Releases: sigstore/cosign
v2.4.1
Changelog
- 9a4cfe1 update changelog for v2.4.1 (#3896)
- 0bd0d91 chore(deps): bump actions/checkout in the actions group (#3893)
- 66af64e chore(deps): bump github.com/theupdateframework/go-tuf/v2 (#3895)
- 677a262 bump scaffolding release to v0.7.11 (#3887)
- 77f71e0 Update README.md (#3886)
- 4393313 Fix bug in attest-blob when using a timestamp authority with new bundles (#3877)
- 081dea1 fix: documentation link for installation guide (#3884)
- 780780b chore(deps): bump github.com/xanzy/go-gitlab from 0.108.0 to 0.109.0 (#3867)
- dee0b23 chore(deps): bump github.com/buildkite/agent/v3 from 3.79.0 to 3.81.0 (#3874)
- 4ffbf5f update to use go1.22.7 and golangci-lint (#3864)
- 4c35ffc chore(deps): bump github.com/sigstore/sigstore-go from 0.6.0 to 0.6.1 (#3863)
- 081ad98 use go1.22.6 to build cosign (#3862)
- f90977c chore(deps): bump github.com/open-policy-agent/opa from 0.67.1 to 0.68.0 (#3861)
- c1e5085 chore(deps): bump google.golang.org/api from 0.194.0 to 0.195.0 (#3860)
- 42fd5f2 chore(deps): bump github.com/mozillazg/docker-credential-acr-helper (#3859)
- 4beb7f4 chore(deps): bump github.com/buildkite/agent/v3 from 3.78.0 to 3.79.0 (#3858)
- 247c9dc chore(deps): bump go.step.sm/crypto in the gomod group (#3857)
- 842d3cc chore(deps): bump actions/upload-artifact in the actions group (#3856)
- 8defb0e chore(deps): bump google.golang.org/api from 0.192.0 to 0.194.0 (#3852)
- fe71244 chore(deps): bump github.com/xanzy/go-gitlab from 0.107.0 to 0.108.0 (#3851)
- 84e979d chore(deps): bump the actions group across 1 directory with 3 updates (#3853)
- 198b8e4 chore(deps): bump github.com/buildkite/agent/v3 from 3.77.0 to 3.78.0 (#3850)
- 2820709 chore(deps): bump github.com/sigstore/fulcio in the gomod group (#3848)
- d712844 add oss-fuzz build script, seeds and dictionaries (#3843)
- 8a4f390 chore(deps): bump github.com/sigstore/fulcio from 1.5.1 to 1.6.2 (#3839)
- be4cdc2 chore(deps): bump google.golang.org/api from 0.191.0 to 0.192.0 (#3837)
- 30c1d0f chore(deps): bump github.com/sigstore/sigstore-go from 0.5.1 to 0.6.0 (#3840)
- 9c0c81c fuzzing: add fuzzers for multiple packages (#3834)
- 3694644 chore(deps): bump the gomod group with 2 updates (#3824)
- 182f64b chore(deps): bump github.com/buildkite/agent/v3 from 3.76.2 to 3.77.0 (#3828)
- fa12845 chore(deps): bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#3825)
- cddce0f chore(deps): bump google.golang.org/api from 0.190.0 to 0.191.0 (#3830)
- e99c1a5 chore(deps): bump github.com/docker/docker (#3823)
- b23586d Add changelog for v2.4.0 (#3821)
- cb338e9 Add missing permission to push containers (#3822)
Thanks to all contributors!
v2.4.0
v2.4.0 begins the modernization of the Cosign client, which includes:
- Support for the newer Sigstore specification-compliant bundle format
- Support for providing trust roots (e.g. Fulcio certificates, Rekor keys) through a trust root file, instead of many different flags
- Conformance test suite integration to verify signing and verification behavior
In future updates, we'll include:
- General support for the trust root file, instead of only when using the bundle format during verification
- Simplification of trust root flags and deprecation of the Cosign-specific bundle format
- Bundle support with container signing
We have also moved nightly Cosign container builds to GHCR instead of GCR.
Features
- Add new bundle support to verify-blob and verify-blob-attestation (#3796)
- Adding protobuf bundle support to sign-blob and attest-blob (#3752)
- Bump sigstore/sigstore to support email_verified as string or boolean (#3819)
- Conformance testing for cosign (#3806)
- move incremental builds per commit to GHCR instead of GCR (#3808)
- Add support for recording creation timestamp for cosign attest (#3797)
- Include SCT verification failure details in error message (#3799)
Contributors
- Bob Callaway
- Hayden B
- Slavek Kabrda
- Zach Steindler
- Zsolt Horvath
Full Changelog: v2.3.0...v2.4.0
v2.3.0
Features
- Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#3693)
- add registry options to cosign save (#3645)
- Add debug providers command. (#3728)
- Make config layers in ociremote mountable (#3741)
- upgrade to go1.22 (#3739)
- adds tsa cert chain check for env var or tuf targets. (#3600)
- add --ca-roots and --ca-intermediates flags to 'cosign verify' (#3464)
- add handling of keyless verification for all verify commands (#3761)
Bug Fixes
- fix: close attestationFile (#3679)
- Set bundleVerified to true after Rekor verification (Resolves #3740) (#3745)
Documentation
- Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#3776)
Testing
- Refactor KMS E2E tests (#3684)
- Remove sign_blob_test.sh test (#3707)
- Remove KMS E2E test script (#3702)
- Refactor insecure registry E2E tests (#3701)
Contributors
- Billy Lynch
- bminahan73
- Bob Callaway
- Carlos Tadeu Panato Junior
- Cody Soyland
- Colleen Murphy
- Dmitry Savintsev
- guangwu
- Hayden B
- Hector Fernandez
- ian hundere
- Jason Power
- Jon Johnson
- Max Lambrecht
- Meeki1l
Full Changelog: v2.2.4...v2.3.0
v2.2.4
Bug Fixes
- Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
- ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
- fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
- Honor creation timestamp for signatures again (#3549)
Features
- Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)
Documentation
- add oci bundle spec (#3622)
- Correct help text of triangulate cmd (#3551)
- Correct help text of verify-attestation policy argument (#3527)
- feat: add OVHcloud MPR registry tested with cosign (#3639)
Testing
- Refactor e2e-tests.yml workflow (#3627)
- Clean up and clarify e2e scripts (#3628)
- Don't ignore transparency log in tests if possible (#3528)
- Make E2E tests hermetic (#3499)
- add e2e test for pkcs11 token signing (#3495)
Full Changelog: v2.2.3...v2.2.4
v1.13.6
v2.2.3
Bug Fixes
- Fix race condition on verification with multiple signatures attached to image (#3486)
- fix(clean): Fix clean cmd for private registries (#3446)
- Fixed BYO PKI verification (#3427)
Features
- Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
- Add support for OpenVEX predicate type (#3405)
Documentation
- Resolves #3088: version sub-command expected behaviour documentation and testing (#3447)
- add examples for cosign attach signature cmd (#3468)
Misc
Full Changelog: v2.2.2...v2.2.3
v2.2.2
v2.2.2 adds a new container with a shell, gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing container gcr.io/projectsigstore/cosign:vx.y.z without a shell.
For private deployments, we have also added an alias for --insecure-skip-log: --private-infrastructure.
Bug Fixes
- chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411) which fixes a bug with using Azure KMS
- Don't require CT log keys if using a key/sk (#3415)
- Fix copy without any flag set (#3409)
- Update cosign generate cmd to not include newline (#3393)
- Fix idempotency error with signing (#3371)
Features
- Add --yes flag to cosign import-key-pair to skip the overwrite confirmation. (#3383)
- Use the timeout flag value in verify* commands. (#3391)
- add --private-infrastructure flag (#3369)
Container Updates
- Bump builder image to use go1.21.4 and add new cosign image tags with shell (#3373)
Documentation
- Update SBOM_SPEC.md (#3358)
Contributors
- Carlos Tadeu Panato Junior
- Dylan Richardson
- Hayden B
- Lily Sturmann
- Nikos Fotiou
- Yonghe Zhao
Full Changelog: v2.2.1...v2.2.2
v1.13.2
What's Changed
- [release-1.13] update builder image that uses go 1.19.4 by @cpanato in #2521
- Backport GHSA-vfp6-jrw2-99g9 by @cpanato in #3364
Full Changelog: v1.13.1...v1.13.2
v2.2.1
Note: This release comes with a fix for CVE-2023-46737, described in this GitHub Security Advisory. Please upgrade to this release as soon as possible.
Enhancements
- feat: Support basic auth and bearer auth login to registry (#3310)
- add support for ignoring certificates with pkcs11 (#3334)
- Support ReplaceOp in Signatures (#3315)
- feat: added ability to get image digest back via triangulate (#3255)
- feat: add --only flag in cosign copy to copy sign, att & sbom (#3247)
- feat: add support attaching a Rekor bundle to a container (#3246)
- feat: add support outputting rekor response on signing (#3248)
- feat: improve dockerfile verify subcommand (#3264)
- Add guard flag for experimental OCI 1.1 verify. (#3272)
- Deprecate SBOM attachments (#3256)
- feat: dedent line in cosign copy doc (#3244)
- feat: add platform flag to cosign copy command (#3234)
- Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)
- attest: pass OCI remote opts to att resolver. (#3225)
Bug Fixes
- Merge pull request from GHSA-vfp6-jrw2-99g9
- fix: allow cosign download sbom when image is absent (#3245)
- ci: add a OCI registry test for referrers support (#3253)
- Fix ReplaceSignatures (#3292)
- Stop using deprecated in_toto.ProvenanceStatement (#3243)
- Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237)
- fix: update error in SignedEntity to be more descriptive (#3233)
- Fail timestamp verification if no root is provided (#3224)
Documentation
- Add some docs about verifying in an air-gapped environment (#3321)
- Update CONTRIBUTING.md (#3268)
- docs: improves the Contribution guidelines (#3257)
- Remove security policy (#3230)
Others
- Set go to min 1.21 and update dependencies (#3327)
- Update contact for code of conduct (#3266)
- Update .ko.yaml (#3240)
Contributors
- AdamKorcz
- Andres Galante
- Appu
- Billy Lynch
- Bob Callaway
- Caleb Woodbine
- Carlos Tadeu Panato Junior
- Dylan Richardson
- Gareth Healy
- Hayden B
- John Kjell
- Jon Johnson
- jonvnadelberg
- Luiz Carvalho
- Priya Wadhwa
- Ramkumar Chinchani
- Tosone
- Ville Aikas
- Vishal Choudhary
- ziel
New Contributors
- @vishal-chdhry made their first contribution in #3233
- @jkjell made their first contribution in #3237
- @ziel made their first contribution in #3219
- @andresgalante made their first contribution in #3257
- @BobyMCbobs made their first contribution in #3264
- @garethahealy made their first contribution in #3255
- @jonvnadelberg made their first contribution in #3268
- @dylrich made their first contribution in #3334
- @tosone made their first contribution in #3310
Full Changelog: v2.2.0...v2.2.1
v2.2.0
Enhancements
- switch to uploading DSSE types to rekor instead of intoto (#3113)
- add 'cosign sign' command-line parameters for mTLS (#3052)
- improve error messages around bundle != payload hash (#3146)
- make VerifyImageAttestation function public (#3156)
- Switch to cryptoutils function for SANS (#3185)
- Handle HTTP_1_1_REQUIRED errors in github provider (#3172)
Bug Fixes
- Fix nondeterministic timestamps (#3121)
Documentation
- doc: Add example of sign-blob with key in env var (#3152)
- add deprecation notice for cosign-releases GCS bucket (#3148)
- update doc links (#3186)