This release contains fixes for GHSA-ccxc-vr6p-4858, affecting signature validations with Rekor. Only validation is affected; it is not necessary to re-sign any artifacts.
See: GHSA-ccxc-vr6p-4858
What's Changed
- add changelog for 1.5.1 release by @cpanato in #1376
- Bump github.com/go-openapi/runtime from 0.21.1 to 0.22.0 by @dependabot in #1382
- Bump github.com/go-openapi/swag from 0.19.15 to 0.20.0 by @dependabot in #1383
- Fix double `time` import in e2e tests by @saschagrunert in #1388
- Add `--timeout` support to `sign` command by @saschagrunert in #1379
- Bump github.com/go-openapi/swag from 0.20.0 to 0.21.1 by @dependabot in #1386
- Bump github.com/xanzy/go-gitlab from 0.54.3 to 0.54.4 by @dependabot in #1391
- Fix comparison in replace option for attestation by @bburky in #1366
- Add Cosign logo to README by @nsmith5 in #1395
- Minor refactor to verify SCT and Rekor entry with multiple keys by @haydentherapper in #1396
- Fix a link of SECURITY.md by @knqyf263 in #1399
- update cosign and cross-build image for the release job by @cpanato in #1400
- Bump cuelang.org/go from 0.4.1 to 0.4.2 by @dependabot in #1401
- Bump google.golang.org/api from 0.66.0 to 0.67.0 by @dependabot in #1402
- feat: login command by @developer-guy in #1398
- TUF: Add root status output by @asraa in #1404
- Bump cloud.google.com/go/storage from 1.19.0 to 1.20.0 by @dependabot in #1403
- Add a newline after password input by @knqyf263 in #1407
- make imageRef lowercase before parsing by @bobcallaway in #1409
- Improve error message when image is not found in registry by @imjasonh in #1410
- Bump github.com/go-openapi/runtime from 0.22.0 to 0.23.0 by @dependabot in #1412
- Bump github.com/go-openapi/strfmt from 0.21.1 to 0.21.2 by @dependabot in #1411
- Add ability to override the Spiffe socket via environmental variable: by @vaikas in #1421
- Fix incorrect error check when verifying SCT by @haydentherapper in #1422
- Skip the ReadWrite test that flakes on Windows. by @dlorenc in #1415
- Allow `PassFunc` to be `nil` by @saschagrunert in #1426
- Update the cosign keyless documentation to point to the GA release. by @dlorenc in #1427
- Remove TUF timestamp from OCI signature bundle by @haydentherapper in #1428
- Add docs on API stability and deprecation table by @priyawadhwa in #1429
- Bump google.golang.org/api from 0.67.0 to 0.68.0 by @dependabot in #1434
- update cross-build image which adds goimports by @cpanato in #1435
- feat: enhance clean cmd capability by @developer-guy in #1430
- use the upstream kubernetes version lib and ldflags by @n3wscott in #1413
- Improve log lines to match with implementation by @marcofranssen in #1432
- Bump go-containerregistry, pick up new features by @imjasonh in #1442
- feat: fig autocomplete feature by @developer-guy in #1360
- update cross-build to use go 1.17.7 by @cpanato in #1446
- Fetch verification targets by TUF custom metadata by @haydentherapper in #1423
- feat: add -buildid= to ldflags by @developer-guy in #1451
- Streamline `SignBlobCmd` API with `SignCmd` by @saschagrunert in #1454
- convert release cosigned to also generate yaml artifact. by @k4leung4 in #1453
- Bump webhook timeout. by @dlorenc in #1465
- Fix tkn link in readme by @Yongxuanzhang in #1459
- Bump the gitlab library and add a nil opt for the API change. by @dlorenc in #1466
- Print message when verifying with old TUF targets by @haydentherapper in #1468
- Bump google.golang.org/api from 0.68.0 to 0.69.0 by @dependabot in #1469
- fix(sign): refactor unsupported provider log by @Dentrax in #1464
- tests: `/bin/bash` -> `/usr/bin/env bash` by @znewman01 in #1470
- Double goreleaser timeout by @znewman01 in #1472
- increase timeout for goreleaser snapshot by @cpanato in #1473
- fix(sign): kms unsupported message by @Dentrax in #1475
- refactor release cloudbuild job by @cpanato in #1476
- Bump sigstore/sigstore to pick up the kms change and the monkey-patch… by @dlorenc in #1479
- Fix wording on attach attestation help by @luhring in #1480
- update go-tuf and simplify TUF client code by @asraa in #1455
- add initial changelog for 1.5.2 by @cpanato in #1483
- Fix linter error on main by @priyawadhwa in #1484
- Update Changelog for Security Advisory by @cpanato in #1485
- Bump cloud.google.com/go/storage from 1.20.0 to 1.21.0 by @dependabot in #1481
- chore(makefile): use kocache, convert publish to build by @developer-guy in #1488
- Pick up a change to quiet ECR-login logging. by @mattmoor in #1491
- feat: support other types in copy cmd by @developer-guy in #1493
- Pick up some of the shared workflows by @mattmoor in #1490
- Bump google-github-actions/setup-gcloud from 0.3.0 to 0.5.1 by @dependabot in #1499
- Update github/codeql-action requirement to d39d5d5c9707b926d517b1b292905ef4c03aa777 by @dependabot in #1498
- Bump actions/github-script from 4.1.1 to 6 by @dependabot in #1497
- Bump sigstore/cosign-installer from 1.4.1 to 2.0.1 by @dependabot in #1496
- feat: nominate Dentrax as codeowner by @developer-guy in #1492
- Bump google.golang.org/api from 0.69.0 to 0.70.0 by @dependabot in #1500
- Bump ossf/scorecard-action from 0fe1afdc40f536c78e3dc69147b91b3ecec2cc8a to 1.0.4 by @dependabot in #1502
- Bump google-github-actions/auth from 0.4.4 to 0.6.0 by @dependabot in #1501
- add correct layer media type to cosign attach attestation by @spiffcs in #1503
- Bump actions/setup-go from 2.1.5 to 2.2.0 by @dependabot in #1495
- This sets up the scaffolding for the `cosigned` CRD types. by @mattmoor in #1504
- Bump go.uber.org/zap from 1.20.0 to 1.21.0 by @dependabot in #1509
- Bump github.com/go-openapi/runtime from 0.23.0 to 0.23.1 by @dependabot in #1507
- Bump mikefarah/yq from 4.16.2 to 4.20.2 by @dependabot in #1510
- use v6 api calls in GH action for updating release milestones by @bobcallaway in #1511
- Bump github/codeql-action from 1.1.2 to 1.1.3 by @dependabot in #1512
- Add skeleton reconciler for cosigned API CRD. by @mattmoor in #1513
- Bump golangci/golangci-lint-action from 2.5.2 to 3 by @dependabot in #1516
- bug fix: import ed25519 keys and fix error handling by @asraa in #1518
- optimize codeql speed by using caching and tracing by @bobcallaway in #1519
- Add a dummy.go file to allow vendoring config by @jdolitsky in #1520
- Add CertExtensions func to extract all extensions by @ckotzbauer in #1515
- chore(ci): add artifact hub support by @Dentrax in #1522
- Bump github.com/secure-systems-lab/go-securesystemslib from 0.3.0 to 0.3.1 by @dependabot in #1524
- Bump mikefarah/yq from 4.20.2 to 4.21.1 by @dependabot in #1525
- Bump golangci/golangci-lint-action from 3.0.0 to 3.1.0 by @dependabot in #1526
- Bump actions/setup-go from 2 to 3 by @dependabot in #1527
- Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.11 to 2.0.0-beta.12 by @dependabot in #1528
- Change Fulcio URL default to be fulcio.sigstore.dev by @haydentherapper in #1529
- Add codecov as github action, set permissions to read content only by @k4leung4 in #1530
- Bump actions/checkout from 2 to 3 by @dependabot in #1531
- images: remove --bare flags that conflict with --base-import-paths by @cpanato in #1533
- Quay OCI Support in README by @sabre1041 in #1539
- update github.com/hashicorp/vault/sdk, codegen and go module to 1.17 by @cpanato in #1536
- add rpm,deb and apks for cosign packages by @strongjz in #1537
- Bump github.com/xanzy/go-gitlab from 0.55.1 to 0.56.0 by @dependabot in #1538
- Consistent parenthesis use in Makefile by @k4leung4 in #1541
- add changelog for 1.6.0 by @cpanato in #1535
- update golang cross image by @cpanato in #1543
- Add fields in policy CRD by @kkavitha in #1540
- Disable for now due to some issues when downloading the knative module by @cpanato in #1546
New Contributors
- @saschagrunert made their first contribution in #1388
- @bburky made their first contribution in #1366
- @nsmith5 made their first contribution in #1395
- @knqyf263 made their first contribution in #1399
- @marcofranssen made their first contribution in #1432
- @k4leung4 made their first contribution in #1453
- @Yongxuanzhang made their first contribution in #1459
- @spiffcs made their first contribution in #1503
- @ckotzbauer made their first contribution in #1515
- @strongjz made their first contribution in #1537
- @kkavitha made their first contribution in #1540
Full Changelog: v1.5.1...v1.6.0