This is the second release of cosign! If you came for puns, check out yesterday's Twitter thread.
The release is available here in this repo, and on Google Cloud Storage in the bucket cosign-releases. This release is now cross-platform, so be careful with installer scripts! You can find that here:
$ gsutil ls gs://cosign-releases/v0.2.0/
gs://cosign-releases/v0.2.0/cosign-darwin-amd64
gs://cosign-releases/v0.2.0/cosign-darwin-amd64.sig
gs://cosign-releases/v0.2.0/cosign-linux-amd64
gs://cosign-releases/v0.2.0/cosign-linux-amd64.sig
Check out the full CHANGELOG.md for the details, but here are some highlights and lowlights:
We still expect many flags, commands, and formats to change going forward, but we're getting closer.
No backwards compatibility is promised or implied.
Enhancements
- The password for private keys can now be passed via the COSIGN_PASSWORD
- KMS keys can now be used to sign and verify blobs
- The version command can now be used to return the release version
- The public-key command can now be used to extract the public key from KMS or a private key
- The COSIGN_REPOSITORY environment variable can be used to store signatures in an alternate location
- Tons of new EXAMPLES in our help text
Bug Fixes
- Improved error messages for command line flag verification
- TONS more unit and integration testing
- Too many others to count :)
Contributors
We would love to thank the contributors:
- Dan Lorenc
- Priya Wadhwa
- Ahmet Alp Balkan
- Naveen Srinivasan
- Chris Norman
- Jon Johnson
- Kim Lewandowski
- Luke Hinds
- Bob Callaway
- Dan POP
- eminks
- Mark Bestavros
- Jake Sanders