Releases: sigstore/k8s-manifest-sigstore
v0.5.4
v0.5.3
release v0.5.3
v0.5.2
release v0.5.2
v0.5.1
v0.5.0
v0.4.4
Features
- Support keyless signing & verification from GitHub Actions
  - The Subject Alternative Name (SAN) in a certificate generated by keyless signing from a GitHub Action is now reported as the signer name during verification. Users can check the subject information for further validation, e.g. signer name: "https://github.com/sigstore/k8s-manifest-sigstore/.github/workflows/github_oidc.yaml@refs/pull/107/merge"
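One way to act on the reported signer name, as an added example that is not k8s-manifest-sigstore code: split the SAN into repository, workflow file and git ref, and compare each part against a pinned policy instead of substring-matching the whole string. The `Policy` type, its fields and the allowed refs are hypothetical, and the SAN layout is inferred from the example signer name above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Layout inferred from the page's example: https://github.com/<owner>/<repo>/.github/workflows/<file>@<ref>
var sanRe = regexp.MustCompile(`^https://github\.com/([^/]+/[^/]+)/(\.github/workflows/[^@]+)@(refs/.+)$`)

// Identity is the signer name split into the parts a policy should pin.
type Identity struct{ Repo, Workflow, Ref string }

// ParseSignerName splits a reported signer name (certificate SAN).
func ParseSignerName(san string) (Identity, error) {
	m := sanRe.FindStringSubmatch(san)
	if m == nil {
		return Identity{}, fmt.Errorf("not a GitHub Actions workflow identity: %q", san)
	}
	return Identity{Repo: m[1], Workflow: m[2], Ref: m[3]}, nil
}

// Policy is hypothetical: Refs entries ending in "/" are prefixes, others must match exactly.
type Policy struct {
	Repo, Workflow string
	Refs           []string
}

// Check returns nil only when repo, workflow and ref all satisfy the policy.
func (p Policy) Check(san string) error {
	id, err := ParseSignerName(san)
	if err != nil {
		return err
	}
	if id.Repo != p.Repo || id.Workflow != p.Workflow {
		return fmt.Errorf("unexpected workflow %s/%s", id.Repo, id.Workflow)
	}
	for _, r := range p.Refs {
		if id.Ref == r || (strings.HasSuffix(r, "/") && strings.HasPrefix(id.Ref, r)) {
			return nil
		}
	}
	return fmt.Errorf("ref %q is not an allowed signing ref", id.Ref)
}

func main() {
	p := Policy{"sigstore/k8s-manifest-sigstore", ".github/workflows/github_oidc.yaml", []string{"refs/heads/main", "refs/tags/"}}
	fmt.Println(p.Check("https://github.com/sigstore/k8s-manifest-sigstore/.github/workflows/github_oidc.yaml@refs/pull/107/merge"))
}
```

With this policy the signer name quoted in the release note is rejected, because it was issued for a pull-request merge ref rather than the main branch or a tag.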
Changelog
Thanks to all contributors!
- Chip Zoller
- Hiro Kitahara
v0.4.3
Features
- Update cosign version to v1.13.1
  - update the version of cosign on which k8s-manifest-sigstore depends to v1.13.1
Changelog
- bda2106 fix github action (#100)
- e973188 bump cosign up to v1.13.1 (#99)
- 9ad46e4 Generate SLSA Provenance on Release using SLSA Go Releaser (#98)
Thanks to all contributors!
- Joyce
- Hiro Kitahara
v0.4.2
v0.4.1
Features
- Update cosign version to v1.12.1
  - update the version of cosign on which k8s-manifest-sigstore depends, and add some new command options to be consistent with cosign
    - `--allow-insecure-registry` option allows users to push the signed manifest image to some container registries that require "insecure-registry:true" for the access.
    - `--force` option works for skipping confirmations/validations by cosign sign command.
Changelog
Thanks to all contributors!
v0.4.0
Features
- Support multiple signatures both for signing & verification
  - A new signing option `--append-signature` (or `-A`) is added for users to generate a signed YAML manifest that has multiple signatures. Users don't need to manually add them anymore.
- Add a new signing method and the original signing method will be non-default soon
  - The original signing method (`--tarball=yes`) creates a tarball of YAML files before signing. However, this may cause a verification error when multiple signatures are provided. So we add a new signing method (`--tarball=no`) that can solve this issue. The original method is still the default option now, but the new one will be the default in v0.5.0 and later.
- Update cosign version to v1.10.1
  - update the version of cosign on which k8s-manifest-sigstore depends, and add some new command options to be consistent with cosign
Changelog
- 14f7cab bump cosign version to v1.10.1 (add --no-tlog-upload option to sign cmd) (#90)
- f8596c1 fix lint issue with the latest golangci-lint (#91)
- 8df5a18 bump cosign version to v1.10.0 (#89)
- e9c59e0 allow image change patterns by default (#88)
- 18676b9 add some special error definitions and handling (#87)
- b963d28 fix cosign options in verify resource CLI (#86)
- dde52ad add sign & verify options to support cosign command options (#85)
- 87bf46f bump cosign version to the latest(v1.9.1-0.20220615165628-e4bc4a95743b) (#84)
- 1a04330 bump cosign version to v1.9.0 (#83)
- b929f59 fix keyless multisignature verification (#82)
- 86d9fa3 fix keyless signing issue that tlog entry cannot be got after signing (#81)
- e73c57e support multiple signatures both for signing and verification (#79)
- 29dbe11 make the current signing method with tarball deprecated (#80)