v1.2.1

This release fixes compatibility issues between the v1.2.0 release and the Go toolchain.

Thanks, @luhring!

Changelog

be15523 Remove go.mod replace directive (#716) (#726)
03a1061 add changelog for 1.2.1 (#727)

Thanks for all contributors!

v1.2.0

v1.2.0

Enhancements

• BREAKING: move verify-dockerfile to dockerfile verify (#662)
• Have the keyless cosign sign flow use a single 3LO. (#665)
• Allow to verify-blob from urls (#646)
• Support GCP environments without workload identity (GCB). (#652)
• Switch the release cosign container to debug. (#649)
• Add logic to detect and use ambient OIDC from exec envs. (#644)
• Add -cert-email flag to provide the email expected from a fulcio cert to be valid (#622)
• Add support for downloading signature from remote (#629)
• Add sbom and attestations to triangulate (#628)
• Add cosign attachment signing and verification (#615)
• Embed CT log public key (#607)
• Verify SCTs returned by fulcio (#600)
• Add extra replacement variables and GCP's role identifier (#597)
• Store attestations in the layer (payload) rather than the annotation. (#579)
• Improve documentation about predicate type and change predicate type from provenance to slsaprovenance (#583)
• Upgrade in-toto-golang to adapt SLSA Provenance (#582)

Bug Fixes

• Fix verify-dockerfile to allow lowercase FROM (#643)
• Fix signing for the cosigned image. (#634)
• Make sure generate-key-pair doesn't overwrite existing key-pair (#623)
• helm/ci: update helm repo before installing the dependency (#598)
• Set the correct predicate type/URI for each supported predicate type. (#592)
• Warnings on admissionregistration version (#581)
• Remove unnecessary COSIGN_PASSWORD (#572)

Contributors

• Batuhan Apaydın
• Ben Walding
• Carlos Alexandro Becker
• Carlos Tadeu Panato Junior
• Erkan Zileli
• Hector Fernandez
• Jake Sanders
• Jason Hall
• Matt Moore
• Michael Lieberman
• Naveen Srinivasan
• Pradeep Chhetri
• Sambhav Kothari
• dlorenc
• priyawadhwa

Thank you to all our contributors!!

Changelog

aa5d23b CHANGELOG for cosign 1.2 (#668)
1b1cafc move verify-dockerfile to dockerfile verify (#662)
275e015 Have the keyless cosign sign flow use a single 3LO. (#665)
152eefb Move LoadEcdsa... into pkg/cosign/keys.go (#667)
c37c20e feat: allow to verify-blob from urls (#646)
b1e7ca2 Extract a types package for media and payload types. (#664)
e14b69d small typo (#663)
e055194 Provide a mechanism for downstream folks to avoid _ imports. (#661)
b27c63a Split apart fulcioverifier for transparency log verification. (#660)
de598c1 Send log statement to STDERR (#659)
696a46a Remove unnecessary space after 'with index:' (#656)
3f83940 Support GCP environments without workload identity (GCB). (#652)
118399c Revert "Consistently use STDERR for output. (#647)" (#650)
60cf6b8 Refactor verification output. (#632)
f2a1276 Switch the release cosign container to debug. (#649)
f8f2e7a Pinned the dockerfile to sha256 (#619)
fefa881 Consistently use STDERR for output. (#647)
fb04df8 Refactor cosigned to take advantage of duck typing. (#637)
739947d Add logic to detect and use ambient OIDC from exec envs. (#644)
cb310df Fix verify-dockerfile to allow lowercase FROM (#643)
6d2fc54 docs: add remote url example for verify_blog cmd (#640)
248f849 add -cert-email flag to provide the email expected from a fulcio cert to be valid (#622)
59be0ee Break off a fulcioroot package. (#639)
56d7d96 Use a nonroot base image for ko-based images (#638)
efde83c Fix signing for the cosigned image. (#634)
508cc59 Drop the unused apiReader (#636)
6a1e1b5 Drop the distinction between Create/Update. (#635)
8d550b3 feat: add support for downloading signature from remote (#629)
cb0c46a Add ko targets for the webhook image. (#630)
53fbe01 Something changed in go 1.17 to make this a failure now. (#631)
a05fb65 Add sbom and attestations to triangulate (#628)
ff28387 Bump opa to v0.32.0 (#625)
b0e5c74 Bump k8s controller-runtime to v0.10.0. (#626)
de600d2 chore: cleanup Makefile targers (#627)
5abd51e Make sure generate-key-pair doesn't overwrite existing key-pair (#623)
40830f1 Modify golangci-lint installation (#624)
79fa380 Add cosign attachment signing and verification (#615)
de3f9d6 Bump go/storage. (#614)
c35f311 verify_blob: add missing help option to use teh pub kwy from a remote (#616)
9906181 helm/cosigned: remove helm charts (#609)
842a81a Embed CT log public key (#607)
54c956c Actually bump dependencies and get healthy on go 1.17. (#606)
cb9f980 Verify SCTs returned by fulcio (#600)
c79ba73 Add extra replacement variables and GCP's role identifier (#597)
c875b79 helm/ci: update helm repo before installing the dependency (#598)
b41d57f Set the correct predicate type/URI for each supported predicate type. (#592)
584e63f chore: add a new CODEOWNER (#593)
b1c033d Make the warning around TUF roots a little less scary. (#590)

cosigned-v0.0.3-dev

The Helm chart for Cosigned

cosigned-v0.0.2-dev

The Helm chart for Cosigned

cosigned-v0.0.1-dev

The Helm chart for Cosigned

v1.1.0

Enhancements

• BREAKING: The -attestation flag has been renamed to -predicate in attest (#500)
• Added verify-manifest command (#490)
• Added the ability to specify and validate well-known attestation types in attest with the -type flag (#504)
• Added cosign init command to setup the trusted local repository of SigStore's TUF root metadata (#520)
• Added timestamps to Cosign's custom In-Toto predicate (#533)
• verify now always verifies that the image exists (even when referenced by digest) before verification (#543)

Bug Fixes

• verify-dockerfile no longer fails on FROM scratch (#509)
• Fixed reading from STDIN with attach sbom (#517)
• Fixed broken documentation and implementation of -output for verify and verify-attestation (#546)
• Fixed nil pointer error when calling upload blob without specifying -f (#563)

Contributors

• Adolfo García Veytia (@puerco)
• Anton Semjonov (@ansemjo)
• Asra Ali (@asraa)
• Batuhan Apaydın (@developer-guy)
• Carlos Panato (@cpanato)
• Dan Lorenc (@dlorenc)
• @gkovan
• Hector Fernandez (@hectorj2f)
• Jake Sanders (@dekkagaijin)
• Jim Bugwadia (@JimBugwadia)
• Jose Donizetti (@josedonizetti)
• Joshua Hansen (@joshes)
• Jason Hall (@imjasonh)
• Li Yi (@denverdino)
• Priya Wadhwa (@priyawadhwa)
• Russell Brown (@rjbrown57)
• Stephan Renatus (@srenatus)

Full Changelog

67934a6 remove unnecessary COSIGN_PASSWORD (#572)
7b5e931 add v1.1.0 relnotes (#571)
764a237 release: update golang-cross image to use go 1.17 (#569)
2f805aa update Go to 1.17.0 (#568)
7b08e21 Pin k8s.io dependencies to v0.20.7 (#567)
0783cc9 Make payload types public (#564)
8ce7d29 fix nil pointer deref in cli/upload.BlobCmd (#563)
92ce88e Fix some bugs in the attestation support and add a formal spec. (#561)
9479578 Bump k8s to 0.22.1. (#560)
4326cc1 Add a commented out list of OWNERS for transparency. (#558)
5c70fc4 fix: lint warning (#557)
5267dfd Add example of openssl signing. (#554)
6db6a90 Move the prompting/confirmation down into the password implementations. (#552)
3733e69 Fix verify and verify-attestation output flag (#546)
001d55f Improve Kubernetes examples in docs and commands (#551)
0d93915 Update google.golang.org/api (#544)
969aa80 always check remote image (#543)
4c755ad Refactor to avoid not necessary conversion (#539)
e2cafee Don't run e2e tests on PRs (#540)
3b5c238 Fix CI issues for forked repos (#537)
b2c649f Improve docs for keyless SA signing (#536)
03f3f4d Refactor upload-blob to use File interface (#535)
de056ab Bump google.golang.org/api from 0.52.0 to 0.53.0 (#534)
61b103b Add support for timestamps in the cosign custom predicate, and document it. (#533)
4c76ff3 'cosign init' minor enhancements (file or URL root, write to $HOME/.sigstore) (#530)
a7aff49 update go mods, tidy (#531)
9018c86 Explicitly disable auth for the sigstore-tuf-root. (#528)
bfd42e5 Add cosign init to initialize the SigStore root metadata (#520)
f83218b version: add way to display a version when using go get or go install (#526)
07bf0f2 Add Alibaba Cloud Container Registry (#524)
ce1648e update k8s deps for 1.22 release. Update sigstore. Tidy (#523)
c0f7371 add usage of the COSIGN_PASSWORD env var (#521)
6e535ce add Go Report Card badge to README (#518)
ef05414 lazy init fulcio root (#519)
fbc9831 fix for reading sbom file from stdin (#517)
749cd29 SIGNATURE_SPEC.md: fix typo (#516)
685f1a3 Bump github.com/google/go-containerregistry from 0.5.1 to 0.6.0 (#515)
b505bb4 fix in-toto.io link (#513)
4877fbb Verify-dockerfile Ignore scratch images (#509)
f3cf4a2 fixing typos in the documentation of SBOM specification (#511)
1e4b330 verify-manifest: decode and use kubernetes resources (#510)
0fdfaa9 Add cosign verify-manifest command (#490)
7e9cdfb add well-known attestation specs support to the attest command (#504)
53f7cd4 some more readme updates (#505)
e42c08e SBOM specification! (#439)
03b1eda add installation via GitHub Action to README (#503)

Thanks for all contributors!

v1.0.0

Cosign 1.0!

This is the first production ready, non-pre-release version of the cosign tool!

Huge thanks to the entire sigstore community!

Enhancements

• BREAKING: The default HSM key slot is now "signature" instead of "authentication" (#450)
• BREAKING: --fulcio-server is now --fulcio-url (#471)
• Added -cert flag to sign to allow the explicit addition of a signature certificate (#451)
• Added the attest command (#458)
• Added numerous flags for specifying parameters when interacting with Rekor and Fulcio (#462)
• cosign will now send its version string as part of the user-agent when interacting with a container registry (#479)
• Files containing certificates for custom Fulcio endpoints can now be specified via the COSIGN_ROOT environment variable (#477)

Bug Fixes

• Fixed a situation where lower-case as would break verify-dockerfile (Complements to @Dentrax #433)

Verification

The releases are signed using cosign, and can be verified with a previous release or openssl. The key used is currently stored in this repository (at the commit the build was done) in the release/release-cosign.pub file.

Each binary is signed, and the corresponding.sig file is uploaded here. For darwin-amd64, using openssl:

$ openssl dgst -sha256 -verify release/release-cosign.pub -signature <(cat cosign-darwin-amd64.sig | base64 -D) cosign-darwin-amd64
Verified OK

With cosign:

$ cosign verify-blob -key release/release-cosign.pub -signature cosign-darwin-amd64.sig cosign-darwin-amd64
Verified OK

Full Changelog

33973d0 Allow multiple files per archive. (#497)
302c339 v1.0.0 relnotes (#493)
90efb9f cloudbuild: remove not needed dependency library (#495)
cdd92da Add missing code of conduct (stock sigstore one) (#496)
14d1d0a Allow custom root PEM (#477)
1a660a2 Avoid remote.Gets when the ref contains a digest (#487)
ade62cd Update the docs to be explicit around 1.0! (#489)
edd65a8 Only run codeql post-merge. (#488)
d0d11ee Minor update to README.md (#486)
1f9d3d9 Chore fixes (#476)
6f42979 move fulcio utils out of pkg (#482)
4155550 Unexport pkg/cosign/remote.StaticLayer (#483)
c076106 use Fulcio's client creation utility (#480)
94d54b8 Add cosign/ to useragent for remote calls (#479)
5a426a5 add additional KMS use cases of cosign (#473)
364cadc Add "cosign attest" command! (#458)
d401496 fulcio-server -> fulcio-url, pkg/fulcio refactoring (#471)
5bb088d refactor attached image code (#470)
49a4227 fix sget (#468)
7068357 Infra flags for fulcio / rekor / oidc values (#462)
647606b release: update builder container to use go 1.16.6 (#466)
a7f1ef6 more refactoring to use cryptoutils (#465)
840f9a6 Fix/verify dockerfile parser (#433)
981d702 cosign.LoadCerts -> cryptoutils.LoadCertificatesFromPEM (#464)
da50a67 Do a few more cleanups to reuse sigstore/sigstore and refactor verification. (#463)
7393e96 Refactor to use sigstore/sigstore crypto utilities (#460)
b385d1b Refactor the verification logic a bit to support more verification types. (#459)
fe1a39e Refactor the way certs are handled. (#457)
d08c803 Drop the dupe detector, this isn't needed anymore with the new interfaces (#456)
9c0eb2e Refactor signing options a bit between blob/image. (#455)
2af7bd0 Fix USAGE.md link (#454)
9ef97c2 Reduce some of the noise in e2e tests by hiding the SBOM output unless the test fails. (#453)
9adaad5 cmd/sign: Add -cert flag (#451)
fd17d7f Update sigtore dependency to include Azure KMS (#452)
607a5fe pivkey: Change default slot to Signature (9c) (#450)
48a2f82 Readme fixes and improvements (#448)
9c61577 update sigstore modules, tidy (#447)
2123698 Bump k8s.io/client-go from 0.21.2 to 0.21.3 (#445)
dbf506e Bump k8s.io/api from 0.21.2 to 0.21.3 (#444)
268ce57 Move the specs to their own directory. (#440)
d0684ec Update the readme a bit. (#441)
7e256fd added Hashicorp Vault KMS support to the description of public-key sub-command (#438)
e6d91a7 make base image an arg, use distroless/static for releases (#436)
e68da41 update deps, run go mod tidy (#432)
f79accb update workflows (other than release) to go 1.16.6 (#431)
82d49dc Numerous updates to .goreleaser.yml & associated scripts

Container image available as well gcr.io/projectsigstore/cosign:v1.0.0@sha256:5e88d8f6162c04da4fa7d63b032bac34d8c906b48e88057263d67b059ace7de4

Thanks for all contributors!

For this 1.0 release, let's thank everyone that committed!

• Dan Lorenc (dlorenc)
• Jake Sanders (dekkagaijin)
• Priya Wadhwa (priyawadhwa)
• Carlos Tadeu Panato Junior (cpanato)
• Batuhan Apaydın (developer-guy)
• Luke Hinds (lukehinds)
• Ivan Font (font)
• Jason Hall (imjasonh)
• Naveen (naveensrinivasan)
• Chris Norman (chrnorm)
• Asra Ali (asraa)
• Christian Pearce (pearcec)
• Jon Johnson (jonjohnsonjr)
• Bob Callaway (bobcallaway)
• Appu (loosebazooka)
• James Alseth (jalseth)
• rjbrown57 (rjbrown57)
• Ahmet Alp Balkan (ahmetb)
• rotem-cider (rotem-cider)
• Balazs Zachar (Cajga)
• Cody Soyland (codysoyland)
• Dan POP (danpopSD)
• Dino Dai Zovi (ddz)
• Eminks (eminks)
• Furkan Türkal (Dentrax)
• Hector Fernandez (hectorj2f)
• João Pereira (joaodrp)
• Kim Lewandowski (kimsterv)
• Mark Bestavros (mbestavros)
• Paris Z (zuBux)
• Ross Timson (rosstimson)
• Rémy Greinhofer (rgreinho)
• Tom Hennen (TomHennen)

v0.6.0

v0.6.0

Enhancements

• BREAKING: Moved cosign upload-blob to cosign upload blob (#378)
• BREAKING: Moved cosign upload to cosign attach signature (#378)
• BREAKING: Moved cosign download to cosign download signature (#392)
• Added flags to specify slot, PIN, and touch policies for security keys (Thank you @ddz #369)
• Added cosign verify-dockerfile command (#395)
• Added SBOM support in cosign attach and cosign download sbom (#387)
• Sign & verify images using Kubernetes secrets (A muchas muchas gracias to @developer-guy and @Dentrax #398)
• Added support for AWS KMS (谢谢, @codysoyland #426)
• Numerous enhancements to our build & release process, courtesy @cpanato

Bug Fixes

• Verify entry timestamp signatures of fetched Tlog entries (#371)

Contributors

• Asra Ali (@asraa)
• Batuhan Apaydın (@developer-guy)
• Carlos Panato (@cpanato)
• Cody Soyland (@codysoyland)
• Dan Lorenc (@dlorenc)
• Dino A. Dai Zovi (@ddz)
• Furkan Türkal (@Dentrax)
• Jason Hall (@imjasonh)
• Paris Zoumpouloglou (@zuBux)
• Priya Wadhwa (@priyawadhwa)
• Rémy Greinhofer (@rgreinho)
• Russell Brown (@rjbrown57)

cosign image available at gcr.io/projectsigstore/cosign:v0.6.0@sha256:2303322158802ec0452758578ac80801a3754ee9cb19c128fc5d1b2ec32fa2d2

Thanks for all contributors!

v0.5.0

Enhancements

• Added cosign copy to easily move images and signatures between repositories (#317)
• Added -r flag to cosign sign for recursively signing multi-arch images (#320)
• Added cosign clean to delete signatures for an image (Thanks, @developer-guy! #324)
• Added -k8s flag to cosign generate-key-pair to create a Kubernetes secret (Hell yeah, @priyawadhwa! #345)

Bug Fixes

• Fixed an issue with misdirected image signatures when COSIGN_REPOSITORY was used (#323)

Contributors

• Balazs Zachar (@Cajga)
• Batuhan Apaydın (@developer-guy)
• Dan Lorenc (@dlorenc)
• Furkan Turkal (@Dentrax)
• Jake Sanders (@dekkagaijin)
• Jon Johnson (@jonjohnsonjr)
• Priya Wadhwa (@priyawadhwa)

v0.4.0

The fourth installment in the Cosign technologic universe

Action Required

• Signatures created with cosign before v0.4.0 are not compatible with those created after
  • The signature image's manifest now uses OCI mediaTypes (#300)
  • The signature image's tag is now terminated with .sig (instead of .cosign, #287)

Enhancements

• 🎉 Added support for "offline" verification of Rekor signatures 🎉 (ありがとう, @priyawadhwa! #285)
• Support for Hashicorp vault as a KMS provider has been added (Danke, @RichiCoder1! sigstore/sigstore #44, sigstore/sigstore #49)
• Windows binaries! (Grazie, @pearcec #249)

Bug Fixes

• GCP KMS URIs now include the key version (sigstore/sigstore #45)

Contributors

• Christian Pearce (@pearcec)
• Dan Lorenc (@dlorenc)
• Jake Sanders (@dekkagaijin)
• Priya Wadhwa (@priyawadhwa)
• Richard Simpson (@RichiCoder1)
• Ross Timson (@rosstimson)