Revisions of cosign
Ana Guerrero (anag+factory)
accepted
request 1167811
from
Marcus Meissner (msmeissn)
(revision 20)
- updated to 2.2.4 (jsc#SLE-23879) * Bug Fixes * Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661) - CVE-2024-29902: Malicious attachments can cause system-wide denial of service (bsc#1222835) - CVE-2024-29903: Malicious artifects can cause machine-wide denial of service (bsc#1222837) * ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526) * fix semgrep issues for dgryski.semgrep-go ruleset (#3541) * Honor creation timestamp for signatures again (#3549) * Features * Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578) * Documentation * add oci bundle spec (#3622) * Correct help text of triangulate cmd (#3551) * Correct help text of verify-attestation policy argument (#3527) * feat: add OVHcloud MPR registry tested with cosign (#3639) (forwarded request 1167810 from msmeissn)
Ana Guerrero (anag+factory)
accepted
request 1143630
from
Marcus Meissner (msmeissn)
(revision 19)
- updated to 2.2.3 (jsc#SLE-23879) Bug Fixes: * Fix race condition on verification with multiple signatures attached to image (#3486) * fix(clean): Fix clean cmd for private registries (#3446) * Fixed BYO PKI verification (#3427) Features: * Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466) * Add support for OpenVEX predicate type (#3405) Documentation: * Resolves #3088: `version` sub-command expected behaviour documentation and testing (#3447) * add examples for cosign attach signature cmd (#3468) Misc: * Remove CertSubject function (#3467) * Use local rekor and fulcio instances in e2e tests (#3478) - bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207) (forwarded request 1143629 from msmeissn)
Dominique Leuenberger (dimstar_suse)
accepted
request 1132694
from
Wolfgang Frisch (wfrisch)
(revision 18)
Ana Guerrero (anag+factory)
accepted
request 1124000
from
Marcus Meissner (msmeissn)
(revision 17)
- updated to 2.2.1 (jsc#SLE-23879) This release comes with a fix for CVE-2023-46737 / bsc#1216933 described in this [Github Security Advisory](https://github.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9). Enhancements: * feat: Support basic auth and bearer auth login to registry (#3310) * add support for ignoring certificates with pkcs11 (#3334) * Support ReplaceOp in Signatures (#3315) * feat: added ability to get image digest back via triangulate (#3255) * feat: add `--only` flag in `cosign copy` to copy sign, att & sbom (#3247) * feat: add support attaching a Rekor bundle to a container (#3246) * feat: add support outputting rekor response on signing (#3248) * feat: improve dockerfile verify subcommand (#3264) * Add guard flag for experimental OCI 1.1 verify. (#3272) * Deprecate SBOM attachments (#3256) * feat: dedent line in cosign copy doc (#3244) * feat: add platform flag to cosign copy command (#3234) * Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219) * attest: pass OCI remote opts to att resolver. (#3225) Bug Fixes: * Merge pull request from GHSA-vfp6-jrw2-99g9 * fix: allow cosign download sbom when image is absent (#3245) * ci: add a OCI registry test for referrers support (#3253) * Fix ReplaceSignatures (#3292) * Stop using deprecated in_toto.ProvenanceStatement (#3243) * Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237) * fix: update error in `SignedEntity` to be more descriptive (#3233) * Fail timestamp verification if no root is provided (#3224) Documentation: * Add some docs about verifying in an air-gapped environment (#3321) (forwarded request 1123989 from msmeissn)
Dominique Leuenberger (dimstar_suse)
accepted
request 1108432
from
Marcus Meissner (msmeissn)
(revision 16)
- updated to 2.2.0 (jsc#SLE-23879) - Enhancements * switch to uploading DSSE types to rekor instead of intoto (#3113) * add 'cosign sign' command-line parameters for mTLS (#3052) * improve error messages around bundle != payload hash (#3146) * make VerifyImageAttestation function public (#3156) * Switch to cryptoutils function for SANS (#3185) * Handle HTTP_1_1_REQUIRED errors in github provider (#3172) - Bug Fixes * Fix nondeterminsitic timestamps (#3121) - Documentation * doc: Add example of sign-blob with key in env var (#3152) * add deprecation notice for cosign-releases GCS bucket (#3148) * update doc links (#3186) - updated to 2.1.1 (jsc#SLE-23879) - Bug Fixes - wait for the workers become available again to continue the execution (#3084) - fix help text when in a container (#3082) - updated to 2.1.0 (jsc#SLE-23879) - Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag. - Enhancements - Verify sigs and attestations in parallel (#3066) - Deep inspect attestations when filtering download (#3031) - refactor bundle validation code, add support for DSSE rekor type (#3016) - Allow overriding remote options (#3049) - feat: adds no cert found on sig exit code (#3038) - Make predicate a required flag in attest commands (#3033) - Added support for attaching Time stamp authority Response in attach command (#3001) - Add sign --sign-container-identity CLI (#2984) (forwarded request 1108431 from msmeissn)
Dominique Leuenberger (dimstar_suse)
accepted
request 1079859
from
Marcus Meissner (msmeissn)
(revision 15)
- update to 2.0.1 (jsc#SLE-23879) Enhancements - Add environment variable token provider (#2864) - Remove cosign policy command (#2846) - Allow customising 'go' executable with GOEXE var (#2841) - Consistent tlog warnings during verification (#2840) - Add riscv64 arch (#2821) - Default generated PEM labels to SIGSTORE (#2735) - Update privacy statement and confirmation (#2797) - Add exit codes for verify errors (#2766) - Add Buildkite provider (#2779) - verify-blob-attestation: Loosen arg requirements if --check-claims=false (#2746) Bug Fixes - PKCS11 sessions are now opened read only (#2853) - Makefile: date format of log should not show signatures (#2835) - Add missing flags to cosign verify dockerfile/manifest (#2830) - Add a warning to remember how to configure a custom Gitlab host (#2816) - Remove tag warning message from save/copy commands (#2799) - Mark keyless pem files with b64 (#2671) (forwarded request 1079858 from msmeissn)
Dominique Leuenberger (dimstar_suse)
accepted
request 1077439
from
Marcus Meissner (msmeissn)
(revision 14)
- fix buildtags - build against a maintained golang version (upstream uses go1.20) (forwarded request 1077363 from dirkmueller)
Dominique Leuenberger (dimstar_suse)
accepted
request 1067999
from
Marcus Meissner (msmeissn)
(revision 13)
- update to 2.0.0 (jsc#SLE-23879) Breaking Changes: * insecure-skip-tlog-verify: rename and adapt the cert expiration check (#2620) * Deprecate --certificate-email flag. Make --certificate-identity and -… (#2411) Enhancements: * Change go module name to github.com/sigstore/cosign/v2 for Cosign 2.0 (#2544) * Allow users to pass in a path for the --identity-token flag (#2538) * Breaking change: Respect tlog-upload=false, default to true (#2505) * Support outputing a certificate without uploading to the tlog (#2506) * Attestation/Blob signing and verification using a RFC3161 time-stamping server (#2464) * respect tlog-upload flag with TSA (#2474) * Better feedback if specifying incompatible argument on cosign sign --attachment (#2449) * Support TSA and Rekor verifications (#2463) * add support for tsa signing and verification of images (#2460) * cosign policy sign: remove experimental flag and make keyless signing default (#2459) * Remove experimental mode from cosign attest and verify-attestation (#2458) * Remove experimental mode from sign-blob and verify-blob (#2457) * Add --offline flag to force offline verification (#2427) * Air gap support (#2299) * Breaking change: Change SCT verification behavior to default to enforcement (#2400) * Breaking change: remove --force flag from sign and attest and rely on --yes flag to skip confirmation (#2399) * Breaking change: replace --no-tlog-upload flag with --tlog-upload flag (#2397) * Remove experimental flag from cosign sign and cosign verify (#2387) * verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a key from rekor's API (#2362) * Add warning to use digest instead of tags to other cosign commands (#2650) * Fix up UI messages (#2629) * Remove hardcoded Fulcio from output (#2621) * Fix missing privacy statement, print in multiple locations (#2622) * feat: allows custom key names for import-key-pair (#2587) * feat: support keyless verification for verify-blob-attestation (#2525) (forwarded request 1067997 from msmeissn)
Dominique Leuenberger (dimstar_suse)
accepted
request 1029810
from
Marcus Meissner (msmeissn)
(revision 12)
Richard Brown (RBrownFactory)
accepted
request 1006386
from
Marcus Meissner (msmeissn)
(revision 11)
- update to 1.12.1: * fix: Pulls Fulcio root and intermediate when --certificate-chain is not passed into verify-blob command. The v1.12.0 release introduced a regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would check a --certificate (without a --certificate-chain provided) against the operating system root CA bundle. In this release, Cosign checks the certificate against Fulcio's CA root instead (restoring the earlier behavior). * fix: fix cert chain validation for verify-blob in non-experimental mode * fix: add COSIGN_EXPERIMENTAL=1 for verify-bloba * Fix BYO-root with intermediate to fetch intermediates from annotation * fix: fixing breaking changes in rekor v1.12.0 upgrade - use go-modules service to generate the vendor.tar and use zstd (forwarded request 1006385 from dirkmueller)
Dominique Leuenberger (dimstar_suse)
accepted
request 1003868
from
Marcus Meissner (msmeissn)
(revision 10)
- updated to 1.12.0 (jsc#SLE-23879) - CVE-2022-36056: Fixed verify-blob could successfully verify an artifact when verification should have failed (bsc#1203430) - Support non-ECDSA key types for verify-blob by @haydentherapper in #2203 - feat: integrate Alibaba Cloud Container Registry cred helper by @mozillazg in #2008 - remove double quotes, looks like it is passing as a single string to cosign and not as an array by @cpanato in #2205 - Clarify error when KMS provider fails to load by @znewman01 in #2220 - feat: set annotations to generate additional bash completion information by @dirien in #2221 - Add deprecation warning for sget CLI and packages by @imjasonh in #2019 - upgrade setup-ko to point to new repo by @imjasonh in #2225 - Temp fix for e2e test by @haydentherapper in #2247 - update kind to use release v0.15.0 and some version comments by @cpanato in #2246 - Fix e2e test failure, add test for local bundle without rekor bundle by @haydentherapper in #2248 - fix: fix secret test, non-experimental bundle should pass by @asraa in #2249 - updated to 1.11.1 - add stale workflow using the workflow template by @cpanato in #2175 - Update Scorecard action to v2:alpha by @azeemshaikh38 in #2177 - add release cadence section in the readme by @cpanato in #2179 - feat: Rework fig autocomplete command by @dirien in #2187 - fix: fix typo that caused attestation verification failure by @asraa in #2199 - updated to 1.11.0 - Verify the certificate chain against the Fulcio root trust by default by @wata727 in #2139 - Add notes to clarify registry use. by @bendory in #2145 - Use TUF from scaffolding for validating cosign. by @vaikas in #2146 - docs: clarify wording in spec about usage of certificate chain by @asraa in #2152 - fix: fix blob verification output with sharded rekor tlogs by @asraa in #2157 - fix: adds envelope hash to in-toto entries in tlog entry creation by @nkreiger in #2118 - fix handling of verify-attestation types for URIs by @otms61 in #2159 - fix oidc post-merge job by @cpanato in #2164 - Remove third_party by @imjasonh in #2166 - use updated device flow logic with PKCE by @bobcallaway in #2163 (forwarded request 1003867 from msmeissn)
Dominique Leuenberger (dimstar_suse)
accepted
request 993342
from
Marcus Meissner (msmeissn)
(revision 9)
- updated to 1.10.1 (jsc#SLE-23879) - CVE-2022-35929: Fixed that cosign verify-attestaton --type can report a false positive if any attestation exists (GHSA-vjxv-45g9-9296 (bsc#1202157) - What else changed: - add flag to allow skipping upload to transparency log by @k4leung4 in #2089 - Improve error message when no sigs/atts are found for an image by @imjasonh in #2101 - Change Result in Vulnerability Attestation to interface{} by @knqyf263 in #2096 - Fix field names in the vulnerability attestation by @otms61 in #2099 - remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint by @cpanato in #2105 - sparkles Enable Scorecard badge by @azeemshaikh38 in #2109 - Resolves #522 set Created date to time of execution by @Lerentis in #2108 - Introduce a custom error type to classify errors. by @mattmoor in #2114 - feat: attach: attestation: allow passing multiple payloads by @Dentrax in #2085 - update cross-builder to go1.18.5 and cosign image to 1.10.0 by @cpanato in #2119 - chore: fix documentation and warning on using untrusted rekor key by @asraa in #2124 - Correct the type used for attest by @mattmoor in #2128 (forwarded request 993341 from msmeissn)
Richard Brown (RBrownFactory)
accepted
request 991560
from
Marcus Meissner (msmeissn)
(revision 8)
- updated to 1.10.0 - replace gcr.io/distroless/ to use ghcr.io/distroless/ by @cpanato in #1961 - Separate RegExp matching of issuer/subject from strict by @vaikas in #1956 - tuf: improve TUF client concurrency and caching by @asraa in #1953 - Add Cloudsmith Container Registry to tested registry list by @ciaracarey in #1966 - feat(fulcioroots): singleton error pattern by @developer-guy in #1965 - Drop tuf client dependency on GCS client library by @imjasonh in #1967 - Add spdxjson predicate type for attestations by @jdolitsky in #1974 - Remove policy-controller now that it lives in sigstore/policy-controller by @vaikas in #1976 - cleanup: unexport kubernetes.Client method by @imjasonh in #1973 - cleanup ci job and remove policy-controller references by @cpanato in #1981 - fix/update post build job by @cpanato in #1983 - docs: updated Azure kms commands. by @JBrejnholt in #1972 - Add cyclonedx predicate type for attestations by @jdolitsky in #1977 - Route deprecated -version to version subcommand by @puerco in #1854 - docs(readme): add installation steps for container image for cosign binary by @developer-guy in #1986 - Add --platform flag to cosign sbom download by @puerco in #1975 - Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore by @imjasonh in #1866 - Add --oidc-provider flag to specify which provider to use for ambient credentials by @priyawadhwa in #1998 - encrypt values to create the github action secret by @cpanato in #1990 - sign-blob: bundle should work independently and respect --output-certificate and --output-signature by @Dentrax in #2016 - Attempt to clean up pkg/cosign by @imjasonh in #2018 - public-key: fix command description by @Dentrax in #2024 - [NFC] specs: fix list formatting on SIGNATURE_SPEC by @woodruffw in #2030 - feat: cert-extensions verify by @developer-guy in #1626 - Fix #1378 create new attestation signature in replace mode if not existent by @Syquel in #2014 - Use cosign.ConfirmPrompt more consistently by @imjasonh in #2039 - chore: add a note about SIGSTORE_REKOR_PUBLIC_KEY var by @hectorj2f in #2040 - Fix OIDC test by @cpanato in #2050 - Add env subcommand. by @wlynch in #2051 (forwarded request 991559 from msmeissn)
Dominique Leuenberger (dimstar_suse)
accepted
request 983636
from
Marcus Meissner (msmeissn)
(revision 7)
- updated to 1.9.0 - Check failure message of policy that fails with issuer mismatch by @vaikas in #1815 - [Cosigned] Add signature pull secrets by @DennyHoang in #1805 - feat: add rego policy support by @hectorj2f in #1817 - Refactor fulcio signer to take in KeyOpts (take 2) by @wlynch in #1818 - cosigned: Test unsupported KMS providers by @imjasonh in #1820 - chore(deps): Included dependency review by @naveensrinivasan in #1792 - Add auth flow option to KeyOpts. by @wlynch in #1827 - Document Staging instance usage with Keyless by @k4leung4 in #1824 - New flag --oidc-providers-disable to disable OIDC providers by @puerco in #1832 - Validate tlog entry when verifying signature via public key. by @wlynch in #1833 - Add function to explicitly request a certain provider by @priyawadhwa in #1837 - cosigned: Fix podAntiAffinity labels by @elfotografo007 in #1841 - remove exclude from go.mod by @cpanato in #1846 - [Cosigned] Glob matching improvement by @DennyHoang in #1842 - sget: Enable KMS providers for sget by @imjasonh in #1852 - Fix piv-tool generate-key command in TOKENS doc by @nealmcb in #1850 - Add IBM Cloud Container Registry to tested registry list by @bainsy88 in #1856 - If SBOM ref has .json suffix, assume JSON mediatype by @jdolitsky in #1859 - Add rekor.0.pub TUF target to unit tests by @priyawadhwa in #1860 - Normalize certificate flag names by @haydentherapper in #1868 - Check certificate policy flags with only a certificate by @haydentherapper in #1869 - Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go by @cpanato in #1861 - Point git commmit FUN.md to gitsign! by @wlynch in #1874 - [cosigned] remove regex from the image pattern fields by @hectorj2f in #1873 - go.mod: format go.mod by @zchee in #1879 - Remove dependency on deprecated github.com/pkg/errors by @zchee in #1887 - tree: only report artifacts that are present by @ribbybibby in #1872 - update README with ebpf modules by @EItanya in #1888 - Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d by @vpnachev in #1889 (forwarded request 983635 from msmeissn)
Dominique Leuenberger (dimstar_suse)
accepted
request 978429
from
Marcus Meissner (msmeissn)
(revision 6)
- updated to 1.8.0 - Move the KMS integration imports into the binary entrypoints by @mattmoor in #1744 - [Cosigned] Convert functions for webhookCIP from v1alpha1 by @DennyHoang in #1736 - Refactor policy related code, add support for vuln verify by @vaikas in #1747 - Use bundle log ID to find verification key by @haydentherapper in #1748 - [cosigned] The webhook name is now configurable via --webhook-name flag by @vpnachev in #1726 - Add intermediate CA certificate pool for Fulcio by @haydentherapper in #1749 - test: create fake TUF test root and create test SETs for verification by @asraa in #1750 - Implement identities, fix bug in webhook validation. by @vaikas in #1759 - Validate issuer/subject regexp in validate webhook. by @vaikas in #1761 - chore: add warning when attaching sBOMs by @hectorj2f in #1756 - Verify embedded SCTs by @haydentherapper in #1731 - chore: add warning when downloading a sBOM by @hectorj2f in #1763 - [policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags by @vpnachev in #1757 - Break the CIP action tests into a sh script. by @vaikas in #1767 - tuf: add debug info if tuf update fails by @asraa in #1766 - cosigned: add support for rsa keys by @hectorj2f in #1768 - Cosigned validate against remote sig src by @DennyHoang in #1754 - Add Fulcio intermediate CA certificate to intermediate pool by @haydentherapper in #1774 - fix: more informative error by @ybelMekk in #1778 - Run update-codegen. by @wlynch in #1789 - Remove the dependency on v1alpha1.Identity which brings in unnecessary k8s deps. by @vaikas in #1790 - Refactor fulcio signer to take in KeyOpts. by @wlynch in #1788 - test: add cue unit tests by @hectorj2f in #1791 - Attestations + policy in cip. by @vaikas in #1772 - chore: add rego function to consume modules and evaluate them by @hectorj2f in #1787 - Add parallelization for processing policies / authorities. by @vaikas in #1795 - Allow passing keys via environment variables (env:// refs) by @znewman01 in #1794 - Handle context cancelled properly + tests. by @vaikas in #1796 - Fix a bug where an error would send duplicate results. by @vaikas in #1797
Dominique Leuenberger (dimstar_suse)
accepted
request 972838
from
Marcus Meissner (msmeissn)
(revision 5)
- updated to 1.7.2 - [Cosigned] Fix publicKey unmarshal by @DennyHoang in #1719 - fix: add permissions to patch events by @hectorj2f in #1722 - Make public all types required to use ValidatePolicy by @jdolitsky in #1727 - Add unit tests for IntotoAttestation verifier. by @vaikas in #1728 - Remove newline from download sbom output by @ribbybibby in #1732 - Fix packages name and binary in the packages by @cpanato in #1734 - Fix fulcioroots test and linter error by @haydentherapper in #1741 - Support non-ECDSA public keys in certificates by @haydentherapper in #1740 - bug: remove old fulcio root and fix fallback target code by @asraa in #1738 - updated to 1.7.1 - pkcs11: fix build instructions by @rgerganov in #1550 - add definition for artifact hub to verify the ownership by @cpanato in #1563 - Add example using AWS Key Management Service (KMS) by @davivcgarcia in #1564 - Start of the necessary pieces to get #1418 and #1419 implemented by @vaikas in #1562 - Support deletion of ClusterImagePolicy by @vaikas in #1580 - 1417 policy validations by @kkavitha in #1548 - Don't lowercase input image refs, just fail by @imjasonh in #1586 - Fix #1583 #1582. Disallow regex now until implemented. by @vaikas in #1584 - Fix piping 'cosign verify' using fulcio/rekor by @marcofranssen in #1590 - Fix #1592 move authorities as siblings of images. by @vaikas in #1593 - Add ability to inline secrets from SecretRef to configmap. by @vaikas in #1595 - Fix copy/paste mistake in repo name. by @k4leung4 in #1600 - Use reusuable release workflow in sigstore/sigstore by @k4leung4 in #1599 - Add public key validation by @kkavitha in #1598 - Validate a public key in a secret is valid. by @vaikas in #1602 - Ensure entry is removed from CM on secret error. by @vaikas in #1605 - Add two env variables. One for using Rekor public key from OOB and one for fetching it from Rekor server by @vaikas in #1610 - Init entity from ociremote when signing a digest ref by @puerco in #1616 - rename ca-key to ca-cert. Fix 1608, 1613 by @vaikas in #1617 (forwarded request 972815 from msmeissn)
Dominique Leuenberger (dimstar_suse)
accepted
request 966617
from
Marcus Meissner (msmeissn)
(revision 4)
- updated to 1.6.0 - Fix double time import in e2e tests by @saschagrunert in #1388 - Add --timeout support to sign command by @saschagrunert in #1379 - Fix comparison in replace option for attestation by @bburky in #1366 - Add Cosign logo to README by @nsmith5 in #1395 - Minor refactor to verify SCT and Rekor entry with multiple keys by @haydentherapper in #1396 - Fix a link of SECURITY.md by @knqyf263 in #1399 - update cosign and cross-build image for the release job by @cpanato in #1400 - feat: login command by @developer-guy in #1398 - TUF: Add root status output by @asraa in #1404 - Add a newline after password input by @knqyf263 in #1407 - make imageRef lowercase before parsing by @bobcallaway in #1409 - Improve error message when image is not found in registry by @imjasonh in #1410 - Add ability to override the Spiffe socket via environmental variable: by @vaikas in #1421 - Fix incorrect error check when verifying SCT by @haydentherapper in #1422 - Skip the ReadWrite test that flakes on Windows. by @dlorenc in #1415 - Allow PassFunc to be nil by @saschagrunert in #1426 - Update the cosign keyless documentation to point to the GA release. by @dlorenc in #1427 - Remove TUF timestamp from OCI signature bundle by @haydentherapper in #1428 - Add docs on API stability and deprecation table by @priyawadhwa in #1429 - update cross-build image which adds goimports by @cpanato in #1435 - feat: enhance clean cmd capability by @developer-guy in #1430 - use the upstream kubernetes version lib and ldflags by @n3wscott in #1413 - Improve log lines to match with implementation by @marcofranssen in #1432 - feat: fig autocomplete feature by @developer-guy in #1360 - update cross-build to use go 1.17.7 by @cpanato in #1446 - Fetch verification targets by TUF custom metadata by @haydentherapper in #1423 - feat: add -buildid= to ldflags by @developer-guy in #1451 - Streamline SignBlobCmd API with SignCmd by @saschagrunert in #1454 - convert release cosigned to also generate yaml artifact. by @k4leung4 in #1453 (forwarded request 966616 from msmeissn)
Dominique Leuenberger (dimstar_suse)
accepted
request 956475
from
Marcus Meissner (msmeissn)
(revision 3)
- updated to 1.5.2: - This release contains fixes for CVE-2022-23649, affecting signature validations with Rekor. Only validation is affected, it is not necessary to re-sign any artifacts. (bsc#1196239) - updated to 1.5.1: - Bump sigstore/sigstore to pick up oidc login for vault. (#1377) - Bump google.golang.org/api from 0.65.0 to 0.66.0 (#1371) - expose dafaults fulcio, rekor, oidc issuer urls (#1368) - add check to make sure the go modules are in sync (#1369) - README: fix link to race conditions (#1367) - Bump cloud.google.com/go/storage from 1.18.2 to 1.19.0 (#1365) - docs: verify-attestation cue and rego policy doc (#1362) - Update verify-blob to support DSSEs (#1355) - organize, update select deps (#1358) - Bump go-containerregistry to pick up ACR keychain fix (#1357) - Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (#1352) - sync go modules (#1353) (forwarded request 956474 from msmeissn)
Dominique Leuenberger (dimstar_suse)
accepted
request 949015
from
Marcus Meissner (msmeissn)
(revision 2)
- updated to 1.5.0 ## Highlights * enable sbom generation when releasing (https://github.com/sigstore/cosign/pull/1261) * feat: log error to stderr (https://github.com/sigstore/cosign/pull/1260) * feat: support attach attestation (https://github.com/sigstore/cosign/pull/1253) * feat: resolve --cert from URL (https://github.com/sigstore/cosign/pull/1245) * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1237) * feat: vuln attest support (https://github.com/sigstore/cosign/pull/1168) * feat: add ambient credential detection with spiffe/spire (https://github.com/sigstore/cosign/pull/1220) * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1236) * feat: implement cosign download attestation (https://github.com/sigstore/cosign/pull/1216) ## Enhancements * Don't use k8schain, statically link cloud cred helpers in cosign (https://github.com/sigstore/cosign/pull/1279) * Export function to verify individual signature (https://github.com/sigstore/cosign/pull/1334) * Add suffix with digest to signature file output for recursive signing (https://github.com/sigstore/cosign/pull/1267) * Take OIDC client secret into account (https://github.com/sigstore/cosign/pull/1310) * Add --bundle flag to sign-blob and verify-blob (https://github.com/sigstore/cosign/pull/1306) * Add flag to verify OIDC issuer in certificate (https://github.com/sigstore/cosign/pull/1308) * add OSSF scorecard action (https://github.com/sigstore/cosign/pull/1318) * Add TUF timestamp to attestation bundle (https://github.com/sigstore/cosign/pull/1316) * Provide certificate flags to all verify commands (https://github.com/sigstore/cosign/pull/1305) * Bundle TUF timestamp with signature on signing (https://github.com/sigstore/cosign/pull/1294) * Add support for importing PKCShttps://github.com/sigstore/cosign/pull/8 private keys, and add validation (https://github.com/sigstore/cosign/pull/1300) * add error message (https://github.com/sigstore/cosign/pull/1296) * Move bundle out of `oci` and into `bundle` package (https://github.com/sigstore/cosign/pull/1295) * Reorganize verify-blob code and add a unit test (https://github.com/sigstore/cosign/pull/1286) * One-to-one mapping of invocation to scan result (https://github.com/sigstore/cosign/pull/1268) * refactor common utilities (https://github.com/sigstore/cosign/pull/1266) * Importing RSA and EC keypairs (https://github.com/sigstore/cosign/pull/1050) * Refactor the tuf client code. (https://github.com/sigstore/cosign/pull/1252) (forwarded request 949014 from msmeissn)
Dominique Leuenberger (dimstar_suse)
accepted
request 944678
from
Marcus Meissner (msmeissn)
(revision 1)
add to factory
Displaying all 20 revisions