Accepting request 1077494 from security

- updated to rekor 1.1.0 (jsc#SLE-23476):
  Functional Enhancements
  - improve validation on intoto v0.0.2 type (#1351)
  - add feature to limit HTTP request body length to process (#1334)
  - add information about the file size limit (#1313)
  - Add script to backfill Redis from Rekor (#1163)
  - Feature: add search support for sha512 (#1142)
  Quality Enhancements
  - various fuzzing fixes
  Bug Fixes
  - remove goroutine usage from SearchLogQuery (#1407)
  - drop log messages regarding attestation storage to debug (#1408)
  - fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)
  - fix: fix regex for multi-digit counts (#1321)
  - return NotFound if treesize is 0 rather than calling trillian (#1311)
  - enumerate slice to get sugared logs (#1312)
  - put a reasonable size limit on ssh key reader (#1288)
  - CLIENT: Fix Custom Host and Path Issue (#1306)
  - do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)
  - correctly handle invalid or missing pki format (#1281)
  - Add Verifier to get public key/cert and identities for entry type (#1210)
  - fix goroutine leak in client; add insecure TLS option (#1238)
  - Fix - Remove the force-recreate flag (#1179)
  - trim whitespace around public keys before parsing (#1175)
  - stop inserting envelope hash for intoto:0.0.2 types into index (#1171)
  - Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158)
  - remove double encoding of payload and signature fields for intoto (#1150)
  - fix SearchLogQuery behavior to conform to openapi spec (#1145)
  - Remove pem-certificate-chain from client (#1138)
  - fix flag type for operator in search (#1136) (forwarded request 1077454 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/1077494
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=14

rekor-1.0.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0b29e753b6a2b9085b3227648f686163b92ab2195b3c01e6692177bd32f1f231
-size 677071

rekor-1.1.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7f5491170f4d330797740bfbc04537effdca5cc4c96d68266726a2edd9654088
+size 868412

rekor.changes

@@ -1,3 +1,43 @@
+-------------------------------------------------------------------
+Wed Apr  5 08:27:23 UTC 2023 - Marcus Meissner <meissner@suse.com>
+
+- updated to rekor 1.1.0 (jsc#SLE-23476):
+  Functional Enhancements
+
+  - improve validation on intoto v0.0.2 type (#1351)
+  - add feature to limit HTTP request body length to process (#1334)
+  - add information about the file size limit (#1313)
+  - Add script to backfill Redis from Rekor (#1163)
+  - Feature: add search support for sha512 (#1142)
+
+  Quality Enhancements
+
+  - various fuzzing fixes
+
+  Bug Fixes
+
+  - remove goroutine usage from SearchLogQuery (#1407)
+  - drop log messages regarding attestation storage to debug (#1408)
+  - fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)
+  - fix: fix regex for multi-digit counts (#1321)
+  - return NotFound if treesize is 0 rather than calling trillian (#1311)
+  - enumerate slice to get sugared logs (#1312)
+  - put a reasonable size limit on ssh key reader (#1288)
+  - CLIENT: Fix Custom Host and Path Issue (#1306)
+  - do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)
+  - correctly handle invalid or missing pki format (#1281)
+  - Add Verifier to get public key/cert and identities for entry type (#1210)
+  - fix goroutine leak in client; add insecure TLS option (#1238)
+  - Fix - Remove the force-recreate flag (#1179)
+  - trim whitespace around public keys before parsing (#1175)
+  - stop inserting envelope hash for intoto:0.0.2 types into index (#1171)
+  - Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158)
+  - remove double encoding of payload and signature fields for intoto (#1150)
+  - fix SearchLogQuery behavior to conform to openapi spec (#1145)
+  - Remove pem-certificate-chain from client (#1138)
+  - fix flag type for operator in search (#1136)
+  - use sigstore/community dep review (#1132)
+
 -------------------------------------------------------------------
 Tue Nov 29 13:42:54 UTC 2022 - Marcus Meissner <meissner@suse.com>
 

rekor.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package rekor
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,9 +19,9 @@
 %define apps cli server
 
 Name:           rekor
-Version:        1.0.1
+Version:        1.1.0
 Release:        0
-%define revision d3162350e96098ca8a24adfdbee42057e43b5de6
+%define revision 4a6592612dc015f24d0700b6d274b3663d128ad8
 Summary:        Supply Chain Transparency Log
 License:        Apache-2.0
 URL:            https://github.com/sigstore/rekor

vendor.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:0a0d571c7f82993c4f120b29c5a74ba20e63a314d98f0eb622f5f12a51842a3d
-size 5276265
+oid sha256:b9d09adf4a8e1bec89550992741068b2e3c433f82ce5241d7e851bea42bf0699
+size 4239016