github sigstore/cosign v1.0.0


Cosign 1.0!

This is the first production ready, non-pre-release version of the cosign tool!

Huge thanks to the entire sigstore community!

Enhancements

  • BREAKING: The default HSM key slot is now "signature" instead of "authentication" (#450)
  • BREAKING: --fulcio-server is now --fulcio-url (#471)
  • Added -cert flag to sign to allow the explicit addition of a signature certificate (#451)
  • Added the attest command (#458)
  • Added numerous flags for specifying parameters when interacting with Rekor and Fulcio (#462)
  • cosign will now send its version string as part of the user-agent when interacting with a container registry (#479)
  • Files containing certificates for custom Fulcio endpoints can now be specified via the COSIGN_ROOT environment variable (#477)

Bug Fixes

  • Fixed a situation where a lower-case "as" in a Dockerfile would break verify-dockerfile (compliments to @Dentrax, #433)

Verification

The releases are signed using cosign, and can be verified with a previous release or openssl. The key used is currently stored in this repository (at the commit the build was done from) in the release/release-cosign.pub file.

Each binary is signed, and the corresponding .sig file is uploaded here. For darwin-amd64, using openssl:

$ openssl dgst -sha256 -verify release/release-cosign.pub -signature <(cat cosign-darwin-amd64.sig | base64 -D) cosign-darwin-amd64
Verified OK

With cosign:

$ cosign verify-blob -key release/release-cosign.pub -signature cosign-darwin-amd64.sig cosign-darwin-amd64
Verified OK

Full Changelog

33973d0 Allow multiple files per archive. (#497)
302c339 v1.0.0 relnotes (#493)
90efb9f cloudbuild: remove not needed dependency library (#495)
cdd92da Add missing code of conduct (stock sigstore one) (#496)
14d1d0a Allow custom root PEM (#477)
1a660a2 Avoid remote.Gets when the ref contains a digest (#487)
ade62cd Update the docs to be explicit around 1.0! (#489)
edd65a8 Only run codeql post-merge. (#488)
d0d11ee Minor update to README.md (#486)
1f9d3d9 Chore fixes (#476)
6f42979 move fulcio utils out of pkg (#482)
4155550 Unexport pkg/cosign/remote.StaticLayer (#483)
c076106 use Fulcio's client creation utility (#480)
94d54b8 Add cosign/ to useragent for remote calls (#479)
5a426a5 add additional KMS use cases of cosign (#473)
364cadc Add "cosign attest" command! (#458)
d401496 fulcio-server -> fulcio-url, pkg/fulcio refactoring (#471)
5bb088d refactor attached image code (#470)
49a4227 fix sget (#468)
7068357 Infra flags for fulcio / rekor / oidc values (#462)
647606b release: update builder container to use go 1.16.6 (#466)
a7f1ef6 more refactoring to use cryptoutils (#465)
840f9a6 Fix/verify dockerfile parser (#433)
981d702 cosign.LoadCerts -> cryptoutils.LoadCertificatesFromPEM (#464)
da50a67 Do a few more cleanups to reuse sigstore/sigstore and refactor verification. (#463)
7393e96 Refactor to use sigstore/sigstore crypto utilities (#460)
b385d1b Refactor the verification logic a bit to support more verification types. (#459)
fe1a39e Refactor the way certs are handled. (#457)
d08c803 Drop the dupe detector, this isn't needed anymore with the new interfaces (#456)
9c0eb2e Refactor signing options a bit between blob/image. (#455)
2af7bd0 Fix USAGE.md link (#454)
9ef97c2 Reduce some of the noise in e2e tests by hiding the SBOM output unless the test fails. (#453)
9adaad5 cmd/sign: Add -cert flag (#451)
fd17d7f Update sigstore dependency to include Azure KMS (#452)
607a5fe pivkey: Change default slot to Signature (9c) (#450)
48a2f82 Readme fixes and improvements (#448)
9c61577 update sigstore modules, tidy (#447)
2123698 Bump k8s.io/client-go from 0.21.2 to 0.21.3 (#445)
dbf506e Bump k8s.io/api from 0.21.2 to 0.21.3 (#444)
268ce57 Move the specs to their own directory. (#440)
d0684ec Update the readme a bit. (#441)
7e256fd added Hashicorp Vault KMS support to the description of public-key sub-command (#438)
e6d91a7 make base image an arg, use distroless/static for releases (#436)
e68da41 update deps, run go mod tidy (#432)
f79accb update workflows (other than release) to go 1.16.6 (#431)
82d49dc Numerous updates to .goreleaser.yml & associated scripts

Container image available as well: gcr.io/projectsigstore/cosign:v1.0.0@sha256:5e88d8f6162c04da4fa7d63b032bac34d8c906b48e88057263d67b059ace7de4

Thanks to all contributors!

For this 1.0 release, let's thank everyone that committed!
