File _patchinfo of Package patchinfo.28895
<patchinfo incident="28895">
<issue tracker="jsc" id="SLE-23879"/>
<packager>msmeissn</packager>
<rating>moderate</rating>
<category>recommended</category>
<summary>Recommended update for cosign</summary>
<description>This update for cosign fixes the following issues:
cosign was updated to 2.0.1 (jsc#SLE-23879)
- Enhancements
- Add environment variable token provider (#2864)
- Remove cosign policy command (#2846)
- Allow customising 'go' executable with GOEXE var (#2841)
- Consistent tlog warnings during verification (#2840)
- Add riscv64 arch (#2821)
- Default generated PEM labels to SIGSTORE (#2735)
- Update privacy statement and confirmation (#2797)
- Add exit codes for verify errors (#2766)
- Add Buildkite provider (#2779)
- verify-blob-attestation: Loosen arg requirements if --check-claims=false (#2746)
- Bug Fixes
- PKCS11 sessions are now opened read only (#2853)
- Makefile: date format of log should not show signatures (#2835)
- Add missing flags to cosign verify dockerfile/manifest (#2830)
- Add a warning to remember how to configure a custom Gitlab host (#2816)
- Remove tag warning message from save/copy commands (#2799)
- Mark keyless pem files with b64 (#2671)
- build against a maintained golang version (upstream uses go1.20)
cosign was updated to 2.0.0 (jsc#SLE-23879)
- Breaking Changes:
- insecure-skip-tlog-verify: rename and adapt the cert expiration check (#2620)
- Deprecate --certificate-email flag. Make --certificate-identity and -… (#2411)
- Enhancements:
- Change go module name to github.com/sigstore/cosign/v2 for Cosign 2.0 (#2544)
- Allow users to pass in a path for the --identity-token flag (#2538)
- Breaking change: Respect tlog-upload=false, default to true (#2505)
- Support outputting a certificate without uploading to the tlog (#2506)
- Attestation/Blob signing and verification using a RFC3161 time-stamping server (#2464)
- respect tlog-upload flag with TSA (#2474)
- Better feedback if specifying incompatible argument on cosign sign --attachment (#2449)
- Support TSA and Rekor verifications (#2463)
- add support for tsa signing and verification of images (#2460)
- cosign policy sign: remove experimental flag and make keyless signing default (#2459)
- Remove experimental mode from cosign attest and verify-attestation (#2458)
- Remove experimental mode from sign-blob and verify-blob (#2457)
- Add --offline flag to force offline verification (#2427)
- Air gap support (#2299)
- Breaking change: Change SCT verification behavior to default to enforcement (#2400)
- Breaking change: remove --force flag from sign and attest and rely on --yes flag to skip confirmation (#2399)
- Breaking change: replace --no-tlog-upload flag with --tlog-upload flag (#2397)
- Remove experimental flag from cosign sign and cosign verify (#2387)
- verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a key from rekor's API (#2362)
- Add warning to use digest instead of tags to other cosign commands (#2650)
- Fix up UI messages (#2629)
- Remove hardcoded Fulcio from output (#2621)
- Fix missing privacy statement, print in multiple locations (#2622)
- feat: allows custom key names for import-key-pair (#2587)
- feat: support keyless verification for verify-blob-attestation (#2525)
- attest-blob: add functionality for keyless signing (#2515)
- Rego: add support for custom error/warning messages when evaluating rego rules (#2577)
- feat: add debug information to cert validation error (#2579)
- Support non-Sigstore TSA requests (#2708)
- Add COSIGN_OCI_EXPERIMENTAL, push .sig/.sbom using OCI 1.1+ digest tag (#2684)
- Output certificate in bundle when entry is not uploaded to Rekor (#2715)
- attach signature and attach sbom must use STDIN to upload raw string (#2637)
- add generate-key-pair GitHub Enterprise server support (#2676)
- add in format string for warning (#2699)
- Support for fetching Fulcio certs with self-managed key (#2532)
- 2476 predicate type download (#2484)
- Bug Fixes:
- Fix the file existence check. (#2552)
- Fix timestamp verification, add verify-blob tests (#2527)
- Fix(verify): Consolidate certificate expiry logic (#2504)
- Updates to Timestamp signing and verification (#2499)
- Fix: removes attestation payload from attest-blob's output & no base64 encoding (#2498)
- Fix path for e2e-tests badge (#2490)
- Fix spdx json media type (#2479)
- Fix sct verification (#2426)
- Fix: panic with unsigned local image (#2656)
- Make sure a cert passed in via --cert matches the bundle cert (#2652)
- Fix: fix github oidc post submit test (#2594)
- Fix: add enhanced error messages for failing verification with TUF targets (#2589)
- Fix: Add missing schemes to cosign predicate types. (#2717)
- Fix: Drop the CosignPredicate wrapper around SBOM attestations. (#2718)
- Fix prompts with Windows line endings (#2674)
cosign was updated to 1.13.1:
- verify-blob-attestation: allow multiple subjects in in_toto attestation (#2341)
- Nits for #2337 (#2342)
- Add verify-blob-attestation command and tests (#2337)
- Update warning when users sign images by tag. (#2313)
- Remove experimental flags from attest-blob and refactor (#2338)
- Add --output-attestation flag to attest-blob and remove experimental signing (#2332)
- Add attest-blob command (#2286)
- Add '--cert-identity' flag to support subject alternate names for ver… (#2278)
- Update Dockerfile section of README (#2323)
- Fix option description: "sign" --> "verify" (#2306)
cosign was updated to 1.13.0:
- feat: use stdin as an input for predicate by @developer-guy in https://github.com/sigstore/cosign/pull/2269
- feat: improve the verification message by @developer-guy in https://github.com/sigstore/cosign/pull/2268
- use scaffolding 0.4.8 for tests. by @vaikas in https://github.com/sigstore/cosign/pull/2280
- fix pivtool generate key touch policy by @cpanato in https://github.com/sigstore/cosign/pull/2282
- Check error on chain verification failure by @haydentherapper in https://github.com/sigstore/cosign/pull/2284
- Fix: Remove an extra registry request from verification path. by @mattmoor in https://github.com/sigstore/cosign/pull/2285
- Fix: Create a static copy of signatures as part of verification. by @mattmoor in https://github.com/sigstore/cosign/pull/2287
- Data race in FetchSignaturesForReference by @RTann in https://github.com/sigstore/cosign/pull/2283
- Add support for Fulcio username identity in SAN by @haydentherapper in https://github.com/sigstore/cosign/pull/2291
- fix: make tlog entry lookups for online verification shard-aware by @asraa in https://github.com/sigstore/cosign/pull/2297
- Better help text to sign and verify SBOM by @ChristianCiach in https://github.com/sigstore/cosign/pull/2308
- Adding warning to pin to digest by @ChaosInTheCRD in https://github.com/sigstore/cosign/pull/2311
- Add annotations for upload blob. by @cldmnky in https://github.com/sigstore/cosign/pull/2188
- replace deprecate package by @cpanato in https://github.com/sigstore/cosign/pull/2314
- update release images to use go1.19.2 and cosign v1.12.1 by @cpanato in https://github.com/sigstore/cosign/pull/2315
cosign was updated to 1.12.1:
- fix: Pulls Fulcio root and intermediate when --certificate-chain is not
passed into verify-blob command. The v1.12.0 release introduced a
regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would
check a --certificate (without a --certificate-chain provided) against the
operating system root CA bundle. In this release, Cosign checks the
certificate against Fulcio's CA root instead (restoring the earlier
behavior).
- fix: fix cert chain validation for verify-blob in non-experimental mode
- fix: add COSIGN_EXPERIMENTAL=1 for verify-blob
- Fix BYO-root with intermediate to fetch intermediates from annotation
- fix: fixing breaking changes in rekor v1.12.0 upgrade
</description>
</patchinfo>