Revisions of cosign
buildservice-autocommit accepted request 1167811 from Marcus Meissner (msmeissn) (revision 39)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1167810 from Marcus Meissner (msmeissn) (revision 38)
- updated to 2.2.4 (jsc#SLE-23879)
  * Bug Fixes
    * Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
      - CVE-2024-29902: Malicious attachments can cause system-wide denial of service (bsc#1222835)
      - CVE-2024-29903: Malicious artifacts can cause machine-wide denial of service (bsc#1222837)
    * ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
    * fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
    * Honor creation timestamp for signatures again (#3549)
  * Features
    * Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)
  * Documentation
    * add oci bundle spec (#3622)
    * Correct help text of triangulate cmd (#3551)
    * Correct help text of verify-attestation policy argument (#3527)
    * feat: add OVHcloud MPR registry tested with cosign (#3639)
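The two advisories in the 2.2.4 entry, CVE-2024-29902 and CVE-2024-29903, are resource-exhaustion bugs triggered by attachments and artifacts a registry hands back to the verifier. As an added example (not cosign's code and not part of this changelog; the limits, type names and sample bodies are assumed values constructed for the demonstration, not the ones upstream chose), the Go program below shows the two bounds a client that fetches untrusted attachments needs: a cap on how many attachments it will process, applied before any body is read, and a cap on how many bytes it reads from each body, enforced while reading rather than after the whole stream has been buffered.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// Limits assumed for the demonstration; they are not cosign's values.
const (
	MaxAttachmentBytes int64 = 4 << 20 // 4 MiB per attachment body
	MaxAttachments     int   = 1000    // per image
)

var (
	ErrTooLarge = errors.New("attachment exceeds size limit")
	ErrTooMany  = errors.New("too many attachments")
)

// Attachment is a constructed stand-in for one signature, attestation or
// SBOM layer referenced from a registry manifest.
type Attachment struct {
	Digest string
	Body   io.Reader
}

// readBounded reads at most limit bytes from r. Instead of reading an
// untrusted stream to completion and then checking its length, it stops one
// byte past the limit, so a body of any size costs at most limit+1 bytes.
func readBounded(r io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrTooLarge
	}
	return data, nil
}

// fetchAttachments applies the count limit before touching any body and the
// size limit to each body, failing closed on the first violation.
func fetchAttachments(atts []Attachment, maxCount int, maxBytes int64) ([][]byte, error) {
	if len(atts) > maxCount {
		return nil, fmt.Errorf("%d attachments: %w", len(atts), ErrTooMany)
	}
	out := make([][]byte, 0, len(atts))
	for _, a := range atts {
		body, err := readBounded(a.Body, maxBytes)
		if err != nil {
			return nil, fmt.Errorf("attachment %s: %w", a.Digest, err)
		}
		out = append(out, body)
	}
	return out, nil
}

// endless never returns EOF: a registry that streams forever, or a layer
// whose declared size is a lie. Without a bound, io.ReadAll on this grows
// until the process is killed.
type endless struct{}

func (endless) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 0
	}
	return len(p), nil
}

func main() {
	// Constructed sample inputs.
	good := []Attachment{{Digest: "sha256:aaa", Body: bytes.NewReader([]byte(`{"critical":{}}`))}}
	if _, err := fetchAttachments(good, MaxAttachments, MaxAttachmentBytes); err != nil {
		panic(err)
	}
	fmt.Println("bounded attachment: ok")

	hostile := []Attachment{{Digest: "sha256:bbb", Body: endless{}}}
	_, err := fetchAttachments(hostile, MaxAttachments, MaxAttachmentBytes)
	fmt.Println("endless body:", err)

	many := make([]Attachment, MaxAttachments+1)
	for i := range many {
		many[i] = Attachment{Digest: fmt.Sprintf("sha256:%04d", i), Body: bytes.NewReader(nil)}
	}
	_, err = fetchAttachments(many, MaxAttachments, MaxAttachmentBytes)
	fmt.Println("too many attachments:", err)
}
```

The order matters: checking the count before opening any body means an image that advertises a million attestations is rejected for the price of reading its manifest, and the per-body limit means a single hostile layer cannot turn a verification into an out-of-memory kill.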
buildservice-autocommit accepted request 1143630 from Marcus Meissner (msmeissn) (revision 37)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1143629 from Marcus Meissner (msmeissn) (revision 36)
- updated to 2.2.3 (jsc#SLE-23879)
  Bug Fixes:
  * Fix race condition on verification with multiple signatures attached to image (#3486)
  * fix(clean): Fix clean cmd for private registries (#3446)
  * Fixed BYO PKI verification (#3427)
  Features:
  * Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
  * Add support for OpenVEX predicate type (#3405)
  Documentation:
  * Resolves #3088: `version` sub-command expected behaviour documentation and testing (#3447)
  * add examples for cosign attach signature cmd (#3468)
  Misc:
  * Remove CertSubject function (#3467)
  * Use local rekor and fulcio instances in e2e tests (#3478)
- bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)
buildservice-autocommit accepted request 1132694 from Wolfgang Frisch (wfrisch) (revision 35)
baserev update by copy to link target
Wolfgang Frisch (wfrisch) accepted request 1132643 from Marcos Bjoerkelund (mbjoerkelund) (revision 34)
- updated to 2.2.2 (jsc#SLE-23879)
  v2.2.2 adds a new container with a shell, gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing container gcr.io/projectsigstore/cosign:vx.y.z without a shell. For private deployments, we have also added an alias for --insecure-skip-log, --private-infrastructure.
  Bug Fixes:
  * chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411) which fixes a bug with using Azure KMS
  * Don't require CT log keys if using a key/sk (#3415)
  * Fix copy without any flag set (#3409)
  * Update cosign generate cmd to not include newline (#3393)
  * Fix idempotency error with signing (#3371)
  Features:
  * Add --yes flag cosign import-key-pair to skip the overwrite confirmation. (#3383)
  * Use the timeout flag value in verify* commands. (#3391)
  * add --private-infrastructure flag (#3369)
  Container Updates:
  * Bump builder image to use go1.21.4 and add new cosign image tags with shell (#3373)
  Documentation:
  * Update SBOM_SPEC.md (#3358)
buildservice-autocommit accepted request 1124000 from Marcus Meissner (msmeissn) (revision 33)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1123989 from Marcus Meissner (msmeissn) (revision 32)
- updated to 2.2.1 (jsc#SLE-23879)
  This release comes with a fix for CVE-2023-46737 / bsc#1216933 described in this [Github Security Advisory](https://github.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9).
  Enhancements:
  * feat: Support basic auth and bearer auth login to registry (#3310)
  * add support for ignoring certificates with pkcs11 (#3334)
  * Support ReplaceOp in Signatures (#3315)
  * feat: added ability to get image digest back via triangulate (#3255)
  * feat: add `--only` flag in `cosign copy` to copy sign, att & sbom (#3247)
  * feat: add support attaching a Rekor bundle to a container (#3246)
  * feat: add support outputting rekor response on signing (#3248)
  * feat: improve dockerfile verify subcommand (#3264)
  * Add guard flag for experimental OCI 1.1 verify. (#3272)
  * Deprecate SBOM attachments (#3256)
  * feat: dedent line in cosign copy doc (#3244)
  * feat: add platform flag to cosign copy command (#3234)
  * Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)
  * attest: pass OCI remote opts to att resolver. (#3225)
  Bug Fixes:
  * Merge pull request from GHSA-vfp6-jrw2-99g9
  * fix: allow cosign download sbom when image is absent (#3245)
  * ci: add a OCI registry test for referrers support (#3253)
  * Fix ReplaceSignatures (#3292)
  * Stop using deprecated in_toto.ProvenanceStatement (#3243)
  * Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237)
  * fix: update error in `SignedEntity` to be more descriptive (#3233)
  * Fail timestamp verification if no root is provided (#3224)
  Documentation:
  * Add some docs about verifying in an air-gapped environment (#3321)
buildservice-autocommit accepted request 1108432 from Marcus Meissner (msmeissn) (revision 31)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1108431 from Marcus Meissner (msmeissn) (revision 30)
- updated to 2.2.0 (jsc#SLE-23879)
  - Enhancements
    * switch to uploading DSSE types to rekor instead of intoto (#3113)
    * add 'cosign sign' command-line parameters for mTLS (#3052)
    * improve error messages around bundle != payload hash (#3146)
    * make VerifyImageAttestation function public (#3156)
    * Switch to cryptoutils function for SANS (#3185)
    * Handle HTTP_1_1_REQUIRED errors in github provider (#3172)
  - Bug Fixes
    * Fix nondeterministic timestamps (#3121)
  - Documentation
    * doc: Add example of sign-blob with key in env var (#3152)
    * add deprecation notice for cosign-releases GCS bucket (#3148)
    * update doc links (#3186)
- updated to 2.1.1 (jsc#SLE-23879)
  - Bug Fixes
    - wait for the workers to become available again to continue the execution (#3084)
    - fix help text when in a container (#3082)
- updated to 2.1.0 (jsc#SLE-23879)
  - Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag.
  - Enhancements
    - Verify sigs and attestations in parallel (#3066)
    - Deep inspect attestations when filtering download (#3031)
    - refactor bundle validation code, add support for DSSE rekor type (#3016)
    - Allow overriding remote options (#3049)
    - feat: adds no cert found on sig exit code (#3038)
    - Make predicate a required flag in attest commands (#3033)
    - Added support for attaching Time stamp authority Response in attach command (#3001)
    - Add sign --sign-container-identity CLI (#2984)
buildservice-autocommit accepted request 1079859 from Marcus Meissner (msmeissn) (revision 29)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1079858 from Marcus Meissner (msmeissn) (revision 28)
- update to 2.0.1 (jsc#SLE-23879)
  Enhancements
  - Add environment variable token provider (#2864)
  - Remove cosign policy command (#2846)
  - Allow customising 'go' executable with GOEXE var (#2841)
  - Consistent tlog warnings during verification (#2840)
  - Add riscv64 arch (#2821)
  - Default generated PEM labels to SIGSTORE (#2735)
  - Update privacy statement and confirmation (#2797)
  - Add exit codes for verify errors (#2766)
  - Add Buildkite provider (#2779)
  - verify-blob-attestation: Loosen arg requirements if --check-claims=false (#2746)
  Bug Fixes
  - PKCS11 sessions are now opened read only (#2853)
  - Makefile: date format of log should not show signatures (#2835)
  - Add missing flags to cosign verify dockerfile/manifest (#2830)
  - Add a warning to remember how to configure a custom Gitlab host (#2816)
  - Remove tag warning message from save/copy commands (#2799)
  - Mark keyless pem files with b64 (#2671)
buildservice-autocommit accepted request 1077439 from Marcus Meissner (msmeissn) (revision 27)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1077363 from Dirk Mueller (dirkmueller) (revision 26)
- fix buildtags
- build against a maintained golang version (upstream uses go1.20)
buildservice-autocommit accepted request 1067999 from Marcus Meissner (msmeissn) (revision 25)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1067997 from Marcus Meissner (msmeissn) (revision 24)
- update to 2.0.0 (jsc#SLE-23879)
  Breaking Changes:
  * insecure-skip-tlog-verify: rename and adapt the cert expiration check (#2620)
  * Deprecate --certificate-email flag. Make --certificate-identity and -… (#2411)
  Enhancements:
  * Change go module name to github.com/sigstore/cosign/v2 for Cosign 2.0 (#2544)
  * Allow users to pass in a path for the --identity-token flag (#2538)
  * Breaking change: Respect tlog-upload=false, default to true (#2505)
  * Support outputting a certificate without uploading to the tlog (#2506)
  * Attestation/Blob signing and verification using an RFC3161 time-stamping server (#2464)
  * respect tlog-upload flag with TSA (#2474)
  * Better feedback if specifying incompatible argument on cosign sign --attachment (#2449)
  * Support TSA and Rekor verifications (#2463)
  * add support for tsa signing and verification of images (#2460)
  * cosign policy sign: remove experimental flag and make keyless signing default (#2459)
  * Remove experimental mode from cosign attest and verify-attestation (#2458)
  * Remove experimental mode from sign-blob and verify-blob (#2457)
  * Add --offline flag to force offline verification (#2427)
  * Air gap support (#2299)
  * Breaking change: Change SCT verification behavior to default to enforcement (#2400)
  * Breaking change: remove --force flag from sign and attest and rely on --yes flag to skip confirmation (#2399)
  * Breaking change: replace --no-tlog-upload flag with --tlog-upload flag (#2397)
  * Remove experimental flag from cosign sign and cosign verify (#2387)
  * verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a key from rekor's API (#2362)
  * Add warning to use digest instead of tags to other cosign commands (#2650)
  * Fix up UI messages (#2629)
  * Remove hardcoded Fulcio from output (#2621)
  * Fix missing privacy statement, print in multiple locations (#2622)
  * feat: allows custom key names for import-key-pair (#2587)
  * feat: support keyless verification for verify-blob-attestation (#2525)
buildservice-autocommit accepted request 1029810 from Marcus Meissner (msmeissn) (revision 23)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1029749 from Marcus Meissner (msmeissn) (revision 22)
- update to 1.13.1:
  * verify-blob-attestation: allow multiple subjects in in_toto attestation (#2341)
  * Nits for #2337 (#2342)
  * Add verify-blob-attestation command and tests (#2337)
  * Update warning when users sign images by tag. (#2313)
  * Remove experimental flags from attest-blob and refactor (#2338)
  * Add --output-attestation flag to attest-blob and remove experimental signing (#2332)
  * Add attest-blob command (#2286)
  * Add '--cert-identity' flag to support subject alternate names for ver… (#2278)
  * Update Dockerfile section of README (#2323)
  * Fix option description: "sign" --> "verify" (#2306)
- update to 1.13.0:
  * feat: use stdin as an input for predicate by @developer-guy in https://github.com/sigstore/cosign/pull/2269
  * feat: improve the verification message by @developer-guy in https://github.com/sigstore/cosign/pull/2268
  * use scaffolding 0.4.8 for tests. by @vaikas in https://github.com/sigstore/cosign/pull/2280
  * fix pivtool generate key touch policy by @cpanato in https://github.com/sigstore/cosign/pull/2282
  * Check error on chain verification failure by @haydentherapper in https://github.com/sigstore/cosign/pull/2284
  * Fix: Remove an extra registry request from verification path. by @mattmoor in https://github.com/sigstore/cosign/pull/2285
  * Fix: Create a static copy of signatures as part of verification. by @mattmoor in https://github.com/sigstore/cosign/pull/2287
  * Data race in FetchSignaturesForReference by @RTann in https://github.com/sigstore/cosign/pull/2283
  * Add support for Fulcio username identity in SAN by @haydentherapper in https://github.com/sigstore/cosign/pull/2291
  * fix: make tlog entry lookups for online verification shard-aware by @asraa in https://github.com/sigstore/cosign/pull/2297
  * Better help text to sign and verify SBOM by @ChristianCiach in https://github.com/sigstore/cosign/pull/2308
  * Adding warning to pin to digest by @ChaosInTheCRD in https://github.com/sigstore/cosign/pull/2311
  * Add annotations for upload blob. by @cldmnky in https://github.com/sigstore/cosign/pull/2188
  * replace deprecate package by @cpanato in https://github.com/sigstore/cosign/pull/2314
  * update release images to use go1.19.2 and cosign v1.12.1 by @cpanato in https://github.com/sigstore/cosign/pull/2315
buildservice-autocommit accepted request 1006386 from Marcus Meissner (msmeissn) (revision 21)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1006385 from Dirk Mueller (dirkmueller) (revision 20)
- update to 1.12.1:
  * fix: Pulls Fulcio root and intermediate when --certificate-chain is not passed into verify-blob command. The v1.12.0 release introduced a regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would check a --certificate (without a --certificate-chain provided) against the operating system root CA bundle. In this release, Cosign checks the certificate against Fulcio's CA root instead (restoring the earlier behavior).
  * fix: fix cert chain validation for verify-blob in non-experimental mode
  * fix: add COSIGN_EXPERIMENTAL=1 for verify-blob
  * Fix BYO-root with intermediate to fetch intermediates from annotation
  * fix: fixing breaking changes in rekor v1.12.0 upgrade
- use go-modules service to generate the vendor.tar and use zstd
Displaying revisions 1 - 20 of 39