Cosign v1.12.1 Release Notes
Highlights
- Pulls the Fulcio root and intermediate when --certificate-chain is not passed to verify-blob. The v1.12.0 release introduced a regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob checked a --certificate (given without a --certificate-chain) against the operating system's root CA bundle instead of Fulcio's CA root, so the chain check no longer anchored at Fulcio. In this release, Cosign checks the certificate against Fulcio's CA root, restoring the earlier behavior.
Bug Fixes
- fix: fixing breaking changes in rekor v1.12.0 upgrade (https://github.com/sigstore/cosign/pull/2260)
- Fixed bug where intermediate certificates were not automatically read from the OCI chain annotation (https://github.com/sigstore/cosign/pull/2244)
- fix: add COSIGN_EXPERIMENTAL=1 for verify-blob (https://github.com/sigstore/cosign/pull/2254)
- fix: fix cert chain validation for verify-blob in non-experimental mode (https://github.com/sigstore/cosign/pull/2256)
- fix: fix secret test, non-experimental bundle should pass (https://github.com/sigstore/cosign/pull/2249)
- Fix e2e test failure, add test for local bundle without rekor bundle (https://github.com/sigstore/cosign/pull/2248)
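The highlight above comes down to which trust anchors go into the pool when verify-blob checks a --certificate. The following is an added example, not Cosign's own code: it generates two throwaway CAs in-process (a stand-in for Fulcio's root and an unrelated CA, no real Fulcio material), issues a short-lived code-signing leaf from each, and runs the same chain check with Go's standard crypto/x509 against (a) only the Fulcio stand-in and (b) a bundle that also holds the unrelated CA, the way an OS root bundle would. The names testCA, chainsTo, Outcome and Run are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testCA is a throwaway CA generated in-process (constructed test material,
// not Fulcio's real root); it stands in for "Fulcio's root" or "some other CA".
type testCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newTestCA(name string) (*testCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &testCA{cert: cert, key: key}, nil
}

// issueLeaf issues a short-lived code-signing certificate, the shape Fulcio hands a signer.
func (c *testCA) issueLeaf() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "signer"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(10 * time.Minute),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainsTo is the chain check: can leaf build a path to one of roots, with the
// code-signing EKU? Which roots go into the pool is the whole security question.
func chainsTo(leaf *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err == nil
}

// Outcome records how the same leaves fare against the two trust anchors.
type Outcome struct {
	GenuineLeafAtFulcio bool // Fulcio-issued leaf vs Fulcio root: passes
	ForeignLeafAtFulcio bool // leaf from the unrelated CA vs Fulcio root: fails, as it should
	ForeignLeafAtBundle bool // same foreign leaf vs a bundle holding its issuer: passes (the regression)
}

func Run() (Outcome, error) {
	fulcio, err := newTestCA("fulcio-test-root")
	if err != nil {
		return Outcome{}, err
	}
	other, err := newTestCA("unrelated-public-ca")
	if err != nil {
		return Outcome{}, err
	}
	genuine, err := fulcio.issueLeaf()
	if err != nil {
		return Outcome{}, err
	}
	foreign, err := other.issueLeaf()
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		GenuineLeafAtFulcio: chainsTo(genuine, fulcio.cert),
		ForeignLeafAtFulcio: chainsTo(foreign, fulcio.cert),
		// Stand-in for the OS root bundle: many roots, the foreign issuer among them.
		ForeignLeafAtBundle: chainsTo(foreign, fulcio.cert, other.cert),
	}, nil
}

func main() {
	out, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The third result is the v1.12.0 behavior in miniature: a leaf that any CA in the bundle signed passes the chain step, so the check stops saying anything about Fulcio having issued the certificate. The v1.12.1 behavior is the second result, anchoring only at Fulcio's root (and intermediate) when no --certificate-chain is given.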
Contributors
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Carlos Tadeu Panato Junior (@cpanato)
- Hayden Blauzvern (@haydentherapper)
- n3k0m4 (@n3k0m4)