
Update dependency sigstore/cosign to v3.1.1#321

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/sigstore-cosign-3.x

Conversation

@renovate renovate Bot commented Jan 10, 2026

This PR contains the following updates:

Package           Update   Change
sigstore/cosign   minor    v3.0.3 -> v3.1.1

Release Notes

sigstore/cosign (sigstore/cosign)

v3.1.1

Compare Source

What's Changed

Note: v3.1.0 was skipped due to a bug in our release pipeline. v3.1.1 is identical to v3.1.0

This release deprecates a number of flags related to verification material input for trust root material, as well as the bundle format, standardized across Sigstore SDKs, which is now the default output and input for signing and verifying respectively. You may continue to use the deprecated flags with Cosign v3.x releases. The deprecated flags will be removed in a future Cosign v4 release.

This release also updates the signing path for logging to Rekor v2. DSSE attestations will be logged as hashed entries, using the DSSE's pre-auth encoding (PAE). This should unblock developers who want to upload large signed DSSEs such as SBOMs.

  • Initialize PKCS11 slots Before Getting Token Info in #4803
  • Sign exclusively via sigstore-go in #4618
  • bundle create: Prevent IgnoreTlog when bundle contains SET in #4829
  • Require bundle output or registry upload in #4785
  • fix(load): pass NameOptions to name.ParseReference in #4786
  • fix: honor --digestAlg when hashing a blob in verify-blob-attestation in #4813
  • Deprecate Flags for v4: Certificates in #4822
  • Deprecate flags signing config in #4844
  • Deprecate flags bundle in #4838
  • Fix typo in map of verify command fields unsupported for new bundle format in #4853
  • Add bundle upgrade command in #4820
  • Deprecate Flags for v4 in #4854
  • fix: close file descriptor leaked in WriteSignedImageIndexImages loop in #4869
  • fix: use Header.Set to prevent duplicate Authorization on retry in #4870
  • feat(cli): add Rekor v2 flag to cosign signing-config create in #4868
  • Fix crash verifying timestamps when no timestamp was verified in #4881
  • Deprecate Flags for v4: OCI Referrers in #4804
  • Use the configured Target Repository more consistently in #4836
  • fix: check HTTP status code in LoadFileOrURL in #4877
  • Fix unsafe type assertion in Rego policy evaluation in #4882
  • Fix Ed25519ph check to respect custom signing configs in sign-blob in #4880
  • Enable initialize command output in conformance in #4892
  • verify: return TUF errors for new bundle trusted roots in #4878
  • Deprecate subcommands in #4894
  • Remove docstring references to deprecated flags in #4910
  • fix(verify): Attach detached certificates to static signatures via wrapped verifier in #4737
  • fix(verify): copy CheckOpts inside VerifyNewBundle to fix data race in #4917
  • Update sigstore-go to v1.2.0 in #4914

Full Changelog: sigstore/cosign@v3.0.6...v3.1.1

v3.0.6

Compare Source

Changelog

v3.0.6 resolves GHSA-w6c6-c85g-mmv6. This release also adds support for signing with OpenBao-managed keys.

Thanks to all contributors!

v3.0.5

Compare Source

Deprecations

Features

  • Automatically require signed timestamp with Rekor v2 entries (#4666)
  • Allow --local-image with --new-bundle-format for v2 and v3 signatures (#4626)
  • Add mTLS support for TSA client connections when signing with a signing config (#4620)
  • Enforce TSA requirement for Rekor v2, Fulcio signing (#4683)

Bug Fixes

  • Add empty predicate to cosign sign when payload type is application/vnd.in-toto+json (#4635)
  • fix: avoid panic on malformed attestation payload (#4651)
  • fix: avoid panic on malformed tlog entries (#4649)
  • fix: avoid panic on malformed replace payload (#4653)
  • Gracefully fail if bundle payload body is not a string (#4648)
  • Verify validity of chain rather than just certificate (#4663)
  • fix: avoid panic on malformed tlog entry body (#4652)

Documentation

  • docs(cosign): clarify RFC3161 revocation semantics (#4642)
  • Fix typo in CLI help (#4701)

v3.0.4

Compare Source

v3.0.4 resolves GHSA-whqx-f9j3-ch6m.

Changes

  • Fix bundle verify path for old bundle/trusted root (GHSA-whqx-f9j3-ch6m) (#4623)
  • Optimize cosign tree performance by caching digest resolution (#4612)
  • Don't require a trusted root to verify offline with a key (#4613)
  • Support default services for trusted-root and signing-config creation (#4592)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever the PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by evocloud-bot. View the repository log

@renovate renovate Bot force-pushed the renovate/sigstore-cosign-3.x branch from 43cdc11 to f35d711 Compare February 2, 2026 17:26
@renovate renovate Bot force-pushed the renovate/sigstore-cosign-3.x branch from f35d711 to 0c0993e Compare February 12, 2026 13:04
@renovate renovate Bot force-pushed the renovate/sigstore-cosign-3.x branch from 0c0993e to ae1811b Compare February 19, 2026 21:40
@renovate renovate Bot changed the title chore(deps): update dependency sigstore/cosign to v3.0.4 chore(deps): update dependency sigstore/cosign to v3.0.5 Feb 19, 2026
@renovate renovate Bot changed the title chore(deps): update dependency sigstore/cosign to v3.0.5 chore(deps): update dependency sigstore/cosign to v3.0.6 Apr 7, 2026
@renovate renovate Bot force-pushed the renovate/sigstore-cosign-3.x branch from ae1811b to 0ca8773 Compare April 7, 2026 00:56
@renovate renovate Bot changed the title chore(deps): update dependency sigstore/cosign to v3.0.6 Update dependency sigstore/cosign to v3.0.6 Apr 8, 2026
@renovate renovate Bot force-pushed the renovate/sigstore-cosign-3.x branch from 0ca8773 to cb1672b Compare May 14, 2026 18:28
@renovate renovate Bot changed the title Update dependency sigstore/cosign to v3.0.6 Update dependency sigstore/cosign to v3.1.1 Jun 9, 2026
@renovate renovate Bot force-pushed the renovate/sigstore-cosign-3.x branch from cb1672b to f85c361 Compare June 9, 2026 18:00