CHANGELOG.md

v0.11.0

Enhancements

• add support for intersection & union in search operations (sigstore#968)
• Allow sharding config to be written in yaml or json (sigstore#974)
• update field documentation on publicKey for hashedrekord (sigstore#969)
• compute payload and envelope hashes upon validating intoto proposed entries (sigstore#967)
• Add prometheus summary to track metric latency (sigstore#966)
• Add harness test for getting all entries by UUID and EntryID (sigstore#957)
• Persist and check attestations across harness tests (sigstore#952)
• Add rekor harness tests for adding and getting entries from previous versions (sigstore#945)

Bug Fixes

• fix: make rekor verify work with sharded uuids (sigstore#970)
• fix incorrect schema id for cose type (sigstore#979)
• fix nil-pointer error when artifact-hash is passed without artifact (sigstore#965)
• change default value for rekor_server.hostname to server's hostname (sigstore#963)
• api: fix inclusion proof verification flake (sigstore#956)

Others

• Update sccorecard-action to v2:alpha (sigstore#987)
• add changelog for v0.11.0 release (sigstore#982)
• remove trailing slash on directories (sigstore#984)
• update builder and cosign images (sigstore#981)
• Bump github.com/go-openapi/spec from 0.20.6 to 0.20.7 (sigstore#976)
• Bump github.com/go-openapi/loads from 0.21.1 to 0.21.2 (sigstore#977)
• Bump github.com/go-openapi/swag from 0.22.0 to 0.22.1 (sigstore#978)
• Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 (sigstore#975)
• Bump github.com/mediocregopher/radix/v4 from 4.1.0 to 4.1.1 (sigstore#972)
• Bump actions/github-script from 6.1.0 to 6.1.1 (sigstore#971)
• Bump github.com/go-openapi/errors from 0.20.2 to 0.20.3 (sigstore#964)
• Bump gopkg.in/ini.v1 from 1.66.6 to 1.67.0 (sigstore#960)
• Bump go.uber.org/zap from 1.21.0 to 1.22.0 (sigstore#961)
• Bump github.com/prometheus/client_golang from 1.12.2 to 1.13.0 (sigstore#959)
• Bump github.com/go-openapi/swag from 0.21.1 to 0.22.0 (sigstore#958)
• Bump github/codeql-action from 2.1.17 to 2.1.18 (sigstore#955)
• Bump golang from 1.18.4 to 1.18.5 (sigstore#950)
• Bump golang from 6e10f44 to 8a62670 (sigstore#948)
• Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (sigstore#947)

Contributors

• Asra Ali (@asraa)
• Azeem Shaikh (@azeemshaikh38)
• Bob Callaway (@bobcallaway)
• Carlos Tadeu Panato Junior (@cpanato)
• Samsondeen (@dsa0x)
• Priya Wadhwa (@priyawadhwa)

v0.10.0

** Note: Rekor will not send application/yaml responses anymore only application/json responses

Enhancements

• Drop application/yaml content type (sigstore#933)
• Return 404 if entry isn't found in log (sigstore#915)
• reuse dsse signature wrappers instead of having a copy (sigstore#912)

Others

• update go mod in hack/tools to go1.18 (sigstore#935)
• Enable Scorecard badge (sigstore#941)
• Add rekor test harness to presubmit tests (sigstore#921)
• Bump imjasonh/setup-ko from 0.4 to 0.5 (sigstore#940)
• update go builder and cosign image (sigstore#934)
• Bump sigs.k8s.io/release-utils from 0.7.2 to 0.7.3 (sigstore#937)
• Bump github.com/google/trillian from 1.4.1 to 1.4.2 in /hack/tools (sigstore#939)
• Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (sigstore#936)
• Bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 (sigstore#930)
• Update cosign image in validate-release job (sigstore#931)
• Bump sigs.k8s.io/release-utils from 0.7.1 to 0.7.2 (sigstore#927)
• Bump github.com/veraison/go-cose from 1.0.0-alpha.1 to 1.0.0-rc.1 (sigstore#928)
• Bump actions/dependency-review-action from 2.0.2 to 2.0.4 (sigstore#925)
• Bump github/codeql-action from 2.1.15 to 2.1.16 (sigstore#924)
• Bump golang from 1.18.3 to 1.18.4 (sigstore#919)
• Bump google.golang.org/grpc from 1.47.0 to 1.48.0 (sigstore#920)
• Bump actions/setup-go from 3.2.0 to 3.2.1 (sigstore#916)
• Updates on the release job/makefile cleanup (sigstore#914)
• add changelog for v0.9.1 (sigstore#911)

Contributors

• Azeem Shaikh (@azeemshaikh38)
• Bob Callaway (@bobcallaway)
• Carlos Tadeu Panato Junior (@cpanato)
• Hayden Blauzvern (@haydentherapper)
• Priya Wadhwa (@priyawadhwa)

v0.9.1

Enhancements

• Optimize lookup of attestation from storage layer (sigstore#909)
• feat: add subject URIs to index for x509 certificates (sigstore#897)
• ensure log messages have requestID where possible (sigstore#907)
• Check inactive shards for UUID for /retrieve endpoint (sigstore#905)

Bug Fixes

• Fix bug where /retrieve endpoint returns wrong logIndex across shards (sigstore#908)
• fix: sql syntax in dbcreate script (sigstore#903)

Others

• cleanup makefile with generated code; cleanup unused files (sigstore#910)
• Bump github.com/theupdateframework/go-tuf from 0.3.0 to 0.3.1 (sigstore#906)
• Pin release-utils to v0.7.1 (sigstore#904)
• Bump sigstore/cosign-installer from 2.4.0 to 2.4.1 (sigstore#898)

Contributors

• Asra Ali (@asraa)
• Bob Callaway (@bobcallaway)
• Priya Wadhwa (@priyawadhwa)
• Romain Aviolat (@xens)
• Sascha Grunert (@saschagrunert)

v0.9.0

Enhancements

• Add COSE support to Rekor (sigstore#867)

Bug Fixes

• Resolve virtual log index when calling /api/v1/log/entries/retrieve endpoint (sigstore#894)
• Fix intoto index keys (sigstore#889)
• ensure fallback logic executes if attestation key is empty when fetching attestation (sigstore#878)

Others

• Bump github/codeql-action from 2.1.14 to 2.1.15 (sigstore#893)
• Bump ossf/scorecard-action from 1.1.1 to 1.1.2 (sigstore#888)
• Bump github/codeql-action from 2.1.13 to 2.1.14 (sigstore#885)
• add changelog for v0.8.2 (sigstore#882)
• Bump github/codeql-action from 2.1.12 to 2.1.13 (sigstore#880)
• Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 (sigstore#881)

Contributors

• Bob Callaway (@bobcallaway)
• Carlos Tadeu Panato Junior (@cpanato)
• Fredrik Skogman (@kommendorkapten)
• Priya Wadhwa (@priyawadhwa)

v0.8.2

Bug Fixes

• ensure fallback logic executes if attestation key is empty when fetching attestation (sigstore#878)

Others

• Bump github/codeql-action from 2.1.12 to 2.1.13 (sigstore#880)
• Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 (sigstore#881)
• collect docker-compose logs if sharding tests fail, also trim IDs (sigstore#869)

Contributors

• Bob Callaway (@bobcallaway)

v0.8.1

Bug Fixes

• Allow an expired certificate chain to be uploaded and verified (sigstore#873)
• Fix indexing bug for intoto attestations (sigstore#870)

Others

• Bump actions/dependency-review-action from 1.0.2 to 2 (sigstore#871)
• Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 (sigstore#868)
• add changelog for v0.8.0 (sigstore#866)

Contributors

• Carlos Tadeu Panato Junior (@cpanato)
• Hayden Blauzvern (@haydentherapper)
• Priya Wadhwa (@priyawadhwa)

v0.8.0

Enhancements

• Print total tree size, including inactive shards in rekor-cli loginfo (sigstore#864)
• Allow retrieving entryIDs or UUIDs via /api/v1/log/entries/retrieve endpoint (sigstore#859)
• Improve error message when using ED25519 with HashedRekord type (sigstore#862)

Others

• Bump github.com/spf13/viper from 1.11.0 to 1.12.0 (sigstore#844)
• Bump github.com/go-openapi/validate from 0.21.0 to 0.22.0 (sigstore#863)
• update go.mod to go1.17 (sigstore#861)
• update cross-builder image to use go1.17.11 and dockerfile base image (sigstore#860)
• Bump github/codeql-action from 2.1.11 to 2.1.12 (sigstore#858)
• Bump ossf/scorecard-action from 1.1.0 to 1.1.1 (sigstore#857)
• Bump google.golang.org/grpc from 1.46.2 to 1.47.0 (sigstore#852)
• Bump github.com/secure-systems-lab/go-securesystemslib (sigstore#853)
• Configure rekor server in e2e tests via env variable (sigstore#850)
• Bump gopkg.in/ini.v1 from 1.66.5 to 1.66.6 (sigstore#848)
• Update go-tuf and sigstore/sigstore to non-vulnerable go-tuf version. (sigstore#847)
• Bump gopkg.in/ini.v1 from 1.66.4 to 1.66.5 (sigstore#846)

Contributors

• Carlos Tadeu Panato Junior (@cpanato)
• dhaus67 (@dhaus67)
• Hayden Blauzvern (@haydentherapper)
• Priya Wadhwa (@priyawadhwa)

v0.7.0

Breaking Change: Removed timestamping authority API. This is a breaking API change. If you are relying on the timestamping authority to issue signed timestamps, create signed timestamps using either OpenSSL or a service such as FreeTSA.

Enhancements

• Remove timestamping authority (sigstore#813)
• Limit the number of certificates parsed in a chain (sigstore#823)
• Retrieve shard tree length if it isn't provided in the config (sigstore#810)
• Don't try to index on hash for intoto obj if one isn't available (sigstore#800)
• intoto: add index on materials digest of slsa provenance (sigstore#793)
• remove URL fetch of keys/artifacts server-side (sigstore#735)

Others

• all: remove dependency on deprecated github.com/pkg/errors (sigstore#834)
• Add back owners for rfc3161 package type (sigstore#833)
• Bump google-github-actions/auth from 0.7.2 to 0.7.3 (sigstore#832)
• Bump github/codeql-action from 2.1.10 to 2.1.11 (sigstore#829)
• Bump google-github-actions/auth from 0.7.1 to 0.7.2 (sigstore#830)
• Bump google.golang.org/grpc from 1.46.0 to 1.46.2 (sigstore#828)
• Bump actions/dependency-review-action (sigstore#825)
• Bump actions/github-script from 6.0.0 to 6.1.0 (sigstore#826)
• Bump github.com/prometheus/client_golang from 1.12.1 to 1.12.2 (sigstore#827)
• update go to 1.17.10 in the dockerfile (sigstore#819)
• Bump github.com/google/trillian from 1.4.0 to 1.4.1 in /hack/tools (sigstore#818)
• Bump github.com/google/trillian from 1.4.0 to 1.4.1 (sigstore#817)
• Bump actions/setup-go from 3.0.0 to 3.1.0 (sigstore#822)
• Bump github/codeql-action (sigstore#821)
• update release builder images to use go 1.17.10 and cosign image to 1.18.0 (sigstore#820)
• Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (sigstore#815)
• Bump github/codeql-action from 2.1.9 to 2.1.10 (sigstore#816)
• Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 (sigstore#811)
• Bump github.com/go-openapi/spec from 0.20.5 to 0.20.6 (sigstore#802)
• Move trillian/merkly to transparency-dev (sigstore#807)
• Bump github.com/go-playground/validator/v10 from 10.10.1 to 10.11.0 (sigstore#803)
• chore(deps): Included dependency review (sigstore#788)
• Bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 (sigstore#799)
• Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 (sigstore#794)
• Bump sigstore/cosign-installer from 2.2.1 to 2.3.0 (sigstore#795)
• Bump github/codeql-action from 2.1.8 to 2.1.9 (sigstore#796)
• Bump google.golang.org/grpc from 1.45.0 to 1.46.0 (sigstore#791)
• Bump google-github-actions/auth from 0.7.0 to 0.7.1 (sigstore#790)
• Bump actions/checkout from 3.0.1 to 3.0.2 (sigstore#786)
• Bump codecov/codecov-action from 3.0.0 to 3.1.0 (sigstore#785)
• Bump github.com/mitchellh/mapstructure from 1.4.3 to 1.5.0 (sigstore#782)
• Bump github.com/mediocregopher/radix/v4 from 4.0.0 to 4.1.0 (sigstore#781)
• Bump anchore/sbom-action from 0.10.0 to 0.11.0 (sigstore#779)
• Bump actions/checkout from 3.0.0 to 3.0.1 (sigstore#778)
• Bump github.com/spf13/viper from 1.10.1 to 1.11.0 (sigstore#777)
• Bump sigstore/cosign-installer from 2.2.0 to 2.2.1 (sigstore#776)

Contributors

• Asra Ali (@asraa)
• Bob Callaway (@bobcallaway)
• Carlos Tadeu Panato Junior (@cpanato)
• Hayden Blauzvern (@haydentherapper)
• Koichi Shiraishi (@zchee)
• Naveen Srinivasan (@naveensrinivasan)
• Priya Wadhwa (@priyawadhwa)

v0.6.0

Notice: The server side remote fetching of resources will be removed in the next release

Enhancements

• Create EntryID for new artifacts and return EntryID to user (sigstore#623)
• Add search through inactive shards for GET by UUID (sigstore#750)
• Add in configmap to release for sharding config (sigstore#766)
• set p.Block after parsing; other cleanup (sigstore#759)
• Add index to hashed intoto envelope (sigstore#761)
• Add the SHA256 digest of the intoto payload into the rekor entry (sigstore#764)
• Add support for providing certificate chain for X509 signature types (sigstore#747)
• Specify public key for inactive shards in shard config (sigstore#746)
• Use active tree on server startup (sigstore#727)
• Require tlog_id when inactive shard config file is passed in (sigstore#739)
• Replace trillian_log_server.log_id_ranges flag with a config file (sigstore#742)
• Update loginfo API endpoint to return information about inactive shards (sigstore#738)
• Refactor rekor-cli loginfo (sigstore#734)
• Get log proofs by Tree ID (sigstore#733)
• Return virtual index when creating and getting a log entry (sigstore#725)
• Clearer logging for createAndInitTree (sigstore#724)
• Change TreeID to be of type string instead of int64 (sigstore#712)
• Switch to using the swag library for pointer manipulation. (sigstore#719)
• Make the loginfo command a bit more future/backwards proof. (sigstore#718)
• Use logRangesFlag in API, route reads based on TreeID (sigstore#671)
• Set rekor-cli User-Agent header on requests (sigstore#684)
• create namespace for rekor config in yaml. (sigstore#680)
• add securityContext to deployment. (sigstore#678)
• Move k8s objects out of the default namespace (sigstore#674)

Bug Fixes

• Fix search without sha prefix (sigstore#767)
• Fix link in types README (sigstore#765)
• fix typo in filename (sigstore#758)
• fix build date format for version command (sigstore#745)
• fix merge conflict (sigstore#720)

Documentation

• Add documentation about Alpine type (sigstore#697)
• update security process link (sigstore#685)
• Add intoto type documentation (sigstore#679)
• Add docs about API stabilitly and deprecation policy (sigstore#661)

Others

• Bump github.com/go-openapi/spec from 0.20.4 to 0.20.5 (sigstore#768)
• Bump anchore/sbom-action from 0.9.0 to 0.10.0 (sigstore#763)
• Bump github/codeql-action from 2.1.7 to 2.1.8 (sigstore#762)
• Update release jobs and trillian images (sigstore#756)
• Bump sigstore/cosign-installer from 2.1.0 to 2.2.0 (sigstore#757)
• Bump anchore/sbom-action from 0.8.0 to 0.9.0 (sigstore#754)
• Bump codecov/codecov-action from 2.1.0 to 3 (sigstore#753)
• Bump github/codeql-action from 2.1.6 to 2.1.7 (sigstore#752)
• Bump google-github-actions/auth from 0.6.0 to 0.7.0 (sigstore#751)
• Bump github/codeql-action from 1.1.5 to 2.1.6 (sigstore#748)
• Bump anchore/sbom-action from 0.7.0 to 0.8.0 (sigstore#743)
• Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 (sigstore#744)
• Bump github.com/go-openapi/runtime from 0.23.2 to 0.23.3 (sigstore#740)
• Bump github/codeql-action from 1.1.4 to 1.1.5 (sigstore#736)
• Use reusuable release workflow in sigstore/sigstore (sigstore#729)
• Fix copy/paste mistake in repo name. (sigstore#730)
• Bump github.com/spf13/cobra from 1.3.0 to 1.4.0 (sigstore#728)
• Bump golang from ca70980 to c7c9458 (sigstore#722)
• Bump google.golang.org/grpc from 1.44.0 to 1.45.0 (sigstore#723)
• Add sharding e2e test to Github Actions (sigstore#714)
• Bump github.com/go-playground/validator/v10 from 10.10.0 to 10.10.1 (sigstore#717)
• Bump github/codeql-action from 1.1.3 to 1.1.4 (sigstore#716)
• Add trillian container to existing release. (sigstore#715)
• Bump golang from 0168c35 to ca70980 (sigstore#707)
• Mirror signed release images from GCR to GHCR as part of release (sigstore#701)
• Bump anchore/sbom-action from 0.6.0 to 0.7.0 (sigstore#709)
• Bump github.com/go-openapi/runtime from 0.23.1 to 0.23.2 (sigstore#710)
• Bump sigstore/cosign-installer from 2.0.1 to 2.1.0 (sigstore#708)
• Generate release yaml artifact. (sigstore#702)
• Bump actions/upload-artifact from 2.3.1 to 3 (sigstore#704)
• Go update to 1.17.8 and cosign to 1.6.0 (sigstore#705)
• Consistent parenthesis use in Makefile (sigstore#700)
• add code coverage to pull request. (sigstore#676)
• Bump actions/checkout from 2.4.0 to 3 (sigstore#698)
• Bump goreleaser/goreleaser-action from 2.9.0 to 2.9.1 (sigstore#696)
• Bump actions/setup-go from 2.2.0 to 3.0.0 (sigstore#694)
• Bump github.com/secure-systems-lab/go-securesystemslib (sigstore#695)
• Bump golangci/golangci-lint-action from 3.0.0 to 3.1.0 (sigstore#693)
• Bump goreleaser/goreleaser-action from 2.8.1 to 2.9.0 (sigstore#692)
• Bump golangci/golangci-lint-action from 2.5.2 to 3 (sigstore#691)
• Bump github/codeql-action from 1.1.2 to 1.1.3 (sigstore#690)
• Bump github.com/go-openapi/runtime from 0.23.0 to 0.23.1 (sigstore#689)
• explicitly set permissions for github actions (sigstore#687)
• Bump sigstore/cosign-installer from 2.0.0 to 2.0.1 (sigstore#686)
• Bump ossf/scorecard-action from 1.0.3 to 1.0.4 (sigstore#683)
• Bump github/codeql-action from 1.1.0 to 1.1.2 (sigstore#682)
• Bump actions/github-script from 5.1.0 to 6 (sigstore#669)
• Bump github/codeql-action from 1.0.32 to 1.1.0 (sigstore#668)
• update cross-build and dockerfile to use go 1.17.7 (sigstore#666)
• Bump gopkg.in/ini.v1 from 1.66.3 to 1.66.4 (sigstore#664)
• Bump actions/setup-go from 2.1.5 to 2.2.0 (sigstore#663)
• Bump golang from 301609e to fff998d (sigstore#662)
• use upstream k8s version lib (sigstore#657)
• Bump github/codeql-action from 1.0.31 to 1.0.32 (sigstore#659)
• Bump go.uber.org/zap from 1.20.0 to 1.21.0 (sigstore#660)
• Bump github.com/go-openapi/strfmt from 0.21.1 to 0.21.2 (sigstore#656)
• Bump github.com/go-openapi/runtime from 0.22.0 to 0.23.0 (sigstore#655)
• Update the warning text for the GA release. (sigstore#654)
• attempting to fix codeowners file (sigstore#653)
• update release job (sigstore#651)
• Bump google-github-actions/auth from 0.5.0 to 0.6.0 (sigstore#652)

Contributors

• Asra Ali (@asraa)
• Bob Callaway (@bobcallaway)
• Carlos Tadeu Panato Junior (@cpanato)
• Dan Lorenc (@dlorenc)
• Eddie Zaneski (@eddiezane)
• Hayden Blauzvern (@haydentherapper)
• John Speed Meyers
• Kenny Leung (@k4leung4)
• Lily Sturmann (@lkatalin)
• Priya Wadhwa (@priyawadhwa)
• Scott Nichols (@n3wscott)

v0.5.0

Highlights

• Add Rekor logo to README (sigstore#650)
• update API calls to v5 (sigstore#591)
• Refactor helm type to remove intermediate state. (sigstore#575)
• Refactor the shard map parsing so we can pass it down into the API object. (sigstore#564)
• Refactor the alpine type to reduce intermediate state. (sigstore#573)

Enhancements

• Add logic to GET artifacts via old or new UUID (sigstore#587)
• helpful error message for hashedrekord types (sigstore#605)
• Set Accept header in dynamic counter requests (sigstore#594)
• Add sharding package and update validators (sigstore#583)
• rekor-cli: show the url in case of error (sigstore#581)
• Enable parsing of incomplete minisign keys, to enable re-indexing. (sigstore#567)
• Cleanups on the TUF pluggable type. (sigstore#563)
• Refactor the RPM type to remove more intermediate state. (sigstore#566)
• Do some cleanups of the jar type to remove intermediate state. (sigstore#561)

Others

• Update Makefile (sigstore#621)
• update version comments since dependabot doesn't do it (sigstore#617)
• Use workload identity provider instead of GitHub Secret for GCR access (sigstore#600)
• add OSSF scorecard action (sigstore#599)
• enable the sbom for rekor releases (sigstore#586)
• Point to the official website (instead of a 404) (sigstore#580)
• add milestone to closed prs (sigstore#574)
• Add a Makefile target for the "ko apply" step. (sigstore#572)
• types/README.md: Corrected documentation link (sigstore#568)

Dependencies Updates

• Bump github.com/prometheus/client_golang from 1.12.0 to 1.12.1 (sigstore#636)
• Bump github.com/go-openapi/runtime from 0.21.1 to 0.22.0 (sigstore#635)
• Bump github.com/go-openapi/swag from 0.19.15 to 0.20.0 (sigstore#634)
• Bump golang from f71d4ca to 301609e (sigstore#627)
• Bump golang from 0fa6504 to f71d4ca (sigstore#624)
• Bump google.golang.org/grpc from 1.43.0 to 1.44.0 (sigstore#622)
• Bump github/codeql-action from 1.0.29 to 1.0.30 (sigstore#619)
• Bump ossf/scorecard-action from 1.0.1 to 1.0.2 (sigstore#618)
• bump swagger and go mod tidy (sigstore#616)
• Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (sigstore#614)
• Bump github.com/go-openapi/errors from 0.20.1 to 0.20.2 (sigstore#613)
• Bump google-github-actions/auth from 0.4.4 to 0.5.0 (sigstore#612)
• Bump github/codeql-action from 1.0.28 to 1.0.29 (sigstore#611)
• Bump gopkg.in/ini.v1 from 1.66.2 to 1.66.3 (sigstore#608)
• Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (sigstore#609)
• Update github/codeql-action requirement to 8a4b243fbf9a03a93e93a71c1ec257347041f9c4 (sigstore#606)
• Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.0 (sigstore#607)
• Bump ossf/scorecard-action from 0fe1afdc40f536c78e3dc69147b91b3ecec2cc8a to 1.0.1 (sigstore#603)
• Bump goreleaser/goreleaser-action from 2.8.0 to 2.8.1 (sigstore#602)
• Bump golang from 8c0269d to 0fa6504 (sigstore#597)
• Pin dependencies in github action workflows and Dockerfile (sigstore#595)
• update release image to use go 1.17.6 (sigstore#589)
• Bump golang from 1.17.5 to 1.17.6 (sigstore#588)
• Bump go.uber.org/goleak from 1.1.11 to 1.1.12 (sigstore#585)
• Bump go.uber.org/zap from 1.19.1 to 1.20.0 (sigstore#584)
• Bump github.com/go-playground/validator/v10 from 10.9.0 to 10.10.0 (sigstore#579)
• Bump actions/github-script from 4 to 5 (sigstore#577)

Contributors

• Asra Ali (@asraa)
• Bob Callaway (@bobcallaway)
• Carlos Tadeu Panato Junior (@cpanato)
• Dan Lorenc (@dlorenc)
• Jason Hall (@imjasonh)
• Lily Sturmann (@lkatalin)
• Morten Linderud (@Foxboron)
• Nathan Smith (@nsmith5)
• Sylvestre Ledru (@sylvestre)
• Trishank Karthik Kuppusamy (@trishankatdatadog)

v0.4.0

Highlights

• Adds hashed rekord type that can be used to upload signatures along with the hashed content signed (sigstore#501)

Enhancements

• Update the schema to match that of Trillian repo. The map specific (sigstore#528)
• allow setting the user-agent string sent from the client (sigstore#521)
• update key usage for ts cert (sigstore#504)
• api/index/retrieve: allow searching on indicies with sha1 hashes (sigstore#499)
• Only include Attestation data if attestation storage enabled (sigstore#494)
• Fuzzing RequestFromRekor API (sigstore#488)
• Included pprof for profiling the application. (sigstore#485)
• refactor release and add signing (sigstore#483)
• More verbose error message for redis connection failure (sigstore#479) (sigstore#480)
• Fixed modtime for reproducible goreleaser (sigstore#473)
• add goreleaser and cloudbuild for releases (sigstore#443)
• Add dynamic JS tree size counter (sigstore#468)
• check that entry UUID == leafHash of returned entry (sigstore#469)
• chore: upgrade cosign version (sigstore#465)
• Reproducible builds with trimpath (sigstore#464)
• correct links, add Table of Contents of sorts (sigstore#449)
• update go tuf for rsa key impl (sigstore#446)
• Canonicalize JSON before inserting into trillian (sigstore#445)
• Export search UUIDs field (sigstore#438)
• Add a flag to start specifying log index ranges for virtual indices. (sigstore#435)
• Cleanup some initialization/flag parsing in rekor-server. (sigstore#433)
• Drop 404 errors down to a warning. (sigstore#426)
• Cleanup the output of search (the text goes to stderr not stdout). (sigstore#421)
• remove extradata field from types (sigstore#418)
• Update usage of ./cmd/rekor-cli/ from rekor to rekor-cli (sigstore#417)
• Add TUF type (sigstore#383)
• Updates to INSTALLATION.md notes (sigstore#415)
• Update snippets to use console type for snippets (sigstore#410)
• version: add way to display a version when using go get or go install (sigstore#405)
• Use an in memory timestamping key (sigstore#402)
• Links are case sensitive (sigstore#401)
• Installation guide (sigstore#400)
• Add a SignedTimestampNote (sigstore#397)
• Provide instructions on verifying releases (sigstore#399)
• rekor-server: add html page when humans reach the server via the browser (sigstore#394)
• use go modules to track tools (sigstore#395)

Bug Fixes

• bug: fix minisign prehashed entries (sigstore#639)
• fix timestamp addition and unmarshal (sigstore#525)
• Correct & parallelize tests (sigstore#522)
• Fix fuzz go.sum issue (sigstore#509)
• fix validation error (sigstore#503)
• Correct Helm index keys (sigstore#474)
• Fix a bug in x509 certificate handling. (sigstore#461)
• Fix a conflict from parallel dependabot merges. (sigstore#456)
• fix tuf metadata marshalling (sigstore#447)
• Switch DSSE provider to go-securesystemslib (sigstore#442)
• fix unmarshalling sth (sigstore#409)
• Fix port flag override (sigstore#396)
• makefile: small fix on the makefile for the rekor-server (sigstore#393)

Dependencies Updates

• Bump github.com/spf13/viper from 1.9.0 to 1.10.0 (sigstore#531)
• Bump sigstore/cosign-installer from 1.3.1 to 1.4.1 (sigstore#530)
• Bump the DSSE signing library. (sigstore#529)
• Bump golang from 1.17.4 to 1.17.5 (sigstore#527)
• Bump golang from 1.17.3 to 1.17.4 (sigstore#523)
• Bump gopkg.in/ini.v1 from 1.66.0 to 1.66.2 (sigstore#520)
• Bump github.com/mitchellh/mapstructure from 1.4.2 to 1.4.3 (sigstore#517)
• Bump github.com/secure-systems-lab/go-securesystemslib (sigstore#516)
• Bump gopkg.in/ini.v1 from 1.64.0 to 1.66.0 (sigstore#513)
• Upgraded go-playground/validator module to v10 (sigstore#507)
• Bump gopkg.in/ini.v1 from 1.63.2 to 1.64.0 (sigstore#495)
• Bump github.com/go-openapi/strfmt from 0.21.0 to 0.21.1 (sigstore#510)
• Bump the trillian import to v1.4.0. (sigstore#502)
• Bump the trillian versions to v1.4.0 in our docker-compose setup. (sigstore#500)
• update go.mod for go-fuzz (sigstore#496)
• Bump sigstore/cosign-installer from 1.3.0 to 1.3.1 (sigstore#491)
• Bump golang from 1.17.2 to 1.17.3 (sigstore#482)
• Bump google.golang.org/grpc from 1.41.0 to 1.42.0 (sigstore#478)
• Bump actions/checkout from 2.3.5 to 2.4.0 (sigstore#477)
• Bump github.com/go-openapi/runtime from 0.20.0 to 0.21.0 (sigstore#470)
• bump go-swagger to v0.28.0 (sigstore#463)
• Bump github.com/in-toto/in-toto-golang from 0.3.2 to 0.3.3 (sigstore#459)
• Bump actions/checkout from 2.3.4 to 2.3.5 (sigstore#458)
• Bump github.com/mediocregopher/radix/v4 from 4.0.0-beta.1 to 4.0.0 (sigstore#460)
• Bump github.com/go-openapi/runtime from 0.19.31 to 0.20.0 (sigstore#451)
• Bump github.com/go-openapi/spec from 0.20.3 to 0.20.4 (sigstore#454)
• Bump github.com/go-openapi/validate from 0.20.2 to 0.20.3 (sigstore#453)
• Bump github.com/go-openapi/strfmt from 0.20.2 to 0.20.3 (sigstore#452)
• Bump github.com/go-openapi/loads from 0.20.2 to 0.20.3 (sigstore#450)
• Bump golang from 1.17.1 to 1.17.2 (sigstore#448)
• Bump google.golang.org/grpc from 1.40.0 to 1.41.0 (sigstore#441)
• Bump golang.org/x/mod from 0.5.0 to 0.5.1 (sigstore#440)
• Bump github.com/spf13/viper from 1.8.1 to 1.9.0 (sigstore#439)
• Bump gopkg.in/ini.v1 from 1.63.0 to 1.63.2 (sigstore#437)
• Bump github.com/mitchellh/mapstructure from 1.4.1 to 1.4.2 (sigstore#436)
• Bump gocloud to v0.24.0. (sigstore#434)
• Bump golang from 1.17.0 to 1.17.1 (sigstore#432)
• Bump go.uber.org/zap from 1.19.0 to 1.19.1 (sigstore#431)
• Bump gopkg.in/ini.v1 from 1.62.0 to 1.63.0 (sigstore#429)
• Bump github.com/go-openapi/runtime from 0.19.30 to 0.19.31 (sigstore#425)
• Bump github.com/go-openapi/errors from 0.20.0 to 0.20.1 (sigstore#423)
• Bump github.com/go-openapi/strfmt from 0.20.1 to 0.20.2 (sigstore#422)
• Bump golang from 1.16.7 to 1.17.0 (sigstore#413)
• Bump golang.org/x/mod from 0.4.2 to 0.5.0 (sigstore#412)
• Bump google.golang.org/grpc from 1.39.1 to 1.40.0 (sigstore#411)
• Bump github.com/go-openapi/runtime from 0.19.29 to 0.19.30 (sigstore#408)
• Bump go.uber.org/zap from 1.18.1 to 1.19.0 (sigstore#407)
• Bump golang from 1.16.6 to 1.16.7 (sigstore#403)
• Bump google.golang.org/grpc from 1.39.0 to 1.39.1 (sigstore#404)

Contributors

• Aditya Sirish (@adityasaky)
• Andrew Block (@sabre1041)
• Asra Ali (@asraa)
• Axel Simon (@axelsimon)
• Batuhan Apaydın (@developer-guy)
• Bob Callaway (@bobcallaway)
• Carlos Panato (@cpanato)
• Dan Lorenc (@dlorenc)
• Dan Luhring (@luhring)
• Harry Fallows (@harryfallows)
• Hector Fernandez (@hectorj2f)
• Jake Sanders (@dekkagaijin)
• Jason Hall (@imjasonh)
• Lily Sturmann (@lkatalin)
• Luke Hinds (@lukehinds)
• Marina Moore (@mnm678)
• Mikhail Swift (@mikhailswift)
• Naveen Srinivasan (@naveensrinivasan)
• Robert James Hernandez (@sarcasticadmin)
• Santiago Torres (@SantiagoTorres)
• Tiziano Santoro (@tiziano88)
• Trishank Karthik Kuppusamy (@trishankatdatadog)
• Ville Aikas (@vaikas)
• kpcyrd (@kpcyrd)