- update to 2.4.0 (jsc#SLE-23879)
  - Add new bundle support to verify-blob and verify-blob-attestation (#3796)
  - Adding protobuf bundle support to sign-blob and attest-blob (#3752)
  - Bump sigstore/sigstore to support email_verified as string or boolean (#3819)
  - Conformance testing for cosign (#3806)
  - move incremental builds per commit to GHCR instead of GCR (#3808)
  - Add support for recording creation timestamp for cosign attest (#3797)
  - Include SCT verification failure details in error message (#3799) (forwarded request 1205245 from msmeissn)

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- update to 2.3.0 (jsc#SLE-23879)
  * Features
    - Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#3693)
    - add registry options to cosign save (#3645)
    - Add debug providers command. (#3728)
    - Make config layers in ociremote mountable (#3741)
    - adds tsa cert chain check for env var or tuf targets. (#3600)
    - add --ca-roots and --ca-intermediates flags to 'cosign verify' (#3464)
    - add handling of keyless verification for all verify commands (#3761)
  * Bug Fixes
    - fix: close attestationFile (#3679)
    - Set bundleVerified to true after Rekor verification (Resolves #3740) (#3745)
  * Documentation
    - Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#3776) (forwarded request 1189438 from msmeissn)

• Files Changed
• Browse Source

add completion subpackages (bash, fish, zsh) (forwarded request 1177857 from ojkastl_buildservice)

• Files Changed
• Browse Source

- updated to 2.2.4 (jsc#SLE-23879)
  * Bug Fixes
    * Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
      - CVE-2024-29902: Malicious attachments can cause system-wide denial of service (bsc#1222835)
      - CVE-2024-29903: Malicious artifects can cause machine-wide denial of service (bsc#1222837)
    * ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
    * fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
    * Honor creation timestamp for signatures again (#3549)
  * Features
    * Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)
  * Documentation
    * add oci bundle spec (#3622)
    * Correct help text of triangulate cmd (#3551)
    * Correct help text of verify-attestation policy argument (#3527)
    * feat: add OVHcloud MPR registry tested with cosign (#3639) (forwarded request 1167810 from msmeissn)

• Files Changed
• Browse Source

- updated to 2.2.3 (jsc#SLE-23879)
  Bug Fixes:
    * Fix race condition on verification with multiple signatures attached to image (#3486)
    * fix(clean): Fix clean cmd for private registries (#3446)
    * Fixed BYO PKI verification (#3427)
  Features:
    * Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
    * Add support for OpenVEX predicate type (#3405)
  Documentation:
    * Resolves #3088: `version` sub-command expected behaviour documentation and testing (#3447)
    * add examples for cosign attach signature cmd (#3468)
  Misc:
    * Remove CertSubject function (#3467)
    * Use local rekor and fulcio instances in e2e tests (#3478)
- bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207) (forwarded request 1143629 from msmeissn)

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- updated to 2.2.1 (jsc#SLE-23879)
  This release comes with a fix for
  CVE-2023-46737 / bsc#1216933 described in this [Github Security
  Advisory](https://github.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9).
  Enhancements:
  * feat: Support basic auth and bearer auth login to registry (#3310)
  * add support for ignoring certificates with pkcs11 (#3334)
  * Support ReplaceOp in Signatures (#3315)
  * feat: added ability to get image digest back via triangulate (#3255)
  * feat: add `--only` flag in `cosign copy` to copy sign, att & sbom (#3247)
  * feat: add support attaching a Rekor bundle to a container (#3246)
  * feat: add support outputting rekor response on signing (#3248)
  * feat: improve dockerfile verify subcommand (#3264)
  * Add guard flag for experimental OCI 1.1 verify. (#3272)
  * Deprecate SBOM attachments (#3256)
  * feat: dedent line in cosign copy doc (#3244)
  * feat: add platform flag to cosign copy command (#3234)
  * Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)
  * attest: pass OCI remote opts to att resolver. (#3225)
  Bug Fixes:
  * Merge pull request from GHSA-vfp6-jrw2-99g9
  * fix: allow cosign download sbom when image is absent (#3245)
  * ci: add a OCI registry test for referrers support (#3253)
  * Fix ReplaceSignatures (#3292)
  * Stop using deprecated in_toto.ProvenanceStatement (#3243)
  * Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237)
  * fix: update error in `SignedEntity` to be more descriptive (#3233)
  * Fail timestamp verification if no root is provided (#3224)
  Documentation:
  * Add some docs about verifying in an air-gapped environment (#3321) (forwarded request 1123989 from msmeissn)

• Files Changed
• Browse Source

- updated to 2.2.0 (jsc#SLE-23879)
  - Enhancements
    * switch to uploading DSSE types to rekor instead of intoto (#3113)
    * add 'cosign sign' command-line parameters for mTLS (#3052)
    * improve error messages around bundle != payload hash (#3146)
    * make VerifyImageAttestation function public (#3156)
    * Switch to cryptoutils function for SANS (#3185)
    * Handle HTTP_1_1_REQUIRED errors in github provider (#3172)
  - Bug Fixes
    * Fix nondeterminsitic timestamps (#3121)
  - Documentation
    * doc: Add example of sign-blob with key in env var (#3152)
    * add deprecation notice for cosign-releases GCS bucket (#3148)
    * update doc links (#3186)

- updated to 2.1.1 (jsc#SLE-23879)
  - Bug Fixes
    - wait for the workers become available again to continue the execution (#3084)
    - fix help text when in a container (#3082)
- updated to 2.1.0 (jsc#SLE-23879)
  - Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag.
  - Enhancements
    - Verify sigs and attestations in parallel (#3066)
    - Deep inspect attestations when filtering download (#3031)
    - refactor bundle validation code, add support for DSSE rekor type (#3016)
    - Allow overriding remote options (#3049)
    - feat: adds no cert found on sig exit code (#3038)
    - Make predicate a required flag in attest commands (#3033)
    - Added support for attaching Time stamp authority Response in attach command (#3001)
    - Add sign --sign-container-identity CLI (#2984) (forwarded request 1108431 from msmeissn)

• Files Changed
• Browse Source

- update to 2.0.1 (jsc#SLE-23879)
  Enhancements
  - Add environment variable token provider (#2864)
  - Remove cosign policy command (#2846)
  - Allow customising 'go' executable with GOEXE var (#2841)
  - Consistent tlog warnings during verification (#2840)
  - Add riscv64 arch (#2821)
  - Default generated PEM labels to SIGSTORE (#2735)
  - Update privacy statement and confirmation (#2797)
  - Add exit codes for verify errors (#2766)
  - Add Buildkite provider (#2779)
  - verify-blob-attestation: Loosen arg requirements if --check-claims=false (#2746)
  Bug Fixes
  - PKCS11 sessions are now opened read only (#2853)
  - Makefile: date format of log should not show signatures (#2835)
  - Add missing flags to cosign verify dockerfile/manifest (#2830)
  - Add a warning to remember how to configure a custom Gitlab host (#2816)
  - Remove tag warning message from save/copy commands (#2799)
  - Mark keyless pem files with b64 (#2671) (forwarded request 1079858 from msmeissn)

• Files Changed
• Browse Source

- fix buildtags
- build against a maintained golang version (upstream uses go1.20) (forwarded request 1077363 from dirkmueller)

• Files Changed
• Browse Source

- update to 2.0.0 (jsc#SLE-23879)
  Breaking Changes:
  * insecure-skip-tlog-verify: rename and adapt the cert expiration check (#2620)
  * Deprecate --certificate-email flag. Make --certificate-identity and -… (#2411)
  Enhancements:
  * Change go module name to github.com/sigstore/cosign/v2 for Cosign 2.0 (#2544)
  * Allow users to pass in a path for the --identity-token flag (#2538)
  * Breaking change: Respect tlog-upload=false, default to true (#2505)
  * Support outputing a certificate without uploading to the tlog (#2506)
  * Attestation/Blob signing and verification using a RFC3161 time-stamping server (#2464)
  * respect tlog-upload flag with TSA (#2474)
  * Better feedback if specifying incompatible argument on cosign sign --attachment (#2449)
  * Support TSA and Rekor verifications (#2463)
  * add support for tsa signing and verification of images (#2460)
  * cosign policy sign: remove experimental flag and make keyless signing default (#2459)
  * Remove experimental mode from cosign attest and verify-attestation (#2458)
  * Remove experimental mode from sign-blob and verify-blob (#2457)
  * Add --offline flag to force offline verification (#2427)
  * Air gap support (#2299)
  * Breaking change: Change SCT verification behavior to default to enforcement (#2400)
  * Breaking change: remove --force flag from sign and attest and rely on --yes flag to skip confirmation (#2399)
  * Breaking change: replace --no-tlog-upload flag with --tlog-upload flag (#2397)
  * Remove experimental flag from cosign sign and cosign verify (#2387)
  * verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a key from rekor's API (#2362)
  * Add warning to use digest instead of tags to other cosign commands (#2650)
  * Fix up UI messages (#2629)
  * Remove hardcoded Fulcio from output (#2621)
  * Fix missing privacy statement, print in multiple locations (#2622)
  * feat: allows custom key names for import-key-pair (#2587)
  * feat: support keyless verification for verify-blob-attestation (#2525) (forwarded request 1067997 from msmeissn)

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- update to 1.12.1:
  * fix: Pulls Fulcio root and intermediate when --certificate-chain is not
    passed into verify-blob command. The v1.12.0 release introduced a
    regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would
    check a --certificate (without a --certificate-chain provided) against the
    operating system root CA bundle. In this release, Cosign checks the
    certificate against Fulcio's CA root instead (restoring the earlier
    behavior).
  * fix: fix cert chain validation for verify-blob in non-experimental mode
  * fix: add COSIGN_EXPERIMENTAL=1 for verify-bloba
  * Fix BYO-root with intermediate to fetch intermediates from annotation
  * fix: fixing breaking changes in rekor v1.12.0 upgrade
- use go-modules service to generate the vendor.tar and use zstd (forwarded request 1006385 from dirkmueller)

• Files Changed
• Browse Source

- updated to 1.12.0 (jsc#SLE-23879)
  - CVE-2022-36056: Fixed verify-blob could successfully verify an artifact when verification should have failed (bsc#1203430)
  - Support non-ECDSA key types for verify-blob by @haydentherapper in #2203
  - feat: integrate Alibaba Cloud Container Registry cred helper by @mozillazg in #2008
  - remove double quotes, looks like it is passing as a single string to cosign and not as an array by @cpanato in #2205
  - Clarify error when KMS provider fails to load by @znewman01 in #2220
  - feat: set annotations to generate additional bash completion information by @dirien in #2221
  - Add deprecation warning for sget CLI and packages by @imjasonh in #2019
  - upgrade setup-ko to point to new repo by @imjasonh in #2225
  - Temp fix for e2e test by @haydentherapper in #2247
  - update kind to use release v0.15.0 and some version comments by @cpanato in #2246
  - Fix e2e test failure, add test for local bundle without rekor bundle by @haydentherapper in #2248
  - fix: fix secret test, non-experimental bundle should pass by @asraa in #2249
- updated to 1.11.1
  - add stale workflow using the workflow template by @cpanato in #2175
  - Update Scorecard action to v2:alpha by @azeemshaikh38 in #2177
  - add release cadence section in the readme by @cpanato in #2179
  - feat: Rework fig autocomplete command by @dirien in #2187
  - fix: fix typo that caused attestation verification failure by @asraa in #2199
- updated to 1.11.0
  - Verify the certificate chain against the Fulcio root trust by default by @wata727 in #2139
  - Add notes to clarify registry use. by @bendory in #2145
  - Use TUF from scaffolding for validating cosign. by @vaikas in #2146
  - docs: clarify wording in spec about usage of certificate chain by @asraa in #2152
  - fix: fix blob verification output with sharded rekor tlogs by @asraa in #2157
  - fix: adds envelope hash to in-toto entries in tlog entry creation by @nkreiger in #2118
  - fix handling of verify-attestation types for URIs by @otms61 in #2159
  - fix oidc post-merge job by @cpanato in #2164
  - Remove third_party by @imjasonh in #2166
  - use updated device flow logic with PKCE by @bobcallaway in #2163 (forwarded request 1003867 from msmeissn)

• Files Changed
• Browse Source

- updated to 1.10.1 (jsc#SLE-23879)
  - CVE-2022-35929: Fixed that cosign verify-attestaton --type can
    report a false positive if any attestation exists (GHSA-vjxv-45g9-9296
    (bsc#1202157)
- What else changed:
  - add flag to allow skipping upload to transparency log by @k4leung4 in #2089
  - Improve error message when no sigs/atts are found for an image by @imjasonh in #2101
  - Change Result in Vulnerability Attestation to interface{} by @knqyf263 in #2096
  - Fix field names in the vulnerability attestation by @otms61 in #2099
  - remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint by @cpanato in #2105
  - sparkles Enable Scorecard badge by @azeemshaikh38 in #2109
  - Resolves #522 set Created date to time of execution by @Lerentis in #2108
  - Introduce a custom error type to classify errors. by @mattmoor in #2114
  - feat: attach: attestation: allow passing multiple payloads by @Dentrax in #2085
  - update cross-builder to go1.18.5 and cosign image to 1.10.0 by @cpanato in #2119
  - chore: fix documentation and warning on using untrusted rekor key by @asraa in #2124
  - Correct the type used for attest by @mattmoor in #2128 (forwarded request 993341 from msmeissn)

• Files Changed
• Browse Source

- updated to 1.10.0
  - replace gcr.io/distroless/ to use ghcr.io/distroless/ by @cpanato in #1961
  - Separate RegExp matching of issuer/subject from strict by @vaikas in #1956
  - tuf: improve TUF client concurrency and caching by @asraa in #1953
  - Add Cloudsmith Container Registry to tested registry list by @ciaracarey in #1966
  - feat(fulcioroots): singleton error pattern by @developer-guy in #1965
  - Drop tuf client dependency on GCS client library by @imjasonh in #1967
  - Add spdxjson predicate type for attestations by @jdolitsky in #1974
  - Remove policy-controller now that it lives in sigstore/policy-controller by @vaikas in #1976
  - cleanup: unexport kubernetes.Client method by @imjasonh in #1973
  - cleanup ci job and remove policy-controller references by @cpanato in #1981
  - fix/update post build job by @cpanato in #1983
  - docs: updated Azure kms commands. by @JBrejnholt in #1972
  - Add cyclonedx predicate type for attestations by @jdolitsky in #1977
  - Route deprecated -version to version subcommand by @puerco in #1854
  - docs(readme): add installation steps for container image for cosign binary by @developer-guy in #1986
  - Add --platform flag to cosign sbom download by @puerco in #1975
  - Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore by @imjasonh in #1866
  - Add --oidc-provider flag to specify which provider to use for ambient credentials by @priyawadhwa in #1998
  - encrypt values to create the github action secret by @cpanato in #1990
  - sign-blob: bundle should work independently and respect --output-certificate and --output-signature by @Dentrax in #2016
  - Attempt to clean up pkg/cosign by @imjasonh in #2018
  - public-key: fix command description by @Dentrax in #2024
  - [NFC] specs: fix list formatting on SIGNATURE_SPEC by @woodruffw in #2030
  - feat: cert-extensions verify by @developer-guy in #1626
  - Fix #1378 create new attestation signature in replace mode if not existent by @Syquel in #2014
  - Use cosign.ConfirmPrompt more consistently by @imjasonh in #2039
  - chore: add a note about SIGSTORE_REKOR_PUBLIC_KEY var by @hectorj2f in #2040
  - Fix OIDC test by @cpanato in #2050
  - Add env subcommand. by @wlynch in #2051 (forwarded request 991559 from msmeissn)

• Files Changed
• Browse Source

- updated to 1.9.0
  - Check failure message of policy that fails with issuer mismatch by @vaikas in #1815
  - [Cosigned] Add signature pull secrets by @DennyHoang in #1805
  - feat: add rego policy support by @hectorj2f in #1817
  - Refactor fulcio signer to take in KeyOpts (take 2) by @wlynch in #1818
  - cosigned: Test unsupported KMS providers by @imjasonh in #1820
  - chore(deps): Included dependency review by @naveensrinivasan in #1792
  - Add auth flow option to KeyOpts. by @wlynch in #1827
  - Document Staging instance usage with Keyless by @k4leung4 in #1824
  - New flag --oidc-providers-disable to disable OIDC providers by @puerco in #1832
  - Validate tlog entry when verifying signature via public key. by @wlynch in #1833
  - Add function to explicitly request a certain provider by @priyawadhwa in #1837
  - cosigned: Fix podAntiAffinity labels by @elfotografo007 in #1841
  - remove exclude from go.mod by @cpanato in #1846
  - [Cosigned] Glob matching improvement by @DennyHoang in #1842
  - sget: Enable KMS providers for sget by @imjasonh in #1852
  - Fix piv-tool generate-key command in TOKENS doc by @nealmcb in #1850
  - Add IBM Cloud Container Registry to tested registry list by @bainsy88 in #1856
  - If SBOM ref has .json suffix, assume JSON mediatype by @jdolitsky in #1859
  - Add rekor.0.pub TUF target to unit tests by @priyawadhwa in #1860
  - Normalize certificate flag names by @haydentherapper in #1868
  - Check certificate policy flags with only a certificate by @haydentherapper in #1869
  - Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go by @cpanato in #1861
  - Point git commmit FUN.md to gitsign! by @wlynch in #1874
  - [cosigned] remove regex from the image pattern fields by @hectorj2f in #1873
  - go.mod: format go.mod by @zchee in #1879
  - Remove dependency on deprecated github.com/pkg/errors by @zchee in #1887
  - tree: only report artifacts that are present by @ribbybibby in #1872
  - update README with ebpf modules by @EItanya in #1888
  - Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d by @vpnachev in #1889 (forwarded request 983635 from msmeissn)

• Files Changed
• Browse Source

- updated to 1.8.0
 - Move the KMS integration imports into the binary entrypoints by @mattmoor in #1744
 - [Cosigned] Convert functions for webhookCIP from v1alpha1 by @DennyHoang in #1736
 - Refactor policy related code, add support for vuln verify by @vaikas in #1747
 - Use bundle log ID to find verification key by @haydentherapper in #1748
 - [cosigned] The webhook name is now configurable via --webhook-name flag by @vpnachev in #1726
 - Add intermediate CA certificate pool for Fulcio by @haydentherapper in #1749
 - test: create fake TUF test root and create test SETs for verification by @asraa in #1750
 - Implement identities, fix bug in webhook validation. by @vaikas in #1759
 - Validate issuer/subject regexp in validate webhook. by @vaikas in #1761
 - chore: add warning when attaching sBOMs by @hectorj2f in #1756
 - Verify embedded SCTs by @haydentherapper in #1731
 - chore: add warning when downloading a sBOM by @hectorj2f in #1763
 - [policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags by @vpnachev in #1757
 - Break the CIP action tests into a sh script. by @vaikas in #1767
 - tuf: add debug info if tuf update fails by @asraa in #1766
 - cosigned: add support for rsa keys by @hectorj2f in #1768
 - Cosigned validate against remote sig src by @DennyHoang in #1754
 - Add Fulcio intermediate CA certificate to intermediate pool by @haydentherapper in #1774
 - fix: more informative error by @ybelMekk in #1778
 - Run update-codegen. by @wlynch in #1789
 - Remove the dependency on v1alpha1.Identity which brings in unnecessary k8s deps. by @vaikas in #1790
 - Refactor fulcio signer to take in KeyOpts. by @wlynch in #1788
 - test: add cue unit tests by @hectorj2f in #1791
 - Attestations + policy in cip. by @vaikas in #1772
 - chore: add rego function to consume modules and evaluate them by @hectorj2f in #1787
 - Add parallelization for processing policies / authorities. by @vaikas in #1795
 - Allow passing keys via environment variables (env:// refs) by @znewman01 in #1794
 - Handle context cancelled properly + tests. by @vaikas in #1796
 - Fix a bug where an error would send duplicate results. by @vaikas in #1797

• Files Changed
• Browse Source

- updated to 1.7.2
  - [Cosigned] Fix publicKey unmarshal by @DennyHoang in #1719
  - fix: add permissions to patch events by @hectorj2f in #1722
  - Make public all types required to use ValidatePolicy by @jdolitsky in #1727
  - Add unit tests for IntotoAttestation verifier. by @vaikas in #1728
  - Remove newline from download sbom output by @ribbybibby in #1732
  - Fix packages name and binary in the packages by @cpanato in #1734
  - Fix fulcioroots test and linter error by @haydentherapper in #1741
  - Support non-ECDSA public keys in certificates by @haydentherapper in #1740
  - bug: remove old fulcio root and fix fallback target code by @asraa in #1738
- updated to 1.7.1
  - pkcs11: fix build instructions by @rgerganov in #1550
  - add definition for artifact hub to verify the ownership by @cpanato in #1563
  - Add example using AWS Key Management Service (KMS) by @davivcgarcia in #1564
  - Start of the necessary pieces to get #1418 and #1419 implemented by @vaikas in #1562
  - Support deletion of ClusterImagePolicy by @vaikas in #1580
  - 1417 policy validations by @kkavitha in #1548
  - Don't lowercase input image refs, just fail by @imjasonh in #1586
  - Fix #1583 #1582. Disallow regex now until implemented. by @vaikas in #1584
  - Fix piping 'cosign verify' using fulcio/rekor by @marcofranssen in #1590
  - Fix #1592 move authorities as siblings of images. by @vaikas in #1593
  - Add ability to inline secrets from SecretRef to configmap. by @vaikas in #1595
  - Fix copy/paste mistake in repo name. by @k4leung4 in #1600
  - Use reusuable release workflow in sigstore/sigstore by @k4leung4 in #1599
  - Add public key validation by @kkavitha in #1598
  - Validate a public key in a secret is valid. by @vaikas in #1602
  - Ensure entry is removed from CM on secret error. by @vaikas in #1605
  - Add two env variables. One for using Rekor public key from OOB and one for fetching it from Rekor server by @vaikas in #1610
  - Init entity from ociremote when signing a digest ref by @puerco in #1616
  - rename ca-key to ca-cert. Fix 1608, 1613 by @vaikas in #1617 (forwarded request 972815 from msmeissn)

• Files Changed
• Browse Source