github.com/venafi-iw/cosign@v1.3.4/CHANGELOG.md

# v1.4.1

## Highlights

A whole buncha bugfixes!

## Enhancements

* Files created with `--output-signature` and `--output-certificate` are now created with 0600 permissions (https://github.com/sigstore/cosign/pull/1151)
* Added `cosign verify-attestation --local-image` for verifying signed images with attestations from disk (https://github.com/sigstore/cosign/pull/1174)
* Added the ability to fetch the TUF root over HTTP with `cosign initialize --mirror` (https://github.com/sigstore/cosign/pull/1185)

## Bug Fixes

* Fixed saving and loading a signed image index to disk (https://github.com/sigstore/cosign/pull/1147)
* Fixed `sign-blob --output-certificate` writing an empty file (https://github.com/sigstore/cosign/pull/1149)
* Fixed assorted issues related to the initialization and use of Sigstore's TUF root of trust (https://github.com/sigstore/cosign/pull/1157)

## Contributors

* Carlos Alexandro Becker (@caarlos0)
* Carlos Panato (@cpanato)
* Hayden Blauzvern (@haydentherapper)
* Jake Sanders (@dekkagaijin)
* Matt Moore (@mattmoor)
* Priya Wadhwa (@priyawadhwa)
* Radoslav Gerganov (@rgerganov)

# v1.4.0

## Highlights

* BREAKING [COSIGN_EXPERIMENTAL]: This and future `cosign` releases will generate signatures that do not validate in older versions of `cosign`. This only applies to "keyless" experimental mode. To opt out of this behavior, use `--fulcio-url=https://fulcio.sigstore.dev` when signing payloads (https://github.com/sigstore/cosign/pull/1127)
* BREAKING [cosign/pkg]: `SignedEntryTimestamp` is now of type `[]byte`. To get the previous behavior, call `strfmt.Base64(SignedEntryTimestamp)` (https://github.com/sigstore/cosign/pull/1083)
* `cosign-linux-pivkey-amd64` releases are now of the form `cosign-linux-pivkey-pkcs11key-amd64` (https://github.com/sigstore/cosign/pull/1052)
* Releases are now additionally signed using the keyless workflow (https://github.com/sigstore/cosign/pull/1073, https://github.com/sigstore/cosign/pull/1111)

## Enhancements

* Validate the whole attestation statement, not just the predicate (https://github.com/sigstore/cosign/pull/1035)
* Added the option to replace attestations using `cosign attest --replace` (https://github.com/sigstore/cosign/pull/1039)
* Added URI to `cosign verify-blob` output (https://github.com/sigstore/cosign/pull/1047)
* Signatures and certificates created by `cosign sign` and `cosign sign-blob` can be output to file using the `--output-signature` and `--output-certificate` flags, respectively (https://github.com/sigstore/cosign/pull/1016, https://github.com/sigstore/cosign/pull/1093, https://github.com/sigstore/cosign/pull/1066, https://github.com/sigstore/cosign/pull/1095)
* [cosign/pkg] Added the `pkg/oci/layout` package for storing signatures and attestations on disk (https://github.com/sigstore/cosign/pull/1040, https://github.com/sigstore/cosign/pull/1096)
* [cosign/pkg] Added `mutate` methods to attach `oci.File`s to `oci.Signed*` objects (https://github.com/sigstore/cosign/pull/1084)
* Added the `--signature-digest-algorithm` flag to `cosign verify`, allowing verification of container image signatures which were generated with a non-SHA256 signature algorithm (https://github.com/sigstore/cosign/pull/1071)
* Builds should now be reproducible (https://github.com/sigstore/cosign/pull/1053)
* Allows base64 files as `--cert` in `cosign verify-blob` (https://github.com/sigstore/cosign/pull/1088)
* Kubernetes secrets generated for version >= 1.21 clusters have the immutable bit set (https://github.com/sigstore/cosign/pull/1091)
* Added `cosign save` and `cosign load` commands to save container images and associated signatures to disk and load them back (https://github.com/sigstore/cosign/pull/1094)
* `cosign sign` will no longer fail to sign private images in keyless mode without `--force` (https://github.com/sigstore/cosign/pull/1116)
* `cosign verify` now supports signatures stored in files and remote URLs with `--signature` (https://github.com/sigstore/cosign/pull/1068)
* `cosign verify` now supports certs stored in files (https://github.com/sigstore/cosign/pull/1095)
* Added support for `syft` format in `cosign attach sbom` (https://github.com/sigstore/cosign/pull/1137)

## Bug Fixes

* Fixed verification of Rekor bundles for in-toto attestations (https://github.com/sigstore/cosign/pull/1030)
* Fixed a potential memory leak when signing and verifying with security keys (https://github.com/sigstore/cosign/pull/1113)

## Contributors

* Ashley Davis (@SgtCoDFish)
* Asra Ali (@asraa)
* Batuhan Apaydın (@developer-guy)
* Brandon Philips (@philips)
* Carlos Alexandro Becker (@caarlos0)
* Carlos Panato (@cpanato)
* Christian Rebischke (@shibumi)
* Dan Lorenc (@dlorenc)
* Erkan Zileli (@erkanzileli)
* Furkan Türkal (@Dentrax)
* garantir-km (@garantir-km)
* Jake Sanders (@dekkagaijin)
* jbpratt (@jbpratt)
* Matt Moore (@mattmoor)
* Mikey Strauss (@houdini91)
* Naveen Srinivasan (@naveensrinivasan)
* Priya Wadhwa (@priyawadhwa)
* Sambhav Kothari (@samj1912)

# v1.3.1

* BREAKING [cosign/pkg]: `cosign.Verify` has been removed in favor of explicit `cosign.VerifyImageSignatures` and `cosign.VerifyImageAttestations` (https://github.com/sigstore/cosign/pull/1026)

## Enhancements

* Add ability for `verify-blob` to find the signing cert in the transparency log (https://github.com/sigstore/cosign/pull/991)
* root policy: add optional issuer to maintainer keys (https://github.com/sigstore/cosign/pull/999)
* PKCS11 signing support (https://github.com/sigstore/cosign/pull/985)
* Included timeout option for uploading to Rekor (https://github.com/sigstore/cosign/pull/1001)

## Bug Fixes

* Bump sigstore/sigstore to pick up a fix for Azure KMS (https://github.com/sigstore/cosign/pull/1011 / https://github.com/sigstore/cosign/pull/1028)

## Contributors

* Asra Ali (@asraa)
* Batuhan Apaydın (@developer-guy)
* Carlos Panato (@cpanato)
* Dan Lorenc (@dlorenc)
* Dennis Leon (@DennisDenuto)
* Erkan Zileli (@erkanzileli)
* Furkan Türkal (@Dentrax)
* garantir-km (@garantir-km)
* Jake Sanders (@dekkagaijin)
* Naveen (@naveensrinivasan)

# v1.3.0

* BREAKING: `verify-manifest` is now `manifest verify` (https://github.com/sigstore/cosign/pull/712)
* BREAKING: `/pkg` has been heavily refactored. [Further refactoring work](https://github.com/sigstore/cosign/issues/844) will make its way into 1.4.0
* WARNING: The CLI now uses POSIX-style (double-dash `--flag`) for long-form flags. It will temporarily accept the single-dash `-flag` form with a warning, which will become an error in a future release (https://github.com/sigstore/cosign/pull/835)
* Added `sget` as part of Cosign's releases (https://github.com/sigstore/cosign/pull/752)
* The `copasetic` utility was unceremoniously [baleeted](https://www.youtube.com/watch?v=07h0ksKx5sM) (https://github.com/sigstore/cosign/pull/785)

## Enhancements

* Began reworking `/pkg` around new abstractions for signing, verification, and storage (https://github.com/sigstore/cosign/issues/666)
* Notice: refactoring of `/pkg` will continue in the next minor release (1.4.0). Please leave feedback, especially if you've been experimenting with `cosign` as a library and found it lacking (https://github.com/sigstore/cosign/issues/844)
* [GGCR-style libraries](https://github.com/google/go-containerregistry#philosophy) for interacting with images now exist under `pkg/oci` (https://github.com/sigstore/cosign/pull/770)
* The `pkg/cosign/remote.UploadSignature` API has been removed in favor of new `pkg/oci/remote` APIs (https://github.com/sigstore/cosign/pull/774)
* The function signature of `cosign.Verify` was changed so that callers must be explicit about which signatures (or attestations) to verify. For matching signatures, see also `cosign.Verify{Signatures,Attestations}` (https://github.com/sigstore/cosign/pull/782)
* Removed `cremote.UploadFile` in favor of `static.NewFile` and `remote.Write` (https://github.com/sigstore/cosign/pull/797)
* Innumerable other improvements to the codebase and automation ([Makin me look bad, @mattmoor](https://github.com/sigstore/cosign/commits?author=mattmoor))
* Migrated the CLI to `cobra` ([Welcome to the team, @n3wscott](https://github.com/sigstore/cosign/commits?author=n3wscott))
* Added the `--allow-insecure-registry` flag to disable TLS verification when interacting with insecure (e.g. self-signed) container registries (https://github.com/sigstore/cosign/pull/669)
* 🔒 `cosigned` now includes a mutating webhook that resolves image tags to digests (https://github.com/sigstore/cosign/pull/800)
* 🔒 The `cosigned` validating webhook now requires image digest references (https://github.com/sigstore/cosign/pull/799)
* The `cosigned` webhook now ignores resources that are being deleted (https://github.com/sigstore/cosign/pull/803)
* The `cosigned` webhook now supports resolving private images that are authenticated via `imagePullSecrets` (https://github.com/sigstore/cosign/pull/804)
* `manifest verify` now supports verifying images in all Kubernetes objects that fit within `PodSpec`, `PodSpecTemplate`, or `JobSpecTemplate`, including CRDs (https://github.com/sigstore/cosign/pull/697)
* Added shell auto-completion support (Clutch collab from @erkanzileli, @passcod, and @Dentrax! https://github.com/sigstore/cosign/pull/836)
* `cosign` has generated Markdown docs available in the `doc/` directory (https://github.com/sigstore/cosign/pull/839)
* Added support for verifying with secrets from a GitLab project (https://github.com/sigstore/cosign/pull/934)
* Added a `--k8s-keychain` option that enables cosign to support ambient registry credentials based on the "k8schain" library (https://github.com/sigstore/cosign/pull/972)
* CI (test) images are now created for every architecture distroless ships on (currently: amd64, arm64, arm, s390x, ppc64le) (https://github.com/sigstore/cosign/pull/973)
* `attest`: replaced the `--upload` flag with a `--no-upload` flag (https://github.com/sigstore/cosign/pull/979)

## Bug Fixes

* `cosigned` now verifies `CronJob` images (Terve, @vaikas https://github.com/sigstore/cosign/pull/809)
* Fixed the `verify` `--cert-email` option to actually work (Sweet as, @passcod https://github.com/sigstore/cosign/pull/821)
* `public-key -sk` no longer causes `error: x509: unsupported public key type: *crypto.PublicKey` (https://github.com/sigstore/cosign/pull/864)
* Fixed interactive terminal support in Windows (https://github.com/sigstore/cosign/pull/871)
* The `-ct` flag is no longer ignored in `upload blob` (https://github.com/sigstore/cosign/pull/910)

## Contributors

* Aditya Sirish (@adityasaky)
* Asra Ali (@asraa)
* Axel Simon (@axelsimon)
* Batuhan Apaydın (@developer-guy)
* Brandon Mitchell (@sudo-bmitch)
* Carlos Panato (@cpanato)
* Chao Lin (@blackcat-lin)
* Dan Lorenc (@dlorenc)
* Dan Luhring (@luhring)
* Eng Zer Jun (@Juneezee)
* Erkan Zileli (@erkanzileli)
* Félix Saparelli (@passcod)
* Furkan Türkal (@Dentrax)
* Hector Fernandez (@hectorj2f)
* Ivan Font (@font)
* Jake Sanders (@dekkagaijin)
* Jason Hall (@imjasonh)
* Jim Bugwadia (@JimBugwadia)
* Joel Kamp (@mrjoelkamp)
* Luke Hinds (@lukehinds)
* Matt Moore (@mattmoor)
* Naveen (@naveensrinivasan)
* Olivier Gaumond (@oliviergaumond)
* Priya Wadhwa (@priyawadhwa)
* Radoslav Gerganov (@rgerganov)
* Ramkumar Chinchani (@rchincha)
* Rémy Greinhofer (@rgreinho)
* Scott Nichols (@n3wscott)
* Shubham Palriwala (@ShubhamPalriwala)
* Viacheslav Vasilyev (@avoidik)
* Ville Aikas (@vaikas)

# v1.2.0

## Enhancements

* BREAKING: move `verify-dockerfile` to `dockerfile verify` (https://github.com/sigstore/cosign/pull/662)
* Have the keyless `cosign sign` flow use a single 3LO (https://github.com/sigstore/cosign/pull/665)
* Allow `verify-blob` from URLs (https://github.com/sigstore/cosign/pull/646)
* Support GCP environments without workload identity (GCB) (https://github.com/sigstore/cosign/pull/652)
* Switch the release cosign container to debug (https://github.com/sigstore/cosign/pull/649)
* Add logic to detect and use ambient OIDC from exec envs (https://github.com/sigstore/cosign/pull/644)
* Add `-cert-email` flag to specify the email address a Fulcio cert is expected to carry for it to be considered valid (https://github.com/sigstore/cosign/pull/622)
* Add support for downloading a signature from a remote (https://github.com/sigstore/cosign/pull/629)
* Add sbom and attestations to triangulate (https://github.com/sigstore/cosign/pull/628)
* Add cosign attachment signing and verification (https://github.com/sigstore/cosign/pull/615)
* Embed CT log public key (https://github.com/sigstore/cosign/pull/607)
* Verify SCTs returned by Fulcio (https://github.com/sigstore/cosign/pull/600)
* Add extra replacement variables and GCP's role identifier (https://github.com/sigstore/cosign/pull/597)
* Store attestations in the layer (payload) rather than the annotation (https://github.com/sigstore/cosign/pull/579)
* Improve documentation about predicate type and change predicate type from provenance to slsaprovenance (https://github.com/sigstore/cosign/pull/583)
* Upgrade in-toto-golang to adapt SLSA Provenance (https://github.com/sigstore/cosign/pull/582)

## Bug Fixes

* Fix `verify-dockerfile` to allow lowercase `FROM` (https://github.com/sigstore/cosign/pull/643)
* Fix signing for the cosigned image (https://github.com/sigstore/cosign/pull/634)
* Make sure `generate-key-pair` doesn't overwrite an existing key pair (https://github.com/sigstore/cosign/pull/623)
* helm/ci: update helm repo before installing the dependency (https://github.com/sigstore/cosign/pull/598)
* Set the correct predicate type/URI for each supported predicate type (https://github.com/sigstore/cosign/pull/592)
* Warnings on admissionregistration version (https://github.com/sigstore/cosign/pull/581)
* Remove unnecessary COSIGN_PASSWORD (https://github.com/sigstore/cosign/pull/572)

## Contributors

* Batuhan Apaydın
* Ben Walding
* Carlos Alexandro Becker
* Carlos Tadeu Panato Junior
* Erkan Zileli
* Hector Fernandez
* Jake Sanders
* Jason Hall
* Matt Moore
* Michael Lieberman
* Naveen Srinivasan
* Pradeep Chhetri
* Sambhav Kothari
* dlorenc
* priyawadhwa

# v1.1.0

## Enhancements

* BREAKING: The `-attestation` flag has been renamed to `-predicate` in `attest` (https://github.com/sigstore/cosign/pull/500)
* Added `verify-manifest` command (https://github.com/sigstore/cosign/pull/490)
* Added the ability to specify and validate well-known attestation types in `attest` with the `-type` flag (https://github.com/sigstore/cosign/pull/504)
* Added `cosign init` command to set up the trusted local repository of Sigstore's TUF root metadata (https://github.com/sigstore/cosign/pull/520)
* Added timestamps to Cosign's custom in-toto predicate (https://github.com/sigstore/cosign/pull/533)
* `verify` now always verifies that the image exists (even when referenced by digest) before verification (https://github.com/sigstore/cosign/pull/543)

## Bug Fixes

* `verify-dockerfile` no longer fails on `FROM scratch` (https://github.com/sigstore/cosign/pull/509)
* Fixed reading from STDIN with `attach sbom` (https://github.com/sigstore/cosign/pull/517)
* Fixed broken documentation and implementation of `-output` for `verify` and `verify-attestation` (https://github.com/sigstore/cosign/pull/546)
* Fixed nil pointer error when calling `upload blob` without specifying `-f` (https://github.com/sigstore/cosign/pull/563)

## Contributors

* Adolfo García Veytia (@puerco)
* Anton Semjonov (@ansemjo)
* Asra Ali (@asraa)
* Batuhan Apaydın (@developer-guy)
* Carlos Panato (@cpanato)
* Dan Lorenc (@dlorenc)
* @gkovan
* Hector Fernandez (@hectorj2f)
* Jake Sanders (@dekkagaijin)
* Jim Bugwadia (@JimBugwadia)
* Jose Donizetti (@josedonizetti)
* Joshua Hansen (@joshes)
* Jason Hall (@imjasonh)
* Priya Wadhwa (@priyawadhwa)
* Russell Brown (@rjbrown57)
* Stephan Renatus (@srenatus)
* Li Yi (@denverdino)

# v1.0.0

## Enhancements

* BREAKING: The default HSM key slot is now "signature" instead of "authentication" (https://github.com/sigstore/cosign/pull/450)
* BREAKING: `--fulcio-server` is now `--fulcio-url` (https://github.com/sigstore/cosign/pull/471)
* Added `-cert` flag to `sign` to allow the explicit addition of a signature certificate (https://github.com/sigstore/cosign/pull/451)
* Added the `attest` command (https://github.com/sigstore/cosign/pull/458)
* Added numerous flags for specifying parameters when interacting with Rekor and Fulcio (https://github.com/sigstore/cosign/pull/462)
* `cosign` will now send its version string as part of the `user-agent` when interacting with a container registry (https://github.com/sigstore/cosign/pull/479)
* Files containing certificates for custom Fulcio endpoints can now be specified via the `COSIGN_ROOT` environment variable (https://github.com/sigstore/cosign/pull/477)

## Bug Fixes

* Fixed a situation where lower-case `as` would break `verify-dockerfile` (Compliments to @Dentrax https://github.com/sigstore/cosign/pull/433)

## Contributors

* Appu Goundan (@loosebazooka)
* Batuhan Apaydın (@developer-guy)
* Carlos Panato (@cpanato)
* Dan Lorenc (@dlorenc)
* Furkan Türkal (@Dentrax)
* Hector Fernandez (@hectorj2f)
* Jake Sanders (@dekkagaijin)
* James Alseth (@jalseth)
* Jason Hall (@imjasonh)
* João Pereira (@joaodrp)
* Luke Hinds (@lukehinds)
* Tom Hennen (@TomHennen)

# v0.6.0

## Enhancements

* BREAKING: Moved `cosign upload-blob` to `cosign upload blob` (https://github.com/sigstore/cosign/pull/378)
* BREAKING: Moved `cosign upload` to `cosign attach signature` (https://github.com/sigstore/cosign/pull/378)
* BREAKING: Moved `cosign download` to `cosign download signature` (https://github.com/sigstore/cosign/pull/392)
* Added flags to specify slot, PIN, and touch policies for security keys (Thank you @ddz https://github.com/sigstore/cosign/pull/369)
* Added `cosign verify-dockerfile` command (https://github.com/sigstore/cosign/pull/395)
* Added SBOM support in `cosign attach` and `cosign download sbom` (https://github.com/sigstore/cosign/pull/387)
* Sign & verify images using Kubernetes secrets (A muchas muchas gracias to @developer-guy and @Dentrax https://github.com/sigstore/cosign/pull/398)
* Added support for AWS KMS (谢谢, @codysoyland https://github.com/sigstore/cosign/pull/426)
* Numerous enhancements to our build & release process, courtesy @cpanato

## Bug Fixes

* Verify entry timestamp signatures of fetched Tlog entries (https://github.com/sigstore/cosign/pull/371)

## Contributors

* Asra Ali (@asraa)
* Batuhan Apaydın (@developer-guy)
* Carlos Panato (@cpanato)
* Cody Soyland (@codysoyland)
* Dan Lorenc (@dlorenc)
* Dino A. Dai Zovi (@ddz)
* Furkan Türkal (@Dentrax)
* Jake Sanders (@dekkagaijin)
* Jason Hall (@imjasonh)
* Paris Zoumpouloglou (@zuBux)
* Priya Wadhwa (@priyawadhwa)
* Rémy Greinhofer (@rgreinho)
* Russell Brown (@rjbrown57)

# v0.5.0

## Enhancements

* Added `cosign copy` to easily move images and signatures between repositories (https://github.com/sigstore/cosign/pull/317)
* Added `-r` flag to `cosign sign` for recursively signing multi-arch images (https://github.com/sigstore/cosign/pull/320)
* Added `cosign clean` to delete signatures for an image (Thanks, @developer-guy! https://github.com/sigstore/cosign/pull/324)
* Added `-k8s` flag to `cosign generate-key-pair` to create a Kubernetes secret (Hell yeah, @priyawadhwa! https://github.com/sigstore/cosign/pull/345)

## Bug Fixes

* Fixed an issue with misdirected image signatures when `COSIGN_REPOSITORY` was used (https://github.com/sigstore/cosign/pull/323)

## Contributors

* Balazs Zachar (@Cajga)
* Batuhan Apaydın (@developer-guy)
* Dan Lorenc (@dlorenc)
* Furkan Turkal (@Dentrax)
* Jake Sanders (@dekkagaijin)
* Jon Johnson (@jonjohnsonjr)
* Priya Wadhwa (@priyawadhwa)

# v0.4.0

## Action Required

* Signatures created with `cosign` before v0.4.0 are not compatible with those created after
* The signature image's manifest now uses OCI mediaTypes ([#300](https://github.com/sigstore/cosign/pull/300))
* The signature image's tag is now terminated with `.sig` (instead of `.cosign`, [#287](https://github.com/sigstore/cosign/pull/287))

## Enhancements

* 🎉 Added support for "offline" verification of Rekor signatures 🎉 (ありがとう, priyawadhwa! [#285](https://github.com/sigstore/cosign/pull/285))
* Support for Hashicorp Vault as a KMS provider has been added (Danke, RichiCoder1! [sigstore/sigstore #44](https://github.com/sigstore/sigstore/pull/44), [sigstore/sigstore #49](https://github.com/sigstore/sigstore/pull/49))

## Bug Fixes

* GCP KMS URIs now include the key version ([#45](https://github.com/sigstore/sigstore/pull/45))

## Contributors

* Christian Pearce (@pearcec)
* Dan Lorenc (@dlorenc)
* Jake Sanders (@dekkagaijin)
* Priya Wadhwa (@priyawadhwa)
* Richard Simpson (@RichiCoder1)
* Ross Timson (@rosstimson)

# v0.3.1

## Bug Fixes

* Fixed CI container image breakage introduced in v0.3.0
* Fixed lack of version information in release binaries

# v0.3.0

This is the third release of `cosign`!

We still expect many flags, commands, and formats to change going forward, but we're getting closer.
No backwards compatibility is promised or implied yet, though we are hoping to formalize this policy in the next release.
See [#254](https://github.com/sigstore/cosign/issues/254) for more info.

## Enhancements

* The `-output-file` flag supports writing output to a specific file
* The `-key` flag now supports `kms` references and URLs; the `kms`-specific flag has been removed
* Yubikey/PIV hardware support is now included!
* Support for signing and verifying multiple images in one invocation

## Bug Fixes

* Bug fixes in KMS keypair generation
* Bug fixes in key type parsing

## Contributors

* Dan Lorenc
* Priya Wadhwa
* Ivan Font
* Dependabot!
* Mark Bestavros
* Jake Sanders
* Carlos Tadeu Panato Junior

# v0.2.0

This is the second release of `cosign`!

We still expect many flags, commands, and formats to change going forward, but we're getting closer.
No backwards compatibility is promised or implied.

## Enhancements

* The password for private keys can now be passed via the `COSIGN_PASSWORD` environment variable
* KMS keys can now be used to sign and verify blobs
* The `version` command can now be used to return the release version
* The `public-key` command can now be used to extract the public key from KMS or a private key
* The `COSIGN_REPOSITORY` environment variable can be used to store signatures in an alternate location
* Tons of new EXAMPLES in our help text

## Bug Fixes

* Improved error messages for command line flag verification
* TONS more unit and integration testing
* Too many others to count :)

## Contributors

We would love to thank the contributors:

* Dan Lorenc
* Priya Wadhwa
* Ahmet Alp Balkan
* Naveen Srinivasan
* Chris Norman
* Jon Johnson
* Kim Lewandowski
* Luke Hinds
* Bob Callaway
* Dan POP
* eminks
* Mark Bestavros
* Jake Sanders

# v0.1.0

This is the first release of `cosign`!

The main goal of this release is to release something we can start using to sign other releases of [sigstore](sigstore.dev) projects, including `cosign` itself.

We expect many flags, commands, and formats to change going forward.
No backwards compatibility is promised or implied.

## Enhancements

This release added a feature to `cosign` called `cosign`.
The `cosign` feature can be used to sign container images and blobs.
Detailed documentation can be found in the [README](README.md) and the [Detailed Usage](USAGE.md).

## Bug Fixes

There was no way to sign container images. Now there is!

## Contributors

We would love to thank the contributors:

* dlorenc
* priyawadhwa
* Ahmet Alp Balkan
* Ivan Font
* Jason Hall
* Chris Norman
* Jon Johnson
* Kim Lewandowski
* Luke Hinds
* Bob Callaway