- CVE-2022-23649 - Make sure signature in Rekor bundle matches signature being verified
- refactor release cloudbuild job (#1476)
- increase timeout for goreleaser snapshot (#1473)
- Double goreleaser timeout (#1472)
- Bump webhook timeout. (#1465)
- convert release cosigned to also generate yaml artifact. (#1453)
- feat: add -buildid= to ldflags (#1451)
- update cross-build to use go 1.17.7 (#1446)
- Batuhan Apaydın (@developer-guy)
- Carlos Tadeu Panato Junior (@cpanato)
- Dan Lorenc (@dlorenc)
- Kenny Leung (@k4leung4)
- Matt Moore (@mattmoor)
- Nathan Smith (@nsmith5)
- Priya Wadhwa (@priyawadhwa)
- Zack Newman (@znewman01)
- add check to make sure the go modules are in sync (#1369)
- Update verify-blob to support DSSEs (#1355)
- docs: verify-attestation cue and rego policy doc (#1362)
- README: fix link to race conditions (#1367)
- Bump sigstore/sigstore to pick up oidc login for vault. (#1377)
- Bump google.golang.org/api from 0.65.0 to 0.66.0 (#1371)
- expose dafaults fulcio, rekor, oidc issuer urls (#1368)
- Bump cloud.google.com/go/storage from 1.18.2 to 1.19.0 (#1365)
- organize, update select deps (#1358)
- Bump go-containerregistry to pick up ACR keychain fix (#1357)
- Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (#1352)
- sync go modules (#1353)
- Batuhan Apaydın (@developer-guy)
- Carlos Tadeu Panato Junior (@cpanato)
- Dan Lorenc (@dlorenc)
- Jake Sanders (@dekkagaijin)
- Jason Hall (@imjasonh)
- Mark Lodato (@MarkLodato)
- Rémy Greinhofer (@rgreinho)
- enable sbom generation when releasing (#1261)
- feat: log error to stderr (#1260)
- feat: support attach attestation (#1253)
- feat: resolve --cert from URL (#1245)
- feat: generate/upload sbom for cosign projects (#1237)
- feat: vuln attest support (#1168)
- feat: add ambient credential detection with spiffe/spire (#1220)
- feat: generate/upload sbom for cosign projects (#1236)
- feat: implement cosign download attestation (#1216)
- Don't use k8schain, statically link cloud cred helpers in cosign (#1279)
- Export function to verify individual signature (#1334)
- Add suffix with digest to signature file output for recursive signing (#1267)
- Take OIDC client secret into account (#1310)
- Add --bundle flag to sign-blob and verify-blob (#1306)
- Add flag to verify OIDC issuer in certificate (#1308)
- add OSSF scorecard action (#1318)
- Add TUF timestamp to attestation bundle (#1316)
- Provide certificate flags to all verify commands (#1305)
- Bundle TUF timestamp with signature on signing (#1294)
- Add support for importing PKCShttps://github.com//pull/8 private keys, and add validation (#1300)
- add error message (#1296)
- Move bundle out of
ociand intobundlepackage (#1295) - Reorganize verify-blob code and add a unit test (#1286)
- One-to-one mapping of invocation to scan result (#1268)
- refactor common utilities (#1266)
- Importing RSA and EC keypairs (#1050)
- Refactor the tuf client code. (#1252)
- Moved certificate output before checking for upload during signing (#1255)
- Remove remaining ioutil usage (#1256)
- Update the embedded TUF metadata. (#1251)
- Add support for other public key types for SCT verification, allow override for testing. (#1241)
- Log the proper remote repo for the signatures on verify (#1243)
- Do not require multiple Fulcio certs in the TUF root (#1230)
- clean up references to 'keyless' in
ephemeral.Signer(#1225) - create
DSSEAttestorinterface,payload.DSSEAttestorimplementation (#1221) - use
mutate.Signaturein the newSigners (#1213) - create
mutatefunctions foroci.Signature(#1199) - add a writeable
$HOMEfor thenonrootcosigned user (#1209) - signing attestation should private key (#1200)
- Remove the "upload" flag for "cosign initialize" (#1201)
- create KeylessSigner (#1189)
- fix: cosign verify for vault (#1328)
- fix missing goimports (#1327)
- Fix TestSignBlobBundle (#1320)
- Fix a couple bugs in cert verification for blobs (#1287)
- Fix a few bugs in cosign initialize (#1280)
- Fix the unit tests with expired TUF metadata. (#1270)
- Fix output-file flag. (#1264)
- fix: typo in the error message (#1250)
- Fix semantic bugs in attestation verifification. (#1249)
- Fix semantic bug in DSSE specification. (#1248)
- Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (#1343)
- Bump recommended Go development version in README (#1340)
- Bump the snapshot and timestamp roles metadata from root signing. (#1339)
- Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.10 to 2.0.0-beta.11 (#1336)
- update go-github to v42 release (#1335)
- install latest release for ko instead of head of main branch (#1333)
- remove wrong settings in the gco auth for gh actions (#1332)
- update gcp setup for the GH action (#1330)
- update some dependencies (#1326)
- Verify checksum of downloaded utilities during CI (#1322)
- pin github actions by digest (#1319)
- Bump google.golang.org/api from 0.64.0 to 0.65.0 (#1303)
- Bump cuelang.org/go from 0.4.0 to 0.4.1 (#1302)
- Bump github.com/xanzy/go-gitlab from 0.54.2 to 0.54.3 (#1292)
- update import documentation (#1290)
- update release image to use go 1.17.6 (#1284)
- Bump google.golang.org/api. (#1283)
- Bump opa and go-gitlab. (#1281)
- Update SBOM spec to indicate compat for syft (#1278)
- Bump miekg/pkcs11 (#1275)
- Update signature spec with timestamp annotation (#1274)
- Pick up latest knative.dev/pkg, and k8s 0.22 libs (#1269)
- Bump sigstore/sigstore. (#1247)
- Spelling (#1246)
- Use ${{github.repository}} placeholder in OIDC GitHub workflow (#1244)
- update codeowners list with missing codeowners (#1238)
- update build images for release and bump cosign in the release job (#1234)
- update deps (#1222)
- nit: add comments to
Signerinterface (#1228) - update google.golang.org/api from 0.62.0 to 0.63.0 (#1214)
- update snapshot and timestamp (#1211)
- Bump github.com/spf13/viper from 1.9.0 to 1.10.0 (#1198)
- Bump the DSSE library and handle manual changes in the API. (#1191)
- nit: drop every section title down a level (#1188)
- Andrew Block (@sabre1041)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Bob Callaway (@bobcallaway)
- Carlos Alexandro Becker (@caarlos0)
- Carlos Tadeu Panato Junior (@cpanato)
- Dan Lorenc (@dlorenc)
- Hayden Blauzvern (@haydentherapper)
- Hector Fernandez (@hectorj2f)
- Itxaka (@Itxaka)
- Ivan Wallis (@venafi-iw)
- Jake Sanders (@dekkagaijin)
- Jason Hall (@imjasonh)
- Josh Dolitsky (@jdolitsky)
- Josh Soref (@jsoref)
- Matt Moore (@mattmoor)
- Morten Linderud (@Foxboron)
- Priya Wadhwa (@priyawadhwa)
- Radoslav Gerganov (@rgerganov)
- Rob Best (@ribbybibby)
- Sambhav Kothari (@samj1912)
- Ville Aikas (@vaikas)
- Zack Newman (@znewman01)
A whole buncha bugfixes!
- Files created with
--output-signatureand--output-certificatenow created with 0600 permissions (#1151) - Added
cosign verify-attestation --local-imagefor verifying signed images with attestations from disk (#1174) - Added the ability to fetch the TUF root over HTTP with
cosign initialize --mirror(#1185)
- Fixed saving and loading a signed image index to disk (#1147)
- Fixed
sign-blob --output-certificatewriting an empty file (#1149) - Fixed assorted issues related to the initialization and use of Sigstore's TUF root of trust (#1157)
- Carlos Alexandro Becker (@caarlos0)
- Carlos Panato (@cpanato)
- Hayden Blauzvern (@haydentherapper)
- Jake Sanders (@dekkagaijin)
- Matt Moore (@mattmoor)
- Priya Wadhwa (@priyawadhwa)
- Radoslav Gerganov (@rgerganov)
- BREAKING [COSIGN_EXPERIMENTAL]: This and future
cosignreleases will generate signatures that do not validate in older versions ofcosign. This only applies to "keyless" experimental mode. To opt out of this behavior, use:--fulcio-url=https://fulcio.sigstore.devwhen signing payloads (#1127) - BREAKING [cosign/pkg]:
SignedEntryTimestampis now of type[]byte. To get the previous behavior, callstrfmt.Base64(SignedEntryTimestamp)(#1083) cosign-linux-pivkey-amd64releases are now of the formcosign-linux-pivkey-pkcs11key-amd64(#1052)- Releases are now additionally signed using the keyless workflow (#1073, #1111)
- Validate the whole attestation statement, not just the predicate (#1035)
- Added the options to replace attestations using
cosign attest --replace(#1039) - Added URI to
cosign verify-bloboutput (#1047) - Signatures and certificates created by
cosign signandcosign sign-blobcan be output to file using the--output-signatureand--output-certificateflags, respectively (#1016, #1093, #1066, #1095) - [cosign/pkg] Added the
pkg/oci/layoutpackage for storing signatures and attestations on disk (#1040, #1096) - [cosign/pkg] Added
mutatemethods to attachoci.Files tooci.Signed*objects (#1084) - Added the
--signature-digest-algorithmflag tocosign verify, allowing verification of container image signatures which were generated with a non-SHA256 signature algorithm (#1071) - Builds should now be reproducible (#1053)
- Allows base64 files as
--certincosign verify-blob(#1088) - Kubernetes secrets generated for version >= 1.21 clusters have the immutable bit set (#1091)
- Added
cosign saveandcosign loadcommands to save and upload container images and associated signatures to disk (#1094) cosign signwill no longer fail to sign private images in keyless mode without--force(#1116)cosign verifynow supports signatures stored in files and remote URLs with--signature(#1068)cosign verifynow supports certs stored in files (#1095)- Added support for
syftformat incosign attach sbom(#1137)
- Fixed verification of Rekor bundles for InToto attestations (#1030)
- Fixed a potential memory leak when signing and verifying with security keys (#1113)
- Ashley Davis (@SgtCoDFish)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Brandon Philips (@philips)
- Carlos Alexandro Becker (@caarlos0)
- Carlos Panato (@cpanato)
- Christian Rebischke (@shibumi)
- Dan Lorenc (@dlorenc)
- Erkan Zileli (@erkanzileli)
- Furkan Türkal (@Dentrax)
- garantir-km (@garantir-km)
- Jake Sanders (@dekkagaijin)
- jbpratt (@jbpratt)
- Matt Moore (@mattmoor)
- Mikey Strauss (@houdini91)
- Naveen Srinivasan (@naveensrinivasan)
- Priya Wadhwa (@priyawadhwa)
- Sambhav Kothari (@samj1912)
- BREAKING [cosign/pkg]:
cosign.Verifyhas been removed in favor of explicitcosign.VerifyImageSignaturesandcosign.VerifyImageAttestations(#1026)
- Add ability for verify-blob to find signing cert in transparency log (#991)
- root policy: add optional issuer to maintainer keys (#999)
- PKCS11 signing support (#985)
- Included timeout option for uploading to Rekor (#1001)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Carlos Panato (@cpanato)
- Dan Lorenc (@dlorenc)
- Dennis Leon (@DennisDenuto)
- Erkan Zileli (@erkanzileli)
- Furkan Türkal (@Dentrax)
- garantir-km (@garantir-km)
- Jake Sanders (@dekkagaijin)
- Naveen (@naveensrinivasan)
- BREAKING:
verify-manifestis nowmanifest verify(#712) - BREAKING:
/pkghas been heavily refactored. Further refactoring work will make its way into 1.4.0 - WARNING: The CLI now uses POSIX-style (double-dash
--flag) for long-form flags. It will temporarily accept the single-dash-flagform with a warning, which will become an error in a future release (#835) - Added
sgetas part of Cosign's releases (#752) - The
copaseticutility was unceremoniously baleeted (#785)
- Began reworking
/pkgaround new abstractions for signing, verification, and storage (#666)- Notice: refactoring of
/pkgwill continue in the next minor release (1.4.0). Please leave feedback, especially if you've been experimenting withcosignas a library and found it lacking (#844) - GGCR-style libraries for interacting with images now exist under
pkg/oci(#770) pkg/cosign/remote.UploadSignatureAPI was been removed in favor of newpkg/oci/remoteAPIs (#774)- The function signature of
cosign.Verifywas changed so that callers must be explicit about which signatures (or attestations) to verify. For matching signatures, see alsocosign.Verify{Signatures,Attestations}(#782) - Removed
cremote.UploadFilein favor ofstatic.NewFileandremote.Write(#797)
- Notice: refactoring of
- Innumerable other improvements to the codebase and automation (Makin me look bad, @mattmoor)
- Migrated the CLI to
cobra(Welcome to the team, @n3wscott) - Added the
--allow-insecure-registryflag to disable TLS verification when interacting with insecure (e.g. self-signed) container registries (#669) - 🔒
cosignednow includes a mutating webhook that resolves image tags to digests (#800) - 🔒 The
cosignedvalidating webhook now requires image digest references (#799) - The
cosignedwebhook now ignores resources that are being deleted (#803) - The
cosignedwebhook now supports resolving private images that are authenticated viaimagePullSecrets(#804) manifest verifynow supports verifying images in all Kubernetes objects that fit withinPodSpec,PodSpecTemplate, orJobSpecTemplate, including CRDs (#697)- Added shell auto-completion support (Clutch collab from @erkanzileli, @passcod, and @Dentrax! #836)
cosignhas generated Markdown docs available in thedoc/directory (#839)- Added support for verifying with secrets from a GitLab project (#934)
- Added a
--k8s-keychainoption that enables cosign to support ambient registry credentials based on the "k8schain" library (#972) - CI (test) Images are now created for every architecture distroless ships on (currently: amd64, arm64, arm, s390x, ppc64le) (#973)
attest: replaced--uploadflag with a--no-uploadflag (#979)
cosignednow verifiesCronJobimages (Terve, @vaikas #809)- Fixed the
verify--cert-emailoption to actually work (Sweet as, @passcod #821) public-key -skno longer causeserror: x509: unsupported public key type: *crypto.PublicKey(#864)- Fixed interactive terminal support in Windows (#871)
- The
-ctflag is no longer ignored inupload blob(#910)
- Aditya Sirish (@adityasaky)
- Asra Ali (@asraa)
- Axel Simon (@axelsimon)
- Batuhan Apaydın (@developer-guy)
- Brandon Mitchell (@sudo-bmitch)
- Carlos Panato (@cpanato)
- Chao Lin (@blackcat-lin)
- Dan Lorenc (@dlorenc)
- Dan Luhring (@luhring)
- Eng Zer Jun (@Juneezee)
- Erkan Zileli (@erkanzileli)
- Félix Saparelli (@passcod)
- Furkan Türkal (@Dentrax)
- Hector Fernandez (@hectorj2f)
- Ivan Font (@font)
- Jake Sanders (@dekkagaijin)
- Jason Hall (@imjasonh)
- Jim Bugwadia (@JimBugwadia)
- Joel Kamp (@mrjoelkamp)
- Luke Hinds (@lukehinds)
- Matt Moore (@mattmoor)
- Naveen (@naveensrinivasan)
- Olivier Gaumond (@oliviergaumond)
- Priya Wadhwa (@priyawadhwa)
- Radoslav Gerganov (@rgerganov)
- Ramkumar Chinchani (@rchincha)
- Rémy Greinhofer (@rgreinho)
- Scott Nichols (@n3wscott)
- Shubham Palriwala (@ShubhamPalriwala)
- Viacheslav Vasilyev (@avoidik)
- Ville Aikas (@vaikas)
- BREAKING: move
verify-dockerfiletodockerfile verify(#662) - Have the keyless
cosign signflow use a single 3LO. (#665) - Allow to
verify-blobfrom urls (#646) - Support GCP environments without workload identity (GCB). (#652)
- Switch the release cosign container to debug. (#649)
- Add logic to detect and use ambient OIDC from exec envs. (#644)
- Add
-cert-emailflag to provide the email expected from a fulcio cert to be valid (#622) - Add support for downloading signature from remote (#629)
- Add sbom and attestations to triangulate (#628)
- Add cosign attachment signing and verification (#615)
- Embed CT log public key (#607)
- Verify SCTs returned by fulcio (#600)
- Add extra replacement variables and GCP's role identifier (#597)
- Store attestations in the layer (payload) rather than the annotation. (#579)
- Improve documentation about predicate type and change predicate type from provenance to slsaprovenance (#583)
- Upgrade in-toto-golang to adapt SLSA Provenance (#582)
- Fix verify-dockerfile to allow lowercase FROM (#643)
- Fix signing for the cosigned image. (#634)
- Make sure generate-key-pair doesn't overwrite existing key-pair (#623)
- helm/ci: update helm repo before installing the dependency (#598)
- Set the correct predicate type/URI for each supported predicate type. (#592)
- Warnings on admissionregistration version (#581)
- Remove unnecessary COSIGN_PASSWORD (#572)
- Batuhan Apaydın
- Ben Walding
- Carlos Alexandro Becker
- Carlos Tadeu Panato Junior
- Erkan Zileli
- Hector Fernandez
- Jake Sanders
- Jason Hall
- Matt Moore
- Michael Lieberman
- Naveen Srinivasan
- Pradeep Chhetri
- Sambhav Kothari
- dlorenc
- priyawadhwa
- BREAKING: The
-attestationflag has been renamed to-predicateinattest(#500) - Added
verify-manifestcommand (#490) - Added the ability to specify and validate well-known attestation types in
attestwith the-typeflag (#504) - Added
cosign initcommand to setup the trusted local repository of SigStore's TUF root metadata (#520) - Added timestamps to Cosign's custom In-Toto predicate (#533)
verifynow always verifies that the image exists (even when referenced by digest) before verification (#543)
verify-dockerfileno longer fails onFROM scratch(#509)- Fixed reading from STDIN with
attach sbom(#517) - Fixed broken documentation and implementation of
-outputforverifyandverify-attestation(#546) - Fixed nil pointer error when calling
upload blobwithout specifying-f(#563)
- Adolfo García Veytia (@puerco)
- Anton Semjonov (@ansemjo)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Carlos Panato (@cpanato)
- Dan Lorenc (@dlorenc)
- @gkovan
- Hector Fernandez (@hectorj2f)
- Jake Sanders (@dekkagaijin)
- Jim Bugwadia (@JimBugwadia)
- Jose Donizetti (@josedonizetti)
- Joshua Hansen (@joshes)
- Jason Hall (@imjasonh)
- Priya Wadhwa (@priyawadhwa)
- Russell Brown (@rjbrown57)
- Stephan Renatus (@srenatus)
- Li Yi (@denverdino)
- BREAKING: The default HSM key slot is now "signature" instead of "authentication" (#450)
- BREAKING:
--fulcio-serveris now--fulcio-url(#471) - Added
-certflag tosignto allow the explicit addition of a signature certificate (#451) - Added the
attestcommand (#458) - Added numerous flags for specifying parameters when interacting with Rekor and Fulcio (#462)
cosignwill now send its version string as part of theuser-agentwhen interacting with a container registry (#479)- Files containing certificates for custom Fulcio endpoints can now be specified via the
COSIGN_ROOTenvironment variable (#477)
- Fixed a situation where lower-case
aswould breakverify-dockerfile(Complements to @Dentrax #433)
- Appu Goundan (@loosebazooka)
- Batuhan Apaydın (@developer-guy)
- Carlos Panato (@cpanato)
- Dan Lorenc (@dlorenc)
- Furkan Türkal (@Dentrax)
- Hector Fernandez (@hectorj2f)
- Jake Sanders (@dekkagaijin)
- James Alseth (@jalseth)
- Jason Hall (@imjasonh)
- João Pereira (@joaodrp)
- Luke Hinds (@lukehinds)
- Tom Hennen (@TomHennen)
- BREAKING: Moved
cosign upload-blobtocosign upload blob(#378) - BREAKING: Moved
cosign uploadtocosign attach signature(#378) - BREAKING: Moved
cosign downloadtocosign download signature(#392) - Added flags to specify slot, PIN, and touch policies for security keys (Thank you @ddz #369)
- Added
cosign verify-dockerfilecommand (#395) - Added SBOM support in
cosign attachandcosign download sbom(#387) - Sign & verify images using Kubernetes secrets (A muchas muchas gracias to @developer-guy and @Dentrax #398)
- Added support for AWS KMS (谢谢, @codysoyland #426)
- Numerous enhancements to our build & release process, courtesy @cpanato
- Verify entry timestamp signatures of fetched Tlog entries (#371)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Carlos Panato (@cpanato)
- Cody Soyland (@codysoyland)
- Dan Lorenc (@dlorenc)
- Dino A. Dai Zovi (@ddz)
- Furkan Türkal (@Dentrax)
- Jake Sanders (@dekkagaijin)
- Jason Hall (@imjasonh)
- Paris Zoumpouloglou (@zuBux)
- Priya Wadhwa (@priyawadhwa)
- Rémy Greinhofer (@rgreinho)
- Russell Brown (@rjbrown57)
- Added
cosign copyto easily move images and signatures between repositories (#317) - Added
-rflag tocosign signfor recursively signing multi-arch images (#320) - Added
cosign cleanto delete signatures for an image (Thanks, @developer-guy! #324) - Added
-k8sflag tocosign generate-key-pairto create a Kubernetes secret (Hell yeah, @priyawadhwa! #345)
- Fixed an issue with misdirected image signatures when
COSIGN_REPOSITORYwas used (#323)
- Balazs Zachar (@Cajga)
- Batuhan Apaydın (@developer-guy)
- Dan Lorenc (@dlorenc)
- Furkan Turkal (@Dentrax)
- Jake Sanders (@dekkagaijin)
- Jon Johnson (@jonjohnsonjr)
- Priya Wadhwa (@priyawadhwa)
- Signatures created with
cosignbefore v0.4.0 are not compatible with those created after
- 🎉 Added support for "offline" verification of Rekor signatures 🎉 (ありがとう, priyawadhwa! #285)
- Support for Hashicorp vault as a KMS provider has been added (Danke, RichiCoder1! sigstore/sigstore #44, sigstore/sigstore #49)
- GCP KMS URIs now include the key version (#45)
- Christian Pearce (@pearcec)
- Dan Lorenc (@dlorenc)
- Jake Sanders (@dekkagaijin)
- Priya Wadhwa (@priyawadhwa)
- Richard Simpson (@RichiCoder1)
- Ross Timson (@rosstimson)
- Fixed CI container image breakage introduced in v0.3.0
- Fixed lack of version information in release binaries
This is the third release of cosign!
We still expect many flags, commands, and formats to change going forward, but we're getting closer. No backwards compatibility is promised or implied yet, though we are hoping to formalize this policy in the next release. See #254 for more info.
- The
-output-fileflag supports writing output to a specific file - The
-keyflag now supportskmsreferences and URLs, thekmsspecific flag has been removed - Yubikey/PIV hardware support is now included!
- Support for signing and verifying multiple images in one invocation
- Bug fixes in KMS keypair generation
- Bug fixes in key type parsing
- Dan Lorenc
- Priya Wadhwa
- Ivan Font
- Dependabot!
- Mark Bestavros
- Jake Sanders
- Carlos Tadeu Panato Junior
This is the second release of cosign!
We still expect many flags, commands, and formats to change going forward, but we're getting closer. No backwards compatibility is promised or implied.
- The password for private keys can now be passed via the
COSIGN_PASSWORD - KMS keys can now be used to sign and verify blobs
- The
versioncommand can now be used to return the release version - The
public-keycommand can now be used to extract the public key from KMS or a private key - The
COSIGN_REPOSITORYenvironment variable can be used to store signatures in an alternate location - Tons of new EXAMPLES in our help text
- Improved error messages for command line flag verification
- TONS more unit and integration testing
- Too many others to count :)
We would love to thank the contributors:
- Dan Lorenc
- Priya Wadhwa
- Ahmet Alp Balkan
- Naveen Srinivasan
- Chris Norman
- Jon Johnson
- Kim Lewandowski
- Luke Hinds
- Bob Callaway
- Dan POP
- eminks
- Mark Bestavros
- Jake Sanders
This is the first release of cosign!
The main goal of this release is to release something we can start using to sign other releases of sigstore projects, including cosign itself.
We expect many flags, commands, and formats to change going forward. No backwards compatibility is promised or implied.
This release added a feature to cosign called cosign.
The cosign feature can be used to sign container images and blobs.
Detailed documentation can be found in the README and the Detailed Usage.
There was no way to sign container images. Now there is!
We would love to thank the contributors:
- dlorenc
- priyawadhwa
- Ahmet Alp Balkan
- Ivan Font
- Jason Hall
- Chris Norman
- Jon Johnson
- Kim Lewandowski
- Luke Hinds
- Bob Callaway