
Releases: sigstore/cosign

v2.0.1

06 Apr 19:56
8faaee4

Installation

go install github.com/sigstore/cosign/v2/cmd/cosign@v2.0.1

Enhancements

  • Add environment variable token provider (#2864)
  • Remove cosign policy command (#2846)
  • Allow customising 'go' executable with GOEXE var (#2841)
  • Consistent tlog warnings during verification (#2840)
  • Add riscv64 arch (#2821)
  • Default generated PEM labels to SIGSTORE (#2735)
  • Update privacy statement and confirmation (#2797)
  • Add exit codes for verify errors (#2766)
  • Add Buildkite provider (#2779)
  • verify-blob-attestation: Loosen arg requirements if --check-claims=false (#2746)

Bug Fixes

  • PKCS11 sessions are now opened read only (#2853)
  • Makefile: date format of log should not show signatures (#2835)
  • Add missing flags to cosign verify dockerfile/manifest (#2830)
  • Add a warning to remember how to configure a custom Gitlab host (#2816)
  • Remove tag warning message from save/copy commands (#2799)
  • Mark keyless pem files with b64 (#2671)

Contributors

  • Aleksandr Razumov
  • Batuhan Apaydın
  • Billy Lynch
  • Carlos Tadeu Panato Junior
  • Chris Burns
  • Derek Burdick
  • Dmitry Savintsev
  • favonia
  • Hayden B
  • Hector Fernandez
  • Ivana Atanasova
  • joe miller
  • Luiz Carvalho
  • Paolo Mainardi
  • priyawadhwa
  • Radoslav Dimitrov
  • Steve Winslow
  • Vincent Batts
  • Zack Newman

Full Changelog: v2.0.0...v2.0.1

v2.0.0

24 Feb 17:42
d6b9001

Cosign v2.0.0 is out!

There are many improvements and breaking changes from Cosign 1.x. For the full list, see the Sigstore blog and the cosign CHANGELOG.

Installation

go install github.com/sigstore/cosign/v2/cmd/cosign@v2.0.0

Thanks to all contributors!

  • Anish Shah
  • Arnaud J Le Hors
  • Arthur Lutz
  • Batuhan Apaydın
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Chris Burns
  • Christian Loos
  • Emmanuel T Odeke
  • Hayden B
  • Hector Fernandez
  • Huang Huang
  • Jan Wozniak
  • Josh Dolitsky
  • Josh Wolf
  • Kenny Leung
  • Marko Mudrinić
  • Matt Moore
  • Matthias Glastra
  • Miloslav Trmač
  • Mukuls77
  • Priya Wadhwa
  • Puerco
  • Stefan Zhelyazkov
  • Tim Seagren
  • Tom Meadows
  • Ville Aikas
  • Zack Newman
  • asraa
  • kpk47
  • priyawadhwa

v2.0.0-rc.3

16 Feb 19:57
5d2964c
Pre-release

Note: this is a prerelease for Cosign 2.0! Feel free to try it out, but know there are many breaking changes from 1.0 and the prereleases may continue to change.

Installation

go install github.com/sigstore/cosign/v2/cmd/cosign@v2.0.0-rc.3

Enhancements

  • Support non-Sigstore TSA requests (#2708)
  • Add COSIGN_OCI_EXPERIMENTAL, push .sig/.sbom using OCI 1.1+ digest tag (#2684)
  • Output certificate in bundle when entry is not uploaded to Rekor (#2715)
  • attach signature and attach sbom must use STDIN to upload raw string (#2637)

Bug Fixes

  • Fix: Add missing schemes to cosign predicate types. (#2717)
  • Fix: Drop the CosignPredicate wrapper around SBOM attestations. (#2718)

Documentation

  • Adds deprecation note for keyless docs (#2716)

v2.0.0-rc.2

10 Feb 10:24
f708d39
Pre-release

Note: this is a prerelease for Cosign 2.0! Feel free to try it out, but know there are many breaking changes from 1.0 and the prereleases may continue to change.

Enhancements

  • add generate-key-pair GitHub Enterprise server support (#2676)
  • add in format string for warning (#2699)
  • Support for fetching Fulcio certs with self-managed key (#2532)
  • 2476 predicate type download (#2484)
  • Upgrade to go1.20 (#2689)

Bug Fixes

  • Fix prompts with Windows line endings (#2674)

Documentation

  • docs(README): verify example failing on latest (#2694)

Contributors

  • Anish Shah
  • Arthur Lutz
  • Carlos Tadeu Panato Junior
  • Christian Loos
  • Tim Seagren
  • Zack Newman
  • priyawadhwa

Full Changelog: v2.0.0-rc.1...v2.0.0-rc.2

v2.0.0-rc.1

27 Jan 04:43
03468a1
Pre-release

Note: this is a prerelease for Cosign 2.0! Feel free to try it out, but know there are many breaking changes from 1.0 and the prereleases may continue to change.

Critical breaking changes include:

  • Certificate issuer and subject are now required on cosign verify

Installation

go install github.com/sigstore/cosign/v2/cmd/cosign@v2.0.0-rc.1

Breaking Changes

  • insecure-skip-tlog-verify: rename and adapt the cert expiration check (#2620)
  • Deprecate --certificate-email flag. Make --certificate-identity and -… (#2411)

Enhancements

  • Add warning to use digest instead of tags to other cosign commands (#2650)
  • Fix up UI messages (#2629)
  • Remove hardcoded Fulcio from output (#2621)
  • Fix missing privacy statement, print in multiple locations (#2622)
  • feat: allows custom key names for import-key-pair (#2587)
  • feat: support keyless verification for verify-blob-attestation (#2525)
  • attest-blob: add functionality for keyless signing (#2515)
  • Rego: add support for custom error/warning messages when evaluating rego rules (#2577)
  • feat: add debug information to cert validation error (#2579)

Bug Fixes

  • fix: panic with unsigned local image (#2656)
  • Make sure a cert passed in via --cert matches the bundle cert (#2652)
  • fix: fix github oidc post submit test (#2594)
  • fix: add enhanced error messages for failing verification with TUF targets (#2589)

Contributors

  • Carlos Tadeu Panato Junior
  • Chris Burns
  • Hayden B
  • Hector Fernandez
  • Huang Huang
  • Kenny Leung
  • Priya Wadhwa
  • Stefan Zhelyazkov
  • Ville Aikas
  • Zack Newman
  • asraa
  • dependabot[bot]
  • kpk47
  • priyawadhwa

v2.0.0-rc.0

16 Dec 23:56
a827922
Pre-release

Note: this is a prerelease for Cosign 2.0! Feel free to try it out, but know there are many breaking changes from 1.0 and the prereleases may continue to change.

Installation

go install github.com/sigstore/cosign/v2/cmd/cosign@v2.0.0-rc.0

Enhancements

  • Change go module name to github.com/sigstore/cosign/v2 for Cosign 2.0 (#2544)
  • Allow users to pass in a path for the --identity-token flag (#2538)
  • Breaking change: Respect tlog-upload=false, default to true (#2505)
  • Support outputting a certificate without uploading to the tlog (#2506)
  • Attestation/Blob signing and verification using a RFC3161 time-stamping server (#2464)
  • respect tlog-upload flag with TSA (#2474)
  • Better feedback if specifying incompatible argument on cosign sign --attachment (#2449)
  • Support TSA and Rekor verifications (#2463)
  • add support for tsa signing and verification of images (#2460)
  • cosign policy sign: remove experimental flag and make keyless signing default (#2459)
  • Remove experimental mode from cosign attest and verify-attestation (#2458)
  • Remove experimental mode from sign-blob and verify-blob (#2457)
  • Add --offline flag to force offline verification (#2427)
  • Air gap support (#2299)
  • Breaking change: Change SCT verification behavior to default to enforcement (#2400)
  • Breaking change: remove --force flag from sign and attest and rely on --yes flag to skip confirmation (#2399)
  • Breaking change: replace --no-tlog-upload flag with --tlog-upload flag (#2397)
  • Remove experimental flag from cosign sign and cosign verify (#2387)
  • verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a key from rekor's API (#2362)

Bug Fixes

  • Fix the file existence check. (#2552)
  • Fix timestamp verification, add verify-blob tests (#2527)
  • fix(verify): Consolidate certificate expiry logic (#2504)
  • Updates to Timestamp signing and verification (#2499)
  • fix: removes attestation payload from attest-blob's output & no base64 encoding (#2498)
  • Fix path for e2e-tests badge (#2490)
  • Fix spdx json media type (#2479)
  • fix sct verification (#2426)

Others

  • update builder image that uses go 1.19.4 (#2520)

Contributors

  • Anish Shah
  • Arnaud J Le Hors
  • Batuhan Apaydın
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Emmanuel T Odeke
  • Hayden B
  • Hector Fernandez
  • Jan Wozniak
  • Matthias Glastra
  • Miloslav Trmač
  • Puerco
  • Tom Meadows
  • Ville Aikas
  • Zack Newman
  • asraa
  • priyawadhwa

v1.13.1

17 Oct 19:47
d1c6336

Full Changelog: v1.13.0...v1.13.1

v1.13.0

07 Oct 16:29
6b9820a

Highlights

  • Users who have deployed a private instance of Fulcio release v0.6.x and issue certificates with the Username identity will need to upgrade to this version.

Full Changelog: v1.12.1...v1.13.0

v1.12.1

21 Sep 13:39
0baa044

Highlights

fix: Pull the Fulcio root and intermediate certificates when --certificate-chain is not passed to the verify-blob command. The v1.12.0 release introduced a regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would check a --certificate (with no --certificate-chain provided) against the operating system's root CA bundle rather than Fulcio's. In this release, Cosign checks the certificate against Fulcio's CA root instead, restoring the earlier behavior.

Full Changelog: v1.12.0...v1.12.1

v1.12.0

14 Sep 16:13
8483d6c

Note: This release comes with a fix for CVE-2022-36056, described in the associated GitHub Security Advisory. Please upgrade to this release as soon as possible.

Highlights

BREAKING: The fix for GHSA-8gw7-4j42-w388 (CVE-2022-36056) means that some verify-blob commands that used to succeed may no longer do so. In particular:

  • When using verify-blob with signatures created with keyless mode, we require either COSIGN_EXPERIMENTAL=1 or a valid Rekor bundle for offline verification passed with --bundle.

If you upgrade and encounter other issues, please read the advisory in full: your prior checks may have been passing when they should not have.

Full Changelog: v1.11.1...v1.12.0