1.12.0 release notes don't mention breaking changes to fix vulnerability

[znewman01]

The v1.12.0 release contains a fix for GHSA-8gw7-4j42-w388 which is technically a breaking change (something that used to work no longer does).

While the advisory is called out at the top, it may not be clear to someone reading the release notes that this might cause issues without clicking through. Further, there's no guidance for how to fix it if their workflow was affected.

CC @cpanato @puerco any ideas on process fixes here?

[asraa]

Here's some guidance:

• When using verify-blob with signatures created with keyless mode, we require either COSIGN_EXPERIMENTAL=1 or a valid Rekor bundle for offline verification passed with --bundle.

[znewman01]

A good note for this might be:

Note: This release comes with a fix for CVE-2022-36056 described in this [Github Security Advisory]> (GHSA-8gw7-4j42-w388). Please upgrade to this release ASAP

Highlights

BREAKING: The fix for GHSA-GHSA-8gw7-4j42-w388 (CVE-2022-36056) means that some verify-blob commands that used to work may not anymore. In particular:

• When using verify-blob with signatures created with keyless mode, we require either COSIGN_EXPERIMENTAL=1 or a valid Rekor bundle for offline verification passed with --bundle.

If you upgrade and encounter other issues, please read the advisory in full; your prior checks may have been passing inappropriately.

EDIT: I'm cribbing @asraa's wording

[cpanato]

Thank you

Will update the release notes with this

[cpanato]

Updated

https://github.com/sigstore/cosign/releases/tag/v1.12.0

[znewman01]

Great, thanks for the quick fix @cpanato 😄

Now, the long-run question: does our existing release notes tooling handle security advisory fixes? Is there a process fix here? I can imagine the same thing happening for any fix to an advisory.

[cpanato]

we will improve in the release notes for sure, and i think in this case was a miscommunication :(

[cpanato]

will close this