v0.4.0
Features
-
Support multiple signatures both for signing & verification
- A new signing option
--append-signature(or-A) is added for users to generate a signed YAML manifest that have multiple signatures. Users don't need to manually add them anymore.
- A new signing option
-
Add a new signing method and the original signing method will be non-default soon
- The original signing method (
--tarball=yes) creates a tarball of YAML files before signing. However, this may cause verification error when multiple signatures are provided. So we add a new signing method (--tarball=no) that can solve this issue. The original method is still the default option now, but the new one will be default on v0.5.0 and later.
- The original signing method (
-
Update cosign version to v1.10.1
- update the version of cosign on which k8s-manifest-sigstore depends, and add some new command options to be consistent with cosign
Changelog
- 14f7cab bump cosign version to v1.10.1 (add --no-tlog-upload option to sign cmd) (#90)
- f8596c1 fix lint issue with the latest golangci-lint (#91)
- 8df5a18 bump cosign version to v1.10.0 (#89)
- e9c59e0 allow image change patterns by default (#88)
- 18676b9 add some special error definitions and handling (#87)
- b963d28 fix cosign options in verify resource CLI (#86)
- dde52ad add sign & verify options to support cosign command options (#85)
- 87bf46f bump cosign version to the latest(v1.9.1-0.20220615165628-e4bc4a95743b) (#84)
- 1a04330 bump cosign version to v1.9.0 (#83)
- b929f59 fix keyless multisignature verification (#82)
- 86d9fa3 fix keyless signing issue that tlog entry cannot be got after signing (#81)
- e73c57e support multiple signatures both for signing and verification (#79)
- 29dbe11 make the current signing method with tarball deprecated (#80)