v0.1.0
This is the first release of the project!
A description of this release is here.
Features
- Easy use as a kubectl subcommand plugin
  - Users can install it easily with the `go install` command. (installation)
  - Once installed, users can run it with a simple command like `kubectl sigstore sign -f xxxxxx.yaml`.
- Signing Kubernetes YAML manifest specification
  - Sign the "specification" of Kubernetes YAML manifests. A generated signature is composed of an encoded YAML manifest, a signature payload and some other data. This encoded manifest is compared with the target manifest for equivalence at verification time.
  - There are 2 options for storing a generated signature.
    - self-contained ... Embed the signature into the YAML manifests.
    - external store ... Upload the manifest and signature to an OCI registry (that is, upload a manifest bundle image). The YAML files do not need to be changed in this case.
- Verifying YAML manifests specification
  - Verify a local YAML manifest file by checking its YAML specification as described above. If a signature is not provided, or if the manifest specification has been changed after signing, verification fails.
- Verifying Kubernetes resources that exist on a cluster
  - Kubernetes resources on a cluster can be verified with a signature generated against YAML manifests.
  - There are 2 ways to specify resources.
    - Use the same arguments as `kubectl get`. For example, `kubectl sigstore verify-resource cm -n default sample-cm`.
    - Specify a manifest bundle image in an OCI registry, and the target resources are selected automatically. For example, `kubectl sigstore verify-resource -n default -i sample-registry/sample-cm-manifest:dev`.
Contributors
- Hiro Kitahara
- Luke Hinds
- Batuhan Apaydın
- Aditya Sirish
- Yuji Watanabe
- dlorenc
Thank you to all our contributors!!
Changelog
9ac7653 add a latest release doc (#50)
c0b9d67 fix issue of signing a directory (#49)
d7afc29 Switch DSSE provider to go-securesystemslib (#48)
4421fbf add github action to prepare for release v0.1.0 (#47)
f1329bb add github actions for releasing and enable `go install` (#46)
04236a2 add github action for tests and lint (#45)
6f446ea bump cosign version up to 1.2.0 (#44)
a8a0ec1 add e2e test and move related packages (#43)
1d5ef2f improve unit test coverage in core packages (#42)
2120192 bump cosign up to v1.1.0 (#41)
eeb8906 enable `version` command to show version of the executable (#40)
5bc6630 update admission controller example with the latest verify-resource codes (#39)
1922b2a improve verify-resource speed with concurrency in go (#36)
20bbc69 enable local file cache for verify-resource speed up (#37)
d360794 improve constraint option and update default profile (#35)
c4245c9 add `manifest-build` command for YAML manifest provenance (#34)
1767e96 enable to get signature and provenance from a resource in a cluster (#33)
b0ebd0e add provenance tracking option to `verify-resource` command (#32)
7bf33d6 add support of verifying pgp and x509 signatures (#30)
3af3485 enable to load config from constraint resource in a cluster (#31)
a32b6c6 fix input path issue in sign command (#29)
06f664e fix manifest detection config bug (#28)
3281adc Pick a resource from N resources in manifest file robustly (#27)
d6c202d support directly attached signature and related things into k8s annotations (#23)
437f81f add dryrun namespace option to verifyresourceoption (#24)
67f63f7 update go.mod (#22)
989d586 fix `sign` to set oidc option (#21)
a9407f0 bump up cosign version to v1.0.1 (#20)
65741c2 support non-compressed YAML manifest in manifest image (#19)
720a2b8 enable robust search mechanism for finding YAML manifest (#17)
88eb6dc update cosign version to v0.6.0 (#18)
eac5e6a extend `verify-resource` subcommand capability (#16)
3adf7ff image annotations added for signing/verifying process (#15)
d1cb533 Fix a few typos in the README. (#14)
86c17f5 fix for using public key, if public key used disable tlog (#12)
3f7db77 enable to output `verify-resource` result in JSON/YAML format (#10)
f9007b1 refactor codes and add known k8s ignore fields (#9)
8db49ca Add initial codes for kubectl signing plugins (#1) (#4)
e6625d6 CodeQL action (#2)
7262bc0 Create codeql-analysis.yml
38e9dd7 Merge pull request #1 from lukehinds/proj-bootstrap
acb4e79 Project bootstrap
fffb294 Initial commit