Releases: sigstore/cosign
v1.5.2 - CVE-2022-23649
This release contains fixes for CVE-2022-23649, affecting signature validations with Rekor. Only validation is affected; it is not necessary to re-sign any artifacts.
See: GHSA-ccxc-vr6p-4858
Changelog
- 8ffcd12 Cherry-pick release notes for 1.5.1 and 1.5.2 (#1487)
- c09e04a Cherry pick vulnerability PRs to release-1.5 (#1486)
- 52164f2 cherry picks to release-1.5 branch (#1482)
Thanks to all contributors!
v1.5.1
Changelog
- c3e4d8b Bump sigstore/sigstore to pick up oidc login for vault. (#1377)
- 8b77279 Bump google.golang.org/api from 0.65.0 to 0.66.0 (#1371)
- d2781b8 expose defaults fulcio, rekor, oidc issuer urls (#1368)
- 4921aa7 add check to make sure the go modules are in sync (#1369)
- 6575648 README: fix link to race conditions (#1367)
- e3024f4 Bump cloud.google.com/go/storage from 1.18.2 to 1.19.0 (#1365)
- e1e0153 docs: verify-attestation cue and rego policy doc (#1362)
- 21e6b80 Update verify-blob to support DSSEs (#1355)
- 79012c3 organize, update select deps (#1358)
- cd49449 Bump go-containerregistry to pick up ACR keychain fix (#1357)
- 239d4c4 Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (#1352)
- 44de8d1 sync go modules (#1353)
Thanks to all contributors!
Full Changelog: v1.5.0...v1.5.1
v1.5.0
Changelog
- 7572520 add ascii art when using the version command (#1349)
- 4c23b55 update cross builder image - the image is now signed using keyless method (#1348)
- 03a2778 Add vaikas to CODEOWNERS (#1347)
- f186ee3 add changelog for v1.5.0 (#1345)
- 9acdf64 Cache the location of the remote repository when running cosign initialize (#1315)
- e534409 Fix minor typo (a missing verb) in README (#1346)
- 22007e5 Don't use k8schain, statically link cloud cred helpers in cosign (#1279)
- a50bc9d Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (#1343)
- 1a92b50 Bump recommended Go development version in README (#1340)
- 1560c64 Bump the snapshot and timestamp roles metadata from root signing. (#1339)
- bca7ba6 Export function to verify individual signature (#1334)
- b0e81eb Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.10 to 2.0.0-beta.11 (#1336)
- a7838c5 update go-github to v42 release (#1335)
- b0848d1 install latest release for ko instead of head of main branch (#1333)
- 2f8c22e remove wrong settings in the gco auth for gh actions (#1332)
- fbf8dcb update gcp setup for the GH action (#1330)
- 888b392 fix: cosign verify for vault (#1328)
- e64cc10 update some dependencies (#1326)
- 461b032 fix missing goimports (#1327)
- 78ee720 Add suffix with digest to signature file output for recursive signing (#1267)
- 0532601 Take OIDC client secret into account (#1310)
- 475c99d Verify checksum of downloaded utilities during CI (#1322)
- 97509b9 pin github actions by digest (#1319)
- 4592c23 Fix TestSignBlobBundle (#1320)
- bad18e5 Add --bundle flag to sign-blob and verify-blob (#1306)
- 079e28d Add flag to verify OIDC issuer in certificate (#1308)
- 2c96cf3 Bump google.golang.org/api from 0.64.0 to 0.65.0 (#1303)
- 24914ac add OSSF scorecard action (#1318)
- 244c07a Add TUF timestamp to attestation bundle (#1316)
- 46cf94b Provide certificate flags to all verify commands (#1305)
- d58fc63 Bundle TUF timestamp with signature on signing (#1294)
- c49ba0b Bump cuelang.org/go from 0.4.0 to 0.4.1 (#1302)
- 754d33e Add support for importing PKCS#8 private keys, and add validation (#1300)
- aa0b8c1 add error message (#1296)
- a7bd67c Move bundle out of `oci` and into `bundle` package (#1295)
- 9368996 Bump github.com/xanzy/go-gitlab from 0.54.2 to 0.54.3 (#1292)
- ef380f0 update import documentation (#1290)
- e671216 Fix a couple bugs in cert verification for blobs (#1287)
- 76e691b Fix a few bugs in cosign initialize (#1280)
- b9d0d4a Reorganize verify-blob code and add a unit test (#1286)
- 419be8a update release image to use go 1.17.6 (#1284)
- 809b091 Bump google.golang.org/api. (#1283)
- 4376cca Bump opa and go-gitlab. (#1281)
- b6aaddc Update SBOM spec to indicate compat for syft (#1278)
- f19f4f7 Update signature spec with timestamp annotation (#1274)
- 7f54a8f Bump miekg/pkcs11 (#1275)
- 36cc106 Pick up latest knative.dev/pkg, and k8s 0.22 libs (#1269)
- 6af964c Fix the unit tests with expired TUF metadata. (#1270)
- 242f586 One-to-one mapping of invocation to scan result (#1268)
- 1a7f9d6 refactor common utilities (#1266)
- d89eb8e Fix output-file flag. (#1264)
- 9a27e1f Importing RSA and EC keypairs (#1050)
- 8194edd enable sbom generation when releasing (#1261)
- 0a4a68a feat: log error to stderr (#1260)
- 591601c feat: support attach attestation (#1253)
- 2e99320 Refactor the tuf client code. (#1252)
- dfc0347 Moved certificate output before checking for upload during signing (#1255)
- c09d682 Remove remaining ioutil usage (#1256)
- 894a3bc Update the embedded TUF metadata. (#1251)
- 645c259 Bump sigstore/sigstore. (#1247)
- 4ecb43d fix: typo in the error message (#1250)
- 1df7fe4 Fix semantic bugs in attestation verification. (#1249)
- f32c1d7 Fix semantic bug in DSSE specification. (#1248)
- 4e4bbf6 Spelling (#1246)
- 7e5abbf feat: resolve --cert from URL (#1245)
- c360535 Add support for other public key types for SCT verification, allow override for testing. (#1241)
- 6f41b4b Log the proper remote repo for the signatures on verify (#1243)
- 24d43bd feat: generate/upload sbom for cosign projects (#1237)
- b3bd158 Use ${{github.repository}} placeholder in OIDC GitHub workflow (#1244)
- 47d936c update codeowners list with missing codeowners (#1238)
- 3dd690e feat: vuln attest support (#1168)
- 6a4afef feat: add ambient credential detection with spiffe/spire (#1220)
- 1104dfd feat: generate/upload sbom for cosign projects (#1236)
- 0c25819 update build images for release and bump cosign in the release job (#1234)
- ac8a7e9 feat: implement cosign download attestation (#1216)
- d318979 Do not require multiple Fulcio certs in the TUF root (#1230)
- 9da74c9 update deps (#1222)
- b2d6393 nit: add comments to `Signer` interface (#1228)
- f2e034d clean up references to 'keyless' in `ephemeral.Signer` (#1225)
- acf5900 create `DSSEAttestor` interface, `payload.DSSEAttestor` implementation (#1221)
- ca4544c update google.golang.org/api from 0.62.0 to 0.63.0 (#1214)
- 1feacab use `mutate.Signature` in the `newSigner`s (#1213)
- 28b03f7 create `mutate` functions for `oci.Signature` (#1199)
- 500cd40 update snapshot and timestamp (#1211)
- cbdc1b3 add a writeable `$HOME` for the `nonroot` cosigned user (#1209)
- 4d4c830 signing attestation should private key (#1200)
- 6e397c2 Remove the "upload" flag for "cosign initialize" (#1201)
- 008f860 create KeylessSigner (#1189)
- 2ad95b3 Bump github.com/spf13/viper from 1.9.0 to 1.10.0 (#1198)
- 3dac54a Bump the DSSE library and handle manual changes in the API. (#1191)
- cfd981e nit: drop every section title down a level (#1188)
Thanks to all contributors!
v1.4.1
A whole buncha bugfixes!
Enhancements
- Files created with `--output-signature` and `--output-certificate` are now created with 0600 permissions (#1151)
- Added `cosign verify-attestation --local-image` for verifying signed images with attestations from disk (#1174)
- Added the ability to fetch the TUF root over HTTP with `cosign initialize --mirror` (#1185)
Bug Fixes
- Fixed saving and loading a signed image index to disk (#1147)
- Fixed `sign-blob --output-certificate` writing an empty file (#1149)
- Fixed assorted issues related to the initialization and use of Sigstore's TUF root of trust (#1157)
Contributors
- Carlos Alexandro Becker (@caarlos0)
- Carlos Panato (@cpanato)
- Hayden Blauzvern (@haydentherapper)
- Jake Sanders (@dekkagaijin)
- Matt Moore (@mattmoor)
- Priya Wadhwa (@priyawadhwa)
- Radoslav Gerganov (@rgerganov)
Changelog
- 934567a add 1.4.1 relnotes (#1186)
- fe3a030 Allow fetching TUF root from HTTP (#1185)
- d8e1795 update golang cross image to use go1.17.5 (#1184)
- 2e9d3d8 add e2e tests for Windows + PowerShell (#1177)
- 4c473e5 add tests for `cosign initialize` (#1182)
- b113e30 update go-tuf and use the newly exposed `Close()` (#1181)
- 5a5914f Add option to verify attestations from local image (#1174)
- d0d91ab add test for interactive private key password prompt (#1176)
- e5056ed enable e2e-test coverage for Win & OSX (#1166)
- dc744ea use a different repo for each e2e test against the registry (#1175)
- 4652b36 re-enable windows in e2e-with-binary, fix issues (#1172)
- 75e3d62 Bump GGCR to latest. (#1169)
- 287bb27 disable broken Windows e2e-with-binary (#1167)
- 8644a7a use `sync.Once` to init the global tuf root (#1163)
- 10b7f9d Add option to verify local image (#1159)
- bd8b7d5 bump k8s versions used for kind-e2e-cosigned (#1164)
- 1510379 Add make target for doc generation (#1162)
- 79a843b expand CI testing to Windows and OSX, fix issues uncovered (#1158)
- 9394f85 Pull in the new Fulcio client code. (#1126)
- dd53292 return error when rekor pub cannot be retrieved, fix file path construction (#1157)
- a684c45 add job to run some e2e tests to sign an artifact and check the outputs (#1154)
- 96c02ba fix: improve perms, error handling (#1151)
- ab632c8 update `crane` (#1150)
- b454d08 cosigned: add version to cosigned (#1139)
- 26c99d8 fix: --output-certificate not working properly (#1149)
- 430080f Fix bug when saving and loading an image index (#1147)
- 39e6540 `sign-blob` `--output` -> `--output-signature` (#1148)
Thanks to all contributors!
v1.4.0
Highlights
- BREAKING [COSIGN_EXPERIMENTAL]: This and future `cosign` releases will generate signatures that do not validate in older versions of `cosign`. This only applies to "keyless" experimental mode. To opt out of this behavior, use `--fulcio-url=https://fulcio.sigstore.dev` when signing payloads (#1127)
- BREAKING [cosign/pkg]: `SignedEntryTimestamp` is now of type `[]byte`. To get the previous behavior, call `strfmt.Base64(SignedEntryTimestamp)` (#1083)
- `cosign-linux-pivkey-amd64` releases are now of the form `cosign-linux-pivkey-pkcs11key-amd64` (#1052)
- Releases are now additionally signed using the keyless workflow (#1073, #1111)
Enhancements
- Validate the whole attestation statement, not just the predicate (#1035)
- Added the option to replace attestations using `cosign attest --replace` (#1039)
- Added URI to `cosign verify-blob` output (#1047)
- Signatures and certificates created by `cosign sign` and `cosign sign-blob` can be output to file using the `--output-signature` and `--output-certificate` flags, respectively (#1016, #1093, #1066, #1095)
- [cosign/pkg] Added the `pkg/oci/layout` package for storing signatures and attestations on disk (#1040, #1096)
- [cosign/pkg] Added `mutate` methods to attach `oci.File`s to `oci.Signed*` objects (#1084)
- Added the `--signature-digest-algorithm` flag to `cosign verify`, allowing verification of container image signatures which were generated with a non-SHA256 signature algorithm (#1071)
- Builds should now be reproducible (#1053)
- Allows base64 files as `--cert` in `cosign verify-blob` (#1088)
- Kubernetes secrets generated for version >= 1.21 clusters have the immutable bit set (#1091)
- Added `cosign save` and `cosign load` commands to save and upload container images and associated signatures to disk (#1094)
- `cosign sign` will no longer fail to sign private images in keyless mode without `--force` (#1116)
- `cosign verify` now supports signatures stored in files and remote URLs with `--signature` (#1068)
- `cosign verify` now supports certs stored in files (#1095)
- Added support for `syft` format in `cosign attach sbom` (#1137)
Bug Fixes
- Fixed verification of Rekor bundles for InToto attestations (#1030)
- Fixed a potential memory leak when signing and verifying with security keys (#1113)
Contributors
- Ashley Davis (@SgtCoDFish)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Brandon Philips (@philips)
- Carlos Alexandro Becker (@caarlos0)
- Carlos Panato (@cpanato)
- Christian Rebischke (@shibumi)
- Dan Lorenc (@dlorenc)
- Erkan Zileli (@erkanzileli)
- Furkan Türkal (@Dentrax)
- garantir-km (@garantir-km)
- Jake Sanders (@dekkagaijin)
- jbpratt (@jbpratt)
- Matt Moore (@mattmoor)
- Mikey Strauss (@houdini91)
- Naveen Srinivasan (@naveensrinivasan)
- Priya Wadhwa (@priyawadhwa)
- Sambhav Kothari (@samj1912)
Changelog
- 50315fc remove obsolete `--output` flag (#1146)
- a1efb18 add relnotes for v1.4.0 (#1145)
- a47a835 feat: enable --check flag of addlicense (#1135)
- e48db5a Add support for syft json type to cosign (#1137)
- 7de7387 Use --recursive flag in sign example (#1143)
- 6d8cec1 Fixed a typo in README.md (#1142)
- 63e9342 cjson - Move to go-securesystemslib (#1141)
- e233ce8 update ghcr.io/gythialy/golang-cross to use go 1.17.4 (#1133)
- a05dc7b Bump deps (#1132)
- 7e5ff00 send User-Agent string w/ rekor, fulcio, and ggcr HTTP requests (#1131)
- dbb2a17 Switch (temporarily) the fulcio endpoint to our new v1 service. (#1127)
- 9076d71 feat: sign --output-certificate and verify --cert (#1095)
- 034e946 Update output to note when signatures are pushed (#1117)
- 54fb569 feat: support signature file in verify cmd (#1068)
- ec00f69 Make the transparency log upload non-fatal. (#1116)
- 1da6742 have `rekor.NewSigner` accept a `*client.Rekor` instead of a URL (#1115)
- ac7e33c call Close() on security keys before returning error (#1113)
- 2294fd4 Add Fulcio v1 root to the cosign (#1112)
- 304c2b2 continued sign refacc (#1098)
- a035b27 add keyless to the binaries and send to tlog and update release docs (#1111)
- 9555f33 use hashed rekord type for tlog upload (#1081)
- 6fc942b plumb context through to tlog requests (#1103)
- fcc8256 minor: supply `ShouldUploadToTlog` with context (#1104)
- 690853e Bump non-k8s deps (#1102)
- 040ed3d feat(ci): Add Gofish support (#996)
- 79f0247 Bump go-containerregistry to pickup the update to image-spec (#1092)
- 2dc6e4f Add support for storing attestations in `oci/layout` (#1096)
- 98cf544 Update slsa-provenance predicate to v0.2 (#1054)
- 7ec91a4 Add `cosign save` and `cosign load` commands (#1094)
- e1141af refactoring signature logic (#1065)
- 4274149 fix: alias output to output-signature on sign-blob (#1093)
- 86bf37f feat(k8s): set secret immutable by default for 1.21 (#1091)
- 2cc9c9a Bump client-go and viper. (#1089)
- aff2e37 feat: verify-blob --cert base64 (#1088)
- 5586790 fix: reproducible builds (#1053)
- 1974064 Add flag for manually specifying a hash algo when verifying (#1071)
- 90e2dcf Prune a few dependencies from ./pkg/oci (#1085)
- eed3e12 Add `mutate.AttachFileTo*` for attaching SBOMs. (#1084)
- e1acd18 Drop `strfmt.Base64` from `pkg/oci`. (#1083)
- f8f0f6d Add layout package for writing and loading signatures from disk (#1040)
- 9cf8c3f Bump some deps that dependabot missed. (#1079)
- 18318ba implement output-signature and output-certificate flags (#1016)
- 857d9a5 adding keyless (#1073)
- 01b6c8f sync go mod (#1072)
- 943e824 feat: add output flag for signCmd (#1066)
- d673477 Add PKCS11 tag in releaser and Makefile for Mac and Windows (#1052)
- 413d06e fix root path (#1062)
- e868a54 cmd: update triangulate help command (#1061)
- d48fe25 verify-blob: add URI to verify-blob output (#1047)
- c5e3393 cmd: update clean command help (#1058)
- bada59e remove reverseDSSEVerifier in favor of using DSSE utilities directly (#1056)
- 3e43108 Remove img field from sigLayer (#1042)
- ccc4468 feat: replace option for same attestation (#1039)
- 5468ddc Patch support attestation log search and bundle to payload hash check (#1030)
- fe00315 README: simplify the install section (#1049)
- cd7e6a8 verify-blob: make the signature flag mandatory (#1045)
- 6ed55d6 split private signature and attestation verification fns (#1043)
- c338616 PKCS11: Fix certificate check (#1041)
- f1ec3a6 update ggcr to HEAD to eliminate (false) vuln finding (#1044)
- 89f3590 Adds a test to the cosigned e2e suite with multiple keys. (#943)
- c85db3a release: update cosign to 1.3.1 (#1038)
- 84c94b6 feat: validate whole statement not just predicate part (#1035)
Thanks to all contributors!
v1.3.1
Breaking Changes
- [cosign/pkg]: `cosign.Verify` has been removed in favor of explicit `cosign.VerifyImageSignatures` and `cosign.VerifyImageAttestations` (#1026)
Enhancements
- Add ability for verify-blob to find signing cert in transparency log (#991)
- root policy: add optional issuer to maintainer keys (#999)
- PKCS11 signing support (#985)
- Included timeout option for uploading to Rekor (#1001)
Bug Fixes
Contributors
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Carlos Panato (@cpanato)
- Dan Lorenc (@dlorenc)
- Dennis Leon (@DennisDenuto)
- Erkan Zileli (@erkanzileli)
- Furkan Türkal (@Dentrax)
- garantir-km (@garantir-km)
- Jake Sanders (@dekkagaijin)
- Naveen (@naveensrinivasan)
Changelog
645ebf0 add change to 1.3.1 changelog (#1036)
5a33731 remove `Verify` in favor of explicit `VerifyImage{Signatures, Attestations}` (#1026)
5d866c3 fix help msg upload=>no-upload (#1033)
076e179 add changelog for v1.3.1 (#1032)
c2c3a1d fix variable (#1031)
ff2104c ci: update oidc ci tests (#1029)
ce7cf28 update sigstore/sigstore to v1.0.1 (#1028)
0c771f8 Bump the thales pkcs11 library to v1.2.5 (#1009)
cb41bd4 make the purpose of secrets checked into `.github/workflows` explicit (#1025)
5a350e4 fix(doc): add an example for existing option on verify-blob command (#1024)
c0744b3 Add the missing GIT_HASH env var in the post-submit github-oidc.yaml action. (#1022)
88313ee Remove fuzzing check - unsupported go-fuzz (#1020)
d442592 Included timeout option for uploading to Rekor (#1001)
d3440b5 remove not needed dockerfiles (#1017)
82c9cee refactor release process to use ko to build the images (#1008)
55471fc Add an initial comparison document between nv2 and cosign. (#1014)
bb05c81 Bump sigstore/sigstore to pickup a fix for azure kms. (#1011)
db34c33 refactor version and add version command to sget (#1010)
391bac3 Bump k8s.io/apimachinery and opa. (#1004)
7066f12 PKCS11 signing support (#985)
9b9cd94 add optional issuer to root policy (#999)
5deaca0 Add ability for verify-blob to find signing cert in transparency log (#991)
6573dcd update automation to use 1.3.0 release (#997)
c6c032e update deps, `go mod tidy` (#994)
Thanks to all contributors!
v1.3.0
Release 1.3.0
Highlights
- BREAKING: `verify-manifest` is now `manifest verify` (#712)
- BREAKING: `/pkg` has been heavily refactored. Further refactoring work will make its way into 1.4.0
- WARNING: The CLI now uses POSIX-style (double-dash `--flag`) for long-form flags. It will temporarily accept the single-dash `-flag` form with a warning, which will become an error in a future release (#835)
- Added `sget` as part of Cosign's releases (#752)
- The `copasetic` utility was unceremoniously baleeted (#785)
Enhancements
- Began reworking `/pkg` around new abstractions for signing, verification, and storage (#666)
- Notice: refactoring of `/pkg` will continue in the next minor release (1.4.0). Please leave feedback, especially if you've been experimenting with `cosign` as a library and found it lacking (#844)
- GGCR-style libraries for interacting with images now exist under `pkg/oci` (#770)
- The `pkg/cosign/remote.UploadSignature` API has been removed in favor of the new `pkg/oci/remote` APIs (#774)
- The function signature of `cosign.Verify` was changed so that callers must be explicit about which signatures (or attestations) to verify. For matching signatures, see also `cosign.Verify{Signatures,Attestations}` (#782)
- Removed `cremote.UploadFile` in favor of `static.NewFile` and `remote.Write` (#797)
- Innumerable other improvements to the codebase and automation (Makin me look bad, @mattmoor)
- Migrated the CLI to `cobra` (Welcome to the team, @n3wscott)
- Added the `--allow-insecure-registry` flag to disable TLS verification when interacting with insecure (e.g. self-signed) container registries (#669)
- 🔒 `cosigned` now includes a mutating webhook that resolves image tags to digests (#800)
- 🔒 The `cosigned` validating webhook now requires image digest references (#799)
- The `cosigned` webhook now ignores resources that are being deleted (#803)
- The `cosigned` webhook now supports resolving private images that are authenticated via `imagePullSecrets` (#804)
- `manifest verify` now supports verifying images in all Kubernetes objects that fit within `PodSpec`, `PodSpecTemplate`, or `JobSpecTemplate`, including CRDs (#697)
- Added shell auto-completion support (Clutch collab from @erkanzileli, @passcod, and @Dentrax! #836)
- `cosign` has generated Markdown docs available in the `doc/` directory (#839)
- Added support for verifying with secrets from a Gitlab project (#934)
- Added a `--k8s-keychain` option that enables cosign to support ambient registry credentials based on the "k8schain" library (#972)
- CI (test) images are now created for every architecture distroless ships on (currently: amd64, arm64, arm, s390x, ppc64le) (#973)
- `attest`: replaced the `--upload` flag with a `--no-upload` flag (#979)
Bug Fixes
- `cosigned` now verifies `CronJob` images (Terve, @vaikas #809)
- Fixed the `verify` `--cert-email` option to actually work (Sweet as, @passcod #821)
- `public-key -sk` no longer causes `error: x509: unsupported public key type: *crypto.PublicKey` (#864)
- Fixed interactive terminal support in Windows (#871)
- The `-ct` flag is no longer ignored in `upload blob` (#910)
Contributors
- Aditya Sirish (@adityasaky)
- Asra Ali (@asraa)
- Axel Simon (@axelsimon)
- Batuhan Apaydın (@developer-guy)
- Brandon Mitchell (@sudo-bmitch)
- Carlos Panato (@cpanato)
- Chao Lin (@blackcat-lin)
- Dan Lorenc (@dlorenc)
- Dan Luhring (@luhring)
- Eng Zer Jun (@Juneezee)
- Erkan Zileli (@erkanzileli)
- Félix Saparelli (@passcod)
- Furkan Türkal (@Dentrax)
- Hector Fernandez (@hectorj2f)
- Ivan Font (@font)
- Jake Sanders (@dekkagaijin)
- Jason Hall (@imjasonh)
- Jim Bugwadia (@JimBugwadia)
- Joel Kamp (@mrjoelkamp)
- Luke Hinds (@lukehinds)
- Matt Moore (@mattmoor)
- Naveen (@naveensrinivasan)
- Olivier Gaumond (@oliviergaumond)
- Priya Wadhwa (@priyawadhwa)
- Radoslav Gerganov (@rgerganov)
- Ramkumar Chinchani (@rchincha)
- Rémy Greinhofer (@rgreinho)
- Scott Nichols (@n3wscott)
- Shubham Palriwala (@ShubhamPalriwala)
- Viacheslav Vasilyev (@avoidik)
- Ville Aikas (@vaikas)
Full Changelog
a91aa20 Fix the release (#987)
ae36ba5 update changelog for 1.3.0 (#986)
6d5f08c Bump opa and apis. (#980)
daa78e4 Add luhring to codeowners (#981)
58f8d20 Invert upload flag to allow for not uploading attestation (#979)
0ebe3b5 refactor: move from io/ioutil to io and os packages (#978)
79c0dc9 Remove commented out sections in CI configs (#960)
c875e7e Bump google.golang.org/api and github.com/go-openapi/strfmt. (#975)
bd469e7 Fixed modtime for reproducible goreleaser (#971)
70138fb Ship multi-arch images for all the cosign components. (#973)
fbe6fab Add support for using k8schain under a flag. (#972)
51803c2 Fix `cosign attach sbom` with `COSIGN_REPOSITORY`. (#970)
6f3aec5 Included trimpath in goreleaser (#968)
bfeb7d4 Add issuer URL to the verification blob. (#967)
c45f841 Have `download sbom` use the `Attachment` API. (#965)
068a277 Return better errors from `cosigned` (#964)
7957228 Make the DSSE wrapped private. (#966)
0bf537f release: fix registry name, push to gcr and not to ghcr (#958)
9314b85 Add a "filesystem" OIDC provider. (#956)
2f6560f Use setup-ko. (#957)
46e2740 Allow disabling `verifySCT`. (#955)
19fce84 Improve GitHub OIDC example (#954)
7c48e9a feat: extract pub key from GitLab (#941)
91bb398 fix codeql workflow permission (#951)
1f67ea7 cmd/policy: ability to pass expire days (#938)
7e295f1 Scorecard improvements (#949)
be6ab36 Reproducible builds with trimpath (#944)
b753a22 fix: Fixed multiple public keys issue (#942)
9f80297 Verify a signature using secrets from a gitlab project (#934)
9e304d1 Return k8schain error. (#937)
23ccfd8 fix: add dollars (#933)
0915b41 Document Red Hat Quay support (#929)
b2351d3 Add keyless signing w/ storage in rekor to FUN.md (#924)
9e406b3 fix issue 919 (#930)
617bc78 docs: fix broken link (#926)
fc58838 Bump go-github, go-gitlab, and cloudstorage. (#922)
f482fff Hook up k8schain to verification. (#920)
dcfb11d Don't ignore the media type flag to upload-blob! (#910)
0bab648 Add the OIDC options to `AttestOptions`. (#918)
f34112c Bump in-toto and cloud storage. (#909)
2594f7a Fix two bugs in the pivkey code related to cleanup and certs. (#912)
699fab4 Add Attachment to empty. (#911)
c9bf33a add `Attachment` to SignedEntity (#857)
7991c87 Bump dependencies and tidy. (#902)
7dd85a7 Fix the KO_VERSION variable in the post-merge container build. (#905)
19300db Replace predicate file path with io.Reader (#904)
42e5df0 Sign without pulling from the registry (#903)
7d2d51d update root ux (#747)
e2f034e feat: store public key within GitHub/GitLab variable (#900)
a1180fa Pin crane dependency used in e2e tests (#896)
c041930 verify: add support for rsapkcs15 keys (#851)
a9aa82b Fix verify-blob error message (#676) (#895)
5e54075 Fix verify command line options (#894)
aa1028f Fix CI (#897)
8e3be12 Add a test/example for signing using GitHub OIDC (#901)
0605155 fix: use GITLAB_HOST env var name (#899)
8588a92 fix: show reasons of the rego validations (#885)
4c5112c fix: safer way to install google/ko (#889)
37bcea0 Error with the filename provided (#891)
5499d63 chore: KO_VERSION as environment var (#886)
42ec945 Clarify how to install sget (#882)
a064fab Re-expose commands. (#883)
f85fe3f chore: add image details to the error msg (#875)
5302c87 add github&gitlab reference support to generate-key-pair (#848)
8a67024 fix: make isTerminal suitable for windows (#871)
a04f060 disable usage on errors (#878)
1bd3067 added keyvault doc (#870)
cc4ce1b Remove the preallocation of signatures slice. (#869)
2ba1605 Allow `cosigned` to validate `Fulcio` signatures. (#867)
b0408bf feat: add validation for predicates via cue or rego policy files support (#641)
278ad7d make `COSIGN_REPOSITORY` use explicit again (#860)
142e7ed fix `x509: unsupported public key type: *crypto.PublicKey` (#864)
c79fa81 `TagOptions` -> `ReferenceOptions` (#863)
5c1240b feat: add custom signature tag registry options (#808)
2f6a293 release: update golang-cross image to image tag v1.17.2 (#861)
d49fa54 [root policy] Add root policy signing (#856)
0142711 get rid of "." in default tag suffixes (#853)
2919bf0 `oic.` -> `oci.` (#852)
9962e87 Add changelog for v1.3.0 (#849)
37000c8 update select dependencies (#850)
e6d08d6 support user customizable predicates (#847)
75c326b move `make help` below the default rules so that naked `make` does the right thing (#845)
6c5c65f Only run CI on PRs and push to main or releases (#842)
06...
v1.2.1
v1.2.0
Enhancements
- BREAKING: move `verify-dockerfile` to `dockerfile verify` (#662)
- Have the keyless `cosign sign` flow use a single 3LO. (#665)
- Allow to `verify-blob` from urls (#646)
- Support GCP environments without workload identity (GCB). (#652)
- Switch the release cosign container to debug. (#649)
- Add logic to detect and use ambient OIDC from exec envs. (#644)
- Add `-cert-email` flag to provide the email expected from a fulcio cert to be valid (#622)
- Add support for downloading signature from remote (#629)
- Add sbom and attestations to triangulate (#628)
- Add cosign attachment signing and verification (#615)
- Embed CT log public key (#607)
- Verify SCTs returned by fulcio (#600)
- Add extra replacement variables and GCP's role identifier (#597)
- Store attestations in the layer (payload) rather than the annotation. (#579)
- Improve documentation about predicate type and change predicate type from provenance to slsaprovenance (#583)
- Upgrade in-toto-golang to adapt SLSA Provenance (#582)
Bug Fixes
- Fix verify-dockerfile to allow lowercase FROM (#643)
- Fix signing for the cosigned image. (#634)
- Make sure generate-key-pair doesn't overwrite existing key-pair (#623)
- helm/ci: update helm repo before installing the dependency (#598)
- Set the correct predicate type/URI for each supported predicate type. (#592)
- Warnings on admissionregistration version (#581)
- Remove unnecessary COSIGN_PASSWORD (#572)
Contributors
- Batuhan Apaydın
- Ben Walding
- Carlos Alexandro Becker
- Carlos Tadeu Panato Junior
- Erkan Zileli
- Hector Fernandez
- Jake Sanders
- Jason Hall
- Matt Moore
- Michael Lieberman
- Naveen Srinivasan
- Pradeep Chhetri
- Sambhav Kothari
- dlorenc
- priyawadhwa
Thank you to all our contributors!!
Changelog
aa5d23b CHANGELOG for cosign 1.2 (#668)
1b1cafc move `verify-dockerfile` to `dockerfile verify` (#662)
275e015 Have the keyless `cosign sign` flow use a single 3LO. (#665)
152eefb Move `LoadEcdsa...` into `pkg/cosign/keys.go` (#667)
c37c20e feat: allow to verify-blob from urls (#646)
b1e7ca2 Extract a `types` package for media and payload types. (#664)
e14b69d small typo (#663)
e055194 Provide a mechanism for downstream folks to avoid `_` imports. (#661)
b27c63a Split apart `fulcioverifier` for transparency log verification. (#660)
de598c1 Send log statement to STDERR (#659)
696a46a Remove unnecessary space after 'with index:' (#656)
3f83940 Support GCP environments without workload identity (GCB). (#652)
118399c Revert "Consistently use STDERR for output. (#647)" (#650)
60cf6b8 Refactor verification output. (#632)
f2a1276 Switch the release cosign container to debug. (#649)
f8f2e7a Pinned the dockerfile to sha256 (#619)
fefa881 Consistently use STDERR for output. (#647)
fb04df8 Refactor `cosigned` to take advantage of duck typing. (#637)
739947d Add logic to detect and use ambient OIDC from exec envs. (#644)
cb310df Fix verify-dockerfile to allow lowercase FROM (#643)
6d2fc54 docs: add remote url example for verify_blog cmd (#640)
248f849 add -cert-email flag to provide the email expected from a fulcio cert to be valid (#622)
59be0ee Break off a `fulcioroot` package. (#639)
56d7d96 Use a nonroot base image for ko-based images (#638)
efde83c Fix signing for the cosigned image. (#634)
508cc59 Drop the unused `apiReader` (#636)
6a1e1b5 Drop the distinction between Create/Update. (#635)
8d550b3 feat: add support for downloading signature from remote (#629)
cb0c46a Add ko targets for the webhook image. (#630)
53fbe01 Something changed in go 1.17 to make this a failure now. (#631)
a05fb65 Add sbom and attestations to triangulate (#628)
ff28387 Bump opa to v0.32.0 (#625)
b0e5c74 Bump k8s controller-runtime to v0.10.0. (#626)
de600d2 chore: cleanup Makefile targets (#627)
5abd51e Make sure generate-key-pair doesn't overwrite existing key-pair (#623)
40830f1 Modify golangci-lint installation (#624)
79fa380 Add cosign attachment signing and verification (#615)
de3f9d6 Bump go/storage. (#614)
c35f311 verify_blob: add missing help option to use the pub key from a remote (#616)
9906181 helm/cosigned: remove helm charts (#609)
842a81a Embed CT log public key (#607)
54c956c Actually bump dependencies and get healthy on go 1.17. (#606)
cb9f980 Verify SCTs returned by fulcio (#600)
c79ba73 Add extra replacement variables and GCP's role identifier (#597)
c875b79 helm/ci: update helm repo before installing the dependency (#598)
b41d57f Set the correct predicate type/URI for each supported predicate type. (#592)
584e63f chore: add a new CODEOWNER (#593)
b1c033d Make the warning around TUF roots a little less scary. (#590)
cosigned-v0.0.3-dev
The Helm chart for Cosigned