SHA256
1
0
forked from pool/rekor
rekor/rekor.changes
Wolfgang Frisch 3dc243eed6 Accepting request 1142127 from home:dirkmueller:Factory
- update to 1.3.4:
  * add mysql indexstorage backend
  * add s3 storage for attestations
  * fix: Do not check for pubsub.topics.get on initialization
  * fix optional field in cose schema
  * Update ranges.go
  * update indexstorage interface to reduce roundtrips
  * use a single validator library in rekor-cli
  * Remove go-playground/validator dependency from pkg/pki

OBS-URL: https://build.opensuse.org/request/show/1142127
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=39
2024-01-29 11:09:57 +00:00

418 lines
22 KiB
Plaintext

-------------------------------------------------------------------
Sun Jan 28 18:45:08 UTC 2024 - Dirk Müller <dmueller@suse.com>
- update to 1.3.4:
* add mysql indexstorage backend
* add s3 storage for attestations
* fix: Do not check for pubsub.topics.get on initialization
* fix optional field in cose schema
* Update ranges.go
* update indexstorage interface to reduce roundtrips
* use a single validator library in rekor-cli
* Remove go-playground/validator dependency from pkg/pki
-------------------------------------------------------------------
Fri Nov 24 16:03:38 UTC 2023 - Marcus Meissner <meissner@suse.com>
- updated to rekor 1.3.3 (jsc#SLE-23476):
- Update signer flag description
- update trillian to 1.5.3
- adds redis_auth
- Add method to get artifact hash for an entry
- make e2e tests more usable with docker-compose
- install go at correct version for codeql
- updated to rekor 1.3.2 (jsc#SLE-23476):
- updated to rekor 1.3.1 (jsc#SLE-23476):
New Features:
- enable GCP cloud profiling on rekor-server (#1746)
- move index storage into interface (#1741)
- add info to readme to denote additional documentation sources (#1722)
- Add type of ed25519 key for TUF (#1677)
- Allow parsing base64-encoded TUF metadata and root content (#1671)
Quality Enhancements:
- disable quota in trillian in test harness (#1680)
Bug Fixes:
- Update contact for code of conduct (#1720)
- Fix panic when parsing SSH SK pubkeys (#1712)
- Correct index creation (#1708)
- docs: fixzes a small typo on the readme (#1686)
- chore: fix backfill-redis Makefile target (#1685)
-------------------------------------------------------------------
Fri Sep 1 08:54:06 UTC 2023 - Marcus Meissner <meissner@suse.com>
- updated to rekor 1.3.0 (jsc#SLE-23476):
- Update openapi.yaml (#1655)
- pass transient errors through retrieveLogEntry (#1653)
- return full entryID on HTTP 409 responses (#1650)
- feat: Support publishing new log entries to Pub/Sub topics (#1580)
- Change values of Identity.Raw, add fingerprints (#1628)
- Extract all subjects from SANs for x509 verifier (#1632)
- Fix type comment for Identity struct (#1619)
- Refactor Identities API (#1611)
- Refactor Verifiers to return multiple keys (#1601)
- Update checkpoint link (#1597)
- Use correct log index in inclusion proof (#1599)
- remove instrumentation library (#1595)
- updated to rekor 1.2.2 (jsc#SLE-23476):
- pass down error with message instead of nil
- swap killswitch for 'docker-compose restart'
-------------------------------------------------------------------
Tue May 30 07:52:52 UTC 2023 - Marcus Meissner <meissner@suse.com>
- updated to rekor 1.2.1 (jsc#SLE-23476):
Security fix:
- CVE-2023-33199: Fixed that malformed proposed intoto v0.0.2 entries can cause a panic (bsc#1211790)
Functional Enhancements
- add client method to generate TLE struct (#1498)
- add dsse type (#1487)
- support other KMS providers (AWS, Azure, Hashicorp) in addition to GCP (#1488)
- Add concurrency to backfill-redis (#1504)
- omit informational message if machine-parseable output has been requested (#1486)
- Publish stable checkpoint periodically to Redis (#1461)
- Add intoto v0.0.2 to backfill script (#1500)
- add new method to test insertability of proposed entries into log (#1410)
Quality Enhancements
- use t.Skip() in fuzzers (#1506)
- improve fuzzing coverage (#1499)
- Remove watcher script (#1484)
Bug Fixes
- Merge pull request from GHSA-frqx-jfcm-6jjr (CVE-2023-33199)
- Remove requirement of PayloadHash for intoto 0.0.1 (#1490)
- fix lint errors, bump linter up to 1.52 (#1485)
- Remove dependencies from pkg/util (#1469)
-------------------------------------------------------------------
Wed May 3 12:23:27 UTC 2023 - Marcus Meissner <meissner@suse.com>
- updated to rekor 1.1.1 (jsc#SLE-23476):
Functional Enhancements
- Refactor Trillian client with exported methods (#1454)
- Switch to official redis-go client (#1459)
- Remove replace in go.mod (#1444)
- Add Rekor OID info. (#1390)
Quality Enhancements
- remove legacy encrypted cosign key (#1446)
- swap cjson dependency (#1441)
- Update release readme (#1456)
Security fixes:
- CVE-2023-30551: Fixed a potential denial of service (out of memory)
when processing JAR META-INF files or .SIGN/.PKINFO files in APK files.
(bsc#1211210 https://github.com/advisories/GHSA-2h5h-59f5-c5x9)
-------------------------------------------------------------------
Wed Apr 5 08:27:23 UTC 2023 - Marcus Meissner <meissner@suse.com>
- updated to rekor 1.1.0 (jsc#SLE-23476):
Functional Enhancements
- improve validation on intoto v0.0.2 type (#1351)
- add feature to limit HTTP request body length to process (#1334)
- add information about the file size limit (#1313)
- Add script to backfill Redis from Rekor (#1163)
- Feature: add search support for sha512 (#1142)
Quality Enhancements
- various fuzzing fixes
Bug Fixes
- remove goroutine usage from SearchLogQuery (#1407)
- drop log messages regarding attestation storage to debug (#1408)
- fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)
- fix: fix regex for multi-digit counts (#1321)
- return NotFound if treesize is 0 rather than calling trillian (#1311)
- enumerate slice to get sugared logs (#1312)
- put a reasonable size limit on ssh key reader (#1288)
- CLIENT: Fix Custom Host and Path Issue (#1306)
- do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)
- correctly handle invalid or missing pki format (#1281)
- Add Verifier to get public key/cert and identities for entry type (#1210)
- fix goroutine leak in client; add insecure TLS option (#1238)
- Fix - Remove the force-recreate flag (#1179)
- trim whitespace around public keys before parsing (#1175)
- stop inserting envelope hash for intoto:0.0.2 types into index (#1171)
- Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158)
- remove double encoding of payload and signature fields for intoto (#1150)
- fix SearchLogQuery behavior to conform to openapi spec (#1145)
- Remove pem-certificate-chain from client (#1138)
- fix flag type for operator in search (#1136)
- use sigstore/community dep review (#1132)
-------------------------------------------------------------------
Tue Nov 29 13:42:54 UTC 2022 - Marcus Meissner <meissner@suse.com>
- updated to rekor 1.0.1 (jsc#SLE-23476):
- stop inserting envelope hash for intoto:0.0.2 types into index
-------------------------------------------------------------------
Wed Oct 19 08:21:25 UTC 2022 - Marcus Meissner <meissner@suse.com>
- updated to rekor 1.0.0 (jsc#SLE-23476):
- add description on /api/v1/index/retrieve endpoint by @bobcallaway in https://github.com/sigstore/rekor/pull/1073
- Adding e2e test coverage by @cdris in https://github.com/sigstore/rekor/pull/1071
- export rekor build/version information by @cpanato in https://github.com/sigstore/rekor/pull/1074
- Use POST instead of GET for /api/log/entries/retrieve metrics. by @var-sdk in https://github.com/sigstore/rekor/pull/1083
- Search through all shards when searching by hash by @priyawadhwa in https://github.com/sigstore/rekor/pull/1082
- verify: verify checkpoint's STH against the inclusion proof root hash by @asraa in https://github.com/sigstore/rekor/pull/1092
- add ability to enable/disable specific rekor API endpoints by @bobcallaway in https://github.com/sigstore/rekor/pull/1080
- enable configurable client retries with backoff in RekorClient by @bobcallaway in https://github.com/sigstore/rekor/pull/1096
- remove dead code around api-key and timestamp references by @bobcallaway in https://github.com/sigstore/rekor/pull/1098
- update swagger API version to 1.0.0 by @bobcallaway in https://github.com/sigstore/rekor/pull/1102
- remove unused RekorVersion API definition by @bobcallaway in https://github.com/sigstore/rekor/pull/1101
- install gocovmerge in hack/tools by @bobcallaway in https://github.com/sigstore/rekor/pull/1103
- add retry command line flag on rekor-cli by @bobcallaway in https://github.com/sigstore/rekor/pull/1097
- Add some info and debug logging to commonly used funcs by @priyawadhwa in https://github.com/sigstore/rekor/pull/1106
-------------------------------------------------------------------
Fri Sep 30 13:59:10 UTC 2022 - Marcus Meissner <meissner@suse.com>
- updated to rekor 0.12.2 (jsc#SLE-23476):
- add description on /api/v1/index/retrieve endpoint
- Adding e2e test coverage
- export rekor build/version information
- Use POST instead of GET for /api/log/entries/retrieve metrics.
- Search through all shards when searching by hash
-------------------------------------------------------------------
Tue Sep 27 12:22:57 UTC 2022 - Marcus Meissner <meissner@suse.com>
- updated to rekor 0.12.1 (jsc#SLE-23476):
- ** Rekor ** v0.12.1 comes with a breaking change to rekor-cli v0.12.1. Users of rekor-cli MUST upgrade to the latest version
The addition of the intotov2 created a breaking change for the rekor-cli
- What's Changed
- fix: fix harness tests with intoto v0.0.2 by @asraa in #1052
- feat: add file based signer and password by @asraa in #1049
- Adds new rekor metrics for latency and QPS. by @var-sdk in #1059
-------------------------------------------------------------------
Thu Sep 15 12:33:21 UTC 2022 - Marcus Meissner <meissner@suse.com>
- updated to rekor 0.12.0 (jsc#SLE-23476):
- check supportedVersions list rather than directly reading from version map by @bobcallaway in #1003
- enable blocking specific pluggable type versions from being inserted into the log by @bobcallaway in #1004
- api.SearchLogQueryHandler thread safety by @cdris in #1006
- 'docker compose' to 'docker-compose' by @bobcallaway in #1009
- Intoto v0.0.2 by @pxp928 in #973
- Add bounds on number of elements in api/v1/log/entries/retrieve by @priyawadhwa in #1011
- Change Checkpoint origin to be "Hostname - Tree ID" by @haydentherapper in #1013
- feat: add verification functions by @asraa in #986
- Validate tree ID on calls to /api/v1/log/entries/retrieve by @priyawadhwa in #1017
- Include checkpoint (STH) in entry upload and retrieve responses by @haydentherapper in #1015
- fix: use entry uuid uniformly in return responses by @asraa in #1012
- remove /api/v1/version endpoint by @bobcallaway in #1022
- Fix rekor-cli backwards incompatibility & run harness tests against HEAD by @priyawadhwa in #1030
- Fix harness tests @ main by @priyawadhwa in #1038
- Fetch all tags in harness tests by @priyawadhwa in #1039
- fix retrieve endpoint response code and add testing by @asraa in #1043
- updated to rekor 0.11.0:
- Add rekor harness tests by @priyawadhwa in #945
- Persist and check attestations across harness tests by @priyawadhwa in #952
- Add harness test for getting all entries by UUID and EntryID by @priyawadhwa in #957
- api: fix inclusion proof verification flake by @asraa in #956
- change default value for rekor_server.hostname to server's hostname by @bobcallaway in #963
- fix nil-pointer error when artifact-hash is passed without artifact by @dsa0x in #965
- Add prometheus summary to track metric latency by @priyawadhwa in #966
- compute payload and envelope hashes upon validating intoto proposed entries by @bobcallaway in #967
- update field documentation on publicKey for hashedrekord by @bobcallaway in #969
- Allow sharding config to be written in yaml or json by @priyawadhwa in #974
- fix incorrect schema id for cose type by @bobcallaway in #979
- fix: make rekor verify work with sharded uuids by @asraa in #970
- update builder and cosign images by @cpanato in #981
- remove trailing slash on directories by @bobcallaway in #984
- add support for intersection & union in search operations by @dsa0x in #968
- Update scorecard-action to v2:alpha by @azeemshaikh38 in #987
- updated to rekor 0.10.0:
- reuse DSSE signature wrappers instead of a local copy by @bobcallaway in #912
- Updates on the release job/makefile cleanup by @cpanato in #914
- Return 404 if entry isn't found in log by @priyawadhwa in #915
- Update cosign image in validate-release job by @priyawadhwa in #931
- update go builder and cosign image by @cpanato in #934
- Drop application/yaml content type by @haydentherapper in #933
- Add rekor test harness to presubmit tests by @priyawadhwa in #921
- sparkles Enable Scorecard badge by @azeemshaikh38 in #941
- update go mod in hack/tools to go1.18 by @cpanato in #935
- add ldflags back by @cpanato in #944
-------------------------------------------------------------------
Wed Jul 27 13:26:17 UTC 2022 - Marcus Meissner <meissner@suse.com>
- updated to rekor 0.9.1
- feat: add subject URIs to index for x509 certificates by @asraa in #897
- fix: sql syntax in dbcreate script by @xens in #903
- Switch to go 1.18 and pin release-utils to v0.7.1 by @saschagrunert in #904
- Check inactive shards for UUID for /retrieve endpoint by @priyawadhwa in #905
- ensure log messages have requestID where possible by @bobcallaway in #907
- Remove unnecessary lookup of non-existent attestations from storage layer by @bobcallaway in #909
- Fix bug where /retrieve endpoint returns wrong logIndex across shards by @priyawadhwa in #908
- updated to rekor 0.9.0
- Add COSE support to Rekor by @kommendorkapten in #867
- Fix intoto index keys by @bobcallaway in #889
- Resolve virtual log index when calling /retrieve endpoint by @priyawadhwa in #894
- updated to rekor 0.8.2
- collect docker-compose logs if sharding tests fail, also trim IDs by @bobcallaway in #869
- ensure fallback logic executes if attestation key is empty when fetching attestation by @bobcallaway in #878
-------------------------------------------------------------------
Wed Jun 29 12:26:43 UTC 2022 - Marcus Meissner <meissner@suse.com>
- rekor-zypper-verify.sh: add a small script that verifies the on-system
zypper repo cache against rekor transparency log.
-------------------------------------------------------------------
Mon Jun 20 06:54:51 UTC 2022 - Marcus Meissner <meissner@suse.com>
- Updated to rekor 0.8.1
- Fix indexing bug for intoto attestations by @priyawadhwa in #870
- Allow an expired certificate chain to be uploaded and verified by @haydentherapper in #873
- Updated to rekor 0.8.0
- Update go-tuf and sigstore/sigstore to non-vulnerable go-tuf version. by @dhaus67 in #847
- Configure rekor server in e2e tests via env variable by @priyawadhwa in #850
- update cross-builder image to use go1.17.11 and dockerfile base image by @cpanato in #860
- update go.mod to go1.17 by @cpanato in #861
- Improve error message when using ED25519 with HashedRekord type by @haydentherapper in #862
- Allow retrieving entryIDs or UUIDs via /api/v1/log/entries/retrieve endpoint by @priyawadhwa in #859
- Print total tree size, including inactive shards in rekor-cli loginfo by @priyawadhwa in #864
- Updated to rekor 0.7.0
- remove URL fetch of keys/artifacts server-side by @bobcallaway in #735
- intoto: add index on materials digest of slsa provenance by @asraa in #793
- chore(deps): Included dependency review by @naveensrinivasan in #788
- Check if intoto hash is available before accessing it as an index key by @priyawadhwa in #800
- Move deprecated dependency: google/trillian/merkle to transparency-dev by @asraa in #807
- Retrieve shard tree length if it isn't provided in the config by @priyawadhwa in #810
- update release builder images to use go 1.17.10 and cosign image to 1.8.0 by @cpanato in #820
- update go to 1.17.10 in the dockerfile by @cpanato in #819
- Limit the number of certificates parsed in a chain by @haydentherapper in #823
- Breaking change: Remove timestamping authority by @haydentherapper in #813
- Add back owners for rfc3161 package type by @haydentherapper in #833
- all: remove dependency on deprecated github.com/pkg/errors by @zchee in #834
- name stored attestations by digest instead of UUID by @bobcallaway in #769
-------------------------------------------------------------------
Tue Apr 26 09:41:49 UTC 2022 - Marcus Meissner <meissner@suse.com>
- Updated to rekor 0.6.0
- attempting to fix codeowners file by @bobcallaway in #653
- Update the warning text for the GA release. by @dlorenc in #654
- Add docs about API stability and deprecation policy by @priyawadhwa in #661
- update cross-build and dockerfile to use go 1.17.7 by @cpanato in #666
- Move k8s objects out of the default namespace by @k4leung4 in #674
- add securityContext to deployment. by @k4leung4 in #678
- Add intoto type documentation by @jspeed-meyers in #679
- create namespace for rekor config in yaml. by @k4leung4 in #680
- Set rekor-cli User-Agent header on requests by @bobcallaway in #684
- update security process link by @bobcallaway in #685
- explicitly set permissions for github actions by @k4leung4 in #687
- Add documentation about Alpine type by @jspeed-meyers in #697
- Add code coverage to pull requests. by @k4leung4 in #676
- Consistent parenthesis use in Makefile by @k4leung4 in #700
- Use logRangesFlag in API, route reads based on TreeID by @lkatalin in #671
- Generate release yaml for non-CI builds. by @k4leung4 in #702
- Mirror signed release images from GCR to GHCR as part of release by @k4leung4 in #701
- build trillian container to existing release. by @k4leung4 in #715
- Make the loginfo command a bit more future/backwards proof. by @dlorenc in #718
- Switch to using the swag library for pointer manipulation. by @dlorenc in #719
- Change TreeID to be of type string instead of int64 by @priyawadhwa in #712
- Add sharding e2e test to Github Actions by @priyawadhwa in #714
- fix merge conflict by @priyawadhwa in #720
- Clearer logging for createAndInitTree by @priyawadhwa in #724
- Return virtual index when creating and getting a log entry by @priyawadhwa in #725
- Fix copy/paste mistake in repo name. by @k4leung4 in #730
- Use reusuable release workflow in sigstore/sigstore by @k4leung4 in #729
- Get log proofs by Tree ID by @priyawadhwa in #733
- Refactor rekor-cli loginfo by @priyawadhwa in #734
- Update loginfo API endpoint to return information about inactive shards by @priyawadhwa in #738
- Replace trillian_log_server.log_id_ranges flag with a config file by @priyawadhwa in #742
- fix build date format for version command by @cpanato in #745
- Require tlog_id when log_id_ranges is passed in by @lkatalin in #739
- Use active tree on server startup by @lkatalin in #727
- Specify public key for inactive shards in shard config by @priyawadhwa in #746
- Add support for providing certificate chain for X509 signature types by @haydentherapper in #747
- fix typo in filename by @bobcallaway in #758
- Update release jobs and trillian images by @cpanato in #756
- Add the SHA256 digest of the intoto payload into the rekor entry by @bobcallaway in #764
- Add index to hashed intoto envelope by @asraa in #761
- Fix link in types README by @eddiezane in #765
- set p.Block after parsing in helm provenance type by @bobcallaway in #759
- Fix search without sha prefix by @eddiezane in #767
- Add in configmap to release for sharding config by @priyawadhwa in #766
- Search inactive trees for GET by UUID requests by @lkatalin in #750
- Create EntryID for new artifacts and return EntryID to user by @lkatalin in #623
- Update cloudbuild to not fail when copy the images by @cpanato in #773
-------------------------------------------------------------------
Fri Apr 1 15:13:27 UTC 2022 - Marcus Meissner <meissner@suse.com>
- Updated to rekor 0.5.0
* Highlights
- Add Rekor logo to README (#650)
- update API calls to v5 (#591)
- Refactor helm type to remove intermediate state. (#575)
- Refactor the shard map parsing so we can pass it down into the API object. (#564)
- Refactor the alpine type to reduce intermediate state. (#573)
* Enhancements
- Add logic to GET artifacts via old or new UUID (#587)
- helpful error message for hashedrekord types (#605)
- Set Accept header in dynamic counter requests (#594)
- Add sharding package and update validators (#583)
- rekor-cli: show the url in case of error (#581)
- Enable parsing of incomplete minisign keys, to enable re-indexing. (#567)
- Cleanups on the TUF pluggable type. (#563)
- Refactor the RPM type to remove more intermediate state. (#566)
- Do some cleanups of the jar type to remove intermediate state. (#561)
* Others
- update version comments since dependabot doesn't do it (#617)
- Use workload identity provider instead of GitHub Secret for GCR access (#600)
- add OSSF scorecard action (#599)
- enable the sbom for rekor releases (#586)
- Point to the official website (instead of a 404) (#580)
- Add a Makefile target for the "ko apply" step. (#572)
- types/README.md: Corrected documentation link (#568)
-------------------------------------------------------------------
Thu Feb 3 09:46:25 UTC 2022 - Marcus Meissner <meissner@suse.com>
- enable server build too, as people might want to deploy rekor chain
themselves.
-------------------------------------------------------------------
Tue Jan 25 08:32:11 UTC 2022 - Bernhard Wiedemann <bwiedemann@suse.com>
- Fix BUILD_DATE for reproducible build results (boo#1047218)
-------------------------------------------------------------------
Thu Jan 6 14:52:16 UTC 2022 - Marcus Meissner <meissner@suse.com>
- updated to 0.4.0
Highlights
- Adds hashed rekord type that can be used to upload signatures along with the hashed content signed (#501)
-------------------------------------------------------------------
Wed Dec 8 16:58:06 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- prepare building of the serve part
-------------------------------------------------------------------
Fri Nov 26 16:01:30 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- initial package