v1.1.0

v1.1.0

Functional Enhancements

• improve validation on intoto v0.0.2 type (#1351)
• add feature to limit HTTP request body length to process (#1334)
• add information about the file size limit (#1313)
• Add script to backfill Redis from Rekor (#1163)
• Feature: add search support for sha512 (#1142)

Quality Enhancements

• fuzzing: refactor OSS-Fuzz build script (#1377)
• Update cloudbuild for cosign 2.0 (#1375)
• Tests - Additional sharding tests (#1180)
• jar type: add fuzzer for 3rd-party dep (#1360)
• update cosign to 2.0.0 and builder image and also cosign flags (#1368)
• fuzzing: move alpine utils to fuzz utils (#1335)
• fuzzing: add seed for alpine fuzzer (#1342)
• jar: add v001 fuzzer (#1327)
• fuzzing: open writer later in fuzz utils (#1326)
• fuzzing: remove tar operations in alpine fuzzer (#1322)
• alpine: add v001 fuzzer (#1316)
• hashedrekord: add v001 fuzzer (#1315)
• fuzzing: add call to IndexKeys in multiple fuzzers (#1302)
• fuzzing: improve cose fuzzer (#1300)
• fuzzing: improve fuzz utils (#1298)
• fuzzing: improve alpine fuzzer (#1273)
• fuzzing: go mod edit go-fuzz-headers (#1272)
• fuzzing: add .options file (#1271)
• fuzzing: build helm fuzzer from correct dir (#1264)
• types: refactor multiple fuzzers (#1258)
• helm: add fuzzer for provenance unmarshalling (#1243)
• pki: add fuzzer (#1256)
• Fuzzing: Add more bug detectors (#1253)
• Refactor e2e - part 5 (#1236)
• Removed unused tool/deps (#1244)
• Fixed the invalid path (#1245)
• Run latest fuzzers in OSS-Fuzz (#1221)
• Fuzz tests - hashedrekord (#1224)
• Update builder (#1228)
• Revamping rekor e2e - part 4 of N (#1218)
• types: add fuzzers (#1225)
• jar type: add fuzzer (#1215)
• Revamping rekor e2e - part 3 of N (#1177)
• modify OSS-Fuzz build script (#1214)
• move over oss-fuzz build script (#1204)
• wrap redis client errors to aid debugging (#1176)
• don't test release candidate builds in harness (#1183)
• types/alpine: add fuzzer (#1200)
• logging tweaks to improve usability (#1235)
• Add backfill-redis to the release artifacts (#1174)
• ensure jobs run on release branches (#1181)
• update builder image and cosign (#1165)
• Refactor e2e tests - x509 apk (#1152)
• Sharding - Additional tests (#1156)
• Ran gofmt and cleaned up (#1157)
• Fuzz - Fuzz tests for sharding (#1147)
• Revamping rekor e2e - part 1 of N (#1089)

Bug Fixes

• remove goroutine usage from SearchLogQuery (#1407)
• drop log messages regarding attestation storage to debug (#1408)
• fix ko-local build (#1381)
• disable blocking checks (#1353)
• fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)
• fix: fix regex for multi-digit counts (#1321)
• return NotFound if treesize is 0 rather than calling trillian (#1311)
• enumerate slice to get sugared logs (#1312)
• put a reasonable size limit on ssh key reader (#1288)
• CLIENT: Fix Custom Host and Path Issue (#1306)
• do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)
• correctly handle invalid or missing pki format (#1281)
• Add Verifier to get public key/cert and identities for entry type (#1210)
• fix goroutine leak in client; add insecure TLS option (#1238)
• Fix - Remove the force-recreate flag (#1179)
• trim whitespace around public keys before parsing (#1175)
• stop inserting envelope hash for intoto:0.0.2 types into index (#1171)
• Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158)
• remove double encoding of payload and signature fields for intoto (#1150)
• fix SearchLogQuery behavior to conform to openapi spec (#1145)
• Remove pem-certificate-chain from client (#1138)
• fix flag type for operator in search (#1136)
• use sigstore/community dep review (#1132)

Contributors

• AdamKorcz
• Batuhan Apaydın
• Bob Callaway
• Carlos Tadeu Panato Junior
• Fabian Kammel
• Fredrik Skogman
• Hayden B
• Joyce
• Naveen
• Noah Kreiger
• Priya Wadhwa

v1.0.1

What's Changed

• ensure jobs run on release branches (#1181) by @bobcallaway in #1182
• stop inserting envelope hash for intoto:0.0.2 types into index (#1171) by @bobcallaway in #1172
• Cherry pick #1163 and #1174 into release-1.0 by @haydentherapper in #1194
• Cherry pick #1145 into the release-1.0 branch by @priyawadhwa in #1191
• [cherrypick #1165] update builder and cosign image by @cpanato in #1196

Full Changelog: v1.0.0...v1.0.1

v1.0.0

What's Changed

• add changelog for 0.12.0 and 0.12.1 by @cpanato in #1064
• add description on /api/v1/index/retrieve endpoint by @bobcallaway in #1073
• Adding e2e test coverage by @cdris in #1071
• export rekor build/version information by @cpanato in #1074
• Use POST instead of GET for /api/log/entries/retrieve metrics. by @var-sdk in #1083
• Search through all shards when searching by hash by @priyawadhwa in #1082
• Update CHANGELOG.md for 0.12.2 release by @priyawadhwa in #1085
• verify: verify checkpoint's STH against the inclusion proof root hash by @asraa in #1092
• add ability to enable/disable specific rekor API endpoints by @bobcallaway in #1080
• enable configurable client retries with backoff in RekorClient by @bobcallaway in #1096
• remove dead code around api-key and timestamp references by @bobcallaway in #1098
• update swagger API version to 1.0.0 by @bobcallaway in #1102
• remove unused RekorVersion API definition by @bobcallaway in #1101
• install gocovmerge in hack/tools by @bobcallaway in #1103
• Cut 1.0 prerelease by @priyawadhwa in #1105
• add retry command line flag on rekor-cli by @bobcallaway in #1097
• Add some info and debug logging to commonly used funcs by @priyawadhwa in #1106
• Add CHANGELOG.md for v1.0.0-rc.1 by @priyawadhwa in #1110
• update builder images and cosign by @cpanato in #1114
• Add Rekor 1.0 CHANGELOG by @priyawadhwa in #1122

Full Changelog: v0.12.1...v1.0.0

v1.0.0-rc.1

What's Changed

• add retry command line flag on rekor-cli by @bobcallaway in #1097
• Add some info and debug logging to commonly used funcs by @priyawadhwa in #1106
• Add CHANGELOG.md for v1.0.0-rc.1 by @priyawadhwa in #1110

Full Changelog: v1.0-rc...v1.0.0-rc.1

v1.0-rc

What's Changed

• add changelog for 0.12.0 and 0.12.1 by @cpanato in #1064
• add description on /api/v1/index/retrieve endpoint by @bobcallaway in #1073
• Adding e2e test coverage by @cdris in #1071
• export rekor build/version information by @cpanato in #1074
• Use POST instead of GET for /api/log/entries/retrieve metrics. by @var-sdk in #1083
• Search through all shards when searching by hash by @priyawadhwa in #1082
• Update CHANGELOG.md for 0.12.2 release by @priyawadhwa in #1085
• verify: verify checkpoint's STH against the inclusion proof root hash by @asraa in #1092
• add ability to enable/disable specific rekor API endpoints by @bobcallaway in #1080
• enable configurable client retries with backoff in RekorClient by @bobcallaway in #1096
• remove dead code around api-key and timestamp references by @bobcallaway in #1098
• update swagger API version to 1.0.0 by @bobcallaway in #1102
• remove unused RekorVersion API definition by @bobcallaway in #1101
• install gocovmerge in hack/tools by @bobcallaway in #1103
• Cut 1.0 prerelease by @priyawadhwa in #1105

Full Changelog: v0.12.1...v1.0-rc

v0.12.2

What's Changed

• add changelog for 0.12.0 and 0.12.1 by @cpanato in #1064
• add description on /api/v1/index/retrieve endpoint by @bobcallaway in #1073
• Adding e2e test coverage by @cdris in #1071
• export rekor build/version information by @cpanato in #1074
• Use POST instead of GET for /api/log/entries/retrieve metrics. by @var-sdk in #1083
• Search through all shards when searching by hash by @priyawadhwa in #1082

Full Changelog: v0.12.1...v0.12.2

v0.12.1

Highlights

** Rekor ** v0.12.1 comes with a breaking change to rekor-cli v0.12.1. Users of rekor-cli MUST upgrade to the latest version
The addition of the intotov2 created a breaking change for the rekor-cli

What's Changed

• fix: fix harness tests with intoto v0.0.2 by @asraa in #1052
• feat: add file based signer and password by @asraa in #1049
• Adds new rekor metrics for latency and QPS. by @var-sdk in #1059

New Contributors

• @var-sdk made their first contribution in #1059

Full Changelog: v0.12.0...v0.12.1

Thanks for all contributors!

v0.12.0

What's Changed

• update changelog for 0.11.0 by @cpanato in #989
• bump sigstore/sigstore from 1.2.1 to 1.4.0 by @k4leung4 in #985
• check supportedVersions list rather than directly reading from version map by @bobcallaway in #1003
• enable blocking specific pluggable type versions from being inserted into the log by @bobcallaway in #1004
• api.SearchLogQueryHandler thread safety by @cdris in #1006
• 'docker compose' to 'docker-compose' by @bobcallaway in #1009
• Intoto v0.0.2 by @pxp928 in #973
• Add bounds on number of elements in api/v1/log/entries/retrieve by @priyawadhwa in #1011
• Change Checkpoint origin to be "Hostname - Tree ID" by @haydentherapper in #1013
• feat: add verification functions by @asraa in #986
• Validate tree ID on calls to /api/v1/log/entries/retrieve by @priyawadhwa in #1017
• Include checkpoint (STH) in entry upload and retrieve responses by @haydentherapper in #1015
• fix: use entry uuid uniformly in return responses by @asraa in #1012
• remove /api/v1/version endpoint by @bobcallaway in #1022
• upgrade to go1.19 by @cpanato in #1018
• update to go-swagger v0.30.2 by @bobcallaway in #1028
• Fix rekor-cli backwards incompatibility & run harness tests against HEAD by @priyawadhwa in #1030
• Fix harness tests @ main by @priyawadhwa in #1038
• Fetch all tags in harness tests by @priyawadhwa in #1039
• fix retrieve endpoint response code and add testing by @asraa in #1043
• update go builder to go1.19.1 by @cpanato in #1044

New Contributors

• @cdris made their first contribution in #1006
• @pxp928 made their first contribution in #973

Full Changelog: v0.11.0...v0.12.0

v0.11.0

What's Changed

• Bump github/codeql-action from 2.1.16 to 2.1.17 by @dependabot in #946
• Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 by @dependabot in #947
• Bump golang from 6e10f44 to 8a62670 by @dependabot in #948
• Bump golang from 1.18.4 to 1.18.5 by @dependabot in #950
• Add rekor harness tests by @priyawadhwa in #945
• Persist and check attestations across harness tests by @priyawadhwa in #952
• Bump github/codeql-action from 2.1.17 to 2.1.18 by @dependabot in #955
• Bump github.com/go-openapi/swag from 0.21.1 to 0.22.0 by @dependabot in #958
• Bump github.com/prometheus/client_golang from 1.12.2 to 1.13.0 by @dependabot in #959
• Add harness test for getting all entries by UUID and EntryID by @priyawadhwa in #957
• Bump go.uber.org/zap from 1.21.0 to 1.22.0 by @dependabot in #961
• Bump gopkg.in/ini.v1 from 1.66.6 to 1.67.0 by @dependabot in #960
• api: fix inclusion proof verification flake by @asraa in #956
• change default value for rekor_server.hostname to server's hostname by @bobcallaway in #963
• Bump github.com/go-openapi/errors from 0.20.2 to 0.20.3 by @dependabot in #964
• fix nil-pointer error when artifact-hash is passed without artifact by @dsa0x in #965
• Add prometheus summary to track metric latency by @priyawadhwa in #966
• compute payload and envelope hashes upon validating intoto proposed entries by @bobcallaway in #967
• update field documentation on publicKey for hashedrekord by @bobcallaway in #969
• Bump actions/github-script from 6.1.0 to 6.1.1 by @dependabot in #971
• Bump github.com/mediocregopher/radix/v4 from 4.1.0 to 4.1.1 by @dependabot in #972
• Allow sharding config to be written in yaml or json by @priyawadhwa in #974
• Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 by @dependabot in #975
• Bump github.com/go-openapi/swag from 0.22.0 to 0.22.1 by @dependabot in #978
• Bump github.com/go-openapi/loads from 0.21.1 to 0.21.2 by @dependabot in #977
• fix incorrect schema id for cose type by @bobcallaway in #979
• Bump github.com/go-openapi/spec from 0.20.6 to 0.20.7 by @dependabot in #976
• fix: make rekor verify work with sharded uuids by @asraa in #970
• update builder and cosign images by @cpanato in #981
• remove trailing slash on directories by @bobcallaway in #984
• add changelog for v0.11.0 release by @cpanato in #982
• add support for intersection & union in search operations by @dsa0x in #968
• Update scorecard-action to v2:alpha by @azeemshaikh38 in #987

New Contributors

• @dsa0x made their first contribution in #965

Full Changelog: v0.10.0...v0.11.0

v0.10.0

** Note: Rekor will not send application/yaml responses anymore only application/json responses

What's Changed

• reuse DSSE signature wrappers instead of a local copy by @bobcallaway in #912
• Updates on the release job/makefile cleanup by @cpanato in #914
• Return 404 if entry isn't found in log by @priyawadhwa in #915
• Bump actions/setup-go from 3.2.0 to 3.2.1 by @dependabot in #916
• Bump google.golang.org/grpc from 1.47.0 to 1.48.0 by @dependabot in #920
• Bump golang from 1.18.3 to 1.18.4 by @dependabot in #919
• Bump github/codeql-action from 2.1.15 to 2.1.16 by @dependabot in #924
• Bump actions/dependency-review-action from 2.0.2 to 2.0.4 by @dependabot in #925
• Bump github.com/veraison/go-cose from 1.0.0-alpha.1 to 1.0.0-rc.1 by @dependabot in #928
• Bump sigs.k8s.io/release-utils from 0.7.1 to 0.7.2 by @dependabot in #927
• Update cosign image in validate-release job by @priyawadhwa in #931
• Bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 by @dependabot in #930
• Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 by @dependabot in #936
• Bump github.com/google/trillian from 1.4.1 to 1.4.2 in /hack/tools by @dependabot in #939
• Bump sigs.k8s.io/release-utils from 0.7.2 to 0.7.3 by @dependabot in #937
• update go builder and cosign image by @cpanato in #934
• Bump imjasonh/setup-ko from 0.4 to 0.5 by @dependabot in #940
• Drop application/yaml content type by @haydentherapper in #933
• Add rekor test harness to presubmit tests by @priyawadhwa in #921
• ✨ Enable Scorecard badge by @azeemshaikh38 in #941
• update go mod in hack/tools to go1.18 by @cpanato in #935
• update changelog in preparation of v0.10.0 release by @cpanato in #943
• Bump golang from 9349ed8 to 6e10f44 by @dependabot in #942
• add ldflags back by @cpanato in #944

New Contributors

• @azeemshaikh38 made their first contribution in #941

Full Changelog: v0.9.1...v0.10.0

Thanks to all contributors!