Patch x/crypto/ssh
This is a small patch release to fix x/crypto/ssh vulnerability https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ
Changelog
Bug fixes
- 7e25a80: fix: lint issues (@caarlos0)
- eeb49ba: fix: lint issues (@caarlos0)
- 14c1425: fix: update codeowners (@caarlos0)
- 80b5f47: fix: update codeowners (@caarlos0)
Dependency updates
- b18eb8a: feat(deps): bump github.com/charmbracelet/bubbles from 0.18.0 to 0.19.0 (#322) (@dependabot[bot])
- 39c22e4: feat(deps): bump github.com/charmbracelet/bubbles from 0.19.0 to 0.20.0 (#333) (@dependabot[bot])
- c2d08d0: feat(deps): bump github.com/charmbracelet/bubbletea (#320) (@dependabot[bot])
- ae44821: feat(deps): bump github.com/charmbracelet/bubbletea (#324) (@dependabot[bot])
- 97e122a: feat(deps): bump github.com/charmbracelet/bubbletea from 0.27.1 to 1.0.0 (#326) (@dependabot[bot])
- e7eddab: feat(deps): bump github.com/charmbracelet/bubbletea from 1.0.0 to 1.0.1 (#327) (@dependabot[bot])
- 8bf04fb: feat(deps): bump github.com/charmbracelet/bubbletea from 1.1.0 to 1.1.1 (#334) (@dependabot[bot])
- 8bffd29: feat(deps): bump github.com/charmbracelet/bubbletea from 1.1.1 to 1.1.2 (#339) (@dependabot[bot])
- e1b5d9e: feat(deps): bump github.com/charmbracelet/bubbletea from 1.1.2 to 1.2.0 (#341) (@dependabot[bot])
- 9a618af: feat(deps): bump github.com/charmbracelet/bubbletea from 1.2.0 to 1.2.1 (#345) (@dependabot[bot])
- 1c2ac15: feat(deps): bump github.com/charmbracelet/bubbletea from 1.2.1 to 1.2.2 (#346) (@dependabot[bot])
- 42de0cc: feat(deps): bump github.com/charmbracelet/bubbletea from 1.2.2 to 1.2.3 (#347) (@dependabot[bot])
- 9d9366c: feat(deps): bump github.com/charmbracelet/bubbletea from 1.2.3 to 1.2.4 (#349) (@dependabot[bot])
- f2fc24c: feat(deps): bump github.com/charmbracelet/keygen from 0.5.0 to 0.5.1 (#319) (@dependabot[bot])
- ee65cec: feat(deps): bump github.com/charmbracelet/lipgloss from 0.12.1 to 0.13.0 (#323) (@dependabot[bot])
- b8b737b: feat(deps): bump github.com/charmbracelet/lipgloss from 0.13.0 to 0.13.1 (#338) (@dependabot[bot])
- b33eef0: feat(deps): bump github.com/charmbracelet/lipgloss from 0.13.1 to 1.0.0 (#340) (@dependabot[bot])
- edb3fad: feat(deps): bump github.com/charmbracelet/promwish from 0.7.0 to 0.8.0 (#354) (@dependabot[bot])
- 11302c6: feat(deps): bump github.com/charmbracelet/wish from 1.4.0 to 1.4.1 (#315) (@dependabot[bot])
- a053a78: feat(deps): bump github.com/charmbracelet/wish from 1.4.1 to 1.4.2 (#321) (@dependabot[bot])
- 4440724: feat(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#348) (@dependabot[bot])
- cc7a23b: feat(deps): bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#318) (@dependabot[bot])
- 9f9c9d4: feat(deps): bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#335) (@dependabot[bot])
- c338d99: feat(deps): bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#342) (@dependabot[bot])
- 8d4b19a: feat(deps): bump golang.org/x/crypto from 0.29.0 to 0.30.0 (#350) (@dependabot[bot])
- faf0905: feat(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#352) (@dependabot[bot])
- 1684a1c: feat(deps): bump golang.org/x/oauth2 from 0.21.0 to 0.22.0 (#316) (@dependabot[bot])
- 48a1104: feat(deps): bump golang.org/x/oauth2 from 0.23.0 to 0.24.0 (#343) (@dependabot[bot])
- 2d662f5: feat(deps): bump golang.org/x/term from 0.24.0 to 0.25.0 (#336) (@dependabot[bot])
- 7853cce: feat(deps): bump golang.org/x/term from 0.26.0 to 0.27.0 (#351) (@dependabot[bot])
Other work
- 6217c97: ci: fix dependabot config (@caarlos0)
- d7f058e: ci: fix goreleaser config (@caarlos0)
- f404231: ci: update (@caarlos0)
Verifying the artifacts
First, download the checksums.txt
file, for example, with wget
:
wget 'https://github.com/charmbracelet/wishlist/releases/download/v0.15.1/checksums.txt'
Then, verify it using cosign
:
cosign verify-blob \
--certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--cert 'https://github.com/charmbracelet/wishlist/releases/download/v0.15.1/checksums.txt.pem' \
--signature 'https://github.com/charmbracelet/wishlist/releases/download/v0.15.1/checksums.txt.sig' \
./checksums.txt
If the output is Verified OK
, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum
:
sha256sum --ignore-missing -c checksums.txt
Done! You artifacts are now verified!
Thoughts? Questions? We love hearing from you. Feel free to reach out on Twitter, The Fediverse, or on Discord.