Releases: sigstore/cosign
Releases · sigstore/cosign
v2.3.0
v2.3.0
Features
- Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#3693)
- add registry options to cosign save (#3645)
- Add debug providers command. (#3728)
- Make config layers in ociremote mountable (#3741)
- upgrade to go1.22 (#3739)
- adds tsa cert chain check for env var or tuf targets. (#3600)
- add --ca-roots and --ca-intermediates flags to 'cosign verify' (#3464)
- add handling of keyless verification for all verify commands (#3761)
Bug Fixes
- fix: close attestationFile (#3679)
- Set
bundleVerified
to true after Rekor verification (Resolves #3740) (#3745)
Documentation
- Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#3776)
Testing
- Refactor KMS E2E tests (#3684)
- Remove sign_blob_test.sh test (#3707)
- Remove KMS E2E test script (#3702)
- Refactor insecure registry E2E tests (#3701)
Contributors
- Billy Lynch
- bminahan73
- Bob Callaway
- Carlos Tadeu Panato Junior
- Cody Soyland
- Colleen Murphy
- Dmitry Savintsev
- guangwu
- Hayden B
- Hector Fernandez
- ian hundere
- Jason Power
- Jon Johnson
- Max Lambrecht
- Meeki1l
Full Changelog: v2.2.4...v2.3.0
v2.2.4
v2.2.4
Bug Fixes
- Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
- ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
- fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
- Honor creation timestamp for signatures again (#3549)
Features
- Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)
Documentation
- add oci bundle spec (#3622)
- Correct help text of triangulate cmd (#3551)
- Correct help text of verify-attestation policy argument (#3527)
- feat: add OVHcloud MPR registry tested with cosign (#3639)
Testing
- Refactor e2e-tests.yml workflow (#3627)
- Clean up and clarify e2e scripts (#3628)
- Don't ignore transparency log in tests if possible (#3528)
- Make E2E tests hermetic (#3499)
- add e2e test for pkcs11 token signing (#3495)
Full Changelog: v2.2.3...v2.2.4
v1.13.6
v2.2.3
v2.2.3
Bug Fixes
- Fix race condition on verification with multiple signatures attached to image (#3486)
- fix(clean): Fix clean cmd for private registries (#3446)
- Fixed BYO PKI verification (#3427)
Features
- Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
- Add support for OpenVEX predicate type (#3405)
Documentation
- Resolves #3088:
version
sub-command expected behaviour documentation and testing (#3447) - add examples for cosign attach signature cmd (#3468)
Misc
Full Changelog: v2.2.2...v2.2.3
v2.2.2
v2.2.2
v2.2.2 adds a new container with a shell, gcr.io/projectsigstore/cosign:vx.y.z-dev
, in addition to the existing
container gcr.io/projectsigstore/cosign:vx.y.z
without a shell.
For private deployments, we have also added an alias for --insecure-skip-log
, --private-infrastructure
.
Bug Fixes
- chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411) which fixes a bug with using Azure KMS
- Don't require CT log keys if using a key/sk (#3415)
- Fix copy without any flag set (#3409)
- Update cosign generate cmd to not include newline (#3393)
- Fix idempotency error with signing (#3371)
Features
- Add
--yes
flagcosign import-key-pair
to skip the overwrite confirmation. (#3383) - Use the timeout flag value in verify* commands. (#3391)
- add --private-infrastructure flag (#3369)
Container Updates
- Bump builder image to use go1.21.4 and add new cosign image tags with shell (#3373)
Documentation
- Update SBOM_SPEC.md (#3358)
Contributors
- Carlos Tadeu Panato Junior
- Dylan Richardson
- Hayden B
- Lily Sturmann
- Nikos Fotiou
- Yonghe Zhao
Full Changelog: v2.2.1...v2.2.2
v1.13.2
What's Changed
- [release-1.13] update builder image that uses go 1.19.4 by @cpanato in #2521
- Backport GHSA-vfp6-jrw2-99g9 by @cpanato in #3364
Full Changelog: v1.13.1...v1.13.2
v2.2.1
Note: This release comes with a fix for CVE-2023-46737 described in this Github Security Advisory. Please upgrade to this release ASAP
Enhancements
- feat: Support basic auth and bearer auth login to registry (#3310)
- add support for ignoring certificates with pkcs11 (#3334)
- Support ReplaceOp in Signatures (#3315)
- feat: added ability to get image digest back via triangulate (#3255)
- feat: add
--only
flag incosign copy
to copy sign, att & sbom (#3247) - feat: add support attaching a Rekor bundle to a container (#3246)
- feat: add support outputting rekor response on signing (#3248)
- feat: improve dockerfile verify subcommand (#3264)
- Add guard flag for experimental OCI 1.1 verify. (#3272)
- Deprecate SBOM attachments (#3256)
- feat: dedent line in cosign copy doc (#3244)
- feat: add platform flag to cosign copy command (#3234)
- Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)
- attest: pass OCI remote opts to att resolver. (#3225)
Bug Fixes
- Merge pull request from GHSA-vfp6-jrw2-99g9
- fix: allow cosign download sbom when image is absent (#3245)
- ci: add a OCI registry test for referrers support (#3253)
- Fix ReplaceSignatures (#3292)
- Stop using deprecated in_toto.ProvenanceStatement (#3243)
- Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237)
- fix: update error in
SignedEntity
to be more descriptive (#3233) - Fail timestamp verification if no root is provided (#3224)
Documentation
- Add some docs about verifying in an air-gapped environment (#3321)
- Update CONTRIBUTING.md (#3268)
- docs: improves the Contribution guidelines (#3257)
- Remove security policy (#3230)
Others
- Set go to min 1.21 and update dependencies (#3327)
- Update contact for code of conduct (#3266)
- Update .ko.yaml (#3240)
Contributors
- AdamKorcz
- Andres Galante
- Appu
- Billy Lynch
- Bob Callaway
- Caleb Woodbine
- Carlos Tadeu Panato Junior
- Dylan Richardson
- Gareth Healy
- Hayden B
- John Kjell
- Jon Johnson
- jonvnadelberg
- Luiz Carvalho
- Priya Wadhwa
- Ramkumar Chinchani
- Tosone
- Ville Aikas
- Vishal Choudhary
- ziel
New Contributors
- @vishal-chdhry made their first contribution in #3233
- @jkjell made their first contribution in #3237
- @ziel made their first contribution in #3219
- @andresgalante made their first contribution in #3257
- @BobyMCbobs made their first contribution in #3264
- @garethahealy made their first contribution in #3255
- @jonvnadelberg made their first contribution in #3268
- @dylrich made their first contribution in #3334
- @tosone made their first contribution in #3310
Full Changelog: v2.2.0...v2.2.1
v2.2.0
v2.2.0
Enhancements
- switch to uploading DSSE types to rekor instead of intoto (#3113)
- add 'cosign sign' command-line parameters for mTLS (#3052)
- improve error messages around bundle != payload hash (#3146)
- make VerifyImageAttestation function public (#3156)
- Switch to cryptoutils function for SANS (#3185)
- Handle HTTP_1_1_REQUIRED errors in github provider (#3172)
Bug Fixes
- Fix nondeterminsitic timestamps (#3121)
Documentation
- doc: Add example of sign-blob with key in env var (#3152)
- add deprecation notice for cosign-releases GCS bucket (#3148)
- update doc links (#3186)
Others
v2.1.1
v2.1.0
v2.1.0
Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag.
Enhancements
- Verify sigs and attestations in parallel (#3066)
- Deep inspect attestations when filtering download (#3031)
- refactor bundle validation code, add support for DSSE rekor type (#3016)
- Allow overriding remote options (#3049)
- feat: adds no cert found on sig exit code (#3038)
- Make predicate a required flag in attest commands (#3033)
- Added support for attaching Time stamp authority Response in attach command (#3001)
- Add
sign --sign-container-identity
CLI (#2984) - Feature: Allow cosign to sign digests before they are uploaded. (#2959)
- accepts
attachment-tag-prefix
forcosign copy
(#3014) - Feature: adds '--allow-insecure-registry' for cosign load (#3000)
- download attestation: support --platform flag (#2980)
- Cleanup: Add
Digest
to theSignedEntity
interface. (#2960) - verify command: support keyless verification using only a provided certificate chain with non-fulcio roots (#2845)
- verify: use workers to limit the paralellism when verifying images with --max-workers flag (#3069)
Bug Fixes
- Fix pkg/cosign/errors (#3050)
- fix: update doc to refer to github-actions oidc provider (#3040)
- fix: prefer GitHub OIDC provider if enabled (#3044)
- Fix --sig-only in cosign copy (#3074)
Documentation
Thanks to all contributors!
- Bob Callaway
- Carlos Tadeu Panato Junior
- Chok Yip Lau
- Chris Burns
- Dmitry Savintsev
- Enyinna Ochulor
- Hayden B
- Hector Fernandez
- Jakub Hrozek
- Jason Hall
- Jon Johnson
- Luiz Carvalho
- Matt Moore
- Mritunjay Kumar Sharma
- Mukuls77
- Ramkumar Chinchani
- Sascha Grunert
- Yolanda Robla Mota
- priyawadhwa