CHANGELOG.md

v0.2.0

Enhancements

  • Use fulcio-system ns and drop -dev suffix for sa (sigstore#418)
  • Return an error if we fail to get the Root cert. (sigstore#416)
  • Add unit tests for oidc-EmailFromIDToken method (sigstore#413)
  • extract CA/KMS support info to separate file (sigstore#409)
  • add securityContext to deployment (sigstore#420)
  • Count HTTP request error codes with prometheus (sigstore#396)
  • Remove organization from subject for GCP CAS issuer (sigstore#391)
  • Update warning text. (sigstore#389)
  • Improve error messages returned by SigningCert (sigstore#388)
  • Allow parameterized application/json content types (sigstore#386)
  • Add AKS MetaIssuer (sigstore#384)
  • Move CTL logging logic over to CTL package (sigstore#353)
  • Move OID information to docs directory and reformat (sigstore#378)
  • Upgrade miekg/pkcs11 using 'go get github.com/miekg/pkcs11@v1.1.1' (sigstore#376)
  • Address signingCert panic with the last-byte calculation of finalChainPEM (sigstore#370)
  • Include instructions to download and verify the fulcio root certificate with TUF (sigstore#361)
  • Make CA explicit dependency of API handler (sigstore#354)
  • Improve error message when an invalid OIDC issuer is provided (sigstore#357)
  • Make the invalid CA error message actionable (sigstore#356)
  • Initialize CT log client once (sigstore#350)
  • Generate subject key ID correctly for non-GCP certs (sigstore#345)
  • Add chain in response for all CAs, fix newlines in response (sigstore#341)
  • Add some reasonable timeouts to API server (sigstore#337)
  • fileca: add support for intermediate certificates (sigstore#320)
  • Set max request size to 4MiB (sigstore#338)
  • Extract additional claims from github-workflow token (sigstore#306)
  • Enable server settings via config file and env vars (sigstore#315)
  • Add file backed certificate authority (sigstore#280)
  • Handle error when there are no roots returned by CA Service (sigstore#298)
  • Add RootCert method to client + tests (sigstore#290)
  • Add back support for building with CGO_ENABLED=0 (sigstore#293)
  • add usernames list to the codeowners to make it easier to check (sigstore#295)
  • Add a Root Cert method to the CA interface, and implement it. (sigstore#287)
  • Update readme for V1 CA Service (sigstore#286)
  • Fail fast if private key is not found when using PKCS11 CA (sigstore#285)
  • Do not close the PKCS11 context on startup (sigstore#282)
  • Localize flags to each subcommand (sigstore#274)
  • Make client request timeout configurable with WithTimeout client option (sigstore#272)
  • add the ability to set the user-agent string on requests from the Client (sigstore#264)
  • Consolidate the source-of-truth. (sigstore#263)
  • Move the deployment to the new v1 cert. (sigstore#261)
  • The v1 GCP CA requires this field to be set. (sigstore#260)
  • Experiment with FulcioConfig pulling from context.Context (sigstore#249)
  • Upgrade fulcios to use of the google privateca api at v1 (sigstore#218)
  • plumb through !cgo golang tags that removes pkcs11 support (sigstore#244)
  • break out CA-specific implementation from common API class (sigstore#220)
  • Add support for recognizing allow.pub as a spiffe issuer (sigstore#228)
  • Various nits trying SoftHSM (sigstore#217)
  • Use MetaIssuers to simulate EKS / GKE in e2e test. (sigstore#225)
  • Add support for "meta issuers". (sigstore#223)
  • Remove the cluster-local block by default. (sigstore#224)
  • Refactor the way we access Config (sigstore#222)
  • Enable Fulcio e2e testing. (sigstore#219)
  • use sigstore/sigstore instead of directly calling RSA/ECDSA verify calls (sigstore#221)
  • Refactor the kind e2e test. (sigstore#215)
  • Add issuer information to code signing certificates (sigstore#204)
  • Extract the OIDC issuer URL. (sigstore#211)
  • use request ID logger where possible (sigstore#209)
  • Rewrite "FulcioCA" to "PKCS11CA" and add AWS support (sigstore#187)
  • add pkcs11-config-path command line parameter (sigstore#192)
  • Add GitHub OIDC to Fulcio (sigstore#181)
  • Changes fulcio-server to fulcio (sigstore#186)
  • Add Github to fulcioca path. (sigstore#184)
  • Add support for Github OIDC (sigstore#180)
  • Generate client code with swagger in Makefile (sigstore#176)
  • Switch to the JSON logger in prod (sigstore#175)
  • add SCT as HTTP response header (sigstore#163)
  • fulcio: add version command (sigstore#155)
  • Script and process to generate OIDC config from federation directory. (sigstore#139)

Bug Fixes

  • Fix the SCT header return value from the API to base64 encode it. (sigstore#288)
  • Fix the k8s subject parsing. (sigstore#254)
  • [Correction] Upgrade fulcios to use of the google privateca api at v1 (sigstore#252)
  • fix: go get complain missing version when dir not in module (sigstore#248)
  • Fix street-address and postal-code descriptions to be more descriptive. (sigstore#245)
  • fix cutpaste error, sets cpu correctly (sigstore#237)
  • Fix nil pointer, update dev docs (sigstore#236)
  • Fix the Github OIDC challenge endpoint (sigstore#206)
  • Fix misspellings. (sigstore#177)

Documentation

Others

  • Bump actions/upload-artifact from 2.3.1 to 3 (sigstore#452)
  • Go update to 1.17.8 and cosign to 1.6.0 (sigstore#453)
  • add missing target name (sigstore#450)
  • Bump cloud.google.com/go/security from 1.2.1 to 1.3.0 (sigstore#448)
  • Bump golang from c2ca472 to b983574 (sigstore#447)
  • Move CI private-ca YAML to subdir (sigstore#446)
  • Add step in release to mirror signed image to ghcr (sigstore#441)
  • Bump actions/checkout from 2 to 3 (sigstore#443)
  • Bump golang from e06c834 to c2ca472 (sigstore#442)
  • Bump actions/setup-go from 2.2.0 to 3.0.0 (sigstore#440)
  • Bump golangci/golangci-lint-action from 3.0.0 to 3.1.0 (sigstore#439)
  • Bump golangci/golangci-lint-action from 2.5.2 to 3 (sigstore#438)
  • Bump github/codeql-action from 1.1.2 to 1.1.3 (sigstore#435)
  • Bump github.com/magiconair/properties from 1.8.5 to 1.8.6 (sigstore#436)
  • add indent to fix yaml error (sigstore#434)
  • Bump cloud.google.com/go/security from 1.2.0 to 1.2.1 (sigstore#431)
  • explicitly set permissions for github workflows (sigstore#433)
  • Bump google.golang.org/api from 0.69.0 to 0.70.0 (sigstore#432)
  • Add missing testing dependency (sigstore#429)
  • Workflow to kick off release. (sigstore#407)
  • Take advantage of Chainguard maintained versions of various actions. (sigstore#427)
  • Bump golang from 2c92978 to e06c834 (sigstore#426)
  • create namespace as part of config yaml (sigstore#422)
  • Bump golang from 1a35cc2 to 2c92978 (sigstore#423)
  • Bump ossf/scorecard-action from 1.0.3 to 1.0.4 (sigstore#425)
  • Bump github/codeql-action from 1.1.0 to 1.1.2 (sigstore#424)
  • Bump google.golang.org/api from 0.68.0 to 0.69.0 (sigstore#412)
  • Bump cloud.google.com/go/security from 1.1.1 to 1.2.0 (sigstore#408)
  • Bump github/codeql-action from 1.0.32 to 1.1.0 (sigstore#406)
  • update cross-build to use go 1.17.7 (sigstore#404)
  • Bump golang from 1.17.6 to 1.17.7 (sigstore#403)
  • Bump golang from 301609e to fff998d (sigstore#401)
  • Bump actions/setup-go from 2.1.5 to 2.2.0 (sigstore#402)
  • Bump google.golang.org/api from 0.67.0 to 0.68.0 (sigstore#399)
  • Bump go.uber.org/zap from 1.20.0 to 1.21.0 (sigstore#393)
  • Bump github/codeql-action from 1.0.31 to 1.0.32 (sigstore#392)
  • Bump google.golang.org/api from 0.66.0 to 0.67.0 (sigstore#385)
  • Bump github/codeql-action from 1.0.30 to 1.0.31 (sigstore#366)
  • Bump ossf/scorecard-action from 1.0.2 to 1.0.3 (sigstore#367)
  • Bump go.step.sm/crypto from 0.15.0 to 0.15.1 (sigstore#377)
  • Bump google.golang.org/api from 0.65.0 to 0.66.0 (sigstore#363)
  • Bump github.com/prometheus/client_golang from 1.12.0 to 1.12.1 (sigstore#362)
  • Bump golang from d7f2f6f to 301609e (sigstore#358)
  • Bump go.step.sm/crypto from 0.14.0 to 0.15.0 (sigstore#359)
  • Bump golang from 0fa6504 to d7f2f6f (sigstore#352)
  • createca: Address panic when no private key pair matches (sigstore#351)
  • update version marker (sigstore#346)
  • Remove Google CA v1beta1 API and associated config (sigstore#349)
  • Bump ossf/scorecard-action from 1.0.1 to 1.0.2 (sigstore#347)
  • update to v1.0.29 of codeql-action (sigstore#344)
  • Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.0 (sigstore#333)
  • Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (sigstore#334)
  • Update github/codeql-action requirement to 8a4b243fbf9a03a93e93a71c1ec257347041f9c4 (sigstore#332)
  • Bump ossf/scorecard-action from 0fe1afdc40f536c78e3dc69147b91b3ecec2cc8a to 1.0.1 (sigstore#331)
  • pin one additional set of actions (sigstore#329)
  • Bump google.golang.org/api from 0.64.0 to 0.65.0 (sigstore#321)
  • add OSSF scorecard action (sigstore#328)
  • Bump golang from 8c0269d to 0fa6504 (sigstore#326)
  • pin github actions by digest instead of tag (sigstore#323)
  • release: add cloudbuild to run the release for fulcio (sigstore#322)
  • Fix docker-compose dexidp startup (sigstore#316)
  • Bump go.step.sm/crypto from 0.13.0 to 0.14.0 (sigstore#319)
  • Bump golang from 1.17.5 to 1.17.6 (sigstore#317)
  • Switch to use fileca in e2e tests (sigstore#309)
  • Bump google.golang.org/api from 0.63.0 to 0.64.0 (sigstore#318)
  • Remove hack/tools (sigstore#308)
  • Bump cloud.google.com/go/security from 1.1.0 to 1.1.1 (sigstore#312)
  • Bump go.uber.org/zap from 1.19.1 to 1.20.0 (sigstore#313)
  • Bump github.com/sigstore/sigstore from 1.0.1 to 1.1.0 (sigstore#299)
  • Change ports for docker compose to avoid conflict with Rekor (sigstore#297)
  • Bump github.com/spf13/viper from 1.10.0 to 1.10.1 (sigstore#283)
  • Bump github.com/spf13/cobra from 1.2.1 to 1.3.0 (sigstore#278)
  • Bump golang from 1.17.4 to 1.17.5 (sigstore#269)
  • Bump github.com/prometheus/common from 0.29.0 to 0.32.1 (sigstore#270)
  • Bump golang from 1.17.3 to 1.17.4 (sigstore#265)
  • Wrap the server with the Prometheus so we get metrics + add an e2e te… (sigstore#267)
  • While working on #267 noticed this, but didn't want to bake into it. (sigstore#268)
  • Drop OpenAPI from Fulcio (sigstore#262)
  • Drop useless package. (sigstore#259)
  • Drop gratuitous sync.Once in google CAs. (sigstore#258)
  • Remove viper from pkg/. (sigstore#257)
  • Bump github.com/mitchellh/mapstructure from 1.4.2 to 1.4.3 (sigstore#256)
  • Consolidate viper usage in pkg/ca/ca.go (sigstore#255)
  • Bump cloud.google.com/go/security from 0.1.0 to 1.1.0 (sigstore#246)
  • Bump github.com/go-openapi/strfmt from 0.21.0 to 0.21.1 (sigstore#247)
  • Use CGO_ENABLED=1 via .ko.yaml. (sigstore#242)
  • Bump github.com/sigstore/sigstore from 1.0.0 to 1.0.1 (sigstore#239)
  • Add commit sha and trigger to github workflow (sigstore#232)
  • Bump golang from 1.17.2 to 1.17.3 (sigstore#234)
  • Bump actions/checkout from 2.3.5 to 2.4.0 (sigstore#233)
  • Bump github.com/go-openapi/runtime from 0.20.0 to 0.21.0 (sigstore#229)
  • Bump github.com/go-openapi/strfmt from 0.20.3 to 0.21.0 (sigstore#226)
  • Bump github.com/hashicorp/golang-lru from 0.5.3 to 0.5.4 (sigstore#227)
  • bump go-swagger to v0.28.0 (sigstore#213)
  • Reproducible builds with trimpath (sigstore#210)
  • Bump actions/checkout from 2.3.4 to 2.3.5 (sigstore#207)
  • Bump github.com/go-openapi/runtime from 0.19.31 to 0.20.0 (sigstore#202)
  • Bump github.com/go-openapi/spec from 0.20.3 to 0.20.4 (sigstore#201)
  • Bump github.com/go-openapi/validate from 0.20.2 to 0.20.3 (sigstore#198)
  • update go.sum (sigstore#205)
  • Bump github.com/go-openapi/loads from 0.20.2 to 0.20.3 (sigstore#200)
  • Bump github.com/go-openapi/strfmt from 0.20.2 to 0.20.3 (sigstore#199)
  • Bump golang from 1.17.1 to 1.17.2 (sigstore#197)
  • Bump github.com/spf13/viper from 1.8.1 to 1.9.0 (sigstore#189)
  • Bump github.com/coreos/go-oidc/v3 from 3.0.0 to 3.1.0 (sigstore#188)
  • Bump github.com/mitchellh/mapstructure from 1.4.1 to 1.4.2 (sigstore#185)
  • Bump github.com/ThalesIgnite/crypto11 from 1.2.4 to 1.2.5 (sigstore#182)
  • Bump golang from 1.17.0 to 1.17.1 (sigstore#179)
  • Bump go.uber.org/zap from 1.19.0 to 1.19.1 (sigstore#178)
  • Bump github.com/go-openapi/runtime from 0.19.30 to 0.19.31 (sigstore#171)
  • Bump github.com/go-openapi/errors from 0.20.0 to 0.20.1 (sigstore#169)
  • Bump github.com/go-openapi/strfmt from 0.20.1 to 0.20.2 (sigstore#168)
  • Bump golang from 1.16.7 to 1.17.0 (sigstore#166)
  • Bump cloud.google.com/go from 0.91.1 to 0.92.3 (sigstore#167)
  • Bump cloud.google.com/go from 0.90.0 to 0.91.1 (sigstore#162)
  • Bump github.com/go-openapi/runtime from 0.19.29 to 0.19.30 (sigstore#161)
  • Bump go.uber.org/zap from 1.18.1 to 1.19.0 (sigstore#160)
  • Bump golang from 1.16.6 to 1.16.7 (sigstore#159)
  • Bump cloud.google.com/go from 0.89.0 to 0.90.0 (sigstore#158)
  • Bump cloud.google.com/go from 0.88.0 to 0.89.0 (sigstore#156)
  • makefile: add rule to download and set swagger and make rule to build the dist (sigstore#154)
  • Add missing code of conduct (stock sigstore one) (sigstore#153)

Contributors

  • Appu (@loosebazooka)
  • Asra Ali (@asraa)
  • Bob Callaway (@bobcallaway)
  • Carlos Tadeu Panato Junior (@cpanato)
  • Christian Kotzbauer (@ckotzbauer)
  • Dan Lorenc (@dlorenc)
  • Elizabeth Thomas (@elizabetht)
  • Evan Phoenix (@evanphx)
  • Hayden Blauzvern (@haydentherapper)
  • Jake Sanders (@dekkagaijin)
  • Josh Dolitsky (@jdolitsky)
  • Jyotsna (@jyotsna-penumaka)
  • Kenny Leung (@k4leung4)
  • Luke Hinds (@lukehinds)
  • Mark Bestavros (@mbestavros)
  • Matt Moore (@mattmoor)
  • Matthew Suozzo (@msuozzo)
  • Nathan Smith (@nsmith5)
  • Naveen (@naveensrinivasan)
  • Nghia Tran (@tcnghias)
  • Priya Wadhwa (@priyawadhwa)
  • Radoslav Gerganov (@rgerganov)
  • Rafael Fernández López (@ereslibre)
  • Scott Nichols (@n3wscott)
  • Thomas Strömberg (@tstromberg)
  • Tuan Anh Tran (@tuananh)
  • Viacheslav Vasilyev (@avoidik)
  • Ville Aikas (@vaikas)
  • Zack Newman (@znewman01)
  • endorama (@endorama)