1# v2.2.4
2
3## Bug Fixes
4
5* Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
6* ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
7* fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
8* Honor creation timestamp for signatures again (#3549)
9
10## Features
11
12* Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)
13
14## Documentation
15
16* add oci bundle spec (#3622)
17* Correct help text of triangulate cmd (#3551)
18* Correct help text of verify-attestation policy argument (#3527)
19* feat: add OVHcloud MPR registry tested with cosign (#3639)
20
21## Testing
22
23* Refactor e2e-tests.yml workflow (#3627)
24* Clean up and clarify e2e scripts (#3628)
25* Don't ignore transparency log in tests if possible (#3528)
26* Make E2E tests hermetic (#3499)
27* add e2e test for pkcs11 token signing (#3495)
28
29# v2.2.3
30
31## Bug Fixes
32
33* Fix race condition on verification with multiple signatures attached to image (#3486)
34* fix(clean): Fix clean cmd for private registries (#3446)
35* Fixed BYO PKI verification (#3427)
36
37## Features
38
39* Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
40* Add support for OpenVEX predicate type (#3405)
41
42## Documentation
43
44* Resolves #3088: `version` sub-command expected behaviour documentation and testing (#3447)
45* add examples for cosign attach signature cmd (#3468)
46
47## Misc
48
49* Remove CertSubject function (#3467)
50* Use local rekor and fulcio instances in e2e tests (#3478)
51
52## Contributors
53
54* aalsabag
55* Bob Callaway
56* Carlos Tadeu Panato Junior
57* Colleen Murphy
58* Hayden B
59* Mukuls77
60* Omri Bornstein
61* Puerco
62* vivek kumar sahu
63
64# v2.2.2
65
66v2.2.2 adds a new container with a shell, `gcr.io/projectsigstore/cosign:vx.y.z-dev`, in addition to the existing
67container `gcr.io/projectsigstore/cosign:vx.y.z` without a shell.
68
69For private deployments, we have also added an alias for `--insecure-skip-log`, `--private-infrastructure`.
70
71## Bug Fixes
72
73* chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411) which fixes a bug with using Azure KMS
74* Don't require CT log keys if using a key/sk (#3415)
75* Fix copy without any flag set (#3409)
76* Update cosign generate cmd to not include newline (#3393)
77* Fix idempotency error with signing (#3371)
78
79## Features
80
81* Add `--yes` flag `cosign import-key-pair` to skip the overwrite confirmation. (#3383)
82* Use the timeout flag value in verify* commands. (#3391)
83* add --private-infrastructure flag (#3369)
84
85## Container Updates
86
87* Bump builder image to use go1.21.4 and add new cosign image tags with shell (#3373)
88
89## Documentation
90
91* Update SBOM\_SPEC.md (#3358)
92
93## Contributors
94
95* Carlos Tadeu Panato Junior
96* Dylan Richardson
97* Hayden B
98* Lily Sturmann
99* Nikos Fotiou
100* Yonghe Zhao
101
102# v2.2.1
103**Note: This release comes with a fix for CVE-2023-46737 described in this [Github Security Advisory](https://github.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9). Please upgrade to this release ASAP**
104
105## Enhancements
106* feat: Support basic auth and bearer auth login to registry (#3310)
107* add support for ignoring certificates with pkcs11 (#3334)
108* Support ReplaceOp in Signatures (#3315)
109* feat: added ability to get image digest back via triangulate (#3255)
110* feat: add `--only` flag in `cosign copy` to copy sign, att & sbom (#3247)
111* feat: add support attaching a Rekor bundle to a container (#3246)
112* feat: add support outputting rekor response on signing (#3248)
113* feat: improve dockerfile verify subcommand (#3264)
114* Add guard flag for experimental OCI 1.1 verify. (#3272)
115* Deprecate SBOM attachments (#3256)
116* feat: dedent line in cosign copy doc (#3244)
117* feat: add platform flag to cosign copy command (#3234)
118* Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)
119* attest: pass OCI remote opts to att resolver. (#3225)
120
121## Bug Fixes
122* Merge pull request from GHSA-vfp6-jrw2-99g9
123* fix: allow cosign download sbom when image is absent (#3245)
124* ci: add a OCI registry test for referrers support (#3253)
125* Fix ReplaceSignatures (#3292)
126* Stop using deprecated in_toto.ProvenanceStatement (#3243)
127* Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237)
128* fix: update error in `SignedEntity` to be more descriptive (#3233)
129* Fail timestamp verification if no root is provided (#3224)
130
131
132## Documentation
133* Add some docs about verifying in an air-gapped environment (#3321)
134* Update CONTRIBUTING.md (#3268)
135* docs: improves the Contribution guidelines (#3257)
136* Remove security policy (#3230)
137
138
139## Others
140* Set go to min 1.21 and update dependencies (#3327)
141* Update contact for code of conduct (#3266)
142* Update .ko.yaml (#3240)
143
144
145## Contributors
146* AdamKorcz
147* Andres Galante
148* Appu
149* Billy Lynch
150* Bob Callaway
151* Caleb Woodbine
152* Carlos Tadeu Panato Junior
153* Dylan Richardson
154* Gareth Healy
155* Hayden B
156* John Kjell
157* Jon Johnson
158* jonvnadelberg
159* Luiz Carvalho
160* Priya Wadhwa
161* Ramkumar Chinchani
162* Tosone
163* Ville Aikas
164* Vishal Choudhary
165* ziel
166
167# v2.2.0
168
169## Enhancements
170
171* switch to uploading DSSE types to rekor instead of intoto (#3113)
172* add 'cosign sign' command-line parameters for mTLS (#3052)
173* improve error messages around bundle != payload hash (#3146)
174* make VerifyImageAttestation function public (#3156)
175* Switch to cryptoutils function for SANS (#3185)
176* Handle HTTP_1_1_REQUIRED errors in github provider (#3172)
177
178## Bug Fixes
179
180* Fix nondeterminsitic timestamps (#3121)
181
182## Documentation
183
184* doc: Add example of sign-blob with key in env var (#3152)
185* add deprecation notice for cosign-releases GCS bucket (#3148)
186* update doc links (#3186)
187
188## Others
189
190* Upgrade to go1.21 (#3188)
191* Updates ci tests (#3142)
192* test using latest release of scaffolding (#3187)
193* ci: free up disk space for the gh runner (#3169)
194* update go-github to v53 (#3116)
195* call e2e test for cosign attach (#3112)
196* bump build cross to use go1.20.6 and cosign image to 2.1.1 (#3108)
197
198## Contributors
199
200* Bob Callaway
201* Carlos Tadeu Panato Junior
202* Dmitry Savintsev
203* Hayden B
204* Hector Fernandez
205* Jason Hall
206* Jon Johnson
207* Jubril Oyetunji
208* Paulo Gomes
209* Priya Wadhwa
210* 张志强
211
212# v2.1.1
213
214## Bug Fixes
215* wait for the workers become available again to continue the execution (#3084)
216* fix help text when in a container (#3082)
217
218## Documentation
219* update changelog (#3080)
220* DNM: Add CHANGELOG for v2.1.0 (#3068)
221
222## Contributors
223
224* Carlos Tadeu Panato Junior
225* priyawadhwa
226
227# v2.1.0
228
229**Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag.**
230
231## Enhancements
232* Verify sigs and attestations in parallel (#3066)
233* Deep inspect attestations when filtering download (#3031)
234* refactor bundle validation code, add support for DSSE rekor type (#3016)
235* Allow overriding remote options (#3049)
236* feat: adds no cert found on sig exit code (#3038)
237* Make predicate a required flag in attest commands (#3033)
238* Added support for attaching Time stamp authority Response in attach command (#3001)
239* Add `sign --sign-container-identity` CLI (#2984)
240* Feature: Allow cosign to sign digests before they are uploaded. (#2959)
241* accepts `attachment-tag-prefix` for `cosign copy` (#3014)
242* Feature: adds '--allow-insecure-registry' for cosign load (#3000)
243* download attestation: support --platform flag (#2980)
244* Cleanup: Add `Digest` to the `SignedEntity` interface. (#2960)
245* verify command: support keyless verification using only a provided certificate chain with non-fulcio roots (#2845)
246* verify: use workers to limit the paralellism when verifying images with --max-workers flag (#3069)
247
248## Bug Fixes
249* Fix pkg/cosign/errors (#3050)
250* fix: update doc to refer to github-actions oidc provider (#3040)
251* fix: prefer GitHub OIDC provider if enabled (#3044)
252* Fix --sig-only in cosign copy (#3074)
253
254## Documentation
255* Fix links to sigstore/docs in markdown files (#3064)
256* Update release readme (#2942)
257
258## Contributors
259
260**Thank you to our contributors!**
261* Bob Callaway
262* Carlos Tadeu Panato Junior
263* Chok Yip Lau
264* Chris Burns
265* Dmitry Savintsev
266* Enyinna Ochulor
267* Hayden B
268* Hector Fernandez
269* Jakub Hrozek
270* Jason Hall
271* Jon Johnson
272* Luiz Carvalho
273* Matt Moore
274* Mritunjay Kumar Sharma
275* Mukuls77
276* Ramkumar Chinchani
277* Sascha Grunert
278* Yolanda Robla Mota
279* priyawadhwa
280
281# v2.0.2
282
283## Enhancements
284
285* Update sigstore/sigstore to v1.6.2 to pick up TUF CDN change (#2891)
286* feat: Make cosign copy faster (#2901)
287* remove sget (#2885)
288* Require a payload to be provided with a signature (#2785)
289
290## Bug Fixes
291
292* cmd: Change error message from KeyParseError to PubKeyParseError for verify-blob. (#2876)
293* Use `SOURCE_DATE_EPOCH` for OCI CreatedAt times (#2878)
294
295## Documentation
296
297* Remove experimental warning from Fulcio flags (#2923)
298* add missing oidc provider (#2922)
299* Add zot as a supported registry (#2920)
300* deprecates `kms_support` docs (#2900)
301* chore(docs) deprecate note for usage docs (#2906)
302* adds note of deprecation for examples.md docs (#2899)
303
304## Contributors
305
306* Carlos Tadeu Panato Junior
307* Chris Burns
308* Dmitry Savintsev
309* eiffel-fl
310* Hayden B
311* Hector Fernandez
312* Jon Johnson
313* Miloslav Trmač
314* priyawadhwa
315* Ramkumar Chinchani
316
317# v2.0.1
318
319## Enhancements
320
321* Add environment variable token provider (#2864)
322* Remove cosign policy command (#2846)
323* Allow customising 'go' executable with GOEXE var (#2841)
324* Consistent tlog warnings during verification (#2840)
325* Add riscv64 arch (#2821)
326* Default generated PEM labels to SIGSTORE (#2735)
327* Update privacy statement and confirmation (#2797)
328* Add exit codes for verify errors (#2766)
329* Add Buildkite provider (#2779)
330* verify-blob-attestation: Loosen arg requirements if --check-claims=false (#2746)
331
332## Bug Fixes
333
334* PKCS11 sessions are now opened read only (#2853)
335* Makefile: date format of log should not show signatures (#2835)
336* Add missing flags to cosign verify dockerfile/manifest (#2830)
337* Add a warning to remember how to configure a custom Gitlab host (#2816)
338* Remove tag warning message from save/copy commands (#2799)
339* Mark keyless pem files with b64 (#2671)
340
341## Contributors
342
343* Aleksandr Razumov
344* Batuhan Apaydın
345* Billy Lynch
346* Carlos Tadeu Panato Junior
347* Chris Burns
348* Derek Burdick
349* Dmitry Savintsev
350* favonia
351* Hayden B
352* Hector Fernandez
353* Ivana Atanasova
354* joe miller
355* Luiz Carvalho
356* Paolo Mainardi
357* priyawadhwa
358* Radoslav Dimitrov
359* Steve Winslow
360* Vincent Batts
361* Zack Newman
362
363# v2.0.0
364This is the official 2.0.0 release of cosign!
365There are many new features and breaking changes from version 1.x, for a full explanation please read the Cosign 2.0 [blog post](https://blog.sigstore.dev/).
366
367## Breaking Changes
368* `COSIGN_EXPERIMENTAL=1` is no longer required to have identity-based ("keyless") signing and transparency.
369* By default, artifact signatures will be uploaded to Rekor, for both key-based and identity-based signing. To not upload to Rekor, include `--tlog-upload=false`.
370 * You must also include `--insecure-ignore-tlog=true` when verifying an artifact that was not uploaded to Rekor.
371 * Examples of when you may want to skip uploading to the transparency log are if you have a private Sigstore deployment that does not use transparency or a private artifact.
372 * We strongly encourage all other use-cases to upload artifact signatures to Rekor. Transparency is a critical component of supply chain security, to allow artifact maintainers and consumers to monitor a public log for their artifacts and signing identities.
373* Verification now requires identity flags, `--certificate-identity` and `--certificate-oidc-issuer`. Like verifying a signature with a public key, it's critical to specify who you trust to generate a signature for identity-based signing. See sigstore/cosign#2056 for more discussion on this change.
374* --certificate-email has been removed. Use --certificate-identity, which supports not only email verification but also any identity specified in a certificate, including SPIFFE, GitHub Actions, or service account identities.
375* Cosign no longer supports providing a certificate that does not conform to the Fulcio certificate profile, which includes setting the SubjectAlternativeName and OIDC Issuer OID. To verify with a non-conformant certificate, extract the public key from the certificate and verify with `cosign verify --key <key.pem>`. We are actively working on more support for custom certificates for those who want to bring their existing PKI.
376* Signing OCI images by tag prints a warning and is strongly discouraged, e.g. `cosign sign container.registry.io/foo:tag`. This is considered insecure since tags are mutable. If you want to specify a particular image, you are recommended to do so by digest.
377* SCT verification, a proof of inclusion in a certificate transparency log, is now on by default for verifying Fulcio certificates. For private deployments without certificate transparency, use `--insecure-ignore-sct=true` to skip this check.
378* DSSE support in verify-blob has been removed. You can now verify attestations using verify-blob-attestation.
379* Environment variable `SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY` has been removed. For private deployments, if you would like to set the Rekor public key to verify transparency log entries, use either a TUF setup or set `SIGSTORE_REKOR_PUBLIC_KEY` with the PEM of the custom Rekor public key..
380* verify-blob no longer searches for a certificate. You must provide one with either `--certificate` or `--bundle`.
381* `cosign attest --type {custom|vuln}` (and `cosign verify-attestation`) will now use the RFC 3986 compliant URIs, adding https://, so that these predicate types are compliant with the in-toto specification.
382* The CosignPredicate envelope that wraps the predicates of SPDX and CycloneDX attestations has been removed, which was a violation of the schema specified via the predicateType field (more information).
383* `--force` has been removed. To skip any prompts, use `--yes`.
384
385## Improvements
386* Blob attestation and verification is now supported with cosign attest-blob and cosign verify-blob-attestation.
387* You can now set flags via environment variables, for example instead of `--certificate-identity=email`, you can set an environment variable for `COSIGN_CERTIFICATE_IDENTITY=email`.
388* `--offline=true` removes the fallback to the Rekor log when verifying an artifact. Previously, if you did not provide a bundle (a persisted response from Rekor), Cosign would fallback to querying Rekor. You can now skip this fallback for offline environments. Note that if the bundle fails to verify, Cosign will not fallback and will fail early.
389* A Fulcio certificate can now be issued for self-managed keys by providing `--issue-certificate=true` with a key, `--key`, or security key, `--sk`. This is useful when adopting Sigstore incrementally.
390* Experimental support for trusted timestamping has been added. Timestamping leverages a third party to provide the timestamp that will be used to verify short-lived Fulcio certificates, which distributes trust. We will be writing more about this in an upcoming blog post!
391 * To use a timestamp when signing a container, use` cosign sign --timestamp-server-url=<url> <container>`, such as https://freetsa.org/tsr, and to verify, `cosign verify --timestamp-certificate-chain=<path-to-PEM-encodeded-chain> <other flags> <artifact>`.
392 * To use a timestamp when signing a blob, use `cosign sign-blob --timestamp-server-url=<url> --rfc3161-timestamp=<output-path> --bundle=<output-path> <blob>`, and to verify, `cosign verify-blob --rfc3161-timestamp=<output-path> --timestamp-certificate-chain=<path-to-PEM-encoded-chain> --bundle=<output-path> <other flags> <blob>`.
393
394For specific PRs representing enhancements, bug fixes, documentation, and breaking changes, please see the sections below for prereleases v2.0.0-rc.0, v2.0.0-rc.1, v2.0.0-rc.2, and v2.0.0-rc.3.
395
396### Thanks to all contributors!
397
398* Anish Shah
399* Arnaud J Le Hors
400* Arthur Lutz
401* Batuhan Apaydın
402* Bob Callaway
403* Carlos Tadeu Panato Junior
404* Chris Burns
405* Christian Loos
406* Emmanuel T Odeke
407* Hayden B
408* Hector Fernandez
409* Huang Huang
410* Jan Wozniak
411* Josh Dolitsky
412* Josh Wolf
413* Kenny Leung
414* Marko Mudrinić
415* Matt Moore
416* Matthias Glastra
417* Miloslav Trmač
418* Mukuls77
419* Priya Wadhwa
420* Puerco
421* Stefan Zhelyazkov
422* Tim Seagren
423* Tom Meadows
424* Ville Aikas
425* Zack Newman
426* asraa
427* kpk47
428* priyawadhwa
429
430
431# v2.0.0-rc.3
432_Note: this is a prerelease for Cosign 2.0! Feel free to try it out, but know there are many breaking changes from 1.0 and the prereleases may continue to change._
433
434## Enhancements
435* Support non-Sigstore TSA requests (#2708)
436* Add COSIGN_OCI_EXPERIMENTAL, push .sig/.sbom using OCI 1.1+ digest tag (#2684)
437* Output certificate in bundle when entry is not uploaded to Rekor (#2715)
438* attach signature and attach sbom must use STDIN to upload raw string (#2637)
439
440## Bug Fixes
441* Fix: Add missing schemes to cosign predicate types. (#2717)
442* Fix: Drop the `CosignPredicate` wrapper around SBOM attestations. (#2718)
443
444## Documentation
445* Adds deprecation note for keyless docs (#2716)
446
447
448# v2.0.0-rc.2
449_Note: this is a prerelease for Cosign 2.0! Feel free to try it out, but know there are many breaking changes from 1.0 and the prereleases may continue to change._
450
451## Enhancements
452* add generate-key-pair GitHub Enterprise server support (#2676)
453* add in format string for warning (#2699)
454* Support for fetching Fulcio certs with self-managed key (#2532)
455* 2476 predicate type download (#2484)
456* Upgrade to go1.20 (#2689)
457
458## Bug Fixes
459* Fix prompts with Windows line endings (#2674)
460
461## Documentation
462
463* docs(README): verify example failing on latest (#2694)
464
465## Contributors
466* Anish Shah
467* Arthur Lutz
468* Carlos Tadeu Panato Junior
469* Christian Loos
470* Tim Seagren
471* Zack Newman
472* priyawadhwa
473
474# v2.0.0-rc.1
475_Note: this is a prerelease for Cosign 2.0! Feel free to try it out, but know there are many breaking changes from 1.0 and the prereleases may continue to change._
476
477Critical breaking changes include:
478* Certificate issuer and subject are now required on `cosign verify`
479
480## Breaking Changes
481* insecure-skip-tlog-verify: rename and adapt the cert expiration check (#2620)
482* Deprecate --certificate-email flag. Make --certificate-identity and -… (#2411)
483
484## Enhancements
485* Add warning to use digest instead of tags to other cosign commands (#2650)
486* Fix up UI messages (#2629)
487* Remove hardcoded Fulcio from output (#2621)
488* Fix missing privacy statement, print in multiple locations (#2622)
489* feat: allows custom key names for import-key-pair (#2587)
490* feat: support keyless verification for verify-blob-attestation (#2525)
491* attest-blob: add functionality for keyless signing (#2515)
492* Rego: add support for custom error/warning messages when evaluating rego rules (#2577)
493* feat: add debug information to cert validation error (#2579)
494
495## Bug Fixes
496* fix: panic with unsigned local image (#2656)
497* Make sure a cert passed in via --cert matches the bundle cert (#2652)
498* fix: fix github oidc post submit test (#2594)
499* fix: add enhanced error messages for failing verification with TUF targets (#2589)
500
501## Contributors
502* Carlos Tadeu Panato Junior
503* Chris Burns
504* Hayden B
505* Hector Fernandez
506* Huang Huang
507* Kenny Leung
508* Priya Wadhwa
509* Stefan Zhelyazkov
510* Ville Aikas
511* Zack Newman
512* asraa
513* dependabot[bot]
514* kpk47
515* priyawadhwa
516
517# v2.0.0-rc.0
518
519_Note: this is a prerelease for Cosign 2.0! Feel free to try it out, but know there are many breaking changes from 1.0 and the prereleases may continue to change._
520
521Critical breaking changes include:
522* Removing the COSIGN_EXPERIMENTAL environment variable, so the default signing method is now keyless signing with Fulcio
523* By default Cosign will now always upload to Rekor, this can be toggled with the `--tlog-upload` flag (defaults to true)
524
525## Breaking Changes
526* Breaking change: Change SCT verification behavior to default to enforcement (#2400)
527* Breaking change: remove --force flag from sign and attest and rely on --yes flag to skip confirmation (#2399)
528* Breaking change: replace --no-tlog-upload flag with --tlog-upload flag (#2397)
529
530## Enhancements
531* Change go module name to github.com/sigstore/cosign/v2 for Cosign 2.0 (#2544)
532* Allow users to pass in a path for the --identity-token flag (#2538)
533* Breaking change: Respect tlog-upload=false, default to true (#2505)
534* Support outputing a certificate without uploading to the tlog (#2506)
535* Attestation/Blob signing and verification using a RFC3161 time-stamping server (#2464)
536* respect tlog-upload flag with TSA (#2474)
537* Better feedback if specifying incompatible argument on `cosign sign --attachment` (#2449)
538* Support TSA and Rekor verifications (#2463)
539* add support for tsa signing and verification of images (#2460)
540* cosign policy sign: remove experimental flag and make keyless signing default (#2459)
541* Remove experimental mode from cosign attest and verify-attestation (#2458)
542* Remove experimental mode from sign-blob and verify-blob (#2457)
543* Add --offline flag to force offline verification (#2427)
544* Air gap support (#2299)
545* Remove experimental flag from cosign sign and cosign verify (#2387)
546* verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a key from rekor's API (#2362)
547
548## Bug Fixes
549* Fix the file existence check. (#2552)
550* Fix timestamp verification, add verify-blob tests (#2527)
551* fix(verify): Consolidate certificate expiry logic (#2504)
552* Updates to Timestamp signing and verification (#2499)
553* fix: removes attestation payload from attest-blob's output & no base64 encoding (#2498)
554* Fix path for e2e-tests badge (#2490)
555* Fix spdx json media type (#2479)
556* fix sct verificaction (#2426)
557
558## Others
559* update builder image that uses go 1.19.4 (#2520)
560
561## Contributors
562* Anish Shah
563* Arnaud J Le Hors
564* Batuhan Apaydın
565* Bob Callaway
566* Carlos Tadeu Panato Junior
567* Emmanuel T Odeke
568* Hayden B
569* Hector Fernandez
570* Jan Wozniak
571* Matthias Glastra
572* Miloslav Trmač
573* Puerco
574* Tom Meadows
575* Ville Aikas
576* Zack Newman
577* asraa
578* priyawadhwa
579
580# v1.13.6
581
582_Note: v1.13.3, .4, and .5 were skipped due to issues in the release pipeline_
583
584This release backports support for the latest TUF specification. We encourage users to upgrade to Cosign v2.
585
586## Updates
587* V1 go tuf update (#3598)
588* Update cloud build script to latest for v1.13.x (#3615)
589
590# v1.13.2
591
592This release backports a security fix. We encourage users to upgrade to Cosign v2.
593
594## Updates
595* [release-1.13] update builder image that uses go 1.19.4 (#2521)
596* Backport GHSA-vfp6-jrw2-99g9 in (#3364)
597
598# v1.13.1
599
600## Enhancements
601* verify-blob-attestation: allow multiple subjects in in_toto attestation (#2341)
602* Add verify-blob-attestation command and tests (#2337)
603* Add --output-attestation flag to attest-blob and remove experimental signing (#2332)
604* Add attest-blob command (#2286)
605* Add '--cert-identity' flag to support subject alternate names for ver… (#2278)
606* Update Dockerfile section of README (#2323)
607
608## Bug Fixes
609* Update warning when users sign images by tag. (#2313)
610
611## Others
612* Remove experimental flags from attest-blob and refactor (#2338)
613
614## Contributors
615* Alex Cameron
616* Ville Aikas
617* Zack Newman
618* asraa
619* kpk47
620* priyawadhwa
621
622# v1.13.0
623
624> # Highlights
625> * For users who have deployed a private instance of Fulcio release v0.6.x and issue certificates with the Username identity, you will need to upgrade to use this version."
626
627## Enhancements
628
629* Add support for Fulcio username identity in SAN (https://github.com/sigstore/cosign/pull/2291)
630* Data race in FetchSignaturesForReference (https://github.com/sigstore/cosign/pull/2283)
631* Check error on chain verification failure (https://github.com/sigstore/cosign/pull/2284)
632* feat: improve the verification message (https://github.com/sigstore/cosign/pull/2268)
633* feat: use stdin as an input for predicate (https://github.com/sigstore/cosign/pull/2269)
634
635## Bug Fixes
636
637* fix: make tlog entry lookups for online verification shard-aware (https://github.com/sigstore/cosign/pull/2297)
638* Fix: Create a static copy of signatures as part of verification. (https://github.com/sigstore/cosign/pull/2287)
639* Fix: Remove an extra registry request from verification path. (https://github.com/sigstore/cosign/pull/2285)
640* fix pivtool generate key touch policy (https://github.com/sigstore/cosign/pull/2282)
641
642## Others
643
644* use scaffolding 0.4.8 for tests. (https://github.com/sigstore/cosign/pull/2280)
645
646## Contributors
647
648* Asra Ali (@asraa)
649* Batuhan Apaydın (@developer-guy)
650* Carlos Tadeu Panato Junior (@cpanato)
651* Hayden Blauzvern (@haydentherapper)
652* Matt Moore (@mattmoor)
653* Ross Tannenbaum (@RTann)
654* Ville Aikas (@vaikas)
655
656# v1.12.1
657
658> # Highlights
659> * Pulls Fulcio root and intermediate when `--certificate-chain` is not passed into `verify-blob`. The v1.12.0 release introduced a regression: when `COSIGN_EXPERIMENTAL` was not set, cosign `verify-blob` would check a `--certificate` (without a `--certificate-chain` provided) against the operating system root CA bundle. In this release, Cosign checks the certificate against Fulcio's CA root instead (restoring the earlier behavior).
660
661## Bug Fixes
662
663* fix: fixing breaking changes in rekor v1.12.0 upgrade (https://github.com/sigstore/cosign/pull/2260)
664* Fixed bug where intermediate certificates were not automatically read from the OCI chain annotation (https://github.com/sigstore/cosign/pull/2244)
665* fix: add COSIGN_EXPERIMENTAL=1 for verify-blob (https://github.com/sigstore/cosign/pull/2254)
666* fix: fix cert chain validation for verify-blob in non-experimental mode (https://github.com/sigstore/cosign/pull/2256)
667* fix: fix secret test, non-experimental bundle should pass (https://github.com/sigstore/cosign/pull/2249)
668* Fix e2e test failure, add test for local bundle without rekor bundle (https://github.com/sigstore/cosign/pull/2248)
669
670## Contributors
671
672* Asra Ali (@asraa)
673* Batuhan Apaydın (@developer-guy)
674* Carlos Tadeu Panato Junior (@cpanato)
675* Hayden Blauzvern (@haydentherapper)
676* n3k0m4 (@n3k0m4)
677
678# v1.12.0
679
680**Note: This release comes with a fix for `CVE-2022-36056` described in this [Github Security Advisory](https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388). Please upgrade to this release ASAP**
681
682> # Highlights
683> **BREAKING:** The fix for [GHSA-GHSA-8gw7-4j42-w388](https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388) (CVE-2022-36056) means that some `verify-blob` commands that used to work may not anymore. In particular:
684> - When using `verify-blob` with signatures created with keyless mode, we require either `COSIGN_EXPERIMENTAL=1` or a valid Rekor bundle for offline verification passed with `--bundle`.
685>
686> If you upgrade and encounter other issues, please read the advisory in full; your prior checks may have been passing inappropriately.
687
688
689## Enhancements
690
691* Add deprecation warning for sget CLI and packages (https://github.com/sigstore/cosign/pull/2019)
692* feat: set annotations to generate additional bash completion information (https://github.com/sigstore/cosign/pull/2221)
693* feat: integrate Alibaba Cloud Container Registry cred helper (https://github.com/sigstore/cosign/pull/2008)
694* Support non-ECDSA key types for verify-blob (https://github.com/sigstore/cosign/pull/2203)
695* Bump github.com/theupdateframework/go-tuf from 0.3.1 to 0.5.0 (https://github.com/sigstore/cosign/pull/2232)
696 * feat: Add support for verifying ECDSA PEM-encoded keys. Continues deprecated hex-encoded keys for backward compatibility
697
698## Bug Fixes
699
700* fix: fix secret test, non-experimental bundle should pass (https://github.com/sigstore/cosign/pull/2249)
701* Fix e2e test failure, add test for local bundle without rekor bundle (https://github.com/sigstore/cosign/pull/2248)
702* Clarify error when KMS provider fails to load (https://github.com/sigstore/cosign/pull/2220)
703
704## Others
705
706* update kind to use release v0.15.0 and some version comments (https://github.com/sigstore/cosign/pull/2246)
707* Bump github.com/theupdateframework/go-tuf from 0.3.1 to 0.5.0 (https://github.com/sigstore/cosign/pull/2232)
708* update go builder to go1.19.1 (https://github.com/sigstore/cosign/pull/2241)
709* Bump mikefarah/yq from 4.27.3 to 4.27.5 (https://github.com/sigstore/cosign/pull/2239)
710* Bump github.com/open-policy-agent/opa from 0.43.0 to 0.44.0 (https://github.com/sigstore/cosign/pull/2234)
711* Bump github.com/google/go-cmp from 0.5.8 to 0.5.9 (https://github.com/sigstore/cosign/pull/2233)
712* Bump google.golang.org/api from 0.94.0 to 0.95.0 (https://github.com/sigstore/cosign/pull/2229)
713* upgrade setup-ko to point to new repo (https://github.com/sigstore/cosign/pull/2225)
714* Bump github.com/spf13/viper from 1.12.0 to 1.13.0 (https://github.com/sigstore/cosign/pull/2224)
715* Upgrade to go1.19 (https://github.com/sigstore/cosign/pull/2213)
716* remove doubl quotes, looks like it is passing as a single string to cosign and not as an array (https://github.com/sigstore/cosign/pull/2205)
717* use scaffolding v0.4.6. (https://github.com/sigstore/cosign/pull/2201)
718* Bump google.golang.org/api from 0.93.0 to 0.94.0 (https://github.com/sigstore/cosign/pull/2200)
719
720## Contributors
721
722* Asra Ali (@asraa)
723* Carlos Tadeu Panato Junior (@cpanato)
724* Engin Diri (@dirien)
725* Hayden Blauzvern (@haydentherapper)
726* Huang Huang (@mozillazg)
727* Jason Hall (@imjasonh)
728* Priya Wadhwa (@priyawadhwa)
729* Ville Aikas (@vaikas)
730* Zack Newman (@znewman01)
731
732# v1.11.1
733
734## Enhancements
735
736* feat: Rework fig autocomplete command (https://github.com/sigstore/cosign/pull/2187)
737
738## Bug Fixes
739
740* fix: fix typo that caused attestation verification failure (https://github.com/sigstore/cosign/pull/2199)
741
742## Documention
743
744* add release cadence section in the readme (https://github.com/sigstore/cosign/pull/2179)
745
746## Others
747
748* Bump actions/cache from 3.0.7 to 3.0.8 (https://github.com/sigstore/cosign/pull/2192)
749* Bump actions/dependency-review-action from 2.0.4 to 2.1.0 (https://github.com/sigstore/cosign/pull/2185)
750* Bump actions/setup-go from 3.2.1 to 3.3.0 (https://github.com/sigstore/cosign/pull/2196)
751* Bump github.com/go-openapi/swag from 0.22.1 to 0.22.3 (https://github.com/sigstore/cosign/pull/2182)
752* Bump github.com/sigstore/fulcio from 0.5.2 to 0.5.3 (https://github.com/sigstore/cosign/pull/2190)
753* Bump github.com/sigstore/rekor from 0.10.0 to 0.11.0 (https://github.com/sigstore/cosign/pull/2181)
754* Bump github.com/xanzy/go-gitlab from 0.72.0 to 0.73.0 (https://github.com/sigstore/cosign/pull/2191)
755* Bump github.com/xanzy/go-gitlab from 0.73.0 to 0.73.1 (https://github.com/sigstore/cosign/pull/2195)
756* Bump github/codeql-action from 2.1.18 to 2.1.19 (https://github.com/sigstore/cosign/pull/2184)
757* Bump github/codeql-action from 2.1.19 to 2.1.20 (https://github.com/sigstore/cosign/pull/2193)
758* Bump google.golang.org/api from 0.92.0 to 0.93.0 (https://github.com/sigstore/cosign/pull/2183)
759* Update Scorecard action to v2:alpha (https://github.com/sigstore/cosign/pull/2177)
760* add stale workflow using the workflow template (https://github.com/sigstore/cosign/pull/2175)
761* bump fulcio dep to 0.5.2 (https://github.com/sigstore/cosign/pull/2176)
762* bump scaffold in tests to use release v0.4.5 (https://github.com/sigstore/cosign/pull/2180)
763
764## Contributors
765
766* Asra Ali (@asraa)
767* Azeem Shaikh (@azeemshaikh38)
768* Carlos Tadeu Panato Junior (@cpanato)
769* Engin Diri (@dirien)
770* Kenny Leung (@k4leung4)
771
772# v1.11.0
773
774## Enhancements
775
776* use updated device flow logic with PKCE (https://github.com/sigstore/cosign/pull/2163)
777
778## Bug Fixes
779
780* fix panic when os.Stat returns an error besides ErrNotExists (https://github.com/sigstore/cosign/pull/2162)
781* fix: add env cmd to root (https://github.com/sigstore/cosign/pull/2171)
782* fix: rekor get tlog entry with uuid (https://github.com/sigstore/cosign/pull/2058)
783* fix oidc post-merge job (https://github.com/sigstore/cosign/pull/2164)
784* fix handling of verify-attestation types for URIs (https://github.com/sigstore/cosign/pull/2159)
785* fix: adds envelope hash to in-toto entries in tlog entry creation (https://github.com/sigstore/cosign/pull/2118)
786* fix: fix blob verification output (https://github.com/sigstore/cosign/pull/2157)
787* Verify the certificate chain against the Fulcio root trust by default (https://github.com/sigstore/cosign/pull/2139)
788
789## Documention
790
791* docs: clarify wording in spec about usage of certificate chain (https://github.com/sigstore/cosign/pull/2152)
792* Add notes to clarify registry use. (https://github.com/sigstore/cosign/pull/2145)
793
794## Others
795
796* Bump github.com/go-openapi/swag from 0.22.0 to 0.22.1 (https://github.com/sigstore/cosign/pull/2167)
797* Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 (https://github.com/sigstore/cosign/pull/2168)
798* update e2e job to run only when push to main (https://github.com/sigstore/cosign/pull/2169)
799* Remove third_party (https://github.com/sigstore/cosign/pull/2166)
800* bump to scaffolding v0.4.4 (https://github.com/sigstore/cosign/pull/2165)
801* Bump sigs.k8s.io/release-utils from 0.6.0 to 0.7.3 (https://github.com/sigstore/cosign/pull/2102)
802* Run tests using Go 1.18 (https://github.com/sigstore/cosign/pull/2093)
803* Bump actions/github-script from 6.1.0 to 6.1.1 (https://github.com/sigstore/cosign/pull/2156)
804* Bump go.uber.org/atomic from 1.9.0 to 1.10.0 (https://github.com/sigstore/cosign/pull/2155)
805* Bump github.com/xanzy/go-gitlab from 0.71.0 to 0.72.0 (https://github.com/sigstore/cosign/pull/2148)
806* Bump tests to use scaffolding-0.4.3. (https://github.com/sigstore/cosign/pull/2153)
807* Bump google.golang.org/api from 0.91.0 to 0.92.0 (https://github.com/sigstore/cosign/pull/2150)
808* Bump actions/cache from 3.0.6 to 3.0.7 (https://github.com/sigstore/cosign/pull/2151)
809* Use TUF from scaffolding for validating cosign. (https://github.com/sigstore/cosign/pull/2146)
810* Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.6 to 0.1.7 (https://github.com/sigstore/cosign/pull/2141)
811* Bump github.com/go-openapi/swag from 0.21.1 to 0.22.0 (https://github.com/sigstore/cosign/pull/2140)
812* Bump github.com/xanzy/go-gitlab from 0.70.0 to 0.71.0 (https://github.com/sigstore/cosign/pull/2142)
813* Bump actions/cache from 3.0.5 to 3.0.6 (https://github.com/sigstore/cosign/pull/2136)
814* Bump github.com/go-piv/piv-go from 1.9.0 to 1.10.0 (https://github.com/sigstore/cosign/pull/2135)
815* Bump github/codeql-action from 2.1.17 to 2.1.18 (https://github.com/sigstore/cosign/pull/2129)
816* Update CHANGELOG for 1.10.1 release (https://github.com/sigstore/cosign/pull/2130)
817
818## Contributors
819
820* Asra Ali (@asraa)
821* Batuhan Apaydın (@developer-guy)
822* Bob Callaway (@bobcallaway)
823* Carlos Tadeu Panato Junior (@cpanato)
824* David Bendory (@bendory)
825* Jason Hall (@imjasonh)
826* Kazuma Watanabe (@wata727)
827* Matt Moore (@mattmoor)
828* Noah Kreiger (@nkreiger)
829* Priya Wadhwa (@priyawadhwa)
830* Samsondeen (@dsa0x)
831* Ville Aikas (@vaikas)
832* saso (@otms61)
833
834# v1.10.1
835
836**Note: This release comes with a fix for CVE-2022-35929 described in this [Github Security Advisory](https://github.com/sigstore/cosign/security/advisories/GHSA-vjxv-45g9-9296). Please upgrade to this release ASAP**
837
838## Enhancements
839
840* update cross-builder to go1.18.5 and cosign image to 1.10.0 (https://github.com/sigstore/cosign/pull/2119)
841* feat: attach: attestation: allow passing multiple payloads (https://github.com/sigstore/cosign/pull/2085)
842* Resolves #522 set Created date to time of execution (https://github.com/sigstore/cosign/pull/2108)
843* Fix field names in the vulnerability attestation (https://github.com/sigstore/cosign/pull/2099)
844* Change Result in Vulnerability Attestation to interface{} (https://github.com/sigstore/cosign/pull/2096)
845* Improve error message when no sigs/atts are found for an image (https://github.com/sigstore/cosign/pull/2101)
846* add flag to allow skipping upload to transparency log (https://github.com/sigstore/cosign/pull/2089)
847
848## Documention
849
850* chore: fix documentation and warning on using untrusted rekor key (https://github.com/sigstore/cosign/pull/2124)
851* Enable Scorecard badge (https://github.com/sigstore/cosign/pull/2109)
852
853## Bug Fixes
854
855* Merge pull request from GHSA-vjxv-45g9-9296
856* Correct the type used for attest (https://github.com/sigstore/cosign/pull/2128)
857
858## Others
859
860* Bump mikefarah/yq from 4.26.1 to 4.27.2 (https://github.com/sigstore/cosign/pull/2116)
861* Bump github.com/open-policy-agent/opa from 0.42.2 to 0.43.0 (https://github.com/sigstore/cosign/pull/2115)
862* Bump github.com/xanzy/go-gitlab from 0.69.0 to 0.70.0 (https://github.com/sigstore/cosign/pull/2120)
863* Bump google.golang.org/api from 0.90.0 to 0.91.0 (https://github.com/sigstore/cosign/pull/2125)
864* Bump google.golang.org/api from 0.89.0 to 0.90.0 (https://github.com/sigstore/cosign/pull/2111)
865* Bump github/codeql-action from 2.1.16 to 2.1.17 (https://github.com/sigstore/cosign/pull/2112)
866* Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (https://github.com/sigstore/cosign/pull/2110)
867* Bump google.golang.org/api from 0.88.0 to 0.89.0 (https://github.com/sigstore/cosign/pull/2106)
868* Bump imjasonh/setup-ko from 0.4 to 0.5 (https://github.com/sigstore/cosign/pull/2107)
869* Introduce a custom error type to classify errors. (https://github.com/sigstore/cosign/pull/2114)
870* Bump github.com/hashicorp/go-hclog from 1.2.1 to 1.2.2 (https://github.com/sigstore/cosign/pull/2103)
871* remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint (https://github.com/sigstore/cosign/pull/2105)
872* Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (https://github.com/sigstore/cosign/pull/2100)
873* Remove knative/pkg deps (https://github.com/sigstore/cosign/pull/2092)
874
875## Contributors
876
877* Asra Ali (@asraa)
878* Azeem Shaikh (@azeemshaikh38)
879* Carlos Tadeu Panato Junior (@cpanato)
880* Furkan Türkal (@Dentrax)
881* Jason Hall (@imjasonh)
882* Kenny Leung (@k4leung4)
883* Matt Moore (@mattmoor)
884* Teppei Fukuda (@knqyf263)
885* Tobias Trabelsi (@Lerentis)
886* saso (@otms61)
887
888# v1.10.0
889
890## Enhancements
891
892* Add env subcommand. (https://github.com/sigstore/cosign/pull/2051)
893* feat: cert-extensions verify (https://github.com/sigstore/cosign/pull/1626)
894* sign-blob: bundle should work independently (https://github.com/sigstore/cosign/pull/2016)
895* Add --oidc-provider flag to specify which provider to use for ambient credentials (https://github.com/sigstore/cosign/pull/1998)
896* Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore (https://github.com/sigstore/cosign/pull/1866)
897* Add --platform flag to cosign sbom download (https://github.com/sigstore/cosign/pull/1975)
898* Route deprectated -version to subcommand (https://github.com/sigstore/cosign/pull/1854)
899* Add cyclonedx predicate type for attestations (https://github.com/sigstore/cosign/pull/1977)
900* Updated Azure kms commands. (https://github.com/sigstore/cosign/pull/1972)
901* Add spdxjson predicate type for attestations (https://github.com/sigstore/cosign/pull/1974)
902* Drop tuf client dependency on GCS client library (https://github.com/sigstore/cosign/pull/1967)
903* feat(fulcioroots): singleton error pattern (https://github.com/sigstore/cosign/pull/1965)
904* tuf: improve TUF client concurrency and caching (https://github.com/sigstore/cosign/pull/1953)
905* Separate RegExp matching of issuer/subject from strict (https://github.com/sigstore/cosign/pull/1956)
906
907## Documention
908
909* update design doc link (https://github.com/sigstore/cosign/pull/2077)
910* specs: fix list formatting on SIGNATURE_SPEC (https://github.com/sigstore/cosign/pull/2030)
911* public-key: fix command description (https://github.com/sigstore/cosign/pull/2024)
912* docs(readme): add installation steps for container image for cosign binary (https://github.com/sigstore/cosign/pull/1986)
913* Add Cloudsmith Container Registry to tested registry list (https://github.com/sigstore/cosign/pull/1966)
914
915
916## Bug Fixes
917
918* Fix OIDC test (https://github.com/sigstore/cosign/pull/2050)
919* Use cosign.ConfirmPrompt more consistently (https://github.com/sigstore/cosign/pull/2039)
920* chore: add note about SIGSTORE_REKOR_PUBLIC_KEY (https://github.com/sigstore/cosign/pull/2040)
921* Fix #1378 create new attestation signature in replace mode if not existent (https://github.com/sigstore/cosign/pull/2014)
922* encrypt values to create the github action secret (https://github.com/sigstore/cosign/pull/1990)
923* fix/update post build job (https://github.com/sigstore/cosign/pull/1983)
924* fix typos (https://github.com/sigstore/cosign/pull/1982)
925
926## Others
927
928* Bump github.com/hashicorp/vault/sdk from 0.5.2 to 0.5.3 (https://github.com/sigstore/cosign/pull/2079)
929* Bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 (https://github.com/sigstore/cosign/pull/2078)
930* Bump google.golang.org/api from 0.87.0 to 0.88.0 (https://github.com/sigstore/cosign/pull/2081)
931* Remove hack/tools.go (https://github.com/sigstore/cosign/pull/2080)
932* Remove replace directives in go.mod. (https://github.com/sigstore/cosign/pull/2070)
933* Bump mikefarah/yq from 4.25.3 to 4.26.1 (https://github.com/sigstore/cosign/pull/2076)
934* Bump github.com/xanzy/go-gitlab from 0.68.2 to 0.69.0 (https://github.com/sigstore/cosign/pull/2075)
935* Bump actions/dependency-review-action from 2.0.2 to 2.0.4 (https://github.com/sigstore/cosign/pull/2073)
936* Bump google.golang.org/api from 0.86.0 to 0.87.0 (https://github.com/sigstore/cosign/pull/2064)
937* chore(deps): CycloneDX PredicateType changed to use in-toto-golang (https://github.com/sigstore/cosign/pull/2067)
938* Bump github.com/open-policy-agent/opa from 0.42.0 to 0.42.2 (https://github.com/sigstore/cosign/pull/2063)
939* Bump google.golang.org/grpc from 1.47.0 to 1.48.0 (https://github.com/sigstore/cosign/pull/2062)
940* Bump actions/setup-go from 3.2.0 to 3.2.1 (https://github.com/sigstore/cosign/pull/2060)
941* Bump github/codeql-action from 2.1.15 to 2.1.16 (https://github.com/sigstore/cosign/pull/2065)
942* Bump actions/cache from 3.0.4 to 3.0.5 (https://github.com/sigstore/cosign/pull/2066)
943* update to go 1.18 (https://github.com/sigstore/cosign/pull/2059)
944* Bump github.com/open-policy-agent/opa from 0.35.0 to 0.42.0 (https://github.com/sigstore/cosign/pull/2046)
945* update ct/otel and etcd (https://github.com/sigstore/cosign/pull/2054)
946* remove tests with 1.21 k8s cluster because it is deprecated and add v1.23/24 (https://github.com/sigstore/cosign/pull/2055)
947* Bump sigstore/cosign-installer from 2.4.0 to 2.4.1 (https://github.com/sigstore/cosign/pull/2042)
948* Bump github.com/hashicorp/go-version from 1.5.0 to 1.6.0 (https://github.com/sigstore/cosign/pull/2032)
949* Bump github.com/spiffe/go-spiffe/v2 from 2.1.0 to 2.1.1 (https://github.com/sigstore/cosign/pull/2037)
950* Bump github/codeql-action from 2.1.14 to 2.1.15 (https://github.com/sigstore/cosign/pull/2038)
951* Bump google.golang.org/api from 0.85.0 to 0.86.0 (https://github.com/sigstore/cosign/pull/2036)
952* Bump github.com/stretchr/testify from 1.7.5 to 1.8.0 (https://github.com/sigstore/cosign/pull/2035)
953* Bump ossf/scorecard-action from 1.1.1 to 1.1.2 (https://github.com/sigstore/cosign/pull/2033)
954* Bump github.com/xanzy/go-gitlab from 0.68.0 to 0.68.2 (https://github.com/sigstore/cosign/pull/2029)
955* Bump github.com/stretchr/testify from 1.7.4 to 1.7.5 (https://github.com/sigstore/cosign/pull/2026)
956* Attempt to clean up pkg/cosign (https://github.com/sigstore/cosign/pull/2018)
957* Bump github/codeql-action from 2.1.13 to 2.1.14 (https://github.com/sigstore/cosign/pull/2023)
958* Bump github.com/google/go-containerregistry from 0.9.0 to 0.10.0 (https://github.com/sigstore/cosign/pull/2021)
959* Bump mikefarah/yq from 4.25.2 to 4.25.3 (https://github.com/sigstore/cosign/pull/2022)
960* Bump google.golang.org/api from 0.84.0 to 0.85.0 (https://github.com/sigstore/cosign/pull/2015)
961* Bump github.com/stretchr/testify from 1.7.3 to 1.7.4 (https://github.com/sigstore/cosign/pull/2010)
962* Bump github.com/google/go-github/v45 from 45.1.0 to 45.2.0 (https://github.com/sigstore/cosign/pull/2011)
963* Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 (https://github.com/sigstore/cosign/pull/2012)
964* Bump github/codeql-action from 2.1.12 to 2.1.13 (https://github.com/sigstore/cosign/pull/2013)
965* Bump github.com/stretchr/testify from 1.7.2 to 1.7.3 (https://github.com/sigstore/cosign/pull/2009)
966* Bump actions/dependency-review-action from 2.0.1 to 2.0.2 (https://github.com/sigstore/cosign/pull/2001)
967* Bump github.com/hashicorp/vault/sdk from 0.5.1 to 0.5.2 (https://github.com/sigstore/cosign/pull/1996)
968* Bump actions/dependency-review-action from 1.0.2 to 2.0.1 (https://github.com/sigstore/cosign/pull/2000)
969* Bump google.golang.org/api from 0.83.0 to 0.84.0 (https://github.com/sigstore/cosign/pull/1999)
970* Bump sigstore/sigstore to HEAD (https://github.com/sigstore/cosign/pull/1995)
971* Bump github.com/hashicorp/vault/sdk from 0.5.0 to 0.5.1 (https://github.com/sigstore/cosign/pull/1988)
972* cleanup ci job and remove policy-controller references (https://github.com/sigstore/cosign/pull/1981)
973* Bump google.golang.org/api from 0.82.0 to 0.83.0 (https://github.com/sigstore/cosign/pull/1979)
974* cleanup: unexport kubernetes.Client method (https://github.com/sigstore/cosign/pull/1973)
975* Remove policy-controller now that it lives in sigstore/policy-controller (https://github.com/sigstore/cosign/pull/1976)
976* Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 (https://github.com/sigstore/cosign/pull/1980)
977* Bump actions/cache from 3.0.3 to 3.0.4 (https://github.com/sigstore/cosign/pull/1970)
978* Bump github.com/hashicorp/go-hclog from 1.2.0 to 1.2.1 (https://github.com/sigstore/cosign/pull/1968)
979* Bump github.com/stretchr/testify from 1.7.1 to 1.7.2 (https://github.com/sigstore/cosign/pull/1963)
980* Bump google.golang.org/grpc from 1.46.2 to 1.47.0 (https://github.com/sigstore/cosign/pull/1943)
981* Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.5 to 0.1.6 (https://github.com/sigstore/cosign/pull/1958)
982* replace gcr.io/distroless/ to use ghcr.io/distroless/ (https://github.com/sigstore/cosign/pull/1961)
983* Bump github/codeql-action from 2.1.11 to 2.1.12 (https://github.com/sigstore/cosign/pull/1951)
984* Bump google.golang.org/api from 0.81.0 to 0.82.0 (https://github.com/sigstore/cosign/pull/1948)
985
986## Contributors
987
988* Adolfo García Veytia (@puerco)
989* Asra Ali (@asraa)
990* Batuhan Apaydın (@developer-guy)
991* Billy Lynch (@wlynch)
992* Bob Callaway (@bobcallaway)
993* Carlos Tadeu Panato Junior (@cpanato)
994* Ciara Carey (@ciaracarey)
995* Frederik Boster (@Syquel)
996* Furkan Türkal (@Dentrax)
997* Hector Fernandez (@hectorj2f)
998* Jason Hall (@imjasonh)
999* Jinhong Brejnholt (@JBrejnholt)
1000* Josh Dolitsky (@jdolitsky)
1001* Masahiro331 (@masahiro331)
1002* Priya Wadhwa (@priyawadhwa)
1003* Ville Aikas (@vaikas)
1004* William Woodruff (@woodruffw)
1005
1006# v1.9.0
1007
1008## Enhancements
1009
1010* Do not push to public rekor. (https://github.com/sigstore/cosign/pull/1931)
1011* Add privacy statement for PII storage (https://github.com/sigstore/cosign/pull/1909)
1012* Add support for "**" in image glob matching (https://github.com/sigstore/cosign/pull/1914)
1013* [cosigned] Rename cosigned references to policy-controller (https://github.com/sigstore/cosign/pull/1893)
1014* [cosigned] Remove undefined apiGroups from policy clusterrole (https://github.com/sigstore/cosign/pull/1896)
1015* tree: support --attachment-tag-prefix (https://github.com/sigstore/cosign/pull/1900)
1016* v1beta1 API for cosigned (https://github.com/sigstore/cosign/pull/1890)
1017* tree: only report artifacts that are present (https://github.com/sigstore/cosign/pull/1872)
1018* Check certificate policy flags with only a certificate (https://github.com/sigstore/cosign/pull/1869)
1019* Normalize certificate flag names (https://github.com/sigstore/cosign/pull/1868)
1020* Add rekor.0.pub TUF target to unit tests (https://github.com/sigstore/cosign/pull/1860)
1021* If SBOM ref has .json suffix, assume JSON mediatype (https://github.com/sigstore/cosign/pull/1859)
1022* sget: Enable KMS providers for sget (https://github.com/sigstore/cosign/pull/1852)
1023* Use filepath match instead of glob (https://github.com/sigstore/cosign/pull/1842)
1024* cosigned: Fix podAntiAffinity labels (https://github.com/sigstore/cosign/pull/1841)
1025* Add function to explictly request a certain provider (https://github.com/sigstore/cosign/pull/1837)
1026* Validate tlog entry when verifying signature via public key. (https://github.com/sigstore/cosign/pull/1833)
1027* New flag --oidc-providers-disable to disable OIDC providers (https://github.com/sigstore/cosign/pull/1832)
1028* Add auth flow option to KeyOpts. (https://github.com/sigstore/cosign/pull/1827)
1029* cosigned: Test unsupported KMS providers (https://github.com/sigstore/cosign/pull/1820)
1030* Refactor fulcio signer to take in KeyOpts (take 2) (https://github.com/sigstore/cosign/pull/1818)
1031* feat: add rego policy support (https://github.com/sigstore/cosign/pull/1817)
1032* [Cosigned] Add signature pull secrets (https://github.com/sigstore/cosign/pull/1805)
1033* Check failure message of policy that fails with issuer mismatch (https://github.com/sigstore/cosign/pull/1815)
1034* Support PKCS1 encoded and non-ECDSA CT log public keys (https://github.com/sigstore/cosign/pull/1806)
1035
1036## Documention
1037
1038* update README with ebpf modules (https://github.com/sigstore/cosign/pull/1888)
1039* Point git commmit FUN.md to gitsign! (https://github.com/sigstore/cosign/pull/1874)
1040* Add IBM Cloud Container Registry to tested registry list (https://github.com/sigstore/cosign/pull/1856)
1041* Document Staging instance usage with Keyless (https://github.com/sigstore/cosign/pull/1824)
1042
1043## Bug Fixes
1044
1045* fix: fix #1930 for AWS KMS formats (https://github.com/sigstore/cosign/pull/1946)
1046* fix: fix fetching updated targets from TUF root (https://github.com/sigstore/cosign/pull/1921)
1047* Fix piv-tool generate-key command in TOKENS doc (https://github.com/sigstore/cosign/pull/1850)
1048
1049## Others
1050
1051* remove deprecation (https://github.com/sigstore/cosign/pull/1952)
1052* Bump github.com/aws/aws-sdk-go-v2 from 1.14.0 to 1.16.4 (https://github.com/sigstore/cosign/pull/1949)
1053* update cross-builder image to use go1.17.11 (https://github.com/sigstore/cosign/pull/1950)
1054* Bump ossf/scorecard-action from 1.1.0 to 1.1.1 (https://github.com/sigstore/cosign/pull/1945)
1055* Bump github.com/secure-systems-lab/go-securesystemslib (https://github.com/sigstore/cosign/pull/1944)
1056* Bump actions/cache from 3.0.2 to 3.0.3 (https://github.com/sigstore/cosign/pull/1937)
1057* Bump mikefarah/yq from 4.25.1 to 4.25.2 (https://github.com/sigstore/cosign/pull/1933)
1058* Bump github.com/spf13/viper from 1.11.0 to 1.12.0 (https://github.com/sigstore/cosign/pull/1924)
1059* Bump github.com/hashicorp/vault/sdk from 0.4.1 to 0.5.0 (https://github.com/sigstore/cosign/pull/1926)
1060* Bump actions/setup-go from 3.1.0 to 3.2.0 (https://github.com/sigstore/cosign/pull/1927)
1061* Bump actions/dependency-review-action from 1.0.1 to 1.0.2 (https://github.com/sigstore/cosign/pull/1915)
1062* Bump google-github-actions/auth from 0.7.3 to 0.8.0 (https://github.com/sigstore/cosign/pull/1916)
1063* Bump ossf/scorecard-action from 1.0.4 to 1.1.0 (https://github.com/sigstore/cosign/pull/1922)
1064* Bump google.golang.org/api from 0.80.0 to 0.81.0 (https://github.com/sigstore/cosign/pull/1918)
1065* Bump github.com/armon/go-metrics from 0.3.11 to 0.4.0 (https://github.com/sigstore/cosign/pull/1919)
1066* Bump github.com/xanzy/go-gitlab from 0.66.0 to 0.68.0 (https://github.com/sigstore/cosign/pull/1920)
1067* Bump github.com/xanzy/go-gitlab from 0.65.0 to 0.66.0 (https://github.com/sigstore/cosign/pull/1913)
1068* Move deprecated dependency: google/trillian/merkle to transparency-dev (https://github.com/sigstore/cosign/pull/1910)
1069* Bump github.com/hashicorp/go-version from 1.4.0 to 1.5.0 (https://github.com/sigstore/cosign/pull/1902)
1070* Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.4 to 0.1.5 (https://github.com/sigstore/cosign/pull/1883)
1071* Bump cloud.google.com/go/storage from 1.22.0 to 1.22.1 (https://github.com/sigstore/cosign/pull/1906)
1072* Bump actions/upload-artifact from 3.0.0 to 3.1.0 (https://github.com/sigstore/cosign/pull/1907)
1073* The timeout arg in golangci-lint has been moved to the generic args param. (https://github.com/sigstore/cosign/pull/1901)
1074* Update go-tuf (https://github.com/sigstore/cosign/pull/1894)
1075* Bump google.golang.org/api from 0.79.0 to 0.80.0 (https://github.com/sigstore/cosign/pull/1897)
1076* Bump google-github-actions/auth from 0.7.2 to 0.7.3 (https://github.com/sigstore/cosign/pull/1898)
1077* Bump github/codeql-action from 2.1.10 to 2.1.11 (https://github.com/sigstore/cosign/pull/1891)
1078* Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d (https://github.com/sigstore/cosign/pull/1889)
1079* Remove dependency on deprecated github.com/pkg/errors (https://github.com/sigstore/cosign/pull/1887)
1080* Bump google.golang.org/grpc from 1.46.0 to 1.46.2 (https://github.com/sigstore/cosign/pull/1884)
1081* Bump google-github-actions/auth from 0.7.1 to 0.7.2 (https://github.com/sigstore/cosign/pull/1886)
1082* go.mod: format go.mod (https://github.com/sigstore/cosign/pull/1879)
1083* chore: remove regex from image pattern (https://github.com/sigstore/cosign/pull/1873)
1084* Bump actions/dependency-review-action (https://github.com/sigstore/cosign/pull/1875)
1085* Bump actions/github-script from 6.0.0 to 6.1.0 (https://github.com/sigstore/cosign/pull/1876)
1086* Bump actions/setup-go from 3.0.0 to 3.1.0 (https://github.com/sigstore/cosign/pull/1870)
1087* Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go (https://github.com/sigstore/cosign/pull/1861)
1088* Bump github/codeql-action from 2.1.9 to 2.1.10 (https://github.com/sigstore/cosign/pull/1863)
1089* Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (https://github.com/sigstore/cosign/pull/1864)
1090* Bump google.golang.org/api from 0.78.0 to 0.79.0 (https://github.com/sigstore/cosign/pull/1858)
1091* Bump github.com/xanzy/go-gitlab from 0.64.0 to 0.65.0 (https://github.com/sigstore/cosign/pull/1857)
1092* Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 (https://github.com/sigstore/cosign/pull/1851)
1093* remove exclude from go.mod (https://github.com/sigstore/cosign/pull/1846)
1094* Bump github.com/hashicorp/go-plugin from 1.4.3 to 1.4.4 (https://github.com/sigstore/cosign/pull/1843)
1095* Bump google.golang.org/api from 0.77.0 to 0.78.0 (https://github.com/sigstore/cosign/pull/1838)
1096* Bump mikefarah/yq from 4.24.5 to 4.25.1 (https://github.com/sigstore/cosign/pull/1831)
1097* Bump google.golang.org/api from 0.76.0 to 0.77.0 (https://github.com/sigstore/cosign/pull/1829)
1098* Bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 (https://github.com/sigstore/cosign/pull/1830)
1099* Bump github.com/spiffe/go-spiffe/v2 from 2.0.0 to 2.1.0 (https://github.com/sigstore/cosign/pull/1828)
1100* chore(deps): Included dependency review (https://github.com/sigstore/cosign/pull/1792)
1101* Bump sigstore/cosign-installer from 2.2.1 to 2.3.0 (https://github.com/sigstore/cosign/pull/1813)
1102* Bump github/codeql-action from 2.1.8 to 2.1.9 (https://github.com/sigstore/cosign/pull/1814)
1103* Bump google.golang.org/api from 0.75.0 to 0.76.0 (https://github.com/sigstore/cosign/pull/1810)
1104* Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 (https://github.com/sigstore/cosign/pull/1809)
1105* Bump github.com/armon/go-metrics from 0.3.10 to 0.3.11 (https://github.com/sigstore/cosign/pull/1808)
1106
1107## Contributors
1108
1109* Asra Ali (@asraa)
1110* Adolfo García Veytia (@puerco)
1111* Andrés Torres (@elfotografo007)
1112* Billy Lynch (@wlynch)
1113* Carlos Tadeu Panato Junior (@cpanato)
1114* Dan Lorenc (@dlorenc)
1115* Denny (@DennyHoang)
1116* Eitan Yarmush (@EItanya)
1117* Hayden Blauzvern (@haydentherapper)
1118* Hector Fernandez (@hectorj2f)
1119* Jack Baines (@bainsy88)
1120* Jason Hall (@imjasonh)
1121* Josh Dolitsky (@jdolitsky)
1122* Kenny Leung (@k4leung4)
1123* Koichi Shiraishi (@zchee)
1124* Naveen Srinivasan (@naveensrinivasan)
1125* Neal McBurnett (@nealmcb)
1126* Priya Wadhwa (@priyawadhwa)
1127* Rob Best (@ribbybibby)
1128* Tomasz Janiszewski (@janisz)
1129* Ville Aikas (@vaikas)
1130* Vladimir Nachev (@vpnachev)
1131
1132
1133# v1.8.0
1134
1135_NOTE_: If you use Fulcio to issue certificates you will need to use this release.
1136
1137## Enhancements
1138
1139* Support PKCS1 encoded and non-ECDSA CT log public keys (https://github.com/sigstore/cosign/pull/1806)
1140* Load in intermediate cert pool from TUF (https://github.com/sigstore/cosign/pull/1804)
1141* Don't fail open in VerifyBundle (https://github.com/sigstore/cosign/pull/1648)
1142* Handle context cancelled properly + tests. (https://github.com/sigstore/cosign/pull/1796)
1143* Allow passing keys via environment variables (`env://` refs) (https://github.com/sigstore/cosign/pull/1794)
1144* Add parallelization for processing policies / authorities. (https://github.com/sigstore/cosign/pull/1795)
1145* Attestations + policy in cip. (https://github.com/sigstore/cosign/pull/1772)
1146* Refactor fulcio signer to take in KeyOpts. (https://github.com/sigstore/cosign/pull/1788)
1147* Remove the dependency on v1alpha1.Identity which brings in (https://github.com/sigstore/cosign/pull/1790)
1148* Add Fulcio intermediate CA certificate to intermediate pool (https://github.com/sigstore/cosign/pull/1774)
1149* Cosigned validate against remote sig src (https://github.com/sigstore/cosign/pull/1754)
1150* tuf: add debug info if tuf update fails (https://github.com/sigstore/cosign/pull/1766)
1151* Break the CIP action tests into a sh script. (https://github.com/sigstore/cosign/pull/1767)
1152* [policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags (https://github.com/sigstore/cosign/pull/1757)
1153* Verify embedded SCTs (https://github.com/sigstore/cosign/pull/1731)
1154* Validate issuer/subject regexp in validate webhook. (https://github.com/sigstore/cosign/pull/1761)
1155* Add intermediate CA certificate pool for Fulcio (https://github.com/sigstore/cosign/pull/1749)
1156* [cosigned] The webhook name is now configurable via --webhook-name flag (https://github.com/sigstore/cosign/pull/1726)
1157* Use bundle log ID to find verification key (https://github.com/sigstore/cosign/pull/1748)
1158* Refactor policy related code, add support for vuln verify (https://github.com/sigstore/cosign/pull/1747)
1159* Create convert functions for internal CIP (https://github.com/sigstore/cosign/pull/1736)
1160* Move the KMS integration imports into the binary entrypoints (https://github.com/sigstore/cosign/pull/1744)
1161
1162## Bug Fixes
1163
1164* Fix a bug where an error would send duplicate results. (https://github.com/sigstore/cosign/pull/1797)
1165* fix: more informative error (https://github.com/sigstore/cosign/pull/1778)
1166* fix: add support for rsa keys (https://github.com/sigstore/cosign/pull/1768)
1167* Implement identities, fix bug in webhook validation. (https://github.com/sigstore/cosign/pull/1759)
1168
1169## Others
1170
1171* update changelog for 1.8.0 (https://github.com/sigstore/cosign/pull/1807)
1172* add changelog for release v1.8.0 (https://github.com/sigstore/cosign/pull/1803)
1173* Bump github.com/hashicorp/go-retryablehttp from 0.7.0 to 0.7.1 (https://github.com/sigstore/cosign/pull/1758)
1174* Bump google-github-actions/auth from 0.7.0 to 0.7.1 (https://github.com/sigstore/cosign/pull/1801)
1175* Bump google.golang.org/grpc from 1.45.0 to 1.46.0 (https://github.com/sigstore/cosign/pull/1800)
1176* Bump github.com/xanzy/go-gitlab from 0.63.0 to 0.64.0 (https://github.com/sigstore/cosign/pull/1799)
1177* Revert "Refactor fulcio signer to take in KeyOpts. (https://github.com/sigstore/cosign/pull/1788)" (https://github.com/sigstore/cosign/pull/1798)
1178* chore: add rego function to consume modules (https://github.com/sigstore/cosign/pull/1787)
1179* test: add cue unit tests (https://github.com/sigstore/cosign/pull/1791)
1180* Run update-codegen. (https://github.com/sigstore/cosign/pull/1789)
1181* Bump actions/checkout from 3.0.1 to 3.0.2 (https://github.com/sigstore/cosign/pull/1783)
1182* Bump github.com/mitchellh/mapstructure from 1.4.3 to 1.5.0 (https://github.com/sigstore/cosign/pull/1782)
1183* Bump k8s.io/code-generator from 0.23.5 to 0.23.6 (https://github.com/sigstore/cosign/pull/1781)
1184* Bump google.golang.org/api from 0.74.0 to 0.75.0 (https://github.com/sigstore/cosign/pull/1780)
1185* Bump cuelang.org/go from 0.4.2 to 0.4.3 (https://github.com/sigstore/cosign/pull/1779)
1186* Bump codecov/codecov-action from 3.0.0 to 3.1.0 (https://github.com/sigstore/cosign/pull/1784)
1187* Bump actions/checkout from 3.0.0 to 3.0.1 (https://github.com/sigstore/cosign/pull/1764)
1188* Bump mikefarah/yq from 4.24.4 to 4.24.5 (https://github.com/sigstore/cosign/pull/1765)
1189* chore: add warning when downloading a sBOM (https://github.com/sigstore/cosign/pull/1763)
1190* chore: add warn when attaching sBOM (https://github.com/sigstore/cosign/pull/1756)
1191* Bump sigstore/cosign-installer from 2.2.0 to 2.2.1 (https://github.com/sigstore/cosign/pull/1752)
1192* update go builder and cosign images (https://github.com/sigstore/cosign/pull/1755)
1193* test: create fake TUF test root and create test SETs for verification (https://github.com/sigstore/cosign/pull/1750)
1194* Bump github.com/spf13/viper from 1.10.1 to 1.11.0 (https://github.com/sigstore/cosign/pull/1751)
1195* Bump mikefarah/yq from 4.24.2 to 4.24.4 (https://github.com/sigstore/cosign/pull/1746)
1196* Bump github.com/xanzy/go-gitlab from 0.62.0 to 0.63.0 (https://github.com/sigstore/cosign/pull/1745)
1197
1198## Contributors
1199
1200* Asra Ali (@asraa)
1201* Billy Lynch (@wlynch)
1202* Carlos Tadeu Panato Junior (@cpanato)
1203* Denny (@DennyHoang)
1204* Hayden Blauzvern (@haydentherapper)
1205* Hector Fernandez (@hectorj2f)
1206* Matt Moore (@mattmoor)
1207* Ville Aikas (@vaikas)
1208* Vladimir Nachev (@vpnachev)
1209* Youssef Bel Mekki (@ybelMekk)
1210* Zack Newman (@znewman01)
1211
1212# v1.7.2
1213
1214## Bug Fixes
1215
1216* Make public all types required to use ValidatePolicy (https://github.com/sigstore/cosign/pull/1727)
1217* fix: add permissions to patch events (https://github.com/sigstore/cosign/pull/1722)
1218* Fix publicKey unmarshal (https://github.com/sigstore/cosign/pull/1719)
1219* Update release job (https://github.com/sigstore/cosign/pull/1720)
1220* Makefile: fix directory not found error (https://github.com/sigstore/cosign/pull/1718)
1221
1222## Others
1223
1224* Remove newline from download sbom output (https://github.com/sigstore/cosign/pull/1732)
1225* Bump github.com/hashicorp/go-uuid from 1.0.2 to 1.0.3 (https://github.com/sigstore/cosign/pull/1724)
1226* Add unit tests for IntotoAttestation verifier. (https://github.com/sigstore/cosign/pull/1728)
1227* Bump github/codeql-action from 2.1.7 to 2.1.8 (https://github.com/sigstore/cosign/pull/1725)
1228* Bump cloud.google.com/go/storage from 1.21.0 to 1.22.0 (https://github.com/sigstore/cosign/pull/1721)
1229* Bump sigstore/cosign-installer from 2.1.0 to 2.2.0 (https://github.com/sigstore/cosign/pull/1723)
1230* Bump github.com/xanzy/go-gitlab from 0.61.0 to 0.62.0 (https://github.com/sigstore/cosign/pull/1711)
1231* Bump google-github-actions/auth from 0.6.0 to 0.7.0 (https://github.com/sigstore/cosign/pull/1712)
1232* Bump github/codeql-action from 2.1.6 to 2.1.7 (https://github.com/sigstore/cosign/pull/1713)
1233* Bump codecov/codecov-action from 2.1.0 to 3 (https://github.com/sigstore/cosign/pull/1714)
1234
1235## Contributors
1236
1237* Carlos Tadeu Panato Junior (@cpanato)
1238* Denny (@DennyHoang)
1239* Hector Fernandez (@hectorj2f)
1240* Josh Dolitsky (@jdolitsky)
1241* Rob Best (@ribbybibby)
1242* Ville Aikas (@vaikas)
1243
1244# v1.7.1
1245
1246## Bug Fixes
1247
1248* commenting out the copy from gcr to ghcr due issues on github side (https://github.com/sigstore/cosign/pull/1715)
1249
1250# v1.7.0
1251
1252## Enhancements
1253
1254* sign: set the oidc redirect uri (https://github.com/sigstore/cosign/pull/1675)
1255* Use ValidatePubKey from sigstore/sigstore (https://github.com/sigstore/cosign/pull/1676)
1256* Remove the hardcoded sigstore audience (https://github.com/sigstore/cosign/pull/1698)
1257* verify: remove extra calls to rekor for verify and verify-blob (https://github.com/sigstore/cosign/pull/1694)
1258* add leaf hash verification (https://github.com/sigstore/cosign/pull/1688)
1259* cosign clean: Don't log failure if the registry responds with 404 (https://github.com/sigstore/cosign/pull/1687)
1260* Update error message for verify/verify attestation (https://github.com/sigstore/cosign/pull/1686)
1261* change file_name_template to PackageName (https://github.com/sigstore/cosign/pull/1683)
1262* Make `cosign copy` copy metadata attached to child images. (https://github.com/sigstore/cosign/pull/1682)
1263* Add support for cert and cert chain flags with PKCS11 tokens (https://github.com/sigstore/cosign/pull/1671)
1264* Find all valid entries in verify-blob (https://github.com/sigstore/cosign/pull/1673)
1265* Refactor based on discussions in #1650 (https://github.com/sigstore/cosign/pull/1674)
1266* feat: add ability to override registry keychain (https://github.com/sigstore/cosign/pull/1666)
1267* Add specific suffixes mediaTypes to sboms (https://github.com/sigstore/cosign/pull/1663)
1268* Add certificate chain flag for signing (https://github.com/sigstore/cosign/pull/1656)
1269* First batch of followups to #1650 (https://github.com/sigstore/cosign/pull/1664)
1270* Add support for certificate chain to verify certificate (https://github.com/sigstore/cosign/pull/1659)
1271* Use syscall.Stdin for input handle. Fixes #1153 (https://github.com/sigstore/cosign/pull/1657)
1272* Shorten example OAuth URL (https://github.com/sigstore/cosign/pull/1661)
1273* Prompt user before running `cosign clean` (https://github.com/sigstore/cosign/pull/1649)
1274* Add support for intermediate certificates when verifiying (https://github.com/sigstore/cosign/pull/1631)
1275* feat: tree command utility (https://github.com/sigstore/cosign/pull/1603)
1276* Validate authority keys (https://github.com/sigstore/cosign/pull/1623)
1277* improve cosigned validation error messages (https://github.com/sigstore/cosign/pull/1618)
1278* Init entity from ociremote when signing a digest ref (https://github.com/sigstore/cosign/pull/1616)
1279* Add two env variables. One for using Rekor public key from OOB and (https://github.com/sigstore/cosign/pull/1610)
1280* Ensure entry is removed from CM on secret error. (https://github.com/sigstore/cosign/pull/1605)
1281* Validate a public key in a secret is valid. (https://github.com/sigstore/cosign/pull/1602)
1282* Add public key validation (https://github.com/sigstore/cosign/pull/1598)
1283* Add ability to inline secrets from SecretRef to configmap. (https://github.com/sigstore/cosign/pull/1595)
1284* 1417 policy validations (https://github.com/sigstore/cosign/pull/1548)
1285* Support deletion of ClusterImagePolicy (https://github.com/sigstore/cosign/pull/1580)
1286* Start of the necessary pieces to get #1418 and #1419 implemented (https://github.com/sigstore/cosign/pull/1562)
1287
1288## Bug Fixes
1289
1290* Fix handling of policy in verify-attestation (https://github.com/sigstore/cosign/pull/1672)
1291* Fix relative paths in Gitub OIDC blob test (https://github.com/sigstore/cosign/pull/1677)
1292* fix build date format for version command (https://github.com/sigstore/cosign/pull/1644)
1293* Fix 1608, 1613 (https://github.com/sigstore/cosign/pull/1617)
1294* Fix copy/paste mistake in repo name. (https://github.com/sigstore/cosign/pull/1600)
1295* Fix #1592 move authorities as siblings of images. (https://github.com/sigstore/cosign/pull/1593)
1296* Fix piping 'cosign verify' using fulcio/rekor (https://github.com/sigstore/cosign/pull/1590)
1297* Fix #1583 #1582. Disallow regex now until implemented. (https://github.com/sigstore/cosign/pull/1584)
1298* Don't lowercase input image refs, just fail (https://github.com/sigstore/cosign/pull/1586)
1299
1300## Documention
1301
1302* Document Elastic container registry support (https://github.com/sigstore/cosign/pull/1641)
1303* FUN.md broke when RecordObj changed to HashedRecordObj (https://github.com/sigstore/cosign/pull/1633)
1304* Add example using AWS Key Management Service (KMS) (https://github.com/sigstore/cosign/pull/1564)
1305
1306
1307## Others
1308
1309* Use the github actions from sigstore/scaffolding. (https://github.com/sigstore/cosign/pull/1699)
1310* Bump google.golang.org/api from 0.73.0 to 0.74.0 (https://github.com/sigstore/cosign/pull/1695)
1311* Bump github/codeql-action from 1.1.5 to 2.1.6 (https://github.com/sigstore/cosign/pull/1690)
1312* Bump actions/cache from 3.0.0 to 3.0.1 (https://github.com/sigstore/cosign/pull/1689)
1313* Add e2e test for attest / verify-attestation (https://github.com/sigstore/cosign/pull/1685)
1314* Use cosign @ HEAD for Github OIDC sign blob test (https://github.com/sigstore/cosign/pull/1678)
1315* Bump mikefarah/yq from 4.23.1 to 4.24.2 (https://github.com/sigstore/cosign/pull/1670)
1316* remove replace directive (https://github.com/sigstore/cosign/pull/1669)
1317* update font when output the cosign version (https://github.com/sigstore/cosign/pull/1668)
1318* Use ClusterImagePolicy with Keyless + e2e tests for CIP with kind (https://github.com/sigstore/cosign/pull/1650)
1319* Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 (https://github.com/sigstore/cosign/pull/1646)
1320* Bump mikefarah/yq from 4.22.1 to 4.23.1 (https://github.com/sigstore/cosign/pull/1639)
1321* Bump actions/cache from 2.1.7 to 3 (https://github.com/sigstore/cosign/pull/1640)
1322* Bump github.com/go-openapi/runtime from 0.23.2 to 0.23.3 (https://github.com/sigstore/cosign/pull/1638)
1323* Add extra label and change the latest tag to unstable for non tagged releases (https://github.com/sigstore/cosign/pull/1637)
1324* push latest tag when building a release (https://github.com/sigstore/cosign/pull/1636)
1325* update crane to v0.8.0 release (https://github.com/sigstore/cosign/pull/1635)
1326* Bump github.com/xanzy/go-gitlab from 0.59.0 to 0.60.0 (https://github.com/sigstore/cosign/pull/1634)
1327* Included OpenSSF Best Practices Badge (https://github.com/sigstore/cosign/pull/1628)
1328* Use latest knative/pkg's configmap informer (https://github.com/sigstore/cosign/pull/1615)
1329* Bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (https://github.com/sigstore/cosign/pull/1621)
1330* Bump google.golang.org/api from 0.72.0 to 0.73.0 (https://github.com/sigstore/cosign/pull/1619)
1331* Bump github/codeql-action from 1.1.4 to 1.1.5 (https://github.com/sigstore/cosign/pull/1622)
1332* Bump ecr-login to pick up WithLogger rename (https://github.com/sigstore/cosign/pull/1624)
1333* Bump to knative pkg 1.3 (https://github.com/sigstore/cosign/pull/1614)
1334* Bump google.golang.org/api from 0.71.0 to 0.72.0 (https://github.com/sigstore/cosign/pull/1612)
1335* Use reusuable release workflow in sigstore/sigstore (https://github.com/sigstore/cosign/pull/1599)
1336* Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.12 to 2.0.0 (https://github.com/sigstore/cosign/pull/1597)
1337* Bump mikefarah/yq from 4.21.1 to 4.22.1 (https://github.com/sigstore/cosign/pull/1589)
1338* Bump google.golang.org/grpc from 1.44.0 to 1.45.0 (https://github.com/sigstore/cosign/pull/1587)
1339* Bump github.com/spf13/cobra from 1.3.0 to 1.4.0 (https://github.com/sigstore/cosign/pull/1588)
1340* Bump github.com/xanzy/go-gitlab from 0.58.0 to 0.59.0 (https://github.com/sigstore/cosign/pull/1579)
1341* Bump google-github-actions/setup-gcloud from 0.5.1 to 0.6.0 (https://github.com/sigstore/cosign/pull/1578)
1342* Bump github.com/hashicorp/go-hclog from 1.1.0 to 1.2.0 (https://github.com/sigstore/cosign/pull/1576)
1343* Bump google.golang.org/api from 0.70.0 to 0.71.0 (https://github.com/sigstore/cosign/pull/1577)
1344* Bump github/codeql-action from 1.1.3 to 1.1.4 (https://github.com/sigstore/cosign/pull/1565)
1345* add definition for artifact hub to verify the ownership (https://github.com/sigstore/cosign/pull/1563)
1346* Bump sigstore/cosign-installer from 2.0.1 to 2.1.0 (https://github.com/sigstore/cosign/pull/1561)
1347* Bump github.com/go-openapi/runtime from 0.23.1 to 0.23.2 (https://github.com/sigstore/cosign/pull/1559)
1348* Bump github.com/xanzy/go-gitlab from 0.57.0 to 0.58.0 (https://github.com/sigstore/cosign/pull/1560)
1349* Update hashicorp/parseutil to v0.1.3. (https://github.com/sigstore/cosign/pull/1557)
1350* Mirror signed release images from GCR to GHCR as part of release with Cloud Build. (https://github.com/sigstore/cosign/pull/1547)
1351* Bump github.com/xanzy/go-gitlab from 0.56.0 to 0.57.0 (https://github.com/sigstore/cosign/pull/1552)
1352* Bump actions/upload-artifact from 2.3.1 to 3 (https://github.com/sigstore/cosign/pull/1553)
1353* pkcs11: fix build instructions (https://github.com/sigstore/cosign/pull/1550)
1354* Update images for release job (https://github.com/sigstore/cosign/pull/1551)
1355
1356## Contributors
1357
1358* Adam A.G. Shamblin (@coyote240)
1359* Adolfo García Veytia (@puerco)
1360* Asra Ali (@asraa)
1361* Batuhan Apaydın (@developer-guy)
1362* Carlos Tadeu Panato Junior (@cpanato)
1363* Dan Lorenc (@dlorenc)
1364* Davi Garcia (@davivcgarcia)
1365* Hayden Blauzvern (@haydentherapper)
1366* Hector Fernandez (@hectorj2f)
1367* James Strong (@strongjz)
1368* Jason Hall (@imjasonh)
1369* Kavitha (@kkavitha)
1370* Kenny Leung (@k4leung4)
1371* Luiz Carvalho (@lcarva)
1372* Marco Franssen (@marcofranssen)
1373* Mark Percival (@mdp)
1374* Matt Moore (@mattmoor)
1375* Maxime Gréau (@mgreau)
1376* Mitch Thomas (@MitchellJThomas)
1377* Naveen Srinivasan (@naveensrinivasan)
1378* Nghia Tran (@tcnghia)
1379* Priya Wadhwa (@priyawadhwa)
1380* Radoslav Gerganov (@rgerganov)
1381* Thomas Strömberg (@tstromberg)
1382* Ville Aikas (@vaikas)
1383* noamichael (@noamichael)
1384
1385# v1.6.0
1386
1387## Security Fixes
1388
1389* CVE-2022-23649 - Make sure signature in Rekor bundle matches signature being verified
1390
1391## Enhancements
1392
1393* Change Fulcio URL default to be fulcio.sigstore.dev (https://github.com/sigstore/cosign/pull/1529)
1394* Add CertExtensions func to extract all extensions (https://github.com/sigstore/cosign/pull/1515)
1395* Add a dummy.go file to allow vendoring config (https://github.com/sigstore/cosign/pull/1520)
1396* Add skeleton reconciler for cosigned API CRD. (https://github.com/sigstore/cosign/pull/1513)
1397* use v6 api calls (https://github.com/sigstore/cosign/pull/1511)
1398* This sets up the scaffolding for the `cosigned` CRD types. (https://github.com/sigstore/cosign/pull/1504)
1399* add correct layer media type to attach attestation (https://github.com/sigstore/cosign/pull/1503)
1400* Pick up some of the shared workflows (https://github.com/sigstore/cosign/pull/1490)
1401* feat: support other types in copy cmd (https://github.com/sigstore/cosign/pull/1493)
1402* Pick up a change to quiet ECR-login logging. (https://github.com/sigstore/cosign/pull/1491)
1403* Merge pull request from GHSA-ccxc-vr6p-4858
1404* fix(sign): refactor unsupported provider log (https://github.com/sigstore/cosign/pull/1464)
1405* Print message when verifying with old TUF targets (https://github.com/sigstore/cosign/pull/1468)
1406* convert release cosigned to also generate yaml artifact. (https://github.com/sigstore/cosign/pull/1453)
1407* Streamline `SignBlobCmd` API with `SignCmd` (https://github.com/sigstore/cosign/pull/1454)
1408* feat: add -buildid= to ldflags (https://github.com/sigstore/cosign/pull/1451)
1409* Fetch verification targets by TUF custom metadata (https://github.com/sigstore/cosign/pull/1423)
1410* feat: fig autocomplete feature (https://github.com/sigstore/cosign/pull/1360)
1411* Improve log lines to match with implementation (https://github.com/sigstore/cosign/pull/1432)
1412* use the upstream kubernetes version lib and ldflags (https://github.com/sigstore/cosign/pull/1413)
1413* feat: enhance clean cmd capability (https://github.com/sigstore/cosign/pull/1430)
1414* Remove TUF timestamp from OCI signature bundle (https://github.com/sigstore/cosign/pull/1428)
1415* Allow `PassFunc` to be `nil` (https://github.com/sigstore/cosign/pull/1426)
1416* Add ability to override the Spiffe socket via environmental variable: (https://github.com/sigstore/cosign/pull/1421)
1417* Improve error message when image is not found in registry (https://github.com/sigstore/cosign/pull/1410)
1418* add root status output (https://github.com/sigstore/cosign/pull/1404)
1419* feat: login command (https://github.com/sigstore/cosign/pull/1398)
1420* Minor refactor to verify SCT and Rekor entry with multiple keys (https://github.com/sigstore/cosign/pull/1396)
1421* Add Cosign logo to README (https://github.com/sigstore/cosign/pull/1395)
1422* Add `--timeout` support to `sign` command (https://github.com/sigstore/cosign/pull/1379)
1423
1424## Bug Fixes
1425
1426* bug fix: import ed25519 keys and fix error handling (https://github.com/sigstore/cosign/pull/1518)
1427* Fix wording on attach attestation help (https://github.com/sigstore/cosign/pull/1480)
1428* fix(sign): kms unspported message (https://github.com/sigstore/cosign/pull/1475)
1429* Fix incorrect error check when verifying SCT (https://github.com/sigstore/cosign/pull/1422)
1430* make imageRef lowercase before parsing (https://github.com/sigstore/cosign/pull/1409)
1431* Add a new line after password input (https://github.com/sigstore/cosign/pull/1407)
1432* Fix comparison in replace option for attestation (https://github.com/sigstore/cosign/pull/1366)
1433
1434## Documention
1435
1436* Quay OCI Support in README (https://github.com/sigstore/cosign/pull/1539)
1437* feat: nominate Dentrax as codeowner (https://github.com/sigstore/cosign/pull/1492)
1438* add initial changelog for 1.5.2 (https://github.com/sigstore/cosign/pull/1483)
1439* fix tkn link in readme (https://github.com/sigstore/cosign/pull/1459)
1440* Add FEATURES.md and DEPRECATIONS.md (https://github.com/sigstore/cosign/pull/1429)
1441* Update the cosign keyless documentation to point to the GA release. (https://github.com/sigstore/cosign/pull/1427)
1442* Fix link for SECURITY.md (https://github.com/sigstore/cosign/pull/1399)
1443
1444## Others
1445
1446* Consistent parenthesis use in Makefile (https://github.com/sigstore/cosign/pull/1541)
1447* Bump github.com/xanzy/go-gitlab from 0.55.1 to 0.56.0 (https://github.com/sigstore/cosign/pull/1538)
1448* add rpm,deb and apks for cosign packages (https://github.com/sigstore/cosign/pull/1537)
1449* update github.com/hashicorp/vault/sdk, codegen and go module to 1.17 (https://github.com/sigstore/cosign/pull/1536)
1450* images: remove --bare flags that conflict with --base-import-paths (https://github.com/sigstore/cosign/pull/1533)
1451* Bump actions/checkout from 2 to 3 (https://github.com/sigstore/cosign/pull/1531)
1452* Add codecov as github action, set permissions to read content only (https://github.com/sigstore/cosign/pull/1530)
1453* Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.11 to 2.0.0-beta.12 (https://github.com/sigstore/cosign/pull/1528)
1454* Bump actions/setup-go from 2 to 3 (https://github.com/sigstore/cosign/pull/1527)
1455* Bump golangci/golangci-lint-action from 3.0.0 to 3.1.0 (https://github.com/sigstore/cosign/pull/1526)
1456* Bump mikefarah/yq from 4.20.2 to 4.21.1 (https://github.com/sigstore/cosign/pull/1525)
1457* Bump github.com/secure-systems-lab/go-securesystemslib (https://github.com/sigstore/cosign/pull/1524)
1458* chore(ci): add artifact hub support (https://github.com/sigstore/cosign/pull/1522)
1459* optimize codeql speed by using caching and tracing (https://github.com/sigstore/cosign/pull/1519)
1460* Bump golangci/golangci-lint-action from 2.5.2 to 3 (https://github.com/sigstore/cosign/pull/1516)
1461* Bump github/codeql-action from 1.1.2 to 1.1.3 (https://github.com/sigstore/cosign/pull/1512)
1462* Bump mikefarah/yq from 4.16.2 to 4.20.2 (https://github.com/sigstore/cosign/pull/1510)
1463* Bump github.com/go-openapi/runtime from 0.23.0 to 0.23.1 (https://github.com/sigstore/cosign/pull/1507)
1464* Bump go.uber.org/zap from 1.20.0 to 1.21.0 (https://github.com/sigstore/cosign/pull/1509)
1465* Bump actions/setup-go from 2.1.5 to 2.2.0 (https://github.com/sigstore/cosign/pull/1495)
1466* Bump google-github-actions/auth from 0.4.4 to 0.6.0 (https://github.com/sigstore/cosign/pull/1501)
1467* Bump ossf/scorecard-action (https://github.com/sigstore/cosign/pull/1502)
1468* Bump google.golang.org/api from 0.69.0 to 0.70.0 (https://github.com/sigstore/cosign/pull/1500)
1469* Bump sigstore/cosign-installer from 1.4.1 to 2.0.1 (https://github.com/sigstore/cosign/pull/1496)
1470* Bump actions/github-script from 4.1.1 to 6 (https://github.com/sigstore/cosign/pull/1497)
1471* Update github/codeql-action requirement to d39d5d5c9707b926d517b1b292905ef4c03aa777 (https://github.com/sigstore/cosign/pull/1498)
1472* Bump google-github-actions/setup-gcloud from 0.3.0 to 0.5.1 (https://github.com/sigstore/cosign/pull/1499)
1473* chore(makefile): use kocache, convert publish to build (https://github.com/sigstore/cosign/pull/1488)
1474* Bump cloud.google.com/go/storage from 1.20.0 to 1.21.0 (https://github.com/sigstore/cosign/pull/1481)
1475* update changelog (https://github.com/sigstore/cosign/pull/1485)
1476* fix lint (https://github.com/sigstore/cosign/pull/1484)
1477* update go-tuf and simplify TUF client code (https://github.com/sigstore/cosign/pull/1455)
1478* Bump sigstore/sigstore to pick up the kms change and the monkey-patch work. (https://github.com/sigstore/cosign/pull/1479)
1479* refactor release cloudbuild job (https://github.com/sigstore/cosign/pull/1476)
1480* increase timeout for goreleaser snapshot (https://github.com/sigstore/cosign/pull/1473)
1481* Double goreleaser timeout (https://github.com/sigstore/cosign/pull/1472)
1482* Bump google.golang.org/api from 0.68.0 to 0.69.0 (https://github.com/sigstore/cosign/pull/1469)
1483* tests: `/bin/bash` -> `/usr/bin/env bash` (https://github.com/sigstore/cosign/pull/1470)
1484* Bump the gitlab library and add a nil opt for the API change. (https://github.com/sigstore/cosign/pull/1466)
1485* Bump webhook timeout. (https://github.com/sigstore/cosign/pull/1465)
1486* update cross-build to use go 1.17.7 (https://github.com/sigstore/cosign/pull/1446)
1487* Bump go-containerregistry, pick up new features (https://github.com/sigstore/cosign/pull/1442)
1488* update cross-build image which adds goimports (https://github.com/sigstore/cosign/pull/1435)
1489* Bump google.golang.org/api from 0.67.0 to 0.68.0 (https://github.com/sigstore/cosign/pull/1434)
1490* Skip the ReadWrite test that flakes on Windows. (https://github.com/sigstore/cosign/pull/1415)
1491* Bump github.com/go-openapi/strfmt from 0.21.1 to 0.21.2 (https://github.com/sigstore/cosign/pull/1411)
1492* Bump github.com/go-openapi/runtime from 0.22.0 to 0.23.0 (https://github.com/sigstore/cosign/pull/1412)
1493* Bump cloud.google.com/go/storage from 1.19.0 to 1.20.0 (https://github.com/sigstore/cosign/pull/1403)
1494* Bump google.golang.org/api from 0.66.0 to 0.67.0 (https://github.com/sigstore/cosign/pull/1402)
1495* Bump cuelang.org/go from 0.4.1 to 0.4.2 (https://github.com/sigstore/cosign/pull/1401)
1496* update cosign and cross-build image for the release job (https://github.com/sigstore/cosign/pull/1400)
1497* Bump github.com/xanzy/go-gitlab from 0.54.3 to 0.54.4 (https://github.com/sigstore/cosign/pull/1391)
1498* Bump github.com/go-openapi/swag from 0.20.0 to 0.21.1 (https://github.com/sigstore/cosign/pull/1386)
1499* Fix double `time` import in e2e tests (https://github.com/sigstore/cosign/pull/1388)
1500* Bump github.com/go-openapi/swag from 0.19.15 to 0.20.0 (https://github.com/sigstore/cosign/pull/1383)
1501* Bump github.com/go-openapi/runtime from 0.21.1 to 0.22.0 (https://github.com/sigstore/cosign/pull/1382)
1502* add changelog for 1.5.1 release (https://github.com/sigstore/cosign/pull/1376)
1503
1504## Contributors
1505
1506* Andrew Block (@sabre1041)
1507* Asra Ali (@asraa)
1508* Batuhan Apaydın (@developer-guy)
1509* Blake Burkhart (@bburky)
1510* Bob Callaway (@bobcallaway)
1511* Carlos Tadeu Panato Junior (@cpanato)
1512* Christian Kotzbauer (@ckotzbauer)
1513* Christopher Angelo Phillips (@spiffcs)
1514* Dan Lorenc (@dlorenc)
1515* Dan Luhring (@luhring)
1516* Furkan Türkal (@Dentrax)
1517* Hayden Blauzvern (@haydentherapper)
1518* Jason Hall (@imjasonh)
1519* Josh Dolitsky (@jdolitsky)
1520* Kenny Leung (@k4leung4)
1521* Matt Moore (@mattmoor)
1522* Marco Franssen (@marcofranssen)
1523* Nathan Smith (@nsmith5)
1524* Priya Wadhwa (@priyawadhwa)
1525* Sascha Grunert (@saschagrunert)
1526* Scott Nichols (@n3wscott)
1527* Teppei Fukuda (@knqyf263)
1528* Ville Aikas (@vaikas)
1529* Yongxuan Zhang (@Yongxuanzhang)
1530* Zack Newman (@znewman01)
1531
1532# v1.5.2
1533
1534## Security Fixes
1535
1536* CVE-2022-23649 - Make sure signature in Rekor bundle matches signature being verified
1537
1538## Others
1539
1540* refactor release cloudbuild job (https://github.com/sigstore/cosign/pull/1476)
1541* increase timeout for goreleaser snapshot (https://github.com/sigstore/cosign/pull/1473)
1542* Double goreleaser timeout (https://github.com/sigstore/cosign/pull/1472)
1543* Bump webhook timeout. (https://github.com/sigstore/cosign/pull/1465)
1544* convert release cosigned to also generate yaml artifact. (https://github.com/sigstore/cosign/pull/1453)
1545* feat: add -buildid= to ldflags (https://github.com/sigstore/cosign/pull/1451)
1546* update cross-build to use go 1.17.7 (https://github.com/sigstore/cosign/pull/1446)
1547
1548## Contributors
1549
1550* Batuhan Apaydın (@developer-guy)
1551* Carlos Tadeu Panato Junior (@cpanato)
1552* Dan Lorenc (@dlorenc)
1553* Kenny Leung (@k4leung4)
1554* Matt Moore (@mattmoor)
1555* Nathan Smith (@nsmith5)
1556* Priya Wadhwa (@priyawadhwa)
1557* Zack Newman (@znewman01)
1558
1559# v1.5.1
1560
1561## Bug Fixes
1562
1563* add check to make sure the go modules are in sync (https://github.com/sigstore/cosign/pull/1369)
1564* Update verify-blob to support DSSEs (https://github.com/sigstore/cosign/pull/1355)
1565
1566## Documention
1567
1568* docs: verify-attestation cue and rego policy doc (https://github.com/sigstore/cosign/pull/1362)
1569* README: fix link to race conditions (https://github.com/sigstore/cosign/pull/1367)
1570
1571## Others
1572
1573* Bump sigstore/sigstore to pick up oidc login for vault. (https://github.com/sigstore/cosign/pull/1377)
1574* Bump google.golang.org/api from 0.65.0 to 0.66.0 (https://github.com/sigstore/cosign/pull/1371)
1575* expose dafaults fulcio, rekor, oidc issuer urls (https://github.com/sigstore/cosign/pull/1368)
1576* Bump cloud.google.com/go/storage from 1.18.2 to 1.19.0 (https://github.com/sigstore/cosign/pull/1365)
1577* organize, update select deps (https://github.com/sigstore/cosign/pull/1358)
1578* Bump go-containerregistry to pick up ACR keychain fix (https://github.com/sigstore/cosign/pull/1357)
1579* Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (https://github.com/sigstore/cosign/pull/1352)
1580* sync go modules (https://github.com/sigstore/cosign/pull/1353)
1581
1582## Contributors
1583
1584* Batuhan Apaydın (@developer-guy)
1585* Carlos Tadeu Panato Junior (@cpanato)
1586* Dan Lorenc (@dlorenc)
1587* Jake Sanders (@dekkagaijin)
1588* Jason Hall (@imjasonh)
1589* Mark Lodato (@MarkLodato)
1590* Rémy Greinhofer (@rgreinho)
1591
1592# v1.5.0
1593
1594## Highlights
1595
1596* enable sbom generation when releasing (https://github.com/sigstore/cosign/pull/1261)
1597* feat: log error to stderr (https://github.com/sigstore/cosign/pull/1260)
1598* feat: support attach attestation (https://github.com/sigstore/cosign/pull/1253)
1599* feat: resolve --cert from URL (https://github.com/sigstore/cosign/pull/1245)
1600* feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1237)
1601* feat: vuln attest support (https://github.com/sigstore/cosign/pull/1168)
1602* feat: add ambient credential detection with spiffe/spire (https://github.com/sigstore/cosign/pull/1220)
1603* feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1236)
1604* feat: implement cosign download attestation (https://github.com/sigstore/cosign/pull/1216)
1605
1606## Enhancements
1607
1608* Don't use k8schain, statically link cloud cred helpers in cosign (https://github.com/sigstore/cosign/pull/1279)
1609* Export function to verify individual signature (https://github.com/sigstore/cosign/pull/1334)
1610* Add suffix with digest to signature file output for recursive signing (https://github.com/sigstore/cosign/pull/1267)
1611* Take OIDC client secret into account (https://github.com/sigstore/cosign/pull/1310)
1612* Add --bundle flag to sign-blob and verify-blob (https://github.com/sigstore/cosign/pull/1306)
1613* Add flag to verify OIDC issuer in certificate (https://github.com/sigstore/cosign/pull/1308)
1614* add OSSF scorecard action (https://github.com/sigstore/cosign/pull/1318)
1615* Add TUF timestamp to attestation bundle (https://github.com/sigstore/cosign/pull/1316)
1616* Provide certificate flags to all verify commands (https://github.com/sigstore/cosign/pull/1305)
1617* Bundle TUF timestamp with signature on signing (https://github.com/sigstore/cosign/pull/1294)
1618* Add support for importing PKCShttps://github.com/sigstore/cosign/pull/8 private keys, and add validation (https://github.com/sigstore/cosign/pull/1300)
1619* add error message (https://github.com/sigstore/cosign/pull/1296)
1620* Move bundle out of `oci` and into `bundle` package (https://github.com/sigstore/cosign/pull/1295)
1621* Reorganize verify-blob code and add a unit test (https://github.com/sigstore/cosign/pull/1286)
1622* One-to-one mapping of invocation to scan result (https://github.com/sigstore/cosign/pull/1268)
1623* refactor common utilities (https://github.com/sigstore/cosign/pull/1266)
1624* Importing RSA and EC keypairs (https://github.com/sigstore/cosign/pull/1050)
1625* Refactor the tuf client code. (https://github.com/sigstore/cosign/pull/1252)
1626* Moved certificate output before checking for upload during signing (https://github.com/sigstore/cosign/pull/1255)
1627* Remove remaining ioutil usage (https://github.com/sigstore/cosign/pull/1256)
1628* Update the embedded TUF metadata. (https://github.com/sigstore/cosign/pull/1251)
1629* Add support for other public key types for SCT verification, allow override for testing. (https://github.com/sigstore/cosign/pull/1241)
1630* Log the proper remote repo for the signatures on verify (https://github.com/sigstore/cosign/pull/1243)
1631* Do not require multiple Fulcio certs in the TUF root (https://github.com/sigstore/cosign/pull/1230)
1632* clean up references to 'keyless' in `ephemeral.Signer` (https://github.com/sigstore/cosign/pull/1225)
1633* create `DSSEAttestor` interface, `payload.DSSEAttestor` implementation (https://github.com/sigstore/cosign/pull/1221)
1634* use `mutate.Signature` in the new `Signer`s (https://github.com/sigstore/cosign/pull/1213)
1635* create `mutate` functions for `oci.Signature` (https://github.com/sigstore/cosign/pull/1199)
1636* add a writeable `$HOME` for the `nonroot` cosigned user (https://github.com/sigstore/cosign/pull/1209)
1637* signing attestation should private key (https://github.com/sigstore/cosign/pull/1200)
1638* Remove the "upload" flag for "cosign initialize" (https://github.com/sigstore/cosign/pull/1201)
1639* create KeylessSigner (https://github.com/sigstore/cosign/pull/1189)
1640
1641## Bug Fixes
1642
1643* fix: cosign verify for vault (https://github.com/sigstore/cosign/pull/1328)
1644* fix missing goimports (https://github.com/sigstore/cosign/pull/1327)
1645* Fix TestSignBlobBundle (https://github.com/sigstore/cosign/pull/1320)
1646* Fix a couple bugs in cert verification for blobs (https://github.com/sigstore/cosign/pull/1287)
1647* Fix a few bugs in cosign initialize (https://github.com/sigstore/cosign/pull/1280)
1648* Fix the unit tests with expired TUF metadata. (https://github.com/sigstore/cosign/pull/1270)
1649* Fix output-file flag. (https://github.com/sigstore/cosign/pull/1264)
1650* fix: typo in the error message (https://github.com/sigstore/cosign/pull/1250)
1651* Fix semantic bugs in attestation verifification. (https://github.com/sigstore/cosign/pull/1249)
1652* Fix semantic bug in DSSE specification. (https://github.com/sigstore/cosign/pull/1248)
1653
1654## Others
1655
1656* Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (https://github.com/sigstore/cosign/pull/1343)
1657* Bump recommended Go development version in README (https://github.com/sigstore/cosign/pull/1340)
1658* Bump the snapshot and timestamp roles metadata from root signing. (https://github.com/sigstore/cosign/pull/1339)
1659* Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.10 to 2.0.0-beta.11 (https://github.com/sigstore/cosign/pull/1336)
1660* update go-github to v42 release (https://github.com/sigstore/cosign/pull/1335)
1661* install latest release for ko instead of head of main branch (https://github.com/sigstore/cosign/pull/1333)
1662* remove wrong settings in the gco auth for gh actions (https://github.com/sigstore/cosign/pull/1332)
1663* update gcp setup for the GH action (https://github.com/sigstore/cosign/pull/1330)
1664* update some dependencies (https://github.com/sigstore/cosign/pull/1326)
1665* Verify checksum of downloaded utilities during CI (https://github.com/sigstore/cosign/pull/1322)
1666* pin github actions by digest (https://github.com/sigstore/cosign/pull/1319)
1667* Bump google.golang.org/api from 0.64.0 to 0.65.0 (https://github.com/sigstore/cosign/pull/1303)
1668* Bump cuelang.org/go from 0.4.0 to 0.4.1 (https://github.com/sigstore/cosign/pull/1302)
1669* Bump github.com/xanzy/go-gitlab from 0.54.2 to 0.54.3 (https://github.com/sigstore/cosign/pull/1292)
1670* update import documentation (https://github.com/sigstore/cosign/pull/1290)
1671* update release image to use go 1.17.6 (https://github.com/sigstore/cosign/pull/1284)
1672* Bump google.golang.org/api. (https://github.com/sigstore/cosign/pull/1283)
1673* Bump opa and go-gitlab. (https://github.com/sigstore/cosign/pull/1281)
1674* Update SBOM spec to indicate compat for syft (https://github.com/sigstore/cosign/pull/1278)
1675* Bump miekg/pkcs11 (https://github.com/sigstore/cosign/pull/1275)
1676* Update signature spec with timestamp annotation (https://github.com/sigstore/cosign/pull/1274)
1677* Pick up latest knative.dev/pkg, and k8s 0.22 libs (https://github.com/sigstore/cosign/pull/1269)
1678* Bump sigstore/sigstore. (https://github.com/sigstore/cosign/pull/1247)
1679* Spelling (https://github.com/sigstore/cosign/pull/1246)
1680* Use ${{github.repository}} placeholder in OIDC GitHub workflow (https://github.com/sigstore/cosign/pull/1244)
1681* update codeowners list with missing codeowners (https://github.com/sigstore/cosign/pull/1238)
1682* update build images for release and bump cosign in the release job (https://github.com/sigstore/cosign/pull/1234)
1683* update deps (https://github.com/sigstore/cosign/pull/1222)
1684* nit: add comments to `Signer` interface (https://github.com/sigstore/cosign/pull/1228)
1685* update google.golang.org/api from 0.62.0 to 0.63.0 (https://github.com/sigstore/cosign/pull/1214)
1686* update snapshot and timestamp (https://github.com/sigstore/cosign/pull/1211)
1687* Bump github.com/spf13/viper from 1.9.0 to 1.10.0 (https://github.com/sigstore/cosign/pull/1198)
1688* Bump the DSSE library and handle manual changes in the API. (https://github.com/sigstore/cosign/pull/1191)
1689* nit: drop every section title down a level (https://github.com/sigstore/cosign/pull/1188)
1690
1691## Contributors
1692
1693* Andrew Block (@sabre1041)
1694* Asra Ali (@asraa)
1695* Batuhan Apaydın (@developer-guy)
1696* Bob Callaway (@bobcallaway)
1697* Carlos Alexandro Becker (@caarlos0)
1698* Carlos Tadeu Panato Junior (@cpanato)
1699* Dan Lorenc (@dlorenc)
1700* Hayden Blauzvern (@haydentherapper)
1701* Hector Fernandez (@hectorj2f)
1702* Itxaka (@Itxaka)
1703* Ivan Wallis (@venafi-iw)
1704* Jake Sanders (@dekkagaijin)
1705* Jason Hall (@imjasonh)
1706* Josh Dolitsky (@jdolitsky)
1707* Josh Soref (@jsoref)
1708* Matt Moore (@mattmoor)
1709* Morten Linderud (@Foxboron)
1710* Priya Wadhwa (@priyawadhwa)
1711* Radoslav Gerganov (@rgerganov)
1712* Rob Best (@ribbybibby)
1713* Sambhav Kothari (@samj1912)
1714* Ville Aikas (@vaikas)
1715* Zack Newman (@znewman01)
1716
1717# v1.4.1
1718
1719## Highlights
1720
1721A whole buncha bugfixes!
1722
1723## Enhancements
1724
1725* Files created with `--output-signature` and `--output-certificate` now created with 0600 permissions (https://github.com/sigstore/cosign/pull/1151)
1726* Added `cosign verify-attestation --local-image` for verifying signed images with attestations from disk (https://github.com/sigstore/cosign/pull/1174)
1727* Added the ability to fetch the TUF root over HTTP with `cosign initialize --mirror` (https://github.com/sigstore/cosign/pull/1185)
1728
1729## Bug Fixes
1730
1731* Fixed saving and loading a signed image index to disk (https://github.com/sigstore/cosign/pull/1147)
1732* Fixed `sign-blob --output-certificate` writing an empty file (https://github.com/sigstore/cosign/pull/1149)
1733* Fixed assorted issues related to the initialization and use of Sigstore's TUF root of trust (https://github.com/sigstore/cosign/pull/1157)
1734
1735## Contributors
1736
1737* Carlos Alexandro Becker (@caarlos0)
1738* Carlos Panato (@cpanato)
1739* Hayden Blauzvern (@haydentherapper)
1740* Jake Sanders (@dekkagaijin)
1741* Matt Moore (@mattmoor)
1742* Priya Wadhwa (@priyawadhwa)
1743* Radoslav Gerganov (@rgerganov)
1744
1745# v1.4.0
1746
1747## Highlights
1748
1749* BREAKING [COSIGN_EXPERIMENTAL]: This and future `cosign` releases will generate signatures that do not validate in older versions of `cosign`. This only applies to "keyless" experimental mode. To opt out of this behavior, use: `--fulcio-url=https://fulcio.sigstore.dev` when signing payloads (https://github.com/sigstore/cosign/pull/1127)
1750* BREAKING [cosign/pkg]: `SignedEntryTimestamp` is now of type `[]byte`. To get the previous behavior, call `strfmt.Base64(SignedEntryTimestamp)` (https://github.com/sigstore/cosign/pull/1083)
1751* `cosign-linux-pivkey-amd64` releases are now of the form `cosign-linux-pivkey-pkcs11key-amd64` (https://github.com/sigstore/cosign/pull/1052)
1752* Releases are now additionally signed using the keyless workflow (https://github.com/sigstore/cosign/pull/1073, https://github.com/sigstore/cosign/pull/1111)
1753
1754## Enhancements
1755
1756* Validate the whole attestation statement, not just the predicate (https://github.com/sigstore/cosign/pull/1035)
1757* Added the options to replace attestations using `cosign attest --replace` (https://github.com/sigstore/cosign/pull/1039)
1758* Added URI to `cosign verify-blob` output (https://github.com/sigstore/cosign/pull/1047)
1759* Signatures and certificates created by `cosign sign` and `cosign sign-blob` can be output to file using the `--output-signature` and `--output-certificate` flags, respectively (https://github.com/sigstore/cosign/pull/1016, https://github.com/sigstore/cosign/pull/1093, https://github.com/sigstore/cosign/pull/1066, https://github.com/sigstore/cosign/pull/1095)
1760* [cosign/pkg] Added the `pkg/oci/layout` package for storing signatures and attestations on disk (https://github.com/sigstore/cosign/pull/1040, https://github.com/sigstore/cosign/pull/1096)
1761* [cosign/pkg] Added `mutate` methods to attach `oci.File`s to `oci.Signed*` objects (https://github.com/sigstore/cosign/pull/1084)
1762* Added the `--signature-digest-algorithm` flag to `cosign verify`, allowing verification of container image signatures which were generated with a non-SHA256 signature algorithm (https://github.com/sigstore/cosign/pull/1071)
1763* Builds should now be reproducible (https://github.com/sigstore/cosign/pull/1053)
1764* Allows base64 files as `--cert` in `cosign verify-blob` (https://github.com/sigstore/cosign/pull/1088)
1765* Kubernetes secrets generated for version >= 1.21 clusters have the immutable bit set (https://github.com/sigstore/cosign/pull/1091)
1766* Added `cosign save` and `cosign load` commands to save and upload container images and associated signatures to disk (https://github.com/sigstore/cosign/pull/1094)
1767* `cosign sign` will no longer fail to sign private images in keyless mode without `--force` (https://github.com/sigstore/cosign/pull/1116)
1768* `cosign verify` now supports signatures stored in files and remote URLs with `--signature` (https://github.com/sigstore/cosign/pull/1068)
1769* `cosign verify` now supports certs stored in files (https://github.com/sigstore/cosign/pull/1095)
1770* Added support for `syft` format in `cosign attach sbom` (https://github.com/sigstore/cosign/pull/1137)
1771
1772## Bug Fixes
1773
1774* Fixed verification of Rekor bundles for InToto attestations (https://github.com/sigstore/cosign/pull/1030)
1775* Fixed a potential memory leak when signing and verifying with security keys (https://github.com/sigstore/cosign/pull/1113)
1776
1777## Contributors
1778
1779* Ashley Davis (@SgtCoDFish)
1780* Asra Ali (@asraa)
1781* Batuhan Apaydın (@developer-guy)
1782* Brandon Philips (@philips)
1783* Carlos Alexandro Becker (@caarlos0)
1784* Carlos Panato (@cpanato)
1785* Christian Rebischke (@shibumi)
1786* Dan Lorenc (@dlorenc)
1787* Erkan Zileli (@erkanzileli)
1788* Furkan Türkal (@Dentrax)
1789* garantir-km (@garantir-km)
1790* Jake Sanders (@dekkagaijin)
1791* jbpratt (@jbpratt)
1792* Matt Moore (@mattmoor)
1793* Mikey Strauss (@houdini91)
1794* Naveen Srinivasan (@naveensrinivasan)
1795* Priya Wadhwa (@priyawadhwa)
1796* Sambhav Kothari (@samj1912)
1797
1798# v1.3.1
1799
1800* BREAKING [cosign/pkg]: `cosign.Verify` has been removed in favor of explicit `cosign.VerifyImageSignatures` and `cosign.VerifyImageAttestations`
1801 (https://github.com/sigstore/cosign/pull/1026)
1802
1803## Enhancements
1804
1805* Add ability for verify-blob to find signing cert in transparency log (https://github.com/sigstore/cosign/pull/991)
1806* root policy: add optional issuer to maintainer keys (https://github.com/sigstore/cosign/pull/999)
1807* PKCS11 signing support (https://github.com/sigstore/cosign/pull/985)
1808* Included timeout option for uploading to Rekor (https://github.com/sigstore/cosign/pull/1001)
1809
1810## Bug Fixes
1811
1812* Bump sigstore/sigstore to pickup a fix for azure kms (https://github.com/sigstore/cosign/pull/1011 / https://github.com/sigstore/cosign/pull/1028)
1813
1814## Contributors
1815
1816* Asra Ali (@asraa)
1817* Batuhan Apaydın (@developer-guy)
1818* Carlos Panato (@cpanato)
1819* Dan Lorenc (@dlorenc)
1820* Dennis Leon (@DennisDenuto)
1821* Erkan Zileli (@erkanzileli)
1822* Furkan Türkal (@Dentrax)
1823* garantir-km (@garantir-km)
1824* Jake Sanders (@dekkagaijin)
1825* Naveen (@naveensrinivasan)
1826
1827# v1.3.0
1828
1829* BREAKING: `verify-manifest` is now `manifest verify` (https://github.com/sigstore/cosign/pull/712)
1830* BREAKING: `/pkg` has been heavily refactored. [Further refactoring work](https://github.com/sigstore/cosign/issues/844) will make its way into 1.4.0
1831* WARNING: The CLI now uses POSIX-style (double-dash `--flag`) for long-form flags. It will temporarily accept the single-dash `-flag` form with a warning, which will become an error in a future release (https://github.com/sigstore/cosign/pull/835)
1832* Added `sget` as part of Cosign's releases (https://github.com/sigstore/cosign/pull/752)
1833* The `copasetic` utility was unceremoniously [baleeted](https://www.youtube.com/watch?v=07h0ksKx5sM) (https://github.com/sigstore/cosign/pull/785)
1834
1835## Enhancements
1836
1837* Began reworking `/pkg` around new abstractions for signing, verification, and storage (https://github.com/sigstore/cosign/issues/666)
1838 * Notice: refactoring of `/pkg` will continue in the next minor release (1.4.0). Please leave feedback, especially if you've been experimenting with `cosign` as a library and found it lacking (https://github.com/sigstore/cosign/issues/844)
1839 * [GGCR-style libraries](https://github.com/google/go-containerregistry#philosophy) for interacting with images now exist under `pkg/oci` (https://github.com/sigstore/cosign/pull/770)
1840 * `pkg/cosign/remote.UploadSignature` API was been removed in favor of new `pkg/oci/remote` APIs (https://github.com/sigstore/cosign/pull/774)
1841 * The function signature of `cosign.Verify` was changed so that callers must be explicit about which signatures (or attestations) to verify. For matching signatures, see also `cosign.Verify{Signatures,Attestations}` (https://github.com/sigstore/cosign/pull/782)
1842 * Removed `cremote.UploadFile` in favor of `static.NewFile` and `remote.Write` (https://github.com/sigstore/cosign/pull/797)
1843* Innumerable other improvements to the codebase and automation ([Makin me look bad, @mattmoor](https://github.com/sigstore/cosign/commits?author=mattmoor))
1844* Migrated the CLI to `cobra` ([Welcome to the team, @n3wscott](https://github.com/sigstore/cosign/commits?author=n3wscott))
1845* Added the `--allow-insecure-registry` flag to disable TLS verification when interacting with insecure (e.g. self-signed) container registries (https://github.com/sigstore/cosign/pull/669)
1846* 🔒 `cosigned` now includes a mutating webhook that resolves image tags to digests (https://github.com/sigstore/cosign/pull/800)
1847* 🔒 The `cosigned` validating webhook now requires image digest references (https://github.com/sigstore/cosign/pull/799)
1848* The `cosigned` webhook now ignores resources that are being deleted (https://github.com/sigstore/cosign/pull/803)
1849* The `cosigned` webhook now supports resolving private images that are authenticated via `imagePullSecrets` (https://github.com/sigstore/cosign/pull/804)
1850* `manifest verify` now supports verifying images in all Kubernetes objects that fit within `PodSpec`, `PodSpecTemplate`, or `JobSpecTemplate`, including CRDs (https://github.com/sigstore/cosign/pull/697)
1851* Added shell auto-completion support (Clutch collab from @erkanzileli, @passcod, and @Dentrax! https://github.com/sigstore/cosign/pull/836)
1852* `cosign` has generated Markdown docs available in the `doc/` directory (https://github.com/sigstore/cosign/pull/839)
1853* Added support for verifying with secrets from a GitLab project (https://github.com/sigstore/cosign/pull/934)
1854* Added a `--k8s-keychain` option that enables cosign to support ambient registry credentials based on the "k8schain" library (https://github.com/sigstore/cosign/pull/972)
1855* CI (test) Images are now created for every architecture distroless ships on (currently: amd64, arm64, arm, s390x, ppc64le) (https://github.com/sigstore/cosign/pull/973)
1856* `attest`: replaced `--upload` flag with a `--no-upload` flag (https://github.com/sigstore/cosign/pull/979)
1857
1858## Bug Fixes
1859
1860* `cosigned` now verifies `CronJob` images (Terve, @vaikas https://github.com/sigstore/cosign/pull/809)
1861* Fixed the `verify` `--cert-email` option to actually work (Sweet as, @passcod https://github.com/sigstore/cosign/pull/821)
1862* `public-key -sk` no longer causes `error: x509: unsupported public key type: *crypto.PublicKey` (https://github.com/sigstore/cosign/pull/864)
1863* Fixed interactive terminal support in Windows (https://github.com/sigstore/cosign/pull/871)
1864* The `-ct` flag is no longer ignored in `upload blob` (https://github.com/sigstore/cosign/pull/910)
1865
1866## Contributors
1867
1868* Aditya Sirish (@adityasaky)
1869* Asra Ali (@asraa)
1870* Axel Simon (@axelsimon)
1871* Batuhan Apaydın (@developer-guy)
1872* Brandon Mitchell (@sudo-bmitch)
1873* Carlos Panato (@cpanato)
1874* Chao Lin (@blackcat-lin)
1875* Dan Lorenc (@dlorenc)
1876* Dan Luhring (@luhring)
1877* Eng Zer Jun (@Juneezee)
1878* Erkan Zileli (@erkanzileli)
1879* Félix Saparelli (@passcod)
1880* Furkan Türkal (@Dentrax)
1881* Hector Fernandez (@hectorj2f)
1882* Ivan Font (@font)
1883* Jake Sanders (@dekkagaijin)
1884* Jason Hall (@imjasonh)
1885* Jim Bugwadia (@JimBugwadia)
1886* Joel Kamp (@mrjoelkamp)
1887* Luke Hinds (@lukehinds)
1888* Matt Moore (@mattmoor)
1889* Naveen (@naveensrinivasan)
1890* Olivier Gaumond (@oliviergaumond)
1891* Priya Wadhwa (@priyawadhwa)
1892* Radoslav Gerganov (@rgerganov)
1893* Ramkumar Chinchani (@rchincha)
1894* Rémy Greinhofer (@rgreinho)
1895* Scott Nichols (@n3wscott)
1896* Shubham Palriwala (@ShubhamPalriwala)
1897* Viacheslav Vasilyev (@avoidik)
1898* Ville Aikas (@vaikas)
1899
1900# v1.2.0
1901
1902## Enhancements
1903* BREAKING: move `verify-dockerfile` to `dockerfile verify` (https://github.com/sigstore/cosign/pull/662)
1904* Have the keyless `cosign sign` flow use a single 3LO. (https://github.com/sigstore/cosign/pull/665)
1905* Allow to `verify-blob` from urls (https://github.com/sigstore/cosign/pull/646)
1906* Support GCP environments without workload identity (GCB). (https://github.com/sigstore/cosign/pull/652)
1907* Switch the release cosign container to debug. (https://github.com/sigstore/cosign/pull/649)
1908* Add logic to detect and use ambient OIDC from exec envs. (https://github.com/sigstore/cosign/pull/644)
1909* Add `-cert-email` flag to provide the email expected from a fulcio cert to be valid (https://github.com/sigstore/cosign/pull/622)
1910* Add support for downloading signature from remote (https://github.com/sigstore/cosign/pull/629)
1911* Add sbom and attestations to triangulate (https://github.com/sigstore/cosign/pull/628)
1912* Add cosign attachment signing and verification (https://github.com/sigstore/cosign/pull/615)
1913* Embed CT log public key (https://github.com/sigstore/cosign/pull/607)
1914* Verify SCTs returned by fulcio (https://github.com/sigstore/cosign/pull/600)
1915* Add extra replacement variables and GCP's role identifier (https://github.com/sigstore/cosign/pull/597)
1916* Store attestations in the layer (payload) rather than the annotation. (https://github.com/sigstore/cosign/pull/579)
1917* Improve documentation about predicate type and change predicate type from provenance to slsaprovenance (https://github.com/sigstore/cosign/pull/583)
1918* Upgrade in-toto-golang to adapt SLSA Provenance (https://github.com/sigstore/cosign/pull/582)
1919
1920## Bug Fixes
1921* Fix verify-dockerfile to allow lowercase FROM (https://github.com/sigstore/cosign/pull/643)
1922* Fix signing for the cosigned image. (https://github.com/sigstore/cosign/pull/634)
1923* Make sure generate-key-pair doesn't overwrite existing key-pair (https://github.com/sigstore/cosign/pull/623)
1924* helm/ci: update helm repo before installing the dependency (https://github.com/sigstore/cosign/pull/598)
1925* Set the correct predicate type/URI for each supported predicate type. (https://github.com/sigstore/cosign/pull/592)
1926* Warnings on admissionregistration version (https://github.com/sigstore/cosign/pull/581)
1927* Remove unnecessary COSIGN_PASSWORD (https://github.com/sigstore/cosign/pull/572)
1928
1929## Contributors
1930* Batuhan Apaydın
1931* Ben Walding
1932* Carlos Alexandro Becker
1933* Carlos Tadeu Panato Junior
1934* Erkan Zileli
1935* Hector Fernandez
1936* Jake Sanders
1937* Jason Hall
1938* Matt Moore
1939* Michael Lieberman
1940* Naveen Srinivasan
1941* Pradeep Chhetri
1942* Sambhav Kothari
1943* dlorenc
1944* priyawadhwa
1945
1946
1947# v1.1.0
1948
1949## Enhancements
1950
1951* BREAKING: The `-attestation` flag has been renamed to `-predicate` in `attest` (https://github.com/sigstore/cosign/pull/500)
1952* Added `verify-manifest` command (https://github.com/sigstore/cosign/pull/490)
1953* Added the ability to specify and validate well-known attestation types in `attest` with the `-type` flag (https://github.com/sigstore/cosign/pull/504)
1954* Added `cosign init` command to setup the trusted local repository of SigStore's TUF root metadata (https://github.com/sigstore/cosign/pull/520)
1955* Added timestamps to Cosign's custom In-Toto predicate (https://github.com/sigstore/cosign/pull/533)
1956* `verify` now always verifies that the image exists (even when referenced by digest) before verification (https://github.com/sigstore/cosign/pull/543)
1957
1958## Bug Fixes
1959
1960* `verify-dockerfile` no longer fails on `FROM scratch` (https://github.com/sigstore/cosign/pull/509)
1961* Fixed reading from STDIN with `attach sbom` (https://github.com/sigstore/cosign/pull/517)
1962* Fixed broken documentation and implementation of `-output` for `verify` and `verify-attestation` (https://github.com/sigstore/cosign/pull/546)
1963* Fixed nil pointer error when calling `upload blob` without specifying `-f` (https://github.com/sigstore/cosign/pull/563)
1964
1965## Contributors
1966
1967* Adolfo García Veytia (@puerco)
1968* Anton Semjonov (@ansemjo)
1969* Asra Ali (@asraa)
1970* Batuhan Apaydın (@developer-guy)
1971* Carlos Panato (@cpanato)
1972* Dan Lorenc (@dlorenc)
1973* @gkovan
1974* Hector Fernandez (@hectorj2f)
1975* Jake Sanders (@dekkagaijin)
1976* Jim Bugwadia (@JimBugwadia)
1977* Jose Donizetti (@josedonizetti)
1978* Joshua Hansen (@joshes)
1979* Jason Hall (@imjasonh)
1980* Priya Wadhwa (@priyawadhwa)
1981* Russell Brown (@rjbrown57)
1982* Stephan Renatus (@srenatus)
1983* Li Yi (@denverdino)
1984
1985# v1.0.0
1986
1987## Enhancements
1988
1989* BREAKING: The default HSM key slot is now "signature" instead of "authentication" (https://github.com/sigstore/cosign/pull/450)
1990* BREAKING: `--fulcio-server` is now `--fulcio-url` (https://github.com/sigstore/cosign/pull/471)
1991* Added `-cert` flag to `sign` to allow the explicit addition of a signature certificate (https://github.com/sigstore/cosign/pull/451)
1992* Added the `attest` command (https://github.com/sigstore/cosign/pull/458)
1993* Added numerous flags for specifying parameters when interacting with Rekor and Fulcio (https://github.com/sigstore/cosign/pull/462)
1994* `cosign` will now send its version string as part of the `user-agent` when interacting with a container registry (https://github.com/sigstore/cosign/pull/479)
1995* Files containing certificates for custom Fulcio endpoints can now be specified via the `COSIGN_ROOT` environment variable (https://github.com/sigstore/cosign/pull/477)
1996
1997## Bug Fixes
1998
1999* Fixed a situation where lower-case `as` would break `verify-dockerfile` (Complements to @Dentrax https://github.com/sigstore/cosign/pull/433)
2000
2001## Contributors
2002
2003* Appu Goundan (@loosebazooka)
2004* Batuhan Apaydın (@developer-guy)
2005* Carlos Panato (@cpanato)
2006* Dan Lorenc (@dlorenc)
2007* Furkan Türkal (@Dentrax)
2008* Hector Fernandez (@hectorj2f)
2009* Jake Sanders (@dekkagaijin)
2010* James Alseth (@jalseth)
2011* Jason Hall (@imjasonh)
2012* João Pereira (@joaodrp)
2013* Luke Hinds (@lukehinds)
2014* Tom Hennen (@TomHennen)
2015
2016# v0.6.0
2017
2018## Enhancements
2019
2020* BREAKING: Moved `cosign upload-blob` to `cosign upload blob` (https://github.com/sigstore/cosign/pull/378)
2021* BREAKING: Moved `cosign upload` to `cosign attach signature` (https://github.com/sigstore/cosign/pull/378)
2022* BREAKING: Moved `cosign download` to `cosign download signature` (https://github.com/sigstore/cosign/pull/392)
2023* Added flags to specify slot, PIN, and touch policies for security keys (Thank you @ddz https://github.com/sigstore/cosign/pull/369)
2024* Added `cosign verify-dockerfile` command (https://github.com/sigstore/cosign/pull/395)
2025* Added SBOM support in `cosign attach` and `cosign download sbom` (https://github.com/sigstore/cosign/pull/387)
2026* Sign & verify images using Kubernetes secrets (A muchas muchas gracias to @developer-guy and @Dentrax https://github.com/sigstore/cosign/pull/398)
2027* Added support for AWS KMS (谢谢, @codysoyland https://github.com/sigstore/cosign/pull/426)
2028* Numerous enhancements to our build & release process, courtesy @cpanato
2029
2030## Bug Fixes
2031
2032* Verify entry timestamp signatures of fetched Tlog entries (https://github.com/sigstore/cosign/pull/371)
2033
2034## Contributors
2035
2036* Asra Ali (@asraa)
2037* Batuhan Apaydın (@developer-guy)
2038* Carlos Panato (@cpanato)
2039* Cody Soyland (@codysoyland)
2040* Dan Lorenc (@dlorenc)
2041* Dino A. Dai Zovi (@ddz)
2042* Furkan Türkal (@Dentrax)
2043* Jake Sanders (@dekkagaijin)
2044* Jason Hall (@imjasonh)
2045* Paris Zoumpouloglou (@zuBux)
2046* Priya Wadhwa (@priyawadhwa)
2047* Rémy Greinhofer (@rgreinho)
2048* Russell Brown (@rjbrown57)
2049
2050# v0.5.0
2051
2052## Enhancements
2053
2054* Added `cosign copy` to easily move images and signatures between repositories (https://github.com/sigstore/cosign/pull/317)
2055* Added `-r` flag to `cosign sign` for recursively signing multi-arch images (https://github.com/sigstore/cosign/pull/320)
2056* Added `cosign clean` to delete signatures for an image (Thanks, @developer-guy! https://github.com/sigstore/cosign/pull/324)
2057* Added `-k8s` flag to `cosign generate-key-pair` to create a Kubernetes secret (Hell yeah, @priyawadhwa! https://github.com/sigstore/cosign/pull/345)
2058
2059## Bug Fixes
2060
2061* Fixed an issue with misdirected image signatures when `COSIGN_REPOSITORY` was used (https://github.com/sigstore/cosign/pull/323)
2062
2063## Contributors
2064
2065* Balazs Zachar (@Cajga)
2066* Batuhan Apaydın (@developer-guy)
2067* Dan Lorenc (@dlorenc)
2068* Furkan Turkal (@Dentrax)
2069* Jake Sanders (@dekkagaijin)
2070* Jon Johnson (@jonjohnsonjr)
2071* Priya Wadhwa (@priyawadhwa)
2072
2073# v0.4.0
2074
2075## Action Required
2076
2077* Signatures created with `cosign` before v0.4.0 are not compatible with those created after
2078 * The signature image's manifest now uses OCI mediaTypes ([#300](https://github.com/sigstore/cosign/pull/300))
2079 * The signature image's tag is now terminated with `.sig` (instead of `.cosign`, [#287](https://github.com/sigstore/cosign/pull/287))
2080
2081## Enhancements
2082
2083* 🎉 Added support for "offline" verification of Rekor signatures 🎉 (ありがとう, priyawadhwa! [#285](https://github.com/sigstore/cosign/pull/285))
2084* Support for Hashicorp vault as a KMS provider has been added (Danke, RichiCoder1! [sigstore/sigstore #44](https://github.com/sigstore/sigstore/pull/44), [sigstore/sigstore #49](https://github.com/sigstore/sigstore/pull/44))
2085
2086## Bug Fixes
2087
2088* GCP KMS URIs now include the key version ([#45](https://github.com/sigstore/sigstore/pull/45))
2089
2090## Contributors
2091
2092* Christian Pearce (@pearcec)
2093* Dan Lorenc (@dlorenc)
2094* Jake Sanders (@dekkagaijin)
2095* Priya Wadhwa (@priyawadhwa)
2096* Richard Simpson (@RichiCoder1)
2097* Ross Timson (@rosstimson)
2098
2099# v0.3.1
2100
2101## Bug Fixes
2102
2103* Fixed CI container image breakage introduced in v0.3.0
2104* Fixed lack of version information in release binaries
2105
2106# v0.3.0
2107
2108This is the third release of `cosign`!
2109
2110We still expect many flags, commands, and formats to change going forward, but we're getting closer.
2111No backwards compatibility is promised or implied yet, though we are hoping to formalize this policy in the next release.
2112See [#254](https://github.com/sigstore/cosign/issues/254) for more info.
2113
2114## Enhancements
2115
2116* The `-output-file` flag supports writing output to a specific file
2117* The `-key` flag now supports `kms` references and URLs, the `kms` specific flag has been removed
2118* Yubikey/PIV hardware support is now included!
2119* Support for signing and verifying multiple images in one invocation
2120
2121## Bug Fixes
2122
2123* Bug fixes in KMS keypair generation
2124* Bug fixes in key type parsing
2125
2126## Contributors
2127
2128* Dan Lorenc
2129* Priya Wadhwa
2130* Ivan Font
2131* Dependabot!
2132* Mark Bestavros
2133* Jake Sanders
2134* Carlos Tadeu Panato Junior
2135
2136# v0.2.0
2137
2138This is the second release of `cosign`!
2139
2140We still expect many flags, commands, and formats to change going forward, but we're getting closer.
2141No backwards compatibility is promised or implied.
2142
2143## Enhancements
2144
2145* The password for private keys can now be passed via the `COSIGN_PASSWORD`
2146* KMS keys can now be used to sign and verify blobs
2147* The `version` command can now be used to return the release version
2148* The `public-key` command can now be used to extract the public key from KMS or a private key
2149* The `COSIGN_REPOSITORY` environment variable can be used to store signatures in an alternate location
2150* Tons of new EXAMPLES in our help text
2151
2152## Bug Fixes
2153
2154* Improved error messages for command line flag verification
2155* TONS more unit and integration testing
2156* Too many others to count :)
2157
2158## Contributors
2159
2160We would love to thank the contributors:
2161
2162* Dan Lorenc
2163* Priya Wadhwa
2164* Ahmet Alp Balkan
2165* Naveen Srinivasan
2166* Chris Norman
2167* Jon Johnson
2168* Kim Lewandowski
2169* Luke Hinds
2170* Bob Callaway
2171* Dan POP
2172* eminks
2173* Mark Bestavros
2174* Jake Sanders
2175
2176# v0.1.0
2177
2178This is the first release of `cosign`!
2179
2180The main goal of this release is to release something we can start using to sign other releases of [sigstore](sigstore.dev) projects, including `cosign` itself.
2181
2182We expect many flags, commands, and formats to change going forward.
2183No backwards compatibility is promised or implied.
2184
2185## Enhancements
2186
2187This release added a feature to `cosign` called `cosign`.
2188The `cosign` feature can be used to sign container images and blobs.
2189Detailed documentation can be found in the [README](README.md) and the [Detailed Usage](USAGE.md).
2190
2191## Bug Fixes
2192
2193There was no way to sign container images. Now there is!
2194
2195## Contributors
2196
2197We would love to thank the contributors:
2198
2199* dlorenc
2200* priyawadhwa
2201* Ahmet Alp Balkan
2202* Ivan Font
2203* Jason Hall
2204* Chris Norman
2205* Jon Johnson
2206* Kim Lewandowski
2207* Luke Hinds
2208* Bob Callaway
View as plain text