12 Apr 12:15

sigstore-bot

1b1bca3

v1.7.2

What's Changed

Bump codecov/codecov-action from 2.1.0 to 3 by @dependabot in #1714
Bump github/codeql-action from 2.1.6 to 2.1.7 by @dependabot in #1713
Bump google-github-actions/auth from 0.6.0 to 0.7.0 by @dependabot in #1712
Bump github.com/xanzy/go-gitlab from 0.61.0 to 0.62.0 by @dependabot in #1711
Makefile: fix directory not found error by @hectorj2f in #1718
Update release job by @cpanato in #1720
[Cosigned] Fix publicKey unmarshal by @DennyHoang in #1719
fix: add permissions to patch events by @hectorj2f in #1722
Bump sigstore/cosign-installer from 2.1.0 to 2.2.0 by @dependabot in #1723
Bump cloud.google.com/go/storage from 1.21.0 to 1.22.0 by @dependabot in #1721
Bump github/codeql-action from 2.1.7 to 2.1.8 by @dependabot in #1725
Make public all types required to use ValidatePolicy by @jdolitsky in #1727
Add unit tests for IntotoAttestation verifier. by @vaikas in #1728
Bump github.com/hashicorp/go-uuid from 1.0.2 to 1.0.3 by @dependabot in #1724
Remove newline from download sbom output by @ribbybibby in #1732
Fix packages name and binary in the packages by @cpanato in #1734
Fix fulcioroots test and linter error by @haydentherapper in #1741
Support non-ECDSA public keys in certificates by @haydentherapper in #1740
bug: remove old fulcio root and fix fallback target code by @asraa in #1738
Bump actions/cache from 3.0.1 to 3.0.2 by @dependabot in #1737
add changelog for v1.7.2 by @cpanato in #1735

Full Changelog: v1.7.1...v1.7.2

Thanks to all contributors!

Contributors

jdolitsky, hectorj2f, and 7 other contributors

Assets 137

05 Apr 18:05

cpanato

v1.7.1

53c28e4

v1.7.1

What's Changed

commenting out the copy from gcr to ghcr due issues on github side by @cpanato in #1715
Update images for release job by @cpanato in #1551
pkcs11: fix build instructions by @rgerganov in #1550
Bump actions/upload-artifact from 2.3.1 to 3 by @dependabot in #1553
Bump github.com/xanzy/go-gitlab from 0.56.0 to 0.57.0 by @dependabot in #1552
Mirror signed release images from GCR to GHCR as part of release with… by @k4leung4 in #1547
Update hashicorp/parseutil to v0.1.3. by @dlorenc in #1557
Bump github.com/xanzy/go-gitlab from 0.57.0 to 0.58.0 by @dependabot in #1560
Bump github.com/go-openapi/runtime from 0.23.1 to 0.23.2 by @dependabot in #1559
Bump sigstore/cosign-installer from 2.0.1 to 2.1.0 by @dependabot in #1561
add definition for artifact hub to verify the ownership by @cpanato in #1563
Bump github/codeql-action from 1.1.3 to 1.1.4 by @dependabot in #1565
Add example using AWS Key Management Service (KMS) by @davivcgarcia in #1564
Start of the necessary pieces to get #1418 and #1419 implemented by @vaikas in #1562
Bump google.golang.org/api from 0.70.0 to 0.71.0 by @dependabot in #1577
Bump github.com/hashicorp/go-hclog from 1.1.0 to 1.2.0 by @dependabot in #1576
Bump google-github-actions/setup-gcloud from 0.5.1 to 0.6.0 by @dependabot in #1578
Support deletion of ClusterImagePolicy by @vaikas in #1580
Bump github.com/xanzy/go-gitlab from 0.58.0 to 0.59.0 by @dependabot in #1579
1417 policy validations by @kkavitha in #1548
Don't lowercase input image refs, just fail by @imjasonh in #1586
Fix #1583 #1582. Disallow regex now until implemented. by @vaikas in #1584
Bump github.com/spf13/cobra from 1.3.0 to 1.4.0 by @dependabot in #1588
Bump google.golang.org/grpc from 1.44.0 to 1.45.0 by @dependabot in #1587
Bump mikefarah/yq from 4.21.1 to 4.22.1 by @dependabot in #1589
Fix piping 'cosign verify' using fulcio/rekor by @marcofranssen in #1590
Fix #1592 move authorities as siblings of images. by @vaikas in #1593
Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.12 to 2.0.0 by @dependabot in #1597
Add ability to inline secrets from SecretRef to configmap. by @vaikas in #1595
Fix copy/paste mistake in repo name. by @k4leung4 in #1600
Use reusuable release workflow in sigstore/sigstore by @k4leung4 in #1599
Add public key validation by @kkavitha in #1598
Validate a public key in a secret is valid. by @vaikas in #1602
Ensure entry is removed from CM on secret error. by @vaikas in #1605
Bump google.golang.org/api from 0.71.0 to 0.72.0 by @dependabot in #1612
Bump to knative pkg 1.3 by @mattmoor in #1614
Add two env variables. One for using Rekor public key from OOB and one for fetching it from Rekor server by @vaikas in #1610
Init entity from ociremote when signing a digest ref by @puerco in #1616
rename ca-key to ca-cert. Fix 1608, 1613 by @vaikas in #1617
improve cosigned validation error messages by @cpanato in #1618
Bump ecr-login to pick up WithLogger rename by @mattmoor in #1624
Bump github/codeql-action from 1.1.4 to 1.1.5 by @dependabot in #1622
Bump google.golang.org/api from 0.72.0 to 0.73.0 by @dependabot in #1619
Bump github.com/stretchr/testify from 1.7.0 to 1.7.1 by @dependabot in #1621
Use latest knative/pkg's configmap informer by @tcnghia in #1615
Included OpenSSF Best Practices Badge by @naveensrinivasan in #1628
Bump github.com/xanzy/go-gitlab from 0.59.0 to 0.60.0 by @dependabot in #1634
FUN.md broke when RecordObj changed to HashedRecordObj by @MitchellJThomas in #1633
update crane to v0.8.0 release by @cpanato in #1635
push latest tag when building a release by @cpanato in #1636
Add extra label and change the latest tag to unstable for non tagged releases by @cpanato in #1637
Bump github.com/go-openapi/runtime from 0.23.2 to 0.23.3 by @dependabot in #1638
Bump actions/cache from 2.1.7 to 3 by @dependabot in #1640
Document Elastic container registry support by @mgreau in #1641
Bump mikefarah/yq from 4.22.1 to 4.23.1 by @dependabot in #1639
Validate authority keys by @coyote240 in #1623
feat: tree command utility by @developer-guy in #1603
fix build date format for version command by @cpanato in #1644
Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 by @dependabot in #1646
Add support for intermediate certificates when verifiying by @haydentherapper in #1631
Prompt user before running cosign clean by @priyawadhwa in #1649
Use ClusterImagePolicy with Keyless + e2e tests for CIP with kind by @vaikas in #1650
KEYLESS.md: Shorten example OAuth URL by @tstromberg in #1661
Use syscall.Stdin for input handle. Fixes #1153 by @mdp in #1657
Add support for certificate chain to verify certificate by @haydentherapper in #1659
First batch of followups to #1650 by @vaikas in #1664
Add certificate chain flag for signing by @haydentherapper in #1656
[attach]: Add specific suffixes mediaTypes to sboms by @hectorj2f in #1663
update font when output the cosign version by @cpanato in #1668
feat: add ability to override registry keychain by @noamichael in #1666
remove replace directive by @cpanato in #1669
Bump mikefarah/yq from 4.23.1 to 4.24.2 by @dependabot in #1670
Refactor based on discussions in #1650 by @vaikas in #1674
Find all valid entries in verify-blob by @priyawadhwa in #1673
Fix relative paths in Gitub OIDC blob test by @priyawadhwa in #1677
Add support for cert and cert chain flags with PKCS11 tokens by @haydentherapper in #1671
Use cosign @ HEAD for Github OIDC sign blob test by @priyawadhwa in #1678
Make cosign copy copy metadata attached to child images. by @mattmoor in #1682
change file_name_template to PackageName by @strongjz in #1683
Update error message for verify/verify attestation by @haydentherapper in #1686
cosign clean: Don't log failure if the registry responds with 404 by @imjasonh in #1687
verify: add leaf hash verification for tlog entries by @asraa in #1688
Fix handling of policy in verify-attestation by @lcarva in #1672
Add e2e test for attest / verify-attestation by @vaikas in #1685
Bump actions/cache from 3.0.0 to 3.0.1 by @dependabot in #1689
Bump github/codeql-action from 1.1.5 to 2.1.6 by @dependabot in #1690
Bump google.golang.org/api from 0.73.0 to 0.74.0 by @dependabot in #1695
verify: remove extra calls to rekor for verify and verify-blob by @asraa in #1694
Remove the hardcoded sigstore audience by @mattmoor in...

Contributors

mdp, tstromberg, and 27 other contributors

Assets 91

04 Mar 08:24

sigstore-bot

v1.6.0

4b2c3c0

v1.6.0

This release contains fixes for GHSA-ccxc-vr6p-4858, affecting signature validations with Rekor. Only validation is affected, it is not necessary to re-sign any artifacts.
See: GHSA-ccxc-vr6p-4858

What's Changed

add changelog for 1.5.1 release by @cpanato in #1376
Bump github.com/go-openapi/runtime from 0.21.1 to 0.22.0 by @dependabot in #1382
Bump github.com/go-openapi/swag from 0.19.15 to 0.20.0 by @dependabot in #1383
Fix double time import in e2e tests by @saschagrunert in #1388
Add --timeout support to sign command by @saschagrunert in #1379
Bump github.com/go-openapi/swag from 0.20.0 to 0.21.1 by @dependabot in #1386
Bump github.com/xanzy/go-gitlab from 0.54.3 to 0.54.4 by @dependabot in #1391
Fix comparison in replace option for attestation by @bburky in #1366
Add Cosign logo to README by @nsmith5 in #1395
Minor refactor to verify SCT and Rekor entry with multiple keys by @haydentherapper in #1396
Fix a link of SECURITY.md by @knqyf263 in #1399
update cosign and cross-build image for the release job by @cpanato in #1400
Bump cuelang.org/go from 0.4.1 to 0.4.2 by @dependabot in #1401
Bump google.golang.org/api from 0.66.0 to 0.67.0 by @dependabot in #1402
feat: login command by @developer-guy in #1398
TUF: Add root status output by @asraa in #1404
Bump cloud.google.com/go/storage from 1.19.0 to 1.20.0 by @dependabot in #1403
Add a newline after password input by @knqyf263 in #1407
make imageRef lowercase before parsing by @bobcallaway in #1409
Improve error message when image is not found in registry by @imjasonh in #1410
Bump github.com/go-openapi/runtime from 0.22.0 to 0.23.0 by @dependabot in #1412
Bump github.com/go-openapi/strfmt from 0.21.1 to 0.21.2 by @dependabot in #1411
Add ability to override the Spiffe socket via environmental variable: by @vaikas in #1421
Fix incorrect error check when verifying SCT by @haydentherapper in #1422
Skip the ReadWrite test that flakes on Windows. by @dlorenc in #1415
Allow PassFunc to be nil by @saschagrunert in #1426
Update the cosign keyless documentation to point to the GA release. by @dlorenc in #1427
Remove TUF timestamp from OCI signature bundle by @haydentherapper in #1428
Add docs on API stability and deprecation table by @priyawadhwa in #1429
Bump google.golang.org/api from 0.67.0 to 0.68.0 by @dependabot in #1434
update cross-build image which adds goimports by @cpanato in #1435
feat: enhance clean cmd capability by @developer-guy in #1430
use the upstream kubernetes version lib and ldflags by @n3wscott in #1413
Improve log lines to match with implementation by @marcofranssen in #1432
Bump go-containerregistry, pick up new features by @imjasonh in #1442
feat: fig autocomplete feature by @developer-guy in #1360
update cross-build to use go 1.17.7 by @cpanato in #1446
Fetch verification targets by TUF custom metadata by @haydentherapper in #1423
feat: add -buildid= to ldflags by @developer-guy in #1451
Streamline SignBlobCmd API with SignCmd by @saschagrunert in #1454
convert release cosigned to also generate yaml artifact. by @k4leung4 in #1453
Bump webhook timeout. by @dlorenc in #1465
Fix tkn link in readme by @Yongxuanzhang in #1459
Bump the gitlab library and add a nil opt for the API change. by @dlorenc in #1466
Print message when verifying with old TUF targets by @haydentherapper in #1468
Bump google.golang.org/api from 0.68.0 to 0.69.0 by @dependabot in #1469
fix(sign): refactor unsupported provider log by @Dentrax in #1464
tests: /bin/bash -> /usr/bin/env bash by @znewman01 in #1470
Double goreleaser timeout by @znewman01 in #1472
increase timeout for goreleaser snapshot by @cpanato in #1473
fix(sign): kms unspported message by @Dentrax in #1475
refactor release cloudbuild job by @cpanato in #1476
Bump sigstore/sigstore to pick up the kms change and the monkey-patch… by @dlorenc in #1479
Fix wording on attach attestation help by @luhring in #1480
update go-tuf and simplify TUF client code by @asraa in #1455
add initial changelog for 1.5.2 by @cpanato in #1483
Fix linter error on main by @priyawadhwa in #1484
Update Changelog for Security Advisory by @cpanato in #1485
Bump cloud.google.com/go/storage from 1.20.0 to 1.21.0 by @dependabot in #1481
chore(makefile): use kocache, convert publish to build by @developer-guy in #1488
Pick up a change to quiet ECR-login logging. by @mattmoor in #1491
feat: support other types in copy cmd by @developer-guy in #1493
Pick up some of the shared workflows by @mattmoor in #1490
Bump google-github-actions/setup-gcloud from 0.3.0 to 0.5.1 by @dependabot in #1499
Update github/codeql-action requirement to d39d5d5c9707b926d517b1b292905ef4c03aa777 by @dependabot in #1498
Bump actions/github-script from 4.1.1 to 6 by @dependabot in #1497
Bump sigstore/cosign-installer from 1.4.1 to 2.0.1 by @dependabot in #1496
feat: nominate Dentrax as codeowner by @developer-guy in #1492
Bump google.golang.org/api from 0.69.0 to 0.70.0 by @dependabot in #1500
Bump ossf/scorecard-action from 0fe1afdc40f536c78e3dc69147b91b3ecec2cc8a to 1.0.4 by @dependabot in #1502
Bump google-github-actions/auth from 0.4.4 to 0.6.0 by @dependabot in #1501
add correct layer media type to cosign attach attestation by @spiffcs in #1503
Bump actions/setup-go from 2.1.5 to 2.2.0 by @dependabot in #1495
This sets up the scaffolding for the cosigned CRD types. by @mattmoor in #1504
Bump go.uber.org/zap from 1.20.0 to 1.21.0 by @dependabot in #1509
Bump github.com/go-openapi/runtime from 0.23.0 to 0.23.1 by @dependabot in #1507
Bump mikefarah/yq from 4.16.2 to 4.20.2 by @dependabot in #1510
use v6 api calls in GH action for updating release milestones by @bobcallaway in #1511
Bump github/codeql-action from 1.1.2 to 1.1.3 by @dependabot in #1512
Add skeleton reconciler for cosigned API CRD. by @mattmoor in #1513
Bump golangci/golangci-lint-action from 2.5.2 to 3 by @dependabot in #1516
bug fix: import ed25519 keys and fix error handling by @asraa in #1518
optimize codeql speed by using caching and tracing by @bobcallaway in #1519
Add a dummy.go file to allow vendoring config by @jdolitsky in #1520
Add CertExtensions func to extract all extensions by @ckotzbauer in #1515
chore(ci): add artifact hub support by @Dentrax in #1522
Bump github.com/secure-systems-lab/go-securesystemsli...

Contributors

bburky, imjasonh, and 26 other contributors

Assets 162

18 Feb 22:32

sigstore-bot

v1.5.2

8ffcd12

v1.5.2 - CVE-2022-23649

This release contains fixes for CVE-2022-23649, affecting signature validations with Rekor. Only validation is affected, it is not necessary to re-sign any artifacts.
See: GHSA-ccxc-vr6p-4858

Changelog

8ffcd12 Cherry-pick release notes for 1.5.1 and 1.5.2 (#1487)
c09e04a Cherry pick vulnerability PRs to release-1.5 (#1486)
52164f2 cherry picks to release-1.5 branch (#1482)

Thanks for all contributors!

Assets 117

31 Jan 18:41

sigstore-bot

v1.5.1

c3e4d8b

v1.5.1

Changelog

c3e4d8b Bump sigstore/sigstore to pick up oidc login for vault. (#1377)
8b77279 Bump google.golang.org/api from 0.65.0 to 0.66.0 (#1371)
d2781b8 expose dafaults fulcio, rekor, oidc issuer urls (#1368)
4921aa7 add check to make sure the go modules are in sync (#1369)
6575648 README: fix link to race conditions (#1367)
e3024f4 Bump cloud.google.com/go/storage from 1.18.2 to 1.19.0 (#1365)
e1e0153 docs: verify-attestation cue and rego policy doc (#1362)
21e6b80 Update verify-blob to support DSSEs (#1355)
79012c3 organize, update select deps (#1358)
cd49449 Bump go-containerregistry to pick up ACR keychain fix (#1357)
239d4c4 Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (#1352)
44de8d1 sync go modules (#1353)

Thanks to all contributors!

Full Changelog: v1.5.0...v1.5.1

Assets 116

24 Jan 19:14

sigstore-bot

v1.5.0

7572520

v1.5.0

Changelog

7572520 add ascii art when using the version command (#1349)
4c23b55 update cross builder image - the image is now signed using keyless method (#1348)
03a2778 Add vaikas to CODEOWNERS (#1347)
f186ee3 add changelog for v1.5.0 (#1345)
9acdf64 Cache the location of the remote repository when running cosign initialize (#1315)
e534409 Fix minor typo (a missing verb) in README (#1346)
22007e5 Don't use k8schain, statically link cloud cred helpers in cosign (#1279)
a50bc9d Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (#1343)
1a92b50 Bump recommended Go development version in README (#1340)
1560c64 Bump the snapshot and timestamp roles metadata from root signing. (#1339)
bca7ba6 Export function to verify individual signature (#1334)
b0e81eb Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.10 to 2.0.0-beta.11 (#1336)
a7838c5 update go-github to v42 release (#1335)
b0848d1 install latest release for ko instead of head of main branch (#1333)
2f8c22e remove wrong settings in the gco auth for gh actions (#1332)
fbf8dcb update gcp setup for the GH action (#1330)
888b392 fix: cosign verify for vault (#1328)
e64cc10 update some dependencies (#1326)
461b032 fix missing goimports (#1327)
78ee720 Add suffix with digest to signature file output for recursive signing (#1267)
0532601 Take OIDC client secret into account (#1310)
475c99d Verify checksum of downloaded utilities during CI (#1322)
97509b9 pin github actions by digest (#1319)
4592c23 Fix TestSignBlobBundle (#1320)
bad18e5 Add --bundle flag to sign-blob and verify-blob (#1306)
079e28d Add flag to verify OIDC issuer in certificate (#1308)
2c96cf3 Bump google.golang.org/api from 0.64.0 to 0.65.0 (#1303)
24914ac add OSSF scorecard action (#1318)
244c07a Add TUF timestamp to attestation bundle (#1316)
46cf94b Provide certificate flags to all verify commands (#1305)
d58fc63 Bundle TUF timestamp with signature on signing (#1294)
c49ba0b Bump cuelang.org/go from 0.4.0 to 0.4.1 (#1302)
754d33e Add support for importing PKCS#8 private keys, and add validation (#1300)
aa0b8c1 add error message (#1296)
a7bd67c Move bundle out of oci and into bundle package (#1295)
9368996 Bump github.com/xanzy/go-gitlab from 0.54.2 to 0.54.3 (#1292)
ef380f0 update import documentation (#1290)
e671216 Fix a couple bugs in cert verification for blobs (#1287)
76e691b Fix a few bugs in cosign initialize (#1280)
b9d0d4a Reorganize verify-blob code and add a unit test (#1286)
419be8a update release image to use go 1.17.6 (#1284)
809b091 Bump google.golang.org/api. (#1283)
4376cca Bump opa and go-gitlab. (#1281)
b6aaddc Update SBOM spec to indicate compat for syft (#1278)
f19f4f7 Update signature spec with timestamp annotation (#1274)
7f54a8f Bump miekg/pkcs11 (#1275)
36cc106 Pick up latest knative.dev/pkg, and k8s 0.22 libs (#1269)
6af964c Fix the unit tests with expired TUF metadata. (#1270)
242f586 One-to-one mapping of invocation to scan result (#1268)
1a7f9d6 refactor common utilities (#1266)
d89eb8e Fix output-file flag. (#1264)
9a27e1f Importing RSA and EC keypairs (#1050)
8194edd enable sbom generation when releasing (#1261)
0a4a68a feat: log error to stderr (#1260)
591601c feat: support attach attestation (#1253)
2e99320 Refactor the tuf client code. (#1252)
dfc0347 Moved certificate output before checking for upload during signing (#1255)
c09d682 Remove remaining ioutil usage (#1256)
894a3bc Update the embedded TUF metadata. (#1251)
645c259 Bump sigstore/sigstore. (#1247)
4ecb43d fix: typo in the error message (#1250)
1df7fe4 Fix semantic bugs in attestation verifification. (#1249)
f32c1d7 Fix semantic bug in DSSE specification. (#1248)
4e4bbf6 Spelling (#1246)
7e5abbf feat: resolve --cert from URL (#1245)
c360535 Add support for other public key types for SCT verification, allow override for testing. (#1241)
6f41b4b Log the proper remote repo for the signatures on verify (#1243)
24d43bd feat: generate/upload sbom for cosign projects (#1237)
b3bd158 Use ${{github.repository}} placeholder in OIDC GitHub workflow (#1244)
47d936c update codeowners list with miissing codeowners (#1238)
3dd690e feat: vuln attest support (#1168)
6a4afef feat: add ambient credential detection with spiffe/spire (#1220)
1104dfd feat: generate/upload sbom for cosign projects (#1236)
0c25819 update build images for release and bump cosign in the release job (#1234)
ac8a7e9 feat: implement cosign download attestation (#1216)
d318979 Do not require multiple Fulcio certs in the TUF root (#1230)
9da74c9 update deps (#1222)
b2d6393 nit: add comments to Signer interface (#1228)
f2e034d clean up references to 'keyless' in ephemeral.Signer (#1225)
acf5900 create DSSEAttestor interface, payload.DSSEAttestor implementation (#1221)
ca4544c update google.golang.org/api from 0.62.0 to 0.63.0 (#1214)
1feacab use mutate.Signature in the new Signers (#1213)
28b03f7 create mutate functions for oci.Signature (#1199)
500cd40 update snapshot and timestamp (#1211)
cbdc1b3 add a writeable $HOME for the nonroot cosigned user (#1209)
4d4c830 signing attestation should private key (#1200)
6e397c2 Remove the "upload" flag for "cosign initialize" (#1201)
008f860 create KeylessSigner (#1189)
2ad95b3 Bump github.com/spf13/viper from 1.9.0 to 1.10.0 (#1198)
3dac54a Bump the DSSE library and handle manual changes in the API. (#1191)
cfd981e nit: drop every section title down a level (#1188)

Thanks for all contributors!

Assets 116

10 Dec 17:24

sigstore-bot

v1.4.1

934567a

v1.4.1

A whole buncha bugfixes!

Enhancements

Files created with --output-signature and --output-certificate now created with 0600 permissions (#1151)
Added cosign verify-attestation --local-image for verifying signed images with attestations from disk (#1174)
Added the ability to fetch the TUF root over HTTP with cosign initialize --mirror (#1185)

Bug Fixes

Fixed saving and loading a signed image index to disk (#1147)
Fixed sign-blob --output-certificate writing an empty file (#1149)
Fixed assorted issues related to the initialization and use of Sigstore's TUF root of trust (#1157)

Contributors

Carlos Alexandro Becker (@caarlos0)
Carlos Panato (@cpanato)
Hayden Blauzvern (@haydentherapper)
Jake Sanders (@dekkagaijin)
Matt Moore (@mattmoor)
Priya Wadhwa (@priyawadhwa)
Radoslav Gerganov (@rgerganov)

Changelog

934567a add 1.4.1 relnotes (#1186)
fe3a030 Allow fetching TUF root from HTTP (#1185)
d8e1795 update golang cross image to use go1.17.5 (#1184)
2e9d3d8 add e2e tests for Windows + PowerShell (#1177)
4c473e5 add tests for cosign initialize (#1182)
b113e30 update go-tuf and use the newly exposed Close() (#1181)
5a5914f Add option to verify attestations from local image (#1174)
d0d91ab add test for interactive private key password prompt (#1176)
e5056ed enable e2e-test coverage for Win & OSX (#1166)
dc744ea use a different repo for each e2e test against the registry (#1175)
4652b36 re-enable windows in e2e-with-binary, fix issues (#1172)
75e3d62 Bump GGCR to latest. (#1169)
287bb27 disable broken Windows e2e-with-binary (#1167)
8644a7a use sync.Once to init the global tuf root (#1163)
10b7f9d Add option to verify local image (#1159)
bd8b7d5 bump k8s versions used for kind-e2e-cosigned (#1164)
1510379 Add make target for doc generation (#1162)
79a843b expand CI testing to Windows and OSX, fix issues uncovered (#1158)
9394f85 Pull in the new Fulcio client code. (#1126)
dd53292 return error when rekor pub cannot be retrieved, fix file path construction (#1157)
a684c45 add job to run some e2e tests to sing a artifcat and check the outputs (#1154)
96c02ba fix: improve perms, error handling (#1151)
ab632c8 update crane (#1150)
b454d08 cosigned: add version to cosigned (#1139)
26c99d8 fix: --output-certificate not working properly (#1149)
430080f Fix bug when saving and loading an image index (#1147)
39e6540 sign-blob --output -> --output-signature (#1148)

Thanks for all contributors!

Contributors

caarlos0, rgerganov, and 5 other contributors

Assets 70

07 Dec 00:03

sigstore-bot

v1.4.0

50315fc

v1.4.0

Highlights

BREAKING [COSIGN_EXPERIMENTAL]: This and future cosign releases will generate signatures that do not validate in older versions of cosign. This only applies to "keyless" experimental mode. To opt out of this behavior, use: --fulcio-url=https://fulcio.sigstore.dev when signing payloads (#1127)
BREAKING [cosign/pkg]: SignedEntryTimestamp is now of type []byte. To get the previous behavior, call strfmt.Base64(SignedEntryTimestamp) (#1083)
cosign-linux-pivkey-amd64 releases are now of the form cosign-linux-pivkey-pkcs11key-amd64 (#1052)
Releases are now additionally signed using the keyless workflow (#1073, #1111)

Enhancements

Validate the whole attestation statement, not just the predicate (#1035)
Added the options to replace attestations using cosign attest --replace (#1039)
Added URI to cosign verify-blob output (#1047)
Signatures and certificates created by cosign sign and cosign sign-blob can be output to file using the --output-signature and --output-certificate flags, respectively (#1016, #1093, #1066, #1095)
[cosign/pkg] Added the pkg/oci/layout package for storing signatures and attestations on disk (#1040, #1096)
[cosign/pkg] Added mutate methods to attach oci.Files to oci.Signed* objects (#1084)
Added the --signature-digest-algorithm flag to cosign verify, allowing verification of container image signatures which were generated with a non-SHA256 signature algorithm (#1071)
Builds should now be reproducible (#1053)
Allows base64 files as --cert in cosign verify-blob (#1088)
Kubernetes secrets generated for version >= 1.21 clusters have the immutible bit set (#1091)
Added cosign save and cosign load commands to save and upload container images and associated signatures to disk (#1094)
cosign sign will no longer fail to sign private images in keyless mode without --force (#1116)
cosign verify now supports signatures stored in files and remote URLs with --signature (#1068)
cosign verify now supports certs stored in files (#1095)
Added support for syft format in cosign attach sbom (#1137)

Bug Fixes

Fixed verification of Rekor bundles for InToto attestations (#1030)
Fixed a potential memory leak when signing and verifying with security keys (#1113)

Contributors

Ashley Davis (@SgtCoDFish)
Asra Ali (@asraa)
Batuhan Apaydın (@developer-guy)
Brandon Philips (@philips)
Carlos Alexandro Becker (@caarlos0)
Carlos Panato (@cpanato)
Christian Rebischke (@shibumi)
Dan Lorenc (@dlorenc)
Erkan Zileli (@erkanzileli)
Furkan Türkal (@Dentrax)
garantir-km (@garantir-km)
Jake Sanders (@dekkagaijin)
jbpratt (@jbpratt)
Matt Moore (@mattmoor)
Mikey Strauss (@houdini91)
Naveen Srinivasan (@naveensrinivasan)
Priya Wadhwa (@priyawadhwa)
Sambhav Kothari (@samj1912)

Changelog

50315fc remove obsolete --output flag (#1146)
a1efb18 add relnotes for v1.4.0 (#1145)
a47a835 feat: enable --check flag of addlicense (#1135)
e48db5a Add support for syft json type to cosign (#1137)
7de7387 Use --recursive flag in sign example (#1143)
6d8cec1 Fixed a typo in README.md (#1142)
63e9342 cjson - Move to go-securesystemslib (#1141)
e233ce8 update ghcr.io/gythialy/golang-cross to use go 1.17.4 (#1133)
a05dc7b Bump deps (#1132)
7e5ff00 send User-Agent string w/ rekor, fulcio, and ggcr HTTP requests (#1131)
dbb2a17 Switch (temporarily) the fulcio endpoint to our new v1 service. (#1127)
9076d71 feat: sign --output-certificate and verify --cert (#1095)
034e946 Update output to note when signatures are pushed (#1117)
54fb569 feat: support signature file in verify cmd (#1068)
ec00f69 Make the transparency log upload non-fatal. (#1116)
1da6742 have rekor.NewSigner accept a *client.Rekor instead of a URL (#1115)
ac7e33c call Close() on security keys before returning error (#1113)
2294fd4 Add Fulcio v1 root to the cosign (#1112)
304c2b2 continued sign refacc (#1098)
a035b27 add keyless to the binaries and send to tlog and update release docs (#1111)
9555f33 use hashed rekord type for tlog upload (#1081)
6fc942b plumb context through to tlog requests (#1103)
fcc8256 minor: supply ShouldUploadToTlog with context (#1104)
690853e Bump non-k8s deps (#1102)
040ed3d feat(ci): Add Gofish support (#996)
79f0247 Bump go-containerregistry to pickup the update to image-spec (#1092)
2dc6e4f Add support for storing attestations in oci/layout (#1096)
98cf544 Update slsa-provenance predicate to v0.2 (#1054)
7ec91a4 Add cosign save and cosign load commands (#1094)
e1141af refactoring signature logic (#1065)
4274149 fix: alias output to output-signature on sign-blob (#1093)
86bf37f feat(k8s): set secret immutable by default for 1.21 (#1091)
2cc9c9a Bump client-go and viper. (#1089)
aff2e37 feat: verify-blob --cert base64 (#1088)
5586790 fix: reproducible builds (#1053)
1974064 Add flag for manually specifying a hash algo when verifying (#1071)
90e2dcf Prune a few dependencies from ./pkg/oci (#1085)
eed3e12 Add mutate.AttachFileTo* for attaching SBOMs. (#1084)
e1acd18 Drop strfmt.Base64 from pkg/oci. (#1083)
f8f0f6d Add layout package for writing and loading signatures from disk (#1040)
9cf8c3f Bump some deps that dependabot missed. (#1079)
18318ba implement output-signature and output-certificate flags (#1016)
857d9a5 adding keyless (#1073)
01b6c8f sync go mod (#1072)
943e824 feat: add output flag for signCmd (#1066)
d673477 Add PKCS11 tag in releaser and Makefile for Mac and Windows (#1052)
413d06e fix root path (#1062)
e868a54 cmd: update triangulate help command (#1061)
d48fe25 verify-blob: add URI to verify-blob output (#1047)
c5e3393 cmd: update clean command help (#1058)
bada59e remove reverseDSSEVerifier in favor of using DSSE utilities directly (#1056)
3e43108 Remove img field from sigLayer (#1042)
ccc4468 feat: replace option for same attestation (#1039)
5468ddc Patch support attestation log search and bundle to payload hash check (#1030)
fe00315 README: simplify the install section (#1049)
cd7e6a8 verify-blob: make the signature flag mandatory (#1045)
6ed55d6 split private signature and attestation verification fns (#1043)
c338616 PKCS11: Fix certificate check (#1041)
f1ec3a6 update ggcr to HEAD to eliminate (false) vuln finding (#1044)
89f3590 Adds a test to the cosigned e2e suite with multiple keys. (#943)
c85db3a release: update cosign to 1.3.1 (#1038)
84c94b6 feat: validate whole statement not just predicate part (#1035)

Thanks for all contributors!

Contributors

philips, naveensrinivasan, and 16 other contributors

Assets 70

11 Nov 20:06

sigstore-bot

v1.3.1

645ebf0

v1.3.1

Breaking Changes

[cosign/pkg]: cosign.Verify has been removed in favor of explicit cosign.VerifyImageSignatures and cosign.VerifyImageAttestations
(#1026)

Enhancements

Add ability for verify-blob to find signing cert in transparency log (#991)
root policy: add optional issuer to maintainer keys (#999)
PKCS11 signing support (#985)
Included timeout option for uploading to Rekor (#1001)

Bug Fixes

Bump sigstore/sigstore to pickup a fix for azure kms (#1011 / #1028)

Contributors

Asra Ali (@asraa)
Batuhan Apaydın (@developer-guy)
Carlos Panato (@cpanato)
Dan Lorenc (@dlorenc)
Dennis Leon (@DennisDenuto)
Erkan Zileli (@erkanzileli)
Furkan Türkal (@Dentrax)
garantir-km (@garantir-km)
Jake Sanders (@dekkagaijin)
Naveen (@naveensrinivasan)

Changelog

645ebf0 add change to 1.3.1 changelog (#1036)
5a33731 remove Verify in favor of explicit VerifyImage{Signatures, Attestations} (#1026)
5d866c3 fix help msg upload=>no-upload (#1033)
076e179 add changelog for v1.3.1 (#1032)
c2c3a1d fix variable (#1031)
ff2104c ci: update oidc ci tests (#1029)
ce7cf28 update sigstore/sigstore to v1.0.1 (#1028)
0c771f8 Bump the thales pkcs11 library to v1.2.5 (#1009)
cb41bd4 make the purpose of secrets checked into .github/workflows explicit (#1025)
5a350e4 fix(doc): add an example for existing option on verify-blob command (#1024)
c0744b3 Add the missing GIT_HASH env var in the post-submit github-oidc.yaml action. (#1022)
88313ee Remove fuzzing check - unsupported go-fuzz (#1020)
d442592 Included timeout option for uploading to Rekor (#1001)
d3440b5 remove not needed dockerfiles (#1017)
82c9cee refactor release process to use ko to build the images (#1008)
55471fc Add an initial comparison document between nv2 and cosign. (#1014)
bb05c81 Bump sigstore/sigstore to pickup a fix for azure kms. (#1011)
db34c33 refactor version and add version command to sget (#1010)
391bac3 Bump k8s.io/apimachinery and opa. (#1004)
7066f12 PKCS11 signing support (#985)
9b9cd94 add optional issuer to root policy (#999)
5deaca0 Add ability for verify-blob to find signing cert in transparency log (#991)
6573dcd update automation to use 1.3.0 release (#997)
c6c032e update deps, go mod tidy (#994)

Thanks for all contributors!

Contributors

naveensrinivasan, dekkagaijin, and 8 other contributors

Assets 50

03 Nov 00:40

sigstore-bot

v1.3.0

a91aa20

v1.3.0

Release 1.3.0

Highlights

BREAKING: verify-manifest is now manifest verify (#712)
BREAKING: /pkg has been heavily refactored. Further refactoring work will make its way into 1.4.0
WARNING: The CLI now uses POSIX-style (double-dash --flag) for long-form flags. It will temporarily accept the single-dash -flag form with a warning, which will become an error in a future release (#835)
Added sget as part of Cosign's releases (#752)
The copasetic utility was unceremoniously baleeted (#785)

Enhancements

Began reworking /pkg around new abstrations for signing, verification, and storage (#666)
- Notice: refactoring of /pkg will continue in the next minor release (1.4.0). Please leave feedback, especially if you've been experimenting with cosign as a library and found it lacking (#844)
- GGCR-style libraries for interacting with images now exist under pkg/oci (#770)
- pkg/cosign/remote.UploadSignature API was been removed in favor of new pkg/oci/remote APIs (#774)
- The function signature of cosign.Verify was changed so that callers must be explicit about which signatures (or attestations) to verify. For matching signatures, see also cosign.Verify{Signatures,Attestations} (#782)
- Removed cremote.UploadFile in favor of static.NewFile and remote.Write (#797)
Innumerable other improvements to the codebase and automation (Makin me look bad, @mattmoor)
Migrated the CLI to cobra (Welcome to the team, @n3wscott)
Added the --allow-insecure-registry flag to disable TLS verification when interacting with insecure (e.g. self-signed) container registries (#669)
🔒 cosigned now includes a mutating webhook that resolves image tags to digests (#800)
🔒 The cosigned validating webhook now requires image digest references (#799)
The cosigned webhook now ignores resources that are being deleted (#803)
The cosigned webhook now supports resolving private images that are authenticated via imagePullSecrets (#804)
manifest verify now supports verifying images in all Kubernetes objects that fit within PodSpec, PodSpecTemplate, or JobSpecTemplate, including CRDs (#697)
Added shell auto-completion support (Clutch collab from @erkanzileli, @passcod, and @Dentrax! #836)
cosign has generated Markdown docs available in the doc/ directory (#839)
Added support for verifying with secrets from a Gitlab project (#934)
Added a --k8s-keychain option that enables cosign to support ambient registry credentials based on the "k8schain" library (#972)
CI (test) Images are now created for every architecture distroless ships on (currently: amd64, arm64, arm, s390x, ppc64le) (#973)
attest: replaced --upload flag with a --no-upload flag (#979)

Bug Fixes

cosigned now verifies CronJob images (Terve, @vaikas #809)
Fixed the verify --cert-email option to actually work (Sweet as, @passcod #821)
public-key -sk no longer causes error: x509: unsupported public key type: *crypto.PublicKey (#864)
Fixed interactive terminal support in Windows (#871)
The -ct flag is no longer ignored in upload blob (#910)

Contributors

Aditya Sirish (@adityasaky)
Asra Ali (@asraa)
Axel Simon (@axelsimon)
Batuhan Apaydın (@developer-guy)
Brandon Mitchell (@sudo-bmitch)
Carlos Panato (@cpanato)
Chao Lin (@blackcat-lin)
Dan Lorenc (@dlorenc)
Dan Luhring (@luhring)
Eng Zer Jun (@Juneezee)
Erkan Zileli (@erkanzileli)
Félix Saparelli (@passcod)
Furkan Türkal (@Dentrax)
Hector Fernandez (@hectorj2f)
Ivan Font (@font)
Jake Sanders (@dekkagaijin)
Jason Hall (@imjasonh)
Jim Bugwadia (@JimBugwadia)
Joel Kamp (@mrjoelkamp)
Luke Hinds (@lukehinds)
Matt Moore (@mattmoor)
Naveen (@naveensrinivasan)
Olivier Gaumond (@oliviergaumond)
Priya Wadhwa (@priyawadhwa)
Radoslav Gerganov (@rgerganov)
Ramkumar Chinchani (@rchincha)
Rémy Greinhofer (@rgreinho)
Scott Nichols (@n3wscott)
Shubham Palriwala (@ShubhamPalriwala)
Viacheslav Vasilyev (@avoidik)
Ville Aikas (@vaikas)

Full Changelog

a91aa20 Fix the release (#987)
ae36ba5 update changelog for 1.3.0 (#986)
6d5f08c Bump opa and apis. (#980)
daa78e4 Add luhring to codeowners (#981)
58f8d20 Invert upload flag to allow for not uploading attestation (#979)
0ebe3b5 refactor: move from io/ioutil to io and os packages (#978)
79c0dc9 Remove commented out sections in CI configs (#960)
c875e7e Bump google.golang.org/api and github.com/go-openapi/strfmt. (#975)
bd469e7 Fixed modtime for reproducible goreleaser (#971)
70138fb Ship multi-arch images for all the cosign components. (#973)
fbe6fab Add support for using k8schain under a flag. (#972)
51803c2 Fix cosign attach sbom with COSIGN_REPOSITORY. (#970)
6f3aec5 Included trimpath in goreleaser (#968)
bfeb7d4 Add issuer URL to the verification blob. (#967)
c45f841 Have download sbom use the Attachment API. (#965)
068a277 Return better errors from cosigned (#964)
7957228 Make the DSSE wrapped private. (#966)
0bf537f release: fix registry name, push to gcr and not to ghcr (#958)
9314b85 Add a "filesystem" OIDC provider. (#956)
2f6560f Use setup-ko. (#957)
46e2740 Allow disabling verifySCT. (#955)
19fce84 Improve GitHub OIDC example (#954)
7c48e9a feat: extract pub key from GitLab (#941)
91bb398 fix codeql workflow permission (#951)
1f67ea7 cmd/policy: ability to pass expire days (#938)
7e295f1 Scorecard improvements (#949)
be6ab36 Reproducible builds with trimpath (#944)
b753a22 fix: Fixed multiple public keys issue (#942)
9f80297 Verify a signature using secrets from a gitlab project (#934)
9e304d1 Return k8schain error. (#937)
23ccfd8 fix: add dollars (#933)
0915b41 Document Red Hat Quay support (#929)
b2351d3 Add keyless signing w/ storage in rekor to FUN.md (#924)
9e406b3 fix issue 919 (#930)
617bc78 docs: fix broken link (#926)
fc58838 Bump go-github, go-gitlab, and cloudstorage. (#922)
f482fff Hook up k8schain to verification. (#920)
dcfb11d Don't ignore the media type flag to upload-blob! (#910)
0bab648 Add the OIDC options to AttestOptions. (#918)
f34112c Bump in-toto and cloud storage. (#909)
2594f7a Fix two bugs in the pivkey code related to cleanup and certs. (#912)
699fab4 Add Attachment to empty. (#911)
c9bf33a add Attachment to SignedEntity (#857)
7991c87 Bump dependencies and tidy. (#902)
7dd85a7 Fix the KO_VERSION variable in the post-merge container build. (#905)
19300db Replace predicate file path with io.Reader (#904)
42e5df0 Sign without pulling from the registry (#903)
7d2d51d update root ux (#747)
e2f034e feat: store public key within GitHub/GitLab variable (#900)
a1180fa Pin crane dependency used in e2e tests (#896)
c041930 verify: add support for rsapkcs15 keys (#851)
a9aa82b Fix verify-blob error message (#676) (#895)
5e54075 Fix verify command line options (#894)
aa1028f Fix CI (#897)
8e3be12 Add a test/example for signing using GitHub OIDC (#901)
0605155 fix: use GITLAB_HOST env var name (#899)
8588a92 fix: show reasons of the rego validations (#885)
4c5112c fix: safer way to install google/ko (#889)
37bcea0 Error with the filename provided (#891)
5499d63 chore: KO_VERSION as environment var (#886)
42ec945 Clarify how to install sget (#882)
a064fab Re-expose commands. (#883)
f85fe3f chore: add image details to the error msg (#875)
5302c87 add github&gitlab reference support to generate-key-pair (#848)
8a67024 fix: make isTerminal suitable for windows (#871)
a04f060 disable usage on errors (#878)
1bd3067 added keyvault doc (#870)
cc4ce1b Remove the preallocation of signatures slice. (#869)
2ba1605 Allow cosigned to validate Fulcio signatures. (#867)
b0408bf feat: add validation for predicates via cue or rego policy files support (#641)
278ad7d make COSIGN_REPOSITORY use explicit again (#860)
142e7ed fix x509: unsupported public key type: *crypto.PublicKey (#864)
c79fa81 TagOptions -> ReferenceOptions (#863)
5c1240b feat: add custom signature tag registry options (#808)
2f6a293 release: update golang-cross image to image tag v1.17.2 (#861)
d49fa54 [root policy] Add root policy signing (#856)
0142711 get rid of "." in default tag suffixes (#853)
2919bf0 oic. -> oci. (#852)
9962e87 Add changelog for v1.3.0 (#849)
37000c8 update select dependencies (#850)
e6d08d6 support user customizable predicates (#847)
75c326b move make help below the default rules so that naked make does the right thing (#845)
6c5c65f Only run CI on PRs and push to main or releases (#842)
06...