New Features
Added support for Cosign Artifact Signing and Verification
This release introduces support for Sigstore/Cosign as the artifact signing and verification provider in Harbor. Cosign signs OCI artifacts and pushes the generated signature into Harbor. This signature is stored as an artifact accessory alongside the signed artifact. Harbor manages a link between the signed artifact and the Cosign signature, so features such as tag retention rules and immutable rules that you apply to a signed artifact extend to both the signed artifact and its signature. This allows you to use Harbor's built-in functionality to manage signed artifacts and Cosign signature accessories. Cosign signatures are also subject to Harbor's replication rules and are replicated at the same time as their signed artifact.
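The link between a signed artifact and its signature can be seen in a plain tag listing. The following is an added example, not Harbor or Cosign code: it assumes Cosign's default naming, where the signature for `sha256:<hex>` is pushed to the same repository under the tag `sha256-<hex>.sig`, and runs over a constructed listing to report signed tags, unsigned tags, and signatures whose subject is no longer present.

```python
import re

HEX64 = r"[0-9a-f]{64}"
# Assumption: Cosign's default signature tag, derived from the subject digest.
SIG_TAG = re.compile(rf"^sha256-({HEX64})\.sig$")


def signature_tag(digest: str) -> str:
    """Return the tag under which Cosign stores the signature for `digest`."""
    algo, _, hexval = digest.partition(":")
    if algo != "sha256" or not re.fullmatch(HEX64, hexval):
        raise ValueError(f"unsupported digest: {digest!r}")
    return f"sha256-{hexval}.sig"


def audit(tags: dict) -> dict:
    """`tags` maps tag name -> digest of the manifest that tag points to."""
    sig_subjects = set()   # digests that have a signature tag in the repo
    artifacts = {}         # ordinary tags (everything that is not a .sig tag)
    for tag, digest in tags.items():
        m = SIG_TAG.match(tag)
        if m:
            sig_subjects.add("sha256:" + m.group(1))
        else:
            artifacts[tag] = digest
    present = set(artifacts.values())
    return {
        "signed": sorted(t for t, d in artifacts.items() if d in sig_subjects),
        "unsigned": sorted(t for t, d in artifacts.items() if d not in sig_subjects),
        # Signature left behind after its subject was removed: the situation
        # that applying retention to artifact and accessory together avoids.
        "orphaned_signatures": sorted(signature_tag(d) for d in sig_subjects - present),
    }


# Constructed sample listing (digests are placeholders, not real images).
APP_V1 = "sha256:" + "a" * 64
APP_V2 = "sha256:" + "b" * 64
GONE = "sha256:" + "c" * 64
SAMPLE = {
    "v1": APP_V1,
    "latest": APP_V1,
    "v2": APP_V2,
    signature_tag(APP_V1): "sha256:" + "1" * 64,
    signature_tag(GONE): "sha256:" + "2" * 64,
}

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```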
Additional Features
- Improved performance for concurrent pull requests.
- Improved failure tolerance for garbage collection, which is now able to continue deleting subsequent artifacts when an error occurs while removing the current artifact.
- Replication now supports skipping artifacts in a proxy cache project.
- Activated distribution upload purging to remove orphaned files from the upload directories.
- Harbor is now built using Golang v1.17.7.
- Harbor now uses Distribution v2.8.0 and Trivy v0.22.0.
Breaking Changes
- As of Harbor v2.5, only PostgreSQL >= 10 is supported for external databases. Before upgrading, you should make sure that your external databases are using a supported version of PostgreSQL.
Deprecations
- The Harbor team is planning for the deprecation of Chartmuseum in a future release. You should consider using Helm v3.8+ to work with Harbor to manage the OCI-compatible charts. Please note that Chartmuseum-related feature requests or bug reports may not be prioritized going forward. For more information about this deprecation, see this GitHub discussion topic.