github sigstore/cosign v1.4.0


Highlights

  • BREAKING [COSIGN_EXPERIMENTAL]: This and future cosign releases will generate signatures that do not validate in older versions of cosign. This only applies to "keyless" experimental mode. To opt out of this behavior, use: --fulcio-url=https://fulcio.sigstore.dev when signing payloads (#1127)
  • BREAKING [cosign/pkg]: SignedEntryTimestamp is now of type []byte. To get the previous behavior, call strfmt.Base64(SignedEntryTimestamp) (#1083)
  • cosign-linux-pivkey-amd64 releases are now of the form cosign-linux-pivkey-pkcs11key-amd64 (#1052)
  • Releases are now additionally signed using the keyless workflow (#1073, #1111)

Enhancements

  • Validate the whole attestation statement, not just the predicate (#1035)
  • Added the option to replace existing attestations using cosign attest --replace (#1039)
  • Added URI to cosign verify-blob output (#1047)
  • Signatures and certificates created by cosign sign and cosign sign-blob can be output to file using the --output-signature and --output-certificate flags, respectively (#1016, #1093, #1066, #1095)
  • [cosign/pkg] Added the pkg/oci/layout package for storing signatures and attestations on disk (#1040, #1096)
  • [cosign/pkg] Added mutate methods to attach oci.Files to oci.Signed* objects (#1084)
  • Added the --signature-digest-algorithm flag to cosign verify, allowing verification of container image signatures which were generated with a non-SHA256 signature algorithm (#1071)
  • Builds should now be reproducible (#1053)
  • Allows base64 files as --cert in cosign verify-blob (#1088)
  • Kubernetes secrets generated for version >= 1.21 clusters have the immutable bit set (#1091)
  • Added the cosign save and cosign load commands to save container images and their associated signatures to disk and upload them again from disk (#1094)
  • cosign sign will no longer fail to sign private images in keyless mode without --force (#1116)
  • cosign verify now supports signatures stored in files and remote URLs with --signature (#1068)
  • cosign verify now supports certs stored in files (#1095)
  • Added support for syft format in cosign attach sbom (#1137)

Bug Fixes

  • Fixed verification of Rekor bundles for in-toto attestations (#1030)
  • Fixed a potential memory leak when signing and verifying with security keys (#1113)

Thanks to all contributors!
