v1.12.0

Note: This release comes with a fix for CVE-2022-36056 described in this Github Security Advisory. Please upgrade to this release ASAP

Highlights

BREAKING: The fix for GHSA-GHSA-8gw7-4j42-w388 (CVE-2022-36056) means that some verify-blob commands that used to work may not anymore. In particular:

• When using verify-blob with signatures created with keyless mode, we require either COSIGN_EXPERIMENTAL=1 or a valid Rekor bundle for offline verification passed with --bundle.

If you upgrade and encounter other issues, please read the advisory in full; your prior checks may have been passing inappropriately.

What's Changed

• use scaffolding v0.4.6. by @vaikas in #2201
• Support non-ECDSA key types for verify-blob by @haydentherapper in #2203
• feat: integrate Alibaba Cloud Container Registry cred helper by @mozillazg in #2008
• remove double quotes, looks like it is passing as a single string to cosign and not as an array by @cpanato in #2205
• Upgrade to go1.19 by @cpanato in #2213
• Clarify error when KMS provider fails to load by @znewman01 in #2220
• feat: set annotations to generate additional bash completion information by @dirien in #2221
• Add deprecation warning for sget CLI and packages by @imjasonh in #2019
• upgrade setup-ko to point to new repo by @imjasonh in #2225
• update go builder to go1.19.1 by @cpanato in #2241
• Temp fix for e2e test by @haydentherapper in #2247
• update kind to use release v0.15.0 and some version comments by @cpanato in #2246
• Fix e2e test failure, add test for local bundle without rekor bundle by @haydentherapper in #2248
• fix: fix secret test, non-experimental bundle should pass by @asraa in #2249

New Contributors

• @mozillazg made their first contribution in #2008

Full Changelog: v1.11.1...v1.12.0