Changelog for cosign-2.3.0-1.1.x86_64.rpm:

* Wed Jul 24 2024 Marcus Meissner
- update to 2.3.0 (jsc#SLE-23879)
  * Features
    - Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#3693)
    - add registry options to cosign save (#3645)
    - Add debug providers command. (#3728)
    - Make config layers in ociremote mountable (#3741)
    - adds tsa cert chain check for env var or tuf targets. (#3600)
    - add --ca-roots and --ca-intermediates flags to 'cosign verify' (#3464)
    - add handling of keyless verification for all verify commands (#3761)
  * Bug Fixes
    - fix: close attestationFile (#3679)
    - Set bundleVerified to true after Rekor verification (Resolves #3740) (#3745)
  * Documentation
    - Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#3776)

* Fri May 31 2024 Johannes Kastl
- add completion subpackages (bash, fish, zsh)

* Mon Apr 15 2024 Marcus Meissner
- updated to 2.2.4 (jsc#SLE-23879)
  * Bug Fixes
    * Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
      - CVE-2024-29902: Malicious attachments can cause system-wide denial of service (bsc#1222835)
      - CVE-2024-29903: Malicious artifacts can cause machine-wide denial of service (bsc#1222837)
    * ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
    * fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
    * Honor creation timestamp for signatures again (#3549)
  * Features
    * Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)
  * Documentation
    * add oci bundle spec (#3622)
    * Correct help text of triangulate cmd (#3551)
    * Correct help text of verify-attestation policy argument (#3527)
    * feat: add OVHcloud MPR registry tested with cosign (#3639)

* Fri Feb 02 2024 Marcus Meissner
- updated to 2.2.3 (jsc#SLE-23879)
  Bug Fixes:
  * Fix race condition on verification with multiple signatures attached to image (#3486)
  * fix(clean): Fix clean cmd for private registries (#3446)
  * Fixed BYO PKI verification (#3427)
  Features:
  * Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
  * Add support for OpenVEX predicate type (#3405)
  Documentation:
  * Resolves #3088: `version` sub-command expected behaviour documentation and testing (#3447)
  * add examples for cosign attach signature cmd (#3468)
  Misc:
  * Remove CertSubject function (#3467)
  * Use local rekor and fulcio instances in e2e tests (#3478)
- bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)

* Tue Dec 12 2023 Marcos Bjoerkelund
- updated to 2.2.2 (jsc#SLE-23879)
  v2.2.2 adds a new container with a shell, gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing container gcr.io/projectsigstore/cosign:vx.y.z without a shell. For private deployments, we have also added an alias for --insecure-skip-log, --private-infrastructure.
  Bug Fixes:
  * chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411) which fixes a bug with using Azure KMS
  * Don't require CT log keys if using a key/sk (#3415)
  * Fix copy without any flag set (#3409)
  * Update cosign generate cmd to not include newline (#3393)
  * Fix idempotency error with signing (#3371)
  Features:
  * Add --yes flag cosign import-key-pair to skip the overwrite confirmation. (#3383)
  * Use the timeout flag value in verify* commands. (#3391)
  * add --private-infrastructure flag (#3369)
  Container Updates:
  * Bump builder image to use go1.21.4 and add new cosign image tags with shell (#3373)
  Documentation:
  * Update SBOM_SPEC.md (#3358)

* Tue Nov 07 2023 Marcus Meissner
- updated to 2.2.1 (jsc#SLE-23879)
  This release comes with a fix for CVE-2023-46737 / bsc#1216933 described in this [GitHub Security Advisory](https://github.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9).
  Enhancements:
  * feat: Support basic auth and bearer auth login to registry (#3310)
  * add support for ignoring certificates with pkcs11 (#3334)
  * Support ReplaceOp in Signatures (#3315)
  * feat: added ability to get image digest back via triangulate (#3255)
  * feat: add `--only` flag in `cosign copy` to copy sign, att & sbom (#3247)
  * feat: add support attaching a Rekor bundle to a container (#3246)
  * feat: add support outputting rekor response on signing (#3248)
  * feat: improve dockerfile verify subcommand (#3264)
  * Add guard flag for experimental OCI 1.1 verify. (#3272)
  * Deprecate SBOM attachments (#3256)
  * feat: dedent line in cosign copy doc (#3244)
  * feat: add platform flag to cosign copy command (#3234)
  * Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)
  * attest: pass OCI remote opts to att resolver. (#3225)
  Bug Fixes:
  * Merge pull request from GHSA-vfp6-jrw2-99g9
  * fix: allow cosign download sbom when image is absent (#3245)
  * ci: add a OCI registry test for referrers support (#3253)
  * Fix ReplaceSignatures (#3292)
  * Stop using deprecated in_toto.ProvenanceStatement (#3243)
  * Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237)
  * fix: update error in `SignedEntity` to be more descriptive (#3233)
  * Fail timestamp verification if no root is provided (#3224)
  Documentation:
  * Add some docs about verifying in an air-gapped environment (#3321)
  * Update CONTRIBUTING.md (#3268)
  * docs: improves the Contribution guidelines (#3257)
  * Remove security policy (#3230)
  Others:
  * Set go to min 1.21 and update dependencies (#3327)
  * Update contact for code of conduct (#3266)
  * Update .ko.yaml (#3240)

* Fri Sep 01 2023 Marcus Meissner
- updated to 2.2.0 (jsc#SLE-23879)
  - Enhancements
    * switch to uploading DSSE types to rekor instead of intoto (#3113)
    * add 'cosign sign' command-line parameters for mTLS (#3052)
    * improve error messages around bundle != payload hash (#3146)
    * make VerifyImageAttestation function public (#3156)
    * Switch to cryptoutils function for SANS (#3185)
    * Handle HTTP_1_1_REQUIRED errors in github provider (#3172)
  - Bug Fixes
    * Fix nondeterministic timestamps (#3121)
  - Documentation
    * doc: Add example of sign-blob with key in env var (#3152)
    * add deprecation notice for cosign-releases GCS bucket (#3148)
    * update doc links (#3186)

* Tue Jun 27 2023 Marcus Meissner
- updated to 2.1.1 (jsc#SLE-23879)
  - Bug Fixes
    - wait for the workers become available again to continue the execution (#3084)
    - fix help text when in a container (#3082)
- updated to 2.1.0 (jsc#SLE-23879)
  - Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag.
  - Enhancements
    - Verify sigs and attestations in parallel (#3066)
    - Deep inspect attestations when filtering download (#3031)
    - refactor bundle validation code, add support for DSSE rekor type (#3016)
    - Allow overriding remote options (#3049)
    - feat: adds no cert found on sig exit code (#3038)
    - Make predicate a required flag in attest commands (#3033)
    - Added support for attaching Time stamp authority Response in attach command (#3001)
    - Add sign --sign-container-identity CLI (#2984)
    - Feature: Allow cosign to sign digests before they are uploaded. (#2959)
    - accepts attachment-tag-prefix for cosign copy (#3014)
    - Feature: adds '--allow-insecure-registry' for cosign load (#3000)
    - download attestation: support --platform flag (#2980)
    - Cleanup: Add Digest to the SignedEntity interface. (#2960)
    - verify command: support keyless verification using only a provided certificate chain with non-fulcio roots (#2845)
    - verify: use workers to limit the parallelism when verifying images with --max-workers flag (#3069)
  - Bug Fixes
    - Fix pkg/cosign/errors (#3050)
    - Fix: update doc to refer to github-actions oidc provider (#3040)
    - Fix: prefer GitHub OIDC provider if enabled (#3044)
    - Fix --sig-only in cosign copy (#3074)
  - Documentation
    - Fix links to sigstore/docs in markdown files (#3064)

* Sun May 07 2023 Marcus Meissner
- update to 2.0.2 (jsc#SLE-23879)
  Enhancements
  - Update sigstore/sigstore to v1.6.2 to pick up TUF CDN change (#2891)
  - feat: Make cosign copy faster (#2901)
  - remove sget (#2885)
  - Require a payload to be provided with a signature (#2785)
  Bug Fixes
  - cmd: Change error message from KeyParseError to PubKeyParseError for verify-blob. (#2876)
  - Use SOURCE_DATE_EPOCH for OCI CreatedAt times (#2878)
  Documentation
  - Remove experimental warning from Fulcio flags (#2923)
  - add missing oidc provider (#2922)
  - Add zot as a supported registry (#2920)
  - deprecates kms_support docs (#2900)
  - chore(docs) deprecate note for usage docs (#2906)
  - adds note of deprecation for examples.md docs (#2899)

* Mon Apr 17 2023 Marcus Meissner
- update to 2.0.1 (jsc#SLE-23879)
  Enhancements
  - Add environment variable token provider (#2864)
  - Remove cosign policy command (#2846)
  - Allow customising 'go' executable with GOEXE var (#2841)
  - Consistent tlog warnings during verification (#2840)
  - Add riscv64 arch (#2821)
  - Default generated PEM labels to SIGSTORE (#2735)
  - Update privacy statement and confirmation (#2797)
  - Add exit codes for verify errors (#2766)
  - Add Buildkite provider (#2779)
  - verify-blob-attestation: Loosen arg requirements if --check-claims=false (#2746)
  Bug Fixes
  - PKCS11 sessions are now opened read only (#2853)
  - Makefile: date format of log should not show signatures (#2835)
  - Add missing flags to cosign verify dockerfile/manifest (#2830)
  - Add a warning to remember how to configure a custom Gitlab host (#2816)
  - Remove tag warning message from save/copy commands (#2799)
  - Mark keyless pem files with b64 (#2671)

* Tue Apr 04 2023 Dirk Müller
- fix buildtags
- build against a maintained golang version (upstream uses go1.20)

* Mon Feb 27 2023 Marcus Meissner
- update to 2.0.0 (jsc#SLE-23879)
  Breaking Changes:
  * insecure-skip-tlog-verify: rename and adapt the cert expiration check (#2620)
  * Deprecate --certificate-email flag. Make --certificate-identity and -… (#2411)
  Enhancements:
  * Change go module name to github.com/sigstore/cosign/v2 for Cosign 2.0 (#2544)
  * Allow users to pass in a path for the --identity-token flag (#2538)
  * Breaking change: Respect tlog-upload=false, default to true (#2505)
  * Support outputting a certificate without uploading to the tlog (#2506)
  * Attestation/Blob signing and verification using a RFC3161 time-stamping server (#2464)
  * respect tlog-upload flag with TSA (#2474)
  * Better feedback if specifying incompatible argument on cosign sign --attachment (#2449)
  * Support TSA and Rekor verifications (#2463)
  * add support for tsa signing and verification of images (#2460)
  * cosign policy sign: remove experimental flag and make keyless signing default (#2459)
  * Remove experimental mode from cosign attest and verify-attestation (#2458)
  * Remove experimental mode from sign-blob and verify-blob (#2457)
  * Add --offline flag to force offline verification (#2427)
  * Air gap support (#2299)
  * Breaking change: Change SCT verification behavior to default to enforcement (#2400)
  * Breaking change: remove --force flag from sign and attest and rely on --yes flag to skip confirmation (#2399)
  * Breaking change: replace --no-tlog-upload flag with --tlog-upload flag (#2397)
  * Remove experimental flag from cosign sign and cosign verify (#2387)
  * verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a key from rekor's API (#2362)
  * Add warning to use digest instead of tags to other cosign commands (#2650)
  * Fix up UI messages (#2629)
  * Remove hardcoded Fulcio from output (#2621)
  * Fix missing privacy statement, print in multiple locations (#2622)
  * feat: allows custom key names for import-key-pair (#2587)
  * feat: support keyless verification for verify-blob-attestation (#2525)
  * attest-blob: add functionality for keyless signing (#2515)
  * Rego: add support for custom error/warning messages when evaluating rego rules (#2577)
  * feat: add debug information to cert validation error (#2579)
  * Support non-Sigstore TSA requests (#2708)
  * Add COSIGN_OCI_EXPERIMENTAL, push .sig/.sbom using OCI 1.1+ digest tag (#2684)
  * Output certificate in bundle when entry is not uploaded to Rekor (#2715)
  * attach signature and attach sbom must use STDIN to upload raw string (#2637)
  * add generate-key-pair GitHub Enterprise server support (#2676)
  * add in format string for warning (#2699)
  * Support for fetching Fulcio certs with self-managed key (#2532)
  * 2476 predicate type download (#2484)
  Bug Fixes:
  * Fix the file existence check. (#2552)
  * Fix timestamp verification, add verify-blob tests (#2527)
  * Fix(verify): Consolidate certificate expiry logic (#2504)
  * Updates to Timestamp signing and verification (#2499)
  * Fix: removes attestation payload from attest-blob's output & no base64 encoding (#2498)
  * Fix path for e2e-tests badge (#2490)
  * Fix spdx json media type (#2479)
  * Fix sct verification (#2426)
  * Fix: panic with unsigned local image (#2656)
  * Make sure a cert passed in via --cert matches the bundle cert (#2652)
  * Fix: fix github oidc post submit test (#2594)
  * Fix: add enhanced error messages for failing verification with TUF targets (#2589)
  * Fix: Add missing schemes to cosign predicate types. (#2717)
  * Fix: Drop the CosignPredicate wrapper around SBOM attestations. (#2718)
  * Fix prompts with Windows line endings (#2674)

* Tue Oct 18 2022 Marcus Meissner
- update to 1.13.1:
  * verify-blob-attestation: allow multiple subjects in in_toto attestation (#2341)
  * Nits for #2337 (#2342)
  * Add verify-blob-attestation command and tests (#2337)
  * Update warning when users sign images by tag. (#2313)
  * Remove experimental flags from attest-blob and refactor (#2338)
  * Add --output-attestation flag to attest-blob and remove experimental signing (#2332)
  * Add attest-blob command (#2286)
  * Add '--cert-identity' flag to support subject alternate names for ver… (#2278)
  * Update Dockerfile section of README (#2323)
  * Fix option description: "sign" --> "verify" (#2306)
- update to 1.13.0:
  * feat: use stdin as an input for predicate by @developer-guy in https://github.com/sigstore/cosign/pull/2269
  * feat: improve the verification message by @developer-guy in https://github.com/sigstore/cosign/pull/2268
  * use scaffolding 0.4.8 for tests. by @vaikas in https://github.com/sigstore/cosign/pull/2280
  * fix pivtool generate key touch policy by @cpanato in https://github.com/sigstore/cosign/pull/2282
  * Check error on chain verification failure by @haydentherapper in https://github.com/sigstore/cosign/pull/2284
  * Fix: Remove an extra registry request from verification path. by @mattmoor in https://github.com/sigstore/cosign/pull/2285
  * Fix: Create a static copy of signatures as part of verification. by @mattmoor in https://github.com/sigstore/cosign/pull/2287
  * Data race in FetchSignaturesForReference by @RTann in https://github.com/sigstore/cosign/pull/2283
  * Add support for Fulcio username identity in SAN by @haydentherapper in https://github.com/sigstore/cosign/pull/2291
  * fix: make tlog entry lookups for online verification shard-aware by @asraa in https://github.com/sigstore/cosign/pull/2297
  * Better help text to sign and verify SBOM by @ChristianCiach in https://github.com/sigstore/cosign/pull/2308
  * Adding warning to pin to digest by @ChaosInTheCRD in https://github.com/sigstore/cosign/pull/2311
  * Add annotations for upload blob. by @cldmnky in https://github.com/sigstore/cosign/pull/2188
  * replace deprecate package by @cpanato in https://github.com/sigstore/cosign/pull/2314
  * update release images to use go1.19.2 and cosign v1.12.1 by @cpanato in https://github.com/sigstore/cosign/pull/2315

* Tue Sep 27 2022 Dirk Müller
- update to 1.12.1:
  * fix: Pulls Fulcio root and intermediate when --certificate-chain is not passed into verify-blob command. The v1.12.0 release introduced a regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would check a --certificate (without a --certificate-chain provided) against the operating system root CA bundle. In this release, Cosign checks the certificate against Fulcio's CA root instead (restoring the earlier behavior).
  * fix: fix cert chain validation for verify-blob in non-experimental mode
  * fix: add COSIGN_EXPERIMENTAL=1 for verify-blob
  * Fix BYO-root with intermediate to fetch intermediates from annotation
  * fix: fixing breaking changes in rekor v1.12.0 upgrade
- use go-modules service to generate the vendor.tar and use zstd

* Thu Sep 15 2022 Marcus Meissner
- updated to 1.12.0 (jsc#SLE-23879)
  - CVE-2022-36056: Fixed verify-blob could successfully verify an artifact when verification should have failed (bsc#1203430)
  - Support non-ECDSA key types for verify-blob by @haydentherapper in #2203
  - feat: integrate Alibaba Cloud Container Registry cred helper by @mozillazg in #2008
  - remove double quotes, looks like it is passing as a single string to cosign and not as an array by @cpanato in #2205
  - Clarify error when KMS provider fails to load by @znewman01 in #2220
  - feat: set annotations to generate additional bash completion information by @dirien in #2221
  - Add deprecation warning for sget CLI and packages by @imjasonh in #2019
  - upgrade setup-ko to point to new repo by @imjasonh in #2225
  - Temp fix for e2e test by @haydentherapper in #2247
  - update kind to use release v0.15.0 and some version comments by @cpanato in #2246
  - Fix e2e test failure, add test for local bundle without rekor bundle by @haydentherapper in #2248
  - fix: fix secret test, non-experimental bundle should pass by @asraa in #2249
- updated to 1.11.1
  - add stale workflow using the workflow template by @cpanato in #2175
  - Update Scorecard action to v2:alpha by @azeemshaikh38 in #2177
  - add release cadence section in the readme by @cpanato in #2179
  - feat: Rework fig autocomplete command by @dirien in #2187
  - fix: fix typo that caused attestation verification failure by @asraa in #2199
- updated to 1.11.0
  - Verify the certificate chain against the Fulcio root trust by default by @wata727 in #2139
  - Add notes to clarify registry use. by @bendory in #2145
  - Use TUF from scaffolding for validating cosign. by @vaikas in #2146
  - docs: clarify wording in spec about usage of certificate chain by @asraa in #2152
  - fix: fix blob verification output with sharded rekor tlogs by @asraa in #2157
  - fix: adds envelope hash to in-toto entries in tlog entry creation by @nkreiger in #2118
  - fix handling of verify-attestation types for URIs by @otms61 in #2159
  - fix oidc post-merge job by @cpanato in #2164
  - Remove third_party by @imjasonh in #2166
  - use updated device flow logic with PKCE by @bobcallaway in #2163
  - fix: rekor get tlog entry with uuid by @asraa in #2058
  - update e2e job to run only when push to main by @cpanato in #2169
  - fix: add env cmd to root by @developer-guy in #2171
  - fix panic when os.Stat returns an error besides ErrNotExists by @dsa0x in #2162

* Fri Aug 05 2022 Marcus Meissner
- updated to 1.10.1 (jsc#SLE-23879)
  - CVE-2022-35929: Fixed that cosign verify-attestation --type can report a false positive if any attestation exists (GHSA-vjxv-45g9-9296, bsc#1202157)
  - What else changed:
    - add flag to allow skipping upload to transparency log by @k4leung4 in #2089
    - Improve error message when no sigs/atts are found for an image by @imjasonh in #2101
    - Change Result in Vulnerability Attestation to interface{} by @knqyf263 in #2096
    - Fix field names in the vulnerability attestation by @otms61 in #2099
    - remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint by @cpanato in #2105
    - Enable Scorecard badge by @azeemshaikh38 in #2109
    - Resolves #522 set Created date to time of execution by @Lerentis in #2108
    - Introduce a custom error type to classify errors. by @mattmoor in #2114
    - feat: attach: attestation: allow passing multiple payloads by @Dentrax in #2085
    - update cross-builder to go1.18.5 and cosign image to 1.10.0 by @cpanato in #2119
    - chore: fix documentation and warning on using untrusted rekor key by @asraa in #2124
    - Correct the type used for attest by @mattmoor in #2128

* Wed Jul 27 2022 Marcus Meissner
- updated to 1.10.0
  - replace gcr.io/distroless/ to use ghcr.io/distroless/ by @cpanato in #1961
  - Separate RegExp matching of issuer/subject from strict by @vaikas in #1956
  - tuf: improve TUF client concurrency and caching by @asraa in #1953
  - Add Cloudsmith Container Registry to tested registry list by @ciaracarey in #1966
  - feat(fulcioroots): singleton error pattern by @developer-guy in #1965
  - Drop tuf client dependency on GCS client library by @imjasonh in #1967
  - Add spdxjson predicate type for attestations by @jdolitsky in #1974
  - Remove policy-controller now that it lives in sigstore/policy-controller by @vaikas in #1976
  - cleanup: unexport kubernetes.Client method by @imjasonh in #1973
  - cleanup ci job and remove policy-controller references by @cpanato in #1981
  - fix/update post build job by @cpanato in #1983
  - docs: updated Azure kms commands. by @JBrejnholt in #1972
  - Add cyclonedx predicate type for attestations by @jdolitsky in #1977
  - Route deprecated -version to version subcommand by @puerco in #1854
  - docs(readme): add installation steps for container image for cosign binary by @developer-guy in #1986
  - Add --platform flag to cosign sbom download by @puerco in #1975
  - Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore by @imjasonh in #1866
  - Add --oidc-provider flag to specify which provider to use for ambient credentials by @priyawadhwa in #1998
  - encrypt values to create the github action secret by @cpanato in #1990
  - sign-blob: bundle should work independently and respect --output-certificate and --output-signature by @Dentrax in #2016
  - Attempt to clean up pkg/cosign by @imjasonh in #2018
  - public-key: fix command description by @Dentrax in #2024
  - [NFC] specs: fix list formatting on SIGNATURE_SPEC by @woodruffw in #2030
  - feat: cert-extensions verify by @developer-guy in #1626
  - Fix #1378 create new attestation signature in replace mode if not existent by @Syquel in #2014
  - Use cosign.ConfirmPrompt more consistently by @imjasonh in #2039
  - chore: add a note about SIGSTORE_REKOR_PUBLIC_KEY var by @hectorj2f in #2040
  - Fix OIDC test by @cpanato in #2050
  - Add env subcommand. by @wlynch in #2051
  - remove tests with 1.21 k8s cluster because it is deprecated and add v1.23/24 by @cpanato in #2055
  - update ct/otel and etcd by @cpanato in #2054
  - chore(deps): CycloneDX PredicateType changed to use in-toto-golang by @masahiro331 in #2067
  - Remove replace directives in go.mod. by @wlynch in #2070
  - update design doc link by @bobcallaway in #2077
  - Remove hack/tools.go by @imjasonh in #2080
  - fix missing quote by @cpanato in #2090
- removed cosigned and webhook

* Sat Jun 18 2022 Marcus Meissner
- updated to 1.9.0
  - Check failure message of policy that fails with issuer mismatch by @vaikas in #1815
  - [Cosigned] Add signature pull secrets by @DennyHoang in #1805
  - feat: add rego policy support by @hectorj2f in #1817
  - Refactor fulcio signer to take in KeyOpts (take 2) by @wlynch in #1818
  - cosigned: Test unsupported KMS providers by @imjasonh in #1820
  - chore(deps): Included dependency review by @naveensrinivasan in #1792
  - Add auth flow option to KeyOpts. by @wlynch in #1827
  - Document Staging instance usage with Keyless by @k4leung4 in #1824
  - New flag --oidc-providers-disable to disable OIDC providers by @puerco in #1832
  - Validate tlog entry when verifying signature via public key. by @wlynch in #1833
  - Add function to explicitly request a certain provider by @priyawadhwa in #1837
  - cosigned: Fix podAntiAffinity labels by @elfotografo007 in #1841
  - remove exclude from go.mod by @cpanato in #1846
  - [Cosigned] Glob matching improvement by @DennyHoang in #1842
  - sget: Enable KMS providers for sget by @imjasonh in #1852
  - Fix piv-tool generate-key command in TOKENS doc by @nealmcb in #1850
  - Add IBM Cloud Container Registry to tested registry list by @bainsy88 in #1856
  - If SBOM ref has .json suffix, assume JSON mediatype by @jdolitsky in #1859
  - Add rekor.0.pub TUF target to unit tests by @priyawadhwa in #1860
  - Normalize certificate flag names by @haydentherapper in #1868
  - Check certificate policy flags with only a certificate by @haydentherapper in #1869
  - Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go by @cpanato in #1861
  - Point git commit FUN.md to gitsign! by @wlynch in #1874
  - [cosigned] remove regex from the image pattern fields by @hectorj2f in #1873
  - go.mod: format go.mod by @zchee in #1879
  - Remove dependency on deprecated github.com/pkg/errors by @zchee in #1887
  - tree: only report artifacts that are present by @ribbybibby in #1872
  - update README with ebpf modules by @EItanya in #1888
  - Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d by @vpnachev in #1889
  - v1beta1 API for cosigned by @vaikas in #1890
  - tree: support --attachment-tag-prefix by @ribbybibby in #1900
  - [cosigned] Remove undefined apiGroups from policy clusterrole by @vpnachev in #1896
  - GHSA-66x3-6cw3-v5gj: Update go-tuf to v0.3.0 by @janisz in #1894
  - The timeout arg in golangci-lint has been moved to the generic args p… by @dlorenc in #1901
  - [cosigned] Rename cosigned references to policy-controller by @hectorj2f in #1893
  - Move deprecated dependency: google/trillian/merkle to transparency-dev by @cpanato in #1910
  - Add support for "**" in image glob matching by @imjasonh in #1914
  - Add privacy statement for PII storage by @haydentherapper in #1909
  - Do not push to public rekor. by @vaikas in #1931
  - fix: fix fetching updated targets from TUF root by @asraa in #1921
  - fix: fix #1930 for AWS KMS formats by @vaikas in #1946
  - update cross-builder image to use go1.17.11 by @cpanato in #1950
  - remove deprecation from goreleaser, go-fish is not supported anymore by @cpanato in #1952
  - add changelog for v1.9.0 by @cpanato in #1955
  - add parallelism for goreleaser by @cpanato in #1957

* Sat May 21 2022 Marcus Meissner
- updated to 1.8.0
  - Move the KMS integration imports into the binary entrypoints by @mattmoor in #1744
  - [Cosigned] Convert functions for webhookCIP from v1alpha1 by @DennyHoang in #1736
  - Refactor policy related code, add support for vuln verify by @vaikas in #1747
  - Use bundle log ID to find verification key by @haydentherapper in #1748
  - [cosigned] The webhook name is now configurable via --webhook-name flag by @vpnachev in #1726
  - Add intermediate CA certificate pool for Fulcio by @haydentherapper in #1749
  - test: create fake TUF test root and create test SETs for verification by @asraa in #1750
  - Implement identities, fix bug in webhook validation. by @vaikas in #1759
  - Validate issuer/subject regexp in validate webhook. by @vaikas in #1761
  - chore: add warning when attaching sBOMs by @hectorj2f in #1756
  - Verify embedded SCTs by @haydentherapper in #1731
  - chore: add warning when downloading a sBOM by @hectorj2f in #1763
  - [policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags by @vpnachev in #1757
  - Break the CIP action tests into a sh script. by @vaikas in #1767
  - tuf: add debug info if tuf update fails by @asraa in #1766
  - cosigned: add support for rsa keys by @hectorj2f in #1768
  - Cosigned validate against remote sig src by @DennyHoang in #1754
  - Add Fulcio intermediate CA certificate to intermediate pool by @haydentherapper in #1774
  - fix: more informative error by @ybelMekk in #1778
  - Run update-codegen. by @wlynch in #1789
  - Remove the dependency on v1alpha1.Identity which brings in unnecessary k8s deps. by @vaikas in #1790
  - Refactor fulcio signer to take in KeyOpts. by @wlynch in #1788
  - test: add cue unit tests by @hectorj2f in #1791
  - Attestations + policy in cip. by @vaikas in #1772
  - chore: add rego function to consume modules and evaluate them by @hectorj2f in #1787
  - Add parallelization for processing policies / authorities. by @vaikas in #1795
  - Allow passing keys via environment variables (env:// refs) by @znewman01 in #1794
  - Handle context cancelled properly + tests. by @vaikas in #1796
  - Fix a bug where an error would send duplicate results. by @vaikas in #1797
  - Revert "Refactor fulcio signer to take in KeyOpts. (#1788)" by @wlynch in #1798
  - cosigned: Unify cue data and policy before evaluating it by @hectorj2f in #1793
  - Don't fail open in VerifyBundle by @mtrmac in #1648
  - Load in intermediate cert pool from TUF by @haydentherapper in #1804
  - Support PKCS1 encoded and non-ECDSA CT log public keys by @haydentherapper in #1806

* Tue Apr 26 2022 Marcus Meissner
- updated to 1.7.2
  - [Cosigned] Fix publicKey unmarshal by @DennyHoang in #1719
  - fix: add permissions to patch events by @hectorj2f in #1722
  - Make public all types required to use ValidatePolicy by @jdolitsky in #1727
  - Add unit tests for IntotoAttestation verifier. by @vaikas in #1728
  - Remove newline from download sbom output by @ribbybibby in #1732
  - Fix packages name and binary in the packages by @cpanato in #1734
  - Fix fulcioroots test and linter error by @haydentherapper in #1741
  - Support non-ECDSA public keys in certificates by @haydentherapper in #1740
  - bug: remove old fulcio root and fix fallback target code by @asraa in #1738
- updated to 1.7.1
  - pkcs11: fix build instructions by @rgerganov in #1550
  - add definition for artifact hub to verify the ownership by @cpanato in #1563
  - Add example using AWS Key Management Service (KMS) by @davivcgarcia in #1564
  - Start of the necessary pieces to get #1418 and #1419 implemented by @vaikas in #1562
  - Support deletion of ClusterImagePolicy by @vaikas in #1580
  - 1417 policy validations by @kkavitha in #1548
  - Don't lowercase input image refs, just fail by @imjasonh in #1586
  - Fix #1583 #1582. Disallow regex now until implemented. by @vaikas in #1584
  - Fix piping 'cosign verify' using fulcio/rekor by @marcofranssen in #1590
  - Fix #1592 move authorities as siblings of images. by @vaikas in #1593
  - Add ability to inline secrets from SecretRef to configmap. by @vaikas in #1595
  - Fix copy/paste mistake in repo name. by @k4leung4 in #1600
  - Use reusable release workflow in sigstore/sigstore by @k4leung4 in #1599
  - Add public key validation by @kkavitha in #1598
  - Validate a public key in a secret is valid. by @vaikas in #1602
  - Ensure entry is removed from CM on secret error. by @vaikas in #1605
  - Add two env variables. One for using Rekor public key from OOB and one for fetching it from Rekor server by @vaikas in #1610
  - Init entity from ociremote when signing a digest ref by @puerco in #1616
  - rename ca-key to ca-cert. Fix 1608, 1613 by @vaikas in #1617
  - improve cosigned validation error messages by @cpanato in #1618
  - Use latest knative/pkg's configmap informer by @tcnghia in #1615
  - Included OpenSSF Best Practices Badge by @naveensrinivasan in #1628
  - FUN.md broke when RecordObj changed to HashedRecordObj by @MitchellJThomas in #1633
  - update crane to v0.8.0 release by @cpanato in #1635
  - push latest tag when building a release by @cpanato in #1636
  - Add extra label and change the latest tag to unstable for non tagged releases by @cpanato in #1637
  - Document Elastic container registry support by @mgreau in #1641
  - Validate authority keys by @coyote240 in #1623
  - feat: tree command utility by @developer-guy in #1603
  - fix build date format for version command by @cpanato in #1644
  - Add support for intermediate certificates when verifying by @haydentherapper in #1631
  - Prompt user before running cosign clean by @priyawadhwa in #1649
  - Use ClusterImagePolicy with Keyless + e2e tests for CIP with kind by @vaikas in #1650
  - KEYLESS.md: Shorten example OAuth URL by @tstromberg in #1661
  - Use syscall.Stdin for input handle. Fixes #1153 by @mdp in #1657
  - Add support for certificate chain to verify certificate by @haydentherapper in #1659
  - First batch of followups to #1650 by @vaikas in #1664
  - Add certificate chain flag for signing by @haydentherapper in #1656
  - [attach]: Add specific suffixes mediaTypes to sboms by @hectorj2f in #1663
  - update font when output the cosign version by @cpanato in #1668
  - feat: add ability to override registry keychain by @noamichael in #1666
  - remove replace directive by @cpanato in #1669
  - Refactor based on discussions in #1650 by @vaikas in #1674
  - Find all valid entries in verify-blob by @priyawadhwa in #1673
  - Fix relative paths in GitHub OIDC blob test by @priyawadhwa in #1677
  - Add support for cert and cert chain flags with PKCS11 tokens by @haydentherapper in #1671
  - Use cosign @ HEAD for GitHub OIDC sign blob test by @priyawadhwa in #1678
  - Make cosign copy copy metadata attached to child images. by @mattmoor in #1682
  - change file_name_template to PackageName by @strongjz in #1683
  - Update error message for verify/verify attestation by @haydentherapper in #1686
  - cosign clean: Don't log failure if the registry responds with 404 by @imjasonh in #1687
  - verify: add leaf hash verification for tlog entries by @asraa in #1688
  - Fix handling of policy in verify-attestation by @lcarva in #1672
  - Add e2e test for attest / verify-attestation by @vaikas in #1685
  - verify: remove extra calls to rekor for verify and verify-blob by @asraa in #1694
  - Remove the hardcoded sigstore audience by @mattmoor in #1698
  - Use ValidatePubKey from sigstore/sigstore by @haydentherapper in #1676
  - Use the github actions from sigstore/scaffolding. by @vaikas in #1699
  - sign: set the oidc redirect uri by @hectorj2f in #1675
  - add back the go mod proxy by @cpanato in #1701
  - enable 1.23 tests (Test cosigned with ClusterImagePolicy) by @cpanato in #1702
  - Fix incorrect unmarshalling of SCT response by @haydentherapper in #1704
  - Make CLI flag for OIDC client secret take a path by @znewman01 in #1705
  - cosigned: read the public key from the kms authority by @hectorj2f in #1706
  - fix latest tag when running a release job by @cpanato in #1707
  - [Cosigned] Parse and store publicKey data earlier by @DennyHoang in #1681
  - Don't overwrite token set in keyOpts by @puerco in #1709
  - refactor release job by @cpanato in #1710

* Fri Apr 01 2022 Marcus Meissner
- updated to 1.6.0
  - Fix double time import in e2e tests by @saschagrunert in #1388
  - Add --timeout support to sign command by @saschagrunert in #1379
  - Fix comparison in replace option for attestation by @bburky in #1366
  - Add Cosign logo to README by @nsmith5 in #1395
  - Minor refactor to verify SCT and Rekor entry with multiple keys by @haydentherapper in #1396
  - Fix a link of SECURITY.md by @knqyf263 in #1399
  - update cosign and cross-build image for the release job by @cpanato in #1400
  - feat: login command by @developer-guy in #1398
  - TUF: Add root status output by @asraa in #1404
  - Add a newline after password input by @knqyf263 in #1407
  - make imageRef lowercase before parsing by @bobcallaway in #1409
  - Improve error message when image is not found in registry by @imjasonh in #1410
  - Add ability to override the Spiffe socket via environmental variable: by @vaikas in #1421
  - Fix incorrect error check when verifying SCT by @haydentherapper in #1422
  - Skip the ReadWrite test that flakes on Windows. by @dlorenc in #1415
  - Allow PassFunc to be nil by @saschagrunert in #1426
  - Update the cosign keyless documentation to point to the GA release.
by AATTdlorenc in #1427 - Remove TUF timestamp from OCI signature bundle by AATThaydentherapper in #1428 - Add docs on API stability and deprecation table by AATTpriyawadhwa in #1429 - update cross-build image which adds goimports by AATTcpanato in #1435 - feat: enhance clean cmd capability by AATTdeveloper-guy in #1430 - use the upstream kubernetes version lib and ldflags by AATTn3wscott in #1413 - Improve log lines to match with implementation by AATTmarcofranssen in #1432 - feat: fig autocomplete feature by AATTdeveloper-guy in #1360 - update cross-build to use go 1.17.7 by AATTcpanato in #1446 - Fetch verification targets by TUF custom metadata by AATThaydentherapper in #1423 - feat: add -buildid= to ldflags by AATTdeveloper-guy in #1451 - Streamline SignBlobCmd API with SignCmd by AATTsaschagrunert in #1454 - convert release cosigned to also generate yaml artifact. by AATTk4leung4 in #1453 - Fix tkn link in readme by AATTYongxuanzhang in #1459 - Print message when verifying with old TUF targets by AATThaydentherapper in #1468 - fix(sign): refactor unsupported provider log by AATTDentrax in #1464 - tests: /bin/bash -> /usr/bin/env bash by AATTznewman01 in #1470 - Double goreleaser timeout by AATTznewman01 in #1472 - increase timeout for goreleaser snapshot by AATTcpanato in #1473 - fix(sign): kms unspported message by AATTDentrax in #1475 - refactor release cloudbuild job by AATTcpanato in #1476 - Fix wording on attach attestation help by AATTluhring in #1480 - update go-tuf and simplify TUF client code by AATTasraa in #1455 - add initial changelog for 1.5.2 by AATTcpanato in #1483 - Fix linter error on main by AATTpriyawadhwa in #1484 - Update Changelog for Security Advisory by AATTcpanato in #1485 - chore(makefile): use kocache, convert publish to build by AATTdeveloper-guy in #1488 - Pick up a change to quiet ECR-login logging. 
by AATTmattmoor in #1491 - feat: support other types in copy cmd by AATTdeveloper-guy in #1493 - Pick up some of the shared workflows by AATTmattmoor in #1490 - feat: nominate Dentrax as codeowner by AATTdeveloper-guy in #1492 - add correct layer media type to cosign attach attestation by AATTspiffcs in #1503 - This sets up the scaffolding for the cosigned CRD types. by AATTmattmoor in #1504 - use v6 api calls in GH action for updating release milestones by AATTbobcallaway in #1511 - Add skeleton reconciler for cosigned API CRD. by AATTmattmoor in #1513 - bug fix: import ed25519 keys and fix error handling by AATTasraa in #1518 - optimize codeql speed by using caching and tracing by AATTbobcallaway in #1519 - Add a dummy.go file to allow vendoring config by AATTjdolitsky in #1520 - Add CertExtensions func to extract all extensions by AATTckotzbauer in #1515 - chore(ci): add artifact hub support by AATTDentrax in #1522 - Change Fulcio URL default to be fulcio.sigstore.dev by AATThaydentherapper in #1529 - Add codecov as github action, set permissions to read content only by AATTk4leung4 in #1530 - images: remove --bare flags that conflict with --base-import-paths by AATTcpanato in #1533 - Quay OCI Support in README by AATTsabre1041 in #1539 - add rpm,deb and apks for cosign packages by AATTstrongjz in #1537 - Consistent parenthesis use in Makefile by AATTk4leung4 in #1541 - add changelog for 1.6.0 by AATTcpanato in #1535 - update golang cross image by AATTcpanato in #1543 - Add fields in policy CRD by AATTkkavitha in #1540 - Disable for now due some issues when downloading the knative module by AATTcpanato in #1546 * Mon Feb 21 2022 Marcus Meissner - updated to 1.5.2: - This release contains fixes for CVE-2022-23649, affecting signature validations with Rekor. Only validation is affected, it is not necessary to re-sign any artifacts. (bsc#1196239)- updated to 1.5.1: - Bump sigstore/sigstore to pick up oidc login for vault. 
(#1377) - Bump google.golang.org/api from 0.65.0 to 0.66.0 (#1371) - expose dafaults fulcio, rekor, oidc issuer urls (#1368) - add check to make sure the go modules are in sync (#1369) - README: fix link to race conditions (#1367) - Bump cloud.google.com/go/storage from 1.18.2 to 1.19.0 (#1365) - docs: verify-attestation cue and rego policy doc (#1362) - Update verify-blob to support DSSEs (#1355) - organize, update select deps (#1358) - Bump go-containerregistry to pick up ACR keychain fix (#1357) - Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (#1352) - sync go modules (#1353) * Tue Jan 25 2022 Marcus Meissner - updated to 1.5.0 [#]# Highlights * enable sbom generation when releasing (https://github.com/sigstore/cosign/pull/1261) * feat: log error to stderr (https://github.com/sigstore/cosign/pull/1260) * feat: support attach attestation (https://github.com/sigstore/cosign/pull/1253) * feat: resolve --cert from URL (https://github.com/sigstore/cosign/pull/1245) * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1237) * feat: vuln attest support (https://github.com/sigstore/cosign/pull/1168) * feat: add ambient credential detection with spiffe/spire (https://github.com/sigstore/cosign/pull/1220) * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1236) * feat: implement cosign download attestation (https://github.com/sigstore/cosign/pull/1216) [#]# Enhancements * Don\'t use k8schain, statically link cloud cred helpers in cosign (https://github.com/sigstore/cosign/pull/1279) * Export function to verify individual signature (https://github.com/sigstore/cosign/pull/1334) * Add suffix with digest to signature file output for recursive signing (https://github.com/sigstore/cosign/pull/1267) * Take OIDC client secret into account (https://github.com/sigstore/cosign/pull/1310) * Add --bundle flag to sign-blob and verify-blob (https://github.com/sigstore/cosign/pull/1306) * Add flag to 
verify OIDC issuer in certificate (https://github.com/sigstore/cosign/pull/1308) * add OSSF scorecard action (https://github.com/sigstore/cosign/pull/1318) * Add TUF timestamp to attestation bundle (https://github.com/sigstore/cosign/pull/1316) * Provide certificate flags to all verify commands (https://github.com/sigstore/cosign/pull/1305) * Bundle TUF timestamp with signature on signing (https://github.com/sigstore/cosign/pull/1294) * Add support for importing PKCShttps://github.com/sigstore/cosign/pull/8 private keys, and add validation (https://github.com/sigstore/cosign/pull/1300) * add error message (https://github.com/sigstore/cosign/pull/1296) * Move bundle out of `oci` and into `bundle` package (https://github.com/sigstore/cosign/pull/1295) * Reorganize verify-blob code and add a unit test (https://github.com/sigstore/cosign/pull/1286) * One-to-one mapping of invocation to scan result (https://github.com/sigstore/cosign/pull/1268) * refactor common utilities (https://github.com/sigstore/cosign/pull/1266) * Importing RSA and EC keypairs (https://github.com/sigstore/cosign/pull/1050) * Refactor the tuf client code. (https://github.com/sigstore/cosign/pull/1252) * Moved certificate output before checking for upload during signing (https://github.com/sigstore/cosign/pull/1255) * Remove remaining ioutil usage (https://github.com/sigstore/cosign/pull/1256) * Update the embedded TUF metadata. (https://github.com/sigstore/cosign/pull/1251) * Add support for other public key types for SCT verification, allow override for testing. 
(https://github.com/sigstore/cosign/pull/1241) * Log the proper remote repo for the signatures on verify (https://github.com/sigstore/cosign/pull/1243) * Do not require multiple Fulcio certs in the TUF root (https://github.com/sigstore/cosign/pull/1230) * clean up references to \'keyless\' in `ephemeral.Signer` (https://github.com/sigstore/cosign/pull/1225) * create `DSSEAttestor` interface, `payload.DSSEAttestor` implementation (https://github.com/sigstore/cosign/pull/1221) * use `mutate.Signature` in the new `Signer`s (https://github.com/sigstore/cosign/pull/1213) * create `mutate` functions for `oci.Signature` (https://github.com/sigstore/cosign/pull/1199) * add a writeable `$HOME` for the `nonroot` cosigned user (https://github.com/sigstore/cosign/pull/1209) * signing attestation should private key (https://github.com/sigstore/cosign/pull/1200) * Remove the \"upload\" flag for \"cosign initialize\" (https://github.com/sigstore/cosign/pull/1201) * create KeylessSigner (https://github.com/sigstore/cosign/pull/1189) [#]# Bug Fixes * fix: cosign verify for vault (https://github.com/sigstore/cosign/pull/1328) * fix missing goimports (https://github.com/sigstore/cosign/pull/1327) * Fix TestSignBlobBundle (https://github.com/sigstore/cosign/pull/1320) * Fix a couple bugs in cert verification for blobs (https://github.com/sigstore/cosign/pull/1287) * Fix a few bugs in cosign initialize (https://github.com/sigstore/cosign/pull/1280) * Fix the unit tests with expired TUF metadata. (https://github.com/sigstore/cosign/pull/1270) * Fix output-file flag. (https://github.com/sigstore/cosign/pull/1264) * fix: typo in the error message (https://github.com/sigstore/cosign/pull/1250) * Fix semantic bugs in attestation verifification. (https://github.com/sigstore/cosign/pull/1249) * Fix semantic bug in DSSE specification. 
(https://github.com/sigstore/cosign/pull/1248)- vendor.tar.bz2: go mod vendor * Tue Jan 25 2022 Bernhard Wiedemann - Fix BUILD_DATE for reproducible build results (boo#1047218) * Thu Jan 06 2022 Marcus Meissner - cosign 1.4.1 release, initial import- provides signing / verification support for sigstore