Note: This release comes with a fix for CVE-2022-36056, described in this GitHub Security Advisory. Please upgrade to this release ASAP.
Highlights
BREAKING: The fix for GHSA-8gw7-4j42-w388 (CVE-2022-36056) means that some `verify-blob` commands that used to work may not anymore. In particular:
- When using `verify-blob` with signatures created in keyless mode, we now require either `COSIGN_EXPERIMENTAL=1` (so the signature is checked against the Rekor transparency log) or a valid Rekor bundle for offline verification, passed with `--bundle`.
If you upgrade and encounter other issues, please read the advisory in full; your prior checks may have been passing inappropriately.
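As an added example that is not part of these release notes or of cosign itself: a small POSIX shell wrapper that encodes the two verification paths the highlight describes, so a CI job refuses to run a keyless `verify-blob` unless Rekor evidence is in play, instead of relying on whatever an older cosign would have accepted. It assumes the cosign 1.x `verify-blob` flags `--cert`, `--signature` and `--bundle`, that a bundle written by `cosign sign-blob --bundle` is JSON with a top-level `rekorBundle` key, and placeholder file names; the function name and its `online`/`offline` argument are this example's own.

```shell
#!/bin/sh
# Added example, not code from the cosign project. A fail-closed wrapper
# around `cosign verify-blob` for keyless signatures, covering the two
# paths that remain valid after the GHSA-8gw7-4j42-w388 fix: an online
# Rekor lookup (COSIGN_EXPERIMENTAL=1) or an offline Rekor bundle
# (--bundle). Assumptions: --cert, --signature and --bundle are the cosign
# 1.x verify-blob flags; a bundle from `cosign sign-blob --bundle` is JSON
# with a top-level "rekorBundle" key; file paths are placeholders.
#
# Usage:
#   verify_keyless_blob online  BLOB CERT SIG     (requires COSIGN_EXPERIMENTAL=1)
#   verify_keyless_blob offline BLOB BUNDLE
# Exit status: cosign's own, or 2 when the preconditions are not met.
verify_keyless_blob() {
    vkb_mode=$1
    vkb_blob=$2
    case "$vkb_mode" in
    online)
        vkb_cert=$3
        vkb_sig=$4
        # Without COSIGN_EXPERIMENTAL=1 cosign does not consult Rekor, which
        # is the case the advisory stops accepting. Refuse up front so a
        # script cannot silently "pass" on an older cosign that skipped it.
        if [ "${COSIGN_EXPERIMENTAL:-0}" != "1" ]; then
            echo "verify_keyless_blob: online mode needs COSIGN_EXPERIMENTAL=1" >&2
            return 2
        fi
        cosign verify-blob --cert "$vkb_cert" --signature "$vkb_sig" "$vkb_blob"
        ;;
    offline)
        vkb_bundle=$3
        # The bundle must exist and actually carry a Rekor entry; a bundle
        # holding only a signature and cert gives no transparency-log
        # evidence, so cosign has nothing to check the cert's lifetime against.
        if [ ! -r "$vkb_bundle" ]; then
            echo "verify_keyless_blob: bundle '$vkb_bundle' is not readable" >&2
            return 2
        fi
        if ! grep -q '"rekorBundle"' "$vkb_bundle"; then
            echo "verify_keyless_blob: '$vkb_bundle' has no rekorBundle entry" >&2
            return 2
        fi
        cosign verify-blob --bundle "$vkb_bundle" "$vkb_blob"
        ;;
    *)
        echo "usage: verify_keyless_blob online BLOB CERT SIG | offline BLOB BUNDLE" >&2
        return 2
        ;;
    esac
}
```

The `grep` pre-check is deliberately crude: it only guards against passing a signature-only bundle where a Rekor bundle was expected. The actual inclusion proof, signature and certificate-lifetime checks are cosign's job once it runs.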
What's Changed
- use scaffolding v0.4.6. by @vaikas in #2201
- Support non-ECDSA key types for verify-blob by @haydentherapper in #2203
- feat: integrate Alibaba Cloud Container Registry cred helper by @mozillazg in #2008
- remove double quotes, looks like it is passing as a single string to cosign and not as an array by @cpanato in #2205
- Upgrade to go1.19 by @cpanato in #2213
- Clarify error when KMS provider fails to load by @znewman01 in #2220
- feat: set annotations to generate additional bash completion information by @dirien in #2221
- Add deprecation warning for sget CLI and packages by @imjasonh in #2019
- upgrade setup-ko to point to new repo by @imjasonh in #2225
- update go builder to go1.19.1 by @cpanato in #2241
- Temp fix for e2e test by @haydentherapper in #2247
- update kind to use release v0.15.0 and some version comments by @cpanato in #2246
- Fix e2e test failure, add test for local bundle without rekor bundle by @haydentherapper in #2248
- fix: fix secret test, non-experimental bundle should pass by @asraa in #2249
New Contributors
- @mozillazg made their first contribution in #2008
Full Changelog: v1.11.1...v1.12.0