Releases: sigstore/timestamp-authority

v2.0.3

04 Dec 19:21
v2.0.3
22406c3

What's Changed

v2.0.3 fixes GHSA-4qg8-fj49-pxjh.

Full Changelog: v2.0.2...v2.0.3

v2.0.2

19 Nov 18:07
v2.0.2
8126286

v2.0.2

This release bumps the Go version to 1.25.

v2.0.1

14 Nov 19:31
v2.0.1
8d309bb

v2.0.1

This release is identical to v2.0.0, as it only contains a fix for the release pipeline.

v2.0.0 changes the default HTTP response code to 200 for timestamp responses,
which matches all other well-known TSA implementations. Sigstore clients already
handle both 200 and 201 response codes, so no changes are needed to clients.

If you need backwards compatibility, you can deploy the service with
--use-http-201.

This release also changes the format of the binary and container signature,
which is now a Sigstore bundle.
To verify a release, use the latest Cosign 3.x, verifying with
cosign verify-blob --bundle <artifact>-keyless.sigstore.json <artifact>.

Features

  • changes default HTTP response code to 200 for timestamp responses (#1202)
  • feat: add configurable max request body size for TSA server (#1176)

Testing

  • test: Add a K6 loadtest

Documentation

  • Minor improvements to documentation (#1169)

Misc

  • (fix): minor gosec issues under x509.go (#1201)

Full Changelog: v1.2.9...v2.0.1

v1.2.9

08 Sep 18:23
v1.2.9
6a9f9e6

What's Changed

  • fix panic in cosign verify-attestation in #1099
  • add documentation for AWS KMS example in #1094
  • add feature to disable intermediate cert EKU enforcement in #1146
  • logging: Don't use Error when logging 4xx responses in #1159

Full Changelog: v1.2.8...v1.2.9

v1.2.8

03 Jun 15:15
v1.2.8
7c693ae

v1.2.8

Features

  • Allow full issuing chain in response (#1082)
  • Relax EKU chaining rules verification for intermediate certs (#1078)

Full Changelog: v1.2.7...v1.2.8

v1.2.7

09 May 17:07
v1.2.7
3118fe7

What's Changed

Full Changelog: v1.2.6...v1.2.7

v1.2.6

16 Apr 13:42
v1.2.6
679cce9

What's Changed

Full Changelog: v1.2.5...v1.2.6

v1.2.5

31 Mar 13:14
8b8975c

Changelog

v1.2.4

22 Jan 00:26
1d583aa

What's Changed

  • Fix timestamp as GMT in #847
  • chore: relax go directive to permit 1.22.x by @dnwe in #927

Full Changelog: v1.2.3...v1.2.4

v1.2.3

25 Sep 14:04
b3b3209

What's Changed

  • Bump go.step.sm/crypto from 0.43.0 to 0.43.1 by @dependabot in #639
  • Bump actions/dependency-review-action from 4.1.0 to 4.1.1 by @dependabot in #640
  • Bump actions/dependency-review-action from 4.1.1 to 4.1.2 by @dependabot in #641
  • Bump go.uber.org/zap from 1.26.0 to 1.27.0 by @dependabot in #643
  • Bump actions/dependency-review-action from 4.1.2 to 4.1.3 by @dependabot in #642
  • Don't mark hash argument as required. by @kommendorkapten in #644
  • Bump codecov/codecov-action from 4.0.1 to 4.1.0 by @dependabot in #646
  • Bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0 by @dependabot in #652
  • Bump github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.8.1 to 1.8.2 by @dependabot in #648
  • Bump github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.8.1 to 1.8.2 by @dependabot in #649
  • Bump github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.8.1 to 1.8.2 by @dependabot in #650
  • Bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.8.1 to 1.8.2 by @dependabot in #651
  • Bump github.com/sigstore/sigstore from 1.8.1 to 1.8.2 by @dependabot in #653
  • Bump github.com/go-openapi/strfmt from 0.22.0 to 0.22.1 by @dependabot in #654
  • Bump github.com/go-openapi/spec from 0.20.14 to 0.20.15 by @dependabot in #656
  • Bump github.com/go-openapi/loads from 0.21.5 to 0.21.6 by @dependabot in #657
  • Bump github.com/go-playground/validator/v10 from 10.18.0 to 10.19.0 by @dependabot in #660
  • Bump actions/cache from 4.0.0 to 4.0.1 by @dependabot in #655
  • Bump golang.org/x/net from 0.21.0 to 0.22.0 by @dependabot in #662
  • Bump github.com/go-openapi/runtime from 0.27.1 to 0.27.2 by @dependabot in #661
  • Bump github.com/golang/protobuf from 1.5.3 to 1.5.4 by @dependabot in #663
  • Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 by @dependabot in #664
  • Bump anchore/sbom-action from 0.15.8 to 0.15.9 by @dependabot in #666
  • Bump github.com/go-jose/go-jose/v3 from 3.0.2 to 3.0.3 by @dependabot in #668
  • Bump gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3 by @dependabot in #667
  • Bump github.com/go-openapi/runtime from 0.27.2 to 0.28.0 by @dependabot in #673
  • Bump actions/checkout from 4.1.1 to 4.1.2 by @dependabot in #674
  • Bump cloud.google.com/go/security from 1.15.5 to 1.15.6 by @dependabot in #675
  • Bump go.step.sm/crypto from 0.43.1 to 0.44.0 by @dependabot in #677
  • Bump go.step.sm/crypto from 0.44.0 to 0.44.1 by @dependabot in #681
  • Bump actions/dependency-review-action from 4.1.3 to 4.2.3 by @dependabot in #678
  • Bump dependabot/fetch-metadata from 1.6.0 to 2.0.0 by @dependabot in #680
  • Bump slsa-framework/slsa-github-generator from 1.9.0 to 1.10.0 by @dependabot in #679
  • Bump actions/cache from 4.0.1 to 4.0.2 by @dependabot in #676
  • Bump actions/dependency-review-action from 4.2.3 to 4.2.4 by @dependabot in #682
  • Bump actions/dependency-review-action from 4.2.4 to 4.2.5 by @dependabot in #683
  • Bump anchore/sbom-action from 0.15.9 to 0.15.10 by @dependabot in #684
  • Bump codecov/codecov-action from 4.1.0 to 4.1.1 by @dependabot in #685
  • Bump go.step.sm/crypto from 0.44.1 to 0.44.2 by @dependabot in #686
  • Bump github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.8.2 to 1.8.3 by @dependabot in #691
  • Bump github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.8.2 to 1.8.3 by @dependabot in #687
  • Bump github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.8.2 to 1.8.3 by @dependabot in #688
  • Bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.8.2 to 1.8.3 by @dependabot in #689
  • Bump github.com/sigstore/sigstore from 1.8.2 to 1.8.3 by @dependabot in #690
  • Bump sigs.k8s.io/release-utils from 0.7.7 to 0.8.0 by @dependabot in #692
  • Bump codecov/codecov-action from 4.1.1 to 4.2.0 by @dependabot in #695
  • Bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #693
  • Bump golang.org/x/net from 0.23.0 to 0.24.0 by @dependabot in #696
  • Bump sigs.k8s.io/release-utils from 0.8.0 to 0.8.1 by @dependabot in #697
  • Bump codecov/codecov-action from 4.2.0 to 4.3.0 by @dependabot in #698
  • Bump go.step.sm/crypto from 0.44.2 to 0.44.3 by @dependabot in #699
  • Bump sigstore/cosign-installer from 3.4.0 to 3.5.0 by @dependabot in #700
  • Bump go.step.sm/crypto from 0.44.3 to 0.44.5 by @dependabot in #702
  • Bump cloud.google.com/go/security from 1.15.6 to 1.16.0 by @dependabot in #701
  • Bump go.step.sm/crypto from 0.44.5 to 0.44.6 by @dependabot in #703
  • Bump actions/upload-artifact from 4.3.1 to 4.3.2 by @dependabot in #704
  • Bump actions/checkout from 4.1.2 to 4.1.3 by @dependabot in #705
  • Bump actions/upload-artifact from 4.3.2 to 4.3.3 by @dependabot in #706
  • Bump go.step.sm/crypto from 0.44.6 to 0.44.7 by @dependabot in #708
  • Bump github.com/rs/cors from 1.10.1 to 1.11.0 by @dependabot in #709
  • Bump actions/checkout from 4.1.3 to 4.1.4 by @dependabot in #712
  • Bump dependabot/fetch-metadata from 2.0.0 to 2.1.0 by @dependabot in #711
  • Bump golangci/golangci-lint-action from 4.0.0 to 5.0.0 by @dependabot in #710
  • Bump go.step.sm/crypto from 0.44.7 to 0.44.8 by @dependabot in #714
  • Bump anchore/sbom-action from 0.15.10 to 0.15.11 by @dependabot in #713
  • Bump golangci/golangci-lint-action from 5.0.0 to 5.1.0 by @dependabot in #715
  • Bump actions/dependency-review-action from 4.2.5 to 4.3.1 by @dependabot in #716
  • Bump github.com/go-playground/validator/v10 from 10.19.0 to 10.20.0 by @dependabot in #717
  • Bump google.golang.org/protobuf from 1.33.0 to 1.34.0 by @dependabot in #718
  • Bump actions/dependency-review-action from 4.3.1 to 4.3.2 by @dependabot in #719
  • Bump codecov/codecov-action from 4.3.0 to 4.3.1 by @dependabot in #720
  • Bump cloud.google.com/go/security from 1.16.0 to 1.16.1 by @dependabot in #721
  • Bump github.com/beevik/ntp from 1.3.1 to 1.4.1 by @dependabot in #724
  • Bump actions/setup-go from 5.0.0 to 5.0.1 by @dependabot in #723
  • Bump slsa-framework/slsa-github-generator from 1.10.0 to 2.0.0 by @dependabot in #707
  • Bump golangci/golangci-lint-action from 5.1.0 to 5.3.0 by @dependabot in http...