Changelog History (Page 2)
-
v1.7.2 Changes
Bug Fixes
- Make public all types required to use ValidatePolicy (https://github.com/sigstore/cosign/pull/1727)
- fix: add permissions to patch events (https://github.com/sigstore/cosign/pull/1722)
- Fix publicKey unmarshal (https://github.com/sigstore/cosign/pull/1719)
- Update release job (https://github.com/sigstore/cosign/pull/1720)
- Makefile: fix directory not found error (https://github.com/sigstore/cosign/pull/1718)
Others
- Remove newline from download sbom output (https://github.com/sigstore/cosign/pull/1732)
- Bump github.com/hashicorp/go-uuid from 1.0.2 to 1.0.3 (https://github.com/sigstore/cosign/pull/1724)
- Add unit tests for IntotoAttestation verifier. (https://github.com/sigstore/cosign/pull/1728)
- Bump github/codeql-action from 2.1.7 to 2.1.8 (https://github.com/sigstore/cosign/pull/1725)
- Bump cloud.google.com/go/storage from 1.21.0 to 1.22.0 (https://github.com/sigstore/cosign/pull/1721)
- Bump sigstore/cosign-installer from 2.1.0 to 2.2.0 (https://github.com/sigstore/cosign/pull/1723)
- Bump github.com/xanzy/go-gitlab from 0.61.0 to 0.62.0 (https://github.com/sigstore/cosign/pull/1711)
- Bump google-github-actions/auth from 0.6.0 to 0.7.0 (https://github.com/sigstore/cosign/pull/1712)
- Bump github/codeql-action from 2.1.6 to 2.1.7 (https://github.com/sigstore/cosign/pull/1713)
- Bump codecov/codecov-action from 2.1.0 to 3 (https://github.com/sigstore/cosign/pull/1714)
Contributors
- Carlos Tadeu Panato Junior (@cpanato)
- Denny (@DennyHoang)
- Hector Fernandez (@hectorj2f)
- Josh Dolitsky (@jdolitsky)
- Rob Best (@ribbybibby)
- Ville Aikas (@vaikas)
-
v1.7.1 Changes
Bug Fixes
- commenting out the copy from gcr to ghcr due to issues on the GitHub side (https://github.com/sigstore/cosign/pull/1715)
-
v1.7.0 Changes
Enhancements
- sign: set the oidc redirect uri (https://github.com/sigstore/cosign/pull/1675)
- Use ValidatePubKey from sigstore/sigstore (https://github.com/sigstore/cosign/pull/1676)
- Remove the hardcoded sigstore audience (https://github.com/sigstore/cosign/pull/1698)
- verify: remove extra calls to rekor for verify and verify-blob (https://github.com/sigstore/cosign/pull/1694)
- add leaf hash verification (https://github.com/sigstore/cosign/pull/1688)
- cosign clean: Don't log failure if the registry responds with 404 (https://github.com/sigstore/cosign/pull/1687)
- Update error message for verify/verify attestation (https://github.com/sigstore/cosign/pull/1686)
- change file_name_template to PackageName (https://github.com/sigstore/cosign/pull/1683)
- Make 'cosign copy' copy metadata attached to child images. (https://github.com/sigstore/cosign/pull/1682)
- Add support for cert and cert chain flags with PKCS11 tokens (https://github.com/sigstore/cosign/pull/1671)
- Find all valid entries in verify-blob (https://github.com/sigstore/cosign/pull/1673)
- Refactor based on discussions in #1650 (https://github.com/sigstore/cosign/pull/1674)
- feat: add ability to override registry keychain (https://github.com/sigstore/cosign/pull/1666)
- Add specific suffixes mediaTypes to sboms (https://github.com/sigstore/cosign/pull/1663)
- Add certificate chain flag for signing (https://github.com/sigstore/cosign/pull/1656)
- First batch of followups to #1650 (https://github.com/sigstore/cosign/pull/1664)
- Add support for certificate chain to verify certificate (https://github.com/sigstore/cosign/pull/1659)
- Use syscall.Stdin for input handle. Fixes #1153 (https://github.com/sigstore/cosign/pull/1657)
- Shorten example OAuth URL (https://github.com/sigstore/cosign/pull/1661)
- Prompt user before running 'cosign clean' (https://github.com/sigstore/cosign/pull/1649)
- Add support for intermediate certificates when verifying (https://github.com/sigstore/cosign/pull/1631)
- feat: tree command utility (https://github.com/sigstore/cosign/pull/1603)
- Validate authority keys (https://github.com/sigstore/cosign/pull/1623)
- improve cosigned validation error messages (https://github.com/sigstore/cosign/pull/1618)
- Init entity from ociremote when signing a digest ref (https://github.com/sigstore/cosign/pull/1616)
- Add two env variables. One for using Rekor public key from OOB and (https://github.com/sigstore/cosign/pull/1610)
- Ensure entry is removed from CM on secret error. (https://github.com/sigstore/cosign/pull/1605)
- Validate a public key in a secret is valid. (https://github.com/sigstore/cosign/pull/1602)
- Add public key validation (https://github.com/sigstore/cosign/pull/1598)
- Add ability to inline secrets from SecretRef to configmap. (https://github.com/sigstore/cosign/pull/1595)
- 1417 policy validations (https://github.com/sigstore/cosign/pull/1548)
- Support deletion of ClusterImagePolicy (https://github.com/sigstore/cosign/pull/1580)
- Start of the necessary pieces to get #1418 and #1419 implemented (https://github.com/sigstore/cosign/pull/1562)
Bug Fixes
- Fix handling of policy in verify-attestation (https://github.com/sigstore/cosign/pull/1672)
- Fix relative paths in GitHub OIDC blob test (https://github.com/sigstore/cosign/pull/1677)
- fix build date format for version command (https://github.com/sigstore/cosign/pull/1644)
- Fix 1608, 1613 (https://github.com/sigstore/cosign/pull/1617)
- Fix copy/paste mistake in repo name. (https://github.com/sigstore/cosign/pull/1600)
- Fix #1592 move authorities as siblings of images. (https://github.com/sigstore/cosign/pull/1593)
- Fix piping 'cosign verify' using fulcio/rekor (https://github.com/sigstore/cosign/pull/1590)
- Fix #1583 #1582. Disallow regex now until implemented. (https://github.com/sigstore/cosign/pull/1584)
- Don't lowercase input image refs, just fail (https://github.com/sigstore/cosign/pull/1586)
Documentation
- Document Elastic container registry support (https://github.com/sigstore/cosign/pull/1641)
- FUN.md broke when RecordObj changed to HashedRecordObj (https://github.com/sigstore/cosign/pull/1633)
- Add example using AWS Key Management Service (KMS) (https://github.com/sigstore/cosign/pull/1564)
Others
- Use the github actions from sigstore/scaffolding. (https://github.com/sigstore/cosign/pull/1699)
- Bump google.golang.org/api from 0.73.0 to 0.74.0 (https://github.com/sigstore/cosign/pull/1695)
- Bump github/codeql-action from 1.1.5 to 2.1.6 (https://github.com/sigstore/cosign/pull/1690)
- Bump actions/cache from 3.0.0 to 3.0.1 (https://github.com/sigstore/cosign/pull/1689)
- Add e2e test for attest / verify-attestation (https://github.com/sigstore/cosign/pull/1685)
- Use cosign @ HEAD for GitHub OIDC sign blob test (https://github.com/sigstore/cosign/pull/1678)
- Bump mikefarah/yq from 4.23.1 to 4.24.2 (https://github.com/sigstore/cosign/pull/1670)
- remove replace directive (https://github.com/sigstore/cosign/pull/1669)
- update font when output the cosign version (https://github.com/sigstore/cosign/pull/1668)
- Use ClusterImagePolicy with Keyless + e2e tests for CIP with kind (https://github.com/sigstore/cosign/pull/1650)
- Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 (https://github.com/sigstore/cosign/pull/1646)
- Bump mikefarah/yq from 4.22.1 to 4.23.1 (https://github.com/sigstore/cosign/pull/1639)
- Bump actions/cache from 2.1.7 to 3 (https://github.com/sigstore/cosign/pull/1640)
- Bump github.com/go-openapi/runtime from 0.23.2 to 0.23.3 (https://github.com/sigstore/cosign/pull/1638)
- Add extra label and change the latest tag to unstable for non tagged releases (https://github.com/sigstore/cosign/pull/1637)
- push latest tag when building a release (https://github.com/sigstore/cosign/pull/1636)
- update crane to v0.8.0 release (https://github.com/sigstore/cosign/pull/1635)
- Bump github.com/xanzy/go-gitlab from 0.59.0 to 0.60.0 (https://github.com/sigstore/cosign/pull/1634)
- Included OpenSSF Best Practices Badge (https://github.com/sigstore/cosign/pull/1628)
- Use latest knative/pkg's configmap informer (https://github.com/sigstore/cosign/pull/1615)
- Bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (https://github.com/sigstore/cosign/pull/1621)
- Bump google.golang.org/api from 0.72.0 to 0.73.0 (https://github.com/sigstore/cosign/pull/1619)
- Bump github/codeql-action from 1.1.4 to 1.1.5 (https://github.com/sigstore/cosign/pull/1622)
- Bump ecr-login to pick up WithLogger rename (https://github.com/sigstore/cosign/pull/1624)
- Bump to knative pkg 1.3 (https://github.com/sigstore/cosign/pull/1614)
- Bump google.golang.org/api from 0.71.0 to 0.72.0 (https://github.com/sigstore/cosign/pull/1612)
- Use reusable release workflow in sigstore/sigstore (https://github.com/sigstore/cosign/pull/1599)
- Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.12 to 2.0.0 (https://github.com/sigstore/cosign/pull/1597)
- Bump mikefarah/yq from 4.21.1 to 4.22.1 (https://github.com/sigstore/cosign/pull/1589)
- Bump google.golang.org/grpc from 1.44.0 to 1.45.0 (https://github.com/sigstore/cosign/pull/1587)
- Bump github.com/spf13/cobra from 1.3.0 to 1.4.0 (https://github.com/sigstore/cosign/pull/1588)
- Bump github.com/xanzy/go-gitlab from 0.58.0 to 0.59.0 (https://github.com/sigstore/cosign/pull/1579)
- Bump google-github-actions/setup-gcloud from 0.5.1 to 0.6.0 (https://github.com/sigstore/cosign/pull/1578)
- Bump github.com/hashicorp/go-hclog from 1.1.0 to 1.2.0 (https://github.com/sigstore/cosign/pull/1576)
- Bump google.golang.org/api from 0.70.0 to 0.71.0 (https://github.com/sigstore/cosign/pull/1577)
- Bump github/codeql-action from 1.1.3 to 1.1.4 (https://github.com/sigstore/cosign/pull/1565)
- add definition for artifact hub to verify the ownership (https://github.com/sigstore/cosign/pull/1563)
- Bump sigstore/cosign-installer from 2.0.1 to 2.1.0 (https://github.com/sigstore/cosign/pull/1561)
- Bump github.com/go-openapi/runtime from 0.23.1 to 0.23.2 (https://github.com/sigstore/cosign/pull/1559)
- Bump github.com/xanzy/go-gitlab from 0.57.0 to 0.58.0 (https://github.com/sigstore/cosign/pull/1560)
- Update hashicorp/parseutil to v0.1.3. (https://github.com/sigstore/cosign/pull/1557)
- Mirror signed release images from GCR to GHCR as part of release with Cloud Build. (https://github.com/sigstore/cosign/pull/1547)
- Bump github.com/xanzy/go-gitlab from 0.56.0 to 0.57.0 (https://github.com/sigstore/cosign/pull/1552)
- Bump actions/upload-artifact from 2.3.1 to 3 (https://github.com/sigstore/cosign/pull/1553)
- pkcs11: fix build instructions (https://github.com/sigstore/cosign/pull/1550)
- Update images for release job (https://github.com/sigstore/cosign/pull/1551)
Contributors
- Adam A.G. Shamblin (@coyote240)
- Adolfo García Veytia (@puerco)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Carlos Tadeu Panato Junior (@cpanato)
- Dan Lorenc (@dlorenc)
- Davi Garcia (@davivcgarcia)
- Hayden Blauzvern (@haydentherapper)
- Hector Fernandez (@hectorj2f)
- James Strong (@strongjz)
- Jason Hall (@imjasonh)
- Kavitha (@kkavitha)
- Kenny Leung (@k4leung4)
- Luiz Carvalho (@lcarva)
- Marco Franssen (@marcofranssen)
- Mark Percival (@mdp)
- Matt Moore (@mattmoor)
- Maxime Gréau (@mgreau)
- Mitch Thomas (@MitchellJThomas)
- Naveen Srinivasan (@naveensrinivasan)
- Nghia Tran (@tcnghia)
- Priya Wadhwa (@priyawadhwa)
- Radoslav Gerganov (@rgerganov)
- Thomas Strömberg (@tstromberg)
- Ville Aikas (@vaikas)
- noamichael (@noamichael)
-
v1.6.0 Changes
Security Fixes
- CVE-2022-23649 - Make sure signature in Rekor bundle matches signature being verified
Enhancements
- Change Fulcio URL default to be fulcio.sigstore.dev (https://github.com/sigstore/cosign/pull/1529)
- Add CertExtensions func to extract all extensions (https://github.com/sigstore/cosign/pull/1515)
- Add a dummy.go file to allow vendoring config (https://github.com/sigstore/cosign/pull/1520)
- Add skeleton reconciler for cosigned API CRD. (https://github.com/sigstore/cosign/pull/1513)
- use v6 api calls (https://github.com/sigstore/cosign/pull/1511)
- This sets up the scaffolding for the 'cosigned' CRD types. (https://github.com/sigstore/cosign/pull/1504)
- add correct layer media type to attach attestation (https://github.com/sigstore/cosign/pull/1503)
- Pick up some of the shared workflows (https://github.com/sigstore/cosign/pull/1490)
- feat: support other types in copy cmd (https://github.com/sigstore/cosign/pull/1493)
- Pick up a change to quiet ECR-login logging. (https://github.com/sigstore/cosign/pull/1491)
- Merge pull request from GHSA-ccxc-vr6p-4858
- fix(sign): refactor unsupported provider log (https://github.com/sigstore/cosign/pull/1464)
- Print message when verifying with old TUF targets (https://github.com/sigstore/cosign/pull/1468)
- convert release cosigned to also generate yaml artifact. (https://github.com/sigstore/cosign/pull/1453)
- Streamline 'SignBlobCmd' API with 'SignCmd' (https://github.com/sigstore/cosign/pull/1454)
- feat: add -buildid= to ldflags (https://github.com/sigstore/cosign/pull/1451)
- Fetch verification targets by TUF custom metadata (https://github.com/sigstore/cosign/pull/1423)
- feat: fig autocomplete feature (https://github.com/sigstore/cosign/pull/1360)
- Improve log lines to match with implementation (https://github.com/sigstore/cosign/pull/1432)
- use the upstream kubernetes version lib and ldflags (https://github.com/sigstore/cosign/pull/1413)
- feat: enhance clean cmd capability (https://github.com/sigstore/cosign/pull/1430)
- Remove TUF timestamp from OCI signature bundle (https://github.com/sigstore/cosign/pull/1428)
- Allow 'PassFunc' to be nil (https://github.com/sigstore/cosign/pull/1426)
- Add ability to override the Spiffe socket via environmental variable: (https://github.com/sigstore/cosign/pull/1421)
- Improve error message when image is not found in registry (https://github.com/sigstore/cosign/pull/1410)
- add root status output (https://github.com/sigstore/cosign/pull/1404)
- feat: login command (https://github.com/sigstore/cosign/pull/1398)
- Minor refactor to verify SCT and Rekor entry with multiple keys (https://github.com/sigstore/cosign/pull/1396)
- Add Cosign logo to README (https://github.com/sigstore/cosign/pull/1395)
- Add '--timeout' support to 'sign' command (https://github.com/sigstore/cosign/pull/1379)
Bug Fixes
- bug fix: import ed25519 keys and fix error handling (https://github.com/sigstore/cosign/pull/1518)
- Fix wording on attach attestation help (https://github.com/sigstore/cosign/pull/1480)
- fix(sign): kms unsupported message (https://github.com/sigstore/cosign/pull/1475)
- Fix incorrect error check when verifying SCT (https://github.com/sigstore/cosign/pull/1422)
- make imageRef lowercase before parsing (https://github.com/sigstore/cosign/pull/1409)
- Add a new line after password input (https://github.com/sigstore/cosign/pull/1407)
- Fix comparison in replace option for attestation (https://github.com/sigstore/cosign/pull/1366)
Documentation
- Quay OCI Support in README (https://github.com/sigstore/cosign/pull/1539)
- feat: nominate Dentrax as codeowner (https://github.com/sigstore/cosign/pull/1492)
- add initial changelog for 1.5.2 (https://github.com/sigstore/cosign/pull/1483)
- fix tkn link in readme (https://github.com/sigstore/cosign/pull/1459)
- Add FEATURES.md and DEPRECATIONS.md (https://github.com/sigstore/cosign/pull/1429)
- Update the cosign keyless documentation to point to the GA release. (https://github.com/sigstore/cosign/pull/1427)
- Fix link for SECURITY.md (https://github.com/sigstore/cosign/pull/1399)
Others
- Consistent parenthesis use in Makefile (https://github.com/sigstore/cosign/pull/1541)
- Bump github.com/xanzy/go-gitlab from 0.55.1 to 0.56.0 (https://github.com/sigstore/cosign/pull/1538)
- add rpm, deb and apks for cosign packages (https://github.com/sigstore/cosign/pull/1537)
- update github.com/hashicorp/vault/sdk, codegen and go module to 1.17 (https://github.com/sigstore/cosign/pull/1536)
- images: remove --bare flags that conflict with --base-import-paths (https://github.com/sigstore/cosign/pull/1533)
- Bump actions/checkout from 2 to 3 (https://github.com/sigstore/cosign/pull/1531)
- Add codecov as github action, set permissions to read content only (https://github.com/sigstore/cosign/pull/1530)
- Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.11 to 2.0.0-beta.12 (https://github.com/sigstore/cosign/pull/1528)
- Bump actions/setup-go from 2 to 3 (https://github.com/sigstore/cosign/pull/1527)
- Bump golangci/golangci-lint-action from 3.0.0 to 3.1.0 (https://github.com/sigstore/cosign/pull/1526)
- Bump mikefarah/yq from 4.20.2 to 4.21.1 (https://github.com/sigstore/cosign/pull/1525)
- Bump github.com/secure-systems-lab/go-securesystemslib (https://github.com/sigstore/cosign/pull/1524)
- chore(ci): add artifact hub support (https://github.com/sigstore/cosign/pull/1522)
- optimize codeql speed by using caching and tracing (https://github.com/sigstore/cosign/pull/1519)
- Bump golangci/golangci-lint-action from 2.5.2 to 3 (https://github.com/sigstore/cosign/pull/1516)
- Bump github/codeql-action from 1.1.2 to 1.1.3 (https://github.com/sigstore/cosign/pull/1512)
- Bump mikefarah/yq from 4.16.2 to 4.20.2 (https://github.com/sigstore/cosign/pull/1510)
- Bump github.com/go-openapi/runtime from 0.23.0 to 0.23.1 (https://github.com/sigstore/cosign/pull/1507)
- Bump go.uber.org/zap from 1.20.0 to 1.21.0 (https://github.com/sigstore/cosign/pull/1509)
- Bump actions/setup-go from 2.1.5 to 2.2.0 (https://github.com/sigstore/cosign/pull/1495)
- Bump google-github-actions/auth from 0.4.4 to 0.6.0 (https://github.com/sigstore/cosign/pull/1501)
- Bump ossf/scorecard-action (https://github.com/sigstore/cosign/pull/1502)
- Bump google.golang.org/api from 0.69.0 to 0.70.0 (https://github.com/sigstore/cosign/pull/1500)
- Bump sigstore/cosign-installer from 1.4.1 to 2.0.1 (https://github.com/sigstore/cosign/pull/1496)
- Bump actions/github-script from 4.1.1 to 6 (https://github.com/sigstore/cosign/pull/1497)
- Update github/codeql-action requirement to d39d5d5c9707b926d517b1b292905ef4c03aa777 (https://github.com/sigstore/cosign/pull/1498)
- Bump google-github-actions/setup-gcloud from 0.3.0 to 0.5.1 (https://github.com/sigstore/cosign/pull/1499)
- chore(makefile): use kocache, convert publish to build (https://github.com/sigstore/cosign/pull/1488)
- Bump cloud.google.com/go/storage from 1.20.0 to 1.21.0 (https://github.com/sigstore/cosign/pull/1481)
- update changelog (https://github.com/sigstore/cosign/pull/1485)
- fix lint (https://github.com/sigstore/cosign/pull/1484)
- update go-tuf and simplify TUF client code (https://github.com/sigstore/cosign/pull/1455)
- Bump sigstore/sigstore to pick up the kms change and the monkey-patch work. (https://github.com/sigstore/cosign/pull/1479)
- refactor release cloudbuild job (https://github.com/sigstore/cosign/pull/1476)
- increase timeout for goreleaser snapshot (https://github.com/sigstore/cosign/pull/1473)
- Double goreleaser timeout (https://github.com/sigstore/cosign/pull/1472)
- Bump google.golang.org/api from 0.68.0 to 0.69.0 (https://github.com/sigstore/cosign/pull/1469)
- tests: '/bin/bash' -> '/usr/bin/env bash' (https://github.com/sigstore/cosign/pull/1470)
- Bump the gitlab library and add a nil opt for the API change. (https://github.com/sigstore/cosign/pull/1466)
- Bump webhook timeout. (https://github.com/sigstore/cosign/pull/1465)
- update cross-build to use go 1.17.7 (https://github.com/sigstore/cosign/pull/1446)
- Bump go-containerregistry, pick up new features (https://github.com/sigstore/cosign/pull/1442)
- update cross-build image which adds goimports (https://github.com/sigstore/cosign/pull/1435)
- Bump google.golang.org/api from 0.67.0 to 0.68.0 (https://github.com/sigstore/cosign/pull/1434)
- Skip the ReadWrite test that flakes on Windows. (https://github.com/sigstore/cosign/pull/1415)
- Bump github.com/go-openapi/strfmt from 0.21.1 to 0.21.2 (https://github.com/sigstore/cosign/pull/1411)
- Bump github.com/go-openapi/runtime from 0.22.0 to 0.23.0 (https://github.com/sigstore/cosign/pull/1412)
- Bump cloud.google.com/go/storage from 1.19.0 to 1.20.0 (https://github.com/sigstore/cosign/pull/1403)
- Bump google.golang.org/api from 0.66.0 to 0.67.0 (https://github.com/sigstore/cosign/pull/1402)
- Bump cuelang.org/go from 0.4.1 to 0.4.2 (https://github.com/sigstore/cosign/pull/1401)
- update cosign and cross-build image for the release job (https://github.com/sigstore/cosign/pull/1400)
- Bump github.com/xanzy/go-gitlab from 0.54.3 to 0.54.4 (https://github.com/sigstore/cosign/pull/1391)
- Bump github.com/go-openapi/swag from 0.20.0 to 0.21.1 (https://github.com/sigstore/cosign/pull/1386)
- Fix double 'time' import in e2e tests (https://github.com/sigstore/cosign/pull/1388)
- Bump github.com/go-openapi/swag from 0.19.15 to 0.20.0 (https://github.com/sigstore/cosign/pull/1383)
- Bump github.com/go-openapi/runtime from 0.21.1 to 0.22.0 (https://github.com/sigstore/cosign/pull/1382)
- add changelog for 1.5.1 release (https://github.com/sigstore/cosign/pull/1376)
Contributors
- Andrew Block (@sabre1041)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Blake Burkhart (@bburky)
- Bob Callaway (@bobcallaway)
- Carlos Tadeu Panato Junior (@cpanato)
- Christian Kotzbauer (@ckotzbauer)
- Christopher Angelo Phillips (@spiffcs)
- Dan Lorenc (@dlorenc)
- Dan Luhring (@luhring)
- Furkan Türkal (@Dentrax)
- Hayden Blauzvern (@haydentherapper)
- Jason Hall (@imjasonh)
- Josh Dolitsky (@jdolitsky)
- Kenny Leung (@k4leung4)
- Matt Moore (@mattmoor)
- Marco Franssen (@marcofranssen)
- Nathan Smith (@nsmith5)
- Priya Wadhwa (@priyawadhwa)
- Sascha Grunert (@saschagrunert)
- Scott Nichols (@n3wscott)
- Teppei Fukuda (@knqyf263)
- Ville Aikas (@vaikas)
- Yongxuan Zhang (@Yongxuanzhang)
- Zack Newman (@znewman01)
-
v1.5.2 Changes
Security Fixes
- CVE-2022-23649 - Make sure signature in Rekor bundle matches signature being verified
Others
- refactor release cloudbuild job (https://github.com/sigstore/cosign/pull/1476)
- increase timeout for goreleaser snapshot (https://github.com/sigstore/cosign/pull/1473)
- Double goreleaser timeout (https://github.com/sigstore/cosign/pull/1472)
- Bump webhook timeout. (https://github.com/sigstore/cosign/pull/1465)
- convert release cosigned to also generate yaml artifact. (https://github.com/sigstore/cosign/pull/1453)
- feat: add -buildid= to ldflags (https://github.com/sigstore/cosign/pull/1451)
- update cross-build to use go 1.17.7 (https://github.com/sigstore/cosign/pull/1446)
Contributors
- Batuhan Apaydın (@developer-guy)
- Carlos Tadeu Panato Junior (@cpanato)
- Dan Lorenc (@dlorenc)
- Kenny Leung (@k4leung4)
- Matt Moore (@mattmoor)
- Nathan Smith (@nsmith5)
- Priya Wadhwa (@priyawadhwa)
- Zack Newman (@znewman01)
-
v1.5.1 Changes
Bug Fixes
- add check to make sure the go modules are in sync (https://github.com/sigstore/cosign/pull/1369)
- Update verify-blob to support DSSEs (https://github.com/sigstore/cosign/pull/1355)
Documentation
- docs: verify-attestation cue and rego policy doc (https://github.com/sigstore/cosign/pull/1362)
- README: fix link to race conditions (https://github.com/sigstore/cosign/pull/1367)
Others
- Bump sigstore/sigstore to pick up oidc login for vault. (https://github.com/sigstore/cosign/pull/1377)
- Bump google.golang.org/api from 0.65.0 to 0.66.0 (https://github.com/sigstore/cosign/pull/1371)
- expose default fulcio, rekor, oidc issuer urls (https://github.com/sigstore/cosign/pull/1368)
- Bump cloud.google.com/go/storage from 1.18.2 to 1.19.0 (https://github.com/sigstore/cosign/pull/1365)
- organize, update select deps (https://github.com/sigstore/cosign/pull/1358)
- Bump go-containerregistry to pick up ACR keychain fix (https://github.com/sigstore/cosign/pull/1357)
- Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (https://github.com/sigstore/cosign/pull/1352)
- sync go modules (https://github.com/sigstore/cosign/pull/1353)
Contributors
- Batuhan Apaydın (@developer-guy)
- Carlos Tadeu Panato Junior (@cpanato)
- Dan Lorenc (@dlorenc)
- Jake Sanders (@dekkagaijin)
- Jason Hall (@imjasonh)
- Mark Lodato (@MarkLodato)
- Rémy Greinhofer (@rgreinho)
-
v1.5.0 Changes
Highlights
- enable sbom generation when releasing (https://github.com/sigstore/cosign/pull/1261)
- feat: log error to stderr (https://github.com/sigstore/cosign/pull/1260)
- feat: support attach attestation (https://github.com/sigstore/cosign/pull/1253)
- feat: resolve --cert from URL (https://github.com/sigstore/cosign/pull/1245)
- feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1237)
- feat: vuln attest support (https://github.com/sigstore/cosign/pull/1168)
- feat: add ambient credential detection with spiffe/spire (https://github.com/sigstore/cosign/pull/1220)
- feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1236)
- feat: implement cosign download attestation (https://github.com/sigstore/cosign/pull/1216)
Enhancements
- Don't use k8schain, statically link cloud cred helpers in cosign (https://github.com/sigstore/cosign/pull/1279)
- Export function to verify individual signature (https://github.com/sigstore/cosign/pull/1334)
- Add suffix with digest to signature file output for recursive signing (https://github.com/sigstore/cosign/pull/1267)
- Take OIDC client secret into account (https://github.com/sigstore/cosign/pull/1310)
- Add --bundle flag to sign-blob and verify-blob (https://github.com/sigstore/cosign/pull/1306)
- Add flag to verify OIDC issuer in certificate (https://github.com/sigstore/cosign/pull/1308)
- add OSSF scorecard action (https://github.com/sigstore/cosign/pull/1318)
- Add TUF timestamp to attestation bundle (https://github.com/sigstore/cosign/pull/1316)
- Provide certificate flags to all verify commands (https://github.com/sigstore/cosign/pull/1305)
- Bundle TUF timestamp with signature on signing (https://github.com/sigstore/cosign/pull/1294)
- Add support for importing PKCS#8 private keys, and add validation (https://github.com/sigstore/cosign/pull/1300)
- add error message (https://github.com/sigstore/cosign/pull/1296)
- Move bundle out of 'oci' and into 'bundle' package (https://github.com/sigstore/cosign/pull/1295)
- Reorganize verify-blob code and add a unit test (https://github.com/sigstore/cosign/pull/1286)
- One-to-one mapping of invocation to scan result (https://github.com/sigstore/cosign/pull/1268)
- refactor common utilities (https://github.com/sigstore/cosign/pull/1266)
- Importing RSA and EC keypairs (https://github.com/sigstore/cosign/pull/1050)
- Refactor the tuf client code. (https://github.com/sigstore/cosign/pull/1252)
- Moved certificate output before checking for upload during signing (https://github.com/sigstore/cosign/pull/1255)
- Remove remaining ioutil usage (https://github.com/sigstore/cosign/pull/1256)
- Update the embedded TUF metadata. (https://github.com/sigstore/cosign/pull/1251)
- Add support for other public key types for SCT verification, allow override for testing. (https://github.com/sigstore/cosign/pull/1241)
- Log the proper remote repo for the signatures on verify (https://github.com/sigstore/cosign/pull/1243)
- Do not require multiple Fulcio certs in the TUF root (https://github.com/sigstore/cosign/pull/1230)
- clean up references to 'keyless' in 'ephemeral.Signer' (https://github.com/sigstore/cosign/pull/1225)
- create 'DSSEAttestor' interface, 'payload.DSSEAttestor' implementation (https://github.com/sigstore/cosign/pull/1221)
- use 'mutate.Signature' in the new 'Signer's (https://github.com/sigstore/cosign/pull/1213)
- create 'mutate' functions for 'oci.Signature' (https://github.com/sigstore/cosign/pull/1199)
- add a writeable '$HOME' for the 'nonroot' cosigned user (https://github.com/sigstore/cosign/pull/1209)
- signing attestation should private key (https://github.com/sigstore/cosign/pull/1200)
- Remove the "upload" flag for "cosign initialize" (https://github.com/sigstore/cosign/pull/1201)
- create KeylessSigner (https://github.com/sigstore/cosign/pull/1189)
Bug Fixes
- fix: cosign verify for vault (https://github.com/sigstore/cosign/pull/1328)
- fix missing goimports (https://github.com/sigstore/cosign/pull/1327)
- Fix TestSignBlobBundle (https://github.com/sigstore/cosign/pull/1320)
- Fix a couple bugs in cert verification for blobs (https://github.com/sigstore/cosign/pull/1287)
- Fix a few bugs in cosign initialize (https://github.com/sigstore/cosign/pull/1280)
- Fix the unit tests with expired TUF metadata. (https://github.com/sigstore/cosign/pull/1270)
- Fix output-file flag. (https://github.com/sigstore/cosign/pull/1264)
- fix: typo in the error message (https://github.com/sigstore/cosign/pull/1250)
- Fix semantic bugs in attestation verification. (https://github.com/sigstore/cosign/pull/1249)
- Fix semantic bug in DSSE specification. (https://github.com/sigstore/cosign/pull/1248)
Others
- Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (https://github.com/sigstore/cosign/pull/1343)
- Bump recommended Go development version in README (https://github.com/sigstore/cosign/pull/1340)
- Bump the snapshot and timestamp roles metadata from root signing. (https://github.com/sigstore/cosign/pull/1339)
- Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.10 to 2.0.0-beta.11 (https://github.com/sigstore/cosign/pull/1336)
- update go-github to v42 release (https://github.com/sigstore/cosign/pull/1335)
- install latest release for ko instead of head of main branch (https://github.com/sigstore/cosign/pull/1333)
- remove wrong settings in the gco auth for gh actions (https://github.com/sigstore/cosign/pull/1332)
- update gcp setup for the GH action (https://github.com/sigstore/cosign/pull/1330)
- update some dependencies (https://github.com/sigstore/cosign/pull/1326)
- Verify checksum of downloaded utilities during CI (https://github.com/sigstore/cosign/pull/1322)
- pin github actions by digest (https://github.com/sigstore/cosign/pull/1319)
- Bump google.golang.org/api from 0.64.0 to 0.65.0 (https://github.com/sigstore/cosign/pull/1303)
- Bump cuelang.org/go from 0.4.0 to 0.4.1 (https://github.com/sigstore/cosign/pull/1302)
- Bump github.com/xanzy/go-gitlab from 0.54.2 to 0.54.3 (https://github.com/sigstore/cosign/pull/1292)
- update import documentation (https://github.com/sigstore/cosign/pull/1290)
- update release image to use go 1.17.6 (https://github.com/sigstore/cosign/pull/1284)
- Bump google.golang.org/api. (https://github.com/sigstore/cosign/pull/1283)
- Bump opa and go-gitlab. (https://github.com/sigstore/cosign/pull/1281)
- Update SBOM spec to indicate compat for syft (https://github.com/sigstore/cosign/pull/1278)
- Bump miekg/pkcs11 (https://github.com/sigstore/cosign/pull/1275)
- Update signature spec with timestamp annotation (https://github.com/sigstore/cosign/pull/1274)
- Pick up latest knative.dev/pkg, and k8s 0.22 libs (https://github.com/sigstore/cosign/pull/1269)
- Bump sigstore/sigstore. (https://github.com/sigstore/cosign/pull/1247)
- Spelling (https://github.com/sigstore/cosign/pull/1246)
- Use ${{github.repository}} placeholder in OIDC GitHub workflow (https://github.com/sigstore/cosign/pull/1244)
- update codeowners list with missing codeowners (https://github.com/sigstore/cosign/pull/1238)
- update build images for release and bump cosign in the release job (https://github.com/sigstore/cosign/pull/1234)
- update deps (https://github.com/sigstore/cosign/pull/1222)
- nit: add comments to 'Signer' interface (https://github.com/sigstore/cosign/pull/1228)
- update google.golang.org/api from 0.62.0 to 0.63.0 (https://github.com/sigstore/cosign/pull/1214)
- update snapshot and timestamp (https://github.com/sigstore/cosign/pull/1211)
- Bump github.com/spf13/viper from 1.9.0 to 1.10.0 (https://github.com/sigstore/cosign/pull/1198)
- Bump the DSSE library and handle manual changes in the API. (https://github.com/sigstore/cosign/pull/1191)
- nit: drop every section title down a level (https://github.com/sigstore/cosign/pull/1188)
Contributors
- Andrew Block (@sabre1041)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Bob Callaway (@bobcallaway)
- Carlos Alexandro Becker (@caarlos0)
- Carlos Tadeu Panato Junior (@cpanato)
- Dan Lorenc (@dlorenc)
- Hayden Blauzvern (@haydentherapper)
- Hector Fernandez (@hectorj2f)
- Itxaka (@Itxaka)
- Ivan Wallis (@venafi-iw)
- Jake Sanders (@dekkagaijin)
- Jason Hall (@imjasonh)
- Josh Dolitsky (@jdolitsky)
- Josh Soref (@jsoref)
- Matt Moore (@mattmoor)
- Morten Linderud (@Foxboron)
- Priya Wadhwa (@priyawadhwa)
- Radoslav Gerganov (@rgerganov)
- Rob Best (@ribbybibby)
- Sambhav Kothari (@samj1912)
- Ville Aikas (@vaikas)
- Zack Newman (@znewman01)
-
v1.4.1 Changes
Highlights
A whole buncha bugfixes!
Enhancements
- Files created with `--output-signature` and `--output-certificate` are now created with 0600 permissions (https://github.com/sigstore/cosign/pull/1151)
- Added `cosign verify-attestation --local-image` for verifying signed images with attestations from disk (https://github.com/sigstore/cosign/pull/1174)
- Added the ability to fetch the TUF root over HTTP with `cosign initialize --mirror` (https://github.com/sigstore/cosign/pull/1185)
Bug Fixes
- Fixed saving and loading a signed image index to disk (https://github.com/sigstore/cosign/pull/1147)
- Fixed `sign-blob --output-certificate` writing an empty file (https://github.com/sigstore/cosign/pull/1149)
- Fixed assorted issues related to the initialization and use of Sigstore's TUF root of trust (https://github.com/sigstore/cosign/pull/1157)
Contributors
- Carlos Alexandro Becker (@caarlos0)
- Carlos Panato (@cpanato)
- Hayden Blauzvern (@haydentherapper)
- Jake Sanders (@dekkagaijin)
- Matt Moore (@mattmoor)
- Priya Wadhwa (@priyawadhwa)
- Radoslav Gerganov (@rgerganov)
-
v1.4.0 Changes
Highlights
- BREAKING [COSIGN_EXPERIMENTAL]: This and future `cosign` releases will generate signatures that do not validate in older versions of `cosign`. This only applies to "keyless" experimental mode. To opt out of this behavior, use `--fulcio-url=https://fulcio.sigstore.dev` when signing payloads (https://github.com/sigstore/cosign/pull/1127)
- BREAKING [cosign/pkg]: `SignedEntryTimestamp` is now of type `[]byte`. To get the previous behavior, call `strfmt.Base64(SignedEntryTimestamp)` (https://github.com/sigstore/cosign/pull/1083)
- `cosign-linux-pivkey-amd64` releases are now of the form `cosign-linux-pivkey-pkcs11key-amd64` (https://github.com/sigstore/cosign/pull/1052)
- Releases are now additionally signed using the keyless workflow (https://github.com/sigstore/cosign/pull/1073, https://github.com/sigstore/cosign/pull/1111)
Enhancements
- Validate the whole attestation statement, not just the predicate (https://github.com/sigstore/cosign/pull/1035)
- Added the option to replace attestations using `cosign attest --replace` (https://github.com/sigstore/cosign/pull/1039)
- Added URI to `cosign verify-blob` output (https://github.com/sigstore/cosign/pull/1047)
- Signatures and certificates created by `cosign sign` and `cosign sign-blob` can be output to file using the `--output-signature` and `--output-certificate` flags, respectively (https://github.com/sigstore/cosign/pull/1016, https://github.com/sigstore/cosign/pull/1093, https://github.com/sigstore/cosign/pull/1066, https://github.com/sigstore/cosign/pull/1095)
- [cosign/pkg] Added the `pkg/oci/layout` package for storing signatures and attestations on disk (https://github.com/sigstore/cosign/pull/1040, https://github.com/sigstore/cosign/pull/1096)
- [cosign/pkg] Added `mutate` methods to attach `oci.File`s to `oci.Signed*` objects (https://github.com/sigstore/cosign/pull/1084)
- Added the `--signature-digest-algorithm` flag to `cosign verify`, allowing verification of container image signatures which were generated with a non-SHA256 signature algorithm (https://github.com/sigstore/cosign/pull/1071)
- Builds should now be reproducible (https://github.com/sigstore/cosign/pull/1053)
- Allows base64 files as `--cert` in `cosign verify-blob` (https://github.com/sigstore/cosign/pull/1088)
- Kubernetes secrets generated for version >= 1.21 clusters have the immutable bit set (https://github.com/sigstore/cosign/pull/1091)
- Added `cosign save` and `cosign load` commands to save and upload container images and associated signatures to disk (https://github.com/sigstore/cosign/pull/1094)
- `cosign sign` will no longer fail to sign private images in keyless mode without `--force` (https://github.com/sigstore/cosign/pull/1116)
- `cosign verify` now supports signatures stored in files and remote URLs with `--signature` (https://github.com/sigstore/cosign/pull/1068)
- `cosign verify` now supports certs stored in files (https://github.com/sigstore/cosign/pull/1095)
- Added support for `syft` format in `cosign attach sbom` (https://github.com/sigstore/cosign/pull/1137)
Bug Fixes
- Fixed verification of Rekor bundles for InToto attestations (https://github.com/sigstore/cosign/pull/1030)
- Fixed a potential memory leak when signing and verifying with security keys (https://github.com/sigstore/cosign/pull/1113)
Contributors
- Ashley Davis (@SgtCoDFish)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Brandon Philips (@philips)
- Carlos Alexandro Becker (@caarlos0)
- Carlos Panato (@cpanato)
- Christian Rebischke (@shibumi)
- Dan Lorenc (@dlorenc)
- Erkan Zileli (@erkanzileli)
- Furkan Türkal (@Dentrax)
- garantir-km (@garantir-km)
- Jake Sanders (@dekkagaijin)
- jbpratt (@jbpratt)
- Matt Moore (@mattmoor)
- Mikey Strauss (@houdini91)
- Naveen Srinivasan (@naveensrinivasan)
- Priya Wadhwa (@priyawadhwa)
- Sambhav Kothari (@samj1912)
-
v1.3.1 Changes
- BREAKING [cosign/pkg]: `cosign.Verify` has been removed in favor of explicit `cosign.VerifyImageSignatures` and `cosign.VerifyImageAttestations` (https://github.com/sigstore/cosign/pull/1026)
Enhancements
- Add ability for verify-blob to find signing cert in transparency log (https://github.com/sigstore/cosign/pull/991)
- root policy: add optional issuer to maintainer keys (https://github.com/sigstore/cosign/pull/999)
- PKCS11 signing support (https://github.com/sigstore/cosign/pull/985)
- Included timeout option for uploading to Rekor (https://github.com/sigstore/cosign/pull/1001)
Bug Fixes
- Bump sigstore/sigstore to pick up a fix for azure kms (https://github.com/sigstore/cosign/pull/1011 / https://github.com/sigstore/cosign/pull/1028)
Contributors
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Carlos Panato (@cpanato)
- Dan Lorenc (@dlorenc)
- Dennis Leon (@DennisDenuto)
- Erkan Zileli (@erkanzileli)
- Furkan Türkal (@Dentrax)
- garantir-km (@garantir-km)
- Jake Sanders (@dekkagaijin)
- Naveen (@naveensrinivasan)