cosign
https://github.com/sigstore/cosign
Cosign aims to make signatures invisible infrastructure.
Cosign supports:
- Hardware and KMS signing
- Bring-your-own PKI
- Our free OIDC PKI (Fulcio)
- Built-in
- Developed at security
- Sources inherited from project openSUSE:Factory
-
2
derived packages
- Download package
-
Checkout Package
osc -A https://api.opensuse.org checkout openSUSE:Factory:zSystems/cosign && cd $_ - Create Badge
Refresh
Refresh
Source Files
| Filename | Size | Changed |
|---|---|---|
| _service | 0000000127 127 Bytes | |
| cosign-1.12.1.tar.gz | 0006638172 6.33 MB | |
| cosign.changes | 0000030966 30.2 KB | |
| cosign.spec | 0000002345 2.29 KB | |
| vendor.tar.zst | 0013986813 13.3 MB |
Revision 11 (latest revision is 20)
Richard Brown (RBrownFactory)
accepted
request 1006386
from
Marcus Meissner (msmeissn)
(revision 11)
- update to 1.12.1:
* fix: Pulls Fulcio root and intermediate when --certificate-chain is not
passed into verify-blob command. The v1.12.0 release introduced a
regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would
check a --certificate (without a --certificate-chain provided) against the
operating system root CA bundle. In this release, Cosign checks the
certificate against Fulcio's CA root instead (restoring the earlier
behavior).
* fix: fix cert chain validation for verify-blob in non-experimental mode
* fix: add COSIGN_EXPERIMENTAL=1 for verify-bloba
* Fix BYO-root with intermediate to fetch intermediates from annotation
* fix: fixing breaking changes in rekor v1.12.0 upgrade
- use go-modules service to generate the vendor.tar and use zstd (forwarded request 1006385 from dirkmueller)
Comments 0