From d5a79b63dc0a13c5f464107b94fde9461e0d375191f7058176e218e25f7ab069 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Fri, 26 Jul 2024 12:41:06 +0000 Subject: [PATCH] refactor spec, change to obs_scm (no longer hardcoding the commit hash) and update to 1.3.6 OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=43 --- .gitattributes | 23 +++ .gitignore | 1 + _service | 23 +++ _servicedata | 4 + rekor-1.3.5.tar.gz | 3 + rekor-1.3.6.obscpio | 3 + rekor-zypper-verify.sh | 31 +++ rekor.changes | 451 +++++++++++++++++++++++++++++++++++++++++ rekor.obsinfo | 4 + rekor.spec | 79 ++++++++ vendor.tar.zst | 3 + 11 files changed, 625 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 rekor-1.3.5.tar.gz create mode 100644 rekor-1.3.6.obscpio create mode 100644 rekor-zypper-verify.sh create mode 100644 rekor.changes create mode 100644 rekor.obsinfo create mode 100644 rekor.spec create mode 100644 vendor.tar.zst diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..b3266b2 --- /dev/null +++ b/_service @@ -0,0 +1,23 @@ + + + https://github.com/sigstore/rekor + git + .git + v1.3.6 + @PARENT_TAG@ + enable + v(.*) + + + + + zst + + + + + + *.tar + gz + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..1ee64d1 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/sigstore/rekor + a6788566cd62facb0fb0450e9d2c2867f551e37c \ No newline at end of file diff --git a/rekor-1.3.5.tar.gz b/rekor-1.3.5.tar.gz new file mode 100644 index 0000000..4844292 --- /dev/null +++ b/rekor-1.3.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bc82064bc32a83bd4d4d7f4fccb8579d3ebb9f64073ff000da99b01af508b40f +size 830762 
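Review bot: The obs_scm checkout is pinned to the tag `v1.3.6` (the `revision` value in this hunk; the XML tags themselves are stripped in this rendering), which is a mutable reference: what lands in `rekor-1.3.6.obscpio` is whatever the remote serves for that tag at service-run time, and the commit `a6788566cd62facb0fb0450e9d2c2867f551e37c` is only recorded afterwards in `_servicedata`, not enforced. The changelog says the old tarball "was never verified anyway", and this change does not add verification either, so a retagged or compromised upstream would be picked up silently. If obs_scm is not checking the tag signature (I do not believe it does), consider pinning `revision` to the commit hash and keeping `versionformat` at `@PARENT_TAG@`, or at least record in the changelog that the commit in `rekor.obsinfo` was compared with the upstream release before submission. Note also that `changesgenerate` copies upstream commit subjects verbatim into `rekor.changes`, which is fine but means the changelog is no longer an independent record.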
diff --git a/rekor-1.3.6.obscpio b/rekor-1.3.6.obscpio
new file mode 100644
index 0000000..f0d65a5
--- /dev/null
+++ b/rekor-1.3.6.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5dea844ae511e8957e0d433438b9b128126bc8cea9efd35c601a4b696980758f
+size 3277324
diff --git a/rekor-zypper-verify.sh b/rekor-zypper-verify.sh
new file mode 100644
index 0000000..11c4aa8
--- /dev/null
+++ b/rekor-zypper-verify.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+#
+# This scripts verifies presence of the current repomd signatures in the rekor log
+# for each of existing libzypp tracked repos.
+#
+
+zypper -q refresh
+
+for repo in /etc/zypp/repos.d/*.repo
+do
+ if grep enabled=1 $repo >/dev/null; then
+ repodirname=`grep '^\[' "$repo"|sed -e 's/.*\[//;s/\].*//;'`
+ name="`grep ^name= $repo|sed -e 's/name=//;'`"
+ if [ "x$name" == "x" ]; then
+ name="$repodirname"
+ fi
+
+ # echo "name: $name, repodirname $repodirname"
+
+ repodata="/var/cache/zypp/raw/$repodirname/repodata"
+ if [ -d "$repodata" ]; then
+ if rekor-cli verify --artifact "$repodata/repomd.xml" --signature "$repodata/repomd.xml.asc" --public-key "$repodata/repomd.xml.key" >/dev/null 2>&1; then
+ echo "$name repomd.xml signature is in rekor log"
+ else
+ echo "$name repomd.xml signature is NOT in rekor log"
+ fi
+ else
+ echo "$name has no repodata/ directory in $repodata, not a RPM-MD repository?"
+ fi
+ fi
+done
diff --git a/rekor.changes b/rekor.changes
new file mode 100644
index 0000000..dbe3694
--- /dev/null
+++ b/rekor.changes
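Review bot: The `rekor-cli verify` call passes `--public-key "$repodata/repomd.xml.key"`, the key that was downloaded together with the repository metadata, so a "is in rekor log" result only proves that this (artifact, signature, key) tuple has an inclusion proof; it says nothing about whether the key is one the system trusts, and a party who controls the repo can ship its own key, sign `repomd.xml`, log it, and pass this check. The header comment should state that limitation, e.g. `# NOTE: the key comes from the repo cache, not from rpm's keyring: this checks log inclusion, not key trust`, and the key should ideally be taken from the zypp/rpm trusted keyring rather than from `repodata/`. Separately, `>/dev/null 2>&1` turns every failure of rekor-cli (binary missing, network down, rate limited) into "NOT in rekor log", and the script always exits 0, so nothing can act on the result; add `rc=0` before the loop, `rc=1` in the NOT branch, and `exit "$rc"` after `done`. As a style point, `$repo` is unquoted in both `grep` calls and `grep enabled=1` also matches values like `enabled=10`; an anchored `grep -q` with `"$repo"` quoted is safer.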
@@ -0,0 +1,451 @@ +------------------------------------------------------------------- +Fri Jul 26 12:01:47 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.3.6: + * New Features + - Add support for IEEE P1363 encoded ECDSA signatures + - Add index performance script (#2042) + - Add support for ed25519ph user keys in hashedrekord (#1945) + - Add metrics for index insertion (#2015) + - Add TLS support for Redis Client implementation (#1998) + * Bug Fixes + - fix typo in remoteIp and set full name for trace field + +------------------------------------------------------------------- +Fri Jul 26 12:00:14 UTC 2024 - Johannes Kastl + +- refactor spec file +- switch to using obs_scm to generate the source obscpio archive + * this way we do no longer need to hardcode the commit hash + * and the tarball was never verified anyway + +------------------------------------------------------------------- +Mon Feb 5 14:38:58 UTC 2024 - Marcus Meissner + +- update to 1.3.5 (jsc#SLE-23476): + - Additional unique index correction + - Remove timestamp from checkpoint + - Drop conditional when verifying entry checkpoint + - Fix panic for DSSE canonicalization + - Change Redis value for locking mechanism + - give log timestamps nanosecond precision + - output trace in slog and override correlation header name +- bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207) + +------------------------------------------------------------------- +Sun Jan 28 18:45:08 UTC 2024 - Dirk Müller + +- update to 1.3.4: + * add mysql indexstorage backend + * add s3 storage for attestations + * fix: Do not check for pubsub.topics.get on initialization + * fix optional field in cose schema + * Update ranges.go + * update indexstorage interface to reduce roundtrips + * use a single validator library in rekor-cli + * Remove go-playground/validator dependency from pkg/pki + +------------------------------------------------------------------- +Fri Nov 
24 16:03:38 UTC 2023 - Marcus Meissner + +- updated to rekor 1.3.3 (jsc#SLE-23476): + - Update signer flag description + - update trillian to 1.5.3 + - adds redis_auth + - Add method to get artifact hash for an entry + - make e2e tests more usable with docker-compose + - install go at correct version for codeql +- updated to rekor 1.3.2 (jsc#SLE-23476): +- updated to rekor 1.3.1 (jsc#SLE-23476): + New Features: + - enable GCP cloud profiling on rekor-server (#1746) + - move index storage into interface (#1741) + - add info to readme to denote additional documentation sources (#1722) + - Add type of ed25519 key for TUF (#1677) + - Allow parsing base64-encoded TUF metadata and root content (#1671) + Quality Enhancements: + - disable quota in trillian in test harness (#1680) + Bug Fixes: + - Update contact for code of conduct (#1720) + - Fix panic when parsing SSH SK pubkeys (#1712) + - Correct index creation (#1708) + - docs: fixzes a small typo on the readme (#1686) + - chore: fix backfill-redis Makefile target (#1685) + +------------------------------------------------------------------- +Fri Sep 1 08:54:06 UTC 2023 - Marcus Meissner + +- updated to rekor 1.3.0 (jsc#SLE-23476): + - Update openapi.yaml (#1655) + - pass transient errors through retrieveLogEntry (#1653) + - return full entryID on HTTP 409 responses (#1650) + - feat: Support publishing new log entries to Pub/Sub topics (#1580) + - Change values of Identity.Raw, add fingerprints (#1628) + - Extract all subjects from SANs for x509 verifier (#1632) + - Fix type comment for Identity struct (#1619) + - Refactor Identities API (#1611) + - Refactor Verifiers to return multiple keys (#1601) + - Update checkpoint link (#1597) + - Use correct log index in inclusion proof (#1599) + - remove instrumentation library (#1595) + +- updated to rekor 1.2.2 (jsc#SLE-23476): + - pass down error with message instead of nil + - swap killswitch for 'docker-compose restart' + 
+------------------------------------------------------------------- +Tue May 30 07:52:52 UTC 2023 - Marcus Meissner + +- updated to rekor 1.2.1 (jsc#SLE-23476): + + Security fix: + + - CVE-2023-33199: Fixed that malformed proposed intoto v0.0.2 entries can cause a panic (bsc#1211790) + + Functional Enhancements + + - add client method to generate TLE struct (#1498) + - add dsse type (#1487) + - support other KMS providers (AWS, Azure, Hashicorp) in addition to GCP (#1488) + - Add concurrency to backfill-redis (#1504) + - omit informational message if machine-parseable output has been requested (#1486) + - Publish stable checkpoint periodically to Redis (#1461) + - Add intoto v0.0.2 to backfill script (#1500) + - add new method to test insertability of proposed entries into log (#1410) + + Quality Enhancements + + - use t.Skip() in fuzzers (#1506) + - improve fuzzing coverage (#1499) + - Remove watcher script (#1484) + + Bug Fixes + + - Merge pull request from GHSA-frqx-jfcm-6jjr (CVE-2023-33199) + - Remove requirement of PayloadHash for intoto 0.0.1 (#1490) + - fix lint errors, bump linter up to 1.52 (#1485) + - Remove dependencies from pkg/util (#1469) + +------------------------------------------------------------------- +Wed May 3 12:23:27 UTC 2023 - Marcus Meissner + +- updated to rekor 1.1.1 (jsc#SLE-23476): + Functional Enhancements + + - Refactor Trillian client with exported methods (#1454) + - Switch to official redis-go client (#1459) + - Remove replace in go.mod (#1444) + - Add Rekor OID info. (#1390) + + Quality Enhancements + + - remove legacy encrypted cosign key (#1446) + - swap cjson dependency (#1441) + - Update release readme (#1456) + + Security fixes: + + - CVE-2023-30551: Fixed a potential denial of service (out of memory) + when processing JAR META-INF files or .SIGN/.PKINFO files in APK files. 
+ (bsc#1211210 https://github.com/advisories/GHSA-2h5h-59f5-c5x9) + +------------------------------------------------------------------- +Wed Apr 5 08:27:23 UTC 2023 - Marcus Meissner + +- updated to rekor 1.1.0 (jsc#SLE-23476): + Functional Enhancements + + - improve validation on intoto v0.0.2 type (#1351) + - add feature to limit HTTP request body length to process (#1334) + - add information about the file size limit (#1313) + - Add script to backfill Redis from Rekor (#1163) + - Feature: add search support for sha512 (#1142) + + Quality Enhancements + + - various fuzzing fixes + + Bug Fixes + + - remove goroutine usage from SearchLogQuery (#1407) + - drop log messages regarding attestation storage to debug (#1408) + - fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309) + - fix: fix regex for multi-digit counts (#1321) + - return NotFound if treesize is 0 rather than calling trillian (#1311) + - enumerate slice to get sugared logs (#1312) + - put a reasonable size limit on ssh key reader (#1288) + - CLIENT: Fix Custom Host and Path Issue (#1306) + - do not persist local state if log is empty; fail consistency proofs from 0 size (#1290) + - correctly handle invalid or missing pki format (#1281) + - Add Verifier to get public key/cert and identities for entry type (#1210) + - fix goroutine leak in client; add insecure TLS option (#1238) + - Fix - Remove the force-recreate flag (#1179) + - trim whitespace around public keys before parsing (#1175) + - stop inserting envelope hash for intoto:0.0.2 types into index (#1171) + - Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158) + - remove double encoding of payload and signature fields for intoto (#1150) + - fix SearchLogQuery behavior to conform to openapi spec (#1145) + - Remove pem-certificate-chain from client (#1138) + - fix flag type for operator in search (#1136) + - use sigstore/community dep review (#1132) + 
+------------------------------------------------------------------- +Tue Nov 29 13:42:54 UTC 2022 - Marcus Meissner + +- updated to rekor 1.0.1 (jsc#SLE-23476): + - stop inserting envelope hash for intoto:0.0.2 types into index + +------------------------------------------------------------------- +Wed Oct 19 08:21:25 UTC 2022 - Marcus Meissner + +- updated to rekor 1.0.0 (jsc#SLE-23476): + - add description on /api/v1/index/retrieve endpoint by @bobcallaway in https://github.com/sigstore/rekor/pull/1073 + - Adding e2e test coverage by @cdris in https://github.com/sigstore/rekor/pull/1071 + - export rekor build/version information by @cpanato in https://github.com/sigstore/rekor/pull/1074 + - Use POST instead of GET for /api/log/entries/retrieve metrics. by @var-sdk in https://github.com/sigstore/rekor/pull/1083 + - Search through all shards when searching by hash by @priyawadhwa in https://github.com/sigstore/rekor/pull/1082 + - verify: verify checkpoint's STH against the inclusion proof root hash by @asraa in https://github.com/sigstore/rekor/pull/1092 + - add ability to enable/disable specific rekor API endpoints by @bobcallaway in https://github.com/sigstore/rekor/pull/1080 + - enable configurable client retries with backoff in RekorClient by @bobcallaway in https://github.com/sigstore/rekor/pull/1096 + - remove dead code around api-key and timestamp references by @bobcallaway in https://github.com/sigstore/rekor/pull/1098 + - update swagger API version to 1.0.0 by @bobcallaway in https://github.com/sigstore/rekor/pull/1102 + - remove unused RekorVersion API definition by @bobcallaway in https://github.com/sigstore/rekor/pull/1101 + - install gocovmerge in hack/tools by @bobcallaway in https://github.com/sigstore/rekor/pull/1103 + - add retry command line flag on rekor-cli by @bobcallaway in https://github.com/sigstore/rekor/pull/1097 + - Add some info and debug logging to commonly used funcs by @priyawadhwa in https://github.com/sigstore/rekor/pull/1106 + 
+------------------------------------------------------------------- +Fri Sep 30 13:59:10 UTC 2022 - Marcus Meissner + +- updated to rekor 0.12.2 (jsc#SLE-23476): + - add description on /api/v1/index/retrieve endpoint + - Adding e2e test coverage + - export rekor build/version information + - Use POST instead of GET for /api/log/entries/retrieve metrics. + - Search through all shards when searching by hash + +------------------------------------------------------------------- +Tue Sep 27 12:22:57 UTC 2022 - Marcus Meissner + +- updated to rekor 0.12.1 (jsc#SLE-23476): + - ** Rekor ** v0.12.1 comes with a breaking change to rekor-cli v0.12.1. Users of rekor-cli MUST upgrade to the latest version + The addition of the intotov2 created a breaking change for the rekor-cli + - What's Changed + - fix: fix harness tests with intoto v0.0.2 by @asraa in #1052 + - feat: add file based signer and password by @asraa in #1049 + - Adds new rekor metrics for latency and QPS. by @var-sdk in #1059 + +------------------------------------------------------------------- +Thu Sep 15 12:33:21 UTC 2022 - Marcus Meissner + +- updated to rekor 0.12.0 (jsc#SLE-23476): + - check supportedVersions list rather than directly reading from version map by @bobcallaway in #1003 + - enable blocking specific pluggable type versions from being inserted into the log by @bobcallaway in #1004 + - api.SearchLogQueryHandler thread safety by @cdris in #1006 + - 'docker compose' to 'docker-compose' by @bobcallaway in #1009 + - Intoto v0.0.2 by @pxp928 in #973 + - Add bounds on number of elements in api/v1/log/entries/retrieve by @priyawadhwa in #1011 + - Change Checkpoint origin to be "Hostname - Tree ID" by @haydentherapper in #1013 + - feat: add verification functions by @asraa in #986 + - Validate tree ID on calls to /api/v1/log/entries/retrieve by @priyawadhwa in #1017 + - Include checkpoint (STH) in entry upload and retrieve responses by @haydentherapper in #1015 + - fix: use entry uuid uniformly in 
return responses by @asraa in #1012 + - remove /api/v1/version endpoint by @bobcallaway in #1022 + - Fix rekor-cli backwards incompatibility & run harness tests against HEAD by @priyawadhwa in #1030 + - Fix harness tests @ main by @priyawadhwa in #1038 + - Fetch all tags in harness tests by @priyawadhwa in #1039 + - fix retrieve endpoint response code and add testing by @asraa in #1043 +- updated to rekor 0.11.0: + - Add rekor harness tests by @priyawadhwa in #945 + - Persist and check attestations across harness tests by @priyawadhwa in #952 + - Add harness test for getting all entries by UUID and EntryID by @priyawadhwa in #957 + - api: fix inclusion proof verification flake by @asraa in #956 + - change default value for rekor_server.hostname to server's hostname by @bobcallaway in #963 + - fix nil-pointer error when artifact-hash is passed without artifact by @dsa0x in #965 + - Add prometheus summary to track metric latency by @priyawadhwa in #966 + - compute payload and envelope hashes upon validating intoto proposed entries by @bobcallaway in #967 + - update field documentation on publicKey for hashedrekord by @bobcallaway in #969 + - Allow sharding config to be written in yaml or json by @priyawadhwa in #974 + - fix incorrect schema id for cose type by @bobcallaway in #979 + - fix: make rekor verify work with sharded uuids by @asraa in #970 + - update builder and cosign images by @cpanato in #981 + - remove trailing slash on directories by @bobcallaway in #984 + - add support for intersection & union in search operations by @dsa0x in #968 + - Update scorecard-action to v2:alpha by @azeemshaikh38 in #987 +- updated to rekor 0.10.0: + - reuse DSSE signature wrappers instead of a local copy by @bobcallaway in #912 + - Updates on the release job/makefile cleanup by @cpanato in #914 + - Return 404 if entry isn't found in log by @priyawadhwa in #915 + - Update cosign image in validate-release job by @priyawadhwa in #931 + - update go builder and cosign image by 
@cpanato in #934 + - Drop application/yaml content type by @haydentherapper in #933 + - Add rekor test harness to presubmit tests by @priyawadhwa in #921 + - sparkles Enable Scorecard badge by @azeemshaikh38 in #941 + - update go mod in hack/tools to go1.18 by @cpanato in #935 + - add ldflags back by @cpanato in #944 + +------------------------------------------------------------------- +Wed Jul 27 13:26:17 UTC 2022 - Marcus Meissner + +- updated to rekor 0.9.1 + - feat: add subject URIs to index for x509 certificates by @asraa in #897 + - fix: sql syntax in dbcreate script by @xens in #903 + - Switch to go 1.18 and pin release-utils to v0.7.1 by @saschagrunert in #904 + - Check inactive shards for UUID for /retrieve endpoint by @priyawadhwa in #905 + - ensure log messages have requestID where possible by @bobcallaway in #907 + - Remove unnecessary lookup of non-existent attestations from storage layer by @bobcallaway in #909 + - Fix bug where /retrieve endpoint returns wrong logIndex across shards by @priyawadhwa in #908 + +- updated to rekor 0.9.0 + - Add COSE support to Rekor by @kommendorkapten in #867 + - Fix intoto index keys by @bobcallaway in #889 + - Resolve virtual log index when calling /retrieve endpoint by @priyawadhwa in #894 +- updated to rekor 0.8.2 + - collect docker-compose logs if sharding tests fail, also trim IDs by @bobcallaway in #869 + - ensure fallback logic executes if attestation key is empty when fetching attestation by @bobcallaway in #878 + +------------------------------------------------------------------- +Wed Jun 29 12:26:43 UTC 2022 - Marcus Meissner + +- rekor-zypper-verify.sh: add a small script that verifies the on-system + zypper repo cache against rekor transparency log. 
+ +------------------------------------------------------------------- +Mon Jun 20 06:54:51 UTC 2022 - Marcus Meissner + +- Updated to rekor 0.8.1 + - Fix indexing bug for intoto attestations by @priyawadhwa in #870 + - Allow an expired certificate chain to be uploaded and verified by @haydentherapper in #873 +- Updated to rekor 0.8.0 + - Update go-tuf and sigstore/sigstore to non-vulnerable go-tuf version. by @dhaus67 in #847 + - Configure rekor server in e2e tests via env variable by @priyawadhwa in #850 + - update cross-builder image to use go1.17.11 and dockerfile base image by @cpanato in #860 + - update go.mod to go1.17 by @cpanato in #861 + - Improve error message when using ED25519 with HashedRekord type by @haydentherapper in #862 + - Allow retrieving entryIDs or UUIDs via /api/v1/log/entries/retrieve endpoint by @priyawadhwa in #859 + - Print total tree size, including inactive shards in rekor-cli loginfo by @priyawadhwa in #864 +- Updated to rekor 0.7.0 + - remove URL fetch of keys/artifacts server-side by @bobcallaway in #735 + - intoto: add index on materials digest of slsa provenance by @asraa in #793 + - chore(deps): Included dependency review by @naveensrinivasan in #788 + - Check if intoto hash is available before accessing it as an index key by @priyawadhwa in #800 + - Move deprecated dependency: google/trillian/merkle to transparency-dev by @asraa in #807 + - Retrieve shard tree length if it isn't provided in the config by @priyawadhwa in #810 + - update release builder images to use go 1.17.10 and cosign image to 1.8.0 by @cpanato in #820 + - update go to 1.17.10 in the dockerfile by @cpanato in #819 + - Limit the number of certificates parsed in a chain by @haydentherapper in #823 + - Breaking change: Remove timestamping authority by @haydentherapper in #813 + - Add back owners for rfc3161 package type by @haydentherapper in #833 + - all: remove dependency on deprecated github.com/pkg/errors by @zchee in #834 + - name stored attestations by 
digest instead of UUID by @bobcallaway in #769 + +------------------------------------------------------------------- +Tue Apr 26 09:41:49 UTC 2022 - Marcus Meissner + +- Updated to rekor 0.6.0 + + - attempting to fix codeowners file by @bobcallaway in #653 + - Update the warning text for the GA release. by @dlorenc in #654 + - Add docs about API stability and deprecation policy by @priyawadhwa in #661 + - update cross-build and dockerfile to use go 1.17.7 by @cpanato in #666 + - Move k8s objects out of the default namespace by @k4leung4 in #674 + - add securityContext to deployment. by @k4leung4 in #678 + - Add intoto type documentation by @jspeed-meyers in #679 + - create namespace for rekor config in yaml. by @k4leung4 in #680 + - Set rekor-cli User-Agent header on requests by @bobcallaway in #684 + - update security process link by @bobcallaway in #685 + - explicitly set permissions for github actions by @k4leung4 in #687 + - Add documentation about Alpine type by @jspeed-meyers in #697 + - Add code coverage to pull requests. by @k4leung4 in #676 + - Consistent parenthesis use in Makefile by @k4leung4 in #700 + - Use logRangesFlag in API, route reads based on TreeID by @lkatalin in #671 + - Generate release yaml for non-CI builds. by @k4leung4 in #702 + - Mirror signed release images from GCR to GHCR as part of release by @k4leung4 in #701 + - build trillian container to existing release. by @k4leung4 in #715 + - Make the loginfo command a bit more future/backwards proof. by @dlorenc in #718 + - Switch to using the swag library for pointer manipulation. by @dlorenc in #719 + - Change TreeID to be of type string instead of int64 by @priyawadhwa in #712 + - Add sharding e2e test to Github Actions by @priyawadhwa in #714 + - fix merge conflict by @priyawadhwa in #720 + - Clearer logging for createAndInitTree by @priyawadhwa in #724 + - Return virtual index when creating and getting a log entry by @priyawadhwa in #725 + - Fix copy/paste mistake in repo name. 
by @k4leung4 in #730 + - Use reusuable release workflow in sigstore/sigstore by @k4leung4 in #729 + - Get log proofs by Tree ID by @priyawadhwa in #733 + - Refactor rekor-cli loginfo by @priyawadhwa in #734 + - Update loginfo API endpoint to return information about inactive shards by @priyawadhwa in #738 + - Replace trillian_log_server.log_id_ranges flag with a config file by @priyawadhwa in #742 + - fix build date format for version command by @cpanato in #745 + - Require tlog_id when log_id_ranges is passed in by @lkatalin in #739 + - Use active tree on server startup by @lkatalin in #727 + - Specify public key for inactive shards in shard config by @priyawadhwa in #746 + - Add support for providing certificate chain for X509 signature types by @haydentherapper in #747 + - fix typo in filename by @bobcallaway in #758 + - Update release jobs and trillian images by @cpanato in #756 + - Add the SHA256 digest of the intoto payload into the rekor entry by @bobcallaway in #764 + - Add index to hashed intoto envelope by @asraa in #761 + - Fix link in types README by @eddiezane in #765 + - set p.Block after parsing in helm provenance type by @bobcallaway in #759 + - Fix search without sha prefix by @eddiezane in #767 + - Add in configmap to release for sharding config by @priyawadhwa in #766 + - Search inactive trees for GET by UUID requests by @lkatalin in #750 + - Create EntryID for new artifacts and return EntryID to user by @lkatalin in #623 + - Update cloudbuild to not fail when copy the images by @cpanato in #773 + +------------------------------------------------------------------- +Fri Apr 1 15:13:27 UTC 2022 - Marcus Meissner + +- Updated to rekor 0.5.0 + * Highlights + - Add Rekor logo to README (#650) + - update API calls to v5 (#591) + - Refactor helm type to remove intermediate state. (#575) + - Refactor the shard map parsing so we can pass it down into the API object. (#564) + - Refactor the alpine type to reduce intermediate state. 
(#573) + * Enhancements + - Add logic to GET artifacts via old or new UUID (#587) + - helpful error message for hashedrekord types (#605) + - Set Accept header in dynamic counter requests (#594) + - Add sharding package and update validators (#583) + - rekor-cli: show the url in case of error (#581) + - Enable parsing of incomplete minisign keys, to enable re-indexing. (#567) + - Cleanups on the TUF pluggable type. (#563) + - Refactor the RPM type to remove more intermediate state. (#566) + - Do some cleanups of the jar type to remove intermediate state. (#561) + * Others + - update version comments since dependabot doesn't do it (#617) + - Use workload identity provider instead of GitHub Secret for GCR access (#600) + - add OSSF scorecard action (#599) + - enable the sbom for rekor releases (#586) + - Point to the official website (instead of a 404) (#580) + - Add a Makefile target for the "ko apply" step. (#572) + - types/README.md: Corrected documentation link (#568) + +------------------------------------------------------------------- +Thu Feb 3 09:46:25 UTC 2022 - Marcus Meissner + +- enable server build too, as people might want to deploy rekor chain + themselves. + +------------------------------------------------------------------- +Tue Jan 25 08:32:11 UTC 2022 - Bernhard Wiedemann + +- Fix BUILD_DATE for reproducible build results (boo#1047218) + +------------------------------------------------------------------- +Thu Jan 6 14:52:16 UTC 2022 - Marcus Meissner + +- updated to 0.4.0 + Highlights + + - Adds hashed rekord type that can be used to upload signatures along with the hashed content signed (#501) + +------------------------------------------------------------------- +Wed Dec 8 16:58:06 UTC 2021 - Marcus Rueckert + +- prepare building of the serve part + +------------------------------------------------------------------- +Fri Nov 26 16:01:30 UTC 2021 - Marcus Rueckert + +- initial package 
diff --git a/rekor.obsinfo b/rekor.obsinfo new file mode 100644 index 0000000..6235479 --- /dev/null +++ b/rekor.obsinfo @@ -0,0 +1,4 @@ +name: rekor +version: 1.3.6 +mtime: 1712031396 +commit: a6788566cd62facb0fb0450e9d2c2867f551e37c diff --git a/rekor.spec b/rekor.spec new file mode 100644 index 0000000..0556cf0 --- /dev/null +++ b/rekor.spec 
@@ -0,0 +1,79 @@
+#
+# spec file for package rekor
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define apps cli server
+
+Name: rekor
+Version: 1.3.6
+Release: 0
+Summary: Supply Chain Transparency Log
+License: Apache-2.0
+URL: https://github.com/sigstore/rekor
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.zst
+Source2: rekor-zypper-verify.sh
+BuildRequires: golang-packaging
+BuildRequires: zstd
+BuildRequires: golang(API)
+
+%description
+Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software projects supply chain. Rekor will enable software maintainers and build systems to record signed metadata to an immutable record. Other parties can then query said metadata to enable them to make informed decisions on trust and non-repudiation of an object's lifecycle. For more details visit the sigstore website
+
+The Rekor project provides a restful API based server for validation and a transparency log for storage. A CLI application is available to make and verify entries, query the transparency log for inclusion proof, integrity verification of the transparency log or retrieval of entries by either public key or artifact.
+
+Rekor fulfils the signature transparency role of sigstore's software signing infrastructure. However, Rekor can be run on its own and is designed to be extensible to working with different manifest schemas and PKI tooling.
+
+%prep
+%autosetup -p1 -a1
+
+%build
+COMMIT_HASH="$(sed -n 's/commit: \(.*\)/\1/p' %_sourcedir/%{name}.obsinfo)"
+
+DATE_FMT="+%%Y-%%m-%%dT%%H:%%M:%%SZ"
+BUILD_DATE=$(date -u -d "@${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || date -u -r "${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || date -u "${DATE_FMT}")
+
+for app in %{apps}
+do
+ CLI_PKG=sigs.k8s.io/release-utils/version
+ CLI_LDFLAGS="-X ${CLI_PKG}.gitVersion=%{version} -X ${CLI_PKG}.gitCommit=%{COMMIT_HASH} -X ${CLI_PKG}.gitTreeState=release -X ${CLI_PKG}.buildDate=${BUILD_DATE}"
+
+ go build \
+ -mod=vendor \
+ -trimpath \
+ -buildmode=pie \
+ -ldflags "${CLI_LDFLAGS}" ./cmd/rekor-${app}
+done
+
+%check
+for app in %{apps}
+do
+ ./rekor-${app} version | grep %{version}
+done
+
+%install
+for app in %{apps} ; do
+install -D -m 0755 rekor-${app} %{buildroot}%{_bindir}/rekor-${app}
+done
+install -m 0755 %SOURCE2 %{buildroot}%{_bindir}/rekor-zypp-verify
+
+%files
+%license LICENSE
+%doc *.md
+%{_bindir}/rekor-*
+
+%changelog
diff --git a/vendor.tar.zst b/vendor.tar.zst
new file mode 100644
index 0000000..1ba995b
--- /dev/null
+++ b/vendor.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c8f1ff950db90505d4d61e6b0a60be3beef1b517a7c156e694dba9f81d05cff6
+size 5958336
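Review bot: In `%build` the ldflags line references `%{COMMIT_HASH}`, but the value is assigned to the shell variable `COMMIT_HASH` two lines earlier; `%{COMMIT_HASH}` is an rpm macro reference, and unless a macro of that name is defined somewhere outside this spec, rpm leaves undefined `%{...}` references as literal text, so the binaries will report `gitCommit=%{COMMIT_HASH}` rather than the `a6788566…` commit read from `rekor.obsinfo`. That undoes the point of reading the commit from obsinfo, since the commit embedded in `rekor-cli version` output is what a user would compare against upstream. The fix is `-X ${CLI_PKG}.gitCommit=${COMMIT_HASH}`, and `%check` could pin it by grepping the `version` output for the commit from `%_sourcedir/%{name}.obsinfo` next to the existing `%{version}` grep. Also, the diffstat still carries `rekor-1.3.5.tar.gz` although no `Source` line references it; presumably a leftover of the old tarball-based setup that should be dropped from the package.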