Skip to content

Latest commit

 

History

History
1437 lines (1210 loc) · 84.2 KB

CHANGELOG.md

File metadata and controls

1437 lines (1210 loc) · 84.2 KB

v1.11.0

Enhancements

Bug Fixes

Documention

  • docs: clarify wording in spec about usage of certificate chain (sigstore#2152)
  • Add notes to clarify registry use. (sigstore#2145)

Others

Contributors

  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Bob Callaway (@bobcallaway)
  • Carlos Tadeu Panato Junior (@cpanato)
  • David Bendory (@bendory)
  • Jason Hall (@imjasonh)
  • Kazuma Watanabe (@wata727)
  • Matt Moore (@mattmoor)
  • Noah Kreiger (@nkreiger)
  • Priya Wadhwa (@priyawadhwa)
  • Samsondeen (@dsa0x)
  • Ville Aikas (@vaikas)
  • saso (@otms61)

v1.10.1

Note: This release comes with a fix for CVE-2022-35929 described in this Github Security Advisory. Please upgrade to this release ASAP

Enhancements

  • update cross-builder to go1.18.5 and cosign image to 1.10.0 (sigstore#2119)
  • feat: attach: attestation: allow passing multiple payloads (sigstore#2085)
  • Resolves #522 set Created date to time of execution (sigstore#2108)
  • Fix field names in the vulnerability attestation (sigstore#2099)
  • Change Result in Vulnerability Attestation to interface{} (sigstore#2096)
  • Improve error message when no sigs/atts are found for an image (sigstore#2101)
  • add flag to allow skipping upload to transparency log (sigstore#2089)

Documention

Bug Fixes

  • Merge pull request from GHSA-vjxv-45g9-9296
  • Correct the type used for attest (sigstore#2128)

Others

  • Bump mikefarah/yq from 4.26.1 to 4.27.2 (sigstore#2116)
  • Bump github.com/open-policy-agent/opa from 0.42.2 to 0.43.0 (sigstore#2115)
  • Bump github.com/xanzy/go-gitlab from 0.69.0 to 0.70.0 (sigstore#2120)
  • Bump google.golang.org/api from 0.90.0 to 0.91.0 (sigstore#2125)
  • Bump google.golang.org/api from 0.89.0 to 0.90.0 (sigstore#2111)
  • Bump github/codeql-action from 2.1.16 to 2.1.17 (sigstore#2112)
  • Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (sigstore#2110)
  • Bump google.golang.org/api from 0.88.0 to 0.89.0 (sigstore#2106)
  • Bump imjasonh/setup-ko from 0.4 to 0.5 (sigstore#2107)
  • Introduce a custom error type to classify errors. (sigstore#2114)
  • Bump github.com/hashicorp/go-hclog from 1.2.1 to 1.2.2 (sigstore#2103)
  • remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint (sigstore#2105)
  • Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (sigstore#2100)
  • Remove knative/pkg deps (sigstore#2092)

Contributors

  • Asra Ali (@asraa)
  • Azeem Shaikh (@azeemshaikh38)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Furkan Türkal (@Dentrax)
  • Jason Hall (@imjasonh)
  • Kenny Leung (@k4leung4)
  • Matt Moore (@mattmoor)
  • Teppei Fukuda (@knqyf263)
  • Tobias Trabelsi (@Lerentis)
  • saso (@otms61)

v1.10.0

Enhancements

Documention

Bug Fixes

Others

  • Bump github.com/hashicorp/vault/sdk from 0.5.2 to 0.5.3 (sigstore#2079)
  • Bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 (sigstore#2078)
  • Bump google.golang.org/api from 0.87.0 to 0.88.0 (sigstore#2081)
  • Remove hack/tools.go (sigstore#2080)
  • Remove replace directives in go.mod. (sigstore#2070)
  • Bump mikefarah/yq from 4.25.3 to 4.26.1 (sigstore#2076)
  • Bump github.com/xanzy/go-gitlab from 0.68.2 to 0.69.0 (sigstore#2075)
  • Bump actions/dependency-review-action from 2.0.2 to 2.0.4 (sigstore#2073)
  • Bump google.golang.org/api from 0.86.0 to 0.87.0 (sigstore#2064)
  • chore(deps): CycloneDX PredicateType changed to use in-toto-golang (sigstore#2067)
  • Bump github.com/open-policy-agent/opa from 0.42.0 to 0.42.2 (sigstore#2063)
  • Bump google.golang.org/grpc from 1.47.0 to 1.48.0 (sigstore#2062)
  • Bump actions/setup-go from 3.2.0 to 3.2.1 (sigstore#2060)
  • Bump github/codeql-action from 2.1.15 to 2.1.16 (sigstore#2065)
  • Bump actions/cache from 3.0.4 to 3.0.5 (sigstore#2066)
  • update to go 1.18 (sigstore#2059)
  • Bump github.com/open-policy-agent/opa from 0.35.0 to 0.42.0 (sigstore#2046)
  • update ct/otel and etcd (sigstore#2054)
  • remove tests with 1.21 k8s cluster because it is deprecated and add v1.23/24 (sigstore#2055)
  • Bump sigstore/cosign-installer from 2.4.0 to 2.4.1 (sigstore#2042)
  • Bump github.com/hashicorp/go-version from 1.5.0 to 1.6.0 (sigstore#2032)
  • Bump github.com/spiffe/go-spiffe/v2 from 2.1.0 to 2.1.1 (sigstore#2037)
  • Bump github/codeql-action from 2.1.14 to 2.1.15 (sigstore#2038)
  • Bump google.golang.org/api from 0.85.0 to 0.86.0 (sigstore#2036)
  • Bump github.com/stretchr/testify from 1.7.5 to 1.8.0 (sigstore#2035)
  • Bump ossf/scorecard-action from 1.1.1 to 1.1.2 (sigstore#2033)
  • Bump github.com/xanzy/go-gitlab from 0.68.0 to 0.68.2 (sigstore#2029)
  • Bump github.com/stretchr/testify from 1.7.4 to 1.7.5 (sigstore#2026)
  • Attempt to clean up pkg/cosign (sigstore#2018)
  • Bump github/codeql-action from 2.1.13 to 2.1.14 (sigstore#2023)
  • Bump github.com/google/go-containerregistry from 0.9.0 to 0.10.0 (sigstore#2021)
  • Bump mikefarah/yq from 4.25.2 to 4.25.3 (sigstore#2022)
  • Bump google.golang.org/api from 0.84.0 to 0.85.0 (sigstore#2015)
  • Bump github.com/stretchr/testify from 1.7.3 to 1.7.4 (sigstore#2010)
  • Bump github.com/google/go-github/v45 from 45.1.0 to 45.2.0 (sigstore#2011)
  • Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 (sigstore#2012)
  • Bump github/codeql-action from 2.1.12 to 2.1.13 (sigstore#2013)
  • Bump github.com/stretchr/testify from 1.7.2 to 1.7.3 (sigstore#2009)
  • Bump actions/dependency-review-action from 2.0.1 to 2.0.2 (sigstore#2001)
  • Bump github.com/hashicorp/vault/sdk from 0.5.1 to 0.5.2 (sigstore#1996)
  • Bump actions/dependency-review-action from 1.0.2 to 2.0.1 (sigstore#2000)
  • Bump google.golang.org/api from 0.83.0 to 0.84.0 (sigstore#1999)
  • Bump sigstore/sigstore to HEAD (sigstore#1995)
  • Bump github.com/hashicorp/vault/sdk from 0.5.0 to 0.5.1 (sigstore#1988)
  • cleanup ci job and remove policy-controller references (sigstore#1981)
  • Bump google.golang.org/api from 0.82.0 to 0.83.0 (sigstore#1979)
  • cleanup: unexport kubernetes.Client method (sigstore#1973)
  • Remove policy-controller now that it lives in sigstore/policy-controller (sigstore#1976)
  • Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 (sigstore#1980)
  • Bump actions/cache from 3.0.3 to 3.0.4 (sigstore#1970)
  • Bump github.com/hashicorp/go-hclog from 1.2.0 to 1.2.1 (sigstore#1968)
  • Bump github.com/stretchr/testify from 1.7.1 to 1.7.2 (sigstore#1963)
  • Bump google.golang.org/grpc from 1.46.2 to 1.47.0 (sigstore#1943)
  • Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.5 to 0.1.6 (sigstore#1958)
  • replace gcr.io/distroless/ to use ghcr.io/distroless/ (sigstore#1961)
  • Bump github/codeql-action from 2.1.11 to 2.1.12 (sigstore#1951)
  • Bump google.golang.org/api from 0.81.0 to 0.82.0 (sigstore#1948)

Contributors

  • Adolfo García Veytia (@puerco)
  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Billy Lynch (@wlynch)
  • Bob Callaway (@bobcallaway)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Ciara Carey (@ciaracarey)
  • Frederik Boster (@Syquel)
  • Furkan Türkal (@Dentrax)
  • Hector Fernandez (@hectorj2f)
  • Jason Hall (@imjasonh)
  • Jinhong Brejnholt (@JBrejnholt)
  • Josh Dolitsky (@jdolitsky)
  • Masahiro331 (@masahiro331)
  • Priya Wadhwa (@priyawadhwa)
  • Ville Aikas (@vaikas)
  • William Woodruff (@woodruffw)

v1.9.0

Enhancements

Documention

Bug Fixes

Others

  • remove deprecation (sigstore#1952)
  • Bump github.com/aws/aws-sdk-go-v2 from 1.14.0 to 1.16.4 (sigstore#1949)
  • update cross-builder image to use go1.17.11 (sigstore#1950)
  • Bump ossf/scorecard-action from 1.1.0 to 1.1.1 (sigstore#1945)
  • Bump github.com/secure-systems-lab/go-securesystemslib (sigstore#1944)
  • Bump actions/cache from 3.0.2 to 3.0.3 (sigstore#1937)
  • Bump mikefarah/yq from 4.25.1 to 4.25.2 (sigstore#1933)
  • Bump github.com/spf13/viper from 1.11.0 to 1.12.0 (sigstore#1924)
  • Bump github.com/hashicorp/vault/sdk from 0.4.1 to 0.5.0 (sigstore#1926)
  • Bump actions/setup-go from 3.1.0 to 3.2.0 (sigstore#1927)
  • Bump actions/dependency-review-action from 1.0.1 to 1.0.2 (sigstore#1915)
  • Bump google-github-actions/auth from 0.7.3 to 0.8.0 (sigstore#1916)
  • Bump ossf/scorecard-action from 1.0.4 to 1.1.0 (sigstore#1922)
  • Bump google.golang.org/api from 0.80.0 to 0.81.0 (sigstore#1918)
  • Bump github.com/armon/go-metrics from 0.3.11 to 0.4.0 (sigstore#1919)
  • Bump github.com/xanzy/go-gitlab from 0.66.0 to 0.68.0 (sigstore#1920)
  • Bump github.com/xanzy/go-gitlab from 0.65.0 to 0.66.0 (sigstore#1913)
  • Move deprecated dependency: google/trillian/merkle to transparency-dev (sigstore#1910)
  • Bump github.com/hashicorp/go-version from 1.4.0 to 1.5.0 (sigstore#1902)
  • Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.4 to 0.1.5 (sigstore#1883)
  • Bump cloud.google.com/go/storage from 1.22.0 to 1.22.1 (sigstore#1906)
  • Bump actions/upload-artifact from 3.0.0 to 3.1.0 (sigstore#1907)
  • The timeout arg in golangci-lint has been moved to the generic args param. (sigstore#1901)
  • Update go-tuf (sigstore#1894)
  • Bump google.golang.org/api from 0.79.0 to 0.80.0 (sigstore#1897)
  • Bump google-github-actions/auth from 0.7.2 to 0.7.3 (sigstore#1898)
  • Bump github/codeql-action from 2.1.10 to 2.1.11 (sigstore#1891)
  • Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d (sigstore#1889)
  • Remove dependency on deprecated github.com/pkg/errors (sigstore#1887)
  • Bump google.golang.org/grpc from 1.46.0 to 1.46.2 (sigstore#1884)
  • Bump google-github-actions/auth from 0.7.1 to 0.7.2 (sigstore#1886)
  • go.mod: format go.mod (sigstore#1879)
  • chore: remove regex from image pattern (sigstore#1873)
  • Bump actions/dependency-review-action (sigstore#1875)
  • Bump actions/github-script from 6.0.0 to 6.1.0 (sigstore#1876)
  • Bump actions/setup-go from 3.0.0 to 3.1.0 (sigstore#1870)
  • Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go (sigstore#1861)
  • Bump github/codeql-action from 2.1.9 to 2.1.10 (sigstore#1863)
  • Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (sigstore#1864)
  • Bump google.golang.org/api from 0.78.0 to 0.79.0 (sigstore#1858)
  • Bump github.com/xanzy/go-gitlab from 0.64.0 to 0.65.0 (sigstore#1857)
  • Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 (sigstore#1851)
  • remove exclude from go.mod (sigstore#1846)
  • Bump github.com/hashicorp/go-plugin from 1.4.3 to 1.4.4 (sigstore#1843)
  • Bump google.golang.org/api from 0.77.0 to 0.78.0 (sigstore#1838)
  • Bump mikefarah/yq from 4.24.5 to 4.25.1 (sigstore#1831)
  • Bump google.golang.org/api from 0.76.0 to 0.77.0 (sigstore#1829)
  • Bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 (sigstore#1830)
  • Bump github.com/spiffe/go-spiffe/v2 from 2.0.0 to 2.1.0 (sigstore#1828)
  • chore(deps): Included dependency review (sigstore#1792)
  • Bump sigstore/cosign-installer from 2.2.1 to 2.3.0 (sigstore#1813)
  • Bump github/codeql-action from 2.1.8 to 2.1.9 (sigstore#1814)
  • Bump google.golang.org/api from 0.75.0 to 0.76.0 (sigstore#1810)
  • Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 (sigstore#1809)
  • Bump github.com/armon/go-metrics from 0.3.10 to 0.3.11 (sigstore#1808)

Contributors

  • Asra Ali (@asraa)
  • Adolfo García Veytia (@puerco)
  • Andrés Torres (@elfotografo007)
  • Billy Lynch (@wlynch)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Dan Lorenc (@dlorenc)
  • Denny (@DennyHoang)
  • Eitan Yarmush (@EItanya)
  • Hayden Blauzvern (@haydentherapper)
  • Hector Fernandez (@hectorj2f)
  • Jack Baines (@bainsy88)
  • Jason Hall (@imjasonh)
  • Josh Dolitsky (@jdolitsky)
  • Kenny Leung (@k4leung4)
  • Koichi Shiraishi (@zchee)
  • Naveen Srinivasan (@naveensrinivasan)
  • Neal McBurnett (@nealmcb)
  • Priya Wadhwa (@priyawadhwa)
  • Rob Best (@ribbybibby)
  • Tomasz Janiszewski (@janisz)
  • Ville Aikas (@vaikas)
  • Vladimir Nachev (@vpnachev)

v1.8.0

NOTE: If you use Fulcio to issue certificates you will need to use this release.

Enhancements

  • Support PKCS1 encoded and non-ECDSA CT log public keys (sigstore#1806)
  • Load in intermediate cert pool from TUF (sigstore#1804)
  • Don't fail open in VerifyBundle (sigstore#1648)
  • Handle context cancelled properly + tests. (sigstore#1796)
  • Allow passing keys via environment variables (env:// refs) (sigstore#1794)
  • Add parallelization for processing policies / authorities. (sigstore#1795)
  • Attestations + policy in cip. (sigstore#1772)
  • Refactor fulcio signer to take in KeyOpts. (sigstore#1788)
  • Remove the dependency on v1alpha1.Identity which brings in (sigstore#1790)
  • Add Fulcio intermediate CA certificate to intermediate pool (sigstore#1774)
  • Cosigned validate against remote sig src (sigstore#1754)
  • tuf: add debug info if tuf update fails (sigstore#1766)
  • Break the CIP action tests into a sh script. (sigstore#1767)
  • [policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags (sigstore#1757)
  • Verify embedded SCTs (sigstore#1731)
  • Validate issuer/subject regexp in validate webhook. (sigstore#1761)
  • Add intermediate CA certificate pool for Fulcio (sigstore#1749)
  • [cosigned] The webhook name is now configurable via --webhook-name flag (sigstore#1726)
  • Use bundle log ID to find verification key (sigstore#1748)
  • Refactor policy related code, add support for vuln verify (sigstore#1747)
  • Create convert functions for internal CIP (sigstore#1736)
  • Move the KMS integration imports into the binary entrypoints (sigstore#1744)

Bug Fixes

Others

Contributors

  • Asra Ali (@asraa)
  • Billy Lynch (@wlynch)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Denny (@DennyHoang)
  • Hayden Blauzvern (@haydentherapper)
  • Hector Fernandez (@hectorj2f)
  • Matt Moore (@mattmoor)
  • Ville Aikas (@vaikas)
  • Vladimir Nachev (@vpnachev)
  • Youssef Bel Mekki (@ybelMekk)
  • Zack Newman (@znewman01)

v1.7.2

Bug Fixes

Others

  • Remove newline from download sbom output (sigstore#1732)
  • Bump github.com/hashicorp/go-uuid from 1.0.2 to 1.0.3 (sigstore#1724)
  • Add unit tests for IntotoAttestation verifier. (sigstore#1728)
  • Bump github/codeql-action from 2.1.7 to 2.1.8 (sigstore#1725)
  • Bump cloud.google.com/go/storage from 1.21.0 to 1.22.0 (sigstore#1721)
  • Bump sigstore/cosign-installer from 2.1.0 to 2.2.0 (sigstore#1723)
  • Bump github.com/xanzy/go-gitlab from 0.61.0 to 0.62.0 (sigstore#1711)
  • Bump google-github-actions/auth from 0.6.0 to 0.7.0 (sigstore#1712)
  • Bump github/codeql-action from 2.1.6 to 2.1.7 (sigstore#1713)
  • Bump codecov/codecov-action from 2.1.0 to 3 (sigstore#1714)

Contributors

  • Carlos Tadeu Panato Junior (@cpanato)
  • Denny (@DennyHoang)
  • Hector Fernandez (@hectorj2f)
  • Josh Dolitsky (@jdolitsky)
  • Rob Best (@ribbybibby)
  • Ville Aikas (@vaikas)

v1.7.1

Bug Fixes

  • commenting out the copy from gcr to ghcr due issues on github side (sigstore#1715)

v1.7.0

Enhancements

Bug Fixes

Documention

  • Document Elastic container registry support (sigstore#1641)
  • FUN.md broke when RecordObj changed to HashedRecordObj (sigstore#1633)
  • Add example using AWS Key Management Service (KMS) (sigstore#1564)

Others

Contributors

  • Adam A.G. Shamblin (@coyote240)
  • Adolfo García Veytia (@puerco)
  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Dan Lorenc (@dlorenc)
  • Davi Garcia (@davivcgarcia)
  • Hayden Blauzvern (@haydentherapper)
  • Hector Fernandez (@hectorj2f)
  • James Strong (@strongjz)
  • Jason Hall (@imjasonh)
  • Kavitha (@kkavitha)
  • Kenny Leung (@k4leung4)
  • Luiz Carvalho (@lcarva)
  • Marco Franssen (@marcofranssen)
  • Mark Percival (@mdp)
  • Matt Moore (@mattmoor)
  • Maxime Gréau (@mgreau)
  • Mitch Thomas (@MitchellJThomas)
  • Naveen Srinivasan (@naveensrinivasan)
  • Nghia Tran (@tcnghia)
  • Priya Wadhwa (@priyawadhwa)
  • Radoslav Gerganov (@rgerganov)
  • Thomas Strömberg (@tstromberg)
  • Ville Aikas (@vaikas)
  • noamichael (@noamichael)

v1.6.0

Security Fixes

  • CVE-2022-23649 - Make sure signature in Rekor bundle matches signature being verified

Enhancements

Bug Fixes

Documention

Others

Contributors

  • Andrew Block (@sabre1041)
  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Blake Burkhart (@bburky)
  • Bob Callaway (@bobcallaway)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Christian Kotzbauer (@ckotzbauer)
  • Christopher Angelo Phillips (@spiffcs)
  • Dan Lorenc (@dlorenc)
  • Dan Luhring (@luhring)
  • Furkan Türkal (@Dentrax)
  • Hayden Blauzvern (@haydentherapper)
  • Jason Hall (@imjasonh)
  • Josh Dolitsky (@jdolitsky)
  • Kenny Leung (@k4leung4)
  • Matt Moore (@mattmoor)
  • Marco Franssen (@marcofranssen)
  • Nathan Smith (@nsmith5)
  • Priya Wadhwa (@priyawadhwa)
  • Sascha Grunert (@saschagrunert)
  • Scott Nichols (@n3wscott)
  • Teppei Fukuda (@knqyf263)
  • Ville Aikas (@vaikas)
  • Yongxuan Zhang (@Yongxuanzhang)
  • Zack Newman (@znewman01)

v1.5.2

Security Fixes

  • CVE-2022-23649 - Make sure signature in Rekor bundle matches signature being verified

Others

Contributors

  • Batuhan Apaydın (@developer-guy)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Dan Lorenc (@dlorenc)
  • Kenny Leung (@k4leung4)
  • Matt Moore (@mattmoor)
  • Nathan Smith (@nsmith5)
  • Priya Wadhwa (@priyawadhwa)
  • Zack Newman (@znewman01)

v1.5.1

Bug Fixes

Documention

Others

Contributors

  • Batuhan Apaydın (@developer-guy)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Dan Lorenc (@dlorenc)
  • Jake Sanders (@dekkagaijin)
  • Jason Hall (@imjasonh)
  • Mark Lodato (@MarkLodato)
  • Rémy Greinhofer (@rgreinho)

v1.5.0

Highlights

Enhancements

Bug Fixes

Others

Contributors

  • Andrew Block (@sabre1041)
  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Bob Callaway (@bobcallaway)
  • Carlos Alexandro Becker (@caarlos0)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Dan Lorenc (@dlorenc)
  • Hayden Blauzvern (@haydentherapper)
  • Hector Fernandez (@hectorj2f)
  • Itxaka (@Itxaka)
  • Ivan Wallis (@venafi-iw)
  • Jake Sanders (@dekkagaijin)
  • Jason Hall (@imjasonh)
  • Josh Dolitsky (@jdolitsky)
  • Josh Soref (@jsoref)
  • Matt Moore (@mattmoor)
  • Morten Linderud (@Foxboron)
  • Priya Wadhwa (@priyawadhwa)
  • Radoslav Gerganov (@rgerganov)
  • Rob Best (@ribbybibby)
  • Sambhav Kothari (@samj1912)
  • Ville Aikas (@vaikas)
  • Zack Newman (@znewman01)

v1.4.1

Highlights

A whole buncha bugfixes!

Enhancements

  • Files created with --output-signature and --output-certificate now created with 0600 permissions (sigstore#1151)
  • Added cosign verify-attestation --local-image for verifying signed images with attestations from disk (sigstore#1174)
  • Added the ability to fetch the TUF root over HTTP with cosign initialize --mirror (sigstore#1185)

Bug Fixes

  • Fixed saving and loading a signed image index to disk (sigstore#1147)
  • Fixed sign-blob --output-certificate writing an empty file (sigstore#1149)
  • Fixed assorted issues related to the initialization and use of Sigstore's TUF root of trust (sigstore#1157)

Contributors

  • Carlos Alexandro Becker (@caarlos0)
  • Carlos Panato (@cpanato)
  • Hayden Blauzvern (@haydentherapper)
  • Jake Sanders (@dekkagaijin)
  • Matt Moore (@mattmoor)
  • Priya Wadhwa (@priyawadhwa)
  • Radoslav Gerganov (@rgerganov)

v1.4.0

Highlights

  • BREAKING [COSIGN_EXPERIMENTAL]: This and future cosign releases will generate signatures that do not validate in older versions of cosign. This only applies to "keyless" experimental mode. To opt out of this behavior, use: --fulcio-url=https://fulcio.sigstore.dev when signing payloads (sigstore#1127)
  • BREAKING [cosign/pkg]: SignedEntryTimestamp is now of type []byte. To get the previous behavior, call strfmt.Base64(SignedEntryTimestamp) (sigstore#1083)
  • cosign-linux-pivkey-amd64 releases are now of the form cosign-linux-pivkey-pkcs11key-amd64 (sigstore#1052)
  • Releases are now additionally signed using the keyless workflow (sigstore#1073, sigstore#1111)

Enhancements

  • Validate the whole attestation statement, not just the predicate (sigstore#1035)
  • Added the options to replace attestations using cosign attest --replace (sigstore#1039)
  • Added URI to cosign verify-blob output (sigstore#1047)
  • Signatures and certificates created by cosign sign and cosign sign-blob can be output to file using the --output-signature and --output-certificate flags, respectively (sigstore#1016, sigstore#1093, sigstore#1066, sigstore#1095)
  • [cosign/pkg] Added the pkg/oci/layout package for storing signatures and attestations on disk (sigstore#1040, sigstore#1096)
  • [cosign/pkg] Added mutate methods to attach oci.Files to oci.Signed* objects (sigstore#1084)
  • Added the --signature-digest-algorithm flag to cosign verify, allowing verification of container image signatures which were generated with a non-SHA256 signature algorithm (sigstore#1071)
  • Builds should now be reproducible (sigstore#1053)
  • Allows base64 files as --cert in cosign verify-blob (sigstore#1088)
  • Kubernetes secrets generated for version >= 1.21 clusters have the immutable bit set (sigstore#1091)
  • Added cosign save and cosign load commands to save and upload container images and associated signatures to disk (sigstore#1094)
  • cosign sign will no longer fail to sign private images in keyless mode without --force (sigstore#1116)
  • cosign verify now supports signatures stored in files and remote URLs with --signature (sigstore#1068)
  • cosign verify now supports certs stored in files (sigstore#1095)
  • Added support for syft format in cosign attach sbom (sigstore#1137)

Bug Fixes

  • Fixed verification of Rekor bundles for InToto attestations (sigstore#1030)
  • Fixed a potential memory leak when signing and verifying with security keys (sigstore#1113)

Contributors

  • Ashley Davis (@SgtCoDFish)
  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Brandon Philips (@philips)
  • Carlos Alexandro Becker (@caarlos0)
  • Carlos Panato (@cpanato)
  • Christian Rebischke (@shibumi)
  • Dan Lorenc (@dlorenc)
  • Erkan Zileli (@erkanzileli)
  • Furkan Türkal (@Dentrax)
  • garantir-km (@garantir-km)
  • Jake Sanders (@dekkagaijin)
  • jbpratt (@jbpratt)
  • Matt Moore (@mattmoor)
  • Mikey Strauss (@houdini91)
  • Naveen Srinivasan (@naveensrinivasan)
  • Priya Wadhwa (@priyawadhwa)
  • Sambhav Kothari (@samj1912)

v1.3.1

  • BREAKING [cosign/pkg]: cosign.Verify has been removed in favor of explicit cosign.VerifyImageSignatures and cosign.VerifyImageAttestations (sigstore#1026)

Enhancements

  • Add ability for verify-blob to find signing cert in transparency log (sigstore#991)
  • root policy: add optional issuer to maintainer keys (sigstore#999)
  • PKCS11 signing support (sigstore#985)
  • Included timeout option for uploading to Rekor (sigstore#1001)

Bug Fixes

Contributors

  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Carlos Panato (@cpanato)
  • Dan Lorenc (@dlorenc)
  • Dennis Leon (@DennisDenuto)
  • Erkan Zileli (@erkanzileli)
  • Furkan Türkal (@Dentrax)
  • garantir-km (@garantir-km)
  • Jake Sanders (@dekkagaijin)
  • Naveen (@naveensrinivasan)

v1.3.0

  • BREAKING: verify-manifest is now manifest verify (sigstore#712)
  • BREAKING: /pkg has been heavily refactored. Further refactoring work will make its way into 1.4.0
  • WARNING: The CLI now uses POSIX-style (double-dash --flag) for long-form flags. It will temporarily accept the single-dash -flag form with a warning, which will become an error in a future release (sigstore#835)
  • Added sget as part of Cosign's releases (sigstore#752)
  • The copasetic utility was unceremoniously baleeted (sigstore#785)

Enhancements

  • Began reworking /pkg around new abstractions for signing, verification, and storage (sigstore#666)
    • Notice: refactoring of /pkg will continue in the next minor release (1.4.0). Please leave feedback, especially if you've been experimenting with cosign as a library and found it lacking (sigstore#844)
    • GGCR-style libraries for interacting with images now exist under pkg/oci (sigstore#770)
    • pkg/cosign/remote.UploadSignature API was been removed in favor of new pkg/oci/remote APIs (sigstore#774)
    • The function signature of cosign.Verify was changed so that callers must be explicit about which signatures (or attestations) to verify. For matching signatures, see also cosign.Verify{Signatures,Attestations} (sigstore#782)
    • Removed cremote.UploadFile in favor of static.NewFile and remote.Write (sigstore#797)
  • Innumerable other improvements to the codebase and automation (Makin me look bad, @mattmoor)
  • Migrated the CLI to cobra (Welcome to the team, @n3wscott)
  • Added the --allow-insecure-registry flag to disable TLS verification when interacting with insecure (e.g. self-signed) container registries (sigstore#669)
  • 🔒 cosigned now includes a mutating webhook that resolves image tags to digests (sigstore#800)
  • 🔒 The cosigned validating webhook now requires image digest references (sigstore#799)
  • The cosigned webhook now ignores resources that are being deleted (sigstore#803)
  • The cosigned webhook now supports resolving private images that are authenticated via imagePullSecrets (sigstore#804)
  • manifest verify now supports verifying images in all Kubernetes objects that fit within PodSpec, PodSpecTemplate, or JobSpecTemplate, including CRDs (sigstore#697)
  • Added shell auto-completion support (Clutch collab from @erkanzileli, @passcod, and @Dentrax! sigstore#836)
  • cosign has generated Markdown docs available in the doc/ directory (sigstore#839)
  • Added support for verifying with secrets from a GitLab project (sigstore#934)
  • Added a --k8s-keychain option that enables cosign to support ambient registry credentials based on the "k8schain" library (sigstore#972)
  • CI (test) Images are now created for every architecture distroless ships on (currently: amd64, arm64, arm, s390x, ppc64le) (sigstore#973)
  • attest: replaced --upload flag with a --no-upload flag (sigstore#979)

Bug Fixes

  • cosigned now verifies CronJob images (Terve, @vaikas sigstore#809)
  • Fixed the verify --cert-email option to actually work (Sweet as, @passcod sigstore#821)
  • public-key -sk no longer causes error: x509: unsupported public key type: *crypto.PublicKey (sigstore#864)
  • Fixed interactive terminal support in Windows (sigstore#871)
  • The -ct flag is no longer ignored in upload blob (sigstore#910)

Contributors

  • Aditya Sirish (@adityasaky)
  • Asra Ali (@asraa)
  • Axel Simon (@axelsimon)
  • Batuhan Apaydın (@developer-guy)
  • Brandon Mitchell (@sudo-bmitch)
  • Carlos Panato (@cpanato)
  • Chao Lin (@blackcat-lin)
  • Dan Lorenc (@dlorenc)
  • Dan Luhring (@luhring)
  • Eng Zer Jun (@Juneezee)
  • Erkan Zileli (@erkanzileli)
  • Félix Saparelli (@passcod)
  • Furkan Türkal (@Dentrax)
  • Hector Fernandez (@hectorj2f)
  • Ivan Font (@font)
  • Jake Sanders (@dekkagaijin)
  • Jason Hall (@imjasonh)
  • Jim Bugwadia (@JimBugwadia)
  • Joel Kamp (@mrjoelkamp)
  • Luke Hinds (@lukehinds)
  • Matt Moore (@mattmoor)
  • Naveen (@naveensrinivasan)
  • Olivier Gaumond (@oliviergaumond)
  • Priya Wadhwa (@priyawadhwa)
  • Radoslav Gerganov (@rgerganov)
  • Ramkumar Chinchani (@rchincha)
  • Rémy Greinhofer (@rgreinho)
  • Scott Nichols (@n3wscott)
  • Shubham Palriwala (@ShubhamPalriwala)
  • Viacheslav Vasilyev (@avoidik)
  • Ville Aikas (@vaikas)

v1.2.0

Enhancements

  • BREAKING: move verify-dockerfile to dockerfile verify (sigstore#662)
  • Have the keyless cosign sign flow use a single 3LO. (sigstore#665)
  • Allow to verify-blob from urls (sigstore#646)
  • Support GCP environments without workload identity (GCB). (sigstore#652)
  • Switch the release cosign container to debug. (sigstore#649)
  • Add logic to detect and use ambient OIDC from exec envs. (sigstore#644)
  • Add -cert-email flag to provide the email expected from a fulcio cert to be valid (sigstore#622)
  • Add support for downloading signature from remote (sigstore#629)
  • Add sbom and attestations to triangulate (sigstore#628)
  • Add cosign attachment signing and verification (sigstore#615)
  • Embed CT log public key (sigstore#607)
  • Verify SCTs returned by fulcio (sigstore#600)
  • Add extra replacement variables and GCP's role identifier (sigstore#597)
  • Store attestations in the layer (payload) rather than the annotation. (sigstore#579)
  • Improve documentation about predicate type and change predicate type from provenance to slsaprovenance (sigstore#583)
  • Upgrade in-toto-golang to adapt SLSA Provenance (sigstore#582)

Bug Fixes

  • Fix verify-dockerfile to allow lowercase FROM (sigstore#643)
  • Fix signing for the cosigned image. (sigstore#634)
  • Make sure generate-key-pair doesn't overwrite existing key-pair (sigstore#623)
  • helm/ci: update helm repo before installing the dependency (sigstore#598)
  • Set the correct predicate type/URI for each supported predicate type. (sigstore#592)
  • Warnings on admissionregistration version (sigstore#581)
  • Remove unnecessary COSIGN_PASSWORD (sigstore#572)

Contributors

  • Batuhan Apaydın
  • Ben Walding
  • Carlos Alexandro Becker
  • Carlos Tadeu Panato Junior
  • Erkan Zileli
  • Hector Fernandez
  • Jake Sanders
  • Jason Hall
  • Matt Moore
  • Michael Lieberman
  • Naveen Srinivasan
  • Pradeep Chhetri
  • Sambhav Kothari
  • dlorenc
  • priyawadhwa

v1.1.0

Enhancements

  • BREAKING: The -attestation flag has been renamed to -predicate in attest (sigstore#500)
  • Added verify-manifest command (sigstore#490)
  • Added the ability to specify and validate well-known attestation types in attest with the -type flag (sigstore#504)
  • Added cosign init command to setup the trusted local repository of SigStore's TUF root metadata (sigstore#520)
  • Added timestamps to Cosign's custom In-Toto predicate (sigstore#533)
  • verify now always verifies that the image exists (even when referenced by digest) before verification (sigstore#543)

Bug Fixes

  • verify-dockerfile no longer fails on FROM scratch (sigstore#509)
  • Fixed reading from STDIN with attach sbom (sigstore#517)
  • Fixed broken documentation and implementation of -output for verify and verify-attestation (sigstore#546)
  • Fixed nil pointer error when calling upload blob without specifying -f (sigstore#563)

Contributors

  • Adolfo García Veytia (@puerco)
  • Anton Semjonov (@ansemjo)
  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Carlos Panato (@cpanato)
  • Dan Lorenc (@dlorenc)
  • @gkovan
  • Hector Fernandez (@hectorj2f)
  • Jake Sanders (@dekkagaijin)
  • Jim Bugwadia (@JimBugwadia)
  • Jose Donizetti (@josedonizetti)
  • Joshua Hansen (@joshes)
  • Jason Hall (@imjasonh)
  • Priya Wadhwa (@priyawadhwa)
  • Russell Brown (@rjbrown57)
  • Stephan Renatus (@srenatus)
  • Li Yi (@denverdino)

v1.0.0

Enhancements

  • BREAKING: The default HSM key slot is now "signature" instead of "authentication" (sigstore#450)
  • BREAKING: --fulcio-server is now --fulcio-url (sigstore#471)
  • Added -cert flag to sign to allow the explicit addition of a signature certificate (sigstore#451)
  • Added the attest command (sigstore#458)
  • Added numerous flags for specifying parameters when interacting with Rekor and Fulcio (sigstore#462)
  • cosign will now send its version string as part of the user-agent when interacting with a container registry (sigstore#479)
  • Files containing certificates for custom Fulcio endpoints can now be specified via the COSIGN_ROOT environment variable (sigstore#477)

Bug Fixes

  • Fixed a situation where lower-case as would break verify-dockerfile (Complements to @Dentrax sigstore#433)

Contributors

  • Appu Goundan (@loosebazooka)
  • Batuhan Apaydın (@developer-guy)
  • Carlos Panato (@cpanato)
  • Dan Lorenc (@dlorenc)
  • Furkan Türkal (@Dentrax)
  • Hector Fernandez (@hectorj2f)
  • Jake Sanders (@dekkagaijin)
  • James Alseth (@jalseth)
  • Jason Hall (@imjasonh)
  • João Pereira (@joaodrp)
  • Luke Hinds (@lukehinds)
  • Tom Hennen (@TomHennen)

v0.6.0

Enhancements

  • BREAKING: Moved cosign upload-blob to cosign upload blob (sigstore#378)
  • BREAKING: Moved cosign upload to cosign attach signature (sigstore#378)
  • BREAKING: Moved cosign download to cosign download signature (sigstore#392)
  • Added flags to specify slot, PIN, and touch policies for security keys (Thank you @ddz sigstore#369)
  • Added cosign verify-dockerfile command (sigstore#395)
  • Added SBOM support in cosign attach and cosign download sbom (sigstore#387)
  • Sign & verify images using Kubernetes secrets (A muchas muchas gracias to @developer-guy and @Dentrax sigstore#398)
  • Added support for AWS KMS (谢谢, @codysoyland sigstore#426)
  • Numerous enhancements to our build & release process, courtesy @cpanato

Bug Fixes

  • Verify entry timestamp signatures of fetched Tlog entries (sigstore#371)

Contributors

  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Carlos Panato (@cpanato)
  • Cody Soyland (@codysoyland)
  • Dan Lorenc (@dlorenc)
  • Dino A. Dai Zovi (@ddz)
  • Furkan Türkal (@Dentrax)
  • Jake Sanders (@dekkagaijin)
  • Jason Hall (@imjasonh)
  • Paris Zoumpouloglou (@zuBux)
  • Priya Wadhwa (@priyawadhwa)
  • Rémy Greinhofer (@rgreinho)
  • Russell Brown (@rjbrown57)

v0.5.0

Enhancements

  • Added cosign copy to easily move images and signatures between repositories (sigstore#317)
  • Added -r flag to cosign sign for recursively signing multi-arch images (sigstore#320)
  • Added cosign clean to delete signatures for an image (Thanks, @developer-guy! sigstore#324)
  • Added -k8s flag to cosign generate-key-pair to create a Kubernetes secret (Hell yeah, @priyawadhwa! sigstore#345)

Bug Fixes

  • Fixed an issue with misdirected image signatures when COSIGN_REPOSITORY was used (sigstore#323)

Contributors

  • Balazs Zachar (@Cajga)
  • Batuhan Apaydın (@developer-guy)
  • Dan Lorenc (@dlorenc)
  • Furkan Turkal (@Dentrax)
  • Jake Sanders (@dekkagaijin)
  • Jon Johnson (@jonjohnsonjr)
  • Priya Wadhwa (@priyawadhwa)

v0.4.0

Action Required

  • Signatures created with cosign before v0.4.0 are not compatible with those created after
    • The signature image's manifest now uses OCI mediaTypes (#300)
    • The signature image's tag is now terminated with .sig (instead of .cosign, #287)

Enhancements

  • 🎉 Added support for "offline" verification of Rekor signatures 🎉 (ありがとう, priyawadhwa! #285)
  • Support for Hashicorp vault as a KMS provider has been added (Danke, RichiCoder1! sigstore/sigstore #44, sigstore/sigstore #49)

Bug Fixes

  • GCP KMS URIs now include the key version (#45)

Contributors

  • Christian Pearce (@pearcec)
  • Dan Lorenc (@dlorenc)
  • Jake Sanders (@dekkagaijin)
  • Priya Wadhwa (@priyawadhwa)
  • Richard Simpson (@RichiCoder1)
  • Ross Timson (@rosstimson)

v0.3.1

Bug Fixes

  • Fixed CI container image breakage introduced in v0.3.0
  • Fixed lack of version information in release binaries

v0.3.0

This is the third release of cosign!

We still expect many flags, commands, and formats to change going forward, but we're getting closer. No backwards compatibility is promised or implied yet, though we are hoping to formalize this policy in the next release. See #254 for more info.

Enhancements

  • The -output-file flag supports writing output to a specific file
  • The -key flag now supports kms references and URLs, the kms specific flag has been removed
  • Yubikey/PIV hardware support is now included!
  • Support for signing and verifying multiple images in one invocation

Bug Fixes

  • Bug fixes in KMS keypair generation
  • Bug fixes in key type parsing

Contributors

  • Dan Lorenc
  • Priya Wadhwa
  • Ivan Font
  • Dependabot!
  • Mark Bestavros
  • Jake Sanders
  • Carlos Tadeu Panato Junior

v0.2.0

This is the second release of cosign!

We still expect many flags, commands, and formats to change going forward, but we're getting closer. No backwards compatibility is promised or implied.

Enhancements

  • The password for private keys can now be passed via the COSIGN_PASSWORD
  • KMS keys can now be used to sign and verify blobs
  • The version command can now be used to return the release version
  • The public-key command can now be used to extract the public key from KMS or a private key
  • The COSIGN_REPOSITORY environment variable can be used to store signatures in an alternate location
  • Tons of new EXAMPLES in our help text

Bug Fixes

  • Improved error messages for command line flag verification
  • TONS more unit and integration testing
  • Too many others to count :)

Contributors

We would love to thank the contributors:

  • Dan Lorenc
  • Priya Wadhwa
  • Ahmet Alp Balkan
  • Naveen Srinivasan
  • Chris Norman
  • Jon Johnson
  • Kim Lewandowski
  • Luke Hinds
  • Bob Callaway
  • Dan POP
  • eminks
  • Mark Bestavros
  • Jake Sanders

v0.1.0

This is the first release of cosign!

The main goal of this release is to release something we can start using to sign other releases of sigstore projects, including cosign itself.

We expect many flags, commands, and formats to change going forward. No backwards compatibility is promised or implied.

Enhancements

This release added a feature to cosign called cosign. The cosign feature can be used to sign container images and blobs. Detailed documentation can be found in the README and the Detailed Usage.

Bug Fixes

There was no way to sign container images. Now there is!

Contributors

We would love to thank the contributors:

  • dlorenc
  • priyawadhwa
  • Ahmet Alp Balkan
  • Ivan Font
  • Jason Hall
  • Chris Norman
  • Jon Johnson
  • Kim Lewandowski
  • Luke Hinds
  • Bob Callaway