Cosign v1.4.0 Release Notes

Highlights

- 🔥 BREAKING [COSIGN_EXPERIMENTAL]: This and future `cosign` releases will generate signatures that do not validate in older versions of `cosign`. This only applies to "keyless" experimental mode. To opt out of this behavior, use `--fulcio-url=https://fulcio.sigstore.dev` when signing payloads (https://github.com/sigstore/cosign/pull/1127)
- 🔥 BREAKING [cosign/pkg]: `SignedEntryTimestamp` is now of type `[]byte`. To get the previous behavior, call `strfmt.Base64(SignedEntryTimestamp)` (https://github.com/sigstore/cosign/pull/1083)
- `cosign-linux-pivkey-amd64` releases are now of the form `cosign-linux-pivkey-pkcs11key-amd64` (https://github.com/sigstore/cosign/pull/1052)
- Releases are now additionally signed using the keyless workflow (https://github.com/sigstore/cosign/pull/1073, https://github.com/sigstore/cosign/pull/1111)
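The `[cosign/pkg]` change above affects only the Go type, not what goes on the wire. The Go program below is an added illustration, not code from cosign itself: it builds a minimal bundle with `SignedEntryTimestamp` as `[]byte`, verifies the SET directly against the raw bytes (no base64 decode step), and checks that `encoding/json` still emits the same base64 string the old `strfmt.Base64` form produced. The `bundlePayload` struct, the `signSET`/`verifySET` helpers and the sample values are constructed for this example; real cosign canonicalizes the payload with a JSON canonicalizer (RFC 8785) before hashing, which is simplified here to `encoding/json` field order.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// bundlePayload holds the fields a Rekor bundle payload carries.
// Illustrative struct for this example; it is not cosign's own type.
type bundlePayload struct {
	Body           string `json:"body"`
	IntegratedTime int64  `json:"integratedTime"`
	LogIndex       int64  `json:"logIndex"`
	LogID          string `json:"logID"`
}

// bundle is the post-1.4.0 shape: SignedEntryTimestamp is a plain []byte.
type bundle struct {
	SignedEntryTimestamp []byte        `json:"SignedEntryTimestamp"`
	Payload              bundlePayload `json:"Payload"`
}

// canonical serializes the payload deterministically. encoding/json writes
// struct fields in declaration order with no whitespace; cosign itself uses
// a JSON canonicalizer, so this is a simplification (assumption).
func canonical(p bundlePayload) ([]byte, error) {
	return json.Marshal(p)
}

// signSET mimics a log producing a SET: ECDSA over SHA-256 of the canonical
// payload (assumption for this example).
func signSET(priv *ecdsa.PrivateKey, p bundlePayload) ([]byte, error) {
	c, err := canonical(p)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(c)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// verifySET checks the SET against the raw bytes; with the 1.4.0 type there
// is no base64 decode before verification.
func verifySET(pub *ecdsa.PublicKey, b bundle) (bool, error) {
	c, err := canonical(b.Payload)
	if err != nil {
		return false, err
	}
	h := sha256.Sum256(c)
	return ecdsa.VerifyASN1(pub, h[:], b.SignedEntryTimestamp), nil
}

// legacyString reproduces the textual form of the old strfmt.Base64 type,
// a named []byte whose string form is standard base64 (assumption, stated so
// the example stays stdlib-only).
func legacyString(set []byte) string {
	return base64.StdEncoding.EncodeToString(set)
}

// wireUnchanged shows the JSON wire format did not change: encoding/json
// base64-encodes a []byte field, matching the pre-1.4.0 string form.
func wireUnchanged(b bundle) (bool, error) {
	raw, err := json.Marshal(b)
	if err != nil {
		return false, err
	}
	var m struct {
		SignedEntryTimestamp string `json:"SignedEntryTimestamp"`
	}
	if err := json.Unmarshal(raw, &m); err != nil {
		return false, err
	}
	return m.SignedEntryTimestamp == legacyString(b.SignedEntryTimestamp), nil
}

// example runs the flow on constructed values and reports the three facts a
// caller migrating to 1.4.0 cares about.
func example() (verified, tamperedVerified, sameWire bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	p := bundlePayload{ // constructed sample values, not a real log entry
		Body:           "eyJraW5kIjoiaGFzaGVkcmVrb3JkIn0=",
		IntegratedTime: 1637000000,
		LogIndex:       42,
		LogID:          "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
	}
	set, err := signSET(priv, p)
	if err != nil {
		return
	}
	b := bundle{SignedEntryTimestamp: set, Payload: p}
	if verified, err = verifySET(&priv.PublicKey, b); err != nil {
		return
	}
	tampered := b
	tampered.Payload.LogIndex++ // any payload change must break the SET
	if tamperedVerified, err = verifySET(&priv.PublicKey, tampered); err != nil {
		return
	}
	sameWire, err = wireUnchanged(b)
	return
}

func main() {
	v, t, w, err := example()
	fmt.Println("verified:", v, "tampered verified:", t, "wire unchanged:", w, "err:", err)
}
```

The practical consequence for downstream Go code: anything that compared or logged `SignedEntryTimestamp` as a string needs the `legacyString`-style wrap (or `strfmt.Base64(...)` as the note says), while verification code that previously decoded the string can now pass the bytes straight through.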
✨ Enhancements

- Validate the whole attestation statement, not just the predicate (https://github.com/sigstore/cosign/pull/1035)
- Added the option to replace attestations using `cosign attest --replace` (https://github.com/sigstore/cosign/pull/1039)
- Added URI to `cosign verify-blob` output (https://github.com/sigstore/cosign/pull/1047)
- Signatures and certificates created by `cosign sign` and `cosign sign-blob` can be output to file using the `--output-signature` and `--output-certificate` flags, respectively (https://github.com/sigstore/cosign/pull/1016, https://github.com/sigstore/cosign/pull/1093, https://github.com/sigstore/cosign/pull/1066, https://github.com/sigstore/cosign/pull/1095)
- [cosign/pkg] Added the `pkg/oci/layout` package for storing signatures and attestations on disk (https://github.com/sigstore/cosign/pull/1040, https://github.com/sigstore/cosign/pull/1096)
- [cosign/pkg] Added `mutate` methods to attach `oci.File`s to `oci.Signed*` objects (https://github.com/sigstore/cosign/pull/1084)
- Added the `--signature-digest-algorithm` flag to `cosign verify`, allowing verification of container image signatures which were generated with a digest algorithm other than SHA-256 (https://github.com/sigstore/cosign/pull/1071)
- Builds should now be reproducible (https://github.com/sigstore/cosign/pull/1053)
- Allows base64 files as `--cert` in `cosign verify-blob` (https://github.com/sigstore/cosign/pull/1088)
- Kubernetes secrets generated for version >= 1.21 clusters have the immutable bit set (https://github.com/sigstore/cosign/pull/1091)
- Added `cosign save` and `cosign load` commands to save a container image and its associated signatures to disk and upload them back to a registry (https://github.com/sigstore/cosign/pull/1094)
- `cosign sign` will no longer fail to sign private images in keyless mode without `--force` (https://github.com/sigstore/cosign/pull/1116)
- `cosign verify` now supports signatures stored in files and remote URLs with `--signature` (https://github.com/sigstore/cosign/pull/1068)
- `cosign verify` now supports certs stored in files (https://github.com/sigstore/cosign/pull/1095)
- Added support for `syft` format in `cosign attach sbom` (https://github.com/sigstore/cosign/pull/1137)
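The `--signature-digest-algorithm` flag exists because an ECDSA signature commits to a digest, not to the payload itself, so the verifier has to hash with the same algorithm the signer used; a mismatch is indistinguishable from a bad signature. The Go program below is an added illustration, not cosign code: it signs a constructed simple-signing payload over SHA-512 and shows that verifying with the SHA-256 default fails while SHA-512 succeeds. The payload contents and the `digest`/`signPayload`/`verifyPayload` helpers are this example's own.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	_ "crypto/sha256" // registers crypto.SHA256
	_ "crypto/sha512" // registers crypto.SHA512
	"errors"
	"fmt"
)

// digest hashes the signing payload with the chosen algorithm. The hash must
// be linked into the binary (hence the blank imports) or Available() is false.
func digest(alg crypto.Hash, payload []byte) ([]byte, error) {
	if !alg.Available() {
		return nil, errors.New("digest algorithm not available: " + alg.String())
	}
	h := alg.New()
	h.Write(payload)
	return h.Sum(nil), nil
}

// signPayload signs the digest of the payload. ECDSA never sees the payload,
// only the digest, so the digest choice is part of the signature's meaning.
// Go truncates a digest longer than the curve order, as with SHA-512 on P-256.
func signPayload(priv *ecdsa.PrivateKey, alg crypto.Hash, payload []byte) ([]byte, error) {
	d, err := digest(alg, payload)
	if err != nil {
		return nil, err
	}
	return ecdsa.SignASN1(rand.Reader, priv, d)
}

// verifyPayload recomputes the digest with the algorithm the caller names and
// checks the signature against it. A wrong algorithm simply yields false.
func verifyPayload(pub *ecdsa.PublicKey, alg crypto.Hash, payload, sig []byte) (bool, error) {
	d, err := digest(alg, payload)
	if err != nil {
		return false, err
	}
	return ecdsa.VerifyASN1(pub, d, sig), nil
}

// example signs a constructed simple-signing payload with SHA-512, then
// verifies once with the SHA-256 default and once with SHA-512.
func example() (verifiedSHA256, verifiedSHA512 bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	// Constructed payload in the shape of a cosign simple-signing claim;
	// the reference and manifest digest are placeholders, not a real image.
	payload := []byte(`{"critical":{"identity":{"docker-reference":"registry.example/app"},` +
		`"image":{"docker-manifest-digest":"sha256:0000000000000000000000000000000000000000000000000000000000000000"},` +
		`"type":"cosign container image signature"},"optional":null}`)

	sig, err := signPayload(priv, crypto.SHA512, payload)
	if err != nil {
		return
	}
	if verifiedSHA256, err = verifyPayload(&priv.PublicKey, crypto.SHA256, payload, sig); err != nil {
		return
	}
	verifiedSHA512, err = verifyPayload(&priv.PublicKey, crypto.SHA512, payload, sig)
	return
}

func main() {
	s256, s512, err := example()
	fmt.Println("verified with sha256:", s256, "verified with sha512:", s512, "err:", err)
}
```

When a `cosign verify` of a known-good image fails after a signer changed hash algorithms, check the digest algorithm before suspecting the key or the payload: the failure mode above is exactly what the flag is for.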
🐛 Bug Fixes

- Fixed verification of Rekor bundles for in-toto attestations (https://github.com/sigstore/cosign/pull/1030)
- Fixed a potential memory leak when signing and verifying with security keys (https://github.com/sigstore/cosign/pull/1113)

Contributors

- Ashley Davis (@SgtCoDFish)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Brandon Philips (@philips)
- Carlos Alexandro Becker (@caarlos0)
- Carlos Panato (@cpanato)
- Christian Rebischke (@shibumi)
- Dan Lorenc (@dlorenc)
- Erkan Zileli (@erkanzileli)
- Furkan Türkal (@Dentrax)
- garantir-km (@garantir-km)
- Jake Sanders (@dekkagaijin)
- jbpratt (@jbpratt)
- Matt Moore (@mattmoor)
- Mikey Strauss (@houdini91)
- Naveen Srinivasan (@naveensrinivasan)
- Priya Wadhwa (@priyawadhwa)
- Sambhav Kothari (@samj1912)