v2.1.0

v2.1.0

Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag.

Enhancements

• Verify sigs and attestations in parallel (#3066)
• Deep inspect attestations when filtering download (#3031)
• refactor bundle validation code, add support for DSSE rekor type (#3016)
• Allow overriding remote options (#3049)
• feat: adds no cert found on sig exit code (#3038)
• Make predicate a required flag in attest commands (#3033)
• Added support for attaching Time stamp authority Response in attach command (#3001)
• Add sign --sign-container-identity CLI (#2984)
• Feature: Allow cosign to sign digests before they are uploaded. (#2959)
• accepts attachment-tag-prefix for cosign copy (#3014)
• Feature: adds '--allow-insecure-registry' for cosign load (#3000)
• download attestation: support --platform flag (#2980)
• Cleanup: Add Digest to the SignedEntity interface. (#2960)
• verify command: support keyless verification using only a provided certificate chain with non-fulcio roots (#2845)
• verify: use workers to limit the paralellism when verifying images with --max-workers flag (#3069)

Bug Fixes

• Fix pkg/cosign/errors (#3050)
• fix: update doc to refer to github-actions oidc provider (#3040)
• fix: prefer GitHub OIDC provider if enabled (#3044)
• Fix --sig-only in cosign copy (#3074)

Documentation

• Fix links to sigstore/docs in markdown files (#3064)
• Update release readme (#2942)

Thanks to all contributors!

• Bob Callaway
• Carlos Tadeu Panato Junior
• Chok Yip Lau
• Chris Burns
• Dmitry Savintsev
• Enyinna Ochulor
• Hayden B
• Hector Fernandez
• Jakub Hrozek
• Jason Hall
• Jon Johnson
• Luiz Carvalho
• Matt Moore
• Mritunjay Kumar Sharma
• Mukuls77
• Ramkumar Chinchani
• Sascha Grunert
• Yolanda Robla Mota
• priyawadhwa

v2.0.2

Installation

go install github.com/sigstore/cosign/v2/cmd/cosign@v2.0.2

Enhancements

• Update sigstore/sigstore to v1.6.2 to pick up TUF CDN change (#2891)
• feat: Make cosign copy faster (#2901)
• remove sget (#2885)
• Require a payload to be provided with a signature (#2785)

Bug Fixes

• cmd: Change error message from KeyParseError to PubKeyParseError for verify-blob. (#2876)
• Use SOURCE_DATE_EPOCH for OCI CreatedAt times (#2878)

Documentation

• Remove experimental warning from Fulcio flags (#2923)
• add missing oidc provider (#2922)
• Add zot as a supported registry (#2920)
• deprecates kms_support docs (#2900)
• chore(docs) deprecate note for usage docs (#2906)
• adds note of deprecation for examples.md docs (#2899)

Contributors

• Carlos Tadeu Panato Junior
• Chris Burns
• Dmitry Savintsev
• eiffel-fl
• Hayden B
• Hector Fernandez
• Jon Johnson
• Miloslav Trmač
• priyawadhwa
• Ramkumar Chinchani

Full Changelog: v2.0.1...v2.0.2

v2.0.1

Installation

go install github.com/sigstore/cosign/v2/cmd/cosign@v2.0.1

Enhancements

• Add environment variable token provider (#2864)
• Remove cosign policy command (#2846)
• Allow customising 'go' executable with GOEXE var (#2841)
• Consistent tlog warnings during verification (#2840)
• Add riscv64 arch (#2821)
• Default generated PEM labels to SIGSTORE (#2735)
• Update privacy statement and confirmation (#2797)
• Add exit codes for verify errors (#2766)
• Add Buildkite provider (#2779)
• verify-blob-attestation: Loosen arg requirements if --check-claims=false (#2746)

Bug Fixes

• PKCS11 sessions are now opened read only (#2853)
• Makefile: date format of log should not show signatures (#2835)
• Add missing flags to cosign verify dockerfile/manifest (#2830)
• Add a warning to remember how to configure a custom Gitlab host (#2816)
• Remove tag warning message from save/copy commands (#2799)
• Mark keyless pem files with b64 (#2671)

Contributors

• Aleksandr Razumov
• Batuhan Apaydın
• Billy Lynch
• Carlos Tadeu Panato Junior
• Chris Burns
• Derek Burdick
• Dmitry Savintsev
• favonia
• Hayden B
• Hector Fernandez
• Ivana Atanasova
• joe miller
• Luiz Carvalho
• Paolo Mainardi
• priyawadhwa
• Radoslav Dimitrov
• Steve Winslow
• Vincent Batts
• Zack Newman

Full Changelog: v2.0.0...v2.0.1

v2.0.0

Cosign v2.0.0 is out!

There are many improvments and breaking changes from Cosign 1.x. To see a full list, please see the Sigstore blog and the cosign CHANGELOG.

Installation

go install github.com/sigstore/cosign/v2/cmd/cosign@v2.0.0

Thanks to all contributors!

• Anish Shah
• Arnaud J Le Hors
• Arthur Lutz
• Batuhan Apaydın
• Bob Callaway
• Carlos Tadeu Panato Junior
• Chris Burns
• Christian Loos
• Emmanuel T Odeke
• Hayden B
• Hector Fernandez
• Huang Huang
• Jan Wozniak
• Josh Dolitsky
• Josh Wolf
• Kenny Leung
• Marko Mudrinić
• Matt Moore
• Matthias Glastra
• Miloslav Trmač
• Mukuls77
• Priya Wadhwa
• Puerco
• Stefan Zhelyazkov
• Tim Seagren
• Tom Meadows
• Ville Aikas
• Zack Newman
• asraa
• kpk47
• priyawadhwa

v2.0.0-rc.3

v2.0.0-rc.3

Note: this is a prerelease for Cosign 2.0! Feel free to try it out, but know there are many breaking changes from 1.0 and the prereleases may continue to change.

Installation

go install github.com/sigstore/cosign/v2/cmd/cosign@v2.0.0-rc.3

Enhancements

• Support non-Sigstore TSA requests (#2708)
• Add COSIGN_OCI_EXPERIMENTAL, push .sig/.sbom using OCI 1.1+ digest tag (#2684)
• Output certificate in bundle when entry is not uploaded to Rekor (#2715)
• attach signature and attach sbom must use STDIN to upload raw string (#2637)

Bug Fixes

• Fix: Add missing schemes to cosign predicate types. (#2717)
• Fix: Drop the CosignPredicate wrapper around SBOM attestations. (#2718)

Documentation

• Adds deprecation note for keyless docs (#2716)

v2.0.0-rc.2

v2.0.0-rc.2

Note: this is a prerelease for Cosign 2.0! Feel free to try it out, but know there are many breaking changes from 1.0 and the prereleases may continue to change.

Enhancements

• add generate-key-pair GitHub Enterprise server support (#2676)
• add in format string for warning (#2699)
• Support for fetching Fulcio certs with self-managed key (#2532)
• 2476 predicate type download (#2484)
• Upgrade to go1.20 (#2689)

Bug Fixes

• Fix prompts with Windows line endings (#2674)

Documentation

• docs(README): verify example failing on latest (#2694)

Contributors

• Anish Shah
• Arthur Lutz
• Carlos Tadeu Panato Junior
• Christian Loos
• Tim Seagren
• Zack Newman
• priyawadhwa

New Contributors

• @chaospuppy made their first contribution in #2484
• @arthurzenika made their first contribution in #2694
• @netsandbox made their first contribution in #2676

Full Changelog: v2.0.0-rc.1...v2.0.0-rc.2

v2.0.0-rc.1

v2.0.0-rc.1

Note: this is a prerelease for Cosign 2.0! Feel free to try it out, but know there are many breaking changes from 1.0 and the prereleases may continue to change.

Critical breaking changes include:

• Certificate issuer and subject are now required on cosign verify

Installation

go install github.com/sigstore/cosign/v2/cmd/cosign@v2.0.0-rc.1

Breaking Changes

• insecure-skip-tlog-verify: rename and adapt the cert expiration check (#2620)
• Deprecate --certificate-email flag. Make --certificate-identity and -… (#2411)

Enhancements

• Add warning to use digest instead of tags to other cosign commands (#2650)
• Fix up UI messages (#2629)
• Remove hardcoded Fulcio from output (#2621)
• Fix missing privacy statement, print in multiple locations (#2622)
• feat: allows custom key names for import-key-pair (#2587)
• feat: support keyless verification for verify-blob-attestation (#2525)
• attest-blob: add functionality for keyless signing (#2515)
• Rego: add support for custom error/warning messages when evaluating rego rules (#2577)
• feat: add debug information to cert validation error (#2579)

Bug Fixes

• fix: panic with unsigned local image (#2656)
• Make sure a cert passed in via --cert matches the bundle cert (#2652)
• fix: fix github oidc post submit test (#2594)
• fix: add enhanced error messages for failing verification with TUF targets (#2589)

Contributors

• Carlos Tadeu Panato Junior
• Chris Burns
• Hayden B
• Hector Fernandez
• Huang Huang
• Kenny Leung
• Priya Wadhwa
• Stefan Zhelyazkov
• Ville Aikas
• Zack Newman
• asraa
• dependabot[bot]
• kpk47
• priyawadhwa

v2.0.0-rc.0

v2.0.0-rc.0

Note: this is a prerelease for Cosign 2.0! Feel free to try it out, but know there are many breaking changes from 1.0 and the prereleases may continue to change.

Installation

go install github.com/sigstore/cosign/v2/cmd/cosign@v2.0.0-rc.0

Enhancements

• Change go module name to github.com/sigstore/cosign/v2 for Cosign 2.0 (#2544)
• Allow users to pass in a path for the --identity-token flag (#2538)
• Breaking change: Respect tlog-upload=false, default to true (#2505)
• Support outputing a certificate without uploading to the tlog (#2506)
• Attestation/Blob signing and verification using a RFC3161 time-stamping server (#2464)
• respect tlog-upload flag with TSA (#2474)
• Better feedback if specifying incompatible argument on cosign sign --attachment (#2449)
• Support TSA and Rekor verifications (#2463)
• add support for tsa signing and verification of images (#2460)
• cosign policy sign: remove experimental flag and make keyless signing default (#2459)
• Remove experimental mode from cosign attest and verify-attestation (#2458)
• Remove experimental mode from sign-blob and verify-blob (#2457)
• Add --offline flag to force offline verification (#2427)
• Air gap support (#2299)
• Breaking change: Change SCT verification behavior to default to enforcement (#2400)
• Breaking change: remove --force flag from sign and attest and rely on --yes flag to skip confirmation (#2399)
• Breaking change: replace --no-tlog-upload flag with --tlog-upload flag (#2397)
• Remove experimental flag from cosign sign and cosign verify (#2387)
• verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a key from rekor's API (#2362)

Bug Fixes

• Fix the file existence check. (#2552)
• Fix timestamp verification, add verify-blob tests (#2527)
• fix(verify): Consolidate certificate expiry logic (#2504)
• Updates to Timestamp signing and verification (#2499)
• fix: removes attestation payload from attest-blob's output & no base64 encoding (#2498)
• Fix path for e2e-tests badge (#2490)
• Fix spdx json media type (#2479)
• fix sct verificaction (#2426)

Others

• update builder image that uses go 1.19.4 (#2520)

Contributors

• Anish Shah
• Arnaud J Le Hors
• Batuhan Apaydın
• Bob Callaway
• Carlos Tadeu Panato Junior
• Emmanuel T Odeke
• Hayden B
• Hector Fernandez
• Jan Wozniak
• Matthias Glastra
• Miloslav Trmač
• Puerco
• Tom Meadows
• Ville Aikas
• Zack Newman
• asraa
• priyawadhwa

v1.13.1

What's Changed

• add changelog for v1.13.0 release by @cpanato in #2310
• Fix option description: "sign" --> "verify" by @ChristianCiach in #2306
• Update Dockerfile section of README by @tetsuo-cpp in #2323
• Add '--cert-identity' flag to support subject alternate names for ver… by @kpk47 in #2278
• Add attest-blob command by @priyawadhwa in #2286
• Add --output-attestation flag to attest-blob and remove experimental signing by @priyawadhwa in #2332
• Remove experimental flags from attest-blob and refactor by @priyawadhwa in #2338
• Update warning when users sign images by tag. by @znewman01 in #2313
• Add verify-blob-attestation command and tests by @priyawadhwa in #2337
• Nits for #2337 by @vaikas in #2342
• verify-blob-attestation: allow multiple subjects in in_toto attestation by @priyawadhwa in #2341
• chore(deps): bump google-github-actions/setup-gcloud from 0.6.0 to 0.6.1 by @dependabot in #2340
• Add CHANGELOG for v1.13.1 by @priyawadhwa in #2349

New Contributors

• @tetsuo-cpp made their first contribution in #2323
• @kpk47 made their first contribution in #2278

Full Changelog: v1.13.0...v1.13.1

v1.13.0

Highlights

• For users who have deployed a private instance of Fulcio release v0.6.x and issue certificates with the Username identity, you will need to upgrade to use this version."

What's Changed

• add changelog for v1.12.1 by @cpanato in #2270
• deps: update sigstore/sigstore by @asraa in #2271
• chore(deps): bump github/codeql-action from 2.1.24 to 2.1.25 by @dependabot in #2274
• feat: use stdin as an input for predicate by @developer-guy in #2269
• feat: improve the verification message by @developer-guy in #2268
• use scaffolding 0.4.8 for tests. by @vaikas in #2280
• chore(deps): bump actions/dependency-review-action from 2.3.0 to 2.4.0 by @dependabot in #2281
• fix pivtool generate key touch policy by @cpanato in #2282
• Check error on chain verification failure by @haydentherapper in #2284
• Fix: Remove an extra registry request from verification path. by @mattmoor in #2285
• Fix: Create a static copy of signatures as part of verification. by @mattmoor in #2287
• Data race in FetchSignaturesForReference by @RTann in #2283
• Add support for Fulcio username identity in SAN by @haydentherapper in #2291
• fix: make tlog entry lookups for online verification shard-aware by @asraa in #2297
• Better help text to sign and verify SBOM by @ChristianCiach in #2308
• Adding warning to pin to digest by @ChaosInTheCRD in #2311
• Add annotations for upload blob. by @cldmnky in #2188
• replace deprecate package by @cpanato in #2314
• update release images to use go1.19.2 and cosign v1.12.1 by @cpanato in #2315

New Contributors

• @RTann made their first contribution in #2283
• @ChristianCiach made their first contribution in #2308
• @ChaosInTheCRD made their first contribution in #2311
• @cldmnky made their first contribution in #2188

Full Changelog: v1.12.1...v1.13.0