Skip to content

v2.3.0

Compare
Choose a tag to compare
@sigstore-bot sigstore-bot released this 22 Jul 17:34
· 76 commits to main since this release
v2.3.0
deed363

v2.3.0

Features

  • Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#3693)
  • add registry options to cosign save (#3645)
  • Add debug providers command. (#3728)
  • Make config layers in ociremote mountable (#3741)
  • upgrade to go1.22 (#3739)
  • adds tsa cert chain check for env var or tuf targets. (#3600)
  • add --ca-roots and --ca-intermediates flags to 'cosign verify' (#3464)
  • add handling of keyless verification for all verify commands (#3761)

Bug Fixes

  • fix: close attestationFile (#3679)
  • Set bundleVerified to true after Rekor verification (Resolves #3740) (#3745)

Documentation

  • Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#3776)

Testing

  • Refactor KMS E2E tests (#3684)
  • Remove sign_blob_test.sh test (#3707)
  • Remove KMS E2E test script (#3702)
  • Refactor insecure registry E2E tests (#3701)

Contributors

  • Billy Lynch
  • bminahan73
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Cody Soyland
  • Colleen Murphy
  • Dmitry Savintsev
  • guangwu
  • Hayden B
  • Hector Fernandez
  • ian hundere
  • Jason Power
  • Jon Johnson
  • Max Lambrecht
  • Meeki1l

Full Changelog: v2.2.4...v2.3.0