v0.1.0
Pre-releaseThere were some ups and downs in today's release, but it's finally time to ride the cosign
wave! After battling some last minute test flakes that were popping up at an alarming frequency and running in circles trying to squaring up loose ends, I couldn't find any other tangents to go off on. The first release is here!
My only regret is not thinking to get this release out on Pi day :(
The release is available here in this repo, and on Google Cloud Storage in the bucket cosign-releases
. You can find that here:
$ gsutil ls gs://cosign-releases/v0.1.0
gs://cosign-releases/v0.1.0/cosign
gs://cosign-releases/v0.1.0/cosign.sha256
gs://cosign-releases/v0.1.0/cosign.sig
Check out the full CHANGELOG.md for the details, but here are some highlights and lowlights:
Enhancements
This release added a feature to cosign
called cosign
. The cosign
feature can be used to sign container images and blobs.
Bug Fixes
There was no way to sign container images. Now there is!
Known Issues
This release only contains a linux/amd64 binary. You can build and install cosign on other platforms with go install
, but the main goal of v0.1.0
is to get a working build we can start packing to make signing releases of other tools easier. We'll add other platforms to the next set of releases!
Contributors
Thanks to everyone who conributed to this release!
- dlorenc
- priyawadhwa
- Ahmet Alp Balkan
- Ivan Font
- Jason Hall
- Chris Norman
- Jon Johnson
- Kim Lewandowski
- Luke Hinds
- Bob Callaway
Verifying
This release was self-signed! It was built in this Action run: https://github.com/sigstore/cosign/actions/runs/669626925
The public key used to sign this release is located here: https://github.com/sigstore/cosign/blob/083406c6e85284ded34af96048361d1e8c887e50/.github/workflows/cosign.pub
You should be able to verify it with the cosign verify-blob
command using this key. Good luck!