Skip to content

Releases: sigstore/cosign

v0.3.0

19 Apr 20:37
@dekkagaijin dekkagaijin
v0.3.0
5f83dcd
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v0.3.0 Pre-release
Pre-release

This is the third release of cosign!

We still expect many flags, commands, and formats to change going forward, but we're getting closer.
No backwards compatiblity is promised or implied yet, though we are hoping to formalize this policy in the next release.
See #254 for more info.

Enhancements

  • The -output-file flag supports writing output to a specific file
  • The -key flag now supports kms references and URLs, the kms specific flag has been removed
  • Yubikey/PIV hardware support is now included!
  • Support for signing and verifying multiple images in one invocation

Bug Fixes

  • Bug fixes in KMS keypair generation
  • Bug fixes in key type parsing

Contributors

  • Dan Lorenc
  • Priya Wadhwa
  • Ivan Font
  • Depandabot!
  • Mark Bestavros
  • Jake Sanders
  • Carlos Tadeu Panato Junior
Assets 8
Loading

v0.2.0 Release

29 Mar 18:33
@dlorenc dlorenc
v0.2.0
64057e1
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v0.2.0 Release Pre-release
Pre-release

This is the second release of cosign! If you came for puns, check out yesterday's Twitter thread.

The release is available here in this repo, and on Google Cloud Storage in the bucket cosign-releases. This release is now cross-platform, so be careful with installer scripts! You can find that here:

$ gsutil ls gs://cosign-releases/v0.2.0/
gs://cosign-releases/v0.2.0/cosign-darwin-amd64
gs://cosign-releases/v0.2.0/cosign-darwin-amd64.sig
gs://cosign-releases/v0.2.0/cosign-linux-amd64
gs://cosign-releases/v0.2.0/cosign-linux-amd64.sig

Check out the full CHANGELOG.md for the details, but here are some highlights and lowlights:

This is the second release of cosign!

We still expect many flags, commands, and formats to change going forward, but we're getting closer.
No backwards compatiblity is promised or implied.

Enhancements

  • The password for private keys can now be passed via the COSIGN_PASSWORD
  • KMS keys can now be used to sign and verify blobs
  • The version command can now be used to return the release version
  • The public-key command can now be used to extract the public key from KMS or a private key
  • The COSIGN_REPOSITORY environment variable can be used to store signatures in an alternate location
  • Tons of new EXAMPLES in our help text

Bug Fixes

  • Improved error messages for command line flag verification
  • TONS more unit and integration testing
  • Too many others to count :)

Contributors

We would love to thank the contributors:

  • Dan Lorenc
  • Priya Wadhwa
  • Ahmet Alp Balkan
  • Naveen Srinivasan
  • Chris Norman
  • Jon Johnson
  • Kim Lewandowski
  • Luke Hinds
  • Bob Callaway
  • Dan POP
  • eminks
  • Mark Bestavros
  • Jake Sanders
Assets 8
Loading

v0.1.0

20 Mar 00:49
@dlorenc dlorenc
v0.1.0
083406c
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v0.1.0 Pre-release
Pre-release

There were some ups and downs in today's release, but it's finally time to ride the cosign wave! After battling some last minute test flakes that were popping up at an alarming frequency and running in circles trying to squaring up loose ends, I couldn't find any other tangents to go off on. The first release is here!

My only regret is not thinking to get this release out on Pi day :(

The release is available here in this repo, and on Google Cloud Storage in the bucket cosign-releases. You can find that here:

$ gsutil ls gs://cosign-releases/v0.1.0
gs://cosign-releases/v0.1.0/cosign
gs://cosign-releases/v0.1.0/cosign.sha256
gs://cosign-releases/v0.1.0/cosign.sig

Check out the full CHANGELOG.md for the details, but here are some highlights and lowlights:

Enhancements

This release added a feature to cosign called cosign. The cosign feature can be used to sign container images and blobs.

Bug Fixes

There was no way to sign container images. Now there is!

Known Issues

This release only contains a linux/amd64 binary. You can build and install cosign on other platforms with go install, but the main goal of v0.1.0 is to get a working build we can start packing to make signing releases of other tools easier. We'll add other platforms to the next set of releases!

Contributors

Thanks to everyone who conributed to this release!

  • dlorenc
  • priyawadhwa
  • Ahmet Alp Balkan
  • Ivan Font
  • Jason Hall
  • Chris Norman
  • Jon Johnson
  • Kim Lewandowski
  • Luke Hinds
  • Bob Callaway

Verifying

This release was self-signed! It was built in this Action run: https://github.com/sigstore/cosign/actions/runs/669626925

The public key used to sign this release is located here: https://github.com/sigstore/cosign/blob/083406c6e85284ded34af96048361d1e8c887e50/.github/workflows/cosign.pub

You should be able to verify it with the cosign verify-blob command using this key. Good luck!

Assets 5
Loading