v1.5.2 - CVE-2022-23649

This release contains fixes for CVE-2022-23649, affecting signature validations with Rekor. Only validation is affected, it is not necessary to re-sign any artifacts.
See: GHSA-ccxc-vr6p-4858

Changelog

• 8ffcd12 Cherry-pick release notes for 1.5.1 and 1.5.2 (#1487)
• c09e04a Cherry pick vulnerability PRs to release-1.5 (#1486)
• 52164f2 cherry picks to release-1.5 branch (#1482)

Thanks for all contributors!

v1.5.1

Changelog

• c3e4d8b Bump sigstore/sigstore to pick up oidc login for vault. (#1377)
• 8b77279 Bump google.golang.org/api from 0.65.0 to 0.66.0 (#1371)
• d2781b8 expose dafaults fulcio, rekor, oidc issuer urls (#1368)
• 4921aa7 add check to make sure the go modules are in sync (#1369)
• 6575648 README: fix link to race conditions (#1367)
• e3024f4 Bump cloud.google.com/go/storage from 1.18.2 to 1.19.0 (#1365)
• e1e0153 docs: verify-attestation cue and rego policy doc (#1362)
• 21e6b80 Update verify-blob to support DSSEs (#1355)
• 79012c3 organize, update select deps (#1358)
• cd49449 Bump go-containerregistry to pick up ACR keychain fix (#1357)
• 239d4c4 Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (#1352)
• 44de8d1 sync go modules (#1353)

Thanks to all contributors!

Full Changelog: v1.5.0...v1.5.1

v1.5.0

Changelog

• 7572520 add ascii art when using the version command (#1349)
• 4c23b55 update cross builder image - the image is now signed using keyless method (#1348)
• 03a2778 Add vaikas to CODEOWNERS (#1347)
• f186ee3 add changelog for v1.5.0 (#1345)
• 9acdf64 Cache the location of the remote repository when running cosign initialize (#1315)
• e534409 Fix minor typo (a missing verb) in README (#1346)
• 22007e5 Don't use k8schain, statically link cloud cred helpers in cosign (#1279)
• a50bc9d Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (#1343)
• 1a92b50 Bump recommended Go development version in README (#1340)
• 1560c64 Bump the snapshot and timestamp roles metadata from root signing. (#1339)
• bca7ba6 Export function to verify individual signature (#1334)
• b0e81eb Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.10 to 2.0.0-beta.11 (#1336)
• a7838c5 update go-github to v42 release (#1335)
• b0848d1 install latest release for ko instead of head of main branch (#1333)
• 2f8c22e remove wrong settings in the gco auth for gh actions (#1332)
• fbf8dcb update gcp setup for the GH action (#1330)
• 888b392 fix: cosign verify for vault (#1328)
• e64cc10 update some dependencies (#1326)
• 461b032 fix missing goimports (#1327)
• 78ee720 Add suffix with digest to signature file output for recursive signing (#1267)
• 0532601 Take OIDC client secret into account (#1310)
• 475c99d Verify checksum of downloaded utilities during CI (#1322)
• 97509b9 pin github actions by digest (#1319)
• 4592c23 Fix TestSignBlobBundle (#1320)
• bad18e5 Add --bundle flag to sign-blob and verify-blob (#1306)
• 079e28d Add flag to verify OIDC issuer in certificate (#1308)
• 2c96cf3 Bump google.golang.org/api from 0.64.0 to 0.65.0 (#1303)
• 24914ac add OSSF scorecard action (#1318)
• 244c07a Add TUF timestamp to attestation bundle (#1316)
• 46cf94b Provide certificate flags to all verify commands (#1305)
• d58fc63 Bundle TUF timestamp with signature on signing (#1294)
• c49ba0b Bump cuelang.org/go from 0.4.0 to 0.4.1 (#1302)
• 754d33e Add support for importing PKCS#8 private keys, and add validation (#1300)
• aa0b8c1 add error message (#1296)
• a7bd67c Move bundle out of oci and into bundle package (#1295)
• 9368996 Bump github.com/xanzy/go-gitlab from 0.54.2 to 0.54.3 (#1292)
• ef380f0 update import documentation (#1290)
• e671216 Fix a couple bugs in cert verification for blobs (#1287)
• 76e691b Fix a few bugs in cosign initialize (#1280)
• b9d0d4a Reorganize verify-blob code and add a unit test (#1286)
• 419be8a update release image to use go 1.17.6 (#1284)
• 809b091 Bump google.golang.org/api. (#1283)
• 4376cca Bump opa and go-gitlab. (#1281)
• b6aaddc Update SBOM spec to indicate compat for syft (#1278)
• f19f4f7 Update signature spec with timestamp annotation (#1274)
• 7f54a8f Bump miekg/pkcs11 (#1275)
• 36cc106 Pick up latest knative.dev/pkg, and k8s 0.22 libs (#1269)
• 6af964c Fix the unit tests with expired TUF metadata. (#1270)
• 242f586 One-to-one mapping of invocation to scan result (#1268)
• 1a7f9d6 refactor common utilities (#1266)
• d89eb8e Fix output-file flag. (#1264)
• 9a27e1f Importing RSA and EC keypairs (#1050)
• 8194edd enable sbom generation when releasing (#1261)
• 0a4a68a feat: log error to stderr (#1260)
• 591601c feat: support attach attestation (#1253)
• 2e99320 Refactor the tuf client code. (#1252)
• dfc0347 Moved certificate output before checking for upload during signing (#1255)
• c09d682 Remove remaining ioutil usage (#1256)
• 894a3bc Update the embedded TUF metadata. (#1251)
• 645c259 Bump sigstore/sigstore. (#1247)
• 4ecb43d fix: typo in the error message (#1250)
• 1df7fe4 Fix semantic bugs in attestation verifification. (#1249)
• f32c1d7 Fix semantic bug in DSSE specification. (#1248)
• 4e4bbf6 Spelling (#1246)
• 7e5abbf feat: resolve --cert from URL (#1245)
• c360535 Add support for other public key types for SCT verification, allow override for testing. (#1241)
• 6f41b4b Log the proper remote repo for the signatures on verify (#1243)
• 24d43bd feat: generate/upload sbom for cosign projects (#1237)
• b3bd158 Use ${{github.repository}} placeholder in OIDC GitHub workflow (#1244)
• 47d936c update codeowners list with miissing codeowners (#1238)
• 3dd690e feat: vuln attest support (#1168)
• 6a4afef feat: add ambient credential detection with spiffe/spire (#1220)
• 1104dfd feat: generate/upload sbom for cosign projects (#1236)
• 0c25819 update build images for release and bump cosign in the release job (#1234)
• ac8a7e9 feat: implement cosign download attestation (#1216)
• d318979 Do not require multiple Fulcio certs in the TUF root (#1230)
• 9da74c9 update deps (#1222)
• b2d6393 nit: add comments to Signer interface (#1228)
• f2e034d clean up references to 'keyless' in ephemeral.Signer (#1225)
• acf5900 create DSSEAttestor interface, payload.DSSEAttestor implementation (#1221)
• ca4544c update google.golang.org/api from 0.62.0 to 0.63.0 (#1214)
• 1feacab use mutate.Signature in the new Signers (#1213)
• 28b03f7 create mutate functions for oci.Signature (#1199)
• 500cd40 update snapshot and timestamp (#1211)
• cbdc1b3 add a writeable $HOME for the nonroot cosigned user (#1209)
• 4d4c830 signing attestation should private key (#1200)
• 6e397c2 Remove the "upload" flag for "cosign initialize" (#1201)
• 008f860 create KeylessSigner (#1189)
• 2ad95b3 Bump github.com/spf13/viper from 1.9.0 to 1.10.0 (#1198)
• 3dac54a Bump the DSSE library and handle manual changes in the API. (#1191)
• cfd981e nit: drop every section title down a level (#1188)

Thanks for all contributors!

v1.4.1

A whole buncha bugfixes!

Enhancements

• Files created with --output-signature and --output-certificate now created with 0600 permissions (#1151)
• Added cosign verify-attestation --local-image for verifying signed images with attestations from disk (#1174)
• Added the ability to fetch the TUF root over HTTP with cosign initialize --mirror (#1185)

Bug Fixes

• Fixed saving and loading a signed image index to disk (#1147)
• Fixed sign-blob --output-certificate writing an empty file (#1149)
• Fixed assorted issues related to the initialization and use of Sigstore's TUF root of trust (#1157)

Contributors

• Carlos Alexandro Becker (@caarlos0)
• Carlos Panato (@cpanato)
• Hayden Blauzvern (@haydentherapper)
• Jake Sanders (@dekkagaijin)
• Matt Moore (@mattmoor)
• Priya Wadhwa (@priyawadhwa)
• Radoslav Gerganov (@rgerganov)

Changelog

• 934567a add 1.4.1 relnotes (#1186)
• fe3a030 Allow fetching TUF root from HTTP (#1185)
• d8e1795 update golang cross image to use go1.17.5 (#1184)
• 2e9d3d8 add e2e tests for Windows + PowerShell (#1177)
• 4c473e5 add tests for cosign initialize (#1182)
• b113e30 update go-tuf and use the newly exposed Close() (#1181)
• 5a5914f Add option to verify attestations from local image (#1174)
• d0d91ab add test for interactive private key password prompt (#1176)
• e5056ed enable e2e-test coverage for Win & OSX (#1166)
• dc744ea use a different repo for each e2e test against the registry (#1175)
• 4652b36 re-enable windows in e2e-with-binary, fix issues (#1172)
• 75e3d62 Bump GGCR to latest. (#1169)
• 287bb27 disable broken Windows e2e-with-binary (#1167)
• 8644a7a use sync.Once to init the global tuf root (#1163)
• 10b7f9d Add option to verify local image (#1159)
• bd8b7d5 bump k8s versions used for kind-e2e-cosigned (#1164)
• 1510379 Add make target for doc generation (#1162)
• 79a843b expand CI testing to Windows and OSX, fix issues uncovered (#1158)
• 9394f85 Pull in the new Fulcio client code. (#1126)
• dd53292 return error when rekor pub cannot be retrieved, fix file path construction (#1157)
• a684c45 add job to run some e2e tests to sing a artifcat and check the outputs (#1154)
• 96c02ba fix: improve perms, error handling (#1151)
• ab632c8 update crane (#1150)
• b454d08 cosigned: add version to cosigned (#1139)
• 26c99d8 fix: --output-certificate not working properly (#1149)
• 430080f Fix bug when saving and loading an image index (#1147)
• 39e6540 sign-blob --output -> --output-signature (#1148)

Thanks for all contributors!

v1.4.0

Highlights

• BREAKING [COSIGN_EXPERIMENTAL]: This and future cosign releases will generate signatures that do not validate in older versions of cosign. This only applies to "keyless" experimental mode. To opt out of this behavior, use: --fulcio-url=https://fulcio.sigstore.dev when signing payloads (#1127)
• BREAKING [cosign/pkg]: SignedEntryTimestamp is now of type []byte. To get the previous behavior, call strfmt.Base64(SignedEntryTimestamp) (#1083)
• cosign-linux-pivkey-amd64 releases are now of the form cosign-linux-pivkey-pkcs11key-amd64 (#1052)
• Releases are now additionally signed using the keyless workflow (#1073, #1111)

Enhancements

• Validate the whole attestation statement, not just the predicate (#1035)
• Added the options to replace attestations using cosign attest --replace (#1039)
• Added URI to cosign verify-blob output (#1047)
• Signatures and certificates created by cosign sign and cosign sign-blob can be output to file using the --output-signature and --output-certificate flags, respectively (#1016, #1093, #1066, #1095)
• [cosign/pkg] Added the pkg/oci/layout package for storing signatures and attestations on disk (#1040, #1096)
• [cosign/pkg] Added mutate methods to attach oci.Files to oci.Signed* objects (#1084)
• Added the --signature-digest-algorithm flag to cosign verify, allowing verification of container image signatures which were generated with a non-SHA256 signature algorithm (#1071)
• Builds should now be reproducible (#1053)
• Allows base64 files as --cert in cosign verify-blob (#1088)
• Kubernetes secrets generated for version >= 1.21 clusters have the immutible bit set (#1091)
• Added cosign save and cosign load commands to save and upload container images and associated signatures to disk (#1094)
• cosign sign will no longer fail to sign private images in keyless mode without --force (#1116)
• cosign verify now supports signatures stored in files and remote URLs with --signature (#1068)
• cosign verify now supports certs stored in files (#1095)
• Added support for syft format in cosign attach sbom (#1137)

Bug Fixes

• Fixed verification of Rekor bundles for InToto attestations (#1030)
• Fixed a potential memory leak when signing and verifying with security keys (#1113)

Contributors

• Ashley Davis (@SgtCoDFish)
• Asra Ali (@asraa)
• Batuhan Apaydın (@developer-guy)
• Brandon Philips (@philips)
• Carlos Alexandro Becker (@caarlos0)
• Carlos Panato (@cpanato)
• Christian Rebischke (@shibumi)
• Dan Lorenc (@dlorenc)
• Erkan Zileli (@erkanzileli)
• Furkan Türkal (@Dentrax)
• garantir-km (@garantir-km)
• Jake Sanders (@dekkagaijin)
• jbpratt (@jbpratt)
• Matt Moore (@mattmoor)
• Mikey Strauss (@houdini91)
• Naveen Srinivasan (@naveensrinivasan)
• Priya Wadhwa (@priyawadhwa)
• Sambhav Kothari (@samj1912)

Changelog

• 50315fc remove obsolete --output flag (#1146)
• a1efb18 add relnotes for v1.4.0 (#1145)
• a47a835 feat: enable --check flag of addlicense (#1135)
• e48db5a Add support for syft json type to cosign (#1137)
• 7de7387 Use --recursive flag in sign example (#1143)
• 6d8cec1 Fixed a typo in README.md (#1142)
• 63e9342 cjson - Move to go-securesystemslib (#1141)
• e233ce8 update ghcr.io/gythialy/golang-cross to use go 1.17.4 (#1133)
• a05dc7b Bump deps (#1132)
• 7e5ff00 send User-Agent string w/ rekor, fulcio, and ggcr HTTP requests (#1131)
• dbb2a17 Switch (temporarily) the fulcio endpoint to our new v1 service. (#1127)
• 9076d71 feat: sign --output-certificate and verify --cert (#1095)
• 034e946 Update output to note when signatures are pushed (#1117)
• 54fb569 feat: support signature file in verify cmd (#1068)
• ec00f69 Make the transparency log upload non-fatal. (#1116)
• 1da6742 have rekor.NewSigner accept a *client.Rekor instead of a URL (#1115)
• ac7e33c call Close() on security keys before returning error (#1113)
• 2294fd4 Add Fulcio v1 root to the cosign (#1112)
• 304c2b2 continued sign refacc (#1098)
• a035b27 add keyless to the binaries and send to tlog and update release docs (#1111)
• 9555f33 use hashed rekord type for tlog upload (#1081)
• 6fc942b plumb context through to tlog requests (#1103)
• fcc8256 minor: supply ShouldUploadToTlog with context (#1104)
• 690853e Bump non-k8s deps (#1102)
• 040ed3d feat(ci): Add Gofish support (#996)
• 79f0247 Bump go-containerregistry to pickup the update to image-spec (#1092)
• 2dc6e4f Add support for storing attestations in oci/layout (#1096)
• 98cf544 Update slsa-provenance predicate to v0.2 (#1054)
• 7ec91a4 Add cosign save and cosign load commands (#1094)
• e1141af refactoring signature logic (#1065)
• 4274149 fix: alias output to output-signature on sign-blob (#1093)
• 86bf37f feat(k8s): set secret immutable by default for 1.21 (#1091)
• 2cc9c9a Bump client-go and viper. (#1089)
• aff2e37 feat: verify-blob --cert base64 (#1088)
• 5586790 fix: reproducible builds (#1053)
• 1974064 Add flag for manually specifying a hash algo when verifying (#1071)
• 90e2dcf Prune a few dependencies from ./pkg/oci (#1085)
• eed3e12 Add mutate.AttachFileTo* for attaching SBOMs. (#1084)
• e1acd18 Drop strfmt.Base64 from pkg/oci. (#1083)
• f8f0f6d Add layout package for writing and loading signatures from disk (#1040)
• 9cf8c3f Bump some deps that dependabot missed. (#1079)
• 18318ba implement output-signature and output-certificate flags (#1016)
• 857d9a5 adding keyless (#1073)
• 01b6c8f sync go mod (#1072)
• 943e824 feat: add output flag for signCmd (#1066)
• d673477 Add PKCS11 tag in releaser and Makefile for Mac and Windows (#1052)
• 413d06e fix root path (#1062)
• e868a54 cmd: update triangulate help command (#1061)
• d48fe25 verify-blob: add URI to verify-blob output (#1047)
• c5e3393 cmd: update clean command help (#1058)
• bada59e remove reverseDSSEVerifier in favor of using DSSE utilities directly (#1056)
• 3e43108 Remove img field from sigLayer (#1042)
• ccc4468 feat: replace option for same attestation (#1039)
• 5468ddc Patch support attestation log search and bundle to payload hash check (#1030)
• fe00315 README: simplify the install section (#1049)
• cd7e6a8 verify-blob: make the signature flag mandatory (#1045)
• 6ed55d6 split private signature and attestation verification fns (#1043)
• c338616 PKCS11: Fix certificate check (#1041)
• f1ec3a6 update ggcr to HEAD to eliminate (false) vuln finding (#1044)
• 89f3590 Adds a test to the cosigned e2e suite with multiple keys. (#943)
• c85db3a release: update cosign to 1.3.1 (#1038)
• 84c94b6 feat: validate whole statement not just predicate part (#1035)

Thanks for all contributors!

v1.3.1

Breaking Changes

• [cosign/pkg]: cosign.Verify has been removed in favor of explicit cosign.VerifyImageSignatures and cosign.VerifyImageAttestations
  (#1026)

Enhancements

• Add ability for verify-blob to find signing cert in transparency log (#991)
• root policy: add optional issuer to maintainer keys (#999)
• PKCS11 signing support (#985)
• Included timeout option for uploading to Rekor (#1001)

Bug Fixes

• Bump sigstore/sigstore to pickup a fix for azure kms (#1011 / #1028)

Contributors

• Asra Ali (@asraa)
• Batuhan Apaydın (@developer-guy)
• Carlos Panato (@cpanato)
• Dan Lorenc (@dlorenc)
• Dennis Leon (@DennisDenuto)
• Erkan Zileli (@erkanzileli)
• Furkan Türkal (@Dentrax)
• garantir-km (@garantir-km)
• Jake Sanders (@dekkagaijin)
• Naveen (@naveensrinivasan)

Changelog

645ebf0 add change to 1.3.1 changelog (#1036)
5a33731 remove Verify in favor of explicit VerifyImage{Signatures, Attestations} (#1026)
5d866c3 fix help msg upload=>no-upload (#1033)
076e179 add changelog for v1.3.1 (#1032)
c2c3a1d fix variable (#1031)
ff2104c ci: update oidc ci tests (#1029)
ce7cf28 update sigstore/sigstore to v1.0.1 (#1028)
0c771f8 Bump the thales pkcs11 library to v1.2.5 (#1009)
cb41bd4 make the purpose of secrets checked into .github/workflows explicit (#1025)
5a350e4 fix(doc): add an example for existing option on verify-blob command (#1024)
c0744b3 Add the missing GIT_HASH env var in the post-submit github-oidc.yaml action. (#1022)
88313ee Remove fuzzing check - unsupported go-fuzz (#1020)
d442592 Included timeout option for uploading to Rekor (#1001)
d3440b5 remove not needed dockerfiles (#1017)
82c9cee refactor release process to use ko to build the images (#1008)
55471fc Add an initial comparison document between nv2 and cosign. (#1014)
bb05c81 Bump sigstore/sigstore to pickup a fix for azure kms. (#1011)
db34c33 refactor version and add version command to sget (#1010)
391bac3 Bump k8s.io/apimachinery and opa. (#1004)
7066f12 PKCS11 signing support (#985)
9b9cd94 add optional issuer to root policy (#999)
5deaca0 Add ability for verify-blob to find signing cert in transparency log (#991)
6573dcd update automation to use 1.3.0 release (#997)
c6c032e update deps, go mod tidy (#994)

Thanks for all contributors!

v1.3.0

Release 1.3.0

Highlights

• BREAKING: verify-manifest is now manifest verify (#712)
• BREAKING: /pkg has been heavily refactored. Further refactoring work will make its way into 1.4.0
• WARNING: The CLI now uses POSIX-style (double-dash --flag) for long-form flags. It will temporarily accept the single-dash -flag form with a warning, which will become an error in a future release (#835)
• Added sget as part of Cosign's releases (#752)
• The copasetic utility was unceremoniously baleeted (#785)

Enhancements

• Began reworking /pkg around new abstrations for signing, verification, and storage (#666)
  • Notice: refactoring of /pkg will continue in the next minor release (1.4.0). Please leave feedback, especially if you've been experimenting with cosign as a library and found it lacking (#844)
  • GGCR-style libraries for interacting with images now exist under pkg/oci (#770)
  • pkg/cosign/remote.UploadSignature API was been removed in favor of new pkg/oci/remote APIs (#774)
  • The function signature of cosign.Verify was changed so that callers must be explicit about which signatures (or attestations) to verify. For matching signatures, see also cosign.Verify{Signatures,Attestations} (#782)
  • Removed cremote.UploadFile in favor of static.NewFile and remote.Write (#797)
• Innumerable other improvements to the codebase and automation (Makin me look bad, @mattmoor)
• Migrated the CLI to cobra (Welcome to the team, @n3wscott)
• Added the --allow-insecure-registry flag to disable TLS verification when interacting with insecure (e.g. self-signed) container registries (#669)
• 🔒 cosigned now includes a mutating webhook that resolves image tags to digests (#800)
• 🔒 The cosigned validating webhook now requires image digest references (#799)
• The cosigned webhook now ignores resources that are being deleted (#803)
• The cosigned webhook now supports resolving private images that are authenticated via imagePullSecrets (#804)
• manifest verify now supports verifying images in all Kubernetes objects that fit within PodSpec, PodSpecTemplate, or JobSpecTemplate, including CRDs (#697)
• Added shell auto-completion support (Clutch collab from @erkanzileli, @passcod, and @Dentrax! #836)
• cosign has generated Markdown docs available in the doc/ directory (#839)
• Added support for verifying with secrets from a Gitlab project (#934)
• Added a --k8s-keychain option that enables cosign to support ambient registry credentials based on the "k8schain" library (#972)
• CI (test) Images are now created for every architecture distroless ships on (currently: amd64, arm64, arm, s390x, ppc64le) (#973)
• attest: replaced --upload flag with a --no-upload flag (#979)

Bug Fixes

• cosigned now verifies CronJob images (Terve, @vaikas #809)
• Fixed the verify --cert-email option to actually work (Sweet as, @passcod #821)
• public-key -sk no longer causes error: x509: unsupported public key type: *crypto.PublicKey (#864)
• Fixed interactive terminal support in Windows (#871)
• The -ct flag is no longer ignored in upload blob (#910)

Contributors

• Aditya Sirish (@adityasaky)
• Asra Ali (@asraa)
• Axel Simon (@axelsimon)
• Batuhan Apaydın (@developer-guy)
• Brandon Mitchell (@sudo-bmitch)
• Carlos Panato (@cpanato)
• Chao Lin (@blackcat-lin)
• Dan Lorenc (@dlorenc)
• Dan Luhring (@luhring)
• Eng Zer Jun (@Juneezee)
• Erkan Zileli (@erkanzileli)
• Félix Saparelli (@passcod)
• Furkan Türkal (@Dentrax)
• Hector Fernandez (@hectorj2f)
• Ivan Font (@font)
• Jake Sanders (@dekkagaijin)
• Jason Hall (@imjasonh)
• Jim Bugwadia (@JimBugwadia)
• Joel Kamp (@mrjoelkamp)
• Luke Hinds (@lukehinds)
• Matt Moore (@mattmoor)
• Naveen (@naveensrinivasan)
• Olivier Gaumond (@oliviergaumond)
• Priya Wadhwa (@priyawadhwa)
• Radoslav Gerganov (@rgerganov)
• Ramkumar Chinchani (@rchincha)
• Rémy Greinhofer (@rgreinho)
• Scott Nichols (@n3wscott)
• Shubham Palriwala (@ShubhamPalriwala)
• Viacheslav Vasilyev (@avoidik)
• Ville Aikas (@vaikas)

Full Changelog

a91aa20 Fix the release (#987)
ae36ba5 update changelog for 1.3.0 (#986)
6d5f08c Bump opa and apis. (#980)
daa78e4 Add luhring to codeowners (#981)
58f8d20 Invert upload flag to allow for not uploading attestation (#979)
0ebe3b5 refactor: move from io/ioutil to io and os packages (#978)
79c0dc9 Remove commented out sections in CI configs (#960)
c875e7e Bump google.golang.org/api and github.com/go-openapi/strfmt. (#975)
bd469e7 Fixed modtime for reproducible goreleaser (#971)
70138fb Ship multi-arch images for all the cosign components. (#973)
fbe6fab Add support for using k8schain under a flag. (#972)
51803c2 Fix cosign attach sbom with COSIGN_REPOSITORY. (#970)
6f3aec5 Included trimpath in goreleaser (#968)
bfeb7d4 Add issuer URL to the verification blob. (#967)
c45f841 Have download sbom use the Attachment API. (#965)
068a277 Return better errors from cosigned (#964)
7957228 Make the DSSE wrapped private. (#966)
0bf537f release: fix registry name, push to gcr and not to ghcr (#958)
9314b85 Add a "filesystem" OIDC provider. (#956)
2f6560f Use setup-ko. (#957)
46e2740 Allow disabling verifySCT. (#955)
19fce84 Improve GitHub OIDC example (#954)
7c48e9a feat: extract pub key from GitLab (#941)
91bb398 fix codeql workflow permission (#951)
1f67ea7 cmd/policy: ability to pass expire days (#938)
7e295f1 Scorecard improvements (#949)
be6ab36 Reproducible builds with trimpath (#944)
b753a22 fix: Fixed multiple public keys issue (#942)
9f80297 Verify a signature using secrets from a gitlab project (#934)
9e304d1 Return k8schain error. (#937)
23ccfd8 fix: add dollars (#933)
0915b41 Document Red Hat Quay support (#929)
b2351d3 Add keyless signing w/ storage in rekor to FUN.md (#924)
9e406b3 fix issue 919 (#930)
617bc78 docs: fix broken link (#926)
fc58838 Bump go-github, go-gitlab, and cloudstorage. (#922)
f482fff Hook up k8schain to verification. (#920)
dcfb11d Don't ignore the media type flag to upload-blob! (#910)
0bab648 Add the OIDC options to AttestOptions. (#918)
f34112c Bump in-toto and cloud storage. (#909)
2594f7a Fix two bugs in the pivkey code related to cleanup and certs. (#912)
699fab4 Add Attachment to empty. (#911)
c9bf33a add Attachment to SignedEntity (#857)
7991c87 Bump dependencies and tidy. (#902)
7dd85a7 Fix the KO_VERSION variable in the post-merge container build. (#905)
19300db Replace predicate file path with io.Reader (#904)
42e5df0 Sign without pulling from the registry (#903)
7d2d51d update root ux (#747)
e2f034e feat: store public key within GitHub/GitLab variable (#900)
a1180fa Pin crane dependency used in e2e tests (#896)
c041930 verify: add support for rsapkcs15 keys (#851)
a9aa82b Fix verify-blob error message (#676) (#895)
5e54075 Fix verify command line options (#894)
aa1028f Fix CI (#897)
8e3be12 Add a test/example for signing using GitHub OIDC (#901)
0605155 fix: use GITLAB_HOST env var name (#899)
8588a92 fix: show reasons of the rego validations (#885)
4c5112c fix: safer way to install google/ko (#889)
37bcea0 Error with the filename provided (#891)
5499d63 chore: KO_VERSION as environment var (#886)
42ec945 Clarify how to install sget (#882)
a064fab Re-expose commands. (#883)
f85fe3f chore: add image details to the error msg (#875)
5302c87 add github&gitlab reference support to generate-key-pair (#848)
8a67024 fix: make isTerminal suitable for windows (#871)
a04f060 disable usage on errors (#878)
1bd3067 added keyvault doc (#870)
cc4ce1b Remove the preallocation of signatures slice. (#869)
2ba1605 Allow cosigned to validate Fulcio signatures. (#867)
b0408bf feat: add validation for predicates via cue or rego policy files support (#641)
278ad7d make COSIGN_REPOSITORY use explicit again (#860)
142e7ed fix x509: unsupported public key type: *crypto.PublicKey (#864)
c79fa81 TagOptions -> ReferenceOptions (#863)
5c1240b feat: add custom signature tag registry options (#808)
2f6a293 release: update golang-cross image to image tag v1.17.2 (#861)
d49fa54 [root policy] Add root policy signing (#856)
0142711 get rid of "." in default tag suffixes (#853)
2919bf0 oic. -> oci. (#852)
9962e87 Add changelog for v1.3.0 (#849)
37000c8 update select dependencies (#850)
e6d08d6 support user customizable predicates (#847)
75c326b move make help below the default rules so that naked make does the right thing (#845)
6c5c65f Only run CI on PRs and push to main or releases (#842)
06...

v1.2.1

This release fixes compatibility issues between the v1.2.0 release and the Go toolchain.

Thanks, @luhring!

Changelog

be15523 Remove go.mod replace directive (#716) (#726)
03a1061 add changelog for 1.2.1 (#727)

Thanks for all contributors!

v1.2.0

v1.2.0

Enhancements

• BREAKING: move verify-dockerfile to dockerfile verify (#662)
• Have the keyless cosign sign flow use a single 3LO. (#665)
• Allow to verify-blob from urls (#646)
• Support GCP environments without workload identity (GCB). (#652)
• Switch the release cosign container to debug. (#649)
• Add logic to detect and use ambient OIDC from exec envs. (#644)
• Add -cert-email flag to provide the email expected from a fulcio cert to be valid (#622)
• Add support for downloading signature from remote (#629)
• Add sbom and attestations to triangulate (#628)
• Add cosign attachment signing and verification (#615)
• Embed CT log public key (#607)
• Verify SCTs returned by fulcio (#600)
• Add extra replacement variables and GCP's role identifier (#597)
• Store attestations in the layer (payload) rather than the annotation. (#579)
• Improve documentation about predicate type and change predicate type from provenance to slsaprovenance (#583)
• Upgrade in-toto-golang to adapt SLSA Provenance (#582)

Bug Fixes

• Fix verify-dockerfile to allow lowercase FROM (#643)
• Fix signing for the cosigned image. (#634)
• Make sure generate-key-pair doesn't overwrite existing key-pair (#623)
• helm/ci: update helm repo before installing the dependency (#598)
• Set the correct predicate type/URI for each supported predicate type. (#592)
• Warnings on admissionregistration version (#581)
• Remove unnecessary COSIGN_PASSWORD (#572)

Contributors

• Batuhan Apaydın
• Ben Walding
• Carlos Alexandro Becker
• Carlos Tadeu Panato Junior
• Erkan Zileli
• Hector Fernandez
• Jake Sanders
• Jason Hall
• Matt Moore
• Michael Lieberman
• Naveen Srinivasan
• Pradeep Chhetri
• Sambhav Kothari
• dlorenc
• priyawadhwa

Thank you to all our contributors!!

Changelog

aa5d23b CHANGELOG for cosign 1.2 (#668)
1b1cafc move verify-dockerfile to dockerfile verify (#662)
275e015 Have the keyless cosign sign flow use a single 3LO. (#665)
152eefb Move LoadEcdsa... into pkg/cosign/keys.go (#667)
c37c20e feat: allow to verify-blob from urls (#646)
b1e7ca2 Extract a types package for media and payload types. (#664)
e14b69d small typo (#663)
e055194 Provide a mechanism for downstream folks to avoid _ imports. (#661)
b27c63a Split apart fulcioverifier for transparency log verification. (#660)
de598c1 Send log statement to STDERR (#659)
696a46a Remove unnecessary space after 'with index:' (#656)
3f83940 Support GCP environments without workload identity (GCB). (#652)
118399c Revert "Consistently use STDERR for output. (#647)" (#650)
60cf6b8 Refactor verification output. (#632)
f2a1276 Switch the release cosign container to debug. (#649)
f8f2e7a Pinned the dockerfile to sha256 (#619)
fefa881 Consistently use STDERR for output. (#647)
fb04df8 Refactor cosigned to take advantage of duck typing. (#637)
739947d Add logic to detect and use ambient OIDC from exec envs. (#644)
cb310df Fix verify-dockerfile to allow lowercase FROM (#643)
6d2fc54 docs: add remote url example for verify_blog cmd (#640)
248f849 add -cert-email flag to provide the email expected from a fulcio cert to be valid (#622)
59be0ee Break off a fulcioroot package. (#639)
56d7d96 Use a nonroot base image for ko-based images (#638)
efde83c Fix signing for the cosigned image. (#634)
508cc59 Drop the unused apiReader (#636)
6a1e1b5 Drop the distinction between Create/Update. (#635)
8d550b3 feat: add support for downloading signature from remote (#629)
cb0c46a Add ko targets for the webhook image. (#630)
53fbe01 Something changed in go 1.17 to make this a failure now. (#631)
a05fb65 Add sbom and attestations to triangulate (#628)
ff28387 Bump opa to v0.32.0 (#625)
b0e5c74 Bump k8s controller-runtime to v0.10.0. (#626)
de600d2 chore: cleanup Makefile targers (#627)
5abd51e Make sure generate-key-pair doesn't overwrite existing key-pair (#623)
40830f1 Modify golangci-lint installation (#624)
79fa380 Add cosign attachment signing and verification (#615)
de3f9d6 Bump go/storage. (#614)
c35f311 verify_blob: add missing help option to use teh pub kwy from a remote (#616)
9906181 helm/cosigned: remove helm charts (#609)
842a81a Embed CT log public key (#607)
54c956c Actually bump dependencies and get healthy on go 1.17. (#606)
cb9f980 Verify SCTs returned by fulcio (#600)
c79ba73 Add extra replacement variables and GCP's role identifier (#597)
c875b79 helm/ci: update helm repo before installing the dependency (#598)
b41d57f Set the correct predicate type/URI for each supported predicate type. (#592)
584e63f chore: add a new CODEOWNER (#593)
b1c033d Make the warning around TUF roots a little less scary. (#590)

cosigned-v0.0.3-dev

The Helm chart for Cosigned