cosign
https://github.com/sigstore/cosign
Cosign aims to make signatures invisible infrastructure.
Cosign supports:
- Hardware and KMS signing
- Bring-your-own PKI
- Our free OIDC PKI (Fulcio)
- Built-in
- Developed at security
- Sources inherited from project openSUSE:Factory
-
1
derived packages
- Download package
-
Checkout Package
osc -A https://api.opensuse.org checkout openSUSE:Factory:zSystems/cosign && cd $_
- Create Badge
Refresh
Refresh
Source Files
Filename | Size | Changed |
---|---|---|
_service | 0000000127 127 Bytes | |
cosign-1.12.1.tar.gz | 0006638172 6.33 MB | |
cosign.changes | 0000030966 30.2 KB | |
cosign.spec | 0000002345 2.29 KB | |
vendor.tar.zst | 0013986813 13.3 MB |
Revision 11 (latest revision is 21)
Richard Brown (RBrownFactory)
accepted
request 1006386
from
Marcus Meissner (msmeissn)
(revision 11)
- update to 1.12.1: * fix: Pulls Fulcio root and intermediate when --certificate-chain is not passed into verify-blob command. The v1.12.0 release introduced a regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would check a --certificate (without a --certificate-chain provided) against the operating system root CA bundle. In this release, Cosign checks the certificate against Fulcio's CA root instead (restoring the earlier behavior). * fix: fix cert chain validation for verify-blob in non-experimental mode * fix: add COSIGN_EXPERIMENTAL=1 for verify-bloba * Fix BYO-root with intermediate to fetch intermediates from annotation * fix: fixing breaking changes in rekor v1.12.0 upgrade - use go-modules service to generate the vendor.tar and use zstd (forwarded request 1006385 from dirkmueller)
Comments 0