Patch release — first signed Terrapod release.
Security
- Signed release artifacts (#549) — every container image and the Helm chart are now keyless-signed with cosign (Sigstore, GitHub OIDC — no long-lived key, logged in Rekor), and each image carries a SLSA build-provenance attestation. Verify with
cosign verify/gh attestation verify— see docs/supply-chain-verification.md.
Note: the on-image SBOM attestation in this release is attached via cosign's legacy tag scheme and is not discoverable via the documented
cosign verify-attestationcommand; this is corrected in v0.49.2 (SBOM attached as an OCI referrer). SPDX SBOMs are also attached to this release as files.
Full Changelog: v0.49.0...v0.49.1