github sigstore/cosign v3.0.1
on GitHub

5 hours ago

v3.0.1

v3.0.1 is an equivalent release to v3.0.0, which was never published due to a failure in our CI workflows.

  • Note that the --bundle flag specifying an output file to write the Sigstore bundle (which contains all relevant verification material) has moved from optional to required in v3.

Changes

  • update goreleaser config for v3.0.0 release (#4446)

v3.0.0

Announcing the next major release of Cosign!

Cosign v3 is a minor change from Cosign v2.6.x, with all of the new capabilities of recent
releases on by default, but will still allow you to disable them if you need the older functionality.
These new features include support for the standardized bundle format (--new-bundle-fomat), providing roots
of trust for verification and service URLs for signing via one file (--trusted-root, --signing-config),
and container signatures stored as an OCI Image 1.1 referring artifact.

Learn more on our v3 announcement blog post! See
the changelogs for v2.6.0, v2.5.0, and v2.4.0 for more information on recent
changes.

If you have any feedback, please reach out on Slack or file an issue on GitHub.

Changes

  • Default to using the new protobuf format (#4318)
  • Fetch service URLs from the TUF PGI signing config by default (#4428)
  • Bump module version to v3 for Cosign v3.0 (#4427)
Check out latest releases or
releases around sigstore/cosign v3.0.1

Don't miss a new cosign release

NewReleases is sending notifications on new releases.

Get notifications