v3.0.3

Thank you for all of your feedback on Cosign v3! v3.0.3 fixes a number of bugs reported by
the community along with adding compatibility for the new bundle format and attestation
storage in OCI to additional commands. We're continuing to work on compatibility with
the remaining commands and will have a new release shortly. If you run into any problems,
please file an issue

Changes

• 4554: Closes 4554 - Add warning when --output* is used (#4556)
• Protobuf bundle support for subcommand clean (#4539)
• Add staging flag to initialize with staging TUF metadata
• Updating sign-blob to also support signing with a certificate (#4547)
• Protobuf bundle support for subcommands save and load (#4538)
• Fix cert attachment for new bundle with signing config
• Fix OCI verification with local cert - old bundle
• Deprecate tlog-upload flag (#4458)
• fix: Use signal context for sign cli package.
• update offline verification directions (#4526)
• Fix signing/verifying annotations for new bundle
• Add support to download and attach for protobuf bundles (#4477)
• Add --signing-algorithm flag (#3497)
• Refactor signcommon bundle helpers
• Add --bundle and fix --upload for new bundle
• Pass insecure registry flags through to referrers
• Add protobuf bundle support for tree subcommand (#4491)
• Remove stale embed import (#4492)
• Support multiple container identities
• Fix segfault when no attestations are found (#4472)
• Use overridden repository for new bundle format (#4473)
• Remove --out flag from cosign initialize (#4462)
• Deprecate offline flag (#4457)
• Deduplicate code in sign/attest* and verify* commands (#4449)
• Cache signing config when calling initialize (#4456)

Full Changelog: v3.0.2...v3.0.3