Releases: sigstore/cosign
v0.3.1
A minor bugfix release
Bug Fixes
- Fixed CI container image breakage introduced in v0.3.0
- Fixed lack of version information in release binaries
v0.3.0
This is the third release of cosign
!
We still expect many flags, commands, and formats to change going forward, but we're getting closer.
No backwards compatiblity is promised or implied yet, though we are hoping to formalize this policy in the next release.
See #254 for more info.
Enhancements
- The
-output-file
flag supports writing output to a specific file - The
-key
flag now supportskms
references and URLs, thekms
specific flag has been removed - Yubikey/PIV hardware support is now included!
- Support for signing and verifying multiple images in one invocation
Bug Fixes
- Bug fixes in KMS keypair generation
- Bug fixes in key type parsing
Contributors
- Dan Lorenc
- Priya Wadhwa
- Ivan Font
- Depandabot!
- Mark Bestavros
- Jake Sanders
- Carlos Tadeu Panato Junior
v0.2.0 Release
This is the second release of cosign
! If you came for puns, check out yesterday's Twitter thread.
The release is available here in this repo, and on Google Cloud Storage in the bucket cosign-releases. This release is now cross-platform, so be careful with installer scripts! You can find that here:
$ gsutil ls gs://cosign-releases/v0.2.0/
gs://cosign-releases/v0.2.0/cosign-darwin-amd64
gs://cosign-releases/v0.2.0/cosign-darwin-amd64.sig
gs://cosign-releases/v0.2.0/cosign-linux-amd64
gs://cosign-releases/v0.2.0/cosign-linux-amd64.sig
Check out the full CHANGELOG.md for the details, but here are some highlights and lowlights:
This is the second release of cosign
!
We still expect many flags, commands, and formats to change going forward, but we're getting closer.
No backwards compatiblity is promised or implied.
Enhancements
- The password for private keys can now be passed via the
COSIGN_PASSWORD
- KMS keys can now be used to sign and verify blobs
- The
version
command can now be used to return the release version - The
public-key
command can now be used to extract the public key from KMS or a private key - The
COSIGN_REPOSITORY
environment variable can be used to store signatures in an alternate location - Tons of new EXAMPLES in our help text
Bug Fixes
- Improved error messages for command line flag verification
- TONS more unit and integration testing
- Too many others to count :)
Contributors
We would love to thank the contributors:
- Dan Lorenc
- Priya Wadhwa
- Ahmet Alp Balkan
- Naveen Srinivasan
- Chris Norman
- Jon Johnson
- Kim Lewandowski
- Luke Hinds
- Bob Callaway
- Dan POP
- eminks
- Mark Bestavros
- Jake Sanders
v0.1.0
There were some ups and downs in today's release, but it's finally time to ride the cosign
wave! After battling some last minute test flakes that were popping up at an alarming frequency and running in circles trying to squaring up loose ends, I couldn't find any other tangents to go off on. The first release is here!
My only regret is not thinking to get this release out on Pi day :(
The release is available here in this repo, and on Google Cloud Storage in the bucket cosign-releases
. You can find that here:
$ gsutil ls gs://cosign-releases/v0.1.0
gs://cosign-releases/v0.1.0/cosign
gs://cosign-releases/v0.1.0/cosign.sha256
gs://cosign-releases/v0.1.0/cosign.sig
Check out the full CHANGELOG.md for the details, but here are some highlights and lowlights:
Enhancements
This release added a feature to cosign
called cosign
. The cosign
feature can be used to sign container images and blobs.
Bug Fixes
There was no way to sign container images. Now there is!
Known Issues
This release only contains a linux/amd64 binary. You can build and install cosign on other platforms with go install
, but the main goal of v0.1.0
is to get a working build we can start packing to make signing releases of other tools easier. We'll add other platforms to the next set of releases!
Contributors
Thanks to everyone who conributed to this release!
- dlorenc
- priyawadhwa
- Ahmet Alp Balkan
- Ivan Font
- Jason Hall
- Chris Norman
- Jon Johnson
- Kim Lewandowski
- Luke Hinds
- Bob Callaway
Verifying
This release was self-signed! It was built in this Action run: https://github.com/sigstore/cosign/actions/runs/669626925
The public key used to sign this release is located here: https://github.com/sigstore/cosign/blob/083406c6e85284ded34af96048361d1e8c887e50/.github/workflows/cosign.pub
You should be able to verify it with the cosign verify-blob
command using this key. Good luck!