Cosign v1.7.0 Release Notes
✨ Enhancements
- sign: set the oidc redirect uri (https://github.com/sigstore/cosign/pull/1675)
- 👉 Use ValidatePubKey from sigstore/sigstore (https://github.com/sigstore/cosign/pull/1676)
- ✂ Remove the hardcoded sigstore audience (https://github.com/sigstore/cosign/pull/1698)
- 👌 verify: remove extra calls to rekor for verify and verify-blob (https://github.com/sigstore/cosign/pull/1694)
- ➕ add leaf hash verification (https://github.com/sigstore/cosign/pull/1688)
- 🌲 cosign clean: Don't log failure if the registry responds with 404 (https://github.com/sigstore/cosign/pull/1687)
- ⚡️ Update error message for verify/verify attestation (https://github.com/sigstore/cosign/pull/1686)
- change file_name_template to PackageName (https://github.com/sigstore/cosign/pull/1683)
- 📇 Make 'cosign copy' copy metadata attached to child images. (https://github.com/sigstore/cosign/pull/1682)
- ➕ Add support for cert and cert chain flags with PKCS11 tokens (https://github.com/sigstore/cosign/pull/1671)
- Find all valid entries in verify-blob (https://github.com/sigstore/cosign/pull/1673)
- 🔨 Refactor based on discussions in #1650 (https://github.com/sigstore/cosign/pull/1674)
- feat: add ability to override registry keychain (https://github.com/sigstore/cosign/pull/1666)
- ➕ Add specific suffixes mediaTypes to sboms (https://github.com/sigstore/cosign/pull/1663)
- ➕ Add certificate chain flag for signing (https://github.com/sigstore/cosign/pull/1656)
- First batch of followups to #1650 (https://github.com/sigstore/cosign/pull/1664)
- ➕ Add support for certificate chain to verify certificate (https://github.com/sigstore/cosign/pull/1659)
- 🛠 Use syscall.Stdin for input handle. Fixes #1153 (https://github.com/sigstore/cosign/pull/1657)
- Shorten example OAuth URL (https://github.com/sigstore/cosign/pull/1661)
- Prompt user before running 'cosign clean' (https://github.com/sigstore/cosign/pull/1649)
- ➕ Add support for intermediate certificates when verifying (https://github.com/sigstore/cosign/pull/1631)
- feat: tree command utility (https://github.com/sigstore/cosign/pull/1603)
- Validate authority keys (https://github.com/sigstore/cosign/pull/1623)
- 👌 improve cosigned validation error messages (https://github.com/sigstore/cosign/pull/1618)
- Init entity from ociremote when signing a digest ref (https://github.com/sigstore/cosign/pull/1616)
- ➕ Add two env variables. One for using Rekor public key from OOB and (https://github.com/sigstore/cosign/pull/1610)
- 🚚 Ensure entry is removed from CM on secret error. (https://github.com/sigstore/cosign/pull/1605)
- Validate a public key in a secret is valid. (https://github.com/sigstore/cosign/pull/1602)
- ➕ Add public key validation (https://github.com/sigstore/cosign/pull/1598)
- ➕ Add ability to inline secrets from SecretRef to configmap. (https://github.com/sigstore/cosign/pull/1595)
- 1417 policy validations (https://github.com/sigstore/cosign/pull/1548)
- 👌 Support deletion of ClusterImagePolicy (https://github.com/sigstore/cosign/pull/1580)
- Start of the necessary pieces to get #1418 and #1419 implemented (https://github.com/sigstore/cosign/pull/1562)
🐛 Bug Fixes
- 🛠 Fix handling of policy in verify-attestation (https://github.com/sigstore/cosign/pull/1672)
- 🛠 Fix relative paths in GitHub OIDC blob test (https://github.com/sigstore/cosign/pull/1677)
- 🛠 fix build date format for version command (https://github.com/sigstore/cosign/pull/1644)
- 🛠 Fix 1608, 1613 (https://github.com/sigstore/cosign/pull/1617)
- 🛠 Fix copy/paste mistake in repo name. (https://github.com/sigstore/cosign/pull/1600)
- 🛠 Fix #1592 move authorities as siblings of images. (https://github.com/sigstore/cosign/pull/1593)
- 🛠 Fix piping 'cosign verify' using fulcio/rekor (https://github.com/sigstore/cosign/pull/1590)
- 🛠 Fix #1583 #1582. Disallow regex now until implemented. (https://github.com/sigstore/cosign/pull/1584)
- Don't lowercase input image refs, just fail (https://github.com/sigstore/cosign/pull/1586)
Documentation
- 👍 Document Elastic container registry support (https://github.com/sigstore/cosign/pull/1641)
- FUN.md broke when RecordObj changed to HashedRecordObj (https://github.com/sigstore/cosign/pull/1633)
- ➕ Add example using AWS Key Management Service (KMS) (https://github.com/sigstore/cosign/pull/1564)
Others
- 👉 Use the github actions from sigstore/scaffolding. (https://github.com/sigstore/cosign/pull/1699)
- ⬆️ Bump google.golang.org/api from 0.73.0 to 0.74.0 (https://github.com/sigstore/cosign/pull/1695)
- ⬆️ Bump github/codeql-action from 1.1.5 to 2.1.6 (https://github.com/sigstore/cosign/pull/1690)
- ⬆️ Bump actions/cache from 3.0.0 to 3.0.1 (https://github.com/sigstore/cosign/pull/1689)
- ➕ Add e2e test for attest / verify-attestation (https://github.com/sigstore/cosign/pull/1685)
- ✅ Use cosign @ HEAD for GitHub OIDC sign blob test (https://github.com/sigstore/cosign/pull/1678)
- ⬆️ Bump mikefarah/yq from 4.23.1 to 4.24.2 (https://github.com/sigstore/cosign/pull/1670)
- ✂ remove replace directive (https://github.com/sigstore/cosign/pull/1669)
- ⚡️ update font when outputting the cosign version (https://github.com/sigstore/cosign/pull/1668)
- ✅ Use ClusterImagePolicy with Keyless + e2e tests for CIP with kind (https://github.com/sigstore/cosign/pull/1650)
- ⬆️ Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 (https://github.com/sigstore/cosign/pull/1646)
- ⬆️ Bump mikefarah/yq from 4.22.1 to 4.23.1 (https://github.com/sigstore/cosign/pull/1639)
- ⬆️ Bump actions/cache from 2.1.7 to 3 (https://github.com/sigstore/cosign/pull/1640)
- ⬆️ Bump github.com/go-openapi/runtime from 0.23.2 to 0.23.3 (https://github.com/sigstore/cosign/pull/1638)
- ➕ Add extra label and change the latest tag to unstable for non tagged releases (https://github.com/sigstore/cosign/pull/1637)
- 🚀 push latest tag when building a release (https://github.com/sigstore/cosign/pull/1636)
- 🚀 update crane to v0.8.0 release (https://github.com/sigstore/cosign/pull/1635)
- ⬆️ Bump github.com/xanzy/go-gitlab from 0.59.0 to 0.60.0 (https://github.com/sigstore/cosign/pull/1634)
- Included OpenSSF Best Practices Badge (https://github.com/sigstore/cosign/pull/1628)
- ✅ Use latest knative/pkg's configmap informer (https://github.com/sigstore/cosign/pull/1615)
- ⬆️ Bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (https://github.com/sigstore/cosign/pull/1621)
- ⬆️ Bump google.golang.org/api from 0.72.0 to 0.73.0 (https://github.com/sigstore/cosign/pull/1619)
- ⬆️ Bump github/codeql-action from 1.1.4 to 1.1.5 (https://github.com/sigstore/cosign/pull/1622)
- ⬆️ Bump ecr-login to pick up WithLogger rename (https://github.com/sigstore/cosign/pull/1624)
- ⬆️ Bump to knative pkg 1.3 (https://github.com/sigstore/cosign/pull/1614)
- ⬆️ Bump google.golang.org/api from 0.71.0 to 0.72.0 (https://github.com/sigstore/cosign/pull/1612)
- 🚀 Use reusable release workflow in sigstore/sigstore (https://github.com/sigstore/cosign/pull/1599)
- ⬆️ Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.12 to 2.0.0 (https://github.com/sigstore/cosign/pull/1597)
- ⬆️ Bump mikefarah/yq from 4.21.1 to 4.22.1 (https://github.com/sigstore/cosign/pull/1589)
- ⬆️ Bump google.golang.org/grpc from 1.44.0 to 1.45.0 (https://github.com/sigstore/cosign/pull/1587)
- ⬆️ Bump github.com/spf13/cobra from 1.3.0 to 1.4.0 (https://github.com/sigstore/cosign/pull/1588)
- ⬆️ Bump github.com/xanzy/go-gitlab from 0.58.0 to 0.59.0 (https://github.com/sigstore/cosign/pull/1579)
- ⬆️ Bump google-github-actions/setup-gcloud from 0.5.1 to 0.6.0 (https://github.com/sigstore/cosign/pull/1578)
- ⬆️ Bump github.com/hashicorp/go-hclog from 1.1.0 to 1.2.0 (https://github.com/sigstore/cosign/pull/1576)
- ⬆️ Bump google.golang.org/api from 0.70.0 to 0.71.0 (https://github.com/sigstore/cosign/pull/1577)
- ⬆️ Bump github/codeql-action from 1.1.3 to 1.1.4 (https://github.com/sigstore/cosign/pull/1565)
- ➕ add definition for artifact hub to verify the ownership (https://github.com/sigstore/cosign/pull/1563)
- ⬆️ Bump sigstore/cosign-installer from 2.0.1 to 2.1.0 (https://github.com/sigstore/cosign/pull/1561)
- ⬆️ Bump github.com/go-openapi/runtime from 0.23.1 to 0.23.2 (https://github.com/sigstore/cosign/pull/1559)
- ⬆️ Bump github.com/xanzy/go-gitlab from 0.57.0 to 0.58.0 (https://github.com/sigstore/cosign/pull/1560)
- ⚡️ Update hashicorp/parseutil to v0.1.3. (https://github.com/sigstore/cosign/pull/1557)
- 🚀 Mirror signed release images from GCR to GHCR as part of release with Cloud Build. (https://github.com/sigstore/cosign/pull/1547)
- ⬆️ Bump github.com/xanzy/go-gitlab from 0.56.0 to 0.57.0 (https://github.com/sigstore/cosign/pull/1552)
- ⬆️ Bump actions/upload-artifact from 2.3.1 to 3 (https://github.com/sigstore/cosign/pull/1553)
- 🏗 pkcs11: fix build instructions (https://github.com/sigstore/cosign/pull/1550)
- 🚀 Update images for release job (https://github.com/sigstore/cosign/pull/1551)
Contributors
- Adam A.G. Shamblin (@coyote240)
- Adolfo García Veytia (@puerco)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Carlos Tadeu Panato Junior (@cpanato)
- Dan Lorenc (@dlorenc)
- Davi Garcia (@davivcgarcia)
- Hayden Blauzvern (@haydentherapper)
- Hector Fernandez (@hectorj2f)
- James Strong (@strongjz)
- Jason Hall (@imjasonh)
- Kavitha (@kkavitha)
- Kenny Leung (@k4leung4)
- Luiz Carvalho (@lcarva)
- Marco Franssen (@marcofranssen)
- Mark Percival (@mdp)
- Matt Moore (@mattmoor)
- Maxime Gréau (@mgreau)
- Mitch Thomas (@MitchellJThomas)
- Naveen Srinivasan (@naveensrinivasan)
- Nghia Tran (@tcnghia)
- Priya Wadhwa (@priyawadhwa)
- Radoslav Gerganov (@rgerganov)
- Thomas Strömberg (@tstromberg)
- Ville Aikas (@vaikas)
- noamichael (@noamichael)