v1.9.0

What's Changed

• Bump github.com/armon/go-metrics from 0.3.10 to 0.3.11 by @dependabot in #1808
• update changelog for 1.8.0 by @cpanato in #1807
• Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 by @dependabot in #1809
• Bump google.golang.org/api from 0.75.0 to 0.76.0 by @dependabot in #1810
• Bump github/codeql-action from 2.1.8 to 2.1.9 by @dependabot in #1814
• Bump sigstore/cosign-installer from 2.2.1 to 2.3.0 by @dependabot in #1813
• Check failure message of policy that fails with issuer mismatch by @vaikas in #1815
• [Cosigned] Add signature pull secrets by @DennyHoang in #1805
• feat: add rego policy support by @hectorj2f in #1817
• Refactor fulcio signer to take in KeyOpts (take 2) by @wlynch in #1818
• cosigned: Test unsupported KMS providers by @imjasonh in #1820
• chore(deps): Included dependency review by @naveensrinivasan in #1792
• Bump github.com/spiffe/go-spiffe/v2 from 2.0.0 to 2.1.0 by @dependabot in #1828
• Bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 by @dependabot in #1830
• Add auth flow option to KeyOpts. by @wlynch in #1827
• Bump google.golang.org/api from 0.76.0 to 0.77.0 by @dependabot in #1829
• Bump mikefarah/yq from 4.24.5 to 4.25.1 by @dependabot in #1831
• Document Staging instance usage with Keyless by @k4leung4 in #1824
• New flag --oidc-providers-disable to disable OIDC providers by @puerco in #1832
• Validate tlog entry when verifying signature via public key. by @wlynch in #1833
• Add function to explicitly request a certain provider by @priyawadhwa in #1837
• cosigned: Fix podAntiAffinity labels by @elfotografo007 in #1841
• Bump google.golang.org/api from 0.77.0 to 0.78.0 by @dependabot in #1838
• Bump github.com/hashicorp/go-plugin from 1.4.3 to 1.4.4 by @dependabot in #1843
• remove exclude from go.mod by @cpanato in #1846
• [Cosigned] Glob matching improvement by @DennyHoang in #1842
• Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 by @dependabot in #1851
• sget: Enable KMS providers for sget by @imjasonh in #1852
• Fix piv-tool generate-key command in TOKENS doc by @nealmcb in #1850
• Add IBM Cloud Container Registry to tested registry list by @bainsy88 in #1856
• Bump github.com/xanzy/go-gitlab from 0.64.0 to 0.65.0 by @dependabot in #1857
• Bump google.golang.org/api from 0.78.0 to 0.79.0 by @dependabot in #1858
• If SBOM ref has .json suffix, assume JSON mediatype by @jdolitsky in #1859
• Add rekor.0.pub TUF target to unit tests by @priyawadhwa in #1860
• Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 by @dependabot in #1864
• Bump github/codeql-action from 2.1.9 to 2.1.10 by @dependabot in #1863
• Normalize certificate flag names by @haydentherapper in #1868
• Check certificate policy flags with only a certificate by @haydentherapper in #1869
• Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go by @cpanato in #1861
• Bump actions/setup-go from 3.0.0 to 3.1.0 by @dependabot in #1870
• Point git commmit FUN.md to gitsign! by @wlynch in #1874
• Bump actions/github-script from 6.0.0 to 6.1.0 by @dependabot in #1876
• Bump actions/dependency-review-action from 3f943b86c9a289f4e632c632695e2e0898d9d67d to 1 by @dependabot in #1875
• [cosigned] remove regex from the image pattern fields by @hectorj2f in #1873
• go.mod: format go.mod by @zchee in #1879
• Bump google-github-actions/auth from 0.7.1 to 0.7.2 by @dependabot in #1886
• Bump google.golang.org/grpc from 1.46.0 to 1.46.2 by @dependabot in #1884
• Remove dependency on deprecated github.com/pkg/errors by @zchee in #1887
• tree: only report artifacts that are present by @ribbybibby in #1872
• update README with ebpf modules by @EItanya in #1888
• Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d by @vpnachev in #1889
• Bump github/codeql-action from 2.1.10 to 2.1.11 by @dependabot in #1891
• v1beta1 API for cosigned by @vaikas in #1890
• Bump google-github-actions/auth from 0.7.2 to 0.7.3 by @dependabot in #1898
• Bump google.golang.org/api from 0.79.0 to 0.80.0 by @dependabot in #1897
• tree: support --attachment-tag-prefix by @ribbybibby in #1900
• [cosigned] Remove undefined apiGroups from policy clusterrole by @vpnachev in #1896
• GHSA-66x3-6cw3-v5gj: Update go-tuf to v0.3.0 by @janisz in #1894
• The timeout arg in golangci-lint has been moved to the generic args p… by @dlorenc in #1901
• Bump actions/upload-artifact from 3.0.0 to 3.1.0 by @dependabot in #1907
• Bump cloud.google.com/go/storage from 1.22.0 to 1.22.1 by @dependabot in #1906
• [cosigned] Rename cosigned references to policy-controller by @hectorj2f in #1893
• Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.4 to 0.1.5 by @dependabot in #1883
• Bump github.com/hashicorp/go-version from 1.4.0 to 1.5.0 by @dependabot in #1902
• Move deprecated dependency: google/trillian/merkle to transparency-dev by @cpanato in #1910
• Bump github.com/xanzy/go-gitlab from 0.65.0 to 0.66.0 by @dependabot in #1913
• Add support for "**" in image glob matching by @imjasonh in #1914
• Add privacy statement for PII storage by @haydentherapper in #1909
• Bump github.com/xanzy/go-gitlab from 0.66.0 to 0.68.0 by @dependabot in #1920
• Bump github.com/armon/go-metrics from 0.3.11 to 0.4.0 by @dependabot in #1919
• Bump google.golang.org/api from 0.80.0 to 0.81.0 by @dependabot in #1918
• Bump ossf/scorecard-action from 1.0.4 to 1.1.0 by @dependabot in #1922
• Bump google-github-actions/auth from 0.7.3 to 0.8.0 by @dependabot in #1916
• Bump actions/dependency-review-action from 1.0.1 to 1.0.2 by @dependabot in #1915
• Bump actions/setup-go from 3.1.0 to 3.2.0 by @dependabot in #1927
• Bump github.com/hashicorp/vault/sdk from 0.4.1 to 0.5.0 by @dependabot in #1926
• Bump github.com/spf13/viper from 1.11.0 to 1.12.0 by @dependabot in #1924
• Do not push to public rekor. by @vaikas in #1931
• Bump mikefarah/yq from 4.25.1 to 4.25.2 by @dependabot in #1933
• Bump actions/cache from 3.0.2 to 3.0.3 by @dependabot in #1937
• fix: fix fetching updated targets from TUF root by @asraa in #1921
• Bump github.com/secure-systems-lab/go-securesystemslib from 0.3.1 to 0.4.0 by @dependabot in #1944
• Bump ossf/scorecard-action from 1.1.0 to 1.1.1 by @dependabot in #1945
• fix: fix #1930 for AWS KMS formats by @vaikas in #1946
• update cross-builder image to use go1.17.11 by @cpanato in #1950
• Bump github.com/aws/aws-sdk-go-v2 from 1.14.0 to 1.16.4 by @dependabot in #1949
• remove deprecation from goreleaser, go-fish is not supported anymore by @cpanato in #1952
• add cha...

v1.8.0

⚠️ NOTE: If you use Fulcio to issue certificates you will need to use this release.

What's Changed

• Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.3 to 0.1.4 by @dependabot in #1620
• Bump github.com/xanzy/go-gitlab from 0.62.0 to 0.63.0 by @dependabot in #1745
• Bump mikefarah/yq from 4.24.2 to 4.24.4 by @dependabot in #1746
• Move the KMS integration imports into the binary entrypoints by @mattmoor in #1744
• [Cosigned] Convert functions for webhookCIP from v1alpha1 by @DennyHoang in #1736
• Refactor policy related code, add support for vuln verify by @vaikas in #1747
• Use bundle log ID to find verification key by @haydentherapper in #1748
• [cosigned] The webhook name is now configurable via --webhook-name flag by @vpnachev in #1726
• Add intermediate CA certificate pool for Fulcio by @haydentherapper in #1749
• Bump github.com/spf13/viper from 1.10.1 to 1.11.0 by @dependabot in #1751
• test: create fake TUF test root and create test SETs for verification by @asraa in #1750
• update go builder and cosign images by @cpanato in #1755
• Bump sigstore/cosign-installer from 2.2.0 to 2.2.1 by @dependabot in #1752
• Implement identities, fix bug in webhook validation. by @vaikas in #1759
• Validate issuer/subject regexp in validate webhook. by @vaikas in #1761
• chore: add warning when attaching sBOMs by @hectorj2f in #1756
• Verify embedded SCTs by @haydentherapper in #1731
• chore: add warning when downloading a sBOM by @hectorj2f in #1763
• [policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags by @vpnachev in #1757
• Bump mikefarah/yq from 4.24.4 to 4.24.5 by @dependabot in #1765
• Bump actions/checkout from 3.0.0 to 3.0.1 by @dependabot in #1764
• Break the CIP action tests into a sh script. by @vaikas in #1767
• tuf: add debug info if tuf update fails by @asraa in #1766
• cosigned: add support for rsa keys by @hectorj2f in #1768
• Cosigned validate against remote sig src by @DennyHoang in #1754
• Add Fulcio intermediate CA certificate to intermediate pool by @haydentherapper in #1774
• Bump codecov/codecov-action from 3.0.0 to 3.1.0 by @dependabot in #1784
• fix: more informative error by @ybelMekk in #1778
• Bump cuelang.org/go from 0.4.2 to 0.4.3 by @dependabot in #1779
• Bump google.golang.org/api from 0.74.0 to 0.75.0 by @dependabot in #1780
• Bump k8s.io/code-generator from 0.23.5 to 0.23.6 by @dependabot in #1781
• Bump github.com/mitchellh/mapstructure from 1.4.3 to 1.5.0 by @dependabot in #1782
• Bump actions/checkout from 3.0.1 to 3.0.2 by @dependabot in #1783
• Run update-codegen. by @wlynch in #1789
• Remove the dependency on v1alpha1.Identity which brings in unnecessary k8s deps. by @vaikas in #1790
• Refactor fulcio signer to take in KeyOpts. by @wlynch in #1788
• test: add cue unit tests by @hectorj2f in #1791
• Attestations + policy in cip. by @vaikas in #1772
• chore: add rego function to consume modules and evaluate them by @hectorj2f in #1787
• Add parallelization for processing policies / authorities. by @vaikas in #1795
• Allow passing keys via environment variables (env:// refs) by @znewman01 in #1794
• Handle context cancelled properly + tests. by @vaikas in #1796
• Fix a bug where an error would send duplicate results. by @vaikas in #1797
• Revert "Refactor fulcio signer to take in KeyOpts. (#1788)" by @wlynch in #1798
• Bump github.com/xanzy/go-gitlab from 0.63.0 to 0.64.0 by @dependabot in #1799
• Bump google.golang.org/grpc from 1.45.0 to 1.46.0 by @dependabot in #1800
• Bump google-github-actions/auth from 0.7.0 to 0.7.1 by @dependabot in #1801
• Bump github.com/hashicorp/go-retryablehttp from 0.7.0 to 0.7.1 by @dependabot in #1758
• cosigned: Unify cue data and policy before evaluating it by @hectorj2f in #1793
• Don't fail open in VerifyBundle by @mtrmac in #1648
• Load in intermediate cert pool from TUF by @haydentherapper in #1804
• add changelog for release v1.8.0 by @cpanato in #1803
• Support PKCS1 encoded and non-ECDSA CT log public keys by @haydentherapper in #1806

New Contributors

• @vpnachev made their first contribution in #1726
• @ybelMekk made their first contribution in #1778
• @wlynch made their first contribution in #1789
• @mtrmac made their first contribution in #1648

Full Changelog: v1.7.2...v1.8.0

Thanks to all contributors!

v1.7.2

What's Changed

• Bump codecov/codecov-action from 2.1.0 to 3 by @dependabot in #1714
• Bump github/codeql-action from 2.1.6 to 2.1.7 by @dependabot in #1713
• Bump google-github-actions/auth from 0.6.0 to 0.7.0 by @dependabot in #1712
• Bump github.com/xanzy/go-gitlab from 0.61.0 to 0.62.0 by @dependabot in #1711
• Makefile: fix directory not found error by @hectorj2f in #1718
• Update release job by @cpanato in #1720
• [Cosigned] Fix publicKey unmarshal by @DennyHoang in #1719
• fix: add permissions to patch events by @hectorj2f in #1722
• Bump sigstore/cosign-installer from 2.1.0 to 2.2.0 by @dependabot in #1723
• Bump cloud.google.com/go/storage from 1.21.0 to 1.22.0 by @dependabot in #1721
• Bump github/codeql-action from 2.1.7 to 2.1.8 by @dependabot in #1725
• Make public all types required to use ValidatePolicy by @jdolitsky in #1727
• Add unit tests for IntotoAttestation verifier. by @vaikas in #1728
• Bump github.com/hashicorp/go-uuid from 1.0.2 to 1.0.3 by @dependabot in #1724
• Remove newline from download sbom output by @ribbybibby in #1732
• Fix packages name and binary in the packages by @cpanato in #1734
• Fix fulcioroots test and linter error by @haydentherapper in #1741
• Support non-ECDSA public keys in certificates by @haydentherapper in #1740
• bug: remove old fulcio root and fix fallback target code by @asraa in #1738
• Bump actions/cache from 3.0.1 to 3.0.2 by @dependabot in #1737
• add changelog for v1.7.2 by @cpanato in #1735

Full Changelog: v1.7.1...v1.7.2

Thanks to all contributors!

v1.7.1

What's Changed

• commenting out the copy from gcr to ghcr due issues on github side by @cpanato in #1715
• Update images for release job by @cpanato in #1551
• pkcs11: fix build instructions by @rgerganov in #1550
• Bump actions/upload-artifact from 2.3.1 to 3 by @dependabot in #1553
• Bump github.com/xanzy/go-gitlab from 0.56.0 to 0.57.0 by @dependabot in #1552
• Mirror signed release images from GCR to GHCR as part of release with… by @k4leung4 in #1547
• Update hashicorp/parseutil to v0.1.3. by @dlorenc in #1557
• Bump github.com/xanzy/go-gitlab from 0.57.0 to 0.58.0 by @dependabot in #1560
• Bump github.com/go-openapi/runtime from 0.23.1 to 0.23.2 by @dependabot in #1559
• Bump sigstore/cosign-installer from 2.0.1 to 2.1.0 by @dependabot in #1561
• add definition for artifact hub to verify the ownership by @cpanato in #1563
• Bump github/codeql-action from 1.1.3 to 1.1.4 by @dependabot in #1565
• Add example using AWS Key Management Service (KMS) by @davivcgarcia in #1564
• Start of the necessary pieces to get #1418 and #1419 implemented by @vaikas in #1562
• Bump google.golang.org/api from 0.70.0 to 0.71.0 by @dependabot in #1577
• Bump github.com/hashicorp/go-hclog from 1.1.0 to 1.2.0 by @dependabot in #1576
• Bump google-github-actions/setup-gcloud from 0.5.1 to 0.6.0 by @dependabot in #1578
• Support deletion of ClusterImagePolicy by @vaikas in #1580
• Bump github.com/xanzy/go-gitlab from 0.58.0 to 0.59.0 by @dependabot in #1579
• 1417 policy validations by @kkavitha in #1548
• Don't lowercase input image refs, just fail by @imjasonh in #1586
• Fix #1583 #1582. Disallow regex now until implemented. by @vaikas in #1584
• Bump github.com/spf13/cobra from 1.3.0 to 1.4.0 by @dependabot in #1588
• Bump google.golang.org/grpc from 1.44.0 to 1.45.0 by @dependabot in #1587
• Bump mikefarah/yq from 4.21.1 to 4.22.1 by @dependabot in #1589
• Fix piping 'cosign verify' using fulcio/rekor by @marcofranssen in #1590
• Fix #1592 move authorities as siblings of images. by @vaikas in #1593
• Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.12 to 2.0.0 by @dependabot in #1597
• Add ability to inline secrets from SecretRef to configmap. by @vaikas in #1595
• Fix copy/paste mistake in repo name. by @k4leung4 in #1600
• Use reusuable release workflow in sigstore/sigstore by @k4leung4 in #1599
• Add public key validation by @kkavitha in #1598
• Validate a public key in a secret is valid. by @vaikas in #1602
• Ensure entry is removed from CM on secret error. by @vaikas in #1605
• Bump google.golang.org/api from 0.71.0 to 0.72.0 by @dependabot in #1612
• Bump to knative pkg 1.3 by @mattmoor in #1614
• Add two env variables. One for using Rekor public key from OOB and one for fetching it from Rekor server by @vaikas in #1610
• Init entity from ociremote when signing a digest ref by @puerco in #1616
• rename ca-key to ca-cert. Fix 1608, 1613 by @vaikas in #1617
• improve cosigned validation error messages by @cpanato in #1618
• Bump ecr-login to pick up WithLogger rename by @mattmoor in #1624
• Bump github/codeql-action from 1.1.4 to 1.1.5 by @dependabot in #1622
• Bump google.golang.org/api from 0.72.0 to 0.73.0 by @dependabot in #1619
• Bump github.com/stretchr/testify from 1.7.0 to 1.7.1 by @dependabot in #1621
• Use latest knative/pkg's configmap informer by @tcnghia in #1615
• Included OpenSSF Best Practices Badge by @naveensrinivasan in #1628
• Bump github.com/xanzy/go-gitlab from 0.59.0 to 0.60.0 by @dependabot in #1634
• FUN.md broke when RecordObj changed to HashedRecordObj by @MitchellJThomas in #1633
• update crane to v0.8.0 release by @cpanato in #1635
• push latest tag when building a release by @cpanato in #1636
• Add extra label and change the latest tag to unstable for non tagged releases by @cpanato in #1637
• Bump github.com/go-openapi/runtime from 0.23.2 to 0.23.3 by @dependabot in #1638
• Bump actions/cache from 2.1.7 to 3 by @dependabot in #1640
• Document Elastic container registry support by @mgreau in #1641
• Bump mikefarah/yq from 4.22.1 to 4.23.1 by @dependabot in #1639
• Validate authority keys by @coyote240 in #1623
• feat: tree command utility by @developer-guy in #1603
• fix build date format for version command by @cpanato in #1644
• Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 by @dependabot in #1646
• Add support for intermediate certificates when verifiying by @haydentherapper in #1631
• Prompt user before running cosign clean by @priyawadhwa in #1649
• Use ClusterImagePolicy with Keyless + e2e tests for CIP with kind by @vaikas in #1650
• KEYLESS.md: Shorten example OAuth URL by @tstromberg in #1661
• Use syscall.Stdin for input handle. Fixes #1153 by @mdp in #1657
• Add support for certificate chain to verify certificate by @haydentherapper in #1659
• First batch of followups to #1650 by @vaikas in #1664
• Add certificate chain flag for signing by @haydentherapper in #1656
• [attach]: Add specific suffixes mediaTypes to sboms by @hectorj2f in #1663
• update font when output the cosign version by @cpanato in #1668
• feat: add ability to override registry keychain by @noamichael in #1666
• remove replace directive by @cpanato in #1669
• Bump mikefarah/yq from 4.23.1 to 4.24.2 by @dependabot in #1670
• Refactor based on discussions in #1650 by @vaikas in #1674
• Find all valid entries in verify-blob by @priyawadhwa in #1673
• Fix relative paths in Gitub OIDC blob test by @priyawadhwa in #1677
• Add support for cert and cert chain flags with PKCS11 tokens by @haydentherapper in #1671
• Use cosign @ HEAD for Github OIDC sign blob test by @priyawadhwa in #1678
• Make cosign copy copy metadata attached to child images. by @mattmoor in #1682
• change file_name_template to PackageName by @strongjz in #1683
• Update error message for verify/verify attestation by @haydentherapper in #1686
• cosign clean: Don't log failure if the registry responds with 404 by @imjasonh in #1687
• verify: add leaf hash verification for tlog entries by @asraa in #1688
• Fix handling of policy in verify-attestation by @lcarva in #1672
• Add e2e test for attest / verify-attestation by @vaikas in #1685
• Bump actions/cache from 3.0.0 to 3.0.1 by @dependabot in #1689
• Bump github/codeql-action from 1.1.5 to 2.1.6 by @dependabot in #1690
• Bump google.golang.org/api from 0.73.0 to 0.74.0 by @dependabot in #1695
• verify: remove extra calls to rekor for verify and verify-blob by @asraa in #1694
• Remove the hardcoded sigstore audience by @mattmoor in...

v1.6.0

This release contains fixes for GHSA-ccxc-vr6p-4858, affecting signature validations with Rekor. Only validation is affected, it is not necessary to re-sign any artifacts.
See: GHSA-ccxc-vr6p-4858

What's Changed

• add changelog for 1.5.1 release by @cpanato in #1376
• Bump github.com/go-openapi/runtime from 0.21.1 to 0.22.0 by @dependabot in #1382
• Bump github.com/go-openapi/swag from 0.19.15 to 0.20.0 by @dependabot in #1383
• Fix double time import in e2e tests by @saschagrunert in #1388
• Add --timeout support to sign command by @saschagrunert in #1379
• Bump github.com/go-openapi/swag from 0.20.0 to 0.21.1 by @dependabot in #1386
• Bump github.com/xanzy/go-gitlab from 0.54.3 to 0.54.4 by @dependabot in #1391
• Fix comparison in replace option for attestation by @bburky in #1366
• Add Cosign logo to README by @nsmith5 in #1395
• Minor refactor to verify SCT and Rekor entry with multiple keys by @haydentherapper in #1396
• Fix a link of SECURITY.md by @knqyf263 in #1399
• update cosign and cross-build image for the release job by @cpanato in #1400
• Bump cuelang.org/go from 0.4.1 to 0.4.2 by @dependabot in #1401
• Bump google.golang.org/api from 0.66.0 to 0.67.0 by @dependabot in #1402
• feat: login command by @developer-guy in #1398
• TUF: Add root status output by @asraa in #1404
• Bump cloud.google.com/go/storage from 1.19.0 to 1.20.0 by @dependabot in #1403
• Add a newline after password input by @knqyf263 in #1407
• make imageRef lowercase before parsing by @bobcallaway in #1409
• Improve error message when image is not found in registry by @imjasonh in #1410
• Bump github.com/go-openapi/runtime from 0.22.0 to 0.23.0 by @dependabot in #1412
• Bump github.com/go-openapi/strfmt from 0.21.1 to 0.21.2 by @dependabot in #1411
• Add ability to override the Spiffe socket via environmental variable: by @vaikas in #1421
• Fix incorrect error check when verifying SCT by @haydentherapper in #1422
• Skip the ReadWrite test that flakes on Windows. by @dlorenc in #1415
• Allow PassFunc to be nil by @saschagrunert in #1426
• Update the cosign keyless documentation to point to the GA release. by @dlorenc in #1427
• Remove TUF timestamp from OCI signature bundle by @haydentherapper in #1428
• Add docs on API stability and deprecation table by @priyawadhwa in #1429
• Bump google.golang.org/api from 0.67.0 to 0.68.0 by @dependabot in #1434
• update cross-build image which adds goimports by @cpanato in #1435
• feat: enhance clean cmd capability by @developer-guy in #1430
• use the upstream kubernetes version lib and ldflags by @n3wscott in #1413
• Improve log lines to match with implementation by @marcofranssen in #1432
• Bump go-containerregistry, pick up new features by @imjasonh in #1442
• feat: fig autocomplete feature by @developer-guy in #1360
• update cross-build to use go 1.17.7 by @cpanato in #1446
• Fetch verification targets by TUF custom metadata by @haydentherapper in #1423
• feat: add -buildid= to ldflags by @developer-guy in #1451
• Streamline SignBlobCmd API with SignCmd by @saschagrunert in #1454
• convert release cosigned to also generate yaml artifact. by @k4leung4 in #1453
• Bump webhook timeout. by @dlorenc in #1465
• Fix tkn link in readme by @Yongxuanzhang in #1459
• Bump the gitlab library and add a nil opt for the API change. by @dlorenc in #1466
• Print message when verifying with old TUF targets by @haydentherapper in #1468
• Bump google.golang.org/api from 0.68.0 to 0.69.0 by @dependabot in #1469
• fix(sign): refactor unsupported provider log by @Dentrax in #1464
• tests: /bin/bash -> /usr/bin/env bash by @znewman01 in #1470
• Double goreleaser timeout by @znewman01 in #1472
• increase timeout for goreleaser snapshot by @cpanato in #1473
• fix(sign): kms unspported message by @Dentrax in #1475
• refactor release cloudbuild job by @cpanato in #1476
• Bump sigstore/sigstore to pick up the kms change and the monkey-patch… by @dlorenc in #1479
• Fix wording on attach attestation help by @luhring in #1480
• update go-tuf and simplify TUF client code by @asraa in #1455
• add initial changelog for 1.5.2 by @cpanato in #1483
• Fix linter error on main by @priyawadhwa in #1484
• Update Changelog for Security Advisory by @cpanato in #1485
• Bump cloud.google.com/go/storage from 1.20.0 to 1.21.0 by @dependabot in #1481
• chore(makefile): use kocache, convert publish to build by @developer-guy in #1488
• Pick up a change to quiet ECR-login logging. by @mattmoor in #1491
• feat: support other types in copy cmd by @developer-guy in #1493
• Pick up some of the shared workflows by @mattmoor in #1490
• Bump google-github-actions/setup-gcloud from 0.3.0 to 0.5.1 by @dependabot in #1499
• Update github/codeql-action requirement to d39d5d5c9707b926d517b1b292905ef4c03aa777 by @dependabot in #1498
• Bump actions/github-script from 4.1.1 to 6 by @dependabot in #1497
• Bump sigstore/cosign-installer from 1.4.1 to 2.0.1 by @dependabot in #1496
• feat: nominate Dentrax as codeowner by @developer-guy in #1492
• Bump google.golang.org/api from 0.69.0 to 0.70.0 by @dependabot in #1500
• Bump ossf/scorecard-action from 0fe1afdc40f536c78e3dc69147b91b3ecec2cc8a to 1.0.4 by @dependabot in #1502
• Bump google-github-actions/auth from 0.4.4 to 0.6.0 by @dependabot in #1501
• add correct layer media type to cosign attach attestation by @spiffcs in #1503
• Bump actions/setup-go from 2.1.5 to 2.2.0 by @dependabot in #1495
• This sets up the scaffolding for the cosigned CRD types. by @mattmoor in #1504
• Bump go.uber.org/zap from 1.20.0 to 1.21.0 by @dependabot in #1509
• Bump github.com/go-openapi/runtime from 0.23.0 to 0.23.1 by @dependabot in #1507
• Bump mikefarah/yq from 4.16.2 to 4.20.2 by @dependabot in #1510
• use v6 api calls in GH action for updating release milestones by @bobcallaway in #1511
• Bump github/codeql-action from 1.1.2 to 1.1.3 by @dependabot in #1512
• Add skeleton reconciler for cosigned API CRD. by @mattmoor in #1513
• Bump golangci/golangci-lint-action from 2.5.2 to 3 by @dependabot in #1516
• bug fix: import ed25519 keys and fix error handling by @asraa in #1518
• optimize codeql speed by using caching and tracing by @bobcallaway in #1519
• Add a dummy.go file to allow vendoring config by @jdolitsky in #1520
• Add CertExtensions func to extract all extensions by @ckotzbauer in #1515
• chore(ci): add artifact hub support by @Dentrax in #1522
• Bump github.com/secure-systems-lab/go-securesystemsli...

v1.5.2 - CVE-2022-23649

This release contains fixes for CVE-2022-23649, affecting signature validations with Rekor. Only validation is affected, it is not necessary to re-sign any artifacts.
See: GHSA-ccxc-vr6p-4858

Changelog

• 8ffcd12 Cherry-pick release notes for 1.5.1 and 1.5.2 (#1487)
• c09e04a Cherry pick vulnerability PRs to release-1.5 (#1486)
• 52164f2 cherry picks to release-1.5 branch (#1482)

Thanks for all contributors!

v1.5.1

Changelog

• c3e4d8b Bump sigstore/sigstore to pick up oidc login for vault. (#1377)
• 8b77279 Bump google.golang.org/api from 0.65.0 to 0.66.0 (#1371)
• d2781b8 expose dafaults fulcio, rekor, oidc issuer urls (#1368)
• 4921aa7 add check to make sure the go modules are in sync (#1369)
• 6575648 README: fix link to race conditions (#1367)
• e3024f4 Bump cloud.google.com/go/storage from 1.18.2 to 1.19.0 (#1365)
• e1e0153 docs: verify-attestation cue and rego policy doc (#1362)
• 21e6b80 Update verify-blob to support DSSEs (#1355)
• 79012c3 organize, update select deps (#1358)
• cd49449 Bump go-containerregistry to pick up ACR keychain fix (#1357)
• 239d4c4 Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (#1352)
• 44de8d1 sync go modules (#1353)

Thanks to all contributors!

Full Changelog: v1.5.0...v1.5.1

v1.5.0

Changelog

• 7572520 add ascii art when using the version command (#1349)
• 4c23b55 update cross builder image - the image is now signed using keyless method (#1348)
• 03a2778 Add vaikas to CODEOWNERS (#1347)
• f186ee3 add changelog for v1.5.0 (#1345)
• 9acdf64 Cache the location of the remote repository when running cosign initialize (#1315)
• e534409 Fix minor typo (a missing verb) in README (#1346)
• 22007e5 Don't use k8schain, statically link cloud cred helpers in cosign (#1279)
• a50bc9d Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (#1343)
• 1a92b50 Bump recommended Go development version in README (#1340)
• 1560c64 Bump the snapshot and timestamp roles metadata from root signing. (#1339)
• bca7ba6 Export function to verify individual signature (#1334)
• b0e81eb Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.10 to 2.0.0-beta.11 (#1336)
• a7838c5 update go-github to v42 release (#1335)
• b0848d1 install latest release for ko instead of head of main branch (#1333)
• 2f8c22e remove wrong settings in the gco auth for gh actions (#1332)
• fbf8dcb update gcp setup for the GH action (#1330)
• 888b392 fix: cosign verify for vault (#1328)
• e64cc10 update some dependencies (#1326)
• 461b032 fix missing goimports (#1327)
• 78ee720 Add suffix with digest to signature file output for recursive signing (#1267)
• 0532601 Take OIDC client secret into account (#1310)
• 475c99d Verify checksum of downloaded utilities during CI (#1322)
• 97509b9 pin github actions by digest (#1319)
• 4592c23 Fix TestSignBlobBundle (#1320)
• bad18e5 Add --bundle flag to sign-blob and verify-blob (#1306)
• 079e28d Add flag to verify OIDC issuer in certificate (#1308)
• 2c96cf3 Bump google.golang.org/api from 0.64.0 to 0.65.0 (#1303)
• 24914ac add OSSF scorecard action (#1318)
• 244c07a Add TUF timestamp to attestation bundle (#1316)
• 46cf94b Provide certificate flags to all verify commands (#1305)
• d58fc63 Bundle TUF timestamp with signature on signing (#1294)
• c49ba0b Bump cuelang.org/go from 0.4.0 to 0.4.1 (#1302)
• 754d33e Add support for importing PKCS#8 private keys, and add validation (#1300)
• aa0b8c1 add error message (#1296)
• a7bd67c Move bundle out of oci and into bundle package (#1295)
• 9368996 Bump github.com/xanzy/go-gitlab from 0.54.2 to 0.54.3 (#1292)
• ef380f0 update import documentation (#1290)
• e671216 Fix a couple bugs in cert verification for blobs (#1287)
• 76e691b Fix a few bugs in cosign initialize (#1280)
• b9d0d4a Reorganize verify-blob code and add a unit test (#1286)
• 419be8a update release image to use go 1.17.6 (#1284)
• 809b091 Bump google.golang.org/api. (#1283)
• 4376cca Bump opa and go-gitlab. (#1281)
• b6aaddc Update SBOM spec to indicate compat for syft (#1278)
• f19f4f7 Update signature spec with timestamp annotation (#1274)
• 7f54a8f Bump miekg/pkcs11 (#1275)
• 36cc106 Pick up latest knative.dev/pkg, and k8s 0.22 libs (#1269)
• 6af964c Fix the unit tests with expired TUF metadata. (#1270)
• 242f586 One-to-one mapping of invocation to scan result (#1268)
• 1a7f9d6 refactor common utilities (#1266)
• d89eb8e Fix output-file flag. (#1264)
• 9a27e1f Importing RSA and EC keypairs (#1050)
• 8194edd enable sbom generation when releasing (#1261)
• 0a4a68a feat: log error to stderr (#1260)
• 591601c feat: support attach attestation (#1253)
• 2e99320 Refactor the tuf client code. (#1252)
• dfc0347 Moved certificate output before checking for upload during signing (#1255)
• c09d682 Remove remaining ioutil usage (#1256)
• 894a3bc Update the embedded TUF metadata. (#1251)
• 645c259 Bump sigstore/sigstore. (#1247)
• 4ecb43d fix: typo in the error message (#1250)
• 1df7fe4 Fix semantic bugs in attestation verifification. (#1249)
• f32c1d7 Fix semantic bug in DSSE specification. (#1248)
• 4e4bbf6 Spelling (#1246)
• 7e5abbf feat: resolve --cert from URL (#1245)
• c360535 Add support for other public key types for SCT verification, allow override for testing. (#1241)
• 6f41b4b Log the proper remote repo for the signatures on verify (#1243)
• 24d43bd feat: generate/upload sbom for cosign projects (#1237)
• b3bd158 Use ${{github.repository}} placeholder in OIDC GitHub workflow (#1244)
• 47d936c update codeowners list with miissing codeowners (#1238)
• 3dd690e feat: vuln attest support (#1168)
• 6a4afef feat: add ambient credential detection with spiffe/spire (#1220)
• 1104dfd feat: generate/upload sbom for cosign projects (#1236)
• 0c25819 update build images for release and bump cosign in the release job (#1234)
• ac8a7e9 feat: implement cosign download attestation (#1216)
• d318979 Do not require multiple Fulcio certs in the TUF root (#1230)
• 9da74c9 update deps (#1222)
• b2d6393 nit: add comments to Signer interface (#1228)
• f2e034d clean up references to 'keyless' in ephemeral.Signer (#1225)
• acf5900 create DSSEAttestor interface, payload.DSSEAttestor implementation (#1221)
• ca4544c update google.golang.org/api from 0.62.0 to 0.63.0 (#1214)
• 1feacab use mutate.Signature in the new Signers (#1213)
• 28b03f7 create mutate functions for oci.Signature (#1199)
• 500cd40 update snapshot and timestamp (#1211)
• cbdc1b3 add a writeable $HOME for the nonroot cosigned user (#1209)
• 4d4c830 signing attestation should private key (#1200)
• 6e397c2 Remove the "upload" flag for "cosign initialize" (#1201)
• 008f860 create KeylessSigner (#1189)
• 2ad95b3 Bump github.com/spf13/viper from 1.9.0 to 1.10.0 (#1198)
• 3dac54a Bump the DSSE library and handle manual changes in the API. (#1191)
• cfd981e nit: drop every section title down a level (#1188)

Thanks for all contributors!

v1.4.1

A whole buncha bugfixes!

Enhancements

• Files created with --output-signature and --output-certificate now created with 0600 permissions (#1151)
• Added cosign verify-attestation --local-image for verifying signed images with attestations from disk (#1174)
• Added the ability to fetch the TUF root over HTTP with cosign initialize --mirror (#1185)

Bug Fixes

• Fixed saving and loading a signed image index to disk (#1147)
• Fixed sign-blob --output-certificate writing an empty file (#1149)
• Fixed assorted issues related to the initialization and use of Sigstore's TUF root of trust (#1157)

Contributors

• Carlos Alexandro Becker (@caarlos0)
• Carlos Panato (@cpanato)
• Hayden Blauzvern (@haydentherapper)
• Jake Sanders (@dekkagaijin)
• Matt Moore (@mattmoor)
• Priya Wadhwa (@priyawadhwa)
• Radoslav Gerganov (@rgerganov)

Changelog

• 934567a add 1.4.1 relnotes (#1186)
• fe3a030 Allow fetching TUF root from HTTP (#1185)
• d8e1795 update golang cross image to use go1.17.5 (#1184)
• 2e9d3d8 add e2e tests for Windows + PowerShell (#1177)
• 4c473e5 add tests for cosign initialize (#1182)
• b113e30 update go-tuf and use the newly exposed Close() (#1181)
• 5a5914f Add option to verify attestations from local image (#1174)
• d0d91ab add test for interactive private key password prompt (#1176)
• e5056ed enable e2e-test coverage for Win & OSX (#1166)
• dc744ea use a different repo for each e2e test against the registry (#1175)
• 4652b36 re-enable windows in e2e-with-binary, fix issues (#1172)
• 75e3d62 Bump GGCR to latest. (#1169)
• 287bb27 disable broken Windows e2e-with-binary (#1167)
• 8644a7a use sync.Once to init the global tuf root (#1163)
• 10b7f9d Add option to verify local image (#1159)
• bd8b7d5 bump k8s versions used for kind-e2e-cosigned (#1164)
• 1510379 Add make target for doc generation (#1162)
• 79a843b expand CI testing to Windows and OSX, fix issues uncovered (#1158)
• 9394f85 Pull in the new Fulcio client code. (#1126)
• dd53292 return error when rekor pub cannot be retrieved, fix file path construction (#1157)
• a684c45 add job to run some e2e tests to sing a artifcat and check the outputs (#1154)
• 96c02ba fix: improve perms, error handling (#1151)
• ab632c8 update crane (#1150)
• b454d08 cosigned: add version to cosigned (#1139)
• 26c99d8 fix: --output-certificate not working properly (#1149)
• 430080f Fix bug when saving and loading an image index (#1147)
• 39e6540 sign-blob --output -> --output-signature (#1148)

Thanks for all contributors!

v1.4.0

Highlights

• BREAKING [COSIGN_EXPERIMENTAL]: This and future cosign releases will generate signatures that do not validate in older versions of cosign. This only applies to "keyless" experimental mode. To opt out of this behavior, use: --fulcio-url=https://fulcio.sigstore.dev when signing payloads (#1127)
• BREAKING [cosign/pkg]: SignedEntryTimestamp is now of type []byte. To get the previous behavior, call strfmt.Base64(SignedEntryTimestamp) (#1083)
• cosign-linux-pivkey-amd64 releases are now of the form cosign-linux-pivkey-pkcs11key-amd64 (#1052)
• Releases are now additionally signed using the keyless workflow (#1073, #1111)

Enhancements

• Validate the whole attestation statement, not just the predicate (#1035)
• Added the options to replace attestations using cosign attest --replace (#1039)
• Added URI to cosign verify-blob output (#1047)
• Signatures and certificates created by cosign sign and cosign sign-blob can be output to file using the --output-signature and --output-certificate flags, respectively (#1016, #1093, #1066, #1095)
• [cosign/pkg] Added the pkg/oci/layout package for storing signatures and attestations on disk (#1040, #1096)
• [cosign/pkg] Added mutate methods to attach oci.Files to oci.Signed* objects (#1084)
• Added the --signature-digest-algorithm flag to cosign verify, allowing verification of container image signatures which were generated with a non-SHA256 signature algorithm (#1071)
• Builds should now be reproducible (#1053)
• Allows base64 files as --cert in cosign verify-blob (#1088)
• Kubernetes secrets generated for version >= 1.21 clusters have the immutible bit set (#1091)
• Added cosign save and cosign load commands to save and upload container images and associated signatures to disk (#1094)
• cosign sign will no longer fail to sign private images in keyless mode without --force (#1116)
• cosign verify now supports signatures stored in files and remote URLs with --signature (#1068)
• cosign verify now supports certs stored in files (#1095)
• Added support for syft format in cosign attach sbom (#1137)

Bug Fixes

• Fixed verification of Rekor bundles for InToto attestations (#1030)
• Fixed a potential memory leak when signing and verifying with security keys (#1113)

Contributors

• Ashley Davis (@SgtCoDFish)
• Asra Ali (@asraa)
• Batuhan Apaydın (@developer-guy)
• Brandon Philips (@philips)
• Carlos Alexandro Becker (@caarlos0)
• Carlos Panato (@cpanato)
• Christian Rebischke (@shibumi)
• Dan Lorenc (@dlorenc)
• Erkan Zileli (@erkanzileli)
• Furkan Türkal (@Dentrax)
• garantir-km (@garantir-km)
• Jake Sanders (@dekkagaijin)
• jbpratt (@jbpratt)
• Matt Moore (@mattmoor)
• Mikey Strauss (@houdini91)
• Naveen Srinivasan (@naveensrinivasan)
• Priya Wadhwa (@priyawadhwa)
• Sambhav Kothari (@samj1912)

Changelog

• 50315fc remove obsolete --output flag (#1146)
• a1efb18 add relnotes for v1.4.0 (#1145)
• a47a835 feat: enable --check flag of addlicense (#1135)
• e48db5a Add support for syft json type to cosign (#1137)
• 7de7387 Use --recursive flag in sign example (#1143)
• 6d8cec1 Fixed a typo in README.md (#1142)
• 63e9342 cjson - Move to go-securesystemslib (#1141)
• e233ce8 update ghcr.io/gythialy/golang-cross to use go 1.17.4 (#1133)
• a05dc7b Bump deps (#1132)
• 7e5ff00 send User-Agent string w/ rekor, fulcio, and ggcr HTTP requests (#1131)
• dbb2a17 Switch (temporarily) the fulcio endpoint to our new v1 service. (#1127)
• 9076d71 feat: sign --output-certificate and verify --cert (#1095)
• 034e946 Update output to note when signatures are pushed (#1117)
• 54fb569 feat: support signature file in verify cmd (#1068)
• ec00f69 Make the transparency log upload non-fatal. (#1116)
• 1da6742 have rekor.NewSigner accept a *client.Rekor instead of a URL (#1115)
• ac7e33c call Close() on security keys before returning error (#1113)
• 2294fd4 Add Fulcio v1 root to the cosign (#1112)
• 304c2b2 continued sign refacc (#1098)
• a035b27 add keyless to the binaries and send to tlog and update release docs (#1111)
• 9555f33 use hashed rekord type for tlog upload (#1081)
• 6fc942b plumb context through to tlog requests (#1103)
• fcc8256 minor: supply ShouldUploadToTlog with context (#1104)
• 690853e Bump non-k8s deps (#1102)
• 040ed3d feat(ci): Add Gofish support (#996)
• 79f0247 Bump go-containerregistry to pickup the update to image-spec (#1092)
• 2dc6e4f Add support for storing attestations in oci/layout (#1096)
• 98cf544 Update slsa-provenance predicate to v0.2 (#1054)
• 7ec91a4 Add cosign save and cosign load commands (#1094)
• e1141af refactoring signature logic (#1065)
• 4274149 fix: alias output to output-signature on sign-blob (#1093)
• 86bf37f feat(k8s): set secret immutable by default for 1.21 (#1091)
• 2cc9c9a Bump client-go and viper. (#1089)
• aff2e37 feat: verify-blob --cert base64 (#1088)
• 5586790 fix: reproducible builds (#1053)
• 1974064 Add flag for manually specifying a hash algo when verifying (#1071)
• 90e2dcf Prune a few dependencies from ./pkg/oci (#1085)
• eed3e12 Add mutate.AttachFileTo* for attaching SBOMs. (#1084)
• e1acd18 Drop strfmt.Base64 from pkg/oci. (#1083)
• f8f0f6d Add layout package for writing and loading signatures from disk (#1040)
• 9cf8c3f Bump some deps that dependabot missed. (#1079)
• 18318ba implement output-signature and output-certificate flags (#1016)
• 857d9a5 adding keyless (#1073)
• 01b6c8f sync go mod (#1072)
• 943e824 feat: add output flag for signCmd (#1066)
• d673477 Add PKCS11 tag in releaser and Makefile for Mac and Windows (#1052)
• 413d06e fix root path (#1062)
• e868a54 cmd: update triangulate help command (#1061)
• d48fe25 verify-blob: add URI to verify-blob output (#1047)
• c5e3393 cmd: update clean command help (#1058)
• bada59e remove reverseDSSEVerifier in favor of using DSSE utilities directly (#1056)
• 3e43108 Remove img field from sigLayer (#1042)
• ccc4468 feat: replace option for same attestation (#1039)
• 5468ddc Patch support attestation log search and bundle to payload hash check (#1030)
• fe00315 README: simplify the install section (#1049)
• cd7e6a8 verify-blob: make the signature flag mandatory (#1045)
• 6ed55d6 split private signature and attestation verification fns (#1043)
• c338616 PKCS11: Fix certificate check (#1041)
• f1ec3a6 update ggcr to HEAD to eliminate (false) vuln finding (#1044)
• 89f3590 Adds a test to the cosigned e2e suite with multiple keys. (#943)
• c85db3a release: update cosign to 1.3.1 (#1038)
• 84c94b6 feat: validate whole statement not just predicate part (#1035)

Thanks for all contributors!