Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump sops version to 3.9.3 #1625

Merged
merged 2 commits into from
Jan 2, 2025
Merged

Bump sops version to 3.9.3 #1625

merged 2 commits into from
Jan 2, 2025

Conversation

jenkins-infra-updatecli[bot]
Copy link
Contributor

@jenkins-infra-updatecli jenkins-infra-updatecli bot commented Dec 31, 2024
edited
Loading

Bump sops version

Update the `sops` version in the tools-versions.yml file

change detected: * key "$.sops_version" updated from "3.9.2" to "3.9.3", in file "provisioning/tools-versions.yml"

3.9.3 
Release published on the 2024-12-31 12:54:35 +0000 UTC at the url https://github.com/getsops/sops/releases/tag/v3.9.3

## Installation

To install `sops`, download one of the pre-built binaries provided for your platform from the artifacts attached to this release.

For instance, if you are using Linux on an AMD64 architecture:

```shell
# Download the binary
curl -LO https://github.com/getsops/sops/releases/download/v3.9.3/sops-v3.9.3.linux.amd64

# Move the binary in to your PATH
mv sops-v3.9.3.linux.amd64 /usr/local/bin/sops

# Make the binary executable
chmod +x /usr/local/bin/sops
```

### Verify checksums file signature

The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of this file, run the following commands:

```shell
# Download the checksums file, certificate and signature
curl -LO https://github.com/getsops/sops/releases/download/v3.9.3/sops-v3.9.3.checksums.txt
curl -LO https://github.com/getsops/sops/releases/download/v3.9.3/sops-v3.9.3.checksums.pem
curl -LO https://github.com/getsops/sops/releases/download/v3.9.3/sops-v3.9.3.checksums.sig

# Verify the checksums file
cosign verify-blob sops-v3.9.3.checksums.txt \
  --certificate sops-v3.9.3.checksums.pem \
  --signature sops-v3.9.3.checksums.sig \
  --certificate-identity-regexp=https://github.com/getsops \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com
```

### Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature:

```shell
# Verify the binary using the checksums file
sha256sum -c sops-v3.9.3.checksums.txt --ignore-missing
```

### Verify artifact provenance

The [SLSA provenance](https://slsa.dev/provenance/v0.2) of the binaries, packages, and SBOMs can be found within the artifacts associated with this release. It is presented through an [in-toto](https://in-toto.io/) link metadata file named `sops-v3.9.3.intoto.jsonl`. To verify the provenance of an artifact, you can utilize the [`slsa-verifier`](https://github.com/slsa-framework/slsa-verifier#artifacts) tool:

```shell
# Download the metadata file
curl -LO  https://github.com/getsops/sops/releases/download/v3.9.3/sops-v3.9.3.intoto.jsonl

# Verify the provenance of the artifact
slsa-verifier verify-artifact <artifact> \
  --provenance-path sops-v3.9.3.intoto.jsonl \
  --source-uri github.com/getsops/sops \
  --source-tag v3.9.3
```

## Container Images

The `sops` binaries are also available as container images, based on Debian (slim) and Alpine Linux. The Debian-based container images include any dependencies which may be required to make use of certain key services, such as GnuPG, AWS KMS, Azure Key Vault, and Google Cloud KMS. The Alpine-based container images are smaller in size, but do not include these dependencies.

These container images are available for the following architectures: `linux/amd64` and `linux/arm64`.

### GitHub Container Registry

- `ghcr.io/getsops/sops:v3.9.3`
- `ghcr.io/getsops/sops:v3.9.3-alpine`

### Quay.io

- `quay.io/getsops/sops:v3.9.3`
- `quay.io/getsops/sops:v3.9.3-alpine`

### Verify container image signature

The container images are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of an image, run the following command:

```shell
cosign verify ghcr.io/getsops/sops:v3.9.3 \
  --certificate-identity-regexp=https://github.com/getsops \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  -o text
```

### Verify container image provenance

The container images include [SLSA provenance](https://slsa.dev/provenance/v0.2) attestations. For more information around the verification of this, please refer to the [`slsa-verifier` documentation](https://github.com/slsa-framework/slsa-verifier#containers).

## Software Bill of Materials

The Software Bill of Materials (SBOM) for each binary is accessible within the artifacts enclosed with this release. It is presented as an [SPDX](https://spdx.dev/) JSON file, formatted as `<binary>.spdx.sbom.json`.

## What's Changed
* build(deps): Bump the go group with 10 updates by @dependabot in https://github.com/getsops/sops/pull/1699
* build(deps): Bump the ci group with 2 updates by @dependabot in https://github.com/getsops/sops/pull/1698
* build(deps): Bump golang.org/x/crypto from 0.30.0 to 0.31.0 by @dependabot in https://github.com/getsops/sops/pull/1703
* build(deps): Bump the ci group with 4 updates by @dependabot in https://github.com/getsops/sops/pull/1708
* build(deps): Bump the rust group in /functional-tests with 2 updates by @dependabot in https://github.com/getsops/sops/pull/1707
* CI: add 'persist-credentials: false' to checkout actions by @felixfontein in https://github.com/getsops/sops/pull/1704
* build(deps): Bump filippo.io/age from 1.2.0 to 1.2.1 by @dependabot in https://github.com/getsops/sops/pull/1710
* Bump golang.org/x/net to 0.33.0 to address CVE-2024-45338 by @felixfontein in https://github.com/getsops/sops/pull/1714
* build(deps): Bump the go group across 1 directory with 13 updates by @dependabot in https://github.com/getsops/sops/pull/1715
* build(deps): Bump serde_json from 1.0.133 to 1.0.134 in /functional-tests in the rust group by @dependabot in https://github.com/getsops/sops/pull/1716
* build(deps): Bump the ci group with 2 updates by @dependabot in https://github.com/getsops/sops/pull/1717
* GnuPG: do not incorrectly trim fingerprint in presence of exclamation marks for specfic subkey selection by @felixfontein in https://github.com/getsops/sops/pull/1720
* Tests: use container images from https://github.com/getsops/ci-container-images by @felixfontein in https://github.com/getsops/sops/pull/1722
* updatekeys subcommand: fix input-type CLI flag being ignored by @felixfontein in https://github.com/getsops/sops/pull/1721
* Update all Go dependencies by @felixfontein in https://github.com/getsops/sops/pull/1723
* build(deps): Bump the rust group in /functional-tests with 2 updates by @dependabot in https://github.com/getsops/sops/pull/1725
* Release 3.9.3 by @felixfontein in https://github.com/getsops/sops/pull/1724


**Full Changelog**: https://github.com/getsops/sops/compare/v3.9.2...v3.9.3
Update the `sops` version in the goss test

change detected: * key "$.command.sops.stdout[0]" updated from "3.9.2" to "3.9.3", in file "tests/goss-linux.yaml"

3.9.3 
Release published on the 2024-12-31 12:54:35 +0000 UTC at the url https://github.com/getsops/sops/releases/tag/v3.9.3

## Installation

To install `sops`, download one of the pre-built binaries provided for your platform from the artifacts attached to this release.

For instance, if you are using Linux on an AMD64 architecture:

```shell
# Download the binary
curl -LO https://github.com/getsops/sops/releases/download/v3.9.3/sops-v3.9.3.linux.amd64

# Move the binary in to your PATH
mv sops-v3.9.3.linux.amd64 /usr/local/bin/sops

# Make the binary executable
chmod +x /usr/local/bin/sops
```

### Verify checksums file signature

The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of this file, run the following commands:

```shell
# Download the checksums file, certificate and signature
curl -LO https://github.com/getsops/sops/releases/download/v3.9.3/sops-v3.9.3.checksums.txt
curl -LO https://github.com/getsops/sops/releases/download/v3.9.3/sops-v3.9.3.checksums.pem
curl -LO https://github.com/getsops/sops/releases/download/v3.9.3/sops-v3.9.3.checksums.sig

# Verify the checksums file
cosign verify-blob sops-v3.9.3.checksums.txt \
  --certificate sops-v3.9.3.checksums.pem \
  --signature sops-v3.9.3.checksums.sig \
  --certificate-identity-regexp=https://github.com/getsops \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com
```

### Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature:

```shell
# Verify the binary using the checksums file
sha256sum -c sops-v3.9.3.checksums.txt --ignore-missing
```

### Verify artifact provenance

The [SLSA provenance](https://slsa.dev/provenance/v0.2) of the binaries, packages, and SBOMs can be found within the artifacts associated with this release. It is presented through an [in-toto](https://in-toto.io/) link metadata file named `sops-v3.9.3.intoto.jsonl`. To verify the provenance of an artifact, you can utilize the [`slsa-verifier`](https://github.com/slsa-framework/slsa-verifier#artifacts) tool:

```shell
# Download the metadata file
curl -LO  https://github.com/getsops/sops/releases/download/v3.9.3/sops-v3.9.3.intoto.jsonl

# Verify the provenance of the artifact
slsa-verifier verify-artifact <artifact> \
  --provenance-path sops-v3.9.3.intoto.jsonl \
  --source-uri github.com/getsops/sops \
  --source-tag v3.9.3
```

## Container Images

The `sops` binaries are also available as container images, based on Debian (slim) and Alpine Linux. The Debian-based container images include any dependencies which may be required to make use of certain key services, such as GnuPG, AWS KMS, Azure Key Vault, and Google Cloud KMS. The Alpine-based container images are smaller in size, but do not include these dependencies.

These container images are available for the following architectures: `linux/amd64` and `linux/arm64`.

### GitHub Container Registry

- `ghcr.io/getsops/sops:v3.9.3`
- `ghcr.io/getsops/sops:v3.9.3-alpine`

### Quay.io

- `quay.io/getsops/sops:v3.9.3`
- `quay.io/getsops/sops:v3.9.3-alpine`

### Verify container image signature

The container images are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of an image, run the following command:

```shell
cosign verify ghcr.io/getsops/sops:v3.9.3 \
  --certificate-identity-regexp=https://github.com/getsops \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  -o text
```

### Verify container image provenance

The container images include [SLSA provenance](https://slsa.dev/provenance/v0.2) attestations. For more information around the verification of this, please refer to the [`slsa-verifier` documentation](https://github.com/slsa-framework/slsa-verifier#containers).

## Software Bill of Materials

The Software Bill of Materials (SBOM) for each binary is accessible within the artifacts enclosed with this release. It is presented as an [SPDX](https://spdx.dev/) JSON file, formatted as `<binary>.spdx.sbom.json`.

## What's Changed
* build(deps): Bump the go group with 10 updates by @dependabot in https://github.com/getsops/sops/pull/1699
* build(deps): Bump the ci group with 2 updates by @dependabot in https://github.com/getsops/sops/pull/1698
* build(deps): Bump golang.org/x/crypto from 0.30.0 to 0.31.0 by @dependabot in https://github.com/getsops/sops/pull/1703
* build(deps): Bump the ci group with 4 updates by @dependabot in https://github.com/getsops/sops/pull/1708
* build(deps): Bump the rust group in /functional-tests with 2 updates by @dependabot in https://github.com/getsops/sops/pull/1707
* CI: add 'persist-credentials: false' to checkout actions by @felixfontein in https://github.com/getsops/sops/pull/1704
* build(deps): Bump filippo.io/age from 1.2.0 to 1.2.1 by @dependabot in https://github.com/getsops/sops/pull/1710
* Bump golang.org/x/net to 0.33.0 to address CVE-2024-45338 by @felixfontein in https://github.com/getsops/sops/pull/1714
* build(deps): Bump the go group across 1 directory with 13 updates by @dependabot in https://github.com/getsops/sops/pull/1715
* build(deps): Bump serde_json from 1.0.133 to 1.0.134 in /functional-tests in the rust group by @dependabot in https://github.com/getsops/sops/pull/1716
* build(deps): Bump the ci group with 2 updates by @dependabot in https://github.com/getsops/sops/pull/1717
* GnuPG: do not incorrectly trim fingerprint in presence of exclamation marks for specfic subkey selection by @felixfontein in https://github.com/getsops/sops/pull/1720
* Tests: use container images from https://github.com/getsops/ci-container-images by @felixfontein in https://github.com/getsops/sops/pull/1722
* updatekeys subcommand: fix input-type CLI flag being ignored by @felixfontein in https://github.com/getsops/sops/pull/1721
* Update all Go dependencies by @felixfontein in https://github.com/getsops/sops/pull/1723
* build(deps): Bump the rust group in /functional-tests with 2 updates by @dependabot in https://github.com/getsops/sops/pull/1725
* Release 3.9.3 by @felixfontein in https://github.com/getsops/sops/pull/1724


**Full Changelog**: https://github.com/getsops/sops/compare/v3.9.2...v3.9.3
Jenkins pipeline link
Updatecli logo

Created automatically by Updatecli

Options:

Most of Updatecli configuration is done via its manifest(s).

  • If you close this pull request, Updatecli will automatically reopen it, the next time it runs.
  • If you close this pull request and delete the base branch, Updatecli will automatically recreate it, erasing all previous commits made.

Feel free to report any issues at github.com/updatecli/updatecli.
If you find this tool useful, do not hesitate to star our GitHub repository as a sign of appreciation, and/or to tell us directly on our chat!

@jenkins-infra-updatecli jenkins-infra-updatecli bot added enhancement New feature or request sops labels Dec 31, 2024
@jenkins-infra-updatecli jenkins-infra-updatecli bot force-pushed the updatecli_main_d433cba4cd86de2e572f9a7635de798000df70e4bdbf2f5ef6f16d1b88433d86 branch 2 times, most recently from d7e9418 to 09560aa Compare January 2, 2025 08:18
@jenkins-infra-updatecli jenkins-infra-updatecli bot force-pushed the updatecli_main_d433cba4cd86de2e572f9a7635de798000df70e4bdbf2f5ef6f16d1b88433d86 branch from f004a20 to 23f4220 Compare January 2, 2025 08:20
@dduportal dduportal enabled auto-merge January 2, 2025 08:22
@dduportal dduportal disabled auto-merge January 2, 2025 09:30
@dduportal dduportal merged commit aa99401 into main Jan 2, 2025
1 of 2 checks passed
@dduportal dduportal deleted the updatecli_main_d433cba4cd86de2e572f9a7635de798000df70e4bdbf2f5ef6f16d1b88433d86 branch January 2, 2025 09:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dduportal dduportal dduportal approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request sops
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dduportal @jenkins-infra-bot