What's Changed
- commenting out the copy from gcr to ghcr due to issues on github side by @cpanato in #1715
- Update images for release job by @cpanato in #1551
- pkcs11: fix build instructions by @rgerganov in #1550
- Bump actions/upload-artifact from 2.3.1 to 3 by @dependabot in #1553
- Bump github.com/xanzy/go-gitlab from 0.56.0 to 0.57.0 by @dependabot in #1552
- Mirror signed release images from GCR to GHCR as part of release with… by @k4leung4 in #1547
- Update hashicorp/parseutil to v0.1.3. by @dlorenc in #1557
- Bump github.com/xanzy/go-gitlab from 0.57.0 to 0.58.0 by @dependabot in #1560
- Bump github.com/go-openapi/runtime from 0.23.1 to 0.23.2 by @dependabot in #1559
- Bump sigstore/cosign-installer from 2.0.1 to 2.1.0 by @dependabot in #1561
- add definition for artifact hub to verify the ownership by @cpanato in #1563
- Bump github/codeql-action from 1.1.3 to 1.1.4 by @dependabot in #1565
- Add example using AWS Key Management Service (KMS) by @davivcgarcia in #1564
- Start of the necessary pieces to get #1418 and #1419 implemented by @vaikas in #1562
- Bump google.golang.org/api from 0.70.0 to 0.71.0 by @dependabot in #1577
- Bump github.com/hashicorp/go-hclog from 1.1.0 to 1.2.0 by @dependabot in #1576
- Bump google-github-actions/setup-gcloud from 0.5.1 to 0.6.0 by @dependabot in #1578
- Support deletion of ClusterImagePolicy by @vaikas in #1580
- Bump github.com/xanzy/go-gitlab from 0.58.0 to 0.59.0 by @dependabot in #1579
- 1417 policy validations by @kkavitha in #1548
- Don't lowercase input image refs, just fail by @imjasonh in #1586
- Fix #1583 #1582. Disallow regex now until implemented. by @vaikas in #1584
- Bump github.com/spf13/cobra from 1.3.0 to 1.4.0 by @dependabot in #1588
- Bump google.golang.org/grpc from 1.44.0 to 1.45.0 by @dependabot in #1587
- Bump mikefarah/yq from 4.21.1 to 4.22.1 by @dependabot in #1589
- Fix piping 'cosign verify' using fulcio/rekor by @marcofranssen in #1590
- Fix #1592 move authorities as siblings of images. by @vaikas in #1593
- Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.12 to 2.0.0 by @dependabot in #1597
- Add ability to inline secrets from SecretRef to configmap. by @vaikas in #1595
- Fix copy/paste mistake in repo name. by @k4leung4 in #1600
- Use reusable release workflow in sigstore/sigstore by @k4leung4 in #1599
- Add public key validation by @kkavitha in #1598
- Validate a public key in a secret is valid. by @vaikas in #1602
- Ensure entry is removed from CM on secret error. by @vaikas in #1605
- Bump google.golang.org/api from 0.71.0 to 0.72.0 by @dependabot in #1612
- Bump to knative pkg 1.3 by @mattmoor in #1614
- Add two env variables. One for using Rekor public key from OOB and one for fetching it from Rekor server by @vaikas in #1610
- Init entity from ociremote when signing a digest ref by @puerco in #1616
- rename ca-key to ca-cert. Fix 1608, 1613 by @vaikas in #1617
- improve cosigned validation error messages by @cpanato in #1618
- Bump ecr-login to pick up WithLogger rename by @mattmoor in #1624
- Bump github/codeql-action from 1.1.4 to 1.1.5 by @dependabot in #1622
- Bump google.golang.org/api from 0.72.0 to 0.73.0 by @dependabot in #1619
- Bump github.com/stretchr/testify from 1.7.0 to 1.7.1 by @dependabot in #1621
- Use latest knative/pkg's configmap informer by @tcnghia in #1615
- Included OpenSSF Best Practices Badge by @naveensrinivasan in #1628
- Bump github.com/xanzy/go-gitlab from 0.59.0 to 0.60.0 by @dependabot in #1634
- FUN.md broke when RecordObj changed to HashedRecordObj by @MitchellJThomas in #1633
- update crane to v0.8.0 release by @cpanato in #1635
- push latest tag when building a release by @cpanato in #1636
- Add extra label and change the latest tag to unstable for non tagged releases by @cpanato in #1637
- Bump github.com/go-openapi/runtime from 0.23.2 to 0.23.3 by @dependabot in #1638
- Bump actions/cache from 2.1.7 to 3 by @dependabot in #1640
- Document Elastic container registry support by @mgreau in #1641
- Bump mikefarah/yq from 4.22.1 to 4.23.1 by @dependabot in #1639
- Validate authority keys by @coyote240 in #1623
- feat: tree command utility by @developer-guy in #1603
- fix build date format for version command by @cpanato in #1644
- Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 by @dependabot in #1646
- Add support for intermediate certificates when verifying by @haydentherapper in #1631
- Prompt user before running `cosign clean` by @priyawadhwa in #1649
- Use ClusterImagePolicy with Keyless + e2e tests for CIP with kind by @vaikas in #1650
- KEYLESS.md: Shorten example OAuth URL by @tstromberg in #1661
- Use syscall.Stdin for input handle. Fixes #1153 by @mdp in #1657
- Add support for certificate chain to verify certificate by @haydentherapper in #1659
- First batch of followups to #1650 by @vaikas in #1664
- Add certificate chain flag for signing by @haydentherapper in #1656
- [attach]: Add specific suffixes mediaTypes to sboms by @hectorj2f in #1663
- update font when output the cosign version by @cpanato in #1668
- feat: add ability to override registry keychain by @noamichael in #1666
- remove replace directive by @cpanato in #1669
- Bump mikefarah/yq from 4.23.1 to 4.24.2 by @dependabot in #1670
- Refactor based on discussions in #1650 by @vaikas in #1674
- Find all valid entries in verify-blob by @priyawadhwa in #1673
- Fix relative paths in GitHub OIDC blob test by @priyawadhwa in #1677
- Add support for cert and cert chain flags with PKCS11 tokens by @haydentherapper in #1671
- Use cosign @ HEAD for Github OIDC sign blob test by @priyawadhwa in #1678
- Make `cosign copy` copy metadata attached to child images. by @mattmoor in #1682
- change file_name_template to PackageName by @strongjz in #1683
- Update error message for verify/verify attestation by @haydentherapper in #1686
- cosign clean: Don't log failure if the registry responds with 404 by @imjasonh in #1687
- verify: add leaf hash verification for tlog entries by @asraa in #1688
- Fix handling of policy in verify-attestation by @lcarva in #1672
- Add e2e test for attest / verify-attestation by @vaikas in #1685
- Bump actions/cache from 3.0.0 to 3.0.1 by @dependabot in #1689
- Bump github/codeql-action from 1.1.5 to 2.1.6 by @dependabot in #1690
- Bump google.golang.org/api from 0.73.0 to 0.74.0 by @dependabot in #1695
- verify: remove extra calls to rekor for verify and verify-blob by @asraa in #1694
- Remove the hardcoded sigstore audience by @mattmoor in #1698
- Use ValidatePubKey from sigstore/sigstore by @haydentherapper in #1676
- Use the github actions from sigstore/scaffolding. by @vaikas in #1699
- sign: set the oidc redirect uri by @hectorj2f in #1675
- add back the go mod proxy by @cpanato in #1701
- enable 1.23 tests (Test cosigned with ClusterImagePolicy) by @cpanato in #1702
- Fix incorrect unmarshalling of SCT response by @haydentherapper in #1704
- Make CLI flag for OIDC client secret take a path by @znewman01 in #1705
- add changelog for 1.7.0 by @cpanato in #1700
- cosigned: read the public key from the kms authority by @hectorj2f in #1706
- fix latest tag when running a release job by @cpanato in #1707
- [Cosigned] Parse and store publicKey data earlier by @DennyHoang in #1681
- Bump github.com/xanzy/go-gitlab from 0.60.0 to 0.61.0 by @dependabot in #1708
- Dont overwrite token set in keyOpts by @puerco in #1709
- refactor release job by @cpanato in #1710
New Contributors
- @davivcgarcia made their first contribution in #1564
- @tcnghia made their first contribution in #1615
- @MitchellJThomas made their first contribution in #1633
- @mgreau made their first contribution in #1641
- @coyote240 made their first contribution in #1623
- @tstromberg made their first contribution in #1661
- @mdp made their first contribution in #1657
- @noamichael made their first contribution in #1666
- @lcarva made their first contribution in #1672
- @DennyHoang made their first contribution in #1681
Full Changelog: v1.6.0...v1.7.1