Commit Graph

46 Commits

Author SHA256 Message Date
Dominique Leuenberger
52e029fb34 Accepting request 1189775 from security
refactor spec, change to obs_scm (no longer hardcoding the commit hash) and update to 1.3.6 (forwarded request 1189772 from ojkastl_buildservice)

OBS-URL: https://build.opensuse.org/request/show/1189775
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=22
2024-07-26 14:16:23 +00:00
d5a79b63dc refactor spec, change to obs_scm (no longer hardcoding the commit hash) and update to 1.3.6
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=43
2024-07-26 12:41:06 +00:00
Ana Guerrero
467015097a Accepting request 1144326 from security
- update to 1.3.5 (jsc#SLE-23476):
  - Additional unique index correction
  - Remove timestamp from checkpoint
  - Drop conditional when verifying entry checkpoint
  - Fix panic for DSSE canonicalization
  - Change Redis value for locking mechanism
  - give log timestamps nanosecond precision
  - output trace in slog and override correlation header name
- bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207) (forwarded request 1144325 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/1144326
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=21
2024-02-05 21:02:38 +00:00
91a13d0d79 Accepting request 1144325 from home:msmeissn:branches:security
- update to 1.3.5 (jsc#SLE-23476):
  - Additional unique index correction
  - Remove timestamp from checkpoint
  - Drop conditional when verifying entry checkpoint
  - Fix panic for DSSE canonicalization
  - Change Redis value for locking mechanism
  - give log timestamps nanosecond precision
  - output trace in slog and override correlation header name
- bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)

OBS-URL: https://build.opensuse.org/request/show/1144325
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=41
2024-02-05 14:47:58 +00:00
Ana Guerrero
09ec3941cd Accepting request 1142230 from security
OBS-URL: https://build.opensuse.org/request/show/1142230
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=20
2024-01-29 21:32:47 +00:00
Wolfgang Frisch
3dc243eed6 Accepting request 1142127 from home:dirkmueller:Factory
- update to 1.3.4:
  * add mysql indexstorage backend
  * add s3 storage for attestations
  * fix: Do not check for pubsub.topics.get on initialization
  * fix optional field in cose schema
  * Update ranges.go
  * update indexstorage interface to reduce roundtrips
  * use a single validator library in rekor-cli
  * Remove go-playground/validator dependency from pkg/pki

OBS-URL: https://build.opensuse.org/request/show/1142127
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=39
2024-01-29 11:09:57 +00:00
Ana Guerrero
0b1cd6a84e Accepting request 1128622 from security
- updated to rekor 1.3.3 (jsc#SLE-23476):
  - Update signer flag description
  - update trillian to 1.5.3
  - adds redis_auth
  - Add method to get artifact hash for an entry
  - make e2e tests more usable with docker-compose
  - install go at correct version for codeql
- updated to rekor 1.3.2 (jsc#SLE-23476):
- updated to rekor 1.3.1 (jsc#SLE-23476):
  New Features:
  - enable GCP cloud profiling on rekor-server (#1746)
  - move index storage into interface (#1741)
  - add info to readme to denote additional documentation sources (#1722)
  - Add type of ed25519 key for TUF (#1677)
  - Allow parsing base64-encoded TUF metadata and root content (#1671)
  Quality Enhancements:
  - disable quota in trillian in test harness (#1680)
  Bug Fixes:
  - Update contact for code of conduct (#1720)
  - Fix panic when parsing SSH SK pubkeys (#1712)
  - Correct index creation (#1708)
  - docs: fixzes a small typo on the readme (#1686)
  - chore: fix backfill-redis Makefile target (#1685) (forwarded request 1128621 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/1128622
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=19
2023-11-24 22:35:37 +00:00
4c93cf3ca5 Accepting request 1128621 from home:msmeissn:branches:security
- updated to rekor 1.3.3 (jsc#SLE-23476):
  - Update signer flag description
  - update trillian to 1.5.3
  - adds redis_auth
  - Add method to get artifact hash for an entry
  - make e2e tests more usable with docker-compose
  - install go at correct version for codeql
- updated to rekor 1.3.2 (jsc#SLE-23476):
- updated to rekor 1.3.1 (jsc#SLE-23476):
  New Features:
  - enable GCP cloud profiling on rekor-server (#1746)
  - move index storage into interface (#1741)
  - add info to readme to denote additional documentation sources (#1722)
  - Add type of ed25519 key for TUF (#1677)
  - Allow parsing base64-encoded TUF metadata and root content (#1671)
  Quality Enhancements:
  - disable quota in trillian in test harness (#1680)
  Bug Fixes:
  - Update contact for code of conduct (#1720)
  - Fix panic when parsing SSH SK pubkeys (#1712)
  - Correct index creation (#1708)
  - docs: fixzes a small typo on the readme (#1686)
  - chore: fix backfill-redis Makefile target (#1685)

OBS-URL: https://build.opensuse.org/request/show/1128621
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=37
2023-11-24 16:29:01 +00:00
Dominique Leuenberger
fb9e23e4ba Accepting request 1108430 from security
- updated to rekor 1.3.0 (jsc#SLE-23476):
  - Update openapi.yaml (#1655)
  - pass transient errors through retrieveLogEntry (#1653)
  - return full entryID on HTTP 409 responses (#1650)
  - feat: Support publishing new log entries to Pub/Sub topics (#1580)
  - Change values of Identity.Raw, add fingerprints (#1628)
  - Extract all subjects from SANs for x509 verifier (#1632)
  - Fix type comment for Identity struct (#1619)
  - Refactor Identities API (#1611)
  - Refactor Verifiers to return multiple keys (#1601)
  - Update checkpoint link (#1597)
  - Use correct log index in inclusion proof (#1599)
  - remove instrumentation library (#1595)
- updated to rekor 1.2.2 (jsc#SLE-23476):
  - pass down error with message instead of nil
  - swap killswitch for 'docker-compose restart' (forwarded request 1108429 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/1108430
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=18
2023-09-02 20:07:19 +00:00
d08f200d7c Accepting request 1108429 from home:msmeissn:branches:security
- updated to rekor 1.3.0 (jsc#SLE-23476):
  - Update openapi.yaml (#1655)
  - pass transient errors through retrieveLogEntry (#1653)
  - return full entryID on HTTP 409 responses (#1650)
  - feat: Support publishing new log entries to Pub/Sub topics (#1580)
  - Change values of Identity.Raw, add fingerprints (#1628)
  - Extract all subjects from SANs for x509 verifier (#1632)
  - Fix type comment for Identity struct (#1619)
  - Refactor Identities API (#1611)
  - Refactor Verifiers to return multiple keys (#1601)
  - Update checkpoint link (#1597)
  - Use correct log index in inclusion proof (#1599)
  - remove instrumentation library (#1595)
- updated to rekor 1.2.2 (jsc#SLE-23476):
  - pass down error with message instead of nil
  - swap killswitch for 'docker-compose restart'

OBS-URL: https://build.opensuse.org/request/show/1108429
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=35
2023-09-01 10:57:21 +00:00
Dominique Leuenberger
44410421c8 Accepting request 1089753 from security
- updated to rekor 1.2.1 (jsc#SLE-23476):
  Security fix:
  - CVE-2023-33199: Fixed that malformed proposed intoto v0.0.2 entries can cause a panic (bsc#1211790)
  Functional Enhancements
  - add client method to generate TLE struct (#1498)
  - add dsse type (#1487)
  - support other KMS providers (AWS, Azure, Hashicorp) in addition to GCP (#1488)
  - Add concurrency to backfill-redis (#1504)
  - omit informational message if machine-parseable output has been requested (#1486)
  - Publish stable checkpoint periodically to Redis (#1461)
  - Add intoto v0.0.2 to backfill script (#1500)
  - add new method to test insertability of proposed entries into log (#1410)
  Quality Enhancements
  - use t.Skip() in fuzzers (#1506)
  - improve fuzzing coverage (#1499)
  - Remove watcher script (#1484)
  Bug Fixes
  - Merge pull request from GHSA-frqx-jfcm-6jjr (CVE-2023-33199)
  - Remove requirement of PayloadHash for intoto 0.0.1 (#1490)
  - fix lint errors, bump linter up to 1.52 (#1485)
  - Remove dependencies from pkg/util (#1469) (forwarded request 1089735 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/1089753
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=17
2023-05-30 20:02:53 +00:00
dbe9cb9c1d Accepting request 1089735 from home:msmeissn:branches:security
- updated to rekor 1.2.1 (jsc#SLE-23476):
  Security fix:
  - CVE-2023-33199: Fixed that malformed proposed intoto v0.0.2 entries can cause a panic (bsc#1211790)
  Functional Enhancements
  - add client method to generate TLE struct (#1498)
  - add dsse type (#1487)
  - support other KMS providers (AWS, Azure, Hashicorp) in addition to GCP (#1488)
  - Add concurrency to backfill-redis (#1504)
  - omit informational message if machine-parseable output has been requested (#1486)
  - Publish stable checkpoint periodically to Redis (#1461)
  - Add intoto v0.0.2 to backfill script (#1500)
  - add new method to test insertability of proposed entries into log (#1410)
  Quality Enhancements
  - use t.Skip() in fuzzers (#1506)
  - improve fuzzing coverage (#1499)
  - Remove watcher script (#1484)
  Bug Fixes
  - Merge pull request from GHSA-frqx-jfcm-6jjr (CVE-2023-33199)
  - Remove requirement of PayloadHash for intoto 0.0.1 (#1490)
  - fix lint errors, bump linter up to 1.52 (#1485)
  - Remove dependencies from pkg/util (#1469)

OBS-URL: https://build.opensuse.org/request/show/1089735
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=33
2023-05-30 08:36:51 +00:00
Dominique Leuenberger
008e52fdf6 Accepting request 1085763 from security
Security fixes:
  - CVE-2023-30551: Fixed a potential denial of service (out of memory)
    when processing JAR META-INF files or .SIGN/.PKINFO files in APK files.
    (bsc#1211210 https://github.com/advisories/GHSA-2h5h-59f5-c5x9) (forwarded request 1085762 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/1085763
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=16
2023-05-10 14:17:15 +00:00
cc70271fab Accepting request 1085762 from home:msmeissn:branches:security
Security fixes:
  - CVE-2023-30551: Fixed a potential denial of service (out of memory)
    when processing JAR META-INF files or .SIGN/.PKINFO files in APK files.
    (bsc#1211210 https://github.com/advisories/GHSA-2h5h-59f5-c5x9)

OBS-URL: https://build.opensuse.org/request/show/1085762
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=31
2023-05-09 15:13:41 +00:00
Dominique Leuenberger
e13ff8d8ec Accepting request 1084327 from security
- updated to rekor 1.1.1 (jsc#SLE-23476):
  Functional Enhancements
  - Refactor Trillian client with exported methods (#1454)
  - Switch to official redis-go client (#1459)
  - Remove replace in go.mod (#1444)
  - Add Rekor OID info. (#1390)
  Quality Enhancements
  - remove legacy encrypted cosign key (#1446)
  - swap cjson dependency (#1441)
  - Update release readme (#1456) (forwarded request 1084326 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/1084327
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=15
2023-05-04 15:10:23 +00:00
44481e3973 Accepting request 1084326 from home:msmeissn:branches:security
- updated to rekor 1.1.1 (jsc#SLE-23476):
  Functional Enhancements
  - Refactor Trillian client with exported methods (#1454)
  - Switch to official redis-go client (#1459)
  - Remove replace in go.mod (#1444)
  - Add Rekor OID info. (#1390)
  Quality Enhancements
  - remove legacy encrypted cosign key (#1446)
  - swap cjson dependency (#1441)
  - Update release readme (#1456)

OBS-URL: https://build.opensuse.org/request/show/1084326
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=29
2023-05-03 12:50:54 +00:00
Dominique Leuenberger
030f80ec14 Accepting request 1077494 from security
- updated to rekor 1.1.0 (jsc#SLE-23476):
  Functional Enhancements
  - improve validation on intoto v0.0.2 type (#1351)
  - add feature to limit HTTP request body length to process (#1334)
  - add information about the file size limit (#1313)
  - Add script to backfill Redis from Rekor (#1163)
  - Feature: add search support for sha512 (#1142)
  Quality Enhancements
  - various fuzzing fixes
  Bug Fixes
  - remove goroutine usage from SearchLogQuery (#1407)
  - drop log messages regarding attestation storage to debug (#1408)
  - fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)
  - fix: fix regex for multi-digit counts (#1321)
  - return NotFound if treesize is 0 rather than calling trillian (#1311)
  - enumerate slice to get sugared logs (#1312)
  - put a reasonable size limit on ssh key reader (#1288)
  - CLIENT: Fix Custom Host and Path Issue (#1306)
  - do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)
  - correctly handle invalid or missing pki format (#1281)
  - Add Verifier to get public key/cert and identities for entry type (#1210)
  - fix goroutine leak in client; add insecure TLS option (#1238)
  - Fix - Remove the force-recreate flag (#1179)
  - trim whitespace around public keys before parsing (#1175)
  - stop inserting envelope hash for intoto:0.0.2 types into index (#1171)
  - Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158)
  - remove double encoding of payload and signature fields for intoto (#1150)
  - fix SearchLogQuery behavior to conform to openapi spec (#1145)
  - Remove pem-certificate-chain from client (#1138)
  - fix flag type for operator in search (#1136) (forwarded request 1077454 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/1077494
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=14
2023-04-05 19:28:33 +00:00
0340082614 Accepting request 1077454 from home:msmeissn:branches:security
- updated to rekor 1.1.0 (jsc#SLE-23476):
  Functional Enhancements
  - improve validation on intoto v0.0.2 type (#1351)
  - add feature to limit HTTP request body length to process (#1334)
  - add information about the file size limit (#1313)
  - Add script to backfill Redis from Rekor (#1163)
  - Feature: add search support for sha512 (#1142)
  Quality Enhancements
  - various fuzzing fixes
  Bug Fixes
  - remove goroutine usage from SearchLogQuery (#1407)
  - drop log messages regarding attestation storage to debug (#1408)
  - fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)
  - fix: fix regex for multi-digit counts (#1321)
  - return NotFound if treesize is 0 rather than calling trillian (#1311)
  - enumerate slice to get sugared logs (#1312)
  - put a reasonable size limit on ssh key reader (#1288)
  - CLIENT: Fix Custom Host and Path Issue (#1306)
  - do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)
  - correctly handle invalid or missing pki format (#1281)
  - Add Verifier to get public key/cert and identities for entry type (#1210)
  - fix goroutine leak in client; add insecure TLS option (#1238)
  - Fix - Remove the force-recreate flag (#1179)
  - trim whitespace around public keys before parsing (#1175)
  - stop inserting envelope hash for intoto:0.0.2 types into index (#1171)
  - Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158)
  - remove double encoding of payload and signature fields for intoto (#1150)
  - fix SearchLogQuery behavior to conform to openapi spec (#1145)
  - Remove pem-certificate-chain from client (#1138)
  - fix flag type for operator in search (#1136)

OBS-URL: https://build.opensuse.org/request/show/1077454
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=27
2023-04-05 09:24:58 +00:00
Dominique Leuenberger
c8249d91cf Accepting request 1040165 from security
- updated to rekor 1.0.1 (jsc#SLE-23476):
  - stop inserting envelope hash for intoto:0.0.2 types into index

- updated to rekor 1.0.0 (jsc#SLE-23476): (forwarded request 1038886 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/1040165
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=13
2022-12-05 17:01:40 +00:00
79ec9db9f1 Accepting request 1038886 from home:msmeissn:branches:security
- updated to rekor 1.0.1 (jsc#SLE-23476):
  - stop inserting envelope hash for intoto:0.0.2 types into index

- updated to rekor 1.0.0 (jsc#SLE-23476):

OBS-URL: https://build.opensuse.org/request/show/1038886
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=25
2022-12-05 08:36:59 +00:00
Dominique Leuenberger
4d34320645 Accepting request 1029934 from security
- updated to rekor 1.0.0 (sc#SLE-23476):
  - add description on /api/v1/index/retrieve endpoint by @bobcallaway in https://github.com/sigstore/rekor/pull/1073
  - Adding e2e test coverage by @cdris in https://github.com/sigstore/rekor/pull/1071
  - export rekor build/version information by @cpanato in https://github.com/sigstore/rekor/pull/1074
  - Use POST instead of GET for /api/log/entries/retrieve metrics. by @var-sdk in https://github.com/sigstore/rekor/pull/1083
  - Search through all shards when searching by hash by @priyawadhwa in https://github.com/sigstore/rekor/pull/1082
  - verify: verify checkpoint's STH against the inclusion proof root hash by @asraa in https://github.com/sigstore/rekor/pull/1092
  - add ability to enable/disable specific rekor API endpoints by @bobcallaway in https://github.com/sigstore/rekor/pull/1080
  - enable configurable client retries with backoff in RekorClient by @bobcallaway in https://github.com/sigstore/rekor/pull/1096
  - remove dead code around api-key and timestamp references by @bobcallaway in https://github.com/sigstore/rekor/pull/1098
  - update swagger API version to 1.0.0 by @bobcallaway in https://github.com/sigstore/rekor/pull/1102
  - remove unused RekorVersion API definition by @bobcallaway in https://github.com/sigstore/rekor/pull/1101
  - install gocovmerge in hack/tools by @bobcallaway in https://github.com/sigstore/rekor/pull/1103
  - add retry command line flag on rekor-cli by @bobcallaway in https://github.com/sigstore/rekor/pull/1097
  - Add some info and debug logging to commonly used funcs by @priyawadhwa in https://github.com/sigstore/rekor/pull/1106 (forwarded request 1029932 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/1029934
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=12
2022-10-19 11:18:02 +00:00
19d8611522 Accepting request 1029932 from home:msmeissn:branches:security
- updated to rekor 1.0.0 (sc#SLE-23476):
  - add description on /api/v1/index/retrieve endpoint by @bobcallaway in https://github.com/sigstore/rekor/pull/1073
  - Adding e2e test coverage by @cdris in https://github.com/sigstore/rekor/pull/1071
  - export rekor build/version information by @cpanato in https://github.com/sigstore/rekor/pull/1074
  - Use POST instead of GET for /api/log/entries/retrieve metrics. by @var-sdk in https://github.com/sigstore/rekor/pull/1083
  - Search through all shards when searching by hash by @priyawadhwa in https://github.com/sigstore/rekor/pull/1082
  - verify: verify checkpoint's STH against the inclusion proof root hash by @asraa in https://github.com/sigstore/rekor/pull/1092
  - add ability to enable/disable specific rekor API endpoints by @bobcallaway in https://github.com/sigstore/rekor/pull/1080
  - enable configurable client retries with backoff in RekorClient by @bobcallaway in https://github.com/sigstore/rekor/pull/1096
  - remove dead code around api-key and timestamp references by @bobcallaway in https://github.com/sigstore/rekor/pull/1098
  - update swagger API version to 1.0.0 by @bobcallaway in https://github.com/sigstore/rekor/pull/1102
  - remove unused RekorVersion API definition by @bobcallaway in https://github.com/sigstore/rekor/pull/1101
  - install gocovmerge in hack/tools by @bobcallaway in https://github.com/sigstore/rekor/pull/1103
  - add retry command line flag on rekor-cli by @bobcallaway in https://github.com/sigstore/rekor/pull/1097
  - Add some info and debug logging to commonly used funcs by @priyawadhwa in https://github.com/sigstore/rekor/pull/1106

OBS-URL: https://build.opensuse.org/request/show/1029932
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=23
2022-10-19 08:39:53 +00:00
Richard Brown
c2f11c5b4b Accepting request 1007909 from security
- updated to rekor 0.12.2 (jsc#SLE-23476):
  - add description on /api/v1/index/retrieve endpoint
  - Adding e2e test coverage
  - export rekor build/version information
  - Use POST instead of GET for /api/log/entries/retrieve metrics.
  - Search through all shards when searching by hash (forwarded request 1007274 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/1007909
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=11
2022-10-04 18:38:15 +00:00
913f1b929f Accepting request 1007274 from home:msmeissn:branches:security
- updated to rekor 0.12.2 (jsc#SLE-23476):
  - add description on /api/v1/index/retrieve endpoint
  - Adding e2e test coverage
  - export rekor build/version information
  - Use POST instead of GET for /api/log/entries/retrieve metrics.
  - Search through all shards when searching by hash

OBS-URL: https://build.opensuse.org/request/show/1007274
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=21
2022-10-04 13:04:17 +00:00
Richard Brown
2991d02eb6 Accepting request 1006397 from security
- updated to rekor 0.12.1 (jsc#SLE-23476):
  - ** Rekor ** v0.12.1 comes with a breaking change to rekor-cli v0.12.1. Users of rekor-cli MUST upgrade to the latest version
    The addition of the intotov2 created a breaking change for the rekor-cli
  - What's Changed
    - fix: fix harness tests with intoto v0.0.2 by @asraa in #1052
    - feat: add file based signer and password by @asraa in #1049
    - Adds new rekor metrics for latency and QPS. by @var-sdk in #1059

OBS-URL: https://build.opensuse.org/request/show/1006397
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=10
2022-09-27 18:14:31 +00:00
820202823b OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=19 2022-09-27 12:52:26 +00:00
7b96b3214e Accepting request 1006388 from home:msmeissn:branches:security
- updated to rekor 0.12.1 (jsc#SLE-23476):
  - ** Rekor ** v0.12.1 comes with a breaking change to rekor-cli v0.12.1. Users of rekor-cli MUST upgrade to the latest version
    The addition of the intotov2 created a breaking change for the rekor-cli
  - What's Changed
    - fix: fix harness tests with intoto v0.0.2 by @asraa in #1052
    - feat: add file based signer and password by @asraa in #1049
    - Adds new rekor metrics for latency and QPS. by @var-sdk in #1059

OBS-URL: https://build.opensuse.org/request/show/1006388
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=18
2022-09-27 12:37:10 +00:00
Dominique Leuenberger
df4aac75f6 Accepting request 1003863 from security
- updated to rekor 0.12.0 (jsc#SLE-23476):
  - check supportedVersions list rather than directly reading from version map by @bobcallaway in #1003
  - enable blocking specific pluggable type versions from being inserted into the log by @bobcallaway in #1004
  - api.SearchLogQueryHandler thread safety by @cdris in #1006
  - 'docker compose' to 'docker-compose' by @bobcallaway in #1009
  - Intoto v0.0.2 by @pxp928 in #973
  - Add bounds on number of elements in api/v1/log/entries/retrieve by @priyawadhwa in #1011
  - Change Checkpoint origin to be "Hostname - Tree ID" by @haydentherapper in #1013
  - feat: add verification functions by @asraa in #986
  - Validate tree ID on calls to /api/v1/log/entries/retrieve by @priyawadhwa in #1017
  - Include checkpoint (STH) in entry upload and retrieve responses by @haydentherapper in #1015
  - fix: use entry uuid uniformly in return responses by @asraa in #1012
  - remove /api/v1/version endpoint by @bobcallaway in #1022
  - Fix rekor-cli backwards incompatibility & run harness tests against HEAD by @priyawadhwa in #1030
  - Fix harness tests @ main by @priyawadhwa in #1038
  - Fetch all tags in harness tests by @priyawadhwa in #1039
  - fix retrieve endpoint response code and add testing by @asraa in #1043
- updated to rekor 0.11.0:
  - Add rekor harness tests by @priyawadhwa in #945
  - Persist and check attestations across harness tests by @priyawadhwa in #952
  - Add harness test for getting all entries by UUID and EntryID by @priyawadhwa in #957
  - api: fix inclusion proof verification flake by @asraa in #956
  - change default value for rekor_server.hostname to server's hostname by @bobcallaway in #963
  - fix nil-pointer error when artifact-hash is passed without artifact by @dsa0x in #965
  - Add prometheus summary to track metric latency by @priyawadhwa in #966
  - compute payload and envelope hashes upon validating intoto proposed entries by @bobcallaway in #967
  - update field documentation on publicKey for hashedrekord by @bobcallaway in #969
  - Allow sharding config to be written in yaml or json by @priyawadhwa in #974
  - fix incorrect schema id for cose type by @bobcallaway in #979
  - fix: make rekor verify work with sharded uuids by @asraa in #970 (forwarded request 1003862 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/1003863
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=9
2022-09-15 21:00:05 +00:00
e704b23e12 Accepting request 1003862 from home:msmeissn:branches:security
- updated to rekor 0.12.0 (jsc#SLE-23476):
  - check supportedVersions list rather than directly reading from version map by @bobcallaway in #1003
  - enable blocking specific pluggable type versions from being inserted into the log by @bobcallaway in #1004
  - api.SearchLogQueryHandler thread safety by @cdris in #1006
  - 'docker compose' to 'docker-compose' by @bobcallaway in #1009
  - Intoto v0.0.2 by @pxp928 in #973
  - Add bounds on number of elements in api/v1/log/entries/retrieve by @priyawadhwa in #1011
  - Change Checkpoint origin to be "Hostname - Tree ID" by @haydentherapper in #1013
  - feat: add verification functions by @asraa in #986
  - Validate tree ID on calls to /api/v1/log/entries/retrieve by @priyawadhwa in #1017
  - Include checkpoint (STH) in entry upload and retrieve responses by @haydentherapper in #1015
  - fix: use entry uuid uniformly in return responses by @asraa in #1012
  - remove /api/v1/version endpoint by @bobcallaway in #1022
  - Fix rekor-cli backwards incompatibility & run harness tests against HEAD by @priyawadhwa in #1030
  - Fix harness tests @ main by @priyawadhwa in #1038
  - Fetch all tags in harness tests by @priyawadhwa in #1039
  - fix retrieve endpoint response code and add testing by @asraa in #1043
- updated to rekor 0.11.0:
  - Add rekor harness tests by @priyawadhwa in #945
  - Persist and check attestations across harness tests by @priyawadhwa in #952
  - Add harness test for getting all entries by UUID and EntryID by @priyawadhwa in #957
  - api: fix inclusion proof verification flake by @asraa in #956
  - change default value for rekor_server.hostname to server's hostname by @bobcallaway in #963
  - fix nil-pointer error when artifact-hash is passed without artifact by @dsa0x in #965
  - Add prometheus summary to track metric latency by @priyawadhwa in #966
  - compute payload and envelope hashes upon validating intoto proposed entries by @bobcallaway in #967
  - update field documentation on publicKey for hashedrekord by @bobcallaway in #969
  - Allow sharding config to be written in yaml or json by @priyawadhwa in #974
  - fix incorrect schema id for cose type by @bobcallaway in #979
  - fix: make rekor verify work with sharded uuids by @asraa in #970

OBS-URL: https://build.opensuse.org/request/show/1003862
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=16
2022-09-15 13:15:19 +00:00
Richard Brown
e3becf26fd Accepting request 991395 from security
(forwarded request 991394 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/991395
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=8
2022-07-28 18:58:38 +00:00
6fe6a0c040 Accepting request 991394 from home:msmeissn:branches:security
OBS-URL: https://build.opensuse.org/request/show/991394
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=14
2022-07-27 13:39:29 +00:00
b7f6cf8192 Accepting request 991392 from home:msmeissn:branches:security
- updated to rekor 0.9.1
  - feat: add subject URIs to index for x509 certificates by @asraa in #897
  - fix: sql syntax in dbcreate script by @xens in #903
  - Switch to go 1.18 and pin release-utils to v0.7.1 by @saschagrunert in #904
  - Check inactive shards for UUID for /retrieve endpoint by @priyawadhwa in #905
  - ensure log messages have requestID where possible by @bobcallaway in #907
  - Remove unnecessary lookup of non-existent attestations from storage layer by @bobcallaway in #909
  - Fix bug where /retrieve endpoint returns wrong logIndex across shards by @priyawadhwa in #908
- updated to rekor 0.9.0
  - Add COSE support to Rekor by @kommendorkapten in #867
  - Fix intoto index keys by @bobcallaway in #889
  - Resolve virtual log index when calling /retrieve endpoint by @priyawadhwa in #894
- updated to rekor 0.8.2
  - collect docker-compose logs if sharding tests fail, also trim IDs by @bobcallaway in #869
  - ensure fallback logic executes if attestation key is empty when fetching attestation by @bobcallaway in #878

OBS-URL: https://build.opensuse.org/request/show/991392
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=13
2022-07-27 13:37:41 +00:00
Dominique Leuenberger
140fb9f380 Accepting request 985790 from security
- rekor-zypper-verify.sh: add a small script that verifies the on-system
  zypper repo cache against rekor transparency log.

OBS-URL: https://build.opensuse.org/request/show/985790
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=7
2022-06-30 11:18:16 +00:00
b4625ce4ba Accepting request 985788 from home:msmeissn:branches:security
- rekor-zypper-verify.sh: add a small script that verifies the on-system
  zypper repo cache against rekor transparency log.

OBS-URL: https://build.opensuse.org/request/show/985788
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=11
2022-06-29 12:42:40 +00:00
Dominique Leuenberger
2e94635e92 Accepting request 983855 from security
- Updated to rekor 0.8.1
  - Fix indexing bug for intoto attestations by @priyawadhwa in #870
  - Allow an expired certificate chain to be uploaded and verified by @haydentherapper in #873
- Updated to rekor 0.8.0
  - Update go-tuf and sigstore/sigstore to non-vulnerable go-tuf version. by @dhaus67 in #847
  - Configure rekor server in e2e tests via env variable by @priyawadhwa in #850
  - update cross-builder image to use go1.17.11 and dockerfile base image by @cpanato in #860
  - update go.mod to go1.17 by @cpanato in #861
  - Improve error message when using ED25519 with HashedRekord type by @haydentherapper in #862
  - Allow retrieving entryIDs or UUIDs via /api/v1/log/entries/retrieve endpoint by @priyawadhwa in #859
  - Print total tree size, including inactive shards in rekor-cli loginfo by @priyawadhwa in #864
- Updated to rekor 0.7.0
  - remove URL fetch of keys/artifacts server-side by @bobcallaway in #735
  - intoto: add index on materials digest of slsa provenance by @asraa in #793
  - chore(deps): Included dependency review by @naveensrinivasan in #788
  - Check if intoto hash is available before accessing it as an index key by @priyawadhwa in #800
  - Move deprecated dependency: google/trillian/merkle to transparency-dev by @asraa in #807
  - Retrieve shard tree length if it isn't provided in the config by @priyawadhwa in #810
  - update release builder images to use go 1.17.10 and cosign image to 1.8.0 by @cpanato in #820
  - update go to 1.17.10 in the dockerfile by @cpanato in #819
  - Limit the number of certificates parsed in a chain by @haydentherapper in #823
  - Breaking change: Remove timestamping authority by @haydentherapper in #813
  - Add back owners for rfc3161 package type by @haydentherapper in #833
  - all: remove dependency on deprecated github.com/pkg/errors by @zchee in #834
  - name stored attestations by digest instead of UUID by @bobcallaway in #769 (forwarded request 983852 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/983855
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=6
2022-06-20 13:38:21 +00:00
6c1414acb5 Accepting request 983852 from home:msmeissn:branches:security
- Updated to rekor 0.8.1
  - Fix indexing bug for intoto attestations by @priyawadhwa in #870
  - Allow an expired certificate chain to be uploaded and verified by @haydentherapper in #873
- Updated to rekor 0.8.0
  - Update go-tuf and sigstore/sigstore to non-vulnerable go-tuf version. by @dhaus67 in #847
  - Configure rekor server in e2e tests via env variable by @priyawadhwa in #850
  - update cross-builder image to use go1.17.11 and dockerfile base image by @cpanato in #860
  - update go.mod to go1.17 by @cpanato in #861
  - Improve error message when using ED25519 with HashedRekord type by @haydentherapper in #862
  - Allow retrieving entryIDs or UUIDs via /api/v1/log/entries/retrieve endpoint by @priyawadhwa in #859
  - Print total tree size, including inactive shards in rekor-cli loginfo by @priyawadhwa in #864
- Updated to rekor 0.7.0
  - remove URL fetch of keys/artifacts server-side by @bobcallaway in #735
  - intoto: add index on materials digest of slsa provenance by @asraa in #793
  - chore(deps): Included dependency review by @naveensrinivasan in #788
  - Check if intoto hash is available before accessing it as an index key by @priyawadhwa in #800
  - Move deprecated dependency: google/trillian/merkle to transparency-dev by @asraa in #807
  - Retrieve shard tree length if it isn't provided in the config by @priyawadhwa in #810
  - update release builder images to use go 1.17.10 and cosign image to 1.8.0 by @cpanato in #820
  - update go to 1.17.10 in the dockerfile by @cpanato in #819
  - Limit the number of certificates parsed in a chain by @haydentherapper in #823
  - Breaking change: Remove timestamping authority by @haydentherapper in #813
  - Add back owners for rfc3161 package type by @haydentherapper in #833
  - all: remove dependency on deprecated github.com/pkg/errors by @zchee in #834
  - name stored attestations by digest instead of UUID by @bobcallaway in #769

OBS-URL: https://build.opensuse.org/request/show/983852
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=9
2022-06-20 07:17:29 +00:00
Dominique Leuenberger
919f40a835 Accepting request 972809 from security
- Updated to rekor 0.6.0
  - attempting to fix codeowners file by @bobcallaway in #653
  - Update the warning text for the GA release. by @dlorenc in #654
  - Add docs about API stability and deprecation policy by @priyawadhwa in #661
  - update cross-build and dockerfile to use go 1.17.7 by @cpanato in #666
  - Move k8s objects out of the default namespace by @k4leung4 in #674
  - add securityContext to deployment. by @k4leung4 in #678
  - Add intoto type documentation by @jspeed-meyers in #679
  - create namespace for rekor config in yaml. by @k4leung4 in #680
  - Set rekor-cli User-Agent header on requests by @bobcallaway in #684
  - update security process link by @bobcallaway in #685
  - explicitly set permissions for github actions by @k4leung4 in #687
  - Add documentation about Alpine type by @jspeed-meyers in #697
  - Add code coverage to pull requests. by @k4leung4 in #676
  - Consistent parenthesis use in Makefile by @k4leung4 in #700
  - Use logRangesFlag in API, route reads based on TreeID by @lkatalin in #671
  - Generate release yaml for non-CI builds. by @k4leung4 in #702
  - Mirror signed release images from GCR to GHCR as part of release by @k4leung4 in #701
  - build trillian container to existing release. by @k4leung4 in #715
  - Make the loginfo command a bit more future/backwards proof. by @dlorenc in #718
  - Switch to using the swag library for pointer manipulation. by @dlorenc in #719
  - Change TreeID to be of type string instead of int64 by @priyawadhwa in #712
  - Add sharding e2e test to Github Actions by @priyawadhwa in #714
  - fix merge conflict by @priyawadhwa in #720
  - Clearer logging for createAndInitTree by @priyawadhwa in #724
  - Return virtual index when creating and getting a log entry by @priyawadhwa in #725
  - Fix copy/paste mistake in repo name. by @k4leung4 in #730
  - Use reusuable release workflow in sigstore/sigstore by @k4leung4 in #729
  - Get log proofs by Tree ID by @priyawadhwa in #733
  - Refactor rekor-cli loginfo by @priyawadhwa in #734 (forwarded request 972808 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/972809
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=5
2022-04-26 18:15:39 +00:00
65092aae15 Accepting request 972808 from home:msmeissn:branches:security
- Updated to rekor 0.6.0
  - attempting to fix codeowners file by @bobcallaway in #653
  - Update the warning text for the GA release. by @dlorenc in #654
  - Add docs about API stability and deprecation policy by @priyawadhwa in #661
  - update cross-build and dockerfile to use go 1.17.7 by @cpanato in #666
  - Move k8s objects out of the default namespace by @k4leung4 in #674
  - add securityContext to deployment. by @k4leung4 in #678
  - Add intoto type documentation by @jspeed-meyers in #679
  - create namespace for rekor config in yaml. by @k4leung4 in #680
  - Set rekor-cli User-Agent header on requests by @bobcallaway in #684
  - update security process link by @bobcallaway in #685
  - explicitly set permissions for github actions by @k4leung4 in #687
  - Add documentation about Alpine type by @jspeed-meyers in #697
  - Add code coverage to pull requests. by @k4leung4 in #676
  - Consistent parenthesis use in Makefile by @k4leung4 in #700
  - Use logRangesFlag in API, route reads based on TreeID by @lkatalin in #671
  - Generate release yaml for non-CI builds. by @k4leung4 in #702
  - Mirror signed release images from GCR to GHCR as part of release by @k4leung4 in #701
  - build trillian container to existing release. by @k4leung4 in #715
  - Make the loginfo command a bit more future/backwards proof. by @dlorenc in #718
  - Switch to using the swag library for pointer manipulation. by @dlorenc in #719
  - Change TreeID to be of type string instead of int64 by @priyawadhwa in #712
  - Add sharding e2e test to Github Actions by @priyawadhwa in #714
  - fix merge conflict by @priyawadhwa in #720
  - Clearer logging for createAndInitTree by @priyawadhwa in #724
  - Return virtual index when creating and getting a log entry by @priyawadhwa in #725
  - Fix copy/paste mistake in repo name. by @k4leung4 in #730
  - Use reusuable release workflow in sigstore/sigstore by @k4leung4 in #729
  - Get log proofs by Tree ID by @priyawadhwa in #733
  - Refactor rekor-cli loginfo by @priyawadhwa in #734

OBS-URL: https://build.opensuse.org/request/show/972808
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=7
2022-04-26 09:47:47 +00:00
Dominique Leuenberger
35c728fc23 Accepting request 966624 from security
- Updated to rekor 0.5.0
  * Highlights
    - Add Rekor logo to README (#650)
    - update API calls to v5 (#591)
    - Refactor helm type to remove intermediate state. (#575)
    - Refactor the shard map parsing so we can pass it down into the API object. (#564)
    - Refactor the alpine type to reduce intermediate state. (#573)
  * Enhancements
    - Add logic to GET artifacts via old or new UUID (#587)
    - helpful error message for hashedrekord types (#605)
    - Set Accept header in dynamic counter requests (#594)
    - Add sharding package and update validators (#583)
    - rekor-cli: show the url in case of error (#581)
    - Enable parsing of incomplete minisign keys, to enable re-indexing. (#567)
    - Cleanups on the TUF pluggable type. (#563)
    - Refactor the RPM type to remove more intermediate state. (#566)
    - Do some cleanups of the jar type to remove intermediate state. (#561)
  * Others
    - update version comments since dependabot doesn't do it (#617)
    - Use workload identity provider instead of GitHub Secret for GCR access (#600)
    - add OSSF scorecard action (#599)
    - enable the sbom for rekor releases (#586)
    - Point to the official website (instead of a 404) (#580)
    - Add a Makefile target for the "ko apply" step. (#572)
    - types/README.md: Corrected documentation link (#568)

- enable server build too, as people might want to deploy rekor chain
  themselves. (forwarded request 966623 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/966624
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=4
2022-04-03 19:31:08 +00:00
08eb060c06 Accepting request 966623 from home:msmeissn:branches:security
- Updated to rekor 0.5.0
  * Highlights
    - Add Rekor logo to README (#650)
    - update API calls to v5 (#591)
    - Refactor helm type to remove intermediate state. (#575)
    - Refactor the shard map parsing so we can pass it down into the API object. (#564)
    - Refactor the alpine type to reduce intermediate state. (#573)
  * Enhancements
    - Add logic to GET artifacts via old or new UUID (#587)
    - helpful error message for hashedrekord types (#605)
    - Set Accept header in dynamic counter requests (#594)
    - Add sharding package and update validators (#583)
    - rekor-cli: show the url in case of error (#581)
    - Enable parsing of incomplete minisign keys, to enable re-indexing. (#567)
    - Cleanups on the TUF pluggable type. (#563)
    - Refactor the RPM type to remove more intermediate state. (#566)
    - Do some cleanups of the jar type to remove intermediate state. (#561)
  * Others
    - update version comments since dependabot doesn't do it (#617)
    - Use workload identity provider instead of GitHub Secret for GCR access (#600)
    - add OSSF scorecard action (#599)
    - enable the sbom for rekor releases (#586)
    - Point to the official website (instead of a 404) (#580)
    - Add a Makefile target for the "ko apply" step. (#572)
    - types/README.md: Corrected documentation link (#568)

- enable server build too, as people might want to deploy rekor chain
  themselves.

OBS-URL: https://build.opensuse.org/request/show/966623
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=5
2022-04-03 09:03:38 +00:00
Dominique Leuenberger
99e043716c Accepting request 948953 from security
Fix BUILD_DATE for reproducible build results (boo#1047218) (forwarded request 948951 from bmwiedemann)

OBS-URL: https://build.opensuse.org/request/show/948953
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=3
2022-01-25 16:36:07 +00:00
f4647966d7 Accepting request 948951 from home:bmwiedemann:branches:security
Fix BUILD_DATE for reproducible build results (boo#1047218)

OBS-URL: https://build.opensuse.org/request/show/948951
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=4
2022-01-25 08:44:46 +00:00
Dominique Leuenberger
07b56f0910 Accepting request 944481 from security
- updated to 0.4.0
  Highlights
  - Adds hashed rekord type that can be used to upload signatures along with the hashed content signed (#501) (forwarded request 944479 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/944481
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=2
2022-01-07 11:45:52 +00:00
23276d55ac Accepting request 944479 from home:msmeissn:branches:security
- updated to 0.4.0
  Highlights
  - Adds hashed rekord type that can be used to upload signatures along with the hashed content signed (#501)

OBS-URL: https://build.opensuse.org/request/show/944479
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=3
2022-01-06 15:04:12 +00:00
Dominique Leuenberger
1f0bbe482a Accepting request 943481 from security
add to factory

OBS-URL: https://build.opensuse.org/request/show/943481
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=1
2022-01-03 09:49:56 +00:00
3dbaf89a4d Accepting request 939034 from home:msmeissn
first package of rekor transparency log server+client

OBS-URL: https://build.opensuse.org/request/show/939034
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=1
2021-12-10 09:11:57 +00:00