Releases: sigstore/rekor
v1.1.0
Functional Enhancements
- improve validation on intoto v0.0.2 type (#1351)
- add feature to limit HTTP request body length to process (#1334)
- add information about the file size limit (#1313)
- Add script to backfill Redis from Rekor (#1163)
- Feature: add search support for sha512 (#1142)
Quality Enhancements
- fuzzing: refactor OSS-Fuzz build script (#1377)
- Update cloudbuild for cosign 2.0 (#1375)
- Tests - Additional sharding tests (#1180)
- jar type: add fuzzer for 3rd-party dep (#1360)
- update cosign to 2.0.0 and builder image and also cosign flags (#1368)
- fuzzing: move alpine utils to fuzz utils (#1335)
- fuzzing: add seed for alpine fuzzer (#1342)
- jar: add v001 fuzzer (#1327)
- fuzzing: open writer later in fuzz utils (#1326)
- fuzzing: remove tar operations in alpine fuzzer (#1322)
- alpine: add v001 fuzzer (#1316)
- hashedrekord: add v001 fuzzer (#1315)
- fuzzing: add call to IndexKeys in multiple fuzzers (#1302)
- fuzzing: improve cose fuzzer (#1300)
- fuzzing: improve fuzz utils (#1298)
- fuzzing: improve alpine fuzzer (#1273)
- fuzzing: go mod edit go-fuzz-headers (#1272)
- fuzzing: add .options file (#1271)
- fuzzing: build helm fuzzer from correct dir (#1264)
- types: refactor multiple fuzzers (#1258)
- helm: add fuzzer for provenance unmarshalling (#1243)
- pki: add fuzzer (#1256)
- Fuzzing: Add more bug detectors (#1253)
- Refactor e2e - part 5 (#1236)
- Removed unused tool/deps (#1244)
- Fixed the invalid path (#1245)
- Run latest fuzzers in OSS-Fuzz (#1221)
- Fuzz tests - hashedrekord (#1224)
- Update builder (#1228)
- Revamping rekor e2e - part 4 of N (#1218)
- types: add fuzzers (#1225)
- jar type: add fuzzer (#1215)
- Revamping rekor e2e - part 3 of N (#1177)
- modify OSS-Fuzz build script (#1214)
- move over oss-fuzz build script (#1204)
- wrap redis client errors to aid debugging (#1176)
- don't test release candidate builds in harness (#1183)
- types/alpine: add fuzzer (#1200)
- logging tweaks to improve usability (#1235)
- Add backfill-redis to the release artifacts (#1174)
- ensure jobs run on release branches (#1181)
- update builder image and cosign (#1165)
- Refactor e2e tests - x509 apk (#1152)
- Sharding - Additional tests (#1156)
- Ran gofmt and cleaned up (#1157)
- Fuzz - Fuzz tests for sharding (#1147)
- Revamping rekor e2e - part 1 of N (#1089)
Bug Fixes
- remove goroutine usage from SearchLogQuery (#1407)
- drop log messages regarding attestation storage to debug (#1408)
- fix ko-local build (#1381)
- disable blocking checks (#1353)
- fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)
- fix: fix regex for multi-digit counts (#1321)
- return NotFound if treesize is 0 rather than calling trillian (#1311)
- enumerate slice to get sugared logs (#1312)
- put a reasonable size limit on ssh key reader (#1288)
- CLIENT: Fix Custom Host and Path Issue (#1306)
- do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)
- correctly handle invalid or missing pki format (#1281)
- Add Verifier to get public key/cert and identities for entry type (#1210)
- fix goroutine leak in client; add insecure TLS option (#1238)
- Fix - Remove the force-recreate flag (#1179)
- trim whitespace around public keys before parsing (#1175)
- stop inserting envelope hash for intoto:0.0.2 types into index (#1171)
- Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158)
- remove double encoding of payload and signature fields for intoto (#1150)
- fix SearchLogQuery behavior to conform to openapi spec (#1145)
- Remove pem-certificate-chain from client (#1138)
- fix flag type for operator in search (#1136)
- use sigstore/community dep review (#1132)
Contributors
- AdamKorcz
- Batuhan Apaydın
- Bob Callaway
- Carlos Tadeu Panato Junior
- Fabian Kammel
- Fredrik Skogman
- Hayden B
- Joyce
- Naveen
- Noah Kreiger
- Priya Wadhwa
v1.0.1
What's Changed
- ensure jobs run on release branches (#1181) by @bobcallaway in #1182
- stop inserting envelope hash for intoto:0.0.2 types into index (#1171) by @bobcallaway in #1172
- Cherry pick #1163 and #1174 into release-1.0 by @haydentherapper in #1194
- Cherry pick #1145 into the release-1.0 branch by @priyawadhwa in #1191
- [cherrypick #1165] update builder and cosign image by @cpanato in #1196
Full Changelog: v1.0.0...v1.0.1
v1.0.0
What's Changed
- add changelog for 0.12.0 and 0.12.1 by @cpanato in #1064
- add description on /api/v1/index/retrieve endpoint by @bobcallaway in #1073
- Adding e2e test coverage by @cdris in #1071
- export rekor build/version information by @cpanato in #1074
- Use POST instead of GET for /api/log/entries/retrieve metrics. by @var-sdk in #1083
- Search through all shards when searching by hash by @priyawadhwa in #1082
- Update CHANGELOG.md for 0.12.2 release by @priyawadhwa in #1085
- verify: verify checkpoint's STH against the inclusion proof root hash by @asraa in #1092
- add ability to enable/disable specific rekor API endpoints by @bobcallaway in #1080
- enable configurable client retries with backoff in RekorClient by @bobcallaway in #1096
- remove dead code around api-key and timestamp references by @bobcallaway in #1098
- update swagger API version to 1.0.0 by @bobcallaway in #1102
- remove unused RekorVersion API definition by @bobcallaway in #1101
- install gocovmerge in hack/tools by @bobcallaway in #1103
- Cut 1.0 prerelease by @priyawadhwa in #1105
- add retry command line flag on rekor-cli by @bobcallaway in #1097
- Add some info and debug logging to commonly used funcs by @priyawadhwa in #1106
- Add CHANGELOG.md for v1.0.0-rc.1 by @priyawadhwa in #1110
- update builder images and cosign by @cpanato in #1114
- Add Rekor 1.0 CHANGELOG by @priyawadhwa in #1122
Full Changelog: v0.12.1...v1.0.0
v1.0.0-rc.1
What's Changed
- add retry command line flag on rekor-cli by @bobcallaway in #1097
- Add some info and debug logging to commonly used funcs by @priyawadhwa in #1106
- Add CHANGELOG.md for v1.0.0-rc.1 by @priyawadhwa in #1110
Full Changelog: v1.0-rc...v1.0.0-rc.1
v1.0-rc
What's Changed
- add changelog for 0.12.0 and 0.12.1 by @cpanato in #1064
- add description on /api/v1/index/retrieve endpoint by @bobcallaway in #1073
- Adding e2e test coverage by @cdris in #1071
- export rekor build/version information by @cpanato in #1074
- Use POST instead of GET for /api/log/entries/retrieve metrics. by @var-sdk in #1083
- Search through all shards when searching by hash by @priyawadhwa in #1082
- Update CHANGELOG.md for 0.12.2 release by @priyawadhwa in #1085
- verify: verify checkpoint's STH against the inclusion proof root hash by @asraa in #1092
- add ability to enable/disable specific rekor API endpoints by @bobcallaway in #1080
- enable configurable client retries with backoff in RekorClient by @bobcallaway in #1096
- remove dead code around api-key and timestamp references by @bobcallaway in #1098
- update swagger API version to 1.0.0 by @bobcallaway in #1102
- remove unused RekorVersion API definition by @bobcallaway in #1101
- install gocovmerge in hack/tools by @bobcallaway in #1103
- Cut 1.0 prerelease by @priyawadhwa in #1105
Full Changelog: v0.12.1...v1.0-rc
v0.12.2
What's Changed
- add changelog for 0.12.0 and 0.12.1 by @cpanato in #1064
- add description on /api/v1/index/retrieve endpoint by @bobcallaway in #1073
- Adding e2e test coverage by @cdris in #1071
- export rekor build/version information by @cpanato in #1074
- Use POST instead of GET for /api/log/entries/retrieve metrics. by @var-sdk in #1083
- Search through all shards when searching by hash by @priyawadhwa in #1082
Full Changelog: v0.12.1...v0.12.2
v0.12.1
Highlights
Rekor v0.12.1 comes with a breaking change to rekor-cli v0.12.1. Users of rekor-cli MUST upgrade to the latest version.
The addition of the intotov2 created a breaking change for the rekor-cli.
What's Changed
- fix: fix harness tests with intoto v0.0.2 by @asraa in #1052
- feat: add file based signer and password by @asraa in #1049
- Adds new rekor metrics for latency and QPS. by @var-sdk in #1059
New Contributors
Full Changelog: v0.12.0...v0.12.1
Thanks to all contributors!
v0.12.0
What's Changed
- update changelog for 0.11.0 by @cpanato in #989
- bump sigstore/sigstore from 1.2.1 to 1.4.0 by @k4leung4 in #985
- check supportedVersions list rather than directly reading from version map by @bobcallaway in #1003
- enable blocking specific pluggable type versions from being inserted into the log by @bobcallaway in #1004
- api.SearchLogQueryHandler thread safety by @cdris in #1006
- 'docker compose' to 'docker-compose' by @bobcallaway in #1009
- Intoto v0.0.2 by @pxp928 in #973
- Add bounds on number of elements in api/v1/log/entries/retrieve by @priyawadhwa in #1011
- Change Checkpoint origin to be "Hostname - Tree ID" by @haydentherapper in #1013
- feat: add verification functions by @asraa in #986
- Validate tree ID on calls to /api/v1/log/entries/retrieve by @priyawadhwa in #1017
- Include checkpoint (STH) in entry upload and retrieve responses by @haydentherapper in #1015
- fix: use entry uuid uniformly in return responses by @asraa in #1012
- remove /api/v1/version endpoint by @bobcallaway in #1022
- upgrade to go1.19 by @cpanato in #1018
- update to go-swagger v0.30.2 by @bobcallaway in #1028
- Fix rekor-cli backwards incompatibility & run harness tests against HEAD by @priyawadhwa in #1030
- Fix harness tests @ main by @priyawadhwa in #1038
- Fetch all tags in harness tests by @priyawadhwa in #1039
- fix retrieve endpoint response code and add testing by @asraa in #1043
- update go builder to go1.19.1 by @cpanato in #1044
New Contributors
Full Changelog: v0.11.0...v0.12.0
v0.11.0
What's Changed
- Bump github/codeql-action from 2.1.16 to 2.1.17 by @dependabot in #946
- Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 by @dependabot in #947
- Bump golang from 6e10f44 to 8a62670 by @dependabot in #948
- Bump golang from 1.18.4 to 1.18.5 by @dependabot in #950
- Add rekor harness tests by @priyawadhwa in #945
- Persist and check attestations across harness tests by @priyawadhwa in #952
- Bump github/codeql-action from 2.1.17 to 2.1.18 by @dependabot in #955
- Bump github.com/go-openapi/swag from 0.21.1 to 0.22.0 by @dependabot in #958
- Bump github.com/prometheus/client_golang from 1.12.2 to 1.13.0 by @dependabot in #959
- Add harness test for getting all entries by UUID and EntryID by @priyawadhwa in #957
- Bump go.uber.org/zap from 1.21.0 to 1.22.0 by @dependabot in #961
- Bump gopkg.in/ini.v1 from 1.66.6 to 1.67.0 by @dependabot in #960
- api: fix inclusion proof verification flake by @asraa in #956
- change default value for rekor_server.hostname to server's hostname by @bobcallaway in #963
- Bump github.com/go-openapi/errors from 0.20.2 to 0.20.3 by @dependabot in #964
- fix nil-pointer error when artifact-hash is passed without artifact by @dsa0x in #965
- Add prometheus summary to track metric latency by @priyawadhwa in #966
- compute payload and envelope hashes upon validating intoto proposed entries by @bobcallaway in #967
- update field documentation on publicKey for hashedrekord by @bobcallaway in #969
- Bump actions/github-script from 6.1.0 to 6.1.1 by @dependabot in #971
- Bump github.com/mediocregopher/radix/v4 from 4.1.0 to 4.1.1 by @dependabot in #972
- Allow sharding config to be written in yaml or json by @priyawadhwa in #974
- Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 by @dependabot in #975
- Bump github.com/go-openapi/swag from 0.22.0 to 0.22.1 by @dependabot in #978
- Bump github.com/go-openapi/loads from 0.21.1 to 0.21.2 by @dependabot in #977
- fix incorrect schema id for cose type by @bobcallaway in #979
- Bump github.com/go-openapi/spec from 0.20.6 to 0.20.7 by @dependabot in #976
- fix: make rekor verify work with sharded uuids by @asraa in #970
- update builder and cosign images by @cpanato in #981
- remove trailing slash on directories by @bobcallaway in #984
- add changelog for v0.11.0 release by @cpanato in #982
- add support for intersection & union in search operations by @dsa0x in #968
- Update scorecard-action to v2:alpha by @azeemshaikh38 in #987
New Contributors
Full Changelog: v0.10.0...v0.11.0
v0.10.0
Note: Rekor will not send application/yaml responses anymore, only application/json responses.
What's Changed
- reuse DSSE signature wrappers instead of a local copy by @bobcallaway in #912
- Updates on the release job/makefile cleanup by @cpanato in #914
- Return 404 if entry isn't found in log by @priyawadhwa in #915
- Bump actions/setup-go from 3.2.0 to 3.2.1 by @dependabot in #916
- Bump google.golang.org/grpc from 1.47.0 to 1.48.0 by @dependabot in #920
- Bump golang from 1.18.3 to 1.18.4 by @dependabot in #919
- Bump github/codeql-action from 2.1.15 to 2.1.16 by @dependabot in #924
- Bump actions/dependency-review-action from 2.0.2 to 2.0.4 by @dependabot in #925
- Bump github.com/veraison/go-cose from 1.0.0-alpha.1 to 1.0.0-rc.1 by @dependabot in #928
- Bump sigs.k8s.io/release-utils from 0.7.1 to 0.7.2 by @dependabot in #927
- Update cosign image in validate-release job by @priyawadhwa in #931
- Bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 by @dependabot in #930
- Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 by @dependabot in #936
- Bump github.com/google/trillian from 1.4.1 to 1.4.2 in /hack/tools by @dependabot in #939
- Bump sigs.k8s.io/release-utils from 0.7.2 to 0.7.3 by @dependabot in #937
- update go builder and cosign image by @cpanato in #934
- Bump imjasonh/setup-ko from 0.4 to 0.5 by @dependabot in #940
- Drop application/yaml content type by @haydentherapper in #933
- Add rekor test harness to presubmit tests by @priyawadhwa in #921
- ✨ Enable Scorecard badge by @azeemshaikh38 in #941
- update go mod in hack/tools to go1.18 by @cpanato in #935
- update changelog in preparation of v0.10.0 release by @cpanato in #943
- Bump golang from 9349ed8 to 6e10f44 by @dependabot in #942
- add ldflags back by @cpanato in #944
New Contributors
- @azeemshaikh38 made their first contribution in #941
Full Changelog: v0.9.1...v0.10.0