sigstore/cosign v1.10.0-rc.1

on GitHub

Thanks to all contributors!

What's Changed

• Bump google.golang.org/api from 0.81.0 to 0.82.0 by @dependabot in #1948
• Bump github/codeql-action from 2.1.11 to 2.1.12 by @dependabot in #1951
• replace gcr.io/distroless/ to use ghcr.io/distroless/ by @cpanato in #1961
• Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.5 to 0.1.6 by @dependabot in #1958
• Bump google.golang.org/grpc from 1.46.2 to 1.47.0 by @dependabot in #1943
• Bump github.com/stretchr/testify from 1.7.1 to 1.7.2 by @dependabot in #1963
• Separate RegExp matching of issuer/subject from strict by @vaikas in #1956
• tuf: improve TUF client concurrency and caching by @asraa in #1953
• Add Cloudsmith Container Registry to tested registry list by @ciaracarey in #1966
• feat(fulcioroots): singleton error pattern by @developer-guy in #1965
• Bump github.com/hashicorp/go-hclog from 1.2.0 to 1.2.1 by @dependabot in #1968
• Bump actions/cache from 3.0.3 to 3.0.4 by @dependabot in #1970
• Drop tuf client dependency on GCS client library by @imjasonh in #1967
• Add spdxjson predicate type for attestations by @jdolitsky in #1974
• Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 by @dependabot in #1980
• Remove policy-controller now that it lives in sigstore/policy-controller by @vaikas in #1976
• cleanup: unexport kubernetes.Client method by @imjasonh in #1973
• Bump google.golang.org/api from 0.82.0 to 0.83.0 by @dependabot in #1979
• cleanup ci job and remove policy-controller references by @cpanato in #1981
• fix typos by @cpanato in #1982
• fix/update post build job by @cpanato in #1983
• docs: updated Azure kms commands. by @JBrejnholt in #1972
• Add cyclonedx predicate type for attestations by @jdolitsky in #1977
• Route deprecated -version to version subcommand by @puerco in #1854
• docs(readme): add installation steps for container image for cosign binary by @developer-guy in #1986
• Add --platform flag to cosign sbom download by @puerco in #1975
• Bump github.com/hashicorp/vault/sdk from 0.5.0 to 0.5.1 by @dependabot in #1988
• Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore by @imjasonh in #1866
• Bump sigstore/sigstore to HEAD by @puerco in #1995
• Add --oidc-provider flag to specify which provider to use for ambient credentials by @priyawadhwa in #1998
• Bump google.golang.org/api from 0.83.0 to 0.84.0 by @dependabot in #1999
• Bump actions/dependency-review-action from 1.0.2 to 2.0.1 by @dependabot in #2000
• Bump github.com/hashicorp/vault/sdk from 0.5.1 to 0.5.2 by @dependabot in #1996
• Bump actions/dependency-review-action from 2.0.1 to 2.0.2 by @dependabot in #2001
• encrypt values to create the github action secret by @cpanato in #1990
• Bump github.com/stretchr/testify from 1.7.2 to 1.7.3 by @dependabot in #2009
• Bump github/codeql-action from 2.1.12 to 2.1.13 by @dependabot in #2013
• Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 by @dependabot in #2012
• Bump github.com/google/go-github/v45 from 45.1.0 to 45.2.0 by @dependabot in #2011
• Bump github.com/stretchr/testify from 1.7.3 to 1.7.4 by @dependabot in #2010
• Bump google.golang.org/api from 0.84.0 to 0.85.0 by @dependabot in #2015
• sign-blob: bundle should work independently and respect --output-certificate and --output-signature by @Dentrax in #2016
• Bump mikefarah/yq from 4.25.2 to 4.25.3 by @dependabot in #2022
• Bump github.com/google/go-containerregistry from 0.9.0 to 0.10.0 by @dependabot in #2021
• Bump github/codeql-action from 2.1.13 to 2.1.14 by @dependabot in #2023
• Attempt to clean up pkg/cosign by @imjasonh in #2018
• public-key: fix command description by @Dentrax in #2024
• Bump github.com/stretchr/testify from 1.7.4 to 1.7.5 by @dependabot in #2026
• Bump github.com/xanzy/go-gitlab from 0.68.0 to 0.68.2 by @dependabot in #2029
• [NFC] specs: fix list formatting on SIGNATURE_SPEC by @woodruffw in #2030
• Bump ossf/scorecard-action from 1.1.1 to 1.1.2 by @dependabot in #2033
• feat: cert-extensions verify by @developer-guy in #1626
• Bump github.com/stretchr/testify from 1.7.5 to 1.8.0 by @dependabot in #2035
• Bump google.golang.org/api from 0.85.0 to 0.86.0 by @dependabot in #2036
• Bump github/codeql-action from 2.1.14 to 2.1.15 by @dependabot in #2038
• Bump github.com/spiffe/go-spiffe/v2 from 2.1.0 to 2.1.1 by @dependabot in #2037
• Fix #1378 create new attestation signature in replace mode if not existent by @Syquel in #2014
• Bump github.com/hashicorp/go-version from 1.5.0 to 1.6.0 by @dependabot in #2032
• Use cosign.ConfirmPrompt more consistently by @imjasonh in #2039
• chore: add a note about SIGSTORE_REKOR_PUBLIC_KEY var by @hectorj2f in #2040
• Bump sigstore/cosign-installer from 2.4.0 to 2.4.1 by @dependabot in #2042
• Fix OIDC test by @cpanato in #2050
• Add env subcommand. by @wlynch in #2051
• remove tests with 1.21 k8s cluster because it is deprecated and add v1.23/24 by @cpanato in #2055
• update ct/otel and etcd by @cpanato in #2054
• Bump github.com/open-policy-agent/opa from 0.35.0 to 0.42.0 by @dependabot in #2046
• update to go 1.18 by @asraa in #2059
• Bump actions/cache from 3.0.4 to 3.0.5 by @dependabot in #2066
• Bump github/codeql-action from 2.1.15 to 2.1.16 by @dependabot in #2065
• Bump actions/setup-go from 3.2.0 to 3.2.1 by @dependabot in #2060
• Bump google.golang.org/grpc from 1.47.0 to 1.48.0 by @dependabot in #2062
• Bump github.com/open-policy-agent/opa from 0.42.0 to 0.42.2 by @dependabot in #2063
• chore(deps): CycloneDX PredicateType changed to use in-toto-golang by @masahiro331 in #2067
• Bump google.golang.org/api from 0.86.0 to 0.87.0 by @dependabot in #2064
• Bump actions/dependency-review-action from 2.0.2 to 2.0.4 by @dependabot in #2073
• Bump github.com/xanzy/go-gitlab from 0.68.2 to 0.69.0 by @dependabot in #2075
• Bump mikefarah/yq from 4.25.3 to 4.26.1 by @dependabot in #2076
• Remove replace directives in go.mod. by @wlynch in #2070
• update design doc link by @bobcallaway in #2077
• Remove hack/tools.go by @imjasonh in #2080
• Bump google.golang.org/api from 0.87.0 to 0.88.0 by @dependabot in #2081
• Bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 by @dependabot in #2078
• Bump github.com/hashicorp/vault/sdk from 0.5.2 to 0.5.3 by @dependabot in #2079
• update builder image to use go1.18.4 by @cpanato in #2086
• add changelog for v1.10.0 release by @cpanato in #2087

New Contributors

• @ciaracarey made their first contribution in #1966
• @JBrejnholt made their first contribution in #1972
• @woodruffw made their first contribution in #2030
• @Syquel made their first contribution in #2014
• @masahiro331 made their first contribution in #2067

Full Changelog: v1.9.0...v1.10.0-rc.1