Releases: tektoncd/chains
v0.9.0
🎉 v0.9.0 🎉
- Docs @ v0.9.0
- Examples @ v0.9.0
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.9.0/release.yaml
Attestation
The Rekor UUID for this release is b634b3a883c0cb37805651f342b1778108fbed4cd7b02260180de83cb7994f89
Obtain the attestation:
REKOR_UUID=b634b3a883c0cb37805651f342b1778108fbed4cd7b02260180de83cb7994f89
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq
Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.9.0/release.yaml
REKOR_UUID=b634b3a883c0cb37805651f342b1778108fbed4cd7b02260180de83cb7994f89
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.9.0@sha256:" + .digest.sha256')
# Download the release file
curl "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf '%s' "$image"; grep -q "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done
Changes
Features
- Specify provider and oidc issuer when requesting fulcio cert (#440)
- Add support for Grafeas storage backend (#389)
- Add support for PubSub storage backend (#386)
- Adding Spire OIDC for Vault authentication (#369)
Deprecation Notices
tekton-provenance format has officially been removed in this release
Please switch to the in-toto format by running:
kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.taskrun.format": "in-toto"}}'
- Remove tekton-provenance format (#439)
In current release:
Fixes
- Fix flaky grafeas unit test (#427)
Misc
- Fix nightly builds (#422)
- Use sigstore/scaffolding github actions now that it's out there. (#409)
- Revert default fulcio URL to fulcio.sigstore.dev (#388)
Docs
- Add docs for secrets based on existing credentials (#430)
- Add godoc documentation (#414)
- Add community tutorial subsection (#379)
- Fix default fulcio addr in docs (#365)
Thanks
Thanks to these contributors who contributed to v0.9.0!
- ❤️ @Yongxuanzhang
- ❤️ @chuangw6
- ❤️ @concaf
- ❤️ @dependabot[bot]
- ❤️ @imjasonh
- ❤️ @lcarva
- ❤️ @loosebazooka
- ❤️ @piyush-garg
- ❤️ @priyawadhwa
- ❤️ @rgreinho
- ❤️ @sudo-bmitch
- ❤️ @tcnghia
- ❤️ @vaikas
- ❤️ @wlynch
Extra shout-out for awesome release notes:
- 😍 @Yongxuanzhang
- 😍 @chuangw6
- 😍 @concaf
- 😍 @dependabot[bot]
- 😍 @imjasonh
- 😍 @lcarva
- 😍 @loosebazooka
- 😍 @piyush-garg
- 😍 @priyawadhwa
- 😍 @rgreinho
- 😍 @sudo-bmitch
- 😍 @tcnghia
- 😍 @vaikas
- 😍 @wlynch
v0.8.0
🎉 v0.8.0 🎉
- Docs @ v0.8.0
- Examples @ v0.8.0
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.8.0/release.yaml
Verify the Release
The Rekor UUID for this release is 03e4be44d69a2697dc770c5aa3decd8fa945dcd8a4e6901bb109ccf1f4acb735
Obtain the attestation:
rekor-cli get --uuid 03e4be44d69a2697dc770c5aa3decd8fa945dcd8a4e6901bb109ccf1f4acb735 --format json | jq -r .Attestation | base64 --decode | jq
Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.8.0/release.yaml
REKOR_UUID=03e4be44d69a2697dc770c5aa3decd8fa945dcd8a4e6901bb109ccf1f4acb735
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.8.0@sha256:" + .digest.sha256')
# Download the release file
curl "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
# For each image in the attestation, match its digest to the release file, then
# verify that the image and its attestation were signed with cosign
# (github.com/sigstore/cosign) using the Tekton public key
for image in $REKOR_ATTESTATION_IMAGES; do
printf '%s' "$image"; grep -q "${image##*@}" release.yaml && echo " ===> ok" || echo " ===> no match";
cosign verify --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
cosign verify-attestation --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
done
Features
- Add chains-info ConfigMap with version info (#338)
Deprecation Notices
- This release marks a new default value for signers.x509.fulcio.address. The default value was previously https://fulcio.sigstore.dev, and it is now https://v1.fulcio.sigstore.dev to match the default in cosign. The old value can still be set by running:
kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"signers.x509.fulcio.address": "https://fulcio.sigstore.dev"}}'
Fixes
- Bump go-containerregistry and k8schain to pick up new cred helpers (#364)
- Pass in authentication when getting remote image (#361)
- Change default Fulcio URL to match cosign's (#360)
- Add securityContext to controller pod (#346)
Misc
- Remove unused options from artifacts.oci.format and artifacts.oci.storage (#334)
Docs
- Fix namespace typo (#357)
Thanks
Thanks to these contributors who contributed to v0.8.0!
- ❤️ @concaf
- ❤️ @dependabot[bot]
- ❤️ @imjasonh
- ❤️ @priyawadhwa
- ❤️ @pxp928
- ❤️ @rgreinho
- ❤️ @tcnghia
Extra shout-out for awesome release notes:
- 😍 @concaf
- 😍 @dependabot[bot]
- 😍 @imjasonh
- 😍 @priyawadhwa
- 😍 @pxp928
- 😍 @rgreinho
- 😍 @tcnghia
v0.7.0
🎉 v0.7.0 🎉
- Docs @ v0.7.0
- Examples @ v0.7.0
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.7.0/release.yaml
Verify the Release
The Rekor UUID for this release is 95eee9e2e5fd7b4200895544edf3e411e6592c61454883d3f38db47fa285f1ef
Obtain the attestation:
rekor-cli get --uuid 95eee9e2e5fd7b4200895544edf3e411e6592c61454883d3f38db47fa285f1ef --format json | jq -r .Attestation | base64 --decode | jq
Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.7.0/release.yaml
REKOR_UUID=95eee9e2e5fd7b4200895544edf3e411e6592c61454883d3f38db47fa285f1ef
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.7.0@sha256:" + .digest.sha256')
# Download the release file
curl "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
# For each image in the attestation, match its digest to the release file, then
# verify that the image and its attestation were signed with cosign
# (github.com/sigstore/cosign) using the Tekton public key
for image in $REKOR_ATTESTATION_IMAGES; do
printf '%s' "$image"; grep -q "${image##*@}" release.yaml && echo " ===> ok" || echo " ===> no match";
cosign verify --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
cosign verify-attestation --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
done
Features
- Add support for all of cosign's ambient credentials. (#319)
- Allow IMAGES result to be separated by newlines (#315)
- added multi-backend support (#302)
- Implement missing features to OCI backend (#284)
Deprecation Notices
- 🚨 Deprecate the tekton-provenance predicate format (#292)
This feature will be removed in v0.8.0. To switch to the in-toto format, which is now the preferred format, please run:
kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.taskrun.format": "in-toto"}}'
Fixes
- Make builder id for SLSA provenance valid URI (#331)
- Make SLSA provenance v0.2 invocation.parameters compliant with spec (#307)
- Fix bugs in provenance implementation for materials.digest (#310)
- Fix bug in uploading signatures to OCI (#298)
Docs
- Fix in-toto chains docs typos (#337)
- Add installation instructions for OpenShift (#335)
- Use cosign flags with 2 hyphens (#327)
Thanks
Thanks to these contributors who contributed to v0.7.0!
- ❤️ @concaf
- ❤️ @loosebazooka
- ❤️ @mattmoor
- ❤️ @mlieberman85
- ❤️ @priyawadhwa
- ❤️ @pxp928
- ❤️ @rgreinho
- ❤️ @sublimino
Extra shout-out for awesome release notes:
- 😍 @concaf
- 😍 @loosebazooka
- 😍 @mattmoor
- 😍 @mlieberman85
- 😍 @priyawadhwa
- 😍 @pxp928
- 😍 @rgreinho
- 😍 @sublimino
v0.6.1
🎉 v0.6.1 🎉
- Docs @ v0.6.1
- Examples @ v0.6.1
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.6.1/release.yaml
Verify the Release
The Rekor UUID for this release is a22059b0b4950faa7dedc36d8bfd998eefbf200f5ac7f1575ed812691021413a
Obtain the attestation:
rekor-cli get --uuid a22059b0b4950faa7dedc36d8bfd998eefbf200f5ac7f1575ed812691021413a --format json | jq -r .Attestation | base64 --decode | jq
Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.6.1/release.yaml
REKOR_UUID=a22059b0b4950faa7dedc36d8bfd998eefbf200f5ac7f1575ed812691021413a
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.6.1@sha256:" + .digest.sha256')
# Download the release file
curl "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
# For each image in the attestation, match its digest to the release file, then
# verify that the image and its attestation were signed with cosign
# (github.com/sigstore/cosign) using the Tekton public key
for image in $REKOR_ATTESTATION_IMAGES; do
printf '%s' "$image"; grep -q "${image##*@}" release.yaml && echo " ===> ok" || echo " ===> no match";
cosign verify --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
cosign verify-attestation --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
done
Fixes
- Fix bug in uploading signatures to OCI (#298)
Thanks
Thanks to these contributors who contributed to v0.6.1!
- ❤️ @priyawadhwa
Extra shout-out for awesome release notes:
v0.6.0
🎉 v0.6.0 🎉
Note: This release has a known bug uploading signatures and attestations to OCI. A point release with a fix should be out soon!
- Docs @ v0.6.0
- Examples @ v0.6.0
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.6.0/release.yaml
Changes
Features
- Capture step information in recipe.arguments for in-toto/slsa Provenance (#272)
- Upgrade slsa-provenance format to v0.2 (#291)
- Add new signing and storage features (#245)
Deprecation Notices
- 🚨 Deprecate the tekton-provenance predicate format (#292)
This feature will be removed in v0.8.0. To switch to the in-toto format, which is now the preferred format, please run:
kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.taskrun.format": "in-toto"}}'
Fixes
- fix: look for materials/git metadata in taskrun results too (#263)
- Fix bug uploading slsa-provenance attestations to oci (#255)
Docs
- 📖 Add front matter to docs (#285)
Thanks
Thanks to these contributors who contributed to v0.6.0!
- ❤️ @adityasaky
- ❤️ @afrittoli
- ❤️ @bobcallaway
- ❤️ @csullivannet
- ❤️ @loosebazooka
- ❤️ @mtcolman
- ❤️ @priyawadhwa
- ❤️ @pxp928
- ❤️ @rgreinho
- ❤️ @sbose78
Extra shout-out for awesome release notes:
- 😍 @adityasaky
- 😍 @afrittoli
- 😍 @bobcallaway
- 😍 @csullivannet
- 😍 @loosebazooka
- 😍 @mtcolman
- 😍 @priyawadhwa
- 😍 @pxp928
- 😍 @rgreinho
- 😍 @sbose78
Tekton Chains v0.5.0
🎉 v0.5.0 🎉
- Docs @ v0.5.0
- Examples @ v0.5.0
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.5.0/release.yaml
Fixes
- Fix _type field in in-toto provenance generation (#235)
- Fix bug in transparency log uploads (#233)
- Fix another bug in materials and add integration test (#230)
- Check task status params to create materials for provenance (#229)
- Fix bug in storing attestations in OCI registry (#227)
- fix incorrect cd (#223)
- Fix some bugs in uploading attestations (#220)
Misc
- Simplify looking up the RekorAnnotation, add Unit Test for HandleRetry failure (#232)
- Bump in-toto dependency. (#226)
- Bump most dependencies (outside of the k8s codegen and client-go). (#222)
- Switch the linter from golint to revive. (#219)
- 🔨 Bump Pipeline, Knative, K8s deps (#218)
Docs
Verify the Release
The Rekor UUID for this release is 3a62d47dcbe0727513ac2e2dcc3a41bfd413ebc128bb661ed4f115d4db83200f
Obtain the attestation:
rekor-cli get --uuid 3a62d47dcbe0727513ac2e2dcc3a41bfd413ebc128bb661ed4f115d4db83200f --format json | jq -r .Attestation | base64 --decode | jq
Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.5.0/release.yaml
REKOR_UUID=3a62d47dcbe0727513ac2e2dcc3a41bfd413ebc128bb661ed4f115d4db83200f
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.5.0@sha256:" + .digest.sha256')
# Download the release file
curl "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file, then
# verify that the image and its attestation were signed with cosign
# (github.com/sigstore/cosign) using the Tekton public key
for image in $REKOR_ATTESTATION_IMAGES; do
printf '%s' "$image"; grep -q "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
cosign verify --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
cosign verify-attestation --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
done
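The "match each attested image to the release file" step above is repeated in every release's verification script, in two variants: v0.9.0 and v0.5.0 grep for the whole name:tag@digest string, while v0.8.0 through v0.6.1 grep only for the digest (${image##*@}). The following is an added example, not code from the Tekton Chains project, that re-implements that step offline in Python so the difference can be seen on constructed input: a decoded in-toto statement with made-up image names and digests, and a constructed release.yaml fragment that pins the controller under a different tag than the attestation names, omits one attested image, and contains a sidecar image the attestation never covers. It also adds the reverse check (digests pinned in the release file that no attestation subject covers), which the release-note scripts do not perform.

```python
import json
import re

# Constructed sample: the decoded in-toto statement that
# `rekor-cli get ... | jq -r .Attestation | base64 --decode` would print,
# trimmed to the fields the check reads. Image names and digests are made up.
SAMPLE_ATTESTATION = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [
        {"name": "gcr.io/tekton-releases/github.com/tektoncd/chains/cmd/controller",
         "digest": {"sha256": "aa" * 32}},
        {"name": "gcr.io/tekton-releases/github.com/tektoncd/chains/cmd/helper",
         "digest": {"sha256": "bb" * 32}},
    ],
})

# Constructed sample release.yaml fragment: the controller is pinned by digest
# under a different tag than the attestation names, the helper image is absent,
# and a sidecar image is present that the attestation does not cover.
SAMPLE_RELEASE_YAML = """\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: tekton-chains-controller
        image: gcr.io/tekton-releases/github.com/tektoncd/chains/cmd/controller:latest@sha256:%s
      - name: sidecar
        image: example.invalid/sidecar@sha256:%s
""" % ("aa" * 32, "cc" * 32)

DIGEST_RE = re.compile(r"sha256:([0-9a-f]{64})")


def attestation_image_refs(attestation_json, version):
    """Build name:VERSION@sha256:DIGEST refs, as the jq filter in the release notes does."""
    statement = json.loads(attestation_json)
    return [f"{s['name']}:{version}@sha256:{s['digest']['sha256']}"
            for s in statement["subject"]]


def release_digests(release_yaml):
    """Every sha256 digest pinned anywhere in the release file."""
    return set(DIGEST_RE.findall(release_yaml))


def check_release(attestation_json, release_yaml, version):
    """Map each attested ref to True if its digest is pinned in the release file.

    Matching on the digest (the shell's ${image##*@}) rather than on the whole
    name:tag@digest string is what keeps the check independent of tag naming:
    the digest identifies the bytes that were built, the tag is only a label.
    """
    pinned = release_digests(release_yaml)
    result = {}
    for ref in attestation_image_refs(attestation_json, version):
        digest = ref.rsplit("@sha256:", 1)[1]
        result[ref] = digest in pinned
    return result


def unattested_digests(attestation_json, release_yaml):
    """Digests pinned in the release file that no attestation subject covers.

    The release-note scripts only check attestation -> release file; this is the
    reverse direction, which flags an image deployed without provenance.
    """
    attested = {s["digest"]["sha256"] for s in json.loads(attestation_json)["subject"]}
    return release_digests(release_yaml) - attested


if __name__ == "__main__":
    for ref, ok in check_release(SAMPLE_ATTESTATION, SAMPLE_RELEASE_YAML, "v0.9.0").items():
        print(f"{ref} ===> {'ok' if ok else 'no match'}")
    for digest in sorted(unattested_digests(SAMPLE_ATTESTATION, SAMPLE_RELEASE_YAML)):
        print(f"sha256:{digest} ===> pinned in release file but not attested")
```

Run against the constructed input, the controller matches even though the release file tags it "latest", the helper reports "no match", and the sidecar digest is reported as pinned but unattested. A whole-string grep, as in the v0.9.0 and v0.5.0 scripts, would have reported "no match" for the controller as well.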
Thanks
Thanks to these contributors who contributed to v0.5.0!
- ❤️ @danielhelfand
- ❤️ @dlorenc
- ❤️ @lukehinds
- ❤️ @mattmoor
- ❤️ @priyawadhwa
- ❤️ @vaikas
Extra shout-out for awesome release notes:
- 😍 @danielhelfand
- 😍 @dlorenc
- 😍 @lukehinds
- 😍 @mattmoor
- 😍 @priyawadhwa
- 😍 @vaikas
Tekton Chains v0.4.0
🎉 Chains v0.4.0 🎉
- Docs @ v0.4.0
- Examples @ v0.4.0
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.4.0/release.yaml
Changes
Features
- Add KeyID (public key fingerprint) to signature (#209)
- Add support for uploading attestations to OCI registries (#208)
- Add chains finalizer to taskruns. (#185)
- Explicitly pass in URL for provenance materials (#177)
- Add manual option for uploads to transparency log (#175)
Backwards incompatible changes
Fixes
- 🐛 Drop GCS storage backend from unit testing. (#215)
- Fix GIT_URL in release Pipeline (#216)
- Fix TestGCSStorage test (#214)
- Try to sign a TaskRun a maximum of 3 times (#207)
- Only upload to the tlog once! (#202)
- Doc: removed gen x509 Keypair, fixed cosign gen (#200)
- add missing recipe_uri in JSON (#182)
Misc
- 🔨 Pull in the latest tektoncd/pipeline codegen (and knative/pkg) (#201)
- Implemented license header check (#189)
- Bump github.com/tektoncd/pipeline from 0.25.0 to 0.26.0 (#186)
- Configure release to include materials section in provenance (#176)
Docs
- Removed the link to broken README.md within test (#197)
Thanks
Thanks to these contributors who contributed to v0.4.0!
- ❤️ @codysoyland
- ❤️ @dependabot[bot]
- ❤️ @developer-guy
- ❤️ @dlorenc
- ❤️ @mattmoor
- ❤️ @naveensrinivasan
- ❤️ @priyawadhwa
Extra shout-out for awesome release notes:
- 😍 @codysoyland
- 😍 @dependabot[bot]
- 😍 @developer-guy
- 😍 @dlorenc
- 😍 @mattmoor
- 😍 @naveensrinivasan
- 😍 @priyawadhwa
v0.3.0
🎉 Chains v0.3.0 🎉
- Docs @ v0.3.0
- Examples @ v0.3.0
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.3.0/release.yaml
Changes
Features
- Add IMAGES results type, to be used for releases (#153)
- Add support for uploading certs to rekor (#148)
- Fulcio signing in Chains (#147)
- Bump sigstore deps to pick up AWS KMS support. (#142)
- Add support for hinting multiple images as results (#129)
- Container native provenance predicate (#128)
- Support AWS DynamoDB in docdb package (#125)
- Transparency log uploads in chains! (#121)
- Support the ITE-5 signing spec (#109)
Deprecation Notices
- Remove PGP signing! (#144)
Fixes
- Fix docdb behavior on retries (#126)
- Fix format directive. (#160)
- Fix auth bug for pushing images in release pipeline (#170)
- Store cert/chain when wrapping payloads (#169)
- Don't require prefix when image hinting (#134)
Misc
- Change the ServiceAccount identity used for OCI storage backend. (#163)
- Update in-toto to pick up the new SSL/DSSE spec. (#127)
Docs
- Add some details to the roadmap (#136)
Thanks
Thanks to these contributors who contributed to v0.3.0!
- ❤️ @bobcatfish
- ❤️ @dlorenc
- ❤️ @mattmoor
- ❤️ @priyawadhwa
- ❤️ @trevrosen
Extra shout-out for awesome release notes:
- 😍 @bobcatfish
- 😍 @dlorenc
- 😍 @mattmoor
- 😍 @priyawadhwa
- 😍 @trevrosen
Tekton Chains release v0.2.0 "Tekton Chains"
🎉 v0.2.0 Release 🎉
- Docs @ v0.2.0
- Examples @ v0.2.0
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.2.0/release.yaml
Features
- in-toto attestations (ITE-6) as a formatter. (#89)
Docs
Thanks
Thanks to these contributors who contributed to v0.2.0!
- ❤️ @dlorenc
- ❤️ @kommendorkapten
- ❤️ @lukehinds
- ❤️ @priyawadhwa
Extra shout-out for awesome release notes:
v0.1.0
Tekton Chains v0.1.0 Release
This is the first release of tekton chains! Note, this is not a production ready release, rather just a release to make sure our release process is working as expected 😄
Stay tuned for the v0.2.0 release, which should have a bunch of cool new features!
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.1.0/release.yaml
Thank you to our contributors!
- Dan Lorenc
- Ivan Font
- Christie Wilson
- Luke Hinds
- sbwsg@
- Priya Wadhwa