github sigstore/cosign v1.1.0

2 years ago

Enhancements

  • BREAKING: The -attestation flag has been renamed to -predicate in attest (#500)
  • Added verify-manifest command (#490)
  • Added the ability to specify and validate well-known attestation types in attest with the -type flag (#504)
  • Added cosign init command to set up the trusted local repository of SigStore's TUF root metadata (#520)
  • Added timestamps to Cosign's custom In-Toto predicate (#533)
  • verify now always checks that the remote image exists (even when referenced by digest) before verification (#543)

Bug Fixes

  • verify-dockerfile no longer fails on FROM scratch (#509)
  • Fixed reading from STDIN with attach sbom (#517)
  • Fixed broken documentation and implementation of -output for verify and verify-attestation (#546)
  • Fixed nil pointer error when calling upload blob without specifying -f (#563)

Contributors

Full Changelog

67934a6 remove unnecessary COSIGN_PASSWORD (#572)
7b5e931 add v1.1.0 relnotes (#571)
764a237 release: update golang-cross image to use go 1.17 (#569)
2f805aa update Go to 1.17.0 (#568)
7b08e21 Pin k8s.io dependencies to v0.20.7 (#567)
0783cc9 Make payload types public (#564)
8ce7d29 fix nil pointer deref in cli/upload.BlobCmd (#563)
92ce88e Fix some bugs in the attestation support and add a formal spec. (#561)
9479578 Bump k8s to 0.22.1. (#560)
4326cc1 Add a commented out list of OWNERS for transparency. (#558)
5c70fc4 fix: lint warning (#557)
5267dfd Add example of openssl signing. (#554)
6db6a90 Move the prompting/confirmation down into the password implementations. (#552)
3733e69 Fix verify and verify-attestation output flag (#546)
001d55f Improve Kubernetes examples in docs and commands (#551)
0d93915 Update google.golang.org/api (#544)
969aa80 always check remote image (#543)
4c755ad Refactor to avoid not necessary conversion (#539)
e2cafee Don't run e2e tests on PRs (#540)
3b5c238 Fix CI issues for forked repos (#537)
b2c649f Improve docs for keyless SA signing (#536)
03f3f4d Refactor upload-blob to use File interface (#535)
de056ab Bump google.golang.org/api from 0.52.0 to 0.53.0 (#534)
61b103b Add support for timestamps in the cosign custom predicate, and document it. (#533)
4c76ff3 'cosign init' minor enhancements (file or URL root, write to $HOME/.sigstore) (#530)
a7aff49 update go mods, tidy (#531)
9018c86 Explicitly disable auth for the sigstore-tuf-root. (#528)
bfd42e5 Add cosign init to initialize the SigStore root metadata (#520)
f83218b version: add way to display a version when using go get or go install (#526)
07bf0f2 Add Alibaba Cloud Container Registry (#524)
ce1648e update k8s deps for 1.22 release. Update sigstore. Tidy (#523)
c0f7371 add usage of the COSIGN_PASSWORD env var (#521)
6e535ce add Go Report Card badge to README (#518)
ef05414 lazy init fulcio root (#519)
fbc9831 fix for reading sbom file from stdin (#517)
749cd29 SIGNATURE_SPEC.md: fix typo (#516)
685f1a3 Bump github.com/google/go-containerregistry from 0.5.1 to 0.6.0 (#515)
b505bb4 fix in-toto.io link (#513)
4877fbb Verify-dockerfile Ignore scratch images (#509)
f3cf4a2 fixing typos in the documentation of SBOM specification (#511)
1e4b330 verify-manifest: decode and use kubernetes resources (#510)
0fdfaa9 Add cosign verify-manifest command (#490)
7e9cdfb add well-known attestation specs support to the attest command (#504)
53f7cd4 some more readme updates (#505)
e42c08e SBOM specification! (#439)
03b1eda add installation via GitHub Action to README (#503)

Thanks to all contributors!
