Cosign v1.6.0 Release Notes
Security Fixes
- CVE-2022-23649 - Make sure signature in Rekor bundle matches signature being verified
Enhancements
- Change Fulcio URL default to be fulcio.sigstore.dev (https://github.com/sigstore/cosign/pull/1529)
- Add CertExtensions func to extract all extensions (https://github.com/sigstore/cosign/pull/1515)
- Add a dummy.go file to allow vendoring config (https://github.com/sigstore/cosign/pull/1520)
- Add skeleton reconciler for cosigned API CRD. (https://github.com/sigstore/cosign/pull/1513)
- use v6 api calls (https://github.com/sigstore/cosign/pull/1511)
- This sets up the scaffolding for the cosigned CRD types. (https://github.com/sigstore/cosign/pull/1504)
- add correct layer media type to attach attestation (https://github.com/sigstore/cosign/pull/1503)
- Pick up some of the shared workflows (https://github.com/sigstore/cosign/pull/1490)
- feat: support other types in copy cmd (https://github.com/sigstore/cosign/pull/1493)
- Pick up a change to quiet ECR-login logging. (https://github.com/sigstore/cosign/pull/1491)
- Merge pull request from GHSA-ccxc-vr6p-4858
- fix(sign): refactor unsupported provider log (https://github.com/sigstore/cosign/pull/1464)
- Print message when verifying with old TUF targets (https://github.com/sigstore/cosign/pull/1468)
- convert release cosigned to also generate yaml artifact. (https://github.com/sigstore/cosign/pull/1453)
- Streamline SignBlobCmd API with SignCmd (https://github.com/sigstore/cosign/pull/1454)
- feat: add -buildid= to ldflags (https://github.com/sigstore/cosign/pull/1451)
- Fetch verification targets by TUF custom metadata (https://github.com/sigstore/cosign/pull/1423)
- feat: fig autocomplete feature (https://github.com/sigstore/cosign/pull/1360)
- Improve log lines to match with implementation (https://github.com/sigstore/cosign/pull/1432)
- use the upstream kubernetes version lib and ldflags (https://github.com/sigstore/cosign/pull/1413)
- feat: enhance clean cmd capability (https://github.com/sigstore/cosign/pull/1430)
- Remove TUF timestamp from OCI signature bundle (https://github.com/sigstore/cosign/pull/1428)
- Allow PassFunc to be nil (https://github.com/sigstore/cosign/pull/1426)
- Add ability to override the Spiffe socket via environmental variable (https://github.com/sigstore/cosign/pull/1421)
- Improve error message when image is not found in registry (https://github.com/sigstore/cosign/pull/1410)
- add root status output (https://github.com/sigstore/cosign/pull/1404)
- feat: login command (https://github.com/sigstore/cosign/pull/1398)
- Minor refactor to verify SCT and Rekor entry with multiple keys (https://github.com/sigstore/cosign/pull/1396)
- Add Cosign logo to README (https://github.com/sigstore/cosign/pull/1395)
- Add --timeout support to sign command (https://github.com/sigstore/cosign/pull/1379)
Bug Fixes
- bug fix: import ed25519 keys and fix error handling (https://github.com/sigstore/cosign/pull/1518)
- Fix wording on attach attestation help (https://github.com/sigstore/cosign/pull/1480)
- fix(sign): kms unsupported message (https://github.com/sigstore/cosign/pull/1475)
- Fix incorrect error check when verifying SCT (https://github.com/sigstore/cosign/pull/1422)
- make imageRef lowercase before parsing (https://github.com/sigstore/cosign/pull/1409)
- Add a new line after password input (https://github.com/sigstore/cosign/pull/1407)
- Fix comparison in replace option for attestation (https://github.com/sigstore/cosign/pull/1366)
Documentation
- Quay OCI Support in README (https://github.com/sigstore/cosign/pull/1539)
- feat: nominate Dentrax as codeowner (https://github.com/sigstore/cosign/pull/1492)
- add initial changelog for 1.5.2 (https://github.com/sigstore/cosign/pull/1483)
- fix tkn link in readme (https://github.com/sigstore/cosign/pull/1459)
- Add FEATURES.md and DEPRECATIONS.md (https://github.com/sigstore/cosign/pull/1429)
- Update the cosign keyless documentation to point to the GA release. (https://github.com/sigstore/cosign/pull/1427)
- Fix link for SECURITY.md (https://github.com/sigstore/cosign/pull/1399)
Others
- Consistent parenthesis use in Makefile (https://github.com/sigstore/cosign/pull/1541)
- Bump github.com/xanzy/go-gitlab from 0.55.1 to 0.56.0 (https://github.com/sigstore/cosign/pull/1538)
- add rpm,deb and apks for cosign packages (https://github.com/sigstore/cosign/pull/1537)
- update github.com/hashicorp/vault/sdk, codegen and go module to 1.17 (https://github.com/sigstore/cosign/pull/1536)
- images: remove --bare flags that conflict with --base-import-paths (https://github.com/sigstore/cosign/pull/1533)
- Bump actions/checkout from 2 to 3 (https://github.com/sigstore/cosign/pull/1531)
- Add codecov as github action, set permissions to read content only (https://github.com/sigstore/cosign/pull/1530)
- Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.11 to 2.0.0-beta.12 (https://github.com/sigstore/cosign/pull/1528)
- Bump actions/setup-go from 2 to 3 (https://github.com/sigstore/cosign/pull/1527)
- Bump golangci/golangci-lint-action from 3.0.0 to 3.1.0 (https://github.com/sigstore/cosign/pull/1526)
- Bump mikefarah/yq from 4.20.2 to 4.21.1 (https://github.com/sigstore/cosign/pull/1525)
- Bump github.com/secure-systems-lab/go-securesystemslib (https://github.com/sigstore/cosign/pull/1524)
- chore(ci): add artifact hub support (https://github.com/sigstore/cosign/pull/1522)
- optimize codeql speed by using caching and tracing (https://github.com/sigstore/cosign/pull/1519)
- Bump golangci/golangci-lint-action from 2.5.2 to 3 (https://github.com/sigstore/cosign/pull/1516)
- Bump github/codeql-action from 1.1.2 to 1.1.3 (https://github.com/sigstore/cosign/pull/1512)
- Bump mikefarah/yq from 4.16.2 to 4.20.2 (https://github.com/sigstore/cosign/pull/1510)
- Bump github.com/go-openapi/runtime from 0.23.0 to 0.23.1 (https://github.com/sigstore/cosign/pull/1507)
- Bump go.uber.org/zap from 1.20.0 to 1.21.0 (https://github.com/sigstore/cosign/pull/1509)
- Bump actions/setup-go from 2.1.5 to 2.2.0 (https://github.com/sigstore/cosign/pull/1495)
- Bump google-github-actions/auth from 0.4.4 to 0.6.0 (https://github.com/sigstore/cosign/pull/1501)
- Bump ossf/scorecard-action (https://github.com/sigstore/cosign/pull/1502)
- Bump google.golang.org/api from 0.69.0 to 0.70.0 (https://github.com/sigstore/cosign/pull/1500)
- Bump sigstore/cosign-installer from 1.4.1 to 2.0.1 (https://github.com/sigstore/cosign/pull/1496)
- Bump actions/github-script from 4.1.1 to 6 (https://github.com/sigstore/cosign/pull/1497)
- Update github/codeql-action requirement to d39d5d5c9707b926d517b1b292905ef4c03aa777 (https://github.com/sigstore/cosign/pull/1498)
- Bump google-github-actions/setup-gcloud from 0.3.0 to 0.5.1 (https://github.com/sigstore/cosign/pull/1499)
- chore(makefile): use kocache, convert publish to build (https://github.com/sigstore/cosign/pull/1488)
- Bump cloud.google.com/go/storage from 1.20.0 to 1.21.0 (https://github.com/sigstore/cosign/pull/1481)
- update changelog (https://github.com/sigstore/cosign/pull/1485)
- fix lint (https://github.com/sigstore/cosign/pull/1484)
- update go-tuf and simplify TUF client code (https://github.com/sigstore/cosign/pull/1455)
- Bump sigstore/sigstore to pick up the kms change and the monkey-patch work. (https://github.com/sigstore/cosign/pull/1479)
- refactor release cloudbuild job (https://github.com/sigstore/cosign/pull/1476)
- increase timeout for goreleaser snapshot (https://github.com/sigstore/cosign/pull/1473)
- Double goreleaser timeout (https://github.com/sigstore/cosign/pull/1472)
- Bump google.golang.org/api from 0.68.0 to 0.69.0 (https://github.com/sigstore/cosign/pull/1469)
- tests: /bin/bash -> /usr/bin/env bash (https://github.com/sigstore/cosign/pull/1470)
- Bump the gitlab library and add a nil opt for the API change. (https://github.com/sigstore/cosign/pull/1466)
- Bump webhook timeout. (https://github.com/sigstore/cosign/pull/1465)
- update cross-build to use go 1.17.7 (https://github.com/sigstore/cosign/pull/1446)
- Bump go-containerregistry, pick up new features (https://github.com/sigstore/cosign/pull/1442)
- update cross-build image which adds goimports (https://github.com/sigstore/cosign/pull/1435)
- Bump google.golang.org/api from 0.67.0 to 0.68.0 (https://github.com/sigstore/cosign/pull/1434)
- Skip the ReadWrite test that flakes on Windows. (https://github.com/sigstore/cosign/pull/1415)
- Bump github.com/go-openapi/strfmt from 0.21.1 to 0.21.2 (https://github.com/sigstore/cosign/pull/1411)
- Bump github.com/go-openapi/runtime from 0.22.0 to 0.23.0 (https://github.com/sigstore/cosign/pull/1412)
- Bump cloud.google.com/go/storage from 1.19.0 to 1.20.0 (https://github.com/sigstore/cosign/pull/1403)
- Bump google.golang.org/api from 0.66.0 to 0.67.0 (https://github.com/sigstore/cosign/pull/1402)
- Bump cuelang.org/go from 0.4.1 to 0.4.2 (https://github.com/sigstore/cosign/pull/1401)
- update cosign and cross-build image for the release job (https://github.com/sigstore/cosign/pull/1400)
- Bump github.com/xanzy/go-gitlab from 0.54.3 to 0.54.4 (https://github.com/sigstore/cosign/pull/1391)
- Bump github.com/go-openapi/swag from 0.20.0 to 0.21.1 (https://github.com/sigstore/cosign/pull/1386)
- Fix double time import in e2e tests (https://github.com/sigstore/cosign/pull/1388)
- Bump github.com/go-openapi/swag from 0.19.15 to 0.20.0 (https://github.com/sigstore/cosign/pull/1383)
- Bump github.com/go-openapi/runtime from 0.21.1 to 0.22.0 (https://github.com/sigstore/cosign/pull/1382)
- add changelog for 1.5.1 release (https://github.com/sigstore/cosign/pull/1376)
Contributors
- Andrew Block (@sabre1041)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Blake Burkhart (@bburky)
- Bob Callaway (@bobcallaway)
- Carlos Tadeu Panato Junior (@cpanato)
- Christian Kotzbauer (@ckotzbauer)
- Christopher Angelo Phillips (@spiffcs)
- Dan Lorenc (@dlorenc)
- Dan Luhring (@luhring)
- Furkan Türkal (@Dentrax)
- Hayden Blauzvern (@haydentherapper)
- Jason Hall (@imjasonh)
- Josh Dolitsky (@jdolitsky)
- Kenny Leung (@k4leung4)
- Matt Moore (@mattmoor)
- Marco Franssen (@marcofranssen)
- Nathan Smith (@nsmith5)
- Priya Wadhwa (@priyawadhwa)
- Sascha Grunert (@saschagrunert)
- Scott Nichols (@n3wscott)
- Teppei Fukuda (@knqyf263)
- Ville Aikas (@vaikas)
- Yongxuan Zhang (@Yongxuanzhang)
- Zack Newman (@znewman01)