Skip to content

v2.4.3
Compare
Choose a tag to compare
@github-actions github-actions released this 08 May 15:15
· 191 commits to main since this release
v2.4.3
This tag was signed with the committer鈥檚 verified signature.
kate-goldenring Kate Goldenring
GPG key ID: A9C18EFC0318C1E0
Learn about vigilant mode.
ed8a665
This commit was created on GitHub.com and signed with GitHub鈥檚 verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.

Spin 2.4.3

This is a security patch release to resolve GHSA-f3h7-gpjj-wcvh

Fix: ed8a665

Verifying the Release Signature 馃攺

After downloading the v2.4.3 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.4.3 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Addendum: Due to #2502, the spin-v2.4.3-macos-amd64.tar.gz archive has been rebuilt, signed and uploaded manually.

The user identity that signed the artifact is @vdice via GitHub OAuth, so the full verification command is as follows:

cosign verify-blob \
  --signature spin.sig \
  --certificate crt.pem \
  --certificate-identity vaughn.dice@fermyon.com \
  --certificate-oidc-issuer https://github.com/login/oauth \
  spin

Full Changelog: v2.4.2...v2.4.3

Contributors

vdice
Assets 10