Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP7:GA
cosign
cosign.changes
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File cosign.changes of Package cosign
------------------------------------------------------------------- Wed Oct 2 15:34:01 UTC 2024 - Marcus Meissner <meissner@suse.com> - update to 2.4.0 (jsc#SLE-23879) - Add new bundle support to verify-blob and verify-blob-attestation (#3796) - Adding protobuf bundle support to sign-blob and attest-blob (#3752) - Bump sigstore/sigstore to support email_verified as string or boolean (#3819) - Conformance testing for cosign (#3806) - move incremental builds per commit to GHCR instead of GCR (#3808) - Add support for recording creation timestamp for cosign attest (#3797) - Include SCT verification failure details in error message (#3799) ------------------------------------------------------------------- Tue Aug 20 19:14:06 UTC 2024 - Sarah Kriesch <sarah.kriesch@opensuse.org> - Set CGO_ENABLED=1 for fixing s390x failed build ------------------------------------------------------------------- Wed Jul 24 15:22:12 UTC 2024 - Marcus Meissner <meissner@suse.com> - update to 2.3.0 (jsc#SLE-23879) * Features - Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#3693) - add registry options to cosign save (#3645) - Add debug providers command. (#3728) - Make config layers in ociremote mountable (#3741) - adds tsa cert chain check for env var or tuf targets. (#3600) - add --ca-roots and --ca-intermediates flags to 'cosign verify' (#3464) - add handling of keyless verification for all verify commands (#3761) * Bug Fixes - fix: close attestationFile (#3679) - Set bundleVerified to true after Rekor verification (Resolves #3740) (#3745) * Documentation - Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#3776) ------------------------------------------------------------------- Fri May 31 07:48:36 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de> - add completion subpackages (bash, fish, zsh) ------------------------------------------------------------------- Mon Apr 15 12:48:16 UTC 2024 - Marcus Meissner <meissner@suse.com> - updated to 2.2.4 (jsc#SLE-23879) * Bug Fixes * Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661) - CVE-2024-29902: Malicious attachments can cause system-wide denial of service (bsc#1222835) - CVE-2024-29903: Malicious artifects can cause machine-wide denial of service (bsc#1222837) * ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526) * fix semgrep issues for dgryski.semgrep-go ruleset (#3541) * Honor creation timestamp for signatures again (#3549) * Features * Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578) * Documentation * add oci bundle spec (#3622) * Correct help text of triangulate cmd (#3551) * Correct help text of verify-attestation policy argument (#3527) * feat: add OVHcloud MPR registry tested with cosign (#3639) ------------------------------------------------------------------- Fri Feb 2 10:17:12 UTC 2024 - Marcus Meissner <meissner@suse.com> - updated to 2.2.3 (jsc#SLE-23879) Bug Fixes: * Fix race condition on verification with multiple signatures attached to image (#3486) * fix(clean): Fix clean cmd for private registries (#3446) * Fixed BYO PKI verification (#3427) Features: * Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466) * Add support for OpenVEX predicate type (#3405) Documentation: * Resolves #3088: `version` sub-command expected behaviour documentation and testing (#3447) * add examples for cosign attach signature cmd (#3468) Misc: * Remove CertSubject function (#3467) * Use local rekor and fulcio instances in e2e tests (#3478) - bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207) ------------------------------------------------------------------- Tue Dec 12 10:18:40 UTC 2023 - Marcos Bjoerkelund <marcos.bjoerkelund@suse.com> - updated to 2.2.2 (jsc#SLE-23879) v2.2.2 adds a new container with a shell, gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing container gcr.io/projectsigstore/cosign:vx.y.z without a shell. For private deployments, we have also added an alias for --insecure-skip-log, --private-infrastructure. Bug Fixes: * chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411) which fixes a bug with using Azure KMS * Don't require CT log keys if using a key/sk (#3415) * Fix copy without any flag set (#3409) * Update cosign generate cmd to not include newline (#3393) * Fix idempotency error with signing (#3371) Features: * Add --yes flag cosign import-key-pair to skip the overwrite confirmation. (#3383) * Use the timeout flag value in verify* commands. (#3391) * add --private-infrastructure flag (#3369) Container Updates: * Bump builder image to use go1.21.4 and add new cosign image tags with shell (#3373) Documentation: * Update SBOM_SPEC.md (#3358) ------------------------------------------------------------------- Tue Nov 7 13:49:48 UTC 2023 - Marcus Meissner <meissner@suse.com> - updated to 2.2.1 (jsc#SLE-23879) This release comes with a fix for CVE-2023-46737 / bsc#1216933 described in this [Github Security Advisory](https://github.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9). Enhancements: * feat: Support basic auth and bearer auth login to registry (#3310) * add support for ignoring certificates with pkcs11 (#3334) * Support ReplaceOp in Signatures (#3315) * feat: added ability to get image digest back via triangulate (#3255) * feat: add `--only` flag in `cosign copy` to copy sign, att & sbom (#3247) * feat: add support attaching a Rekor bundle to a container (#3246) * feat: add support outputting rekor response on signing (#3248) * feat: improve dockerfile verify subcommand (#3264) * Add guard flag for experimental OCI 1.1 verify. (#3272) * Deprecate SBOM attachments (#3256) * feat: dedent line in cosign copy doc (#3244) * feat: add platform flag to cosign copy command (#3234) * Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219) * attest: pass OCI remote opts to att resolver. (#3225) Bug Fixes: * Merge pull request from GHSA-vfp6-jrw2-99g9 * fix: allow cosign download sbom when image is absent (#3245) * ci: add a OCI registry test for referrers support (#3253) * Fix ReplaceSignatures (#3292) * Stop using deprecated in_toto.ProvenanceStatement (#3243) * Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237) * fix: update error in `SignedEntity` to be more descriptive (#3233) * Fail timestamp verification if no root is provided (#3224) Documentation: * Add some docs about verifying in an air-gapped environment (#3321) * Update CONTRIBUTING.md (#3268) * docs: improves the Contribution guidelines (#3257) * Remove security policy (#3230) Others: * Set go to min 1.21 and update dependencies (#3327) * Update contact for code of conduct (#3266) * Update .ko.yaml (#3240) ------------------------------------------------------------------- Fri Sep 1 08:45:59 UTC 2023 - Marcus Meissner <meissner@suse.com> - updated to 2.2.0 (jsc#SLE-23879) - Enhancements * switch to uploading DSSE types to rekor instead of intoto (#3113) * add 'cosign sign' command-line parameters for mTLS (#3052) * improve error messages around bundle != payload hash (#3146) * make VerifyImageAttestation function public (#3156) * Switch to cryptoutils function for SANS (#3185) * Handle HTTP_1_1_REQUIRED errors in github provider (#3172) - Bug Fixes * Fix nondeterminsitic timestamps (#3121) - Documentation * doc: Add example of sign-blob with key in env var (#3152) * add deprecation notice for cosign-releases GCS bucket (#3148) * update doc links (#3186) ------------------------------------------------------------------- Tue Jun 27 09:33:07 UTC 2023 - Marcus Meissner <meissner@suse.com> - updated to 2.1.1 (jsc#SLE-23879) - Bug Fixes - wait for the workers become available again to continue the execution (#3084) - fix help text when in a container (#3082) - updated to 2.1.0 (jsc#SLE-23879) - Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag. - Enhancements - Verify sigs and attestations in parallel (#3066) - Deep inspect attestations when filtering download (#3031) - refactor bundle validation code, add support for DSSE rekor type (#3016) - Allow overriding remote options (#3049) - feat: adds no cert found on sig exit code (#3038) - Make predicate a required flag in attest commands (#3033) - Added support for attaching Time stamp authority Response in attach command (#3001) - Add sign --sign-container-identity CLI (#2984) - Feature: Allow cosign to sign digests before they are uploaded. (#2959) - accepts attachment-tag-prefix for cosign copy (#3014) - Feature: adds '--allow-insecure-registry' for cosign load (#3000) - download attestation: support --platform flag (#2980) - Cleanup: Add Digest to the SignedEntity interface. (#2960) - verify command: support keyless verification using only a provided certificate chain with non-fulcio roots (#2845) - verify: use workers to limit the paralellism when verifying images with --max-workers flag (#3069) - Bug Fixes - Fix pkg/cosign/errors (#3050) - Fix: update doc to refer to github-actions oidc provider (#3040) - Fix: prefer GitHub OIDC provider if enabled (#3044) - Fix --sig-only in cosign copy (#3074) - Documentation - Fix links to sigstore/docs in markdown files (#3064) ------------------------------------------------------------------- Sun May 7 11:58:02 UTC 2023 - Marcus Meissner <meissner@suse.com> - update to 2.0.2 (jsc#SLE-23879) Enhancements - Update sigstore/sigstore to v1.6.2 to pick up TUF CDN change (#2891) - feat: Make cosign copy faster (#2901) - remove sget (#2885) - Require a payload to be provided with a signature (#2785) Bug Fixes - cmd: Change error message from KeyParseError to PubKeyParseError for verify-blob. (#2876) - Use SOURCE_DATE_EPOCH for OCI CreatedAt times (#2878) Documentation - Remove experimental warning from Fulcio flags (#2923) - add missing oidc provider (#2922) - Add zot as a supported registry (#2920) - deprecates kms_support docs (#2900) - chore(docs) deprecate note for usage docs (#2906) - adds note of deprecation for examples.md docs (#2899) ------------------------------------------------------------------- Mon Apr 17 07:56:14 UTC 2023 - Marcus Meissner <meissner@suse.com> - update to 2.0.1 (jsc#SLE-23879) Enhancements - Add environment variable token provider (#2864) - Remove cosign policy command (#2846) - Allow customising 'go' executable with GOEXE var (#2841) - Consistent tlog warnings during verification (#2840) - Add riscv64 arch (#2821) - Default generated PEM labels to SIGSTORE (#2735) - Update privacy statement and confirmation (#2797) - Add exit codes for verify errors (#2766) - Add Buildkite provider (#2779) - verify-blob-attestation: Loosen arg requirements if --check-claims=false (#2746) Bug Fixes - PKCS11 sessions are now opened read only (#2853) - Makefile: date format of log should not show signatures (#2835) - Add missing flags to cosign verify dockerfile/manifest (#2830) - Add a warning to remember how to configure a custom Gitlab host (#2816) - Remove tag warning message from save/copy commands (#2799) - Mark keyless pem files with b64 (#2671) ------------------------------------------------------------------- Tue Apr 4 20:02:41 UTC 2023 - Dirk Müller <dmueller@suse.com> - fix buildtags - build against a maintained golang version (upstream uses go1.20) ------------------------------------------------------------------- Mon Feb 27 12:31:33 UTC 2023 - Marcus Meissner <meissner@suse.com> - update to 2.0.0 (jsc#SLE-23879) Breaking Changes: * insecure-skip-tlog-verify: rename and adapt the cert expiration check (#2620) * Deprecate --certificate-email flag. Make --certificate-identity and -… (#2411) Enhancements: * Change go module name to github.com/sigstore/cosign/v2 for Cosign 2.0 (#2544) * Allow users to pass in a path for the --identity-token flag (#2538) * Breaking change: Respect tlog-upload=false, default to true (#2505) * Support outputing a certificate without uploading to the tlog (#2506) * Attestation/Blob signing and verification using a RFC3161 time-stamping server (#2464) * respect tlog-upload flag with TSA (#2474) * Better feedback if specifying incompatible argument on cosign sign --attachment (#2449) * Support TSA and Rekor verifications (#2463) * add support for tsa signing and verification of images (#2460) * cosign policy sign: remove experimental flag and make keyless signing default (#2459) * Remove experimental mode from cosign attest and verify-attestation (#2458) * Remove experimental mode from sign-blob and verify-blob (#2457) * Add --offline flag to force offline verification (#2427) * Air gap support (#2299) * Breaking change: Change SCT verification behavior to default to enforcement (#2400) * Breaking change: remove --force flag from sign and attest and rely on --yes flag to skip confirmation (#2399) * Breaking change: replace --no-tlog-upload flag with --tlog-upload flag (#2397) * Remove experimental flag from cosign sign and cosign verify (#2387) * verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a key from rekor's API (#2362) * Add warning to use digest instead of tags to other cosign commands (#2650) * Fix up UI messages (#2629) * Remove hardcoded Fulcio from output (#2621) * Fix missing privacy statement, print in multiple locations (#2622) * feat: allows custom key names for import-key-pair (#2587) * feat: support keyless verification for verify-blob-attestation (#2525) * attest-blob: add functionality for keyless signing (#2515) * Rego: add support for custom error/warning messages when evaluating rego rules (#2577) * feat: add debug information to cert validation error (#2579) * Support non-Sigstore TSA requests (#2708) * Add COSIGN_OCI_EXPERIMENTAL, push .sig/.sbom using OCI 1.1+ digest tag (#2684) * Output certificate in bundle when entry is not uploaded to Rekor (#2715) * attach signature and attach sbom must use STDIN to upload raw string (#2637) * add generate-key-pair GitHub Enterprise server support (#2676) * add in format string for warning (#2699) * Support for fetching Fulcio certs with self-managed key (#2532) * 2476 predicate type download (#2484) Bug Fixes: * Fix the file existence check. (#2552) * Fix timestamp verification, add verify-blob tests (#2527) * Fix(verify): Consolidate certificate expiry logic (#2504) * Updates to Timestamp signing and verification (#2499) * Fix: removes attestation payload from attest-blob's output & no base64 encoding (#2498) * Fix path for e2e-tests badge (#2490) * Fix spdx json media type (#2479) * Fix sct verificaction (#2426) * Fix: panic with unsigned local image (#2656) * Make sure a cert passed in via --cert matches the bundle cert (#2652) * Fix: fix github oidc post submit test (#2594) * Fix: add enhanced error messages for failing verification with TUF targets (#2589) * Fix: Add missing schemes to cosign predicate types. (#2717) * Fix: Drop the CosignPredicate wrapper around SBOM attestations. (#2718) * Fix prompts with Windows line endings (#2674) ------------------------------------------------------------------- Tue Oct 18 12:37:41 UTC 2022 - Marcus Meissner <meissner@suse.com> - update to 1.13.1: * verify-blob-attestation: allow multiple subjects in in_toto attestation (#2341) * Nits for #2337 (#2342) * Add verify-blob-attestation command and tests (#2337) * Update warning when users sign images by tag. (#2313) * Remove experimental flags from attest-blob and refactor (#2338) * Add --output-attestation flag to attest-blob and remove experimental signing (#2332) * Add attest-blob command (#2286) * Add '--cert-identity' flag to support subject alternate names for ver… (#2278) * Update Dockerfile section of README (#2323) * Fix option description: "sign" --> "verify" (#2306) - update to 1.13.0: * feat: use stdin as an input for predicate by @developer-guy in https://github.com/sigstore/cosign/pull/2269 * feat: improve the verification message by @developer-guy in https://github.com/sigstore/cosign/pull/2268 * use scaffolding 0.4.8 for tests. by @vaikas in https://github.com/sigstore/cosign/pull/2280 * fix pivtool generate key touch policy by @cpanato in https://github.com/sigstore/cosign/pull/2282 * Check error on chain verification failure by @haydentherapper in https://github.com/sigstore/cosign/pull/2284 * Fix: Remove an extra registry request from verification path. by @mattmoor in https://github.com/sigstore/cosign/pull/2285 * Fix: Create a static copy of signatures as part of verification. by @mattmoor in https://github.com/sigstore/cosign/pull/2287 * Data race in FetchSignaturesForReference by @RTann in https://github.com/sigstore/cosign/pull/2283 * Add support for Fulcio username identity in SAN by @haydentherapper in https://github.com/sigstore/cosign/pull/2291 * fix: make tlog entry lookups for online verification shard-aware by @asraa in https://github.com/sigstore/cosign/pull/2297 * Better help text to sign and verify SBOM by @ChristianCiach in https://github.com/sigstore/cosign/pull/2308 * Adding warning to pin to digest by @ChaosInTheCRD in https://github.com/sigstore/cosign/pull/2311 * Add annotations for upload blob. by @cldmnky in https://github.com/sigstore/cosign/pull/2188 * replace deprecate package by @cpanato in https://github.com/sigstore/cosign/pull/2314 * update release images to use go1.19.2 and cosign v1.12.1 by @cpanato in https://github.com/sigstore/cosign/pull/2315 ------------------------------------------------------------------- Tue Sep 27 12:05:43 UTC 2022 - Dirk Müller <dmueller@suse.com> - update to 1.12.1: * fix: Pulls Fulcio root and intermediate when --certificate-chain is not passed into verify-blob command. The v1.12.0 release introduced a regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would check a --certificate (without a --certificate-chain provided) against the operating system root CA bundle. In this release, Cosign checks the certificate against Fulcio's CA root instead (restoring the earlier behavior). * fix: fix cert chain validation for verify-blob in non-experimental mode * fix: add COSIGN_EXPERIMENTAL=1 for verify-bloba * Fix BYO-root with intermediate to fetch intermediates from annotation * fix: fixing breaking changes in rekor v1.12.0 upgrade - use go-modules service to generate the vendor.tar and use zstd ------------------------------------------------------------------- Thu Sep 15 12:14:37 UTC 2022 - Marcus Meissner <meissner@suse.com> - updated to 1.12.0 (jsc#SLE-23879) - CVE-2022-36056: Fixed verify-blob could successfully verify an artifact when verification should have failed (bsc#1203430) - Support non-ECDSA key types for verify-blob by @haydentherapper in #2203 - feat: integrate Alibaba Cloud Container Registry cred helper by @mozillazg in #2008 - remove double quotes, looks like it is passing as a single string to cosign and not as an array by @cpanato in #2205 - Clarify error when KMS provider fails to load by @znewman01 in #2220 - feat: set annotations to generate additional bash completion information by @dirien in #2221 - Add deprecation warning for sget CLI and packages by @imjasonh in #2019 - upgrade setup-ko to point to new repo by @imjasonh in #2225 - Temp fix for e2e test by @haydentherapper in #2247 - update kind to use release v0.15.0 and some version comments by @cpanato in #2246 - Fix e2e test failure, add test for local bundle without rekor bundle by @haydentherapper in #2248 - fix: fix secret test, non-experimental bundle should pass by @asraa in #2249 - updated to 1.11.1 - add stale workflow using the workflow template by @cpanato in #2175 - Update Scorecard action to v2:alpha by @azeemshaikh38 in #2177 - add release cadence section in the readme by @cpanato in #2179 - feat: Rework fig autocomplete command by @dirien in #2187 - fix: fix typo that caused attestation verification failure by @asraa in #2199 - updated to 1.11.0 - Verify the certificate chain against the Fulcio root trust by default by @wata727 in #2139 - Add notes to clarify registry use. by @bendory in #2145 - Use TUF from scaffolding for validating cosign. by @vaikas in #2146 - docs: clarify wording in spec about usage of certificate chain by @asraa in #2152 - fix: fix blob verification output with sharded rekor tlogs by @asraa in #2157 - fix: adds envelope hash to in-toto entries in tlog entry creation by @nkreiger in #2118 - fix handling of verify-attestation types for URIs by @otms61 in #2159 - fix oidc post-merge job by @cpanato in #2164 - Remove third_party by @imjasonh in #2166 - use updated device flow logic with PKCE by @bobcallaway in #2163 - fix: rekor get tlog entry with uuid by @asraa in #2058 - update e2e job to run only when push to main by @cpanato in #2169 - fix: add env cmd to root by @developer-guy in #2171 - fix panic when os.Stat returns an error besides ErrNotExists by @dsa0x in #2162 ------------------------------------------------------------------- Fri Aug 5 14:03:51 UTC 2022 - Marcus Meissner <meissner@suse.com> - updated to 1.10.1 (jsc#SLE-23879) - CVE-2022-35929: Fixed that cosign verify-attestaton --type can report a false positive if any attestation exists (GHSA-vjxv-45g9-9296 (bsc#1202157) - What else changed: - add flag to allow skipping upload to transparency log by @k4leung4 in #2089 - Improve error message when no sigs/atts are found for an image by @imjasonh in #2101 - Change Result in Vulnerability Attestation to interface{} by @knqyf263 in #2096 - Fix field names in the vulnerability attestation by @otms61 in #2099 - remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint by @cpanato in #2105 - sparkles Enable Scorecard badge by @azeemshaikh38 in #2109 - Resolves #522 set Created date to time of execution by @Lerentis in #2108 - Introduce a custom error type to classify errors. by @mattmoor in #2114 - feat: attach: attestation: allow passing multiple payloads by @Dentrax in #2085 - update cross-builder to go1.18.5 and cosign image to 1.10.0 by @cpanato in #2119 - chore: fix documentation and warning on using untrusted rekor key by @asraa in #2124 - Correct the type used for attest by @mattmoor in #2128 ------------------------------------------------------------------- Wed Jul 27 13:41:54 UTC 2022 - Marcus Meissner <meissner@suse.com> - updated to 1.10.0 - replace gcr.io/distroless/ to use ghcr.io/distroless/ by @cpanato in #1961 - Separate RegExp matching of issuer/subject from strict by @vaikas in #1956 - tuf: improve TUF client concurrency and caching by @asraa in #1953 - Add Cloudsmith Container Registry to tested registry list by @ciaracarey in #1966 - feat(fulcioroots): singleton error pattern by @developer-guy in #1965 - Drop tuf client dependency on GCS client library by @imjasonh in #1967 - Add spdxjson predicate type for attestations by @jdolitsky in #1974 - Remove policy-controller now that it lives in sigstore/policy-controller by @vaikas in #1976 - cleanup: unexport kubernetes.Client method by @imjasonh in #1973 - cleanup ci job and remove policy-controller references by @cpanato in #1981 - fix/update post build job by @cpanato in #1983 - docs: updated Azure kms commands. by @JBrejnholt in #1972 - Add cyclonedx predicate type for attestations by @jdolitsky in #1977 - Route deprecated -version to version subcommand by @puerco in #1854 - docs(readme): add installation steps for container image for cosign binary by @developer-guy in #1986 - Add --platform flag to cosign sbom download by @puerco in #1975 - Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore by @imjasonh in #1866 - Add --oidc-provider flag to specify which provider to use for ambient credentials by @priyawadhwa in #1998 - encrypt values to create the github action secret by @cpanato in #1990 - sign-blob: bundle should work independently and respect --output-certificate and --output-signature by @Dentrax in #2016 - Attempt to clean up pkg/cosign by @imjasonh in #2018 - public-key: fix command description by @Dentrax in #2024 - [NFC] specs: fix list formatting on SIGNATURE_SPEC by @woodruffw in #2030 - feat: cert-extensions verify by @developer-guy in #1626 - Fix #1378 create new attestation signature in replace mode if not existent by @Syquel in #2014 - Use cosign.ConfirmPrompt more consistently by @imjasonh in #2039 - chore: add a note about SIGSTORE_REKOR_PUBLIC_KEY var by @hectorj2f in #2040 - Fix OIDC test by @cpanato in #2050 - Add env subcommand. by @wlynch in #2051 - remove tests with 1.21 k8s cluster because it is deprecated and add v1.23/24 by @cpanato in #2055 - update ct/otel and etcd by @cpanato in #2054 - chore(deps): CycloneDX PredicateType changed to use in-toto-golang by @masahiro331 in #2067 - Remove replace directives in go.mod. by @wlynch in #2070 - update design doc link by @bobcallaway in #2077 - Remove hack/tools.go by @imjasonh in #2080 - fix missing quote by @cpanato in #2090 - removed cosigned and webhook ------------------------------------------------------------------- Sat Jun 18 14:16:31 UTC 2022 - Marcus Meissner <meissner@suse.com> - updated to 1.9.0 - Check failure message of policy that fails with issuer mismatch by @vaikas in #1815 - [Cosigned] Add signature pull secrets by @DennyHoang in #1805 - feat: add rego policy support by @hectorj2f in #1817 - Refactor fulcio signer to take in KeyOpts (take 2) by @wlynch in #1818 - cosigned: Test unsupported KMS providers by @imjasonh in #1820 - chore(deps): Included dependency review by @naveensrinivasan in #1792 - Add auth flow option to KeyOpts. by @wlynch in #1827 - Document Staging instance usage with Keyless by @k4leung4 in #1824 - New flag --oidc-providers-disable to disable OIDC providers by @puerco in #1832 - Validate tlog entry when verifying signature via public key. by @wlynch in #1833 - Add function to explicitly request a certain provider by @priyawadhwa in #1837 - cosigned: Fix podAntiAffinity labels by @elfotografo007 in #1841 - remove exclude from go.mod by @cpanato in #1846 - [Cosigned] Glob matching improvement by @DennyHoang in #1842 - sget: Enable KMS providers for sget by @imjasonh in #1852 - Fix piv-tool generate-key command in TOKENS doc by @nealmcb in #1850 - Add IBM Cloud Container Registry to tested registry list by @bainsy88 in #1856 - If SBOM ref has .json suffix, assume JSON mediatype by @jdolitsky in #1859 - Add rekor.0.pub TUF target to unit tests by @priyawadhwa in #1860 - Normalize certificate flag names by @haydentherapper in #1868 - Check certificate policy flags with only a certificate by @haydentherapper in #1869 - Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go by @cpanato in #1861 - Point git commmit FUN.md to gitsign! by @wlynch in #1874 - [cosigned] remove regex from the image pattern fields by @hectorj2f in #1873 - go.mod: format go.mod by @zchee in #1879 - Remove dependency on deprecated github.com/pkg/errors by @zchee in #1887 - tree: only report artifacts that are present by @ribbybibby in #1872 - update README with ebpf modules by @EItanya in #1888 - Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d by @vpnachev in #1889 - v1beta1 API for cosigned by @vaikas in #1890 - tree: support --attachment-tag-prefix by @ribbybibby in #1900 - [cosigned] Remove undefined apiGroups from policy clusterrole by @vpnachev in #1896 - GHSA-66x3-6cw3-v5gj: Update go-tuf to v0.3.0 by @janisz in #1894 - The timeout arg in golangci-lint has been moved to the generic args p… by @dlorenc in #1901 - [cosigned] Rename cosigned references to policy-controller by @hectorj2f in #1893 - Move deprecated dependency: google/trillian/merkle to transparency-dev by @cpanato in #1910 - Add support for "**" in image glob matching by @imjasonh in #1914 - Add privacy statement for PII storage by @haydentherapper in #1909 - Do not push to public rekor. by @vaikas in #1931 - fix: fix fetching updated targets from TUF root by @asraa in #1921 - fix: fix #1930 for AWS KMS formats by @vaikas in #1946 - update cross-builder image to use go1.17.11 by @cpanato in #1950 - remove deprecation from goreleaser, go-fish is not supported anymore by @cpanato in #1952 - add changelog for v1.9.0 by @cpanato in #1955 - add parallelism for goreleaser by @cpanato in #1957 ------------------------------------------------------------------- Sat May 21 13:07:53 UTC 2022 - Marcus Meissner <meissner@suse.com> - updated to 1.8.0 - Move the KMS integration imports into the binary entrypoints by @mattmoor in #1744 - [Cosigned] Convert functions for webhookCIP from v1alpha1 by @DennyHoang in #1736 - Refactor policy related code, add support for vuln verify by @vaikas in #1747 - Use bundle log ID to find verification key by @haydentherapper in #1748 - [cosigned] The webhook name is now configurable via --webhook-name flag by @vpnachev in #1726 - Add intermediate CA certificate pool for Fulcio by @haydentherapper in #1749 - test: create fake TUF test root and create test SETs for verification by @asraa in #1750 - Implement identities, fix bug in webhook validation. by @vaikas in #1759 - Validate issuer/subject regexp in validate webhook. by @vaikas in #1761 - chore: add warning when attaching sBOMs by @hectorj2f in #1756 - Verify embedded SCTs by @haydentherapper in #1731 - chore: add warning when downloading a sBOM by @hectorj2f in #1763 - [policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags by @vpnachev in #1757 - Break the CIP action tests into a sh script. by @vaikas in #1767 - tuf: add debug info if tuf update fails by @asraa in #1766 - cosigned: add support for rsa keys by @hectorj2f in #1768 - Cosigned validate against remote sig src by @DennyHoang in #1754 - Add Fulcio intermediate CA certificate to intermediate pool by @haydentherapper in #1774 - fix: more informative error by @ybelMekk in #1778 - Run update-codegen. by @wlynch in #1789 - Remove the dependency on v1alpha1.Identity which brings in unnecessary k8s deps. by @vaikas in #1790 - Refactor fulcio signer to take in KeyOpts. by @wlynch in #1788 - test: add cue unit tests by @hectorj2f in #1791 - Attestations + policy in cip. by @vaikas in #1772 - chore: add rego function to consume modules and evaluate them by @hectorj2f in #1787 - Add parallelization for processing policies / authorities. by @vaikas in #1795 - Allow passing keys via environment variables (env:// refs) by @znewman01 in #1794 - Handle context cancelled properly + tests. by @vaikas in #1796 - Fix a bug where an error would send duplicate results. by @vaikas in #1797 - Revert "Refactor fulcio signer to take in KeyOpts. (#1788)" by @wlynch in #1798 - cosigned: Unify cue data and policy before evaluating it by @hectorj2f in #1793 - Don't fail open in VerifyBundle by @mtrmac in #1648 - Load in intermediate cert pool from TUF by @haydentherapper in #1804 - Support PKCS1 encoded and non-ECDSA CT log public keys by @haydentherapper in #1806 ------------------------------------------------------------------- Tue Apr 26 09:50:07 UTC 2022 - Marcus Meissner <meissner@suse.com> - updated to 1.7.2 - [Cosigned] Fix publicKey unmarshal by @DennyHoang in #1719 - fix: add permissions to patch events by @hectorj2f in #1722 - Make public all types required to use ValidatePolicy by @jdolitsky in #1727 - Add unit tests for IntotoAttestation verifier. by @vaikas in #1728 - Remove newline from download sbom output by @ribbybibby in #1732 - Fix packages name and binary in the packages by @cpanato in #1734 - Fix fulcioroots test and linter error by @haydentherapper in #1741 - Support non-ECDSA public keys in certificates by @haydentherapper in #1740 - bug: remove old fulcio root and fix fallback target code by @asraa in #1738 - updated to 1.7.1 - pkcs11: fix build instructions by @rgerganov in #1550 - add definition for artifact hub to verify the ownership by @cpanato in #1563 - Add example using AWS Key Management Service (KMS) by @davivcgarcia in #1564 - Start of the necessary pieces to get #1418 and #1419 implemented by @vaikas in #1562 - Support deletion of ClusterImagePolicy by @vaikas in #1580 - 1417 policy validations by @kkavitha in #1548 - Don't lowercase input image refs, just fail by @imjasonh in #1586 - Fix #1583 #1582. Disallow regex now until implemented. by @vaikas in #1584 - Fix piping 'cosign verify' using fulcio/rekor by @marcofranssen in #1590 - Fix #1592 move authorities as siblings of images. by @vaikas in #1593 - Add ability to inline secrets from SecretRef to configmap. by @vaikas in #1595 - Fix copy/paste mistake in repo name. by @k4leung4 in #1600 - Use reusuable release workflow in sigstore/sigstore by @k4leung4 in #1599 - Add public key validation by @kkavitha in #1598 - Validate a public key in a secret is valid. by @vaikas in #1602 - Ensure entry is removed from CM on secret error. by @vaikas in #1605 - Add two env variables. One for using Rekor public key from OOB and one for fetching it from Rekor server by @vaikas in #1610 - Init entity from ociremote when signing a digest ref by @puerco in #1616 - rename ca-key to ca-cert. Fix 1608, 1613 by @vaikas in #1617 - improve cosigned validation error messages by @cpanato in #1618 - Use latest knative/pkg's configmap informer by @tcnghia in #1615 - Included OpenSSF Best Practices Badge by @naveensrinivasan in #1628 - FUN.md broke when RecordObj changed to HashedRecordObj by @MitchellJThomas in #1633 - update crane to v0.8.0 release by @cpanato in #1635 - push latest tag when building a release by @cpanato in #1636 - Add extra label and change the latest tag to unstable for non tagged releases by @cpanato in #1637 - Document Elastic container registry support by @mgreau in #1641 - Validate authority keys by @coyote240 in #1623 - feat: tree command utility by @developer-guy in #1603 - fix build date format for version command by @cpanato in #1644 - Add support for intermediate certificates when verifiying by @haydentherapper in #1631 - Prompt user before running cosign clean by @priyawadhwa in #1649 - Use ClusterImagePolicy with Keyless + e2e tests for CIP with kind by @vaikas in #1650 - KEYLESS.md: Shorten example OAuth URL by @tstromberg in #1661 - Use syscall.Stdin for input handle. Fixes #1153 by @mdp in #1657 - Add support for certificate chain to verify certificate by @haydentherapper in #1659 - First batch of followups to #1650 by @vaikas in #1664 - Add certificate chain flag for signing by @haydentherapper in #1656 - [attach]: Add specific suffixes mediaTypes to sboms by @hectorj2f in #1663 - update font when output the cosign version by @cpanato in #1668 - feat: add ability to override registry keychain by @noamichael in #1666 - remove replace directive by @cpanato in #1669 - Refactor based on discussions in #1650 by @vaikas in #1674 - Find all valid entries in verify-blob by @priyawadhwa in #1673 - Fix relative paths in Gitub OIDC blob test by @priyawadhwa in #1677 - Add support for cert and cert chain flags with PKCS11 tokens by @haydentherapper in #1671 - Use cosign @ HEAD for Github OIDC sign blob test by @priyawadhwa in #1678 - Make cosign copy copy metadata attached to child images. by @mattmoor in #1682 - change file_name_template to PackageName by @strongjz in #1683 - Update error message for verify/verify attestation by @haydentherapper in #1686 - cosign clean: Don't log failure if the registry responds with 404 by @imjasonh in #1687 - verify: add leaf hash verification for tlog entries by @asraa in #1688 - Fix handling of policy in verify-attestation by @lcarva in #1672 - Add e2e test for attest / verify-attestation by @vaikas in #1685 - verify: remove extra calls to rekor for verify and verify-blob by @asraa in #1694 - Remove the hardcoded sigstore audience by @mattmoor in #1698 - Use ValidatePubKey from sigstore/sigstore by @haydentherapper in #1676 - Use the github actions from sigstore/scaffolding. by @vaikas in #1699 - sign: set the oidc redirect uri by @hectorj2f in #1675 - add back the go mod proxy by @cpanato in #1701 - enable 1.23 tests (Test cosigned with ClusterImagePolicy) by @cpanato in #1702 - Fix incorrect unmarshalling of SCT response by @haydentherapper in #1704 - Make CLI flag for OIDC client secret take a path by @znewman01 in #1705 - cosigned: read the public key from the kms authority by @hectorj2f in #1706 - fix latest tag when running a release job by @cpanato in #1707 - [Cosigned] Parse and store publicKey data earlier by @DennyHoang in #1681 - Dont overwrite token set in keyOpts by @puerco in #1709 - refactor release job by @cpanato in #1710 ------------------------------------------------------------------- Fri Apr 1 14:46:30 UTC 2022 - Marcus Meissner <meissner@suse.com> - updated to 1.6.0 - Fix double time import in e2e tests by @saschagrunert in #1388 - Add --timeout support to sign command by @saschagrunert in #1379 - Fix comparison in replace option for attestation by @bburky in #1366 - Add Cosign logo to README by @nsmith5 in #1395 - Minor refactor to verify SCT and Rekor entry with multiple keys by @haydentherapper in #1396 - Fix a link of SECURITY.md by @knqyf263 in #1399 - update cosign and cross-build image for the release job by @cpanato in #1400 - feat: login command by @developer-guy in #1398 - TUF: Add root status output by @asraa in #1404 - Add a newline after password input by @knqyf263 in #1407 - make imageRef lowercase before parsing by @bobcallaway in #1409 - Improve error message when image is not found in registry by @imjasonh in #1410 - Add ability to override the Spiffe socket via environmental variable: by @vaikas in #1421 - Fix incorrect error check when verifying SCT by @haydentherapper in #1422 - Skip the ReadWrite test that flakes on Windows. by @dlorenc in #1415 - Allow PassFunc to be nil by @saschagrunert in #1426 - Update the cosign keyless documentation to point to the GA release. by @dlorenc in #1427 - Remove TUF timestamp from OCI signature bundle by @haydentherapper in #1428 - Add docs on API stability and deprecation table by @priyawadhwa in #1429 - update cross-build image which adds goimports by @cpanato in #1435 - feat: enhance clean cmd capability by @developer-guy in #1430 - use the upstream kubernetes version lib and ldflags by @n3wscott in #1413 - Improve log lines to match with implementation by @marcofranssen in #1432 - feat: fig autocomplete feature by @developer-guy in #1360 - update cross-build to use go 1.17.7 by @cpanato in #1446 - Fetch verification targets by TUF custom metadata by @haydentherapper in #1423 - feat: add -buildid= to ldflags by @developer-guy in #1451 - Streamline SignBlobCmd API with SignCmd by @saschagrunert in #1454 - convert release cosigned to also generate yaml artifact. by @k4leung4 in #1453 - Fix tkn link in readme by @Yongxuanzhang in #1459 - Print message when verifying with old TUF targets by @haydentherapper in #1468 - fix(sign): refactor unsupported provider log by @Dentrax in #1464 - tests: /bin/bash -> /usr/bin/env bash by @znewman01 in #1470 - Double goreleaser timeout by @znewman01 in #1472 - increase timeout for goreleaser snapshot by @cpanato in #1473 - fix(sign): kms unspported message by @Dentrax in #1475 - refactor release cloudbuild job by @cpanato in #1476 - Fix wording on attach attestation help by @luhring in #1480 - update go-tuf and simplify TUF client code by @asraa in #1455 - add initial changelog for 1.5.2 by @cpanato in #1483 - Fix linter error on main by @priyawadhwa in #1484 - Update Changelog for Security Advisory by @cpanato in #1485 - chore(makefile): use kocache, convert publish to build by @developer-guy in #1488 - Pick up a change to quiet ECR-login logging. by @mattmoor in #1491 - feat: support other types in copy cmd by @developer-guy in #1493 - Pick up some of the shared workflows by @mattmoor in #1490 - feat: nominate Dentrax as codeowner by @developer-guy in #1492 - add correct layer media type to cosign attach attestation by @spiffcs in #1503 - This sets up the scaffolding for the cosigned CRD types. by @mattmoor in #1504 - use v6 api calls in GH action for updating release milestones by @bobcallaway in #1511 - Add skeleton reconciler for cosigned API CRD. by @mattmoor in #1513 - bug fix: import ed25519 keys and fix error handling by @asraa in #1518 - optimize codeql speed by using caching and tracing by @bobcallaway in #1519 - Add a dummy.go file to allow vendoring config by @jdolitsky in #1520 - Add CertExtensions func to extract all extensions by @ckotzbauer in #1515 - chore(ci): add artifact hub support by @Dentrax in #1522 - Change Fulcio URL default to be fulcio.sigstore.dev by @haydentherapper in #1529 - Add codecov as github action, set permissions to read content only by @k4leung4 in #1530 - images: remove --bare flags that conflict with --base-import-paths by @cpanato in #1533 - Quay OCI Support in README by @sabre1041 in #1539 - add rpm,deb and apks for cosign packages by @strongjz in #1537 - Consistent parenthesis use in Makefile by @k4leung4 in #1541 - add changelog for 1.6.0 by @cpanato in #1535 - update golang cross image by @cpanato in #1543 - Add fields in policy CRD by @kkavitha in #1540 - Disable for now due some issues when downloading the knative module by @cpanato in #1546 ------------------------------------------------------------------- Mon Feb 21 12:28:25 UTC 2022 - Marcus Meissner <meissner@suse.com> - updated to 1.5.2: - This release contains fixes for CVE-2022-23649, affecting signature validations with Rekor. Only validation is affected, it is not necessary to re-sign any artifacts. (bsc#1196239) - updated to 1.5.1: - Bump sigstore/sigstore to pick up oidc login for vault. (#1377) - Bump google.golang.org/api from 0.65.0 to 0.66.0 (#1371) - expose dafaults fulcio, rekor, oidc issuer urls (#1368) - add check to make sure the go modules are in sync (#1369) - README: fix link to race conditions (#1367) - Bump cloud.google.com/go/storage from 1.18.2 to 1.19.0 (#1365) - docs: verify-attestation cue and rego policy doc (#1362) - Update verify-blob to support DSSEs (#1355) - organize, update select deps (#1358) - Bump go-containerregistry to pick up ACR keychain fix (#1357) - Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (#1352) - sync go modules (#1353) ------------------------------------------------------------------- Tue Jan 25 12:39:54 UTC 2022 - Marcus Meissner <meissner@suse.com> - updated to 1.5.0 ## Highlights * enable sbom generation when releasing (https://github.com/sigstore/cosign/pull/1261) * feat: log error to stderr (https://github.com/sigstore/cosign/pull/1260) * feat: support attach attestation (https://github.com/sigstore/cosign/pull/1253) * feat: resolve --cert from URL (https://github.com/sigstore/cosign/pull/1245) * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1237) * feat: vuln attest support (https://github.com/sigstore/cosign/pull/1168) * feat: add ambient credential detection with spiffe/spire (https://github.com/sigstore/cosign/pull/1220) * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1236) * feat: implement cosign download attestation (https://github.com/sigstore/cosign/pull/1216) ## Enhancements * Don't use k8schain, statically link cloud cred helpers in cosign (https://github.com/sigstore/cosign/pull/1279) * Export function to verify individual signature (https://github.com/sigstore/cosign/pull/1334) * Add suffix with digest to signature file output for recursive signing (https://github.com/sigstore/cosign/pull/1267) * Take OIDC client secret into account (https://github.com/sigstore/cosign/pull/1310) * Add --bundle flag to sign-blob and verify-blob (https://github.com/sigstore/cosign/pull/1306) * Add flag to verify OIDC issuer in certificate (https://github.com/sigstore/cosign/pull/1308) * add OSSF scorecard action (https://github.com/sigstore/cosign/pull/1318) * Add TUF timestamp to attestation bundle (https://github.com/sigstore/cosign/pull/1316) * Provide certificate flags to all verify commands (https://github.com/sigstore/cosign/pull/1305) * Bundle TUF timestamp with signature on signing (https://github.com/sigstore/cosign/pull/1294) * Add support for importing PKCShttps://github.com/sigstore/cosign/pull/8 private keys, and add validation (https://github.com/sigstore/cosign/pull/1300) * add error message (https://github.com/sigstore/cosign/pull/1296) * Move bundle out of `oci` and into `bundle` package (https://github.com/sigstore/cosign/pull/1295) * Reorganize verify-blob code and add a unit test (https://github.com/sigstore/cosign/pull/1286) * One-to-one mapping of invocation to scan result (https://github.com/sigstore/cosign/pull/1268) * refactor common utilities (https://github.com/sigstore/cosign/pull/1266) * Importing RSA and EC keypairs (https://github.com/sigstore/cosign/pull/1050) * Refactor the tuf client code. (https://github.com/sigstore/cosign/pull/1252) * Moved certificate output before checking for upload during signing (https://github.com/sigstore/cosign/pull/1255) * Remove remaining ioutil usage (https://github.com/sigstore/cosign/pull/1256) * Update the embedded TUF metadata. (https://github.com/sigstore/cosign/pull/1251) * Add support for other public key types for SCT verification, allow override for testing. (https://github.com/sigstore/cosign/pull/1241) * Log the proper remote repo for the signatures on verify (https://github.com/sigstore/cosign/pull/1243) * Do not require multiple Fulcio certs in the TUF root (https://github.com/sigstore/cosign/pull/1230) * clean up references to 'keyless' in `ephemeral.Signer` (https://github.com/sigstore/cosign/pull/1225) * create `DSSEAttestor` interface, `payload.DSSEAttestor` implementation (https://github.com/sigstore/cosign/pull/1221) * use `mutate.Signature` in the new `Signer`s (https://github.com/sigstore/cosign/pull/1213) * create `mutate` functions for `oci.Signature` (https://github.com/sigstore/cosign/pull/1199) * add a writeable `$HOME` for the `nonroot` cosigned user (https://github.com/sigstore/cosign/pull/1209) * signing attestation should private key (https://github.com/sigstore/cosign/pull/1200) * Remove the "upload" flag for "cosign initialize" (https://github.com/sigstore/cosign/pull/1201) * create KeylessSigner (https://github.com/sigstore/cosign/pull/1189) ## Bug Fixes * fix: cosign verify for vault (https://github.com/sigstore/cosign/pull/1328) * fix missing goimports (https://github.com/sigstore/cosign/pull/1327) * Fix TestSignBlobBundle (https://github.com/sigstore/cosign/pull/1320) * Fix a couple bugs in cert verification for blobs (https://github.com/sigstore/cosign/pull/1287) * Fix a few bugs in cosign initialize (https://github.com/sigstore/cosign/pull/1280) * Fix the unit tests with expired TUF metadata. (https://github.com/sigstore/cosign/pull/1270) * Fix output-file flag. (https://github.com/sigstore/cosign/pull/1264) * fix: typo in the error message (https://github.com/sigstore/cosign/pull/1250) * Fix semantic bugs in attestation verifification. (https://github.com/sigstore/cosign/pull/1249) * Fix semantic bug in DSSE specification. (https://github.com/sigstore/cosign/pull/1248) - vendor.tar.bz2: go mod vendor ------------------------------------------------------------------- Tue Jan 25 09:05:54 UTC 2022 - Bernhard Wiedemann <bwiedemann@suse.com> - Fix BUILD_DATE for reproducible build results (boo#1047218) ------------------------------------------------------------------- Thu Jan 6 14:49:19 UTC 2022 - Marcus Meissner <meissner@suse.com> - cosign 1.4.1 release, initial import - provides signing / verification support for sigstore
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor