Cosign v1.3.0 Release Notes

- 💥 BREAKING: `verify-manifest` is now `manifest verify` (https://github.com/sigstore/cosign/pull/712)
- 💥 BREAKING: `/pkg` has been heavily refactored. Further refactoring work will make its way into 1.4.0
- ⚠️ WARNING: The CLI now uses POSIX-style (double-dash `--flag`) long-form flags. It will temporarily accept the single-dash form with a warning, which will become an error in a future release (https://github.com/sigstore/cosign/pull/835)
- Added `sget` as part of Cosign's releases (https://github.com/sigstore/cosign/pull/752)
- The `copasetic` utility was unceremoniously baleeted (https://github.com/sigstore/cosign/pull/785)
✨ Enhancements
- Began reworking `/pkg` around new abstractions for signing, verification, and storage (https://github.com/sigstore/cosign/issues/666)
  - Notice: refactoring of `/pkg` will continue in the next minor release (1.4.0). Please leave feedback, especially if you've been experimenting with `cosign` as a library and found it lacking (https://github.com/sigstore/cosign/issues/844)
  - GGCR-style libraries for interacting with images now exist under `pkg/oci` (https://github.com/sigstore/cosign/pull/770)
  - The `pkg/cosign/remote.UploadSignature` API was removed in favor of the new `pkg/oci/remote` APIs (https://github.com/sigstore/cosign/pull/774)
  - The function signature of `cosign.Verify` was changed so that callers must be explicit about which signatures (or attestations) to verify. For matching signatures, see also `cosign.Verify{Signatures,Attestations}` (https://github.com/sigstore/cosign/pull/782)
  - Removed `cremote.UploadFile` in favor of `static.NewFile` and `remote.Write` (https://github.com/sigstore/cosign/pull/797)
- Innumerable other improvements to the codebase and automation (Makin' me look bad, @mattmoor)
- Migrated the CLI to `cobra` (Welcome to the team, @n3wscott)
- Added the `--allow-insecure-registry` flag to disable TLS verification when interacting with insecure (e.g. self-signed) container registries (https://github.com/sigstore/cosign/pull/669)
- `cosigned` now includes a mutating webhook that resolves image tags to digests (https://github.com/sigstore/cosign/pull/800)
- The `cosigned` validating webhook now requires image digest references (https://github.com/sigstore/cosign/pull/799)
- The `cosigned` webhook now ignores resources that are being deleted (https://github.com/sigstore/cosign/pull/803)
- The `cosigned` webhook now supports resolving private images that are authenticated via `imagePullSecrets` (https://github.com/sigstore/cosign/pull/804)
- 🏷️ `manifest verify` now supports verifying images in all Kubernetes objects that fit within `PodSpec`, `PodSpecTemplate`, or `JobSpecTemplate`, including CRDs (https://github.com/sigstore/cosign/pull/697)
- Added shell auto-completion support (Clutch collab from @erkanzileli, @passcod, and @Dentrax! https://github.com/sigstore/cosign/pull/836)
- `cosign` has generated Markdown docs available in the `doc/` directory (https://github.com/sigstore/cosign/pull/839)
- Added support for verifying with secrets from a GitLab project (https://github.com/sigstore/cosign/pull/934)
- Added a `--k8s-keychain` option that enables cosign to support ambient registry credentials based on the "k8schain" library (https://github.com/sigstore/cosign/pull/972)
- CI (test) images are now created for every architecture distroless ships on (currently: amd64, arm64, arm, s390x, ppc64le) (https://github.com/sigstore/cosign/pull/973)
- `attest`: replaced the `--upload` flag with a `--no-upload` flag (https://github.com/sigstore/cosign/pull/979)
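As an added illustration of the digest-reference requirement and of the `PodSpec` / `PodSpecTemplate` / `JobSpecTemplate` shapes listed above (example code written for these notes, not part of cosign or `cosigned`), a small check that walks a Kubernetes object and reports every container image that is still a mutable tag rather than a content digest. The sample manifests are constructed; the `pod_spec` locator assumes the standard workload layouts (Pod, Deployment-style `spec.template`, CronJob `spec.jobTemplate`).

```python
"""Digest-pinning check for Kubernetes workloads (added example, not cosign code)."""
import re

# A digest reference ends in "@sha256:<64 hex>"; tags can be re-pointed, digests cannot.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def is_digest_pinned(image: str) -> bool:
    """True when the image reference is pinned by content digest."""
    return DIGEST_RE.search(image) is not None


def pod_spec(obj: dict) -> dict:
    """Locate the PodSpec inside a Pod, a PodSpecTemplate-shaped object
    (Deployment, StatefulSet, DaemonSet, Job) or a JobSpecTemplate (CronJob).
    Assumes a well-formed object; unknown shapes yield an empty spec."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    if "jobTemplate" in spec:                          # CronJob -> Job -> Pod
        spec = spec["jobTemplate"].get("spec", {})
    return spec.get("template", {}).get("spec", {})    # PodSpecTemplate -> PodSpec


def image_refs(obj: dict) -> list:
    """Collect every container image reference, init and ephemeral containers included."""
    ps = pod_spec(obj)
    refs = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        refs.extend(c["image"] for c in ps.get(field, []) if "image" in c)
    return refs


def unpinned_images(obj: dict) -> list:
    """Images that a digest-requiring admission policy would reject."""
    return [ref for ref in image_refs(obj) if not is_digest_pinned(ref)]


# Constructed sample manifests (not real workloads).
CRONJOB = {"kind": "CronJob", "spec": {"jobTemplate": {"spec": {"template": {"spec": {
    "containers": [{"name": "backup", "image": "registry.example/backup:v1"}]}}}}}}
DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "initContainers": [{"name": "init", "image": "registry.example/init@sha256:" + "a" * 64}],
    "containers": [{"name": "web", "image": "registry.example/web@sha256:" + "b" * 64}]}}}}

if __name__ == "__main__":
    for obj in (CRONJOB, DEPLOYMENT):
        print(obj["kind"], "unpinned:", unpinned_images(obj))
```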
🐛 Bug Fixes
- 🏷️ `cosigned` now verifies `CronJob` images (Terve, @vaikas https://github.com/sigstore/cosign/pull/809)
- Fixed the `verify --cert-email` option to actually work (Sweet as, @passcod https://github.com/sigstore/cosign/pull/821)
- `public-key -sk` no longer causes `error: x509: unsupported public key type: *crypto.PublicKey` (https://github.com/sigstore/cosign/pull/864)
- Fixed interactive terminal support in Windows (https://github.com/sigstore/cosign/pull/871)
- The `-ct` flag is no longer ignored in `upload blob` (https://github.com/sigstore/cosign/pull/910)
Contributors
- Aditya Sirish (@adityasaky)
- Asra Ali (@asraa)
- Axel Simon (@axelsimon)
- Batuhan Apaydın (@developer-guy)
- Brandon Mitchell (@sudo-bmitch)
- Carlos Panato (@cpanato)
- Chao Lin (@blackcat-lin)
- Dan Lorenc (@dlorenc)
- Dan Luhring (@luhring)
- Eng Zer Jun (@Juneezee)
- Erkan Zileli (@erkanzileli)
- Félix Saparelli (@passcod)
- Furkan Türkal (@Dentrax)
- Hector Fernandez (@hectorj2f)
- Ivan Font (@font)
- Jake Sanders (@dekkagaijin)
- Jason Hall (@imjasonh)
- Jim Bugwadia (@JimBugwadia)
- Joel Kamp (@mrjoelkamp)
- Luke Hinds (@lukehinds)
- Matt Moore (@mattmoor)
- Naveen (@naveensrinivasan)
- Olivier Gaumond (@oliviergaumond)
- Priya Wadhwa (@priyawadhwa)
- Radoslav Gerganov (@rgerganov)
- Ramkumar Chinchani (@rchincha)
- Rémy Greinhofer (@rgreinho)
- Scott Nichols (@n3wscott)
- Shubham Palriwala (@ShubhamPalriwala)
- Viacheslav Vasilyev (@avoidik)
- Ville Aikas (@vaikas)