sigstore/cosign v1.5.0

on GitHub

Changelog

• 7572520 add ascii art when using the version command (#1349)
• 4c23b55 update cross builder image - the image is now signed using keyless method (#1348)
• 03a2778 Add vaikas to CODEOWNERS (#1347)
• f186ee3 add changelog for v1.5.0 (#1345)
• 9acdf64 Cache the location of the remote repository when running cosign initialize (#1315)
• e534409 Fix minor typo (a missing verb) in README (#1346)
• 22007e5 Don't use k8schain, statically link cloud cred helpers in cosign (#1279)
• a50bc9d Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (#1343)
• 1a92b50 Bump recommended Go development version in README (#1340)
• 1560c64 Bump the snapshot and timestamp roles metadata from root signing. (#1339)
• bca7ba6 Export function to verify individual signature (#1334)
• b0e81eb Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.10 to 2.0.0-beta.11 (#1336)
• a7838c5 update go-github to v42 release (#1335)
• b0848d1 install latest release for ko instead of head of main branch (#1333)
• 2f8c22e remove wrong settings in the gco auth for gh actions (#1332)
• fbf8dcb update gcp setup for the GH action (#1330)
• 888b392 fix: cosign verify for vault (#1328)
• e64cc10 update some dependencies (#1326)
• 461b032 fix missing goimports (#1327)
• 78ee720 Add suffix with digest to signature file output for recursive signing (#1267)
• 0532601 Take OIDC client secret into account (#1310)
• 475c99d Verify checksum of downloaded utilities during CI (#1322)
• 97509b9 pin github actions by digest (#1319)
• 4592c23 Fix TestSignBlobBundle (#1320)
• bad18e5 Add --bundle flag to sign-blob and verify-blob (#1306)
• 079e28d Add flag to verify OIDC issuer in certificate (#1308)
• 2c96cf3 Bump google.golang.org/api from 0.64.0 to 0.65.0 (#1303)
• 24914ac add OSSF scorecard action (#1318)
• 244c07a Add TUF timestamp to attestation bundle (#1316)
• 46cf94b Provide certificate flags to all verify commands (#1305)
• d58fc63 Bundle TUF timestamp with signature on signing (#1294)
• c49ba0b Bump cuelang.org/go from 0.4.0 to 0.4.1 (#1302)
• 754d33e Add support for importing PKCS#8 private keys, and add validation (#1300)
• aa0b8c1 add error message (#1296)
• a7bd67c Move bundle out of oci and into bundle package (#1295)
• 9368996 Bump github.com/xanzy/go-gitlab from 0.54.2 to 0.54.3 (#1292)
• ef380f0 update import documentation (#1290)
• e671216 Fix a couple bugs in cert verification for blobs (#1287)
• 76e691b Fix a few bugs in cosign initialize (#1280)
• b9d0d4a Reorganize verify-blob code and add a unit test (#1286)
• 419be8a update release image to use go 1.17.6 (#1284)
• 809b091 Bump google.golang.org/api. (#1283)
• 4376cca Bump opa and go-gitlab. (#1281)
• b6aaddc Update SBOM spec to indicate compat for syft (#1278)
• f19f4f7 Update signature spec with timestamp annotation (#1274)
• 7f54a8f Bump miekg/pkcs11 (#1275)
• 36cc106 Pick up latest knative.dev/pkg, and k8s 0.22 libs (#1269)
• 6af964c Fix the unit tests with expired TUF metadata. (#1270)
• 242f586 One-to-one mapping of invocation to scan result (#1268)
• 1a7f9d6 refactor common utilities (#1266)
• d89eb8e Fix output-file flag. (#1264)
• 9a27e1f Importing RSA and EC keypairs (#1050)
• 8194edd enable sbom generation when releasing (#1261)
• 0a4a68a feat: log error to stderr (#1260)
• 591601c feat: support attach attestation (#1253)
• 2e99320 Refactor the tuf client code. (#1252)
• dfc0347 Moved certificate output before checking for upload during signing (#1255)
• c09d682 Remove remaining ioutil usage (#1256)
• 894a3bc Update the embedded TUF metadata. (#1251)
• 645c259 Bump sigstore/sigstore. (#1247)
• 4ecb43d fix: typo in the error message (#1250)
• 1df7fe4 Fix semantic bugs in attestation verifification. (#1249)
• f32c1d7 Fix semantic bug in DSSE specification. (#1248)
• 4e4bbf6 Spelling (#1246)
• 7e5abbf feat: resolve --cert from URL (#1245)
• c360535 Add support for other public key types for SCT verification, allow override for testing. (#1241)
• 6f41b4b Log the proper remote repo for the signatures on verify (#1243)
• 24d43bd feat: generate/upload sbom for cosign projects (#1237)
• b3bd158 Use ${{github.repository}} placeholder in OIDC GitHub workflow (#1244)
• 47d936c update codeowners list with miissing codeowners (#1238)
• 3dd690e feat: vuln attest support (#1168)
• 6a4afef feat: add ambient credential detection with spiffe/spire (#1220)
• 1104dfd feat: generate/upload sbom for cosign projects (#1236)
• 0c25819 update build images for release and bump cosign in the release job (#1234)
• ac8a7e9 feat: implement cosign download attestation (#1216)
• d318979 Do not require multiple Fulcio certs in the TUF root (#1230)
• 9da74c9 update deps (#1222)
• b2d6393 nit: add comments to Signer interface (#1228)
• f2e034d clean up references to 'keyless' in ephemeral.Signer (#1225)
• acf5900 create DSSEAttestor interface, payload.DSSEAttestor implementation (#1221)
• ca4544c update google.golang.org/api from 0.62.0 to 0.63.0 (#1214)
• 1feacab use mutate.Signature in the new Signers (#1213)
• 28b03f7 create mutate functions for oci.Signature (#1199)
• 500cd40 update snapshot and timestamp (#1211)
• cbdc1b3 add a writeable $HOME for the nonroot cosigned user (#1209)
• 4d4c830 signing attestation should private key (#1200)
• 6e397c2 Remove the "upload" flag for "cosign initialize" (#1201)
• 008f860 create KeylessSigner (#1189)
• 2ad95b3 Bump github.com/spf13/viper from 1.9.0 to 1.10.0 (#1198)
• 3dac54a Bump the DSSE library and handle manual changes in the API. (#1191)
• cfd981e nit: drop every section title down a level (#1188)

Thanks for all contributors!