Skip to content

Releases: sigstore/sigstore-go

v1.2.2

Choose a tag to compare

@Hayden-IO Hayden-IO released this 06 Jul 17:13
55aa624

What's Changed

  • Reject certificate identity with no SAN or issuer criteria in #645
  • Support Verification in sigstore/cosign with X.509 Certificate Chain in #581

Full Changelog: v1.2.1...v1.2.2

v1.2.1

Choose a tag to compare

@Hayden-IO Hayden-IO released this 09 Jun 20:32
4594ab4

What's Changed

v1.2.1 resolves GHSA-wqqc-jjcq-vfxm.

  • Check signature time against public key validity window in #642

Full Changelog: v1.2.0...v1.2.1

v1.2.0

Choose a tag to compare

@codysoyland codysoyland released this 03 Jun 15:17
8ca80c4

What's Changed

  • Add preferred method for verifying log entry proofs by @Hayden-IO in #557
  • docs(verify): annotate identity matchers and regexp semantics by @1seal in #558
  • Bump actions/setup-go from 6.1.0 to 6.2.0 by @dependabot[bot] in #563
  • Bump the minor-patch group across 1 directory with 7 updates by @dependabot[bot] in #565
  • ensure we have verification material before attempting to extract public key by @bobcallaway in #566
  • fix(tlog): fail closed for rekor v2 parsing by @1seal in #562
  • Bump sigstore-conformance to latest by @cmurphy in #559
  • Bump actions/checkout from 6.0.1 to 6.0.2 by @dependabot[bot] in #573
  • Bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 in /examples/oci-image-verification by @dependabot[bot] in #576
  • Bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 in /examples/oci-image-verification by @dependabot[bot] in #571
  • Bump production and staging TUF roots by @Hayden-IO in #580
  • Support DSSE signing conformance test by @aaronlew02 in #582
  • Fix nil pointer dereference in LiveTrustedRoot refresh by @Hayden-IO in #584
  • Bump sigstore/sigstore-conformance from 0.0.25 to 0.0.26 by @dependabot[bot] in #585
  • chore: remove large test dependencies by replacing ctfe usage by @Hayden-IO in #587
  • Bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 by @dependabot[bot] in #575
  • Bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 by @dependabot[bot] in #569
  • Bump github.com/theupdateframework/go-tuf/v2 from 2.3.0 to 2.4.1 by @dependabot[bot] in #578
  • Set minimum threshold for WithIntegratedTimestamps by @Hayden-IO in #590
  • Bump all recent deps by @Hayden-IO in #586
  • Bump the minor-patch group across 1 directory with 2 updates by @dependabot[bot] in #591
  • Bump github.com/docker/cli from 29.0.3+incompatible to 29.2.0+incompatible in /examples/oci-image-verification by @dependabot[bot] in #595
  • deps: update go-openapi/strfmt to v0.26.1 by @tonistiigi in #603
  • verify message digest matches artifact hash by @piceri in #600
  • Run go fix across codebase by @Hayden-IO in #610
  • Harden verification, HTTP clients, and TUF by @Hayden-IO in #609
  • Verify log entry digest matches artifact/envelope by @Hayden-IO in #611
  • Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 by @dependabot[bot] in #608
  • Bump actions/setup-go from 6.2.0 to 6.4.0 by @dependabot[bot] in #606
  • Bump github.com/sigstore/timestamp-authority/v2 from 2.0.4 to 2.0.6 in /examples/oci-image-verification by @dependabot[bot] in #614
  • Bump google.golang.org/grpc from 1.78.0 to 1.79.3 by @dependabot[bot] in #601
  • Bump github.com/sigstore/timestamp-authority/v2 from 2.0.4 to 2.0.6 by @dependabot[bot] in #613
  • Bump go-tuf, rekor-tiles versions by @Hayden-IO in #616
  • Bump sigstore/sigstore-conformance from 0.0.26 to 0.0.27 by @dependabot[bot] in #621
  • Bump github.com/in-toto/in-toto-golang from 0.10.0 to 0.11.0 in /examples/oci-image-verification by @dependabot[bot] in #623
  • Bump github.com/in-toto/in-toto-golang from 0.10.0 to 0.11.0 by @dependabot[bot] in #624
  • bundle: cap raw TlogEntries length before per-entry parse by @tonghuaroot in #630
  • Prevent multi-log threshold bypasses via single compromised log by @Hayden-IO in #633
  • Verify Rekor v2 inclusion using reconstructed leaf hash by @codysoyland in #635
  • Encode Rekor v2 DSSE envelopes as hashedrekord by @codysoyland in #627
  • Bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 by @dependabot[bot] in #631
  • Bump the minor-patch group across 2 directories with 10 updates by @dependabot[bot] in #637
  • Fix conformance test failures for managed-key verification by @codysoyland in #638

New Contributors

Full Changelog: v1.1.4...v1.2.0

v1.1.4

Choose a tag to compare

@Hayden-IO Hayden-IO released this 10 Dec 16:58
cc06490

What's Changed

  • Update rekor-tiles version path in #531
  • Bump production Sigstore TUF root to latest in #537
  • Bump staging Sigstore TUF root to latest in #538
  • Bump deps for sigstore libraries in #543

Full Changelog: v1.1.3...v1.1.4

v1.1.3

Choose a tag to compare

@Hayden-IO Hayden-IO released this 26 Sep 15:59
c79035f

What's Changed

  • Set user agent for TUF and Rekor v2 clients in #525

Full Changelog: v1.1.2...v1.1.3

v1.1.2

Choose a tag to compare

@Hayden-IO Hayden-IO released this 08 Sep 17:52
fe24fbf

What's Changed

  • Allow no timestamps to be provided when verifying a key in #510
  • Support other key algorithms for Rekor v2 in #520

Full Changelog: v1.1.1...v1.1.2

v1.1.1

Choose a tag to compare

@Hayden-IO Hayden-IO released this 07 Aug 16:18
d9ac070

What's Changed

  • Make conformance compatible with rekor v2 in #505
  • Update GetSigningConfig to use signing_config.v0.2.json in #506
  • Refactor SelectService to return Service rather than URL, add supported API versions in #503
  • Remove noisy log message in #507

Full Changelog: v1.1.0...v1.1.1

v1.1.0

Choose a tag to compare

@Hayden-IO Hayden-IO released this 14 Jul 16:29
dcab992

sigstore-go v1.1.0 introduces support for Rekor v2, a redesigned and modernized transparency log that's cheaper to operate, easier to scale, and simpler to maintain.

What's Changed

  • Error Wrapping in TUF by @lukehinds in #482
  • Avoid naked errors from other modules by @kommendorkapten in #484
  • Added a parameter to the TUF options for live refresh. by @kommendorkapten in #485
  • Add end to end tests by @cmurphy in #489
  • Fail SigstoreTimestampingAuthority Verify early with nil Root by @dmitris in #490
  • Add support for Rekor V2 for signing and verification by @cmurphy in #481
  • Allow public keys to sign hashedrekord by @cmurphy in #497
  • Add support for operator in SigningConfig by @haydentherapper in #494
  • Add MarshalJSON to SigningConfig, fix marshaling bug by @haydentherapper in #498
  • Select highest API version for SigningConfig services always by @haydentherapper in #499

Full Changelog: v1.0.0...v1.1.0

v1.0.0

Choose a tag to compare

@codysoyland codysoyland released this 12 May 19:30
cedac1b

We're very excited to release sigstore-go 1.0! View the blog post announcing this release for more details.

This release should contain the last set of breaking changes until version 2.0, including a few renames (such as SignedEntityVerifier -> Verifier and VerifyTimestampAuthority -> VerifySignedTimestamp). We are excited to begin a new phase of simple, stable APIs!

What's Changed

  • Prevent duplicate timestamps from same TSA by @codysoyland in #472
  • Update theupdateframework/go-tuf to v2.1.0 and copy in unexported repo type from theupdateframework/go-tuf/examples/repository directory by @malancas in #474
  • Add verification errors to output of VerifyTimestampAuthority by @codysoyland in #473
  • Use repository.Type from go-tuf in tests by @codysoyland in #475
  • Rename and deprecate SignedEntityVerifier in favor of Verifier by @codysoyland in #476
  • Deprecate and rename VerifyTimestampAuthority/VerifyArtifactTransparencyLog by @codysoyland in #477
  • Update README for 1.0.0 release by @codysoyland in #480

Full Changelog: v0.7.3...v1.0.0

v0.7.3

Choose a tag to compare

@Hayden-IO Hayden-IO released this 07 May 19:04
8dff965

Note: v0.7.3 will likely be the last release before v1.0.

What's Changed

  • Add context to Rekor interactions in signer by @codysoyland in #461
  • Use default Verifier for the public key contained in a certificate (closes #74) by @ret2libc in #424
  • Select highest API version with multiple SigningConfig services by @haydentherapper in #459
  • Fix SigningConfig ValidFor when dates are missing by @jku in #465
  • correct error on unsupported TrustedRoot media type by @dmitris in #466
  • Signing example improvements by @jku in #458
  • Disable TUF timestamping when TUF cache disabled by @codysoyland in #470

Full Changelog: v0.7.2...v0.7.3