-------------------------------------------------------------------
Thu Jan 22 06:00:54 UTC 2026 - Johannes Kastl

- Update to version 1.5.0:
  This release fixes the following security issues:
  - GHSA-4c4x-jm2x-pf9j / CVE-2026-24117 / bsc#1257135: Fixed
    Server-Side Request Forgery (SSRF) via provided public key URL
  - GHSA-273p-m2cw-6833 / CVE-2026-23831 / bsc#1257132: Fixed lack of
    input validation that can cause a thread crash
  - GHSA-j5w8-q4qc-rx2x / CVE-2025-58181 / bsc#1253817: Fixed
    golang.org/x/crypto/ssh: invalidated number of mechanisms can
    cause unbounded memory consumption
  Note that this drops support for fetching public keys via URL when
  querying the search API.
  * Vulnerability Fixes
    - Handle malformed COSE and DSSE entries (#2729)
    - Drop support for fetching public keys by URL in the search index (#2731)
  * Features
    - Add support for a custom TLS config for clients (#2709)
  * Dependencies
    - build(deps): Bump github.com/redis/go-redis/v9 from 9.14.1 to 9.17.2 (#2706)
    - build(deps): Bump google.golang.org/api from 0.256.0 to 0.259.0 (#2723)
    - build(deps): Bump golang.org/x/net from 0.47.0 to 0.48.0 (#2722)
    - build(deps): Bump github.com/sigstore/sigstore from 1.9.5 to 1.10.3 (#2724)
    - build(deps): Bump the all group across 1 directory with 3 updates (#2727)
    - build(deps): Bump the all group with 2 updates (#2728)
    - build(deps): Bump google.com/cloudsdktool/google-cloud-cli (#2726)
    - build(deps): Bump google.com/cloudsdktool/google-cloud-cli (#2720)
    - build(deps): Bump github.com/sigstore/sigstore/pkg/signature/kms/azure (#2716)
    - build(deps): Bump golang.org/x/sync from 0.18.0 to 0.19.0 (#2715)
    - build(deps): Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#2714)
    - build(deps): Bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault (#2717)
    - build(deps): Bump github.com/sigstore/sigstore/pkg/signature/kms/aws (#2718)
    - build(deps): Bump sigstore/scaffolding/trillian_log_signer (#2713)
    - build(deps): Bump sigstore/scaffolding/trillian_log_server (#2712)
    - build(deps): Bump google.com/cloudsdktool/google-cloud-cli (#2711)
    - build(deps): Bump the all group across 1 directory with 4 updates (#2707)
    - build(deps): Bump golang from 1.25.4 to 1.25.5 in the all group (#2703)
    - build(deps): Bump the all group across 1 directory with 4 updates (#2708)
    - build(deps): Bump google.com/cloudsdktool/google-cloud-cli
    - build(deps): Bump golang from `e68f6a0` to `6981837`
    - build(deps): Bump sigstore/scaffolding/trillian_log_signer
    - build(deps): Bump sigstore/scaffolding/trillian_log_server
    - build(deps): Bump google.golang.org/api from 0.254.0 to 0.256.0
    - build(deps): Bump the all group with 2 updates
    - build(deps): Bump github/codeql-action in the all group
    - build(deps): Bump the all group with 3 updates (#2692)
    - build(deps): Bump the all group with 2 updates
    - build(deps): Bump golangci/golangci-lint-action from 8.0.0 to 9.1.0
    - build(deps): Bump actions/checkout from 5.0.0 to 6.0.0
    - build(deps): Bump golang.org/x/crypto from 0.43.0 to 0.45.0
    - build(deps): Bump golang.org/x/crypto in /hack/tools
    - build(deps): Bump golang from `6ca9eb0` to `e68f6a0`
    - build(deps): Bump google.com/cloudsdktool/google-cloud-cli

-------------------------------------------------------------------
Mon Nov 17 06:20:08 UTC 2025 - Johannes Kastl

- Update to version 1.4.3:
  This release reduces dependencies for a number of exported packages.
  This release also changes the format of the binary and container
  signature, which is now a Sigstore bundle. To verify a release, use
  the latest Cosign 3.x, verifying with
  cosign verify-blob --bundle -keyless.sigstore.json .
  * Improvements
    - use interruptable context to elegantly handle signals in rekor-cli (#2681)
    - restapi: Don't log client errors as errors (#2680)
    - pkg: separate pki types from implementations (#2668)
    - e2e: don't mix e2e and regular utilities (#2672)
    - pkg: remove viper config from spec definitions (#2669)
    - log: remove zap & go-chi dependency from pkg/types (#2667)
    - chore: update go-openapi/runtime to v0.29.0 (#2670)
    - chore: remove double imported mapstructure pkg (#2671)
    - remove archived dependency and use stdlib slices (#2650)
  * Documentation
    - (docs): guard unsafe int/uint conversions flagged by gosec (#2679)
  * Dependencies
    - build(deps): Bump actions/setup-go from 5.5.0 to 6.0.0
    - build(deps): Bump actions/upload-artifact from 4.6.2 to 5.0.0
    - build(deps): Bump cloud.google.com/go/pubsub/v2 from 2.0.0 to 2.3.0 (#2654)
    - build(deps): Bump github.com/go-openapi/loads from 0.22.0 to 0.23.1 (#2632)
    - build(deps): Bump github.com/go-openapi/swag from 0.24.1 to 0.25.1 (#2666)
    - build(deps): Bump github.com/go-openapi/swag/conv from 0.24.0 to 0.25.1 (#2628)
    - build(deps): Bump github.com/go-openapi/validate from 0.24.0 to 0.25.0 (#2629)
    - build(deps): Bump github.com/go-swagger/go-swagger from 0.32.3 to 0.33.1 in /hack/tools in the all group (#2643)
    - build(deps): Bump github.com/redis/go-redis/v9 from 9.12.1 to 9.13.0
    - build(deps): Bump github.com/redis/go-redis/v9 from 9.13.0 to 9.14.0
    - build(deps): Bump github.com/spf13/cobra from 1.9.1 to 1.10.1
    - build(deps): Bump github.com/spf13/viper from 1.20.1 to 1.21.0
    - build(deps): Bump github.com/tink-crypto/tink-go/v2 from 2.4.0 to 2.5.0 (#2661)
    - build(deps): Bump github/codeql-action from 3.30.3 to 4.30.9 (#2645)
    - build(deps): Bump github/codeql-action in the all group (#2659)
    - build(deps): Bump github/codeql-action in the all group (#2663)
    - build(deps): Bump go.step.sm/crypto from 0.70.0 to 0.72.0 (#2651)
    - build(deps): Bump go.step.sm/crypto from 0.73.0 to 0.74.0 (#2674)
    - build(deps): Bump golang from 1.25.0 to 1.25.1 in the all group (#2611)
    - build(deps): Bump golang from 1.25.1 to 1.25.2 in the all group (#2644)
    - build(deps): Bump golang from 1.25.2 to 1.25.3 in the all group
    - build(deps): Bump golang from 1.25.3 to 1.25.4 in the all group (#2675)
    - build(deps): Bump golang from `a5e935d` to `8305f5f`
    - build(deps): Bump golang.org/x/mod from 0.27.0 to 0.28.0
    - build(deps): Bump golang.org/x/mod from 0.28.0 to 0.29.0 (#2665)
    - build(deps): Bump golang.org/x/net from 0.43.0 to 0.44.0
    - build(deps): Bump golang.org/x/net from 0.44.0 to 0.46.0 (#2656)
    - build(deps): Bump golang.org/x/sync from 0.16.0 to 0.17.0
    - build(deps): Bump google.com/cloudsdktool/google-cloud-cli
    - build(deps): Bump google.com/cloudsdktool/google-cloud-cli
    - build(deps): Bump google.com/cloudsdktool/google-cloud-cli (#2618)
    - build(deps): Bump google.com/cloudsdktool/google-cloud-cli (#2642)
    - build(deps): Bump google.com/cloudsdktool/google-cloud-cli (#2658)
    - build(deps): Bump google.com/cloudsdktool/google-cloud-cli (#2660)
    - build(deps): Bump google.com/cloudsdktool/google-cloud-cli (#2676)
    - build(deps): Bump google.golang.org/api from 0.248.0 to 0.249.0
    - build(deps): Bump google.golang.org/api from 0.249.0 to 0.252.0 (#2648)
    - build(deps): Bump google.golang.org/api from 0.252.0 to 0.253.0 (#2653)
    - build(deps): Bump google.golang.org/grpc from 1.75.1 to 1.76.0 (#2652)
    - build(deps): Bump sigstore/cosign-installer from 3.10.0 to 4.0.0 (#2646)
    - build(deps): Bump sigstore/scaffolding/trillian_log_server (#2636)
    - build(deps): Bump sigstore/scaffolding/trillian_log_server (#2678)
    - build(deps): Bump sigstore/scaffolding/trillian_log_signer (#2635)
    - build(deps): Bump sigstore/scaffolding/trillian_log_signer (#2677)
    - build(deps): Bump the all group across 1 directory with 5 updates (#2647)
    - build(deps): Bump the all group with 2 updates
    - build(deps): Bump the all group with 2 updates
    - build(deps): Bump the all group with 2 updates
    - build(deps): Bump the all group with 3 updates
    - build(deps): Bump the all group with 7 updates (#2673)

-------------------------------------------------------------------
Thu Sep 18 13:01:07 UTC 2025 - Johannes Kastl

- Update to version 1.4.2:
  * build(deps): Bump google-github-actions/auth from 2.1.12 to 3.0.0 by @dependabot[bot] in #2601
  * build(deps): Bump github/codeql-action from 3.29.11 to 3.30.0 in the all group by @dependabot[bot] in #2602
  * build(deps): Bump the all group with 3 updates by @dependabot[bot] in #2599
  * optimize performance of regex operations by @bobcallaway in #2603
  * move to direct decoding instead of mapstructure by @bobcallaway in #2598
  * build(deps): Bump github.com/go-openapi/swag from 0.23.1 to 0.24.1 by @dependabot[bot] in #2600
  * build(deps): Bump golang from 1.24.6 to 1.25.0 in the all group by @dependabot[bot] in #2587
  * process type contents serially by @bobcallaway in #2604
  * use pubsub client to check IAM permissions by @bobcallaway in #2605
  * add changelog for v1.4.2 by @bobcallaway in #2606

-------------------------------------------------------------------
Mon Sep 01 11:06:50 UTC 2025 - Marcus Meissner

- Update to version 1.4.1 (jsc#SLE-23476):
  * build(deps): Bump github.com/ulikunitz/xz from 0.5.12 to 0.5.14 (#2596)
    CVE-2025-58058: rekor: github.com/ulikunitz/xz: github.com/ulikunitz/xz
    leaks memory (bsc#1248910)
  * build(deps): Bump github.com/redis/go-redis/v9 from 9.11.0 to 9.12.1
    CVE-2025-29923: rekor: github.com/redis/go-redis: potential out of order
    responses when `CLIENT SETINFO` times out during connection
    establishment (bsc#1241153)
  * use less expensive gRPC call to implement GetLeafAndProofByHash (#2581)
  * move to per-shard trillian client manager (#2564)
  * use cheaper gRPC endpoint when we already have the inclusion proof (#2580)
  * simplify hash and signature verification in rekord type (#2579)
  * return correct error if GetLeafAndProofByHash fails (#2574)

-------------------------------------------------------------------
Sun Aug 03 12:03:29 UTC 2025 - Johannes Kastl

- Update to version 1.4.0:
  * changelog for v1.4.0 release (#2550)
  * enable retries and timeouts on GCP KMS calls (#2548)
  * allow configuring gRPC default service config for trillian client load balancing & timeouts (#2549)
  * remove stable checkpoint feature (#2537)
  * build(deps): Bump sigs.k8s.io/release-utils from 0.11.1 to 0.12.0
  * build(deps): Bump golang.org/x/net from 0.41.0 to 0.42.0 (#2544)
  * build(deps): Bump the all group with 3 updates (#2545)
  * fix lints
  * bump golangci-lint to v2.2.x
  * use go1.24.5 to build rekor
  * build(deps): Bump google.golang.org/api from 0.238.0 to 0.242.0 (#2543)
  * build(deps): Bump golang.org/x/sync from 0.15.0 to 0.16.0 (#2541)
  * build(deps): Bump github.com/spf13/pflag in the all group (#2542)
  * build(deps): Bump github.com/sigstore/protobuf-specs from 0.4.3 to 0.5.0
  * move context handling in trillian RPC calls to be request based and idiomatic (#2536)
  * build(deps): Bump github.com/go-viper/mapstructure/v2 (#2522)
  * build(deps): Bump golang from 1.24.4 to 1.24.5 in the all group (#2534)
  * build(deps): Bump the all group with 2 updates (#2518)
  * build(deps): Bump the all group with 2 updates (#2524)
  * build(deps): Bump sigstore/scaffolding/trillian_log_server (#2527)
  * build(deps): Bump sigstore/scaffolding/trillian_log_signer (#2526)
  * build(deps): Bump github.com/go-viper/mapstructure/v2 in /hack/tools (#2523)
  * backoff pubsub emulator to last-known good (#2535)
  * build(deps): Bump golang from `db5d0af` to `10c1318`
  * build(deps): Bump sigstore/cosign-installer in the all group
  * build(deps): Bump google.com/cloudsdktool/google-cloud-cli
  * build(deps): Bump google.golang.org/api from 0.237.0 to 0.238.0
  * build(deps): Bump go.step.sm/crypto from 0.66.0 to 0.67.0
  * build(deps): Bump github/codeql-action in the all group
  * build(deps): Bump google.golang.org/api from 0.236.0 to 0.237.0
  * build(deps): Bump the all group with 7 updates
  * Update GoReleaser configurations (#2511)
  * update builder to use go1.24.4
  * build(deps): Bump google.golang.org/grpc from 1.72.2 to 1.73.0
  * build(deps): Bump golang.org/x/net from 0.40.0 to 0.41.0
  * build(deps): Bump github.com/redis/go-redis/v9 from 9.9.0 to 9.10.0
  * build(deps): Bump google.golang.org/api from 0.235.0 to 0.236.0
  * build(deps): Bump golang from 1.24.3 to 1.24.4 in the all group
  * build(deps): Bump github.com/go-swagger/go-swagger
  * build(deps): Bump github/codeql-action in the all group
  * build(deps): Bump google.com/cloudsdktool/google-cloud-cli
  * build(deps): Bump github.com/google/rpmpack from 0.6.0 to 0.7.0
  * build(deps): Bump github.com/redis/go-redis/v9 from 9.8.0 to 9.9.0
  * build(deps): Bump google.com/cloudsdktool/google-cloud-cli
  * build(deps): Bump go.step.sm/crypto from 0.64.0 to 0.66.0
  * build(deps): Bump google.golang.org/api from 0.234.0 to 0.235.0
  * build(deps): Bump golang from `4c0a181` to `81bf592`
  * build(deps): Bump google.golang.org/api from 0.233.0 to 0.234.0
  * build(deps): Bump golang from `86b4cff` to `4c0a181`
  * build(deps): Bump google.com/cloudsdktool/google-cloud-cli
  * build(deps): Bump google.golang.org/grpc in the all group
  * build(deps): Bump go.step.sm/crypto from 0.63.0 to 0.64.0
  * Don't initialize index storage with stable checkpoint publishing (#2486)
  * build(deps): Bump golang from `39d9e7d` to `86b4cff`
  * build(deps): Bump google.com/cloudsdktool/google-cloud-cli
  * build(deps): Bump the all group with 2 updates
  * build(deps): Bump google.golang.org/api from 0.232.0 to 0.233.0
  * build(deps): Bump the all group with 2 updates
  * Fix docker compose up --wait failing when Trillian server isn't healthy (#2473)
  * build(deps): Bump golang.org/x/crypto from 0.37.0 to 0.38.0 (#2477)
  * build(deps): Bump golang.org/x/net from 0.39.0 to 0.40.0 (#2475)
  * build(deps): Bump golang from 1.24.2 to 1.24.3 in the all group (#2480)
  * build(deps): Bump google.golang.org/api from 0.231.0 to 0.232.0
  * build(deps): Bump google.com/cloudsdktool/google-cloud-cli (#2478)
  * build(deps): Bump actions/setup-go from 5.4.0 to 5.5.0 in the all group (#2474)
  * build(deps): Bump github.com/redis/go-redis/v9 from 9.7.3 to 9.8.0 (#2470)
  * build(deps): Bump golangci/golangci-lint-action from 7.0.0 to 8.0.0 (#2471)
  * build(deps): Bump google.golang.org/api from 0.230.0 to 0.231.0
  * build(deps): Bump go.step.sm/crypto from 0.61.0 to 0.63.0 (#2468)
  * build(deps): Bump github/codeql-action in the all group (#2467)
  * build(deps): Bump golang from `d9db321` to `30baaea` (#2469)
  * build(deps): Bump google.com/cloudsdktool/google-cloud-cli (#2466)
  * build(deps): Bump the all group with 2 updates
  * build(deps): Bump google.golang.org/api from 0.229.0 to 0.230.0
  * build(deps): Bump the all group with 3 updates
  * build(deps): Bump google.com/cloudsdktool/google-cloud-cli (#2462)
  * Bump sigstore/sigstore, use shared Tink library (#2461)
  * better mysql healthcheck (#2459)
  * build(deps): Bump sigs.k8s.io/release-utils from 0.8.4 to 0.11.1
  * build(deps): Bump google.golang.org/grpc from 1.71.1 to 1.72.0
  * build(deps): Bump github.com/tink-crypto/tink-go/v2 from 2.3.0 to 2.4.0
  * build(deps): Bump google.com/cloudsdktool/google-cloud-cli
  * build(deps): Bump golang
  * build(deps): Bump codecov/codecov-action in the all group
  * build(deps): Bump go.step.sm/crypto from 0.60.0 to 0.61.0
  * build(deps): Bump golang.org/x/crypto in /hack/tools
  * update builder image to use go1.24.2
  * build(deps): Bump golang from `991aa6a` to `1ecc479`
  * build(deps): Bump ko-build/setup-ko from 0.8 to 0.9 in the all group
  * build(deps): Bump cloud.google.com/go/pubsub from 1.47.0 to 1.49.0
  * build(deps): Bump github.com/prometheus/client_golang
  * build(deps): Bump the all group with 7 updates
  * build(deps): Bump github.com/spf13/viper from 1.19.0 to 1.20.1
  * Add CHANGELOG for v1.3.10 (#2439)

-------------------------------------------------------------------
Fri Apr 11 18:10:26 UTC 2025 - Johannes Kastl

- Update to version 1.3.10:
  * Features
    - Added --client-signing-algorithms flag (#1974)
  * Fixes / Misc
    - emit unpopulated values when marshalling (#2438)
    - pkg/api: better logs when algorithm registry rejects a key (#2429)
    - chore: improve mysql readiness checks (#2397)
    - Added --client-signing-algorithms flag (#1974)
  * Security fixes (over the last releases):
    - CVE-2024-6104: rekor: hashicorp/go-retryablehttp: url might write
      sensitive information to log file (bsc#1227053)
    - CVE-2023-45288: rekor: golang.org/x/net/http2: close connections
      when receiving too many headers (bsc#1236519)
    - CVE-2025-27144: rekor: gopkg.in/go-jose/go-jose.v2,
      github.com/go-jose/go-jose/v4, github.com/go-jose/go-jose/v3:
      Go JOSE's Parsing Vulnerable to Denial of Service (bsc#1237638)
    - CVE-2025-22868: rekor: golang.org/x/oauth2/jws: Unexpected memory
      consumption during token parsing in golang.org/x/oauth2 (bsc#1239191)
    - CVE-2025-22869: rekor: golang.org/x/crypto/ssh: Denial of Service
      in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239327)
    - CVE-2025-30204: rekor: github.com/golang-jwt/jwt/v5: jwt-go allows
      excessive memory allocation during header parsing (bsc#1240468)

-------------------------------------------------------------------
Tue Jan 28 08:22:57 UTC 2025 - meissner@suse.com

- Update to version 1.3.9 (jsc#SLE-23476):
  * Cache checkpoint for inactive shards (#2332)
  * Support per-shard signing keys (#2330)

-------------------------------------------------------------------
Fri Jan 17 06:27:47 UTC 2025 - opensuse_buildservice@ojkastl.de

- Update to version 1.3.8:
  * Bug Fixes
    - fix zizmor issues (#2298)
    - remove unneeded value in log message (#2282)
  * Quality Enhancements
    - chore: relax go directive to permit 1.22.x
    - fetch minisign from homebrew instead of custom ppa (#2329)
    - fix(ci): simplify GOVERSION extraction
    - chore(deps): bump actions pins to latest
    - Updates go and golangci-lint (#2302)
    - update builder to use go1.23.4 (#2301)
    - clean up spaces
    - log request body on 500 error to aid debugging (#2283)

-------------------------------------------------------------------
Fri Nov 22 09:44:21 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.3.7:
  * New Features
    - log request body on 500 error to aid debugging (#2283)
    - Add support for signing with Tink keyset (#2228)
    - Add public key hash check in Signed Note verification (#2214)
    - update Trillian TLS configuration (#2202)
    - Add TLS support for Trillian server (#2164)
    - Replace docker-compose with plugin if available (#2153)
    - Add flags to backfill script (#2146)
    - Unset DisableKeepalive for backfill HTTP client (#2137)
    - Add script to delete indexes from Redis (#2120)
    - Run CREATE statement in backfill script (#2109)
    - Add MySQL support to backfill script (#2081)
    - Run e2e tests on mysql and redis index backends (#2079)
  * Bug Fixes
    - remove unneeded value in log message (#2282)
    - Add error message when computing consistency proof (#2278)
    - fix validation error handling on API (#2217)
    - fix error in pretty-printed inclusion proof from verify subcommand (#2210)
    - Fix index scripts (#2203)
    - fix failing sharding test
    - Better error handling in backfill script (#2148)
    - Batch entries in cleanup script (#2158)
    - Add missing workflow for index cleanup test (#2121)
    - hashedrekord: fix schema $id (#2092)

-------------------------------------------------------------------
Fri Jul 26 12:01:47 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.3.6:
  * New Features
    - Add support for IEEE P1363 encoded ECDSA signatures
    - Add index performance script (#2042)
    - Add support for ed25519ph user keys in hashedrekord (#1945)
    - Add metrics for index insertion (#2015)
    - Add TLS support for Redis Client implementation (#1998)
  * Bug Fixes
    - fix typo in remoteIp and set full name for trace field

-------------------------------------------------------------------
Fri Jul 26 12:00:14 UTC 2024 - Johannes Kastl

- refactor spec file
- switch to using obs_scm to generate the source obscpio archive
  * this way we no longer need to hardcode the commit hash
  * and the tarball was never verified anyway

-------------------------------------------------------------------
Mon Feb 5 14:38:58 UTC 2024 - Marcus Meissner

- update to 1.3.5 (jsc#SLE-23476):
  - Additional unique index correction
  - Remove timestamp from checkpoint
  - Drop conditional when verifying entry checkpoint
  - Fix panic for DSSE canonicalization
  - Change Redis value for locking mechanism
  - give log timestamps nanosecond precision
  - output trace in slog and override correlation header name
  - bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack
    CVE-2023-48795 (bsc#1218207)

-------------------------------------------------------------------
Sun Jan 28 18:45:08 UTC 2024 - Dirk Müller

- update to 1.3.4:
  * add mysql indexstorage backend
  * add s3 storage for attestations
  * fix: Do not check for pubsub.topics.get on initialization
  * fix optional field in cose schema
  * Update ranges.go
  * update indexstorage interface to reduce roundtrips
  * use a single validator library in rekor-cli
  * Remove go-playground/validator dependency from pkg/pki

-------------------------------------------------------------------
Fri Nov 24 16:03:38 UTC 2023 - Marcus Meissner

- updated to rekor 1.3.3 (jsc#SLE-23476):
  - Update signer flag description
  - update trillian to 1.5.3
  - adds redis_auth
  - Add method to get artifact hash for an entry
  - make e2e tests more usable with docker-compose
  - install go at correct version for codeql
- updated to rekor 1.3.2 (jsc#SLE-23476):
- updated to rekor 1.3.1 (jsc#SLE-23476):
  New Features:
  - enable GCP cloud profiling on rekor-server (#1746)
  - move index storage into interface (#1741)
  - add info to readme to denote additional documentation sources (#1722)
  - Add type of ed25519 key for TUF (#1677)
  - Allow parsing base64-encoded TUF metadata and root content (#1671)
  Quality Enhancements:
  - disable quota in trillian in test harness (#1680)
  Bug Fixes:
  - Update contact for code of conduct (#1720)
  - Fix panic when parsing SSH SK pubkeys (#1712)
  - Correct index creation (#1708)
  - docs: fixes a small typo on the readme (#1686)
  - chore: fix backfill-redis Makefile target (#1685)

-------------------------------------------------------------------
Fri Sep 1 08:54:06 UTC 2023 - Marcus Meissner

- updated to rekor 1.3.0 (jsc#SLE-23476):
  - Update openapi.yaml (#1655)
  - pass transient errors through retrieveLogEntry (#1653)
  - return full entryID on HTTP 409 responses (#1650)
  - feat: Support publishing new log entries to Pub/Sub topics (#1580)
  - Change values of Identity.Raw, add fingerprints (#1628)
  - Extract all subjects from SANs for x509 verifier (#1632)
  - Fix type comment for Identity struct (#1619)
  - Refactor Identities API (#1611)
  - Refactor Verifiers to return multiple keys (#1601)
  - Update checkpoint link (#1597)
  - Use correct log index in inclusion proof (#1599)
  - remove instrumentation library (#1595)
- updated to rekor 1.2.2 (jsc#SLE-23476):
  - pass down error with message instead of nil
  - swap killswitch for 'docker-compose restart'

-------------------------------------------------------------------
Tue May 30 07:52:52 UTC 2023 - Marcus Meissner

- updated to rekor 1.2.1 (jsc#SLE-23476):
  Security fix:
  - CVE-2023-33199: Fixed that malformed proposed intoto v0.0.2 entries
    can cause a panic (bsc#1211790)
  Functional Enhancements
  - add client method to generate TLE struct (#1498)
  - add dsse type (#1487)
  - support other KMS providers (AWS, Azure, Hashicorp) in addition to GCP (#1488)
  - Add concurrency to backfill-redis (#1504)
  - omit informational message if machine-parseable output has been requested (#1486)
  - Publish stable checkpoint periodically to Redis (#1461)
  - Add intoto v0.0.2 to backfill script (#1500)
  - add new method to test insertability of proposed entries into log (#1410)
  Quality Enhancements
  - use t.Skip() in fuzzers (#1506)
  - improve fuzzing coverage (#1499)
  - Remove watcher script (#1484)
  Bug Fixes
  - Merge pull request from GHSA-frqx-jfcm-6jjr (CVE-2023-33199)
  - Remove requirement of PayloadHash for intoto 0.0.1 (#1490)
  - fix lint errors, bump linter up to 1.52 (#1485)
  - Remove dependencies from pkg/util (#1469)

-------------------------------------------------------------------
Wed May 3 12:23:27 UTC 2023 - Marcus Meissner

- updated to rekor 1.1.1 (jsc#SLE-23476):
  Functional Enhancements
  - Refactor Trillian client with exported methods (#1454)
  - Switch to official redis-go client (#1459)
  - Remove replace in go.mod (#1444)
  - Add Rekor OID info. (#1390)
  Quality Enhancements
  - remove legacy encrypted cosign key (#1446)
  - swap cjson dependency (#1441)
  - Update release readme (#1456)
  Security fixes:
  - CVE-2023-30551: Fixed a potential denial of service (out of memory)
    when processing JAR META-INF files or .SIGN/.PKINFO files in APK
    files. (bsc#1211210 https://github.com/advisories/GHSA-2h5h-59f5-c5x9)

-------------------------------------------------------------------
Wed Apr 5 08:27:23 UTC 2023 - Marcus Meissner

- updated to rekor 1.1.0 (jsc#SLE-23476):
  Functional Enhancements
  - improve validation on intoto v0.0.2 type (#1351)
  - add feature to limit HTTP request body length to process (#1334)
  - add information about the file size limit (#1313)
  - Add script to backfill Redis from Rekor (#1163)
  - Feature: add search support for sha512 (#1142)
  Quality Enhancements
  - various fuzzing fixes
  Bug Fixes
  - remove goroutine usage from SearchLogQuery (#1407)
  - drop log messages regarding attestation storage to debug (#1408)
  - fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)
  - fix: fix regex for multi-digit counts (#1321)
  - return NotFound if treesize is 0 rather than calling trillian (#1311)
  - enumerate slice to get sugared logs (#1312)
  - put a reasonable size limit on ssh key reader (#1288)
  - CLIENT: Fix Custom Host and Path Issue (#1306)
  - do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)
  - correctly handle invalid or missing pki format (#1281)
  - Add Verifier to get public key/cert and identities for entry type (#1210)
  - fix goroutine leak in client; add insecure TLS option (#1238)
  - Fix - Remove the force-recreate flag (#1179)
  - trim whitespace around public keys before parsing (#1175)
  - stop inserting envelope hash for intoto:0.0.2 types into index (#1171)
  - Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158)
  - remove double encoding of payload and signature fields for intoto (#1150)
  - fix SearchLogQuery behavior to conform to openapi spec (#1145)
  - Remove pem-certificate-chain from client (#1138)
  - fix flag type for operator in search (#1136)
  - use sigstore/community dep review (#1132)

-------------------------------------------------------------------
Tue Nov 29 13:42:54 UTC 2022 - Marcus Meissner

- updated to rekor 1.0.1 (jsc#SLE-23476):
  - stop inserting envelope hash for intoto:0.0.2 types into index

-------------------------------------------------------------------
Wed Oct 19 08:21:25 UTC 2022 - Marcus Meissner

- updated to rekor 1.0.0 (jsc#SLE-23476):
  - add description on /api/v1/index/retrieve endpoint by @bobcallaway in https://github.com/sigstore/rekor/pull/1073
  - Adding e2e test coverage by @cdris in https://github.com/sigstore/rekor/pull/1071
  - export rekor build/version information by @cpanato in https://github.com/sigstore/rekor/pull/1074
  - Use POST instead of GET for /api/log/entries/retrieve metrics. by @var-sdk in https://github.com/sigstore/rekor/pull/1083
  - Search through all shards when searching by hash by @priyawadhwa in https://github.com/sigstore/rekor/pull/1082
  - verify: verify checkpoint's STH against the inclusion proof root hash by @asraa in https://github.com/sigstore/rekor/pull/1092
  - add ability to enable/disable specific rekor API endpoints by @bobcallaway in https://github.com/sigstore/rekor/pull/1080
  - enable configurable client retries with backoff in RekorClient by @bobcallaway in https://github.com/sigstore/rekor/pull/1096
  - remove dead code around api-key and timestamp references by @bobcallaway in https://github.com/sigstore/rekor/pull/1098
  - update swagger API version to 1.0.0 by @bobcallaway in https://github.com/sigstore/rekor/pull/1102
  - remove unused RekorVersion API definition by @bobcallaway in https://github.com/sigstore/rekor/pull/1101
  - install gocovmerge in hack/tools by @bobcallaway in https://github.com/sigstore/rekor/pull/1103
  - add retry command line flag on rekor-cli by @bobcallaway in https://github.com/sigstore/rekor/pull/1097
  - Add some info and debug logging to commonly used funcs by @priyawadhwa in https://github.com/sigstore/rekor/pull/1106

-------------------------------------------------------------------
Fri Sep 30 13:59:10 UTC 2022 - Marcus Meissner

- updated to rekor 0.12.2 (jsc#SLE-23476):
  - add description on /api/v1/index/retrieve endpoint
  - Adding e2e test coverage
  - export rekor build/version information
  - Use POST instead of GET for /api/log/entries/retrieve metrics.
  - Search through all shards when searching by hash

-------------------------------------------------------------------
Tue Sep 27 12:22:57 UTC 2022 - Marcus Meissner

- updated to rekor 0.12.1 (jsc#SLE-23476):
  - ** Rekor ** v0.12.1 comes with a breaking change to rekor-cli v0.12.1.
    Users of rekor-cli MUST upgrade to the latest version. The addition
    of the intotov2 created a breaking change for the rekor-cli.
  - What's Changed
    - fix: fix harness tests with intoto v0.0.2 by @asraa in #1052
    - feat: add file based signer and password by @asraa in #1049
    - Adds new rekor metrics for latency and QPS. by @var-sdk in #1059

-------------------------------------------------------------------
Thu Sep 15 12:33:21 UTC 2022 - Marcus Meissner

- updated to rekor 0.12.0 (jsc#SLE-23476):
  - check supportedVersions list rather than directly reading from version map by @bobcallaway in #1003
  - enable blocking specific pluggable type versions from being inserted into the log by @bobcallaway in #1004
  - api.SearchLogQueryHandler thread safety by @cdris in #1006
  - 'docker compose' to 'docker-compose' by @bobcallaway in #1009
  - Intoto v0.0.2 by @pxp928 in #973
  - Add bounds on number of elements in api/v1/log/entries/retrieve by @priyawadhwa in #1011
  - Change Checkpoint origin to be "Hostname - Tree ID" by @haydentherapper in #1013
  - feat: add verification functions by @asraa in #986
  - Validate tree ID on calls to /api/v1/log/entries/retrieve by @priyawadhwa in #1017
  - Include checkpoint (STH) in entry upload and retrieve responses by @haydentherapper in #1015
  - fix: use entry uuid uniformly in return responses by @asraa in #1012
  - remove /api/v1/version endpoint by @bobcallaway in #1022
  - Fix rekor-cli backwards incompatibility & run harness tests against HEAD by @priyawadhwa in #1030
  - Fix harness tests @ main by @priyawadhwa in #1038
  - Fetch all tags in harness tests by @priyawadhwa in #1039
  - fix retrieve endpoint response code and add testing by @asraa in #1043
- updated to rekor 0.11.0:
  - Add rekor harness tests by @priyawadhwa in #945
  - Persist and check attestations across harness tests by @priyawadhwa in #952
  - Add harness test for getting all entries by UUID and EntryID by @priyawadhwa in #957
  - api: fix inclusion proof verification flake by @asraa in #956
  - change default value for rekor_server.hostname to server's hostname by @bobcallaway in #963
  - fix nil-pointer error when artifact-hash is passed without artifact by @dsa0x in #965
  - Add prometheus summary to track metric latency by @priyawadhwa in #966
  - compute payload and envelope hashes upon validating intoto proposed entries by @bobcallaway in #967
  - update field documentation on publicKey for hashedrekord by @bobcallaway in #969
  - Allow sharding config to be written in yaml or json by @priyawadhwa in #974
  - fix incorrect schema id for cose type by @bobcallaway in #979
  - fix: make rekor verify work with sharded uuids by @asraa in #970
  - update builder and cosign images by @cpanato in #981
  - remove trailing slash on directories by @bobcallaway in #984
  - add support for intersection & union in search operations by @dsa0x in #968
  - Update scorecard-action to v2:alpha by @azeemshaikh38 in #987
- updated to rekor 0.10.0:
  - reuse DSSE signature wrappers instead of a local copy by @bobcallaway in #912
  - Updates on the release job/makefile cleanup by @cpanato in #914
  - Return 404 if entry isn't found in log by @priyawadhwa in #915
  - Update cosign image in validate-release job by @priyawadhwa in #931
  - update go builder and cosign image by @cpanato in #934
  - Drop application/yaml content type by @haydentherapper in #933
  - Add rekor test harness to presubmit tests by @priyawadhwa in #921
  - Enable Scorecard badge by @azeemshaikh38 in #941
  - update go mod in hack/tools to go1.18 by @cpanato in #935
  - add ldflags back by @cpanato in #944

-------------------------------------------------------------------
Wed Jul 27 13:26:17 UTC 2022 - Marcus Meissner

- updated to rekor 0.9.1
  - feat: add subject URIs to index for x509 certificates by @asraa in #897
  - fix: sql syntax in dbcreate script by @xens in #903
  - Switch to go 1.18 and pin release-utils to v0.7.1 by @saschagrunert in #904
  - Check inactive shards for UUID for /retrieve endpoint by @priyawadhwa in #905
  - ensure log messages have requestID where possible by @bobcallaway in #907
  - Remove unnecessary lookup of non-existent attestations from storage layer by @bobcallaway in #909
  - Fix bug where /retrieve endpoint returns wrong logIndex across shards by @priyawadhwa in #908
- updated to rekor 0.9.0
  - Add COSE support to Rekor by @kommendorkapten in #867
  - Fix intoto index keys by @bobcallaway in #889
  - Resolve virtual log index when calling /retrieve endpoint by @priyawadhwa in #894
- updated to rekor 0.8.2
  - collect docker-compose logs if sharding tests fail, also trim IDs by @bobcallaway in #869
  - ensure fallback logic executes if attestation key is empty when fetching attestation by @bobcallaway in #878

-------------------------------------------------------------------
Wed Jun 29 12:26:43 UTC 2022 - Marcus Meissner

- rekor-zypper-verify.sh: add a small script that verifies the
  on-system zypper repo cache against the rekor transparency log.

-------------------------------------------------------------------
Mon Jun 20 06:54:51 UTC 2022 - Marcus Meissner

- Updated to rekor 0.8.1
  - Fix indexing bug for intoto attestations by @priyawadhwa in #870
  - Allow an expired certificate chain to be uploaded and verified by @haydentherapper in #873
- Updated to rekor 0.8.0
  - Update go-tuf and sigstore/sigstore to non-vulnerable go-tuf version. by @dhaus67 in #847
  - Configure rekor server in e2e tests via env variable by @priyawadhwa in #850
  - update cross-builder image to use go1.17.11 and dockerfile base image by @cpanato in #860
  - update go.mod to go1.17 by @cpanato in #861
  - Improve error message when using ED25519 with HashedRekord type by @haydentherapper in #862
  - Allow retrieving entryIDs or UUIDs via /api/v1/log/entries/retrieve endpoint by @priyawadhwa in #859
  - Print total tree size, including inactive shards in rekor-cli loginfo by @priyawadhwa in #864
- Updated to rekor 0.7.0
  - remove URL fetch of keys/artifacts server-side by @bobcallaway in #735
  - intoto: add index on materials digest of slsa provenance by @asraa in #793
  - chore(deps): Included dependency review by @naveensrinivasan in #788
  - Check if intoto hash is available before accessing it as an index key by @priyawadhwa in #800
  - Move deprecated dependency: google/trillian/merkle to transparency-dev by @asraa in #807
  - Retrieve shard tree length if it isn't provided in the config by @priyawadhwa in #810
  - update release builder images to use go 1.17.10 and cosign image to 1.8.0 by @cpanato in #820
  - update go to 1.17.10 in the dockerfile by @cpanato in #819
  - Limit the number of certificates parsed in a chain by @haydentherapper in #823
  - Breaking change: Remove timestamping authority by @haydentherapper in #813
  - Add back owners for rfc3161 package type by @haydentherapper in #833
  - all: remove dependency on deprecated github.com/pkg/errors by @zchee in #834
  - name stored attestations by digest instead of UUID by @bobcallaway in #769

-------------------------------------------------------------------
Tue Apr 26 09:41:49 UTC 2022 - Marcus Meissner

- Updated to rekor 0.6.0
  - attempting to fix codeowners file by @bobcallaway in #653
  - Update the warning text for the GA release.
by @dlorenc in #654 - Add docs about API stability and deprecation policy by @priyawadhwa in #661 - update cross-build and dockerfile to use go 1.17.7 by @cpanato in #666 - Move k8s objects out of the default namespace by @k4leung4 in #674 - add securityContext to deployment. by @k4leung4 in #678 - Add intoto type documentation by @jspeed-meyers in #679 - create namespace for rekor config in yaml. by @k4leung4 in #680 - Set rekor-cli User-Agent header on requests by @bobcallaway in #684 - update security process link by @bobcallaway in #685 - explicitly set permissions for github actions by @k4leung4 in #687 - Add documentation about Alpine type by @jspeed-meyers in #697 - Add code coverage to pull requests. by @k4leung4 in #676 - Consistent parenthesis use in Makefile by @k4leung4 in #700 - Use logRangesFlag in API, route reads based on TreeID by @lkatalin in #671 - Generate release yaml for non-CI builds. by @k4leung4 in #702 - Mirror signed release images from GCR to GHCR as part of release by @k4leung4 in #701 - build trillian container to existing release. by @k4leung4 in #715 - Make the loginfo command a bit more future/backwards proof. by @dlorenc in #718 - Switch to using the swag library for pointer manipulation. by @dlorenc in #719 - Change TreeID to be of type string instead of int64 by @priyawadhwa in #712 - Add sharding e2e test to Github Actions by @priyawadhwa in #714 - fix merge conflict by @priyawadhwa in #720 - Clearer logging for createAndInitTree by @priyawadhwa in #724 - Return virtual index when creating and getting a log entry by @priyawadhwa in #725 - Fix copy/paste mistake in repo name. 
by @k4leung4 in #730 - Use reusuable release workflow in sigstore/sigstore by @k4leung4 in #729 - Get log proofs by Tree ID by @priyawadhwa in #733 - Refactor rekor-cli loginfo by @priyawadhwa in #734 - Update loginfo API endpoint to return information about inactive shards by @priyawadhwa in #738 - Replace trillian_log_server.log_id_ranges flag with a config file by @priyawadhwa in #742 - fix build date format for version command by @cpanato in #745 - Require tlog_id when log_id_ranges is passed in by @lkatalin in #739 - Use active tree on server startup by @lkatalin in #727 - Specify public key for inactive shards in shard config by @priyawadhwa in #746 - Add support for providing certificate chain for X509 signature types by @haydentherapper in #747 - fix typo in filename by @bobcallaway in #758 - Update release jobs and trillian images by @cpanato in #756 - Add the SHA256 digest of the intoto payload into the rekor entry by @bobcallaway in #764 - Add index to hashed intoto envelope by @asraa in #761 - Fix link in types README by @eddiezane in #765 - set p.Block after parsing in helm provenance type by @bobcallaway in #759 - Fix search without sha prefix by @eddiezane in #767 - Add in configmap to release for sharding config by @priyawadhwa in #766 - Search inactive trees for GET by UUID requests by @lkatalin in #750 - Create EntryID for new artifacts and return EntryID to user by @lkatalin in #623 - Update cloudbuild to not fail when copy the images by @cpanato in #773 ------------------------------------------------------------------- Fri Apr 1 15:13:27 UTC 2022 - Marcus Meissner - Updated to rekor 0.5.0 * Highlights - Add Rekor logo to README (#650) - update API calls to v5 (#591) - Refactor helm type to remove intermediate state. (#575) - Refactor the shard map parsing so we can pass it down into the API object. (#564) - Refactor the alpine type to reduce intermediate state. 
(#573) * Enhancements - Add logic to GET artifacts via old or new UUID (#587) - helpful error message for hashedrekord types (#605) - Set Accept header in dynamic counter requests (#594) - Add sharding package and update validators (#583) - rekor-cli: show the url in case of error (#581) - Enable parsing of incomplete minisign keys, to enable re-indexing. (#567) - Cleanups on the TUF pluggable type. (#563) - Refactor the RPM type to remove more intermediate state. (#566) - Do some cleanups of the jar type to remove intermediate state. (#561) * Others - update version comments since dependabot doesn't do it (#617) - Use workload identity provider instead of GitHub Secret for GCR access (#600) - add OSSF scorecard action (#599) - enable the sbom for rekor releases (#586) - Point to the official website (instead of a 404) (#580) - Add a Makefile target for the "ko apply" step. (#572) - types/README.md: Corrected documentation link (#568) ------------------------------------------------------------------- Thu Feb 3 09:46:25 UTC 2022 - Marcus Meissner - enable server build too, as people might want to deploy rekor chain themselves. ------------------------------------------------------------------- Tue Jan 25 08:32:11 UTC 2022 - Bernhard Wiedemann - Fix BUILD_DATE for reproducible build results (boo#1047218) ------------------------------------------------------------------- Thu Jan 6 14:52:16 UTC 2022 - Marcus Meissner - updated to 0.4.0 Highlights - Adds hashed rekord type that can be used to upload signatures along with the hashed content signed (#501) ------------------------------------------------------------------- Wed Dec 8 16:58:06 UTC 2021 - Marcus Rueckert - prepare building of the serve part ------------------------------------------------------------------- Fri Nov 26 16:01:30 UTC 2021 - Marcus Rueckert - initial package