File cosign.changes of Package cosign
-------------------------------------------------------------------
Wed Oct 2 15:34:01 UTC 2024 - Marcus Meissner <meissner@suse.com>
- update to 2.4.0 (jsc#SLE-23879)
- Add new bundle support to verify-blob and verify-blob-attestation (#3796)
- Adding protobuf bundle support to sign-blob and attest-blob (#3752)
- Bump sigstore/sigstore to support email_verified as string or boolean (#3819)
- Conformance testing for cosign (#3806)
- move incremental builds per commit to GHCR instead of GCR (#3808)
- Add support for recording creation timestamp for cosign attest (#3797)
- Include SCT verification failure details in error message (#3799)
-------------------------------------------------------------------
Tue Aug 20 19:14:06 UTC 2024 - Sarah Kriesch <sarah.kriesch@opensuse.org>
- Set CGO_ENABLED=1 to fix the failed s390x build
-------------------------------------------------------------------
Wed Jul 24 15:22:12 UTC 2024 - Marcus Meissner <meissner@suse.com>
- update to 2.3.0 (jsc#SLE-23879)
* Features
- Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#3693)
- add registry options to cosign save (#3645)
- Add debug providers command. (#3728)
- Make config layers in ociremote mountable (#3741)
- adds tsa cert chain check for env var or tuf targets. (#3600)
- add --ca-roots and --ca-intermediates flags to 'cosign verify' (#3464)
- add handling of keyless verification for all verify commands (#3761)
* Bug Fixes
- fix: close attestationFile (#3679)
- Set bundleVerified to true after Rekor verification (Resolves #3740) (#3745)
* Documentation
- Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#3776)
-------------------------------------------------------------------
Fri May 31 07:48:36 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- add completion subpackages (bash, fish, zsh)
-------------------------------------------------------------------
Mon Apr 15 12:48:16 UTC 2024 - Marcus Meissner <meissner@suse.com>
- updated to 2.2.4 (jsc#SLE-23879)
* Bug Fixes
* Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
- CVE-2024-29902: Malicious attachments can cause system-wide denial of service (bsc#1222835)
- CVE-2024-29903: Malicious artifacts can cause machine-wide denial of service (bsc#1222837)
* ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
* fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
* Honor creation timestamp for signatures again (#3549)
* Features
* Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)
* Documentation
* add oci bundle spec (#3622)
* Correct help text of triangulate cmd (#3551)
* Correct help text of verify-attestation policy argument (#3527)
* feat: add OVHcloud MPR registry tested with cosign (#3639)
-------------------------------------------------------------------
Fri Feb 2 10:17:12 UTC 2024 - Marcus Meissner <meissner@suse.com>
- updated to 2.2.3 (jsc#SLE-23879)
Bug Fixes:
* Fix race condition on verification with multiple signatures attached to image (#3486)
* fix(clean): Fix clean cmd for private registries (#3446)
* Fixed BYO PKI verification (#3427)
Features:
* Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
* Add support for OpenVEX predicate type (#3405)
Documentation:
* Resolves #3088: `version` sub-command expected behaviour documentation and testing (#3447)
* add examples for cosign attach signature cmd (#3468)
Misc:
* Remove CertSubject function (#3467)
* Use local rekor and fulcio instances in e2e tests (#3478)
- bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)
-------------------------------------------------------------------
Tue Dec 12 10:18:40 UTC 2023 - Marcos Bjoerkelund <marcos.bjoerkelund@suse.com>
- updated to 2.2.2 (jsc#SLE-23879)
v2.2.2 adds a new container with a shell,
gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing
container gcr.io/projectsigstore/cosign:vx.y.z without a shell.
For private deployments, we have also added an alias for
--insecure-skip-log, --private-infrastructure.
Bug Fixes:
* chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411) which fixes a bug with using Azure KMS
* Don't require CT log keys if using a key/sk (#3415)
* Fix copy without any flag set (#3409)
* Update cosign generate cmd to not include newline (#3393)
* Fix idempotency error with signing (#3371)
Features:
* Add --yes flag cosign import-key-pair to skip the overwrite confirmation. (#3383)
* Use the timeout flag value in verify* commands. (#3391)
* add --private-infrastructure flag (#3369)
Container Updates:
* Bump builder image to use go1.21.4 and add new cosign image tags with shell (#3373)
Documentation:
* Update SBOM_SPEC.md (#3358)
-------------------------------------------------------------------
Tue Nov 7 13:49:48 UTC 2023 - Marcus Meissner <meissner@suse.com>
- updated to 2.2.1 (jsc#SLE-23879)
This release comes with a fix for
CVE-2023-46737 / bsc#1216933 described in this [Github Security
Advisory](https://github.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9).
Enhancements:
* feat: Support basic auth and bearer auth login to registry (#3310)
* add support for ignoring certificates with pkcs11 (#3334)
* Support ReplaceOp in Signatures (#3315)
* feat: added ability to get image digest back via triangulate (#3255)
* feat: add `--only` flag in `cosign copy` to copy sign, att & sbom (#3247)
* feat: add support attaching a Rekor bundle to a container (#3246)
* feat: add support outputting rekor response on signing (#3248)
* feat: improve dockerfile verify subcommand (#3264)
* Add guard flag for experimental OCI 1.1 verify. (#3272)
* Deprecate SBOM attachments (#3256)
* feat: dedent line in cosign copy doc (#3244)
* feat: add platform flag to cosign copy command (#3234)
* Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)
* attest: pass OCI remote opts to att resolver. (#3225)
Bug Fixes:
* Merge pull request from GHSA-vfp6-jrw2-99g9
* fix: allow cosign download sbom when image is absent (#3245)
* ci: add an OCI registry test for referrers support (#3253)
* Fix ReplaceSignatures (#3292)
* Stop using deprecated in_toto.ProvenanceStatement (#3243)
* Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237)
* fix: update error in `SignedEntity` to be more descriptive (#3233)
* Fail timestamp verification if no root is provided (#3224)
Documentation:
* Add some docs about verifying in an air-gapped environment (#3321)
* Update CONTRIBUTING.md (#3268)
* docs: improves the Contribution guidelines (#3257)
* Remove security policy (#3230)
Others:
* Set go to min 1.21 and update dependencies (#3327)
* Update contact for code of conduct (#3266)
* Update .ko.yaml (#3240)
-------------------------------------------------------------------
Fri Sep 1 08:45:59 UTC 2023 - Marcus Meissner <meissner@suse.com>
- updated to 2.2.0 (jsc#SLE-23879)
- Enhancements
* switch to uploading DSSE types to rekor instead of intoto (#3113)
* add 'cosign sign' command-line parameters for mTLS (#3052)
* improve error messages around bundle != payload hash (#3146)
* make VerifyImageAttestation function public (#3156)
* Switch to cryptoutils function for SANS (#3185)
* Handle HTTP_1_1_REQUIRED errors in github provider (#3172)
- Bug Fixes
* Fix nondeterministic timestamps (#3121)
- Documentation
* doc: Add example of sign-blob with key in env var (#3152)
* add deprecation notice for cosign-releases GCS bucket (#3148)
* update doc links (#3186)
-------------------------------------------------------------------
Tue Jun 27 09:33:07 UTC 2023 - Marcus Meissner <meissner@suse.com>
- updated to 2.1.1 (jsc#SLE-23879)
- Bug Fixes
- wait for the workers to become available again to continue the execution (#3084)
- fix help text when in a container (#3082)
- updated to 2.1.0 (jsc#SLE-23879)
- Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag.
- Enhancements
- Verify sigs and attestations in parallel (#3066)
- Deep inspect attestations when filtering download (#3031)
- refactor bundle validation code, add support for DSSE rekor type (#3016)
- Allow overriding remote options (#3049)
- feat: adds no cert found on sig exit code (#3038)
- Make predicate a required flag in attest commands (#3033)
- Added support for attaching Time stamp authority Response in attach command (#3001)
- Add sign --sign-container-identity CLI (#2984)
- Feature: Allow cosign to sign digests before they are uploaded. (#2959)
- accepts attachment-tag-prefix for cosign copy (#3014)
- Feature: adds '--allow-insecure-registry' for cosign load (#3000)
- download attestation: support --platform flag (#2980)
- Cleanup: Add Digest to the SignedEntity interface. (#2960)
- verify command: support keyless verification using only a provided certificate chain with non-fulcio roots (#2845)
- verify: use workers to limit the parallelism when verifying images with --max-workers flag (#3069)
- Bug Fixes
- Fix pkg/cosign/errors (#3050)
- Fix: update doc to refer to github-actions oidc provider (#3040)
- Fix: prefer GitHub OIDC provider if enabled (#3044)
- Fix --sig-only in cosign copy (#3074)
- Documentation
- Fix links to sigstore/docs in markdown files (#3064)
-------------------------------------------------------------------
Sun May 7 11:58:02 UTC 2023 - Marcus Meissner <meissner@suse.com>
- update to 2.0.2 (jsc#SLE-23879)
Enhancements
- Update sigstore/sigstore to v1.6.2 to pick up TUF CDN change (#2891)
- feat: Make cosign copy faster (#2901)
- remove sget (#2885)
- Require a payload to be provided with a signature (#2785)
Bug Fixes
- cmd: Change error message from KeyParseError to PubKeyParseError for verify-blob. (#2876)
- Use SOURCE_DATE_EPOCH for OCI CreatedAt times (#2878)
Documentation
- Remove experimental warning from Fulcio flags (#2923)
- add missing oidc provider (#2922)
- Add zot as a supported registry (#2920)
- deprecates kms_support docs (#2900)
- chore(docs) deprecate note for usage docs (#2906)
- adds note of deprecation for examples.md docs (#2899)
-------------------------------------------------------------------
Mon Apr 17 07:56:14 UTC 2023 - Marcus Meissner <meissner@suse.com>
- update to 2.0.1 (jsc#SLE-23879)
Enhancements
- Add environment variable token provider (#2864)
- Remove cosign policy command (#2846)
- Allow customising 'go' executable with GOEXE var (#2841)
- Consistent tlog warnings during verification (#2840)
- Add riscv64 arch (#2821)
- Default generated PEM labels to SIGSTORE (#2735)
- Update privacy statement and confirmation (#2797)
- Add exit codes for verify errors (#2766)
- Add Buildkite provider (#2779)
- verify-blob-attestation: Loosen arg requirements if --check-claims=false (#2746)
Bug Fixes
- PKCS11 sessions are now opened read only (#2853)
- Makefile: date format of log should not show signatures (#2835)
- Add missing flags to cosign verify dockerfile/manifest (#2830)
- Add a warning to remember how to configure a custom Gitlab host (#2816)
- Remove tag warning message from save/copy commands (#2799)
- Mark keyless pem files with b64 (#2671)
-------------------------------------------------------------------
Tue Apr 4 20:02:41 UTC 2023 - Dirk Müller <dmueller@suse.com>
- fix buildtags
- build against a maintained golang version (upstream uses go1.20)
-------------------------------------------------------------------
Mon Feb 27 12:31:33 UTC 2023 - Marcus Meissner <meissner@suse.com>
- update to 2.0.0 (jsc#SLE-23879)
Breaking Changes:
* insecure-skip-tlog-verify: rename and adapt the cert expiration check (#2620)
* Deprecate --certificate-email flag. Make --certificate-identity and -… (#2411)
Enhancements:
* Change go module name to github.com/sigstore/cosign/v2 for Cosign 2.0 (#2544)
* Allow users to pass in a path for the --identity-token flag (#2538)
* Breaking change: Respect tlog-upload=false, default to true (#2505)
* Support outputting a certificate without uploading to the tlog (#2506)
* Attestation/Blob signing and verification using a RFC3161 time-stamping server (#2464)
* respect tlog-upload flag with TSA (#2474)
* Better feedback if specifying incompatible argument on cosign sign --attachment (#2449)
* Support TSA and Rekor verifications (#2463)
* add support for tsa signing and verification of images (#2460)
* cosign policy sign: remove experimental flag and make keyless signing default (#2459)
* Remove experimental mode from cosign attest and verify-attestation (#2458)
* Remove experimental mode from sign-blob and verify-blob (#2457)
* Add --offline flag to force offline verification (#2427)
* Air gap support (#2299)
* Breaking change: Change SCT verification behavior to default to enforcement (#2400)
* Breaking change: remove --force flag from sign and attest and rely on --yes flag to skip confirmation (#2399)
* Breaking change: replace --no-tlog-upload flag with --tlog-upload flag (#2397)
* Remove experimental flag from cosign sign and cosign verify (#2387)
* verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a key from rekor's API (#2362)
* Add warning to use digest instead of tags to other cosign commands (#2650)
* Fix up UI messages (#2629)
* Remove hardcoded Fulcio from output (#2621)
* Fix missing privacy statement, print in multiple locations (#2622)
* feat: allows custom key names for import-key-pair (#2587)
* feat: support keyless verification for verify-blob-attestation (#2525)
* attest-blob: add functionality for keyless signing (#2515)
* Rego: add support for custom error/warning messages when evaluating rego rules (#2577)
* feat: add debug information to cert validation error (#2579)
* Support non-Sigstore TSA requests (#2708)
* Add COSIGN_OCI_EXPERIMENTAL, push .sig/.sbom using OCI 1.1+ digest tag (#2684)
* Output certificate in bundle when entry is not uploaded to Rekor (#2715)
* attach signature and attach sbom must use STDIN to upload raw string (#2637)
* add generate-key-pair GitHub Enterprise server support (#2676)
* add in format string for warning (#2699)
* Support for fetching Fulcio certs with self-managed key (#2532)
* 2476 predicate type download (#2484)
Bug Fixes:
* Fix the file existence check. (#2552)
* Fix timestamp verification, add verify-blob tests (#2527)
* Fix(verify): Consolidate certificate expiry logic (#2504)
* Updates to Timestamp signing and verification (#2499)
* Fix: removes attestation payload from attest-blob's output & no base64 encoding (#2498)
* Fix path for e2e-tests badge (#2490)
* Fix spdx json media type (#2479)
* Fix sct verification (#2426)
* Fix: panic with unsigned local image (#2656)
* Make sure a cert passed in via --cert matches the bundle cert (#2652)
* Fix: fix github oidc post submit test (#2594)
* Fix: add enhanced error messages for failing verification with TUF targets (#2589)
* Fix: Add missing schemes to cosign predicate types. (#2717)
* Fix: Drop the CosignPredicate wrapper around SBOM attestations. (#2718)
* Fix prompts with Windows line endings (#2674)
-------------------------------------------------------------------
Tue Oct 18 12:37:41 UTC 2022 - Marcus Meissner <meissner@suse.com>
- update to 1.13.1:
* verify-blob-attestation: allow multiple subjects in in_toto attestation (#2341)
* Nits for #2337 (#2342)
* Add verify-blob-attestation command and tests (#2337)
* Update warning when users sign images by tag. (#2313)
* Remove experimental flags from attest-blob and refactor (#2338)
* Add --output-attestation flag to attest-blob and remove experimental signing (#2332)
* Add attest-blob command (#2286)
* Add '--cert-identity' flag to support subject alternate names for ver… (#2278)
* Update Dockerfile section of README (#2323)
* Fix option description: "sign" --> "verify" (#2306)
- update to 1.13.0:
* feat: use stdin as an input for predicate by @developer-guy in https://github.com/sigstore/cosign/pull/2269
* feat: improve the verification message by @developer-guy in https://github.com/sigstore/cosign/pull/2268
* use scaffolding 0.4.8 for tests. by @vaikas in https://github.com/sigstore/cosign/pull/2280
* fix pivtool generate key touch policy by @cpanato in https://github.com/sigstore/cosign/pull/2282
* Check error on chain verification failure by @haydentherapper in https://github.com/sigstore/cosign/pull/2284
* Fix: Remove an extra registry request from verification path. by @mattmoor in https://github.com/sigstore/cosign/pull/2285
* Fix: Create a static copy of signatures as part of verification. by @mattmoor in https://github.com/sigstore/cosign/pull/2287
* Data race in FetchSignaturesForReference by @RTann in https://github.com/sigstore/cosign/pull/2283
* Add support for Fulcio username identity in SAN by @haydentherapper in https://github.com/sigstore/cosign/pull/2291
* fix: make tlog entry lookups for online verification shard-aware by @asraa in https://github.com/sigstore/cosign/pull/2297
* Better help text to sign and verify SBOM by @ChristianCiach in https://github.com/sigstore/cosign/pull/2308
* Adding warning to pin to digest by @ChaosInTheCRD in https://github.com/sigstore/cosign/pull/2311
* Add annotations for upload blob. by @cldmnky in https://github.com/sigstore/cosign/pull/2188
* replace deprecate package by @cpanato in https://github.com/sigstore/cosign/pull/2314
* update release images to use go1.19.2 and cosign v1.12.1 by @cpanato in https://github.com/sigstore/cosign/pull/2315
-------------------------------------------------------------------
Tue Sep 27 12:05:43 UTC 2022 - Dirk Müller <dmueller@suse.com>
- update to 1.12.1:
* fix: Pulls Fulcio root and intermediate when --certificate-chain is not
passed into verify-blob command. The v1.12.0 release introduced a
regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would
check a --certificate (without a --certificate-chain provided) against the
operating system root CA bundle. In this release, Cosign checks the
certificate against Fulcio's CA root instead (restoring the earlier
behavior).
* fix: fix cert chain validation for verify-blob in non-experimental mode
* fix: add COSIGN_EXPERIMENTAL=1 for verify-blob
* Fix BYO-root with intermediate to fetch intermediates from annotation
* fix: fixing breaking changes in rekor v1.12.0 upgrade
- use go-modules service to generate the vendor.tar and use zstd
-------------------------------------------------------------------
Thu Sep 15 12:14:37 UTC 2022 - Marcus Meissner <meissner@suse.com>
- updated to 1.12.0 (jsc#SLE-23879)
- CVE-2022-36056: Fixed that verify-blob could successfully verify an artifact when verification should have failed (bsc#1203430)
- Support non-ECDSA key types for verify-blob by @haydentherapper in #2203
- feat: integrate Alibaba Cloud Container Registry cred helper by @mozillazg in #2008
- remove double quotes, looks like it is passing as a single string to cosign and not as an array by @cpanato in #2205
- Clarify error when KMS provider fails to load by @znewman01 in #2220
- feat: set annotations to generate additional bash completion information by @dirien in #2221
- Add deprecation warning for sget CLI and packages by @imjasonh in #2019
- upgrade setup-ko to point to new repo by @imjasonh in #2225
- Temp fix for e2e test by @haydentherapper in #2247
- update kind to use release v0.15.0 and some version comments by @cpanato in #2246
- Fix e2e test failure, add test for local bundle without rekor bundle by @haydentherapper in #2248
- fix: fix secret test, non-experimental bundle should pass by @asraa in #2249
- updated to 1.11.1
- add stale workflow using the workflow template by @cpanato in #2175
- Update Scorecard action to v2:alpha by @azeemshaikh38 in #2177
- add release cadence section in the readme by @cpanato in #2179
- feat: Rework fig autocomplete command by @dirien in #2187
- fix: fix typo that caused attestation verification failure by @asraa in #2199
- updated to 1.11.0
- Verify the certificate chain against the Fulcio root trust by default by @wata727 in #2139
- Add notes to clarify registry use. by @bendory in #2145
- Use TUF from scaffolding for validating cosign. by @vaikas in #2146
- docs: clarify wording in spec about usage of certificate chain by @asraa in #2152
- fix: fix blob verification output with sharded rekor tlogs by @asraa in #2157
- fix: adds envelope hash to in-toto entries in tlog entry creation by @nkreiger in #2118
- fix handling of verify-attestation types for URIs by @otms61 in #2159
- fix oidc post-merge job by @cpanato in #2164
- Remove third_party by @imjasonh in #2166
- use updated device flow logic with PKCE by @bobcallaway in #2163
- fix: rekor get tlog entry with uuid by @asraa in #2058
- update e2e job to run only when push to main by @cpanato in #2169
- fix: add env cmd to root by @developer-guy in #2171
- fix panic when os.Stat returns an error besides ErrNotExists by @dsa0x in #2162
-------------------------------------------------------------------
Fri Aug 5 14:03:51 UTC 2022 - Marcus Meissner <meissner@suse.com>
- updated to 1.10.1 (jsc#SLE-23879)
- CVE-2022-35929: Fixed that cosign verify-attestation --type can
report a false positive if any attestation exists (GHSA-vjxv-45g9-9296,
bsc#1202157)
- What else changed:
- add flag to allow skipping upload to transparency log by @k4leung4 in #2089
- Improve error message when no sigs/atts are found for an image by @imjasonh in #2101
- Change Result in Vulnerability Attestation to interface{} by @knqyf263 in #2096
- Fix field names in the vulnerability attestation by @otms61 in #2099
- remove style jobs and cleanup makefile; gofmt and goimports are running already with golangci-lint by @cpanato in #2105
- Enable Scorecard badge by @azeemshaikh38 in #2109
- Resolves #522 set Created date to time of execution by @Lerentis in #2108
- Introduce a custom error type to classify errors. by @mattmoor in #2114
- feat: attach: attestation: allow passing multiple payloads by @Dentrax in #2085
- update cross-builder to go1.18.5 and cosign image to 1.10.0 by @cpanato in #2119
- chore: fix documentation and warning on using untrusted rekor key by @asraa in #2124
- Correct the type used for attest by @mattmoor in #2128
-------------------------------------------------------------------
Wed Jul 27 13:41:54 UTC 2022 - Marcus Meissner <meissner@suse.com>
- updated to 1.10.0
- replace gcr.io/distroless/ to use ghcr.io/distroless/ by @cpanato in #1961
- Separate RegExp matching of issuer/subject from strict by @vaikas in #1956
- tuf: improve TUF client concurrency and caching by @asraa in #1953
- Add Cloudsmith Container Registry to tested registry list by @ciaracarey in #1966
- feat(fulcioroots): singleton error pattern by @developer-guy in #1965
- Drop tuf client dependency on GCS client library by @imjasonh in #1967
- Add spdxjson predicate type for attestations by @jdolitsky in #1974
- Remove policy-controller now that it lives in sigstore/policy-controller by @vaikas in #1976
- cleanup: unexport kubernetes.Client method by @imjasonh in #1973
- cleanup ci job and remove policy-controller references by @cpanato in #1981
- fix/update post build job by @cpanato in #1983
- docs: updated Azure kms commands. by @JBrejnholt in #1972
- Add cyclonedx predicate type for attestations by @jdolitsky in #1977
- Route deprecated -version to version subcommand by @puerco in #1854
- docs(readme): add installation steps for container image for cosign binary by @developer-guy in #1986
- Add --platform flag to cosign sbom download by @puerco in #1975
- Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore by @imjasonh in #1866
- Add --oidc-provider flag to specify which provider to use for ambient credentials by @priyawadhwa in #1998
- encrypt values to create the github action secret by @cpanato in #1990
- sign-blob: bundle should work independently and respect --output-certificate and --output-signature by @Dentrax in #2016
- Attempt to clean up pkg/cosign by @imjasonh in #2018
- public-key: fix command description by @Dentrax in #2024
- [NFC] specs: fix list formatting on SIGNATURE_SPEC by @woodruffw in #2030
- feat: cert-extensions verify by @developer-guy in #1626
- Fix #1378 create new attestation signature in replace mode if not existent by @Syquel in #2014
- Use cosign.ConfirmPrompt more consistently by @imjasonh in #2039
- chore: add a note about SIGSTORE_REKOR_PUBLIC_KEY var by @hectorj2f in #2040
- Fix OIDC test by @cpanato in #2050
- Add env subcommand. by @wlynch in #2051
- remove tests with 1.21 k8s cluster because it is deprecated and add v1.23/24 by @cpanato in #2055
- update ct/otel and etcd by @cpanato in #2054
- chore(deps): CycloneDX PredicateType changed to use in-toto-golang by @masahiro331 in #2067
- Remove replace directives in go.mod. by @wlynch in #2070
- update design doc link by @bobcallaway in #2077
- Remove hack/tools.go by @imjasonh in #2080
- fix missing quote by @cpanato in #2090
- removed cosigned and webhook
-------------------------------------------------------------------
Sat Jun 18 14:16:31 UTC 2022 - Marcus Meissner <meissner@suse.com>
- updated to 1.9.0
- Check failure message of policy that fails with issuer mismatch by @vaikas in #1815
- [Cosigned] Add signature pull secrets by @DennyHoang in #1805
- feat: add rego policy support by @hectorj2f in #1817
- Refactor fulcio signer to take in KeyOpts (take 2) by @wlynch in #1818
- cosigned: Test unsupported KMS providers by @imjasonh in #1820
- chore(deps): Included dependency review by @naveensrinivasan in #1792
- Add auth flow option to KeyOpts. by @wlynch in #1827
- Document Staging instance usage with Keyless by @k4leung4 in #1824
- New flag --oidc-providers-disable to disable OIDC providers by @puerco in #1832
- Validate tlog entry when verifying signature via public key. by @wlynch in #1833
- Add function to explicitly request a certain provider by @priyawadhwa in #1837
- cosigned: Fix podAntiAffinity labels by @elfotografo007 in #1841
- remove exclude from go.mod by @cpanato in #1846
- [Cosigned] Glob matching improvement by @DennyHoang in #1842
- sget: Enable KMS providers for sget by @imjasonh in #1852
- Fix piv-tool generate-key command in TOKENS doc by @nealmcb in #1850
- Add IBM Cloud Container Registry to tested registry list by @bainsy88 in #1856
- If SBOM ref has .json suffix, assume JSON mediatype by @jdolitsky in #1859
- Add rekor.0.pub TUF target to unit tests by @priyawadhwa in #1860
- Normalize certificate flag names by @haydentherapper in #1868
- Check certificate policy flags with only a certificate by @haydentherapper in #1869
- Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go by @cpanato in #1861
- Point git commit FUN.md to gitsign! by @wlynch in #1874
- [cosigned] remove regex from the image pattern fields by @hectorj2f in #1873
- go.mod: format go.mod by @zchee in #1879
- Remove dependency on deprecated github.com/pkg/errors by @zchee in #1887
- tree: only report artifacts that are present by @ribbybibby in #1872
- update README with ebpf modules by @EItanya in #1888
- Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d by @vpnachev in #1889
- v1beta1 API for cosigned by @vaikas in #1890
- tree: support --attachment-tag-prefix by @ribbybibby in #1900
- [cosigned] Remove undefined apiGroups from policy clusterrole by @vpnachev in #1896
- GHSA-66x3-6cw3-v5gj: Update go-tuf to v0.3.0 by @janisz in #1894
- The timeout arg in golangci-lint has been moved to the generic args p… by @dlorenc in #1901
- [cosigned] Rename cosigned references to policy-controller by @hectorj2f in #1893
- Move deprecated dependency: google/trillian/merkle to transparency-dev by @cpanato in #1910
- Add support for "**" in image glob matching by @imjasonh in #1914
- Add privacy statement for PII storage by @haydentherapper in #1909
- Do not push to public rekor. by @vaikas in #1931
- fix: fix fetching updated targets from TUF root by @asraa in #1921
- fix: fix #1930 for AWS KMS formats by @vaikas in #1946
- update cross-builder image to use go1.17.11 by @cpanato in #1950
- remove deprecation from goreleaser, go-fish is not supported anymore by @cpanato in #1952
- add changelog for v1.9.0 by @cpanato in #1955
- add parallelism for goreleaser by @cpanato in #1957
-------------------------------------------------------------------
Sat May 21 13:07:53 UTC 2022 - Marcus Meissner <meissner@suse.com>
- updated to 1.8.0
- Move the KMS integration imports into the binary entrypoints by @mattmoor in #1744
- [Cosigned] Convert functions for webhookCIP from v1alpha1 by @DennyHoang in #1736
- Refactor policy related code, add support for vuln verify by @vaikas in #1747
- Use bundle log ID to find verification key by @haydentherapper in #1748
- [cosigned] The webhook name is now configurable via --webhook-name flag by @vpnachev in #1726
- Add intermediate CA certificate pool for Fulcio by @haydentherapper in #1749
- test: create fake TUF test root and create test SETs for verification by @asraa in #1750
- Implement identities, fix bug in webhook validation. by @vaikas in #1759
- Validate issuer/subject regexp in validate webhook. by @vaikas in #1761
- chore: add warning when attaching sBOMs by @hectorj2f in #1756
- Verify embedded SCTs by @haydentherapper in #1731
- chore: add warning when downloading a sBOM by @hectorj2f in #1763
- [policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags by @vpnachev in #1757
- Break the CIP action tests into a sh script. by @vaikas in #1767
- tuf: add debug info if tuf update fails by @asraa in #1766
- cosigned: add support for rsa keys by @hectorj2f in #1768
- Cosigned validate against remote sig src by @DennyHoang in #1754
- Add Fulcio intermediate CA certificate to intermediate pool by @haydentherapper in #1774
- fix: more informative error by @ybelMekk in #1778
- Run update-codegen. by @wlynch in #1789
- Remove the dependency on v1alpha1.Identity which brings in unnecessary k8s deps. by @vaikas in #1790
- Refactor fulcio signer to take in KeyOpts. by @wlynch in #1788
- test: add cue unit tests by @hectorj2f in #1791
- Attestations + policy in cip. by @vaikas in #1772
- chore: add rego function to consume modules and evaluate them by @hectorj2f in #1787
- Add parallelization for processing policies / authorities. by @vaikas in #1795
- Allow passing keys via environment variables (env:// refs) by @znewman01 in #1794
- Handle context cancelled properly + tests. by @vaikas in #1796
- Fix a bug where an error would send duplicate results. by @vaikas in #1797
- Revert "Refactor fulcio signer to take in KeyOpts. (#1788)" by @wlynch in #1798
- cosigned: Unify cue data and policy before evaluating it by @hectorj2f in #1793
- Don't fail open in VerifyBundle by @mtrmac in #1648
- Load in intermediate cert pool from TUF by @haydentherapper in #1804
- Support PKCS1 encoded and non-ECDSA CT log public keys by @haydentherapper in #1806
-------------------------------------------------------------------
Tue Apr 26 09:50:07 UTC 2022 - Marcus Meissner <meissner@suse.com>
- updated to 1.7.2
- [Cosigned] Fix publicKey unmarshal by @DennyHoang in #1719
- fix: add permissions to patch events by @hectorj2f in #1722
- Make public all types required to use ValidatePolicy by @jdolitsky in #1727
- Add unit tests for IntotoAttestation verifier. by @vaikas in #1728
- Remove newline from download sbom output by @ribbybibby in #1732
- Fix packages name and binary in the packages by @cpanato in #1734
- Fix fulcioroots test and linter error by @haydentherapper in #1741
- Support non-ECDSA public keys in certificates by @haydentherapper in #1740
- bug: remove old fulcio root and fix fallback target code by @asraa in #1738
- updated to 1.7.1
- pkcs11: fix build instructions by @rgerganov in #1550
- add definition for artifact hub to verify the ownership by @cpanato in #1563
- Add example using AWS Key Management Service (KMS) by @davivcgarcia in #1564
- Start of the necessary pieces to get #1418 and #1419 implemented by @vaikas in #1562
- Support deletion of ClusterImagePolicy by @vaikas in #1580
- 1417 policy validations by @kkavitha in #1548
- Don't lowercase input image refs, just fail by @imjasonh in #1586
- Fix #1583 #1582. Disallow regex now until implemented. by @vaikas in #1584
- Fix piping 'cosign verify' using fulcio/rekor by @marcofranssen in #1590
- Fix #1592 move authorities as siblings of images. by @vaikas in #1593
- Add ability to inline secrets from SecretRef to configmap. by @vaikas in #1595
- Fix copy/paste mistake in repo name. by @k4leung4 in #1600
- Use reusable release workflow in sigstore/sigstore by @k4leung4 in #1599
- Add public key validation by @kkavitha in #1598
- Validate a public key in a secret is valid. by @vaikas in #1602
- Ensure entry is removed from CM on secret error. by @vaikas in #1605
- Add two env variables. One for using Rekor public key from OOB and one for fetching it from Rekor server by @vaikas in #1610
- Init entity from ociremote when signing a digest ref by @puerco in #1616
- rename ca-key to ca-cert. Fix 1608, 1613 by @vaikas in #1617
- improve cosigned validation error messages by @cpanato in #1618
- Use latest knative/pkg's configmap informer by @tcnghia in #1615
- Included OpenSSF Best Practices Badge by @naveensrinivasan in #1628
- FUN.md broke when RecordObj changed to HashedRecordObj by @MitchellJThomas in #1633
- update crane to v0.8.0 release by @cpanato in #1635
- push latest tag when building a release by @cpanato in #1636
- Add extra label and change the latest tag to unstable for non tagged releases by @cpanato in #1637
- Document Elastic container registry support by @mgreau in #1641
- Validate authority keys by @coyote240 in #1623
- feat: tree command utility by @developer-guy in #1603
- fix build date format for version command by @cpanato in #1644
- Add support for intermediate certificates when verifying by @haydentherapper in #1631
- Prompt user before running cosign clean by @priyawadhwa in #1649
- Use ClusterImagePolicy with Keyless + e2e tests for CIP with kind by @vaikas in #1650
- KEYLESS.md: Shorten example OAuth URL by @tstromberg in #1661
- Use syscall.Stdin for input handle. Fixes #1153 by @mdp in #1657
- Add support for certificate chain to verify certificate by @haydentherapper in #1659
- First batch of followups to #1650 by @vaikas in #1664
- Add certificate chain flag for signing by @haydentherapper in #1656
- [attach]: Add specific suffixes mediaTypes to sboms by @hectorj2f in #1663
- update font when output the cosign version by @cpanato in #1668
- feat: add ability to override registry keychain by @noamichael in #1666
- remove replace directive by @cpanato in #1669
- Refactor based on discussions in #1650 by @vaikas in #1674
- Find all valid entries in verify-blob by @priyawadhwa in #1673
- Fix relative paths in GitHub OIDC blob test by @priyawadhwa in #1677
- Add support for cert and cert chain flags with PKCS11 tokens by @haydentherapper in #1671
- Use cosign @ HEAD for Github OIDC sign blob test by @priyawadhwa in #1678
- Make cosign copy copy metadata attached to child images. by @mattmoor in #1682
- change file_name_template to PackageName by @strongjz in #1683
- Update error message for verify/verify attestation by @haydentherapper in #1686
- cosign clean: Don't log failure if the registry responds with 404 by @imjasonh in #1687
- verify: add leaf hash verification for tlog entries by @asraa in #1688
- Fix handling of policy in verify-attestation by @lcarva in #1672
- Add e2e test for attest / verify-attestation by @vaikas in #1685
- verify: remove extra calls to rekor for verify and verify-blob by @asraa in #1694
- Remove the hardcoded sigstore audience by @mattmoor in #1698
- Use ValidatePubKey from sigstore/sigstore by @haydentherapper in #1676
- Use the github actions from sigstore/scaffolding. by @vaikas in #1699
- sign: set the oidc redirect uri by @hectorj2f in #1675
- add back the go mod proxy by @cpanato in #1701
- enable 1.23 tests (Test cosigned with ClusterImagePolicy) by @cpanato in #1702
- Fix incorrect unmarshalling of SCT response by @haydentherapper in #1704
- Make CLI flag for OIDC client secret take a path by @znewman01 in #1705
- cosigned: read the public key from the kms authority by @hectorj2f in #1706
- fix latest tag when running a release job by @cpanato in #1707
- [Cosigned] Parse and store publicKey data earlier by @DennyHoang in #1681
- Don't overwrite token set in keyOpts by @puerco in #1709
- refactor release job by @cpanato in #1710
-------------------------------------------------------------------
Fri Apr 1 14:46:30 UTC 2022 - Marcus Meissner <meissner@suse.com>
- updated to 1.6.0
- Fix double time import in e2e tests by @saschagrunert in #1388
- Add --timeout support to sign command by @saschagrunert in #1379
- Fix comparison in replace option for attestation by @bburky in #1366
- Add Cosign logo to README by @nsmith5 in #1395
- Minor refactor to verify SCT and Rekor entry with multiple keys by @haydentherapper in #1396
- Fix a link of SECURITY.md by @knqyf263 in #1399
- update cosign and cross-build image for the release job by @cpanato in #1400
- feat: login command by @developer-guy in #1398
- TUF: Add root status output by @asraa in #1404
- Add a newline after password input by @knqyf263 in #1407
- make imageRef lowercase before parsing by @bobcallaway in #1409
- Improve error message when image is not found in registry by @imjasonh in #1410
- Add ability to override the Spiffe socket via environmental variable: by @vaikas in #1421
- Fix incorrect error check when verifying SCT by @haydentherapper in #1422
- Skip the ReadWrite test that flakes on Windows. by @dlorenc in #1415
- Allow PassFunc to be nil by @saschagrunert in #1426
- Update the cosign keyless documentation to point to the GA release. by @dlorenc in #1427
- Remove TUF timestamp from OCI signature bundle by @haydentherapper in #1428
- Add docs on API stability and deprecation table by @priyawadhwa in #1429
- update cross-build image which adds goimports by @cpanato in #1435
- feat: enhance clean cmd capability by @developer-guy in #1430
- use the upstream kubernetes version lib and ldflags by @n3wscott in #1413
- Improve log lines to match with implementation by @marcofranssen in #1432
- feat: fig autocomplete feature by @developer-guy in #1360
- update cross-build to use go 1.17.7 by @cpanato in #1446
- Fetch verification targets by TUF custom metadata by @haydentherapper in #1423
- feat: add -buildid= to ldflags by @developer-guy in #1451
- Streamline SignBlobCmd API with SignCmd by @saschagrunert in #1454
- convert release cosigned to also generate yaml artifact. by @k4leung4 in #1453
- Fix tkn link in readme by @Yongxuanzhang in #1459
- Print message when verifying with old TUF targets by @haydentherapper in #1468
- fix(sign): refactor unsupported provider log by @Dentrax in #1464
- tests: /bin/bash -> /usr/bin/env bash by @znewman01 in #1470
- Double goreleaser timeout by @znewman01 in #1472
- increase timeout for goreleaser snapshot by @cpanato in #1473
- fix(sign): kms unsupported message by @Dentrax in #1475
- refactor release cloudbuild job by @cpanato in #1476
- Fix wording on attach attestation help by @luhring in #1480
- update go-tuf and simplify TUF client code by @asraa in #1455
- add initial changelog for 1.5.2 by @cpanato in #1483
- Fix linter error on main by @priyawadhwa in #1484
- Update Changelog for Security Advisory by @cpanato in #1485
- chore(makefile): use kocache, convert publish to build by @developer-guy in #1488
- Pick up a change to quiet ECR-login logging. by @mattmoor in #1491
- feat: support other types in copy cmd by @developer-guy in #1493
- Pick up some of the shared workflows by @mattmoor in #1490
- feat: nominate Dentrax as codeowner by @developer-guy in #1492
- add correct layer media type to cosign attach attestation by @spiffcs in #1503
- This sets up the scaffolding for the cosigned CRD types. by @mattmoor in #1504
- use v6 api calls in GH action for updating release milestones by @bobcallaway in #1511
- Add skeleton reconciler for cosigned API CRD. by @mattmoor in #1513
- bug fix: import ed25519 keys and fix error handling by @asraa in #1518
- optimize codeql speed by using caching and tracing by @bobcallaway in #1519
- Add a dummy.go file to allow vendoring config by @jdolitsky in #1520
- Add CertExtensions func to extract all extensions by @ckotzbauer in #1515
- chore(ci): add artifact hub support by @Dentrax in #1522
- Change Fulcio URL default to be fulcio.sigstore.dev by @haydentherapper in #1529
- Add codecov as github action, set permissions to read content only by @k4leung4 in #1530
- images: remove --bare flags that conflict with --base-import-paths by @cpanato in #1533
- Quay OCI Support in README by @sabre1041 in #1539
- add rpm,deb and apks for cosign packages by @strongjz in #1537
- Consistent parenthesis use in Makefile by @k4leung4 in #1541
- add changelog for 1.6.0 by @cpanato in #1535
- update golang cross image by @cpanato in #1543
- Add fields in policy CRD by @kkavitha in #1540
- Disable for now due some issues when downloading the knative module by @cpanato in #1546
-------------------------------------------------------------------
Mon Feb 21 12:28:25 UTC 2022 - Marcus Meissner <meissner@suse.com>
- updated to 1.5.2:
- This release contains fixes for CVE-2022-23649, affecting signature
validations with Rekor. Only validation is affected, it is not necessary
to re-sign any artifacts. (bsc#1196239)
- updated to 1.5.1:
- Bump sigstore/sigstore to pick up oidc login for vault. (#1377)
- Bump google.golang.org/api from 0.65.0 to 0.66.0 (#1371)
- expose defaults fulcio, rekor, oidc issuer urls (#1368)
- add check to make sure the go modules are in sync (#1369)
- README: fix link to race conditions (#1367)
- Bump cloud.google.com/go/storage from 1.18.2 to 1.19.0 (#1365)
- docs: verify-attestation cue and rego policy doc (#1362)
- Update verify-blob to support DSSEs (#1355)
- organize, update select deps (#1358)
- Bump go-containerregistry to pick up ACR keychain fix (#1357)
- Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (#1352)
- sync go modules (#1353)
-------------------------------------------------------------------
Tue Jan 25 12:39:54 UTC 2022 - Marcus Meissner <meissner@suse.com>
- updated to 1.5.0
## Highlights
* enable sbom generation when releasing (https://github.com/sigstore/cosign/pull/1261)
* feat: log error to stderr (https://github.com/sigstore/cosign/pull/1260)
* feat: support attach attestation (https://github.com/sigstore/cosign/pull/1253)
* feat: resolve --cert from URL (https://github.com/sigstore/cosign/pull/1245)
* feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1237)
* feat: vuln attest support (https://github.com/sigstore/cosign/pull/1168)
* feat: add ambient credential detection with spiffe/spire (https://github.com/sigstore/cosign/pull/1220)
* feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1236)
* feat: implement cosign download attestation (https://github.com/sigstore/cosign/pull/1216)
## Enhancements
* Don't use k8schain, statically link cloud cred helpers in cosign (https://github.com/sigstore/cosign/pull/1279)
* Export function to verify individual signature (https://github.com/sigstore/cosign/pull/1334)
* Add suffix with digest to signature file output for recursive signing (https://github.com/sigstore/cosign/pull/1267)
* Take OIDC client secret into account (https://github.com/sigstore/cosign/pull/1310)
* Add --bundle flag to sign-blob and verify-blob (https://github.com/sigstore/cosign/pull/1306)
* Add flag to verify OIDC issuer in certificate (https://github.com/sigstore/cosign/pull/1308)
* add OSSF scorecard action (https://github.com/sigstore/cosign/pull/1318)
* Add TUF timestamp to attestation bundle (https://github.com/sigstore/cosign/pull/1316)
* Provide certificate flags to all verify commands (https://github.com/sigstore/cosign/pull/1305)
* Bundle TUF timestamp with signature on signing (https://github.com/sigstore/cosign/pull/1294)
* Add support for importing PKCS#8 private keys, and add validation (https://github.com/sigstore/cosign/pull/1300)
* add error message (https://github.com/sigstore/cosign/pull/1296)
* Move bundle out of `oci` and into `bundle` package (https://github.com/sigstore/cosign/pull/1295)
* Reorganize verify-blob code and add a unit test (https://github.com/sigstore/cosign/pull/1286)
* One-to-one mapping of invocation to scan result (https://github.com/sigstore/cosign/pull/1268)
* refactor common utilities (https://github.com/sigstore/cosign/pull/1266)
* Importing RSA and EC keypairs (https://github.com/sigstore/cosign/pull/1050)
* Refactor the tuf client code. (https://github.com/sigstore/cosign/pull/1252)
* Moved certificate output before checking for upload during signing (https://github.com/sigstore/cosign/pull/1255)
* Remove remaining ioutil usage (https://github.com/sigstore/cosign/pull/1256)
* Update the embedded TUF metadata. (https://github.com/sigstore/cosign/pull/1251)
* Add support for other public key types for SCT verification, allow override for testing. (https://github.com/sigstore/cosign/pull/1241)
* Log the proper remote repo for the signatures on verify (https://github.com/sigstore/cosign/pull/1243)
* Do not require multiple Fulcio certs in the TUF root (https://github.com/sigstore/cosign/pull/1230)
* clean up references to 'keyless' in `ephemeral.Signer` (https://github.com/sigstore/cosign/pull/1225)
* create `DSSEAttestor` interface, `payload.DSSEAttestor` implementation (https://github.com/sigstore/cosign/pull/1221)
* use `mutate.Signature` in the new `Signer`s (https://github.com/sigstore/cosign/pull/1213)
* create `mutate` functions for `oci.Signature` (https://github.com/sigstore/cosign/pull/1199)
* add a writeable `$HOME` for the `nonroot` cosigned user (https://github.com/sigstore/cosign/pull/1209)
* signing attestation should private key (https://github.com/sigstore/cosign/pull/1200)
* Remove the "upload" flag for "cosign initialize" (https://github.com/sigstore/cosign/pull/1201)
* create KeylessSigner (https://github.com/sigstore/cosign/pull/1189)
## Bug Fixes
* fix: cosign verify for vault (https://github.com/sigstore/cosign/pull/1328)
* fix missing goimports (https://github.com/sigstore/cosign/pull/1327)
* Fix TestSignBlobBundle (https://github.com/sigstore/cosign/pull/1320)
* Fix a couple bugs in cert verification for blobs (https://github.com/sigstore/cosign/pull/1287)
* Fix a few bugs in cosign initialize (https://github.com/sigstore/cosign/pull/1280)
* Fix the unit tests with expired TUF metadata. (https://github.com/sigstore/cosign/pull/1270)
* Fix output-file flag. (https://github.com/sigstore/cosign/pull/1264)
* fix: typo in the error message (https://github.com/sigstore/cosign/pull/1250)
* Fix semantic bugs in attestation verification. (https://github.com/sigstore/cosign/pull/1249)
* Fix semantic bug in DSSE specification. (https://github.com/sigstore/cosign/pull/1248)
- vendor.tar.bz2: go mod vendor
-------------------------------------------------------------------
Tue Jan 25 09:05:54 UTC 2022 - Bernhard Wiedemann <bwiedemann@suse.com>
- Fix BUILD_DATE for reproducible build results (boo#1047218)
-------------------------------------------------------------------
Thu Jan 6 14:49:19 UTC 2022 - Marcus Meissner <meissner@suse.com>
- cosign 1.4.1 release, initial import
- provides signing / verification support for sigstore