v2.3.0-rc.2

What's Changed

• docs(gh-action): update actions installer path by @sunnyyip in #581
• chore: update slsa provenance to v1 by @asraa in #579
• fix(deps): update github.com/sigstore/protobuf-specs digest to 91485b4 by @renovate-bot in #584
• chore(deps): update github/codeql-action action to v2.3.3 by @renovate-bot in #585

New Contributors

• @sunnyyip made their first contribution in #581

Full Changelog: v2.3.0-rc.1...v2.3.0-rc.2

v2.3.0-rc.1

What's Changed

• chore(deps): update github/codeql-action action to v2.3.2 by @renovate-bot in #569
• fix(deps): update github.com/sigstore/protobuf-specs digest to 13e09aa by @renovate-bot in #578
• feat: npm: Make package name and version mandatory for verification by @laurentsimon in #576
• chore(deps): update npm dev by @renovate-bot in #568
• feat: Use low-perms delegator for Node.js builder by @ianlewis in #577

Full Changelog: v2.3.0-rc.0...v2.3.0-rc.1

v2.3.0-rc.0

Summary

Initial support was added to the verify-npm-package command for the Node.js builder.

What's Changed

• docs: remove duplicated table of contents by @asraa in #557
• docs: Update docs for 2.2.0 release. by @ianlewis in #556
• fix: Slack badge by @ianlewis in #558
• chore(deps): update github-actions by @renovate-bot in #560
• chore(deps): update golang:1.19 docker digest to 9f2dd04 by @renovate-bot in #516
• chore(deps): update gcr.io/distroless/base:nonroot docker digest to 42311d8 by @renovate-bot in #504
• fix(deps): update github.com/sigstore/protobuf-specs digest to b6d2576 by @renovate-bot in #559
• feat: support for BYOB verification by @laurentsimon in #562
• fix: Read newer attestation file format by @ianlewis in #564

Full Changelog: v2.2.0...v2.3.0-rc.0

v2.2.0

Summary

Support was added for the --source-tag and --source-versioned-tag flags for GCB container provenance verification.

What's Changed

• fix: Update references check by @ianlewis in #533
• chore: update docs for release v2.1.0 by @asraa in #530
• feat: verification for provenance by @developer-guy in #537
• feat: GCB tag and versioned-tag support for containers by @laurentsimon in #540
• chore(deps): update github-actions (major) by @renovate-bot in #536
• fix(deps): update github.com/sigstore/protobuf-specs digest to c8a23a4 by @renovate-bot in #528
• chore(deps): update github-actions by @renovate-bot in #529
• chore: report scheduled release workflow failures by @asraa in #543
• fix: Support pre-releases on trusted repos by @ianlewis in #552
• chore(deps): update dependency typescript to v5 by @renovate-bot in #545
• fix(deps): update github.com/sigstore/protobuf-specs digest to 4dbf10b by @renovate-bot in #553
• chore(deps): update npm dev by @renovate-bot in #534
• chore(deps): update github-actions by @renovate-bot in #544
• docs: Update README.md by @drewroengoogle in #541
• fix(deps): update npm by @renovate-bot in #535

New Contributors

• @developer-guy made their first contribution in #537
• @drewroengoogle made their first contribution in #541

Full Changelog: v2.1.0...v2.2.0

v2.2.0-rc.0

Summary

Support was added for the --source-tag and --source-versioned-tag flags for GCB container provenance verification.

What's Changed

• fix: Update references check by @ianlewis in #533
• chore: update docs for release v2.1.0 by @asraa in #530
• feat: verification for provenance by @developer-guy in #537
• feat: GCB tag and versioned-tag support for containers by @laurentsimon in #540
• chore(deps): update github-actions (major) by @renovate-bot in #536
• fix(deps): update github.com/sigstore/protobuf-specs digest to c8a23a4 by @renovate-bot in #528
• chore(deps): update github-actions by @renovate-bot in #529
• chore: report scheduled release workflow failures by @asraa in #543
• fix: Support pre-releases on trusted repos by @ianlewis in #552
• chore(deps): update dependency typescript to v5 by @renovate-bot in #545
• fix(deps): update github.com/sigstore/protobuf-specs digest to 4dbf10b by @renovate-bot in #553
• chore(deps): update npm dev by @renovate-bot in #534
• chore(deps): update github-actions by @renovate-bot in #544
• docs: Update README.md by @drewroengoogle in #541
• fix(deps): update npm by @renovate-bot in #535

New Contributors

• @developer-guy made their first contribution in #537
• @drewroengoogle made their first contribution in #541

Full Changelog: v2.1.0...v2.1.1-rc.0

v2.1.0

Summary

This release adds support for:

• GCB V1's global signing key that uses PAE encoding for signing
• Installer Action to install the slsa-verifier in GitHub workflows. See Setup GitHub Action
• Verification of multiple artifacts via the CLI

Fixes:

• GCB now adds a prefix git+ to their material source URIs. This is fixed in #519

This release also includes the following experimental changes:

• npm package verification from the public registry via an SLSA_VERIFIER_EXPERIMENTAL=1 flag.
• Offline verification using a Sigstore bundle behind the SLSA_VERIFIER_EXPERIMENTAL=1 flag.

What's Changed

• feat: scheduled tests for installer Action by @laurentsimon in #398
• feat: allow version to be empty for Installer tests by @laurentsimon in #404
• chore: Add CODEOWNERS by @ianlewis in #401
• docs: update docs for release v2.0.1 by @asraa in #403
• fix: token permission in Installer scheduled tests by @laurentsimon in #407
• fix: permissions for script by @laurentsimon in #408
• fix: installer tests by @laurentsimon in #410
• ci: Use github.token to create issues by @ianlewis in #412
• ci: Add regression build tag by @ianlewis in #400
• feat: Enhance help message by @mihaimaruseac in #418
• ci: add git sign off to renovate-bot by @asraa in #420
• feat: Verify all artifacts passed in cmdline by @mihaimaruseac in #419
• fix: Expect at least one artifact in verification by @mihaimaruseac in #426
• fix: Use Run instead of RunE to handle usage/errors by @mihaimaruseac in #424
• fix: fix exit status on command execution errors by @asraa in #429
• ci: add verifier e2e presubmit that runs CLI at main by @asraa in #430
• fix: remove accidental checked in binary by @asraa in #432
• ci: Add large file pre-submit check by @ianlewis in #433
• ci: fix a deprecation warning by @suzuki-shunsuke in #435
• chore: release assets for multiple platforms by @suzuki-shunsuke in #434
• docs: Add instructions for GHA container generator by @ianlewis in #438
• ci: Add javascript to CodeQL analysis by @ianlewis in #413
• test: add v1.4.0 build tests for gha_go gha_generic and gha_generic_container by @asraa in #439
• chore: enable some Go linters by @asraa in #456
• test: add builder id tests for short form by @asraa in #455
• ci: Ensure all version references are up-to-date prior to release by @pnacht in #447
• feat: add experimental offline bundle signature verification by @asraa in #457
• refactor: generalize provenance out of predicate type info by @asraa in #463
• feat: add slsa v1?draft provenance experimental support by @asraa in #470
• feat: support branch and tag from slsa v1 provenance by @asraa in #476
• fix: use a uniform verifier interface for provenance type by @asraa in #478
• ci: Add go mod tidy to renovate post update by @ianlewis in #484
• test: add docker based spport and start adding tests by @asraa in #486
• test: Add test data for v1.5.0 by @ianlewis in #506
• feat: npm default runner support by @laurentsimon in #495
• feat: Update SLSA verifier to support a global signing key for GCB V1 which… by @khalkie in #509
• fix: fix GCB verification with git material source prefix by @asraa in #519
• feat: verify sourceURI for npm packages by @laurentsimon in #521
• docs: update installation to cover the Action and to receive updates by @laurentsimon in #523
• chore: add a file extension ".exe" to Windows artifacts by @suzuki-shunsuke in #527

New Contributors

• @mihaimaruseac made their first contribution in #418
• @pnacht made their first contribution in #447
• @khalkie made their first contribution in #509

Full Changelog: v2.0.1...v2.1.0

v2.0.1

v2.0.1

This patch release fixes the Go module path for the major version update to support installation via go install.
It also ensures a version is displayed in the version command.

Bug Fixes

• fix: fix the Go package version to v2 by @suzuki-shunsuke in #373
• fix: handle workflow input flag parsing by @asraa in #379
• fix: show version in version command by @laurentsimon in #392

What's Changed

• fix: fix the Go package version to v2 by @suzuki-shunsuke in #373
• docs: refer v2.0.0 in README by @suzuki-shunsuke in #375
• docs: add the checksum of v2.0.0 by @suzuki-shunsuke in #374
• docs: fix go install by @suzuki-shunsuke in #376
• fix: handle workflow input flag parsing by @asraa in #379
• docs: add release steps for a new major release by @asraa in #378
• docs: Add comment for signature decoding by @laurentsimon in #380
• fix: Fix error check for decodeSignature by @ianlewis in #385
• feat: add more tests for GCB verification by @laurentsimon in #389
• fix: show version in version command by @laurentsimon in #392
• feat: Add env variable to facilitate CI tests of Action installer by @laurentsimon in #393
• fix: TUF error in GHA installer by @laurentsimon in #394
• fix: command in installer Action by @laurentsimon in #396

Full Changelog: v2.0.0...v2.0.1

v2.0.0

Breaking Changes

• refactor: add subcommands and separate functionality from artifacts a… by @asraa in #231. Users running

slsa-verifier -artifact-path ${ARTIFACT} -provenance ${PROVENANCE} -source ${SOURCE} -tag ${TAG} -branch ${BRANCH} -versioned-tag ${VTAG}

must migrate to

slsa-verifier verify-artifact ${ARTIFACT} -provenance-path ${PROVENANCE} -source-uri ${SOURCE} -source-tag {TAG} -source-branch {BRANCH} -source-versioned-tag ${VTAG}

Major Features

• feat: slsa-verifier now performs OCI verification using slsa-verifier verify-image. See #147.
• feat: GCB-generated container image SLSA provenance verification is supported. See https://github.com/slsa-framework/slsa-verifier#verification-for-google-cloud-build and #202
• feat: Add a GitHub Action for installing slsa-verifier. by @kpk47 in #246

What's Changed

• release: release v1.3.0 of verifier by @asraa in #218
• feat: support oci image verification by @asraa in #147
• fix(deps): update module github.com/go-openapi/swag to v0.22.3 by @renovate-bot in #215
• chore(deps): update golang:1.18 docker digest to 616aa98 by @renovate-bot in #214
• chore(deps): update github-actions by @renovate-bot in #222
• chore(deps): update actions/checkout action to v3 by @renovate-bot in #227
• fix(deps): update module github.com/sigstore/cosign to v1.11.0 by @renovate-bot in #224
• fix(deps): update module github.com/sigstore/rekor to v0.11.0 by @renovate-bot in #225
• chore(deps): update gcr.io/distroless/base:nonroot docker digest to 533c15e by @renovate-bot in #228
• feat: Support for GCB verification by @laurentsimon in #202
• Correct installation command in README by @laurentsimon in #241
• release: add release v1.0.3 by @asraa in #235
• Verify text provenance for GCB by @laurentsimon in #242
• doc: fix comment typos by @laurentsimon in #244
• fix(deps): update module github.com/sigstore/cosign to v1.11.1 by @renovate-bot in #239
• chore(deps): update github-actions by @renovate-bot in #240
• feat: add CLI tests for GCB verification by @laurentsimon in #245
• chore(deps): update github/codeql-action action to v2.1.22 by @renovate-bot in #249
• chore(deps): update golang:1.18 docker digest to 5540a6a by @renovate-bot in #238
• feat: support for GCB v0.3 verification by @laurentsimon in #248
• fix: fix CLI flag mishap by @asraa in #250
• feat: CLI tests for GCB verification by @laurentsimon in #251
• feat: support builderID matching with or without semver for GCB by @laurentsimon in #256
• chore(deps): update golang docker tag to v1.19 by @renovate-bot in #196
• chore(deps): update ossf/scorecard-action action to v2 by @renovate-bot in #255
• fix(deps): update module github.com/google/go-cmp to v0.5.9 by @renovate-bot in #253
• feat: support builderID matching with or without semver for GHA by @laurentsimon in #257
• fix(deps): update module github.com/sigstore/cosign to v1.12.0 by @renovate-bot in #264
• chore(deps): update gcr.io/distroless/base:nonroot docker digest to 33fac4d by @renovate-bot in #260
• chore(deps): update github/codeql-action action to v2.1.24 by @renovate-bot in #262
• Add a GitHub Action for installing slsa-verifier. by @kpk47 in #246
• fix(deps): update module github.com/sigstore/sigstore to v1.4.1 by @renovate-bot in #263
• doc: document build id and GCB vs GHA by @laurentsimon in #266
• doc: add links to GH builders by @laurentsimon in #268
• chore(deps): update github-actions by @renovate-bot in #274
• fix(deps): update module github.com/sigstore/sigstore to v1.4.2 by @renovate-bot in #272
• Update README.md by @laurentsimon in #276
• fix: make client shard aware when verifying by @asraa in #282
• chore(deps): update github-actions by @renovate-bot in #284
• Update pre-submits by @ianlewis in #289
• release: add release v1.3.1 and v1.2.1 by @asraa in #288
• release: add release hash for v1.1.2 and v1.0.4 by @asraa in #291
• chore(deps): pin dependencies by @renovate-bot in #269
• chore(deps): update dependency jasmine to v4.4.0 by @renovate-bot in #283
• gcb: add gcb compatibility for provenance formats and buckets by @asraa in #292
• fix: fix release configuration and workflow for version info by @asraa in #296
• ci: use upstream version lib to provide version, commit, and tree state by @asraa in #297
• fix: env vars are case sensitive in configuration by @asraa in #298
• chore(deps): update github-actions by @renovate-bot in #295
• fix(deps): update module github.com/sigstore/sigstore to v1.4.4 by @renovate-bot in #294
• chore(deps): update gcr.io/distroless/base:nonroot docker digest to 3778d4f by @renovate-bot in #293
• chore(deps): update gcr.io/distroless/base:nonroot docker digest to a6441d1 by @renovate-bot in #306
• chore(deps): update dependency eslint-plugin-github to v4.4.0 by @renovate-bot in #305
• fix(deps): update module github.com/go-openapi/runtime to v0.24.2 by @renovate-bot in #304
• rekor: use rekor client with retries by @asraa in #301
• chore(deps): update dependency eslint to v8.25.0 by @renovate-bot in #273
• tests: fix builder id matching by @asraa in #308
• test: add v1.2.1 builder tests by @asraa in #310
• docs: update release.md docs to describe a pre-release by @asraa in #314
• fix: address gcb verifier comments and add gcb documentation by @asraa in #300
• Add optional by @wietse-gmail in #316
• Fix installer: Add arguments to actions/checkout so that it checks ou… by @kpk47 in #319
• Make GitHub token optional by @laurentsimon in #324
• chore(deps): update dependency eslint to v8.26.0 by @renovate-bot in #323
• feat: run CLI tests daily by @laurentsimon in #327
• Update sigstore libraries by @ianlewis in #326
• chore(deps): update dependency typescript to v4.8.4 by @renovate-bot in #270
• chore(deps): update dependency jasmine to v4.5.0 by @renovate-bot in #345
• chore(deps): update github-actions to v3 (major) by @renovate-bot in #344
• chore(deps): update dependency @types/node to v18.11.8 by @renovate-bot in #341
• chore(deps): update github-actions by @renovate-bot in https://github.com/slsa-framework/slsa-verif...

v1.3.2

This fixes issue #325. Sigstore root metadata was updated to a key format incompatible with old go-tuf (the underlying TUF client) libraries. This updated sigstore libraries to new ones that pulled in the updated go-tuf libraries.

What's Changed

• Backport release/v1.3: Update sigstore libraries by @ianlewis in #329
• release/v1.3: update release builder by @asraa in #333

Full Changelog: v1.3.1...v1.3.2

v1.2.2

This fixes issue #325. Sigstore root metadata was updated to a key format incompatible with old go-tuf (the underlying TUF client) libraries. This updated sigstore libraries to new ones that pulled in the updated go-tuf libraries.

What's Changed

• chore(deps): update github-actions by @renovate-bot in #295
• fix(deps): update module github.com/sigstore/sigstore to v1.4.4 by @renovate-bot in #294
• chore(deps): update gcr.io/distroless/base:nonroot docker digest to 3778d4f by @renovate-bot in #293
• chore(deps): update gcr.io/distroless/base:nonroot docker digest to a6441d1 by @renovate-bot in #306
• chore(deps): update dependency eslint-plugin-github to v4.4.0 by @renovate-bot in #305
• fix(deps): update module github.com/go-openapi/runtime to v0.24.2 by @renovate-bot in #304
• rekor: use rekor client with retries by @asraa in #301
• chore(deps): update dependency eslint to v8.25.0 by @renovate-bot in #273
• tests: fix builder id matching by @asraa in #308

Full Changelog: v1.4.1...v1.2.2