Revisions of cosign

buildservice-autocommit accepted request 1006386 from Marcus Meissner (msmeissn) (revision 21)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1006385 from Dirk Mueller (dirkmueller) (revision 20)
- update to 1.12.1:
  * fix: Pulls Fulcio root and intermediate when --certificate-chain is not
    passed into verify-blob command. The v1.12.0 release introduced a
    regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would
    check a --certificate (without a --certificate-chain provided) against the
    operating system root CA bundle. In this release, Cosign checks the
    certificate against Fulcio's CA root instead (restoring the earlier
    behavior).
  * fix: fix cert chain validation for verify-blob in non-experimental mode
  * fix: add COSIGN_EXPERIMENTAL=1 for verify-blob
  * Fix BYO-root with intermediate to fetch intermediates from annotation
  * fix: fixing breaking changes in rekor v1.12.0 upgrade
- use go-modules service to generate the vendor.tar and use zstd
buildservice-autocommit accepted request 1003868 from Marcus Meissner (msmeissn) (revision 19)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1003867 from Marcus Meissner (msmeissn) (revision 18)
- updated to 1.12.0 (jsc#SLE-23879)
  - CVE-2022-36056: Fixed verify-blob could successfully verify an artifact when verification should have failed (bsc#1203430)
  - Support non-ECDSA key types for verify-blob by @haydentherapper in #2203
  - feat: integrate Alibaba Cloud Container Registry cred helper by @mozillazg in #2008
  - remove double quotes, looks like it is passing as a single string to cosign and not as an array by @cpanato in #2205
  - Clarify error when KMS provider fails to load by @znewman01 in #2220
  - feat: set annotations to generate additional bash completion information by @dirien in #2221
  - Add deprecation warning for sget CLI and packages by @imjasonh in #2019
  - upgrade setup-ko to point to new repo by @imjasonh in #2225
  - Temp fix for e2e test by @haydentherapper in #2247
  - update kind to use release v0.15.0 and some version comments by @cpanato in #2246
  - Fix e2e test failure, add test for local bundle without rekor bundle by @haydentherapper in #2248
  - fix: fix secret test, non-experimental bundle should pass by @asraa in #2249
- updated to 1.11.1
  - add stale workflow using the workflow template by @cpanato in #2175
  - Update Scorecard action to v2:alpha by @azeemshaikh38 in #2177
  - add release cadence section in the readme by @cpanato in #2179
  - feat: Rework fig autocomplete command by @dirien in #2187
  - fix: fix typo that caused attestation verification failure by @asraa in #2199
- updated to 1.11.0
  - Verify the certificate chain against the Fulcio root trust by default by @wata727 in #2139
  - Add notes to clarify registry use. by @bendory in #2145
  - Use TUF from scaffolding for validating cosign. by @vaikas in #2146
  - docs: clarify wording in spec about usage of certificate chain by @asraa in #2152
  - fix: fix blob verification output with sharded rekor tlogs by @asraa in #2157
  - fix: adds envelope hash to in-toto entries in tlog entry creation by @nkreiger in #2118
  - fix handling of verify-attestation types for URIs by @otms61 in #2159
  - fix oidc post-merge job by @cpanato in #2164
  - Remove third_party by @imjasonh in #2166
  - use updated device flow logic with PKCE by @bobcallaway in #2163
buildservice-autocommit accepted request 993342 from Marcus Meissner (msmeissn) (revision 17)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 993341 from Marcus Meissner (msmeissn) (revision 16)
- updated to 1.10.1 (jsc#SLE-23879)
  - CVE-2022-35929: Fixed that cosign verify-attestation --type can
    report a false positive if any attestation exists (GHSA-vjxv-45g9-9296)
    (bsc#1202157)
- What else changed:
  - add flag to allow skipping upload to transparency log by @k4leung4 in #2089
  - Improve error message when no sigs/atts are found for an image by @imjasonh in #2101
  - Change Result in Vulnerability Attestation to interface{} by @knqyf263 in #2096
  - Fix field names in the vulnerability attestation by @otms61 in #2099
  - remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint by @cpanato in #2105
  - Enable Scorecard badge by @azeemshaikh38 in #2109
  - Resolves #522 set Created date to time of execution by @Lerentis in #2108
  - Introduce a custom error type to classify errors. by @mattmoor in #2114
  - feat: attach: attestation: allow passing multiple payloads by @Dentrax in #2085
  - update cross-builder to go1.18.5 and cosign image to 1.10.0 by @cpanato in #2119
  - chore: fix documentation and warning on using untrusted rekor key by @asraa in #2124
  - Correct the type used for attest by @mattmoor in #2128
buildservice-autocommit accepted request 991560 from Marcus Meissner (msmeissn) (revision 15)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 991559 from Marcus Meissner (msmeissn) (revision 14)
- updated to 1.10.0
  - replace gcr.io/distroless/ to use ghcr.io/distroless/ by @cpanato in #1961
  - Separate RegExp matching of issuer/subject from strict by @vaikas in #1956
  - tuf: improve TUF client concurrency and caching by @asraa in #1953
  - Add Cloudsmith Container Registry to tested registry list by @ciaracarey in #1966
  - feat(fulcioroots): singleton error pattern by @developer-guy in #1965
  - Drop tuf client dependency on GCS client library by @imjasonh in #1967
  - Add spdxjson predicate type for attestations by @jdolitsky in #1974
  - Remove policy-controller now that it lives in sigstore/policy-controller by @vaikas in #1976
  - cleanup: unexport kubernetes.Client method by @imjasonh in #1973
  - cleanup ci job and remove policy-controller references by @cpanato in #1981
  - fix/update post build job by @cpanato in #1983
  - docs: updated Azure kms commands. by @JBrejnholt in #1972
  - Add cyclonedx predicate type for attestations by @jdolitsky in #1977
  - Route deprecated -version to version subcommand by @puerco in #1854
  - docs(readme): add installation steps for container image for cosign binary by @developer-guy in #1986
  - Add --platform flag to cosign sbom download by @puerco in #1975
  - Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore by @imjasonh in #1866
  - Add --oidc-provider flag to specify which provider to use for ambient credentials by @priyawadhwa in #1998
  - encrypt values to create the github action secret by @cpanato in #1990
  - sign-blob: bundle should work independently and respect --output-certificate and --output-signature by @Dentrax in #2016
  - Attempt to clean up pkg/cosign by @imjasonh in #2018
  - public-key: fix command description by @Dentrax in #2024
  - [NFC] specs: fix list formatting on SIGNATURE_SPEC by @woodruffw in #2030
  - feat: cert-extensions verify by @developer-guy in #1626
  - Fix #1378 create new attestation signature in replace mode if not existent by @Syquel in #2014
  - Use cosign.ConfirmPrompt more consistently by @imjasonh in #2039
  - chore: add a note about SIGSTORE_REKOR_PUBLIC_KEY var by @hectorj2f in #2040
  - Fix OIDC test by @cpanato in #2050
  - Add env subcommand. by @wlynch in #2051
buildservice-autocommit accepted request 983636 from Marcus Meissner (msmeissn) (revision 13)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 983635 from Marcus Meissner (msmeissn) (revision 12)
- updated to 1.9.0
  - Check failure message of policy that fails with issuer mismatch by @vaikas in #1815
  - [Cosigned] Add signature pull secrets by @DennyHoang in #1805
  - feat: add rego policy support by @hectorj2f in #1817
  - Refactor fulcio signer to take in KeyOpts (take 2) by @wlynch in #1818
  - cosigned: Test unsupported KMS providers by @imjasonh in #1820
  - chore(deps): Included dependency review by @naveensrinivasan in #1792
  - Add auth flow option to KeyOpts. by @wlynch in #1827
  - Document Staging instance usage with Keyless by @k4leung4 in #1824
  - New flag --oidc-providers-disable to disable OIDC providers by @puerco in #1832
  - Validate tlog entry when verifying signature via public key. by @wlynch in #1833
  - Add function to explicitly request a certain provider by @priyawadhwa in #1837
  - cosigned: Fix podAntiAffinity labels by @elfotografo007 in #1841
  - remove exclude from go.mod by @cpanato in #1846
  - [Cosigned] Glob matching improvement by @DennyHoang in #1842
  - sget: Enable KMS providers for sget by @imjasonh in #1852
  - Fix piv-tool generate-key command in TOKENS doc by @nealmcb in #1850
  - Add IBM Cloud Container Registry to tested registry list by @bainsy88 in #1856
  - If SBOM ref has .json suffix, assume JSON mediatype by @jdolitsky in #1859
  - Add rekor.0.pub TUF target to unit tests by @priyawadhwa in #1860
  - Normalize certificate flag names by @haydentherapper in #1868
  - Check certificate policy flags with only a certificate by @haydentherapper in #1869
  - Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go by @cpanato in #1861
  - Point git commit FUN.md to gitsign! by @wlynch in #1874
  - [cosigned] remove regex from the image pattern fields by @hectorj2f in #1873
  - go.mod: format go.mod by @zchee in #1879
  - Remove dependency on deprecated github.com/pkg/errors by @zchee in #1887
  - tree: only report artifacts that are present by @ribbybibby in #1872
  - update README with ebpf modules by @EItanya in #1888
  - Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d by @vpnachev in #1889
buildservice-autocommit accepted request 978429 from Marcus Meissner (msmeissn) (revision 11)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 978428 from Marcus Meissner (msmeissn) (revision 10)
- updated to 1.8.0
 - Move the KMS integration imports into the binary entrypoints by @mattmoor in #1744
 - [Cosigned] Convert functions for webhookCIP from v1alpha1 by @DennyHoang in #1736
 - Refactor policy related code, add support for vuln verify by @vaikas in #1747
 - Use bundle log ID to find verification key by @haydentherapper in #1748
 - [cosigned] The webhook name is now configurable via --webhook-name flag by @vpnachev in #1726
 - Add intermediate CA certificate pool for Fulcio by @haydentherapper in #1749
 - test: create fake TUF test root and create test SETs for verification by @asraa in #1750
 - Implement identities, fix bug in webhook validation. by @vaikas in #1759
 - Validate issuer/subject regexp in validate webhook. by @vaikas in #1761
 - chore: add warning when attaching sBOMs by @hectorj2f in #1756
 - Verify embedded SCTs by @haydentherapper in #1731
 - chore: add warning when downloading a sBOM by @hectorj2f in #1763
 - [policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags by @vpnachev in #1757
 - Break the CIP action tests into a sh script. by @vaikas in #1767
 - tuf: add debug info if tuf update fails by @asraa in #1766
 - cosigned: add support for rsa keys by @hectorj2f in #1768
 - Cosigned validate against remote sig src by @DennyHoang in #1754
 - Add Fulcio intermediate CA certificate to intermediate pool by @haydentherapper in #1774
 - fix: more informative error by @ybelMekk in #1778
 - Run update-codegen. by @wlynch in #1789
 - Remove the dependency on v1alpha1.Identity which brings in unnecessary k8s deps. by @vaikas in #1790
 - Refactor fulcio signer to take in KeyOpts. by @wlynch in #1788
 - test: add cue unit tests by @hectorj2f in #1791
 - Attestations + policy in cip. by @vaikas in #1772
 - chore: add rego function to consume modules and evaluate them by @hectorj2f in #1787
 - Add parallelization for processing policies / authorities. by @vaikas in #1795
 - Allow passing keys via environment variables (env:// refs) by @znewman01 in #1794
 - Handle context cancelled properly + tests. by @vaikas in #1796
 - Fix a bug where an error would send duplicate results. by @vaikas in #1797
buildservice-autocommit accepted request 972838 from Marcus Meissner (msmeissn) (revision 9)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 972815 from Marcus Meissner (msmeissn) (revision 8)
- updated to 1.7.2
  - [Cosigned] Fix publicKey unmarshal by @DennyHoang in #1719
  - fix: add permissions to patch events by @hectorj2f in #1722
  - Make public all types required to use ValidatePolicy by @jdolitsky in #1727
  - Add unit tests for IntotoAttestation verifier. by @vaikas in #1728
  - Remove newline from download sbom output by @ribbybibby in #1732
  - Fix packages name and binary in the packages by @cpanato in #1734
  - Fix fulcioroots test and linter error by @haydentherapper in #1741
  - Support non-ECDSA public keys in certificates by @haydentherapper in #1740
  - bug: remove old fulcio root and fix fallback target code by @asraa in #1738
- updated to 1.7.1
  - pkcs11: fix build instructions by @rgerganov in #1550
  - add definition for artifact hub to verify the ownership by @cpanato in #1563
  - Add example using AWS Key Management Service (KMS) by @davivcgarcia in #1564
  - Start of the necessary pieces to get #1418 and #1419 implemented by @vaikas in #1562
  - Support deletion of ClusterImagePolicy by @vaikas in #1580
  - 1417 policy validations by @kkavitha in #1548
  - Don't lowercase input image refs, just fail by @imjasonh in #1586
  - Fix #1583 #1582. Disallow regex now until implemented. by @vaikas in #1584
  - Fix piping 'cosign verify' using fulcio/rekor by @marcofranssen in #1590
  - Fix #1592 move authorities as siblings of images. by @vaikas in #1593
  - Add ability to inline secrets from SecretRef to configmap. by @vaikas in #1595
  - Fix copy/paste mistake in repo name. by @k4leung4 in #1600
  - Use reusable release workflow in sigstore/sigstore by @k4leung4 in #1599
  - Add public key validation by @kkavitha in #1598
  - Validate a public key in a secret is valid. by @vaikas in #1602
  - Ensure entry is removed from CM on secret error. by @vaikas in #1605
  - Add two env variables. One for using Rekor public key from OOB and one for fetching it from Rekor server by @vaikas in #1610
  - Init entity from ociremote when signing a digest ref by @puerco in #1616
  - rename ca-key to ca-cert. Fix 1608, 1613 by @vaikas in #1617
buildservice-autocommit accepted request 966617 from Marcus Meissner (msmeissn) (revision 7)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 966616 from Marcus Meissner (msmeissn) (revision 6)
- updated to 1.6.0
  - Fix double time import in e2e tests by @saschagrunert in #1388
  - Add --timeout support to sign command by @saschagrunert in #1379
  - Fix comparison in replace option for attestation by @bburky in #1366
  - Add Cosign logo to README by @nsmith5 in #1395
  - Minor refactor to verify SCT and Rekor entry with multiple keys by @haydentherapper in #1396
  - Fix a link of SECURITY.md by @knqyf263 in #1399
  - update cosign and cross-build image for the release job by @cpanato in #1400
  - feat: login command by @developer-guy in #1398
  - TUF: Add root status output by @asraa in #1404
  - Add a newline after password input by @knqyf263 in #1407
  - make imageRef lowercase before parsing by @bobcallaway in #1409
  - Improve error message when image is not found in registry by @imjasonh in #1410
  - Add ability to override the Spiffe socket via environmental variable: by @vaikas in #1421
  - Fix incorrect error check when verifying SCT by @haydentherapper in #1422
  - Skip the ReadWrite test that flakes on Windows. by @dlorenc in #1415
  - Allow PassFunc to be nil by @saschagrunert in #1426
  - Update the cosign keyless documentation to point to the GA release. by @dlorenc in #1427
  - Remove TUF timestamp from OCI signature bundle by @haydentherapper in #1428
  - Add docs on API stability and deprecation table by @priyawadhwa in #1429
  - update cross-build image which adds goimports by @cpanato in #1435
  - feat: enhance clean cmd capability by @developer-guy in #1430
  - use the upstream kubernetes version lib and ldflags by @n3wscott in #1413
  - Improve log lines to match with implementation by @marcofranssen in #1432
  - feat: fig autocomplete feature by @developer-guy in #1360
  - update cross-build to use go 1.17.7 by @cpanato in #1446
  - Fetch verification targets by TUF custom metadata by @haydentherapper in #1423
  - feat: add -buildid= to ldflags by @developer-guy in #1451
  - Streamline SignBlobCmd API with SignCmd by @saschagrunert in #1454
  - convert release cosigned to also generate yaml artifact. by @k4leung4 in #1453
Marcus Meissner (msmeissn) accepted request 956474 from Marcus Meissner (msmeissn) (revision 5)
- updated to 1.5.2:
  - This release contains fixes for CVE-2022-23649, affecting signature
    validations with Rekor. Only validation is affected, it is not necessary
    to re-sign any artifacts. (bsc#1196239)
- updated to 1.5.1:
  - Bump sigstore/sigstore to pick up oidc login for vault. (#1377)
  - Bump google.golang.org/api from 0.65.0 to 0.66.0 (#1371)
  - expose defaults fulcio, rekor, oidc issuer urls (#1368)
  - add check to make sure the go modules are in sync (#1369)
  - README: fix link to race conditions (#1367)
  - Bump cloud.google.com/go/storage from 1.18.2 to 1.19.0 (#1365)
  - docs: verify-attestation cue and rego policy doc (#1362)
  - Update verify-blob to support DSSEs (#1355)
  - organize, update select deps (#1358)
  - Bump go-containerregistry to pick up ACR keychain fix (#1357)
  - Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (#1352)
  - sync go modules (#1353)
Marcus Meissner (msmeissn) accepted request 949014 from Marcus Meissner (msmeissn) (revision 4)
- updated to 1.5.0
  ## Highlights
  * enable sbom generation when releasing (https://github.com/sigstore/cosign/pull/1261)
  * feat: log error to stderr (https://github.com/sigstore/cosign/pull/1260)
  * feat: support attach attestation (https://github.com/sigstore/cosign/pull/1253)
  * feat: resolve --cert from URL (https://github.com/sigstore/cosign/pull/1245)
  * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1237)
  * feat: vuln attest support (https://github.com/sigstore/cosign/pull/1168)
  * feat: add ambient credential detection with spiffe/spire (https://github.com/sigstore/cosign/pull/1220)
  * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1236)
  * feat: implement cosign download attestation (https://github.com/sigstore/cosign/pull/1216)
  ## Enhancements
  * Don't use k8schain, statically link cloud cred helpers in cosign (https://github.com/sigstore/cosign/pull/1279)
  * Export function to verify individual signature (https://github.com/sigstore/cosign/pull/1334)
  * Add suffix with digest to signature file output for recursive signing (https://github.com/sigstore/cosign/pull/1267)
  * Take OIDC client secret into account (https://github.com/sigstore/cosign/pull/1310)
  * Add --bundle flag to sign-blob and verify-blob (https://github.com/sigstore/cosign/pull/1306)
  * Add flag to verify OIDC issuer in certificate (https://github.com/sigstore/cosign/pull/1308)
  * add OSSF scorecard action (https://github.com/sigstore/cosign/pull/1318)
  * Add TUF timestamp to attestation bundle (https://github.com/sigstore/cosign/pull/1316)
  * Provide certificate flags to all verify commands (https://github.com/sigstore/cosign/pull/1305)
  * Bundle TUF timestamp with signature on signing (https://github.com/sigstore/cosign/pull/1294)
  * Add support for importing PKCS#8 private keys, and add validation (https://github.com/sigstore/cosign/pull/1300)
  * add error message (https://github.com/sigstore/cosign/pull/1296)
  * Move bundle out of `oci` and into `bundle` package (https://github.com/sigstore/cosign/pull/1295)
  * Reorganize verify-blob code and add a unit test (https://github.com/sigstore/cosign/pull/1286)
  * One-to-one mapping of invocation to scan result (https://github.com/sigstore/cosign/pull/1268)
  * refactor common utilities (https://github.com/sigstore/cosign/pull/1266)
  * Importing RSA and EC keypairs (https://github.com/sigstore/cosign/pull/1050)
  * Refactor the tuf client code. (https://github.com/sigstore/cosign/pull/1252)
Marcus Meissner (msmeissn) accepted request 948967 from Bernhard Wiedemann (bmwiedemann) (revision 3)
Fix BUILD_DATE for reproducible build results (boo#1047218)
Dominique Leuenberger (dimstar_suse) accepted request 944678 from Marcus Meissner (msmeissn) (revision 2)
initialized devel package after accepting 944678