v1.5.0
Changelog
- 7572520 add ascii art when using the version command (#1349)
- 4c23b55 update cross builder image - the image is now signed using keyless method (#1348)
- 03a2778 Add vaikas to CODEOWNERS (#1347)
- f186ee3 add changelog for v1.5.0 (#1345)
- 9acdf64 Cache the location of the remote repository when running cosign initialize (#1315)
- e534409 Fix minor typo (a missing verb) in README (#1346)
- 22007e5 Don't use k8schain, statically link cloud cred helpers in cosign (#1279)
- a50bc9d Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (#1343)
- 1a92b50 Bump recommended Go development version in README (#1340)
- 1560c64 Bump the snapshot and timestamp roles metadata from root signing. (#1339)
- bca7ba6 Export function to verify individual signature (#1334)
- b0e81eb Bump github.com/spiffe/go-spiffe/v2 from 2.0.0-beta.10 to 2.0.0-beta.11 (#1336)
- a7838c5 update go-github to v42 release (#1335)
- b0848d1 install latest release for ko instead of head of main branch (#1333)
- 2f8c22e remove wrong settings in the gco auth for gh actions (#1332)
- fbf8dcb update gcp setup for the GH action (#1330)
- 888b392 fix: cosign verify for vault (#1328)
- e64cc10 update some dependencies (#1326)
- 461b032 fix missing goimports (#1327)
- 78ee720 Add suffix with digest to signature file output for recursive signing (#1267)
- 0532601 Take OIDC client secret into account (#1310)
- 475c99d Verify checksum of downloaded utilities during CI (#1322)
- 97509b9 pin github actions by digest (#1319)
- 4592c23 Fix TestSignBlobBundle (#1320)
- bad18e5 Add --bundle flag to sign-blob and verify-blob (#1306)
- 079e28d Add flag to verify OIDC issuer in certificate (#1308)
- 2c96cf3 Bump google.golang.org/api from 0.64.0 to 0.65.0 (#1303)
- 24914ac add OSSF scorecard action (#1318)
- 244c07a Add TUF timestamp to attestation bundle (#1316)
- 46cf94b Provide certificate flags to all verify commands (#1305)
- d58fc63 Bundle TUF timestamp with signature on signing (#1294)
- c49ba0b Bump cuelang.org/go from 0.4.0 to 0.4.1 (#1302)
- 754d33e Add support for importing PKCS#8 private keys, and add validation (#1300)
- aa0b8c1 add error message (#1296)
- a7bd67c Move bundle out of
oci
and intobundle
package (#1295) - 9368996 Bump github.com/xanzy/go-gitlab from 0.54.2 to 0.54.3 (#1292)
- ef380f0 update import documentation (#1290)
- e671216 Fix a couple bugs in cert verification for blobs (#1287)
- 76e691b Fix a few bugs in cosign initialize (#1280)
- b9d0d4a Reorganize verify-blob code and add a unit test (#1286)
- 419be8a update release image to use go 1.17.6 (#1284)
- 809b091 Bump google.golang.org/api. (#1283)
- 4376cca Bump opa and go-gitlab. (#1281)
- b6aaddc Update SBOM spec to indicate compat for syft (#1278)
- f19f4f7 Update signature spec with timestamp annotation (#1274)
- 7f54a8f Bump miekg/pkcs11 (#1275)
- 36cc106 Pick up latest knative.dev/pkg, and k8s 0.22 libs (#1269)
- 6af964c Fix the unit tests with expired TUF metadata. (#1270)
- 242f586 One-to-one mapping of invocation to scan result (#1268)
- 1a7f9d6 refactor common utilities (#1266)
- d89eb8e Fix output-file flag. (#1264)
- 9a27e1f Importing RSA and EC keypairs (#1050)
- 8194edd enable sbom generation when releasing (#1261)
- 0a4a68a feat: log error to stderr (#1260)
- 591601c feat: support attach attestation (#1253)
- 2e99320 Refactor the tuf client code. (#1252)
- dfc0347 Moved certificate output before checking for upload during signing (#1255)
- c09d682 Remove remaining ioutil usage (#1256)
- 894a3bc Update the embedded TUF metadata. (#1251)
- 645c259 Bump sigstore/sigstore. (#1247)
- 4ecb43d fix: typo in the error message (#1250)
- 1df7fe4 Fix semantic bugs in attestation verifification. (#1249)
- f32c1d7 Fix semantic bug in DSSE specification. (#1248)
- 4e4bbf6 Spelling (#1246)
- 7e5abbf feat: resolve --cert from URL (#1245)
- c360535 Add support for other public key types for SCT verification, allow override for testing. (#1241)
- 6f41b4b Log the proper remote repo for the signatures on verify (#1243)
- 24d43bd feat: generate/upload sbom for cosign projects (#1237)
- b3bd158 Use ${{github.repository}} placeholder in OIDC GitHub workflow (#1244)
- 47d936c update codeowners list with miissing codeowners (#1238)
- 3dd690e feat: vuln attest support (#1168)
- 6a4afef feat: add ambient credential detection with spiffe/spire (#1220)
- 1104dfd feat: generate/upload sbom for cosign projects (#1236)
- 0c25819 update build images for release and bump cosign in the release job (#1234)
- ac8a7e9 feat: implement cosign download attestation (#1216)
- d318979 Do not require multiple Fulcio certs in the TUF root (#1230)
- 9da74c9 update deps (#1222)
- b2d6393 nit: add comments to
Signer
interface (#1228) - f2e034d clean up references to 'keyless' in
ephemeral.Signer
(#1225) - acf5900 create
DSSEAttestor
interface,payload.DSSEAttestor
implementation (#1221) - ca4544c update google.golang.org/api from 0.62.0 to 0.63.0 (#1214)
- 1feacab use
mutate.Signature
in the newSigner
s (#1213) - 28b03f7 create
mutate
functions foroci.Signature
(#1199) - 500cd40 update snapshot and timestamp (#1211)
- cbdc1b3 add a writeable
$HOME
for thenonroot
cosigned user (#1209) - 4d4c830 signing attestation should private key (#1200)
- 6e397c2 Remove the "upload" flag for "cosign initialize" (#1201)
- 008f860 create KeylessSigner (#1189)
- 2ad95b3 Bump github.com/spf13/viper from 1.9.0 to 1.10.0 (#1198)
- 3dac54a Bump the DSSE library and handle manual changes in the API. (#1191)
- cfd981e nit: drop every section title down a level (#1188)