Revisions of rekor

buildservice-autocommit accepted request 1144326 from Marcus Meissner (msmeissn) (revision 42)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1144325 from Marcus Meissner (msmeissn) (revision 41)
- update to 1.3.5 (jsc#SLE-23476):
  - Additional unique index correction
  - Remove timestamp from checkpoint
  - Drop conditional when verifying entry checkpoint
  - Fix panic for DSSE canonicalization
  - Change Redis value for locking mechanism
  - give log timestamps nanosecond precision
  - output trace in slog and override correlation header name
- bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)
buildservice-autocommit accepted request 1142230 from Wolfgang Frisch (wfrisch) (revision 40)
baserev update by copy to link target
Wolfgang Frisch (wfrisch) accepted request 1142127 from Dirk Mueller (dirkmueller) (revision 39)
- update to 1.3.4:
  * add mysql indexstorage backend
  * add s3 storage for attestations
  * fix: Do not check for pubsub.topics.get on initialization
  * fix optional field in cose schema
  * Update ranges.go
  * update indexstorage interface to reduce roundtrips
  * use a single validator library in rekor-cli
  * Remove go-playground/validator dependency from pkg/pki
buildservice-autocommit accepted request 1128622 from Marcus Meissner (msmeissn) (revision 38)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1128621 from Marcus Meissner (msmeissn) (revision 37)
- updated to rekor 1.3.3 (jsc#SLE-23476):
  - Update signer flag description
  - update trillian to 1.5.3
  - adds redis_auth
  - Add method to get artifact hash for an entry
  - make e2e tests more usable with docker-compose
  - install go at correct version for codeql
- updated to rekor 1.3.2 (jsc#SLE-23476):
- updated to rekor 1.3.1 (jsc#SLE-23476):
  New Features:
  - enable GCP cloud profiling on rekor-server (#1746)
  - move index storage into interface (#1741)
  - add info to readme to denote additional documentation sources (#1722)
  - Add type of ed25519 key for TUF (#1677)
  - Allow parsing base64-encoded TUF metadata and root content (#1671)
  Quality Enhancements:
  - disable quota in trillian in test harness (#1680)
  Bug Fixes:
  - Update contact for code of conduct (#1720)
  - Fix panic when parsing SSH SK pubkeys (#1712)
  - Correct index creation (#1708)
  - docs: fixzes a small typo on the readme (#1686)
  - chore: fix backfill-redis Makefile target (#1685)
buildservice-autocommit accepted request 1108430 from Marcus Meissner (msmeissn) (revision 36)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1108429 from Marcus Meissner (msmeissn) (revision 35)
- updated to rekor 1.3.0 (jsc#SLE-23476):
  - Update openapi.yaml (#1655)
  - pass transient errors through retrieveLogEntry (#1653)
  - return full entryID on HTTP 409 responses (#1650)
  - feat: Support publishing new log entries to Pub/Sub topics (#1580)
  - Change values of Identity.Raw, add fingerprints (#1628)
  - Extract all subjects from SANs for x509 verifier (#1632)
  - Fix type comment for Identity struct (#1619)
  - Refactor Identities API (#1611)
  - Refactor Verifiers to return multiple keys (#1601)
  - Update checkpoint link (#1597)
  - Use correct log index in inclusion proof (#1599)
  - remove instrumentation library (#1595)
- updated to rekor 1.2.2 (jsc#SLE-23476):
  - pass down error with message instead of nil
  - swap killswitch for 'docker-compose restart'
buildservice-autocommit accepted request 1089753 from Marcus Meissner (msmeissn) (revision 34)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1089735 from Marcus Meissner (msmeissn) (revision 33)
- updated to rekor 1.2.1 (jsc#SLE-23476):
  Security fix:
  - CVE-2023-33199: Fixed that malformed proposed intoto v0.0.2 entries can cause a panic (bsc#1211790)
  Functional Enhancements
  - add client method to generate TLE struct (#1498)
  - add dsse type (#1487)
  - support other KMS providers (AWS, Azure, Hashicorp) in addition to GCP (#1488)
  - Add concurrency to backfill-redis (#1504)
  - omit informational message if machine-parseable output has been requested (#1486)
  - Publish stable checkpoint periodically to Redis (#1461)
  - Add intoto v0.0.2 to backfill script (#1500)
  - add new method to test insertability of proposed entries into log (#1410)
  Quality Enhancements
  - use t.Skip() in fuzzers (#1506)
  - improve fuzzing coverage (#1499)
  - Remove watcher script (#1484)
  Bug Fixes
  - Merge pull request from GHSA-frqx-jfcm-6jjr (CVE-2023-33199)
  - Remove requirement of PayloadHash for intoto 0.0.1 (#1490)
  - fix lint errors, bump linter up to 1.52 (#1485)
  - Remove dependencies from pkg/util (#1469)
buildservice-autocommit accepted request 1085763 from Marcus Meissner (msmeissn) (revision 32)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1085762 from Marcus Meissner (msmeissn) (revision 31)
  Security fixes:
  - CVE-2023-30551: Fixed a potential denial of service (out of memory)
    when processing JAR META-INF files or .SIGN/.PKINFO files in APK files.
    (bsc#1211210 https://github.com/advisories/GHSA-2h5h-59f5-c5x9)
buildservice-autocommit accepted request 1084327 from Marcus Meissner (msmeissn) (revision 30)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1084326 from Marcus Meissner (msmeissn) (revision 29)
- updated to rekor 1.1.1 (jsc#SLE-23476):
  Functional Enhancements
  - Refactor Trillian client with exported methods (#1454)
  - Switch to official redis-go client (#1459)
  - Remove replace in go.mod (#1444)
  - Add Rekor OID info. (#1390)
  Quality Enhancements
  - remove legacy encrypted cosign key (#1446)
  - swap cjson dependency (#1441)
  - Update release readme (#1456)
buildservice-autocommit accepted request 1077494 from Marcus Meissner (msmeissn) (revision 28)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1077454 from Marcus Meissner (msmeissn) (revision 27)
- updated to rekor 1.1.0 (jsc#SLE-23476):
  Functional Enhancements
  - improve validation on intoto v0.0.2 type (#1351)
  - add feature to limit HTTP request body length to process (#1334)
  - add information about the file size limit (#1313)
  - Add script to backfill Redis from Rekor (#1163)
  - Feature: add search support for sha512 (#1142)
  Quality Enhancements
  - various fuzzing fixes
  Bug Fixes
  - remove goroutine usage from SearchLogQuery (#1407)
  - drop log messages regarding attestation storage to debug (#1408)
  - fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)
  - fix: fix regex for multi-digit counts (#1321)
  - return NotFound if treesize is 0 rather than calling trillian (#1311)
  - enumerate slice to get sugared logs (#1312)
  - put a reasonable size limit on ssh key reader (#1288)
  - CLIENT: Fix Custom Host and Path Issue (#1306)
  - do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)
  - correctly handle invalid or missing pki format (#1281)
  - Add Verifier to get public key/cert and identities for entry type (#1210)
  - fix goroutine leak in client; add insecure TLS option (#1238)
  - Fix - Remove the force-recreate flag (#1179)
  - trim whitespace around public keys before parsing (#1175)
  - stop inserting envelope hash for intoto:0.0.2 types into index (#1171)
  - Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158)
  - remove double encoding of payload and signature fields for intoto (#1150)
  - fix SearchLogQuery behavior to conform to openapi spec (#1145)
  - Remove pem-certificate-chain from client (#1138)
  - fix flag type for operator in search (#1136)
buildservice-autocommit accepted request 1040165 from Marcus Meissner (msmeissn) (revision 26)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1038886 from Marcus Meissner (msmeissn) (revision 25)
- updated to rekor 1.0.1 (jsc#SLE-23476):
  - stop inserting envelope hash for intoto:0.0.2 types into index

- updated to rekor 1.0.0 (jsc#SLE-23476):
buildservice-autocommit accepted request 1029934 from Marcus Meissner (msmeissn) (revision 24)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1029932 from Marcus Meissner (msmeissn) (revision 23)
- updated to rekor 1.0.0 (sc#SLE-23476):
  - add description on /api/v1/index/retrieve endpoint by @bobcallaway in https://github.com/sigstore/rekor/pull/1073
  - Adding e2e test coverage by @cdris in https://github.com/sigstore/rekor/pull/1071
  - export rekor build/version information by @cpanato in https://github.com/sigstore/rekor/pull/1074
  - Use POST instead of GET for /api/log/entries/retrieve metrics. by @var-sdk in https://github.com/sigstore/rekor/pull/1083
  - Search through all shards when searching by hash by @priyawadhwa in https://github.com/sigstore/rekor/pull/1082
  - verify: verify checkpoint's STH against the inclusion proof root hash by @asraa in https://github.com/sigstore/rekor/pull/1092
  - add ability to enable/disable specific rekor API endpoints by @bobcallaway in https://github.com/sigstore/rekor/pull/1080
  - enable configurable client retries with backoff in RekorClient by @bobcallaway in https://github.com/sigstore/rekor/pull/1096
  - remove dead code around api-key and timestamp references by @bobcallaway in https://github.com/sigstore/rekor/pull/1098
  - update swagger API version to 1.0.0 by @bobcallaway in https://github.com/sigstore/rekor/pull/1102
  - remove unused RekorVersion API definition by @bobcallaway in https://github.com/sigstore/rekor/pull/1101
  - install gocovmerge in hack/tools by @bobcallaway in https://github.com/sigstore/rekor/pull/1103
  - add retry command line flag on rekor-cli by @bobcallaway in https://github.com/sigstore/rekor/pull/1097
  - Add some info and debug logging to commonly used funcs by @priyawadhwa in https://github.com/sigstore/rekor/pull/1106
Displaying revisions 1 - 20 of 42