File cosign.changes of Package cosign
------------------------------------------------------------------- Tue Aug 20 19:14:06 UTC 2024 - Sarah Kriesch <sarah.kriesch@opensuse.org> - Set CGO_ENABLED=1 for fixing s390x failed build ------------------------------------------------------------------- Wed Jul 24 15:22:12 UTC 2024 - Marcus Meissner <meissner@suse.com> - update to 2.3.0 (jsc#SLE-23879) * Features - Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#3693) - add registry options to cosign save (#3645) - Add debug providers command. (#3728) - Make config layers in ociremote mountable (#3741) - adds tsa cert chain check for env var or tuf targets. (#3600) - add --ca-roots and --ca-intermediates flags to 'cosign verify' (#3464) - add handling of keyless verification for all verify commands (#3761) * Bug Fixes - fix: close attestationFile (#3679) - Set bundleVerified to true after Rekor verification (Resolves #3740) (#3745) * Documentation - Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#3776) ------------------------------------------------------------------- Fri May 31 07:48:36 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de> - add completion subpackages (bash, fish, zsh) ------------------------------------------------------------------- Mon Apr 15 12:48:16 UTC 2024 - Marcus Meissner <meissner@suse.com> - updated to 2.2.4 (jsc#SLE-23879) * Bug Fixes * Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661) - CVE-2024-29902: Malicious attachments can cause system-wide denial of service (bsc#1222835) - CVE-2024-29903: Malicious artifects can cause machine-wide denial of service (bsc#1222837) * ErrNoSignaturesFound should be used when there is no signature attached to an image. 
(#3526) * fix semgrep issues for dgryski.semgrep-go ruleset (#3541) * Honor creation timestamp for signatures again (#3549) * Features * Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578) * Documentation * add oci bundle spec (#3622) * Correct help text of triangulate cmd (#3551) * Correct help text of verify-attestation policy argument (#3527) * feat: add OVHcloud MPR registry tested with cosign (#3639) ------------------------------------------------------------------- Fri Feb 2 10:17:12 UTC 2024 - Marcus Meissner <meissner@suse.com> - updated to 2.2.3 (jsc#SLE-23879) Bug Fixes: * Fix race condition on verification with multiple signatures attached to image (#3486) * fix(clean): Fix clean cmd for private registries (#3446) * Fixed BYO PKI verification (#3427) Features: * Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466) * Add support for OpenVEX predicate type (#3405) Documentation: * Resolves #3088: `version` sub-command expected behaviour documentation and testing (#3447) * add examples for cosign attach signature cmd (#3468) Misc: * Remove CertSubject function (#3467) * Use local rekor and fulcio instances in e2e tests (#3478) - bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207) ------------------------------------------------------------------- Tue Dec 12 10:18:40 UTC 2023 - Marcos Bjoerkelund <marcos.bjoerkelund@suse.com> - updated to 2.2.2 (jsc#SLE-23879) v2.2.2 adds a new container with a shell, gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing container gcr.io/projectsigstore/cosign:vx.y.z without a shell. For private deployments, we have also added an alias for --insecure-skip-log, --private-infrastructure. 
Bug Fixes: * chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411) which fixes a bug with using Azure KMS * Don't require CT log keys if using a key/sk (#3415) * Fix copy without any flag set (#3409) * Update cosign generate cmd to not include newline (#3393) * Fix idempotency error with signing (#3371) Features: * Add --yes flag cosign import-key-pair to skip the overwrite confirmation. (#3383) * Use the timeout flag value in verify* commands. (#3391) * add --private-infrastructure flag (#3369) Container Updates: * Bump builder image to use go1.21.4 and add new cosign image tags with shell (#3373) Documentation: * Update SBOM_SPEC.md (#3358) ------------------------------------------------------------------- Tue Nov 7 13:49:48 UTC 2023 - Marcus Meissner <meissner@suse.com> - updated to 2.2.1 (jsc#SLE-23879) This release comes with a fix for CVE-2023-46737 / bsc#1216933 described in this [Github Security Advisory](https://github.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9). Enhancements: * feat: Support basic auth and bearer auth login to registry (#3310) * add support for ignoring certificates with pkcs11 (#3334) * Support ReplaceOp in Signatures (#3315) * feat: added ability to get image digest back via triangulate (#3255) * feat: add `--only` flag in `cosign copy` to copy sign, att & sbom (#3247) * feat: add support attaching a Rekor bundle to a container (#3246) * feat: add support outputting rekor response on signing (#3248) * feat: improve dockerfile verify subcommand (#3264) * Add guard flag for experimental OCI 1.1 verify. (#3272) * Deprecate SBOM attachments (#3256) * feat: dedent line in cosign copy doc (#3244) * feat: add platform flag to cosign copy command (#3234) * Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219) * attest: pass OCI remote opts to att resolver. 
(#3225) Bug Fixes: * Merge pull request from GHSA-vfp6-jrw2-99g9 * fix: allow cosign download sbom when image is absent (#3245) * ci: add a OCI registry test for referrers support (#3253) * Fix ReplaceSignatures (#3292) * Stop using deprecated in_toto.ProvenanceStatement (#3243) * Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237) * fix: update error in `SignedEntity` to be more descriptive (#3233) * Fail timestamp verification if no root is provided (#3224) Documentation: * Add some docs about verifying in an air-gapped environment (#3321) * Update CONTRIBUTING.md (#3268) * docs: improves the Contribution guidelines (#3257) * Remove security policy (#3230) Others: * Set go to min 1.21 and update dependencies (#3327) * Update contact for code of conduct (#3266) * Update .ko.yaml (#3240) ------------------------------------------------------------------- Fri Sep 1 08:45:59 UTC 2023 - Marcus Meissner <meissner@suse.com> - updated to 2.2.0 (jsc#SLE-23879) - Enhancements * switch to uploading DSSE types to rekor instead of intoto (#3113) * add 'cosign sign' command-line parameters for mTLS (#3052) * improve error messages around bundle != payload hash (#3146) * make VerifyImageAttestation function public (#3156) * Switch to cryptoutils function for SANS (#3185) * Handle HTTP_1_1_REQUIRED errors in github provider (#3172) - Bug Fixes * Fix nondeterminsitic timestamps (#3121) - Documentation * doc: Add example of sign-blob with key in env var (#3152) * add deprecation notice for cosign-releases GCS bucket (#3148) * update doc links (#3186) ------------------------------------------------------------------- Tue Jun 27 09:33:07 UTC 2023 - Marcus Meissner <meissner@suse.com> - updated to 2.1.1 (jsc#SLE-23879) - Bug Fixes - wait for the workers become available again to continue the execution (#3084) - fix help text when in a container (#3082) - updated to 2.1.0 (jsc#SLE-23879) - Breaking Change: The predicate is now a required flag in the attest 
commands, set via the --type flag. - Enhancements - Verify sigs and attestations in parallel (#3066) - Deep inspect attestations when filtering download (#3031) - refactor bundle validation code, add support for DSSE rekor type (#3016) - Allow overriding remote options (#3049) - feat: adds no cert found on sig exit code (#3038) - Make predicate a required flag in attest commands (#3033) - Added support for attaching Time stamp authority Response in attach command (#3001) - Add sign --sign-container-identity CLI (#2984) - Feature: Allow cosign to sign digests before they are uploaded. (#2959) - accepts attachment-tag-prefix for cosign copy (#3014) - Feature: adds '--allow-insecure-registry' for cosign load (#3000) - download attestation: support --platform flag (#2980) - Cleanup: Add Digest to the SignedEntity interface. (#2960) - verify command: support keyless verification using only a provided certificate chain with non-fulcio roots (#2845) - verify: use workers to limit the paralellism when verifying images with --max-workers flag (#3069) - Bug Fixes - Fix pkg/cosign/errors (#3050) - Fix: update doc to refer to github-actions oidc provider (#3040) - Fix: prefer GitHub OIDC provider if enabled (#3044) - Fix --sig-only in cosign copy (#3074) - Documentation - Fix links to sigstore/docs in markdown files (#3064) ------------------------------------------------------------------- Sun May 7 11:58:02 UTC 2023 - Marcus Meissner <meissner@suse.com> - update to 2.0.2 (jsc#SLE-23879) Enhancements - Update sigstore/sigstore to v1.6.2 to pick up TUF CDN change (#2891) - feat: Make cosign copy faster (#2901) - remove sget (#2885) - Require a payload to be provided with a signature (#2785) Bug Fixes - cmd: Change error message from KeyParseError to PubKeyParseError for verify-blob. 
(#2876) - Use SOURCE_DATE_EPOCH for OCI CreatedAt times (#2878) Documentation - Remove experimental warning from Fulcio flags (#2923) - add missing oidc provider (#2922) - Add zot as a supported registry (#2920) - deprecates kms_support docs (#2900) - chore(docs) deprecate note for usage docs (#2906) - adds note of deprecation for examples.md docs (#2899) ------------------------------------------------------------------- Mon Apr 17 07:56:14 UTC 2023 - Marcus Meissner <meissner@suse.com> - update to 2.0.1 (jsc#SLE-23879) Enhancements - Add environment variable token provider (#2864) - Remove cosign policy command (#2846) - Allow customising 'go' executable with GOEXE var (#2841) - Consistent tlog warnings during verification (#2840) - Add riscv64 arch (#2821) - Default generated PEM labels to SIGSTORE (#2735) - Update privacy statement and confirmation (#2797) - Add exit codes for verify errors (#2766) - Add Buildkite provider (#2779) - verify-blob-attestation: Loosen arg requirements if --check-claims=false (#2746) Bug Fixes - PKCS11 sessions are now opened read only (#2853) - Makefile: date format of log should not show signatures (#2835) - Add missing flags to cosign verify dockerfile/manifest (#2830) - Add a warning to remember how to configure a custom Gitlab host (#2816) - Remove tag warning message from save/copy commands (#2799) - Mark keyless pem files with b64 (#2671) ------------------------------------------------------------------- Tue Apr 4 20:02:41 UTC 2023 - Dirk Müller <dmueller@suse.com> - fix buildtags - build against a maintained golang version (upstream uses go1.20) ------------------------------------------------------------------- Mon Feb 27 12:31:33 UTC 2023 - Marcus Meissner <meissner@suse.com> - update to 2.0.0 (jsc#SLE-23879) Breaking Changes: * insecure-skip-tlog-verify: rename and adapt the cert expiration check (#2620) * Deprecate --certificate-email flag. 
Make --certificate-identity and -… (#2411) Enhancements: * Change go module name to github.com/sigstore/cosign/v2 for Cosign 2.0 (#2544) * Allow users to pass in a path for the --identity-token flag (#2538) * Breaking change: Respect tlog-upload=false, default to true (#2505) * Support outputing a certificate without uploading to the tlog (#2506) * Attestation/Blob signing and verification using a RFC3161 time-stamping server (#2464) * respect tlog-upload flag with TSA (#2474) * Better feedback if specifying incompatible argument on cosign sign --attachment (#2449) * Support TSA and Rekor verifications (#2463) * add support for tsa signing and verification of images (#2460) * cosign policy sign: remove experimental flag and make keyless signing default (#2459) * Remove experimental mode from cosign attest and verify-attestation (#2458) * Remove experimental mode from sign-blob and verify-blob (#2457) * Add --offline flag to force offline verification (#2427) * Air gap support (#2299) * Breaking change: Change SCT verification behavior to default to enforcement (#2400) * Breaking change: remove --force flag from sign and attest and rely on --yes flag to skip confirmation (#2399) * Breaking change: replace --no-tlog-upload flag with --tlog-upload flag (#2397) * Remove experimental flag from cosign sign and cosign verify (#2387) * verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a key from rekor's API (#2362) * Add warning to use digest instead of tags to other cosign commands (#2650) * Fix up UI messages (#2629) * Remove hardcoded Fulcio from output (#2621) * Fix missing privacy statement, print in multiple locations (#2622) * feat: allows custom key names for import-key-pair (#2587) * feat: support keyless verification for verify-blob-attestation (#2525) * attest-blob: add functionality for keyless signing (#2515) * Rego: add support for custom error/warning messages when evaluating rego rules (#2577) * feat: add debug information to cert 
validation error (#2579) * Support non-Sigstore TSA requests (#2708) * Add COSIGN_OCI_EXPERIMENTAL, push .sig/.sbom using OCI 1.1+ digest tag (#2684) * Output certificate in bundle when entry is not uploaded to Rekor (#2715) * attach signature and attach sbom must use STDIN to upload raw string (#2637) * add generate-key-pair GitHub Enterprise server support (#2676) * add in format string for warning (#2699) * Support for fetching Fulcio certs with self-managed key (#2532) * 2476 predicate type download (#2484) Bug Fixes: * Fix the file existence check. (#2552) * Fix timestamp verification, add verify-blob tests (#2527) * Fix(verify): Consolidate certificate expiry logic (#2504) * Updates to Timestamp signing and verification (#2499) * Fix: removes attestation payload from attest-blob's output & no base64 encoding (#2498) * Fix path for e2e-tests badge (#2490) * Fix spdx json media type (#2479) * Fix sct verificaction (#2426) * Fix: panic with unsigned local image (#2656) * Make sure a cert passed in via --cert matches the bundle cert (#2652) * Fix: fix github oidc post submit test (#2594) * Fix: add enhanced error messages for failing verification with TUF targets (#2589) * Fix: Add missing schemes to cosign predicate types. (#2717) * Fix: Drop the CosignPredicate wrapper around SBOM attestations. (#2718) * Fix prompts with Windows line endings (#2674) ------------------------------------------------------------------- Tue Oct 18 12:37:41 UTC 2022 - Marcus Meissner <meissner@suse.com> - update to 1.13.1: * verify-blob-attestation: allow multiple subjects in in_toto attestation (#2341) * Nits for #2337 (#2342) * Add verify-blob-attestation command and tests (#2337) * Update warning when users sign images by tag. 
(#2313) * Remove experimental flags from attest-blob and refactor (#2338) * Add --output-attestation flag to attest-blob and remove experimental signing (#2332) * Add attest-blob command (#2286) * Add '--cert-identity' flag to support subject alternate names for ver… (#2278) * Update Dockerfile section of README (#2323) * Fix option description: "sign" --> "verify" (#2306) - update to 1.13.0: * feat: use stdin as an input for predicate by @developer-guy in https://github.com/sigstore/cosign/pull/2269 * feat: improve the verification message by @developer-guy in https://github.com/sigstore/cosign/pull/2268 * use scaffolding 0.4.8 for tests. by @vaikas in https://github.com/sigstore/cosign/pull/2280 * fix pivtool generate key touch policy by @cpanato in https://github.com/sigstore/cosign/pull/2282 * Check error on chain verification failure by @haydentherapper in https://github.com/sigstore/cosign/pull/2284 * Fix: Remove an extra registry request from verification path. by @mattmoor in https://github.com/sigstore/cosign/pull/2285 * Fix: Create a static copy of signatures as part of verification. by @mattmoor in https://github.com/sigstore/cosign/pull/2287 * Data race in FetchSignaturesForReference by @RTann in https://github.com/sigstore/cosign/pull/2283 * Add support for Fulcio username identity in SAN by @haydentherapper in https://github.com/sigstore/cosign/pull/2291 * fix: make tlog entry lookups for online verification shard-aware by @asraa in https://github.com/sigstore/cosign/pull/2297 * Better help text to sign and verify SBOM by @ChristianCiach in https://github.com/sigstore/cosign/pull/2308 * Adding warning to pin to digest by @ChaosInTheCRD in https://github.com/sigstore/cosign/pull/2311 * Add annotations for upload blob. 
by @cldmnky in https://github.com/sigstore/cosign/pull/2188 * replace deprecate package by @cpanato in https://github.com/sigstore/cosign/pull/2314 * update release images to use go1.19.2 and cosign v1.12.1 by @cpanato in https://github.com/sigstore/cosign/pull/2315 ------------------------------------------------------------------- Tue Sep 27 12:05:43 UTC 2022 - Dirk Müller <dmueller@suse.com> - update to 1.12.1: * fix: Pulls Fulcio root and intermediate when --certificate-chain is not passed into verify-blob command. The v1.12.0 release introduced a regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would check a --certificate (without a --certificate-chain provided) against the operating system root CA bundle. In this release, Cosign checks the certificate against Fulcio's CA root instead (restoring the earlier behavior). * fix: fix cert chain validation for verify-blob in non-experimental mode * fix: add COSIGN_EXPERIMENTAL=1 for verify-bloba * Fix BYO-root with intermediate to fetch intermediates from annotation * fix: fixing breaking changes in rekor v1.12.0 upgrade - use go-modules service to generate the vendor.tar and use zstd ------------------------------------------------------------------- Thu Sep 15 12:14:37 UTC 2022 - Marcus Meissner <meissner@suse.com> - updated to 1.12.0 (jsc#SLE-23879) - CVE-2022-36056: Fixed verify-blob could successfully verify an artifact when verification should have failed (bsc#1203430) - Support non-ECDSA key types for verify-blob by @haydentherapper in #2203 - feat: integrate Alibaba Cloud Container Registry cred helper by @mozillazg in #2008 - remove double quotes, looks like it is passing as a single string to cosign and not as an array by @cpanato in #2205 - Clarify error when KMS provider fails to load by @znewman01 in #2220 - feat: set annotations to generate additional bash completion information by @dirien in #2221 - Add deprecation warning for sget CLI and packages by @imjasonh in #2019 - upgrade 
setup-ko to point to new repo by @imjasonh in #2225 - Temp fix for e2e test by @haydentherapper in #2247 - update kind to use release v0.15.0 and some version comments by @cpanato in #2246 - Fix e2e test failure, add test for local bundle without rekor bundle by @haydentherapper in #2248 - fix: fix secret test, non-experimental bundle should pass by @asraa in #2249 - updated to 1.11.1 - add stale workflow using the workflow template by @cpanato in #2175 - Update Scorecard action to v2:alpha by @azeemshaikh38 in #2177 - add release cadence section in the readme by @cpanato in #2179 - feat: Rework fig autocomplete command by @dirien in #2187 - fix: fix typo that caused attestation verification failure by @asraa in #2199 - updated to 1.11.0 - Verify the certificate chain against the Fulcio root trust by default by @wata727 in #2139 - Add notes to clarify registry use. by @bendory in #2145 - Use TUF from scaffolding for validating cosign. by @vaikas in #2146 - docs: clarify wording in spec about usage of certificate chain by @asraa in #2152 - fix: fix blob verification output with sharded rekor tlogs by @asraa in #2157 - fix: adds envelope hash to in-toto entries in tlog entry creation by @nkreiger in #2118 - fix handling of verify-attestation types for URIs by @otms61 in #2159 - fix oidc post-merge job by @cpanato in #2164 - Remove third_party by @imjasonh in #2166 - use updated device flow logic with PKCE by @bobcallaway in #2163 - fix: rekor get tlog entry with uuid by @asraa in #2058 - update e2e job to run only when push to main by @cpanato in #2169 - fix: add env cmd to root by @developer-guy in #2171 - fix panic when os.Stat returns an error besides ErrNotExists by @dsa0x in #2162 ------------------------------------------------------------------- Fri Aug 5 14:03:51 UTC 2022 - Marcus Meissner <meissner@suse.com> - updated to 1.10.1 (jsc#SLE-23879) - CVE-2022-35929: Fixed that cosign verify-attestaton --type can report a false positive if any attestation exists 
(GHSA-vjxv-45g9-9296 (bsc#1202157) - What else changed: - add flag to allow skipping upload to transparency log by @k4leung4 in #2089 - Improve error message when no sigs/atts are found for an image by @imjasonh in #2101 - Change Result in Vulnerability Attestation to interface{} by @knqyf263 in #2096 - Fix field names in the vulnerability attestation by @otms61 in #2099 - remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint by @cpanato in #2105 - sparkles Enable Scorecard badge by @azeemshaikh38 in #2109 - Resolves #522 set Created date to time of execution by @Lerentis in #2108 - Introduce a custom error type to classify errors. by @mattmoor in #2114 - feat: attach: attestation: allow passing multiple payloads by @Dentrax in #2085 - update cross-builder to go1.18.5 and cosign image to 1.10.0 by @cpanato in #2119 - chore: fix documentation and warning on using untrusted rekor key by @asraa in #2124 - Correct the type used for attest by @mattmoor in #2128 ------------------------------------------------------------------- Wed Jul 27 13:41:54 UTC 2022 - Marcus Meissner <meissner@suse.com> - updated to 1.10.0 - replace gcr.io/distroless/ to use ghcr.io/distroless/ by @cpanato in #1961 - Separate RegExp matching of issuer/subject from strict by @vaikas in #1956 - tuf: improve TUF client concurrency and caching by @asraa in #1953 - Add Cloudsmith Container Registry to tested registry list by @ciaracarey in #1966 - feat(fulcioroots): singleton error pattern by @developer-guy in #1965 - Drop tuf client dependency on GCS client library by @imjasonh in #1967 - Add spdxjson predicate type for attestations by @jdolitsky in #1974 - Remove policy-controller now that it lives in sigstore/policy-controller by @vaikas in #1976 - cleanup: unexport kubernetes.Client method by @imjasonh in #1973 - cleanup ci job and remove policy-controller references by @cpanato in #1981 - fix/update post build job by @cpanato in #1983 - docs: updated 
Azure kms commands. by @JBrejnholt in #1972 - Add cyclonedx predicate type for attestations by @jdolitsky in #1977 - Route deprecated -version to version subcommand by @puerco in #1854 - docs(readme): add installation steps for container image for cosign binary by @developer-guy in #1986 - Add --platform flag to cosign sbom download by @puerco in #1975 - Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore by @imjasonh in #1866 - Add --oidc-provider flag to specify which provider to use for ambient credentials by @priyawadhwa in #1998 - encrypt values to create the github action secret by @cpanato in #1990 - sign-blob: bundle should work independently and respect --output-certificate and --output-signature by @Dentrax in #2016 - Attempt to clean up pkg/cosign by @imjasonh in #2018 - public-key: fix command description by @Dentrax in #2024 - [NFC] specs: fix list formatting on SIGNATURE_SPEC by @woodruffw in #2030 - feat: cert-extensions verify by @developer-guy in #1626 - Fix #1378 create new attestation signature in replace mode if not existent by @Syquel in #2014 - Use cosign.ConfirmPrompt more consistently by @imjasonh in #2039 - chore: add a note about SIGSTORE_REKOR_PUBLIC_KEY var by @hectorj2f in #2040 - Fix OIDC test by @cpanato in #2050 - Add env subcommand. by @wlynch in #2051 - remove tests with 1.21 k8s cluster because it is deprecated and add v1.23/24 by @cpanato in #2055 - update ct/otel and etcd by @cpanato in #2054 - chore(deps): CycloneDX PredicateType changed to use in-toto-golang by @masahiro331 in #2067 - Remove replace directives in go.mod. 
by @wlynch in #2070 - update design doc link by @bobcallaway in #2077 - Remove hack/tools.go by @imjasonh in #2080 - fix missing quote by @cpanato in #2090 - removed cosigned and webhook ------------------------------------------------------------------- Sat Jun 18 14:16:31 UTC 2022 - Marcus Meissner <meissner@suse.com> - updated to 1.9.0 - Check failure message of policy that fails with issuer mismatch by @vaikas in #1815 - [Cosigned] Add signature pull secrets by @DennyHoang in #1805 - feat: add rego policy support by @hectorj2f in #1817 - Refactor fulcio signer to take in KeyOpts (take 2) by @wlynch in #1818 - cosigned: Test unsupported KMS providers by @imjasonh in #1820 - chore(deps): Included dependency review by @naveensrinivasan in #1792 - Add auth flow option to KeyOpts. by @wlynch in #1827 - Document Staging instance usage with Keyless by @k4leung4 in #1824 - New flag --oidc-providers-disable to disable OIDC providers by @puerco in #1832 - Validate tlog entry when verifying signature via public key. by @wlynch in #1833 - Add function to explicitly request a certain provider by @priyawadhwa in #1837 - cosigned: Fix podAntiAffinity labels by @elfotografo007 in #1841 - remove exclude from go.mod by @cpanato in #1846 - [Cosigned] Glob matching improvement by @DennyHoang in #1842 - sget: Enable KMS providers for sget by @imjasonh in #1852 - Fix piv-tool generate-key command in TOKENS doc by @nealmcb in #1850 - Add IBM Cloud Container Registry to tested registry list by @bainsy88 in #1856 - If SBOM ref has .json suffix, assume JSON mediatype by @jdolitsky in #1859 - Add rekor.0.pub TUF target to unit tests by @priyawadhwa in #1860 - Normalize certificate flag names by @haydentherapper in #1868 - Check certificate policy flags with only a certificate by @haydentherapper in #1869 - Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go by @cpanato in #1861 - Point git commmit FUN.md to gitsign! 
by @wlynch in #1874 - [cosigned] remove regex from the image pattern fields by @hectorj2f in #1873 - go.mod: format go.mod by @zchee in #1879 - Remove dependency on deprecated github.com/pkg/errors by @zchee in #1887 - tree: only report artifacts that are present by @ribbybibby in #1872 - update README with ebpf modules by @EItanya in #1888 - Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d by @vpnachev in #1889 - v1beta1 API for cosigned by @vaikas in #1890 - tree: support --attachment-tag-prefix by @ribbybibby in #1900 - [cosigned] Remove undefined apiGroups from policy clusterrole by @vpnachev in #1896 - GHSA-66x3-6cw3-v5gj: Update go-tuf to v0.3.0 by @janisz in #1894 - The timeout arg in golangci-lint has been moved to the generic args p… by @dlorenc in #1901 - [cosigned] Rename cosigned references to policy-controller by @hectorj2f in #1893 - Move deprecated dependency: google/trillian/merkle to transparency-dev by @cpanato in #1910 - Add support for "**" in image glob matching by @imjasonh in #1914 - Add privacy statement for PII storage by @haydentherapper in #1909 - Do not push to public rekor. 
by @vaikas in #1931 - fix: fix fetching updated targets from TUF root by @asraa in #1921 - fix: fix #1930 for AWS KMS formats by @vaikas in #1946 - update cross-builder image to use go1.17.11 by @cpanato in #1950 - remove deprecation from goreleaser, go-fish is not supported anymore by @cpanato in #1952 - add changelog for v1.9.0 by @cpanato in #1955 - add parallelism for goreleaser by @cpanato in #1957 ------------------------------------------------------------------- Sat May 21 13:07:53 UTC 2022 - Marcus Meissner <meissner@suse.com> - updated to 1.8.0 - Move the KMS integration imports into the binary entrypoints by @mattmoor in #1744 - [Cosigned] Convert functions for webhookCIP from v1alpha1 by @DennyHoang in #1736 - Refactor policy related code, add support for vuln verify by @vaikas in #1747 - Use bundle log ID to find verification key by @haydentherapper in #1748 - [cosigned] The webhook name is now configurable via --webhook-name flag by @vpnachev in #1726 - Add intermediate CA certificate pool for Fulcio by @haydentherapper in #1749 - test: create fake TUF test root and create test SETs for verification by @asraa in #1750 - Implement identities, fix bug in webhook validation. by @vaikas in #1759 - Validate issuer/subject regexp in validate webhook. by @vaikas in #1761 - chore: add warning when attaching sBOMs by @hectorj2f in #1756 - Verify embedded SCTs by @haydentherapper in #1731 - chore: add warning when downloading a sBOM by @hectorj2f in #1763 - [policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags by @vpnachev in #1757 - Break the CIP action tests into a sh script. 
by @vaikas in #1767 - tuf: add debug info if tuf update fails by @asraa in #1766 - cosigned: add support for rsa keys by @hectorj2f in #1768 - Cosigned validate against remote sig src by @DennyHoang in #1754 - Add Fulcio intermediate CA certificate to intermediate pool by @haydentherapper in #1774 - fix: more informative error by @ybelMekk in #1778 - Run update-codegen. by @wlynch in #1789 - Remove the dependency on v1alpha1.Identity which brings in unnecessary k8s deps. by @vaikas in #1790 - Refactor fulcio signer to take in KeyOpts. by @wlynch in #1788 - test: add cue unit tests by @hectorj2f in #1791 - Attestations + policy in cip. by @vaikas in #1772 - chore: add rego function to consume modules and evaluate them by @hectorj2f in #1787 - Add parallelization for processing policies / authorities. by @vaikas in #1795 - Allow passing keys via environment variables (env:// refs) by @znewman01 in #1794 - Handle context cancelled properly + tests. by @vaikas in #1796 - Fix a bug where an error would send duplicate results. by @vaikas in #1797 - Revert "Refactor fulcio signer to take in KeyOpts. (#1788)" by @wlynch in #1798 - cosigned: Unify cue data and policy before evaluating it by @hectorj2f in #1793 - Don't fail open in VerifyBundle by @mtrmac in #1648 - Load in intermediate cert pool from TUF by @haydentherapper in #1804 - Support PKCS1 encoded and non-ECDSA CT log public keys by @haydentherapper in #1806 ------------------------------------------------------------------- Tue Apr 26 09:50:07 UTC 2022 - Marcus Meissner <meissner@suse.com> - updated to 1.7.2 - [Cosigned] Fix publicKey unmarshal by @DennyHoang in #1719 - fix: add permissions to patch events by @hectorj2f in #1722 - Make public all types required to use ValidatePolicy by @jdolitsky in #1727 - Add unit tests for IntotoAttestation verifier. 
by @vaikas in #1728 - Remove newline from download sbom output by @ribbybibby in #1732 - Fix packages name and binary in the packages by @cpanato in #1734 - Fix fulcioroots test and linter error by @haydentherapper in #1741 - Support non-ECDSA public keys in certificates by @haydentherapper in #1740 - bug: remove old fulcio root and fix fallback target code by @asraa in #1738 - updated to 1.7.1 - pkcs11: fix build instructions by @rgerganov in #1550 - add definition for artifact hub to verify the ownership by @cpanato in #1563 - Add example using AWS Key Management Service (KMS) by @davivcgarcia in #1564 - Start of the necessary pieces to get #1418 and #1419 implemented by @vaikas in #1562 - Support deletion of ClusterImagePolicy by @vaikas in #1580 - 1417 policy validations by @kkavitha in #1548 - Don't lowercase input image refs, just fail by @imjasonh in #1586 - Fix #1583 #1582. Disallow regex now until implemented. by @vaikas in #1584 - Fix piping 'cosign verify' using fulcio/rekor by @marcofranssen in #1590 - Fix #1592 move authorities as siblings of images. by @vaikas in #1593 - Add ability to inline secrets from SecretRef to configmap. by @vaikas in #1595 - Fix copy/paste mistake in repo name. by @k4leung4 in #1600 - Use reusuable release workflow in sigstore/sigstore by @k4leung4 in #1599 - Add public key validation by @kkavitha in #1598 - Validate a public key in a secret is valid. by @vaikas in #1602 - Ensure entry is removed from CM on secret error. by @vaikas in #1605 - Add two env variables. One for using Rekor public key from OOB and one for fetching it from Rekor server by @vaikas in #1610 - Init entity from ociremote when signing a digest ref by @puerco in #1616 - rename ca-key to ca-cert. 
    Fix 1608, 1613 by @vaikas in #1617
  - improve cosigned validation error messages by @cpanato in #1618
  - Use latest knative/pkg's configmap informer by @tcnghia in #1615
  - Included OpenSSF Best Practices Badge by @naveensrinivasan in #1628
  - FUN.md broke when RecordObj changed to HashedRecordObj by @MitchellJThomas in #1633
  - update crane to v0.8.0 release by @cpanato in #1635
  - push latest tag when building a release by @cpanato in #1636
  - Add extra label and change the latest tag to unstable for non tagged releases by @cpanato in #1637
  - Document Elastic container registry support by @mgreau in #1641
  - Validate authority keys by @coyote240 in #1623
  - feat: tree command utility by @developer-guy in #1603
  - fix build date format for version command by @cpanato in #1644
  - Add support for intermediate certificates when verifying by @haydentherapper in #1631
  - Prompt user before running cosign clean by @priyawadhwa in #1649
  - Use ClusterImagePolicy with Keyless + e2e tests for CIP with kind by @vaikas in #1650
  - KEYLESS.md: Shorten example OAuth URL by @tstromberg in #1661
  - Use syscall.Stdin for input handle.
    Fixes #1153 by @mdp in #1657
  - Add support for certificate chain to verify certificate by @haydentherapper in #1659
  - First batch of followups to #1650 by @vaikas in #1664
  - Add certificate chain flag for signing by @haydentherapper in #1656
  - [attach]: Add specific suffixes mediaTypes to sboms by @hectorj2f in #1663
  - update font when output the cosign version by @cpanato in #1668
  - feat: add ability to override registry keychain by @noamichael in #1666
  - remove replace directive by @cpanato in #1669
  - Refactor based on discussions in #1650 by @vaikas in #1674
  - Find all valid entries in verify-blob by @priyawadhwa in #1673
  - Fix relative paths in GitHub OIDC blob test by @priyawadhwa in #1677
  - Add support for cert and cert chain flags with PKCS11 tokens by @haydentherapper in #1671
  - Use cosign @ HEAD for GitHub OIDC sign blob test by @priyawadhwa in #1678
  - Make cosign copy copy metadata attached to child images. by @mattmoor in #1682
  - change file_name_template to PackageName by @strongjz in #1683
  - Update error message for verify/verify attestation by @haydentherapper in #1686
  - cosign clean: Don't log failure if the registry responds with 404 by @imjasonh in #1687
  - verify: add leaf hash verification for tlog entries by @asraa in #1688
  - Fix handling of policy in verify-attestation by @lcarva in #1672
  - Add e2e test for attest / verify-attestation by @vaikas in #1685
  - verify: remove extra calls to rekor for verify and verify-blob by @asraa in #1694
  - Remove the hardcoded sigstore audience by @mattmoor in #1698
  - Use ValidatePubKey from sigstore/sigstore by @haydentherapper in #1676
  - Use the github actions from sigstore/scaffolding.
    by @vaikas in #1699
  - sign: set the oidc redirect uri by @hectorj2f in #1675
  - add back the go mod proxy by @cpanato in #1701
  - enable 1.23 tests (Test cosigned with ClusterImagePolicy) by @cpanato in #1702
  - Fix incorrect unmarshalling of SCT response by @haydentherapper in #1704
  - Make CLI flag for OIDC client secret take a path by @znewman01 in #1705
  - cosigned: read the public key from the kms authority by @hectorj2f in #1706
  - fix latest tag when running a release job by @cpanato in #1707
  - [Cosigned] Parse and store publicKey data earlier by @DennyHoang in #1681
  - Dont overwrite token set in keyOpts by @puerco in #1709
  - refactor release job by @cpanato in #1710

-------------------------------------------------------------------
Fri Apr 1 14:46:30 UTC 2022 - Marcus Meissner <meissner@suse.com>

- updated to 1.6.0
  - Fix double time import in e2e tests by @saschagrunert in #1388
  - Add --timeout support to sign command by @saschagrunert in #1379
  - Fix comparison in replace option for attestation by @bburky in #1366
  - Add Cosign logo to README by @nsmith5 in #1395
  - Minor refactor to verify SCT and Rekor entry with multiple keys by @haydentherapper in #1396
  - Fix a link of SECURITY.md by @knqyf263 in #1399
  - update cosign and cross-build image for the release job by @cpanato in #1400
  - feat: login command by @developer-guy in #1398
  - TUF: Add root status output by @asraa in #1404
  - Add a newline after password input by @knqyf263 in #1407
  - make imageRef lowercase before parsing by @bobcallaway in #1409
  - Improve error message when image is not found in registry by @imjasonh in #1410
  - Add ability to override the Spiffe socket via environmental variable: by @vaikas in #1421
  - Fix incorrect error check when verifying SCT by @haydentherapper in #1422
  - Skip the ReadWrite test that flakes on Windows. by @dlorenc in #1415
  - Allow PassFunc to be nil by @saschagrunert in #1426
  - Update the cosign keyless documentation to point to the GA release.
    by @dlorenc in #1427
  - Remove TUF timestamp from OCI signature bundle by @haydentherapper in #1428
  - Add docs on API stability and deprecation table by @priyawadhwa in #1429
  - update cross-build image which adds goimports by @cpanato in #1435
  - feat: enhance clean cmd capability by @developer-guy in #1430
  - use the upstream kubernetes version lib and ldflags by @n3wscott in #1413
  - Improve log lines to match with implementation by @marcofranssen in #1432
  - feat: fig autocomplete feature by @developer-guy in #1360
  - update cross-build to use go 1.17.7 by @cpanato in #1446
  - Fetch verification targets by TUF custom metadata by @haydentherapper in #1423
  - feat: add -buildid= to ldflags by @developer-guy in #1451
  - Streamline SignBlobCmd API with SignCmd by @saschagrunert in #1454
  - convert release cosigned to also generate yaml artifact. by @k4leung4 in #1453
  - Fix tkn link in readme by @Yongxuanzhang in #1459
  - Print message when verifying with old TUF targets by @haydentherapper in #1468
  - fix(sign): refactor unsupported provider log by @Dentrax in #1464
  - tests: /bin/bash -> /usr/bin/env bash by @znewman01 in #1470
  - Double goreleaser timeout by @znewman01 in #1472
  - increase timeout for goreleaser snapshot by @cpanato in #1473
  - fix(sign): kms unsupported message by @Dentrax in #1475
  - refactor release cloudbuild job by @cpanato in #1476
  - Fix wording on attach attestation help by @luhring in #1480
  - update go-tuf and simplify TUF client code by @asraa in #1455
  - add initial changelog for 1.5.2 by @cpanato in #1483
  - Fix linter error on main by @priyawadhwa in #1484
  - Update Changelog for Security Advisory by @cpanato in #1485
  - chore(makefile): use kocache, convert publish to build by @developer-guy in #1488
  - Pick up a change to quiet ECR-login logging.
    by @mattmoor in #1491
  - feat: support other types in copy cmd by @developer-guy in #1493
  - Pick up some of the shared workflows by @mattmoor in #1490
  - feat: nominate Dentrax as codeowner by @developer-guy in #1492
  - add correct layer media type to cosign attach attestation by @spiffcs in #1503
  - This sets up the scaffolding for the cosigned CRD types. by @mattmoor in #1504
  - use v6 api calls in GH action for updating release milestones by @bobcallaway in #1511
  - Add skeleton reconciler for cosigned API CRD. by @mattmoor in #1513
  - bug fix: import ed25519 keys and fix error handling by @asraa in #1518
  - optimize codeql speed by using caching and tracing by @bobcallaway in #1519
  - Add a dummy.go file to allow vendoring config by @jdolitsky in #1520
  - Add CertExtensions func to extract all extensions by @ckotzbauer in #1515
  - chore(ci): add artifact hub support by @Dentrax in #1522
  - Change Fulcio URL default to be fulcio.sigstore.dev by @haydentherapper in #1529
  - Add codecov as github action, set permissions to read content only by @k4leung4 in #1530
  - images: remove --bare flags that conflict with --base-import-paths by @cpanato in #1533
  - Quay OCI Support in README by @sabre1041 in #1539
  - add rpm,deb and apks for cosign packages by @strongjz in #1537
  - Consistent parenthesis use in Makefile by @k4leung4 in #1541
  - add changelog for 1.6.0 by @cpanato in #1535
  - update golang cross image by @cpanato in #1543
  - Add fields in policy CRD by @kkavitha in #1540
  - Disable for now due some issues when downloading the knative module by @cpanato in #1546

-------------------------------------------------------------------
Mon Feb 21 12:28:25 UTC 2022 - Marcus Meissner <meissner@suse.com>

- updated to 1.5.2:
  - This release contains fixes for CVE-2022-23649, affecting signature
    validations with Rekor. Only validation is affected; it is not necessary
    to re-sign any artifacts. (bsc#1196239)
- updated to 1.5.1:
  - Bump sigstore/sigstore to pick up oidc login for vault.
    (#1377)
  - Bump google.golang.org/api from 0.65.0 to 0.66.0 (#1371)
  - expose defaults fulcio, rekor, oidc issuer urls (#1368)
  - add check to make sure the go modules are in sync (#1369)
  - README: fix link to race conditions (#1367)
  - Bump cloud.google.com/go/storage from 1.18.2 to 1.19.0 (#1365)
  - docs: verify-attestation cue and rego policy doc (#1362)
  - Update verify-blob to support DSSEs (#1355)
  - organize, update select deps (#1358)
  - Bump go-containerregistry to pick up ACR keychain fix (#1357)
  - Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (#1352)
  - sync go modules (#1353)

-------------------------------------------------------------------
Tue Jan 25 12:39:54 UTC 2022 - Marcus Meissner <meissner@suse.com>

- updated to 1.5.0
  ## Highlights
  * enable sbom generation when releasing (https://github.com/sigstore/cosign/pull/1261)
  * feat: log error to stderr (https://github.com/sigstore/cosign/pull/1260)
  * feat: support attach attestation (https://github.com/sigstore/cosign/pull/1253)
  * feat: resolve --cert from URL (https://github.com/sigstore/cosign/pull/1245)
  * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1237)
  * feat: vuln attest support (https://github.com/sigstore/cosign/pull/1168)
  * feat: add ambient credential detection with spiffe/spire (https://github.com/sigstore/cosign/pull/1220)
  * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1236)
  * feat: implement cosign download attestation (https://github.com/sigstore/cosign/pull/1216)
  ## Enhancements
  * Don't use k8schain, statically link cloud cred helpers in cosign (https://github.com/sigstore/cosign/pull/1279)
  * Export function to verify individual signature (https://github.com/sigstore/cosign/pull/1334)
  * Add suffix with digest to signature file output for recursive signing (https://github.com/sigstore/cosign/pull/1267)
  * Take OIDC client secret into account (https://github.com/sigstore/cosign/pull/1310)
  * Add --bundle
    flag to sign-blob and verify-blob (https://github.com/sigstore/cosign/pull/1306)
  * Add flag to verify OIDC issuer in certificate (https://github.com/sigstore/cosign/pull/1308)
  * add OSSF scorecard action (https://github.com/sigstore/cosign/pull/1318)
  * Add TUF timestamp to attestation bundle (https://github.com/sigstore/cosign/pull/1316)
  * Provide certificate flags to all verify commands (https://github.com/sigstore/cosign/pull/1305)
  * Bundle TUF timestamp with signature on signing (https://github.com/sigstore/cosign/pull/1294)
  * Add support for importing PKCS#8 private keys, and add validation (https://github.com/sigstore/cosign/pull/1300)
  * add error message (https://github.com/sigstore/cosign/pull/1296)
  * Move bundle out of `oci` and into `bundle` package (https://github.com/sigstore/cosign/pull/1295)
  * Reorganize verify-blob code and add a unit test (https://github.com/sigstore/cosign/pull/1286)
  * One-to-one mapping of invocation to scan result (https://github.com/sigstore/cosign/pull/1268)
  * refactor common utilities (https://github.com/sigstore/cosign/pull/1266)
  * Importing RSA and EC keypairs (https://github.com/sigstore/cosign/pull/1050)
  * Refactor the tuf client code. (https://github.com/sigstore/cosign/pull/1252)
  * Moved certificate output before checking for upload during signing (https://github.com/sigstore/cosign/pull/1255)
  * Remove remaining ioutil usage (https://github.com/sigstore/cosign/pull/1256)
  * Update the embedded TUF metadata. (https://github.com/sigstore/cosign/pull/1251)
  * Add support for other public key types for SCT verification, allow override for testing.
    (https://github.com/sigstore/cosign/pull/1241)
  * Log the proper remote repo for the signatures on verify (https://github.com/sigstore/cosign/pull/1243)
  * Do not require multiple Fulcio certs in the TUF root (https://github.com/sigstore/cosign/pull/1230)
  * clean up references to 'keyless' in `ephemeral.Signer` (https://github.com/sigstore/cosign/pull/1225)
  * create `DSSEAttestor` interface, `payload.DSSEAttestor` implementation (https://github.com/sigstore/cosign/pull/1221)
  * use `mutate.Signature` in the new `Signer`s (https://github.com/sigstore/cosign/pull/1213)
  * create `mutate` functions for `oci.Signature` (https://github.com/sigstore/cosign/pull/1199)
  * add a writeable `$HOME` for the `nonroot` cosigned user (https://github.com/sigstore/cosign/pull/1209)
  * signing attestation should private key (https://github.com/sigstore/cosign/pull/1200)
  * Remove the "upload" flag for "cosign initialize" (https://github.com/sigstore/cosign/pull/1201)
  * create KeylessSigner (https://github.com/sigstore/cosign/pull/1189)
  ## Bug Fixes
  * fix: cosign verify for vault (https://github.com/sigstore/cosign/pull/1328)
  * fix missing goimports (https://github.com/sigstore/cosign/pull/1327)
  * Fix TestSignBlobBundle (https://github.com/sigstore/cosign/pull/1320)
  * Fix a couple bugs in cert verification for blobs (https://github.com/sigstore/cosign/pull/1287)
  * Fix a few bugs in cosign initialize (https://github.com/sigstore/cosign/pull/1280)
  * Fix the unit tests with expired TUF metadata. (https://github.com/sigstore/cosign/pull/1270)
  * Fix output-file flag. (https://github.com/sigstore/cosign/pull/1264)
  * fix: typo in the error message (https://github.com/sigstore/cosign/pull/1250)
  * Fix semantic bugs in attestation verification. (https://github.com/sigstore/cosign/pull/1249)
  * Fix semantic bug in DSSE specification.
    (https://github.com/sigstore/cosign/pull/1248)
- vendor.tar.bz2: go mod vendor

-------------------------------------------------------------------
Tue Jan 25 09:05:54 UTC 2022 - Bernhard Wiedemann <bwiedemann@suse.com>

- Fix BUILD_DATE for reproducible build results (boo#1047218)

-------------------------------------------------------------------
Thu Jan 6 14:49:19 UTC 2022 - Marcus Meissner <meissner@suse.com>

- cosign 1.4.1 release, initial import
- provides signing / verification support for sigstore