Cosign v1.5.0 Release Notes
Highlights
- enable sbom generation when releasing (https://github.com/sigstore/cosign/pull/1261)
- feat: log error to stderr (https://github.com/sigstore/cosign/pull/1260)
- feat: support attach attestation (https://github.com/sigstore/cosign/pull/1253)
- feat: resolve --cert from URL (https://github.com/sigstore/cosign/pull/1245)
- feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1237)
- feat: vuln attest support (https://github.com/sigstore/cosign/pull/1168)
- feat: add ambient credential detection with spiffe/spire (https://github.com/sigstore/cosign/pull/1220)
- feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1236)
- feat: implement cosign download attestation (https://github.com/sigstore/cosign/pull/1216)
Enhancements
- Don't use k8schain, statically link cloud cred helpers in cosign (https://github.com/sigstore/cosign/pull/1279)
- Export function to verify individual signature (https://github.com/sigstore/cosign/pull/1334)
- Add suffix with digest to signature file output for recursive signing (https://github.com/sigstore/cosign/pull/1267)
- Take OIDC client secret into account (https://github.com/sigstore/cosign/pull/1310)
- Add --bundle flag to sign-blob and verify-blob (https://github.com/sigstore/cosign/pull/1306)
- Add flag to verify OIDC issuer in certificate (https://github.com/sigstore/cosign/pull/1308)
- add OSSF scorecard action (https://github.com/sigstore/cosign/pull/1318)
- Add TUF timestamp to attestation bundle (https://github.com/sigstore/cosign/pull/1316)
- Provide certificate flags to all verify commands (https://github.com/sigstore/cosign/pull/1305)
- Bundle TUF timestamp with signature on signing (https://github.com/sigstore/cosign/pull/1294)
- Add support for importing PKCS#8 private keys, and add validation (https://github.com/sigstore/cosign/pull/1300)
- add error message (https://github.com/sigstore/cosign/pull/1296)
- Move bundle out of oci and into bundle package (https://github.com/sigstore/cosign/pull/1295)
- Reorganize verify-blob code and add a unit test (https://github.com/sigstore/cosign/pull/1286)
- One-to-one mapping of invocation to scan result (https://github.com/sigstore/cosign/pull/1268)
- refactor common utilities (https://github.com/sigstore/cosign/pull/1266)
- Importing RSA and EC keypairs (https://github.com/sigstore/cosign/pull/1050)
- Refactor the tuf client code. (https://github.com/sigstore/cosign/pull/1252)
- Moved certificate output before checking for upload during signing (https://github.com/sigstore/cosign/pull/1255)
- Remove remaining ioutil usage (https://github.com/sigstore/cosign/pull/1256)
- Update the embedded TUF metadata. (https://github.com/sigstore/cosign/pull/1251)
- Add support for other public key types for SCT verification, allow override for testing. (https://github.com/sigstore/cosign/pull/1241)
- Log the proper remote repo for the signatures on verify (https://github.com/sigstore/cosign/pull/1243)
- Do not require multiple Fulcio certs in the TUF root (https://github.com/sigstore/cosign/pull/1230)
- clean up references to 'keyless' in ephemeral.Signer (https://github.com/sigstore/cosign/pull/1225)
- create DSSEAttestor interface, payload.DSSEAttestor implementation (https://github.com/sigstore/cosign/pull/1221)
- use mutate.Signature in the new Signers (https://github.com/sigstore/cosign/pull/1213)
- create mutate functions for oci.Signature (https://github.com/sigstore/cosign/pull/1199)
- add a writeable $HOME for the nonroot cosigned user (https://github.com/sigstore/cosign/pull/1209)
- signing attestation should private key (https://github.com/sigstore/cosign/pull/1200)
- Remove the "upload" flag for "cosign initialize" (https://github.com/sigstore/cosign/pull/1201)
- create KeylessSigner (https://github.com/sigstore/cosign/pull/1189)
Bug Fixes
- fix: cosign verify for vault (https://github.com/sigstore/cosign/pull/1328)
- fix missing goimports (https://github.com/sigstore/cosign/pull/1327)
- Fix TestSignBlobBundle (https://github.com/sigstore/cosign/pull/1320)
- Fix a couple bugs in cert verification for blobs (https://github.com/sigstore/cosign/pull/1287)
- Fix a few bugs in cosign initialize (https://github.com/sigstore/cosign/pull/1280)
- Fix the unit tests with expired TUF metadata. (https://github.com/sigstore/cosign/pull/1270)
- Fix output-file flag. (https://github.com/sigstore/cosign/pull/1264)
- fix: typo in the error message (https://github.com/sigstore/cosign/pull/1250)
- Fix semantic bugs in attestation verification. (https://github.com/sigstore/cosign/pull/1249)
- Fix semantic bug in DSSE specification. (https://github.com/sigstore/cosign/pull/1248)
Others
- Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (https://github.com/sigstore/cosign/pull/1343)
- Bump recommended Go development version in README (https://github.com/sigstore/cosign/pull/1340)
- Bump the snapshot and timestamp roles metadata from root signing. (https://github.com/sigstore/cosign/pull/1339)
- Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.10 to 2.0.0-beta.11 (https://github.com/sigstore/cosign/pull/1336)
- update go-github to v42 release (https://github.com/sigstore/cosign/pull/1335)
- install latest release for ko instead of head of main branch (https://github.com/sigstore/cosign/pull/1333)
- remove wrong settings in the gcp auth for gh actions (https://github.com/sigstore/cosign/pull/1332)
- update gcp setup for the GH action (https://github.com/sigstore/cosign/pull/1330)
- update some dependencies (https://github.com/sigstore/cosign/pull/1326)
- Verify checksum of downloaded utilities during CI (https://github.com/sigstore/cosign/pull/1322)
- pin github actions by digest (https://github.com/sigstore/cosign/pull/1319)
- Bump google.golang.org/api from 0.64.0 to 0.65.0 (https://github.com/sigstore/cosign/pull/1303)
- Bump cuelang.org/go from 0.4.0 to 0.4.1 (https://github.com/sigstore/cosign/pull/1302)
- Bump github.com/xanzy/go-gitlab from 0.54.2 to 0.54.3 (https://github.com/sigstore/cosign/pull/1292)
- update import documentation (https://github.com/sigstore/cosign/pull/1290)
- update release image to use go 1.17.6 (https://github.com/sigstore/cosign/pull/1284)
- Bump google.golang.org/api. (https://github.com/sigstore/cosign/pull/1283)
- Bump opa and go-gitlab. (https://github.com/sigstore/cosign/pull/1281)
- Update SBOM spec to indicate compat for syft (https://github.com/sigstore/cosign/pull/1278)
- Bump miekg/pkcs11 (https://github.com/sigstore/cosign/pull/1275)
- Update signature spec with timestamp annotation (https://github.com/sigstore/cosign/pull/1274)
- Pick up latest knative.dev/pkg, and k8s 0.22 libs (https://github.com/sigstore/cosign/pull/1269)
- Bump sigstore/sigstore. (https://github.com/sigstore/cosign/pull/1247)
- Spelling (https://github.com/sigstore/cosign/pull/1246)
- Use ${{github.repository}} placeholder in OIDC GitHub workflow (https://github.com/sigstore/cosign/pull/1244)
- update codeowners list with missing codeowners (https://github.com/sigstore/cosign/pull/1238)
- update build images for release and bump cosign in the release job (https://github.com/sigstore/cosign/pull/1234)
- update deps (https://github.com/sigstore/cosign/pull/1222)
- nit: add comments to Signer interface (https://github.com/sigstore/cosign/pull/1228)
- update google.golang.org/api from 0.62.0 to 0.63.0 (https://github.com/sigstore/cosign/pull/1214)
- update snapshot and timestamp (https://github.com/sigstore/cosign/pull/1211)
- Bump github.com/spf13/viper from 1.9.0 to 1.10.0 (https://github.com/sigstore/cosign/pull/1198)
- Bump the DSSE library and handle manual changes in the API. (https://github.com/sigstore/cosign/pull/1191)
- nit: drop every section title down a level (https://github.com/sigstore/cosign/pull/1188)
Contributors
- Andrew Block (@sabre1041)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Bob Callaway (@bobcallaway)
- Carlos Alexandro Becker (@caarlos0)
- Carlos Tadeu Panato Junior (@cpanato)
- Dan Lorenc (@dlorenc)
- Hayden Blauzvern (@haydentherapper)
- Hector Fernandez (@hectorj2f)
- Itxaka (@Itxaka)
- Ivan Wallis (@venafi-iw)
- Jake Sanders (@dekkagaijin)
- Jason Hall (@imjasonh)
- Josh Dolitsky (@jdolitsky)
- Josh Soref (@jsoref)
- Matt Moore (@mattmoor)
- Morten Linderud (@Foxboron)
- Priya Wadhwa (@priyawadhwa)
- Radoslav Gerganov (@rgerganov)
- Rob Best (@ribbybibby)
- Sambhav Kothari (@samj1912)
- Ville Aikas (@vaikas)
- Zack Newman (@znewman01)