Skip to content

Latest commit

 

History

History
2620 lines (2114 loc) · 128 KB

CHANGELOG.md

File metadata and controls

2620 lines (2114 loc) · 128 KB

v3.0.3

Thank you for all of your feedback on Cosign v3! v3.0.3 fixes a number of bugs reported by the community along with adding compatibility for the new bundle format and attestation storage in OCI to additional commands. We're continuing to work on compatibility with the remaining commands and will have a new release shortly. If you run into any problems, please file an issue

Changes

  • 4554: Closes 4554 - Add warning when --output* is used (#4556)
  • Protobuf bundle support for subcommand clean (#4539)
  • Add staging flag to initialize with staging TUF metadata
  • Updating sign-blob to also support signing with a certificate (#4547)
  • Protobuf bundle support for subcommands save and load (#4538)
  • Fix cert attachment for new bundle with signing config
  • Fix OCI verification with local cert - old bundle
  • Deprecate tlog-upload flag (#4458)
  • fix: Use signal context for sign cli package.
  • update offline verification directions (#4526)
  • Fix signing/verifying annotations for new bundle
  • Add support to download and attach for protobuf bundles (#4477)
  • Add --signing-algorithm flag (#3497)
  • Refactor signcommon bundle helpers
  • Add --bundle and fix --upload for new bundle
  • Pass insecure registry flags through to referrers
  • Add protobuf bundle support for tree subcommand (#4491)
  • Remove stale embed import (#4492)
  • Support multiple container identities
  • Fix segfault when no attestations are found (#4472)
  • Use overridden repository for new bundle format (#4473)
  • Remove --out flag from cosign initialize (#4462)
  • Deprecate offline flag (#4457)
  • Deduplicate code in sign/attest* and verify* commands (#4449)
  • Cache signing config when calling initialize (#4456)

v3.0.2

v3.0.2 is a functionally equivalent release to v3.0.0 and v3.0.1, with a fix for CI to publish signed releases in the new bundle format.

  • Note that the --bundle flag specifying an output file to write the Sigstore bundle (which contains all relevant verification material) has moved from optional to required in v3.

Changes

  • choose different signature filename for KMS-signed release signatures (#4448)
  • Update rekor-tiles version path (#4450)

v3.0.1

v3.0.1 is an equivalent release to v3.0.0, which was never published due to a failure in our CI workflows.

  • Note that the --bundle flag specifying an output file to write the Sigstore bundle (which contains all relevant verification material) has moved from optional to required in v3.

Changes

  • update goreleaser config for v3.0.0 release (#4446)

v3.0.0

Announcing the next major release of Cosign!

Cosign v3 is a minor change from Cosign v2.6.x, with all of the new capabilities of recent releases on by default, but will still allow you to disable them if you need the older functionality. These new features include support for the standardized bundle format (--new-bundle-fomat), providing roots of trust for verification and service URLs for signing via one file (--trusted-root, --signing-config), and container signatures stored as an OCI Image 1.1 referring artifact.

Learn more on our v3 announcement blog post! See the changelogs for v2.6.0, v2.5.0, and v2.4.0 for more information on recent changes.

If you have any feedback, please reach out on Slack or file an issue on GitHub.

Changes

  • Default to using the new protobuf format (#4318)
  • Fetch service URLs from the TUF PGI signing config by default (#4428)
  • Bump module version to v3 for Cosign v3.0 (#4427)

v2.6.1

Bug Fixes

  • Partially populate the output of cosign verify when working with new bundles (#4416)
  • Bump sigstore-go, move conformance back to tagged release (#4426)

v2.6.0

v2.6.0 introduces a number of new features, including:

  • Signing an in-toto statement rather than Cosign constructing one from a predicate, along with verifying a statement's subject using a digest and digest algorithm rather than providing a file reference (#4306)
  • Uploading a signature and its verification material (a "bundle") as an OCI Image 1.1 referring artifact, completing #3927 (#4316)
  • Providing service URLs for signing and attesting using a SigningConfig. Note that this is required when using a Rekor v2 instance (#4319)

Example generation and verification of a signed in-toto statement:

cosign attest-blob --new-bundle-format=true --bundle="digest-key-test.sigstore.json" --key="cosign.key" --statement="../sigstore-go/examples/sigstore-go-signing/intoto.txt"
cosign verify-blob-attestation --bundle="digest-key-test.sigstore.json" --key=cosign.pub --type=unused --digest="b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9" --digestAlg="sha256"

Example container signing and verification using the new bundle format and referring artifacts:

cosign sign --new-bundle-format=true ghcr.io/user/alpine@sha256:a19367999603840546b8612572e338ec076c6d1f2fec61760a9e11410f546733
cosign verify --new-bundle-format=true ghcr.io/user/alpine@sha256:a19367999603840546b8612572e338ec076c6d1f2fec61760a9e11410f546733

Example usage of a signing config provided by the public good instance's TUF repository:

cosign sign-blob --use-signing-config --bundle sigstore.json README.md
cosign verify-blob --new-bundle-format --bundle sigstore.json --certificate-identity $EMAIL --certificate-oidc-issuer $ISSUER --use-signed-timestamps README.md

v2.6.0 leverages sigstore-go's signing and verification APIs gated behind these new flags. In an upcoming major release, we will be updating Cosign to default to producing and consuming bundles to align with all other Sigstore SDKs.

Features

  • Add to attest-blob the ability to supply a complete in-toto statement, and add to verify-blob-attestation the ability to verify with just a digest (#4306)
  • Have cosign sign support bundle format (#4316)
  • Add support for SigningConfig for sign-blob/attest-blob, support Rekor v2 (#4319)
  • Add support for SigningConfig in sign/attest (#4371)
  • Support self-managed keys when signing with sigstore-go (#4368)
  • Don't require timestamps when verifying with a key (#4337)
  • Don't load content from TUF if trusted root path is specified (#4347)
  • Add a terminal spinner while signing with sigstore-go (#4402)
  • Require exclusively a SigningConfig or service URLs when signing (#4403)
  • Remove SHA256 assumption in sign-blob/verify-blob (#4050)
  • Bump sigstore-go, support alternative hash algorithms with keys (#4386)

Breaking API Changes

  • sign.SignerFromKeyOpts no longer generates a key. Instead, it returns whether or not the client needs to generate a key, and if so, clients should call sign.KeylessSigner. This allows clients to more easily manage key generation.

Bug Fixes

  • Verify subject with bundle only when checking claims (#4320)
  • Fixes to cosign sign / verify for the new bundle format (#4346)

v2.5.3

Features

  • Add signing-config create command (#4280)
  • Allow multiple services to be specified for trusted-root create (#4285)
  • feat: Add OCI 1.1+ experimental support to tree (#4205)
  • Add validity period end for trusted-root create (#4271)

Bug Fixes

  • Fix cert verification logic for trusted-root/SCTs (#4294)
  • force when copying the latest image to overwrite (#4298)
  • avoid double-loading trustedroot from file (#4264)

v2.5.2

Bug Fixes

  • Do not load trusted root when CT env key is set

Documentation

  • docs: improve doc for --no-upload option (#4206)

v2.5.1

Features

  • Add Rekor v2 support for trusted-root create (#4242)
  • Add baseUrl and Uri to trusted-root create command
  • Upgrade to TUF v2 client with trusted root
  • Don't verify SCT for a private PKI cert (#4225)
  • Bump TSA library to relax EKU chain validation rules (#4219)

Bug Fixes

  • Bump sigstore-go to pick up log index=0 fix (#4162)
  • remove unused recursive flag on attest command (#4187)

Docs

  • Fix indentation in verify-blob cmd examples (#4160)

Releases

  • ensure we copy the latest tags on each release (#4157)

Contributors

  • arthurus-rex
  • Babak K. Shandiz
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Colleen Murphy
  • Dmitry Savintsev
  • Emmanuel Ferdman
  • Hayden B
  • Ville Skyttä

v2.5.0

v2.5.0 includes an implementation of the new bundle specification, attesting and verifying OCI image attestations uploaded as OCI artifacts. This feature is currently gated behind the --new-bundle-format flag when running cosign attest.

Features

  • Add support for new bundle specification for attesting/verifying OCI image attestations (#3889)
  • Feat/non filename completions (#4115)
  • Add TSA certificate related flags and fields for cosign attest (#4079)

Fixes

  • cmd/cosign/cli: fix typo in ignoreTLogMessage (#4111)
  • Fix replace with compliant image mediatype (#4077)

Contributors

  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Cody Soyland
  • Dmitry Savintsev
  • Hayden B
  • Ramon Petgrave
  • Riccardo Schirone
  • Stef Graces
  • Ville Skyttä

v2.4.3

Features

  • Bump sigstore/sigstore to support KMS plugins (#4073)
  • Enable fetching signatures without remote get. (#4047)
  • Feat/file flag completion improvements (#4028)
  • Update builder to use go1.23.6 (#4052)

Bug Fixes

  • fix parsing error in --only for cosign copy (#4049)

Cleanup

  • Refactor verifyNewBundle into library function (#4013)
  • fix comment typo and imports order (#4061)
  • sync comment with parameter name in function signature (#4063)
  • sort properly Go imports (#4071)

Contributors

  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Cody Soyland
  • Dmitry Savintsev
  • Hayden B
  • Tomasz Janiszewski
  • Ville Skyttä

v2.4.2

Features

  • Updated open-policy-agent to 1.1.0 library (#4036)
    • Note that only Rego v0 policies are supported at this time
  • Add UseSignedTimestamps to CheckOpts, refactor TSA options (#4006)
  • Add support for verifying root checksum in cosign initialize (#3953)
  • Detect if user supplied a valid protobuf bundle (#3931)
  • Add a log message if user doesn't provide --trusted-root (#3933)
  • Support mTLS towards container registry (#3922)
  • Add bundle create helper command (#3901)
  • Add trusted-root create helper command (#3876)

Bug Fixes

  • fix: set tls config while retaining other fields from default http transport (#4007)
  • policy fuzzer: ignore known panics (#3993)
  • Fix for multiple WithRemote options (#3982)
  • Add nightly conformance test workflow (#3979)
  • Fix copy --only for signatures + update/align docs (#3904)

Documentation

  • Remove usage.md from spec, point to client spec (#3918)
  • move reference from gcr to ghcr (#3897)

Contributors

  • AdamKorcz
  • Aditya Sirish
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Cody Soyland
  • Colleen Murphy
  • Hayden B
  • Jussi Kukkonen
  • Marco Franssen
  • Nianyu Shen
  • Slavek Kabrda
  • Søren Juul
  • Warren Hodgkinson
  • Zach Steindler

v2.4.1

v2.4.1 largely contains bug fixes and updates dependencies.

Features

  • Added fuzzing coverage to multiple packages

Bug Fixes

  • Fix bug in attest-blob when using a timestamp authority with new bundles (#3877)
  • fix: documentation link for installation guide (#3884)

Contributors

  • AdamKorcz
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Hayden B
  • Hemil K
  • Sota Sugiura
  • Zach Steindler

v2.4.0

v2.4.0 begins the modernization of the Cosign client, which includes:

  • Support for the newer Sigstore specification-compliant bundle format
  • Support for providing trust roots (e.g. Fulcio certificates, Rekor keys) through a trust root file, instead of many different flags
  • Conformance test suite integration to verify signing and verification behavior

In future updates, we'll include:

  • General support for the trust root file, instead of only when using the bundle format during verification
  • Simplification of trust root flags and deprecation of the Cosign-specific bundle format
  • Bundle support with container signing

We have also moved nightly Cosign container builds to GHCR instead of GCR.

Features

  • Add new bundle support to verify-blob and verify-blob-attestation (#3796)
  • Adding protobuf bundle support to sign-blob and attest-blob (#3752)
  • Bump sigstore/sigstore to support email_verified as string or boolean (#3819)
  • Conformance testing for cosign (#3806)
  • move incremental builds per commit to GHCR instead of GCR (#3808)
  • Add support for recording creation timestamp for cosign attest (#3797)
  • Include SCT verification failure details in error message (#3799)

Contributors

  • Bob Callaway
  • Hayden B
  • Slavek Kabrda
  • Zach Steindler
  • Zsolt Horvath

v2.3.0

Features

  • Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#3693)
  • add registry options to cosign save (#3645)
  • Add debug providers command. (#3728)
  • Make config layers in ociremote mountable (#3741)
  • upgrade to go1.22 (#3739)
  • adds tsa cert chain check for env var or tuf targets. (#3600)
  • add --ca-roots and --ca-intermediates flags to 'cosign verify' (#3464)
  • add handling of keyless verification for all verify commands (#3761)

Bug Fixes

  • fix: close attestationFile (#3679)
  • Set bundleVerified to true after Rekor verification (Resolves #3740) (#3745)

Documentation

  • Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#3776)

Testing

  • Refactor KMS E2E tests (#3684)
  • Remove sign_blob_test.sh test (#3707)
  • Remove KMS E2E test script (#3702)
  • Refactor insecure registry E2E tests (#3701)

Contributors

  • Billy Lynch
  • bminahan73
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Cody Soyland
  • Colleen Murphy
  • Dmitry Savintsev
  • guangwu
  • Hayden B
  • Hector Fernandez
  • ian hundere
  • Jason Power
  • Jon Johnson
  • Max Lambrecht
  • Meeki1l

v2.2.4

Bug Fixes

  • Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
  • ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
  • fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
  • Honor creation timestamp for signatures again (#3549)

Features

  • Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)

Documentation

  • add oci bundle spec (#3622)
  • Correct help text of triangulate cmd (#3551)
  • Correct help text of verify-attestation policy argument (#3527)
  • feat: add OVHcloud MPR registry tested with cosign (#3639)

Testing

  • Refactor e2e-tests.yml workflow (#3627)
  • Clean up and clarify e2e scripts (#3628)
  • Don't ignore transparency log in tests if possible (#3528)
  • Make E2E tests hermetic (#3499)
  • add e2e test for pkcs11 token signing (#3495)

v2.2.3

Bug Fixes

  • Fix race condition on verification with multiple signatures attached to image (#3486)
  • fix(clean): Fix clean cmd for private registries (#3446)
  • Fixed BYO PKI verification (#3427)

Features

  • Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
  • Add support for OpenVEX predicate type (#3405)

Documentation

  • Resolves #3088: version sub-command expected behaviour documentation and testing (#3447)
  • add examples for cosign attach signature cmd (#3468)

Misc

  • Remove CertSubject function (#3467)
  • Use local rekor and fulcio instances in e2e tests (#3478)

Contributors

  • aalsabag
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Colleen Murphy
  • Hayden B
  • Mukuls77
  • Omri Bornstein
  • Puerco
  • vivek kumar sahu

v2.2.2

v2.2.2 adds a new container with a shell, gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing container gcr.io/projectsigstore/cosign:vx.y.z without a shell.

For private deployments, we have also added an alias for --insecure-skip-log, --private-infrastructure.

Bug Fixes

  • chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411) which fixes a bug with using Azure KMS
  • Don't require CT log keys if using a key/sk (#3415)
  • Fix copy without any flag set (#3409)
  • Update cosign generate cmd to not include newline (#3393)
  • Fix idempotency error with signing (#3371)

Features

  • Add --yes flag cosign import-key-pair to skip the overwrite confirmation. (#3383)
  • Use the timeout flag value in verify* commands. (#3391)
  • add --private-infrastructure flag (#3369)

Container Updates

  • Bump builder image to use go1.21.4 and add new cosign image tags with shell (#3373)

Documentation

  • Update SBOM_SPEC.md (#3358)

Contributors

  • Carlos Tadeu Panato Junior
  • Dylan Richardson
  • Hayden B
  • Lily Sturmann
  • Nikos Fotiou
  • Yonghe Zhao

v2.2.1

Note: This release comes with a fix for CVE-2023-46737 described in this Github Security Advisory. Please upgrade to this release ASAP

Enhancements

  • feat: Support basic auth and bearer auth login to registry (#3310)
  • add support for ignoring certificates with pkcs11 (#3334)
  • Support ReplaceOp in Signatures (#3315)
  • feat: added ability to get image digest back via triangulate (#3255)
  • feat: add --only flag in cosign copy to copy sign, att & sbom (#3247)
  • feat: add support attaching a Rekor bundle to a container (#3246)
  • feat: add support outputting rekor response on signing (#3248)
  • feat: improve dockerfile verify subcommand (#3264)
  • Add guard flag for experimental OCI 1.1 verify. (#3272)
  • Deprecate SBOM attachments (#3256)
  • feat: dedent line in cosign copy doc (#3244)
  • feat: add platform flag to cosign copy command (#3234)
  • Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)
  • attest: pass OCI remote opts to att resolver. (#3225)

Bug Fixes

  • Merge pull request from GHSA-vfp6-jrw2-99g9
  • fix: allow cosign download sbom when image is absent (#3245)
  • ci: add a OCI registry test for referrers support (#3253)
  • Fix ReplaceSignatures (#3292)
  • Stop using deprecated in_toto.ProvenanceStatement (#3243)
  • Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237)
  • fix: update error in SignedEntity to be more descriptive (#3233)
  • Fail timestamp verification if no root is provided (#3224)

Documentation

  • Add some docs about verifying in an air-gapped environment (#3321)
  • Update CONTRIBUTING.md (#3268)
  • docs: improves the Contribution guidelines (#3257)
  • Remove security policy (#3230)

Others

  • Set go to min 1.21 and update dependencies (#3327)
  • Update contact for code of conduct (#3266)
  • Update .ko.yaml (#3240)

Contributors

  • AdamKorcz
  • Andres Galante
  • Appu
  • Billy Lynch
  • Bob Callaway
  • Caleb Woodbine
  • Carlos Tadeu Panato Junior
  • Dylan Richardson
  • Gareth Healy
  • Hayden B
  • John Kjell
  • Jon Johnson
  • jonvnadelberg
  • Luiz Carvalho
  • Priya Wadhwa
  • Ramkumar Chinchani
  • Tosone
  • Ville Aikas
  • Vishal Choudhary
  • ziel

v2.2.0

Enhancements

  • switch to uploading DSSE types to rekor instead of intoto (#3113)
  • add 'cosign sign' command-line parameters for mTLS (#3052)
  • improve error messages around bundle != payload hash (#3146)
  • make VerifyImageAttestation function public (#3156)
  • Switch to cryptoutils function for SANS (#3185)
  • Handle HTTP_1_1_REQUIRED errors in github provider (#3172)

Bug Fixes

  • Fix nondeterminsitic timestamps (#3121)

Documentation

  • doc: Add example of sign-blob with key in env var (#3152)
  • add deprecation notice for cosign-releases GCS bucket (#3148)
  • update doc links (#3186)

Others

  • Upgrade to go1.21 (#3188)
  • Updates ci tests (#3142)
  • test using latest release of scaffolding (#3187)
  • ci: free up disk space for the gh runner (#3169)
  • update go-github to v53 (#3116)
  • call e2e test for cosign attach (#3112)
  • bump build cross to use go1.20.6 and cosign image to 2.1.1 (#3108)

Contributors

  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Dmitry Savintsev
  • Hayden B
  • Hector Fernandez
  • Jason Hall
  • Jon Johnson
  • Jubril Oyetunji
  • Paulo Gomes
  • Priya Wadhwa
  • 张志强

v2.1.1

Bug Fixes

  • wait for the workers become available again to continue the execution (#3084)
  • fix help text when in a container (#3082)

Documentation

  • update changelog (#3080)
  • DNM: Add CHANGELOG for v2.1.0 (#3068)

Contributors

  • Carlos Tadeu Panato Junior
  • priyawadhwa

v2.1.0

Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag.

Enhancements

  • Verify sigs and attestations in parallel (#3066)
  • Deep inspect attestations when filtering download (#3031)
  • refactor bundle validation code, add support for DSSE rekor type (#3016)
  • Allow overriding remote options (#3049)
  • feat: adds no cert found on sig exit code (#3038)
  • Make predicate a required flag in attest commands (#3033)
  • Added support for attaching Time stamp authority Response in attach command (#3001)
  • Add sign --sign-container-identity CLI (#2984)
  • Feature: Allow cosign to sign digests before they are uploaded. (#2959)
  • accepts attachment-tag-prefix for cosign copy (#3014)
  • Feature: adds '--allow-insecure-registry' for cosign load (#3000)
  • download attestation: support --platform flag (#2980)
  • Cleanup: Add Digest to the SignedEntity interface. (#2960)
  • verify command: support keyless verification using only a provided certificate chain with non-fulcio roots (#2845)
  • verify: use workers to limit the paralellism when verifying images with --max-workers flag (#3069)

Bug Fixes

  • Fix pkg/cosign/errors (#3050)
  • fix: update doc to refer to github-actions oidc provider (#3040)
  • fix: prefer GitHub OIDC provider if enabled (#3044)
  • Fix --sig-only in cosign copy (#3074)

Documentation

  • Fix links to sigstore/docs in markdown files (#3064)
  • Update release readme (#2942)

Contributors

Thank you to our contributors!

  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Chok Yip Lau
  • Chris Burns
  • Dmitry Savintsev
  • Enyinna Ochulor
  • Hayden B
  • Hector Fernandez
  • Jakub Hrozek
  • Jason Hall
  • Jon Johnson
  • Luiz Carvalho
  • Matt Moore
  • Mritunjay Kumar Sharma
  • Mukuls77
  • Ramkumar Chinchani
  • Sascha Grunert
  • Yolanda Robla Mota
  • priyawadhwa

v2.0.2

Enhancements

  • Update sigstore/sigstore to v1.6.2 to pick up TUF CDN change (#2891)
  • feat: Make cosign copy faster (#2901)
  • remove sget (#2885)
  • Require a payload to be provided with a signature (#2785)

Bug Fixes

  • cmd: Change error message from KeyParseError to PubKeyParseError for verify-blob. (#2876)
  • Use SOURCE_DATE_EPOCH for OCI CreatedAt times (#2878)

Documentation

  • Remove experimental warning from Fulcio flags (#2923)
  • add missing oidc provider (#2922)
  • Add zot as a supported registry (#2920)
  • deprecates kms_support docs (#2900)
  • chore(docs) deprecate note for usage docs (#2906)
  • adds note of deprecation for examples.md docs (#2899)

Contributors

  • Carlos Tadeu Panato Junior
  • Chris Burns
  • Dmitry Savintsev
  • eiffel-fl
  • Hayden B
  • Hector Fernandez
  • Jon Johnson
  • Miloslav Trmač
  • priyawadhwa
  • Ramkumar Chinchani

v2.0.1

Enhancements

  • Add environment variable token provider (#2864)
  • Remove cosign policy command (#2846)
  • Allow customising 'go' executable with GOEXE var (#2841)
  • Consistent tlog warnings during verification (#2840)
  • Add riscv64 arch (#2821)
  • Default generated PEM labels to SIGSTORE (#2735)
  • Update privacy statement and confirmation (#2797)
  • Add exit codes for verify errors (#2766)
  • Add Buildkite provider (#2779)
  • verify-blob-attestation: Loosen arg requirements if --check-claims=false (#2746)

Bug Fixes

  • PKCS11 sessions are now opened read only (#2853)
  • Makefile: date format of log should not show signatures (#2835)
  • Add missing flags to cosign verify dockerfile/manifest (#2830)
  • Add a warning to remember how to configure a custom Gitlab host (#2816)
  • Remove tag warning message from save/copy commands (#2799)
  • Mark keyless pem files with b64 (#2671)

Contributors

  • Aleksandr Razumov
  • Batuhan Apaydın
  • Billy Lynch
  • Carlos Tadeu Panato Junior
  • Chris Burns
  • Derek Burdick
  • Dmitry Savintsev
  • favonia
  • Hayden B
  • Hector Fernandez
  • Ivana Atanasova
  • joe miller
  • Luiz Carvalho
  • Paolo Mainardi
  • priyawadhwa
  • Radoslav Dimitrov
  • Steve Winslow
  • Vincent Batts
  • Zack Newman

v2.0.0

This is the official 2.0.0 release of cosign! There are many new features and breaking changes from version 1.x, for a full explanation please read the Cosign 2.0 blog post.

Breaking Changes

  • COSIGN_EXPERIMENTAL=1 is no longer required to have identity-based ("keyless") signing and transparency.
  • By default, artifact signatures will be uploaded to Rekor, for both key-based and identity-based signing. To not upload to Rekor, include --tlog-upload=false.
    • You must also include --insecure-ignore-tlog=true when verifying an artifact that was not uploaded to Rekor.
    • Examples of when you may want to skip uploading to the transparency log are if you have a private Sigstore deployment that does not use transparency or a private artifact.
    • We strongly encourage all other use-cases to upload artifact signatures to Rekor. Transparency is a critical component of supply chain security, to allow artifact maintainers and consumers to monitor a public log for their artifacts and signing identities.
  • Verification now requires identity flags, --certificate-identity and --certificate-oidc-issuer. Like verifying a signature with a public key, it's critical to specify who you trust to generate a signature for identity-based signing. See sigstore#2056 for more discussion on this change.
  • --certificate-email has been removed. Use --certificate-identity, which supports not only email verification but also any identity specified in a certificate, including SPIFFE, GitHub Actions, or service account identities.
  • Cosign no longer supports providing a certificate that does not conform to the Fulcio certificate profile, which includes setting the SubjectAlternativeName and OIDC Issuer OID. To verify with a non-conformant certificate, extract the public key from the certificate and verify with cosign verify --key <key.pem>. We are actively working on more support for custom certificates for those who want to bring their existing PKI.
  • Signing OCI images by tag prints a warning and is strongly discouraged, e.g. cosign sign container.registry.io/foo:tag. This is considered insecure since tags are mutable. If you want to specify a particular image, you are recommended to do so by digest.
  • SCT verification, a proof of inclusion in a certificate transparency log, is now on by default for verifying Fulcio certificates. For private deployments without certificate transparency, use --insecure-ignore-sct=true to skip this check.
  • DSSE support in verify-blob has been removed. You can now verify attestations using verify-blob-attestation.
  • Environment variable SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY has been removed. For private deployments, if you would like to set the Rekor public key to verify transparency log entries, use either a TUF setup or set SIGSTORE_REKOR_PUBLIC_KEY with the PEM of the custom Rekor public key..
  • verify-blob no longer searches for a certificate. You must provide one with either --certificate or --bundle.
  • cosign attest --type {custom|vuln} (and cosign verify-attestation) will now use the RFC 3986 compliant URIs, adding https://, so that these predicate types are compliant with the in-toto specification.
  • The CosignPredicate envelope that wraps the predicates of SPDX and CycloneDX attestations has been removed, which was a violation of the schema specified via the predicateType field (more information).
  • --force has been removed. To skip any prompts, use --yes.

Improvements

  • Blob attestation and verification is now supported with cosign attest-blob and cosign verify-blob-attestation.
  • You can now set flags via environment variables, for example instead of --certificate-identity=email, you can set an environment variable for COSIGN_CERTIFICATE_IDENTITY=email.
  • --offline=true removes the fallback to the Rekor log when verifying an artifact. Previously, if you did not provide a bundle (a persisted response from Rekor), Cosign would fallback to querying Rekor. You can now skip this fallback for offline environments. Note that if the bundle fails to verify, Cosign will not fallback and will fail early.
  • A Fulcio certificate can now be issued for self-managed keys by providing --issue-certificate=true with a key, --key, or security key, --sk. This is useful when adopting Sigstore incrementally.
  • Experimental support for trusted timestamping has been added. Timestamping leverages a third party to provide the timestamp that will be used to verify short-lived Fulcio certificates, which distributes trust. We will be writing more about this in an upcoming blog post!
    • To use a timestamp when signing a container, use cosign sign --timestamp-server-url=<url> <container>, such as https://freetsa.org/tsr, and to verify, cosign verify --timestamp-certificate-chain=<path-to-PEM-encodeded-chain> <other flags> <artifact>.
    • To use a timestamp when signing a blob, use cosign sign-blob --timestamp-server-url=<url> --rfc3161-timestamp=<output-path> --bundle=<output-path> <blob>, and to verify, cosign verify-blob --rfc3161-timestamp=<output-path> --timestamp-certificate-chain=<path-to-PEM-encoded-chain> --bundle=<output-path> <other flags> <blob>.

For specific PRs representing enhancements, bug fixes, documentation, and breaking changes, please see the sections below for prereleases v2.0.0-rc.0, v2.0.0-rc.1, v2.0.0-rc.2, and v2.0.0-rc.3.

Thanks to all contributors!

  • Anish Shah
  • Arnaud J Le Hors
  • Arthur Lutz
  • Batuhan Apaydın
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Chris Burns
  • Christian Loos
  • Emmanuel T Odeke
  • Hayden B
  • Hector Fernandez
  • Huang Huang
  • Jan Wozniak
  • Josh Dolitsky
  • Josh Wolf
  • Kenny Leung
  • Marko Mudrinić
  • Matt Moore
  • Matthias Glastra
  • Miloslav Trmač
  • Mukuls77
  • Priya Wadhwa
  • Puerco
  • Stefan Zhelyazkov
  • Tim Seagren
  • Tom Meadows
  • Ville Aikas
  • Zack Newman
  • asraa
  • kpk47
  • priyawadhwa

v2.0.0-rc.3

Note: this is a prerelease for Cosign 2.0! Feel free to try it out, but know there are many breaking changes from 1.0 and the prereleases may continue to change.

Enhancements

  • Support non-Sigstore TSA requests (#2708)
  • Add COSIGN_OCI_EXPERIMENTAL, push .sig/.sbom using OCI 1.1+ digest tag (#2684)
  • Output certificate in bundle when entry is not uploaded to Rekor (#2715)
  • attach signature and attach sbom must use STDIN to upload raw string (#2637)

Bug Fixes

  • Fix: Add missing schemes to cosign predicate types. (#2717)
  • Fix: Drop the CosignPredicate wrapper around SBOM attestations. (#2718)

Documentation

  • Adds deprecation note for keyless docs (#2716)

v2.0.0-rc.2

Note: this is a prerelease for Cosign 2.0! Feel free to try it out, but know there are many breaking changes from 1.0 and the prereleases may continue to change.

Enhancements

  • add generate-key-pair GitHub Enterprise server support (#2676)
  • add in format string for warning (#2699)
  • Support for fetching Fulcio certs with self-managed key (#2532)
  • 2476 predicate type download (#2484)
  • Upgrade to go1.20 (#2689)

Bug Fixes

  • Fix prompts with Windows line endings (#2674)

Documentation

  • docs(README): verify example failing on latest (#2694)

Contributors

  • Anish Shah
  • Arthur Lutz
  • Carlos Tadeu Panato Junior
  • Christian Loos
  • Tim Seagren
  • Zack Newman
  • priyawadhwa

v2.0.0-rc.1

Note: this is a prerelease for Cosign 2.0! Feel free to try it out, but know there are many breaking changes from 1.0 and the prereleases may continue to change.

Critical breaking changes include:

  • Certificate issuer and subject are now required on cosign verify

Breaking Changes

  • insecure-skip-tlog-verify: rename and adapt the cert expiration check (#2620)
  • Deprecate --certificate-email flag. Make --certificate-identity and -… (#2411)

Enhancements

  • Add warning to use digest instead of tags to other cosign commands (#2650)
  • Fix up UI messages (#2629)
  • Remove hardcoded Fulcio from output (#2621)
  • Fix missing privacy statement, print in multiple locations (#2622)
  • feat: allows custom key names for import-key-pair (#2587)
  • feat: support keyless verification for verify-blob-attestation (#2525)
  • attest-blob: add functionality for keyless signing (#2515)
  • Rego: add support for custom error/warning messages when evaluating rego rules (#2577)
  • feat: add debug information to cert validation error (#2579)

Bug Fixes

  • fix: panic with unsigned local image (#2656)
  • Make sure a cert passed in via --cert matches the bundle cert (#2652)
  • fix: fix github oidc post submit test (#2594)
  • fix: add enhanced error messages for failing verification with TUF targets (#2589)

Contributors

  • Carlos Tadeu Panato Junior
  • Chris Burns
  • Hayden B
  • Hector Fernandez
  • Huang Huang
  • Kenny Leung
  • Priya Wadhwa
  • Stefan Zhelyazkov
  • Ville Aikas
  • Zack Newman
  • asraa
  • dependabot[bot]
  • kpk47
  • priyawadhwa

v2.0.0-rc.0

Note: this is a prerelease for Cosign 2.0! Feel free to try it out, but know there are many breaking changes from 1.0 and the prereleases may continue to change.

Critical breaking changes include:

  • Removing the COSIGN_EXPERIMENTAL environment variable, so the default signing method is now keyless signing with Fulcio
  • By default Cosign will now always upload to Rekor, this can be toggled with the --tlog-upload flag (defaults to true)

Breaking Changes

  • Breaking change: Change SCT verification behavior to default to enforcement (#2400)
  • Breaking change: remove --force flag from sign and attest and rely on --yes flag to skip confirmation (#2399)
  • Breaking change: replace --no-tlog-upload flag with --tlog-upload flag (#2397)

Enhancements

  • Change go module name to github.com/sigstore/cosign/v2 for Cosign 2.0 (#2544)
  • Allow users to pass in a path for the --identity-token flag (#2538)
  • Breaking change: Respect tlog-upload=false, default to true (#2505)
  • Support outputing a certificate without uploading to the tlog (#2506)
  • Attestation/Blob signing and verification using a RFC3161 time-stamping server (#2464)
  • respect tlog-upload flag with TSA (#2474)
  • Better feedback if specifying incompatible argument on cosign sign --attachment (#2449)
  • Support TSA and Rekor verifications (#2463)
  • add support for tsa signing and verification of images (#2460)
  • cosign policy sign: remove experimental flag and make keyless signing default (#2459)
  • Remove experimental mode from cosign attest and verify-attestation (#2458)
  • Remove experimental mode from sign-blob and verify-blob (#2457)
  • Add --offline flag to force offline verification (#2427)
  • Air gap support (#2299)
  • Remove experimental flag from cosign sign and cosign verify (#2387)
  • verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a key from rekor's API (#2362)

Bug Fixes

  • Fix the file existence check. (#2552)
  • Fix timestamp verification, add verify-blob tests (#2527)
  • fix(verify): Consolidate certificate expiry logic (#2504)
  • Updates to Timestamp signing and verification (#2499)
  • fix: removes attestation payload from attest-blob's output & no base64 encoding (#2498)
  • Fix path for e2e-tests badge (#2490)
  • Fix spdx json media type (#2479)
  • fix sct verificaction (#2426)

Others

  • update builder image that uses go 1.19.4 (#2520)

Contributors

  • Anish Shah
  • Arnaud J Le Hors
  • Batuhan Apaydın
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Emmanuel T Odeke
  • Hayden B
  • Hector Fernandez
  • Jan Wozniak
  • Matthias Glastra
  • Miloslav Trmač
  • Puerco
  • Tom Meadows
  • Ville Aikas
  • Zack Newman
  • asraa
  • priyawadhwa

v1.13.6

Note: v1.13.3, .4, and .5 were skipped due to issues in the release pipeline

This release backports support for the latest TUF specification. We encourage users to upgrade to Cosign v2.

Updates

  • V1 go tuf update (#3598)
  • Update cloud build script to latest for v1.13.x (#3615)

v1.13.2

This release backports a security fix. We encourage users to upgrade to Cosign v2.

Updates

  • [release-1.13] update builder image that uses go 1.19.4 (#2521)
  • Backport GHSA-vfp6-jrw2-99g9 in (#3364)

v1.13.1

Enhancements

  • verify-blob-attestation: allow multiple subjects in in_toto attestation (#2341)
  • Add verify-blob-attestation command and tests (#2337)
  • Add --output-attestation flag to attest-blob and remove experimental signing (#2332)
  • Add attest-blob command (#2286)
  • Add '--cert-identity' flag to support subject alternate names for ver… (#2278)
  • Update Dockerfile section of README (#2323)

Bug Fixes

  • Update warning when users sign images by tag. (#2313)

Others

  • Remove experimental flags from attest-blob and refactor (#2338)

Contributors

  • Alex Cameron
  • Ville Aikas
  • Zack Newman
  • asraa
  • kpk47
  • priyawadhwa

v1.13.0

Highlights

  • For users who have deployed a private instance of Fulcio release v0.6.x and issue certificates with the Username identity, you will need to upgrade to use this version."

Enhancements

Bug Fixes

  • fix: make tlog entry lookups for online verification shard-aware (sigstore#2297)
  • Fix: Create a static copy of signatures as part of verification. (sigstore#2287)
  • Fix: Remove an extra registry request from verification path. (sigstore#2285)
  • fix pivtool generate key touch policy (sigstore#2282)

Others

Contributors

  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Hayden Blauzvern (@haydentherapper)
  • Matt Moore (@mattmoor)
  • Ross Tannenbaum (@RTann)
  • Ville Aikas (@vaikas)

v1.12.1

Highlights

  • Pulls Fulcio root and intermediate when --certificate-chain is not passed into verify-blob. The v1.12.0 release introduced a regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would check a --certificate (without a --certificate-chain provided) against the operating system root CA bundle. In this release, Cosign checks the certificate against Fulcio's CA root instead (restoring the earlier behavior).

Bug Fixes

  • fix: fixing breaking changes in rekor v1.12.0 upgrade (sigstore#2260)
  • Fixed bug where intermediate certificates were not automatically read from the OCI chain annotation (sigstore#2244)
  • fix: add COSIGN_EXPERIMENTAL=1 for verify-blob (sigstore#2254)
  • fix: fix cert chain validation for verify-blob in non-experimental mode (sigstore#2256)
  • fix: fix secret test, non-experimental bundle should pass (sigstore#2249)
  • Fix e2e test failure, add test for local bundle without rekor bundle (sigstore#2248)

Contributors

  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Hayden Blauzvern (@haydentherapper)
  • n3k0m4 (@n3k0m4)

v1.12.0

Note: This release comes with a fix for CVE-2022-36056 described in this Github Security Advisory. Please upgrade to this release ASAP

Highlights

BREAKING: The fix for GHSA-GHSA-8gw7-4j42-w388 (CVE-2022-36056) means that some verify-blob commands that used to work may not anymore. In particular:

  • When using verify-blob with signatures created with keyless mode, we require either COSIGN_EXPERIMENTAL=1 or a valid Rekor bundle for offline verification passed with --bundle.

If you upgrade and encounter other issues, please read the advisory in full; your prior checks may have been passing inappropriately.

Enhancements

  • Add deprecation warning for sget CLI and packages (sigstore#2019)
  • feat: set annotations to generate additional bash completion information (sigstore#2221)
  • feat: integrate Alibaba Cloud Container Registry cred helper (sigstore#2008)
  • Support non-ECDSA key types for verify-blob (sigstore#2203)
  • Bump github.com/theupdateframework/go-tuf from 0.3.1 to 0.5.0 (sigstore#2232)
    • feat: Add support for verifying ECDSA PEM-encoded keys. Continues deprecated hex-encoded keys for backward compatibility

Bug Fixes

  • fix: fix secret test, non-experimental bundle should pass (sigstore#2249)
  • Fix e2e test failure, add test for local bundle without rekor bundle (sigstore#2248)
  • Clarify error when KMS provider fails to load (sigstore#2220)

Others

Contributors

  • Asra Ali (@asraa)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Engin Diri (@dirien)
  • Hayden Blauzvern (@haydentherapper)
  • Huang Huang (@mozillazg)
  • Jason Hall (@imjasonh)
  • Priya Wadhwa (@priyawadhwa)
  • Ville Aikas (@vaikas)
  • Zack Newman (@znewman01)

v1.11.1

Enhancements

Bug Fixes

  • fix: fix typo that caused attestation verification failure (sigstore#2199)

Documention

Others

Contributors

  • Asra Ali (@asraa)
  • Azeem Shaikh (@azeemshaikh38)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Engin Diri (@dirien)
  • Kenny Leung (@k4leung4)

v1.11.0

Enhancements

Bug Fixes

Documention

  • docs: clarify wording in spec about usage of certificate chain (sigstore#2152)
  • Add notes to clarify registry use. (sigstore#2145)

Others

Contributors

  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Bob Callaway (@bobcallaway)
  • Carlos Tadeu Panato Junior (@cpanato)
  • David Bendory (@bendory)
  • Jason Hall (@imjasonh)
  • Kazuma Watanabe (@wata727)
  • Matt Moore (@mattmoor)
  • Noah Kreiger (@nkreiger)
  • Priya Wadhwa (@priyawadhwa)
  • Samsondeen (@dsa0x)
  • Ville Aikas (@vaikas)
  • saso (@otms61)

v1.10.1

Note: This release comes with a fix for CVE-2022-35929 described in this Github Security Advisory. Please upgrade to this release ASAP

Enhancements

  • update cross-builder to go1.18.5 and cosign image to 1.10.0 (sigstore#2119)
  • feat: attach: attestation: allow passing multiple payloads (sigstore#2085)
  • Resolves #522 set Created date to time of execution (sigstore#2108)
  • Fix field names in the vulnerability attestation (sigstore#2099)
  • Change Result in Vulnerability Attestation to interface{} (sigstore#2096)
  • Improve error message when no sigs/atts are found for an image (sigstore#2101)
  • add flag to allow skipping upload to transparency log (sigstore#2089)

Documention

Bug Fixes

  • Merge pull request from GHSA-vjxv-45g9-9296
  • Correct the type used for attest (sigstore#2128)

Others

  • Bump mikefarah/yq from 4.26.1 to 4.27.2 (sigstore#2116)
  • Bump github.com/open-policy-agent/opa from 0.42.2 to 0.43.0 (sigstore#2115)
  • Bump github.com/xanzy/go-gitlab from 0.69.0 to 0.70.0 (sigstore#2120)
  • Bump google.golang.org/api from 0.90.0 to 0.91.0 (sigstore#2125)
  • Bump google.golang.org/api from 0.89.0 to 0.90.0 (sigstore#2111)
  • Bump github/codeql-action from 2.1.16 to 2.1.17 (sigstore#2112)
  • Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (sigstore#2110)
  • Bump google.golang.org/api from 0.88.0 to 0.89.0 (sigstore#2106)
  • Bump imjasonh/setup-ko from 0.4 to 0.5 (sigstore#2107)
  • Introduce a custom error type to classify errors. (sigstore#2114)
  • Bump github.com/hashicorp/go-hclog from 1.2.1 to 1.2.2 (sigstore#2103)
  • remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint (sigstore#2105)
  • Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (sigstore#2100)
  • Remove knative/pkg deps (sigstore#2092)

Contributors

  • Asra Ali (@asraa)
  • Azeem Shaikh (@azeemshaikh38)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Furkan Türkal (@Dentrax)
  • Jason Hall (@imjasonh)
  • Kenny Leung (@k4leung4)
  • Matt Moore (@mattmoor)
  • Teppei Fukuda (@knqyf263)
  • Tobias Trabelsi (@Lerentis)
  • saso (@otms61)

v1.10.0

Enhancements

Documention

Bug Fixes

Others

  • Bump github.com/hashicorp/vault/sdk from 0.5.2 to 0.5.3 (sigstore#2079)
  • Bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 (sigstore#2078)
  • Bump google.golang.org/api from 0.87.0 to 0.88.0 (sigstore#2081)
  • Remove hack/tools.go (sigstore#2080)
  • Remove replace directives in go.mod. (sigstore#2070)
  • Bump mikefarah/yq from 4.25.3 to 4.26.1 (sigstore#2076)
  • Bump github.com/xanzy/go-gitlab from 0.68.2 to 0.69.0 (sigstore#2075)
  • Bump actions/dependency-review-action from 2.0.2 to 2.0.4 (sigstore#2073)
  • Bump google.golang.org/api from 0.86.0 to 0.87.0 (sigstore#2064)
  • chore(deps): CycloneDX PredicateType changed to use in-toto-golang (sigstore#2067)
  • Bump github.com/open-policy-agent/opa from 0.42.0 to 0.42.2 (sigstore#2063)
  • Bump google.golang.org/grpc from 1.47.0 to 1.48.0 (sigstore#2062)
  • Bump actions/setup-go from 3.2.0 to 3.2.1 (sigstore#2060)
  • Bump github/codeql-action from 2.1.15 to 2.1.16 (sigstore#2065)
  • Bump actions/cache from 3.0.4 to 3.0.5 (sigstore#2066)
  • update to go 1.18 (sigstore#2059)
  • Bump github.com/open-policy-agent/opa from 0.35.0 to 0.42.0 (sigstore#2046)
  • update ct/otel and etcd (sigstore#2054)
  • remove tests with 1.21 k8s cluster because it is deprecated and add v1.23/24 (sigstore#2055)
  • Bump sigstore/cosign-installer from 2.4.0 to 2.4.1 (sigstore#2042)
  • Bump github.com/hashicorp/go-version from 1.5.0 to 1.6.0 (sigstore#2032)
  • Bump github.com/spiffe/go-spiffe/v2 from 2.1.0 to 2.1.1 (sigstore#2037)
  • Bump github/codeql-action from 2.1.14 to 2.1.15 (sigstore#2038)
  • Bump google.golang.org/api from 0.85.0 to 0.86.0 (sigstore#2036)
  • Bump github.com/stretchr/testify from 1.7.5 to 1.8.0 (sigstore#2035)
  • Bump ossf/scorecard-action from 1.1.1 to 1.1.2 (sigstore#2033)
  • Bump github.com/xanzy/go-gitlab from 0.68.0 to 0.68.2 (sigstore#2029)
  • Bump github.com/stretchr/testify from 1.7.4 to 1.7.5 (sigstore#2026)
  • Attempt to clean up pkg/cosign (sigstore#2018)
  • Bump github/codeql-action from 2.1.13 to 2.1.14 (sigstore#2023)
  • Bump github.com/google/go-containerregistry from 0.9.0 to 0.10.0 (sigstore#2021)
  • Bump mikefarah/yq from 4.25.2 to 4.25.3 (sigstore#2022)
  • Bump google.golang.org/api from 0.84.0 to 0.85.0 (sigstore#2015)
  • Bump github.com/stretchr/testify from 1.7.3 to 1.7.4 (sigstore#2010)
  • Bump github.com/google/go-github/v45 from 45.1.0 to 45.2.0 (sigstore#2011)
  • Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 (sigstore#2012)
  • Bump github/codeql-action from 2.1.12 to 2.1.13 (sigstore#2013)
  • Bump github.com/stretchr/testify from 1.7.2 to 1.7.3 (sigstore#2009)
  • Bump actions/dependency-review-action from 2.0.1 to 2.0.2 (sigstore#2001)
  • Bump github.com/hashicorp/vault/sdk from 0.5.1 to 0.5.2 (sigstore#1996)
  • Bump actions/dependency-review-action from 1.0.2 to 2.0.1 (sigstore#2000)
  • Bump google.golang.org/api from 0.83.0 to 0.84.0 (sigstore#1999)
  • Bump sigstore/sigstore to HEAD (sigstore#1995)
  • Bump github.com/hashicorp/vault/sdk from 0.5.0 to 0.5.1 (sigstore#1988)
  • cleanup ci job and remove policy-controller references (sigstore#1981)
  • Bump google.golang.org/api from 0.82.0 to 0.83.0 (sigstore#1979)
  • cleanup: unexport kubernetes.Client method (sigstore#1973)
  • Remove policy-controller now that it lives in sigstore/policy-controller (sigstore#1976)
  • Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 (sigstore#1980)
  • Bump actions/cache from 3.0.3 to 3.0.4 (sigstore#1970)
  • Bump github.com/hashicorp/go-hclog from 1.2.0 to 1.2.1 (sigstore#1968)
  • Bump github.com/stretchr/testify from 1.7.1 to 1.7.2 (sigstore#1963)
  • Bump google.golang.org/grpc from 1.46.2 to 1.47.0 (sigstore#1943)
  • Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.5 to 0.1.6 (sigstore#1958)
  • replace gcr.io/distroless/ to use ghcr.io/distroless/ (sigstore#1961)
  • Bump github/codeql-action from 2.1.11 to 2.1.12 (sigstore#1951)
  • Bump google.golang.org/api from 0.81.0 to 0.82.0 (sigstore#1948)

Contributors

  • Adolfo García Veytia (@puerco)
  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Billy Lynch (@wlynch)
  • Bob Callaway (@bobcallaway)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Ciara Carey (@ciaracarey)
  • Frederik Boster (@Syquel)
  • Furkan Türkal (@Dentrax)
  • Hector Fernandez (@hectorj2f)
  • Jason Hall (@imjasonh)
  • Jinhong Brejnholt (@JBrejnholt)
  • Josh Dolitsky (@jdolitsky)
  • Masahiro331 (@masahiro331)
  • Priya Wadhwa (@priyawadhwa)
  • Ville Aikas (@vaikas)
  • William Woodruff (@woodruffw)

v1.9.0

Enhancements

Documention

Bug Fixes

Others

  • remove deprecation (sigstore#1952)
  • Bump github.com/aws/aws-sdk-go-v2 from 1.14.0 to 1.16.4 (sigstore#1949)
  • update cross-builder image to use go1.17.11 (sigstore#1950)
  • Bump ossf/scorecard-action from 1.1.0 to 1.1.1 (sigstore#1945)
  • Bump github.com/secure-systems-lab/go-securesystemslib (sigstore#1944)
  • Bump actions/cache from 3.0.2 to 3.0.3 (sigstore#1937)
  • Bump mikefarah/yq from 4.25.1 to 4.25.2 (sigstore#1933)
  • Bump github.com/spf13/viper from 1.11.0 to 1.12.0 (sigstore#1924)
  • Bump github.com/hashicorp/vault/sdk from 0.4.1 to 0.5.0 (sigstore#1926)
  • Bump actions/setup-go from 3.1.0 to 3.2.0 (sigstore#1927)
  • Bump actions/dependency-review-action from 1.0.1 to 1.0.2 (sigstore#1915)
  • Bump google-github-actions/auth from 0.7.3 to 0.8.0 (sigstore#1916)
  • Bump ossf/scorecard-action from 1.0.4 to 1.1.0 (sigstore#1922)
  • Bump google.golang.org/api from 0.80.0 to 0.81.0 (sigstore#1918)
  • Bump github.com/armon/go-metrics from 0.3.11 to 0.4.0 (sigstore#1919)
  • Bump github.com/xanzy/go-gitlab from 0.66.0 to 0.68.0 (sigstore#1920)
  • Bump github.com/xanzy/go-gitlab from 0.65.0 to 0.66.0 (sigstore#1913)
  • Move deprecated dependency: google/trillian/merkle to transparency-dev (sigstore#1910)
  • Bump github.com/hashicorp/go-version from 1.4.0 to 1.5.0 (sigstore#1902)
  • Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.4 to 0.1.5 (sigstore#1883)
  • Bump cloud.google.com/go/storage from 1.22.0 to 1.22.1 (sigstore#1906)
  • Bump actions/upload-artifact from 3.0.0 to 3.1.0 (sigstore#1907)
  • The timeout arg in golangci-lint has been moved to the generic args param. (sigstore#1901)
  • Update go-tuf (sigstore#1894)
  • Bump google.golang.org/api from 0.79.0 to 0.80.0 (sigstore#1897)
  • Bump google-github-actions/auth from 0.7.2 to 0.7.3 (sigstore#1898)
  • Bump github/codeql-action from 2.1.10 to 2.1.11 (sigstore#1891)
  • Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d (sigstore#1889)
  • Remove dependency on deprecated github.com/pkg/errors (sigstore#1887)
  • Bump google.golang.org/grpc from 1.46.0 to 1.46.2 (sigstore#1884)
  • Bump google-github-actions/auth from 0.7.1 to 0.7.2 (sigstore#1886)
  • go.mod: format go.mod (sigstore#1879)
  • chore: remove regex from image pattern (sigstore#1873)
  • Bump actions/dependency-review-action (sigstore#1875)
  • Bump actions/github-script from 6.0.0 to 6.1.0 (sigstore#1876)
  • Bump actions/setup-go from 3.0.0 to 3.1.0 (sigstore#1870)
  • Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go (sigstore#1861)
  • Bump github/codeql-action from 2.1.9 to 2.1.10 (sigstore#1863)
  • Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (sigstore#1864)
  • Bump google.golang.org/api from 0.78.0 to 0.79.0 (sigstore#1858)
  • Bump github.com/xanzy/go-gitlab from 0.64.0 to 0.65.0 (sigstore#1857)
  • Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 (sigstore#1851)
  • remove exclude from go.mod (sigstore#1846)
  • Bump github.com/hashicorp/go-plugin from 1.4.3 to 1.4.4 (sigstore#1843)
  • Bump google.golang.org/api from 0.77.0 to 0.78.0 (sigstore#1838)
  • Bump mikefarah/yq from 4.24.5 to 4.25.1 (sigstore#1831)
  • Bump google.golang.org/api from 0.76.0 to 0.77.0 (sigstore#1829)
  • Bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 (sigstore#1830)
  • Bump github.com/spiffe/go-spiffe/v2 from 2.0.0 to 2.1.0 (sigstore#1828)
  • chore(deps): Included dependency review (sigstore#1792)
  • Bump sigstore/cosign-installer from 2.2.1 to 2.3.0 (sigstore#1813)
  • Bump github/codeql-action from 2.1.8 to 2.1.9 (sigstore#1814)
  • Bump google.golang.org/api from 0.75.0 to 0.76.0 (sigstore#1810)
  • Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 (sigstore#1809)
  • Bump github.com/armon/go-metrics from 0.3.10 to 0.3.11 (sigstore#1808)

Contributors

  • Asra Ali (@asraa)
  • Adolfo García Veytia (@puerco)
  • Andrés Torres (@elfotografo007)
  • Billy Lynch (@wlynch)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Dan Lorenc (@dlorenc)
  • Denny (@DennyHoang)
  • Eitan Yarmush (@EItanya)
  • Hayden Blauzvern (@haydentherapper)
  • Hector Fernandez (@hectorj2f)
  • Jack Baines (@bainsy88)
  • Jason Hall (@imjasonh)
  • Josh Dolitsky (@jdolitsky)
  • Kenny Leung (@k4leung4)
  • Koichi Shiraishi (@zchee)
  • Naveen Srinivasan (@naveensrinivasan)
  • Neal McBurnett (@nealmcb)
  • Priya Wadhwa (@priyawadhwa)
  • Rob Best (@ribbybibby)
  • Tomasz Janiszewski (@janisz)
  • Ville Aikas (@vaikas)
  • Vladimir Nachev (@vpnachev)

v1.8.0

NOTE: If you use Fulcio to issue certificates you will need to use this release.

Enhancements

  • Support PKCS1 encoded and non-ECDSA CT log public keys (sigstore#1806)
  • Load in intermediate cert pool from TUF (sigstore#1804)
  • Don't fail open in VerifyBundle (sigstore#1648)
  • Handle context cancelled properly + tests. (sigstore#1796)
  • Allow passing keys via environment variables (env:// refs) (sigstore#1794)
  • Add parallelization for processing policies / authorities. (sigstore#1795)
  • Attestations + policy in cip. (sigstore#1772)
  • Refactor fulcio signer to take in KeyOpts. (sigstore#1788)
  • Remove the dependency on v1alpha1.Identity which brings in (sigstore#1790)
  • Add Fulcio intermediate CA certificate to intermediate pool (sigstore#1774)
  • Cosigned validate against remote sig src (sigstore#1754)
  • tuf: add debug info if tuf update fails (sigstore#1766)
  • Break the CIP action tests into a sh script. (sigstore#1767)
  • [policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags (sigstore#1757)
  • Verify embedded SCTs (sigstore#1731)
  • Validate issuer/subject regexp in validate webhook. (sigstore#1761)
  • Add intermediate CA certificate pool for Fulcio (sigstore#1749)
  • [cosigned] The webhook name is now configurable via --webhook-name flag (sigstore#1726)
  • Use bundle log ID to find verification key (sigstore#1748)
  • Refactor policy related code, add support for vuln verify (sigstore#1747)
  • Create convert functions for internal CIP (sigstore#1736)
  • Move the KMS integration imports into the binary entrypoints (sigstore#1744)

Bug Fixes

Others

Contributors

  • Asra Ali (@asraa)
  • Billy Lynch (@wlynch)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Denny (@DennyHoang)
  • Hayden Blauzvern (@haydentherapper)
  • Hector Fernandez (@hectorj2f)
  • Matt Moore (@mattmoor)
  • Ville Aikas (@vaikas)
  • Vladimir Nachev (@vpnachev)
  • Youssef Bel Mekki (@ybelMekk)
  • Zack Newman (@znewman01)

v1.7.2

Bug Fixes

Others

  • Remove newline from download sbom output (sigstore#1732)
  • Bump github.com/hashicorp/go-uuid from 1.0.2 to 1.0.3 (sigstore#1724)
  • Add unit tests for IntotoAttestation verifier. (sigstore#1728)
  • Bump github/codeql-action from 2.1.7 to 2.1.8 (sigstore#1725)
  • Bump cloud.google.com/go/storage from 1.21.0 to 1.22.0 (sigstore#1721)
  • Bump sigstore/cosign-installer from 2.1.0 to 2.2.0 (sigstore#1723)
  • Bump github.com/xanzy/go-gitlab from 0.61.0 to 0.62.0 (sigstore#1711)
  • Bump google-github-actions/auth from 0.6.0 to 0.7.0 (sigstore#1712)
  • Bump github/codeql-action from 2.1.6 to 2.1.7 (sigstore#1713)
  • Bump codecov/codecov-action from 2.1.0 to 3 (sigstore#1714)

Contributors

  • Carlos Tadeu Panato Junior (@cpanato)
  • Denny (@DennyHoang)
  • Hector Fernandez (@hectorj2f)
  • Josh Dolitsky (@jdolitsky)
  • Rob Best (@ribbybibby)
  • Ville Aikas (@vaikas)

v1.7.1

Bug Fixes

  • commenting out the copy from gcr to ghcr due issues on github side (sigstore#1715)

v1.7.0

Enhancements

Bug Fixes

Documention

  • Document Elastic container registry support (sigstore#1641)
  • FUN.md broke when RecordObj changed to HashedRecordObj (sigstore#1633)
  • Add example using AWS Key Management Service (KMS) (sigstore#1564)

Others

Contributors

  • Adam A.G. Shamblin (@coyote240)
  • Adolfo García Veytia (@puerco)
  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Dan Lorenc (@dlorenc)
  • Davi Garcia (@davivcgarcia)
  • Hayden Blauzvern (@haydentherapper)
  • Hector Fernandez (@hectorj2f)
  • James Strong (@strongjz)
  • Jason Hall (@imjasonh)
  • Kavitha (@kkavitha)
  • Kenny Leung (@k4leung4)
  • Luiz Carvalho (@lcarva)
  • Marco Franssen (@marcofranssen)
  • Mark Percival (@mdp)
  • Matt Moore (@mattmoor)
  • Maxime Gréau (@mgreau)
  • Mitch Thomas (@MitchellJThomas)
  • Naveen Srinivasan (@naveensrinivasan)
  • Nghia Tran (@tcnghia)
  • Priya Wadhwa (@priyawadhwa)
  • Radoslav Gerganov (@rgerganov)
  • Thomas Strömberg (@tstromberg)
  • Ville Aikas (@vaikas)
  • noamichael (@noamichael)

v1.6.0

Security Fixes

  • CVE-2022-23649 - Make sure signature in Rekor bundle matches signature being verified

Enhancements

Bug Fixes

Documention

Others

Contributors

  • Andrew Block (@sabre1041)
  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Blake Burkhart (@bburky)
  • Bob Callaway (@bobcallaway)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Christian Kotzbauer (@ckotzbauer)
  • Christopher Angelo Phillips (@spiffcs)
  • Dan Lorenc (@dlorenc)
  • Dan Luhring (@luhring)
  • Furkan Türkal (@Dentrax)
  • Hayden Blauzvern (@haydentherapper)
  • Jason Hall (@imjasonh)
  • Josh Dolitsky (@jdolitsky)
  • Kenny Leung (@k4leung4)
  • Matt Moore (@mattmoor)
  • Marco Franssen (@marcofranssen)
  • Nathan Smith (@nsmith5)
  • Priya Wadhwa (@priyawadhwa)
  • Sascha Grunert (@saschagrunert)
  • Scott Nichols (@n3wscott)
  • Teppei Fukuda (@knqyf263)
  • Ville Aikas (@vaikas)
  • Yongxuan Zhang (@Yongxuanzhang)
  • Zack Newman (@znewman01)

v1.5.2

Security Fixes

  • CVE-2022-23649 - Make sure signature in Rekor bundle matches signature being verified

Others

Contributors

  • Batuhan Apaydın (@developer-guy)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Dan Lorenc (@dlorenc)
  • Kenny Leung (@k4leung4)
  • Matt Moore (@mattmoor)
  • Nathan Smith (@nsmith5)
  • Priya Wadhwa (@priyawadhwa)
  • Zack Newman (@znewman01)

v1.5.1

Bug Fixes

Documention

Others

Contributors

  • Batuhan Apaydın (@developer-guy)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Dan Lorenc (@dlorenc)
  • Jake Sanders (@dekkagaijin)
  • Jason Hall (@imjasonh)
  • Mark Lodato (@MarkLodato)
  • Rémy Greinhofer (@rgreinho)

v1.5.0

Highlights

Enhancements

Bug Fixes

Others

Contributors

  • Andrew Block (@sabre1041)
  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Bob Callaway (@bobcallaway)
  • Carlos Alexandro Becker (@caarlos0)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Dan Lorenc (@dlorenc)
  • Hayden Blauzvern (@haydentherapper)
  • Hector Fernandez (@hectorj2f)
  • Itxaka (@Itxaka)
  • Ivan Wallis (@venafi-iw)
  • Jake Sanders (@dekkagaijin)
  • Jason Hall (@imjasonh)
  • Josh Dolitsky (@jdolitsky)
  • Josh Soref (@jsoref)
  • Matt Moore (@mattmoor)
  • Morten Linderud (@Foxboron)
  • Priya Wadhwa (@priyawadhwa)
  • Radoslav Gerganov (@rgerganov)
  • Rob Best (@ribbybibby)
  • Sambhav Kothari (@samj1912)
  • Ville Aikas (@vaikas)
  • Zack Newman (@znewman01)

v1.4.1

Highlights

A whole buncha bugfixes!

Enhancements

Bug Fixes

Contributors

  • Carlos Alexandro Becker (@caarlos0)
  • Carlos Panato (@cpanato)
  • Hayden Blauzvern (@haydentherapper)
  • Jake Sanders (@dekkagaijin)
  • Matt Moore (@mattmoor)
  • Priya Wadhwa (@priyawadhwa)
  • Radoslav Gerganov (@rgerganov)

v1.4.0

Highlights

Enhancements

Bug Fixes

Contributors

  • Ashley Davis (@SgtCoDFish)
  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Brandon Philips (@philips)
  • Carlos Alexandro Becker (@caarlos0)
  • Carlos Panato (@cpanato)
  • Christian Rebischke (@shibumi)
  • Dan Lorenc (@dlorenc)
  • Erkan Zileli (@erkanzileli)
  • Furkan Türkal (@Dentrax)
  • garantir-km (@garantir-km)
  • Jake Sanders (@dekkagaijin)
  • jbpratt (@jbpratt)
  • Matt Moore (@mattmoor)
  • Mikey Strauss (@houdini91)
  • Naveen Srinivasan (@naveensrinivasan)
  • Priya Wadhwa (@priyawadhwa)
  • Sambhav Kothari (@samj1912)

v1.3.1

Enhancements

Bug Fixes

Contributors

  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Carlos Panato (@cpanato)
  • Dan Lorenc (@dlorenc)
  • Dennis Leon (@DennisDenuto)
  • Erkan Zileli (@erkanzileli)
  • Furkan Türkal (@Dentrax)
  • garantir-km (@garantir-km)
  • Jake Sanders (@dekkagaijin)
  • Naveen (@naveensrinivasan)

v1.3.0

Enhancements

Bug Fixes

Contributors

  • Aditya Sirish (@adityasaky)
  • Asra Ali (@asraa)
  • Axel Simon (@axelsimon)
  • Batuhan Apaydın (@developer-guy)
  • Brandon Mitchell (@sudo-bmitch)
  • Carlos Panato (@cpanato)
  • Chao Lin (@blackcat-lin)
  • Dan Lorenc (@dlorenc)
  • Dan Luhring (@luhring)
  • Eng Zer Jun (@Juneezee)
  • Erkan Zileli (@erkanzileli)
  • Félix Saparelli (@passcod)
  • Furkan Türkal (@Dentrax)
  • Hector Fernandez (@hectorj2f)
  • Ivan Font (@font)
  • Jake Sanders (@dekkagaijin)
  • Jason Hall (@imjasonh)
  • Jim Bugwadia (@JimBugwadia)
  • Joel Kamp (@mrjoelkamp)
  • Luke Hinds (@lukehinds)
  • Matt Moore (@mattmoor)
  • Naveen (@naveensrinivasan)
  • Olivier Gaumond (@oliviergaumond)
  • Priya Wadhwa (@priyawadhwa)
  • Radoslav Gerganov (@rgerganov)
  • Ramkumar Chinchani (@rchincha)
  • Rémy Greinhofer (@rgreinho)
  • Scott Nichols (@n3wscott)
  • Shubham Palriwala (@ShubhamPalriwala)
  • Viacheslav Vasilyev (@avoidik)
  • Ville Aikas (@vaikas)

v1.2.0

Enhancements

Bug Fixes

Contributors

  • Batuhan Apaydın
  • Ben Walding
  • Carlos Alexandro Becker
  • Carlos Tadeu Panato Junior
  • Erkan Zileli
  • Hector Fernandez
  • Jake Sanders
  • Jason Hall
  • Matt Moore
  • Michael Lieberman
  • Naveen Srinivasan
  • Pradeep Chhetri
  • Sambhav Kothari
  • dlorenc
  • priyawadhwa

v1.1.0

Enhancements

Bug Fixes

Contributors

  • Adolfo García Veytia (@puerco)
  • Anton Semjonov (@ansemjo)
  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Carlos Panato (@cpanato)
  • Dan Lorenc (@dlorenc)
  • @gkovan
  • Hector Fernandez (@hectorj2f)
  • Jake Sanders (@dekkagaijin)
  • Jim Bugwadia (@JimBugwadia)
  • Jose Donizetti (@josedonizetti)
  • Joshua Hansen (@joshes)
  • Jason Hall (@imjasonh)
  • Priya Wadhwa (@priyawadhwa)
  • Russell Brown (@rjbrown57)
  • Stephan Renatus (@srenatus)
  • Li Yi (@denverdino)

v1.0.0

Enhancements

Bug Fixes

Contributors

  • Appu Goundan (@loosebazooka)
  • Batuhan Apaydın (@developer-guy)
  • Carlos Panato (@cpanato)
  • Dan Lorenc (@dlorenc)
  • Furkan Türkal (@Dentrax)
  • Hector Fernandez (@hectorj2f)
  • Jake Sanders (@dekkagaijin)
  • James Alseth (@jalseth)
  • Jason Hall (@imjasonh)
  • João Pereira (@joaodrp)
  • Luke Hinds (@lukehinds)
  • Tom Hennen (@TomHennen)

v0.6.0

Enhancements

Bug Fixes

Contributors

  • Asra Ali (@asraa)
  • Batuhan Apaydın (@developer-guy)
  • Carlos Panato (@cpanato)
  • Cody Soyland (@codysoyland)
  • Dan Lorenc (@dlorenc)
  • Dino A. Dai Zovi (@ddz)
  • Furkan Türkal (@Dentrax)
  • Jake Sanders (@dekkagaijin)
  • Jason Hall (@imjasonh)
  • Paris Zoumpouloglou (@zuBux)
  • Priya Wadhwa (@priyawadhwa)
  • Rémy Greinhofer (@rgreinho)
  • Russell Brown (@rjbrown57)

v0.5.0

Enhancements

Bug Fixes

Contributors

  • Balazs Zachar (@Cajga)
  • Batuhan Apaydın (@developer-guy)
  • Dan Lorenc (@dlorenc)
  • Furkan Turkal (@Dentrax)
  • Jake Sanders (@dekkagaijin)
  • Jon Johnson (@jonjohnsonjr)
  • Priya Wadhwa (@priyawadhwa)

v0.4.0

Action Required

  • Signatures created with cosign before v0.4.0 are not compatible with those created after
    • The signature image's manifest now uses OCI mediaTypes (#300)
    • The signature image's tag is now terminated with .sig (instead of .cosign, #287)

Enhancements

  • 🎉 Added support for "offline" verification of Rekor signatures 🎉 (ありがとう, priyawadhwa! #285)
  • Support for Hashicorp vault as a KMS provider has been added (Danke, RichiCoder1! sigstore/sigstore #44, sigstore/sigstore #49)

Bug Fixes

  • GCP KMS URIs now include the key version (#45)

Contributors

  • Christian Pearce (@pearcec)
  • Dan Lorenc (@dlorenc)
  • Jake Sanders (@dekkagaijin)
  • Priya Wadhwa (@priyawadhwa)
  • Richard Simpson (@RichiCoder1)
  • Ross Timson (@rosstimson)

v0.3.1

Bug Fixes

  • Fixed CI container image breakage introduced in v0.3.0
  • Fixed lack of version information in release binaries

v0.3.0

This is the third release of cosign!

We still expect many flags, commands, and formats to change going forward, but we're getting closer. No backwards compatibility is promised or implied yet, though we are hoping to formalize this policy in the next release. See #254 for more info.

Enhancements

  • The -output-file flag supports writing output to a specific file
  • The -key flag now supports kms references and URLs, the kms specific flag has been removed
  • Yubikey/PIV hardware support is now included!
  • Support for signing and verifying multiple images in one invocation

Bug Fixes

  • Bug fixes in KMS keypair generation
  • Bug fixes in key type parsing

Contributors

  • Dan Lorenc
  • Priya Wadhwa
  • Ivan Font
  • Dependabot!
  • Mark Bestavros
  • Jake Sanders
  • Carlos Tadeu Panato Junior

v0.2.0

This is the second release of cosign!

We still expect many flags, commands, and formats to change going forward, but we're getting closer. No backwards compatibility is promised or implied.

Enhancements

  • The password for private keys can now be passed via the COSIGN_PASSWORD
  • KMS keys can now be used to sign and verify blobs
  • The version command can now be used to return the release version
  • The public-key command can now be used to extract the public key from KMS or a private key
  • The COSIGN_REPOSITORY environment variable can be used to store signatures in an alternate location
  • Tons of new EXAMPLES in our help text

Bug Fixes

  • Improved error messages for command line flag verification
  • TONS more unit and integration testing
  • Too many others to count :)

Contributors

We would love to thank the contributors:

  • Dan Lorenc
  • Priya Wadhwa
  • Ahmet Alp Balkan
  • Naveen Srinivasan
  • Chris Norman
  • Jon Johnson
  • Kim Lewandowski
  • Luke Hinds
  • Bob Callaway
  • Dan POP
  • eminks
  • Mark Bestavros
  • Jake Sanders

v0.1.0

This is the first release of cosign!

The main goal of this release is to release something we can start using to sign other releases of sigstore projects, including cosign itself.

We expect many flags, commands, and formats to change going forward. No backwards compatibility is promised or implied.

Enhancements

This release added a feature to cosign called cosign. The cosign feature can be used to sign container images and blobs. Detailed documentation can be found in the README and the Detailed Usage.

Bug Fixes

There was no way to sign container images. Now there is!

Contributors

We would love to thank the contributors:

  • dlorenc
  • priyawadhwa
  • Ahmet Alp Balkan
  • Ivan Font
  • Jason Hall
  • Chris Norman
  • Jon Johnson
  • Kim Lewandowski
  • Luke Hinds
  • Bob Callaway