Skip to content

Releases: sigstore/gitsign

v0.10.1

02 Apr 18:37
@github-actions github-actions
v0.10.1
337b099
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
v0.10.1 Latest
Latest

Changelog

  • 337b099 update base image for gitsign to one with shell available (#484)

Thanks to all contributors!

Assets 72

v0.10.0

02 Apr 17:40
@github-actions github-actions
v0.10.0
6ee714f
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
v0.10.0

What's Changed

  • Bump github.com/go-jose/go-jose/v3 from 3.0.2 to 3.0.3 by @dependabot in #468
  • Bump gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3 by @dependabot in #467
  • Bump anchore/sbom-action from 0.15.8 to 0.15.9 by @dependabot in #475
  • Bump golang.org/x/crypto from 0.20.0 to 0.21.0 by @dependabot in #474
  • Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 by @dependabot in #473
  • Bump golang.org/x/oauth2 from 0.17.0 to 0.18.0 by @dependabot in #472
  • Bump github.com/go-openapi/strfmt from 0.22.2 to 0.23.0 by @dependabot in #471
  • Bump github.com/go-openapi/swag from 0.22.9 to 0.23.0 by @dependabot in #470
  • Bump github.com/go-openapi/runtime from 0.27.1 to 0.28.0 by @dependabot in #469
  • Bump actions/checkout from 4.1.1 to 4.1.2 by @dependabot in #476
  • Bump github.com/docker/docker from 24.0.7+incompatible to 24.0.9+incompatible by @dependabot in #477
  • Bump github.com/coreos/go-oidc/v3 from 3.9.0 to 3.10.0 by @dependabot in #479
  • Bump actions/cache from 4.0.1 to 4.0.2 by @dependabot in #478
  • Bump github.com/sigstore/sigstore from 1.8.2 to 1.8.3 by @dependabot in #482
  • Bump anchore/sbom-action from 0.15.9 to 0.15.10 by @dependabot in #480
  • Bump github.com/go-git/go-git/v5 from 5.11.1-0.20240221104814-686a0f7a4928 to 5.12.0 by @dependabot in #481
  • add gitsign image by @cpanato in #483

Full Changelog: v0.9.0...v0.10.0

Contributors

cpanato and dependabot
Assets 72

v0.9.0

02 Apr 17:25
@github-actions github-actions
v0.9.0
e20deaa
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
v0.9.0

Changelog

  • e20deaa Add config options for Autoclose and AutocloseTimeout (#466)
  • 3f2e97e Bump actions/cache from 4.0.0 to 4.0.1 (#456)
  • 9ba5809 Bump github.com/go-openapi/strfmt from 0.22.0 to 0.22.2 (#464)
  • 98923e1 Update to use go1.22 and ci udpates (#465)
  • b3da2e6 Enable autoclose for sigstore confirmation page. (#455)
  • c2ac22d CI updates and fix lints (#461)
  • cedcc9d Remove GITSIGN_LOG env variable. (#463)
  • 2e63fd0 Run e2e Go tests first. (#462)
  • 6f20ffd Add go-git based signer implementation. (#454)
  • 66e0ff5 Bump github.com/sigstore/protobuf-specs from 0.2.1 to 0.3.0 (#453)
  • 57153a0 Bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (#450)
  • 3eafadd Bump golang.org/x/oauth2 from 0.16.0 to 0.17.0 (#449)
  • ae02bda Add GITSIGN_TOKEN_PROVIDER docs (#447)
  • ff05b31 Add tokenProvider configuration for forcing OIDC providers. (#446)

Thanks to all contributors!

Assets 72

v0.8.1

12 Feb 08:59
@wlynch wlynch
v0.8.1
bbd2c9c
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
v0.8.1

What's Changed

Not much! All dependency bumps. 😎

Full Changelog: v0.8.0...v0.8.1

Contributors

dependabot
Assets 72

v0.8.0

09 Nov 22:42
@github-actions github-actions
v0.8.0
cd66ccb
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v0.8.0

Rekor: https://search.sigstore.dev/?commitSha=01375268d822f8299a3d9c23f4fbd796c84bcaa5

Highlights

  • cd66ccb Add options for Rekor client, make public key fetcher configurable. (#399)
  • 530e976 Add gitsign initialize. (#321)
  • 4bda12e Fix offline verification marshalling, add e2e tests. (#330)

Thanks to all contributors!

Assets 72

v0.7.1

31 May 18:27
@github-actions github-actions
v0.7.1
c5a1f43
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v0.7.1

Changelog

  • c5a1f43 Offline verification: refactor to make it clear no signature checks are happening. (#319)
  • 8a76ba2 Revoke v0.7.0 (#318)

Thanks to all contributors!

Assets 72

v0.7.0

31 May 18:26
@github-actions github-actions
v0.7.0
8955100
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v0.7.0

Changelog

  • 8955100 Bump github.com/jonboulle/clockwork from 0.3.0 to 0.4.0 (#316)
  • 5dd6092 Add offline verification (#220)
  • 295f8c1 Bump github.com/coreos/go-oidc/v3 from 3.5.0 to 3.6.0 (#314)
  • fffe410 Bump sigstore/cosign-installer from 3.0.3 to 3.0.5 (#313)
  • e135d08 Bump actions/setup-go from 4.0.0 to 4.0.1 (#312)
  • dbeae80 Bump golang.org/x/crypto from 0.8.0 to 0.9.0 (#310)
  • 859b2ac Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#311)
  • ee39f77 Bump github.com/docker/distribution (#309)
  • 70e4dfd Bump github.com/cloudflare/circl from 1.3.1 to 1.3.3 (#308)
  • a454679 Bump github.com/sigstore/fulcio from 1.2.0 to 1.3.1 (#302)
  • 472a9d1 Bump github.com/sigstore/sigstore from 1.6.3 to 1.6.4 (#304)
  • 06cd545 Bump github.com/in-toto/in-toto-golang from 0.8.0 to 0.9.0 (#305)
  • 71800bf Bump anchore/sbom-action from 0.14.1 to 0.14.2 (#307)
  • d24ff29 Bump github.com/mattn/go-tty from 0.0.4 to 0.0.5 (#306)
  • 9f5a9e8 Bump github.com/sigstore/rekor from 1.1.0 to 1.1.1 (#300)
  • a75b58a Bump github.com/in-toto/in-toto-golang from 0.7.1 to 0.8.0 (#298)
  • df022a6 Bump github.com/sigstore/cosign/v2 from 2.0.1 to 2.0.2 (#299)
  • 717e7e6 Bump sigstore/cosign-installer from 3.0.2 to 3.0.3 (#297)
  • a8dc697 Bump actions/checkout from 3.5.0 to 3.5.2 (#289)
  • ebe8923 Bump github.com/sigstore/sigstore from 1.6.2 to 1.6.3 (#296)
  • f374e54 Bump github.com/go-openapi/runtime from 0.25.0 to 0.26.0 (#295)
  • 71a9701 Bump dependabot/fetch-metadata from 1.3.6 to 1.4.0 (#294)
  • 23df870 Ensure that io writers are properly closed. (#292)
  • 04f9453 Bump github.com/sigstore/sigstore from 1.6.1 to 1.6.2 (#290)
  • 76c47d5 Fix e2e test for initializing cosign (#287)
  • d38cd0b Update e2e test to use CDN instead of GCS (#285)
  • f9e70b5 Bump golang.org/x/crypto from 0.7.0 to 0.8.0 (#283)

Thanks to all contributors!

Assets 72

v0.6.0

11 Apr 16:19
@wlynch wlynch
v0.6.0
31608c0
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v0.6.0

Highlights

  • Added gitsign.matchCommitter option to verify certificate identity matches expected committer identity.
  • Added gitsign verify to verify commits with certificate verification options to match cosign (--certificate-identity, --certificate-oidc-issuer)
  • Added support for Buildkite and Environment Variable OIDC credential detection.

What's Changed

  • Bump golangci/golangci-lint-action from 3.3.1 to 3.4.0 by @dependabot in #228
  • Bump goreleaser/goreleaser-action from 4.1.0 to 4.1.1 by @dependabot in #227
  • Bump anchore/sbom-action from 0.13.1 to 0.13.3 by @dependabot in #226
  • Bump github.com/in-toto/in-toto-golang from 0.5.0 to 0.6.0 by @dependabot in #233
  • Bump github.com/go-git/go-billy/v5 from 5.4.0 to 5.4.1 by @dependabot in #232
  • Bump goreleaser/goreleaser-action from 4.1.1 to 4.2.0 by @dependabot in #231
  • Bump actions/cache from 3.2.3 to 3.2.4 by @dependabot in #230
  • Bump golang.org/x/oauth2 from 0.4.0 to 0.5.0 by @dependabot in #237
  • Bump actions/cache from 3.2.4 to 3.2.5 by @dependabot in #235
  • upgrade go to 1.20 by @cpanato in #234
  • Bump golang.org/x/crypto from 0.5.0 to 0.6.0 by @dependabot in #236
  • Update README.md by @y12studio in #239
  • Handle spaces in git config values by @adityasaky in #240
  • Bump github.com/sigstore/fulcio from 1.0.0 to 1.1.0 by @dependabot in #243
  • Bump golang.org/x/net from 0.6.0 to 0.7.0 by @dependabot in #245
  • Update --detached-sign to --detach-sign, remove "auto generated" line from docs by @adityasaky in #242
  • Add support for checking cert email against user config before signing. by @wlynch in #246
  • Bump sigstore cosign to v2, dep and workflows by @k4leung4 in #247
  • Bump actions/cache from 3.2.5 to 3.2.6 by @dependabot in #248
  • Bump golang.org/x/oauth2 from 0.5.0 to 0.6.0 by @dependabot in #255
  • Bump github.com/go-git/go-git/v5 from 5.5.2 to 5.6.0 by @dependabot in #252
  • Bump golang.org/x/crypto from 0.6.0 to 0.7.0 by @dependabot in #253
  • Bump sigstore/cosign-installer from 2.8.1 to 3.0.1 by @dependabot in #251
  • enable auto merge/approval for dependencies by @cpanato in #229
  • update some dependencies and use head of cosign for now by @cpanato in #250
  • Bump actions/cache from 3.2.6 to 3.3.1 by @dependabot in #256
  • Add matchCommitter to top level README table. by @wlynch in #257
  • Bump github.com/go-openapi/strfmt from 0.21.3 to 0.21.5 by @dependabot in #260
  • Bump github.com/go-git/go-git/v5 from 5.6.0 to 5.6.1 by @dependabot in #261
  • Bump actions/setup-go from 3.5.0 to 4.0.0 by @dependabot in #259
  • Bump actions/checkout from 3.3.0 to 3.4.0 by @dependabot in #258
  • Add gitsign verify by @wlynch in #262
  • Bump anchore/sbom-action from 0.13.3 to 0.13.4 by @dependabot in #266
  • Fix e2e tests by including --certificate-identity flag. by @wlynch in #264
  • Initialize staging TUF root for sigstage.dev. by @wlynch in #267
  • Add cosign to e2e tests, generalize e2e tests for forked repos. by @wlynch in #268
  • Fix verify flags in README by @wlynch in #263
  • Bump actions/checkout from 3.4.0 to 3.5.0 by @dependabot in #265
  • Bump github.com/go-openapi/strfmt from 0.21.5 to 0.21.7 by @dependabot in #272
  • Bump github.com/sigstore/fulcio from 1.1.0 to 1.2.0 by @dependabot in #273
  • Bump anchore/sbom-action from 0.13.4 to 0.14.1 by @dependabot in #269
  • Bump github.com/sigstore/rekor from 1.0.1 to 1.1.0 by @dependabot in #270
  • Update logo URL by @wlynch in #274
  • Bump github.com/docker/docker from 20.10.23+incompatible to 20.10.24+incompatible by @dependabot in #275
  • bump cosign dependency to pick up buildkite OIDC provider by @imjasonh in #276
  • Bump github.com/docker/docker from 23.0.1+incompatible to 23.0.3+incompatible by @dependabot in #277
  • Revert change in Gitsign logo URL path by @sandipanpanda in #278
  • Bump github.com/sigstore/sigstore from 1.6.0 to 1.6.1 by @dependabot in #281
  • Bump github.com/in-toto/in-toto-golang from 0.7.0 to 0.7.1 by @dependabot in #280
  • Bump github.com/sigstore/cosign/v2 from 2.0.1-0.20230404223517-fdeea9fd1574 to 2.0.1 by @dependabot in #279
  • Bump sigstore/cosign-installer from 3.0.1 to 3.0.2 by @dependabot in #282
  • Bump golang.org/x/oauth2 from 0.6.0 to 0.7.0 by @dependabot in #284

New Contributors

Full Changelog: v0.5.2...v0.6.0

Contributors

imjasonh, y12studio, and 6 other contributors
Assets 72

v0.5.2

27 Jan 16:03
@github-actions github-actions
v0.5.2
3406c64
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v0.5.2

Highlights

gitsign

  • BREAKING CHANGE: URI schemes added to gitsign show attestations to comply with intoto spec. (i.e. gitsign.sigstore.dev/predicate/git/v0.1 -> https://gitsign.sigstore.dev/predicate/git/v0.1)

gitsign-credential-cache

  • Added support for systemd socket activation
  • Added support for opening interactive auth flow through the cache socket - this allows users to forward interactive flows over remote SSH sockets to their local machines.

Changelog

  • 3406c64 Remove usage of getopt to fix release. (#225)
  • aca7918 Bump dependencies (go get -u ./...) (#224)
  • ac61585 Add support for systemd socket activation (#223)
  • 615911c Bump golang.org/x/oauth2 from 0.3.0 to 0.4.0 (#221)
  • f9c532b Update cache directory .sigstore -> sigstore. (#218)
  • 98ef482 Add interactive flow to credential cache. (#211)
  • 15447fe Add scheme to predicate type URI. (#217)
  • e20e829 Bump actions/checkout from 3.2.0 to 3.3.0 (#212)
  • ab6d26c Bump actions/cache from 3.2.2 to 3.2.3 (#213)
  • ec74e38 Bump github.com/go-git/go-git/v5 from 5.5.1 to 5.5.2 (#214)
  • 7a27e1d Bump golang.org/x/crypto from 0.4.0 to 0.5.0 (#215)
  • cc36fa9 Bump github.com/coreos/go-oidc/v3 from 3.4.0 to 3.5.0 (#216)
  • 6e4639c Bump actions/cache from 3.2.1 to 3.2.2 (#209)
  • 9f45bc1 Bump github.com/go-git/go-billy/v5 from 5.3.1 to 5.4.0 (#210)
  • cd97505 Bump actions/cache from 3.0.11 to 3.2.1 (#208)
  • fddac02 Bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#204)
  • 753bc4f Bump actions/setup-go from 3.4.0 to 3.5.0 (#206)
  • ec6825d Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#207)
  • 91da40f Bump actions/checkout from 3.1.0 to 3.2.0 (#205)
  • eca7ffc Bump github.com/go-git/go-git/v5 from 5.4.2 to 5.5.1 (#203)
  • a086299 Bump actions/setup-go from 3.3.1 to 3.4.0 (#199)
  • b9208e3 Bump github.com/go-openapi/runtime from 0.24.2 to 0.25.0 (#201)

Thanks to all contributors!

Contributors

iavael and wlynch
Assets 72

v0.4.1

02 Dec 16:09
@github-actions github-actions
v0.4.1
4db581a
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v0.4.1

What's Changed

  • Update README with correct TSA option values. by @wlynch in #197
  • Update TSA config names to match cosign. by @wlynch in #198

Full Changelog: v0.4.0...v0.4.1

Contributors

wlynch
Assets 72