org/api from 0.85.0 to 0.86.0 by @dependabot in #2036
- Bump github/codeql-action from 2.1.14 to 2.1.15 by @dependabot in #2038
- Bump github.com/spiffe/go-spiffe/v2 from 2.1.0 to 2.1.1 by @dependabot in #2037
- Fix #1378 create new attestation signature in replace mode if not existent by @Syquel in #2014
- Bump github.com/hashicorp/go-version from 1.5.0 to 1.6.0 by @dependabot in #2032
- Use cosign.ConfirmPrompt more consistently by @imjasonh in #2039
- chore: add a note about SIGSTORE_REKOR_PUBLIC_KEY var by @hectorj2f in #2040
- Bump sigstore/cosign-installer from 2.4.0 to 2.4.1 by @dependabot in #2042
- Fix OIDC test by @cpanato in #2050
- Add env subcommand. by @wlynch in #2051
- remove tests with 1.21 k8s cluster because it is deprecated and add v1.23/24 by @cpanato in #2055
- update ct/otel and etcd by @cpanato in #2054
- Bump github.com/open-policy-agent/opa from 0.35.0 to 0.42.0 by @dependabot in #2046
- update to go 1.18 by @asraa in #2059
- Bump actions/cache from 3.0.4 to 3.0.5 by @dependabot in #2066
- Bump github/codeql-action from 2.1.15 to 2.1.16 by @dependabot in #2065
- Bump actions/setup-go from 3.2.0 to 3.2.1 by @dependabot in #2060
- Bump google.golang.org/grpc from 1.47.0 to 1.48.0 by @dependabot in #2062
- Bump github.com/open-policy-agent/opa from 0.42.0 to 0.42.2 by @dependabot in #2063
- chore(deps): CycloneDX PredicateType changed to use in-toto-golang by @masahiro331 in #2067
- Bump google.golang.org/api from 0.86.0 to 0.87.0 by @dependabot in #2064
- Bump actions/dependency-review-action from 2.0.2 to 2.0.4 by @dependabot in #2073
- Bump github.com/xanzy/go-gitlab from 0.68.2 to 0.69.0 by @dependabot in #2075
- Bump mikefarah/yq from 4.25.3 to 4.26.1 by @dependabot in #2076
- Remove replace directives in go.mod. by @wlynch in #2070
- update design doc link by @bobcallaway in #2077
- Remove hack/tools.go by @imjasonh in #2080
- Bump google.golang.org/api from 0.87.0 to 0.88.0 by @dependabot in #2081
- Bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 by @dependabot in #2078
- Bump github.com/hashicorp/vault/sdk from 0.5.2 to 0.5.3 by @dependabot in #2079
- update builder image to use go1.18.4 by @cpanato in #2086
- add changelog for v1.10.0 release by @cpanato in #2087
New Contributors
- @ciaracarey made their first contribution in #1966
- @JBrejnholt made their first contribution in #1972
- @woodruffw made their first contribution in h...
v1.9.0
What's Changed
- Bump github.com/armon/go-metrics from 0.3.10 to 0.3.11 by @dependabot in #1808
- update changelog for 1.8.0 by @cpanato in #1807
- Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 by @dependabot in #1809
- Bump google.golang.org/api from 0.75.0 to 0.76.0 by @dependabot in #1810
- Bump github/codeql-action from 2.1.8 to 2.1.9 by @dependabot in #1814
- Bump sigstore/cosign-installer from 2.2.1 to 2.3.0 by @dependabot in #1813
- Check failure message of policy that fails with issuer mismatch by @vaikas in #1815
- [Cosigned] Add signature pull secrets by @DennyHoang in #1805
- feat: add rego policy support by @hectorj2f in #1817
- Refactor fulcio signer to take in KeyOpts (take 2) by @wlynch in #1818
- cosigned: Test unsupported KMS providers by @imjasonh in #1820
- chore(deps): Included dependency review by @naveensrinivasan in #1792
- Bump github.com/spiffe/go-spiffe/v2 from 2.0.0 to 2.1.0 by @dependabot in #1828
- Bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 by @dependabot in #1830
- Add auth flow option to KeyOpts. by @wlynch in #1827
- Bump google.golang.org/api from 0.76.0 to 0.77.0 by @dependabot in #1829
- Bump mikefarah/yq from 4.24.5 to 4.25.1 by @dependabot in #1831
- Document Staging instance usage with Keyless by @k4leung4 in #1824
- New flag --oidc-providers-disable to disable OIDC providers by @puerco in #1832
- Validate tlog entry when verifying signature via public key. by @wlynch in #1833
- Add function to explicitly request a certain provider by @priyawadhwa in #1837
- cosigned: Fix podAntiAffinity labels by @elfotografo007 in #1841
- Bump google.golang.org/api from 0.77.0 to 0.78.0 by @dependabot in #1838
- Bump github.com/hashicorp/go-plugin from 1.4.3 to 1.4.4 by @dependabot in #1843
- remove exclude from go.mod by @cpanato in #1846
- [Cosigned] Glob matching improvement by @DennyHoang in #1842
- Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 by @dependabot in #1851
- sget: Enable KMS providers for sget by @imjasonh in #1852
- Fix piv-tool generate-key command in TOKENS doc by @nealmcb in #1850
- Add IBM Cloud Container Registry to tested registry list by @bainsy88 in #1856
- Bump github.com/xanzy/go-gitlab from 0.64.0 to 0.65.0 by @dependabot in #1857
- Bump google.golang.org/api from 0.78.0 to 0.79.0 by @dependabot in #1858
- If SBOM ref has .json suffix, assume JSON mediatype by @jdolitsky in #1859
- Add rekor.0.pub TUF target to unit tests by @priyawadhwa in #1860
- Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 by @dependabot in #1864
- Bump github/codeql-action from 2.1.9 to 2.1.10 by @dependabot in #1863
- Normalize certificate flag names by @haydentherapper in #1868
- Check certificate policy flags with only a certificate by @haydentherapper in #1869
- Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go by @cpanato in #1861
- Bump actions/setup-go from 3.0.0 to 3.1.0 by @dependabot in #1870
- Point git commit FUN.md to gitsign! by @wlynch in #1874
- Bump actions/github-script from 6.0.0 to 6.1.0 by @dependabot in #1876
- Bump actions/dependency-review-action from 3f943b86c9a289f4e632c632695e2e0898d9d67d to 1 by @dependabot in #1875
- [cosigned] remove regex from the image pattern fields by @hectorj2f in #1873
- go.mod: format go.mod by @zchee in #1879
- Bump google-github-actions/auth from 0.7.1 to 0.7.2 by @dependabot in #1886
- Bump google.golang.org/grpc from 1.46.0 to 1.46.2 by @dependabot in #1884
- Remove dependency on deprecated github.com/pkg/errors by @zchee in #1887
- tree: only report artifacts that are present by @ribbybibby in #1872
- update README with ebpf modules by @EItanya in #1888
- Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d by @vpnachev in #1889
- Bump github/codeql-action from 2.1.10 to 2.1.11 by @dependabot in #1891
- v1beta1 API for cosigned by @vaikas in #1890
- Bump google-github-actions/auth from 0.7.2 to 0.7.3 by @dependabot in #1898
- Bump google.golang.org/api from 0.79.0 to 0.80.0 by @dependabot in #1897
- tree: support --attachment-tag-prefix by @ribbybibby in #1900
- [cosigned] Remove undefined apiGroups from policy clusterrole by @vpnachev in #1896
- GHSA-66x3-6cw3-v5gj: Update go-tuf to v0.3.0 by @janisz in #1894
- The timeout arg in golangci-lint has been moved to the generic args p… by @dlorenc in #1901
- Bump actions/upload-artifact from 3.0.0 to 3.1.0 by @dependabot in #1907
- Bump cloud.google.com/go/storage from 1.22.0 to 1.22.1 by @dependabot in #1906
- [cosigned] Rename cosigned references to policy-controller by @hectorj2f in #1893
- Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.4 to 0.1.5 by @dependabot in #1883
- Bump github.com/hashicorp/go-version from 1.4.0 to 1.5.0 by @dependabot in #1902
- Move deprecated dependency: google/trillian/merkle to transparency-dev by @cpanato in #1910
- Bump github.com/xanzy/go-gitlab from 0.65.0 to 0.66.0 by @dependabot in #1913
- Add support for "**" in image glob matching by @imjasonh in #1914
- Add privacy statement for PII storage by @haydentherapper in #1909
- Bump github.com/xanzy/go-gitlab from 0.66.0 to 0.68.0 by @dependabot in #1920
- Bump github.com/armon/go-metrics from 0.3.11 to 0.4.0 by @dependabot in #1919
- Bump google.golang.org/api from 0.80.0 to 0.81.0 by @dependabot in #1918
- Bump ossf/scorecard-action from 1.0.4 to 1.1.0 by @dependabot in #1922
- Bump google-github-actions/auth from 0.7.3 to 0.8.0 by @dependabot in #1916
- Bump actions/dependency-review-action from 1.0.1 to 1.0.2 by @dependabot in #1915
- Bump actions/setup-go from 3.1.0 to 3.2.0 by @dependabot in #1927
- Bump github.com/hashicorp/vault/sdk from 0.4.1 to 0.5.0 by @dependabot in #1926
- Bump github.com/spf13/viper from 1.11.0 to 1.12.0 by @dependabot in #1924
- Do not push to public rekor. by @vaikas in #1931
- Bump mikefarah/yq from 4.25.1 to 4.25.2 by @dependabot in #1933
- Bump actions/cache from 3.0.2 to 3.0.3 by @dependabot in #1937
- fix: fix fetching updated targets from TUF root by @asraa in #1921
- Bump github.com/secure-systems-lab/go-securesystemslib from 0.3.1 to 0.4.0 by @dependabot in #1944
- Bump ossf/scorecard-action from 1.1.0 to 1.1.1 by @dependabot in #1945
- fix: fix #1930 for AWS KMS formats by @vaikas in #1946
- update cross-builder image to use go1.17.11 by @cpanato in #1950
- Bump github.com/aws/aws-sdk-go-v2 from 1.14.0 to 1.16.4 by @dependabot in #1949
- remove deprecation from goreleaser, go-fish is not supported anymore by @cpanato in #1952
- add cha...
v1.8.0
What's Changed
- Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.3 to 0.1.4 by @dependabot in #1620
- Bump github.com/xanzy/go-gitlab from 0.62.0 to 0.63.0 by @dependabot in #1745
- Bump mikefarah/yq from 4.24.2 to 4.24.4 by @dependabot in #1746
- Move the KMS integration imports into the binary entrypoints by @mattmoor in #1744
- [Cosigned] Convert functions for webhookCIP from v1alpha1 by @DennyHoang in #1736
- Refactor policy related code, add support for vuln verify by @vaikas in #1747
- Use bundle log ID to find verification key by @haydentherapper in #1748
- [cosigned] The webhook name is now configurable via --webhook-name flag by @vpnachev in #1726
- Add intermediate CA certificate pool for Fulcio by @haydentherapper in #1749
- Bump github.com/spf13/viper from 1.10.1 to 1.11.0 by @dependabot in #1751
- test: create fake TUF test root and create test SETs for verification by @asraa in #1750
- update go builder and cosign images by @cpanato in #1755
- Bump sigstore/cosign-installer from 2.2.0 to 2.2.1 by @dependabot in #1752
- Implement identities, fix bug in webhook validation. by @vaikas in #1759
- Validate issuer/subject regexp in validate webhook. by @vaikas in #1761
- chore: add warning when attaching sBOMs by @hectorj2f in #1756
- Verify embedded SCTs by @haydentherapper in #1731
- chore: add warning when downloading a sBOM by @hectorj2f in #1763
- [policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags by @vpnachev in #1757
- Bump mikefarah/yq from 4.24.4 to 4.24.5 by @dependabot in #1765
- Bump actions/checkout from 3.0.0 to 3.0.1 by @dependabot in #1764
- Break the CIP action tests into a sh script. by @vaikas in #1767
- tuf: add debug info if tuf update fails by @asraa in #1766
- cosigned: add support for rsa keys by @hectorj2f in #1768
- Cosigned validate against remote sig src by @DennyHoang in #1754
- Add Fulcio intermediate CA certificate to intermediate pool by @haydentherapper in #1774
- Bump codecov/codecov-action from 3.0.0 to 3.1.0 by @dependabot in #1784
- fix: more informative error by @ybelMekk in #1778
- Bump cuelang.org/go from 0.4.2 to 0.4.3 by @dependabot in #1779
- Bump google.golang.org/api from 0.74.0 to 0.75.0 by @dependabot in #1780
- Bump k8s.io/code-generator from 0.23.5 to 0.23.6 by @dependabot in #1781
- Bump github.com/mitchellh/mapstructure from 1.4.3 to 1.5.0 by @dependabot in #1782
- Bump actions/checkout from 3.0.1 to 3.0.2 by @dependabot in #1783
- Run update-codegen. by @wlynch in #1789
- Remove the dependency on v1alpha1.Identity which brings in unnecessary k8s deps. by @vaikas in #1790
- Refactor fulcio signer to take in KeyOpts. by @wlynch in #1788
- test: add cue unit tests by @hectorj2f in #1791
- Attestations + policy in cip. by @vaikas in #1772
- chore: add rego function to consume modules and evaluate them by @hectorj2f in #1787
- Add parallelization for processing policies / authorities. by @vaikas in #1795
- Allow passing keys via environment variables (env:// refs) by @znewman01 in #1794
- Handle context cancelled properly + tests. by @vaikas in #1796
- Fix a bug where an error would send duplicate results. by @vaikas in #1797
- Revert "Refactor fulcio signer to take in KeyOpts. (#1788)" by @wlynch in #1798
- Bump github.com/xanzy/go-gitlab from 0.63.0 to 0.64.0 by @dependabot in #1799
- Bump google.golang.org/grpc from 1.45.0 to 1.46.0 by @dependabot in #1800
- Bump google-github-actions/auth from 0.7.0 to 0.7.1 by @dependabot in #1801
- Bump github.com/hashicorp/go-retryablehttp from 0.7.0 to 0.7.1 by @dependabot in #1758
- cosigned: Unify cue data and policy before evaluating it by @hectorj2f in #1793
- Don't fail open in VerifyBundle by @mtrmac in #1648
- Load in intermediate cert pool from TUF by @haydentherapper in #1804
- add changelog for release v1.8.0 by @cpanato in #1803
- Support PKCS1 encoded and non-ECDSA CT log public keys by @haydentherapper in #1806
New Contributors
- @vpnachev made their first contribution in #1726
- @ybelMekk made their first contribution in #1778
- @wlynch made their first contribution in #1789
- @mtrmac made their first contribution in #1648
Full Changelog: v1.7.2...v1.8.0