Changelog for cosign-1.5.2-150400.1.7.x86_64.rpm :

* Mon Feb 21 2022 meissnerAATTsuse.com- updated to 1.5.2: - This release contains fixes for CVE-2022-23649, affecting signature validations with Rekor. Only validation is affected, it is not necessary to re-sign any artifacts. (bsc#1196239)- updated to 1.5.1: - Bump sigstore/sigstore to pick up oidc login for vault. (#1377) - Bump google.golang.org/api from 0.65.0 to 0.66.0 (#1371) - expose dafaults fulcio, rekor, oidc issuer urls (#1368) - add check to make sure the go modules are in sync (#1369) - README: fix link to race conditions (#1367) - Bump cloud.google.com/go/storage from 1.18.2 to 1.19.0 (#1365) - docs: verify-attestation cue and rego policy doc (#1362) - Update verify-blob to support DSSEs (#1355) - organize, update select deps (#1358) - Bump go-containerregistry to pick up ACR keychain fix (#1357) - Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (#1352) - sync go modules (#1353)
* Tue Jan 25 2022 meissnerAATTsuse.com- updated to 1.5.0 [#]# Highlights
* enable sbom generation when releasing (https://github.com/sigstore/cosign/pull/1261)
* feat: log error to stderr (https://github.com/sigstore/cosign/pull/1260)
* feat: support attach attestation (https://github.com/sigstore/cosign/pull/1253)
* feat: resolve --cert from URL (https://github.com/sigstore/cosign/pull/1245)
* feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1237)
* feat: vuln attest support (https://github.com/sigstore/cosign/pull/1168)
* feat: add ambient credential detection with spiffe/spire (https://github.com/sigstore/cosign/pull/1220)
* feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1236)
* feat: implement cosign download attestation (https://github.com/sigstore/cosign/pull/1216) [#]# Enhancements
* Don\'t use k8schain, statically link cloud cred helpers in cosign (https://github.com/sigstore/cosign/pull/1279)
* Export function to verify individual signature (https://github.com/sigstore/cosign/pull/1334)
* Add suffix with digest to signature file output for recursive signing (https://github.com/sigstore/cosign/pull/1267)
* Take OIDC client secret into account (https://github.com/sigstore/cosign/pull/1310)
* Add --bundle flag to sign-blob and verify-blob (https://github.com/sigstore/cosign/pull/1306)
* Add flag to verify OIDC issuer in certificate (https://github.com/sigstore/cosign/pull/1308)
* add OSSF scorecard action (https://github.com/sigstore/cosign/pull/1318)
* Add TUF timestamp to attestation bundle (https://github.com/sigstore/cosign/pull/1316)
* Provide certificate flags to all verify commands (https://github.com/sigstore/cosign/pull/1305)
* Bundle TUF timestamp with signature on signing (https://github.com/sigstore/cosign/pull/1294)
* Add support for importing PKCShttps://github.com/sigstore/cosign/pull/8 private keys, and add validation (https://github.com/sigstore/cosign/pull/1300)
* add error message (https://github.com/sigstore/cosign/pull/1296)
* Move bundle out of `oci` and into `bundle` package (https://github.com/sigstore/cosign/pull/1295)
* Reorganize verify-blob code and add a unit test (https://github.com/sigstore/cosign/pull/1286)
* One-to-one mapping of invocation to scan result (https://github.com/sigstore/cosign/pull/1268)
* refactor common utilities (https://github.com/sigstore/cosign/pull/1266)
* Importing RSA and EC keypairs (https://github.com/sigstore/cosign/pull/1050)
* Refactor the tuf client code. (https://github.com/sigstore/cosign/pull/1252)
* Moved certificate output before checking for upload during signing (https://github.com/sigstore/cosign/pull/1255)
* Remove remaining ioutil usage (https://github.com/sigstore/cosign/pull/1256)
* Update the embedded TUF metadata. (https://github.com/sigstore/cosign/pull/1251)
* Add support for other public key types for SCT verification, allow override for testing. (https://github.com/sigstore/cosign/pull/1241)
* Log the proper remote repo for the signatures on verify (https://github.com/sigstore/cosign/pull/1243)
* Do not require multiple Fulcio certs in the TUF root (https://github.com/sigstore/cosign/pull/1230)
* clean up references to \'keyless\' in `ephemeral.Signer` (https://github.com/sigstore/cosign/pull/1225)
* create `DSSEAttestor` interface, `payload.DSSEAttestor` implementation (https://github.com/sigstore/cosign/pull/1221)
* use `mutate.Signature` in the new `Signer`s (https://github.com/sigstore/cosign/pull/1213)
* create `mutate` functions for `oci.Signature` (https://github.com/sigstore/cosign/pull/1199)
* add a writeable `$HOME` for the `nonroot` cosigned user (https://github.com/sigstore/cosign/pull/1209)
* signing attestation should private key (https://github.com/sigstore/cosign/pull/1200)
* Remove the \"upload\" flag for \"cosign initialize\" (https://github.com/sigstore/cosign/pull/1201)
* create KeylessSigner (https://github.com/sigstore/cosign/pull/1189) [#]# Bug Fixes
* fix: cosign verify for vault (https://github.com/sigstore/cosign/pull/1328)
* fix missing goimports (https://github.com/sigstore/cosign/pull/1327)
* Fix TestSignBlobBundle (https://github.com/sigstore/cosign/pull/1320)
* Fix a couple bugs in cert verification for blobs (https://github.com/sigstore/cosign/pull/1287)
* Fix a few bugs in cosign initialize (https://github.com/sigstore/cosign/pull/1280)
* Fix the unit tests with expired TUF metadata. (https://github.com/sigstore/cosign/pull/1270)
* Fix output-file flag. (https://github.com/sigstore/cosign/pull/1264)
* fix: typo in the error message (https://github.com/sigstore/cosign/pull/1250)
* Fix semantic bugs in attestation verifification. (https://github.com/sigstore/cosign/pull/1249)
* Fix semantic bug in DSSE specification. (https://github.com/sigstore/cosign/pull/1248)- vendor.tar.bz2: go mod vendor
* Tue Jan 25 2022 bwiedemannAATTsuse.com- Fix BUILD_DATE for reproducible build results (boo#1047218)
* Thu Jan 06 2022 meissnerAATTsuse.com- cosign 1.4.1 release, initial import- provides signing / verification support for sigstore