# v1.3.6

## New Features

* Add support for IEEE P1363 encoded ECDSA signatures
* Add index performance script (#2042)
* Add support for ed25519ph user keys in hashedrekord (#1945)
* Add metrics for index insertion (#2015)
* Add TLS support for Redis Client implementation (#1998)

## Bug Fixes

* fix typo in remoteIp and set full name for trace field

## Contributors

* Bob Callaway
* Colleen Murphy
* cpanato
* Hayden B
* Mihkel Pärna
* Riccardo Schirone

# v1.3.5

## New Features
* output trace in slog and override correlation header name (#1986)
* give log timestamps nanosecond precision (#1985)
* Added support for sha384/sha512 hash algorithms in hashedrekords (#1959)
* Change Redis value for locking mechanism (#1957)

## Bug Fixes
* Fix panic for DSSE canonicalization (#1923)
* Drop conditional when verifying entry checkpoint (#1917)
* Remove timestamp from checkpoint (#1888)
* Additional unique index correction (#1885)

## Quality Enhancements
* bump trillian images to v1.6.0 (#1984)
* remove trillian images from release process (#1983)
* update builder to use go1.21

## Contributors
* Andrew Block
* Bob Callaway
* Carlos Tadeu Panato Junior
* Hayden Blauzvern
* Riccardo Schirone

# v1.3.4

## New Features
* add mysql indexstorage backend
* add s3 storage for attestations

## Bug Fixes
* fix: Do not check for pubsub.topics.get on initialization (#1853)
* fix optional field in cose schema

## Quality Enhancements
* Update ranges.go (#1852)
* update indexstorage interface to reduce roundtrips (#1838)
* use a single validator library in rekor-cli (#1818)
* Remove go-playground/validator dependency from pkg/pki (#1817)

## Contributors
* Bob Callaway
* Carlos Tadeu Panato Junior
* Hayden B
* James Alseth
* Kenny Leung
* Noah Kreiger
* Zach Steindler

# v1.3.3

## New Features
* update trillian to 1.5.3 (#1803)
* adds redis_auth (#1627)
* Add method to get artifact hash for an entry (#1777)

## Bug Fixes
* Update signer flag description (#1804)
* install go at correct version for codeql (#1762)

## Quality Enhancements
* make e2e tests more usable with docker-compose (#1770)

## Contributors
* Bob Callaway
* Carlos Tadeu Panato Junior
* Hayden B
* ian hundere
* Kenny Leung

# v1.3.2

* move to go 1.21.3 to pick up fixes for CVE-2023-39325

## Bug Fixes
* build(deps): Bump golang.org/x/net from 0.16.0 to 0.17.0 (#1753)
* build(deps): Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#1755)
* build(deps): Bump google/cloud-sdk from 449.0.0 to 450.0.0 (#1757)
* build(deps): Bump google.golang.org/grpc from 1.58.2 to 1.58.3 (#1754)
* update Dockerfile for go 1.21.3 (#1752)
* update builder image to use go1.21.3 (#1751)

## Contributors
* Carlos Tadeu Panato Junior

# v1.3.1

## New Features
* enable GCP cloud profiling on rekor-server (#1746)
* move index storage into interface (#1741)
* add info to readme to denote additional documentation sources (#1722)
* Add type of ed25519 key for TUF (#1677)
* Allow parsing base64-encoded TUF metadata and root content (#1671)

## Quality Enhancements
* disable quota in trillian in test harness (#1680)

## Bug Fixes
* Update contact for code of conduct (#1720)
* fix: typo (#1711)
* Fix panic when parsing SSH SK pubkeys (#1712)
* Correct index creation (#1708)
* Update .ko.yaml (#1682)
* docs: fixes a small typo on the readme (#1686)
* chore: fix `backfill-redis` Makefile target (#1685)

## Contributors
* Andres Galante
* Andrew Block
* Appu
* Bob Callaway
* Carlos Tadeu Panato Junior
* guangwu
* Hayden B
* jonvnadelberg
* Lance Ball

# v1.3.0

## New Features
* feat: Support publishing new log entries to Pub/Sub topics (#1580)
* Change values of Identity.Raw, add fingerprints (#1628)
* Extract all subjects from SANs for x509 verifier (#1632)
* Fix type comment for Identity struct (#1619)
* Refactor Identities API (#1611)
* Refactor Verifiers to return multiple keys (#1601)

## Quality Enhancements
* set min go version to 1.21 (#1651)
* Upgrade to go1.21 (#1636)

## Bug Fixes
* Update openapi.yaml (#1655)
* pass transient errors through retrieveLogEntry (#1653)
* return full entryID on HTTP 409 responses (#1650)
* Update checkpoint link (#1597)
* Use correct log index in inclusion proof (#1599)
* remove instrumentation library (#1595)
* pki: clean up fuzzer (#1594)
* alpine: add max metadata size to fuzzer (#1571)

## Contributors
* AdamKorcz
* Appu
* Bob Callaway
* Carlos Tadeu Panato Junior
* Ceridwen Coghlan
* Hayden B
* James Alseth

# v1.2.2

## Quality Enhancements
* swap killswitch for 'docker-compose restart' (#1562)
* pass treeSize and rootHash to avoid trillian import (#1513)
* Move github.com/sigstore/protobuf-specs users into a separate subpackage (#1511)

## Bug Fixes
* pass down error with message instead of nil (#1560)

## Contributors
* Bob Callaway
* Carlos Tadeu Panato Junior
* Eng Zer Jun
* Miloslav Trmač

# v1.2.1

## Bug Fixes
* run go mod tidy in hack/tools (#1510)

## Contributors
* Bob Callaway

# v1.2.0

## Functional Enhancements
* add client method to generate TLE struct (#1498)
* add dsse type (#1487)
* support other KMS providers (AWS, Azure, Hashicorp) in addition to GCP (#1488)
* Add concurrency to backfill-redis (#1504)
* omit informational message if machine-parseable output has been requested (#1486)
* Publish stable checkpoint periodically to Redis (#1461)
* Add intoto v0.0.2 to backfill script (#1500)
* add new method to test insertability of proposed entries into log (#1410)

## Quality Enhancements
* use t.Skip() in fuzzers (#1506)
* improve fuzzing coverage (#1499)
* Remove watcher script (#1484)

## Bug Fixes
* Merge pull request from GHSA-frqx-jfcm-6jjr
* Remove requirement of PayloadHash for intoto 0.0.1 (#1490)
* fix lint errors, bump linter up to 1.52 (#1485)
* Remove dependencies from pkg/util (#1469)

## Contributors
* Bob Callaway
* Carlos Tadeu Panato Junior
* Ceridwen Coghlan
* Cody Soyland
* Hayden B
* Miloslav Trmač

# v1.1.1

## Functional Enhancements
* Refactor Trillian client with exported methods (#1454)
* Switch to official redis-go client (#1459)
* Remove replace in go.mod (#1444)
* Add Rekor OID info. (#1390)

## Quality Enhancements
* remove legacy encrypted cosign key (#1446)
* swap cjson dependency (#1441)
* Update release readme (#1456)

## Bug Fixes
* Merge pull request from GHSA-2h5h-59f5-c5x9

## Contributors
* Billy Lynch
* Bob Callaway
* Carlos Tadeu Panato Junior
* Ceridwen Coghlan
* Hayden B

# v1.1.0

## Functional Enhancements
* improve validation on intoto v0.0.2 type (#1351)
* add feature to limit HTTP request body length to process (#1334)
* add information about the file size limit (#1313)
* Add script to backfill Redis from Rekor (#1163)
* Feature: add search support for sha512 (#1142)

## Quality Enhancements
* fuzzing: refactor OSS-Fuzz build script (#1377)
* Update cloudbuild for cosign 2.0 (#1375)
* Tests - Additional sharding tests (#1180)
* jar type: add fuzzer for 3rd-party dep (#1360)
* update cosign to 2.0.0 and builder image and also cosign flags (#1368)
* fuzzing: move alpine utils to fuzz utils (#1335)
* fuzzing: add seed for alpine fuzzer (#1342)
* jar: add v001 fuzzer (#1327)
* fuzzing: open writer later in fuzz utils (#1326)
* fuzzing: remove tar operations in alpine fuzzer (#1322)
* alpine: add v001 fuzzer (#1316)
* hashedrekord: add v001 fuzzer (#1315)
* fuzzing: add call to IndexKeys in multiple fuzzers (#1302)
* fuzzing: improve cose fuzzer (#1300)
* fuzzing: improve fuzz utils (#1298)
* fuzzing: improve alpine fuzzer (#1273)
* fuzzing: go mod edit go-fuzz-headers (#1272)
* fuzzing: add .options file (#1271)
* fuzzing: build helm fuzzer from correct dir (#1264)
* types: refactor multiple fuzzers (#1258)
* helm: add fuzzer for provenance unmarshalling (#1243)
* pki: add fuzzer (#1256)
* Fuzzing: Add more bug detectors (#1253)
* Refactor e2e - part 5 (#1236)
* Removed unused tool/deps (#1244)
* Fixed the invalid path (#1245)
* Run latest fuzzers in OSS-Fuzz (#1221)
* Fuzz tests - hashedrekord (#1224)
* Update builder (#1228)
* Revamping rekor e2e - part 4 of N (#1218)
* types: add fuzzers (#1225)
* jar type: add fuzzer (#1215)
* Revamping rekor e2e - part 3 of N (#1177)
* modify OSS-Fuzz build script (#1214)
* move over oss-fuzz build script (#1204)
* wrap redis client errors to aid debugging (#1176)
* don't test release candidate builds in harness (#1183)
* types/alpine: add fuzzer (#1200)
* logging tweaks to improve usability (#1235)
* Add backfill-redis to the release artifacts (#1174)
* ensure jobs run on release branches (#1181)
* update builder image and cosign (#1165)
* Refactor e2e tests - x509 apk (#1152)
* Sharding - Additional tests (#1156)
* Ran gofmt and cleaned up (#1157)
* Fuzz - Fuzz tests for sharding (#1147)
* Revamping rekor e2e - part 1 of N (#1089)

## Bug Fixes
* remove goroutine usage from SearchLogQuery (#1407)
* drop log messages regarding attestation storage to debug (#1408)
* fix ko-local build (#1381)
* disable blocking checks (#1353)
* fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)
* fix: fix regex for multi-digit counts (#1321)
* return NotFound if treesize is 0 rather than calling trillian (#1311)
* enumerate slice to get sugared logs (#1312)
* put a reasonable size limit on ssh key reader (#1288)
* CLIENT: Fix Custom Host and Path Issue (#1306)
* do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)
* correctly handle invalid or missing pki format (#1281)
* Add Verifier to get public key/cert and identities for entry type (#1210)
* fix goroutine leak in client; add insecure TLS option (#1238)
* Fix - Remove the force-recreate flag (#1179)
* trim whitespace around public keys before parsing (#1175)
* stop inserting envelope hash for intoto:0.0.2 types into index (#1171)
* Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158)
* remove double encoding of payload and signature fields for intoto (#1150)
* fix SearchLogQuery behavior to conform to openapi spec (#1145)
* Remove pem-certificate-chain from client (#1138)
* fix flag type for operator in search (#1136)
* use sigstore/community dep review (#1132)

## Contributors
* AdamKorcz
* Batuhan Apaydın
* Bob Callaway
* Carlos Tadeu Panato Junior
* Fabian Kammel
* Fredrik Skogman
* Hayden B
* Joyce
* Naveen
* Noah Kreiger
* Priya Wadhwa

# v1.0.1

## Enhancements
* stop inserting envelope hash for intoto:0.0.2 types into index (#1171) (#1172)

## Bug Fixes
* ensure jobs run on release branches (#1181) (#1182)

## Contributors
* Bob Callaway

# v1.0.0

Rekor is 1.0!
No changes, as this is tagged at the same commit as v1.0.0-rc.1.

Thank you to all of the contributors to Rekor in the past couple years who helped make Rekor 1.0 possible!

## Contributors
* Aastha Bist
* Aditya Sirish
* Ahmet Alp Balkan
* Andrew Block
* Appu
* Asra Ali
* axel simon
* Azeem Shaikh
* Batuhan Apaydın
* Bob Callaway
* Carlos Tadeu Panato Junior
* Ceridwen Driskill
* Christian Rebischke
* Dan Lorenc
* Dan Luhring
* Eddie Zaneski
* Efe Barlas
* Fredrik Skogman
* Harry Fallows
* Hayden B
* Hector Fernandez
* Jake Sanders
* Jason Hall
* Jehan Shah
* John Speed Meyers
* Kenny Leung
* Koichi Shiraishi
* Lily Sturmann
* Luke Hinds
* Mikhail Swift
* Morten Linderud
* Nathan Smith
* Naveen
* Olivier Cedric Barbier
* Parth Patel
* Priya Wadhwa
* Robert James Hernandez
* Romain Aviolat
* Samsondeen
* Sascha Grunert
* Scott Nichols
* Shiwei Zhang
* Simon Kent
* Sylvestre Ledru
* Tiziano Santoro
* Trishank Karthik Kuppusamy
* Ville Aikas
* dhaus67
* endorama
* kpcyrd

# v1.0.0-rc.1

## Enhancements
* add retry command line flag on rekor-cli (#1097)
* Add some info and debug logging to commonly used funcs (#1106)

## Contributors
* Bob Callaway
* Priya Wadhwa

# v1.0-rc

## Enhancements
* update swagger API version to 1.0.0 (#1102)
* verify: verify checkpoint's STH against the inclusion proof root hash (#1092)
* add ability to enable/disable specific rekor API endpoints (#1080)
* enable configurable client retries with backoff in RekorClient (#1096)

## Bug Fixes
* remove unused RekorVersion API definition (#1101)
* remove unused api-key and timestamp references (#1098)

## Contributors
* Bob Callaway
* asraa

# v0.12.2

## Enhancements
* add changelog for 0.12.0 and 0.12.1 (#1064)
* add description on /api/v1/index/retrieve endpoint (#1073)
* Adding e2e test coverage (#1071)
* export rekor build/version information (#1074)

## Bug Fixes
* Search through all shards when searching by hash (#1082)
* Use POST instead of GET for /api/log/entries/retrieve metrics (#1083)

## Contributors
* Bob Callaway
* Carlos Tadeu Panato Junior
* Ceridwen Driskill
* Simon Kent
* Priya Wadhwa

# v0.12.1

> **Rekor `v0.12.1` comes with a breaking change to `rekor-cli v0.12.1`. Users of rekor-cli MUST upgrade to the latest version.**
> The addition of the intotov2 created a breaking change for the `rekor-cli`.

## Enhancements

* Adds new rekor metrics for latency and QPS. (https://github.com/sigstore/rekor/pull/1059)
* feat: add file based signer and password (https://github.com/sigstore/rekor/pull/1049)

## Bug Fixes

* fix: fix harness tests with intoto v0.0.2 (https://github.com/sigstore/rekor/pull/1052)

## Contributors

* Asra Ali (@asraa)
* Simon Kent (@var-sdk)

# v0.12.0

## Enhancements

* remove /api/v1/version endpoint (https://github.com/sigstore/rekor/pull/1022)
* Include checkpoint (STH) in entry upload and retrieve responses (https://github.com/sigstore/rekor/pull/1015)
* Validate tree ID on calls to /api/v1/log/entries/retrieve (https://github.com/sigstore/rekor/pull/1017)
* feat: add verification functions (https://github.com/sigstore/rekor/pull/986)
* Change Checkpoint origin to be "Hostname - Tree ID" (https://github.com/sigstore/rekor/pull/1013)
* Add bounds on number of elements in api/v1/log/entries/retrieve (https://github.com/sigstore/rekor/pull/1011)
* Intoto v0.0.2 (https://github.com/sigstore/rekor/pull/973)
* api.SearchLogQueryHandler thread safety (https://github.com/sigstore/rekor/pull/1006)
* enable blocking specific pluggable type versions from being inserted into the log (https://github.com/sigstore/rekor/pull/1004)
* check supportedVersions list rather than directly reading from version map (https://github.com/sigstore/rekor/pull/1003)

## Bug Fixes

* fix retrieve endpoint response code and add testing (https://github.com/sigstore/rekor/pull/1043)
* Fix harness tests @ main (https://github.com/sigstore/rekor/pull/1038)
* Fix rekor-cli backwards incompatibility & run harness tests against HEAD (https://github.com/sigstore/rekor/pull/1030)
* fix: use entry uuid uniformly (https://github.com/sigstore/rekor/pull/1012)

## Others

* Fetch all tags in harness tests (https://github.com/sigstore/rekor/pull/1039)

## Contributors

* Asra Ali (@asraa)
* Bob Callaway (@bobcallaway)
* Carlos Tadeu Panato Junior (@cpanato)
* Ceridwen Driskill (@cdris)
* Hayden Blauzvern (@haydentherapper)
* Kenny Leung (@k4leung4)
* Mikhail Swift (@mikhailswift)
* Parth Patel (@pxp928)
* Priya Wadhwa (@priyawadhwa)

# v0.11.0

## Enhancements

* add support for `intersection` & `union` in search operations (https://github.com/sigstore/rekor/pull/968)
* Allow sharding config to be written in yaml or json (https://github.com/sigstore/rekor/pull/974)
* update field documentation on publicKey for hashedrekord (https://github.com/sigstore/rekor/pull/969)
* compute payload and envelope hashes upon validating intoto proposed entries (https://github.com/sigstore/rekor/pull/967)
* Add prometheus summary to track metric latency (https://github.com/sigstore/rekor/pull/966)
* Add harness test for getting all entries by UUID and EntryID (https://github.com/sigstore/rekor/pull/957)
* Persist and check attestations across harness tests (https://github.com/sigstore/rekor/pull/952)
* Add rekor harness tests for adding and getting entries from previous versions (https://github.com/sigstore/rekor/pull/945)

## Bug Fixes

* fix: make rekor verify work with sharded uuids (https://github.com/sigstore/rekor/pull/970)
* fix incorrect schema id for cose type (https://github.com/sigstore/rekor/pull/979)
* fix nil-pointer error when artifact-hash is passed without artifact (https://github.com/sigstore/rekor/pull/965)
* change default value for rekor_server.hostname to server's hostname (https://github.com/sigstore/rekor/pull/963)
* api: fix inclusion proof verification flake (https://github.com/sigstore/rekor/pull/956)

## Others

* Update scorecard-action to v2:alpha (https://github.com/sigstore/rekor/pull/987)
* add changelog for v0.11.0 release (https://github.com/sigstore/rekor/pull/982)
* remove trailing slash on directories (https://github.com/sigstore/rekor/pull/984)
* update builder and cosign images (https://github.com/sigstore/rekor/pull/981)
* Bump github.com/go-openapi/spec from 0.20.6 to 0.20.7 (https://github.com/sigstore/rekor/pull/976)
* Bump github.com/go-openapi/loads from 0.21.1 to 0.21.2 (https://github.com/sigstore/rekor/pull/977)
* Bump github.com/go-openapi/swag from 0.22.0 to 0.22.1 (https://github.com/sigstore/rekor/pull/978)
* Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 (https://github.com/sigstore/rekor/pull/975)
* Bump github.com/mediocregopher/radix/v4 from 4.1.0 to 4.1.1 (https://github.com/sigstore/rekor/pull/972)
* Bump actions/github-script from 6.1.0 to 6.1.1 (https://github.com/sigstore/rekor/pull/971)
* Bump github.com/go-openapi/errors from 0.20.2 to 0.20.3 (https://github.com/sigstore/rekor/pull/964)
* Bump gopkg.in/ini.v1 from 1.66.6 to 1.67.0 (https://github.com/sigstore/rekor/pull/960)
* Bump go.uber.org/zap from 1.21.0 to 1.22.0 (https://github.com/sigstore/rekor/pull/961)
* Bump github.com/prometheus/client_golang from 1.12.2 to 1.13.0 (https://github.com/sigstore/rekor/pull/959)
* Bump github.com/go-openapi/swag from 0.21.1 to 0.22.0 (https://github.com/sigstore/rekor/pull/958)
* Bump github/codeql-action from 2.1.17 to 2.1.18 (https://github.com/sigstore/rekor/pull/955)
* Bump golang from 1.18.4 to 1.18.5 (https://github.com/sigstore/rekor/pull/950)
* Bump golang from `6e10f44` to `8a62670` (https://github.com/sigstore/rekor/pull/948)
* Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (https://github.com/sigstore/rekor/pull/947)

## Contributors

* Asra Ali (@asraa)
* Azeem Shaikh (@azeemshaikh38)
* Bob Callaway (@bobcallaway)
* Carlos Tadeu Panato Junior (@cpanato)
* Samsondeen (@dsa0x)
* Priya Wadhwa (@priyawadhwa)

# v0.10.0

**Note**: Rekor will no longer send `application/yaml` responses, only `application/json` responses.

## Enhancements

* Drop application/yaml content type (https://github.com/sigstore/rekor/pull/933)
* Return 404 if entry isn't found in log (https://github.com/sigstore/rekor/pull/915)
* reuse dsse signature wrappers instead of having a copy (https://github.com/sigstore/rekor/pull/912)

## Others

* update go mod in hack/tools to go1.18 (https://github.com/sigstore/rekor/pull/935)
* Enable Scorecard badge (https://github.com/sigstore/rekor/pull/941)
* Add rekor test harness to presubmit tests (https://github.com/sigstore/rekor/pull/921)
* Bump imjasonh/setup-ko from 0.4 to 0.5 (https://github.com/sigstore/rekor/pull/940)
* update go builder and cosign image (https://github.com/sigstore/rekor/pull/934)
* Bump sigs.k8s.io/release-utils from 0.7.2 to 0.7.3 (https://github.com/sigstore/rekor/pull/937)
* Bump github.com/google/trillian from 1.4.1 to 1.4.2 in /hack/tools (https://github.com/sigstore/rekor/pull/939)
* Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (https://github.com/sigstore/rekor/pull/936)
* Bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 (https://github.com/sigstore/rekor/pull/930)
* Update cosign image in validate-release job (https://github.com/sigstore/rekor/pull/931)
* Bump sigs.k8s.io/release-utils from 0.7.1 to 0.7.2 (https://github.com/sigstore/rekor/pull/927)
* Bump github.com/veraison/go-cose from 1.0.0-alpha.1 to 1.0.0-rc.1 (https://github.com/sigstore/rekor/pull/928)
* Bump actions/dependency-review-action from 2.0.2 to 2.0.4 (https://github.com/sigstore/rekor/pull/925)
* Bump github/codeql-action from 2.1.15 to 2.1.16 (https://github.com/sigstore/rekor/pull/924)
* Bump golang from 1.18.3 to 1.18.4 (https://github.com/sigstore/rekor/pull/919)
* Bump google.golang.org/grpc from 1.47.0 to 1.48.0 (https://github.com/sigstore/rekor/pull/920)
* Bump actions/setup-go from 3.2.0 to 3.2.1 (https://github.com/sigstore/rekor/pull/916)
* Updates on the release job/makefile cleanup (https://github.com/sigstore/rekor/pull/914)
* add changelog for v0.9.1 (https://github.com/sigstore/rekor/pull/911)

## Contributors

* Azeem Shaikh (@azeemshaikh38)
* Bob Callaway (@bobcallaway)
* Carlos Tadeu Panato Junior (@cpanato)
* Hayden Blauzvern (@haydentherapper)
* Priya Wadhwa (@priyawadhwa)

# v0.9.1

## Enhancements

* Optimize lookup of attestation from storage layer (https://github.com/sigstore/rekor/pull/909)
* feat: add subject URIs to index for x509 certificates (https://github.com/sigstore/rekor/pull/897)
* ensure log messages have requestID where possible (https://github.com/sigstore/rekor/pull/907)
* Check inactive shards for UUID for /retrieve endpoint (https://github.com/sigstore/rekor/pull/905)

## Bug Fixes

* Fix bug where /retrieve endpoint returns wrong logIndex across shards (https://github.com/sigstore/rekor/pull/908)
* fix: sql syntax in dbcreate script (https://github.com/sigstore/rekor/pull/903)

## Others

* cleanup makefile with generated code; cleanup unused files (https://github.com/sigstore/rekor/pull/910)
* Bump github.com/theupdateframework/go-tuf from 0.3.0 to 0.3.1 (https://github.com/sigstore/rekor/pull/906)
* Pin release-utils to v0.7.1 (https://github.com/sigstore/rekor/pull/904)
* Bump sigstore/cosign-installer from 2.4.0 to 2.4.1 (https://github.com/sigstore/rekor/pull/898)

## Contributors

* Asra Ali (@asraa)
* Bob Callaway (@bobcallaway)
* Priya Wadhwa (@priyawadhwa)
* Romain Aviolat (@xens)
* Sascha Grunert (@saschagrunert)

# v0.9.0

## Enhancements

* Add COSE support to Rekor (https://github.com/sigstore/rekor/pull/867)

## Bug Fixes

* Resolve virtual log index when calling /api/v1/log/entries/retrieve endpoint (https://github.com/sigstore/rekor/pull/894)
* Fix intoto index keys (https://github.com/sigstore/rekor/pull/889)
* ensure fallback logic executes if attestation key is empty when fetching attestation (https://github.com/sigstore/rekor/pull/878)

## Others

* Bump github/codeql-action from 2.1.14 to 2.1.15 (https://github.com/sigstore/rekor/pull/893)
* Bump ossf/scorecard-action from 1.1.1 to 1.1.2 (https://github.com/sigstore/rekor/pull/888)
* Bump github/codeql-action from 2.1.13 to 2.1.14 (https://github.com/sigstore/rekor/pull/885)
* add changelog for v0.8.2 (https://github.com/sigstore/rekor/pull/882)
* Bump github/codeql-action from 2.1.12 to 2.1.13 (https://github.com/sigstore/rekor/pull/880)
* Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 (https://github.com/sigstore/rekor/pull/881)

## Contributors

* Bob Callaway (@bobcallaway)
* Carlos Tadeu Panato Junior (@cpanato)
* Fredrik Skogman (@kommendorkapten)
* Priya Wadhwa (@priyawadhwa)

# v0.8.2

## Bug Fixes

* ensure fallback logic executes if attestation key is empty when fetching attestation (https://github.com/sigstore/rekor/pull/878)

## Others

* Bump github/codeql-action from 2.1.12 to 2.1.13 (https://github.com/sigstore/rekor/pull/880)
* Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 (https://github.com/sigstore/rekor/pull/881)
* collect docker-compose logs if sharding tests fail, also trim IDs (https://github.com/sigstore/rekor/pull/869)

## Contributors

* Bob Callaway (@bobcallaway)

# v0.8.1

## Bug Fixes

* Allow an expired certificate chain to be uploaded and verified (https://github.com/sigstore/rekor/pull/873)
* Fix indexing bug for intoto attestations (https://github.com/sigstore/rekor/pull/870)

## Others

* Bump actions/dependency-review-action from 1.0.2 to 2 (https://github.com/sigstore/rekor/pull/871)
* Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 (https://github.com/sigstore/rekor/pull/868)
* add changelog for v0.8.0 (https://github.com/sigstore/rekor/pull/866)

## Contributors

* Carlos Tadeu Panato Junior (@cpanato)
* Hayden Blauzvern (@haydentherapper)
* Priya Wadhwa (@priyawadhwa)

# v0.8.0

## Enhancements

* Print total tree size, including inactive shards in `rekor-cli loginfo` (https://github.com/sigstore/rekor/pull/864)
* Allow retrieving entryIDs or UUIDs via `/api/v1/log/entries/retrieve` endpoint (https://github.com/sigstore/rekor/pull/859)
* Improve error message when using ED25519 with HashedRekord type (https://github.com/sigstore/rekor/pull/862)

## Others

* Bump github.com/spf13/viper from 1.11.0 to 1.12.0 (https://github.com/sigstore/rekor/pull/844)
* Bump github.com/go-openapi/validate from 0.21.0 to 0.22.0 (https://github.com/sigstore/rekor/pull/863)
* update go.mod to go1.17 (https://github.com/sigstore/rekor/pull/861)
* update cross-builder image to use go1.17.11 and dockerfile base image (https://github.com/sigstore/rekor/pull/860)
* Bump github/codeql-action from 2.1.11 to 2.1.12 (https://github.com/sigstore/rekor/pull/858)
* Bump ossf/scorecard-action from 1.1.0 to 1.1.1 (https://github.com/sigstore/rekor/pull/857)
* Bump google.golang.org/grpc from 1.46.2 to 1.47.0 (https://github.com/sigstore/rekor/pull/852)
* Bump github.com/secure-systems-lab/go-securesystemslib (https://github.com/sigstore/rekor/pull/853)
* Configure rekor server in e2e tests via env variable (https://github.com/sigstore/rekor/pull/850)
* Bump gopkg.in/ini.v1 from 1.66.5 to 1.66.6 (https://github.com/sigstore/rekor/pull/848)
* Update go-tuf and sigstore/sigstore to non-vulnerable go-tuf version. (https://github.com/sigstore/rekor/pull/847)
* Bump gopkg.in/ini.v1 from 1.66.4 to 1.66.5 (https://github.com/sigstore/rekor/pull/846)

## Contributors

* Carlos Tadeu Panato Junior (@cpanato)
* dhaus67 (@dhaus67)
* Hayden Blauzvern (@haydentherapper)
* Priya Wadhwa (@priyawadhwa)

# v0.7.0

**Breaking Change**: Removed timestamping authority API. This is a breaking API change.
If you are relying on the timestamping authority to issue signed timestamps, create signed timestamps using either OpenSSL or a service such as FreeTSA.

## Enhancements

* Remove timestamping authority (https://github.com/sigstore/rekor/pull/813)
* Limit the number of certificates parsed in a chain (https://github.com/sigstore/rekor/pull/823)
* Retrieve shard tree length if it isn't provided in the config (https://github.com/sigstore/rekor/pull/810)
* Don't try to index on hash for intoto obj if one isn't available (https://github.com/sigstore/rekor/pull/800)
* intoto: add index on materials digest of slsa provenance (https://github.com/sigstore/rekor/pull/793)
* remove URL fetch of keys/artifacts server-side (https://github.com/sigstore/rekor/pull/735)

## Others

* all: remove dependency on deprecated github.com/pkg/errors (https://github.com/sigstore/rekor/pull/834)
* Add back owners for rfc3161 package type (https://github.com/sigstore/rekor/pull/833)
* Bump google-github-actions/auth from 0.7.2 to 0.7.3 (https://github.com/sigstore/rekor/pull/832)
* Bump github/codeql-action from 2.1.10 to 2.1.11 (https://github.com/sigstore/rekor/pull/829)
* Bump google-github-actions/auth from 0.7.1 to 0.7.2 (https://github.com/sigstore/rekor/pull/830)
* Bump google.golang.org/grpc from 1.46.0 to 1.46.2 (https://github.com/sigstore/rekor/pull/828)
* Bump actions/dependency-review-action (https://github.com/sigstore/rekor/pull/825)
* Bump actions/github-script from 6.0.0 to 6.1.0 (https://github.com/sigstore/rekor/pull/826)
* Bump github.com/prometheus/client_golang from 1.12.1 to 1.12.2 (https://github.com/sigstore/rekor/pull/827)
* update go to 1.17.10 in the dockerfile (https://github.com/sigstore/rekor/pull/819)
* Bump github.com/google/trillian from 1.4.0 to 1.4.1 in /hack/tools (https://github.com/sigstore/rekor/pull/818)
* Bump github.com/google/trillian from 1.4.0 to 1.4.1 (https://github.com/sigstore/rekor/pull/817)
* Bump actions/setup-go from 3.0.0 to 3.1.0 (https://github.com/sigstore/rekor/pull/822)
* Bump github/codeql-action (https://github.com/sigstore/rekor/pull/821)
* update release builder images to use go 1.17.10 and cosign image to 1.18.0 (https://github.com/sigstore/rekor/pull/820)
* Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (https://github.com/sigstore/rekor/pull/815)
* Bump github/codeql-action from 2.1.9 to 2.1.10 (https://github.com/sigstore/rekor/pull/816)
* Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 (https://github.com/sigstore/rekor/pull/811)
* Bump github.com/go-openapi/spec from 0.20.5 to 0.20.6 (https://github.com/sigstore/rekor/pull/802)
* Move trillian/merkly to transparency-dev (https://github.com/sigstore/rekor/pull/807)
* Bump github.com/go-playground/validator/v10 from 10.10.1 to 10.11.0 (https://github.com/sigstore/rekor/pull/803)
* chore(deps): Included dependency review (https://github.com/sigstore/rekor/pull/788)
* Bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 (https://github.com/sigstore/rekor/pull/799)
* Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 (https://github.com/sigstore/rekor/pull/794)
* Bump sigstore/cosign-installer from 2.2.1 to 2.3.0 (https://github.com/sigstore/rekor/pull/795)
* Bump github/codeql-action from 2.1.8 to 2.1.9 (https://github.com/sigstore/rekor/pull/796)
* Bump google.golang.org/grpc from 1.45.0 to 1.46.0 (https://github.com/sigstore/rekor/pull/791)
* Bump google-github-actions/auth from 0.7.0 to 0.7.1 (https://github.com/sigstore/rekor/pull/790)
* Bump actions/checkout from 3.0.1 to 3.0.2 (https://github.com/sigstore/rekor/pull/786)
* Bump codecov/codecov-action from 3.0.0 to 3.1.0 (https://github.com/sigstore/rekor/pull/785)
* Bump github.com/mitchellh/mapstructure from 1.4.3 to 1.5.0 (https://github.com/sigstore/rekor/pull/782)
* Bump github.com/mediocregopher/radix/v4 from 4.0.0 to 4.1.0 (https://github.com/sigstore/rekor/pull/781)
* Bump anchore/sbom-action from 0.10.0 to 0.11.0 (https://github.com/sigstore/rekor/pull/779)
* Bump actions/checkout from 3.0.0 to 3.0.1 (https://github.com/sigstore/rekor/pull/778)
* Bump github.com/spf13/viper from 1.10.1 to 1.11.0 (https://github.com/sigstore/rekor/pull/777)
* Bump sigstore/cosign-installer from 2.2.0 to 2.2.1 (https://github.com/sigstore/rekor/pull/776)

## Contributors

* Asra Ali (@asraa)
* Bob Callaway (@bobcallaway)
* Carlos Tadeu Panato Junior (@cpanato)
* Hayden Blauzvern (@haydentherapper)
* Koichi Shiraishi (@zchee)
* Naveen Srinivasan (@naveensrinivasan)
* Priya Wadhwa (@priyawadhwa)


# v0.6.0

Notice: The server side remote fetching of resources will be removed in the next release

## Enhancements

* Create EntryID for new artifacts and return EntryID to user (https://github.com/sigstore/rekor/pull/623)
* Add search through inactive shards for GET by UUID (https://github.com/sigstore/rekor/pull/750)
* Add in configmap to release for sharding config (https://github.com/sigstore/rekor/pull/766)
* set p.Block after parsing; other cleanup (https://github.com/sigstore/rekor/pull/759)
* Add index to hashed intoto envelope (https://github.com/sigstore/rekor/pull/761)
* Add the SHA256 digest of the intoto payload into the rekor entry (https://github.com/sigstore/rekor/pull/764)
* Add support for providing certificate chain for X509 signature types (https://github.com/sigstore/rekor/pull/747)
* Specify public key for inactive shards in shard config (https://github.com/sigstore/rekor/pull/746)
* Use active tree on server startup (https://github.com/sigstore/rekor/pull/727)
* Require tlog_id when inactive shard config file is passed in (https://github.com/sigstore/rekor/pull/739)
* Replace `trillian_log_server.log_id_ranges` flag with a config file (https://github.com/sigstore/rekor/pull/742)
* Update loginfo API endpoint to return information about inactive shards (https://github.com/sigstore/rekor/pull/738)
* Refactor rekor-cli loginfo (https://github.com/sigstore/rekor/pull/734)
* Get log proofs by Tree ID (https://github.com/sigstore/rekor/pull/733)
* Return virtual index when creating and getting a log entry (https://github.com/sigstore/rekor/pull/725)
* Clearer logging for createAndInitTree (https://github.com/sigstore/rekor/pull/724)
* Change TreeID to be of type `string` instead of `int64` (https://github.com/sigstore/rekor/pull/712)
* Switch to using the swag library for pointer manipulation. (https://github.com/sigstore/rekor/pull/719)
* Make the loginfo command a bit more future/backwards proof. (https://github.com/sigstore/rekor/pull/718)
* Use logRangesFlag in API, route reads based on TreeID (https://github.com/sigstore/rekor/pull/671)
* Set rekor-cli User-Agent header on requests (https://github.com/sigstore/rekor/pull/684)
* create namespace for rekor config in yaml. (https://github.com/sigstore/rekor/pull/680)
* add securityContext to deployment. (https://github.com/sigstore/rekor/pull/678)
* Move k8s objects out of the default namespace (https://github.com/sigstore/rekor/pull/674)

## Bug Fixes

* Fix search without sha prefix (https://github.com/sigstore/rekor/pull/767)
* Fix link in types README (https://github.com/sigstore/rekor/pull/765)
* fix typo in filename (https://github.com/sigstore/rekor/pull/758)
* fix build date format for version command (https://github.com/sigstore/rekor/pull/745)
* fix merge conflict (https://github.com/sigstore/rekor/pull/720)

## Documentation

* Add documentation about Alpine type (https://github.com/sigstore/rekor/pull/697)
* update security process link (https://github.com/sigstore/rekor/pull/685)
* Add intoto type documentation (https://github.com/sigstore/rekor/pull/679)
* Add docs about API stability and deprecation policy (https://github.com/sigstore/rekor/pull/661)

## Others

* Bump github.com/go-openapi/spec from 0.20.4 to 0.20.5 (https://github.com/sigstore/rekor/pull/768)
* Bump anchore/sbom-action from 0.9.0 to 0.10.0 (https://github.com/sigstore/rekor/pull/763)
* Bump github/codeql-action from 2.1.7 to 2.1.8 (https://github.com/sigstore/rekor/pull/762)
* Update release jobs and trillian images (https://github.com/sigstore/rekor/pull/756)
* Bump sigstore/cosign-installer from 2.1.0 to 2.2.0 (https://github.com/sigstore/rekor/pull/757)
* Bump anchore/sbom-action from 0.8.0 to 0.9.0 (https://github.com/sigstore/rekor/pull/754)
* Bump codecov/codecov-action from 2.1.0 to 3 (https://github.com/sigstore/rekor/pull/753)
* Bump github/codeql-action from 2.1.6 to 2.1.7 (https://github.com/sigstore/rekor/pull/752)
* Bump google-github-actions/auth from 0.6.0 to 0.7.0 (https://github.com/sigstore/rekor/pull/751)
* Bump github/codeql-action from 1.1.5 to 2.1.6 (https://github.com/sigstore/rekor/pull/748)
* Bump anchore/sbom-action from 0.7.0 to 0.8.0 (https://github.com/sigstore/rekor/pull/743)
* Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 (https://github.com/sigstore/rekor/pull/744)
* Bump github.com/go-openapi/runtime from 0.23.2 to 0.23.3 (https://github.com/sigstore/rekor/pull/740)
* Bump github/codeql-action from 1.1.4 to 1.1.5 (https://github.com/sigstore/rekor/pull/736)
* Use reusable release workflow in sigstore/sigstore (https://github.com/sigstore/rekor/pull/729)
* Fix copy/paste mistake in repo name. (https://github.com/sigstore/rekor/pull/730)
* Bump github.com/spf13/cobra from 1.3.0 to 1.4.0 (https://github.com/sigstore/rekor/pull/728)
* Bump golang from `ca70980` to `c7c9458` (https://github.com/sigstore/rekor/pull/722)
* Bump google.golang.org/grpc from 1.44.0 to 1.45.0 (https://github.com/sigstore/rekor/pull/723)
* Add sharding e2e test to Github Actions (https://github.com/sigstore/rekor/pull/714)
* Bump github.com/go-playground/validator/v10 from 10.10.0 to 10.10.1 (https://github.com/sigstore/rekor/pull/717)
* Bump github/codeql-action from 1.1.3 to 1.1.4 (https://github.com/sigstore/rekor/pull/716)
* Add trillian container to existing release. (https://github.com/sigstore/rekor/pull/715)
* Bump golang from `0168c35` to `ca70980` (https://github.com/sigstore/rekor/pull/707)
* Mirror signed release images from GCR to GHCR as part of release (https://github.com/sigstore/rekor/pull/701)
* Bump anchore/sbom-action from 0.6.0 to 0.7.0 (https://github.com/sigstore/rekor/pull/709)
* Bump github.com/go-openapi/runtime from 0.23.1 to 0.23.2 (https://github.com/sigstore/rekor/pull/710)
* Bump sigstore/cosign-installer from 2.0.1 to 2.1.0 (https://github.com/sigstore/rekor/pull/708)
* Generate release yaml artifact. (https://github.com/sigstore/rekor/pull/702)
* Bump actions/upload-artifact from 2.3.1 to 3 (https://github.com/sigstore/rekor/pull/704)
* Go update to 1.17.8 and cosign to 1.6.0 (https://github.com/sigstore/rekor/pull/705)
* Consistent parenthesis use in Makefile (https://github.com/sigstore/rekor/pull/700)
* add code coverage to pull request. (https://github.com/sigstore/rekor/pull/676)
* Bump actions/checkout from 2.4.0 to 3 (https://github.com/sigstore/rekor/pull/698)
* Bump goreleaser/goreleaser-action from 2.9.0 to 2.9.1 (https://github.com/sigstore/rekor/pull/696)
* Bump actions/setup-go from 2.2.0 to 3.0.0 (https://github.com/sigstore/rekor/pull/694)
* Bump github.com/secure-systems-lab/go-securesystemslib (https://github.com/sigstore/rekor/pull/695)
* Bump golangci/golangci-lint-action from 3.0.0 to 3.1.0 (https://github.com/sigstore/rekor/pull/693)
* Bump goreleaser/goreleaser-action from 2.8.1 to 2.9.0 (https://github.com/sigstore/rekor/pull/692)
* Bump golangci/golangci-lint-action from 2.5.2 to 3 (https://github.com/sigstore/rekor/pull/691)
* Bump github/codeql-action from 1.1.2 to 1.1.3 (https://github.com/sigstore/rekor/pull/690)
* Bump github.com/go-openapi/runtime from 0.23.0 to 0.23.1 (https://github.com/sigstore/rekor/pull/689)
* explicitly set permissions for github actions (https://github.com/sigstore/rekor/pull/687)
* Bump sigstore/cosign-installer from 2.0.0 to 2.0.1 (https://github.com/sigstore/rekor/pull/686)
* Bump ossf/scorecard-action from 1.0.3 to 1.0.4 (https://github.com/sigstore/rekor/pull/683)
* Bump github/codeql-action from 1.1.0 to 1.1.2 (https://github.com/sigstore/rekor/pull/682)
* Bump actions/github-script from 5.1.0 to 6 (https://github.com/sigstore/rekor/pull/669)
* Bump github/codeql-action from 1.0.32 to 1.1.0 (https://github.com/sigstore/rekor/pull/668)
* update cross-build and dockerfile to use go 1.17.7 (https://github.com/sigstore/rekor/pull/666)
* Bump gopkg.in/ini.v1 from 1.66.3 to 1.66.4 (https://github.com/sigstore/rekor/pull/664)
* Bump actions/setup-go from 2.1.5 to 2.2.0 (https://github.com/sigstore/rekor/pull/663)
* Bump golang from `301609e` to `fff998d` (https://github.com/sigstore/rekor/pull/662)
* use upstream k8s version lib (https://github.com/sigstore/rekor/pull/657)
* Bump github/codeql-action from 1.0.31 to 1.0.32 (https://github.com/sigstore/rekor/pull/659)
* Bump go.uber.org/zap from 1.20.0 to 1.21.0 (https://github.com/sigstore/rekor/pull/660)
* Bump github.com/go-openapi/strfmt from 0.21.1 to 0.21.2 (https://github.com/sigstore/rekor/pull/656)
* Bump github.com/go-openapi/runtime from 0.22.0 to 0.23.0 (https://github.com/sigstore/rekor/pull/655)
* Update the warning text for the GA release. (https://github.com/sigstore/rekor/pull/654)
* attempting to fix codeowners file (https://github.com/sigstore/rekor/pull/653)
* update release job (https://github.com/sigstore/rekor/pull/651)
* Bump google-github-actions/auth from 0.5.0 to 0.6.0 (https://github.com/sigstore/rekor/pull/652)

## Contributors

* Asra Ali (@asraa)
* Bob Callaway (@bobcallaway)
* Carlos Tadeu Panato Junior (@cpanato)
* Dan Lorenc (@dlorenc)
* Eddie Zaneski (@eddiezane)
* Hayden Blauzvern (@haydentherapper)
* John Speed Meyers
* Kenny Leung (@k4leung4)
* Lily Sturmann (@lkatalin)
* Priya Wadhwa (@priyawadhwa)
* Scott Nichols (@n3wscott)

# v0.5.0

## Highlights

* Add Rekor logo to README (https://github.com/sigstore/rekor/pull/650)
* update API calls to v5 (https://github.com/sigstore/rekor/pull/591)
* Refactor helm type to remove intermediate state. (https://github.com/sigstore/rekor/pull/575)
* Refactor the shard map parsing so we can pass it down into the API object. (https://github.com/sigstore/rekor/pull/564)
* Refactor the alpine type to reduce intermediate state. (https://github.com/sigstore/rekor/pull/573)

## Enhancements

* Add logic to GET artifacts via old or new UUID (https://github.com/sigstore/rekor/pull/587)
* helpful error message for hashedrekord types (https://github.com/sigstore/rekor/pull/605)
* Set Accept header in dynamic counter requests (https://github.com/sigstore/rekor/pull/594)
* Add sharding package and update validators (https://github.com/sigstore/rekor/pull/583)
* rekor-cli: show the url in case of error (https://github.com/sigstore/rekor/pull/581)
* Enable parsing of incomplete minisign keys, to enable re-indexing. (https://github.com/sigstore/rekor/pull/567)
* Cleanups on the TUF pluggable type. (https://github.com/sigstore/rekor/pull/563)
* Refactor the RPM type to remove more intermediate state. (https://github.com/sigstore/rekor/pull/566)
* Do some cleanups of the jar type to remove intermediate state. (https://github.com/sigstore/rekor/pull/561)

## Others

* Update Makefile (https://github.com/sigstore/rekor/pull/621)
* update version comments since dependabot doesn't do it (https://github.com/sigstore/rekor/pull/617)
* Use workload identity provider instead of GitHub Secret for GCR access (https://github.com/sigstore/rekor/pull/600)
* add OSSF scorecard action (https://github.com/sigstore/rekor/pull/599)
* enable the sbom for rekor releases (https://github.com/sigstore/rekor/pull/586)
* Point to the official website (instead of a 404) (https://github.com/sigstore/rekor/pull/580)
* add milestone to closed prs (https://github.com/sigstore/rekor/pull/574)
* Add a Makefile target for the "ko apply" step. (https://github.com/sigstore/rekor/pull/572)
* types/README.md: Corrected documentation link (https://github.com/sigstore/rekor/pull/568)

## Dependencies Updates

* Bump github.com/prometheus/client_golang from 1.12.0 to 1.12.1 (https://github.com/sigstore/rekor/pull/636)
* Bump github.com/go-openapi/runtime from 0.21.1 to 0.22.0 (https://github.com/sigstore/rekor/pull/635)
* Bump github.com/go-openapi/swag from 0.19.15 to 0.20.0 (https://github.com/sigstore/rekor/pull/634)
* Bump golang from `f71d4ca` to `301609e` (https://github.com/sigstore/rekor/pull/627)
* Bump golang from `0fa6504` to `f71d4ca` (https://github.com/sigstore/rekor/pull/624)
* Bump google.golang.org/grpc from 1.43.0 to 1.44.0 (https://github.com/sigstore/rekor/pull/622)
* Bump github/codeql-action from 1.0.29 to 1.0.30 (https://github.com/sigstore/rekor/pull/619)
* Bump ossf/scorecard-action from 1.0.1 to 1.0.2 (https://github.com/sigstore/rekor/pull/618)
* bump swagger and go mod tidy (https://github.com/sigstore/rekor/pull/616)
* Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (https://github.com/sigstore/rekor/pull/614)
* Bump github.com/go-openapi/errors from 0.20.1 to 0.20.2 (https://github.com/sigstore/rekor/pull/613)
* Bump google-github-actions/auth from 0.4.4 to 0.5.0 (https://github.com/sigstore/rekor/pull/612)
* Bump github/codeql-action from 1.0.28 to 1.0.29 (https://github.com/sigstore/rekor/pull/611)
* Bump gopkg.in/ini.v1 from 1.66.2 to 1.66.3 (https://github.com/sigstore/rekor/pull/608)
* Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (https://github.com/sigstore/rekor/pull/609)
* Update github/codeql-action requirement to 8a4b243fbf9a03a93e93a71c1ec257347041f9c4 (https://github.com/sigstore/rekor/pull/606)
* Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.0 (https://github.com/sigstore/rekor/pull/607)
* Bump ossf/scorecard-action from 0fe1afdc40f536c78e3dc69147b91b3ecec2cc8a to 1.0.1 (https://github.com/sigstore/rekor/pull/603)
* Bump goreleaser/goreleaser-action from 2.8.0 to 2.8.1 (https://github.com/sigstore/rekor/pull/602)
* Bump golang from `8c0269d` to `0fa6504` (https://github.com/sigstore/rekor/pull/597)
* Pin dependencies in github action workflows and Dockerfile (https://github.com/sigstore/rekor/pull/595)
* update release image to use go 1.17.6 (https://github.com/sigstore/rekor/pull/589)
* Bump golang from 1.17.5 to 1.17.6 (https://github.com/sigstore/rekor/pull/588)
* Bump go.uber.org/goleak from 1.1.11 to 1.1.12 (https://github.com/sigstore/rekor/pull/585)
* Bump go.uber.org/zap from 1.19.1 to 1.20.0 (https://github.com/sigstore/rekor/pull/584)
* Bump github.com/go-playground/validator/v10 from 10.9.0 to 10.10.0 (https://github.com/sigstore/rekor/pull/579)
* Bump actions/github-script from 4 to 5 (https://github.com/sigstore/rekor/pull/577)

## Contributors

* Asra Ali (@asraa)
* Bob Callaway (@bobcallaway)
* Carlos Tadeu Panato Junior (@cpanato)
* Dan Lorenc (@dlorenc)
* Jason Hall (@imjasonh)
* Lily Sturmann (@lkatalin)
* Morten Linderud (@Foxboron)
* Nathan Smith (@nsmith5)
* Sylvestre Ledru (@sylvestre)
* Trishank Karthik Kuppusamy (@trishankatdatadog)

# v0.4.0

## Highlights

* Adds hashed rekord type that can be used to upload signatures along with the hashed content signed (https://github.com/sigstore/rekor/pull/501)

## Enhancements

* Update the schema to match that of Trillian repo. The map specific (https://github.com/sigstore/rekor/pull/528)
* allow setting the user-agent string sent from the client (https://github.com/sigstore/rekor/pull/521)
* update key usage for ts cert (https://github.com/sigstore/rekor/pull/504)
* api/index/retrieve: allow searching on indices with sha1 hashes (https://github.com/sigstore/rekor/pull/499)
* Only include Attestation data if attestation storage enabled (https://github.com/sigstore/rekor/pull/494)
* Fuzzing RequestFromRekor API (https://github.com/sigstore/rekor/pull/488)
* Included pprof for profiling the application. (https://github.com/sigstore/rekor/pull/485)
* refactor release and add signing (https://github.com/sigstore/rekor/pull/483)
* More verbose error message for redis connection failure (https://github.com/sigstore/rekor/pull/479) (https://github.com/sigstore/rekor/pull/480)
* Fixed modtime for reproducible goreleaser (https://github.com/sigstore/rekor/pull/473)
* add goreleaser and cloudbuild for releases (https://github.com/sigstore/rekor/pull/443)
* Add dynamic JS tree size counter (https://github.com/sigstore/rekor/pull/468)
* check that entry UUID == leafHash of returned entry (https://github.com/sigstore/rekor/pull/469)
* chore: upgrade cosign version (https://github.com/sigstore/rekor/pull/465)
* Reproducible builds with trimpath (https://github.com/sigstore/rekor/pull/464)
* correct links, add Table of Contents of sorts (https://github.com/sigstore/rekor/pull/449)
* update go tuf for rsa key impl (https://github.com/sigstore/rekor/pull/446)
* Canonicalize JSON before inserting into trillian (https://github.com/sigstore/rekor/pull/445)
* Export search UUIDs field (https://github.com/sigstore/rekor/pull/438)
* Add a flag to start specifying log index ranges for virtual indices. (https://github.com/sigstore/rekor/pull/435)
* Cleanup some initialization/flag parsing in rekor-server. (https://github.com/sigstore/rekor/pull/433)
* Drop 404 errors down to a warning. (https://github.com/sigstore/rekor/pull/426)
* Cleanup the output of search (the text goes to stderr not stdout). (https://github.com/sigstore/rekor/pull/421)
* remove extradata field from types (https://github.com/sigstore/rekor/pull/418)
* Update usage of ./cmd/rekor-cli/ from `rekor` to `rekor-cli` (https://github.com/sigstore/rekor/pull/417)
* Add TUF type (https://github.com/sigstore/rekor/pull/383)
* Updates to INSTALLATION.md notes (https://github.com/sigstore/rekor/pull/415)
* Update snippets to use `console` type for snippets (https://github.com/sigstore/rekor/pull/410)
* version: add way to display a version when using go get or go install (https://github.com/sigstore/rekor/pull/405)
* Use an in memory timestamping key (https://github.com/sigstore/rekor/pull/402)
* Links are case sensitive (https://github.com/sigstore/rekor/pull/401)
* Installation guide (https://github.com/sigstore/rekor/pull/400)
* Add a SignedTimestampNote (https://github.com/sigstore/rekor/pull/397)
* Provide instructions on verifying releases (https://github.com/sigstore/rekor/pull/399)
* rekor-server: add html page when humans reach the server via the browser (https://github.com/sigstore/rekor/pull/394)
* use go modules to track tools (https://github.com/sigstore/rekor/pull/395)

## Bug Fixes

* bug: fix minisign prehashed entries (https://github.com/sigstore/rekor/pull/639)
* fix timestamp addition and unmarshal (https://github.com/sigstore/rekor/pull/525)
* Correct & parallelize tests (https://github.com/sigstore/rekor/pull/522)
* Fix fuzz go.sum issue (https://github.com/sigstore/rekor/pull/509)
* fix validation error (https://github.com/sigstore/rekor/pull/503)
* Correct Helm index keys (https://github.com/sigstore/rekor/pull/474)
* Fix a bug in x509 certificate handling. (https://github.com/sigstore/rekor/pull/461)
* Fix a conflict from parallel dependabot merges. (https://github.com/sigstore/rekor/pull/456)
* fix tuf metadata marshalling (https://github.com/sigstore/rekor/pull/447)
* Switch DSSE provider to go-securesystemslib (https://github.com/sigstore/rekor/pull/442)
* fix unmarshalling sth (https://github.com/sigstore/rekor/pull/409)
* Fix port flag override (https://github.com/sigstore/rekor/pull/396)
* makefile: small fix on the makefile for the rekor-server (https://github.com/sigstore/rekor/pull/393)

## Dependencies Updates

* Bump github.com/spf13/viper from 1.9.0 to 1.10.0 (https://github.com/sigstore/rekor/pull/531)
* Bump sigstore/cosign-installer from 1.3.1 to 1.4.1 (https://github.com/sigstore/rekor/pull/530)
* Bump the DSSE signing library. (https://github.com/sigstore/rekor/pull/529)
* Bump golang from 1.17.4 to 1.17.5 (https://github.com/sigstore/rekor/pull/527)
* Bump golang from 1.17.3 to 1.17.4 (https://github.com/sigstore/rekor/pull/523)
* Bump gopkg.in/ini.v1 from 1.66.0 to 1.66.2 (https://github.com/sigstore/rekor/pull/520)
* Bump github.com/mitchellh/mapstructure from 1.4.2 to 1.4.3 (https://github.com/sigstore/rekor/pull/517)
* Bump github.com/secure-systems-lab/go-securesystemslib (https://github.com/sigstore/rekor/pull/516)
* Bump gopkg.in/ini.v1 from 1.64.0 to 1.66.0 (https://github.com/sigstore/rekor/pull/513)
* Upgraded go-playground/validator module to v10 (https://github.com/sigstore/rekor/pull/507)
* Bump gopkg.in/ini.v1 from 1.63.2 to 1.64.0 (https://github.com/sigstore/rekor/pull/495)
* Bump github.com/go-openapi/strfmt from 0.21.0 to 0.21.1 (https://github.com/sigstore/rekor/pull/510)
* Bump the trillian import to v1.4.0. (https://github.com/sigstore/rekor/pull/502)
* Bump the trillian versions to v1.4.0 in our docker-compose setup. (https://github.com/sigstore/rekor/pull/500)
* update go.mod for go-fuzz (https://github.com/sigstore/rekor/pull/496)
* Bump sigstore/cosign-installer from 1.3.0 to 1.3.1 (https://github.com/sigstore/rekor/pull/491)
* Bump golang from 1.17.2 to 1.17.3 (https://github.com/sigstore/rekor/pull/482)
* Bump google.golang.org/grpc from 1.41.0 to 1.42.0 (https://github.com/sigstore/rekor/pull/478)
* Bump actions/checkout from 2.3.5 to 2.4.0 (https://github.com/sigstore/rekor/pull/477)
* Bump github.com/go-openapi/runtime from 0.20.0 to 0.21.0 (https://github.com/sigstore/rekor/pull/470)
* bump go-swagger to v0.28.0 (https://github.com/sigstore/rekor/pull/463)
* Bump github.com/in-toto/in-toto-golang from 0.3.2 to 0.3.3 (https://github.com/sigstore/rekor/pull/459)
* Bump actions/checkout from 2.3.4 to 2.3.5 (https://github.com/sigstore/rekor/pull/458)
* Bump github.com/mediocregopher/radix/v4 from 4.0.0-beta.1 to 4.0.0 (https://github.com/sigstore/rekor/pull/460)
* Bump github.com/go-openapi/runtime from 0.19.31 to 0.20.0 (https://github.com/sigstore/rekor/pull/451)
* Bump github.com/go-openapi/spec from 0.20.3 to 0.20.4 (https://github.com/sigstore/rekor/pull/454)
* Bump github.com/go-openapi/validate from 0.20.2 to 0.20.3 (https://github.com/sigstore/rekor/pull/453)
* Bump github.com/go-openapi/strfmt from 0.20.2 to 0.20.3 (https://github.com/sigstore/rekor/pull/452)
* Bump github.com/go-openapi/loads from 0.20.2 to 0.20.3 (https://github.com/sigstore/rekor/pull/450)
* Bump golang from 1.17.1 to 1.17.2 (https://github.com/sigstore/rekor/pull/448)
* Bump google.golang.org/grpc from 1.40.0 to 1.41.0 (https://github.com/sigstore/rekor/pull/441)
* Bump golang.org/x/mod from 0.5.0 to 0.5.1 (https://github.com/sigstore/rekor/pull/440)
* Bump github.com/spf13/viper from 1.8.1 to 1.9.0 (https://github.com/sigstore/rekor/pull/439)
* Bump gopkg.in/ini.v1 from 1.63.0 to 1.63.2 (https://github.com/sigstore/rekor/pull/437)
* Bump github.com/mitchellh/mapstructure from 1.4.1 to 1.4.2 (https://github.com/sigstore/rekor/pull/436)
* Bump gocloud to v0.24.0. (https://github.com/sigstore/rekor/pull/434)
* Bump golang from 1.17.0 to 1.17.1 (https://github.com/sigstore/rekor/pull/432)
* Bump go.uber.org/zap from 1.19.0 to 1.19.1 (https://github.com/sigstore/rekor/pull/431)
* Bump gopkg.in/ini.v1 from 1.62.0 to 1.63.0 (https://github.com/sigstore/rekor/pull/429)
* Bump github.com/go-openapi/runtime from 0.19.30 to 0.19.31 (https://github.com/sigstore/rekor/pull/425)
* Bump github.com/go-openapi/errors from 0.20.0 to 0.20.1 (https://github.com/sigstore/rekor/pull/423)
* Bump github.com/go-openapi/strfmt from 0.20.1 to 0.20.2 (https://github.com/sigstore/rekor/pull/422)
* Bump golang from 1.16.7 to 1.17.0 (https://github.com/sigstore/rekor/pull/413)
* Bump golang.org/x/mod from 0.4.2 to 0.5.0 (https://github.com/sigstore/rekor/pull/412)
* Bump google.golang.org/grpc from 1.39.1 to 1.40.0 (https://github.com/sigstore/rekor/pull/411)
* Bump github.com/go-openapi/runtime from 0.19.29 to 0.19.30 (https://github.com/sigstore/rekor/pull/408)
* Bump go.uber.org/zap from 1.18.1 to 1.19.0 (https://github.com/sigstore/rekor/pull/407)
* Bump golang from 1.16.6 to 1.16.7 (https://github.com/sigstore/rekor/pull/403)
* Bump google.golang.org/grpc from 1.39.0 to 1.39.1 (https://github.com/sigstore/rekor/pull/404)


## Contributors

* Aditya Sirish (@adityasaky)
* Andrew Block (@sabre1041)
* Asra Ali (@asraa)
* Axel Simon (@axelsimon)
* Batuhan Apaydın (@developer-guy)
* Bob Callaway (@bobcallaway)
* Carlos Panato (@cpanato)
* Dan Lorenc (@dlorenc)
* Dan Luhring (@luhring)
* Harry Fallows (@harryfallows)
* Hector Fernandez (@hectorj2f)
* Jake Sanders (@dekkagaijin)
* Jason Hall (@imjasonh)
* Lily Sturmann (@lkatalin)
* Luke Hinds (@lukehinds)
* Marina Moore (@mnm678)
* Mikhail Swift (@mikhailswift)
* Naveen Srinivasan (@naveensrinivasan)
* Robert James Hernandez (@sarcasticadmin)
* Santiago Torres (@SantiagoTorres)
* Tiziano Santoro (@tiziano88)
* Trishank Karthik Kuppusamy (@trishankatdatadog)
* Ville Aikas (@vaikas)
* kpcyrd (@kpcyrd)