- Update to version 3.0.3:
* 4554: Closes 4554 - Add warning when --output* is used (#4556)
* chore(deps): bump golangci/golangci-lint-action from 8.0.0 to 9.1.0 (#4545)
* chore(deps): bump github.com/buildkite/agent/v3 from 3.111.0 to 3.113.0 (#4542)
* chore(deps): bump github.com/awslabs/amazon-ecr-credential-helper/ecr-login (#4543)
* chore(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#4546)
* chore(deps): bump the actions group with 4 updates (#4544)
* chore(deps): bump the gomod group across 1 directory with 5 updates (#4567)
* chore(deps): bump golang from 1.25.4 to 1.25.5 in the all group (#4568)
* update builder to use go1.25.5 (#4566)
* Protobuf bundle support for subcommand `clean` (#4539)
* Add staging flag to initialize with staging TUF metadata
* update slack invite link (#4560)
* Updating sign-blob to also support signing with a certificate (#4547)
* Bump sigstore library dependencies (#4532)
* Protobuf bundle support for subcommands `save` and `load` (#4538)
* Fix cert attachment for new bundle with signing config
* Fix OCI verification with local cert - old bundle
* chore(deps): bump github.com/sigstore/fulcio from 1.7.1 to 1.8.1 (#4519)
* chore(deps): bump golang.org/x/crypto in /test/fakeoidc (#4535)
* chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#4536)
* update go builder and cosign (#4529)
* chore(deps): bump the gomod group across 1 directory with 7 updates (#4528)
* chore(deps): bump sigstore/cosign-installer from 3.10.0 to 4.0.0 (#4478)
* chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4520)
* chore(deps): bump golang from 1.25.3 to 1.25.4 in the all group (#4515)
* chore(deps): bump golang.org/x/oauth2 from 0.32.0 to 0.33.0 (#4518)
* chore(deps): bump cuelang.org/go from 0.14.2 to 0.15.0 (#4524)
* chore(deps): bump github.com/open-policy-agent/opa from 1.9.0 to 1.10.1 (#4521)
* chore(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#4502) (forwarded request 1322929 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1323778
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cosign?expand=0&rev=30
* 4554: Closes 4554 - Add warning when --output* is used (#4556)
* chore(deps): bump golangci/golangci-lint-action from 8.0.0 to 9.1.0 (#4545)
* chore(deps): bump github.com/buildkite/agent/v3 from 3.111.0 to 3.113.0 (#4542)
* chore(deps): bump github.com/awslabs/amazon-ecr-credential-helper/ecr-login (#4543)
* chore(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#4546)
* chore(deps): bump the actions group with 4 updates (#4544)
* chore(deps): bump the gomod group across 1 directory with 5 updates (#4567)
* chore(deps): bump golang from 1.25.4 to 1.25.5 in the all group (#4568)
* update builder to use go1.25.5 (#4566)
* Protobuf bundle support for subcommand `clean` (#4539)
* Add staging flag to initialize with staging TUF metadata
* update slack invite link (#4560)
* Updating sign-blob to also support signing with a certificate (#4547)
* Bump sigstore library dependencies (#4532)
* Protobuf bundle support for subcommands `save` and `load` (#4538)
* Fix cert attachment for new bundle with signing config
* Fix OCI verification with local cert - old bundle
* chore(deps): bump github.com/sigstore/fulcio from 1.7.1 to 1.8.1 (#4519)
* chore(deps): bump golang.org/x/crypto in /test/fakeoidc (#4535)
* chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#4536)
* update go builder and cosign (#4529)
* chore(deps): bump the gomod group across 1 directory with 7 updates (#4528)
* chore(deps): bump sigstore/cosign-installer from 3.10.0 to 4.0.0 (#4478)
* chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4520)
* chore(deps): bump golang from 1.25.3 to 1.25.4 in the all group (#4515)
* chore(deps): bump golang.org/x/oauth2 from 0.32.0 to 0.33.0 (#4518)
* chore(deps): bump cuelang.org/go from 0.14.2 to 0.15.0 (#4524)
* chore(deps): bump github.com/open-policy-agent/opa from 1.9.0 to 1.10.1 (#4521)
* chore(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#4502)
OBS-URL: https://build.opensuse.org/package/show/security/cosign?expand=0&rev=60
- Update to version 2.6.0:
- Require exclusively a SigningConfig or service URLs when signing (#4403)
- Add a terminal spinner while signing with sigstore-go (#4402)
- Bump sigstore-go, support alternative hash algorithms with keys (#4386)
- Add support for SigningConfig in sign/attest (#4371)
- Support self-managed keys when signing with sigstore-go (#4368)
- Remove SHA256 assumption in sign-blob/verify-blob (#4050)
- introduce dockerfile to pin the go version to decouple go version from go.mod (#4369)
- refactor: extract function to write referrer attestations (#4357)
- Break import cycle with e2e build tag (#4370)
- Update conformance test binary for signing config (#4367)
- update builder image to use go1.25 (#4366)
- Don't load content from TUF if trusted root path is specified (#4347)
- Don't require timestamps when verifying with a key (#4337)
- Fixes to cosign sign / verify for the new bundle format (#4346)
- update builder to use go1.24.6 (#4334)
- bump golangci-lint to v2.3.x (#4333)
- Have cosign sign support bundle format (#4316)
- Add support for SigningConfig for sign-blob/attest-blob, support Rekor v2 (#4319)
- Verify subject with bundle only when checking claims (#4320)
- Add to `attest-blob` the ability to supply a complete in-toto statement, and add to `verify-blob-attestation` the ability to verify with just a digest (#4306) (forwarded request 1305826 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1305829
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cosign?expand=0&rev=29
- Require exclusively a SigningConfig or service URLs when signing (#4403)
- Add a terminal spinner while signing with sigstore-go (#4402)
- Bump sigstore-go, support alternative hash algorithms with keys (#4386)
- Add support for SigningConfig in sign/attest (#4371)
- Support self-managed keys when signing with sigstore-go (#4368)
- Remove SHA256 assumption in sign-blob/verify-blob (#4050)
- introduce dockerfile to pin the go version to decouple go version from go.mod (#4369)
- refactor: extract function to write referrer attestations (#4357)
- Break import cycle with e2e build tag (#4370)
- Update conformance test binary for signing config (#4367)
- update builder image to use go1.25 (#4366)
- Don't load content from TUF if trusted root path is specified (#4347)
- Don't require timestamps when verifying with a key (#4337)
- Fixes to cosign sign / verify for the new bundle format (#4346)
- update builder to use go1.24.6 (#4334)
- bump golangci-lint to v2.3.x (#4333)
- Have cosign sign support bundle format (#4316)
- Add support for SigningConfig for sign-blob/attest-blob, support Rekor v2 (#4319)
- Verify subject with bundle only when checking claims (#4320)
- Add to `attest-blob` the ability to supply a complete in-toto statement, and add to `verify-blob-attestation` the ability to verify with just a digest (#4306)
OBS-URL: https://build.opensuse.org/package/show/security/cosign?expand=0&rev=58
- Update to version 2.5.3 (jsc#SLE-23879)
- Add signing-config create command (#4280)
- Allow multiple services to be specified for trusted-root create (#4285)
- force when copying the latest image to overwrite (#4298)
- Fix cert verification logic for trusted-root/SCTs (#4294)
- Fix lint error for types package (#4295)
- feat: Add OCI 1.1+ experimental support to tree (#4205)
- Add validity period end for trusted-root create (#4271)
- avoid double-loading trustedroot from file (#4264)
- Update to 2.5.2:
- Do not load trusted root when CT env key is set
- docs: improve doc for --no-upload option (#4206)
- Update to 2.5.1:
* Features
- Add Rekor v2 support for trusted-root create (#4242)
- Add baseUrl and Uri to trusted-root create command
- Upgrade to TUF v2 client with trusted root
- Don't verify SCT for a private PKI cert (#4225)
- Bump TSA library to relax EKU chain validation rules (#4219)
* Bug Fixes
- Bump sigstore-go to pick up log index=0 fix (#4162)
- remove unused recursive flag on attest command (#4187)
* Docs
- Fix indentation in verify-blob cmd examples (#4160)
* GO-2025-3660 / CVE-2025-46569: Fixed OPA server Data API HTTP path injection of Rego (bsc#1246725)
- switch to go1.24, enable fips build
OBS-URL: https://build.opensuse.org/request/show/1294392
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cosign?expand=0&rev=28
- Update to version 2.5.3 (jsc#SLE-23879)
- Add signing-config create command (#4280)
- Allow multiple services to be specified for trusted-root create (#4285)
- force when copying the latest image to overwrite (#4298)
- Fix cert verification logic for trusted-root/SCTs (#4294)
- Fix lint error for types package (#4295)
- feat: Add OCI 1.1+ experimental support to tree (#4205)
- Add validity period end for trusted-root create (#4271)
- avoid double-loading trustedroot from file (#4264)
- Update to 2.5.2:
- Do not load trusted root when CT env key is set
- docs: improve doc for --no-upload option (#4206)
- Update to 2.5.1:
* Features
- Add Rekor v2 support for trusted-root create (#4242)
- Add baseUrl and Uri to trusted-root create command
- Upgrade to TUF v2 client with trusted root
- Don't verify SCT for a private PKI cert (#4225)
- Bump TSA library to relax EKU chain validation rules (#4219)
* Bug Fixes
- Bump sigstore-go to pick up log index=0 fix (#4162)
- remove unused recursive flag on attest command (#4187)
* Docs
- Fix indentation in verify-blob cmd examples (#4160)
* GO-2025-3660 / CVE-2025-46569: Fixed OPA server Data API HTTP path injection of Rego
- switch to go1.24, enable fips build
OBS-URL: https://build.opensuse.org/request/show/1294378
OBS-URL: https://build.opensuse.org/package/show/security/cosign?expand=0&rev=55
- Update to version 2.5.0:
* Update sigstore-go to pick up bug fixes (#4150)
* Update golangci-lint to v2, update golangci-lint-action (#4143)
* Feat/non filename completions (#4115)
* update builder to use go1.24.1 (#4116)
* Add support for new bundle specification for attesting/verifying OCI image attestations (#3889)
* Remove cert log line (#4113)
* cmd/cosign/cli: fix typo in ignoreTLogMessage (#4111)
* bump to latest scaffolding release for testing (#4099)
* increase 2e2_test docker compose timeout to 180s (#4091)
* Fix replace with compliant image mediatype (#4077)
* Add TSA certificate related flags and fields for cosign attest (#4079)
- Security issues fixed:
- CVE-2024-6104: cosign: hashicorp/go-retryablehttp: url might write sensitive information to log file (bsc#1227031)
- CVE-2024-51744: cosign: github.com/golang-jwt/jwt/v4: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt (bsc#1232985)
- CVE-2025-27144: cosign: github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: Go JOSE's Parsing Vulnerable to Denial of Service (bsc#1237682)
- CVE-2025-22870: cosign: golang.org/x/net/proxy: proxy bypass using IPv6 zone IDs (bsc#1238693)
- CVE-2025-22868: cosign: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239204)
- CVE-2025-22869: cosign: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239337) (forwarded request 1268967 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1268968
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cosign?expand=0&rev=27
* Update sigstore-go to pick up bug fixes (#4150)
* Update golangci-lint to v2, update golangci-lint-action (#4143)
* Feat/non filename completions (#4115)
* update builder to use go1.24.1 (#4116)
* Add support for new bundle specification for attesting/verifying OCI image attestations (#3889)
* Remove cert log line (#4113)
* cmd/cosign/cli: fix typo in ignoreTLogMessage (#4111)
* bump to latest scaffolding release for testing (#4099)
* increase 2e2_test docker compose timeout to 180s (#4091)
* Fix replace with compliant image mediatype (#4077)
* Add TSA certificate related flags and fields for cosign attest (#4079)
- Security issues fixed:
- CVE-2024-6104: cosign: hashicorp/go-retryablehttp: url might write sensitive information to log file (bsc#1227031)
- CVE-2024-51744: cosign: github.com/golang-jwt/jwt/v4: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt (bsc#1232985)
- CVE-2025-27144: cosign: github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: Go JOSE's Parsing Vulnerable to Denial of Service (bsc#1237682)
- CVE-2025-22870: cosign: golang.org/x/net/proxy: proxy bypass using IPv6 zone IDs (bsc#1238693)
- CVE-2025-22868: cosign: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239204)
- CVE-2025-22869: cosign: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239337)
OBS-URL: https://build.opensuse.org/package/show/security/cosign?expand=0&rev=53
- Update to version 2.4.3:
* Enable fetching signatures without remote get. (#4047)
* Bump sigstore/sigstore to support KMS plugins (#4073)
* sort properly Go imports (#4071)
* sync comment with parameter name in function signature (#4063)
* fix go imports order to be alphabetical (#4062)
* fix comment typo and imports order (#4061)
* Feat/file flag completion improvements (#4028)
* Update builder to use go1.23.6 (#4052)
* Refactor verifyNewBundle into library function (#4013)
* fix parsing error in --only for cosign copy (#4049)
* Fix codeowners syntax, add dep-maintainers (#4046) (forwarded request 1247438 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1247439
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cosign?expand=0&rev=26
* Enable fetching signatures without remote get. (#4047)
* Bump sigstore/sigstore to support KMS plugins (#4073)
* sort properly Go imports (#4071)
* sync comment with parameter name in function signature (#4063)
* fix go imports order to be alphabetical (#4062)
* fix comment typo and imports order (#4061)
* Feat/file flag completion improvements (#4028)
* Update builder to use go1.23.6 (#4052)
* Refactor verifyNewBundle into library function (#4013)
* fix parsing error in --only for cosign copy (#4049)
* Fix codeowners syntax, add dep-maintainers (#4046)
OBS-URL: https://build.opensuse.org/package/show/security/cosign?expand=0&rev=51
- Update to version 2.4.2:
- Updated open-policy-agent to 1.1.0 library (#4036)
- Note that only Rego v0 policies are supported at this time
- Add UseSignedTimestamps to CheckOpts, refactor TSA options (#4006)
- Add support for verifying root checksum in cosign initialize (#3953)
- Detect if user supplied a valid protobuf bundle (#3931)
- Add a log message if user doesn't provide --trusted-root (#3933)
- Support mTLS towards container registry (#3922)
- Add bundle create helper command (#3901)
- Add trusted-root create helper command (#3876)
Bug Fixes:
- fix: set tls config while retaining other fields from default http transport (#4007)
- policy fuzzer: ignore known panics (#3993)
- Fix for multiple WithRemote options (#3982)
- Add nightly conformance test workflow (#3979)
- Fix copy --only for signatures + update/align docs (#3904)
- use "osc service mr" to update
OBS-URL: https://build.opensuse.org/request/show/1243310
OBS-URL: https://build.opensuse.org/package/show/security/cosign?expand=0&rev=48
- update to 2.4.0 (jsc#SLE-23879)
- Add new bundle support to verify-blob and verify-blob-attestation (#3796)
- Adding protobuf bundle support to sign-blob and attest-blob (#3752)
- Bump sigstore/sigstore to support email_verified as string or boolean (#3819)
- Conformance testing for cosign (#3806)
- move incremental builds per commit to GHCR instead of GCR (#3808)
- Add support for recording creation timestamp for cosign attest (#3797)
- Include SCT verification failure details in error message (#3799) (forwarded request 1205245 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1205246
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cosign?expand=0&rev=24
- Add new bundle support to verify-blob and verify-blob-attestation (#3796)
- Adding protobuf bundle support to sign-blob and attest-blob (#3752)
- Bump sigstore/sigstore to support email_verified as string or boolean (#3819)
- Conformance testing for cosign (#3806)
- move incremental builds per commit to GHCR instead of GCR (#3808)
- Add support for recording creation timestamp for cosign attest (#3797)
- Include SCT verification failure details in error message (#3799)
OBS-URL: https://build.opensuse.org/package/show/security/cosign?expand=0&rev=46
- update to 2.3.0 (jsc#SLE-23879)
* Features
- Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#3693)
- add registry options to cosign save (#3645)
- Add debug providers command. (#3728)
- Make config layers in ociremote mountable (#3741)
- adds tsa cert chain check for env var or tuf targets. (#3600)
- add --ca-roots and --ca-intermediates flags to 'cosign verify' (#3464)
- add handling of keyless verification for all verify commands (#3761)
* Bug Fixes
- fix: close attestationFile (#3679)
- Set bundleVerified to true after Rekor verification (Resolves #3740) (#3745)
* Documentation
- Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#3776) (forwarded request 1189438 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1189439
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cosign?expand=0&rev=22
* Features
- Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#3693)
- add registry options to cosign save (#3645)
- Add debug providers command. (#3728)
- Make config layers in ociremote mountable (#3741)
- adds tsa cert chain check for env var or tuf targets. (#3600)
- add --ca-roots and --ca-intermediates flags to 'cosign verify' (#3464)
- add handling of keyless verification for all verify commands (#3761)
* Bug Fixes
- fix: close attestationFile (#3679)
- Set bundleVerified to true after Rekor verification (Resolves #3740) (#3745)
* Documentation
- Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#3776)
OBS-URL: https://build.opensuse.org/package/show/security/cosign?expand=0&rev=42
- updated to 2.2.4 (jsc#SLE-23879)
* Bug Fixes
* Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
- CVE-2024-29902: Malicious attachments can cause system-wide denial of service (bsc#1222835)
- CVE-2024-29903: Malicious artifacts can cause machine-wide denial of service (bsc#1222837)
* ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
* fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
* Honor creation timestamp for signatures again (#3549)
* Features
* Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)
* Documentation
* add oci bundle spec (#3622)
* Correct help text of triangulate cmd (#3551)
* Correct help text of verify-attestation policy argument (#3527)
* feat: add OVHcloud MPR registry tested with cosign (#3639) (forwarded request 1167810 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1167811
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cosign?expand=0&rev=20
- updated to 2.2.4 (jsc#SLE-23879)
* Bug Fixes
* Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
- CVE-2024-29902: Malicious attachments can cause system-wide denial of service (bsc#1222835)
- CVE-2024-29903: Malicious artifacts can cause machine-wide denial of service (bsc#1222837)
* ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
* fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
* Honor creation timestamp for signatures again (#3549)
* Features
* Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)
* Documentation
* add oci bundle spec (#3622)
* Correct help text of triangulate cmd (#3551)
* Correct help text of verify-attestation policy argument (#3527)
* feat: add OVHcloud MPR registry tested with cosign (#3639)
OBS-URL: https://build.opensuse.org/request/show/1167810
OBS-URL: https://build.opensuse.org/package/show/security/cosign?expand=0&rev=38
- updated to 2.2.3 (jsc#SLE-23879)
Bug Fixes:
* Fix race condition on verification with multiple signatures attached to image (#3486)
* fix(clean): Fix clean cmd for private registries (#3446)
* Fixed BYO PKI verification (#3427)
Features:
* Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
* Add support for OpenVEX predicate type (#3405)
Documentation:
* Resolves #3088: `version` sub-command expected behaviour documentation and testing (#3447)
* add examples for cosign attach signature cmd (#3468)
Misc:
* Remove CertSubject function (#3467)
* Use local rekor and fulcio instances in e2e tests (#3478)
- bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207) (forwarded request 1143629 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1143630
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cosign?expand=0&rev=19
- updated to 2.2.3 (jsc#SLE-23879)
Bug Fixes:
* Fix race condition on verification with multiple signatures attached to image (#3486)
* fix(clean): Fix clean cmd for private registries (#3446)
* Fixed BYO PKI verification (#3427)
Features:
* Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
* Add support for OpenVEX predicate type (#3405)
Documentation:
* Resolves #3088: `version` sub-command expected behaviour documentation and testing (#3447)
* add examples for cosign attach signature cmd (#3468)
Misc:
* Remove CertSubject function (#3467)
* Use local rekor and fulcio instances in e2e tests (#3478)
- bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)
OBS-URL: https://build.opensuse.org/request/show/1143629
OBS-URL: https://build.opensuse.org/package/show/security/cosign?expand=0&rev=36
- updated to 2.2.2 (jsc#SLE-23879)
v2.2.2 adds a new container with a shell,
gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing
container gcr.io/projectsigstore/cosign:vx.y.z without a shell.
For private deployments, we have also added an alias for
--insecure-skip-log, --private-infrastructure.
Bug Fixes:
* chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411) which fixes a bug with using Azure KMS
* Don't require CT log keys if using a key/sk (#3415)
* Fix copy without any flag set (#3409)
* Update cosign generate cmd to not include newline (#3393)
* Fix idempotency error with signing (#3371)
Features:
* Add --yes flag cosign import-key-pair to skip the overwrite confirmation. (#3383)
* Use the timeout flag value in verify* commands. (#3391)
* add --private-infrastructure flag (#3369)
Container Updates:
* Bump builder image to use go1.21.4 and add new cosign image tags with shell (#3373)
Documentation:
* Update SBOM_SPEC.md (#3358)
OBS-URL: https://build.opensuse.org/request/show/1132643
OBS-URL: https://build.opensuse.org/package/show/security/cosign?expand=0&rev=34
- updated to 2.2.1 (jsc#SLE-23879)
This release comes with a fix for CVE-2023-46737 / bsc#1216933 described in this [GitHub Security Advisory](https://github.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9).
Enhancements:
* feat: Support basic auth and bearer auth login to registry (#3310)
* add support for ignoring certificates with pkcs11 (#3334)
* Support ReplaceOp in Signatures (#3315)
* feat: added ability to get image digest back via triangulate (#3255)
* feat: add `--only` flag in `cosign copy` to copy sign, att & sbom (#3247)
* feat: add support attaching a Rekor bundle to a container (#3246)
* feat: add support outputting rekor response on signing (#3248)
* feat: improve dockerfile verify subcommand (#3264)
* Add guard flag for experimental OCI 1.1 verify. (#3272)
* Deprecate SBOM attachments (#3256)
* feat: dedent line in cosign copy doc (#3244)
* feat: add platform flag to cosign copy command (#3234)
* Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)
* attest: pass OCI remote opts to att resolver. (#3225)
Bug Fixes:
* Merge pull request from GHSA-vfp6-jrw2-99g9
* fix: allow cosign download sbom when image is absent (#3245)
* ci: add a OCI registry test for referrers support (#3253)
* Fix ReplaceSignatures (#3292)
* Stop using deprecated in_toto.ProvenanceStatement (#3243)
* Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237)
* fix: update error in `SignedEntity` to be more descriptive (#3233)
* Fail timestamp verification if no root is provided (#3224)
Documentation:
* Add some docs about verifying in an air-gapped environment (#3321) (forwarded request 1123989 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1124000
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cosign?expand=0&rev=17
- updated to 2.2.1 (jsc#SLE-23879)
This release comes with a fix for CVE-2023-46737 / bsc#1216933 described in this [GitHub Security Advisory](https://github.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9).
Enhancements:
* feat: Support basic auth and bearer auth login to registry (#3310)
* add support for ignoring certificates with pkcs11 (#3334)
* Support ReplaceOp in Signatures (#3315)
* feat: added ability to get image digest back via triangulate (#3255)
* feat: add `--only` flag in `cosign copy` to copy sign, att & sbom (#3247)
* feat: add support attaching a Rekor bundle to a container (#3246)
* feat: add support outputting rekor response on signing (#3248)
* feat: improve dockerfile verify subcommand (#3264)
* Add guard flag for experimental OCI 1.1 verify. (#3272)
* Deprecate SBOM attachments (#3256)
* feat: dedent line in cosign copy doc (#3244)
* feat: add platform flag to cosign copy command (#3234)
* Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)
* attest: pass OCI remote opts to att resolver. (#3225)
Bug Fixes:
* Merge pull request from GHSA-vfp6-jrw2-99g9
* fix: allow cosign download sbom when image is absent (#3245)
* ci: add a OCI registry test for referrers support (#3253)
* Fix ReplaceSignatures (#3292)
* Stop using deprecated in_toto.ProvenanceStatement (#3243)
* Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237)
* fix: update error in `SignedEntity` to be more descriptive (#3233)
* Fail timestamp verification if no root is provided (#3224)
Documentation:
* Add some docs about verifying in an air-gapped environment (#3321)
OBS-URL: https://build.opensuse.org/request/show/1123989
OBS-URL: https://build.opensuse.org/package/show/security/cosign?expand=0&rev=32
- updated to 2.2.0 (jsc#SLE-23879)
- Enhancements
* switch to uploading DSSE types to rekor instead of intoto (#3113)
* add 'cosign sign' command-line parameters for mTLS (#3052)
* improve error messages around bundle != payload hash (#3146)
* make VerifyImageAttestation function public (#3156)
* Switch to cryptoutils function for SANS (#3185)
* Handle HTTP_1_1_REQUIRED errors in github provider (#3172)
- Bug Fixes
* Fix nondeterministic timestamps (#3121)
- Documentation
* doc: Add example of sign-blob with key in env var (#3152)
* add deprecation notice for cosign-releases GCS bucket (#3148)
* update doc links (#3186)
- updated to 2.1.1 (jsc#SLE-23879)
- Bug Fixes
- wait for the workers to become available again to continue the execution (#3084)
- fix help text when in a container (#3082)
- updated to 2.1.0 (jsc#SLE-23879)
- Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag.
- Enhancements
- Verify sigs and attestations in parallel (#3066)
- Deep inspect attestations when filtering download (#3031)
- refactor bundle validation code, add support for DSSE rekor type (#3016)
- Allow overriding remote options (#3049)
- feat: adds no cert found on sig exit code (#3038)
- Make predicate a required flag in attest commands (#3033)
- Added support for attaching Time stamp authority Response in attach command (#3001)
- Add sign --sign-container-identity CLI (#2984) (forwarded request 1108431 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1108432
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cosign?expand=0&rev=16
- updated to 2.2.0 (jsc#SLE-23879)
- Enhancements
* switch to uploading DSSE types to rekor instead of intoto (#3113)
* add 'cosign sign' command-line parameters for mTLS (#3052)
* improve error messages around bundle != payload hash (#3146)
* make VerifyImageAttestation function public (#3156)
* Switch to cryptoutils function for SANS (#3185)
* Handle HTTP_1_1_REQUIRED errors in github provider (#3172)
- Bug Fixes
* Fix nondeterministic timestamps (#3121)
- Documentation
* doc: Add example of sign-blob with key in env var (#3152)
* add deprecation notice for cosign-releases GCS bucket (#3148)
* update doc links (#3186)
- updated to 2.1.1 (jsc#SLE-23879)
- Bug Fixes
- wait for the workers to become available again to continue the execution (#3084)
- fix help text when in a container (#3082)
- updated to 2.1.0 (jsc#SLE-23879)
- Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag.
- Enhancements
- Verify sigs and attestations in parallel (#3066)
- Deep inspect attestations when filtering download (#3031)
- refactor bundle validation code, add support for DSSE rekor type (#3016)
- Allow overriding remote options (#3049)
- feat: adds no cert found on sig exit code (#3038)
- Make predicate a required flag in attest commands (#3033)
- Added support for attaching Time stamp authority Response in attach command (#3001)
- Add sign --sign-container-identity CLI (#2984)
OBS-URL: https://build.opensuse.org/request/show/1108431
OBS-URL: https://build.opensuse.org/package/show/security/cosign?expand=0&rev=30
- update to 2.0.0 (jsc#SLE-23879)
Breaking Changes:
* insecure-skip-tlog-verify: rename and adapt the cert expiration check (#2620)
* Deprecate --certificate-email flag. Make --certificate-identity and -… (#2411)
Enhancements:
* Change go module name to github.com/sigstore/cosign/v2 for Cosign 2.0 (#2544)
* Allow users to pass in a path for the --identity-token flag (#2538)
* Breaking change: Respect tlog-upload=false, default to true (#2505)
* Support outputting a certificate without uploading to the tlog (#2506)
* Attestation/Blob signing and verification using a RFC3161 time-stamping server (#2464)
* respect tlog-upload flag with TSA (#2474)
* Better feedback if specifying incompatible argument on cosign sign --attachment (#2449)
* Support TSA and Rekor verifications (#2463)
* add support for tsa signing and verification of images (#2460)
* cosign policy sign: remove experimental flag and make keyless signing default (#2459)
* Remove experimental mode from cosign attest and verify-attestation (#2458)
* Remove experimental mode from sign-blob and verify-blob (#2457)
* Add --offline flag to force offline verification (#2427)
* Air gap support (#2299)
* Breaking change: Change SCT verification behavior to default to enforcement (#2400)
* Breaking change: remove --force flag from sign and attest and rely on --yes flag to skip confirmation (#2399)
* Breaking change: replace --no-tlog-upload flag with --tlog-upload flag (#2397)
* Remove experimental flag from cosign sign and cosign verify (#2387)
* verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a key from rekor's API (#2362)
* Add warning to use digest instead of tags to other cosign commands (#2650)
* Fix up UI messages (#2629)
* Remove hardcoded Fulcio from output (#2621)
* Fix missing privacy statement, print in multiple locations (#2622)
* feat: allows custom key names for import-key-pair (#2587)
* feat: support keyless verification for verify-blob-attestation (#2525) (forwarded request 1067997 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1067999
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cosign?expand=0&rev=13
- update to 2.0.0 (jsc#SLE-23879)
Breaking Changes:
* insecure-skip-tlog-verify: rename and adapt the cert expiration check (#2620)
* Deprecate --certificate-email flag. Make --certificate-identity and -… (#2411)
Enhancements:
* Change go module name to github.com/sigstore/cosign/v2 for Cosign 2.0 (#2544)
* Allow users to pass in a path for the --identity-token flag (#2538)
* Breaking change: Respect tlog-upload=false, default to true (#2505)
* Support outputting a certificate without uploading to the tlog (#2506)
* Attestation/Blob signing and verification using a RFC3161 time-stamping server (#2464)
* respect tlog-upload flag with TSA (#2474)
* Better feedback if specifying incompatible argument on cosign sign --attachment (#2449)
* Support TSA and Rekor verifications (#2463)
* add support for tsa signing and verification of images (#2460)
* cosign policy sign: remove experimental flag and make keyless signing default (#2459)
* Remove experimental mode from cosign attest and verify-attestation (#2458)
* Remove experimental mode from sign-blob and verify-blob (#2457)
* Add --offline flag to force offline verification (#2427)
* Air gap support (#2299)
* Breaking change: Change SCT verification behavior to default to enforcement (#2400)
* Breaking change: remove --force flag from sign and attest and rely on --yes flag to skip confirmation (#2399)
* Breaking change: replace --no-tlog-upload flag with --tlog-upload flag (#2397)
* Remove experimental flag from cosign sign and cosign verify (#2387)
* verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a key from rekor's API (#2362)
* Add warning to use digest instead of tags to other cosign commands (#2650)
* Fix up UI messages (#2629)
* Remove hardcoded Fulcio from output (#2621)
* Fix missing privacy statement, print in multiple locations (#2622)
* feat: allows custom key names for import-key-pair (#2587)
* feat: support keyless verification for verify-blob-attestation (#2525)
OBS-URL: https://build.opensuse.org/request/show/1067997
OBS-URL: https://build.opensuse.org/package/show/security/cosign?expand=0&rev=24
- update to 1.12.1:
* fix: Pulls Fulcio root and intermediate when --certificate-chain is not
passed into verify-blob command. The v1.12.0 release introduced a
regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would
check a --certificate (without a --certificate-chain provided) against the
operating system root CA bundle. In this release, Cosign checks the
certificate against Fulcio's CA root instead (restoring the earlier
behavior).
* fix: fix cert chain validation for verify-blob in non-experimental mode
* fix: add COSIGN_EXPERIMENTAL=1 for verify-blob
* Fix BYO-root with intermediate to fetch intermediates from annotation
* fix: fixing breaking changes in rekor v1.12.0 upgrade
- use go-modules service to generate the vendor.tar and use zstd (forwarded request 1006385 from dirkmueller)
OBS-URL: https://build.opensuse.org/request/show/1006386
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cosign?expand=0&rev=11
- update to 1.12.1:
* fix: Pulls Fulcio root and intermediate when --certificate-chain is not
passed into verify-blob command. The v1.12.0 release introduced a
regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would
check a --certificate (without a --certificate-chain provided) against the
operating system root CA bundle. In this release, Cosign checks the
certificate against Fulcio's CA root instead (restoring the earlier
behavior).
* fix: fix cert chain validation for verify-blob in non-experimental mode
* fix: add COSIGN_EXPERIMENTAL=1 for verify-blob
* Fix BYO-root with intermediate to fetch intermediates from annotation
* fix: fixing breaking changes in rekor v1.12.0 upgrade
- use go-modules service to generate the vendor.tar and use zstd
OBS-URL: https://build.opensuse.org/request/show/1006385
OBS-URL: https://build.opensuse.org/package/show/security/cosign?expand=0&rev=20
- updated to 1.12.0 (jsc#SLE-23879)
- CVE-2022-36056: Fixed that verify-blob could successfully verify an artifact when verification should have failed (bsc#1203430)
- Support non-ECDSA key types for verify-blob by @haydentherapper in #2203
- feat: integrate Alibaba Cloud Container Registry cred helper by @mozillazg in #2008
- remove double quotes, looks like it is passing as a single string to cosign and not as an array by @cpanato in #2205
- Clarify error when KMS provider fails to load by @znewman01 in #2220
- feat: set annotations to generate additional bash completion information by @dirien in #2221
- Add deprecation warning for sget CLI and packages by @imjasonh in #2019
- upgrade setup-ko to point to new repo by @imjasonh in #2225
- Temp fix for e2e test by @haydentherapper in #2247
- update kind to use release v0.15.0 and some version comments by @cpanato in #2246
- Fix e2e test failure, add test for local bundle without rekor bundle by @haydentherapper in #2248
- fix: fix secret test, non-experimental bundle should pass by @asraa in #2249
- updated to 1.11.1
- add stale workflow using the workflow template by @cpanato in #2175
- Update Scorecard action to v2:alpha by @azeemshaikh38 in #2177
- add release cadence section in the readme by @cpanato in #2179
- feat: Rework fig autocomplete command by @dirien in #2187
- fix: fix typo that caused attestation verification failure by @asraa in #2199
- updated to 1.11.0
- Verify the certificate chain against the Fulcio root trust by default by @wata727 in #2139
- Add notes to clarify registry use. by @bendory in #2145
- Use TUF from scaffolding for validating cosign. by @vaikas in #2146
- docs: clarify wording in spec about usage of certificate chain by @asraa in #2152
- fix: fix blob verification output with sharded rekor tlogs by @asraa in #2157
- fix: adds envelope hash to in-toto entries in tlog entry creation by @nkreiger in #2118
- fix handling of verify-attestation types for URIs by @otms61 in #2159
- fix oidc post-merge job by @cpanato in #2164
- Remove third_party by @imjasonh in #2166
- use updated device flow logic with PKCE by @bobcallaway in #2163 (forwarded request 1003867 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1003868
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cosign?expand=0&rev=10
- updated to 1.12.0 (jsc#SLE-23879)
- CVE-2022-36056: Fixed that verify-blob could successfully verify an artifact when verification should have failed (bsc#1203430)
- Support non-ECDSA key types for verify-blob by @haydentherapper in #2203
- feat: integrate Alibaba Cloud Container Registry cred helper by @mozillazg in #2008
- remove double quotes, looks like it is passing as a single string to cosign and not as an array by @cpanato in #2205
- Clarify error when KMS provider fails to load by @znewman01 in #2220
- feat: set annotations to generate additional bash completion information by @dirien in #2221
- Add deprecation warning for sget CLI and packages by @imjasonh in #2019
- upgrade setup-ko to point to new repo by @imjasonh in #2225
- Temp fix for e2e test by @haydentherapper in #2247
- update kind to use release v0.15.0 and some version comments by @cpanato in #2246
- Fix e2e test failure, add test for local bundle without rekor bundle by @haydentherapper in #2248
- fix: fix secret test, non-experimental bundle should pass by @asraa in #2249
- updated to 1.11.1
- add stale workflow using the workflow template by @cpanato in #2175
- Update Scorecard action to v2:alpha by @azeemshaikh38 in #2177
- add release cadence section in the readme by @cpanato in #2179
- feat: Rework fig autocomplete command by @dirien in #2187
- fix: fix typo that caused attestation verification failure by @asraa in #2199
- updated to 1.11.0
- Verify the certificate chain against the Fulcio root trust by default by @wata727 in #2139
- Add notes to clarify registry use. by @bendory in #2145
- Use TUF from scaffolding for validating cosign. by @vaikas in #2146
- docs: clarify wording in spec about usage of certificate chain by @asraa in #2152
- fix: fix blob verification output with sharded rekor tlogs by @asraa in #2157
- fix: adds envelope hash to in-toto entries in tlog entry creation by @nkreiger in #2118
- fix handling of verify-attestation types for URIs by @otms61 in #2159
- fix oidc post-merge job by @cpanato in #2164
- Remove third_party by @imjasonh in #2166
- use updated device flow logic with PKCE by @bobcallaway in #2163
OBS-URL: https://build.opensuse.org/request/show/1003867
OBS-URL: https://build.opensuse.org/package/show/security/cosign?expand=0&rev=18
- updated to 1.10.1 (jsc#SLE-23879)
- CVE-2022-35929: Fixed that cosign verify-attestation --type can
report a false positive if any attestation exists (GHSA-vjxv-45g9-9296)
(bsc#1202157)
- What else changed:
- add flag to allow skipping upload to transparency log by @k4leung4 in #2089
- Improve error message when no sigs/atts are found for an image by @imjasonh in #2101
- Change Result in Vulnerability Attestation to interface{} by @knqyf263 in #2096
- Fix field names in the vulnerability attestation by @otms61 in #2099
- remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint by @cpanato in #2105
- Enable Scorecard badge by @azeemshaikh38 in #2109
- Resolves #522 set Created date to time of execution by @Lerentis in #2108
- Introduce a custom error type to classify errors. by @mattmoor in #2114
- feat: attach: attestation: allow passing multiple payloads by @Dentrax in #2085
- update cross-builder to go1.18.5 and cosign image to 1.10.0 by @cpanato in #2119
- chore: fix documentation and warning on using untrusted rekor key by @asraa in #2124
- Correct the type used for attest by @mattmoor in #2128 (forwarded request 993341 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/993342
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cosign?expand=0&rev=9
- updated to 1.10.1 (jsc#SLE-23879)
- CVE-2022-35929: Fixed that cosign verify-attestation --type can
report a false positive if any attestation exists (GHSA-vjxv-45g9-9296)
(bsc#1202157)
- What else changed:
- add flag to allow skipping upload to transparency log by @k4leung4 in #2089
- Improve error message when no sigs/atts are found for an image by @imjasonh in #2101
- Change Result in Vulnerability Attestation to interface{} by @knqyf263 in #2096
- Fix field names in the vulnerability attestation by @otms61 in #2099
- remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint by @cpanato in #2105
- Enable Scorecard badge by @azeemshaikh38 in #2109
- Resolves #522 set Created date to time of execution by @Lerentis in #2108
- Introduce a custom error type to classify errors. by @mattmoor in #2114
- feat: attach: attestation: allow passing multiple payloads by @Dentrax in #2085
- update cross-builder to go1.18.5 and cosign image to 1.10.0 by @cpanato in #2119
- chore: fix documentation and warning on using untrusted rekor key by @asraa in #2124
- Correct the type used for attest by @mattmoor in #2128
OBS-URL: https://build.opensuse.org/request/show/993341
OBS-URL: https://build.opensuse.org/package/show/security/cosign?expand=0&rev=16
- updated to 1.10.0
- replace gcr.io/distroless/ to use ghcr.io/distroless/ by @cpanato in #1961
- Separate RegExp matching of issuer/subject from strict by @vaikas in #1956
- tuf: improve TUF client concurrency and caching by @asraa in #1953
- Add Cloudsmith Container Registry to tested registry list by @ciaracarey in #1966
- feat(fulcioroots): singleton error pattern by @developer-guy in #1965
- Drop tuf client dependency on GCS client library by @imjasonh in #1967
- Add spdxjson predicate type for attestations by @jdolitsky in #1974
- Remove policy-controller now that it lives in sigstore/policy-controller by @vaikas in #1976
- cleanup: unexport kubernetes.Client method by @imjasonh in #1973
- cleanup ci job and remove policy-controller references by @cpanato in #1981
- fix/update post build job by @cpanato in #1983
- docs: updated Azure kms commands. by @JBrejnholt in #1972
- Add cyclonedx predicate type for attestations by @jdolitsky in #1977
- Route deprecated -version to version subcommand by @puerco in #1854
- docs(readme): add installation steps for container image for cosign binary by @developer-guy in #1986
- Add --platform flag to cosign sbom download by @puerco in #1975
- Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore by @imjasonh in #1866
- Add --oidc-provider flag to specify which provider to use for ambient credentials by @priyawadhwa in #1998
- encrypt values to create the github action secret by @cpanato in #1990
- sign-blob: bundle should work independently and respect --output-certificate and --output-signature by @Dentrax in #2016
- Attempt to clean up pkg/cosign by @imjasonh in #2018
- public-key: fix command description by @Dentrax in #2024
- [NFC] specs: fix list formatting on SIGNATURE_SPEC by @woodruffw in #2030
- feat: cert-extensions verify by @developer-guy in #1626
- Fix #1378 create new attestation signature in replace mode if not existent by @Syquel in #2014
- Use cosign.ConfirmPrompt more consistently by @imjasonh in #2039
- chore: add a note about SIGSTORE_REKOR_PUBLIC_KEY var by @hectorj2f in #2040
- Fix OIDC test by @cpanato in #2050
- Add env subcommand. by @wlynch in #2051 (forwarded request 991559 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/991560
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cosign?expand=0&rev=8
- updated to 1.10.0
- replace gcr.io/distroless/ to use ghcr.io/distroless/ by @cpanato in #1961
- Separate RegExp matching of issuer/subject from strict by @vaikas in #1956
- tuf: improve TUF client concurrency and caching by @asraa in #1953
- Add Cloudsmith Container Registry to tested registry list by @ciaracarey in #1966
- feat(fulcioroots): singleton error pattern by @developer-guy in #1965
- Drop tuf client dependency on GCS client library by @imjasonh in #1967
- Add spdxjson predicate type for attestations by @jdolitsky in #1974
- Remove policy-controller now that it lives in sigstore/policy-controller by @vaikas in #1976
- cleanup: unexport kubernetes.Client method by @imjasonh in #1973
- cleanup ci job and remove policy-controller references by @cpanato in #1981
- fix/update post build job by @cpanato in #1983
- docs: updated Azure kms commands. by @JBrejnholt in #1972
- Add cyclonedx predicate type for attestations by @jdolitsky in #1977
- Route deprecated -version to version subcommand by @puerco in #1854
- docs(readme): add installation steps for container image for cosign binary by @developer-guy in #1986
- Add --platform flag to cosign sbom download by @puerco in #1975
- Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore by @imjasonh in #1866
- Add --oidc-provider flag to specify which provider to use for ambient credentials by @priyawadhwa in #1998
- encrypt values to create the github action secret by @cpanato in #1990
- sign-blob: bundle should work independently and respect --output-certificate and --output-signature by @Dentrax in #2016
- Attempt to clean up pkg/cosign by @imjasonh in #2018
- public-key: fix command description by @Dentrax in #2024
- [NFC] specs: fix list formatting on SIGNATURE_SPEC by @woodruffw in #2030
- feat: cert-extensions verify by @developer-guy in #1626
- Fix #1378 create new attestation signature in replace mode if not existent by @Syquel in #2014
- Use cosign.ConfirmPrompt more consistently by @imjasonh in #2039
- chore: add a note about SIGSTORE_REKOR_PUBLIC_KEY var by @hectorj2f in #2040
- Fix OIDC test by @cpanato in #2050
- Add env subcommand. by @wlynch in #2051
OBS-URL: https://build.opensuse.org/request/show/991559
OBS-URL: https://build.opensuse.org/package/show/security/cosign?expand=0&rev=14
- updated to 1.9.0
- Check failure message of policy that fails with issuer mismatch by @vaikas in #1815
- [Cosigned] Add signature pull secrets by @DennyHoang in #1805
- feat: add rego policy support by @hectorj2f in #1817
- Refactor fulcio signer to take in KeyOpts (take 2) by @wlynch in #1818
- cosigned: Test unsupported KMS providers by @imjasonh in #1820
- chore(deps): Included dependency review by @naveensrinivasan in #1792
- Add auth flow option to KeyOpts. by @wlynch in #1827
- Document Staging instance usage with Keyless by @k4leung4 in #1824
- New flag --oidc-providers-disable to disable OIDC providers by @puerco in #1832
- Validate tlog entry when verifying signature via public key. by @wlynch in #1833
- Add function to explicitly request a certain provider by @priyawadhwa in #1837
- cosigned: Fix podAntiAffinity labels by @elfotografo007 in #1841
- remove exclude from go.mod by @cpanato in #1846
- [Cosigned] Glob matching improvement by @DennyHoang in #1842
- sget: Enable KMS providers for sget by @imjasonh in #1852
- Fix piv-tool generate-key command in TOKENS doc by @nealmcb in #1850
- Add IBM Cloud Container Registry to tested registry list by @bainsy88 in #1856
- If SBOM ref has .json suffix, assume JSON mediatype by @jdolitsky in #1859
- Add rekor.0.pub TUF target to unit tests by @priyawadhwa in #1860
- Normalize certificate flag names by @haydentherapper in #1868
- Check certificate policy flags with only a certificate by @haydentherapper in #1869
- Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go by @cpanato in #1861
- Point git commit FUN.md to gitsign! by @wlynch in #1874
- [cosigned] remove regex from the image pattern fields by @hectorj2f in #1873
- go.mod: format go.mod by @zchee in #1879
- Remove dependency on deprecated github.com/pkg/errors by @zchee in #1887
- tree: only report artifacts that are present by @ribbybibby in #1872
- update README with ebpf modules by @EItanya in #1888
- Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d by @vpnachev in #1889 (forwarded request 983635 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/983636
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cosign?expand=0&rev=7
- updated to 1.9.0
- Check failure message of policy that fails with issuer mismatch by @vaikas in #1815
- [Cosigned] Add signature pull secrets by @DennyHoang in #1805
- feat: add rego policy support by @hectorj2f in #1817
- Refactor fulcio signer to take in KeyOpts (take 2) by @wlynch in #1818
- cosigned: Test unsupported KMS providers by @imjasonh in #1820
- chore(deps): Included dependency review by @naveensrinivasan in #1792
- Add auth flow option to KeyOpts. by @wlynch in #1827
- Document Staging instance usage with Keyless by @k4leung4 in #1824
- New flag --oidc-providers-disable to disable OIDC providers by @puerco in #1832
- Validate tlog entry when verifying signature via public key. by @wlynch in #1833
- Add function to explicitly request a certain provider by @priyawadhwa in #1837
- cosigned: Fix podAntiAffinity labels by @elfotografo007 in #1841
- remove exclude from go.mod by @cpanato in #1846
- [Cosigned] Glob matching improvement by @DennyHoang in #1842
- sget: Enable KMS providers for sget by @imjasonh in #1852
- Fix piv-tool generate-key command in TOKENS doc by @nealmcb in #1850
- Add IBM Cloud Container Registry to tested registry list by @bainsy88 in #1856
- If SBOM ref has .json suffix, assume JSON mediatype by @jdolitsky in #1859
- Add rekor.0.pub TUF target to unit tests by @priyawadhwa in #1860
- Normalize certificate flag names by @haydentherapper in #1868
- Check certificate policy flags with only a certificate by @haydentherapper in #1869
- Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go by @cpanato in #1861
- Point git commit FUN.md to gitsign! by @wlynch in #1874
- [cosigned] remove regex from the image pattern fields by @hectorj2f in #1873
- go.mod: format go.mod by @zchee in #1879
- Remove dependency on deprecated github.com/pkg/errors by @zchee in #1887
- tree: only report artifacts that are present by @ribbybibby in #1872
- update README with ebpf modules by @EItanya in #1888
- Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d by @vpnachev in #1889
OBS-URL: https://build.opensuse.org/request/show/983635
OBS-URL: https://build.opensuse.org/package/show/security/cosign?expand=0&rev=12