Spin 2.4.3
This is a security patch release to resolve GHSA-f3h7-gpjj-wcvh
Fix: ed8a665
Verifying the Release Signature 🔏
After downloading the v2.4.3 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.
First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:
cosign verify-blob \
--signature spin.sig --certificate crt.pem \
--certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.4.3 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository fermyon/spin \
spin
If the verification passed, you should see:
Verified OK
Addendum: Due to #2502, the spin-v2.4.3-macos-amd64.tar.gz archive has been rebuilt, signed and uploaded manually.
The user identity that signed the artifact is @vdice via GitHub OAuth, so the full verification command is as follows:
cosign verify-blob \
--signature spin.sig \
--certificate crt.pem \
--certificate-identity vaughn.dice@fermyon.com \
--certificate-oidc-issuer https://github.com/login/oauth \
spin
Full Changelog: v2.4.2...v2.4.3