Releases: deislabs/ratify

v1.2.0

31 May 06:05
da2cdca

🚨 Deprecations

  • CertificateStore is deprecated in favor of KeyManagementProvider. Please migrate to KeyManagementProvider by following the guide here. Support will be removed in Ratify v2.0.0.

New Features

📄 Documentation

🎉 New Contributors

🐛 🩹 Bug Fixes

Changes since v1.2.0-rc.1

v1.2.0-rc.1

22 May 00:27
280494f
Pre-release

🚨 Deprecations

  • CertificateStore is deprecated in favor of KeyManagementProvider. Please migrate to KeyManagementProvider by following the guide here. Support will be removed in Ratify v2.0.0.

New Features

📄 Documentation

🎉 New Contributors

🐛 🩹 Bug Fixes

What's Changed

  • fix: bump dev helmfile ratify chart versions by @akashsinghal in #1216
  • feat: add namespace to external data request key by @binbin-li in #1201
  • chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.16.9 to 1.16.12 by @dependabot in #1224
  • chore: Bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.9.0 to 1.9.1 by @dependabot in #1225
  • chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.25.11 to 1.25.12 by @dependabot in #1226
  • build: bump up upload-artifact action to v4.0.0 by @binbin-li in #1227
  • chore: Bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @dependabot in #1229
  • feat: add version to CRD spec by @susanshi in #1215
  • fix: surface plugin error in exec.go by @susanshi in #1228
  • chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.16.12 to 1.16.13 by @dependabot in #1235
  • chore: Bump k8s.io/client-go from 0.28.4 to 0.28.5 by @dependabot in #1232
  • chore: Bump apache/skywalking-eyes from ee81ff786927ea6ffa48b1e29c48e5289f4753aa to ed436a5593c63a25f394ea29da61b0ac3731a9fe by @dependabot in #1231
  • feat: add cache isolation by @binbin-li in #1213
  • chore: update codecov config by @junczhu in #1237
  • docs: updated docs with the latest verifier report format by @junczhu in #1236
  • fix: SBOM verifier license match support for deprecated license by @susanshi in #1230
  • docs: add multi-tenancy support discussions by @binbin-li in #1175
  • fix: differentiate aks logs from e2e log by @susanshi in #1243
  • ci: add cache cleanup post merge by @akashsinghal in #1242
  • docs: Update log format in doc by @junczhu in #1240
  • ci: switch to fail-fast from continue-on-error by @binbin-li in #1245
  • ci: add dev helm chart publishing workflow by @akashsinghal in #1209
  • fix: update constraint templates to work with new type field by @akashsinghal in #1217
  • fix: improve vuln report verifier report messages by @akashsinghal in #1238
  • feat: improve plugin config dependency by @junczhu in #1223
  • chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.16.13 to 1.16.14 by @dependabot in #1250
  • chore: Bump github.com/AzureAD/microsoft-authentication-library-for-go from 1.2.0 to 1.2.1 by @dependabot in #1252
  • chore: Bump github.com/cloudflare/circl from 1.3.5 to 1.3.7 by @dependabot in #1253
  • chore: Bump azure/login from 1.5.1 to 1.6.0 by @dependabot in #1255
  • chore: rename func for readability by @junczhu in #1257
  • chore: Bump actions/upload-artifact from 4.0.0 to 4.1.0 by @dependabot in #1261
  • chore: Bump azure/login from 1.6.0 to 1.6.1 by @dependabot in #1266
  • chore: Bump actions/upload-artifact from 4.1.0 to 4.2.0 by @dependabot in #1270
  • chore: Bump k8s.io/client-go from 0.28.5 to 0.28.6 by @dependabot in #1273
  • chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.16.14 to 1.16.16 by @dependabot in #1275
  • chore: Bump github.com/opencontainers/image-spec from 1.1.0-rc5 to 1.1.0-rc6 by @dependabot in #1271
  • chore: Bump actions/upload-artifact from 4.2.0 to 4.3.0 by @dependabot in #1279
  • chore: Bump codecov/codecov-action from 3.1.4 to 3.1.5 by @dependabot in #1281
  • chore: Bump github.com/docker/cli from 24.0.7+incompatible to 24.0.8+inco...

v1.1.1

02 May 23:12
986b5b8

Changelog

Bug Fixes

v1.1.0

12 Dec 02:35
7725e46

💥 🚨 CRD BREAKING CHANGES 🚨 💥

  • Certificate Store is a namespaced CR. We have made a fix in this release so that Certificate Store CR can be uniquely referenced by Verifier CR. Please follow migration steps here

New Features

  • Enables SBOM verifier improvements:
    • Add deny license and deny package properties to the existing SBOM verifier
    • Add SBOM verifier to Helm chart
  • Introduce new Vulnerability report verifier for Sarif reports generated by Trivy and Grype
    • Enforces report content to match Sarif schema
    • Enforces a MaximumAge duration (ex: '24h')
    • Enforces against existence of disallowedSeverity levels (ex: 'critical')
    • Enforces against existence of denylistCVEs (ex: CVE-2021-44228 log4shell)
    • Introduce a passthrough flag which will bypass all checks and append sarif content in verifier report
    • Adds vulnerability report verifier to Helm chart
    • For documentation on how to use refer to the docs
  • Introduce a verifier name and a verifier type (specName) to the existing VerifierConfig and VerifierPlugin. This enables support for multiple verifiers of the same verifier type. You can find more info here.
  • Introduce new --debug flag to Ratify CLI that sets the logger level to DEBUG.
  • Introduce support for notation-go logs with trace-id support

📄 Documentation

Note: We’ve moved most of our feature documentation to the Ratify Website.

🧪 Tests

  • Added new E2E CLI test for SBOM verifier
  • Added unit tests and E2E tests for vulnerability report verifier
  • Add more unit tests to increase the test coverage for authProvider.

CLI

  • Verifier Scenarios
    • Notation
    • Cosign
      • Keyed
      • Keyless
    • SBOM
    • License Checker
    • JSON Schema Validation
    • All verifier types in one
    • Vulnerability Report
  • Dynamic OCI Plugins
    • Verifier Plugin
    • Store Plugin

Kubernetes

  • Verifier Scenarios
    • Notation
    • Cosign
    • SBOM
    • License Checker
    • JSON Schema Validation
    • All verifier types in one
    • Vulnerability Report
  • ORAS Store Authentication Providers
    • Docker
    • Kubernetes Secrets
    • Azure Workload Identity
    • Azure Managed Identity
  • Certificate Store Providers
    • Inline Certificate
    • Azure Key Vault Certificate
  • Mutation Provider
  • Dynamic OCI Plugins
    • Verifier Plugin
  • CertificateProvider CRD Status
  • TLS Certificate
    • TLS Certificate Watcher
    • TLS Certificate Rotation
  • High Availability Tests
    • 2 Replicas, Redis + Dapr, Notation
  • Quick Start helmfile.yaml test

🐛 🩹 Bug Fixes

  • fix: update auth cache miss error handling by @akashsinghal in #1105
  • fix: rename error for verifier plugins to be more generic by @akashsinghal in #1129
  • fix: set default certstore namespace in notation verifier to uniquely identify certificate store resource by @susanshi in #1134
  • fix: allow multiple notationCert in default chart by @susanshi in #1151
  • fix: add certificates to chart value by @susanshi in #1172
  • fix: remove trailing hyphen in notation template by @akashsinghal in #1197

🎉 New Contributors

📝 Changelog


v1.0.0

26 Sep 20:22
6cceec1

Ratify v1

Ratify is a verification engine available as a binary executable and on Kubernetes that enables customers to author policies to verify security artifact metadata, such as image signatures and SBOMs, and allows deployment of only those that comply with these policies. This is the first stable release v1.0.0🎉.

Important

Experimental features are only intended for testing in a development environment and should not be used in production. Please adhere to the specified feature and performance limits for production workloads. More information can be found in the ratify documentation.

Key Features

  • Ratify as a CLI binary for verifying artifacts stored in a registry
  • Out-of-box support in published helm chart for running Ratify as an External Data Provider for Gatekeeper admission controller
  • Native Kubernetes support for managing and running Ratify as a scalable & reliable service
    • Verifier, Store, Certificate Store, and Policy CRDs for simple Ratify configuration
    • TLS certificate management and rotation for mTLS service-to-service communication
    • Standardized logging and prometheus metrics support + Grafana dashboard.
  • Extensible plugin model to support new verifier and referrer store plugins
    • 1st party support for Notation verifier and registry interaction via ORAS referrer store.
    • External verifiers such as Cosign, SBOM, SPDX, Licensechecker, etc.
  • Built-in policy evaluation engine support using embedded OPA engine or config-based policies.
  • Built-in certificate stores make interacting with Key Management Systems (KMS) simple.

Experimental Features

  • Ratify in High Availability (HA) mode using a distributed cache (dapr + redis)

What's Changed since v1.0.0-rc8

  • Add end-to-end test for init containers and ephemeral container mutation/verification. See #1086
  • Update Policy CRD to contain a type instead of metadata for determining policy provider. See #1079

💥 🚨 BREAKING CHANGES 🚨 💥

  • Policy CRD now REQUIRES crd's metadata.name to be ratify-policy. spec.type must be rego-policy or config-policy ONLY.
    • See #1079 for more information

📄 Documentation

🧪 Tests

CLI

  • Verifier Scenarios
    • Notation
    • Cosign
      • Keyed
      • Keyless
    • SBOM
    • License Checker
    • JSON Schema Validation
    • All verifier types in one
  • Dynamic OCI Plugins
    • Verifier Plugin
    • Store Plugin

Kubernetes

  • Verifier Scenarios
    • Notation
    • Cosign
    • SBOM
    • License Checker
    • JSON Schema Validation
    • All verifier types in one
  • ORAS Store Authentication Providers
    • Docker
    • Kubernetes Secrets
    • Azure Workload Identity
    • Azure Managed Identity
  • Certificate Store Providers
    • Inline Certificate
    • Azure Key Vault Certificate
  • Mutation Provider
  • Dynamic OCI Plugins
    • Verifier Plugin
  • CertificateProvider CRD Status
  • TLS Certificate
    • TLS Certificate Watcher
    • TLS Certificate Rotation
  • High Availability Tests
    • 2 Replicas, Redis + Dapr, Notation
  • Quick Start helmfile.yaml test

🐛 🩹 Bug Fixes

📝 Changelog

  • fix: update helmfile.yaml for rc8 by @susanshi in #1069
  • chore: Bump github.com/docker/cli from 24.0.0+incompatible to 24.0.6+incompatible by @dependabot in #1070
  • chore: Bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0 by @dependabot in #1077
  • chore: Bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in #1063
  • chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.38 to 1.18.39 by @dependabot in #1073
  • chore: Bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.7.1 to 1.7.2 by @dependabot in #1071
  • chore: Bump docker/login-action from 2.2.0 to 3.0.0 by @dependabot in #1080
  • docs: create ratify-weekly-notes-2023-Jan-2023-Jul.md by @susanshi in #1081
  • chore: update local build doc by @junczhu in #1075
  • chore: Bump k8s.io/client-go from 0.27.5 to 0.27.6 by @dependabot in #1085
  • test: add constraint template e2e test for initContainers and ephemeralContainers by @junczhu in #1086
  • chore: Bump github.com/opencontainers/image-spec from 1.1.0-rc4 to 1.1.0-rc5 by @dependabot in #1082
  • fix: update e2e resource for initContainers and ephemeralContainers by @junczhu in #1088
  • feat: add type to policy CRD by @binbin-li in #1079
  • chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.39 to 1.18.42 by @dependabot in #1094
  • chore: Bump actions/checkout from 4.0.0 to 4.1.0 by @dependabot in #1092
  • docs: redirect to website by @susanshi in #1087
  • fix: update errors doc reference links by @akashsinghal in #1098
  • chore: prepare for v1.0.0 release by @akashsinghal in #1097

Full Changelog: v1.0.0-rc.8...v1.0.0

v1.0.0-rc.8

11 Sep 08:56
98408ae
Pre-release

New Features

  • The user agent header sent by Ratify now includes OS/Arch and version.
  • Introducing new health probe.
    • Add liveness probes to deployment files
    • Allows probe port to be configured
  • Updated oras-go to v2.3.0 and GK 3.13 support

📄 Documentation

🧪 Tests

  • Added a new automated test for the quick start.

CLI

  • Verifier Scenarios
    • Notation
    • Cosign
      • Keyed
      • Keyless
    • SBOM
    • License Checker
    • JSON Schema Validation
    • All verifier types in one
  • Dynamic OCI Plugins
    • Verifier Plugin
    • Store Plugin

Kubernetes

  • Verifier Scenarios
    • Notation
    • Cosign
    • SBOM
    • License Checker
    • JSON Schema Validation
    • All verifier types in one
  • ORAS Store Authentication Providers
    • Docker
    • Kubernetes Secrets
    • Azure Workload Identity
    • Azure Managed Identity
  • Certificate Store Providers
    • Inline Certificate
    • Azure Key Vault Certificate
  • Mutation Provider
  • Dynamic OCI Plugins
    • Verifier Plugin
  • CertificateProvider CRD Status
  • TLS Certificate
    • TLS Certificate Watcher
    • TLS Certificate Rotation
  • High Availability Tests
    • 2 Replicas, Redis + Dapr, Notation

🐛 🩹 Bug Fixes

📝 Changelog

Full Changelog: v1.0.0-rc.7...v1.0.0-rc.8

v1.0.0-rc.7

25 Aug 22:01
3e5256a
Pre-release

New Features

  • Introducing OPA engine integration to support Rego Policy
    • Embeds OPA engine in Ratify so that service can make verifications using the OPA engine for Rego Policies.
    • Adds support for multiple verifiers against the same artifact.
    • Users can still provide a configuration Policy which is the default option.
    • Introduces new Policy controller and CRD that allows switching between configuration policy and Rego Policy at runtime
    • More information here
  • Introducing support to enable High Availability (HA) for Ratify
    • Unifies all existing in-memory caches through a new cache interface that allows registering and specifying new cache providers
    • Implements Ristretto as the default cache provider
    • Implements support for Dapr cache provider
    • More info here
  • Introducing integration with Helmfile Tool
    • Simplifies helm install for upgrade scenarios to HA support
    • Simplifies helm install for quick start experience
  • Introducing Terraform configs for Azure
    • Adds Terraform configs to simplify the deployment of Azure Resources for Ratify
  • Enable optional image mutation in Helm chart
    • Allows image mutation to be optional in helm chart since there might be scenarios where OPA Gatekeeper constraints are based on image tags.
  • Introduce graceful shutdown for http server
    • Adds support for ‘Shutdown’ command to be invoked on SIGTERM signal or interrupt OS command
    • Adds channel to wait on shutdown process to complete (6 second context timeout)
  • Introducing improved error handling
    • Refactor most errors to a custom error struct
    • Introduce error codes for faster searching
    • Adds stacks to improve debuggability
    • Adds a configurable internal logger utility that initializes the logger for Ratify and configures the context with a trace-id from requests
    • More info here
  • Introducing new Ratify arm64 & arm/v7 images
  • Introducing new Ratify Logo
    • We are improving the project branding. Check out the new Ratify Logo here

💥 🚨 BREAKING CHANGES 🚨 💥

  • Notation signature verifier name now registered using name notation instead of notaryv2
    • More information here
  • logLevel helm chart value now found at logger.level
    • More information here
  • TLS certs are NOT auto generated by Ratify chart. It's recommended to set featureFlags.RATIFY_CERT_ROTATION to true.
  • PKCS12 certs with Azure Key Vault setup is NOT supported

📄 Documentation

🧪 Tests

CLI

  • Verifier Scenarios
    • Notation
    • Cosign
      • Keyed
      • Keyless
    • SBOM
    • License Checker
    • JSON Schema Validation
    • All verifier types in one
  • Dynamic OCI Plugins
    • Verifier Plugin
    • Store Plugin

Kubernetes

  • Verifier Scenarios
    • Notation
    • Cosign
    • SBOM
    • License Checker
    • JSON Schema Validation
    • All verifier types in one
  • ORAS Store Authentication Providers
    • Docker
    • Kubernetes Secrets
    • Azure Workload Identity
    • Azure Managed Identity
  • Certificate Store Providers
    • Inline Certificate
    • Azure Key Vault Certificate
  • Mutation Provider
  • Dynamic OCI Plugins
    • Verifier Plugin
  • CertificateProvider CRD Status
  • TLS Certificate
    • TLS Certificate Watcher
    • TLS Certificate Rotation
  • High Availability Tests
    • 2 Replicas, Redis + Dapr, Notation

🐛 🩹 Bug Fixes

🎉 New Contributors

📝 Changelog


v1.0.0-rc.6

10 Jul 02:25
199d5cf
Pre-release

Changelog

  • 29ce6de chore: update chart for v1.0.0-rc.6 (#921)
  • 199d5cf fix: downgrade goreleaser to last stable version (#922)
  • f819c03 fix: publish ratify image with plugin (#916)

v1.0.0-rc.5

16 Jun 20:40
0d03e79
Pre-release

New Features

  • Introducing support for TLS Certificate Management
    • Adds a custom configuration fetcher for TLS config so that every new TLS connection reads the cert files from disk. You can learn more here and here.
    • Adopt the cert-controller used in Gatekeeper, which checks the validity of certificates every 12 hours and generates a new certificate.
    • Design doc is here.
  • Update Go to 1.20 to use coverage profiling for integration tests.
    • Helps to report coverage for integration tests. You can find more here.
  • Improved error messages from Certificate Store CRD
    • Shortens the error message reported in the Certificate Store Status. You can learn more here.
  • Introduce ability to build external plugins conditionally
    • Updates the dockerfile and tests to be able to select which external plugins to be built. You can find out more here.

Documentation

Tests

CLI

  • Verifier Scenarios
    • Notation v2
    • Cosign
      • Keyed
      • Keyless
    • SBOM
    • License Checker
    • JSON Schema Validation
    • All verifier types in one
  • Dynamic OCI Plugins
    • Verifier Plugin
    • Store Plugin
  • OCI 1.0 spec compatibility test

Kubernetes

  • Verifier Scenarios
    • Notation v2
    • Cosign
    • SBOM
    • License Checker
    • JSON Schema Validation
    • All verifier types in one
  • ORAS Store Authentication Providers
    • Docker
    • Kubernetes Secrets
    • Azure Workload Identity
    • Azure Managed Identity
  • Certificate Store Providers
    • Inline Certificate
    • Azure Key Vault Certificate
  • Mutation Provider
  • Dynamic OCI Plugins
    • Verifier Plugin
  • CertificateProvider CRD Status
  • TLS Certificate
    • TLS Certificate Watcher
    • TLS Certificate Rotation

Bug Fixes

Changelog

  • chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.13.22 to 1.13.24 by @dependabot in #826
  • chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.23 to 1.18.25 by @dependabot in #828
  • chore: Bump github.com/docker/cli from 23.0.5+incompatible to 23.0.6+incompatible by @dependabot in #827
  • chore: Bump codecov/codecov-action from 3.1.3 to 3.1.4 by @dependabot in #830
  • chore: Bump actions/setup-go from 4.0.0 to 4.0.1 by @dependabot in #829
  • chore: bump rekor to 1.1, cosign to 2.0, msal-go to 1.0 by @dependabot in #812
  • chore: bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 by @dependabot in #832
  • feat: upgrade go to 1.20 to use coverage profiling for integration tests. by @binbin-li in #833
  • chore: bump github.com/stretchr/testify from 1.8.2 to 1.8.3 by @dependabot in #841
  • chore: bump k8s.io/apimachinery from 0.26.1 to 0.26.5 by @dependabot in #840
  • chore: bump github.com/sirupsen/logrus from 1.9.0 to 1.9.2 by @dependabot in #839
  • chore: bump google.golang.org/grpc from 1.54.0 to 1.54.1 by @dependabot in #838
  • chore: bump codecov/codecov-action from 3.1.3 to 3.1.4 by @dependabot in #837
  • fix: fix go version in build-pr.yml by @binbin-li in #842
  • docs: update CRD version to v1beta1 by @binbin-li in #844
  • chore: bump github/codeql-action from 2.3.3 to 2.3.4 by @dependabot in #847
  • chore: bump github/codeql-action from 2.3.4 to 2.3.5 by @dependabot in #849
  • feat: support tls cert rotation by @akashsinghal in #831
  • feat: add brief err to CertificateStore CRD by @binbin-li in #846
  • chore: bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 by @dependabot in #850
  • chore: bump github.com/notaryproject/notation-core-go from 1.0.0-rc.3 to 1.0.0-rc.4 by @dependabot in #853
  • chore: bump k8s.io/client-go from 0.25.4 to 0.25.10 by @dependabot in #852
  • chore: bump github.com/spdx/tools-golang from 0.5.0 to 0.5.1 by @dependabot in #854
  • chore: bump k8s.io/api from 0.26.1 to 0.26.5 by @dependabot in #851
  • test: testscript change echo file to printf by @fseldow in #859
  • chore: bump github/codeql-action from 2.3.5 to 2.3.6 by @dependabot in #862
  • chore: bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 by @dependabot in #867
  • chore: bump github.com/stretchr/testify from 1.8.3 to 1.8.4 by @dependabot in #866
  • build: build external plugins conditionally by @binbin-li in #860
  • chore: bump github.com/notaryproject/notation-go from 1.0.0-rc.4 to 1.0.0-rc.6 by @dependabot in #864
  • chore: bump golangci/golangci-lint-action from 3.4.0 to 3.5.0 by @dependabot in #868
  • test: switch to splitted bats test by @binbin-li in #870
  • fix: switch to working version of sbom-tool by @binbin-li in #873
  • chore: bump actions/checkout from 3.5.2 to 3.5.3 by @dependabot in #879
  • chore: bump github/codeql-action from 2.3.6 to 2.13.4 by @dependabot in #878
  • chore: bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.6.0 to 1.6.1 by @dependabot in #877
  • chore: bump github.com/spdx/tools-golang from 0.5.1 to 0.5.2 by @dependabot in #876
  • chore: bump docker/login-action from 2.1.0 to 2.2.0 by @dependabot in #872
  • chore: bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 by @dependabot in #880
  • chore: bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 by @dependabot in #881
  • fix: update Azure build steps by @akashsinghal in #882
  • feat: add cert rotator by @binbin-li in #869
  • fix: Azure workload identity fails to refresh token by @susanshi in #883
  • test: move cert rotator to plugin test since it will deploy image with plugins by @fseldow in #888
  • chore: update chart for v1.0.0-rc.5 by @akashsinghal in #890
  • fix: update go releaser to use quoted go version by @akashsinghal in #891

Full Changelog: v1.0.0-rc.4...v1.0.0-rc.5

v1.0.0-rc.4

12 May 20:10
faff08b
Pre-release

New Features

  • Introducing new dependency metrics
    • Adds metrics and supporting dashboards for registry requests, blob cache hit, AAD exchange duration, ACR Exchange duration, and AKV cert fetch duration. More information can be found here.
  • Introducing support for multiple signature report in verifier report for Cosign
    • Cosign allows for multiple signatures to be attached as layers in a single OCI Image. Ratify now provides support to bubble up failures/successes per signature layer.
    • More information can be found here.
  • Introducing fixes for ECR Basic Auth registry parse and new notation plugin manager for use with the notation verifier
    • Adds a new plugin manager that can be used with the Notation verifier. It allows users to download notation plugins through the ratify Dynamic Plugins feature to use in verification.
    • Fix an issue with ECR basic auth when downloading objects through the Dynamic Plugins feature.
    • More information can be found here.
  • Introducing pre-install hook for Ratify CRs
    • Add pre-install hook to CR templates so that they can skip rendering and only be installed after CRDs are updated.

Documentation

Tests

CLI

  • Verifier Scenarios
    • Notation v2
    • Cosign
      • Keyed
      • Keyless
    • SBOM
    • License Checker
    • JSON Schema Validation
    • All verifier types in one
  • Dynamic OCI Plugins
    • Verifier Plugin
    • Store Plugin
  • OCI 1.0 spec compatibility test

Kubernetes

  • Verifier Scenarios
    • Notation v2
    • Cosign
    • SBOM
    • License Checker
    • JSON Schema Validation
    • All verifier types in one
  • ORAS Store Authentication Providers
    • Docker
    • Kubernetes Secrets
    • Azure Workload Identity
    • Azure Managed Identity
  • Certificate Store Providers
    • Inline Certificate
    • Azure Key Vault Certificate
  • Mutation Provider
  • Dynamic OCI Plugins
    • Verifier Plugin
  • CertificateProvider CRD Status

Bug Fixes

Changelog

  • feat: add pre-install hook to Ratify CRs by @binbin-li in #772
  • chore: Bump github/codeql-action from 2.2.11 to 2.2.12 by @dependabot in #776
  • chore: Bump k8s.io/apimachinery from 0.24.12 to 0.24.13 by @dependabot in #782
  • chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.13.19 to 1.13.20 by @dependabot in #781
  • chore: Bump k8s.io/client-go from 0.24.12 to 0.24.13 by @dependabot in #778
  • chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.20 to 1.18.21 by @dependabot in #780
  • ci: enforce semantic title on PR by @binbin-li in #783
  • docs: update community meeting schedule by @akashsinghal in #785
  • feat: add dependency metrics by @akashsinghal in #774
  • feat: add multi signature report in verifier report for cosign by @akashsinghal in #784
  • docs: add cache doc by @akashsinghal in #786
  • chore: Bump github.com/docker/cli from 23.0.3+incompatible to 23.0.4+incompatible by @dependabot in #793
  • chore: Bump github/codeql-action from 2.2.12 to 2.3.0 by @dependabot in #792
  • chore: Bump github.com/notaryproject/notation-go from 1.0.0-rc.3 to 1.0.0-rc.4 by @dependabot in #794
  • ci: Harden GitHub Actions by @step-security-bot in #797
  • chore: Bump actions/checkout from 3.1.0 to 3.5.2 by @dependabot in #800
  • chore: Bump github/codeql-action from 2.3.0 to 2.3.1 by @dependabot in #801
  • chore: Bump github/codeql-action from 2.3.1 to 2.3.2 by @dependabot in #802
  • chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.21 to 1.18.22 by @dependabot in #807
  • chore: Bump github.com/Azure/go-autorest/autorest from 0.11.28 to 0.11.29 by @dependabot in #806
  • chore: Bump github.com/docker/cli from 23.0.4+incompatible to 23.0.5+incompatible by @dependabot in #808
  • feat: ECR basic auth registry parse and add notation plugin manager by @byronchien in #804
  • chore: Bump github/codeql-action from 2.3.2 to 2.3.3 by @dependabot in #813
  • chore: Bump actions/upload-artifact from 3.1.0 to 3.1.2 by @dependabot in #814
  • chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.22 to 1.18.23 by @dependabot in #816
  • fix: update notation plugin manager directory by @akashsinghal in #815
  • chore: Bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible by @dependabot in #822
  • docs: Update AWS docs to reference notation and IRSA by @byronchien in #824
  • docs: Add new notation-validation sample policy by @byronchien in #823
  • chore: prepare chart for rc4 release by @akashsinghal in #825

New Contributors

Full Changelog: v1.0.0-rc.3...v1.0.0-rc.4