v0.10.0

What's Changed

• chore(deps): bump google.golang.org/grpc from 1.54.0 to 1.55.0 by @dependabot[bot] in #232
• Update maintainers and governance by @adityasaky in #233
• chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 by @dependabot[bot] in #234
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.3 to 2.1.5 by @dependabot[bot] in #235
• chore(deps): bump github.com/stretchr/testify from 1.8.3 to 1.8.4 by @dependabot[bot] in #236
• Fix expired signature in test by @adityasaky in #241
• chore(deps): bump golang.org/x/sys from 0.8.0 to 0.9.0 by @dependabot[bot] in #240
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.5 to 2.1.6 by @dependabot[bot] in #239
• chore(deps): bump google.golang.org/grpc from 1.55.0 to 1.56.0 by @dependabot[bot] in #242
• chore(deps): bump google.golang.org/grpc from 1.56.0 to 1.56.1 by @dependabot[bot] in #243
• Update GitHub Actions workflows by @adityasaky in #246
• chore(deps): bump golang.org/x/sys from 0.9.0 to 0.10.0 by @dependabot[bot] in #245
• remove linters that are no longer supported and add to make file by @pxp928 in #249
• Add match products feature by @adityasaky in #237
• Remove unfinished link on record stop by @PradyumnaKrishna in #248
• chore(deps): bump google.golang.org/grpc from 1.56.1 to 1.56.2 by @dependabot[bot] in #250
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.6.0 to 0.7.0 by @dependabot[bot] in #251
• chore(deps): bump google.golang.org/grpc from 1.56.2 to 1.57.0 by @dependabot[bot] in #255
• Add tests for coverage in envelope.go by @adityasaky in #256
• chore(deps): bump golang.org/x/sys from 0.10.0 to 0.11.0 by @dependabot[bot] in #257
• chore(deps): bump actions/setup-go from 4.0.1 to 4.1.0 by @dependabot[bot] in #258
• chore(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 by @dependabot[bot] in #259
• Fixes filepath pattern matching in windows by @PradyumnaKrishna in #254
• chore(deps): bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot[bot] in #261
• chore(deps): bump actions/checkout from 3.6.0 to 4.0.0 by @dependabot[bot] in #262
• chore(deps): bump golang.org/x/sys from 0.11.0 to 0.12.0 by @dependabot[bot] in #263
• chore(deps): bump google.golang.org/grpc from 1.57.0 to 1.58.0 by @dependabot[bot] in #264
• chore(deps): bump google.golang.org/grpc from 1.58.0 to 1.58.1 by @dependabot[bot] in #266
• Deprecate Provenance v1 struct in favor of /attestation protobufs by @marcelamelara in #267
• chore(deps): bump google.golang.org/grpc from 1.58.1 to 1.58.2 by @dependabot[bot] in #269
• chore(deps): bump actions/checkout from 4.0.0 to 4.1.0 by @dependabot[bot] in #270
• Drop use of any for hash objects by @adityasaky in #238
• chore(deps): bump golang.org/x/sys from 0.12.0 to 0.13.0 by @dependabot[bot] in #271
• chore(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0 by @dependabot[bot] in #273
• chore(deps): bump google.golang.org/grpc from 1.58.2 to 1.58.3 by @dependabot[bot] in #272
• chore(deps): bump golang.org/x/net from 0.12.0 to 0.17.0 by @dependabot[bot] in #274
• chore(deps): bump google.golang.org/grpc from 1.58.3 to 1.59.0 by @dependabot[bot] in #275
• chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 by @dependabot[bot] in #276
• Trigger workflow on pushes only to master branch by @adityasaky in #280
• chore(deps): bump golang.org/x/sys from 0.13.0 to 0.14.0 by @dependabot[bot] in #278
• chore(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.0 by @dependabot[bot] in #277
• add openssf scorecard by @viveksahu26 in #281
• chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 by @dependabot[bot] in #282
• Fix coveralls, use action by @adityasaky in #285
• Secure System Lab Sign/Verify by @Forrin in #279
• chore(deps): bump golang.org/x/sys from 0.14.0 to 0.15.0 by @dependabot[bot] in #287
• chore(deps): bump actions/setup-go from 4.1.0 to 5.0.0 by @dependabot[bot] in #289
• chore(deps): bump google.golang.org/grpc from 1.59.0 to 1.60.0 by @dependabot[bot] in #290
• chore(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 by @dependabot[bot] in #291
• chore(deps): bump google.golang.org/grpc from 1.60.0 to 1.60.1 by @dependabot[bot] in #292
• chore(deps): bump github.com/in-toto/attestation from 0.1.1-0.20230828220013-11b7a1a4ca51 to 1.0.1 by @dependabot[bot] in #294
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.7.0 to 0.8.0 by @dependabot[bot] in #293
• chore(deps): bump golang.org/x/sys from 0.15.0 to 0.16.0 by @dependabot[bot] in #295
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.6 to 2.1.7 by @dependabot[bot] in #296
• chore(deps): bump google.golang.org/grpc from 1.60.1 to 1.61.0 by @dependabot[bot] in #298
• chore(deps): bump golang.org/x/sys from 0.16.0 to 0.17.0 by @dependabot[bot] in #299
• chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 3.7.1 by @dependabot[bot] in #300
• chore(deps): bump google.golang.org/grpc from 1.61.0 to 1.61.1 by @dependabot[bot] in #301
• chore(deps): bump google.golang.org/grpc from 1.61.1 to 1.62.0 by @dependabot[bot] in #302
• chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 by @dependabot[bot] in #303
• chore(deps): bump golang.org/x/sys from 0.17.0 to 0.18.0 by @dependabot[bot] in #304
• chore(deps): bump google.golang.org/grpc from 1.62.0 to 1.62.1 by @dependabot[bot] in #305
• chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 by @dependabot[bot] in #306
• chore(deps): bump actions/checkout from 4.1.1 to 4.1.2 by @dependabot[bot] in #307
• chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 by @dependabot[bot] in #308
• chore(deps): bump google.golang.org/grpc from 1.62.1 to 1.63.0 by @dependabot[bot] in #310
• chore(deps): bump golang.org/x/sys from 0.18.0 to 0.19.0 by @dependabot[bot] in #311
• chore(deps): bump google.golang.org/grpc from 1.63.0 to 1.63.2 by @dependabot[bot] in #312
• chore(deps): bump github.com/in-toto/attestation from 1.0.1 to 1.0.2 by @dependabot[bot] in #313
• Bump Go versions by @adityasaky in #314
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.7 to 2.2.0 by @dependabot[bot] in #309
• chore(deps): bump actions/checkout from 4.1.2 to 4.1.4 by @dependabot[bot] in #317
• chore(deps): bump golangci/golangci-lint-action from 4.0.0 to 5.0.0 by @dependabot[bot] in #318
• chore(deps): bump golangci/golangci-lint-action from 5.0.0 to 5.1.0 by @dependabot[bot] in #319
• chore(deps): bump actions/setup-go from 5.0.0 to 5.0.1 by @de...

v0.9.0

• Added support for DSSE envelopes in InTotoRun, InTotoRecord, and InTotoVerify (#228)
• Removed use of io/ioutil (#229)
• Source reorganization / clean up, removed DSSESigner in favour of EnvelopeSigner in go-securesystemslib (#228)
• Dependency bump (#231)

v0.8.0

This release includes:

• Support for SLSA Provenance v1 (courtesy @asraa, @chuangw6)
• --verify flag to the sign subcommand
• Updates to tested Go versions, various minor code fixes
• Dependency updates

v0.7.1

This update adds type aliases for SLSA Provenance v0.2 fields (courtesy @wlynch) and includes various dependency updates.

v0.7.0

NOTE: This release changes the interface of DSSESigner.SignPayload and DSSESigner.Verify due to a change in go-securesystemslib.

For more information, see #206 and secure-systems-lab/go-securesystemslib#34.

v0.6.0

• Updates symlink handling to more closely mirror Python implementation (#194), adds parameter to InTotoRun and InTotoRecord APIs
• Various dependency updates
• Clean up of readme

v0.5.0

Since v0.4.0, we've welcomed Parth Patel (@pxp928) as a maintainer of in-toto-golang!

• Adds Godoc documentation for SLSA Provenance v0.2 fields (@wlynch)
• Updates CycloneDX predicate type (@lehors)
• Adds ability to use InTotoRun without a command (@shibumi, @adityasaky)

v0.4.0

This release includes the changes introduced in v0.4.0-prerelease and some more changes. The changelog includes all the changes since v0.3.3.

• Removes DSSE code and moves it to https://github.com/secure-systems-lab/go-securesystemslib (@shibumi)
• Uses go-securesystemslib for canonical JSON
• Adds SPIFFE integration (@pxp928, @mikhailswift)
• Re-organizes SLSA provenance formats based on versioning, adds v0.2 (@priyawadhwa), makes provenance API version explicit (@chuangw6)
• Adds CycloneDX predicate (@puerco)

v0.4.0-prerelease

This is a prerelease of v0.4.0, cut from the next branch. v0.4.0 will follow when some next-only features are merged into master.

• Removes DSSE code and moves it to https://github.com/secure-systems-lab/go-securesystemslib (@shibumi)
• Adds SPIFFE integration (@pxp928, @mikhailswift)
• Re-organizes SLSA provenance formats based on versioning, adds v0.2 (@priyawadhwa)

v0.3.3

This release enables Windows support / testing again.

• Adds a linter in the CI for new changes, courtesy of @kevholmes
• Fixes a bug where left-stripping two artifacts with different prefixes could have resulted in a collision in the resultant paths with no warning, courtesy of @kadern0
• Fixes to error strings formatting to follow best practices, courtesy of @adityasaky
• Adds auto completion to CLI, courtesy of @developer-guy
• Adds CLI docs, courtesy of @developer-guy
• Changes in how cobra is organized so as to follow the standard template, courtesy of @lukehinds
• Re-enables line normalization feature that was disabled in v0.3.2 as an option, courtesy of @alanssitis