Cosign v1.7.0

« Changelog History

Cosign v1.7.0 Release Notes

• ✨ Enhancements

  • sign: set the oidc redirect uri (https://github.com/sigstore/cosign/pull/1675)
  • 👉 Use ValidatePubKey from sigstore/sigstore (https://github.com/sigstore/cosign/pull/1676)
  • ✂ Remove the hardcoded sigstore audience (https://github.com/sigstore/cosign/pull/1698)
  • 👌 verify: remove extra calls to rekor for verify and verify-blob (https://github.com/sigstore/cosign/pull/1694)
  • ➕ add leaf hash verification (https://github.com/sigstore/cosign/pull/1688)
  • 🌲 cosign clean: Don't log failure if the registry responds with 404 (https://github.com/sigstore/cosign/pull/1687)
  • ⚡️ Update error message for verify/verify attestation (https://github.com/sigstore/cosign/pull/1686)
  • change file_name_template to PackageName (https://github.com/sigstore/cosign/pull/1683)
  • 📇 Make cosign copy copy metadata attached to child images. (https://github.com/sigstore/cosign/pull/1682)
  • ➕ Add support for cert and cert chain flags with PKCS11 tokens (https://github.com/sigstore/cosign/pull/1671)
  • Find all valid entries in verify-blob (https://github.com/sigstore/cosign/pull/1673)
  • 🔨 Refactor based on discussions in #1650 (https://github.com/sigstore/cosign/pull/1674)
  • feat: add ability to override registry keychain (https://github.com/sigstore/cosign/pull/1666)
  • ➕ Add specific suffixes mediaTypes to sboms (https://github.com/sigstore/cosign/pull/1663)
  • ➕ Add certificate chain flag for signing (https://github.com/sigstore/cosign/pull/1656)
  • First batch of followups to #1650 (https://github.com/sigstore/cosign/pull/1664)
  • ➕ Add support for certificate chain to verify certificate (https://github.com/sigstore/cosign/pull/1659)
  • 🛠 Use syscall.Stdin for input handle. Fixes #1153 (https://github.com/sigstore/cosign/pull/1657)
  • Shorten example OAuth URL (https://github.com/sigstore/cosign/pull/1661)
  • Prompt user before running cosign clean (https://github.com/sigstore/cosign/pull/1649)
  • ➕ Add support for intermediate certificates when verifiying (https://github.com/sigstore/cosign/pull/1631)
  • feat: tree command utility (https://github.com/sigstore/cosign/pull/1603)
  • Validate authority keys (https://github.com/sigstore/cosign/pull/1623)
  • 👌 improve cosigned validation error messages (https://github.com/sigstore/cosign/pull/1618)
  • Init entity from ociremote when signing a digest ref (https://github.com/sigstore/cosign/pull/1616)
  • ➕ Add two env variables. One for using Rekor public key from OOB and (https://github.com/sigstore/cosign/pull/1610)
  • 🚚 Ensure entry is removed from CM on secret error. (https://github.com/sigstore/cosign/pull/1605)
  • Validate a public key in a secret is valid. (https://github.com/sigstore/cosign/pull/1602)
  • ➕ Add public key validation (https://github.com/sigstore/cosign/pull/1598)
  • ➕ Add ability to inline secrets from SecretRef to configmap. (https://github.com/sigstore/cosign/pull/1595)
  • 1417 policy validations (https://github.com/sigstore/cosign/pull/1548)
  • 👌 Support deletion of ClusterImagePolicy (https://github.com/sigstore/cosign/pull/1580)
  • Start of the necessary pieces to get #1418 and #1419 implemented (https://github.com/sigstore/cosign/pull/1562)

  🐛 Bug Fixes

  • 🛠 Fix handling of policy in verify-attestation (https://github.com/sigstore/cosign/pull/1672)
  • 🛠 Fix relative paths in Gitub OIDC blob test (https://github.com/sigstore/cosign/pull/1677)
  • 🛠 fix build date format for version command (https://github.com/sigstore/cosign/pull/1644)
  • 🛠 Fix 1608, 1613 (https://github.com/sigstore/cosign/pull/1617)
  • 🛠 Fix copy/paste mistake in repo name. (https://github.com/sigstore/cosign/pull/1600)
  • 🛠 Fix #1592 move authorities as siblings of images. (https://github.com/sigstore/cosign/pull/1593)
  • 🛠 Fix piping 'cosign verify' using fulcio/rekor (https://github.com/sigstore/cosign/pull/1590)
  • 🛠 Fix #1583 #1582. Disallow regex now until implemented. (https://github.com/sigstore/cosign/pull/1584)
  • Don't lowercase input image refs, just fail (https://github.com/sigstore/cosign/pull/1586)

  Documention

  • 👍 Document Elastic container registry support (https://github.com/sigstore/cosign/pull/1641)
  • FUN.md broke when RecordObj changed to HashedRecordObj (https://github.com/sigstore/cosign/pull/1633)
  • ➕ Add example using AWS Key Management Service (KMS) (https://github.com/sigstore/cosign/pull/1564)

  Others

  • 👉 Use the github actions from sigstore/scaffolding. (https://github.com/sigstore/cosign/pull/1699)
  • ⬆️ Bump google.golang.org/api from 0.73.0 to 0.74.0 (https://github.com/sigstore/cosign/pull/1695)
  • ⬆️ Bump github/codeql-action from 1.1.5 to 2.1.6 (https://github.com/sigstore/cosign/pull/1690)
  • ⬆️ Bump actions/cache from 3.0.0 to 3.0.1 (https://github.com/sigstore/cosign/pull/1689)
  • ➕ Add e2e test for attest / verify-attestation (https://github.com/sigstore/cosign/pull/1685)
  • ✅ Use cosign @ HEAD for Github OIDC sign blob test (https://github.com/sigstore/cosign/pull/1678)
  • ⬆️ Bump mikefarah/yq from 4.23.1 to 4.24.2 (https://github.com/sigstore/cosign/pull/1670)
  • ✂ remove replace directive (https://github.com/sigstore/cosign/pull/1669)
  • ⚡️ update font when output the cosign version (https://github.com/sigstore/cosign/pull/1668)
  • ✅ Use ClusterImagePolicy with Keyless + e2e tests for CIP with kind (https://github.com/sigstore/cosign/pull/1650)
  • ⬆️ Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 (https://github.com/sigstore/cosign/pull/1646)
  • ⬆️ Bump mikefarah/yq from 4.22.1 to 4.23.1 (https://github.com/sigstore/cosign/pull/1639)
  • ⬆️ Bump actions/cache from 2.1.7 to 3 (https://github.com/sigstore/cosign/pull/1640)
  • ⬆️ Bump github.com/go-openapi/runtime from 0.23.2 to 0.23.3 (https://github.com/sigstore/cosign/pull/1638)
  • ➕ Add extra label and change the latest tag to unstable for non tagged releases (https://github.com/sigstore/cosign/pull/1637)
  • 🚀 push latest tag when building a release (https://github.com/sigstore/cosign/pull/1636)
  • 🚀 update crane to v0.8.0 release (https://github.com/sigstore/cosign/pull/1635)
  • ⬆️ Bump github.com/xanzy/go-gitlab from 0.59.0 to 0.60.0 (https://github.com/sigstore/cosign/pull/1634)
  • Included OpenSSF Best Practices Badge (https://github.com/sigstore/cosign/pull/1628)
  • ✅ Use latest knative/pkg's configmap informer (https://github.com/sigstore/cosign/pull/1615)
  • ⬆️ Bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (https://github.com/sigstore/cosign/pull/1621)
  • ⬆️ Bump google.golang.org/api from 0.72.0 to 0.73.0 (https://github.com/sigstore/cosign/pull/1619)
  • ⬆️ Bump github/codeql-action from 1.1.4 to 1.1.5 (https://github.com/sigstore/cosign/pull/1622)
  • ⬆️ Bump ecr-login to pick up WithLogger rename (https://github.com/sigstore/cosign/pull/1624)
  • ⬆️ Bump to knative pkg 1.3 (https://github.com/sigstore/cosign/pull/1614)
  • ⬆️ Bump google.golang.org/api from 0.71.0 to 0.72.0 (https://github.com/sigstore/cosign/pull/1612)
  • 🚀 Use reusuable release workflow in sigstore/sigstore (https://github.com/sigstore/cosign/pull/1599)
  • ⬆️ Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.12 to 2.0.0 (https://github.com/sigstore/cosign/pull/1597)
  • ⬆️ Bump mikefarah/yq from 4.21.1 to 4.22.1 (https://github.com/sigstore/cosign/pull/1589)
  • ⬆️ Bump google.golang.org/grpc from 1.44.0 to 1.45.0 (https://github.com/sigstore/cosign/pull/1587)
  • ⬆️ Bump github.com/spf13/cobra from 1.3.0 to 1.4.0 (https://github.com/sigstore/cosign/pull/1588)
  • ⬆️ Bump github.com/xanzy/go-gitlab from 0.58.0 to 0.59.0 (https://github.com/sigstore/cosign/pull/1579)
  • ⬆️ Bump google-github-actions/setup-gcloud from 0.5.1 to 0.6.0 (https://github.com/sigstore/cosign/pull/1578)
  • ⬆️ Bump github.com/hashicorp/go-hclog from 1.1.0 to 1.2.0 (https://github.com/sigstore/cosign/pull/1576)
  • ⬆️ Bump google.golang.org/api from 0.70.0 to 0.71.0 (https://github.com/sigstore/cosign/pull/1577)
  • ⬆️ Bump github/codeql-action from 1.1.3 to 1.1.4 (https://github.com/sigstore/cosign/pull/1565)
  • ➕ add definition for artifact hub to verify the ownership (https://github.com/sigstore/cosign/pull/1563)
  • ⬆️ Bump sigstore/cosign-installer from 2.0.1 to 2.1.0 (https://github.com/sigstore/cosign/pull/1561)
  • ⬆️ Bump github.com/go-openapi/runtime from 0.23.1 to 0.23.2 (https://github.com/sigstore/cosign/pull/1559)
  • ⬆️ Bump github.com/xanzy/go-gitlab from 0.57.0 to 0.58.0 (https://github.com/sigstore/cosign/pull/1560)
  • ⚡️ Update hashicorp/parseutil to v0.1.3. (https://github.com/sigstore/cosign/pull/1557)
  • 🚀 Mirror signed release images from GCR to GHCR as part of release with Cloud Build. (https://github.com/sigstore/cosign/pull/1547)
  • ⬆️ Bump github.com/xanzy/go-gitlab from 0.56.0 to 0.57.0 (https://github.com/sigstore/cosign/pull/1552)
  • ⬆️ Bump actions/upload-artifact from 2.3.1 to 3 (https://github.com/sigstore/cosign/pull/1553)
  • 🏗 pkcs11: fix build instructions (https://github.com/sigstore/cosign/pull/1550)
  • 🚀 Update images for release job (https://github.com/sigstore/cosign/pull/1551)

  Contributors

  • Adam A.G. Shamblin (@coyote240)
  • Adolfo García Veytia (@puerco)
  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Dan Lorenc (@dlorenc)
  • Davi Garcia (@davivcgarcia)
  • Hayden Blauzvern (@haydentherapper)
  • Hector Fernandez (@hectorj2f)
  • James Strong (@strongjz)
  • Jason Hall (@imjasonh)
  • Kavitha (@kkavitha)
  • Kenny Leung (@k4leung4)
  • Luiz Carvalho (@lcarva)
  • Marco Franssen (@marcofranssen)
  • Mark Percival (@mdp)
  • Matt Moore (@mattmoor)
  • Maxime Gréau (@mgreau)
  • Mitch Thomas (@MitchellJThomas)
  • Naveen Srinivasan (@naveensrinivasan)
  • Nghia Tran (@tcnghia)
  • Priya Wadhwa (@priyawadhwa)
  • Radoslav Gerganov (@rgerganov)
  • Thomas Strömberg (@tstromberg)
  • Ville Aikas (@vaikas)
  • noamichael (@noamichael)

• All Versions
• Previous v1.6.0
• Next v1.7.1
• Latest Version