Sourced from github.com/sigstore/cosign/v2's releases.
v2.2.1
Note: This release comes with a fix for CVE-2023-46737 described in this Github Security Advisory. Please upgrade to this release ASAP
Enhancements
- feat: Support basic auth and bearer auth login to registry (#3310)
- add support for ignoring certificates with pkcs11 (#3334)
- Support ReplaceOp in Signatures (#3315)
- feat: added ability to get image digest back via triangulate (#3255)
- feat: add
--only
flag incosign copy
to copy sign, att & sbom (#3247)- feat: add support attaching a Rekor bundle to a container (#3246)
- feat: add support outputting rekor response on signing (#3248)
- feat: improve dockerfile verify subcommand (#3264)
- Add guard flag for experimental OCI 1.1 verify. (#3272)
- Deprecate SBOM attachments (#3256)
- feat: dedent line in cosign copy doc (#3244)
- feat: add platform flag to cosign copy command (#3234)
- Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)
- attest: pass OCI remote opts to att resolver. (#3225)
Bug Fixes
- Merge pull request from GHSA-vfp6-jrw2-99g9
- fix: allow cosign download sbom when image is absent (#3245)
- ci: add a OCI registry test for referrers support (#3253)
- Fix ReplaceSignatures (#3292)
- Stop using deprecated in_toto.ProvenanceStatement (#3243)
- Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237)
- fix: update error in
SignedEntity
to be more descriptive (#3233)- Fail timestamp verification if no root is provided (#3224)
Documentation
- Add some docs about verifying in an air-gapped environment (#3321)
- Update CONTRIBUTING.md (#3268)
- docs: improves the Contribution guidelines (#3257)
- Remove security policy (#3230)
Others
- Set go to min 1.21 and update dependencies (#3327)
- Update contact for code of conduct (#3266)
- Update .ko.yaml (#3240)
Contributors
- AdamKorcz
- Andres Galante
- Appu
- Billy Lynch
- Bob Callaway
- Caleb Woodbine
... (truncated)
Sourced from github.com/sigstore/cosign/v2's changelog.
v2.2.1
Note: This release comes with a fix for CVE-2023-46737 described in this Github Security Advisory. Please upgrade to this release ASAP
Enhancements
- feat: Support basic auth and bearer auth login to registry (#3310)
- add support for ignoring certificates with pkcs11 (#3334)
- Support ReplaceOp in Signatures (#3315)
- feat: added ability to get image digest back via triangulate (#3255)
- feat: add
--only
flag incosign copy
to copy sign, att & sbom (#3247)- feat: add support attaching a Rekor bundle to a container (#3246)
- feat: add support outputting rekor response on signing (#3248)
- feat: improve dockerfile verify subcommand (#3264)
- Add guard flag for experimental OCI 1.1 verify. (#3272)
- Deprecate SBOM attachments (#3256)
- feat: dedent line in cosign copy doc (#3244)
- feat: add platform flag to cosign copy command (#3234)
- Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)
- attest: pass OCI remote opts to att resolver. (#3225)
Bug Fixes
- Merge pull request from GHSA-vfp6-jrw2-99g9
- fix: allow cosign download sbom when image is absent (#3245)
- ci: add a OCI registry test for referrers support (#3253)
- Fix ReplaceSignatures (#3292)
- Stop using deprecated in_toto.ProvenanceStatement (#3243)
- Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237)
- fix: update error in
SignedEntity
to be more descriptive (#3233)- Fail timestamp verification if no root is provided (#3224)
Documentation
- Add some docs about verifying in an air-gapped environment (#3321)
- Update CONTRIBUTING.md (#3268)
- docs: improves the Contribution guidelines (#3257)
- Remove security policy (#3230)
Others
- Set go to min 1.21 and update dependencies (#3327)
- Update contact for code of conduct (#3266)
- Update .ko.yaml (#3240)
Contributors
- AdamKorcz
- Andres Galante
- Appu
- Billy Lynch
- Bob Callaway
- Caleb Woodbine
... (truncated)
12cbf9e
add changelog for v2.2.1 release (#3344)827f24e
feat: Support basic auth and bearer auth login to registry (#3310)8ac891f
Merge pull request from GHSA-vfp6-jrw2-99g98b366c4
add support for ignoring certificates with pkcs11 (#3334)23920de
chore(deps): bump golang.org/x/sync from 0.4.0 to 0.5.0 (#3342)e022e1c
chore(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.0 (#3341)28c59c5
add missing groups key (#3339)8e5bdcc
chore(deps): bump github.com/google/certificate-transparency-go (#3338)510cac4
chore(deps): bump github.com/sigstore/rekor from 1.3.2 to 1.3.3 (#3336)063902b
chore(deps): bump github.com/buildkite/agent/v3 from 3.57.0 to 3.58.0
(#3337)