cosigned-v0.0.2-dev

The Helm chart for Cosigned

cosigned-v0.0.1-dev

The Helm chart for Cosigned

v1.1.0

Enhancements

• BREAKING: The -attestation flag has been renamed to -predicate in attest (#500)
• Added verify-manifest command (#490)
• Added the ability to specify and validate well-known attestation types in attest with the -type flag (#504)
• Added cosign init command to setup the trusted local repository of SigStore's TUF root metadata (#520)
• Added timestamps to Cosign's custom In-Toto predicate (#533)
• verify now always verifies that the image exists (even when referenced by digest) before verification (#543)

Bug Fixes

• verify-dockerfile no longer fails on FROM scratch (#509)
• Fixed reading from STDIN with attach sbom (#517)
• Fixed broken documentation and implementation of -output for verify and verify-attestation (#546)
• Fixed nil pointer error when calling upload blob without specifying -f (#563)

Contributors

• Adolfo García Veytia (@puerco)
• Anton Semjonov (@ansemjo)
• Asra Ali (@asraa)
• Batuhan Apaydın (@developer-guy)
• Carlos Panato (@cpanato)
• Dan Lorenc (@dlorenc)
• @gkovan
• Hector Fernandez (@hectorj2f)
• Jake Sanders (@dekkagaijin)
• Jim Bugwadia (@JimBugwadia)
• Jose Donizetti (@josedonizetti)
• Joshua Hansen (@joshes)
• Jason Hall (@imjasonh)
• Li Yi (@denverdino)
• Priya Wadhwa (@priyawadhwa)
• Russell Brown (@rjbrown57)
• Stephan Renatus (@srenatus)

Full Changelog

67934a6 remove unnecessary COSIGN_PASSWORD (#572)
7b5e931 add v1.1.0 relnotes (#571)
764a237 release: update golang-cross image to use go 1.17 (#569)
2f805aa update Go to 1.17.0 (#568)
7b08e21 Pin k8s.io dependencies to v0.20.7 (#567)
0783cc9 Make payload types public (#564)
8ce7d29 fix nil pointer deref in cli/upload.BlobCmd (#563)
92ce88e Fix some bugs in the attestation support and add a formal spec. (#561)
9479578 Bump k8s to 0.22.1. (#560)
4326cc1 Add a commented out list of OWNERS for transparency. (#558)
5c70fc4 fix: lint warning (#557)
5267dfd Add example of openssl signing. (#554)
6db6a90 Move the prompting/confirmation down into the password implementations. (#552)
3733e69 Fix verify and verify-attestation output flag (#546)
001d55f Improve Kubernetes examples in docs and commands (#551)
0d93915 Update google.golang.org/api (#544)
969aa80 always check remote image (#543)
4c755ad Refactor to avoid not necessary conversion (#539)
e2cafee Don't run e2e tests on PRs (#540)
3b5c238 Fix CI issues for forked repos (#537)
b2c649f Improve docs for keyless SA signing (#536)
03f3f4d Refactor upload-blob to use File interface (#535)
de056ab Bump google.golang.org/api from 0.52.0 to 0.53.0 (#534)
61b103b Add support for timestamps in the cosign custom predicate, and document it. (#533)
4c76ff3 'cosign init' minor enhancements (file or URL root, write to $HOME/.sigstore) (#530)
a7aff49 update go mods, tidy (#531)
9018c86 Explicitly disable auth for the sigstore-tuf-root. (#528)
bfd42e5 Add cosign init to initialize the SigStore root metadata (#520)
f83218b version: add way to display a version when using go get or go install (#526)
07bf0f2 Add Alibaba Cloud Container Registry (#524)
ce1648e update k8s deps for 1.22 release. Update sigstore. Tidy (#523)
c0f7371 add usage of the COSIGN_PASSWORD env var (#521)
6e535ce add Go Report Card badge to README (#518)
ef05414 lazy init fulcio root (#519)
fbc9831 fix for reading sbom file from stdin (#517)
749cd29 SIGNATURE_SPEC.md: fix typo (#516)
685f1a3 Bump github.com/google/go-containerregistry from 0.5.1 to 0.6.0 (#515)
b505bb4 fix in-toto.io link (#513)
4877fbb Verify-dockerfile Ignore scratch images (#509)
f3cf4a2 fixing typos in the documentation of SBOM specification (#511)
1e4b330 verify-manifest: decode and use kubernetes resources (#510)
0fdfaa9 Add cosign verify-manifest command (#490)
7e9cdfb add well-known attestation specs support to the attest command (#504)
53f7cd4 some more readme updates (#505)
e42c08e SBOM specification! (#439)
03b1eda add installation via GitHub Action to README (#503)

Thanks for all contributors!

v1.0.0

Cosign 1.0!

This is the first production ready, non-pre-release version of the cosign tool!

Huge thanks to the entire sigstore community!

Enhancements

• BREAKING: The default HSM key slot is now "signature" instead of "authentication" (#450)
• BREAKING: --fulcio-server is now --fulcio-url (#471)
• Added -cert flag to sign to allow the explicit addition of a signature certificate (#451)
• Added the attest command (#458)
• Added numerous flags for specifying parameters when interacting with Rekor and Fulcio (#462)
• cosign will now send its version string as part of the user-agent when interacting with a container registry (#479)
• Files containing certificates for custom Fulcio endpoints can now be specified via the COSIGN_ROOT environment variable (#477)

Bug Fixes

• Fixed a situation where lower-case as would break verify-dockerfile (Complements to @Dentrax #433)

Verification

The releases are signed using cosign, and can be verified with a previous release or openssl. The key used is currently stored in this repository (at the commit the build was done) in the release/release-cosign.pub file.

Each binary is signed, and the corresponding.sig file is uploaded here. For darwin-amd64, using openssl:

$ openssl dgst -sha256 -verify release/release-cosign.pub -signature <(cat cosign-darwin-amd64.sig | base64 -D) cosign-darwin-amd64
Verified OK

With cosign:

$ cosign verify-blob -key release/release-cosign.pub -signature cosign-darwin-amd64.sig cosign-darwin-amd64
Verified OK

Full Changelog

33973d0 Allow multiple files per archive. (#497)
302c339 v1.0.0 relnotes (#493)
90efb9f cloudbuild: remove not needed dependency library (#495)
cdd92da Add missing code of conduct (stock sigstore one) (#496)
14d1d0a Allow custom root PEM (#477)
1a660a2 Avoid remote.Gets when the ref contains a digest (#487)
ade62cd Update the docs to be explicit around 1.0! (#489)
edd65a8 Only run codeql post-merge. (#488)
d0d11ee Minor update to README.md (#486)
1f9d3d9 Chore fixes (#476)
6f42979 move fulcio utils out of pkg (#482)
4155550 Unexport pkg/cosign/remote.StaticLayer (#483)
c076106 use Fulcio's client creation utility (#480)
94d54b8 Add cosign/ to useragent for remote calls (#479)
5a426a5 add additional KMS use cases of cosign (#473)
364cadc Add "cosign attest" command! (#458)
d401496 fulcio-server -> fulcio-url, pkg/fulcio refactoring (#471)
5bb088d refactor attached image code (#470)
49a4227 fix sget (#468)
7068357 Infra flags for fulcio / rekor / oidc values (#462)
647606b release: update builder container to use go 1.16.6 (#466)
a7f1ef6 more refactoring to use cryptoutils (#465)
840f9a6 Fix/verify dockerfile parser (#433)
981d702 cosign.LoadCerts -> cryptoutils.LoadCertificatesFromPEM (#464)
da50a67 Do a few more cleanups to reuse sigstore/sigstore and refactor verification. (#463)
7393e96 Refactor to use sigstore/sigstore crypto utilities (#460)
b385d1b Refactor the verification logic a bit to support more verification types. (#459)
fe1a39e Refactor the way certs are handled. (#457)
d08c803 Drop the dupe detector, this isn't needed anymore with the new interfaces (#456)
9c0eb2e Refactor signing options a bit between blob/image. (#455)
2af7bd0 Fix USAGE.md link (#454)
9ef97c2 Reduce some of the noise in e2e tests by hiding the SBOM output unless the test fails. (#453)
9adaad5 cmd/sign: Add -cert flag (#451)
fd17d7f Update sigtore dependency to include Azure KMS (#452)
607a5fe pivkey: Change default slot to Signature (9c) (#450)
48a2f82 Readme fixes and improvements (#448)
9c61577 update sigstore modules, tidy (#447)
2123698 Bump k8s.io/client-go from 0.21.2 to 0.21.3 (#445)
dbf506e Bump k8s.io/api from 0.21.2 to 0.21.3 (#444)
268ce57 Move the specs to their own directory. (#440)
d0684ec Update the readme a bit. (#441)
7e256fd added Hashicorp Vault KMS support to the description of public-key sub-command (#438)
e6d91a7 make base image an arg, use distroless/static for releases (#436)
e68da41 update deps, run go mod tidy (#432)
f79accb update workflows (other than release) to go 1.16.6 (#431)
82d49dc Numerous updates to .goreleaser.yml & associated scripts

Container image available as well gcr.io/projectsigstore/cosign:v1.0.0@sha256:5e88d8f6162c04da4fa7d63b032bac34d8c906b48e88057263d67b059ace7de4

Thanks for all contributors!

For this 1.0 release, let's thank everyone that committed!

• Dan Lorenc (dlorenc)
• Jake Sanders (dekkagaijin)
• Priya Wadhwa (priyawadhwa)
• Carlos Tadeu Panato Junior (cpanato)
• Batuhan Apaydın (developer-guy)
• Luke Hinds (lukehinds)
• Ivan Font (font)
• Jason Hall (imjasonh)
• Naveen (naveensrinivasan)
• Chris Norman (chrnorm)
• Asra Ali (asraa)
• Christian Pearce (pearcec)
• Jon Johnson (jonjohnsonjr)
• Bob Callaway (bobcallaway)
• Appu (loosebazooka)
• James Alseth (jalseth)
• rjbrown57 (rjbrown57)
• Ahmet Alp Balkan (ahmetb)
• rotem-cider (rotem-cider)
• Balazs Zachar (Cajga)
• Cody Soyland (codysoyland)
• Dan POP (danpopSD)
• Dino Dai Zovi (ddz)
• Eminks (eminks)
• Furkan Türkal (Dentrax)
• Hector Fernandez (hectorj2f)
• João Pereira (joaodrp)
• Kim Lewandowski (kimsterv)
• Mark Bestavros (mbestavros)
• Paris Z (zuBux)
• Ross Timson (rosstimson)
• Rémy Greinhofer (rgreinho)
• Tom Hennen (TomHennen)

v0.6.0

v0.6.0

Enhancements

• BREAKING: Moved cosign upload-blob to cosign upload blob (#378)
• BREAKING: Moved cosign upload to cosign attach signature (#378)
• BREAKING: Moved cosign download to cosign download signature (#392)
• Added flags to specify slot, PIN, and touch policies for security keys (Thank you @ddz #369)
• Added cosign verify-dockerfile command (#395)
• Added SBOM support in cosign attach and cosign download sbom (#387)
• Sign & verify images using Kubernetes secrets (A muchas muchas gracias to @developer-guy and @Dentrax #398)
• Added support for AWS KMS (谢谢, @codysoyland #426)
• Numerous enhancements to our build & release process, courtesy @cpanato

Bug Fixes

• Verify entry timestamp signatures of fetched Tlog entries (#371)

Contributors

• Asra Ali (@asraa)
• Batuhan Apaydın (@developer-guy)
• Carlos Panato (@cpanato)
• Cody Soyland (@codysoyland)
• Dan Lorenc (@dlorenc)
• Dino A. Dai Zovi (@ddz)
• Furkan Türkal (@Dentrax)
• Jason Hall (@imjasonh)
• Paris Zoumpouloglou (@zuBux)
• Priya Wadhwa (@priyawadhwa)
• Rémy Greinhofer (@rgreinho)
• Russell Brown (@rjbrown57)

cosign image available at gcr.io/projectsigstore/cosign:v0.6.0@sha256:2303322158802ec0452758578ac80801a3754ee9cb19c128fc5d1b2ec32fa2d2

Thanks for all contributors!

v0.5.0

Enhancements

• Added cosign copy to easily move images and signatures between repositories (#317)
• Added -r flag to cosign sign for recursively signing multi-arch images (#320)
• Added cosign clean to delete signatures for an image (Thanks, @developer-guy! #324)
• Added -k8s flag to cosign generate-key-pair to create a Kubernetes secret (Hell yeah, @priyawadhwa! #345)

Bug Fixes

• Fixed an issue with misdirected image signatures when COSIGN_REPOSITORY was used (#323)

Contributors

• Balazs Zachar (@Cajga)
• Batuhan Apaydın (@developer-guy)
• Dan Lorenc (@dlorenc)
• Furkan Turkal (@Dentrax)
• Jake Sanders (@dekkagaijin)
• Jon Johnson (@jonjohnsonjr)
• Priya Wadhwa (@priyawadhwa)

v0.4.0

The fourth installment in the Cosign technologic universe

Action Required

• Signatures created with cosign before v0.4.0 are not compatible with those created after
  • The signature image's manifest now uses OCI mediaTypes (#300)
  • The signature image's tag is now terminated with .sig (instead of .cosign, #287)

Enhancements

• 🎉 Added support for "offline" verification of Rekor signatures 🎉 (ありがとう, @priyawadhwa! #285)
• Support for Hashicorp vault as a KMS provider has been added (Danke, @RichiCoder1! sigstore/sigstore #44, sigstore/sigstore #49)
• Windows binaries! (Grazie, @pearcec #249)

Bug Fixes

• GCP KMS URIs now include the key version (sigstore/sigstore #45)

Contributors

• Christian Pearce (@pearcec)
• Dan Lorenc (@dlorenc)
• Jake Sanders (@dekkagaijin)
• Priya Wadhwa (@priyawadhwa)
• Richard Simpson (@RichiCoder1)
• Ross Timson (@rosstimson)

v0.3.1

A minor bugfix release

Bug Fixes

• Fixed CI container image breakage introduced in v0.3.0
• Fixed lack of version information in release binaries

v0.3.0

This is the third release of cosign!

We still expect many flags, commands, and formats to change going forward, but we're getting closer.
No backwards compatiblity is promised or implied yet, though we are hoping to formalize this policy in the next release.
See #254 for more info.

Enhancements

• The -output-file flag supports writing output to a specific file
• The -key flag now supports kms references and URLs, the kms specific flag has been removed
• Yubikey/PIV hardware support is now included!
• Support for signing and verifying multiple images in one invocation

Bug Fixes

• Bug fixes in KMS keypair generation
• Bug fixes in key type parsing

Contributors

• Dan Lorenc
• Priya Wadhwa
• Ivan Font
• Depandabot!
• Mark Bestavros
• Jake Sanders
• Carlos Tadeu Panato Junior

v0.2.0 Release

This is the second release of cosign! If you came for puns, check out yesterday's Twitter thread.

The release is available here in this repo, and on Google Cloud Storage in the bucket cosign-releases. This release is now cross-platform, so be careful with installer scripts! You can find that here:

$ gsutil ls gs://cosign-releases/v0.2.0/
gs://cosign-releases/v0.2.0/cosign-darwin-amd64
gs://cosign-releases/v0.2.0/cosign-darwin-amd64.sig
gs://cosign-releases/v0.2.0/cosign-linux-amd64
gs://cosign-releases/v0.2.0/cosign-linux-amd64.sig

Check out the full CHANGELOG.md for the details, but here are some highlights and lowlights:

This is the second release of cosign!

We still expect many flags, commands, and formats to change going forward, but we're getting closer.
No backwards compatiblity is promised or implied.

Enhancements

• The password for private keys can now be passed via the COSIGN_PASSWORD
• KMS keys can now be used to sign and verify blobs
• The version command can now be used to return the release version
• The public-key command can now be used to extract the public key from KMS or a private key
• The COSIGN_REPOSITORY environment variable can be used to store signatures in an alternate location
• Tons of new EXAMPLES in our help text

Bug Fixes

• Improved error messages for command line flag verification
• TONS more unit and integration testing
• Too many others to count :)

Contributors

We would love to thank the contributors:

• Dan Lorenc
• Priya Wadhwa
• Ahmet Alp Balkan
• Naveen Srinivasan
• Chris Norman
• Jon Johnson
• Kim Lewandowski
• Luke Hinds
• Bob Callaway
• Dan POP
• eminks
• Mark Bestavros
• Jake Sanders