Releases: sigstore/sigstore-go
Release list
v1.2.2
v1.2.1
What's Changed
v1.2.1 resolves GHSA-wqqc-jjcq-vfxm.
- Check signature time against public key validity window in #642
Full Changelog: v1.2.0...v1.2.1
v1.2.0
What's Changed
- Add preferred method for verifying log entry proofs by @Hayden-IO in #557
- docs(verify): annotate identity matchers and regexp semantics by @1seal in #558
- Bump actions/setup-go from 6.1.0 to 6.2.0 by @dependabot[bot] in #563
- Bump the minor-patch group across 1 directory with 7 updates by @dependabot[bot] in #565
- ensure we have verification material before attempting to extract public key by @bobcallaway in #566
- fix(tlog): fail closed for rekor v2 parsing by @1seal in #562
- Bump sigstore-conformance to latest by @cmurphy in #559
- Bump actions/checkout from 6.0.1 to 6.0.2 by @dependabot[bot] in #573
- Bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 in /examples/oci-image-verification by @dependabot[bot] in #576
- Bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 in /examples/oci-image-verification by @dependabot[bot] in #571
- Bump production and staging TUF roots by @Hayden-IO in #580
- Support DSSE signing conformance test by @aaronlew02 in #582
- Fix nil pointer dereference in LiveTrustedRoot refresh by @Hayden-IO in #584
- Bump sigstore/sigstore-conformance from 0.0.25 to 0.0.26 by @dependabot[bot] in #585
- chore: remove large test dependencies by replacing ctfe usage by @Hayden-IO in #587
- Bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 by @dependabot[bot] in #575
- Bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 by @dependabot[bot] in #569
- Bump github.com/theupdateframework/go-tuf/v2 from 2.3.0 to 2.4.1 by @dependabot[bot] in #578
- Set minimum threshold for WithIntegratedTimestamps by @Hayden-IO in #590
- Bump all recent deps by @Hayden-IO in #586
- Bump the minor-patch group across 1 directory with 2 updates by @dependabot[bot] in #591
- Bump github.com/docker/cli from 29.0.3+incompatible to 29.2.0+incompatible in /examples/oci-image-verification by @dependabot[bot] in #595
- deps: update go-openapi/strfmt to v0.26.1 by @tonistiigi in #603
- verify message digest matches artifact hash by @piceri in #600
- Run go fix across codebase by @Hayden-IO in #610
- Harden verification, HTTP clients, and TUF by @Hayden-IO in #609
- Verify log entry digest matches artifact/envelope by @Hayden-IO in #611
- Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 by @dependabot[bot] in #608
- Bump actions/setup-go from 6.2.0 to 6.4.0 by @dependabot[bot] in #606
- Bump github.com/sigstore/timestamp-authority/v2 from 2.0.4 to 2.0.6 in /examples/oci-image-verification by @dependabot[bot] in #614
- Bump google.golang.org/grpc from 1.78.0 to 1.79.3 by @dependabot[bot] in #601
- Bump github.com/sigstore/timestamp-authority/v2 from 2.0.4 to 2.0.6 by @dependabot[bot] in #613
- Bump go-tuf, rekor-tiles versions by @Hayden-IO in #616
- Bump sigstore/sigstore-conformance from 0.0.26 to 0.0.27 by @dependabot[bot] in #621
- Bump github.com/in-toto/in-toto-golang from 0.10.0 to 0.11.0 in /examples/oci-image-verification by @dependabot[bot] in #623
- Bump github.com/in-toto/in-toto-golang from 0.10.0 to 0.11.0 by @dependabot[bot] in #624
- bundle: cap raw TlogEntries length before per-entry parse by @tonghuaroot in #630
- Prevent multi-log threshold bypasses via single compromised log by @Hayden-IO in #633
- Verify Rekor v2 inclusion using reconstructed leaf hash by @codysoyland in #635
- Encode Rekor v2 DSSE envelopes as hashedrekord by @codysoyland in #627
- Bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 by @dependabot[bot] in #631
- Bump the minor-patch group across 2 directories with 10 updates by @dependabot[bot] in #637
- Fix conformance test failures for managed-key verification by @codysoyland in #638
New Contributors
- @1seal made their first contribution in #558
- @aaronlew02 made their first contribution in #582
- @tonistiigi made their first contribution in #603
- @piceri made their first contribution in #600
- @tonghuaroot made their first contribution in #630
Full Changelog: v1.1.4...v1.2.0
v1.1.4
v1.1.3
v1.1.2
v1.1.1
What's Changed
- Make conformance compatible with rekor v2 in #505
- Update GetSigningConfig to use
signing_config.v0.2.jsonin #506 - Refactor SelectService to return Service rather than URL, add supported API versions in #503
- Remove noisy log message in #507
Full Changelog: v1.1.0...v1.1.1
v1.1.0
sigstore-go v1.1.0 introduces support for Rekor v2, a redesigned and modernized transparency log that's cheaper to operate, easier to scale, and simpler to maintain.
What's Changed
- Error Wrapping in TUF by @lukehinds in #482
- Avoid naked errors from other modules by @kommendorkapten in #484
- Added a parameter to the TUF options for live refresh. by @kommendorkapten in #485
- Add end to end tests by @cmurphy in #489
- Fail SigstoreTimestampingAuthority Verify early with nil Root by @dmitris in #490
- Add support for Rekor V2 for signing and verification by @cmurphy in #481
- Allow public keys to sign hashedrekord by @cmurphy in #497
- Add support for operator in SigningConfig by @haydentherapper in #494
- Add MarshalJSON to SigningConfig, fix marshaling bug by @haydentherapper in #498
- Select highest API version for SigningConfig services always by @haydentherapper in #499
Full Changelog: v1.0.0...v1.1.0
v1.0.0
We're very excited to release sigstore-go 1.0! View the blog post announcing this release for more details.
This release should contain the last set of breaking changes until version 2.0, including a few renames (such as SignedEntityVerifier -> Verifier and VerifyTimestampAuthority -> VerifySignedTimestamp). We are excited to begin a new phase of simple, stable APIs!
What's Changed
- Prevent duplicate timestamps from same TSA by @codysoyland in #472
- Update theupdateframework/go-tuf to v2.1.0 and copy in unexported repo type from
theupdateframework/go-tuf/examples/repositorydirectory by @malancas in #474 - Add verification errors to output of VerifyTimestampAuthority by @codysoyland in #473
- Use repository.Type from go-tuf in tests by @codysoyland in #475
- Rename and deprecate SignedEntityVerifier in favor of Verifier by @codysoyland in #476
- Deprecate and rename VerifyTimestampAuthority/VerifyArtifactTransparencyLog by @codysoyland in #477
- Update README for 1.0.0 release by @codysoyland in #480
Full Changelog: v0.7.3...v1.0.0
v0.7.3
Note: v0.7.3 will likely be the last release before v1.0.
What's Changed
- Add context to Rekor interactions in signer by @codysoyland in #461
- Use default Verifier for the public key contained in a certificate (closes #74) by @ret2libc in #424
- Select highest API version with multiple SigningConfig services by @haydentherapper in #459
- Fix SigningConfig ValidFor when dates are missing by @jku in #465
- correct error on unsupported TrustedRoot media type by @dmitris in #466
- Signing example improvements by @jku in #458
- Disable TUF timestamping when TUF cache disabled by @codysoyland in #470
Full Changelog: v0.7.2...v0.7.3