v1.8.0

@sigstore-bot sigstore-bot released this 27 Apr 14:16
9ef6b20

⚠️ NOTE: If you use Fulcio to issue certificates you will need to use this release.

What's Changed

  • Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.3 to 0.1.4 by @dependabot in #1620
  • Bump github.com/xanzy/go-gitlab from 0.62.0 to 0.63.0 by @dependabot in #1745
  • Bump mikefarah/yq from 4.24.2 to 4.24.4 by @dependabot in #1746
  • Move the KMS integration imports into the binary entrypoints by @mattmoor in #1744
  • [Cosigned] Convert functions for webhookCIP from v1alpha1 by @DennyHoang in #1736
  • Refactor policy related code, add support for vuln verify by @vaikas in #1747
  • Use bundle log ID to find verification key by @haydentherapper in #1748
  • [cosigned] The webhook name is now configurable via --webhook-name flag by @vpnachev in #1726
  • Add intermediate CA certificate pool for Fulcio by @haydentherapper in #1749
  • Bump github.com/spf13/viper from 1.10.1 to 1.11.0 by @dependabot in #1751
  • test: create fake TUF test root and create test SETs for verification by @asraa in #1750
  • update go builder and cosign images by @cpanato in #1755
  • Bump sigstore/cosign-installer from 2.2.0 to 2.2.1 by @dependabot in #1752
  • Implement identities, fix bug in webhook validation. by @vaikas in #1759
  • Validate issuer/subject regexp in validate webhook. by @vaikas in #1761
  • chore: add warning when attaching sBOMs by @hectorj2f in #1756
  • Verify embedded SCTs by @haydentherapper in #1731
  • chore: add warning when downloading a sBOM by @hectorj2f in #1763
  • [policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags by @vpnachev in #1757
  • Bump mikefarah/yq from 4.24.4 to 4.24.5 by @dependabot in #1765
  • Bump actions/checkout from 3.0.0 to 3.0.1 by @dependabot in #1764
  • Break the CIP action tests into a sh script. by @vaikas in #1767
  • tuf: add debug info if tuf update fails by @asraa in #1766
  • cosigned: add support for rsa keys by @hectorj2f in #1768
  • Cosigned validate against remote sig src by @DennyHoang in #1754
  • Add Fulcio intermediate CA certificate to intermediate pool by @haydentherapper in #1774
  • Bump codecov/codecov-action from 3.0.0 to 3.1.0 by @dependabot in #1784
  • fix: more informative error by @ybelMekk in #1778
  • Bump cuelang.org/go from 0.4.2 to 0.4.3 by @dependabot in #1779
  • Bump google.golang.org/api from 0.74.0 to 0.75.0 by @dependabot in #1780
  • Bump k8s.io/code-generator from 0.23.5 to 0.23.6 by @dependabot in #1781
  • Bump github.com/mitchellh/mapstructure from 1.4.3 to 1.5.0 by @dependabot in #1782
  • Bump actions/checkout from 3.0.1 to 3.0.2 by @dependabot in #1783
  • Run update-codegen. by @wlynch in #1789
  • Remove the dependency on v1alpha1.Identity which brings in unnecessary k8s deps. by @vaikas in #1790
  • Refactor fulcio signer to take in KeyOpts. by @wlynch in #1788
  • test: add cue unit tests by @hectorj2f in #1791
  • Attestations + policy in cip. by @vaikas in #1772
  • chore: add rego function to consume modules and evaluate them by @hectorj2f in #1787
  • Add parallelization for processing policies / authorities. by @vaikas in #1795
  • Allow passing keys via environment variables (env:// refs) by @znewman01 in #1794
  • Handle context cancelled properly + tests. by @vaikas in #1796
  • Fix a bug where an error would send duplicate results. by @vaikas in #1797
  • Revert "Refactor fulcio signer to take in KeyOpts. (#1788)" by @wlynch in #1798
  • Bump github.com/xanzy/go-gitlab from 0.63.0 to 0.64.0 by @dependabot in #1799
  • Bump google.golang.org/grpc from 1.45.0 to 1.46.0 by @dependabot in #1800
  • Bump google-github-actions/auth from 0.7.0 to 0.7.1 by @dependabot in #1801
  • Bump github.com/hashicorp/go-retryablehttp from 0.7.0 to 0.7.1 by @dependabot in #1758
  • cosigned: Unify cue data and policy before evaluating it by @hectorj2f in #1793
  • Don't fail open in VerifyBundle by @mtrmac in #1648
  • Load in intermediate cert pool from TUF by @haydentherapper in #1804
  • add changelog for release v1.8.0 by @cpanato in #1803
  • Support PKCS1 encoded and non-ECDSA CT log public keys by @haydentherapper in #1806

New Contributors

Full Changelog: v1.7.2...v1.8.0

Thanks to all contributors!