- updated to 1.6.0
  - Fix double time import in e2e tests by @saschagrunert in #1388
  - Add --timeout support to sign command by @saschagrunert in #1379
  - Fix comparison in replace option for attestation by @bburky in #1366
  - Add Cosign logo to README by @nsmith5 in #1395
  - Minor refactor to verify SCT and Rekor entry with multiple keys by @haydentherapper in #1396
  - Fix a link of SECURITY.md by @knqyf263 in #1399
  - update cosign and cross-build image for the release job by @cpanato in #1400
  - feat: login command by @developer-guy in #1398
  - TUF: Add root status output by @asraa in #1404
  - Add a newline after password input by @knqyf263 in #1407
  - make imageRef lowercase before parsing by @bobcallaway in #1409
  - Improve error message when image is not found in registry by @imjasonh in #1410
  - Add ability to override the Spiffe socket via environmental variable: by @vaikas in #1421
  - Fix incorrect error check when verifying SCT by @haydentherapper in #1422
  - Skip the ReadWrite test that flakes on Windows. by @dlorenc in #1415
  - Allow PassFunc to be nil by @saschagrunert in #1426
  - Update the cosign keyless documentation to point to the GA release. by @dlorenc in #1427
  - Remove TUF timestamp from OCI signature bundle by @haydentherapper in #1428
  - Add docs on API stability and deprecation table by @priyawadhwa in #1429
  - update cross-build image which adds goimports by @cpanato in #1435
  - feat: enhance clean cmd capability by @developer-guy in #1430
  - use the upstream kubernetes version lib and ldflags by @n3wscott in #1413
  - Improve log lines to match with implementation by @marcofranssen in #1432
  - feat: fig autocomplete feature by @developer-guy in #1360
  - update cross-build to use go 1.17.7 by @cpanato in #1446
  - Fetch verification targets by TUF custom metadata by @haydentherapper in #1423
  - feat: add -buildid= to ldflags by @developer-guy in #1451
  - Streamline SignBlobCmd API with SignCmd by @saschagrunert in #1454
  - convert release cosigned to also generate yaml artifact. by @k4leung4 in #1453 (forwarded request 966616 from msmeissn)

• Files Changed
• Browse Source

- updated to 1.5.2:
  - This release contains fixes for CVE-2022-23649, affecting signature
    validations with Rekor. Only validation is affected, it is not necessary
    to re-sign any artifacts. (bsc#1196239)
- updated to 1.5.1:
  - Bump sigstore/sigstore to pick up oidc login for vault. (#1377)
  - Bump google.golang.org/api from 0.65.0 to 0.66.0 (#1371)
  - expose dafaults fulcio, rekor, oidc issuer urls (#1368)
  - add check to make sure the go modules are in sync (#1369)
  - README: fix link to race conditions (#1367)
  - Bump cloud.google.com/go/storage from 1.18.2 to 1.19.0 (#1365)
  - docs: verify-attestation cue and rego policy doc (#1362)
  - Update verify-blob to support DSSEs (#1355)
  - organize, update select deps (#1358)
  - Bump go-containerregistry to pick up ACR keychain fix (#1357)
  - Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (#1352)
  - sync go modules (#1353) (forwarded request 956474 from msmeissn)

• Files Changed
• Browse Source

- updated to 1.5.0
  ## Highlights
  * enable sbom generation when releasing (https://github.com/sigstore/cosign/pull/1261)
  * feat: log error to stderr (https://github.com/sigstore/cosign/pull/1260)
  * feat: support attach attestation (https://github.com/sigstore/cosign/pull/1253)
  * feat: resolve --cert from URL (https://github.com/sigstore/cosign/pull/1245)
  * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1237)
  * feat: vuln attest support (https://github.com/sigstore/cosign/pull/1168)
  * feat: add ambient credential detection with spiffe/spire (https://github.com/sigstore/cosign/pull/1220)
  * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1236)
  * feat: implement cosign download attestation (https://github.com/sigstore/cosign/pull/1216)
  ## Enhancements
  * Don't use k8schain, statically link cloud cred helpers in cosign (https://github.com/sigstore/cosign/pull/1279)
  * Export function to verify individual signature (https://github.com/sigstore/cosign/pull/1334)
  * Add suffix with digest to signature file output for recursive signing (https://github.com/sigstore/cosign/pull/1267)
  * Take OIDC client secret into account (https://github.com/sigstore/cosign/pull/1310)
  * Add --bundle flag to sign-blob and verify-blob (https://github.com/sigstore/cosign/pull/1306)
  * Add flag to verify OIDC issuer in certificate (https://github.com/sigstore/cosign/pull/1308)
  * add OSSF scorecard action (https://github.com/sigstore/cosign/pull/1318)
  * Add TUF timestamp to attestation bundle (https://github.com/sigstore/cosign/pull/1316)
  * Provide certificate flags to all verify commands (https://github.com/sigstore/cosign/pull/1305)
  * Bundle TUF timestamp with signature on signing (https://github.com/sigstore/cosign/pull/1294)
  * Add support for importing PKCShttps://github.com/sigstore/cosign/pull/8 private keys, and add validation (https://github.com/sigstore/cosign/pull/1300)
  * add error message (https://github.com/sigstore/cosign/pull/1296)
  * Move bundle out of `oci` and into `bundle` package (https://github.com/sigstore/cosign/pull/1295)
  * Reorganize verify-blob code and add a unit test (https://github.com/sigstore/cosign/pull/1286)
  * One-to-one mapping of invocation to scan result (https://github.com/sigstore/cosign/pull/1268)
  * refactor common utilities (https://github.com/sigstore/cosign/pull/1266)
  * Importing RSA and EC keypairs (https://github.com/sigstore/cosign/pull/1050)
  * Refactor the tuf client code. (https://github.com/sigstore/cosign/pull/1252) (forwarded request 949014 from msmeissn)

• Files Changed
• Browse Source

add to factory

• Browse Source