Skip to content

v1.12.0

Compare
Choose a tag to compare
@sigstore-bot sigstore-bot released this 14 Sep 16:13
· 1101 commits to main since this release
8483d6c

Note: This release comes with a fix for CVE-2022-36056 described in this Github Security Advisory. Please upgrade to this release ASAP

Highlights

BREAKING: The fix for GHSA-GHSA-8gw7-4j42-w388 (CVE-2022-36056) means that some verify-blob commands that used to work may not anymore. In particular:

  • When using verify-blob with signatures created with keyless mode, we require either COSIGN_EXPERIMENTAL=1 or a valid Rekor bundle for offline verification passed with --bundle.

If you upgrade and encounter other issues, please read the advisory in full; your prior checks may have been passing inappropriately.

What's Changed

New Contributors

Full Changelog: v1.11.1...v1.12.0