Releases: in-toto/go-witness
v0.6.0
What's Changed
- feat: add vex attestor from @testifysec/judge@v1.3.0-760cb10.0 by @kriscoleman in #280
- SBOM Attestor Improvements by @jkjell in #281
Full Changelog: v0.5.2...v0.6.0
v0.5.2
fix: disable omnitrail attestor on windows (#278)
Currently omnitrail expects a POSIX filesystem, which windows does not supply. This causes windows builds to break when compiled with the omnitrail attestor. This PR adds a build flag to skip the omnitrail attestor when building for windows.
Signed-off-by: Mikhail Swift <mikhail@testifysec.com>
v0.5.1
What's Changed
Full Changelog: v0.5.0...v0.5.1
v0.5.0
What's Changed
- chore: bump actions/checkout from 4.1.5 to 4.1.6 by @dependabot in #249
- chore: bump github/codeql-action from 3.25.5 to 3.25.6 by @dependabot in #250
- chore: bump actions/setup-go from 5.0.0 to 5.0.1 by @dependabot in #251
- chore: bump github.com/aws/aws-sdk-go-v2/service/kms from 1.31.1 to 1.31.3 by @dependabot in #252
- chore: bump k8s.io/apimachinery from 0.29.4 to 0.29.5 by @dependabot in #253
- chore: bump github.com/aws/aws-sdk-go-v2/config from 1.27.13 to 1.27.15 by @dependabot in #255
- chore: bump github.com/aws/aws-sdk-go-v2/config from 1.27.15 to 1.27.16 by @dependabot in #258
- chore: bump step-security/harden-runner from 2.7.1 to 2.8.0 by @dependabot in #259
- chore: bump github/codeql-action from 3.25.6 to 3.25.7 by @dependabot in #263
- chore: bump github.com/sigstore/sigstore from 1.8.3 to 1.8.4 by @dependabot in #262
- feat: add git refs to go witness git attestor by @kriscoleman in #265
- Added issues and PR template in .github by @DarikshaAnsari in #261
- chore: bump step-security/harden-runner from 2.8.0 to 2.8.1 by @dependabot in #273
- chore: bump actions/dependency-review-action from 4.3.2 to 4.3.3 by @dependabot in #272
- chore: bump github/codeql-action from 3.25.7 to 3.25.8 by @dependabot in #271
- Feat/SBOM attestor by @jkjell in #268
- Step analyze fix by @jkjell in #257
- Parallel attestors per type by @matglas in #228
- feat: adding omnitrail attestor by @fkautz in #256
- Working Dir support for SBOM attestor by @jkjell in #274
- chore: bump github.com/aws/aws-sdk-go-v2/config from 1.27.16 to 1.27.18 by @dependabot in #269
- Bump archivista, golang, and go-jose by @jkjell in #276
New Contributors
- @DarikshaAnsari made their first contribution in #261
- @matglas made their first contribution in #228
Full Changelog: v0.4.0...v0.5.0
v0.4.0
What's Changed
- chore: bump github/codeql-action from 3.24.5 to 3.24.6 by @dependabot in #175
- chore: bump actions/download-artifact from 4.1.2 to 4.1.4 by @dependabot in #176
- chore: bump github.com/sigstore/sigstore from 1.8.1 to 1.8.2 by @dependabot in #178
- chore: bump github.com/aws/aws-sdk-go from 1.50.27 to 1.50.30 by @dependabot in #177
- chore: bump github.com/go-jose/go-jose/v3 from 3.0.2 to 3.0.3 by @dependabot in #180
- chore: bump gopkg.in/go-jose/go-jose.v2 from 2.6.2 to 2.6.3 by @dependabot in #179
- chore: bump softprops/action-gh-release from 1 to 2 by @dependabot in #181
- chore: bump google.golang.org/grpc from 1.62.0 to 1.62.1 by @dependabot in #182
- chore: bump github.com/aws/aws-sdk-go-v2/service/kms from 1.29.1 to 1.29.2 by @dependabot in #183
- chore: bump google.golang.org/protobuf from 1.32.0 to 1.33.0 by @dependabot in #186
- chore: bump github/codeql-action from 3.24.6 to 3.24.8 by @dependabot in #187
- chore: bump actions/checkout from 4.1.1 to 4.1.2 by @dependabot in #188
- chore: bump github.com/aws/aws-sdk-go-v2/config from 1.27.4 to 1.27.8 by @dependabot in #189
- chore: bump github/codeql-action from 3.24.8 to 3.24.9 by @dependabot in #190
- chore: bump softprops/action-gh-release from 2.0.3 to 2.0.4 by @dependabot in #191
- chore: bump actions/dependency-review-action from 4.1.3 to 4.2.4 by @dependabot in #192
- chore: bump github.com/aws/aws-sdk-go-v2/config from 1.27.8 to 1.27.9 by @dependabot in #193
- chore: bump cloud.google.com/go/kms from 1.15.7 to 1.15.8 by @dependabot in #194
- chore: bump k8s.io/apimachinery from 0.29.2 to 0.29.3 by @dependabot in #195
- chore: bump github.com/aws/aws-sdk-go from 1.50.30 to 1.50.38 by @dependabot in #196
- chore: bump actions/dependency-review-action from 4.2.4 to 4.2.5 by @dependabot in #198
- chore: bump github.com/aws/aws-sdk-go-v2 from 1.26.0 to 1.26.1 by @dependabot in #199
- chore: bump github.com/sigstore/sigstore from 1.8.2 to 1.8.3 by @dependabot in #201
- chore: bump github.com/aws/aws-sdk-go-v2/config from 1.27.9 to 1.27.10 by @dependabot in #200
- unmarshal the time in the attestation collection correctly by @colek42 in #203
- chore: bump github/codeql-action from 3.24.9 to 3.25.0 by @dependabot in #211
- chore: bump github.com/aws/aws-sdk-go-v2/config from 1.27.10 to 1.27.11 by @dependabot in #207
- chore: bump google.golang.org/grpc from 1.62.1 to 1.62.2 by @dependabot in #206
- chore: bump github.com/sigstore/fulcio from 1.4.4 to 1.4.5 by @dependabot in #205
- chore: bump golang.org/x/net from 0.22.0 to 0.23.0 in the go_modules group by @dependabot in #212
- chore: bump k8s.io/apimachinery from 0.29.3 to 0.29.4 by @dependabot in #213
- chore: bump github.com/aws/aws-sdk-go-v2/service/kms from 1.30.0 to 1.30.1 by @dependabot in #214
- chore: bump actions/checkout from 4.1.2 to 4.1.3 by @dependabot in #216
- chore: bump actions/upload-artifact from 4.3.1 to 4.3.3 by @dependabot in #217
- chore: bump go.step.sm/crypto from 0.44.2 to 0.44.8 by @dependabot in #220
- chore: bump actions/download-artifact from 4.1.4 to 4.1.7 by @dependabot in #221
- chore: bump github/codeql-action from 3.25.0 to 3.25.3 by @dependabot in #222
- chore: bump actions/checkout from 4.1.3 to 4.1.4 by @dependabot in #224
- chore: bump golangci/golangci-lint-action from 4.0.0 to 5.1.0 by @dependabot in #225
- chore: bump google.golang.org/api from 0.176.0 to 0.176.1 by @dependabot in #226
- chore: bump step-security/harden-runner from 2.7.0 to 2.7.1 by @dependabot in #232
- chore: bump actions/dependency-review-action from 4.2.5 to 4.3.2 by @dependabot in #233
- chore: bump actions/setup-go from 5.0.0 to 5.0.1 by @dependabot in #234
- chore: bump golangci/golangci-lint-action from 5.1.0 to 5.3.0 by @dependabot in #235
- chore: bump cloud.google.com/go/kms from 1.15.8 to 1.15.9 by @dependabot in #236
- Improve Verify Error Responses by @ChaosInTheCRD in #210
- verification attestor by @mikhailswift in #55
- Link & SLSA attestor by @jkjell in #149
- JSON Schemas for attestors with generation scripts by @ChaosInTheCRD in #197
- Allow certificate inspection on policy signature verification (including fulcio extensions) by @ChaosInTheCRD in #246
- chore: bump golangci/golangci-lint-action from 5.3.0 to 6.0.1 by @dependabot in #237
- chore: bump github/codeql-action from 3.25.3 to 3.25.5 by @dependabot in #238
- chore: bump actions/checkout from 4.1.2 to 4.1.5 by @dependabot in #239
- chore: bump softprops/action-gh-release from 2.0.4 to 2.0.5 by @dependabot in #240
- chore: bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @dependabot in #241
- chore: bump github.com/aws/aws-sdk-go-v2/config from 1.27.11 to 1.27.13 by @dependabot in #242
- chore: bump google.golang.org/protobuf from 1.34.0 to 1.34.1 by @dependabot in #244
- chore: bump github.com/in-toto/attestation from 1.0.1 to 1.0.2 by @dependabot in #245
- chore: bump github.com/aws/aws-sdk-go-v2/service/kms from 1.31.0 to 1.31.1 by @dependabot in #243
- BUG: verifyX509Time should return the verifier even if the verify fails (we want to get information about it later) by @ChaosInTheCRD in #247
- Fix releaser permissions by @ChaosInTheCRD in #248
Full Changelog: v0.3.1...v0.4.0
v0.3.1
What's Changed
- Add Tom as an official maintainer by @jkjell in #156
- chore: bump testifysec/witness-run-action from 0.1.3 to 0.1.5 by @dependabot in #166
- chore: bump actions/dependency-review-action from 4.0.0 to 4.1.1 by @dependabot in #165
- chore: bump fossas/fossa-action from 1.3.1 to 1.3.3 by @dependabot in #164
- chore: bump actions/download-artifact from 4.1.1 to 4.1.2 by @dependabot in #163
- chore: bump github.com/aws/aws-sdk-go-v2/service/kms from 1.20.4 to 1.20.12 by @dependabot in #157
- chore: bump cloud.google.com/go/kms from 1.15.2 to 1.15.7 by @dependabot in #158
- chore: bump github.com/aws/aws-sdk-go-v2/config from 1.18.14 to 1.18.45 by @dependabot in #160
- chore: bump k8s.io/apimachinery from 0.26.13 to 0.26.14 by @dependabot in #161
- chore: bump github/codeql-action from 3.24.0 to 3.24.3 by @dependabot in #162
- chore: bump github/codeql-action from 3.24.3 to 3.24.5 by @dependabot in #169
- chore: bump actions/dependency-review-action from 4.1.1 to 4.1.3 by @dependabot in #170
- chore: bump google.golang.org/grpc from 1.61.0 to 1.61.1 by @dependabot in #171
- fix: reset verifier each iteration while loading pub keys from policy by @mikhailswift in #173
- #168 support all fulcio cert extensions by @jkjell in #174
Full Changelog: v0.3.0...v0.3.1
v0.3.0
What's Changed
- Improved the search to be concurrent by @naveensrinivasan in #62
- Adding policy intermediates option to verify function by @ChaosInTheCRD in #138
- refactor: move gitoid code to cryptoutil, use digestvalue everywhere by @mikhailswift in #139
- chore: bump actions/upload-artifact from 4.2.0 to 4.3.0 by @dependabot in #142
- chore: bump github/codeql-action from 3.23.1 to 3.23.2 by @dependabot in #143
- Adding job to auto cut releases by @ChaosInTheCRD in #141
- fixing error in github actions workflow by @ChaosInTheCRD in #147
- RunAttestors refactor by @ChaosInTheCRD in #131
- Adding workaround due to failing workflows by @ChaosInTheCRD in #145
- Checking policy signature against cert constraints by @ChaosInTheCRD in #144
- [StepSecurity] ci: Harden GitHub Actions by @step-security-bot in #148
- chore: bump github/codeql-action from 3.23.2 to 3.24.0 by @dependabot in #150
- chore: bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 by @dependabot in #155
- chore: bump actions/upload-artifact from 4.3.0 to 4.3.1 by @dependabot in #154
- chore: bump step-security/harden-runner from 2.6.1 to 2.7.0 by @dependabot in #152
- chore: bump actions/checkout from 3.6.0 to 4.1.1 by @dependabot in #151
- fix: vault warnings are an array, not a string by @mikhailswift in #153
- KMS Support by @ChaosInTheCRD in #120
Full Changelog: v0.2.2...v0.3.0
v0.2.3
What's Changed
- Improved the search to be concurrent by @naveensrinivasan in #62
- Adding policy intermediates option to verify function by @ChaosInTheCRD in #138
- refactor: move gitoid code to cryptoutil, use digestvalue everywhere by @mikhailswift in #139
- chore: bump actions/upload-artifact from 4.2.0 to 4.3.0 by @dependabot in #142
- chore: bump github/codeql-action from 3.23.1 to 3.23.2 by @dependabot in #143
- Adding job to auto cut releases by @ChaosInTheCRD in #141
Full Changelog: v0.2.2...v0.2.3
v0.2.2
⚠️ Warning ⚠️
go modules have been renamed from github.com/testifysec/go-witness => github.com/in-toto/go-witness
What's Changed
- Adding support for supplying POM on Maven Attestor by @ChaosInTheCRD in #129
- Adding support for using timestamp authority and CA certificates for verifying policy by @ChaosInTheCRD in #124
- Included Tests for memory.go LoadEnvelope and Search by @neilnaveen in #59
- Included tests for GitHub attestations by @naveensrinivasan in #61
- chore: bump github.com/spiffe/go-spiffe/v2 from 2.1.6 to 2.1.7 by @dependabot in #133
- chore: bump k8s.io/apimachinery from 0.26.12 to 0.26.13 by @dependabot in #134
- chore: bump actions/upload-artifact from 4.1.0 to 4.2.0 by @dependabot in #135
- chore: bump github/codeql-action from 3.23.0 to 3.23.1 by @dependabot in #136
- chore: bump actions/dependency-review-action from 3.1.5 to 4.0.0 by @dependabot in #137
- Moving the timestamper interfaces to the timestamp directory by @ChaosInTheCRD in #132
New Contributors
- @neilnaveen made their first contribution in #59
Full Changelog: v0.2.1...v0.2.2
v0.2.1
⚠️ Warning ⚠️
go modules have been renamed from github.com/testifysec/go-witness => github.com/in-toto/go-witness
What's Changed
- Create SECURITY.md by @jkjell in #107
- chore: bump github/codeql-action from 2.22.9 to 3.22.11 by @dependabot in #110
- chore: bump actions/download-artifact from 3.0.2 to 4.0.0 by @dependabot in #112
- chore: bump actions/upload-artifact from 3.1.3 to 4.0.0 by @dependabot in #111
- chore: bump golang.org/x/crypto from 0.14.0 to 0.17.0 by @dependabot in #115
- chore: bump github.com/go-git/go-git/v5 from 5.5.2 to 5.11.0 by @dependabot in #119
- chore: bump github/codeql-action from 3.22.11 to 3.22.12 by @dependabot in #118
- chore: bump actions/download-artifact from 4.0.0 to 4.1.0 by @dependabot in #117
- chore: bump k8s.io/apimachinery from 0.26.11 to 0.26.12 by @dependabot in #116
- Update SECURITY-INSIGHTS.yml with additional information by @jkjell in #108
- chore: bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 by @dependabot in #121
- chore: bump actions/dependency-review-action from 3.1.4 to 3.1.5 by @dependabot in #123
- chore: bump github/codeql-action from 3.22.12 to 3.23.0 by @dependabot in #122
- fix: added oidc redirect url option for fulcio by @pkwiatkowski1 in #76
- chore: bump actions/upload-artifact from 4.0.0 to 4.1.0 by @dependabot in #126
- chore: bump actions/download-artifact from 4.1.0 to 4.1.1 by @dependabot in #127
- Adding function to add a single attestor by @ChaosInTheCRD in #128
New Contributors
- @pkwiatkowski1 made their first contribution in #76
Full Changelog: v0.2.0...v0.2.1