Releases: sigstore/cosign
cosigned-v0.0.2-dev
The Helm chart for Cosigned
cosigned-v0.0.1-dev
The Helm chart for Cosigned
v1.1.0
Enhancements
- BREAKING: The `-attestation` flag has been renamed to `-predicate` in `attest` (#500)
- Added `verify-manifest` command (#490)
- Added the ability to specify and validate well-known attestation types in `attest` with the `-type` flag (#504)
- Added `cosign init` command to set up the trusted local repository of SigStore's TUF root metadata (#520)
- Added timestamps to Cosign's custom In-Toto predicate (#533)
- `verify` now always verifies that the image exists (even when referenced by digest) before verification (#543)
Bug Fixes
- `verify-dockerfile` no longer fails on `FROM scratch` (#509)
- Fixed reading from STDIN with `attach sbom` (#517)
- Fixed broken documentation and implementation of `-output` for `verify` and `verify-attestation` (#546)
- Fixed nil pointer error when calling `upload blob` without specifying `-f` (#563)
Contributors
- Adolfo García Veytia (@puerco)
- Anton Semjonov (@ansemjo)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Carlos Panato (@cpanato)
- Dan Lorenc (@dlorenc)
- @gkovan
- Hector Fernandez (@hectorj2f)
- Jake Sanders (@dekkagaijin)
- Jim Bugwadia (@JimBugwadia)
- Jose Donizetti (@josedonizetti)
- Joshua Hansen (@joshes)
- Jason Hall (@imjasonh)
- Li Yi (@denverdino)
- Priya Wadhwa (@priyawadhwa)
- Russell Brown (@rjbrown57)
- Stephan Renatus (@srenatus)
Full Changelog
67934a6 remove unnecessary COSIGN_PASSWORD (#572)
7b5e931 add v1.1.0 relnotes (#571)
764a237 release: update golang-cross image to use go 1.17 (#569)
2f805aa update Go to 1.17.0 (#568)
7b08e21 Pin k8s.io dependencies to v0.20.7 (#567)
0783cc9 Make payload types public (#564)
8ce7d29 fix nil pointer deref in cli/upload.BlobCmd (#563)
92ce88e Fix some bugs in the attestation support and add a formal spec. (#561)
9479578 Bump k8s to 0.22.1. (#560)
4326cc1 Add a commented out list of OWNERS for transparency. (#558)
5c70fc4 fix: lint warning (#557)
5267dfd Add example of openssl signing. (#554)
6db6a90 Move the prompting/confirmation down into the password implementations. (#552)
3733e69 Fix verify and verify-attestation output flag (#546)
001d55f Improve Kubernetes examples in docs and commands (#551)
0d93915 Update google.golang.org/api (#544)
969aa80 always check remote image (#543)
4c755ad Refactor to avoid not necessary conversion (#539)
e2cafee Don't run e2e tests on PRs (#540)
3b5c238 Fix CI issues for forked repos (#537)
b2c649f Improve docs for keyless SA signing (#536)
03f3f4d Refactor upload-blob to use File interface (#535)
de056ab Bump google.golang.org/api from 0.52.0 to 0.53.0 (#534)
61b103b Add support for timestamps in the cosign custom predicate, and document it. (#533)
4c76ff3 'cosign init' minor enhancements (file or URL root, write to $HOME/.sigstore) (#530)
a7aff49 update go mods, tidy (#531)
9018c86 Explicitly disable auth for the sigstore-tuf-root. (#528)
bfd42e5 Add cosign init to initialize the SigStore root metadata (#520)
f83218b version: add way to display a version when using go get or go install (#526)
07bf0f2 Add Alibaba Cloud Container Registry (#524)
ce1648e update k8s deps for 1.22 release. Update sigstore. Tidy (#523)
c0f7371 add usage of the COSIGN_PASSWORD env var (#521)
6e535ce add Go Report Card badge to README (#518)
ef05414 lazy init fulcio root (#519)
fbc9831 fix for reading sbom file from stdin (#517)
749cd29 SIGNATURE_SPEC.md: fix typo (#516)
685f1a3 Bump github.com/google/go-containerregistry from 0.5.1 to 0.6.0 (#515)
b505bb4 fix in-toto.io link (#513)
4877fbb Verify-dockerfile Ignore scratch images (#509)
f3cf4a2 fixing typos in the documentation of SBOM specification (#511)
1e4b330 verify-manifest: decode and use kubernetes resources (#510)
0fdfaa9 Add cosign verify-manifest command (#490)
7e9cdfb add well-known attestation specs support to the attest command (#504)
53f7cd4 some more readme updates (#505)
e42c08e SBOM specification! (#439)
03b1eda add installation via GitHub Action to README (#503)
Thanks to all contributors!
v1.0.0
Cosign 1.0!
This is the first production-ready, non-pre-release version of the cosign tool!
Huge thanks to the entire sigstore community!
Enhancements
- BREAKING: The default HSM key slot is now "signature" instead of "authentication" (#450)
- BREAKING: `--fulcio-server` is now `--fulcio-url` (#471)
- Added `-cert` flag to `sign` to allow the explicit addition of a signature certificate (#451)
- Added the `attest` command (#458)
- Added numerous flags for specifying parameters when interacting with Rekor and Fulcio (#462)
- `cosign` will now send its version string as part of the `user-agent` when interacting with a container registry (#479)
- Files containing certificates for custom Fulcio endpoints can now be specified via the `COSIGN_ROOT` environment variable (#477)
Bug Fixes
Verification
The releases are signed using cosign, and can be verified with a previous release or openssl. The key used is currently stored in this repository (at the commit the build was done) in the release/release-cosign.pub file.
Each binary is signed, and the corresponding .sig file is uploaded here. For darwin-amd64, using openssl:
```
$ openssl dgst -sha256 -verify release/release-cosign.pub -signature <(cat cosign-darwin-amd64.sig | base64 -D) cosign-darwin-amd64
Verified OK
```
With cosign:
```
$ cosign verify-blob -key release/release-cosign.pub -signature cosign-darwin-amd64.sig cosign-darwin-amd64
Verified OK
```
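The openssl check above, as an added example that is not part of the release notes or the cosign project: it generates a throwaway ECDSA P-256 key pair standing in for `release/release-cosign.pub`, signs a constructed file standing in for the downloaded binary, stores the signature base64-encoded the way the attached `.sig` files are, and then runs the same `openssl dgst -sha256 -verify` check against both the untouched file and a copy with one byte appended. All file names and contents here are constructed. One portability caveat the notes' command glosses over: `base64 -D` is the macOS spelling, GNU coreutils uses `base64 -d`, so the example decodes with `openssl base64 -d` to behave the same on both.

```shell
#!/bin/sh
# Added example, not cosign project code: reproduce the openssl release-binary
# verification from the notes above with a throwaway key pair, so the whole flow
# runs offline. Every file name below is a constructed stand-in for the real
# release/release-cosign.pub and the downloaded cosign-<os>-<arch> binary.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

PRIV="$WORK/release-cosign.key"        # stand-in for the maintainers' private key
PUB="$WORK/release-cosign.pub"         # stand-in for release/release-cosign.pub
BIN="$WORK/cosign-linux-amd64"         # stand-in for a downloaded release binary
SIG="$WORK/cosign-linux-amd64.sig"     # stand-in for the uploaded .sig file
BIN_TAMPERED="$WORK/cosign-linux-amd64.tampered"

# Throwaway ECDSA P-256 key pair (the key type cosign uses for its own keys).
openssl ecparam -name prime256v1 -genkey -noout -out "$PRIV" 2>/dev/null
openssl ec -in "$PRIV" -pubout -out "$PUB" 2>/dev/null

# Constructed "binary" contents, plus a copy with one extra byte appended.
printf 'constructed release binary contents\n' > "$BIN"
cp "$BIN" "$BIN_TAMPERED"
printf 'x' >> "$BIN_TAMPERED"

# Sign the SHA-256 digest and store the DER signature base64-encoded, which is
# the layout of the .sig files attached to the release.
openssl dgst -sha256 -sign "$PRIV" "$BIN" | openssl base64 -A > "$SIG"

# verify_release PUBKEY SIGFILE BINARY
# Same check as the notes' openssl command, with the base64 decode done through
# `openssl base64` instead of `base64 -D` so it behaves the same on macOS and
# GNU/Linux. Returns 0 when the signature matches, 1 otherwise.
verify_release() {
    rawsig="$(mktemp)"
    openssl base64 -d -A -in "$2" -out "$rawsig"
    if openssl dgst -sha256 -verify "$1" -signature "$rawsig" "$3" >/dev/null 2>&1; then
        rm -f "$rawsig"
        return 0
    fi
    rm -f "$rawsig"
    return 1
}

# Demonstration: the untouched file verifies, the modified copy does not.
if verify_release "$PUB" "$SIG" "$BIN"; then
    echo "cosign-linux-amd64: Verified OK"
else
    echo "cosign-linux-amd64: Verification Failure"
fi
if verify_release "$PUB" "$SIG" "$BIN_TAMPERED"; then
    echo "cosign-linux-amd64.tampered: Verified OK (unexpected)"
else
    echo "cosign-linux-amd64.tampered: Verification Failure (expected)"
fi
```

To check a real download, swap in the public key taken from the repository at the tagged commit (as the notes say, the key is committed alongside the build) and the binary and `.sig` pair from the release page; the `verify_release` function is the only part that needs to run, and a non-zero return means the binary should not be used.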
Full Changelog
33973d0 Allow multiple files per archive. (#497)
302c339 v1.0.0 relnotes (#493)
90efb9f cloudbuild: remove not needed dependency library (#495)
cdd92da Add missing code of conduct (stock sigstore one) (#496)
14d1d0a Allow custom root PEM (#477)
1a660a2 Avoid remote.Gets when the ref contains a digest (#487)
ade62cd Update the docs to be explicit around 1.0! (#489)
edd65a8 Only run codeql post-merge. (#488)
d0d11ee Minor update to README.md (#486)
1f9d3d9 Chore fixes (#476)
6f42979 move fulcio utils out of pkg (#482)
4155550 Unexport pkg/cosign/remote.StaticLayer (#483)
c076106 use Fulcio's client creation utility (#480)
94d54b8 Add cosign/ to useragent for remote calls (#479)
5a426a5 add additional KMS use cases of cosign (#473)
364cadc Add "cosign attest" command! (#458)
d401496 fulcio-server -> fulcio-url, pkg/fulcio refactoring (#471)
5bb088d refactor attached image code (#470)
49a4227 fix sget (#468)
7068357 Infra flags for fulcio / rekor / oidc values (#462)
647606b release: update builder container to use go 1.16.6 (#466)
a7f1ef6 more refactoring to use cryptoutils (#465)
840f9a6 Fix/verify dockerfile parser (#433)
981d702 cosign.LoadCerts -> cryptoutils.LoadCertificatesFromPEM (#464)
da50a67 Do a few more cleanups to reuse sigstore/sigstore and refactor verification. (#463)
7393e96 Refactor to use sigstore/sigstore crypto utilities (#460)
b385d1b Refactor the verification logic a bit to support more verification types. (#459)
fe1a39e Refactor the way certs are handled. (#457)
d08c803 Drop the dupe detector, this isn't needed anymore with the new interfaces (#456)
9c0eb2e Refactor signing options a bit between blob/image. (#455)
2af7bd0 Fix USAGE.md link (#454)
9ef97c2 Reduce some of the noise in e2e tests by hiding the SBOM output unless the test fails. (#453)
9adaad5 cmd/sign: Add -cert flag (#451)
fd17d7f Update sigtore dependency to include Azure KMS (#452)
607a5fe pivkey: Change default slot to Signature (9c) (#450)
48a2f82 Readme fixes and improvements (#448)
9c61577 update sigstore modules, tidy (#447)
2123698 Bump k8s.io/client-go from 0.21.2 to 0.21.3 (#445)
dbf506e Bump k8s.io/api from 0.21.2 to 0.21.3 (#444)
268ce57 Move the specs to their own directory. (#440)
d0684ec Update the readme a bit. (#441)
7e256fd added Hashicorp Vault KMS support to the description of public-key sub-command (#438)
e6d91a7 make base image an arg, use distroless/static for releases (#436)
e68da41 update deps, run go mod tidy (#432)
f79accb update workflows (other than release) to go 1.16.6 (#431)
82d49dc Numerous updates to .goreleaser.yml & associated scripts
Container image available as well: gcr.io/projectsigstore/cosign:v1.0.0@sha256:5e88d8f6162c04da4fa7d63b032bac34d8c906b48e88057263d67b059ace7de4
Thanks to all contributors!
For this 1.0 release, let's thank everyone that committed!
- Dan Lorenc (dlorenc)
- Jake Sanders (dekkagaijin)
- Priya Wadhwa (priyawadhwa)
- Carlos Tadeu Panato Junior (cpanato)
- Batuhan Apaydın (developer-guy)
- Luke Hinds (lukehinds)
- Ivan Font (font)
- Jason Hall (imjasonh)
- Naveen (naveensrinivasan)
- Chris Norman (chrnorm)
- Asra Ali (asraa)
- Christian Pearce (pearcec)
- Jon Johnson (jonjohnsonjr)
- Bob Callaway (bobcallaway)
- Appu (loosebazooka)
- James Alseth (jalseth)
- rjbrown57 (rjbrown57)
- Ahmet Alp Balkan (ahmetb)
- rotem-cider (rotem-cider)
- Balazs Zachar (Cajga)
- Cody Soyland (codysoyland)
- Dan POP (danpopSD)
- Dino Dai Zovi (ddz)
- Eminks (eminks)
- Furkan Türkal (Dentrax)
- Hector Fernandez (hectorj2f)
- João Pereira (joaodrp)
- Kim Lewandowski (kimsterv)
- Mark Bestavros (mbestavros)
- Paris Z (zuBux)
- Ross Timson (rosstimson)
- Rémy Greinhofer (rgreinho)
- Tom Hennen (TomHennen)
v0.6.0
Enhancements
- BREAKING: Moved `cosign upload-blob` to `cosign upload blob` (#378)
- BREAKING: Moved `cosign upload` to `cosign attach signature` (#378)
- BREAKING: Moved `cosign download` to `cosign download signature` (#392)
- Added flags to specify slot, PIN, and touch policies for security keys (Thank you @ddz #369)
- Added `cosign verify-dockerfile` command (#395)
- Added SBOM support in `cosign attach` and `cosign download sbom` (#387)
- Sign & verify images using Kubernetes secrets (A muchas muchas gracias to @developer-guy and @Dentrax #398)
- Added support for AWS KMS (谢谢, @codysoyland #426)
- Numerous enhancements to our build & release process, courtesy @cpanato
Bug Fixes
- Verify entry timestamp signatures of fetched Tlog entries (#371)
Contributors
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Carlos Panato (@cpanato)
- Cody Soyland (@codysoyland)
- Dan Lorenc (@dlorenc)
- Dino A. Dai Zovi (@ddz)
- Furkan Türkal (@Dentrax)
- Jason Hall (@imjasonh)
- Paris Zoumpouloglou (@zuBux)
- Priya Wadhwa (@priyawadhwa)
- Rémy Greinhofer (@rgreinho)
- Russell Brown (@rjbrown57)
cosign image available at gcr.io/projectsigstore/cosign:v0.6.0@sha256:2303322158802ec0452758578ac80801a3754ee9cb19c128fc5d1b2ec32fa2d2
Thanks to all contributors!
v0.5.0
Enhancements
- Added `cosign copy` to easily move images and signatures between repositories (#317)
- Added `-r` flag to `cosign sign` for recursively signing multi-arch images (#320)
- Added `cosign clean` to delete signatures for an image (Thanks, @developer-guy! #324)
- Added `-k8s` flag to `cosign generate-key-pair` to create a Kubernetes secret (Hell yeah, @priyawadhwa! #345)
Bug Fixes
- Fixed an issue with misdirected image signatures when `COSIGN_REPOSITORY` was used (#323)
Contributors
- Balazs Zachar (@Cajga)
- Batuhan Apaydın (@developer-guy)
- Dan Lorenc (@dlorenc)
- Furkan Turkal (@Dentrax)
- Jake Sanders (@dekkagaijin)
- Jon Johnson (@jonjohnsonjr)
- Priya Wadhwa (@priyawadhwa)
v0.4.0
The fourth installment in the Cosign technologic universe
Action Required
- Signatures created with `cosign` before v0.4.0 are not compatible with those created after
Enhancements
- 🎉 Added support for "offline" verification of Rekor signatures 🎉 (ありがとう, @priyawadhwa! #285)
- Support for Hashicorp vault as a KMS provider has been added (Danke, @RichiCoder1! sigstore/sigstore #44, sigstore/sigstore #49)
- Windows binaries! (Grazie, @pearcec #249)
Bug Fixes
- GCP KMS URIs now include the key version (sigstore/sigstore #45)
Contributors
- Christian Pearce (@pearcec)
- Dan Lorenc (@dlorenc)
- Jake Sanders (@dekkagaijin)
- Priya Wadhwa (@priyawadhwa)
- Richard Simpson (@RichiCoder1)
- Ross Timson (@rosstimson)
v0.3.1
A minor bugfix release
Bug Fixes
- Fixed CI container image breakage introduced in v0.3.0
- Fixed lack of version information in release binaries
v0.3.0
This is the third release of cosign!
We still expect many flags, commands, and formats to change going forward, but we're getting closer.
No backwards compatibility is promised or implied yet, though we are hoping to formalize this policy in the next release.
See #254 for more info.
Enhancements
- The `-output-file` flag supports writing output to a specific file
- The `-key` flag now supports `kms` references and URLs; the `kms`-specific flag has been removed
- Yubikey/PIV hardware support is now included!
- Support for signing and verifying multiple images in one invocation
Bug Fixes
- Bug fixes in KMS keypair generation
- Bug fixes in key type parsing
Contributors
- Dan Lorenc
- Priya Wadhwa
- Ivan Font
- Dependabot!
- Mark Bestavros
- Jake Sanders
- Carlos Tadeu Panato Junior
v0.2.0 Release
This is the second release of cosign! If you came for puns, check out yesterday's Twitter thread.
The release is available here in this repo, and on Google Cloud Storage in the bucket cosign-releases. This release is now cross-platform, so be careful with installer scripts! You can find that here:
```
$ gsutil ls gs://cosign-releases/v0.2.0/
gs://cosign-releases/v0.2.0/cosign-darwin-amd64
gs://cosign-releases/v0.2.0/cosign-darwin-amd64.sig
gs://cosign-releases/v0.2.0/cosign-linux-amd64
gs://cosign-releases/v0.2.0/cosign-linux-amd64.sig
```
Check out the full CHANGELOG.md for the details, but here are some highlights and lowlights:
This is the second release of cosign!
We still expect many flags, commands, and formats to change going forward, but we're getting closer.
No backwards compatibility is promised or implied.
Enhancements
- The password for private keys can now be passed via the `COSIGN_PASSWORD` environment variable
- KMS keys can now be used to sign and verify blobs
- The `version` command can now be used to return the release version
- The `public-key` command can now be used to extract the public key from KMS or a private key
- The `COSIGN_REPOSITORY` environment variable can be used to store signatures in an alternate location
- Tons of new EXAMPLES in our help text
Bug Fixes
- Improved error messages for command line flag verification
- TONS more unit and integration testing
- Too many others to count :)
Contributors
We would love to thank the contributors:
- Dan Lorenc
- Priya Wadhwa
- Ahmet Alp Balkan
- Naveen Srinivasan
- Chris Norman
- Jon Johnson
- Kim Lewandowski
- Luke Hinds
- Bob Callaway
- Dan POP
- eminks
- Mark Bestavros
- Jake Sanders