From 0340082614a6400ed550b6a1b0695f2bda3f61fdeed0ff4344463b76a514ebff Mon Sep 17 00:00:00 2001 
From: Marcus Meissner
Date: Wed, 5 Apr 2023 09:24:58 +0000
Subject: [PATCH] Accepting request 1077454 from home:msmeissn:branches:security

- updated to rekor 1.1.0 (jsc#SLE-23476):
  Functional Enhancements

  - improve validation on intoto v0.0.2 type (#1351)
  - add feature to limit HTTP request body length to process (#1334)
  - add information about the file size limit (#1313)
  - Add script to backfill Redis from Rekor (#1163)
  - Feature: add search support for sha512 (#1142)

  Quality Enhancements

  - various fuzzing fixes

  Bug Fixes

  - remove goroutine usage from SearchLogQuery (#1407)
  - drop log messages regarding attestation storage to debug (#1408)
  - fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)
  - fix: fix regex for multi-digit counts (#1321)
  - return NotFound if treesize is 0 rather than calling trillian (#1311)
  - enumerate slice to get sugared logs (#1312)
  - put a reasonable size limit on ssh key reader (#1288)
  - CLIENT: Fix Custom Host and Path Issue (#1306)
  - do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)
  - correctly handle invalid or missing pki format (#1281)
  - Add Verifier to get public key/cert and identities for entry type (#1210)
  - fix goroutine leak in client; add insecure TLS option (#1238)
  - Fix - Remove the force-recreate flag (#1179)
  - trim whitespace around public keys before parsing (#1175)
  - stop inserting envelope hash for intoto:0.0.2 types into index (#1171)
  - Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158)
  - remove double encoding of payload and signature fields for intoto (#1150)
  - fix SearchLogQuery behavior to conform to openapi spec (#1145)
  - Remove pem-certificate-chain from client (#1138)
  - fix flag type for operator in search (#1136)

OBS-URL: https://build.opensuse.org/request/show/1077454
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=27
---
 rekor-1.0.1.tar.gz | 3 ---
rekor.changes | 40 ++++++++++++++++++++++++++++++++++++++++ rekor.spec | 6 +++--- vendor.tar.xz | 4 ++-- 5 files changed, 48 insertions(+), 8 deletions(-) delete mode 100644 rekor-1.0.1.tar.gz create mode 100644 rekor-1.1.0.tar.gz diff --git a/rekor-1.0.1.tar.gz b/rekor-1.0.1.tar.gz deleted file mode 100644 index 6c948aa..0000000 --- a/rekor-1.0.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0b29e753b6a2b9085b3227648f686163b92ab2195b3c01e6692177bd32f1f231 -size 677071 diff --git a/rekor-1.1.0.tar.gz b/rekor-1.1.0.tar.gz new file mode 100644 index 0000000..2a1736c --- /dev/null +++ b/rekor-1.1.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7f5491170f4d330797740bfbc04537effdca5cc4c96d68266726a2edd9654088 +size 868412 diff --git a/rekor.changes b/rekor.changes index 43d8e06..3038166 100644 --- a/rekor.changes +++ b/rekor.changes 
@@ -1,3 +1,43 @@ +------------------------------------------------------------------- +Wed Apr 5 08:27:23 UTC 2023 - Marcus Meissner + +- updated to rekor 1.1.0 (jsc#SLE-23476): + Functional Enhancements + + - improve validation on intoto v0.0.2 type (#1351) + - add feature to limit HTTP request body length to process (#1334) + - add information about the file size limit (#1313) + - Add script to backfill Redis from Rekor (#1163) + - Feature: add search support for sha512 (#1142) + + Quality Enhancements + + - various fuzzing fixes + + Bug Fixes + + - remove goroutine usage from SearchLogQuery (#1407) + - drop log messages regarding attestation storage to debug (#1408) + - fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309) + - fix: fix regex for multi-digit counts (#1321) + - return NotFound if treesize is 0 rather than calling trillian (#1311) + - enumerate slice to get sugared logs (#1312) + - put a reasonable size limit on ssh key reader (#1288) + - CLIENT: Fix Custom Host and Path Issue (#1306) + - do not persist local state if log is empty; fail consistency proofs from 0 size (#1290) + - correctly handle invalid or missing pki format (#1281) + - Add Verifier to get public key/cert and identities for entry type (#1210) + - fix goroutine leak in client; add insecure TLS option (#1238) + - Fix - Remove the force-recreate flag (#1179) + - trim whitespace around public keys before parsing (#1175) + - stop inserting envelope hash for intoto:0.0.2 types into index (#1171) + - Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158) + - remove double encoding of payload and signature fields for intoto (#1150) + - fix SearchLogQuery behavior to conform to openapi spec (#1145) + - Remove pem-certificate-chain from client (#1138) + - fix flag type for operator in search (#1136) + - use sigstore/community dep review (#1132) + ------------------------------------------------------------------- Tue Nov 29 
13:42:54 UTC 2022 - Marcus Meissner diff --git a/rekor.spec b/rekor.spec index 6ef9c58..03091fd 100644 --- a/rekor.spec +++ b/rekor.spec @@ -1,7 +1,7 @@ # # spec file for package rekor # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,9 +19,9 @@ %define apps cli server Name: rekor -Version: 1.0.1 +Version: 1.1.0 Release: 0 -%define revision d3162350e96098ca8a24adfdbee42057e43b5de6 +%define revision 4a6592612dc015f24d0700b6d274b3663d128ad8 Summary: Supply Chain Transparency Log License: Apache-2.0 URL: https://github.com/sigstore/rekor diff --git a/vendor.tar.xz b/vendor.tar.xz index 1d321a0..e7acde7 100644 --- a/vendor.tar.xz +++ b/vendor.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:0a0d571c7f82993c4f120b29c5a74ba20e63a314d98f0eb622f5f12a51842a3d -size 5276265 +oid sha256:b9d09adf4a8e1bec89550992741068b2e3c433f82ce5241d7e851bea42bf0699 +size 4239016
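Review bot: For the new rekor-1.1.0.tar.gz, the only thing visible in the request is the LFS pointer (`oid sha256:7f5491170f4d330797740bfbc04537effdca5cc4c96d68266726a2edd9654088`, `size 868412`); nothing records where the tarball was obtained or how it was compared against the upstream v1.1.0 release artifact. Please add that provenance to the request (the download URL or the `_service` step that fetched it, and the upstream checksum or signature check if one is published), so a reviewer can confirm the source without re-downloading it.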
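Review bot: The rekor.changes entry ends its Bug Fixes list with `+ - use sigstore/community dep review (#1132)`, but that item does not appear in the commit message's copy of the same list; keep the two in sync (drop it from the changelog or add it to the request description) so the submitted description matches what lands in the package changelog. Several of the listed items are hardening fixes rather than plain bug fixes (request body length limit #1334, ssh key reader size limit #1288, client goroutine leak #1238), which is worth stating explicitly next to the jsc#SLE-23476 reference so the security relevance of the update is visible from the changelog alone.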
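Review bot: In the rekor.spec hunk at `@@ -19,9 +19,9 @@`, `%define revision` changes to `4a6592612dc015f24d0700b6d274b3663d128ad8` together with `Version: 1.1.0`, but nothing in the request shows that this commit is the one tagged v1.1.0 upstream. Please confirm the hash is the tag commit the rekor-1.1.0.tar.gz was built from; a mismatch would make the revision string compiled into the rekor-cli and rekor-server binaries disagree with the source that was actually built.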
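Review bot: The regenerated vendor.tar.xz shrinks from `size 5276265` to `size 4239016` on a feature release that adds functionality, which is unexpected enough to deserve a sentence in the request explaining it (dropped or replaced dependencies, a different compression setting, or a `go mod vendor` run against a pruned module graph), together with confirmation that the tarball was produced from the 1.1.0 sources so the vendored modules match the go.sum used during the build.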