search

nlamirault / dotfiles

My dotfiles
Other
0 stars 0 forks source link

Update dependency cosign to v1.13.6 #162

Closed renovate[bot] closed 1 month ago

renovate[bot] commented 4 months ago

Mend Renovate

This PR contains the following updates:

Package Update Change
cosign minor 1.3.0 -> 1.13.6

Release Notes

sigstore/cosign (cosign) ### [`v1.13.6`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v1136) [Compare Source](https://togithub.com/sigstore/cosign/compare/v1.13.2...v1.13.6) *Note: v1.13.3, .4, and .5 were skipped due to issues in the release pipeline* This release backports support for the latest TUF specification. We encourage users to upgrade to Cosign v2. #### Updates - V1 go tuf update ([#​3598](https://togithub.com/sigstore/cosign/issues/3598)) - Update cloud build script to latest for v1.13.x ([#​3615](https://togithub.com/sigstore/cosign/issues/3615)) ### [`v1.13.2`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v1132) [Compare Source](https://togithub.com/sigstore/cosign/compare/v1.13.1...v1.13.2) This release backports a security fix. We encourage users to upgrade to Cosign v2. #### Updates - \[release-1.13] update builder image that uses go 1.19.4 ([#​2521](https://togithub.com/sigstore/cosign/issues/2521)) - Backport GHSA-vfp6-jrw2-99g9 in ([#​3364](https://togithub.com/sigstore/cosign/issues/3364)) ### [`v1.13.1`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v1131) [Compare Source](https://togithub.com/sigstore/cosign/compare/v1.13.0...v1.13.1) #### Enhancements - verify-blob-attestation: allow multiple subjects in in_toto attestation ([#​2341](https://togithub.com/sigstore/cosign/issues/2341)) - Add verify-blob-attestation command and tests ([#​2337](https://togithub.com/sigstore/cosign/issues/2337)) - Add --output-attestation flag to attest-blob and remove experimental signing ([#​2332](https://togithub.com/sigstore/cosign/issues/2332)) - Add attest-blob command ([#​2286](https://togithub.com/sigstore/cosign/issues/2286)) - Add '--cert-identity' flag to support subject alternate names for ver… ([#​2278](https://togithub.com/sigstore/cosign/issues/2278)) - Update Dockerfile section of README ([#​2323](https://togithub.com/sigstore/cosign/issues/2323)) #### Bug Fixes - Update warning when users sign images by tag. ([#​2313](https://togithub.com/sigstore/cosign/issues/2313)) #### Others - Remove experimental flags from attest-blob and refactor ([#​2338](https://togithub.com/sigstore/cosign/issues/2338)) #### Contributors - Alex Cameron - Ville Aikas - Zack Newman - asraa - kpk47 - priyawadhwa ### [`v1.13.0`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v1130) [Compare Source](https://togithub.com/sigstore/cosign/compare/v1.12.1...v1.13.0) > # Highlights > > - For users who have deployed a private instance of Fulcio release v0.6.x and issue certificates with the Username identity, you will need to upgrade to use this version." #### Enhancements - Add support for Fulcio username identity in SAN ([https://github.com/sigstore/cosign/pull/2291](https://togithub.com/sigstore/cosign/pull/2291)) - Data race in FetchSignaturesForReference ([https://github.com/sigstore/cosign/pull/2283](https://togithub.com/sigstore/cosign/pull/2283)) - Check error on chain verification failure ([https://github.com/sigstore/cosign/pull/2284](https://togithub.com/sigstore/cosign/pull/2284)) - feat: improve the verification message ([https://github.com/sigstore/cosign/pull/2268](https://togithub.com/sigstore/cosign/pull/2268)) - feat: use stdin as an input for predicate ([https://github.com/sigstore/cosign/pull/2269](https://togithub.com/sigstore/cosign/pull/2269)) #### Bug Fixes - fix: make tlog entry lookups for online verification shard-aware ([https://github.com/sigstore/cosign/pull/2297](https://togithub.com/sigstore/cosign/pull/2297)) - Fix: Create a static copy of signatures as part of verification. ([https://github.com/sigstore/cosign/pull/2287](https://togithub.com/sigstore/cosign/pull/2287)) - Fix: Remove an extra registry request from verification path. ([https://github.com/sigstore/cosign/pull/2285](https://togithub.com/sigstore/cosign/pull/2285)) - fix pivtool generate key touch policy ([https://github.com/sigstore/cosign/pull/2282](https://togithub.com/sigstore/cosign/pull/2282)) #### Others - use scaffolding 0.4.8 for tests. ([https://github.com/sigstore/cosign/pull/2280](https://togithub.com/sigstore/cosign/pull/2280)) #### Contributors - Asra Ali ([@​asraa](https://togithub.com/asraa)) - Batuhan Apaydın ([@​developer-guy](https://togithub.com/developer-guy)) - Carlos Tadeu Panato Junior ([@​cpanato](https://togithub.com/cpanato)) - Hayden Blauzvern ([@​haydentherapper](https://togithub.com/haydentherapper)) - Matt Moore ([@​mattmoor](https://togithub.com/mattmoor)) - Ross Tannenbaum ([@​RTann](https://togithub.com/RTann)) - Ville Aikas ([@​vaikas](https://togithub.com/vaikas)) ### [`v1.12.1`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v1121) [Compare Source](https://togithub.com/sigstore/cosign/compare/v1.12.0...v1.12.1) > # Highlights > > - Pulls Fulcio root and intermediate when `--certificate-chain` is not passed into `verify-blob`. The v1.12.0 release introduced a regression: when `COSIGN_EXPERIMENTAL` was not set, cosign `verify-blob` would check a `--certificate` (without a `--certificate-chain` provided) against the operating system root CA bundle. In this release, Cosign checks the certificate against Fulcio's CA root instead (restoring the earlier behavior). #### Bug Fixes - fix: fixing breaking changes in rekor v1.12.0 upgrade ([https://github.com/sigstore/cosign/pull/2260](https://togithub.com/sigstore/cosign/pull/2260)) - Fixed bug where intermediate certificates were not automatically read from the OCI chain annotation ([https://github.com/sigstore/cosign/pull/2244](https://togithub.com/sigstore/cosign/pull/2244)) - fix: add COSIGN_EXPERIMENTAL=1 for verify-blob ([https://github.com/sigstore/cosign/pull/2254](https://togithub.com/sigstore/cosign/pull/2254)) - fix: fix cert chain validation for verify-blob in non-experimental mode ([https://github.com/sigstore/cosign/pull/2256](https://togithub.com/sigstore/cosign/pull/2256)) - fix: fix secret test, non-experimental bundle should pass ([https://github.com/sigstore/cosign/pull/2249](https://togithub.com/sigstore/cosign/pull/2249)) - Fix e2e test failure, add test for local bundle without rekor bundle ([https://github.com/sigstore/cosign/pull/2248](https://togithub.com/sigstore/cosign/pull/2248)) #### Contributors - Asra Ali ([@​asraa](https://togithub.com/asraa)) - Batuhan Apaydın ([@​developer-guy](https://togithub.com/developer-guy)) - Carlos Tadeu Panato Junior ([@​cpanato](https://togithub.com/cpanato)) - Hayden Blauzvern ([@​haydentherapper](https://togithub.com/haydentherapper)) - n3k0m4 ([@​n3k0m4](https://togithub.com/n3k0m4)) ### [`v1.12.0`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v1120) [Compare Source](https://togithub.com/sigstore/cosign/compare/v1.11.1...v1.12.0) **Note: This release comes with a fix for `CVE-2022-36056` described in this [Github Security Advisory](https://togithub.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388). Please upgrade to this release ASAP** > # Highlights > > **BREAKING:** The fix for [GHSA-GHSA-8gw7-4j42-w388](https://togithub.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388) (CVE-2022-36056) means that some `verify-blob` commands that used to work may not anymore. In particular: > > - When using `verify-blob` with signatures created with keyless mode, we require either `COSIGN_EXPERIMENTAL=1` or a valid Rekor bundle for offline verification passed with `--bundle`. > > If you upgrade and encounter other issues, please read the advisory in full; your prior checks may have been passing inappropriately. #### Enhancements - Add deprecation warning for sget CLI and packages ([https://github.com/sigstore/cosign/pull/2019](https://togithub.com/sigstore/cosign/pull/2019)) - feat: set annotations to generate additional bash completion information ([https://github.com/sigstore/cosign/pull/2221](https://togithub.com/sigstore/cosign/pull/2221)) - feat: integrate Alibaba Cloud Container Registry cred helper ([https://github.com/sigstore/cosign/pull/2008](https://togithub.com/sigstore/cosign/pull/2008)) - Support non-ECDSA key types for verify-blob ([https://github.com/sigstore/cosign/pull/2203](https://togithub.com/sigstore/cosign/pull/2203)) - Bump github.com/theupdateframework/go-tuf from 0.3.1 to 0.5.0 ([https://github.com/sigstore/cosign/pull/2232](https://togithub.com/sigstore/cosign/pull/2232)) - feat: Add support for verifying ECDSA PEM-encoded keys. Continues deprecated hex-encoded keys for backward compatibility #### Bug Fixes - fix: fix secret test, non-experimental bundle should pass ([https://github.com/sigstore/cosign/pull/2249](https://togithub.com/sigstore/cosign/pull/2249)) - Fix e2e test failure, add test for local bundle without rekor bundle ([https://github.com/sigstore/cosign/pull/2248](https://togithub.com/sigstore/cosign/pull/2248)) - Clarify error when KMS provider fails to load ([https://github.com/sigstore/cosign/pull/2220](https://togithub.com/sigstore/cosign/pull/2220)) #### Others - update kind to use release v0.15.0 and some version comments ([https://github.com/sigstore/cosign/pull/2246](https://togithub.com/sigstore/cosign/pull/2246)) - Bump github.com/theupdateframework/go-tuf from 0.3.1 to 0.5.0 ([https://github.com/sigstore/cosign/pull/2232](https://togithub.com/sigstore/cosign/pull/2232)) - update go builder to go1.19.1 ([https://github.com/sigstore/cosign/pull/2241](https://togithub.com/sigstore/cosign/pull/2241)) - Bump mikefarah/yq from 4.27.3 to 4.27.5 ([https://github.com/sigstore/cosign/pull/2239](https://togithub.com/sigstore/cosign/pull/2239)) - Bump github.com/open-policy-agent/opa from 0.43.0 to 0.44.0 ([https://github.com/sigstore/cosign/pull/2234](https://togithub.com/sigstore/cosign/pull/2234)) - Bump github.com/google/go-cmp from 0.5.8 to 0.5.9 ([https://github.com/sigstore/cosign/pull/2233](https://togithub.com/sigstore/cosign/pull/2233)) - Bump google.golang.org/api from 0.94.0 to 0.95.0 ([https://github.com/sigstore/cosign/pull/2229](https://togithub.com/sigstore/cosign/pull/2229)) - upgrade setup-ko to point to new repo ([https://github.com/sigstore/cosign/pull/2225](https://togithub.com/sigstore/cosign/pull/2225)) - Bump github.com/spf13/viper from 1.12.0 to 1.13.0 ([https://github.com/sigstore/cosign/pull/2224](https://togithub.com/sigstore/cosign/pull/2224)) - Upgrade to go1.19 ([https://github.com/sigstore/cosign/pull/2213](https://togithub.com/sigstore/cosign/pull/2213)) - remove doubl quotes, looks like it is passing as a single string to cosign and not as an array ([https://github.com/sigstore/cosign/pull/2205](https://togithub.com/sigstore/cosign/pull/2205)) - use scaffolding v0.4.6. ([https://github.com/sigstore/cosign/pull/2201](https://togithub.com/sigstore/cosign/pull/2201)) - Bump google.golang.org/api from 0.93.0 to 0.94.0 ([https://github.com/sigstore/cosign/pull/2200](https://togithub.com/sigstore/cosign/pull/2200)) #### Contributors - Asra Ali ([@​asraa](https://togithub.com/asraa)) - Carlos Tadeu Panato Junior ([@​cpanato](https://togithub.com/cpanato)) - Engin Diri ([@​dirien](https://togithub.com/dirien)) - Hayden Blauzvern ([@​haydentherapper](https://togithub.com/haydentherapper)) - Huang Huang ([@​mozillazg](https://togithub.com/mozillazg)) - Jason Hall ([@​imjasonh](https://togithub.com/imjasonh)) - Priya Wadhwa ([@​priyawadhwa](https://togithub.com/priyawadhwa)) - Ville Aikas ([@​vaikas](https://togithub.com/vaikas)) - Zack Newman ([@​znewman01](https://togithub.com/znewman01)) ### [`v1.11.1`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v1111) [Compare Source](https://togithub.com/sigstore/cosign/compare/v1.11.0...v1.11.1) #### Enhancements - feat: Rework fig autocomplete command ([https://github.com/sigstore/cosign/pull/2187](https://togithub.com/sigstore/cosign/pull/2187)) #### Bug Fixes - fix: fix typo that caused attestation verification failure ([https://github.com/sigstore/cosign/pull/2199](https://togithub.com/sigstore/cosign/pull/2199)) #### Documention - add release cadence section in the readme ([https://github.com/sigstore/cosign/pull/2179](https://togithub.com/sigstore/cosign/pull/2179)) #### Others - Bump actions/cache from 3.0.7 to 3.0.8 ([https://github.com/sigstore/cosign/pull/2192](https://togithub.com/sigstore/cosign/pull/2192)) - Bump actions/dependency-review-action from 2.0.4 to 2.1.0 ([https://github.com/sigstore/cosign/pull/2185](https://togithub.com/sigstore/cosign/pull/2185)) - Bump actions/setup-go from 3.2.1 to 3.3.0 ([https://github.com/sigstore/cosign/pull/2196](https://togithub.com/sigstore/cosign/pull/2196)) - Bump github.com/go-openapi/swag from 0.22.1 to 0.22.3 ([https://github.com/sigstore/cosign/pull/2182](https://togithub.com/sigstore/cosign/pull/2182)) - Bump github.com/sigstore/fulcio from 0.5.2 to 0.5.3 ([https://github.com/sigstore/cosign/pull/2190](https://togithub.com/sigstore/cosign/pull/2190)) - Bump github.com/sigstore/rekor from 0.10.0 to 0.11.0 ([https://github.com/sigstore/cosign/pull/2181](https://togithub.com/sigstore/cosign/pull/2181)) - Bump github.com/xanzy/go-gitlab from 0.72.0 to 0.73.0 ([https://github.com/sigstore/cosign/pull/2191](https://togithub.com/sigstore/cosign/pull/2191)) - Bump github.com/xanzy/go-gitlab from 0.73.0 to 0.73.1 ([https://github.com/sigstore/cosign/pull/2195](https://togithub.com/sigstore/cosign/pull/2195)) - Bump github/codeql-action from 2.1.18 to 2.1.19 ([https://github.com/sigstore/cosign/pull/2184](https://togithub.com/sigstore/cosign/pull/2184)) - Bump github/codeql-action from 2.1.19 to 2.1.20 ([https://github.com/sigstore/cosign/pull/2193](https://togithub.com/sigstore/cosign/pull/2193)) - Bump google.golang.org/api from 0.92.0 to 0.93.0 ([https://github.com/sigstore/cosign/pull/2183](https://togithub.com/sigstore/cosign/pull/2183)) - Update Scorecard action to v2:alpha ([https://github.com/sigstore/cosign/pull/2177](https://togithub.com/sigstore/cosign/pull/2177)) - add stale workflow using the workflow template ([https://github.com/sigstore/cosign/pull/2175](https://togithub.com/sigstore/cosign/pull/2175)) - bump fulcio dep to 0.5.2 ([https://github.com/sigstore/cosign/pull/2176](https://togithub.com/sigstore/cosign/pull/2176)) - bump scaffold in tests to use release v0.4.5 ([https://github.com/sigstore/cosign/pull/2180](https://togithub.com/sigstore/cosign/pull/2180)) #### Contributors - Asra Ali ([@​asraa](https://togithub.com/asraa)) - Azeem Shaikh ([@​azeemshaikh38](https://togithub.com/azeemshaikh38)) - Carlos Tadeu Panato Junior ([@​cpanato](https://togithub.com/cpanato)) - Engin Diri ([@​dirien](https://togithub.com/dirien)) - Kenny Leung ([@​k4leung4](https://togithub.com/k4leung4)) ### [`v1.11.0`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v1110) [Compare Source](https://togithub.com/sigstore/cosign/compare/v1.10.1...v1.11.0) #### Enhancements - use updated device flow logic with PKCE ([https://github.com/sigstore/cosign/pull/2163](https://togithub.com/sigstore/cosign/pull/2163)) #### Bug Fixes - fix panic when os.Stat returns an error besides ErrNotExists ([https://github.com/sigstore/cosign/pull/2162](https://togithub.com/sigstore/cosign/pull/2162)) - fix: add env cmd to root ([https://github.com/sigstore/cosign/pull/2171](https://togithub.com/sigstore/cosign/pull/2171)) - fix: rekor get tlog entry with uuid ([https://github.com/sigstore/cosign/pull/2058](https://togithub.com/sigstore/cosign/pull/2058)) - fix oidc post-merge job ([https://github.com/sigstore/cosign/pull/2164](https://togithub.com/sigstore/cosign/pull/2164)) - fix handling of verify-attestation types for URIs ([https://github.com/sigstore/cosign/pull/2159](https://togithub.com/sigstore/cosign/pull/2159)) - fix: adds envelope hash to in-toto entries in tlog entry creation ([https://github.com/sigstore/cosign/pull/2118](https://togithub.com/sigstore/cosign/pull/2118)) - fix: fix blob verification output ([https://github.com/sigstore/cosign/pull/2157](https://togithub.com/sigstore/cosign/pull/2157)) - Verify the certificate chain against the Fulcio root trust by default ([https://github.com/sigstore/cosign/pull/2139](https://togithub.com/sigstore/cosign/pull/2139)) #### Documention - docs: clarify wording in spec about usage of certificate chain ([https://github.com/sigstore/cosign/pull/2152](https://togithub.com/sigstore/cosign/pull/2152)) - Add notes to clarify registry use. ([https://github.com/sigstore/cosign/pull/2145](https://togithub.com/sigstore/cosign/pull/2145)) #### Others - Bump github.com/go-openapi/swag from 0.22.0 to 0.22.1 ([https://github.com/sigstore/cosign/pull/2167](https://togithub.com/sigstore/cosign/pull/2167)) - Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 ([https://github.com/sigstore/cosign/pull/2168](https://togithub.com/sigstore/cosign/pull/2168)) - update e2e job to run only when push to main ([https://github.com/sigstore/cosign/pull/2169](https://togithub.com/sigstore/cosign/pull/2169)) - Remove third_party ([https://github.com/sigstore/cosign/pull/2166](https://togithub.com/sigstore/cosign/pull/2166)) - bump to scaffolding v0.4.4 ([https://github.com/sigstore/cosign/pull/2165](https://togithub.com/sigstore/cosign/pull/2165)) - Bump sigs.k8s.io/release-utils from 0.6.0 to 0.7.3 ([https://github.com/sigstore/cosign/pull/2102](https://togithub.com/sigstore/cosign/pull/2102)) - Run tests using Go 1.18 ([https://github.com/sigstore/cosign/pull/2093](https://togithub.com/sigstore/cosign/pull/2093)) - Bump actions/github-script from 6.1.0 to 6.1.1 ([https://github.com/sigstore/cosign/pull/2156](https://togithub.com/sigstore/cosign/pull/2156)) - Bump go.uber.org/atomic from 1.9.0 to 1.10.0 ([https://github.com/sigstore/cosign/pull/2155](https://togithub.com/sigstore/cosign/pull/2155)) - Bump github.com/xanzy/go-gitlab from 0.71.0 to 0.72.0 ([https://github.com/sigstore/cosign/pull/2148](https://togithub.com/sigstore/cosign/pull/2148)) - Bump tests to use scaffolding-0.4.3. ([https://github.com/sigstore/cosign/pull/2153](https://togithub.com/sigstore/cosign/pull/2153)) - Bump google.golang.org/api from 0.91.0 to 0.92.0 ([https://github.com/sigstore/cosign/pull/2150](https://togithub.com/sigstore/cosign/pull/2150)) - Bump actions/cache from 3.0.6 to 3.0.7 ([https://github.com/sigstore/cosign/pull/2151](https://togithub.com/sigstore/cosign/pull/2151)) - Use TUF from scaffolding for validating cosign. ([https://github.com/sigstore/cosign/pull/2146](https://togithub.com/sigstore/cosign/pull/2146)) - Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.6 to 0.1.7 ([https://github.com/sigstore/cosign/pull/2141](https://togithub.com/sigstore/cosign/pull/2141)) - Bump github.com/go-openapi/swag from 0.21.1 to 0.22.0 ([https://github.com/sigstore/cosign/pull/2140](https://togithub.com/sigstore/cosign/pull/2140)) - Bump github.com/xanzy/go-gitlab from 0.70.0 to 0.71.0 ([https://github.com/sigstore/cosign/pull/2142](https://togithub.com/sigstore/cosign/pull/2142)) - Bump actions/cache from 3.0.5 to 3.0.6 ([https://github.com/sigstore/cosign/pull/2136](https://togithub.com/sigstore/cosign/pull/2136)) - Bump github.com/go-piv/piv-go from 1.9.0 to 1.10.0 ([https://github.com/sigstore/cosign/pull/2135](https://togithub.com/sigstore/cosign/pull/2135)) - Bump github/codeql-action from 2.1.17 to 2.1.18 ([https://github.com/sigstore/cosign/pull/2129](https://togithub.com/sigstore/cosign/pull/2129)) - Update CHANGELOG for 1.10.1 release ([https://github.com/sigstore/cosign/pull/2130](https://togithub.com/sigstore/cosign/pull/2130)) #### Contributors - Asra Ali ([@​asraa](https://togithub.com/asraa)) - Batuhan Apaydın ([@​developer-guy](https://togithub.com/developer-guy)) - Bob Callaway ([@​bobcallaway](https://togithub.com/bobcallaway)) - Carlos Tadeu Panato Junior ([@​cpanato](https://togithub.com/cpanato)) - David Bendory ([@​bendory](https://togithub.com/bendory)) - Jason Hall ([@​imjasonh](https://togithub.com/imjasonh)) - Kazuma Watanabe ([@​wata727](https://togithub.com/wata727)) - Matt Moore ([@​mattmoor](https://togithub.com/mattmoor)) - Noah Kreiger ([@​nkreiger](https://togithub.com/nkreiger)) - Priya Wadhwa ([@​priyawadhwa](https://togithub.com/priyawadhwa)) - Samsondeen ([@​dsa0x](https://togithub.com/dsa0x)) - Ville Aikas ([@​vaikas](https://togithub.com/vaikas)) - saso ([@​otms61](https://togithub.com/otms61)) ### [`v1.10.1`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v1101) [Compare Source](https://togithub.com/sigstore/cosign/compare/v1.10.0...v1.10.1) **Note: This release comes with a fix for CVE-2022-35929 described in this [Github Security Advisory](https://togithub.com/sigstore/cosign/security/advisories/GHSA-vjxv-45g9-9296). Please upgrade to this release ASAP** #### Enhancements - update cross-builder to go1.18.5 and cosign image to 1.10.0 ([https://github.com/sigstore/cosign/pull/2119](https://togithub.com/sigstore/cosign/pull/2119)) - feat: attach: attestation: allow passing multiple payloads ([https://github.com/sigstore/cosign/pull/2085](https://togithub.com/sigstore/cosign/pull/2085)) - Resolves [#​522](https://togithub.com/sigstore/cosign/issues/522) set Created date to time of execution ([https://github.com/sigstore/cosign/pull/2108](https://togithub.com/sigstore/cosign/pull/2108)) - Fix field names in the vulnerability attestation ([https://github.com/sigstore/cosign/pull/2099](https://togithub.com/sigstore/cosign/pull/2099)) - Change Result in Vulnerability Attestation to interface{} ([https://github.com/sigstore/cosign/pull/2096](https://togithub.com/sigstore/cosign/pull/2096)) - Improve error message when no sigs/atts are found for an image ([https://github.com/sigstore/cosign/pull/2101](https://togithub.com/sigstore/cosign/pull/2101)) - add flag to allow skipping upload to transparency log ([https://github.com/sigstore/cosign/pull/2089](https://togithub.com/sigstore/cosign/pull/2089)) #### Documention - chore: fix documentation and warning on using untrusted rekor key ([https://github.com/sigstore/cosign/pull/2124](https://togithub.com/sigstore/cosign/pull/2124)) - Enable Scorecard badge ([https://github.com/sigstore/cosign/pull/2109](https://togithub.com/sigstore/cosign/pull/2109)) #### Bug Fixes - Merge pull request from GHSA-vjxv-45g9-9296 - Correct the type used for attest ([https://github.com/sigstore/cosign/pull/2128](https://togithub.com/sigstore/cosign/pull/2128)) #### Others - Bump mikefarah/yq from 4.26.1 to 4.27.2 ([https://github.com/sigstore/cosign/pull/2116](https://togithub.com/sigstore/cosign/pull/2116)) - Bump github.com/open-policy-agent/opa from 0.42.2 to 0.43.0 ([https://github.com/sigstore/cosign/pull/2115](https://togithub.com/sigstore/cosign/pull/2115)) - Bump github.com/xanzy/go-gitlab from 0.69.0 to 0.70.0 ([https://github.com/sigstore/cosign/pull/2120](https://togithub.com/sigstore/cosign/pull/2120)) - Bump google.golang.org/api from 0.90.0 to 0.91.0 ([https://github.com/sigstore/cosign/pull/2125](https://togithub.com/sigstore/cosign/pull/2125)) - Bump google.golang.org/api from 0.89.0 to 0.90.0 ([https://github.com/sigstore/cosign/pull/2111](https://togithub.com/sigstore/cosign/pull/2111)) - Bump github/codeql-action from 2.1.16 to 2.1.17 ([https://github.com/sigstore/cosign/pull/2112](https://togithub.com/sigstore/cosign/pull/2112)) - Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 ([https://github.com/sigstore/cosign/pull/2110](https://togithub.com/sigstore/cosign/pull/2110)) - Bump google.golang.org/api from 0.88.0 to 0.89.0 ([https://github.com/sigstore/cosign/pull/2106](https://togithub.com/sigstore/cosign/pull/2106)) - Bump imjasonh/setup-ko from 0.4 to 0.5 ([https://github.com/sigstore/cosign/pull/2107](https://togithub.com/sigstore/cosign/pull/2107)) - Introduce a custom error type to classify errors. ([https://github.com/sigstore/cosign/pull/2114](https://togithub.com/sigstore/cosign/pull/2114)) - Bump github.com/hashicorp/go-hclog from 1.2.1 to 1.2.2 ([https://github.com/sigstore/cosign/pull/2103](https://togithub.com/sigstore/cosign/pull/2103)) - remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint ([https://github.com/sigstore/cosign/pull/2105](https://togithub.com/sigstore/cosign/pull/2105)) - Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 ([https://github.com/sigstore/cosign/pull/2100](https://togithub.com/sigstore/cosign/pull/2100)) - Remove knative/pkg deps ([https://github.com/sigstore/cosign/pull/2092](https://togithub.com/sigstore/cosign/pull/2092)) #### Contributors - Asra Ali ([@​asraa](https://togithub.com/asraa)) - Azeem Shaikh ([@​azeemshaikh38](https://togithub.com/azeemshaikh38)) - Carlos Tadeu Panato Junior ([@​cpanato](https://togithub.com/cpanato)) - Furkan Türkal ([@​Dentrax](https://togithub.com/Dentrax)) - Jason Hall ([@​imjasonh](https://togithub.com/imjasonh)) - Kenny Leung ([@​k4leung4](https://togithub.com/k4leung4)) - Matt Moore ([@​mattmoor](https://togithub.com/mattmoor)) - Teppei Fukuda ([@​knqyf263](https://togithub.com/knqyf263)) - Tobias Trabelsi ([@​Lerentis](https://togithub.com/Lerentis)) - saso ([@​otms61](https://togithub.com/otms61)) ### [`v1.10.0`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v1100) [Compare Source](https://togithub.com/sigstore/cosign/compare/v1.9.0...v1.10.0) #### Enhancements - Add env subcommand. ([https://github.com/sigstore/cosign/pull/2051](https://togithub.com/sigstore/cosign/pull/2051)) - feat: cert-extensions verify ([https://github.com/sigstore/cosign/pull/1626](https://togithub.com/sigstore/cosign/pull/1626)) - sign-blob: bundle should work independently ([https://github.com/sigstore/cosign/pull/2016](https://togithub.com/sigstore/cosign/pull/2016)) - Add --oidc-provider flag to specify which provider to use for ambient credentials ([https://github.com/sigstore/cosign/pull/1998](https://togithub.com/sigstore/cosign/pull/1998)) - Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore ([https://github.com/sigstore/cosign/pull/1866](https://togithub.com/sigstore/cosign/pull/1866)) - Add --platform flag to cosign sbom download ([https://github.com/sigstore/cosign/pull/1975](https://togithub.com/sigstore/cosign/pull/1975)) - Route deprectated -version to subcommand ([https://github.com/sigstore/cosign/pull/1854](https://togithub.com/sigstore/cosign/pull/1854)) - Add cyclonedx predicate type for attestations ([https://github.com/sigstore/cosign/pull/1977](https://togithub.com/sigstore/cosign/pull/1977)) - Updated Azure kms commands. ([https://github.com/sigstore/cosign/pull/1972](https://togithub.com/sigstore/cosign/pull/1972)) - Add spdxjson predicate type for attestations ([https://github.com/sigstore/cosign/pull/1974](https://togithub.com/sigstore/cosign/pull/1974)) - Drop tuf client dependency on GCS client library ([https://github.com/sigstore/cosign/pull/1967](https://togithub.com/sigstore/cosign/pull/1967)) - feat(fulcioroots): singleton error pattern ([https://github.com/sigstore/cosign/pull/1965](https://togithub.com/sigstore/cosign/pull/1965)) - tuf: improve TUF client concurrency and caching ([https://github.com/sigstore/cosign/pull/1953](https://togithub.com/sigstore/cosign/pull/1953)) - Separate RegExp matching of issuer/subject from strict ([https://github.com/sigstore/cosign/pull/1956](https://togithub.com/sigstore/cosign/pull/1956)) #### Documention - update design doc link ([https://github.com/sigstore/cosign/pull/2077](https://togithub.com/sigstore/cosign/pull/2077)) - specs: fix list formatting on SIGNATURE_SPEC ([https://github.com/sigstore/cosign/pull/2030](https://togithub.com/sigstore/cosign/pull/2030)) - public-key: fix command description ([https://github.com/sigstore/cosign/pull/2024](https://togithub.com/sigstore/cosign/pull/2024)) - docs(readme): add installation steps for container image for cosign binary ([https://github.com/sigstore/cosign/pull/1986](https://togithub.com/sigstore/cosign/pull/1986)) - Add Cloudsmith Container Registry to tested registry list ([https://github.com/sigstore/cosign/pull/1966](https://togithub.com/sigstore/cosign/pull/1966)) #### Bug Fixes - Fix OIDC test ([https://github.com/sigstore/cosign/pull/2050](https://togithub.com/sigstore/cosign/pull/2050)) - Use cosign.ConfirmPrompt more consistently ([https://github.com/sigstore/cosign/pull/2039](https://togithub.com/sigstore/cosign/pull/2039)) - chore: add note about SIGSTORE_REKOR_PUBLIC_KEY ([https://github.com/sigstore/cosign/pull/2040](https://togithub.com/sigstore/cosign/pull/2040)) - Fix [#​1378](https://togithub.com/sigstore/cosign/issues/1378) create new attestation signature in replace mode if not existent ([https://github.com/sigstore/cosign/pull/2014](https://togithub.com/sigstore/cosign/pull/2014)) - encrypt values to create the github action secret ([https://github.com/sigstore/cosign/pull/1990](https://togithub.com/sigstore/cosign/pull/1990)) - fix/update post build job ([https://github.com/sigstore/cosign/pull/1983](https://togithub.com/sigstore/cosign/pull/1983)) - fix typos ([https://github.com/sigstore/cosign/pull/1982](https://togithub.com/sigstore/cosign/pull/1982)) #### Others - Bump github.com/hashicorp/vault/sdk from 0.5.2 to 0.5.3 ([https://github.com/sigstore/cosign/pull/2079](https://togithub.com/sigstore/cosign/pull/2079)) - Bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 ([https://github.com/sigstore/cosign/pull/2078](https://togithub.com/sigstore/cosign/pull/2078)) - Bump google.golang.org/api from 0.87.0 to 0.88.0 ([https://github.com/sigstore/cosign/pull/2081](https://togithub.com/sigstore/cosign/pull/2081)) - Remove hack/tools.go ([https://github.com/sigstore/cosign/pull/2080](https://togithub.com/sigstore/cosign/pull/2080)) - Remove replace directives in go.mod. ([https://github.com/sigstore/cosign/pull/2070](https://togithub.com/sigstore/cosign/pull/2070)) - Bump mikefarah/yq from 4.25.3 to 4.26.1 ([https://github.com/sigstore/cosign/pull/2076](https://togithub.com/sigstore/cosign/pull/2076)) - Bump github.com/xanzy/go-gitlab from 0.68.2 to 0.69.0 ([https://github.com/sigstore/cosign/pull/2075](https://togithub.com/sigstore/cosign/pull/2075)) - Bump actions/dependency-review-action from 2.0.2 to 2.0.4 ([https://github.com/sigstore/cosign/pull/2073](https://togithub.com/sigstore/cosign/pull/2073)) - Bump google.golang.org/api from 0.86.0 to 0.87.0 ([https://github.com/sigstore/cosign/pull/2064](https://togithub.com/sigstore/cosign/pull/2064)) - chore(deps): CycloneDX PredicateType changed to use in-toto-golang ([https://github.com/sigstore/cosign/pull/2067](https://togithub.com/sigstore/cosign/pull/2067)) - Bump github.com/open-policy-agent/opa from 0.42.0 to 0.42.2 ([https://github.com/sigstore/cosign/pull/2063](https://togithub.com/sigstore/cosign/pull/2063)) - Bump google.golang.org/grpc from 1.47.0 to 1.48.0 ([https://github.com/sigstore/cosign/pull/2062](https://togithub.com/sigstore/cosign/pull/2062)) - Bump actions/setup-go from 3.2.0 to 3.2.1 ([https://github.com/sigstore/cosign/pull/2060](https://togithub.com/sigstore/cosign/pull/2060)) - Bump github/codeql-action from 2.1.15 to 2.1.16 ([https://github.com/sigstore/cosign/pull/2065](https://togithub.com/sigstore/cosign/pull/2065)) - Bump actions/cache from 3.0.4 to 3.0.5 ([https://github.com/sigstore/cosign/pull/2066](https://togithub.com/sigstore/cosign/pull/2066)) - update to go 1.18 ([https://github.com/sigstore/cosign/pull/2059](https://togithub.com/sigstore/cosign/pull/2059)) - Bump github.com/open-policy-agent/opa from 0.35.0 to 0.42.0 ([https://github.com/sigstore/cosign/pull/2046](https://togithub.com/sigstore/cosign/pull/2046)) - update ct/otel and etcd ([https://github.com/sigstore/cosign/pull/2054](https://togithub.com/sigstore/cosign/pull/2054)) - remove tests with 1.21 k8s cluster because it is deprecated and add v1.23/24 ([https://github.com/sigstore/cosign/pull/2055](https://togithub.com/sigstore/cosign/pull/2055)) - Bump sigstore/cosign-installer from 2.4.0 to 2.4.1 ([https://github.com/sigstore/cosign/pull/2042](https://togithub.com/sigstore/cosign/pull/2042)) - Bump github.com/hashicorp/go-version from 1.5.0 to 1.6.0 ([https://github.com/sigstore/cosign/pull/2032](https://togithub.com/sigstore/cosign/pull/2032)) - Bump github.com/spiffe/go-spiffe/v2 from 2.1.0 to 2.1.1 ([https://github.com/sigstore/cosign/pull/2037](https://togithub.com/sigstore/cosign/pull/2037)) - Bump github/codeql-action from 2.1.14 to 2.1.15 ([https://github.com/sigstore/cosign/pull/2038](https://togithub.com/sigstore/cosign/pull/2038)) - Bump google.golang.org/api from 0.85.0 to 0.86.0 ([https://github.com/sigstore/cosign/pull/2036](https://togithub.com/sigstore/cosign/pull/2036)) - Bump github.com/stretchr/testify from 1.7.5 to 1.8.0 ([https://github.com/sigstore/cosign/pull/2035](https://togithub.com/sigstore/cosign/pull/2035)) - Bump ossf/scorecard-action from 1.1.1 to 1.1.2 ([https://github.com/sigstore/cosign/pull/2033](https://togithub.com/sigstore/cosign/pull/2033)) - Bump github.com/xanzy/go-gitlab from 0.68.0 to 0.68.2 ([https://github.com/sigstore/cosign/pull/2029](https://togithub.com/sigstore/cosign/pull/2029)) - Bump github.com/stretchr/testify from 1.7.4 to 1.7.5 ([https://github.com/sigstore/cosign/pull/2026](https://togithub.com/sigstore/cosign/pull/2026)) - Attempt to clean up pkg/cosign ([https://github.com/sigstore/cosign/pull/2018](https://togithub.com/sigstore/cosign/pull/2018)) - Bump github/codeql-action from 2.1.13 to 2.1.14 ([https://github.com/sigstore/cosign/pull/2023](https://togithub.com/sigstore/cosign/pull/2023)) - Bump github.com/google/go-containerregistry from 0.9.0 to 0.10.0 ([https://github.com/sigstore/cosign/pull/2021](https://togithub.com/sigstore/cosign/pull/2021)) - Bump mikefarah/yq from 4.25.2 to 4.25.3 ([https://github.com/sigstore/cosign/pull/2022](https://togithub.com/sigstore/cosign/pull/2022)) - Bump google.golang.org/api from 0.84.0 to 0.85.0 ([https://github.com/sigstore/cosign/pull/2015](https://togithub.com/sigstore/cosign/pull/2015)) - Bump github.com/stretchr/testify from 1.7.3 to 1.7.4 ([https://github.com/sigstore/cosign/pull/2010](https://togithub.com/sigstore/cosign/pull/2010)) - Bump github.com/google/go-github/v45 from 45.1.0 to 45.2.0 ([https://github.com/sigstore/cosign/pull/2011](https://togithub.com/sigstore/cosign/pull/2011)) - Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 ([https://github.com/sigstore/cosign/pull/2012](https://togithub.com/sigstore/cosign/pull/2012)) - Bump github/codeql-action from 2.1.12 to 2.1.13 ([https://github.com/sigstore/cosign/pull/2013](https://togithub.com/sigstore/cosign/pull/2013)) - Bump github.com/stretchr/testify from 1.7.2 to 1.7.3 ([https://github.com/sigstore/cosign/pull/2009](https://togithub.com/sigstore/cosign/pull/2009)) - Bump actions/dependency-review-action from 2.0.1 to 2.0.2 ([https://github.com/sigstore/cosign/pull/2001](https://togithub.com/sigstore/cosign/pull/2001)) - Bump github.com/hashicorp/vault/sdk from 0.5.1 to 0.5.2 ([https://github.com/sigstore/cosign/pull/1996](https://togithub.com/sigstore/cosign/pull/1996)) - Bump actions/dependency-review-action from 1.0.2 to 2.0.1 ([https://github.com/sigstore/cosign/pull/2000](https://togithub.com/sigstore/cosign/pull/2000)) - Bump google.golang.org/api from 0.83.0 to 0.84.0 ([https://github.com/sigstore/cosign/pull/1999](https://togithub.com/sigstore/cosign/pull/1999)) - Bump sigstore/sigstore to HEAD ([https://github.com/sigstore/cosign/pull/1995](https://togithub.com/sigstore/cosign/pull/1995)) - Bump github.com/hashicorp/vault/sdk from 0.5.0 to 0.5.1 ([https://github.com/sigstore/cosign/pull/1988](https://togithub.com/sigstore/cosign/pull/1988)) - cleanup ci job and remove policy-controller references ([https://github.com/sigstore/cosign/pull/1981](https://togithub.com/sigstore/cosign/pull/1981)) - Bump google.golang.org/api from 0.82.0 to 0.83.0 ([https://github.com/sigstore/cosign/pull/1979](https://togithub.com/sigstore/cosign/pull/1979)) - cleanup: unexport kubernetes.Client method ([https://github.com/sigstore/cosign/pull/1973](https://togithub.com/sigstore/cosign/pull/1973)) - Remove policy-controller now that it lives in sigstore/policy-controller ([https://github.com/sigstore/cosign/pull/1976](https://togithub.com/sigstore/cosign/pull/1976)) - Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 ([https://github.com/sigstore/cosign/pull/1980](https://togithub.com/sigstore/cosign/pull/1980)) - Bump actions/cache from 3.0.3 to 3.0.4 ([https://github.com/sigstore/cosign/pull/1970](https://togithub.com/sigstore/cosign/pull/1970)) - Bump github.com/hashicorp/go-hclog from 1.2.0 to 1.2.1 ([https://github.com/sigstore/cosign/pull/1968](https://togithub.com/sigstore/cosign/pull/1968)) - Bump github.com/stretchr/testify from 1.7.1 to 1.7.2 ([https://github.com/sigstore/cosign/pull/1963](https://togithub.com/sigstore/cosign/pull/1963)) - Bump google.golang.org/grpc from 1.46.2 to 1.47.0 ([https://github.com/sigstore/cosign/pull/1943](https://togithub.com/sigstore/cosign/pull/1943)) - Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.5 to 0.1.6 ([https://github.com/sigstore/cosign/pull/1958](https://togithub.com/sigstore/cosign/pull/1958)) - replace gcr.io/distroless/ to use ghcr.io/distroless/ ([https://github.com/sigstore/cosign/pull/1961](https://togithub.com/sigstore/cosign/pull/1961)) - Bump github/codeql-action from 2.1.11 to 2.1.12 ([https://github.com/sigstore/cosign/pull/1951](https://togithub.com/sigstore/cosign/pull/1951)) - Bump google.golang.org/api from 0.81.0 to 0.82.0 ([https://github.com/sigstore/cosign/pull/1948](https://togithub.com/sigstore/cosign/pull/1948)) #### Contributors - Adolfo García Veytia ([@​puerco](https://togithub.com/puerco)) - Asra Ali ([@​asraa](https://togithub.com/asraa)) - Batuhan Apaydın ([@​developer-guy](https://togithub.com/developer-guy)) - Billy Lynch ([@​wlynch](https://togithub.com/wlynch)) - Bob Callaway ([@​bobcallaway](https://togithub.com/bobcallaway)) - Carlos Tadeu Panato Junior ([@​cpanato](https://togithub.com/cpanato)) - Ciara Carey ([@​ciaracarey](https://togithub.com/ciaracarey)) - Frederik Boster ([@​Syquel](https://togithub.com/Syquel)) - Furkan Türkal ([@​Dentrax](https://togithub.com/Dentrax)) - Hector Fernandez ([@​hectorj2f](https://togithub.com/hectorj2f)) - Jason Hall ([@​imjasonh](https://togithub.com/imjasonh)) - Jinhong Brejnholt ([@​JBrejnholt](https://togithub.com/JBrejnholt)) - Josh Dolitsky ([@​jdolitsky](https://togithub.com/jdolitsky)) - Masahiro331 ([@​masahiro331](https://togithub.com/masahiro331)) - Priya Wadhwa ([@​priyawadhwa](https://togithub.com/priyawadhwa)) - Ville Aikas ([@​vaikas](https://togithub.com/vaikas)) - William Woodruff ([@​woodruffw](https://togithub.com/woodruffw)) ### [`v1.9.0`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v190) [Compare Source](https://togithub.com/sigstore/cosign/compare/v1.8.0...v1.9.0) #### Enhancements - Do not push to public rekor. ([https://github.com/sigstore/cosign/pull/1931](https://togithub.com/sigstore/cosign/pull/1931)) - Add privacy statement for PII storage ([https://github.com/sigstore/cosign/pull/1909](https://togithub.com/sigstore/cosign/pull/1909)) - Add support for "\*\*" in image glob matching[https://github.com/sigstore/cosign/pull/1914](https://togithub.com/sigstore/cosign/pull/1914)14) - \[cosigned] Rename cosigned references to policy-controller [https://github.com/sigstore/cosign/pull/1893](https://togithub.com/sigstore/cosign/pull/1893)3) - \[cosigned] Remove undefined apiGroups from policy clusterrole [https://github.com/sigstore/cosign/pull/1896](https://togithub.com/sigstore/cosign/pull/1896)6) - tree: support --attachment-tag-prefix ([https://github.com/sigstore/cosign/pull/1900](https://togithub.com/sigstore/cosign/pull/1900)) - v1beta1 API for cosigned ([https://github.com/sigstore/cosign/pull/1890](https://togithub.com/sigstore/cosign/pull/1890)) - tree: only report artifacts that are present ([https://github.com/sigstore/cosign/pull/1872](https://togithub.com/sigstore/cosign/pull/1872)) - Check certificate policy flags with only a certificate ([https://github.com/sigstore/cosign/pull/1869](https://togithub.com/sigstore/cosign/pull/1869)) - Normalize certificate flag names ([https://github.com/sigstore/cosign/pull/1868](https://togithub.com/sigstore/cosign/pull/1868)) - Add rekor.0.pub TUF target to unit tests ([https://github.com/sigstore/cosign/pull/1860](https://togithub.com/sigstore/cosign/pull/1860)) - If SBOM ref has .json suffix, assume JSON mediatype ([https://github.com/sigstore/cosign/pull/1859](https://togithub.com/sigstore/cosign/pull/1859)) - sget: Enable KMS providers for sget ([https://github.com/sigstore/cosign/pull/1852](https://togithub.com/sigstore/cosign/pull/1852)) - Use filepath match instead of glob ([https://github.com/sigstore/cosign/pull/1842](https://togithub.com/sigstore/cosign/pull/1842)) - cosigned: Fix podAntiAffinity labels ([https://github.com/sigstore/cosign/pull/1841](https://togithub.com/sigstore/cosign/pull/1841)) - Add function to explictly request a certain provider ([https://github.com/sigstore/cosign/pull/1837](https://togithub.com/sigstore/cosign/pull/1837)) - Validate tlog entry when verifying signature via public key. ([https://github.com/sigstore/cosign/pull/1833](https://togithub.com/sigstore/cosign/pull/1833)) - New flag --oidc-providers-disable to disable OIDC providers ([https://github.com/sigstore/cosign/pull/1832](https://togithub.com/sigstore/cosign/pull/1832)) - Add auth flow option to KeyOpts. ([https://github.com/sigstore/cosign/pull/1827](https://togithub.com/sigstore/cosign/pull/1827)) - cosigned: Test unsupported KMS providers ([https://github.com/sigstore/cosign/pull/1820](https://togithub.com/sigstore/cosign/pull/1820)) - Refactor fulcio signer to take in KeyOpts (take 2) ([https://github.com/sigstore/cosign/pull/1818](https://togithub.com/sigstore/cosign/pull/1818)) - feat: add rego policy support ([https://github.com/sigstore/cosign/pull/1817](https://togithub.com/sigstore/cosign/pull/1817)) - \[Cosigned] Add signature pull secrets [https://github.com/sigstore/cosign/pull/1805](https://togithub.com/sigstore/cosign/pull/1805)5) - Check failure message of policy that fails with issuer mismatch ([https://github.com/sigstore/cosign/pull/1815](https://togithub.com/sigstore/cosign/pull/1815)) - Support PKCS1 encoded and non-ECDSA CT log public keys ([https://github.com/sigstore/cosign/pull/1806](https://togithub.com/sigstore/cosign/pull/1806)) #### Documention - update README with ebpf modules ([https://github.com/sigstore/cosign/pull/1888](https://togithub.com/sigstore/cosign/pull/1888)) - Point git commmit FUN.md to gitsign! ([https://github.com/sigstore/cosign/pull/1874](https://togithub.com/sigstore/cosign/pull/1874)) - Add IBM Cloud Container Registry to tested registry list ([https://github.com/sigstore/cosign/pull/1856](https://togithub.com/sigstore/cosign/pull/1856)) - Document Staging instance usage with Keyless ([https://github.com/sigstore/cosign/pull/1824](https://togithub.com/sigstore/cosign/pull/1824)) #### Bug Fixes - fix: fix [#​1930](https://togithub.com/sigstore/cosign/issues/1930) for AWS KMS formats ([https://github.com/sigstore/cosign/pull/1946](https://togithub.com/sigstore/cosign/pull/1946)) - fix: fix fetching updated targets from TUF root ([https://github.com/sigstore/cosign/pull/1921](https://togithub.com/sigstore/cosign/pull/1921)) - Fix piv-tool generate-key command in TOKENS doc ([https://github.com/sigstore/cosign/pull/1850](https://togithub.com/sigstore/cosign/pull/1850)) #### Others - remove deprecation ([https://github.com/sigstore/cosign/pull/1952](https://togithub.com/sigstore/cosign/pull/1952)) - Bump github.com/aws/aws-sdk-go-v2 from 1.14.0 to 1.16.4 ([https://github.com/sigstore/cosign/pull/1949](https://togithub.com/sigstore/cosign/pull/1949)) - update cross-builder image to use go1.17.11 ([https://github.com/sigstore/cosign/pull/1950](https://togithub.com/sigstore/cosign/pull/1950)) - Bump ossf/scorecard-action from 1.1.0 to 1.1.1 ([https://github.com/sigstore/cosign/pull/1945](https://togithub.com/sigstore/cosign/pull/1945)) - Bump github.com/secure-systems-lab/go-securesystemslib ([https://github.com/sigstore/cosign/pull/1944](https://togithub.com/sigstore/cosign/pull/1944)) - Bump actions/cache from 3.0.2 to 3.0.3 ([https://github.com/sigstore/cosign/pull/1937](https://togithub.com/sigstore/cosign/pull/1937)) - Bump mikefarah/yq from 4.25.1 to 4.25.2 ([https://github.com/sigstore/cosign/pull/1933](https://togithub.com/sigstore/cosign/pull/1933)) - Bump github.com/spf13/viper from 1.11.0 to 1.12.0 ([https://github.com/sigstore/cosign/pull/1924](https://togithub.com/sigstore/cosign/pull/1924)) - Bump github.com/hashicorp/vault/sdk from 0.4.1 to 0.5.0 ([https://github.com/sigstore/cosign/pull/1926](https://togithub.com/sigstore/cosign/pull/1926)) - Bump actions/setup-go from 3.1.0 to 3.2.0 ([https://github.com/sigstore/cosign/pull/1927](https://togithub.com/sigstore/cosign/pull/1927)) - Bump actions/dependency-review-action from 1.0.1 to 1.0.2 ([https://github.com/sigstore/cosign/pull/1915](https://togithub.com/sigstore/cosign/pull/1915)) - Bump google-github-actions/auth from 0.7.3 to 0.8.0 ([https://github.com/sigstore/cosign/pull/1916](https://togithub.com/sigstore/cosign/pull/1916)) - Bump ossf/scorecard-action from 1.0.4 to 1.1.0 ([https://github.com/sigstore/cosign/pull/1922](https://togithub.com/sigstore/cosign/pull/1922)) - Bump google.golang.org/api from 0.80.0 to 0.81.0 ([https://github.com/sigstore/cosign/pull/1918](https://togithub.com/sigstore/cosign/pull/1918)) - Bump github.com/armon/go-metrics from 0.3.11 to 0.4.0 ([https://github.com/sigstore/cosign/pull/1919](https://togithub.com/sigstore/cosign/pull/1919)) - Bump github.com/xanzy/go-gitlab from 0.66.0 to 0.68.0 ([https://github.com/sigstore/cosign/pull/1920](https://togithub.com/sigstore/cosign/pull/1920)) - Bump github.com/xanzy/go-gitlab from 0.65.0 to 0.66.0 ([https://github.com/sigstore/cosign/pull/1913](https://togithub.com/sigstore/cosign/pull/1913)) - Move deprecated dependency: google/trillian/merkle to transparency-dev ([https://github.com/sigstore/cosign/pull/1910](https://togithub.com/sigstore/cosign/pull/1910)) - Bump github.com/hashicorp/go-version from 1.4.0 to 1.5.0 ([https://github.com/sigstore/cosign/pull/1902](https://togithub.com/sigstore/cosign/pull/1902)) - Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.4 to 0.1.5 ([https://github.com/sigstore/cosign/pull/1883](https://togithub.com/sigstore/cosign/pull/1883)) - Bump cloud.google.com/go/storage from 1.22.0 to 1.22.1 ([https://github.com/sigstore/cosign/pull/1906](https://togithub.com/sigstore/cosign/pull/1906)) - Bump actions/upload-artifact from 3.0.0 to 3.1.0 ([https://github.com/sigstore/cosign/pull/1907](https://togithub.com/sigstore/cosign/pull/1907)) - The timeout arg in golangci-lint has been moved to the generic args param. ([https://github.com/sigstore/cosign/pull/1901](https://togithub.com/sigstore/cosign/pull/1901)) - Update go-tuf ([https://github.com/sigstore/cosign/pull/1894](https://togithub.com/sigstore/cosign/pull/1894)) - Bump google.golang.org/api from 0.79.0 to 0.80.0 ([https://github.com/sigstore/cosign/pull/1897](https://togithub.com/sigstore/cosign/pull/1897)) - Bump google-github-actions/auth from 0.7.2 to 0.7.3 ([https://github.com/sigstore/cosign/pull/1898](https://togithub.com/sigstore/cosign/pull/1898)) - Bump github/codeql-action from 2.1.10 to 2.1.11 ([https://github.com/sigstore/cosign/pull/1891](https://togithub.com/sigstore/cosign/pull/1891)) - Update github.com/google/go-containerregistry/pkg/authn/k8schain module to [`f1b065c`](https://togithub.com/sigstore/cosign/commit/f1b065c6cb3d) ([https://github.com/sigstore/cosign/pull/1889](https://togithub.com/sigstore/cosign/pull/1889)) - Remove dependency on deprecated github.com/pkg/errors ([https://github.com/sigstore/cosign/pull/1887](https://togithub.com/sigstore/cosign/pull/1887)) - Bump google.golang.org/grpc from 1.46.0 to 1.46.2 ([https://github.com/sigstore/cosign/pull/1884](https://togithub.com/sigstore/cosign/pull/1884)) - Bump google-github-actions/auth from 0.7.1 to 0.7.2 ([https://github.com/sigstore/cosign/pull/1886](https://togithub.com/sigstore/cosign/pull/1886)) - go.mod: format go.mod ([https://github.com/sigstore/cosign/pull/1879](https://togithub.com/sigstore/cosign/pull/1879)) - chore: remove regex from image pattern ([https://github.com/sigstore/cosign/pull/1873](https://togithub.com/sigstore/cosign/pull/1873)) - Bump actions/dependency-review-action ([https://github.com/sigstore/cosign/pull/1875](https://togithub.com/sigstore/cosign/pull/1875)) - Bump actions/github-script from 6.0.0 to 6.1.0 ([https://github.com/sigstore/cosign/pull/1876](https://togithub.com/sigstore/cosign/pull/1876)) - Bump actions/setup-go from 3.0.0 to 3.1.0 ([https://github.com/sigstore/cosign/pull/1870](https://togithub.com/sigstore/cosign/pull/1870)) - Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go ([https://github.com/sigstore/cosign/pull/1861](https://togithub.com/sigstore/cosign/pull/1861)) - Bump github/codeql-action from 2.1.9 to 2.1.10 ([https://github.com/sigstore/cosign/pull/1863](https://togithub.com/sigstore/cosign/pull/1863)) - Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 ([https://github.com/sigstore/cosign/pull/1864](https://togithub.com/sigstore/cosign/pull/1864)) - Bump google.golang.org/api from 0.78.0 to 0.79.0 ([https://github.com/sigstore/cosign/pull/1858](https://togithub.com/sigstore/cosign/pull/1858)) - Bump github.com/xanzy/go-gitlab from 0.64.0 to 0.65.0 ([https://github.com/sigstore/cosign/pull/1857](https://togithub.com/sigstore/cosign/pull/1857)) - Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 ([https://github.com/sigstore/cosign/pull/1851](https://togithub.com/sigstore/cosign/pull/1851)) - remove exclude from go.mod ([https://github.com/sigstore/cosign/pull/1846](https://togithub.com/sigstore/cosign/pull/1846)) - Bump github.com/hashicorp/go-plugin from 1.4.3 to 1.4.4 ([https://github.com/sigstore/cosign/pull/1843](https://togithub.com/sigstore/cosign/pull/1843)) - Bump google.golang.org/api from 0.77.0 to 0.78.0 ([https://github.com/sigstore/cosign/pull/1838](https://togithub.com/sigstore/cosign/pull/1838)) - Bump mikefarah/yq from 4.24.5 to 4.25.1 ([https://github.com/sigstore/cosign/pull/1831](https://togithub.com/sigstore/cosign/pull/1831)) - Bump google.golang.org/api from 0.76.0 to 0.77.0 ([https://github.com/sigstore/cosign/pull/1829](https://togithub.com/sigstore/cosign/pull/1829)) - Bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 ([https://github.com/sigstore/cosign/pull/1830](https://togithub.com/sigstore/cosign/pull/1830)) - Bump github.com/spiffe/go-spiffe/v2 from 2.0.0 to 2.1.0 ([https://github.com/sigstore/cosign/pull/1828](https://togithub.com/sigstore/cosign/pull/1828)) - chore(deps): Included dependency review ([https://github.com/sigstore/cosign/pull/1792](https://togithub.com/sigstore/cosign/pull/1792)) - Bump sigstore/cosign-installer from 2.2.1 to 2.3.0 ([https://github.com/sigstore/cosign/pull/1813](https://togithub.com/sigstore/cosign/pull/1813)) - Bump github/codeql-action from 2.1.8 to 2.1.9 ([https://github.com/sigstore/cosign/pull/1814](https://togithub.com/sigstore/cosign/pull/1814)) - Bump google.golang.org/api from 0.75.0 to 0.76.0 ([https://github.com/sigstore/cosign/pull/1810](https://togithub.com/sigstore/cosign/pull/1810)) - Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 ([https://github.com/sigstore/cosign/pull/1809](https://togithub.com/sigstore/cosign/pull/1809)) - Bump github.com/armon/go-metrics from 0.3.10 to 0.3.11 ([https://github.com/sigstore/cosign/pull/1808](https://togithub.com/sigstore/cosign/pull/1808)) #### Contributors - Asra Ali ([@​asraa](https://togithub.com/asraa)) - Adolfo García Veytia ([@​puerco](https://togithub.com/puerco)) - Andrés Torres ([@​elfotografo007](https://togithub.com/elfotografo007)) - Billy Lynch ([@​wlynch](https://togithub.com/wlynch)) - Carlos Tadeu Panato Junior ([@​cpanato](https://togithub.com/cpanato)) - Dan Lorenc ([@​dlorenc](https://togithub.com/dlorenc)) - Denny ([@​DennyHoang](https://togithub.com/DennyHoang)) - Eitan Yarmush ([@​EItanya](https://togithub.com/EItanya)) - Hayden Blauzvern ([@​haydentherapper](https://togithub.com/haydentherapper)) - Hector Fernandez ([@​hectorj2f](https://togithub.com/hectorj2f)) - Jack Baines ([@​bainsy88](https://togithub.com/bainsy88)) - Jason Hall ([@​imjasonh](https://togithub.com/imjasonh)) - Josh Dolitsky ([@​jdolitsky](https://togithub.com/jdolitsky)) - Kenny Leung ([@​k4leung4](https://togithub.com/k4leung4)) - Koichi Shiraishi ([@​zchee](https://togithub.com/zchee)) - Naveen Srinivasan ([@​naveensrinivasan](https://togithub.com/naveensrinivasan)) - Neal McBurnett ([@​nealmcb](https://togithub.com/nealmcb)) - Priya Wadhwa ([@​priyawadhwa](https://togithub.com/priyawadhwa)) - Rob Best ([@​ribbybibby](https://togithub.com/ribbybibby)) - Tomasz Janiszewski ([@​janisz](https://togithub.com/janisz)) - Ville Aikas ([@​vaikas](https://togithub.com/vaikas)) - Vladimir Nachev ([@​vpnachev](https://togithub.com/vpnachev)) ### [`v1.8.0`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v180) [Compare Source](https://togithub.com/sigstore/cosign/compare/v1.7.2...v1.8.0) *NOTE*: If you use Fulcio to issue certificates you will need to use this release. #### Enhancements - Support PKCS1 encoded and non-ECDSA CT log public keys ([https://github.com/sigstore/cosign/pull/1806](https://togithub.com/sigstore/cosign/pull/1806)) - Load in intermediate cert pool from TUF ([https://github.com/sigstore/cosign/pull/1804](https://togithub.com/sigstore/cosign/pull/1804)) - Don't fail open in VerifyBundle ([https://github.com/sigstore/cosign/pull/1648](https://togithub.com/sigstore/cosign/pull/1648)) - Handle context cancelled properly + tests. ([https://github.com/sigstore/cosign/pull/1796](https://togithub.com/sigstore/cosign/pull/1796)) - Allow passing keys via environment variables (`env://` refs) ([https://github.com/sigstore/cosign/pull/1794](https://togithub.com/sigstore/cosign/pull/1794)) - Add parallelization for processing policies / authorities. ([https://github.com/sigstore/cosign/pull/1795](https://togithub.com/sigstore/cosign/pull/1795)) - Attestations + policy in cip. ([https://github.com/sigstore/cosign/pull/1772](https://togithub.com/sigstore/cosign/pull/1772)) - Refactor fulcio signer to take in KeyOpts. ([https://github.com/sigstore/cosign/pull/1788](https://togithub.com/sigstore/cosign/pull/1788)) - Remove the dependency on v1alpha1.Identity which brings in ([https://github.com/sigstore/cosign/pull/1790](https://togithub.com/sigstore/cosign/pull/1790)) - Add Fulcio intermediate CA certificate to intermediate pool ([https://github.com/sigstore/cosign/pull/1774](https://togithub.com/sigstore/cosign/pull/1774)) - Cosigned validate against remote sig src ([https://github.com/sigstore/cosign/pull/1754](https://togithub.com/sigstore/cosign/pull/1754)) - tuf: add debug info if tuf update fails ([https://github.com/sigstore/cosign/pull/1766](https://togithub.com/sigstore/cosign/pull/1766)) - Break the CIP action tests into a sh script. ([https://github.com/sigstore/cosign/pull/1767](https://togithub.com/sigstore/cosign/pull/1767)) - \[policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags [https://github.com/sigstore/cosign/pull/1757](https://togithub.com/sigstore/cosign/pull/1757)7) - Verify embedded SCTs ([https://github.com/sigstore/cosign/pull/1731](https://togithub.com/sigstore/cosign/pull/1731)) - Validate issuer/subject regexp in validate webhook. ([https://github.com/sigstore/cosign/pull/1761](https://togithub.com/sigstore/cosign/pull/1761)) - Add intermediate CA certificate pool for Fulcio ([https://github.com/sigstore/cosign/pull/1749](https://togithub.com/sigstore/cosign/pull/1749)) - \[cosigned] The webhook name is now configurable via --webhook-name flag [https://github.com/sigstore/cosign/pull/1726](https://togithub.com/sigstore/cosign/pull/1726)6) - Use bundle log ID to find verification key ([https://github.com/sigstore/cosign/pull/1748](https://togithub.com/sigstore/cosign/pull/1748)) - Refactor policy related code, add support for vuln verify ([https://github.com/sigstore/cosign/pull/1747](https://togithub.com/sigstore/cosign/pull/1747)) - Create convert functions for internal CIP ([https://github.com/sigstore/cosign/pull/1736](https://togithub.com/sigstore/cosign/pull/1736)) - Move the KMS integration imports into the binary entrypoints ([https://github.com/sigstore/cosign/pull/1744](https://togithub.com/sigstore/cosign/pull/1744)) #### Bug Fixes - Fix a bug where an error would send duplicate results. ([https://github.com/sigstore/cosign/pull/1797](https://togithub.com/sigstore/cosign/pull/1797)) - fix: more informative error ([https://github.com/sigstore/cosign/pull/1778](https://togithub.com/sigstore/cosign/pull/1778)) - fix: add support for rsa keys ([https://github.com/sigstore/cosign/pull/1768](https://togithub.com/sigstore/cosign/pull/1768)) - Implement identities, fix bug in webhook validation. ([http

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

stale[bot] commented 2 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.