Highlights
- BREAKING [COSIGN_EXPERIMENTAL]: This and future
cosign
releases will generate signatures that do not validate in older versions ofcosign
. This only applies to "keyless" experimental mode. To opt out of this behavior, use:--fulcio-url=https://fulcio.sigstore.dev
when signing payloads (#1127) - BREAKING [cosign/pkg]:
SignedEntryTimestamp
is now of type[]byte
. To get the previous behavior, callstrfmt.Base64(SignedEntryTimestamp)
(#1083) cosign-linux-pivkey-amd64
releases are now of the formcosign-linux-pivkey-pkcs11key-amd64
(#1052)- Releases are now additionally signed using the keyless workflow (#1073, #1111)
Enhancements
- Validate the whole attestation statement, not just the predicate (#1035)
- Added the options to replace attestations using
cosign attest --replace
(#1039) - Added URI to
cosign verify-blob
output (#1047) - Signatures and certificates created by
cosign sign
andcosign sign-blob
can be output to file using the--output-signature
and--output-certificate
flags, respectively (#1016, #1093, #1066, #1095) - [cosign/pkg] Added the
pkg/oci/layout
package for storing signatures and attestations on disk (#1040, #1096) - [cosign/pkg] Added
mutate
methods to attachoci.File
s tooci.Signed*
objects (#1084) - Added the
--signature-digest-algorithm
flag tocosign verify
, allowing verification of container image signatures which were generated with a non-SHA256 signature algorithm (#1071) - Builds should now be reproducible (#1053)
- Allows base64 files as
--cert
incosign verify-blob
(#1088) - Kubernetes secrets generated for version >= 1.21 clusters have the immutible bit set (#1091)
- Added
cosign save
andcosign load
commands to save and upload container images and associated signatures to disk (#1094) cosign sign
will no longer fail to sign private images in keyless mode without--force
(#1116)cosign verify
now supports signatures stored in files and remote URLs with--signature
(#1068)cosign verify
now supports certs stored in files (#1095)- Added support for
syft
format incosign attach sbom
(#1137)
Bug Fixes
- Fixed verification of Rekor bundles for InToto attestations (#1030)
- Fixed a potential memory leak when signing and verifying with security keys (#1113)
Contributors
- Ashley Davis (@SgtCoDFish)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Brandon Philips (@philips)
- Carlos Alexandro Becker (@caarlos0)
- Carlos Panato (@cpanato)
- Christian Rebischke (@shibumi)
- Dan Lorenc (@dlorenc)
- Erkan Zileli (@erkanzileli)
- Furkan Türkal (@Dentrax)
- garantir-km (@garantir-km)
- Jake Sanders (@dekkagaijin)
- jbpratt (@jbpratt)
- Matt Moore (@mattmoor)
- Mikey Strauss (@houdini91)
- Naveen Srinivasan (@naveensrinivasan)
- Priya Wadhwa (@priyawadhwa)
- Sambhav Kothari (@samj1912)
Changelog
- 50315fc remove obsolete
--output
flag (#1146) - a1efb18 add relnotes for v1.4.0 (#1145)
- a47a835 feat: enable --check flag of addlicense (#1135)
- e48db5a Add support for syft json type to cosign (#1137)
- 7de7387 Use --recursive flag in sign example (#1143)
- 6d8cec1 Fixed a typo in README.md (#1142)
- 63e9342 cjson - Move to go-securesystemslib (#1141)
- e233ce8 update ghcr.io/gythialy/golang-cross to use go 1.17.4 (#1133)
- a05dc7b Bump deps (#1132)
- 7e5ff00 send User-Agent string w/ rekor, fulcio, and ggcr HTTP requests (#1131)
- dbb2a17 Switch (temporarily) the fulcio endpoint to our new v1 service. (#1127)
- 9076d71 feat: sign --output-certificate and verify --cert (#1095)
- 034e946 Update output to note when signatures are pushed (#1117)
- 54fb569 feat: support signature file in verify cmd (#1068)
- ec00f69 Make the transparency log upload non-fatal. (#1116)
- 1da6742 have
rekor.NewSigner
accept a*client.Rekor
instead of a URL (#1115) - ac7e33c call Close() on security keys before returning error (#1113)
- 2294fd4 Add Fulcio v1 root to the cosign (#1112)
- 304c2b2 continued sign refacc (#1098)
- a035b27 add keyless to the binaries and send to tlog and update release docs (#1111)
- 9555f33 use hashed rekord type for tlog upload (#1081)
- 6fc942b plumb context through to tlog requests (#1103)
- fcc8256 minor: supply
ShouldUploadToTlog
with context (#1104) - 690853e Bump non-k8s deps (#1102)
- 040ed3d feat(ci): Add Gofish support (#996)
- 79f0247 Bump go-containerregistry to pickup the update to image-spec (#1092)
- 2dc6e4f Add support for storing attestations in
oci/layout
(#1096) - 98cf544 Update slsa-provenance predicate to v0.2 (#1054)
- 7ec91a4 Add
cosign save
andcosign load
commands (#1094) - e1141af refactoring signature logic (#1065)
- 4274149 fix: alias output to output-signature on sign-blob (#1093)
- 86bf37f feat(k8s): set secret immutable by default for 1.21 (#1091)
- 2cc9c9a Bump client-go and viper. (#1089)
- aff2e37 feat: verify-blob --cert base64 (#1088)
- 5586790 fix: reproducible builds (#1053)
- 1974064 Add flag for manually specifying a hash algo when verifying (#1071)
- 90e2dcf Prune a few dependencies from ./pkg/oci (#1085)
- eed3e12 Add
mutate.AttachFileTo*
for attaching SBOMs. (#1084) - e1acd18 Drop
strfmt.Base64
frompkg/oci
. (#1083) - f8f0f6d Add layout package for writing and loading signatures from disk (#1040)
- 9cf8c3f Bump some deps that dependabot missed. (#1079)
- 18318ba implement output-signature and output-certificate flags (#1016)
- 857d9a5 adding keyless (#1073)
- 01b6c8f sync go mod (#1072)
- 943e824 feat: add output flag for signCmd (#1066)
- d673477 Add PKCS11 tag in releaser and Makefile for Mac and Windows (#1052)
- 413d06e fix root path (#1062)
- e868a54 cmd: update triangulate help command (#1061)
- d48fe25 verify-blob: add URI to verify-blob output (#1047)
- c5e3393 cmd: update clean command help (#1058)
- bada59e remove reverseDSSEVerifier in favor of using DSSE utilities directly (#1056)
- 3e43108 Remove img field from sigLayer (#1042)
- ccc4468 feat: replace option for same attestation (#1039)
- 5468ddc Patch support attestation log search and bundle to payload hash check (#1030)
- fe00315 README: simplify the install section (#1049)
- cd7e6a8 verify-blob: make the signature flag mandatory (#1045)
- 6ed55d6 split private signature and attestation verification fns (#1043)
- c338616 PKCS11: Fix certificate check (#1041)
- f1ec3a6 update ggcr to HEAD to eliminate (false) vuln finding (#1044)
- 89f3590 Adds a test to the cosigned e2e suite with multiple keys. (#943)
- c85db3a release: update cosign to 1.3.1 (#1038)
- 84c94b6 feat: validate whole statement not just predicate part (#1035)
Thanks for all contributors!