github sigstore/cosign v1.2.0


v1.2.0

Enhancements

  • BREAKING: move verify-dockerfile to dockerfile verify (#662)
  • Have the keyless cosign sign flow use a single 3LO. (#665)
  • Allow verify-blob to read the blob from URLs (#646)
  • Support GCP environments without workload identity (GCB). (#652)
  • Switch the release cosign container to debug. (#649)
  • Add logic to detect and use ambient OIDC from exec envs. (#644)
  • Add -cert-email flag to provide the email expected from a fulcio cert to be valid (#622)
  • Add support for downloading signature from remote (#629)
  • Add sbom and attestations to triangulate (#628)
  • Add cosign attachment signing and verification (#615)
  • Embed CT log public key (#607)
  • Verify SCTs returned by fulcio (#600)
  • Add extra replacement variables and GCP's role identifier (#597)
  • Store attestations in the layer (payload) rather than the annotation. (#579)
  • Improve documentation about predicate type and change predicate type from provenance to slsaprovenance (#583)
  • Upgrade in-toto-golang to adapt SLSA Provenance (#582)

Bug Fixes

  • Fix verify-dockerfile to allow lowercase FROM (#643)
  • Fix signing for the cosigned image. (#634)
  • Make sure generate-key-pair doesn't overwrite existing key-pair (#623)
  • helm/ci: update helm repo before installing the dependency (#598)
  • Set the correct predicate type/URI for each supported predicate type. (#592)
  • Warnings on admissionregistration version (#581)
  • Remove unnecessary COSIGN_PASSWORD (#572)

Contributors

  • Batuhan Apaydın
  • Ben Walding
  • Carlos Alexandro Becker
  • Carlos Tadeu Panato Junior
  • Erkan Zileli
  • Hector Fernandez
  • Jake Sanders
  • Jason Hall
  • Matt Moore
  • Michael Lieberman
  • Naveen Srinivasan
  • Pradeep Chhetri
  • Sambhav Kothari
  • dlorenc
  • priyawadhwa

Thank you to all our contributors!!

Changelog

aa5d23b CHANGELOG for cosign 1.2 (#668)
1b1cafc move verify-dockerfile to dockerfile verify (#662)
275e015 Have the keyless cosign sign flow use a single 3LO. (#665)
152eefb Move LoadEcdsa... into pkg/cosign/keys.go (#667)
c37c20e feat: allow to verify-blob from urls (#646)
b1e7ca2 Extract a types package for media and payload types. (#664)
e14b69d small typo (#663)
e055194 Provide a mechanism for downstream folks to avoid _ imports. (#661)
b27c63a Split apart fulcioverifier for transparency log verification. (#660)
de598c1 Send log statement to STDERR (#659)
696a46a Remove unnecessary space after 'with index:' (#656)
3f83940 Support GCP environments without workload identity (GCB). (#652)
118399c Revert "Consistently use STDERR for output. (#647)" (#650)
60cf6b8 Refactor verification output. (#632)
f2a1276 Switch the release cosign container to debug. (#649)
f8f2e7a Pinned the dockerfile to sha256 (#619)
fefa881 Consistently use STDERR for output. (#647)
fb04df8 Refactor cosigned to take advantage of duck typing. (#637)
739947d Add logic to detect and use ambient OIDC from exec envs. (#644)
cb310df Fix verify-dockerfile to allow lowercase FROM (#643)
6d2fc54 docs: add remote url example for verify_blob cmd (#640)
248f849 add -cert-email flag to provide the email expected from a fulcio cert to be valid (#622)
59be0ee Break off a fulcioroot package. (#639)
56d7d96 Use a nonroot base image for ko-based images (#638)
efde83c Fix signing for the cosigned image. (#634)
508cc59 Drop the unused apiReader (#636)
6a1e1b5 Drop the distinction between Create/Update. (#635)
8d550b3 feat: add support for downloading signature from remote (#629)
cb0c46a Add ko targets for the webhook image. (#630)
53fbe01 Something changed in go 1.17 to make this a failure now. (#631)
a05fb65 Add sbom and attestations to triangulate (#628)
ff28387 Bump opa to v0.32.0 (#625)
b0e5c74 Bump k8s controller-runtime to v0.10.0. (#626)
de600d2 chore: cleanup Makefile targets (#627)
5abd51e Make sure generate-key-pair doesn't overwrite existing key-pair (#623)
40830f1 Modify golangci-lint installation (#624)
79fa380 Add cosign attachment signing and verification (#615)
de3f9d6 Bump go/storage. (#614)
c35f311 verify_blob: add missing help option to use the pub key from a remote (#616)
9906181 helm/cosigned: remove helm charts (#609)
842a81a Embed CT log public key (#607)
54c956c Actually bump dependencies and get healthy on go 1.17. (#606)
cb9f980 Verify SCTs returned by fulcio (#600)
c79ba73 Add extra replacement variables and GCP's role identifier (#597)
c875b79 helm/ci: update helm repo before installing the dependency (#598)
b41d57f Set the correct predicate type/URI for each supported predicate type. (#592)
584e63f chore: add a new CODEOWNER (#593)
b1c033d Make the warning around TUF roots a little less scary. (#590)
