Revisions of cosign
buildservice-autocommit
accepted
request 1205246
from
Marcus Meissner (msmeissn)
(revision 47)
baserev update by copy to link target
Marcus Meissner (msmeissn)
accepted
request 1205245
from
Marcus Meissner (msmeissn)
(revision 46)
- update to 2.4.0 (jsc#SLE-23879)
  - Add new bundle support to verify-blob and verify-blob-attestation (#3796)
  - Adding protobuf bundle support to sign-blob and attest-blob (#3752)
  - Bump sigstore/sigstore to support email_verified as string or boolean (#3819)
  - Conformance testing for cosign (#3806)
  - move incremental builds per commit to GHCR instead of GCR (#3808)
  - Add support for recording creation timestamp for cosign attest (#3797)
  - Include SCT verification failure details in error message (#3799)
buildservice-autocommit
accepted
request 1198420
from
Wolfgang Frisch (wfrisch)
(revision 45)
baserev update by copy to link target
Wolfgang Frisch (wfrisch)
accepted
request 1194942
from
Sarah Kriesch (AdaLovelace)
(revision 44)
- Set CGO_ENABLED=1 for fixing s390x failed build
buildservice-autocommit
accepted
request 1189439
from
Marcus Meissner (msmeissn)
(revision 43)
baserev update by copy to link target
Marcus Meissner (msmeissn)
accepted
request 1189438
from
Marcus Meissner (msmeissn)
(revision 42)
- update to 2.3.0 (jsc#SLE-23879)
  * Features
    - Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#3693)
    - add registry options to cosign save (#3645)
    - Add debug providers command. (#3728)
    - Make config layers in ociremote mountable (#3741)
    - adds tsa cert chain check for env var or tuf targets. (#3600)
    - add --ca-roots and --ca-intermediates flags to 'cosign verify' (#3464)
    - add handling of keyless verification for all verify commands (#3761)
  * Bug Fixes
    - fix: close attestationFile (#3679)
    - Set bundleVerified to true after Rekor verification (Resolves #3740) (#3745)
  * Documentation
    - Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#3776)
buildservice-autocommit
accepted
request 1178146
from
Marcus Meissner (msmeissn)
(revision 41)
baserev update by copy to link target
Marcus Meissner (msmeissn)
accepted
request 1177857
from
Johannes Kastl (ojkastl_buildservice)
(revision 40)
add completion subpackages (bash, fish, zsh)
buildservice-autocommit
accepted
request 1167811
from
Marcus Meissner (msmeissn)
(revision 39)
baserev update by copy to link target
Marcus Meissner (msmeissn)
accepted
request 1167810
from
Marcus Meissner (msmeissn)
(revision 38)
- updated to 2.2.4 (jsc#SLE-23879)
  * Bug Fixes
    * Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
      - CVE-2024-29902: Malicious attachments can cause system-wide denial of service (bsc#1222835)
      - CVE-2024-29903: Malicious artifacts can cause machine-wide denial of service (bsc#1222837)
    * ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
    * fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
    * Honor creation timestamp for signatures again (#3549)
  * Features
    * Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)
  * Documentation
    * add oci bundle spec (#3622)
    * Correct help text of triangulate cmd (#3551)
    * Correct help text of verify-attestation policy argument (#3527)
    * feat: add OVHcloud MPR registry tested with cosign (#3639)
buildservice-autocommit
accepted
request 1143630
from
Marcus Meissner (msmeissn)
(revision 37)
baserev update by copy to link target
Marcus Meissner (msmeissn)
accepted
request 1143629
from
Marcus Meissner (msmeissn)
(revision 36)
- updated to 2.2.3 (jsc#SLE-23879)
  Bug Fixes:
  * Fix race condition on verification with multiple signatures attached to image (#3486)
  * fix(clean): Fix clean cmd for private registries (#3446)
  * Fixed BYO PKI verification (#3427)
  Features:
  * Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
  * Add support for OpenVEX predicate type (#3405)
  Documentation:
  * Resolves #3088: `version` sub-command expected behaviour documentation and testing (#3447)
  * add examples for cosign attach signature cmd (#3468)
  Misc:
  * Remove CertSubject function (#3467)
  * Use local rekor and fulcio instances in e2e tests (#3478)
- bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)
buildservice-autocommit
accepted
request 1132694
from
Wolfgang Frisch (wfrisch)
(revision 35)
baserev update by copy to link target
Wolfgang Frisch (wfrisch)
accepted
request 1132643
from
Marcos Bjoerkelund (mbjoerkelund)
(revision 34)
- updated to 2.2.2 (jsc#SLE-23879)
  v2.2.2 adds a new container with a shell, gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing container gcr.io/projectsigstore/cosign:vx.y.z without a shell.
  For private deployments, we have also added an alias for --insecure-skip-log, --private-infrastructure.
  Bug Fixes:
  * chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411) which fixes a bug with using Azure KMS
  * Don't require CT log keys if using a key/sk (#3415)
  * Fix copy without any flag set (#3409)
  * Update cosign generate cmd to not include newline (#3393)
  * Fix idempotency error with signing (#3371)
  Features:
  * Add --yes flag cosign import-key-pair to skip the overwrite confirmation. (#3383)
  * Use the timeout flag value in verify* commands. (#3391)
  * add --private-infrastructure flag (#3369)
  Container Updates:
  * Bump builder image to use go1.21.4 and add new cosign image tags with shell (#3373)
  Documentation:
  * Update SBOM_SPEC.md (#3358)
buildservice-autocommit
accepted
request 1124000
from
Marcus Meissner (msmeissn)
(revision 33)
baserev update by copy to link target
Marcus Meissner (msmeissn)
accepted
request 1123989
from
Marcus Meissner (msmeissn)
(revision 32)
- updated to 2.2.1 (jsc#SLE-23879)
  This release comes with a fix for CVE-2023-46737 / bsc#1216933 described in this [Github Security Advisory](https://github.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9).
  Enhancements:
  * feat: Support basic auth and bearer auth login to registry (#3310)
  * add support for ignoring certificates with pkcs11 (#3334)
  * Support ReplaceOp in Signatures (#3315)
  * feat: added ability to get image digest back via triangulate (#3255)
  * feat: add `--only` flag in `cosign copy` to copy sign, att & sbom (#3247)
  * feat: add support attaching a Rekor bundle to a container (#3246)
  * feat: add support outputting rekor response on signing (#3248)
  * feat: improve dockerfile verify subcommand (#3264)
  * Add guard flag for experimental OCI 1.1 verify. (#3272)
  * Deprecate SBOM attachments (#3256)
  * feat: dedent line in cosign copy doc (#3244)
  * feat: add platform flag to cosign copy command (#3234)
  * Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)
  * attest: pass OCI remote opts to att resolver. (#3225)
  Bug Fixes:
  * Merge pull request from GHSA-vfp6-jrw2-99g9
  * fix: allow cosign download sbom when image is absent (#3245)
  * ci: add a OCI registry test for referrers support (#3253)
  * Fix ReplaceSignatures (#3292)
  * Stop using deprecated in_toto.ProvenanceStatement (#3243)
  * Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237)
  * fix: update error in `SignedEntity` to be more descriptive (#3233)
  * Fail timestamp verification if no root is provided (#3224)
  Documentation:
  * Add some docs about verifying in an air-gapped environment (#3321)
buildservice-autocommit
accepted
request 1108432
from
Marcus Meissner (msmeissn)
(revision 31)
baserev update by copy to link target
Marcus Meissner (msmeissn)
accepted
request 1108431
from
Marcus Meissner (msmeissn)
(revision 30)
- updated to 2.2.0 (jsc#SLE-23879)
  - Enhancements
    * switch to uploading DSSE types to rekor instead of intoto (#3113)
    * add 'cosign sign' command-line parameters for mTLS (#3052)
    * improve error messages around bundle != payload hash (#3146)
    * make VerifyImageAttestation function public (#3156)
    * Switch to cryptoutils function for SANS (#3185)
    * Handle HTTP_1_1_REQUIRED errors in github provider (#3172)
  - Bug Fixes
    * Fix nondeterministic timestamps (#3121)
  - Documentation
    * doc: Add example of sign-blob with key in env var (#3152)
    * add deprecation notice for cosign-releases GCS bucket (#3148)
    * update doc links (#3186)
- updated to 2.1.1 (jsc#SLE-23879)
  - Bug Fixes
    - wait for the workers become available again to continue the execution (#3084)
    - fix help text when in a container (#3082)
- updated to 2.1.0 (jsc#SLE-23879)
  - Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag.
  - Enhancements
    - Verify sigs and attestations in parallel (#3066)
    - Deep inspect attestations when filtering download (#3031)
    - refactor bundle validation code, add support for DSSE rekor type (#3016)
    - Allow overriding remote options (#3049)
    - feat: adds no cert found on sig exit code (#3038)
    - Make predicate a required flag in attest commands (#3033)
    - Added support for attaching Time stamp authority Response in attach command (#3001)
    - Add sign --sign-container-identity CLI (#2984)
buildservice-autocommit
accepted
request 1079859
from
Marcus Meissner (msmeissn)
(revision 29)
baserev update by copy to link target
Marcus Meissner (msmeissn)
accepted
request 1079858
from
Marcus Meissner (msmeissn)
(revision 28)
- update to 2.0.1 (jsc#SLE-23879)
  Enhancements
  - Add environment variable token provider (#2864)
  - Remove cosign policy command (#2846)
  - Allow customising 'go' executable with GOEXE var (#2841)
  - Consistent tlog warnings during verification (#2840)
  - Add riscv64 arch (#2821)
  - Default generated PEM labels to SIGSTORE (#2735)
  - Update privacy statement and confirmation (#2797)
  - Add exit codes for verify errors (#2766)
  - Add Buildkite provider (#2779)
  - verify-blob-attestation: Loosen arg requirements if --check-claims=false (#2746)
  Bug Fixes
  - PKCS11 sessions are now opened read only (#2853)
  - Makefile: date format of log should not show signatures (#2835)
  - Add missing flags to cosign verify dockerfile/manifest (#2830)
  - Add a warning to remember how to configure a custom Gitlab host (#2816)
  - Remove tag warning message from save/copy commands (#2799)
  - Mark keyless pem files with b64 (#2671)
Displaying revisions 1 - 20 of 47