
Releases: sigstore/k8s-manifest-sigstore

v0.3.0

10 Jun 06:59
7f1b707

Features

  • Verification features are all "read-only" in this version!
    • k8s-manifest-sigstore does not create, update or delete any files, including temporary files, during verification.
    • This allows external projects to run verify-resource in a read-only container or in another least-privileged environment.
  • Support multiple ways to input a public key
    • A public key stored in a Kubernetes secret can be referenced with k8s://SECRET_NAMESPACE/SECRET_NAME.
    • A PEM-encoded public key held in an environment variable can be referenced with env://ENV_VAR_NAME.
  • Provide example code for using verify-resource with a custom configuration in your project
    • Add example code showing developers how to call verify-resource with a custom configuration from their Go project.
  • Support multiple signatures for verification
    • Multiple signatures can be specified in AnnotationConfig for the verification functions, both from the CLI and from code.
    • When multiple signatures are specified, verification passes if at least one of them is successfully verified.
  • Enhance manifest matching in "verify-resource"
    • Add a new CheckMutatingResource option to verify a resource that may have been mutated by multiple webhooks.
    • Add a new DisableDryRun option to disable the dry run during verify-resource.
  • Update cosign version to v1.8.0

A detailed description of this release is here.

Contributors

  • Hiro Kitahara
  • Naman Lakhwani

Thank you to all contributors!

Changelog

  • 7f1b707 support multiple signatures for verification (#77)
  • 23559de update release note for v0.3.0 (#76)
  • 3d9f86c support public key from environment variable as cosign does (#75)
  • 61bc186 add DisableDryRun option for VerifyResource (#74)
  • f86f7f0 fix typo (#71)
  • f31cea5 add example usage of k8smanifest.VerifyResource() with a custom configuration (#73)
  • 5fdcfc7 bump cosign version to v1.8.0 (#72)
  • 1c9e624 support image canonicalization for admission verification (#69)
  • a4fd8cf support verification for multiple mutating webhooks (#68)
  • adfc287 enable direct manifest match by namespace pattern check (#67)
  • ed26e30 fix armored gpg public key issue (#66)
  • ad885d6 support public key in a kubernetes secret for all signature types (#65)
  • fb9f640 support all cosign keyRef types (#64)
  • 02581ee enable verification on read-only filesystem (#63)
  • bee9ea0 bump up cosign version to v1.5.2 (#62)
  • 7d66327 bump up cosign version to v1.5.1 (#59)
  • a39c4d3 fix keyed verification issue when experimental enabled (#58)
  • 78aa677 bump up cosign version to v1.4.1 (#57)
  • 5661e6f fix blob signing issue on wsl2 (#55)
  • 04091c4 fix issue in signing for concatenated YAML manifests (#54)
  • f46d6c8 bump up cosign to v1.3.1 (#52)

v0.1.0

07 Oct 00:33
9ac7653

This is the first release of the project!

A description of this release is here.

Features

  • Easy use as a kubectl subcommand plugin
    • Users can install it easily with the go install command. (installation)
    • Once installed, users can run it with a simple command such as kubectl sigstore sign -f xxxxxx.yaml .
  • Signing the specification of Kubernetes YAML manifests
    • Sign the "specification" of Kubernetes YAML manifests. A generated signature is composed of an encoded YAML manifest, the signature payload and some other data. At verification time this encoded manifest is compared to the target manifest for equivalence.
    • There are two options for storing a generated signature.
      1. self-contained ... Embed the signature into the YAML manifests.
      2. external store ... Upload the manifest and signature to an OCI registry (that is, upload a manifest bundle image). The YAMLs do not need to be changed in this case.
  • Verifying the specification of YAML manifests
    • Verify a local YAML manifest file by checking its YAML specification as described above. If no signature is provided, or if the manifest specification has been changed after signing, verification fails.
  • Verifying Kubernetes resources that exist on a cluster
    • Kubernetes resources on a cluster can be verified with a signature generated against the YAML manifests.
    • There are two ways to specify resources.
      • Use the same arguments as kubectl get. For example, kubectl sigstore verify-resource cm -n default sample-cm.
      • Specify a manifest bundle image in an OCI registry, and the target resources are selected automatically. For example, kubectl sigstore verify-resource -n default -i sample-registry/sample-cm-manifest:dev.
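The key reference schemes and the "at least one signature verifies" rule from the v0.3.0 notes above, together with the signature structure (encoded manifest plus signature payload, compared to the target manifest for equivalence) from the v0.1.0 notes, as an added Go example that is not part of k8s-manifest-sigstore or its release notes. It assumes a PKIX PEM-encoded ECDSA P-256 public key, models the Kubernetes secret read as a caller-supplied function (SecretLookup) with the key stored under a constructed "cosign.pub" field, and uses constructed field names (Message, Signature), a constructed environment variable name and a constructed demo key; the project's AnnotationConfig and cosign's own signature format are not reproduced.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"os"
	"strings"
)

// SecretLookup stands in for a Kubernetes API client (an assumed interface, not the project's own).
type SecretLookup func(namespace, name string) (map[string][]byte, error)

var b64 = base64.StdEncoding

// LoadPublicKey resolves the two v0.3.0 key reference schemes without touching the filesystem
// (env://ENV_VAR_NAME: a PEM string in the environment; k8s://NAMESPACE/NAME: the "cosign.pub"
// field, a constructed field name, of a secret fetched via lookup) and decodes the ECDSA key.
func LoadPublicKey(ref string, lookup SecretLookup) (*ecdsa.PublicKey, error) {
	var pemBytes []byte
	switch {
	case strings.HasPrefix(ref, "env://"):
		name := strings.TrimPrefix(ref, "env://")
		if pemBytes = []byte(os.Getenv(name)); len(pemBytes) == 0 {
			return nil, fmt.Errorf("environment variable %q is unset or empty", name)
		}
	case strings.HasPrefix(ref, "k8s://"):
		ns, name, ok := strings.Cut(strings.TrimPrefix(ref, "k8s://"), "/")
		if !ok || ns == "" || name == "" || lookup == nil {
			return nil, fmt.Errorf("malformed reference %q, want k8s://NAMESPACE/NAME", ref)
		}
		data, err := lookup(ns, name)
		if err != nil || len(data["cosign.pub"]) == 0 {
			return nil, fmt.Errorf("secret %s/%s: no usable cosign.pub field (%v)", ns, name, err)
		}
		pemBytes = data["cosign.pub"]
	default:
		return nil, fmt.Errorf("unsupported key reference %q", ref)
	}
	var pub any
	if block, _ := pem.Decode(pemBytes); block != nil {
		pub, _ = x509.ParsePKIXPublicKey(block.Bytes)
	}
	if ecPub, ok := pub.(*ecdsa.PublicKey); ok {
		return ecPub, nil
	}
	return nil, fmt.Errorf("key reference %q did not yield a PEM-encoded PKIX ECDSA public key", ref)
}

// Signature mirrors the v0.1.0 description of a generated signature: the encoded (base64)
// manifest that was signed plus the signature payload over it (base64 ASN.1 ECDSA of the
// SHA-256 of the manifest bytes). Field names are constructed for this example.
type Signature struct {
	Message   string
	Signature string
}

// Sign builds a Signature for manifest with priv (a real deployment would use a cosign key).
func Sign(priv *ecdsa.PrivateKey, manifest []byte) (Signature, error) {
	digest := sha256.Sum256(manifest)
	raw, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Signature{Message: b64.EncodeToString(manifest), Signature: b64.EncodeToString(raw)}, err
}

// VerifyAnyOf applies both rules from the notes: a candidate counts only if its embedded
// manifest is byte-equal to target and its signature verifies under pub, and target is
// accepted if at least one candidate counts. It returns that candidate's index, else -1.
func VerifyAnyOf(pub *ecdsa.PublicKey, target []byte, sigs []Signature) (int, error) {
	digest := sha256.Sum256(target)
	for i, s := range sigs {
		msg, errMsg := b64.DecodeString(s.Message)
		raw, errSig := b64.DecodeString(s.Signature)
		// A malformed candidate or one that signed a different manifest is skipped, not fatal.
		if errMsg == nil && errSig == nil && bytes.Equal(msg, target) && ecdsa.VerifyASN1(pub, digest[:], raw) {
			return i, nil
		}
	}
	return -1, fmt.Errorf("none of %d signature(s) verified against the target manifest", len(sigs))
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed demo key
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	os.Setenv("COSIGN_PUB", string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})))
	pub, err := LoadPublicKey("env://COSIGN_PUB", nil) // constructed variable name
	if err != nil {
		panic(err)
	}
	manifest := []byte("kind: ConfigMap\nmetadata:\n  name: sample-cm\n")
	stale, _ := Sign(priv, []byte("kind: ConfigMap\nmetadata:\n  name: old-cm\n"))
	good, _ := Sign(priv, manifest)
	fmt.Println(VerifyAnyOf(pub, manifest, []Signature{stale, good})) // 1 <nil>
}
```

Run with go run: the printed 1 <nil> shows the first candidate being skipped because its embedded manifest is not byte-equal to the target, and the second being accepted, which is the "at least one" rule. The verification path never creates, updates or deletes a file, the property the read-only item in the v0.3.0 notes calls out, so the same logic can run in a read-only container.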

Contributors

  • Hiro Kitahara
  • Luke Hinds
  • Batuhan Apaydın
  • Aditya Sirish
  • Yuji Watanabe
  • dlorenc

Thank you to all our contributors!!

Changelog

  • 9ac7653 add a latest release doc (#50)
  • c0b9d67 fix issue of signing a directory (#49)
  • d7afc29 Switch DSSE provider to go-securesystemslib (#48)
  • 4421fbf add github action to prepare for release v0.1.0 (#47)
  • f1329bb add github actions for releasing and enable go install (#46)
  • 04236a2 add github action for tests and lint (#45)
  • 6f446ea bump cosign version up to 1.2.0 (#44)
  • a8a0ec1 add e2e test and move related packages (#43)
  • 1d5ef2f improve unit test coverage in core packages (#42)
  • 2120192 bump cosign up to v1.1.0 (#41)
  • eeb8906 enable version command to show version of the executable (#40)
  • 5bc6630 update admission controller example with the latest verify-resource codes (#39)
  • 1922b2a improve verify-resource speed with concurrency in go (#36)
  • 20bbc69 enable local file cache for verify-resource speed up (#37)
  • d360794 improve constraint option and update default profile (#35)
  • c4245c9 add manifest-build command for YAML manifest provenance (#34)
  • 1767e96 enable to get signature and provenance from a resource in a cluster (#33)
  • b0ebd0e add provenance tracking option to verify-resource command (#32)
  • 7bf33d6 add support of verifying pgp and x509 signatures (#30)
  • 3af3485 enable to load config from constraint resource in a cluster (#31)
  • a32b6c6 fix input path issue in sign command (#29)
  • 06f664e fix manifest detection config bug (#28)
  • 3281adc Pick a resource from N resources in manifest file robustly (#27)
  • d6c202d support directly attached signature and related things into k8s annotations (#23)
  • 437f81f add dryrun namespace option to verifyresourceoption (#24)
  • 67f63f7 update go.mod (#22)
  • 989d586 fix sign to set oidc option (#21)
  • a9407f0 bump up cosign version to v1.0.1 (#20)
  • 65741c2 support non-compressed YAML manifest in manifest image (#19)
  • 720a2b8 enable robust search mechanism for finding YAML manifest (#17)
  • 88eb6dc update cosign version to v0.6.0 (#18)
  • eac5e6a extend verify-resource subcommand capability (#16)
  • 3adf7ff image annotations added for signing/verifying process (#15)
  • d1cb533 Fix a few typos in the README. (#14)
  • 86c17f5 fix for using public key, if public key used disable tlog (#12)
  • 3f7db77 enable to output verify-resource result in JSON/YAML format (#10)
  • f9007b1 refactor codes and add known k8s ignore fields (#9)
  • 8db49ca Add initial codes for kubectl signing plugins (#1) (#4)
  • e6625d6 CodeQL action (#2)
  • 7262bc0 Create codeql-analysis.yml
  • 38e9dd7 Merge pull request #1 from lukehinds/proj-bootstrap
  • acb4e79 Project bootstrap
  • fffb294 Initial commit