Highlights

fix: Pulls Fulcio root and intermediate when --certificate-chain is not passed into verify-blob command. The v1.12.0 release introduced a regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would check a --certificate (without a --certificate-chain provided) against the operating system root CA bundle. In this release, Cosign checks the certificate against Fulcio's CA root instead (restoring the earlier behavior).

What's Changed

• fix: fix cert chain validation for verify-blob in non-experimental mode by @asraa in #2256
• fix: add COSIGN_EXPERIMENTAL=1 for verify-bloba by @developer-guy in #2254
• Fix BYO-root with intermediate to fetch intermediates from annotation by @haydentherapper in #2244
• fix: fixing breaking changes in rekor v1.12.0 upgrade by @developer-guy in #2260

New Contributors

• @n3k0m4 made their first contribution in #2263

Full Changelog: v1.12.0...v1.12.1