v1.4.0

Highlights

• BREAKING [COSIGN_EXPERIMENTAL]: This and future cosign releases will generate signatures that do not validate in older versions of cosign. This only applies to "keyless" experimental mode. To opt out of this behavior, use: --fulcio-url=https://fulcio.sigstore.dev when signing payloads (#1127)
• BREAKING [cosign/pkg]: SignedEntryTimestamp is now of type []byte. To get the previous behavior, call strfmt.Base64(SignedEntryTimestamp) (#1083)
• cosign-linux-pivkey-amd64 releases are now of the form cosign-linux-pivkey-pkcs11key-amd64 (#1052)
• Releases are now additionally signed using the keyless workflow (#1073, #1111)

Enhancements

• Validate the whole attestation statement, not just the predicate (#1035)
• Added the options to replace attestations using cosign attest --replace (#1039)
• Added URI to cosign verify-blob output (#1047)
• Signatures and certificates created by cosign sign and cosign sign-blob can be output to file using the --output-signature and --output-certificate flags, respectively (#1016, #1093, #1066, #1095)
• [cosign/pkg] Added the pkg/oci/layout package for storing signatures and attestations on disk (#1040, #1096)
• [cosign/pkg] Added mutate methods to attach oci.Files to oci.Signed* objects (#1084)
• Added the --signature-digest-algorithm flag to cosign verify, allowing verification of container image signatures which were generated with a non-SHA256 signature algorithm (#1071)
• Builds should now be reproducible (#1053)
• Allows base64 files as --cert in cosign verify-blob (#1088)
• Kubernetes secrets generated for version >= 1.21 clusters have the immutible bit set (#1091)
• Added cosign save and cosign load commands to save and upload container images and associated signatures to disk (#1094)
• cosign sign will no longer fail to sign private images in keyless mode without --force (#1116)
• cosign verify now supports signatures stored in files and remote URLs with --signature (#1068)
• cosign verify now supports certs stored in files (#1095)
• Added support for syft format in cosign attach sbom (#1137)

Bug Fixes

• Fixed verification of Rekor bundles for InToto attestations (#1030)
• Fixed a potential memory leak when signing and verifying with security keys (#1113)

Contributors

• Ashley Davis (@SgtCoDFish)
• Asra Ali (@asraa)
• Batuhan Apaydın (@developer-guy)
• Brandon Philips (@philips)
• Carlos Alexandro Becker (@caarlos0)
• Carlos Panato (@cpanato)
• Christian Rebischke (@shibumi)
• Dan Lorenc (@dlorenc)
• Erkan Zileli (@erkanzileli)
• Furkan Türkal (@Dentrax)
• garantir-km (@garantir-km)
• Jake Sanders (@dekkagaijin)
• jbpratt (@jbpratt)
• Matt Moore (@mattmoor)
• Mikey Strauss (@houdini91)
• Naveen Srinivasan (@naveensrinivasan)
• Priya Wadhwa (@priyawadhwa)
• Sambhav Kothari (@samj1912)

Changelog

• 50315fc remove obsolete --output flag (#1146)
• a1efb18 add relnotes for v1.4.0 (#1145)
• a47a835 feat: enable --check flag of addlicense (#1135)
• e48db5a Add support for syft json type to cosign (#1137)
• 7de7387 Use --recursive flag in sign example (#1143)
• 6d8cec1 Fixed a typo in README.md (#1142)
• 63e9342 cjson - Move to go-securesystemslib (#1141)
• e233ce8 update ghcr.io/gythialy/golang-cross to use go 1.17.4 (#1133)
• a05dc7b Bump deps (#1132)
• 7e5ff00 send User-Agent string w/ rekor, fulcio, and ggcr HTTP requests (#1131)
• dbb2a17 Switch (temporarily) the fulcio endpoint to our new v1 service. (#1127)
• 9076d71 feat: sign --output-certificate and verify --cert (#1095)
• 034e946 Update output to note when signatures are pushed (#1117)
• 54fb569 feat: support signature file in verify cmd (#1068)
• ec00f69 Make the transparency log upload non-fatal. (#1116)
• 1da6742 have rekor.NewSigner accept a *client.Rekor instead of a URL (#1115)
• ac7e33c call Close() on security keys before returning error (#1113)
• 2294fd4 Add Fulcio v1 root to the cosign (#1112)
• 304c2b2 continued sign refacc (#1098)
• a035b27 add keyless to the binaries and send to tlog and update release docs (#1111)
• 9555f33 use hashed rekord type for tlog upload (#1081)
• 6fc942b plumb context through to tlog requests (#1103)
• fcc8256 minor: supply ShouldUploadToTlog with context (#1104)
• 690853e Bump non-k8s deps (#1102)
• 040ed3d feat(ci): Add Gofish support (#996)
• 79f0247 Bump go-containerregistry to pickup the update to image-spec (#1092)
• 2dc6e4f Add support for storing attestations in oci/layout (#1096)
• 98cf544 Update slsa-provenance predicate to v0.2 (#1054)
• 7ec91a4 Add cosign save and cosign load commands (#1094)
• e1141af refactoring signature logic (#1065)
• 4274149 fix: alias output to output-signature on sign-blob (#1093)
• 86bf37f feat(k8s): set secret immutable by default for 1.21 (#1091)
• 2cc9c9a Bump client-go and viper. (#1089)
• aff2e37 feat: verify-blob --cert base64 (#1088)
• 5586790 fix: reproducible builds (#1053)
• 1974064 Add flag for manually specifying a hash algo when verifying (#1071)
• 90e2dcf Prune a few dependencies from ./pkg/oci (#1085)
• eed3e12 Add mutate.AttachFileTo* for attaching SBOMs. (#1084)
• e1acd18 Drop strfmt.Base64 from pkg/oci. (#1083)
• f8f0f6d Add layout package for writing and loading signatures from disk (#1040)
• 9cf8c3f Bump some deps that dependabot missed. (#1079)
• 18318ba implement output-signature and output-certificate flags (#1016)
• 857d9a5 adding keyless (#1073)
• 01b6c8f sync go mod (#1072)
• 943e824 feat: add output flag for signCmd (#1066)
• d673477 Add PKCS11 tag in releaser and Makefile for Mac and Windows (#1052)
• 413d06e fix root path (#1062)
• e868a54 cmd: update triangulate help command (#1061)
• d48fe25 verify-blob: add URI to verify-blob output (#1047)
• c5e3393 cmd: update clean command help (#1058)
• bada59e remove reverseDSSEVerifier in favor of using DSSE utilities directly (#1056)
• 3e43108 Remove img field from sigLayer (#1042)
• ccc4468 feat: replace option for same attestation (#1039)
• 5468ddc Patch support attestation log search and bundle to payload hash check (#1030)
• fe00315 README: simplify the install section (#1049)
• cd7e6a8 verify-blob: make the signature flag mandatory (#1045)
• 6ed55d6 split private signature and attestation verification fns (#1043)
• c338616 PKCS11: Fix certificate check (#1041)
• f1ec3a6 update ggcr to HEAD to eliminate (false) vuln finding (#1044)
• 89f3590 Adds a test to the cosigned e2e suite with multiple keys. (#943)
• c85db3a release: update cosign to 1.3.1 (#1038)
• 84c94b6 feat: validate whole statement not just predicate part (#1035)

Thanks for all contributors!