Releases: sigstore/fulcio

v1.8.3

04 Dec 17:59
3622f6e

Changelog

v1.8.3 fixes GHSA-f83f-xpx7-ffpw

  • 3622f6e update changelog for v1.8.3 release (#2234)
  • 765a0e5 Merge commit from fork (#2233)
  • 90f8520 build(deps): bump github.com/coreos/go-oidc/v3 from 3.16.0 to 3.17.0 (#2225)
  • d885841 build(deps): bump the all group across 1 directory with 6 updates (#2232)
  • a387888 build(deps): bump the all group with 4 updates (#2226)
  • 7b0c1a1 build(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#2227)
  • f0a0d05 build(deps): bump golang from e68f6a0 to 6981837 (#2222)
  • 4ed0ea1 Switch docker env from ct_server to TesseraCT (#2210)
  • e902cf8 feat: Add support for skipping email_verified claim requirement per issuer (#2220)
  • c0fc26c Add basic E2E tests (#2230)
  • a4ee860 build(deps): bump sigstore/scaffolding/trillian_log_signer (#2228)
  • 51d916e build(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 (#2216)
  • bd3a515 add meta-issuer circleci block (#2215)
  • c4d4789 add circleci info to fulcio (#2192)

Thanks to all contributors!

v1.8.2

19 Nov 18:06
v1.8.2
33129d0

v1.8.2

This release also changes the format of the binary and container signature, which is now a
Sigstore bundle. To verify a release, use the latest Cosign 3.x, verifying with
cosign verify-blob --bundle <artifact>-keyless.sigstore.json <artifact>

Testing

  • make email address in test cases rfc822 conformant (#2205)

v1.8.1

07 Nov 01:12
v1.8.1
c3e42f2

v1.8.1

Same as v1.8.0, but with a fix for the CI build pipeline.

v1.8.0

Bug Fixes

  • fix: K8s API does not accept unauthorized requests (#2111)
  • fix: vault for enterprise expects only the key name (#2117)
  • fix(config): respect cacert on oidc-issuers (#2098)
  • Register /healthz endpoint when listening on duplex http/grpc port (#2046)

Features

  • feat: adds cert loading and key-match validation. (#2173)
  • expose gcp kms retry and timeout options (#2132)
  • server: Use warning log level for client errors (#2147)
  • Add workflow to periodically validate OIDC issuers (#2188)
  • Add Chainguard issuer (#2078)
  • Add logging for template error (#2194)
  • Add extension for deployment environment (#2190)

Removal

  • Remove cmd/create_tink_keyset (#2096)

Full Changelog: v1.7.1...v1.8.1

v1.7.1

24 Apr 14:55
v1.7.1
f7a3a87

v1.7.1 contains a bug fix for extensions for CI providers where the OIDC claims
include HTML escape characters. If a client attempted to verify an extension value,
verification would fail unless an HTML-escaped string was used in the comparison.
Extension values will no longer be escaped.

Bug Fixes:

  • Do not HTML-escape extension values (#2023)

v1.7.0

11 Apr 17:19
v1.7.0
71e0039

v1.7.0

v1.7.0 includes a change to how proof of possession signatures are verified.
Fulcio has updated the expected hashing algorithm for ECDSA P-384 and P-521
signatures to be SHA-384 and SHA-512, in line with CSR signature verification.
Cosign is actively being updated to support this when signing with a
managed key and requesting a certificate.
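
The curve-dependent digest selection described in this note, as an added Go example that is not Fulcio's own code. The names hashByCurve, verifyPoP and demo are hypothetical; it assumes the signed message is the token subject and that P-256 pairs with SHA-256.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	_ "crypto/sha256" // registers crypto.SHA256
	_ "crypto/sha512" // registers crypto.SHA384 and crypto.SHA512
	"fmt"
)

// P-384 and P-521 follow the release note; P-256 -> SHA-256 is an assumption.
var hashByCurve = map[string]crypto.Hash{
	"P-256": crypto.SHA256,
	"P-384": crypto.SHA384,
	"P-521": crypto.SHA512,
}

func digest(h crypto.Hash, msg []byte) []byte {
	d := h.New()
	d.Write(msg)
	return d.Sum(nil)
}

// verifyPoP checks an ASN.1 ECDSA signature over subject, hashing by curve.
func verifyPoP(pub *ecdsa.PublicKey, subject, sig []byte) bool {
	h, ok := hashByCurve[pub.Curve.Params().Name]
	return ok && ecdsa.VerifyASN1(pub, digest(h, subject), sig)
}

// demo signs a constructed subject with a fresh P-384 key: SHA-384, then SHA-256.
func demo() (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	subject, ok := []byte("user@example.com"), [2]bool{}
	for i, h := range []crypto.Hash{crypto.SHA384, crypto.SHA256} {
		sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(h, subject))
		if err != nil {
			return false, false, err
		}
		ok[i] = verifyPoP(&priv.PublicKey, subject, sig)
	}
	return ok[0], ok[1], nil
}

func main() { fmt.Println(demo()) }
```

A P-384 signature made over a SHA-256 digest fails this check, which is the client-side mismatch to look for when a managed-key signing flow stops producing certificates after this release.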

Features

  • Allow configurable client signing algorithms (#1938)
  • Use different hash in proof of possession based on key (#1959)
  • Tls verification on OIDC issuers (#1932)
  • feat: adds cert-utility. (#1870)
  • feat: makes leaf optional and other changes. (#1931)

Bug Fixes

  • Remove err impossible condition: nil != nil (#1934)
  • mark principal and issuer class under pkg/identity as deprecated (#1980)

v1.6.6

22 Jan 19:02
v1.6.6
66a8ce7

v1.6.6

Features

  • Configure additional certificate extensions for Buildkite (#1903)
  • Relax gomod (#1909)
  • update builder to use go1.23.4 (#1883)
  • config: Add IBM OIDC provider (#1892)
  • Add Kaggle identity provider (#1850)

Contributors

  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Hayden B
  • James Healy
  • Stefan Berger
  • Trishank Karthik Kuppusamy

v1.6.5

09 Oct 14:17
v1.6.5
7920be2

v1.6.5

Features

  • use go1.23.2 (#1834)
  • fallback to json default cfg path if yaml does not exist (#1810)
  • Include IDP type and subject domain in configuration API response (#1824)

Documentation

  • Update OIDC claim mapping table to reflect the current state (#1801)

Contributors

  • Aditya Sirish
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Hayden B
  • Nina
  • Richard Fan

v1.6.4

04 Sep 20:00
5237979

Features

  • use go1.22.6 to build fulcio (#1793)

Bugs

  • Revert "If custom server url exists, use that instead of the default one." (#1791)

Contributors

  • Carlos Tadeu Panato Junior
  • Fredrik Skogman

Full Changelog: v1.6.3...v1.6.4

v1.6.3

23 Aug 16:33
v1.6.3
e86540d

v1.6.3

Features

  • If custom server url exists, use that instead of the default one. (#1776)

Contributors

  • Fredrik Skogman
  • Javan Lacerda

v1.6.2

15 Aug 19:12
v1.6.2
8acbceb

Changelog

Thanks to all contributors!