A whole buncha bugfixes!
- Files created with
--output-signatureand--output-certificatenow created with 0600 permissions (sigstore#1151) - Added
cosign verify-attestation --local-imagefor verifying signed images with attestations from disk (sigstore#1174) - Added the ability to fetch the TUF root over HTTP with
cosign initialize --mirror(sigstore#1185)
- Fixed saving and loading a signed image index to disk (sigstore#1147)
- Fixed
sign-blob --output-certificatewriting an empty file (sigstore#1149) - Fixed assorted issues related to the initialization and use of Sigstore's TUF root of trust (sigstore#1157)
- Carlos Alexandro Becker (@caarlos0)
- Carlos Panato (@cpanato)
- Hayden Blauzvern (@haydentherapper)
- Jake Sanders (@dekkagaijin)
- Matt Moore (@mattmoor)
- Priya Wadhwa (@priyawadhwa)
- Radoslav Gerganov (@rgerganov)
- BREAKING [COSIGN_EXPERIMENTAL]: This and future
cosignreleases will generate signatures that do not validate in older versions ofcosign. This only applies to "keyless" experimental mode. To opt out of this behavior, use:--fulcio-url=https://fulcio.sigstore.devwhen signing payloads (sigstore#1127) - BREAKING [cosign/pkg]:
SignedEntryTimestampis now of type[]byte. To get the previous behavior, callstrfmt.Base64(SignedEntryTimestamp)(sigstore#1083) cosign-linux-pivkey-amd64releases are now of the formcosign-linux-pivkey-pkcs11key-amd64(sigstore#1052)- Releases are now additionally signed using the keyless workflow (sigstore#1073, sigstore#1111)
- Validate the whole attestation statement, not just the predicate (sigstore#1035)
- Added the options to replace attestations using
cosign attest --replace(sigstore#1039) - Added URI to
cosign verify-bloboutput (sigstore#1047) - Signatures and certificates created by
cosign signandcosign sign-blobcan be output to file using the--output-signatureand--output-certificateflags, respectively (sigstore#1016, sigstore#1093, sigstore#1066, sigstore#1095) - [cosign/pkg] Added the
pkg/oci/layoutpackage for storing signatures and attestations on disk (sigstore#1040, sigstore#1096) - [cosign/pkg] Added
mutatemethods to attachoci.Files tooci.Signed*objects (sigstore#1084) - Added the
--signature-digest-algorithmflag tocosign verify, allowing verification of container image signatures which were generated with a non-SHA256 signature algorithm (sigstore#1071) - Builds should now be reproducible (sigstore#1053)
- Allows base64 files as
--certincosign verify-blob(sigstore#1088) - Kubernetes secrets generated for version >= 1.21 clusters have the immutable bit set (sigstore#1091)
- Added
cosign saveandcosign loadcommands to save and upload container images and associated signatures to disk (sigstore#1094) cosign signwill no longer fail to sign private images in keyless mode without--force(sigstore#1116)cosign verifynow supports signatures stored in files and remote URLs with--signature(sigstore#1068)cosign verifynow supports certs stored in files (sigstore#1095)- Added support for
syftformat incosign attach sbom(sigstore#1137)
- Fixed verification of Rekor bundles for InToto attestations (sigstore#1030)
- Fixed a potential memory leak when signing and verifying with security keys (sigstore#1113)
- Ashley Davis (@SgtCoDFish)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Brandon Philips (@philips)
- Carlos Alexandro Becker (@caarlos0)
- Carlos Panato (@cpanato)
- Christian Rebischke (@shibumi)
- Dan Lorenc (@dlorenc)
- Erkan Zileli (@erkanzileli)
- Furkan Türkal (@Dentrax)
- garantir-km (@garantir-km)
- Jake Sanders (@dekkagaijin)
- jbpratt (@jbpratt)
- Matt Moore (@mattmoor)
- Mikey Strauss (@houdini91)
- Naveen Srinivasan (@naveensrinivasan)
- Priya Wadhwa (@priyawadhwa)
- Sambhav Kothari (@samj1912)
- BREAKING [cosign/pkg]:
cosign.Verifyhas been removed in favor of explicitcosign.VerifyImageSignaturesandcosign.VerifyImageAttestations(sigstore#1026)
- Add ability for verify-blob to find signing cert in transparency log (sigstore#991)
- root policy: add optional issuer to maintainer keys (sigstore#999)
- PKCS11 signing support (sigstore#985)
- Included timeout option for uploading to Rekor (sigstore#1001)
- Bump sigstore/sigstore to pickup a fix for azure kms (sigstore#1011 / sigstore#1028)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Carlos Panato (@cpanato)
- Dan Lorenc (@dlorenc)
- Dennis Leon (@DennisDenuto)
- Erkan Zileli (@erkanzileli)
- Furkan Türkal (@Dentrax)
- garantir-km (@garantir-km)
- Jake Sanders (@dekkagaijin)
- Naveen (@naveensrinivasan)
- BREAKING:
verify-manifestis nowmanifest verify(sigstore#712) - BREAKING:
/pkghas been heavily refactored. Further refactoring work will make its way into 1.4.0 - WARNING: The CLI now uses POSIX-style (double-dash
--flag) for long-form flags. It will temporarily accept the single-dash-flagform with a warning, which will become an error in a future release (sigstore#835) - Added
sgetas part of Cosign's releases (sigstore#752) - The
copaseticutility was unceremoniously baleeted (sigstore#785)
- Began reworking
/pkgaround new abstractions for signing, verification, and storage (sigstore#666)- Notice: refactoring of
/pkgwill continue in the next minor release (1.4.0). Please leave feedback, especially if you've been experimenting withcosignas a library and found it lacking (sigstore#844) - GGCR-style libraries for interacting with images now exist under
pkg/oci(sigstore#770) pkg/cosign/remote.UploadSignatureAPI was been removed in favor of newpkg/oci/remoteAPIs (sigstore#774)- The function signature of
cosign.Verifywas changed so that callers must be explicit about which signatures (or attestations) to verify. For matching signatures, see alsocosign.Verify{Signatures,Attestations}(sigstore#782) - Removed
cremote.UploadFilein favor ofstatic.NewFileandremote.Write(sigstore#797)
- Notice: refactoring of
- Innumerable other improvements to the codebase and automation (Makin me look bad, @mattmoor)
- Migrated the CLI to
cobra(Welcome to the team, @n3wscott) - Added the
--allow-insecure-registryflag to disable TLS verification when interacting with insecure (e.g. self-signed) container registries (sigstore#669) - 🔒
cosignednow includes a mutating webhook that resolves image tags to digests (sigstore#800) - 🔒 The
cosignedvalidating webhook now requires image digest references (sigstore#799) - The
cosignedwebhook now ignores resources that are being deleted (sigstore#803) - The
cosignedwebhook now supports resolving private images that are authenticated viaimagePullSecrets(sigstore#804) manifest verifynow supports verifying images in all Kubernetes objects that fit withinPodSpec,PodSpecTemplate, orJobSpecTemplate, including CRDs (sigstore#697)- Added shell auto-completion support (Clutch collab from @erkanzileli, @passcod, and @Dentrax! sigstore#836)
cosignhas generated Markdown docs available in thedoc/directory (sigstore#839)- Added support for verifying with secrets from a GitLab project (sigstore#934)
- Added a
--k8s-keychainoption that enables cosign to support ambient registry credentials based on the "k8schain" library (sigstore#972) - CI (test) Images are now created for every architecture distroless ships on (currently: amd64, arm64, arm, s390x, ppc64le) (sigstore#973)
attest: replaced--uploadflag with a--no-uploadflag (sigstore#979)
cosignednow verifiesCronJobimages (Terve, @vaikas sigstore#809)- Fixed the
verify--cert-emailoption to actually work (Sweet as, @passcod sigstore#821) public-key -skno longer causeserror: x509: unsupported public key type: *crypto.PublicKey(sigstore#864)- Fixed interactive terminal support in Windows (sigstore#871)
- The
-ctflag is no longer ignored inupload blob(sigstore#910)
- Aditya Sirish (@adityasaky)
- Asra Ali (@asraa)
- Axel Simon (@axelsimon)
- Batuhan Apaydın (@developer-guy)
- Brandon Mitchell (@sudo-bmitch)
- Carlos Panato (@cpanato)
- Chao Lin (@blackcat-lin)
- Dan Lorenc (@dlorenc)
- Dan Luhring (@luhring)
- Eng Zer Jun (@Juneezee)
- Erkan Zileli (@erkanzileli)
- Félix Saparelli (@passcod)
- Furkan Türkal (@Dentrax)
- Hector Fernandez (@hectorj2f)
- Ivan Font (@font)
- Jake Sanders (@dekkagaijin)
- Jason Hall (@imjasonh)
- Jim Bugwadia (@JimBugwadia)
- Joel Kamp (@mrjoelkamp)
- Luke Hinds (@lukehinds)
- Matt Moore (@mattmoor)
- Naveen (@naveensrinivasan)
- Olivier Gaumond (@oliviergaumond)
- Priya Wadhwa (@priyawadhwa)
- Radoslav Gerganov (@rgerganov)
- Ramkumar Chinchani (@rchincha)
- Rémy Greinhofer (@rgreinho)
- Scott Nichols (@n3wscott)
- Shubham Palriwala (@ShubhamPalriwala)
- Viacheslav Vasilyev (@avoidik)
- Ville Aikas (@vaikas)
- BREAKING: move
verify-dockerfiletodockerfile verify(sigstore#662) - Have the keyless
cosign signflow use a single 3LO. (sigstore#665) - Allow to
verify-blobfrom urls (sigstore#646) - Support GCP environments without workload identity (GCB). (sigstore#652)
- Switch the release cosign container to debug. (sigstore#649)
- Add logic to detect and use ambient OIDC from exec envs. (sigstore#644)
- Add
-cert-emailflag to provide the email expected from a fulcio cert to be valid (sigstore#622) - Add support for downloading signature from remote (sigstore#629)
- Add sbom and attestations to triangulate (sigstore#628)
- Add cosign attachment signing and verification (sigstore#615)
- Embed CT log public key (sigstore#607)
- Verify SCTs returned by fulcio (sigstore#600)
- Add extra replacement variables and GCP's role identifier (sigstore#597)
- Store attestations in the layer (payload) rather than the annotation. (sigstore#579)
- Improve documentation about predicate type and change predicate type from provenance to slsaprovenance (sigstore#583)
- Upgrade in-toto-golang to adapt SLSA Provenance (sigstore#582)
- Fix verify-dockerfile to allow lowercase FROM (sigstore#643)
- Fix signing for the cosigned image. (sigstore#634)
- Make sure generate-key-pair doesn't overwrite existing key-pair (sigstore#623)
- helm/ci: update helm repo before installing the dependency (sigstore#598)
- Set the correct predicate type/URI for each supported predicate type. (sigstore#592)
- Warnings on admissionregistration version (sigstore#581)
- Remove unnecessary COSIGN_PASSWORD (sigstore#572)
- Batuhan Apaydın
- Ben Walding
- Carlos Alexandro Becker
- Carlos Tadeu Panato Junior
- Erkan Zileli
- Hector Fernandez
- Jake Sanders
- Jason Hall
- Matt Moore
- Michael Lieberman
- Naveen Srinivasan
- Pradeep Chhetri
- Sambhav Kothari
- dlorenc
- priyawadhwa
- BREAKING: The
-attestationflag has been renamed to-predicateinattest(sigstore#500) - Added
verify-manifestcommand (sigstore#490) - Added the ability to specify and validate well-known attestation types in
attestwith the-typeflag (sigstore#504) - Added
cosign initcommand to setup the trusted local repository of SigStore's TUF root metadata (sigstore#520) - Added timestamps to Cosign's custom In-Toto predicate (sigstore#533)
verifynow always verifies that the image exists (even when referenced by digest) before verification (sigstore#543)
verify-dockerfileno longer fails onFROM scratch(sigstore#509)- Fixed reading from STDIN with
attach sbom(sigstore#517) - Fixed broken documentation and implementation of
-outputforverifyandverify-attestation(sigstore#546) - Fixed nil pointer error when calling
upload blobwithout specifying-f(sigstore#563)
- Adolfo García Veytia (@puerco)
- Anton Semjonov (@ansemjo)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Carlos Panato (@cpanato)
- Dan Lorenc (@dlorenc)
- @gkovan
- Hector Fernandez (@hectorj2f)
- Jake Sanders (@dekkagaijin)
- Jim Bugwadia (@JimBugwadia)
- Jose Donizetti (@josedonizetti)
- Joshua Hansen (@joshes)
- Jason Hall (@imjasonh)
- Priya Wadhwa (@priyawadhwa)
- Russell Brown (@rjbrown57)
- Stephan Renatus (@srenatus)
- Li Yi (@denverdino)
- BREAKING: The default HSM key slot is now "signature" instead of "authentication" (sigstore#450)
- BREAKING:
--fulcio-serveris now--fulcio-url(sigstore#471) - Added
-certflag tosignto allow the explicit addition of a signature certificate (sigstore#451) - Added the
attestcommand (sigstore#458) - Added numerous flags for specifying parameters when interacting with Rekor and Fulcio (sigstore#462)
cosignwill now send its version string as part of theuser-agentwhen interacting with a container registry (sigstore#479)- Files containing certificates for custom Fulcio endpoints can now be specified via the
COSIGN_ROOTenvironment variable (sigstore#477)
- Fixed a situation where lower-case
aswould breakverify-dockerfile(Complements to @Dentrax sigstore#433)
- Appu Goundan (@loosebazooka)
- Batuhan Apaydın (@developer-guy)
- Carlos Panato (@cpanato)
- Dan Lorenc (@dlorenc)
- Furkan Türkal (@Dentrax)
- Hector Fernandez (@hectorj2f)
- Jake Sanders (@dekkagaijin)
- James Alseth (@jalseth)
- Jason Hall (@imjasonh)
- João Pereira (@joaodrp)
- Luke Hinds (@lukehinds)
- Tom Hennen (@TomHennen)
- BREAKING: Moved
cosign upload-blobtocosign upload blob(sigstore#378) - BREAKING: Moved
cosign uploadtocosign attach signature(sigstore#378) - BREAKING: Moved
cosign downloadtocosign download signature(sigstore#392) - Added flags to specify slot, PIN, and touch policies for security keys (Thank you @ddz sigstore#369)
- Added
cosign verify-dockerfilecommand (sigstore#395) - Added SBOM support in
cosign attachandcosign download sbom(sigstore#387) - Sign & verify images using Kubernetes secrets (A muchas muchas gracias to @developer-guy and @Dentrax sigstore#398)
- Added support for AWS KMS (谢谢, @codysoyland sigstore#426)
- Numerous enhancements to our build & release process, courtesy @cpanato
- Verify entry timestamp signatures of fetched Tlog entries (sigstore#371)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Carlos Panato (@cpanato)
- Cody Soyland (@codysoyland)
- Dan Lorenc (@dlorenc)
- Dino A. Dai Zovi (@ddz)
- Furkan Türkal (@Dentrax)
- Jake Sanders (@dekkagaijin)
- Jason Hall (@imjasonh)
- Paris Zoumpouloglou (@zuBux)
- Priya Wadhwa (@priyawadhwa)
- Rémy Greinhofer (@rgreinho)
- Russell Brown (@rjbrown57)
- Added
cosign copyto easily move images and signatures between repositories (sigstore#317) - Added
-rflag tocosign signfor recursively signing multi-arch images (sigstore#320) - Added
cosign cleanto delete signatures for an image (Thanks, @developer-guy! sigstore#324) - Added
-k8sflag tocosign generate-key-pairto create a Kubernetes secret (Hell yeah, @priyawadhwa! sigstore#345)
- Fixed an issue with misdirected image signatures when
COSIGN_REPOSITORYwas used (sigstore#323)
- Balazs Zachar (@Cajga)
- Batuhan Apaydın (@developer-guy)
- Dan Lorenc (@dlorenc)
- Furkan Turkal (@Dentrax)
- Jake Sanders (@dekkagaijin)
- Jon Johnson (@jonjohnsonjr)
- Priya Wadhwa (@priyawadhwa)
- Signatures created with
cosignbefore v0.4.0 are not compatible with those created after
- 🎉 Added support for "offline" verification of Rekor signatures 🎉 (ありがとう, priyawadhwa! #285)
- Support for Hashicorp vault as a KMS provider has been added (Danke, RichiCoder1! sigstore/sigstore #44, sigstore/sigstore #49)
- GCP KMS URIs now include the key version (#45)
- Christian Pearce (@pearcec)
- Dan Lorenc (@dlorenc)
- Jake Sanders (@dekkagaijin)
- Priya Wadhwa (@priyawadhwa)
- Richard Simpson (@RichiCoder1)
- Ross Timson (@rosstimson)
- Fixed CI container image breakage introduced in v0.3.0
- Fixed lack of version information in release binaries
This is the third release of cosign!
We still expect many flags, commands, and formats to change going forward, but we're getting closer. No backwards compatibility is promised or implied yet, though we are hoping to formalize this policy in the next release. See #254 for more info.
- The
-output-fileflag supports writing output to a specific file - The
-keyflag now supportskmsreferences and URLs, thekmsspecific flag has been removed - Yubikey/PIV hardware support is now included!
- Support for signing and verifying multiple images in one invocation
- Bug fixes in KMS keypair generation
- Bug fixes in key type parsing
- Dan Lorenc
- Priya Wadhwa
- Ivan Font
- Dependabot!
- Mark Bestavros
- Jake Sanders
- Carlos Tadeu Panato Junior
This is the second release of cosign!
We still expect many flags, commands, and formats to change going forward, but we're getting closer. No backwards compatibility is promised or implied.
- The password for private keys can now be passed via the
COSIGN_PASSWORD - KMS keys can now be used to sign and verify blobs
- The
versioncommand can now be used to return the release version - The
public-keycommand can now be used to extract the public key from KMS or a private key - The
COSIGN_REPOSITORYenvironment variable can be used to store signatures in an alternate location - Tons of new EXAMPLES in our help text
- Improved error messages for command line flag verification
- TONS more unit and integration testing
- Too many others to count :)
We would love to thank the contributors:
- Dan Lorenc
- Priya Wadhwa
- Ahmet Alp Balkan
- Naveen Srinivasan
- Chris Norman
- Jon Johnson
- Kim Lewandowski
- Luke Hinds
- Bob Callaway
- Dan POP
- eminks
- Mark Bestavros
- Jake Sanders
This is the first release of cosign!
The main goal of this release is to release something we can start using to sign other releases of sigstore projects, including cosign itself.
We expect many flags, commands, and formats to change going forward. No backwards compatibility is promised or implied.
This release added a feature to cosign called cosign.
The cosign feature can be used to sign container images and blobs.
Detailed documentation can be found in the README and the Detailed Usage.
There was no way to sign container images. Now there is!
We would love to thank the contributors:
- dlorenc
- priyawadhwa
- Ahmet Alp Balkan
- Ivan Font
- Jason Hall
- Chris Norman
- Jon Johnson
- Kim Lewandowski
- Luke Hinds
- Bob Callaway