github sigstore/cosign v1.10.1

2 years ago

This release fixes a security issue

cosign verify-attestation --type can report a false positive if any attestation exists
GHSA-vjxv-45g9-9296

What's Changed

  • Bump github.com/google/go-containerregistry from 0.10.0 to 0.11.0 by @dependabot in #2088
  • Remove knative/pkg deps by @imjasonh in #2092
  • add flag to allow skipping upload to transparency log by @k4leung4 in #2089
  • Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 by @dependabot in #2100
  • Improve error message when no sigs/atts are found for an image by @imjasonh in #2101
  • Change Result in Vulnerability Attestation to interface{} by @knqyf263 in #2096
  • Fix field names in the vulnerability attestation by @otms61 in #2099
  • Bump github.com/hashicorp/go-hclog from 1.2.1 to 1.2.2 by @dependabot in #2103
  • remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint by @cpanato in #2105
  • Bump imjasonh/setup-ko from 0.4 to 0.5 by @dependabot in #2107
  • Bump google.golang.org/api from 0.88.0 to 0.89.0 by @dependabot in #2106
  • ✨ Enable Scorecard badge by @azeemshaikh38 in #2109
  • Resolves #522 set Created date to time of execution by @Lerentis in #2108
  • Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 by @dependabot in #2110
  • Introduce a custom error type to classify errors. by @mattmoor in #2114
  • Bump github/codeql-action from 2.1.16 to 2.1.17 by @dependabot in #2112
  • Bump google.golang.org/api from 0.89.0 to 0.90.0 by @dependabot in #2111
  • feat: attach: attestation: allow passing multiple payloads by @Dentrax in #2085
  • Bump github.com/open-policy-agent/opa from 0.42.2 to 0.43.0 by @dependabot in #2115
  • Bump mikefarah/yq from 4.26.1 to 4.27.2 by @dependabot in #2116
  • update cross-builder to go1.18.5 and cosign image to 1.10.0 by @cpanato in #2119
  • Bump github.com/xanzy/go-gitlab from 0.69.0 to 0.70.0 by @dependabot in #2120
  • chore: fix documentation and warning on using untrusted rekor key by @asraa in #2124
  • Bump google.golang.org/api from 0.90.0 to 0.91.0 by @dependabot in #2125
  • Correct the type used for attest by @mattmoor in #2128

New Contributors

Full Changelog: v1.10.0...v1.10.1

Thanks to all contributors!
