Releases: sigstore/cosign

v2.2.4

10 Apr 22:12
fb651b4

Features

  • Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)

Documentation

  • add oci bundle spec (#3622)
  • Correct help text of triangulate cmd (#3551)
  • Correct help text of verify-attestation policy argument (#3527)
  • feat: add OVHcloud MPR registry tested with cosign (#3639)

Testing

  • Refactor e2e-tests.yml workflow (#3627)
  • Clean up and clarify e2e scripts (#3628)
  • Don't ignore transparency log in tests if possible (#3528)
  • Make E2E tests hermetic (#3499)
  • add e2e test for pkcs11 token signing (#3495)

Full Changelog: v2.2.3...v2.2.4

v1.13.6

21 Mar 22:54
eb4c436

What's Changed

  • V1 go tuf update in #3598

CI workflow fixes

  • Update cloud build script to latest for v1.13.x in #3615
  • 1.13.x release: Fix spacing in #3617
  • release 1.13.x: fix goreleaser in #3619

Full Changelog: v1.13.2...v1.13.6

v2.2.3

31 Jan 18:24
493e6e2

Bug Fixes

  • Fix race condition on verification with multiple signatures attached to image (#3486)
  • fix(clean): Fix clean cmd for private registries (#3446)
  • Fixed BYO PKI verification (#3427)

Features

  • Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
  • Add support for OpenVEX predicate type (#3405)

Documentation

  • Resolves #3088: version sub-command expected behaviour documentation and testing (#3447)
  • add examples for cosign attach signature cmd (#3468)

Misc

  • Remove CertSubject function (#3467)
  • Use local rekor and fulcio instances in e2e tests (#3478)

Full Changelog: v2.2.2...v2.2.3

v2.2.2

05 Dec 20:03
bf6b57b

v2.2.2 adds a new container image with a shell, gcr.io/projectsigstore/cosign:vx.y.z-dev, alongside the existing
shell-less image gcr.io/projectsigstore/cosign:vx.y.z.

For private deployments, --private-infrastructure is now accepted as an alias for --insecure-skip-log. The two flags behave identically: both skip transparency log verification, so use the alias only when verifying against Sigstore infrastructure you control.

Bug Fixes

  • chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411), which fixes a bug when using Azure KMS
  • Don't require CT log keys if using a key/sk (#3415)
  • Fix copy without any flag set (#3409)
  • Update cosign generate cmd to not include newline (#3393)
  • Fix idempotency error with signing (#3371)

Features

  • Add --yes flag to cosign import-key-pair to skip the overwrite confirmation (#3383)
  • Use the timeout flag value in verify* commands. (#3391)
  • add --private-infrastructure flag (#3369)

Container Updates

  • Bump builder image to use go1.21.4 and add new cosign image tags with shell (#3373)

Documentation

  • Update SBOM_SPEC.md (#3358)

Contributors

  • Carlos Tadeu Panato Junior
  • Dylan Richardson
  • Hayden B
  • Lily Sturmann
  • Nikos Fotiou
  • Yonghe Zhao

Full Changelog: v2.2.1...v2.2.2

v1.13.2

02 Dec 02:54
ea92927

Full Changelog: v1.13.1...v1.13.2

v2.2.1

07 Nov 13:20
12cbf9e

Note: this release fixes CVE-2023-46737, described in GitHub Security Advisory GHSA-vfp6-jrw2-99g9. Please upgrade to this release as soon as possible.

Enhancements

  • feat: Support basic auth and bearer auth login to registry (#3310)
  • add support for ignoring certificates with pkcs11 (#3334)
  • Support ReplaceOp in Signatures (#3315)
  • feat: added ability to get image digest back via triangulate (#3255)
  • feat: add --only flag in cosign copy to copy sign, att & sbom (#3247)
  • feat: add support attaching a Rekor bundle to a container (#3246)
  • feat: add support outputting rekor response on signing (#3248)
  • feat: improve dockerfile verify subcommand (#3264)
  • Add guard flag for experimental OCI 1.1 verify. (#3272)
  • Deprecate SBOM attachments (#3256)
  • feat: dedent line in cosign copy doc (#3244)
  • feat: add platform flag to cosign copy command (#3234)
  • Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)
  • attest: pass OCI remote opts to att resolver. (#3225)

Bug Fixes

  • Merge the fix for CVE-2023-46737 from security advisory GHSA-vfp6-jrw2-99g9
  • fix: allow cosign download sbom when image is absent (#3245)
  • ci: add a OCI registry test for referrers support (#3253)
  • Fix ReplaceSignatures (#3292)
  • Stop using deprecated in_toto.ProvenanceStatement (#3243)
  • Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237)
  • fix: update error in SignedEntity to be more descriptive (#3233)
  • Fail timestamp verification if no root is provided (#3224)

Documentation

  • Add some docs about verifying in an air-gapped environment (#3321)
  • Update CONTRIBUTING.md (#3268)
  • docs: improves the Contribution guidelines (#3257)
  • Remove security policy (#3230)

Others

  • Set go to min 1.21 and update dependencies (#3327)
  • Update contact for code of conduct (#3266)
  • Update .ko.yaml (#3240)

Contributors

  • AdamKorcz
  • Andres Galante
  • Appu
  • Billy Lynch
  • Bob Callaway
  • Caleb Woodbine
  • Carlos Tadeu Panato Junior
  • Dylan Richardson
  • Gareth Healy
  • Hayden B
  • John Kjell
  • Jon Johnson
  • jonvnadelberg
  • Luiz Carvalho
  • Priya Wadhwa
  • Ramkumar Chinchani
  • Tosone
  • Ville Aikas
  • Vishal Choudhary
  • ziel

New Contributors

Full Changelog: v2.2.0...v2.2.1

v2.2.0

31 Aug 19:23
546f1c5

Enhancements

  • switch to uploading DSSE types to rekor instead of intoto (#3113)
  • add 'cosign sign' command-line parameters for mTLS (#3052)
  • improve error messages around bundle != payload hash (#3146)
  • make VerifyImageAttestation function public (#3156)
  • Switch to cryptoutils function for SANS (#3185)
  • Handle HTTP_1_1_REQUIRED errors in github provider (#3172)

Bug Fixes

  • Fix nondeterministic timestamps (#3121)

Documentation

  • doc: Add example of sign-blob with key in env var (#3152)
  • add deprecation notice for cosign-releases GCS bucket (#3148)
  • update doc links (#3186)

Others

  • Upgrade to go1.21 (#3188)
  • Updates ci tests (#3142)
  • test using latest release of scaffolding (#3187)
  • ci: free up disk space for the gh runner (#3169)
  • update go-github to v53 (#3116)
  • call e2e test for cosign attach (#3112)
  • bump build cross to use go1.20.6 and cosign image to 2.1.1 (#3108)

v2.1.1

27 Jun 09:14
baf97cc

Bug Fixes

  • Wait for workers to become available again before continuing execution (#3084)
  • fix help text when in a container (#3082)

Documentation

  • update changelog (#3080)
  • Add CHANGELOG for v2.1.0 (#3068)

Contributors

  • Carlos Tadeu Panato Junior
  • priyawadhwa

Full Changelog: v2.1.0...v2.1.1

v2.1.0

24 Jun 00:26
986848f

Breaking Change: the predicate type is now a required flag in the attest commands, set via --type (#3033).

Enhancements

  • Verify sigs and attestations in parallel (#3066)
  • Deep inspect attestations when filtering download (#3031)
  • refactor bundle validation code, add support for DSSE rekor type (#3016)
  • Allow overriding remote options (#3049)
  • feat: adds no cert found on sig exit code (#3038)
  • Make predicate a required flag in attest commands (#3033)
  • Added support for attaching a timestamp authority (TSA) response in the attach command (#3001)
  • Add sign --sign-container-identity CLI (#2984)
  • Feature: Allow cosign to sign digests before they are uploaded. (#2959)
  • accepts attachment-tag-prefix for cosign copy (#3014)
  • Feature: adds '--allow-insecure-registry' for cosign load (#3000)
  • download attestation: support --platform flag (#2980)
  • Cleanup: Add Digest to the SignedEntity interface. (#2960)
  • verify command: support keyless verification using only a provided certificate chain with non-fulcio roots (#2845)
  • verify: use workers to limit the parallelism when verifying images with --max-workers flag (#3069)
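The DSSE envelope that v2.2.0 switched to for Rekor uploads (and whose Rekor type v2.1.0's bundle validation learned to handle) is a small, well-defined format, and the v2.1.0 breaking change above concerns the predicateType field of the in-toto statement such an envelope wraps. The Go program below is an added example, not cosign's or sigstore's own code: it builds a constructed in-toto statement, wraps it in a DSSE envelope signed with an ephemeral ECDSA P-256 key, verifies it by recomputing the DSSE pre-authentication encoding (PAE), and shows that changing either the payloadType or a single payload byte invalidates the signature. The registry name, subject digest and predicate type URI are made-up sample values, and the statement that --type selects the predicateType URI is an assumption about cosign made for this example, not something the release notes state.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
)

// Envelope is the DSSE envelope shape: payloadType, base64 of the raw payload,
// and one or more signatures. The signature covers pae(payloadType, payload),
// never the raw payload bytes alone.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// Statement is an in-toto Statement. predicateType is the URI that, by
// assumption for this example, `cosign attest --type` selects.
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

const inTotoPayloadType = "application/vnd.in-toto+json"

// pae is DSSE's pre-authentication encoding:
// "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body, lengths as decimal ASCII.
// Binding the type into the signed bytes prevents a validly signed blob from
// being re-presented under a different payload type.
func pae(payloadType string, payload []byte) []byte {
	out := []byte("DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(payload)) + " ")
	return append(out, payload...)
}

// Sign wraps payload in an envelope carrying one ECDSA P-256 signature over the PAE.
func Sign(priv *ecdsa.PrivateKey, payloadType string, payload []byte) (*Envelope, error) {
	digest := sha256.Sum256(pae(payloadType, payload))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []Signature{{Sig: base64.StdEncoding.EncodeToString(sig)}},
	}, nil
}

// Verify recomputes the PAE from the envelope's own fields and accepts the
// envelope if any signature verifies under pub; the payload is returned only then.
func Verify(pub *ecdsa.PublicKey, env *Envelope) ([]byte, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(pae(env.PayloadType, payload))
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil {
			return nil, err
		}
		if ecdsa.VerifyASN1(pub, digest[:], sig) {
			return payload, nil
		}
	}
	return nil, errors.New("dsse: no signature verified")
}

// RoundTrip signs a constructed statement, verifies it, then checks that a
// swapped payloadType and a flipped payload byte are each rejected.
func RoundTrip() (verified, typeTamperRejected, payloadTamperRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	// Constructed sample values: image name, digest and predicate type are made up.
	stmt := Statement{
		Type:          "https://in-toto.io/Statement/v1",
		Subject:       []Subject{{Name: "registry.example/app", Digest: map[string]string{"sha256": "a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4"}}},
		PredicateType: "https://example.com/predicate/v1",
		Predicate:     json.RawMessage(`{"builder":"ci.example"}`),
	}
	payload, err := json.Marshal(stmt)
	if err != nil {
		return
	}
	env, err := Sign(priv, inTotoPayloadType, payload)
	if err != nil {
		return
	}
	_, err = Verify(&priv.PublicKey, env)
	verified = err == nil
	if !verified {
		return
	}
	badType := *env // same payload and signature, different declared type
	badType.PayloadType = "application/octet-stream"
	_, e := Verify(&priv.PublicKey, &badType)
	typeTamperRejected = e != nil

	raw, _ := base64.StdEncoding.DecodeString(env.Payload)
	raw[len(raw)-1] ^= 0x01 // flip one bit of the statement
	badPayload := *env
	badPayload.Payload = base64.StdEncoding.EncodeToString(raw)
	_, e = Verify(&priv.PublicKey, &badPayload)
	payloadTamperRejected = e != nil
	return
}

func main() {
	v, t, p, err := RoundTrip()
	fmt.Println("verified:", v, "type tamper rejected:", t, "payload tamper rejected:", p, "err:", err)
}
```

Run it with go run. In a real cosign verification the public key comes from the signing certificate or the configured key rather than an ephemeral keypair, but the check is the same: the verifier must rebuild the PAE from the envelope it received, which is why an envelope signed as application/vnd.in-toto+json cannot be replayed as a different payload type.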

Bug Fixes

  • Fix pkg/cosign/errors (#3050)
  • fix: update doc to refer to github-actions oidc provider (#3040)
  • fix: prefer GitHub OIDC provider if enabled (#3044)
  • Fix --sig-only in cosign copy (#3074)

Documentation

  • Fix links to sigstore/docs in markdown files (#3064)
  • Update release readme (#2942)

Thanks to all contributors!

  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Chok Yip Lau
  • Chris Burns
  • Dmitry Savintsev
  • Enyinna Ochulor
  • Hayden B
  • Hector Fernandez
  • Jakub Hrozek
  • Jason Hall
  • Jon Johnson
  • Luiz Carvalho
  • Matt Moore
  • Mritunjay Kumar Sharma
  • Mukuls77
  • Ramkumar Chinchani
  • Sascha Grunert
  • Yolanda Robla Mota
  • priyawadhwa

v2.0.2

24 Apr 19:42
8714480

Installation

go install github.com/sigstore/cosign/v2/cmd/cosign@v2.0.2

Enhancements

  • Update sigstore/sigstore to v1.6.2 to pick up TUF CDN change (#2891)
  • feat: Make cosign copy faster (#2901)
  • remove sget (#2885)
  • Require a payload to be provided with a signature (#2785)

Bug Fixes

  • cmd: Change error message from KeyParseError to PubKeyParseError for verify-blob. (#2876)
  • Use SOURCE_DATE_EPOCH for OCI CreatedAt times (#2878)

Documentation

  • Remove experimental warning from Fulcio flags (#2923)
  • add missing oidc provider (#2922)
  • Add zot as a supported registry (#2920)
  • deprecates kms_support docs (#2900)
  • chore(docs) deprecate note for usage docs (#2906)
  • adds note of deprecation for examples.md docs (#2899)

Contributors

  • Carlos Tadeu Panato Junior
  • Chris Burns
  • Dmitry Savintsev
  • eiffel-fl
  • Hayden B
  • Hector Fernandez
  • Jon Johnson
  • Miloslav Trmač
  • priyawadhwa
  • Ramkumar Chinchani

Full Changelog: v2.0.1...v2.0.2