Commit
Now supports both creating and verifying sigstore signatures that use Fulcio and Rekor. A New API for signing images during copy. docker-archive: now can read non-seekable streams. Improved error messages for registry errors.

- Introduce oci/{archive,layout}.ImageNotFoundError
- Don't use any default path fallbacks if the user specified a path
- Introduce signature/sigstore.NewSigner
- Introduce signature/simplesigning.NewSigner
- Add pkg/cli/sigstore
- Add functional-option NewPRSigstoreSigned
- Add signature/sigstore.GenerateKeyPair
- Avoid confusion about 404 on lookaside
- Heuristically warn about lookaside servers serving HTML
- Add a limit for the total number of signatures in lookaside
- Update the public.ecr.aws error with current data
- Add a test for isManifestUnknownError
- Consolidate handleErrorResponse calls to registryHTTPResponseToError
- Discard any but the first element of errcode.Errors
- Add more detailed error tests
- Make invalid HTTP bodies unwrappable as unexpectedHTTPResponseError
- Use registryHTTPResponseToError on /tags/list failure
- Simplify error messages using the default error text
- Use registryHttpResponseToError in many more places
- set directory transport destination as thread-safe
- Recognize invalid error responses of registry.redhat.io
- Make the pseudo-config used in sigstore attachments a bit more valid
- Convert TestSignatureStorageBaseURL to table-based
- Don't call net/url.URL.Parse when we mean net/url.Parse
- Rename all "url" variables to something else
- Fix documentation comment of the stubs package
- Simplify ociReference.getManifestDescriptor
- Simplify ociReference.getManifestDescriptor a bit
- Fix typos
- Remove unnecessary conversions
- Actually test the caller-requested function
- Remove ineffective assignments
- Fix an always-true condition
- Fix unordered list formatting in containers-policy.json(5)
- docker/reference: reduce regex compilations
- docker/reference/regexp.go: constify strings
- docker/reference.literal: return QuoteMeta directly
- docker/reference.expression: use strings.Join()
- Run (gofmt -s)
- Don't incorrectly report success on failure paths
- Clarify the semantics of the optional.creator field in simple signature payload
- Call x509.SystemCertPool directly instead of tlsconfig.SystemCertPool
- Remove sockets.DialerFromEnvironment
- Use io.SeekStart instead of a hard-coded 0
- Add support for non-seekable files in docker-archive: sources
- Add comments to BlobInfo to warn against adding more edit fields
- Split test data from TestV1RegistriesConfNonempty and TestV2RegistriesConfNonempty
- Reject files mixing v1 and v2 registries.conf, even with empty fields
- Fix a typo
- Move the "human-readable description" of a helper into setAuthToCredHelper
- Correctly report a credHelpers location in SetCredentials
- Add missing documentation of build tags
- Fix comments about exponential backoff with Retry-After
- storage source: Don't store small blobs on disk in GetBlob()
- config: use `authPath` struct consistently
- config: Make parsing function a method on authFile
- storage: Immediately unlink tmpfile
- Don't duplicate the getPathToAuth rules for user-specified paths in getAuthPaths
- Move killGPGAgent into a helper package
- Terminate the GPG agent spawned by c/image/signature tests
- Speed up pkg/blobcache tests
- Turn copy.TestCreateSignature into a table-based test
- Reorder the tests in copy.TestCreateSignature
- Add a test case for signing dir: with an explicit identity
- Fix a documentation typo
- Return a generic signature.Signature from SignDockerManifestWithPrivateKeyFileUnstable
- Introduce Signer = internal/signer.Signer, and internal/signer.SignerImplementation
- Introduce signature/sigstore/internal.SigstoreSigner
- Make SigstoreSigner implement signer.SignerImplementation
- Rename signature/sigstore/sign.go to signer.go
- Consolidate the two signing implementations to copier.createSignatureWithSigner
- Refactor copy.Image to sign using []*signer.Signer
- Add copy.Options.Signers
- Don't use GPG in copy.TestCreateSignatures
- Make sure value types also implement json.Marshaler
- Add signature/internal.UntrustedRekor{SET,Payload}
- Refactor SigstoreSigner.SignImageManifest a bit
- Rekor upload
- Move the docker client User-Agent value to a shared subpackage
- Add Fulcio with OIDC authentication
- Add Fulcio with user-provided OIDC token
- Drop dead code that causes a regex compilation on init
- Do not preallocate regex in init program
- Replace copy&pasted code by a shared modifiedJSON function
- Add VerifyRekorSET
- manifest: pull Variant from an OCI config
- Remove left-over logging from test development
- Cirrus: Use F37 CI VM Image
- Add Fulcio certificate acceptance logic
- Split loadBytesFromDataOrPath and prepareTrustRoot in prSigstoreSigned
- Make a part of TestPRSigstoreSignedIsSignatureAccepted table-driven
- Split sigstore configuration parsing and API into separate files
- Add tests to reject neither of keyPath / keyData being set
- Add support for Fulcio and Rekor to sigstoreSigned

Signed-off-by: Miloslav Trmač <mitr@redhat.com>