sigstore/cosign v1.4.1

on GitHub

A whole buncha bugfixes!

Enhancements

• Files created with --output-signature and --output-certificate now created with 0600 permissions (#1151)
• Added cosign verify-attestation --local-image for verifying signed images with attestations from disk (#1174)
• Added the ability to fetch the TUF root over HTTP with cosign initialize --mirror (#1185)

Bug Fixes

• Fixed saving and loading a signed image index to disk (#1147)
• Fixed sign-blob --output-certificate writing an empty file (#1149)
• Fixed assorted issues related to the initialization and use of Sigstore's TUF root of trust (#1157)

Contributors

• Carlos Alexandro Becker (@caarlos0)
• Carlos Panato (@cpanato)
• Hayden Blauzvern (@haydentherapper)
• Jake Sanders (@dekkagaijin)
• Matt Moore (@mattmoor)
• Priya Wadhwa (@priyawadhwa)
• Radoslav Gerganov (@rgerganov)

Changelog

• 934567a add 1.4.1 relnotes (#1186)
• fe3a030 Allow fetching TUF root from HTTP (#1185)
• d8e1795 update golang cross image to use go1.17.5 (#1184)
• 2e9d3d8 add e2e tests for Windows + PowerShell (#1177)
• 4c473e5 add tests for cosign initialize (#1182)
• b113e30 update go-tuf and use the newly exposed Close() (#1181)
• 5a5914f Add option to verify attestations from local image (#1174)
• d0d91ab add test for interactive private key password prompt (#1176)
• e5056ed enable e2e-test coverage for Win & OSX (#1166)
• dc744ea use a different repo for each e2e test against the registry (#1175)
• 4652b36 re-enable windows in e2e-with-binary, fix issues (#1172)
• 75e3d62 Bump GGCR to latest. (#1169)
• 287bb27 disable broken Windows e2e-with-binary (#1167)
• 8644a7a use sync.Once to init the global tuf root (#1163)
• 10b7f9d Add option to verify local image (#1159)
• bd8b7d5 bump k8s versions used for kind-e2e-cosigned (#1164)
• 1510379 Add make target for doc generation (#1162)
• 79a843b expand CI testing to Windows and OSX, fix issues uncovered (#1158)
• 9394f85 Pull in the new Fulcio client code. (#1126)
• dd53292 return error when rekor pub cannot be retrieved, fix file path construction (#1157)
• a684c45 add job to run some e2e tests to sing a artifcat and check the outputs (#1154)
• 96c02ba fix: improve perms, error handling (#1151)
• ab632c8 update crane (#1150)
• b454d08 cosigned: add version to cosigned (#1139)
• 26c99d8 fix: --output-certificate not working properly (#1149)
• 430080f Fix bug when saving and loading an image index (#1147)
• 39e6540 sign-blob --output -> --output-signature (#1148)

Thanks for all contributors!