
cosign-1.12.0-150400.3.6.1 RPM for ppc64le

From OpenSuSE Leap 15.5 for ppc64le

Name: cosign
Distribution: SUSE Linux Enterprise 15
Version: 1.12.0
Vendor: SUSE LLC <https://www.suse.com/>
Release: 150400.3.6.1
Build date: Fri Sep 16 10:44:52 2022
Group: Unspecified
Build host: xinomavro
Size: 170499962
Source RPM: cosign-1.12.0-150400.3.6.1.src.rpm
Packager: https://www.suse.com/
Url: https://github.com/sigstore/cosign
Summary: Container Signing, Verification and Storage in an OCI registry

Cosign aims to make signatures invisible infrastructure.

Cosign supports:

- Hardware and KMS signing
- Bring-your-own PKI
- Our free OIDC PKI (Fulcio)
- Built-in binary transparency and timestamping service (Rekor)

Provides

Requires

License

Apache-2.0

Changelog

* Thu Sep 15 2022 meissner@suse.com
  - updated to 1.12.0 (jsc#SLE-23879)
    - CVE-2022-36056: Fixed that verify-blob could successfully verify an artifact when verification should have failed (bsc#1203430)
    - Support non-ECDSA key types for verify-blob by @haydentherapper in #2203
    - feat: integrate Alibaba Cloud Container Registry cred helper by @mozillazg in #2008
    - remove double quotes, looks like it is passing as a single string to cosign and not as an array by @cpanato in #2205
    - Clarify error when KMS provider fails to load by @znewman01 in #2220
    - feat: set annotations to generate additional bash completion information by @dirien in #2221
    - Add deprecation warning for sget CLI and packages by @imjasonh in #2019
    - upgrade setup-ko to point to new repo by @imjasonh in #2225
    - Temp fix for e2e test by @haydentherapper in #2247
    - update kind to use release v0.15.0 and some version comments by @cpanato in #2246
    - Fix e2e test failure, add test for local bundle without rekor bundle by @haydentherapper in #2248
    - fix: fix secret test, non-experimental bundle should pass by @asraa in #2249
  - updated to 1.11.1
    - add stale workflow using the workflow template by @cpanato in #2175
    - Update Scorecard action to v2:alpha by @azeemshaikh38 in #2177
    - add release cadence section in the readme by @cpanato in #2179
    - feat: Rework fig autocomplete command by @dirien in #2187
    - fix: fix typo that caused attestation verification failure by @asraa in #2199
  - updated to 1.11.0
    - Verify the certificate chain against the Fulcio root trust by default by @wata727 in #2139
    - Add notes to clarify registry use. by @bendory in #2145
    - Use TUF from scaffolding for validating cosign. by @vaikas in #2146
    - docs: clarify wording in spec about usage of certificate chain by @asraa in #2152
    - fix: fix blob verification output with sharded rekor tlogs by @asraa in #2157
    - fix: adds envelope hash to in-toto entries in tlog entry creation by @nkreiger in #2118
    - fix handling of verify-attestation types for URIs by @otms61 in #2159
    - fix oidc post-merge job by @cpanato in #2164
    - Remove third_party by @imjasonh in #2166
    - use updated device flow logic with PKCE by @bobcallaway in #2163
    - fix: rekor get tlog entry with uuid by @asraa in #2058
    - update e2e job to run only when push to main by @cpanato in #2169
    - fix: add env cmd to root by @developer-guy in #2171
    - fix panic when os.Stat returns an error besides ErrNotExists by @dsa0x in #2162
* Fri Aug 05 2022 meissner@suse.com
  - updated to 1.10.1 (jsc#SLE-23879)
    - CVE-2022-35929: Fixed that cosign verify-attestation --type can
      report a false positive if any attestation exists (GHSA-vjxv-45g9-9296)
      (bsc#1202157)
  - What else changed:
    - add flag to allow skipping upload to transparency log by @k4leung4 in #2089
    - Improve error message when no sigs/atts are found for an image by @imjasonh in #2101
    - Change Result in Vulnerability Attestation to interface{} by @knqyf263 in #2096
    - Fix field names in the vulnerability attestation by @otms61 in #2099
    - remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint by @cpanato in #2105
    - sparkles Enable Scorecard badge by @azeemshaikh38 in #2109
    - Resolves #522 set Created date to time of execution by @Lerentis in #2108
    - Introduce a custom error type to classify errors. by @mattmoor in #2114
    - feat: attach: attestation: allow passing multiple payloads by @Dentrax in #2085
    - update cross-builder to go1.18.5 and cosign image to 1.10.0 by @cpanato in #2119
    - chore: fix documentation and warning on using untrusted rekor key by @asraa in #2124
    - Correct the type used for attest by @mattmoor in #2128
* Wed Jul 27 2022 meissner@suse.com
  - updated to 1.10.0
    - replace gcr.io/distroless/ to use ghcr.io/distroless/ by @cpanato in #1961
    - Separate RegExp matching of issuer/subject from strict by @vaikas in #1956
    - tuf: improve TUF client concurrency and caching by @asraa in #1953
    - Add Cloudsmith Container Registry to tested registry list by @ciaracarey in #1966
    - feat(fulcioroots): singleton error pattern by @developer-guy in #1965
    - Drop tuf client dependency on GCS client library by @imjasonh in #1967
    - Add spdxjson predicate type for attestations by @jdolitsky in #1974
    - Remove policy-controller now that it lives in sigstore/policy-controller by @vaikas in #1976
    - cleanup: unexport kubernetes.Client method by @imjasonh in #1973
    - cleanup ci job and remove policy-controller references by @cpanato in #1981
    - fix/update post build job by @cpanato in #1983
    - docs: updated Azure kms commands. by @JBrejnholt in #1972
    - Add cyclonedx predicate type for attestations by @jdolitsky in #1977
    - Route deprecated -version to version subcommand by @puerco in #1854
    - docs(readme): add installation steps for container image for cosign binary by @developer-guy in #1986
    - Add --platform flag to cosign sbom download by @puerco in #1975
    - Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore by @imjasonh in #1866
    - Add --oidc-provider flag to specify which provider to use for ambient credentials by @priyawadhwa in #1998
    - encrypt values to create the github action secret by @cpanato in #1990
    - sign-blob: bundle should work independently and respect --output-certificate and --output-signature by @Dentrax in #2016
    - Attempt to clean up pkg/cosign by @imjasonh in #2018
    - public-key: fix command description by @Dentrax in #2024
    - [NFC] specs: fix list formatting on SIGNATURE_SPEC by @woodruffw in #2030
    - feat: cert-extensions verify by @developer-guy in #1626
    - Fix #1378 create new attestation signature in replace mode if not existent by @Syquel in #2014
    - Use cosign.ConfirmPrompt more consistently by @imjasonh in #2039
    - chore: add a note about SIGSTORE_REKOR_PUBLIC_KEY var by @hectorj2f in #2040
    - Fix OIDC test by @cpanato in #2050
    - Add env subcommand. by @wlynch in #2051
    - remove tests with 1.21 k8s cluster because it is deprecated and add v1.23/24 by @cpanato in #2055
    - update ct/otel and etcd by @cpanato in #2054
    - chore(deps): CycloneDX PredicateType changed to use in-toto-golang by @masahiro331 in #2067
    - Remove replace directives in go.mod. by @wlynch in #2070
    - update design doc link by @bobcallaway in #2077
    - Remove hack/tools.go by @imjasonh in #2080
    - fix missing quote by @cpanato in #2090
  - removed cosigned and webhook
* Sat Jun 18 2022 meissner@suse.com
  - updated to 1.9.0
    - Check failure message of policy that fails with issuer mismatch by @vaikas in #1815
    - [Cosigned] Add signature pull secrets by @DennyHoang in #1805
    - feat: add rego policy support by @hectorj2f in #1817
    - Refactor fulcio signer to take in KeyOpts (take 2) by @wlynch in #1818
    - cosigned: Test unsupported KMS providers by @imjasonh in #1820
    - chore(deps): Included dependency review by @naveensrinivasan in #1792
    - Add auth flow option to KeyOpts. by @wlynch in #1827
    - Document Staging instance usage with Keyless by @k4leung4 in #1824
    - New flag --oidc-providers-disable to disable OIDC providers by @puerco in #1832
    - Validate tlog entry when verifying signature via public key. by @wlynch in #1833
    - Add function to explicitly request a certain provider by @priyawadhwa in #1837
    - cosigned: Fix podAntiAffinity labels by @elfotografo007 in #1841
    - remove exclude from go.mod by @cpanato in #1846
    - [Cosigned] Glob matching improvement by @DennyHoang in #1842
    - sget: Enable KMS providers for sget by @imjasonh in #1852
    - Fix piv-tool generate-key command in TOKENS doc by @nealmcb in #1850
    - Add IBM Cloud Container Registry to tested registry list by @bainsy88 in #1856
    - If SBOM ref has .json suffix, assume JSON mediatype by @jdolitsky in #1859
    - Add rekor.0.pub TUF target to unit tests by @priyawadhwa in #1860
    - Normalize certificate flag names by @haydentherapper in #1868
    - Check certificate policy flags with only a certificate by @haydentherapper in #1869
    - Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go by @cpanato in #1861
    - Point git commit FUN.md to gitsign! by @wlynch in #1874
    - [cosigned] remove regex from the image pattern fields by @hectorj2f in #1873
    - go.mod: format go.mod by @zchee in #1879
    - Remove dependency on deprecated github.com/pkg/errors by @zchee in #1887
    - tree: only report artifacts that are present by @ribbybibby in #1872
    - update README with ebpf modules by @EItanya in #1888
    - Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d by @vpnachev in #1889
    - v1beta1 API for cosigned by @vaikas in #1890
    - tree: support --attachment-tag-prefix by @ribbybibby in #1900
    - [cosigned] Remove undefined apiGroups from policy clusterrole by @vpnachev in #1896
    - GHSA-66x3-6cw3-v5gj: Update go-tuf to v0.3.0 by @janisz in #1894
    - The timeout arg in golangci-lint has been moved to the generic args p… by @dlorenc in #1901
    - [cosigned] Rename cosigned references to policy-controller by @hectorj2f in #1893
    - Move deprecated dependency: google/trillian/merkle to transparency-dev by @cpanato in #1910
    - Add support for "**" in image glob matching by @imjasonh in #1914
    - Add privacy statement for PII storage by @haydentherapper in #1909
    - Do not push to public rekor. by @vaikas in #1931
    - fix: fix fetching updated targets from TUF root by @asraa in #1921
    - fix: fix #1930 for AWS KMS formats by @vaikas in #1946
    - update cross-builder image to use go1.17.11 by @cpanato in #1950
    - remove deprecation from goreleaser, go-fish is not supported anymore by @cpanato in #1952
    - add changelog for v1.9.0 by @cpanato in #1955
    - add parallelism for goreleaser by @cpanato in #1957
* Sat May 21 2022 meissner@suse.com
  - updated to 1.8.0
    - Move the KMS integration imports into the binary entrypoints by @mattmoor in #1744
    - [Cosigned] Convert functions for webhookCIP from v1alpha1 by @DennyHoang in #1736
    - Refactor policy related code, add support for vuln verify by @vaikas in #1747
    - Use bundle log ID to find verification key by @haydentherapper in #1748
    - [cosigned] The webhook name is now configurable via --webhook-name flag by @vpnachev in #1726
    - Add intermediate CA certificate pool for Fulcio by @haydentherapper in #1749
    - test: create fake TUF test root and create test SETs for verification by @asraa in #1750
    - Implement identities, fix bug in webhook validation. by @vaikas in #1759
    - Validate issuer/subject regexp in validate webhook. by @vaikas in #1761
    - chore: add warning when attaching sBOMs by @hectorj2f in #1756
    - Verify embedded SCTs by @haydentherapper in #1731
    - chore: add warning when downloading a sBOM by @hectorj2f in #1763
    - [policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags by @vpnachev in #1757
    - Break the CIP action tests into a sh script. by @vaikas in #1767
    - tuf: add debug info if tuf update fails by @asraa in #1766
    - cosigned: add support for rsa keys by @hectorj2f in #1768
    - Cosigned validate against remote sig src by @DennyHoang in #1754
    - Add Fulcio intermediate CA certificate to intermediate pool by @haydentherapper in #1774
    - fix: more informative error by @ybelMekk in #1778
    - Run update-codegen. by @wlynch in #1789
    - Remove the dependency on v1alpha1.Identity which brings in unnecessary k8s deps. by @vaikas in #1790
    - Refactor fulcio signer to take in KeyOpts. by @wlynch in #1788
    - test: add cue unit tests by @hectorj2f in #1791
    - Attestations + policy in cip. by @vaikas in #1772
    - chore: add rego function to consume modules and evaluate them by @hectorj2f in #1787
    - Add parallelization for processing policies / authorities. by @vaikas in #1795
    - Allow passing keys via environment variables (env:// refs) by @znewman01 in #1794
    - Handle context cancelled properly + tests. by @vaikas in #1796
    - Fix a bug where an error would send duplicate results. by @vaikas in #1797
    - Revert "Refactor fulcio signer to take in KeyOpts. (#1788)" by @wlynch in #1798
    - cosigned: Unify cue data and policy before evaluating it by @hectorj2f in #1793
    - Don't fail open in VerifyBundle by @mtrmac in #1648
    - Load in intermediate cert pool from TUF by @haydentherapper in #1804
    - Support PKCS1 encoded and non-ECDSA CT log public keys by @haydentherapper in #1806
* Tue Apr 26 2022 meissner@suse.com
  - updated to 1.7.2
    - [Cosigned] Fix publicKey unmarshal by @DennyHoang in #1719
    - fix: add permissions to patch events by @hectorj2f in #1722
    - Make public all types required to use ValidatePolicy by @jdolitsky in #1727
    - Add unit tests for IntotoAttestation verifier. by @vaikas in #1728
    - Remove newline from download sbom output by @ribbybibby in #1732
    - Fix packages name and binary in the packages by @cpanato in #1734
    - Fix fulcioroots test and linter error by @haydentherapper in #1741
    - Support non-ECDSA public keys in certificates by @haydentherapper in #1740
    - bug: remove old fulcio root and fix fallback target code by @asraa in #1738
  - updated to 1.7.1
    - pkcs11: fix build instructions by @rgerganov in #1550
    - add definition for artifact hub to verify the ownership by @cpanato in #1563
    - Add example using AWS Key Management Service (KMS) by @davivcgarcia in #1564
    - Start of the necessary pieces to get #1418 and #1419 implemented by @vaikas in #1562
    - Support deletion of ClusterImagePolicy by @vaikas in #1580
    - 1417 policy validations by @kkavitha in #1548
    - Don't lowercase input image refs, just fail by @imjasonh in #1586
    - Fix #1583 #1582. Disallow regex now until implemented. by @vaikas in #1584
    - Fix piping 'cosign verify' using fulcio/rekor by @marcofranssen in #1590
    - Fix #1592 move authorities as siblings of images. by @vaikas in #1593
    - Add ability to inline secrets from SecretRef to configmap. by @vaikas in #1595
    - Fix copy/paste mistake in repo name. by @k4leung4 in #1600
    - Use reusable release workflow in sigstore/sigstore by @k4leung4 in #1599
    - Add public key validation by @kkavitha in #1598
    - Validate a public key in a secret is valid. by @vaikas in #1602
    - Ensure entry is removed from CM on secret error. by @vaikas in #1605
    - Add two env variables. One for using Rekor public key from OOB and one for fetching it from Rekor server by @vaikas in #1610
    - Init entity from ociremote when signing a digest ref by @puerco in #1616
    - rename ca-key to ca-cert. Fix 1608, 1613 by @vaikas in #1617
    - improve cosigned validation error messages by @cpanato in #1618
    - Use latest knative/pkg's configmap informer by @tcnghia in #1615
    - Included OpenSSF Best Practices Badge by @naveensrinivasan in #1628
    - FUN.md broke when RecordObj changed to HashedRecordObj by @MitchellJThomas in #1633
    - update crane to v0.8.0 release by @cpanato in #1635
    - push latest tag when building a release by @cpanato in #1636
    - Add extra label and change the latest tag to unstable for non tagged releases by @cpanato in #1637
    - Document Elastic container registry support by @mgreau in #1641
    - Validate authority keys by @coyote240 in #1623
    - feat: tree command utility by @developer-guy in #1603
    - fix build date format for version command by @cpanato in #1644
    - Add support for intermediate certificates when verifying by @haydentherapper in #1631
    - Prompt user before running cosign clean by @priyawadhwa in #1649
    - Use ClusterImagePolicy with Keyless + e2e tests for CIP with kind by @vaikas in #1650
    - KEYLESS.md: Shorten example OAuth URL by @tstromberg in #1661
    - Use syscall.Stdin for input handle. Fixes #1153 by @mdp in #1657
    - Add support for certificate chain to verify certificate by @haydentherapper in #1659
    - First batch of followups to #1650 by @vaikas in #1664
    - Add certificate chain flag for signing by @haydentherapper in #1656
    - [attach]: Add specific suffixes mediaTypes to sboms by @hectorj2f in #1663
    - update font when output the cosign version by @cpanato in #1668
    - feat: add ability to override registry keychain by @noamichael in #1666
    - remove replace directive by @cpanato in #1669
    - Refactor based on discussions in #1650 by @vaikas in #1674
    - Find all valid entries in verify-blob by @priyawadhwa in #1673
    - Fix relative paths in GitHub OIDC blob test by @priyawadhwa in #1677
    - Add support for cert and cert chain flags with PKCS11 tokens by @haydentherapper in #1671
    - Use cosign @ HEAD for Github OIDC sign blob test by @priyawadhwa in #1678
    - Make cosign copy copy metadata attached to child images. by @mattmoor in #1682
    - change file_name_template to PackageName by @strongjz in #1683
    - Update error message for verify/verify attestation by @haydentherapper in #1686
    - cosign clean: Don't log failure if the registry responds with 404 by @imjasonh in #1687
    - verify: add leaf hash verification for tlog entries by @asraa in #1688
    - Fix handling of policy in verify-attestation by @lcarva in #1672
    - Add e2e test for attest / verify-attestation by @vaikas in #1685
    - verify: remove extra calls to rekor for verify and verify-blob by @asraa in #1694
    - Remove the hardcoded sigstore audience by @mattmoor in #1698
    - Use ValidatePubKey from sigstore/sigstore by @haydentherapper in #1676
    - Use the github actions from sigstore/scaffolding. by @vaikas in #1699
    - sign: set the oidc redirect uri by @hectorj2f in #1675
    - add back the go mod proxy by @cpanato in #1701
    - enable 1.23 tests (Test cosigned with ClusterImagePolicy) by @cpanato in #1702
    - Fix incorrect unmarshalling of SCT response by @haydentherapper in #1704
    - Make CLI flag for OIDC client secret take a path by @znewman01 in #1705
    - cosigned: read the public key from the kms authority by @hectorj2f in #1706
    - fix latest tag when running a release job by @cpanato in #1707
    - [Cosigned] Parse and store publicKey data earlier by @DennyHoang in #1681
    - Dont overwrite token set in keyOpts by @puerco in #1709
    - refactor release job by @cpanato in #1710
* Fri Apr 01 2022 meissner@suse.com
  - updated to 1.6.0
    - Fix double time import in e2e tests by @saschagrunert in #1388
    - Add --timeout support to sign command by @saschagrunert in #1379
    - Fix comparison in replace option for attestation by @bburky in #1366
    - Add Cosign logo to README by @nsmith5 in #1395
    - Minor refactor to verify SCT and Rekor entry with multiple keys by @haydentherapper in #1396
    - Fix a link of SECURITY.md by @knqyf263 in #1399
    - update cosign and cross-build image for the release job by @cpanato in #1400
    - feat: login command by @developer-guy in #1398
    - TUF: Add root status output by @asraa in #1404
    - Add a newline after password input by @knqyf263 in #1407
    - make imageRef lowercase before parsing by @bobcallaway in #1409
    - Improve error message when image is not found in registry by @imjasonh in #1410
    - Add ability to override the Spiffe socket via environmental variable: by @vaikas in #1421
    - Fix incorrect error check when verifying SCT by @haydentherapper in #1422
    - Skip the ReadWrite test that flakes on Windows. by @dlorenc in #1415
    - Allow PassFunc to be nil by @saschagrunert in #1426
    - Update the cosign keyless documentation to point to the GA release. by @dlorenc in #1427
    - Remove TUF timestamp from OCI signature bundle by @haydentherapper in #1428
    - Add docs on API stability and deprecation table by @priyawadhwa in #1429
    - update cross-build image which adds goimports by @cpanato in #1435
    - feat: enhance clean cmd capability by @developer-guy in #1430
    - use the upstream kubernetes version lib and ldflags by @n3wscott in #1413
    - Improve log lines to match with implementation by @marcofranssen in #1432
    - feat: fig autocomplete feature by @developer-guy in #1360
    - update cross-build to use go 1.17.7 by @cpanato in #1446
    - Fetch verification targets by TUF custom metadata by @haydentherapper in #1423
    - feat: add -buildid= to ldflags by @developer-guy in #1451
    - Streamline SignBlobCmd API with SignCmd by @saschagrunert in #1454
    - convert release cosigned to also generate yaml artifact. by @k4leung4 in #1453
    - Fix tkn link in readme by @Yongxuanzhang in #1459
    - Print message when verifying with old TUF targets by @haydentherapper in #1468
    - fix(sign): refactor unsupported provider log by @Dentrax in #1464
    - tests: /bin/bash -> /usr/bin/env bash by @znewman01 in #1470
    - Double goreleaser timeout by @znewman01 in #1472
    - increase timeout for goreleaser snapshot by @cpanato in #1473
    - fix(sign): kms unsupported message by @Dentrax in #1475
    - refactor release cloudbuild job by @cpanato in #1476
    - Fix wording on attach attestation help by @luhring in #1480
    - update go-tuf and simplify TUF client code by @asraa in #1455
    - add initial changelog for 1.5.2 by @cpanato in #1483
    - Fix linter error on main by @priyawadhwa in #1484
    - Update Changelog for Security Advisory by @cpanato in #1485
    - chore(makefile): use kocache, convert publish to build by @developer-guy in #1488
    - Pick up a change to quiet ECR-login logging. by @mattmoor in #1491
    - feat: support other types in copy cmd by @developer-guy in #1493
    - Pick up some of the shared workflows by @mattmoor in #1490
    - feat: nominate Dentrax as codeowner by @developer-guy in #1492
    - add correct layer media type to cosign attach attestation by @spiffcs in #1503
    - This sets up the scaffolding for the cosigned CRD types. by @mattmoor in #1504
    - use v6 api calls in GH action for updating release milestones by @bobcallaway in #1511
    - Add skeleton reconciler for cosigned API CRD. by @mattmoor in #1513
    - bug fix: import ed25519 keys and fix error handling by @asraa in #1518
    - optimize codeql speed by using caching and tracing by @bobcallaway in #1519
    - Add a dummy.go file to allow vendoring config by @jdolitsky in #1520
    - Add CertExtensions func to extract all extensions by @ckotzbauer in #1515
    - chore(ci): add artifact hub support by @Dentrax in #1522
    - Change Fulcio URL default to be fulcio.sigstore.dev by @haydentherapper in #1529
    - Add codecov as github action, set permissions to read content only by @k4leung4 in #1530
    - images: remove --bare flags that conflict with --base-import-paths by @cpanato in #1533
    - Quay OCI Support in README by @sabre1041 in #1539
    - add rpm,deb and apks for cosign packages by @strongjz in #1537
    - Consistent parenthesis use in Makefile by @k4leung4 in #1541
    - add changelog for 1.6.0 by @cpanato in #1535
    - update golang cross image by @cpanato in #1543
    - Add fields in policy CRD by @kkavitha in #1540
    - Disable for now due some issues when downloading the knative module by @cpanato in #1546
* Mon Feb 21 2022 meissner@suse.com
  - updated to 1.5.2:
    - This release contains fixes for CVE-2022-23649, affecting signature
      validations with Rekor. Only validation is affected, it is not necessary
      to re-sign any artifacts. (bsc#1196239)
  - updated to 1.5.1:
    - Bump sigstore/sigstore to pick up oidc login for vault. (#1377)
    - Bump google.golang.org/api from 0.65.0 to 0.66.0 (#1371)
    - expose defaults fulcio, rekor, oidc issuer urls (#1368)
    - add check to make sure the go modules are in sync (#1369)
    - README: fix link to race conditions (#1367)
    - Bump cloud.google.com/go/storage from 1.18.2 to 1.19.0 (#1365)
    - docs: verify-attestation cue and rego policy doc (#1362)
    - Update verify-blob to support DSSEs (#1355)
    - organize, update select deps (#1358)
    - Bump go-containerregistry to pick up ACR keychain fix (#1357)
    - Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (#1352)
    - sync go modules (#1353)
* Tue Jan 25 2022 meissner@suse.com
  - updated to 1.5.0
    ## Highlights
    * enable sbom generation when releasing (https://github.com/sigstore/cosign/pull/1261)
    * feat: log error to stderr (https://github.com/sigstore/cosign/pull/1260)
    * feat: support attach attestation (https://github.com/sigstore/cosign/pull/1253)
    * feat: resolve --cert from URL (https://github.com/sigstore/cosign/pull/1245)
    * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1237)
    * feat: vuln attest support (https://github.com/sigstore/cosign/pull/1168)
    * feat: add ambient credential detection with spiffe/spire (https://github.com/sigstore/cosign/pull/1220)
    * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1236)
    * feat: implement cosign download attestation (https://github.com/sigstore/cosign/pull/1216)
    ## Enhancements
    * Don't use k8schain, statically link cloud cred helpers in cosign (https://github.com/sigstore/cosign/pull/1279)
    * Export function to verify individual signature (https://github.com/sigstore/cosign/pull/1334)
    * Add suffix with digest to signature file output for recursive signing (https://github.com/sigstore/cosign/pull/1267)
    * Take OIDC client secret into account (https://github.com/sigstore/cosign/pull/1310)
    * Add --bundle flag to sign-blob and verify-blob (https://github.com/sigstore/cosign/pull/1306)
    * Add flag to verify OIDC issuer in certificate (https://github.com/sigstore/cosign/pull/1308)
    * add OSSF scorecard action (https://github.com/sigstore/cosign/pull/1318)
    * Add TUF timestamp to attestation bundle (https://github.com/sigstore/cosign/pull/1316)
    * Provide certificate flags to all verify commands (https://github.com/sigstore/cosign/pull/1305)
    * Bundle TUF timestamp with signature on signing (https://github.com/sigstore/cosign/pull/1294)
    * Add support for importing PKCS#8 private keys, and add validation (https://github.com/sigstore/cosign/pull/1300)
    * add error message (https://github.com/sigstore/cosign/pull/1296)
    * Move bundle out of `oci` and into `bundle` package (https://github.com/sigstore/cosign/pull/1295)
    * Reorganize verify-blob code and add a unit test (https://github.com/sigstore/cosign/pull/1286)
    * One-to-one mapping of invocation to scan result (https://github.com/sigstore/cosign/pull/1268)
    * refactor common utilities (https://github.com/sigstore/cosign/pull/1266)
    * Importing RSA and EC keypairs (https://github.com/sigstore/cosign/pull/1050)
    * Refactor the tuf client code. (https://github.com/sigstore/cosign/pull/1252)
    * Moved certificate output before checking for upload during signing (https://github.com/sigstore/cosign/pull/1255)
    * Remove remaining ioutil usage (https://github.com/sigstore/cosign/pull/1256)
    * Update the embedded TUF metadata. (https://github.com/sigstore/cosign/pull/1251)
    * Add support for other public key types for SCT verification, allow override for testing. (https://github.com/sigstore/cosign/pull/1241)
    * Log the proper remote repo for the signatures on verify (https://github.com/sigstore/cosign/pull/1243)
    * Do not require multiple Fulcio certs in the TUF root (https://github.com/sigstore/cosign/pull/1230)
    * clean up references to 'keyless' in `ephemeral.Signer` (https://github.com/sigstore/cosign/pull/1225)
    * create `DSSEAttestor` interface, `payload.DSSEAttestor` implementation (https://github.com/sigstore/cosign/pull/1221)
    * use `mutate.Signature` in the new `Signer`s (https://github.com/sigstore/cosign/pull/1213)
    * create `mutate` functions for `oci.Signature` (https://github.com/sigstore/cosign/pull/1199)
    * add a writeable `$HOME` for the `nonroot` cosigned user (https://github.com/sigstore/cosign/pull/1209)
    * signing attestation should private key (https://github.com/sigstore/cosign/pull/1200)
    * Remove the "upload" flag for "cosign initialize" (https://github.com/sigstore/cosign/pull/1201)
    * create KeylessSigner (https://github.com/sigstore/cosign/pull/1189)
    ## Bug Fixes
    * fix: cosign verify for vault (https://github.com/sigstore/cosign/pull/1328)
    * fix missing goimports (https://github.com/sigstore/cosign/pull/1327)
    * Fix TestSignBlobBundle (https://github.com/sigstore/cosign/pull/1320)
    * Fix a couple bugs in cert verification for blobs (https://github.com/sigstore/cosign/pull/1287)
    * Fix a few bugs in cosign initialize (https://github.com/sigstore/cosign/pull/1280)
    * Fix the unit tests with expired TUF metadata. (https://github.com/sigstore/cosign/pull/1270)
    * Fix output-file flag. (https://github.com/sigstore/cosign/pull/1264)
    * fix: typo in the error message (https://github.com/sigstore/cosign/pull/1250)
    * Fix semantic bugs in attestation verification. (https://github.com/sigstore/cosign/pull/1249)
    * Fix semantic bug in DSSE specification. (https://github.com/sigstore/cosign/pull/1248)
  - vendor.tar.bz2: go mod vendor
* Tue Jan 25 2022 bwiedemann@suse.com
  - Fix BUILD_DATE for reproducible build results (boo#1047218)
* Thu Jan 06 2022 meissner@suse.com
  - cosign 1.4.1 release, initial import
  - provides signing / verification support for sigstore

Files

/usr/bin/cosign
/usr/bin/sget
/usr/share/doc/packages/cosign
/usr/share/doc/packages/cosign/CHANGELOG.md
/usr/share/doc/packages/cosign/CODE_OF_CONDUCT.md
/usr/share/doc/packages/cosign/DEPRECATIONS.md
/usr/share/doc/packages/cosign/EXAMPLES.md
/usr/share/doc/packages/cosign/FEATURES.md
/usr/share/doc/packages/cosign/FUN.md
/usr/share/doc/packages/cosign/IMPORT.md
/usr/share/doc/packages/cosign/KEYLESS.md
/usr/share/doc/packages/cosign/KMS.md
/usr/share/doc/packages/cosign/PKCS11.md
/usr/share/doc/packages/cosign/README.md
/usr/share/doc/packages/cosign/TOKENS.md
/usr/share/doc/packages/cosign/USAGE.md
/usr/share/licenses/cosign
/usr/share/licenses/cosign/LICENSE


Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Apr 9 19:50:46 2024