- BREAKING: The `-attestation` flag has been renamed to `-predicate` in `attest` (sigstore#500)
- Added `verify-manifest` command (sigstore#490)
- Added the ability to specify and validate well-known attestation types in `attest` with the `-type` flag (sigstore#504)
- Added `cosign init` command to set up the trusted local repository of Sigstore's TUF root metadata (sigstore#520)
- Added timestamps to Cosign's custom in-toto predicate (sigstore#533)
- `verify` now checks that the image exists (even when referenced by digest) before verifying its signatures (sigstore#543)
- `verify-dockerfile` no longer fails on `FROM scratch` (sigstore#509)
- Fixed reading from STDIN with `attach sbom` (sigstore#517)
- Fixed broken documentation and implementation of `-output` for `verify` and `verify-attestation` (sigstore#546)
- Fixed nil pointer error when calling `upload blob` without specifying `-f` (sigstore#563)
- Adolfo García Veytia (@puerco)
- Anton Semjonov (@ansemjo)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Carlos Panato (@cpanato)
- Dan Lorenc (@dlorenc)
- @gkovan
- Hector Fernandez (@hectorj2f)
- Jake Sanders (@dekkagaijin)
- Jim Bugwadia (@JimBugwadia)
- Jose Donizetti (@josedonizetti)
- Joshua Hansen (@joshes)
- Jason Hall (@imjasonh)
- Priya Wadhwa (@priyawadhwa)
- Russell Brown (@rjbrown57)
- Stephan Renatus (@srenatus)
- Li Yi (@denverdino)
- BREAKING: The default HSM key slot is now "signature" (PIV slot 9c) instead of "authentication" (PIV slot 9a) (sigstore#450)
- BREAKING: `--fulcio-server` is now `--fulcio-url` (sigstore#471)
- Added `-cert` flag to `sign` to allow the explicit addition of a signature certificate (sigstore#451)
- Added the `attest` command (sigstore#458)
- Added numerous flags for specifying parameters when interacting with Rekor and Fulcio (sigstore#462)
- `cosign` will now send its version string as part of the `user-agent` when interacting with a container registry (sigstore#479)
- Files containing certificates for custom Fulcio endpoints can now be specified via the `COSIGN_ROOT` environment variable (sigstore#477)
- Fixed a situation where a lower-case `as` in a `FROM ... as <stage>` line would break `verify-dockerfile` (Compliments to @Dentrax sigstore#433)
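The two `verify-dockerfile` fixes above (`FROM scratch`, lower-case `as`) are both about extracting the right set of base images from a Dockerfile before anything is verified. The Go program below is an added illustration of that parsing step; it is not cosign's implementation. `sampleDockerfile` is a constructed input, and `BaseImages` is a hypothetical helper that returns only the external images a tool would need to verify: it drops `FROM` options such as `--platform`, skips `scratch`, treats `AS` case-insensitively, and ignores a `FROM` that names an earlier build stage rather than a registry image.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleDockerfile is a constructed multi-stage Dockerfile that exercises
// the cases a verify-dockerfile style tool must handle: a FROM option, a
// lower-case `as`, a `scratch` base, and a FROM that names an earlier stage.
const sampleDockerfile = `
# syntax=docker/dockerfile:1
FROM --platform=$BUILDPLATFORM golang:1.16 as builder
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app .

from alpine:3.14 AS certs
RUN apk add --no-cache ca-certificates

FROM scratch
COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /out/app /app
ENTRYPOINT ["/app"]

FROM builder AS test
RUN go test ./...
`

// BaseImages returns the external image references a Dockerfile builds
// FROM, in order of first appearance and without duplicates. It skips
// `scratch` (there is nothing to verify), stage names introduced with AS
// (matched case-insensitively, as Dockerfile syntax allows), and FROM
// options such as --platform. Added illustration, not cosign's code;
// line continuations and ARG expansion are out of scope here.
func BaseImages(dockerfile string) []string {
	stages := map[string]bool{} // build-stage names declared so far
	seen := map[string]bool{}
	var images []string
	sc := bufio.NewScanner(strings.NewReader(dockerfile))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if !strings.EqualFold(fields[0], "FROM") {
			continue
		}
		var args []string
		for _, f := range fields[1:] {
			if !strings.HasPrefix(f, "--") { // drop options such as --platform=...
				args = append(args, f)
			}
		}
		if len(args) == 0 {
			continue // malformed FROM; a real tool would report this
		}
		ref := args[0]
		isStage := stages[strings.ToLower(ref)] // refers to a previous stage?
		// FROM <ref> AS <name>: record the stage name for later FROM lines.
		if len(args) >= 3 && strings.EqualFold(args[1], "AS") {
			stages[strings.ToLower(args[2])] = true
		}
		if ref == "scratch" || isStage || seen[ref] {
			continue
		}
		seen[ref] = true
		images = append(images, ref)
	}
	return images
}

func main() {
	for _, img := range BaseImages(sampleDockerfile) {
		fmt.Println("verify:", img)
	}
}
```

For the constructed Dockerfile this yields `golang:1.16` and `alpine:3.14` only; `scratch` and the `builder` stage are correctly left out. Note that stage names are compared after lowercasing, so `FROM Builder` and `FROM builder` both resolve to the stage declared as `as builder`.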
- Appu Goundan (@loosebazooka)
- Batuhan Apaydın (@developer-guy)
- Carlos Panato (@cpanato)
- Dan Lorenc (@dlorenc)
- Furkan Türkal (@Dentrax)
- Hector Fernandez (@hectorj2f)
- Jake Sanders (@dekkagaijin)
- James Alseth (@jalseth)
- Jason Hall (@imjasonh)
- João Pereira (@joaodrp)
- Luke Hinds (@lukehinds)
- Tom Hennen (@TomHennen)
- BREAKING: Moved `cosign upload-blob` to `cosign upload blob` (sigstore#378)
- BREAKING: Moved `cosign upload` to `cosign attach signature` (sigstore#378)
- BREAKING: Moved `cosign download` to `cosign download signature` (sigstore#392)
- Added flags to specify slot, PIN, and touch policies for security keys (Thank you @ddz sigstore#369)
- Added `cosign verify-dockerfile` command (sigstore#395)
- Added SBOM support in `cosign attach` and `cosign download sbom` (sigstore#387)
- Sign & verify images using Kubernetes secrets (Many, many thanks to @developer-guy and @Dentrax sigstore#398)
- Added support for AWS KMS (Thank you, @codysoyland sigstore#426)
- Numerous enhancements to our build & release process, courtesy @cpanato
- Verify the entry timestamp signatures of fetched transparency log (tlog) entries (sigstore#371)
- Asra Ali (@asraa)
- Batuhan Apaydın (@developer-guy)
- Carlos Panato (@cpanato)
- Cody Soyland (@codysoyland)
- Dan Lorenc (@dlorenc)
- Dino A. Dai Zovi (@ddz)
- Furkan Türkal (@Dentrax)
- Jake Sanders (@dekkagaijin)
- Jason Hall (@imjasonh)
- Paris Zoumpouloglou (@zuBux)
- Priya Wadhwa (@priyawadhwa)
- Rémy Greinhofer (@rgreinho)
- Russell Brown (@rjbrown57)
- Added `cosign copy` to easily move images and signatures between repositories (sigstore#317)
- Added `-r` flag to `cosign sign` for recursively signing multi-arch images (sigstore#320)
- Added `cosign clean` to delete signatures for an image (Thanks, @developer-guy! sigstore#324)
- Added `-k8s` flag to `cosign generate-key-pair` to create a Kubernetes secret (Hell yeah, @priyawadhwa! sigstore#345)
- Fixed an issue with misdirected image signatures when `COSIGN_REPOSITORY` was used (sigstore#323)
- Balazs Zachar (@Cajga)
- Batuhan Apaydın (@developer-guy)
- Dan Lorenc (@dlorenc)
- Furkan Turkal (@Dentrax)
- Jake Sanders (@dekkagaijin)
- Jon Johnson (@jonjohnsonjr)
- Priya Wadhwa (@priyawadhwa)
- Signatures created with `cosign` before v0.4.0 are not compatible with those created after
- 🎉 Added support for "offline" verification of Rekor signatures 🎉 (Thank you, priyawadhwa! #285)
- Support for HashiCorp Vault as a KMS provider has been added (Thanks, RichiCoder1! sigstore/sigstore #44, sigstore/sigstore #49)
- GCP KMS URIs now include the key version (#45)
- Christian Pearce (@pearcec)
- Dan Lorenc (@dlorenc)
- Jake Sanders (@dekkagaijin)
- Priya Wadhwa (@priyawadhwa)
- Richard Simpson (@RichiCoder1)
- Ross Timson (@rosstimson)
- Fixed CI container image breakage introduced in v0.3.0
- Fixed lack of version information in release binaries
This is the third release of cosign!

We still expect many flags, commands, and formats to change going forward, but we're getting closer. No backwards compatibility is promised or implied yet, though we are hoping to formalize this policy in the next release. See #254 for more info.

- The `-output-file` flag supports writing output to a specific file
- The `-key` flag now supports `kms` references and URLs; the `kms`-specific flag has been removed
- Yubikey/PIV hardware support is now included!
- Support for signing and verifying multiple images in one invocation
- Bug fixes in KMS keypair generation
- Bug fixes in key type parsing
- Dan Lorenc
- Priya Wadhwa
- Ivan Font
- Dependabot!
- Mark Bestavros
- Jake Sanders
- Carlos Tadeu Panato Junior
This is the second release of cosign!

We still expect many flags, commands, and formats to change going forward, but we're getting closer. No backwards compatibility is promised or implied.

- The password for private keys can now be passed via the `COSIGN_PASSWORD` environment variable
- KMS keys can now be used to sign and verify blobs
- The `version` command can now be used to return the release version
- The `public-key` command can now be used to extract the public key from KMS or a private key
- The `COSIGN_REPOSITORY` environment variable can be used to store signatures in an alternate location
- Tons of new EXAMPLES in our help text
- Improved error messages for command line flag verification
- TONS more unit and integration testing
- Too many others to count :)
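`COSIGN_REPOSITORY` comes up twice in these notes: it is introduced here, and a later release fixes signatures being misdirected when it was set. Where a signature lands matters for both the signer and every verifier, so the Go program below is an added illustration of cosign's documented naming convention: a signature is stored as a tag of the form `sha256-<hex>.sig` in the image's own repository, or in the repository named by `COSIGN_REPOSITORY` when that is set (attestations and SBOMs use the `.att` and `.sbom` suffixes the same way). This is not cosign's code; `ArtifactRef` and `repository` are hypothetical helpers, and the image references in `main` and the test are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Suffixes cosign uses for the artifacts it attaches to an image. These
// are the documented tag suffixes, not an API of the project.
const (
	SuffixSignature   = ".sig"
	SuffixAttestation = ".att"
	SuffixSBOM        = ".sbom"
)

// ArtifactRef returns the reference at which a cosign-style artifact for the
// image with the given digest is stored: <repo>:sha256-<hex><suffix>, where
// <repo> is the image's repository unless cosignRepository (the value of
// COSIGN_REPOSITORY) is non-empty. Added illustration, not cosign's code.
func ArtifactRef(imageRef, digest, suffix, cosignRepository string) (string, error) {
	repo, err := repository(imageRef)
	if err != nil {
		return "", err
	}
	if cosignRepository != "" {
		repo = strings.TrimSuffix(cosignRepository, "/")
	}
	parts := strings.SplitN(digest, ":", 2)
	if len(parts) != 2 || parts[0] != "sha256" || len(parts[1]) != 64 {
		return "", fmt.Errorf("unsupported digest %q", digest)
	}
	return fmt.Sprintf("%s:%s-%s%s", repo, parts[0], parts[1], suffix), nil
}

// repository strips any tag or digest from an image reference. A colon only
// counts as a tag separator after the last slash, so registry hosts with a
// port (localhost:5000/app) are left intact.
func repository(ref string) (string, error) {
	if ref == "" {
		return "", fmt.Errorf("empty image reference")
	}
	if i := strings.Index(ref, "@"); i >= 0 {
		ref = ref[:i]
	}
	lastSlash := strings.LastIndex(ref, "/")
	if i := strings.LastIndex(ref, ":"); i > lastSlash {
		ref = ref[:i]
	}
	return ref, nil
}

func main() {
	digest := "sha256:" + strings.Repeat("ab", 32) // constructed digest
	for _, env := range []string{"", "registry.example.com/signatures"} {
		ref, err := ArtifactRef("ghcr.io/example/app:v1.2.3", digest, SuffixSignature, env)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("COSIGN_REPOSITORY=%q -> %s\n", env, ref)
	}
}
```

The practical check this enables: when a verifier reports "no signatures found", compute the expected reference with and without `COSIGN_REPOSITORY` and pull it directly (for example with `crane manifest`); the signer and the verifier must agree on the value of that variable, otherwise each side looks in a different repository.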
We would love to thank the contributors:
- Dan Lorenc
- Priya Wadhwa
- Ahmet Alp Balkan
- Naveen Srinivasan
- Chris Norman
- Jon Johnson
- Kim Lewandowski
- Luke Hinds
- Bob Callaway
- Dan POP
- eminks
- Mark Bestavros
- Jake Sanders
This is the first release of cosign!

The main goal of this release is to release something we can start using to sign other releases of sigstore projects, including cosign itself.

We expect many flags, commands, and formats to change going forward. No backwards compatibility is promised or implied.

This release added a feature to cosign called `cosign`. The `cosign` feature can be used to sign container images and blobs.

Detailed documentation can be found in the README and the Detailed Usage.

There was no way to sign container images. Now there is!
We would love to thank the contributors:
- dlorenc
- priyawadhwa
- Ahmet Alp Balkan
- Ivan Font
- Jason Hall
- Chris Norman
- Jon Johnson
- Kim Lewandowski
- Luke Hinds
- Bob Callaway