Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

cosign-2.2.3-150400.3.17.1 RPM for s390x

From OpenSuSE Leap 15.6 for s390x

Name: cosign Distribution: SUSE Linux Enterprise 15
Version: 2.2.3 Vendor: SUSE LLC <https://www.suse.com/>
Release: 150400.3.17.1 Build date: Tue Feb 6 15:42:41 2024
Group: Unspecified Build host: s390zl39
Size: 84764902 Source RPM: cosign-2.2.3-150400.3.17.1.src.rpm
Packager: https://www.suse.com/
Url: https://github.com/sigstore/cosign
Summary: Container Signing, Verification and Storage in an OCI registry
Cosign aims to make signatures invisible infrastructure.

Cosign supports:

- Hardware and KMS signing
- Bring-your-own PKI
- Our free OIDC PKI (Fulcio)
- Built-in binary transparency and timestamping service (Rekor)

Provides

Requires

License

Apache-2.0

Changelog

* Fri Feb 02 2024 meissner@suse.com
  - updated to 2.2.3 (jsc#SLE-23879)
    Bug Fixes:
    * Fix race condition on verification with multiple signatures attached to image (#3486)
    * fix(clean): Fix clean cmd for private registries (#3446)
    * Fixed BYO PKI verification (#3427)
    Features:
    * Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
    * Add support for OpenVEX predicate type (#3405)
    Documentation:
    * Resolves #3088: `version` sub-command expected behaviour documentation and testing (#3447)
    * add examples for cosign attach signature cmd (#3468)
    Misc:
    * Remove CertSubject function (#3467)
    * Use local rekor and fulcio instances in e2e tests (#3478)
  - bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)
* Tue Dec 12 2023 marcos.bjoerkelund@suse.com
  - updated to 2.2.2 (jsc#SLE-23879)
    v2.2.2 adds a new container with a shell,
    gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing
    container gcr.io/projectsigstore/cosign:vx.y.z without a shell.
    For private deployments, we have also added an alias for
    - -insecure-skip-log, --private-infrastructure.
    Bug Fixes:
    * chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411) which fixes a bug with using Azure KMS
    * Don't require CT log keys if using a key/sk (#3415)
    * Fix copy without any flag set (#3409)
    * Update cosign generate cmd to not include newline (#3393)
    * Fix idempotency error with signing (#3371)
    Features:
    * Add --yes flag cosign import-key-pair to skip the overwrite confirmation. (#3383)
    * Use the timeout flag value in verify* commands. (#3391)
    * add --private-infrastructure flag (#3369)
    Container Updates:
    * Bump builder image to use go1.21.4 and add new cosign image tags with shell (#3373)
    Documentation:
    * Update SBOM_SPEC.md (#3358)
* Tue Nov 07 2023 meissner@suse.com
  - updated to 2.2.1 (jsc#SLE-23879)
    This release comes with a fix for
    CVE-2023-46737 / bsc#1216933 described in this [Github Security
    Advisory](https://github.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9).
    Enhancements:
    * feat: Support basic auth and bearer auth login to registry (#3310)
    * add support for ignoring certificates with pkcs11 (#3334)
    * Support ReplaceOp in Signatures (#3315)
    * feat: added ability to get image digest back via triangulate (#3255)
    * feat: add `--only` flag in `cosign copy` to copy sign, att & sbom (#3247)
    * feat: add support attaching a Rekor bundle to a container (#3246)
    * feat: add support outputting rekor response on signing (#3248)
    * feat: improve dockerfile verify subcommand (#3264)
    * Add guard flag for experimental OCI 1.1 verify. (#3272)
    * Deprecate SBOM attachments (#3256)
    * feat: dedent line in cosign copy doc (#3244)
    * feat: add platform flag to cosign copy command (#3234)
    * Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)
    * attest: pass OCI remote opts to att resolver. (#3225)
    Bug Fixes:
    * Merge pull request from GHSA-vfp6-jrw2-99g9
    * fix: allow cosign download sbom when image is absent (#3245)
    * ci: add a OCI registry test for referrers support (#3253)
    * Fix ReplaceSignatures (#3292)
    * Stop using deprecated in_toto.ProvenanceStatement (#3243)
    * Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237)
    * fix: update error in `SignedEntity` to be more descriptive (#3233)
    * Fail timestamp verification if no root is provided (#3224)
    Documentation:
    * Add some docs about verifying in an air-gapped environment (#3321)
    * Update CONTRIBUTING.md (#3268)
    * docs: improves the Contribution guidelines (#3257)
    * Remove security policy (#3230)
    Others:
    * Set go to min 1.21 and update dependencies  (#3327)
    * Update contact for code of conduct (#3266)
    * Update .ko.yaml (#3240)
* Fri Sep 01 2023 meissner@suse.com
  - updated to 2.2.0 (jsc#SLE-23879)
    - Enhancements
    * switch to uploading DSSE types to rekor instead of intoto (#3113)
    * add 'cosign sign' command-line parameters for mTLS (#3052)
    * improve error messages around bundle != payload hash (#3146)
    * make VerifyImageAttestation function public (#3156)
    * Switch to cryptoutils function for SANS (#3185)
    * Handle HTTP_1_1_REQUIRED errors in github provider (#3172)
    - Bug Fixes
    * Fix nondeterminsitic timestamps (#3121)
    - Documentation
    * doc: Add example of sign-blob with key in env var (#3152)
    * add deprecation notice for cosign-releases GCS bucket (#3148)
    * update doc links (#3186)
* Tue Jun 27 2023 meissner@suse.com
  - updated to 2.1.1 (jsc#SLE-23879)
    - Bug Fixes
    - wait for the workers become available again to continue the execution (#3084)
    - fix help text when in a container (#3082)
  - updated to 2.1.0 (jsc#SLE-23879)
    - Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag.
    - Enhancements
    - Verify sigs and attestations in parallel (#3066)
    - Deep inspect attestations when filtering download (#3031)
    - refactor bundle validation code, add support for DSSE rekor type (#3016)
    - Allow overriding remote options (#3049)
    - feat: adds no cert found on sig exit code (#3038)
    - Make predicate a required flag in attest commands (#3033)
    - Added support for attaching Time stamp authority Response in attach command (#3001)
    - Add sign --sign-container-identity CLI (#2984)
    - Feature: Allow cosign to sign digests before they are uploaded. (#2959)
    - accepts attachment-tag-prefix for cosign copy (#3014)
    - Feature: adds '--allow-insecure-registry' for cosign load (#3000)
    - download attestation: support --platform flag (#2980)
    - Cleanup: Add Digest to the SignedEntity interface. (#2960)
    - verify command: support keyless verification using only a provided certificate chain with non-fulcio roots (#2845)
    - verify: use workers to limit the paralellism when verifying images with --max-workers flag (#3069)
    - Bug Fixes
    - Fix pkg/cosign/errors (#3050)
    - Fix: update doc to refer to github-actions oidc provider (#3040)
    - Fix: prefer GitHub OIDC provider if enabled (#3044)
    - Fix --sig-only in cosign copy (#3074)
    - Documentation
    - Fix links to sigstore/docs in markdown files (#3064)
* Sun May 07 2023 meissner@suse.com
  - update to 2.0.2 (jsc#SLE-23879)
    Enhancements
    - Update sigstore/sigstore to v1.6.2 to pick up TUF CDN change (#2891)
    - feat: Make cosign copy faster (#2901)
    - remove sget (#2885)
    - Require a payload to be provided with a signature (#2785)
    Bug Fixes
    - cmd: Change error message from KeyParseError to PubKeyParseError for verify-blob. (#2876)
    - Use SOURCE_DATE_EPOCH for OCI CreatedAt times (#2878)
    Documentation
    - Remove experimental warning from Fulcio flags (#2923)
    - add missing oidc provider (#2922)
    - Add zot as a supported registry (#2920)
    - deprecates kms_support docs (#2900)
    - chore(docs) deprecate note for usage docs (#2906)
    - adds note of deprecation for examples.md docs (#2899)
* Mon Apr 17 2023 meissner@suse.com
  - update to 2.0.1 (jsc#SLE-23879)
    Enhancements
    - Add environment variable token provider (#2864)
    - Remove cosign policy command (#2846)
    - Allow customising 'go' executable with GOEXE var (#2841)
    - Consistent tlog warnings during verification (#2840)
    - Add riscv64 arch (#2821)
    - Default generated PEM labels to SIGSTORE (#2735)
    - Update privacy statement and confirmation (#2797)
    - Add exit codes for verify errors (#2766)
    - Add Buildkite provider (#2779)
    - verify-blob-attestation: Loosen arg requirements if --check-claims=false (#2746)
    Bug Fixes
    - PKCS11 sessions are now opened read only (#2853)
    - Makefile: date format of log should not show signatures (#2835)
    - Add missing flags to cosign verify dockerfile/manifest (#2830)
    - Add a warning to remember how to configure a custom Gitlab host (#2816)
    - Remove tag warning message from save/copy commands (#2799)
    - Mark keyless pem files with b64 (#2671)
* Tue Apr 04 2023 dmueller@suse.com
  - fix buildtags
  - build against a maintained golang version (upstream uses go1.20)
* Mon Feb 27 2023 meissner@suse.com
  - update to 2.0.0 (jsc#SLE-23879)
    Breaking Changes:
    * insecure-skip-tlog-verify: rename and adapt the cert expiration check (#2620)
    * Deprecate --certificate-email flag. Make --certificate-identity and -… (#2411)
    Enhancements:
    * Change go module name to github.com/sigstore/cosign/v2 for Cosign 2.0 (#2544)
    * Allow users to pass in a path for the --identity-token flag (#2538)
    * Breaking change: Respect tlog-upload=false, default to true (#2505)
    * Support outputing a certificate without uploading to the tlog (#2506)
    * Attestation/Blob signing and verification using a RFC3161 time-stamping server (#2464)
    * respect tlog-upload flag with TSA (#2474)
    * Better feedback if specifying incompatible argument on cosign sign --attachment (#2449)
    * Support TSA and Rekor verifications (#2463)
    * add support for tsa signing and verification of images (#2460)
    * cosign policy sign: remove experimental flag and make keyless signing default (#2459)
    * Remove experimental mode from cosign attest and verify-attestation (#2458)
    * Remove experimental mode from sign-blob and verify-blob (#2457)
    * Add --offline flag to force offline verification (#2427)
    * Air gap support (#2299)
    * Breaking change: Change SCT verification behavior to default to enforcement (#2400)
    * Breaking change: remove --force flag from sign and attest and rely on --yes flag to skip confirmation (#2399)
    * Breaking change: replace --no-tlog-upload flag with --tlog-upload flag (#2397)
    * Remove experimental flag from cosign sign and cosign verify (#2387)
    * verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a key from rekor's API (#2362)
    * Add warning to use digest instead of tags to other cosign commands (#2650)
    * Fix up UI messages (#2629)
    * Remove hardcoded Fulcio from output (#2621)
    * Fix missing privacy statement, print in multiple locations (#2622)
    * feat: allows custom key names for import-key-pair (#2587)
    * feat: support keyless verification for verify-blob-attestation (#2525)
    * attest-blob: add functionality for keyless signing (#2515)
    * Rego: add support for custom error/warning messages when evaluating rego rules (#2577)
    * feat: add debug information to cert validation error (#2579)
    * Support non-Sigstore TSA requests (#2708)
    * Add COSIGN_OCI_EXPERIMENTAL, push .sig/.sbom using OCI 1.1+ digest tag (#2684)
    * Output certificate in bundle when entry is not uploaded to Rekor (#2715)
    * attach signature and attach sbom must use STDIN to upload raw string (#2637)
    * add generate-key-pair GitHub Enterprise server support (#2676)
    * add in format string for warning (#2699)
    * Support for fetching Fulcio certs with self-managed key (#2532)
    * 2476 predicate type download (#2484)
    Bug Fixes:
    * Fix the file existence check. (#2552)
    * Fix timestamp verification, add verify-blob tests (#2527)
    * Fix(verify): Consolidate certificate expiry logic (#2504)
    * Updates to Timestamp signing and verification (#2499)
    * Fix: removes attestation payload from attest-blob's output & no base64 encoding (#2498)
    * Fix path for e2e-tests badge (#2490)
    * Fix spdx json media type (#2479)
    * Fix sct verificaction (#2426)
    * Fix: panic with unsigned local image (#2656)
    * Make sure a cert passed in via --cert matches the bundle cert (#2652)
    * Fix: fix github oidc post submit test (#2594)
    * Fix: add enhanced error messages for failing verification with TUF targets (#2589)
    * Fix: Add missing schemes to cosign predicate types. (#2717)
    * Fix: Drop the CosignPredicate wrapper around SBOM attestations. (#2718)
    * Fix prompts with Windows line endings (#2674)
* Tue Oct 18 2022 meissner@suse.com
  - update to 1.13.1:
    * verify-blob-attestation: allow multiple subjects in in_toto attestation (#2341)
    * Nits for #2337 (#2342)
    * Add verify-blob-attestation command and tests (#2337)
    * Update warning when users sign images by tag. (#2313)
    * Remove experimental flags from attest-blob and refactor (#2338)
    * Add --output-attestation flag to attest-blob and remove experimental signing (#2332)
    * Add attest-blob command (#2286)
    * Add '--cert-identity' flag to support subject alternate names for ver… (#2278)
    * Update Dockerfile section of README (#2323)
    * Fix option description: "sign" --> "verify" (#2306)
  - update to 1.13.0:
    * feat: use stdin as an input for predicate by @developer-guy in https://github.com/sigstore/cosign/pull/2269
    * feat: improve the verification message by @developer-guy in https://github.com/sigstore/cosign/pull/2268
    * use scaffolding 0.4.8 for tests. by @vaikas in https://github.com/sigstore/cosign/pull/2280
    * fix pivtool generate key touch policy by @cpanato in https://github.com/sigstore/cosign/pull/2282
    * Check error on chain verification failure by @haydentherapper in https://github.com/sigstore/cosign/pull/2284
    * Fix: Remove an extra registry request from verification path. by @mattmoor in https://github.com/sigstore/cosign/pull/2285
    * Fix: Create a static copy of signatures as part of verification. by @mattmoor in https://github.com/sigstore/cosign/pull/2287
    * Data race in FetchSignaturesForReference by @RTann in https://github.com/sigstore/cosign/pull/2283
    * Add support for Fulcio username identity in SAN by @haydentherapper in https://github.com/sigstore/cosign/pull/2291
    * fix: make tlog entry lookups for online verification shard-aware by @asraa in https://github.com/sigstore/cosign/pull/2297
    * Better help text to sign and verify SBOM by @ChristianCiach in https://github.com/sigstore/cosign/pull/2308
    * Adding warning to pin to digest by @ChaosInTheCRD in https://github.com/sigstore/cosign/pull/2311
    * Add annotations for upload blob. by @cldmnky in https://github.com/sigstore/cosign/pull/2188
    * replace deprecate package by @cpanato in https://github.com/sigstore/cosign/pull/2314
    * update release images to use go1.19.2 and cosign v1.12.1 by @cpanato in https://github.com/sigstore/cosign/pull/2315
* Tue Sep 27 2022 dmueller@suse.com
  - update to 1.12.1:
    * fix: Pulls Fulcio root and intermediate when --certificate-chain is not
      passed into verify-blob command. The v1.12.0 release introduced a
      regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would
      check a --certificate (without a --certificate-chain provided) against the
      operating system root CA bundle. In this release, Cosign checks the
      certificate against Fulcio's CA root instead (restoring the earlier
      behavior).
    * fix: fix cert chain validation for verify-blob in non-experimental mode
    * fix: add COSIGN_EXPERIMENTAL=1 for verify-bloba
    * Fix BYO-root with intermediate to fetch intermediates from annotation
    * fix: fixing breaking changes in rekor v1.12.0 upgrade
  - use go-modules service to generate the vendor.tar and use zstd
* Thu Sep 15 2022 meissner@suse.com
  - updated to 1.12.0 (jsc#SLE-23879)
    - CVE-2022-36056: Fixed verify-blob could successfully verify an artifact when verification should have failed (bsc#1203430)
    - Support non-ECDSA key types for verify-blob by @haydentherapper in #2203
    - feat: integrate Alibaba Cloud Container Registry cred helper by @mozillazg in #2008
    - remove double quotes, looks like it is passing as a single string to cosign and not as an array by @cpanato in #2205
    - Clarify error when KMS provider fails to load by @znewman01 in #2220
    - feat: set annotations to generate additional bash completion information by @dirien in #2221
    - Add deprecation warning for sget CLI and packages by @imjasonh in #2019
    - upgrade setup-ko to point to new repo by @imjasonh in #2225
    - Temp fix for e2e test by @haydentherapper in #2247
    - update kind to use release v0.15.0 and some version comments by @cpanato in #2246
    - Fix e2e test failure, add test for local bundle without rekor bundle by @haydentherapper in #2248
    - fix: fix secret test, non-experimental bundle should pass by @asraa in #2249
  - updated to 1.11.1
    - add stale workflow using the workflow template by @cpanato in #2175
    - Update Scorecard action to v2:alpha by @azeemshaikh38 in #2177
    - add release cadence section in the readme by @cpanato in #2179
    - feat: Rework fig autocomplete command by @dirien in #2187
    - fix: fix typo that caused attestation verification failure by @asraa in #2199
  - updated to 1.11.0
    - Verify the certificate chain against the Fulcio root trust by default by @wata727 in #2139
    - Add notes to clarify registry use. by @bendory in #2145
    - Use TUF from scaffolding for validating cosign. by @vaikas in #2146
    - docs: clarify wording in spec about usage of certificate chain by @asraa in #2152
    - fix: fix blob verification output with sharded rekor tlogs by @asraa in #2157
    - fix: adds envelope hash to in-toto entries in tlog entry creation by @nkreiger in #2118
    - fix handling of verify-attestation types for URIs by @otms61 in #2159
    - fix oidc post-merge job by @cpanato in #2164
    - Remove third_party by @imjasonh in #2166
    - use updated device flow logic with PKCE by @bobcallaway in #2163
    - fix: rekor get tlog entry with uuid by @asraa in #2058
    - update e2e job to run only when push to main by @cpanato in #2169
    - fix: add env cmd to root by @developer-guy in #2171
    - fix panic when os.Stat returns an error besides ErrNotExists by @dsa0x in #2162
* Fri Aug 05 2022 meissner@suse.com
  - updated to 1.10.1 (jsc#SLE-23879)
    - CVE-2022-35929: Fixed that cosign verify-attestaton --type can
      report a false positive if any attestation exists (GHSA-vjxv-45g9-9296
      (bsc#1202157)
  - What else changed:
    - add flag to allow skipping upload to transparency log by @k4leung4 in #2089
    - Improve error message when no sigs/atts are found for an image by @imjasonh in #2101
    - Change Result in Vulnerability Attestation to interface{} by @knqyf263 in #2096
    - Fix field names in the vulnerability attestation by @otms61 in #2099
    - remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint by @cpanato in #2105
    - sparkles Enable Scorecard badge by @azeemshaikh38 in #2109
    - Resolves #522 set Created date to time of execution by @Lerentis in #2108
    - Introduce a custom error type to classify errors. by @mattmoor in #2114
    - feat: attach: attestation: allow passing multiple payloads by @Dentrax in #2085
    - update cross-builder to go1.18.5 and cosign image to 1.10.0 by @cpanato in #2119
    - chore: fix documentation and warning on using untrusted rekor key by @asraa in #2124
    - Correct the type used for attest by @mattmoor in #2128
* Wed Jul 27 2022 meissner@suse.com
  - updated to 1.10.0
    - replace gcr.io/distroless/ to use ghcr.io/distroless/ by @cpanato in #1961
    - Separate RegExp matching of issuer/subject from strict by @vaikas in #1956
    - tuf: improve TUF client concurrency and caching by @asraa in #1953
    - Add Cloudsmith Container Registry to tested registry list by @ciaracarey in #1966
    - feat(fulcioroots): singleton error pattern by @developer-guy in #1965
    - Drop tuf client dependency on GCS client library by @imjasonh in #1967
    - Add spdxjson predicate type for attestations by @jdolitsky in #1974
    - Remove policy-controller now that it lives in sigstore/policy-controller by @vaikas in #1976
    - cleanup: unexport kubernetes.Client method by @imjasonh in #1973
    - cleanup ci job and remove policy-controller references by @cpanato in #1981
    - fix/update post build job by @cpanato in #1983
    - docs: updated Azure kms commands. by @JBrejnholt in #1972
    - Add cyclonedx predicate type for attestations by @jdolitsky in #1977
    - Route deprecated -version to version subcommand by @puerco in #1854
    - docs(readme): add installation steps for container image for cosign binary by @developer-guy in #1986
    - Add --platform flag to cosign sbom download by @puerco in #1975
    - Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore by @imjasonh in #1866
    - Add --oidc-provider flag to specify which provider to use for ambient credentials by @priyawadhwa in #1998
    - encrypt values to create the github action secret by @cpanato in #1990
    - sign-blob: bundle should work independently and respect --output-certificate and --output-signature by @Dentrax in #2016
    - Attempt to clean up pkg/cosign by @imjasonh in #2018
    - public-key: fix command description by @Dentrax in #2024
    - [NFC] specs: fix list formatting on SIGNATURE_SPEC by @woodruffw in #2030
    - feat: cert-extensions verify by @developer-guy in #1626
    - Fix #1378 create new attestation signature in replace mode if not existent by @Syquel in #2014
    - Use cosign.ConfirmPrompt more consistently by @imjasonh in #2039
    - chore: add a note about SIGSTORE_REKOR_PUBLIC_KEY var by @hectorj2f in #2040
    - Fix OIDC test by @cpanato in #2050
    - Add env subcommand. by @wlynch in #2051
    - remove tests with 1.21 k8s cluster because it is deprecated and add v1.23/24 by @cpanato in #2055
    - update ct/otel and etcd by @cpanato in #2054
    - chore(deps): CycloneDX PredicateType changed to use in-toto-golang by @masahiro331 in #2067
    - Remove replace directives in go.mod. by @wlynch in #2070
    - update design doc link by @bobcallaway in #2077
    - Remove hack/tools.go by @imjasonh in #2080
    - fix missing quote by @cpanato in #2090
  - removed cosigned and webhook
* Sat Jun 18 2022 meissner@suse.com
  - updated to 1.9.0
    - Check failure message of policy that fails with issuer mismatch by @vaikas in #1815
    - [Cosigned] Add signature pull secrets by @DennyHoang in #1805
    - feat: add rego policy support by @hectorj2f in #1817
    - Refactor fulcio signer to take in KeyOpts (take 2) by @wlynch in #1818
    - cosigned: Test unsupported KMS providers by @imjasonh in #1820
    - chore(deps): Included dependency review by @naveensrinivasan in #1792
    - Add auth flow option to KeyOpts. by @wlynch in #1827
    - Document Staging instance usage with Keyless by @k4leung4 in #1824
    - New flag --oidc-providers-disable to disable OIDC providers by @puerco in #1832
    - Validate tlog entry when verifying signature via public key. by @wlynch in #1833
    - Add function to explicitly request a certain provider by @priyawadhwa in #1837
    - cosigned: Fix podAntiAffinity labels by @elfotografo007 in #1841
    - remove exclude from go.mod by @cpanato in #1846
    - [Cosigned] Glob matching improvement by @DennyHoang in #1842
    - sget: Enable KMS providers for sget by @imjasonh in #1852
    - Fix piv-tool generate-key command in TOKENS doc by @nealmcb in #1850
    - Add IBM Cloud Container Registry to tested registry list by @bainsy88 in #1856
    - If SBOM ref has .json suffix, assume JSON mediatype by @jdolitsky in #1859
    - Add rekor.0.pub TUF target to unit tests by @priyawadhwa in #1860
    - Normalize certificate flag names by @haydentherapper in #1868
    - Check certificate policy flags with only a certificate by @haydentherapper in #1869
    - Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go by @cpanato in #1861
    - Point git commmit FUN.md to gitsign! by @wlynch in #1874
    - [cosigned] remove regex from the image pattern fields by @hectorj2f in #1873
    - go.mod: format go.mod by @zchee in #1879
    - Remove dependency on deprecated github.com/pkg/errors by @zchee in #1887
    - tree: only report artifacts that are present by @ribbybibby in #1872
    - update README with ebpf modules by @EItanya in #1888
    - Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d by @vpnachev in #1889
    - v1beta1 API for cosigned by @vaikas in #1890
    - tree: support --attachment-tag-prefix by @ribbybibby in #1900
    - [cosigned] Remove undefined apiGroups from policy clusterrole by @vpnachev in #1896
    - GHSA-66x3-6cw3-v5gj: Update go-tuf to v0.3.0 by @janisz in #1894
    - The timeout arg in golangci-lint has been moved to the generic args p… by @dlorenc in #1901
    - [cosigned] Rename cosigned references to policy-controller by @hectorj2f in #1893
    - Move deprecated dependency: google/trillian/merkle to transparency-dev by @cpanato in #1910
    - Add support for "**" in image glob matching by @imjasonh in #1914
    - Add privacy statement for PII storage by @haydentherapper in #1909
    - Do not push to public rekor. by @vaikas in #1931
    - fix: fix fetching updated targets from TUF root by @asraa in #1921
    - fix: fix #1930 for AWS KMS formats by @vaikas in #1946
    - update cross-builder image to use go1.17.11 by @cpanato in #1950
    - remove deprecation from goreleaser, go-fish is not supported anymore by @cpanato in #1952
    - add changelog for v1.9.0 by @cpanato in #1955
    - add parallelism for goreleaser by @cpanato in #1957
* Sat May 21 2022 meissner@suse.com
  - updated to 1.8.0
    - Move the KMS integration imports into the binary entrypoints by @mattmoor in #1744
    - [Cosigned] Convert functions for webhookCIP from v1alpha1 by @DennyHoang in #1736
    - Refactor policy related code, add support for vuln verify by @vaikas in #1747
    - Use bundle log ID to find verification key by @haydentherapper in #1748
    - [cosigned] The webhook name is now configurable via --webhook-name flag by @vpnachev in #1726
    - Add intermediate CA certificate pool for Fulcio by @haydentherapper in #1749
    - test: create fake TUF test root and create test SETs for verification by @asraa in #1750
    - Implement identities, fix bug in webhook validation. by @vaikas in #1759
    - Validate issuer/subject regexp in validate webhook. by @vaikas in #1761
    - chore: add warning when attaching sBOMs by @hectorj2f in #1756
    - Verify embedded SCTs by @haydentherapper in #1731
    - chore: add warning when downloading a sBOM by @hectorj2f in #1763
    - [policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags by @vpnachev in #1757
    - Break the CIP action tests into a sh script. by @vaikas in #1767
    - tuf: add debug info if tuf update fails by @asraa in #1766
    - cosigned: add support for rsa keys by @hectorj2f in #1768
    - Cosigned validate against remote sig src by @DennyHoang in #1754
    - Add Fulcio intermediate CA certificate to intermediate pool by @haydentherapper in #1774
    - fix: more informative error by @ybelMekk in #1778
    - Run update-codegen. by @wlynch in #1789
    - Remove the dependency on v1alpha1.Identity which brings in unnecessary k8s deps. by @vaikas in #1790
    - Refactor fulcio signer to take in KeyOpts. by @wlynch in #1788
    - test: add cue unit tests by @hectorj2f in #1791
    - Attestations + policy in cip. by @vaikas in #1772
    - chore: add rego function to consume modules and evaluate them by @hectorj2f in #1787
    - Add parallelization for processing policies / authorities. by @vaikas in #1795
    - Allow passing keys via environment variables (env:// refs) by @znewman01 in #1794
    - Handle context cancelled properly + tests. by @vaikas in #1796
    - Fix a bug where an error would send duplicate results. by @vaikas in #1797
    - Revert "Refactor fulcio signer to take in KeyOpts. (#1788)" by @wlynch in #1798
    - cosigned: Unify cue data and policy before evaluating it by @hectorj2f in #1793
    - Don't fail open in VerifyBundle by @mtrmac in #1648
    - Load in intermediate cert pool from TUF by @haydentherapper in #1804
    - Support PKCS1 encoded and non-ECDSA CT log public keys by @haydentherapper in #1806
* Tue Apr 26 2022 meissner@suse.com
  - updated to 1.7.2
    - [Cosigned] Fix publicKey unmarshal by @DennyHoang in #1719
    - fix: add permissions to patch events by @hectorj2f in #1722
    - Make public all types required to use ValidatePolicy by @jdolitsky in #1727
    - Add unit tests for IntotoAttestation verifier. by @vaikas in #1728
    - Remove newline from download sbom output by @ribbybibby in #1732
    - Fix packages name and binary in the packages by @cpanato in #1734
    - Fix fulcioroots test and linter error by @haydentherapper in #1741
    - Support non-ECDSA public keys in certificates by @haydentherapper in #1740
    - bug: remove old fulcio root and fix fallback target code by @asraa in #1738
  - updated to 1.7.1
    - pkcs11: fix build instructions by @rgerganov in #1550
    - add definition for artifact hub to verify the ownership by @cpanato in #1563
    - Add example using AWS Key Management Service (KMS) by @davivcgarcia in #1564
    - Start of the necessary pieces to get #1418 and #1419 implemented by @vaikas in #1562
    - Support deletion of ClusterImagePolicy by @vaikas in #1580
    - 1417 policy validations by @kkavitha in #1548
    - Don't lowercase input image refs, just fail by @imjasonh in #1586
    - Fix #1583 #1582. Disallow regex now until implemented. by @vaikas in #1584
    - Fix piping 'cosign verify' using fulcio/rekor by @marcofranssen in #1590
    - Fix #1592 move authorities as siblings of images. by @vaikas in #1593
    - Add ability to inline secrets from SecretRef to configmap. by @vaikas in #1595
    - Fix copy/paste mistake in repo name. by @k4leung4 in #1600
    - Use reusuable release workflow in sigstore/sigstore by @k4leung4 in #1599
    - Add public key validation by @kkavitha in #1598
    - Validate a public key in a secret is valid. by @vaikas in #1602
    - Ensure entry is removed from CM on secret error. by @vaikas in #1605
    - Add two env variables. One for using Rekor public key from OOB and one for fetching it from Rekor server by @vaikas in #1610
    - Init entity from ociremote when signing a digest ref by @puerco in #1616
    - rename ca-key to ca-cert. Fix 1608, 1613 by @vaikas in #1617
    - improve cosigned validation error messages by @cpanato in #1618
    - Use latest knative/pkg's configmap informer by @tcnghia in #1615
    - Included OpenSSF Best Practices Badge by @naveensrinivasan in #1628
    - FUN.md broke when RecordObj changed to HashedRecordObj by @MitchellJThomas in #1633
    - update crane to v0.8.0 release by @cpanato in #1635
    - push latest tag when building a release by @cpanato in #1636
    - Add extra label and change the latest tag to unstable for non tagged releases by @cpanato in #1637
    - Document Elastic container registry support by @mgreau in #1641
    - Validate authority keys by @coyote240 in #1623
    - feat: tree command utility by @developer-guy in #1603
    - fix build date format for version command by @cpanato in #1644
    - Add support for intermediate certificates when verifiying by @haydentherapper in #1631
    - Prompt user before running cosign clean by @priyawadhwa in #1649
    - Use ClusterImagePolicy with Keyless + e2e tests for CIP with kind by @vaikas in #1650
    - KEYLESS.md: Shorten example OAuth URL by @tstromberg in #1661
    - Use syscall.Stdin for input handle. Fixes #1153 by @mdp in #1657
    - Add support for certificate chain to verify certificate by @haydentherapper in #1659
    - First batch of followups to #1650 by @vaikas in #1664
    - Add certificate chain flag for signing by @haydentherapper in #1656
    - [attach]: Add specific suffixes mediaTypes to sboms by @hectorj2f in #1663
    - update font when output the cosign version by @cpanato in #1668
    - feat: add ability to override registry keychain by @noamichael in #1666
    - remove replace directive by @cpanato in #1669
    - Refactor based on discussions in #1650 by @vaikas in #1674
    - Find all valid entries in verify-blob by @priyawadhwa in #1673
    - Fix relative paths in Gitub OIDC blob test by @priyawadhwa in #1677
    - Add support for cert and cert chain flags with PKCS11 tokens by @haydentherapper in #1671
    - Use cosign @ HEAD for Github OIDC sign blob test by @priyawadhwa in #1678
    - Make cosign copy copy metadata attached to child images. by @mattmoor in #1682
    - change file_name_template to PackageName by @strongjz in #1683
    - Update error message for verify/verify attestation by @haydentherapper in #1686
    - cosign clean: Don't log failure if the registry responds with 404 by @imjasonh in #1687
    - verify: add leaf hash verification for tlog entries by @asraa in #1688
    - Fix handling of policy in verify-attestation by @lcarva in #1672
    - Add e2e test for attest / verify-attestation by @vaikas in #1685
    - verify: remove extra calls to rekor for verify and verify-blob by @asraa in #1694
    - Remove the hardcoded sigstore audience by @mattmoor in #1698
    - Use ValidatePubKey from sigstore/sigstore by @haydentherapper in #1676
    - Use the github actions from sigstore/scaffolding. by @vaikas in #1699
    - sign: set the oidc redirect uri by @hectorj2f in #1675
    - add back the go mod proxy by @cpanato in #1701
    - enable 1.23 tests (Test cosigned with ClusterImagePolicy) by @cpanato in #1702
    - Fix incorrect unmarshalling of SCT response by @haydentherapper in #1704
    - Make CLI flag for OIDC client secret take a path by @znewman01 in #1705
    - cosigned: read the public key from the kms authority by @hectorj2f in #1706
    - fix latest tag when running a release job by @cpanato in #1707
    - [Cosigned] Parse and store publicKey data earlier by @DennyHoang in #1681
    - Dont overwrite token set in keyOpts by @puerco in #1709
    - refactor release job by @cpanato in #1710
* Fri Apr 01 2022 meissner@suse.com
  - updated to 1.6.0
    - Fix double time import in e2e tests by @saschagrunert in #1388
    - Add --timeout support to sign command by @saschagrunert in #1379
    - Fix comparison in replace option for attestation by @bburky in #1366
    - Add Cosign logo to README by @nsmith5 in #1395
    - Minor refactor to verify SCT and Rekor entry with multiple keys by @haydentherapper in #1396
    - Fix a link of SECURITY.md by @knqyf263 in #1399
    - update cosign and cross-build image for the release job by @cpanato in #1400
    - feat: login command by @developer-guy in #1398
    - TUF: Add root status output by @asraa in #1404
    - Add a newline after password input by @knqyf263 in #1407
    - make imageRef lowercase before parsing by @bobcallaway in #1409
    - Improve error message when image is not found in registry by @imjasonh in #1410
    - Add ability to override the Spiffe socket via environmental variable: by @vaikas in #1421
    - Fix incorrect error check when verifying SCT by @haydentherapper in #1422
    - Skip the ReadWrite test that flakes on Windows. by @dlorenc in #1415
    - Allow PassFunc to be nil by @saschagrunert in #1426
    - Update the cosign keyless documentation to point to the GA release. by @dlorenc in #1427
    - Remove TUF timestamp from OCI signature bundle by @haydentherapper in #1428
    - Add docs on API stability and deprecation table by @priyawadhwa in #1429
    - update cross-build image which adds goimports by @cpanato in #1435
    - feat: enhance clean cmd capability by @developer-guy in #1430
    - use the upstream kubernetes version lib and ldflags by @n3wscott in #1413
    - Improve log lines to match with implementation by @marcofranssen in #1432
    - feat: fig autocomplete feature by @developer-guy in #1360
    - update cross-build to use go 1.17.7 by @cpanato in #1446
    - Fetch verification targets by TUF custom metadata by @haydentherapper in #1423
    - feat: add -buildid= to ldflags by @developer-guy in #1451
    - Streamline SignBlobCmd API with SignCmd by @saschagrunert in #1454
    - convert release cosigned to also generate yaml artifact. by @k4leung4 in #1453
    - Fix tkn link in readme by @Yongxuanzhang in #1459
    - Print message when verifying with old TUF targets by @haydentherapper in #1468
    - fix(sign): refactor unsupported provider log by @Dentrax in #1464
    - tests: /bin/bash -> /usr/bin/env bash by @znewman01 in #1470
    - Double goreleaser timeout by @znewman01 in #1472
    - increase timeout for goreleaser snapshot by @cpanato in #1473
    - fix(sign): kms unspported message by @Dentrax in #1475
    - refactor release cloudbuild job by @cpanato in #1476
    - Fix wording on attach attestation help by @luhring in #1480
    - update go-tuf and simplify TUF client code by @asraa in #1455
    - add initial changelog for 1.5.2 by @cpanato in #1483
    - Fix linter error on main by @priyawadhwa in #1484
    - Update Changelog for Security Advisory by @cpanato in #1485
    - chore(makefile): use kocache, convert publish to build by @developer-guy in #1488
    - Pick up a change to quiet ECR-login logging. by @mattmoor in #1491
    - feat: support other types in copy cmd by @developer-guy in #1493
    - Pick up some of the shared workflows by @mattmoor in #1490
    - feat: nominate Dentrax as codeowner by @developer-guy in #1492
    - add correct layer media type to cosign attach attestation by @spiffcs in #1503
    - This sets up the scaffolding for the cosigned CRD types. by @mattmoor in #1504
    - use v6 api calls in GH action for updating release milestones by @bobcallaway in #1511
    - Add skeleton reconciler for cosigned API CRD. by @mattmoor in #1513
    - bug fix: import ed25519 keys and fix error handling by @asraa in #1518
    - optimize codeql speed by using caching and tracing by @bobcallaway in #1519
    - Add a dummy.go file to allow vendoring config by @jdolitsky in #1520
    - Add CertExtensions func to extract all extensions by @ckotzbauer in #1515
    - chore(ci): add artifact hub support by @Dentrax in #1522
    - Change Fulcio URL default to be fulcio.sigstore.dev by @haydentherapper in #1529
    - Add codecov as github action, set permissions to read content only by @k4leung4 in #1530
    - images: remove --bare flags that conflict with --base-import-paths by @cpanato in #1533
    - Quay OCI Support in README by @sabre1041 in #1539
    - add rpm,deb and apks for cosign packages by @strongjz in #1537
    - Consistent parenthesis use in Makefile by @k4leung4 in #1541
    - add changelog for 1.6.0 by @cpanato in #1535
    - update golang cross image by @cpanato in #1543
    - Add fields in policy CRD by @kkavitha in #1540
    - Disable for now due some issues when downloading the knative module by @cpanato in #1546
* Mon Feb 21 2022 meissner@suse.com
  - updated to 1.5.2:
    - This release contains fixes for CVE-2022-23649, affecting signature
      validations with Rekor. Only validation is affected, it is not necessary
      to re-sign any artifacts. (bsc#1196239)
  - updated to 1.5.1:
    - Bump sigstore/sigstore to pick up oidc login for vault. (#1377)
    - Bump google.golang.org/api from 0.65.0 to 0.66.0 (#1371)
    - expose dafaults fulcio, rekor, oidc issuer urls (#1368)
    - add check to make sure the go modules are in sync (#1369)
    - README: fix link to race conditions (#1367)
    - Bump cloud.google.com/go/storage from 1.18.2 to 1.19.0 (#1365)
    - docs: verify-attestation cue and rego policy doc (#1362)
    - Update verify-blob to support DSSEs (#1355)
    - organize, update select deps (#1358)
    - Bump go-containerregistry to pick up ACR keychain fix (#1357)
    - Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (#1352)
    - sync go modules (#1353)
* Tue Jan 25 2022 meissner@suse.com
  - updated to 1.5.0
    [#]# Highlights
    * enable sbom generation when releasing (https://github.com/sigstore/cosign/pull/1261)
    * feat: log error to stderr (https://github.com/sigstore/cosign/pull/1260)
    * feat: support attach attestation (https://github.com/sigstore/cosign/pull/1253)
    * feat: resolve --cert from URL (https://github.com/sigstore/cosign/pull/1245)
    * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1237)
    * feat: vuln attest support (https://github.com/sigstore/cosign/pull/1168)
    * feat: add ambient credential detection with spiffe/spire (https://github.com/sigstore/cosign/pull/1220)
    * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1236)
    * feat: implement cosign download attestation (https://github.com/sigstore/cosign/pull/1216)
    [#]# Enhancements
    * Don't use k8schain, statically link cloud cred helpers in cosign (https://github.com/sigstore/cosign/pull/1279)
    * Export function to verify individual signature (https://github.com/sigstore/cosign/pull/1334)
    * Add suffix with digest to signature file output for recursive signing (https://github.com/sigstore/cosign/pull/1267)
    * Take OIDC client secret into account (https://github.com/sigstore/cosign/pull/1310)
    * Add --bundle flag to sign-blob and verify-blob (https://github.com/sigstore/cosign/pull/1306)
    * Add flag to verify OIDC issuer in certificate (https://github.com/sigstore/cosign/pull/1308)
    * add OSSF scorecard action (https://github.com/sigstore/cosign/pull/1318)
    * Add TUF timestamp to attestation bundle (https://github.com/sigstore/cosign/pull/1316)
    * Provide certificate flags to all verify commands (https://github.com/sigstore/cosign/pull/1305)
    * Bundle TUF timestamp with signature on signing (https://github.com/sigstore/cosign/pull/1294)
    * Add support for importing PKCShttps://github.com/sigstore/cosign/pull/8 private keys, and add validation (https://github.com/sigstore/cosign/pull/1300)
    * add error message (https://github.com/sigstore/cosign/pull/1296)
    * Move bundle out of `oci` and into `bundle` package (https://github.com/sigstore/cosign/pull/1295)
    * Reorganize verify-blob code and add a unit test (https://github.com/sigstore/cosign/pull/1286)
    * One-to-one mapping of invocation to scan result (https://github.com/sigstore/cosign/pull/1268)
    * refactor common utilities (https://github.com/sigstore/cosign/pull/1266)
    * Importing RSA and EC keypairs (https://github.com/sigstore/cosign/pull/1050)
    * Refactor the tuf client code. (https://github.com/sigstore/cosign/pull/1252)
    * Moved certificate output before checking for upload during signing (https://github.com/sigstore/cosign/pull/1255)
    * Remove remaining ioutil usage (https://github.com/sigstore/cosign/pull/1256)
    * Update the embedded TUF metadata. (https://github.com/sigstore/cosign/pull/1251)
    * Add support for other public key types for SCT verification, allow override for testing. (https://github.com/sigstore/cosign/pull/1241)
    * Log the proper remote repo for the signatures on verify (https://github.com/sigstore/cosign/pull/1243)
    * Do not require multiple Fulcio certs in the TUF root (https://github.com/sigstore/cosign/pull/1230)
    * clean up references to 'keyless' in `ephemeral.Signer` (https://github.com/sigstore/cosign/pull/1225)
    * create `DSSEAttestor` interface, `payload.DSSEAttestor` implementation (https://github.com/sigstore/cosign/pull/1221)
    * use `mutate.Signature` in the new `Signer`s (https://github.com/sigstore/cosign/pull/1213)
    * create `mutate` functions for `oci.Signature` (https://github.com/sigstore/cosign/pull/1199)
    * add a writeable `$HOME` for the `nonroot` cosigned user (https://github.com/sigstore/cosign/pull/1209)
    * signing attestation should private key (https://github.com/sigstore/cosign/pull/1200)
    * Remove the "upload" flag for "cosign initialize" (https://github.com/sigstore/cosign/pull/1201)
    * create KeylessSigner (https://github.com/sigstore/cosign/pull/1189)
    [#]# Bug Fixes
    * fix: cosign verify for vault (https://github.com/sigstore/cosign/pull/1328)
    * fix missing goimports (https://github.com/sigstore/cosign/pull/1327)
    * Fix TestSignBlobBundle (https://github.com/sigstore/cosign/pull/1320)
    * Fix a couple bugs in cert verification for blobs (https://github.com/sigstore/cosign/pull/1287)
    * Fix a few bugs in cosign initialize (https://github.com/sigstore/cosign/pull/1280)
    * Fix the unit tests with expired TUF metadata. (https://github.com/sigstore/cosign/pull/1270)
    * Fix output-file flag. (https://github.com/sigstore/cosign/pull/1264)
    * fix: typo in the error message (https://github.com/sigstore/cosign/pull/1250)
    * Fix semantic bugs in attestation verifification. (https://github.com/sigstore/cosign/pull/1249)
    * Fix semantic bug in DSSE specification. (https://github.com/sigstore/cosign/pull/1248)
  - vendor.tar.bz2: go mod vendor
* Tue Jan 25 2022 bwiedemann@suse.com
  - Fix BUILD_DATE for reproducible build results (boo#1047218)
* Thu Jan 06 2022 meissner@suse.com
  - cosign 1.4.1 release, initial import
  - provides signing / verification support for sigstore

Files

/usr/bin/cosign
/usr/share/doc/packages/cosign
/usr/share/doc/packages/cosign/ALUMNI.md
/usr/share/doc/packages/cosign/CHANGELOG.md
/usr/share/doc/packages/cosign/CLI.md
/usr/share/doc/packages/cosign/CODE_OF_CONDUCT.md
/usr/share/doc/packages/cosign/CONTRIBUTING.md
/usr/share/doc/packages/cosign/EXAMPLES.md
/usr/share/doc/packages/cosign/FEATURES.md
/usr/share/doc/packages/cosign/FUN.md
/usr/share/doc/packages/cosign/IMPORT.md
/usr/share/doc/packages/cosign/KEYLESS.md
/usr/share/doc/packages/cosign/KMS.md
/usr/share/doc/packages/cosign/PKCS11.md
/usr/share/doc/packages/cosign/README.md
/usr/share/doc/packages/cosign/TOKENS.md
/usr/share/doc/packages/cosign/USAGE.md
/usr/share/doc/packages/cosign/VERSIONING.md
/usr/share/licenses/cosign
/usr/share/licenses/cosign/LICENSE


Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Jul 9 20:22:04 2024