SigStore WebPKI

fulcio - A New Kind of Root CA For Code Signing

fulcio is a free Root-CA for code signing certs - issuing certificates based on an OIDC email address.

fulcio only signs short-lived certificates that are valid for under 20 minutes.

Status

Fulcio is a work in progress. There's working code, a running instance and a plan, but you should not try to use it for anything.

The fulcio root cert is currently:


We WILL change this and add intermediaries in the future.

API

The API is defined via OpenAPI, defined here.

Transparency

Fulcio will publish issued certificates to a unique CT-log. That log will be hosted by the sigstore project.

We encourage auditors to monitor this log, and aim to help people access the data.

A simple example would be a service that emails users (on a different address) when certificates have been issued on their behalf. This can then be used to detect bad behavior or possible compromise.

Parameters

The fulcio root CA is currently running on GCP Private CA with the EC_P384_SHA384 algorithm.

Security Model

  • Fulcio assumes that a valid OIDC token is a sufficient "proof of ownership" of an email address.

  • Because that assumption can fail, Fulcio uses a transparency log to help protect against OIDC compromise. This means:

    • Fulcio MUST publish all certificates to the log.
    • Clients MUST NOT trust certificates that are not in the log.

    As a result users can detect any mis-issued certificates.

  • Combined with rekor's signature transparency, artifacts signed with compromised accounts can be identified.
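
One way a client can enforce the rule that certificates missing from the log are not trusted, shown as an added example (not Fulcio's or Rekor's code). It assumes an RFC 6962-style Merkle tree and a tree root taken from a signed tree head whose signature was already checked; the log entries and function names are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Hash is a SHA-256 leaf or interior node hash.
type Hash = [sha256.Size]byte

// LeafHash and nodeHash use the RFC 6962 domain-separation prefixes so a leaf
// can never be confused with an interior node.
func LeafHash(entry []byte) Hash { return sha256.Sum256(append([]byte{0x00}, entry...)) }

func nodeHash(l, r Hash) Hash {
	buf := append([]byte{0x01}, l[:]...)
	return sha256.Sum256(append(buf, r[:]...))
}

// split returns the largest power of two strictly smaller than n (n >= 2).
func split(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// TreeRoot is the log side: the Merkle tree hash over all leaf hashes.
func TreeRoot(leaves []Hash) Hash {
	switch len(leaves) {
	case 0:
		return sha256.Sum256(nil)
	case 1:
		return leaves[0]
	}
	k := split(len(leaves))
	return nodeHash(TreeRoot(leaves[:k]), TreeRoot(leaves[k:]))
}

// InclusionProof is the log side: the sibling hashes from leaf to root.
func InclusionProof(index int, leaves []Hash) []Hash {
	if len(leaves) <= 1 {
		return nil
	}
	k := split(len(leaves))
	if index < k {
		return append(InclusionProof(index, leaves[:k]), TreeRoot(leaves[k:]))
	}
	return append(InclusionProof(index-k, leaves[k:]), TreeRoot(leaves[:k]))
}

// VerifyInclusion is the client side: recompute the root from the certificate's
// leaf hash and the proof, and accept only if it equals the trusted root.
func VerifyInclusion(index, size uint64, leaf Hash, proof []Hash, root Hash) bool {
	if index >= size {
		return false
	}
	fn, sn, r := index, size-1, leaf
	for _, p := range proof {
		if sn == 0 {
			return false // proof is longer than the tree is deep
		}
		if fn&1 == 1 || fn == sn {
			r = nodeHash(p, r) // sibling is on the left
			for fn&1 == 0 && fn != 0 {
				fn, sn = fn>>1, sn>>1 // skip levels where this node has no sibling
			}
		} else {
			r = nodeHash(r, p) // sibling is on the right
		}
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0 && r == root
}

func main() {
	var leaves []Hash
	for i := 0; i < 7; i++ { // constructed log entries standing in for certificates
		leaves = append(leaves, LeafHash([]byte(fmt.Sprintf("constructed certificate %d", i))))
	}
	root, proof := TreeRoot(leaves), InclusionProof(5, leaves)
	rogue := LeafHash([]byte("constructed certificate that was never logged"))
	fmt.Println("logged certificate accepted:  ", VerifyInclusion(5, 7, leaves[5], proof, root))
	fmt.Println("unlogged certificate accepted:", VerifyInclusion(5, 7, rogue, proof, root))
}
```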

Revocation, Rotation and Expiry

There are two main approaches to code signing:

  1. Long-term certs
  2. Trusted time-stamping

Long-term certs

These certificates are typically valid for years. All old code must be re-signed with a new cert before an old cert expires. Typically this works with long deprecation periods, dual-signing and planned rotations.

There are a couple of problems with this approach:

  1. It assumes users can keep access to private keys and keep them secret over long periods of time
  2. Revocation is hard and doesn't work well

Fulcio's Model

Fulcio is designed to avoid revocation by issuing short-lived certificates. What really matters for code signing is to know that an artifact was signed while the certificate was valid.

This can be done a few ways:

  • Third-party Timestamp Authorities (RFC3161)
  • Transparency Logs
  • Both (Fulcio's Model)

RFC3161 Timestamp Servers

RFC3161 defines a protocol for Trusted Timestamps. Parties can send a payload to an RFC3161 service and the service digitally signs that payload with its own timestamp. This is the equivalent of posting a hash to Twitter - you are getting a third-party attestation that you had a particular piece of data at a particular time, as observed by that same third-party.

The downside is that users need to interact with another service. They must timestamp all signatures and check the timestamps of all signatures - adding another dependency and set of keys they must trust (the timestamp servers). We could provide one for free, but if people don't trust the clock in our transparency ledger they might not trust another service we run.

Transparency Logs

The rekor service provides a transparency log of software signatures. As entries are appended into this log, rekor periodically signs the full tree along with a timestamp.

An entry in Rekor provides a single-party attestation that a piece of data existed prior to a certain time. These timestamps cannot be tampered with later, providing long-term trust. This long-term trust also requires that the log is monitored.

Transparency Logs make it hard to forge timestamps long-term, but in short time-windows it would be much easier for the Rekor operator to fake or forge timestamps. To mitigate this, Rekor's timestamps and STHs are signed - a valid signed tree hash contains a non-repudiable timestamp. These signed timestamp tokens are saved as evidence in case Rekor's clock changes in the future. So, more skeptical parties don't have to trust Rekor at all!
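
The idea that a signature only has to be made while the certificate was valid, as an added example (not code from the Fulcio project): the chain is checked at the timestamp recorded by the log instead of at the current time. The CA, the identity dev@example.test, the artifact and the BuildDemo/VerifyAt names are constructed for illustration, and the log timestamp is assumed to be already authenticated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Bundle is what a verifier keeps long after the certificate has expired.
type Bundle struct {
	Artifact, Signature []byte
	Leaf                *x509.Certificate
	LoggedAt            time.Time // log timestamp, assumed already authenticated
}

// check aborts the demo setup on unexpected crypto errors.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert signs tmpl with the parent's key and parses the resulting DER.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// BuildDemo creates a constructed P-384 root, a 10-minute code signing leaf for
// identity, and a signature whose log entry is dated two minutes after issuance.
func BuildDemo(issued time.Time, identity string) (Bundle, *x509.CertPool) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	check(err)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed root"},
		NotBefore: issued.Add(-time.Hour), NotAfter: issued.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root := makeCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), EmailAddresses: []string{identity},
		NotBefore: issued, NotAfter: issued.Add(10 * time.Minute),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf := makeCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
	artifact := []byte("constructed release artifact")
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, leafKey, digest[:])
	check(err)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return Bundle{Artifact: artifact, Signature: sig, Leaf: leaf, LoggedAt: issued.Add(2 * time.Minute)}, pool
}

// VerifyAt checks the chain as of `at`, then the identity, then the signature.
// Passing b.LoggedAt asks "was the certificate valid when the log saw this?".
func VerifyAt(b Bundle, roots *x509.CertPool, identity string, at time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := b.Leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain at %s: %w", at.Format(time.RFC3339), err)
	}
	if len(b.Leaf.EmailAddresses) != 1 || b.Leaf.EmailAddresses[0] != identity {
		return errors.New("certificate was not issued to the expected identity")
	}
	digest := sha256.Sum256(b.Artifact)
	pub, ok := b.Leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], b.Signature) {
		return errors.New("signature does not match artifact")
	}
	return nil
}

// IsExpired reports whether err is an x509 validity-window failure.
func IsExpired(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	b, roots := BuildDemo(time.Date(2021, 3, 7, 3, 30, 0, 0, time.UTC), "dev@example.test")
	fmt.Println("checked at log time:  ", VerifyAt(b, roots, "dev@example.test", b.LoggedAt))
	fmt.Println("checked at wall clock:", VerifyAt(b, roots, "dev@example.test", time.Now()))
}
```

A verifier that used the wall clock would reject every artifact a few minutes after signing; one that skipped the time check entirely would accept signatures made with a key stolen after expiry.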

Why Not Both!?!?!?

As usual, we can combine timestamp servers and transparency logs to do a bit better.

Third-party timestamp authorities provide signatures for pieces of data, which includes a timestamp. Rekor can interact with these third-party TSAs automatically, allowing users to skip this step. Rekor can get its own STH (including the timestamp) signed by one or many third-party TSAs regularly.

Each timestamp attestation in the Rekor log provides a fixed "fencepost" in time. Rekor, the client and a third-party can all provide evidence of the state of the world at a point in time. Fenceposts every ten minutes protect all data in between. Auditors can monitor Rekor's log to ensure these are added, shifting the complexity burden from users to auditors.

Info

Fulcio is developed as part of the sigstore project.

We also use a slack channel! Click here for the invite link.

Comments
  • Add file backed certificate authority

    Summary

    Adds a simple file-based certificate authority to Fulcio. Expects PEM encoded key-pair without password protection.

    Usage

    fulcio serve --ca fileca --fileca-key /path/to/key.pem --fileca-cert /path/to/cert.pem
    

    By default the files passed are watched for updates and reloaded on change. This behaviour can be disabled with --fileca-watch false.

    Fixes #276

    Remaining Work

    • [x] Add unit tests
    • [x] Run an integration test (docker-compose maybe?)

    Release Note

    - Added a simple file based certificate authority `fileca`
    
    opened by nsmith5 30
  • Support simple file-backed CA

    Description

    Some operators may wish to use a simple file based CA to issue certificates. Let's support loading the CA signing key and certificate chain from local files.

    Design aspects:

    • Will require private key to be encrypted with password
    • Cert and private key will be in separate files
    • Cert and private key must be PEM encoded

    Work items

    This work will be broken up into a couple small deliverables below

    • [x] Support a root CA certificate (no certificates chains / intermediates)
    • [ ] Add support for intermediate CA / certificate chains
    • [ ] Replace ephemeralca in the e2e tests for cosign
    • [ ] Add documentation of usage (explain the CLI flags / basic example of generating a key-pair with openssl)
    enhancement 
    opened by nsmith5 16
  • Embed SCTs in issued certificates

    Summary

    This adds support for embedding SCTs in certificates instead of returning a header with a detached SCT. This is done by implementing an SCT interface for a signer. For example, GCP CA Service will not support embedded SCTs, but KMS will.

    This heavily leverages the Go CT library. I've removed the custom client in favor of the CT library client, which includes more verification and retry logic. Note that there's a TODO to include the public key of the CT log in Fulcio so that the SCT is checked before returning a response.

    A certificate is signed twice, which adds an extra remote call to KMS. The first certificate is added to the CT log via AddPreChain instead of AddChain.

    The Cosign client will need to be updated to support embedded SCTs.

    Signed-off-by: Hayden Blauzvern [email protected]

    Ticket Link

    Fixes #42, #310

    Release Note

    Added support for embedded SCTs for intermediate CA implementation. The CA will not return the SCT detached in a header. The client must verify the SCT using the SCT embedded in the certificate.
    
    opened by haydentherapper 14
  • Upgrade fulcios to use of the google privateca api at v1

    Signed-off-by: Scott Nichols [email protected]

    Summary

    We were still on a v1beta1 api for the googleca private ca. This adds a flag to use the v1 of the api. We are still needing to update the cert to v1.

    The new flag --gcp_private_ca_version selects v1 by default to allow us to drop the flag when we move to v1 certs and then delete the flag and the v1beta1 codepaths.

    Ticket Link

    Relates to a checkbox in https://github.com/sigstore/fulcio/issues/191

    Release Note

    Fulcio now can use the v1 api for google privateca.
    
    opened by n3wscott 14
  • Changing the detached SCT to the correct format

    Description

    See https://github.com/trailofbits/sigstore-python/pull/24 - There was an issue around unmarshalling because the detached SCT is in an unexpected format.

    Given that Fulcio 0.4 will break the Cosign client already, I'd like to just go ahead and fix the header. We'll need to hold off on Fulcio 0.4 and release Cosign 1.8 (with a change to expect a different struct for the detached SCT from Fulcio) first.

    @dlorenc @cpanato FYI - Does this seem reasonable?

    bug 
    opened by haydentherapper 13
  • examples: This adds example code on how to fetch a fulcio certificate

    Summary

    The API isn't super clearly documented and the workflow how to fetch certificates is not well explained. There are no simple code examples nor examples around that makes fulcio easy to pick up. This is a start at providing examples for how to utilize fulcio and something we should look at adopting for the other sigstore projects as well.

    Signed-off-by: Morten Linderud [email protected]

    opened by Foxboron 13
  • Usage outside of sigstore

    The fulcio client code recently moved from this repo to the sigstore cli in the sigstore repo. I think fulcio is useful on its own as well, independently of rekor. The sigstore cli (correct me if I'm wrong) currently doesn't allow to just retrieve a fulcio cert without signing and sending to rekor.

    Is fulcio intended to stay as an independent service? If so, does it make sense to have a stand-alone client here (or elsewhere) for it? Or alternatively extend the sigstore cli to retrieve a cert for custom usage?

    opened by letmaik 13
  • Add note about the status of the legacy HTTP API.

    Summary

    Small doc clarification about the legacy HTTP API.

    Ticket Link

    No ticket, but this came up in the 2022-04-19 community meeting.

    Release Note

    NONE
    
    opened by znewman01 12
  • Add API for fetching Fulcio configuration

    This API provides the following:

    • All OIDC issuers, including the meta/wildcard issuers
    • The expected audience of the token
    • The claim that must be signed for a proof of possession
    • The SPIFFE trust domain, when the issuer is of type SPIFFE

    This has only been added to the V2 API, as we are no longer updating the V1 API.

    Signed-off-by: Hayden Blauzvern [email protected]

    Summary

    Ticket Link

    Fixes #607

    Release Note

    Added API for fetching the Fulcio OIDC issuer configuration
    
    opened by haydentherapper 11
  • Add intermediate CA implementation with KMS-backed signer

    This CA implementation will use an on-disk certificate chain and a remote KMS signer to sign certificates. There is validation on server startup that the provided chain matches the provided key.

    I've also added a utility to generate the intermediate certificate by calling GCP CA Service. This will be used to set up Fulcio.

    This also refactors the code to add an intermediate CA struct that implements the common methods. This makes it simple to add new intermediate CA types, with each only needing to provide a method to fetch a signer and certificate chain.

    Updated sigstore/sigstore to pull in the latest change to compare public keys.

    Tested with:

    go run pkg/ca/intermediateca/fetch_ca_cert/fetch_ca_cert.go --kms-key="gcpkms://projects/<project>/locations/us-central1/keyRings/test-key-ring/cryptoKeys/ca-key/versions/1" --gcp-ca-parent="projects/<project>/locations/us-west1/caPools/<pool>" --output="chain.crt.pem"

    go run main.go serve --port 5555 --ca kmsca --ct-log-url="" --kms-key="gcpkms://projects/<project>/locations/us-central1/keyRings/test-key-ring/cryptoKeys/ca-key/versions/1" --cert-chain-path="chain.crt.pem"

    Made a call using a script based on the load testing tool, got back a certificate chain.

    Signed-off-by: Hayden Blauzvern [email protected]

    Summary

    Ticket Link

    Fixes #489

    Release Note

    Added a KMS-backed intermediate CA implementation
    
    opened by haydentherapper 11
  • Implement standalone CLI command

    May be used to generate an OIDC certificate without any signing or tlog interaction. Resolves #95

    Open to feedback! I'm not sure if the output format is exactly what's needed, so testing would be appreciated.

    Signed-off-by: Mark Bestavros [email protected]

    opened by mbestavros 11
  • Bump cloud.google.com/go/security from 1.7.0 to 1.8.0

    Bumps cloud.google.com/go/security from 1.7.0 to 1.8.0.

    Changelog

    Sourced from cloud.google.com/go/security's changelog.

    1.8.0 (2022-09-21)

    Features

    • documentai: rewrite signatures in terms of new types for betas (9f303f9)
    dependencies go 
    opened by dependabot[bot] 1
  • Bump actions/dependency-review-action from 2.2.0 to 2.3.0

    Bumps actions/dependency-review-action from 2.2.0 to 2.3.0.

    Release notes

    Sourced from actions/dependency-review-action's releases.

    2.3.0

    We're adding back support for an external configuration file. You can use the config-file configuration string to specify a path to a YAML configuration file where you can specify any options you want:

      dependency-review:
        runs-on: ubuntu-latest
        steps:
          - name: 'Checkout Repository'
            uses: actions/[email protected]
          - name: 'Dependency Review'
            uses: actions/[email protected]
            with:
              config-file: ./.github/dependency-review-config.yml
    
    Commits
    • 2843194 Updating version.
    • 6944531 Update README.md
    • 29cdbbe Merge pull request #228 from actions/external-config
    • 88502ba Update README.md
    • ff7c97a adding dist
    • 4d3b8e5 Clarify code a bit.
    • 38ee6e8 Improve scopes example in new docs.
    • 54cd9a7 Merge branch 'main' into external-config
    • c4693c0 Raise errors for invalid values in the external config.
    • e89f113 add callout to checkout main when updating major version tag
    • Additional commits viewable in compare view

    dependencies github_actions 
    opened by dependabot[bot] 1
  • Proposal: Kubernetes Pod Details OID

    Description

    We should add more details about Kubernetes based OIDC tokens in certificates to ID pods / service accounts.

    Currently we only include the service account / cluster, i.e.

    Subject Alternative Name (critical):
        url:
        - https://kubernetes.io/namespaces/default/serviceaccounts/default
      OIDC Issuer: https://container.googleapis.com/v1/projects/...
    

    https://rekor.tlog.dev/?logIndex=3405075

    We actually already parse out all of the claims, but we don't include them in the cert:

    https://github.com/sigstore/fulcio/blob/6b5f9aecf50803569ebda6e064561fd0838dddbc/pkg/identity/kubernetes/principal.go#L86-L95

    Including these would let us identify the individual pod that ran, similar to how we can ID individual GitHub Action workflows with the GitHub custom claims.

    Proposal: Add new OIDs for Kubernetes runtime information.

    It probably also makes sense to start creating sub-directories of OIDs depending on the custom claim types - i.e. reserve 1.3.6.1.4.1.57264.1.7 for custom Kubernetes claims (2-6 is already in use by GitHub Actions) then add:

    OID | Name
    -|-
    1.3.6.1.4.1.57264.1.7 | Kubernetes Claims
    1.3.6.1.4.1.57264.1.7.1 | Namespace
    1.3.6.1.4.1.57264.1.7.2 | Pod Name
    1.3.6.1.4.1.57264.1.7.3 | Pod UID
    1.3.6.1.4.1.57264.1.7.4 | Service Account Name
    1.3.6.1.4.1.57264.1.7.5 | Service Account UID

    enhancement 
    opened by wlynch 4
  • Standardizing CI OIDC token claims

    Goal

    Create a standard set of claims that should be present in OIDC tokens from CI systems such as GitHub Actions, Cirrus CI, GitLab, Circle CI, etc.

    Background

    As noted in the NPM RFC for integrating with Sigstore, and as documented in other tickets (https://github.com/sigstore/fulcio/issues/243, https://github.com/sigstore/fulcio/issues/591, https://github.com/sigstore/fulcio/issues/748), there is interest in support for other CI systems. It is technically possible to implement support for each, but it will require code duplication and work for onboarding every CI platform. It would be ideal if all OIDC tokens from all CI systems had a standard set of claims to represent identity, so that onboarding would simply be updating configuration.

    Current state

    All of the above platforms either are working on or currently produce OIDC tokens for CI workflows. Fulcio currently only accepts CI tokens from GitHub Actions, and has hardcoded the GitHub specific claim values and produces a code signing certificate with GitHub specific OID values.

    Currently expected claims (GitHub ref)

    • job_workflow_ref
    • sha
    • event_name
    • repository
    • workflow
    • ref
    • aud (which must be set to sigstore)
    • exp

    sha, event_name, repository, workflow, and ref are included in issued certificates in custom OIDs - https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md.

    Required claims

    The token should include standard OIDC claims like:

    • aud (which must be customizable and set to sigstore)
    • sub
    • iss
    • exp
    • iat
    • nbf

    We should include the claims specified in "Currently expected claims".

    There was conversation in https://github.com/sigstore/fulcio/issues/624 about including the run ID (run_id), run count (run_number) and attempt count (run_attempt). We should decide if these should be required for Fulcio certificates.

    Another useful claim may be actor, who triggered the CI run.

    Any claim values must be immutable. For example, user IDs should be used instead of usernames, and repository IDs should be used instead of repository names, to prevent resurrection attacks.

    cc @asraa @laurentsimon @znewman01 @fkorotkov @feelepxyz, what would you like to see in a token and do you have recommendations on claim names?

    enhancement 
    opened by haydentherapper 10
  • Add support for Cirrus CI tokens

    Disclaimer: I'm one of the engineers working on Cirrus CI.

    Cirrus CI exposes an OIDC token via $CIRRUS_OIDC_TOKEN and allows overriding the audience by setting the $CIRRUS_OIDC_TOKEN_AUDIENCE variable.

    I'm following up on this comment from NPM's RFC. I wonder what it will take to add support for Cirrus CI?

    From a brief check it seems it will require implementing something similar to pkg/identity/github?

    enhancement 
    opened by fkorotkov 11
Releases(v0.5.3)
  • v0.5.3(Aug 22, 2022)

    What's Changed

    • Bump google.golang.org/api from 0.88.0 to 0.89.0 by @dependabot in https://github.com/sigstore/fulcio/pull/705
    • Bump imjasonh/setup-ko from 0.4 to 0.5 by @dependabot in https://github.com/sigstore/fulcio/pull/704
    • Bump golang from 9349ed8 to f3d3d69 by @dependabot in https://github.com/sigstore/fulcio/pull/707
    • ✨ Enable Scorecard badge by @azeemshaikh38 in https://github.com/sigstore/fulcio/pull/706
    • Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/712
    • Bump golang from f3d3d69 to 6e10f44 by @dependabot in https://github.com/sigstore/fulcio/pull/708
    • Bump google.golang.org/api from 0.89.0 to 0.90.0 by @dependabot in https://github.com/sigstore/fulcio/pull/711
    • Bump github/codeql-action from 2.1.16 to 2.1.17 by @dependabot in https://github.com/sigstore/fulcio/pull/709
    • Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 by @dependabot in https://github.com/sigstore/fulcio/pull/710
    • Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.11.0 to 2.11.1 by @dependabot in https://github.com/sigstore/fulcio/pull/714
    • Bump golang from 6e10f44 to 8a62670 by @dependabot in https://github.com/sigstore/fulcio/pull/713
    • Bump golang from 1.18.4 to 1.18.5 by @dependabot in https://github.com/sigstore/fulcio/pull/717
    • Update certificate issuance documentation by @haydentherapper in https://github.com/sigstore/fulcio/pull/702
    • Bump google.golang.org/api from 0.90.0 to 0.91.0 by @dependabot in https://github.com/sigstore/fulcio/pull/720
    • Add documentation for SCT formats by @haydentherapper in https://github.com/sigstore/fulcio/pull/718
    • Bump github/codeql-action from 2.1.17 to 2.1.18 by @dependabot in https://github.com/sigstore/fulcio/pull/721
    • Create certificate specification by @haydentherapper in https://github.com/sigstore/fulcio/pull/703
    • Bump github.com/prometheus/client_golang from 1.12.2 to 1.13.0 by @dependabot in https://github.com/sigstore/fulcio/pull/725
    • Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.11.1 to 2.11.2 by @dependabot in https://github.com/sigstore/fulcio/pull/724
    • install protobuff 3.20.1 by @cpanato in https://github.com/sigstore/fulcio/pull/728
    • Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.11.0 to 2.11.2 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/726
    • Bump go.uber.org/zap from 1.21.0 to 1.22.0 by @dependabot in https://github.com/sigstore/fulcio/pull/730
    • Bump github.com/googleapis/api-linter from 1.33.2 to 1.33.3 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/722
    • Bump github.com/googleapis/api-linter from 1.33.3 to 1.34.0 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/731
    • fix example to explicitly set port for gRPC call by @bobcallaway in https://github.com/sigstore/fulcio/pull/732
    • Bump google.golang.org/api from 0.91.0 to 0.92.0 by @dependabot in https://github.com/sigstore/fulcio/pull/733
    • Bump go.step.sm/crypto from 0.17.0 to 0.17.1 by @dependabot in https://github.com/sigstore/fulcio/pull/737
    • update github.com/google/tink/go to 1.7.0 and fix deprecation by @cpanato in https://github.com/sigstore/fulcio/pull/736
    • address Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server by @cpanato in https://github.com/sigstore/fulcio/pull/735
    • Bump go.step.sm/crypto from 0.17.1 to 0.17.2 by @dependabot in https://github.com/sigstore/fulcio/pull/742
    • Bump google.golang.org/api from 0.92.0 to 0.93.0 by @dependabot in https://github.com/sigstore/fulcio/pull/741
    • update builder and cosign images by @cpanato in https://github.com/sigstore/fulcio/pull/743
    • Update scorecard-action to v2:alpha by @azeemshaikh38 in https://github.com/sigstore/fulcio/pull/746
    • Bump actions/dependency-review-action from 2.0.4 to 2.1.0 by @dependabot in https://github.com/sigstore/fulcio/pull/744
    • update changelog to add release v0.5.3 by @cpanato in https://github.com/sigstore/fulcio/pull/747
    • Clean up unix socket by @pauldthomson in https://github.com/sigstore/fulcio/pull/739
    • bump sigstore/sigstore from 1.3.1 to 1.4.0 by @k4leung4 in https://github.com/sigstore/fulcio/pull/745
    • Bump github/codeql-action from 2.1.18 to 2.1.19 by @dependabot in https://github.com/sigstore/fulcio/pull/749
    • Bump github/codeql-action from 2.1.19 to 2.1.20 by @dependabot in https://github.com/sigstore/fulcio/pull/750
    • adding tuf root env variable by @cpanato in https://github.com/sigstore/fulcio/pull/751

    New Contributors

    • @azeemshaikh38 made their first contribution in https://github.com/sigstore/fulcio/pull/706
    • @pauldthomson made their first contribution in https://github.com/sigstore/fulcio/pull/739

    Full Changelog: https://github.com/sigstore/fulcio/compare/v0.5.2...v0.5.3

  • v0.5.2(Jul 25, 2022)

    What's Changed

    • Bump actions/setup-go from 3.2.0 to 3.2.1 by @dependabot in https://github.com/sigstore/fulcio/pull/677
    • Bump github.com/prometheus/common from 0.35.0 to 0.36.0 by @dependabot in https://github.com/sigstore/fulcio/pull/678
    • Bump cloud.google.com/go/security from 1.4.0 to 1.4.1 by @dependabot in https://github.com/sigstore/fulcio/pull/681
    • Bump google.golang.org/api from 0.86.0 to 0.87.0 by @dependabot in https://github.com/sigstore/fulcio/pull/680
    • Bump google.golang.org/grpc from 1.47.0 to 1.48.0 by @dependabot in https://github.com/sigstore/fulcio/pull/682
    • Bump github.com/googleapis/api-linter from 1.33.1 to 1.33.2 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/685
    • Bump github/codeql-action from 2.1.15 to 2.1.16 by @dependabot in https://github.com/sigstore/fulcio/pull/684
    • Bump golang from 1.18.3 to 1.18.4 by @dependabot in https://github.com/sigstore/fulcio/pull/683
    • Bump github.com/prometheus/common from 0.36.0 to 0.37.0 by @dependabot in https://github.com/sigstore/fulcio/pull/687
    • Bump actions/dependency-review-action from 2.0.2 to 2.0.4 by @dependabot in https://github.com/sigstore/fulcio/pull/686
    • Bump go.step.sm/crypto from 0.16.2 to 0.17.0 by @dependabot in https://github.com/sigstore/fulcio/pull/688
    • bump cosign to v1.9.0 by @bobcallaway in https://github.com/sigstore/fulcio/pull/692
    • Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.10.3 to 2.11.0 by @dependabot in https://github.com/sigstore/fulcio/pull/695
    • Bump google.golang.org/api from 0.87.0 to 0.88.0 by @dependabot in https://github.com/sigstore/fulcio/pull/694
    • Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.10.3 to 2.11.0 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/696
    • [NFC] docs/oidc: mark code blocks as JSON, minor syntax fixes by @woodruffw in https://github.com/sigstore/fulcio/pull/697
    • ensure GetTrustBundle returns array of strings instead of a single string with newlines by @bobcallaway in https://github.com/sigstore/fulcio/pull/690
    • update go builder and cosign image by @cpanato in https://github.com/sigstore/fulcio/pull/700
    • Add CHANGELOG for 0.5.2 by @haydentherapper in https://github.com/sigstore/fulcio/pull/701

    New Contributors

    • @woodruffw made their first contribution in https://github.com/sigstore/fulcio/pull/697

    Full Changelog: https://github.com/sigstore/fulcio/compare/v0.5.1...v0.5.2

    Thanks to all contributors!

  • v0.5.1(Jul 8, 2022)

    What's Changed

    • Bump google.golang.org/api from 0.82.0 to 0.83.0 by @dependabot in https://github.com/sigstore/fulcio/pull/642
    • Bump google.golang.org/api from 0.83.0 to 0.84.0 by @dependabot in https://github.com/sigstore/fulcio/pull/647
    • Add interface for certs/signer fetching to remove mutex by @haydentherapper in https://github.com/sigstore/fulcio/pull/643
    • change grpc response logger to debug level instead of error by @bobcallaway in https://github.com/sigstore/fulcio/pull/648
    • Bump actions/dependency-review-action from 1.0.2 to 2.0.1 by @dependabot in https://github.com/sigstore/fulcio/pull/650
    • Bump github.com/googleapis/api-linter from 1.32.1 to 1.32.2 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/651
    • Bump golang from b203dc5 to 1c3d22f by @dependabot in https://github.com/sigstore/fulcio/pull/649
    • Bump actions/dependency-review-action from 2.0.1 to 2.0.2 by @dependabot in https://github.com/sigstore/fulcio/pull/652
    • Bump github.com/googleapis/api-linter from 1.32.2 to 1.32.3 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/653
    • Refactor in-memory signing CAs to use a single implementation by @haydentherapper in https://github.com/sigstore/fulcio/pull/644
    • Bump github.com/prometheus/common from 0.34.0 to 0.35.0 by @dependabot in https://github.com/sigstore/fulcio/pull/655
    • Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 by @dependabot in https://github.com/sigstore/fulcio/pull/658
    • Bump google.golang.org/api from 0.84.0 to 0.85.0 by @dependabot in https://github.com/sigstore/fulcio/pull/657
    • Bump github/codeql-action from 2.1.12 to 2.1.13 by @dependabot in https://github.com/sigstore/fulcio/pull/656
    • Bump github/codeql-action from 2.1.13 to 2.1.14 by @dependabot in https://github.com/sigstore/fulcio/pull/659
    • Bump golang from 1c3d22f to 957001e by @dependabot in https://github.com/sigstore/fulcio/pull/660
    • Bump golang from 957001e to a452d62 by @dependabot in https://github.com/sigstore/fulcio/pull/661
    • Bump ossf/scorecard-action from 1.1.1 to 1.1.2 by @dependabot in https://github.com/sigstore/fulcio/pull/662
    • Add Tink signing backend by @haydentherapper in https://github.com/sigstore/fulcio/pull/645
    • Bump google.golang.org/api from 0.85.0 to 0.86.0 by @dependabot in https://github.com/sigstore/fulcio/pull/664
    • Bump github/codeql-action from 2.1.14 to 2.1.15 by @dependabot in https://github.com/sigstore/fulcio/pull/663
    • generate OpenAPI documents from protobuf by @bobcallaway in https://github.com/sigstore/fulcio/pull/666
    • add dependabot hack to monitor for new protoc releases by @bobcallaway in https://github.com/sigstore/fulcio/pull/667
    • Bump github.com/googleapis/api-linter from 1.32.3 to 1.33.0 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/669
    • Bump github.com/spiffe/go-spiffe/v2 from 2.1.0 to 2.1.1 by @dependabot in https://github.com/sigstore/fulcio/pull/668
    • Update sigstore to pull in fixes by @haydentherapper in https://github.com/sigstore/fulcio/pull/671
    • Add CORS support to HTTP endpoint by @bobcallaway in https://github.com/sigstore/fulcio/pull/670
    • pipe all log messages to stdout for dev logger by @bobcallaway in https://github.com/sigstore/fulcio/pull/673
    • Bump github.com/googleapis/api-linter from 1.33.0 to 1.33.1 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/674
    • add changelog for v0.5.1 by @cpanato in https://github.com/sigstore/fulcio/pull/675

    Full Changelog: https://github.com/sigstore/fulcio/compare/v0.5.0...v0.5.1

    Thanks to all contributors!

  • v0.5.0(Jun 7, 2022)

    What's Changed

    • Bump google.golang.org/api from 0.77.0 to 0.78.0 by @dependabot in https://github.com/sigstore/fulcio/pull/556
    • Bump github.com/googleapis/api-linter from 1.31.1 to 1.31.2 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/557
    • Add new Issuer and Principal abstractions by @nsmith5 in https://github.com/sigstore/fulcio/pull/558
    • Add timeout to OIDC discovery by @nsmith5 in https://github.com/sigstore/fulcio/pull/560
    • Refactor x509 extension embedding logic by @nsmith5 in https://github.com/sigstore/fulcio/pull/561
    • Add client options testing by @nsmith5 in https://github.com/sigstore/fulcio/pull/562
    • Bump google.golang.org/api from 0.78.0 to 0.79.0 by @dependabot in https://github.com/sigstore/fulcio/pull/566
    • Bump github/codeql-action from 2.1.9 to 2.1.10 by @dependabot in https://github.com/sigstore/fulcio/pull/565
    • update go to 1.17.10 by @cpanato in https://github.com/sigstore/fulcio/pull/567
    • Remove unused Subject field from CodeSigningCertificate by @nsmith5 in https://github.com/sigstore/fulcio/pull/568
    • Use GenerateSerialNumber from cryptoutils by @nsmith5 in https://github.com/sigstore/fulcio/pull/571
    • Bump github.com/googleapis/api-linter from 1.31.2 to 1.32.0 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/575
    • Bump github.com/coreos/go-oidc/v3 from 3.1.0 to 3.2.0 by @dependabot in https://github.com/sigstore/fulcio/pull/574
    • Update to use go1.18 by @cpanato in https://github.com/sigstore/fulcio/pull/576
    • Small ca refactor by @nsmith5 in https://github.com/sigstore/fulcio/pull/569
    • Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 by @dependabot in https://github.com/sigstore/fulcio/pull/573
    • Bump github/codeql-action from 75b4f1c4669133dc294b06c2794e969efa2e5316 to 2.1.10 by @dependabot in https://github.com/sigstore/fulcio/pull/572
    • googleca: Don't log all identities by @nsmith5 in https://github.com/sigstore/fulcio/pull/577
    • Consume identity.Principal in CA abstraction by @nsmith5 in https://github.com/sigstore/fulcio/pull/570
    • challenges: remove ParseCSR by @nsmith5 in https://github.com/sigstore/fulcio/pull/578
    • identity: improve the documentation for Principal.Name() by @nsmith5 in https://github.com/sigstore/fulcio/pull/579
    • Bump actions/dependency-review-action from 3f943b86c9a289f4e632c632695e2e0898d9d67d to 1 by @dependabot in https://github.com/sigstore/fulcio/pull/581
    • Add some tests for challenges by @nsmith5 in https://github.com/sigstore/fulcio/pull/583
    • Bump actions/setup-go from 3.0.0 to 3.1.0 by @dependabot in https://github.com/sigstore/fulcio/pull/582
    • Bump github.com/prometheus/client_golang from 1.12.1 to 1.12.2 by @dependabot in https://github.com/sigstore/fulcio/pull/584
    • Bump google.golang.org/grpc from 1.46.0 to 1.46.2 by @dependabot in https://github.com/sigstore/fulcio/pull/585
    • Bump github.com/google/certificate-transparency-go from 1.1.2 to 1.1.3 by @dependabot in https://github.com/sigstore/fulcio/pull/586
    • Skip tests that require network access with HERMETIC=true by @haydentherapper in https://github.com/sigstore/fulcio/pull/587
    • Refactor challenge verification by @nsmith5 in https://github.com/sigstore/fulcio/pull/580
    • Correct SPIFFE trust domain checking by @nsmith5 in https://github.com/sigstore/fulcio/pull/588
    • Validate SPIFFE IDs and trust domains via library by @haydentherapper in https://github.com/sigstore/fulcio/pull/592
    • Move domain validation checks for URI/Username to service startup by @haydentherapper in https://github.com/sigstore/fulcio/pull/590
    • Bump google.golang.org/api from 0.79.0 to 0.80.0 by @dependabot in https://github.com/sigstore/fulcio/pull/595
    • Bump go.step.sm/crypto from 0.16.1 to 0.16.2 by @dependabot in https://github.com/sigstore/fulcio/pull/594
    • Bump github/codeql-action from 2.1.10 to 2.1.11 by @dependabot in https://github.com/sigstore/fulcio/pull/593
    • Bump github.com/googleapis/api-linter from 1.32.0 to 1.32.1 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/597
    • cmd/app: remove dependency on deprecated github.com/pkg/errors by @zchee in https://github.com/sigstore/fulcio/pull/598
    • Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.10.0 to 2.10.1 by @dependabot in https://github.com/sigstore/fulcio/pull/600
    • Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.10.0 to 2.10.1 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/601
    • Added additional tests for CA implementations and OIDC by @haydentherapper in https://github.com/sigstore/fulcio/pull/602
    • Bump actions/upload-artifact from 3.0.0 to 3.1.0 by @dependabot in https://github.com/sigstore/fulcio/pull/603
    • Restrict issuer claim mapping to email issuers by @nsmith5 in https://github.com/sigstore/fulcio/pull/606
    • Add e2e test that tests IssuerClaim by @haydentherapper in https://github.com/sigstore/fulcio/pull/605
    • Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.10.1 to 2.10.2 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/611
    • Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.10.1 to 2.10.2 by @dependabot in https://github.com/sigstore/fulcio/pull/610
    • Bump actions/dependency-review-action from 1.0.1 to 1.0.2 by @dependabot in https://github.com/sigstore/fulcio/pull/609
    • Bump google.golang.org/api from 0.80.0 to 0.81.0 by @dependabot in https://github.com/sigstore/fulcio/pull/614
    • Bump cloud.google.com/go/security from 1.3.0 to 1.4.0 by @dependabot in https://github.com/sigstore/fulcio/pull/613
    • Move github principal to its own package by @nsmith5 in https://github.com/sigstore/fulcio/pull/599
    • Split pkg/server from pkg/api by @mtrmac in https://github.com/sigstore/fulcio/pull/616
    • Bump ossf/scorecard-action from 1.0.4 to 1.1.0 by @dependabot in https://github.com/sigstore/fulcio/pull/618
    • Update sigstore to pull in go-tuf security fixes by @haydentherapper in https://github.com/sigstore/fulcio/pull/617
    • Move SPIFFE principal to its own package by @nsmith5 in https://github.com/sigstore/fulcio/pull/604
    • Bump github.com/spf13/viper from 1.11.0 to 1.12.0 by @dependabot in https://github.com/sigstore/fulcio/pull/622
    • Bump actions/setup-go from 3.1.0 to 3.2.0 by @dependabot in https://github.com/sigstore/fulcio/pull/621
    • Move kubernetes principal to package by @nsmith5 in https://github.com/sigstore/fulcio/pull/619
    • Bump gopkg.in/yaml.v3 from 3.0.0 to 3.0.1 by @dependabot in https://github.com/sigstore/fulcio/pull/623
    • Make prometheus port configurable by @nsmith5 in https://github.com/sigstore/fulcio/pull/625
    • Move email principal to package by @nsmith5 in https://github.com/sigstore/fulcio/pull/620
    • Bump google.golang.org/grpc from 1.46.2 to 1.47.0 by @dependabot in https://github.com/sigstore/fulcio/pull/627
    • Final challenge result removal 🎉 by @nsmith5 in https://github.com/sigstore/fulcio/pull/626
    • Add API for fetching Fulcio configuration by @haydentherapper in https://github.com/sigstore/fulcio/pull/608
    • Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.10.2 to 2.10.3 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/633
    • Bump golang from 1.18.2 to 1.18.3 by @dependabot in https://github.com/sigstore/fulcio/pull/628
    • Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.10.2 to 2.10.3 by @dependabot in https://github.com/sigstore/fulcio/pull/632
    • Bump google.golang.org/api from 0.81.0 to 0.82.0 by @dependabot in https://github.com/sigstore/fulcio/pull/631
    • typo: Github -> GitHub by @imjasonh in https://github.com/sigstore/fulcio/pull/636
    • update cross-builder image to use go1.18.3 by @cpanato in https://github.com/sigstore/fulcio/pull/635
    • Bump ossf/scorecard-action from 1.1.0 to 1.1.1 by @dependabot in https://github.com/sigstore/fulcio/pull/630
    • Bump github/codeql-action from 2.1.11 to 2.1.12 by @dependabot in https://github.com/sigstore/fulcio/pull/629
    • Doc cleanup by @haydentherapper in https://github.com/sigstore/fulcio/pull/640
    • add changelog for release v0.5.0 by @cpanato in https://github.com/sigstore/fulcio/pull/637

    New Contributors

    • @zchee made their first contribution in https://github.com/sigstore/fulcio/pull/598
    • @mtrmac made their first contribution in https://github.com/sigstore/fulcio/pull/616

    Full Changelog: https://github.com/sigstore/fulcio/compare/v0.4.1...v0.5.0

    Thanks to all contributors!

  • v0.4.1(May 3, 2022)

    What's Changed

    • Bump google.golang.org/grpc from 1.45.0 to 1.46.0 by @dependabot in https://github.com/sigstore/fulcio/pull/541
    • Bump github.com/googleapis/api-linter from 1.31.0 to 1.31.1 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/546
    • Bump github/codeql-action from 2.1.8 to 2.1.9 by @dependabot in https://github.com/sigstore/fulcio/pull/545
    • Bump google.golang.org/api from 0.75.0 to 0.76.0 by @dependabot in https://github.com/sigstore/fulcio/pull/542
    • Bump github.com/fsnotify/fsnotify from 1.5.3 to 1.5.4 by @dependabot in https://github.com/sigstore/fulcio/pull/543
    • Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 by @dependabot in https://github.com/sigstore/fulcio/pull/544
    • Add @haydentherapper to CODEOWNERS by @bobcallaway in https://github.com/sigstore/fulcio/pull/548
    • Fix key usage for issued certificates by @haydentherapper in https://github.com/sigstore/fulcio/pull/549
    • chore(deps): Included dependency review by @naveensrinivasan in https://github.com/sigstore/fulcio/pull/540
    • Add note about the status of the legacy HTTP API. by @znewman01 in https://github.com/sigstore/fulcio/pull/531
    • Bump google.golang.org/api from 0.76.0 to 0.77.0 by @dependabot in https://github.com/sigstore/fulcio/pull/552
    • add changelog for 0.4.1 release by @cpanato in https://github.com/sigstore/fulcio/pull/553
    • update go builder image and cosign image by @cpanato in https://github.com/sigstore/fulcio/pull/554
    • fix the digest image by @cpanato in https://github.com/sigstore/fulcio/pull/555

    Full Changelog: https://github.com/sigstore/fulcio/compare/v0.4.0...v0.4.1

    Thanks to all contributors!

  • v0.4.0(Apr 23, 2022)

    What's Changed

    • add changelog for v0.3.0 release by @cpanato in https://github.com/sigstore/fulcio/pull/508
    • Add intermediate CA implementation with KMS-backed signer by @haydentherapper in https://github.com/sigstore/fulcio/pull/496
    • Bump github/codeql-action from 2.1.7 to 2.1.8 by @dependabot in https://github.com/sigstore/fulcio/pull/513
    • Embed SCTs in issued certificates by @haydentherapper in https://github.com/sigstore/fulcio/pull/507
    • Bump github.com/spf13/viper from 1.10.1 to 1.11.0 by @dependabot in https://github.com/sigstore/fulcio/pull/516
    • Update release images by @cpanato in https://github.com/sigstore/fulcio/pull/517
    • Add documentation for CT log by @haydentherapper in https://github.com/sigstore/fulcio/pull/514
    • examples: This adds example code on how to fetch a fulcio certificate by @Foxboron in https://github.com/sigstore/fulcio/pull/324
    • add GRPC interface by @bobcallaway in https://github.com/sigstore/fulcio/pull/472
    • Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/520
    • Add documentation for setting up Fulcio instance by @haydentherapper in https://github.com/sigstore/fulcio/pull/521
    • Bump actions/checkout from 3.0.0 to 3.0.1 by @dependabot in https://github.com/sigstore/fulcio/pull/522
    • Remove checked in binary by @haydentherapper in https://github.com/sigstore/fulcio/pull/524
    • Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.8.0 to 2.10.0 by @dependabot in https://github.com/sigstore/fulcio/pull/523
    • Fix null pointer crash and incorrect error statuses by @haydentherapper in https://github.com/sigstore/fulcio/pull/526
    • Bump google.golang.org/grpc/cmd/protoc-gen-go-grpc from 1.1.0 to 1.2.0 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/519
    • Read public key of CT log from path to verify SCTs by @haydentherapper in https://github.com/sigstore/fulcio/pull/529
    • Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.8.0 to 2.10.0 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/518
    • Add CSR support for key delivery and proof of possession by @haydentherapper in https://github.com/sigstore/fulcio/pull/527
    • Bump google.golang.org/api from 0.74.0 to 0.75.0 by @dependabot in https://github.com/sigstore/fulcio/pull/532
    • Bump github.com/prometheus/common from 0.33.0 to 0.34.0 by @dependabot in https://github.com/sigstore/fulcio/pull/533
    • Bump github.com/googleapis/api-linter from 1.30.1 to 1.31.0 in /hack/tools by @dependabot in https://github.com/sigstore/fulcio/pull/534
    • Bump github.com/fsnotify/fsnotify from 1.5.1 to 1.5.3 by @dependabot in https://github.com/sigstore/fulcio/pull/537
    • Bump codecov/codecov-action from 3.0.0 to 3.1.0 by @dependabot in https://github.com/sigstore/fulcio/pull/535
    • Bump actions/checkout from 3.0.1 to 3.0.2 by @dependabot in https://github.com/sigstore/fulcio/pull/536
    • add changelog for v0.4.0 by @cpanato in https://github.com/sigstore/fulcio/pull/530

    New Contributors

    • @Foxboron made their first contribution in https://github.com/sigstore/fulcio/pull/324

    Full Changelog: https://github.com/sigstore/fulcio/compare/v0.3.0...v0.4.0

    Thanks to all contributors!

  • v0.3.0(Apr 6, 2022)

    What's Changed

    • Bump go.step.sm/crypto from 0.15.2 to 0.15.3 by @dependabot in https://github.com/sigstore/fulcio/pull/473
    • Bump google.golang.org/api from 0.71.0 to 0.72.0 by @dependabot in https://github.com/sigstore/fulcio/pull/476
    • Bump github/codeql-action from 1.1.4 to 1.1.5 by @dependabot in https://github.com/sigstore/fulcio/pull/477
    • Bump github.com/stretchr/testify from 1.7.0 to 1.7.1 by @dependabot in https://github.com/sigstore/fulcio/pull/478
    • Bump google.golang.org/api from 0.72.0 to 0.73.0 by @dependabot in https://github.com/sigstore/fulcio/pull/479
    • Refactor API tests by @haydentherapper in https://github.com/sigstore/fulcio/pull/483
    • Bump go.step.sm/crypto from 0.15.3 to 0.16.0 by @dependabot in https://github.com/sigstore/fulcio/pull/482
    • Update Username OIDC flow based on comments by @haydentherapper in https://github.com/sigstore/fulcio/pull/463
    • fix build date format for version command by @cpanato in https://github.com/sigstore/fulcio/pull/484
    • Fix minor typos in README by @jspeed-meyers in https://github.com/sigstore/fulcio/pull/486
    • Fix minor typos in security model README by @jspeed-meyers in https://github.com/sigstore/fulcio/pull/488
    • Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 by @dependabot in https://github.com/sigstore/fulcio/pull/485
    • Fix certificate README typos by @jspeed-meyers in https://github.com/sigstore/fulcio/pull/487
    • Bump github.com/prometheus/common from 0.32.1 to 0.33.0 by @dependabot in https://github.com/sigstore/fulcio/pull/491
    • Add validation of public keys to prevent certifying weak keys by @haydentherapper in https://github.com/sigstore/fulcio/pull/490
    • Add missing reader lock to File CA when reading certificate chain by @haydentherapper in https://github.com/sigstore/fulcio/pull/493
    • Fix concurrency properly in File CA implementation by @haydentherapper in https://github.com/sigstore/fulcio/pull/495
    • Bump google.golang.org/api from 0.73.0 to 0.74.0 by @dependabot in https://github.com/sigstore/fulcio/pull/499
    • Bump github/codeql-action from 1.1.5 to 2.1.6 by @dependabot in https://github.com/sigstore/fulcio/pull/497
    • Bump go.step.sm/crypto from 0.16.0 to 0.16.1 by @dependabot in https://github.com/sigstore/fulcio/pull/498
    • Use provided HTTP client instead when fetching root cert by @imjasonh in https://github.com/sigstore/fulcio/pull/502
    • Generate larger, compliant serial numbers by @haydentherapper in https://github.com/sigstore/fulcio/pull/500
    • Bump github/codeql-action from 2.1.6 to 2.1.7 by @dependabot in https://github.com/sigstore/fulcio/pull/504
    • Bump codecov/codecov-action from 2.1.0 to 3 by @dependabot in https://github.com/sigstore/fulcio/pull/505
    • update cosign and golang-cross images by @cpanato in https://github.com/sigstore/fulcio/pull/506

    New Contributors

    • @jspeed-meyers made their first contribution in https://github.com/sigstore/fulcio/pull/486
    • @imjasonh made their first contribution in https://github.com/sigstore/fulcio/pull/502

    Full Changelog: https://github.com/sigstore/fulcio/compare/v0.2.0...v0.3.0

    Thanks to all contributors!

  • v0.2.0(Mar 14, 2022)

    What's Changed

    • Script and process to generate OIDC config from federation directory. by @dlorenc in https://github.com/sigstore/fulcio/pull/139
    • Add missing code of conduct (stock sigstore one) by @lukehinds in https://github.com/sigstore/fulcio/pull/153
    • makefile: add rule to download and set swagger and make rule to build the dist by @cpanato in https://github.com/sigstore/fulcio/pull/154
    • Bump cloud.google.com/go from 0.88.0 to 0.89.0 by @dependabot in https://github.com/sigstore/fulcio/pull/156
    • fulcio: add version command by @cpanato in https://github.com/sigstore/fulcio/pull/155
    • Bump cloud.google.com/go from 0.89.0 to 0.90.0 by @dependabot in https://github.com/sigstore/fulcio/pull/158
    • Bump golang from 1.16.6 to 1.16.7 by @dependabot in https://github.com/sigstore/fulcio/pull/159
    • Bump go.uber.org/zap from 1.18.1 to 1.19.0 by @dependabot in https://github.com/sigstore/fulcio/pull/160
    • Bump github.com/go-openapi/runtime from 0.19.29 to 0.19.30 by @dependabot in https://github.com/sigstore/fulcio/pull/161
    • Bump cloud.google.com/go from 0.90.0 to 0.91.1 by @dependabot in https://github.com/sigstore/fulcio/pull/162
    • add SCT as HTTP response header by @bobcallaway in https://github.com/sigstore/fulcio/pull/163
    • Bump cloud.google.com/go from 0.91.1 to 0.92.3 by @dependabot in https://github.com/sigstore/fulcio/pull/167
    • Bump golang from 1.16.7 to 1.17.0 by @dependabot in https://github.com/sigstore/fulcio/pull/166
    • Bump github.com/go-openapi/strfmt from 0.20.1 to 0.20.2 by @dependabot in https://github.com/sigstore/fulcio/pull/168
    • Bump github.com/go-openapi/errors from 0.20.0 to 0.20.1 by @dependabot in https://github.com/sigstore/fulcio/pull/169
    • Bump github.com/go-openapi/runtime from 0.19.30 to 0.19.31 by @dependabot in https://github.com/sigstore/fulcio/pull/171
    • Switch to the JSON logger in prod by @dlorenc in https://github.com/sigstore/fulcio/pull/175
    • Generate client code with swagger in Makefile by @priyawadhwa in https://github.com/sigstore/fulcio/pull/176
    • Fix misspellings. by @msuozzo in https://github.com/sigstore/fulcio/pull/177
    • Bump go.uber.org/zap from 1.19.0 to 1.19.1 by @dependabot in https://github.com/sigstore/fulcio/pull/178
    • Bump golang from 1.17.0 to 1.17.1 by @dependabot in https://github.com/sigstore/fulcio/pull/179
    • Add support for Github OIDC by @mattmoor in https://github.com/sigstore/fulcio/pull/180
    • Bump github.com/ThalesIgnite/crypto11 from 1.2.4 to 1.2.5 by @dependabot in https://github.com/sigstore/fulcio/pull/182
    • Add Github to fulcioca path. by @mattmoor in https://github.com/sigstore/fulcio/pull/184
    • Changes fulcio-server to fulcio by @jyotsna-penumaka in https://github.com/sigstore/fulcio/pull/186
    • Bump github.com/mitchellh/mapstructure from 1.4.1 to 1.4.2 by @dependabot in https://github.com/sigstore/fulcio/pull/185
    • Add GitHub OIDC to Fulcio by @dlorenc in https://github.com/sigstore/fulcio/pull/181
    • Bump github.com/coreos/go-oidc/v3 from 3.0.0 to 3.1.0 by @dependabot in https://github.com/sigstore/fulcio/pull/188
    • Bump github.com/spf13/viper from 1.8.1 to 1.9.0 by @dependabot in https://github.com/sigstore/fulcio/pull/189
    • add pkcs11-config-path command line parameter by @avoidik in https://github.com/sigstore/fulcio/pull/192
    • Bump golang from 1.17.1 to 1.17.2 by @dependabot in https://github.com/sigstore/fulcio/pull/197
    • Bump github.com/go-openapi/strfmt from 0.20.2 to 0.20.3 by @dependabot in https://github.com/sigstore/fulcio/pull/199
    • Bump github.com/go-openapi/loads from 0.20.2 to 0.20.3 by @dependabot in https://github.com/sigstore/fulcio/pull/200
    • Implement basic AWS CloudHSM support for root CA creation + rewrite "FulcioCA" to "PKCS11CA" by @mbestavros in https://github.com/sigstore/fulcio/pull/187
    • update go.sum by @bobcallaway in https://github.com/sigstore/fulcio/pull/205
    • Fix the Github OIDC challenge endpoint by @mattmoor in https://github.com/sigstore/fulcio/pull/206
    • Bump github.com/go-openapi/validate from 0.20.2 to 0.20.3 by @dependabot in https://github.com/sigstore/fulcio/pull/198
    • Bump github.com/go-openapi/spec from 0.20.3 to 0.20.4 by @dependabot in https://github.com/sigstore/fulcio/pull/201
    • Bump github.com/go-openapi/runtime from 0.19.31 to 0.20.0 by @dependabot in https://github.com/sigstore/fulcio/pull/202
    • Bump actions/checkout from 2.3.4 to 2.3.5 by @dependabot in https://github.com/sigstore/fulcio/pull/207
    • use request ID logger where possible by @bobcallaway in https://github.com/sigstore/fulcio/pull/209
    • Extract the OIDC issuer URL. by @mattmoor in https://github.com/sigstore/fulcio/pull/211
    • Reproducible builds with trimpath by @naveensrinivasan in https://github.com/sigstore/fulcio/pull/210
    • bump go-swagger to v0.28.0 by @bobcallaway in https://github.com/sigstore/fulcio/pull/213
    • Add issuer information to code signing certificates by @bobcallaway in https://github.com/sigstore/fulcio/pull/204
    • Refactor the kind e2e test. by @mattmoor in https://github.com/sigstore/fulcio/pull/215
    • use sigstore/sigstore instead of directly calling RSA/ECDSA verify calls by @bobcallaway in https://github.com/sigstore/fulcio/pull/221
    • Fulcio e2e testing / K8s OIDC / ephemeralca by @mattmoor in https://github.com/sigstore/fulcio/pull/219
    • Refactor the way we access Config by @mattmoor in https://github.com/sigstore/fulcio/pull/222
    • Remove the cluster-local block by default. by @mattmoor in https://github.com/sigstore/fulcio/pull/224
    • Add support for "meta issuers". by @mattmoor in https://github.com/sigstore/fulcio/pull/223
    • Use MetaIssuers to simulate EKS / GKE in e2e test. by @mattmoor in https://github.com/sigstore/fulcio/pull/225
    • Various nits trying SoftHSM by @mattmoor in https://github.com/sigstore/fulcio/pull/217
    • Bump github.com/hashicorp/golang-lru from 0.5.3 to 0.5.4 by @dependabot in https://github.com/sigstore/fulcio/pull/227
    • Bump github.com/go-openapi/strfmt from 0.20.3 to 0.21.0 by @dependabot in https://github.com/sigstore/fulcio/pull/226
    • Add support for recognizing allow.pub as an spiffe issuer by @evanphx in https://github.com/sigstore/fulcio/pull/228
    • Bump github.com/go-openapi/runtime from 0.20.0 to 0.21.0 by @dependabot in https://github.com/sigstore/fulcio/pull/229
    • break out CA-specific implementation from common API class by @bobcallaway in https://github.com/sigstore/fulcio/pull/220
    • Bump actions/checkout from 2.3.5 to 2.4.0 by @dependabot in https://github.com/sigstore/fulcio/pull/233
    • Bump golang from 1.17.2 to 1.17.3 by @dependabot in https://github.com/sigstore/fulcio/pull/234
    • Fix nil pointer, update dev docs by @vaikas in https://github.com/sigstore/fulcio/pull/236
    • fix cutpaste error, sets cpu correctly by @vaikas in https://github.com/sigstore/fulcio/pull/237
    • Add commit sha and trigger to github workflow by @asraa in https://github.com/sigstore/fulcio/pull/232
    • Bump github.com/sigstore/sigstore from 1.0.0 to 1.0.1 by @dependabot in https://github.com/sigstore/fulcio/pull/239
    • Use CGO_ENABLED=1 via .ko.yaml. by @mattmoor in https://github.com/sigstore/fulcio/pull/242
    • Fix street-address and postal-code descriptions to be more descriptive. by @vaikas in https://github.com/sigstore/fulcio/pull/245
    • Bump github.com/go-openapi/strfmt from 0.21.0 to 0.21.1 by @dependabot in https://github.com/sigstore/fulcio/pull/247
    • fix: go install complain missing version when dir not in module by @tuananh in https://github.com/sigstore/fulcio/pull/248
    • Bump cloud.google.com/go/security from 0.1.0 to 1.1.0 by @dependabot in https://github.com/sigstore/fulcio/pull/246
    • plumb through !cgo golang tags that removes pkcs11 support by @vaikas in https://github.com/sigstore/fulcio/pull/244
    • Upgrade fulcios to use of the google privateca api at v1 by @n3wscott in https://github.com/sigstore/fulcio/pull/218
    • Thread FulcioConfig through from main via ctx by @mattmoor in https://github.com/sigstore/fulcio/pull/249
    • [Correction] Upgrade fulcios to use of the google privateca api at v1 by @n3wscott in https://github.com/sigstore/fulcio/pull/252
    • Fix the k8s subject parsing. by @dlorenc in https://github.com/sigstore/fulcio/pull/254
    • Consolidate viper usage in pkg/ca/ca.go by @mattmoor in https://github.com/sigstore/fulcio/pull/255
    • Bump github.com/mitchellh/mapstructure from 1.4.2 to 1.4.3 by @dependabot in https://github.com/sigstore/fulcio/pull/256
    • Remove viper from pkg/. by @mattmoor in https://github.com/sigstore/fulcio/pull/257
    • Drop gratuitous sync.Once in google CAs. by @mattmoor in https://github.com/sigstore/fulcio/pull/258
    • Drop useless package. by @mattmoor in https://github.com/sigstore/fulcio/pull/259
    • The v1 GCP CA requires this field to be set. by @dlorenc in https://github.com/sigstore/fulcio/pull/260
    • Move the deployment to the new v1 cert. by @dlorenc in https://github.com/sigstore/fulcio/pull/261
    • Consolidate the source-of-truth. by @mattmoor in https://github.com/sigstore/fulcio/pull/263
    • add the ability to set the user-agent string on requests from the Client by @dekkagaijin in https://github.com/sigstore/fulcio/pull/264
    • Bump golang from 1.17.3 to 1.17.4 by @dependabot in https://github.com/sigstore/fulcio/pull/265
    • Drop OpenAPI from Fulcio by @mattmoor in https://github.com/sigstore/fulcio/pull/262
    • While working on #267 noticed this, but didn't want to bake into it. by @vaikas in https://github.com/sigstore/fulcio/pull/268
    • Wrap the server with the Prometheus so we get metrics + add an e2e te… by @vaikas in https://github.com/sigstore/fulcio/pull/267
    • Bump github.com/prometheus/common from 0.29.0 to 0.32.1 by @dependabot in https://github.com/sigstore/fulcio/pull/270
    • Bump golang from 1.17.4 to 1.17.5 by @dependabot in https://github.com/sigstore/fulcio/pull/269
    • Make client request timeout configurable with WithTimeout client option by @nsmith5 in https://github.com/sigstore/fulcio/pull/272
    • Localize flags to each subcommand by @nsmith5 in https://github.com/sigstore/fulcio/pull/274
    • Bump github.com/spf13/cobra from 1.2.1 to 1.3.0 by @dependabot in https://github.com/sigstore/fulcio/pull/278
    • Bump github.com/spf13/viper from 1.10.0 to 1.10.1 by @dependabot in https://github.com/sigstore/fulcio/pull/283
    • Do not close the PKCS11 context on startup by @rgerganov in https://github.com/sigstore/fulcio/pull/282
    • Fail fast if private key is not found when using PKCS11 CA by @rgerganov in https://github.com/sigstore/fulcio/pull/285
    • Update readme for V1 CA Service by @haydentherapper in https://github.com/sigstore/fulcio/pull/286
    • Add a Root Cert method to the CA interface, and implement it. by @dlorenc in https://github.com/sigstore/fulcio/pull/287
    • add usernames list to the codeowners to make it easier to check by @cpanato in https://github.com/sigstore/fulcio/pull/295
    • Add back support for building with CGO_ENABLED=0 by @vaikas in https://github.com/sigstore/fulcio/pull/293
    • Add RootCert method to client + tests by @vaikas in https://github.com/sigstore/fulcio/pull/290
    • Fix the SCT header return value from the API to base64 encode it. by @dlorenc in https://github.com/sigstore/fulcio/pull/288
    • Add documentation for testing with ephemeralca. Document RootCert method by @vaikas in https://github.com/sigstore/fulcio/pull/296
    • Handle error when there are no roots returned by CA Service by @haydentherapper in https://github.com/sigstore/fulcio/pull/298
    • Change ports for docker compose to avoid conflict with Rekor by @haydentherapper in https://github.com/sigstore/fulcio/pull/297
    • Bump github.com/sigstore/sigstore from 1.0.1 to 1.1.0 by @dependabot in https://github.com/sigstore/fulcio/pull/299
    • Add file backed certificate authority by @nsmith5 in https://github.com/sigstore/fulcio/pull/280
    • add oid documentation by @bobcallaway in https://github.com/sigstore/fulcio/pull/307
    • Bump go.uber.org/zap from 1.19.1 to 1.20.0 by @dependabot in https://github.com/sigstore/fulcio/pull/313
    • Bump cloud.google.com/go/security from 1.1.0 to 1.1.1 by @dependabot in https://github.com/sigstore/fulcio/pull/312
    • Remove hack/tools by @nsmith5 in https://github.com/sigstore/fulcio/pull/308
    • Enable server settings via config file and env vars by @jdolitsky in https://github.com/sigstore/fulcio/pull/315
    • Extract additional claims from github-workflow token by @ckotzbauer in https://github.com/sigstore/fulcio/pull/306
    • Add Locust load test and README by @haydentherapper in https://github.com/sigstore/fulcio/pull/311
    • Bump google.golang.org/api from 0.63.0 to 0.64.0 by @dependabot in https://github.com/sigstore/fulcio/pull/318
    • Switch to use fileca in e2e tests by @jdolitsky in https://github.com/sigstore/fulcio/pull/309
    • Bump golang from 1.17.5 to 1.17.6 by @dependabot in https://github.com/sigstore/fulcio/pull/317
    • Bump go.step.sm/crypto from 0.13.0 to 0.14.0 by @dependabot in https://github.com/sigstore/fulcio/pull/319
    • Fix docker-compose dexidp startup by @haydentherapper in https://github.com/sigstore/fulcio/pull/316
    • release: add cloudbuild to run the release for fulcio by @cpanato in https://github.com/sigstore/fulcio/pull/322
    • pin github actions by digest instead of tag by @bobcallaway in https://github.com/sigstore/fulcio/pull/323
    • Bump golang from 8c0269d to 0fa6504 by @dependabot in https://github.com/sigstore/fulcio/pull/326
    • add OSSF scorecard action by @bobcallaway in https://github.com/sigstore/fulcio/pull/328
    • Bump google.golang.org/api from 0.64.0 to 0.65.0 by @dependabot in https://github.com/sigstore/fulcio/pull/321
    • pin one additional set of actions by @bobcallaway in https://github.com/sigstore/fulcio/pull/329
    • Bump ossf/scorecard-action from 0fe1afdc40f536c78e3dc69147b91b3ecec2cc8a to 1.0.1 by @dependabot in https://github.com/sigstore/fulcio/pull/331
    • Remove root CA whitespaces on README.md by @ereslibre in https://github.com/sigstore/fulcio/pull/325
    • Update github/codeql-action requirement to 8a4b243fbf9a03a93e93a71c1ec257347041f9c4 by @dependabot in https://github.com/sigstore/fulcio/pull/332
    • Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 by @dependabot in https://github.com/sigstore/fulcio/pull/334
    • Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.0 by @dependabot in https://github.com/sigstore/fulcio/pull/333
    • Set max request size to 4MiB by @nsmith5 in https://github.com/sigstore/fulcio/pull/338
    • Support intermediate CA with fileca backend by @nsmith5 in https://github.com/sigstore/fulcio/pull/320
    • Add some reasonable timeouts to API server by @nsmith5 in https://github.com/sigstore/fulcio/pull/337
    • Add chain in response for all CAs, fix newlines in response by @haydentherapper in https://github.com/sigstore/fulcio/pull/341
    • fix link for SECURITY.md by @k4leung4 in https://github.com/sigstore/fulcio/pull/340
    • Generate subject key ID correctly for non-GCP certs by @haydentherapper in https://github.com/sigstore/fulcio/pull/345
    • update to v1.0.29 of codeql-action (including comments) by @bobcallaway in https://github.com/sigstore/fulcio/pull/344
    • Bump ossf/scorecard-action from 1.0.1 to 1.0.2 by @dependabot in https://github.com/sigstore/fulcio/pull/347
    • Remove Google CA v1beta1 API and associated config by @znewman01 in https://github.com/sigstore/fulcio/pull/349
    • Bump github/codeql-action from 1.0.28 to 1.0.30 by @dependabot in https://github.com/sigstore/fulcio/pull/346
    • createca: Address panic when no private key pair matches by @tstromberg in https://github.com/sigstore/fulcio/pull/351
    • Bump golang from 0fa6504 to d7f2f6f by @dependabot in https://github.com/sigstore/fulcio/pull/352
    • Initialize CT log client once by @nsmith5 in https://github.com/sigstore/fulcio/pull/350
    • Make the invalid CA error message actionable by @tstromberg in https://github.com/sigstore/fulcio/pull/356
    • Bump go.step.sm/crypto from 0.14.0 to 0.15.0 by @dependabot in https://github.com/sigstore/fulcio/pull/359
    • Bump golang from d7f2f6f to 301609e by @dependabot in https://github.com/sigstore/fulcio/pull/358
    • Update README for V1 Fulcio cert by @haydentherapper in https://github.com/sigstore/fulcio/pull/355
    • Improve error message when an invalid OIDC issuer is provided by @tstromberg in https://github.com/sigstore/fulcio/pull/357
    • Make CA explicit dependency of API handler by @nsmith5 in https://github.com/sigstore/fulcio/pull/354
    • Include instructions to download and verify the fulcio root certificate with TUF by @asraa in https://github.com/sigstore/fulcio/pull/361
    • Bump github.com/prometheus/client_golang from 1.12.0 to 1.12.1 by @dependabot in https://github.com/sigstore/fulcio/pull/362
    • Bump google.golang.org/api from 0.65.0 to 0.66.0 by @dependabot in https://github.com/sigstore/fulcio/pull/363
    • Bump go.step.sm/crypto from 0.15.0 to 0.15.1 by @dependabot in https://github.com/sigstore/fulcio/pull/377
    • Address signingCert panic with the last-byte calculation of finalChainPEM by @tstromberg in https://github.com/sigstore/fulcio/pull/370
    • Upgrade miekg/pkcs11 library from v1.0.3 to v1.1.1 by @tstromberg in https://github.com/sigstore/fulcio/pull/376
    • Move OID information to docs directory and reformat by @nsmith5 in https://github.com/sigstore/fulcio/pull/378
    • Bump ossf/scorecard-action from 1.0.2 to 1.0.3 by @dependabot in https://github.com/sigstore/fulcio/pull/367
    • Move sec model out of readme by @nsmith5 in https://github.com/sigstore/fulcio/pull/382
    • Bump github/codeql-action from 1.0.30 to 1.0.31 by @dependabot in https://github.com/sigstore/fulcio/pull/366
    • Add Logo to README by @nsmith5 in https://github.com/sigstore/fulcio/pull/381
    • Bump google.golang.org/api from 0.66.0 to 0.67.0 by @dependabot in https://github.com/sigstore/fulcio/pull/385
    • Move CTL logging logic over to CTL package by @nsmith5 in https://github.com/sigstore/fulcio/pull/353
    • Document the certificate issuing process by @nsmith5 in https://github.com/sigstore/fulcio/pull/383
    • Add AKS as a meta issuer by @tcnghia in https://github.com/sigstore/fulcio/pull/384
    • Allow parameterized application/json content types by @loosebazooka in https://github.com/sigstore/fulcio/pull/386
    • Improve error messages returned by SigningCert by @tstromberg in https://github.com/sigstore/fulcio/pull/388
    • Update warning text. by @dlorenc in https://github.com/sigstore/fulcio/pull/389
    • Remove organization from subject for GCP CAS issuer by @haydentherapper in https://github.com/sigstore/fulcio/pull/391
    • Bump github/codeql-action from 1.0.31 to 1.0.32 by @dependabot in https://github.com/sigstore/fulcio/pull/392
    • Bump go.uber.org/zap from 1.20.0 to 1.21.0 by @dependabot in https://github.com/sigstore/fulcio/pull/393
    • Count HTTP request error codes with prometheus by @priyawadhwa in https://github.com/sigstore/fulcio/pull/396
    • Bump google.golang.org/api from 0.67.0 to 0.68.0 by @dependabot in https://github.com/sigstore/fulcio/pull/399
    • Add feature stability and deprecation docs by @priyawadhwa in https://github.com/sigstore/fulcio/pull/400
    • Bump actions/setup-go from 2.1.5 to 2.2.0 by @dependabot in https://github.com/sigstore/fulcio/pull/402
    • Bump golang from 301609e to fff998d by @dependabot in https://github.com/sigstore/fulcio/pull/401
    • Bump golang from 1.17.6 to 1.17.7 by @dependabot in https://github.com/sigstore/fulcio/pull/403
    • update cross-build to use go 1.17.7 by @cpanato in https://github.com/sigstore/fulcio/pull/404
    • Bump github/codeql-action from 1.0.32 to 1.1.0 by @dependabot in https://github.com/sigstore/fulcio/pull/406
    • Bump cloud.google.com/go/security from 1.1.1 to 1.2.0 by @dependabot in https://github.com/sigstore/fulcio/pull/408
    • Fixing link to external resources by @endorama in https://github.com/sigstore/fulcio/pull/411
    • Bump google.golang.org/api from 0.68.0 to 0.69.0 by @dependabot in https://github.com/sigstore/fulcio/pull/412
    • add securityContext to deployment by @k4leung4 in https://github.com/sigstore/fulcio/pull/420
    • Extract CA/KMS support from README by @endorama in https://github.com/sigstore/fulcio/pull/409
    • Add unit tests for oidc-EmailFromIDToken method by @elizabetht in https://github.com/sigstore/fulcio/pull/413
    • Return an error if we fail to get the Root cert. by @vaikas in https://github.com/sigstore/fulcio/pull/416
    • drop -dev suffix for namespace and service account. by @k4leung4 in https://github.com/sigstore/fulcio/pull/418
    • Extract development documentation from README by @endorama in https://github.com/sigstore/fulcio/pull/410
    • Bump github/codeql-action from 1.1.0 to 1.1.2 by @dependabot in https://github.com/sigstore/fulcio/pull/424
    • Bump ossf/scorecard-action from 1.0.3 to 1.0.4 by @dependabot in https://github.com/sigstore/fulcio/pull/425
    • Bump golang from 1a35cc2 to 2c92978 by @dependabot in https://github.com/sigstore/fulcio/pull/423
    • create namespace as part of config yaml by @k4leung4 in https://github.com/sigstore/fulcio/pull/422
    • Bump golang from 2c92978 to e06c834 by @dependabot in https://github.com/sigstore/fulcio/pull/426
    • Take advantage of Chainguard maintained versions of various actions. by @mattmoor in https://github.com/sigstore/fulcio/pull/427
    • Automate release by @k4leung4 in https://github.com/sigstore/fulcio/pull/407
    • Add missing testing dependency by @nsmith5 in https://github.com/sigstore/fulcio/pull/429
    • Bump google.golang.org/api from 0.69.0 to 0.70.0 by @dependabot in https://github.com/sigstore/fulcio/pull/432
    • explicitly set permissions for github workflows by @k4leung4 in https://github.com/sigstore/fulcio/pull/433
    • Bump cloud.google.com/go/security from 1.2.0 to 1.2.1 by @dependabot in https://github.com/sigstore/fulcio/pull/431
    • add indent to fix yaml error by @bobcallaway in https://github.com/sigstore/fulcio/pull/434
    • Bump github.com/magiconair/properties from 1.8.5 to 1.8.6 by @dependabot in https://github.com/sigstore/fulcio/pull/436
    • Bump github/codeql-action from 1.1.2 to 1.1.3 by @dependabot in https://github.com/sigstore/fulcio/pull/435
    • Bump golangci/golangci-lint-action from 2.5.2 to 3 by @dependabot in https://github.com/sigstore/fulcio/pull/438
    • Bump golangci/golangci-lint-action from 3.0.0 to 3.1.0 by @dependabot in https://github.com/sigstore/fulcio/pull/439
    • Bump actions/setup-go from 2.2.0 to 3.0.0 by @dependabot in https://github.com/sigstore/fulcio/pull/440
    • Bump golang from e06c834 to c2ca472 by @dependabot in https://github.com/sigstore/fulcio/pull/442
    • Bump actions/checkout from 2 to 3 by @dependabot in https://github.com/sigstore/fulcio/pull/443
    • Mirror signed release images from GCR to GHCR as part of release with Cloud Build. by @k4leung4 in https://github.com/sigstore/fulcio/pull/441
    • Move CI private-ca YAML to subdir by @k4leung4 in https://github.com/sigstore/fulcio/pull/446
    • Bump golang from c2ca472 to b983574 by @dependabot in https://github.com/sigstore/fulcio/pull/447
    • Bump cloud.google.com/go/security from 1.2.1 to 1.3.0 by @dependabot in https://github.com/sigstore/fulcio/pull/448
    • add missing target name for cosign copy by @k4leung4 in https://github.com/sigstore/fulcio/pull/450
    • Go update to 1.17.8 and cosign to 1.6.0 by @cpanato in https://github.com/sigstore/fulcio/pull/453
    • Bump actions/upload-artifact from 2.3.1 to 3 by @dependabot in https://github.com/sigstore/fulcio/pull/452
    • Add codecov as github action. by @k4leung4 in https://github.com/sigstore/fulcio/pull/449
    • add changelog for release 0.2.0 by @cpanato in https://github.com/sigstore/fulcio/pull/454
    • Generate release yaml for non-CI builds. by @k4leung4 in https://github.com/sigstore/fulcio/pull/445
    • update action to use git hash by @cpanato in https://github.com/sigstore/fulcio/pull/456
    • release: don't upload local directory by @cpanato in https://github.com/sigstore/fulcio/pull/459
    • Bump go.step.sm/crypto from 0.15.1 to 0.15.2 by @dependabot in https://github.com/sigstore/fulcio/pull/458
    • Bump golang from 0168c35 to ca70980 by @dependabot in https://github.com/sigstore/fulcio/pull/457
    • grant cloud build permissions to github action sa by @k4leung4 in https://github.com/sigstore/fulcio/pull/460
    • Bump github/codeql-action from 1.1.3 to 1.1.4 by @dependabot in https://github.com/sigstore/fulcio/pull/461
    • update dir name after endpoint update. by @k4leung4 in https://github.com/sigstore/fulcio/pull/462
    • Bump google-github-actions/setup-gcloud from 0.5.1 to 0.6.0 by @dependabot in https://github.com/sigstore/fulcio/pull/464
    • Bump google.golang.org/api from 0.70.0 to 0.71.0 by @dependabot in https://github.com/sigstore/fulcio/pull/465
    • release: fix sed to update the manifests by @cpanato in https://github.com/sigstore/fulcio/pull/466
    • Bump golang from ca70980 to c7c9458 by @dependabot in https://github.com/sigstore/fulcio/pull/468
    • Bump github.com/spf13/cobra from 1.3.0 to 1.4.0 by @dependabot in https://github.com/sigstore/fulcio/pull/469
    • Add documentation for OIDC configuration and tokens by @haydentherapper in https://github.com/sigstore/fulcio/pull/467
    • Add URI OIDC type to support URI subjects by @haydentherapper in https://github.com/sigstore/fulcio/pull/455
    • fix sed and update job by @cpanato in https://github.com/sigstore/fulcio/pull/470
    • Use reusable release workflow in sigstore/sigstore by @k4leung4 in https://github.com/sigstore/fulcio/pull/471

    New Contributors

    • @msuozzo made their first contribution in https://github.com/sigstore/fulcio/pull/177
    • @mattmoor made their first contribution in https://github.com/sigstore/fulcio/pull/180
    • @jyotsna-penumaka made their first contribution in https://github.com/sigstore/fulcio/pull/186
    • @avoidik made their first contribution in https://github.com/sigstore/fulcio/pull/192
    • @mbestavros made their first contribution in https://github.com/sigstore/fulcio/pull/187
    • @naveensrinivasan made their first contribution in https://github.com/sigstore/fulcio/pull/210
    • @evanphx made their first contribution in https://github.com/sigstore/fulcio/pull/228
    • @vaikas made their first contribution in https://github.com/sigstore/fulcio/pull/236
    • @asraa made their first contribution in https://github.com/sigstore/fulcio/pull/232
    • @tuananh made their first contribution in https://github.com/sigstore/fulcio/pull/248
    • @n3wscott made their first contribution in https://github.com/sigstore/fulcio/pull/218
    • @nsmith5 made their first contribution in https://github.com/sigstore/fulcio/pull/272
    • @rgerganov made their first contribution in https://github.com/sigstore/fulcio/pull/282
    • @haydentherapper made their first contribution in https://github.com/sigstore/fulcio/pull/286
    • @jdolitsky made their first contribution in https://github.com/sigstore/fulcio/pull/315
    • @ckotzbauer made their first contribution in https://github.com/sigstore/fulcio/pull/306
    • @ereslibre made their first contribution in https://github.com/sigstore/fulcio/pull/325
    • @k4leung4 made their first contribution in https://github.com/sigstore/fulcio/pull/340
    • @znewman01 made their first contribution in https://github.com/sigstore/fulcio/pull/349
    • @tstromberg made their first contribution in https://github.com/sigstore/fulcio/pull/351
    • @tcnghia made their first contribution in https://github.com/sigstore/fulcio/pull/384
    • @elizabetht made their first contribution in https://github.com/sigstore/fulcio/pull/413

    Full Changelog: https://github.com/sigstore/fulcio/compare/v0.1.1...v0.2.0

    Thanks to all contributors!

    Source code(tar.gz)
    Source code(zip)
    fulcio-linux-amd64(22.18 MB)
    fulcio-linux-amd64-keyless.pem(1.06 KB)
    fulcio-linux-amd64-keyless.sig(96 bytes)
    fulcio-linux-amd64.sig(96 bytes)
    fulcio-linux-amd64_0.2.0_linux_amd64.sbom(43.22 KB)
    fulcio-linux-arm(19.51 MB)
    fulcio-linux-arm-keyless.pem(1.06 KB)
    fulcio-linux-arm-keyless.sig(96 bytes)
    fulcio-linux-arm.sig(96 bytes)
    fulcio-linux-arm64(21.45 MB)
    fulcio-linux-arm64-keyless.pem(1.06 KB)
    fulcio-linux-arm64-keyless.sig(96 bytes)
    fulcio-linux-arm64.sig(96 bytes)
    fulcio-linux-arm64_0.2.0_linux_arm64.sbom(43.22 KB)
    fulcio-linux-arm_0.2.0_linux_arm.sbom(43.10 KB)
    fulcio-linux-ppc64le(21.58 MB)
    fulcio-linux-ppc64le-keyless.pem(1.06 KB)
    fulcio-linux-ppc64le-keyless.sig(96 bytes)
    fulcio-linux-ppc64le.sig(96 bytes)
    fulcio-linux-ppc64le_0.2.0_linux_ppc64le.sbom(43.34 KB)
    fulcio-linux-s390x(22.45 MB)
    fulcio-linux-s390x-keyless.pem(1.06 KB)
    fulcio-linux-s390x-keyless.sig(96 bytes)
    fulcio-linux-s390x.sig(96 bytes)
    fulcio-linux-s390x_0.2.0_linux_s390x.sbom(43.22 KB)
    fulcio-v0.2.0.yaml(4.95 KB)
    fulcio_checksums.txt(965 bytes)
    fulcio_checksums.txt-keyless.pem(1.06 KB)
    fulcio_checksums.txt-keyless.sig(96 bytes)
  • v0.1.1(Jul 26, 2021)

    • #142 update go module (dekkagaijin)
    • #146 Validate it's a recognised CA (lukehinds)
    • #145 fulcio-server: add html page when humans reach the server via the browser (cpanato)
    • #147 change or to and for known CA types (runyontr)
    • #149 add pkg/client for (non-generated) client-related utilities (dekkagaijin)
    • #151 Amend HSM cert usage (lukehinds)

    Releases signed against fulcio root with OpenID Account: [email protected]

    Fulcio Rekor entry: https://rekor.sigstore.dev/api/v1/log/entries/2fcb518e8b5b9a2db6a2a332475153a27291b3c9b188b9f2bd9c1b8652358223

    Thanks to all contributors!

    Source code(tar.gz)
    Source code(zip)
    fuclio_cert.pem(952 bytes)
    fulcio(23.77 MB)
    fulcio_signature.sig(104 bytes)
  • 0.1.0(Jul 7, 2021)

    • Implement modular CA and SoftHSM integration #115
    • Clarify some acronyms, add links #121
    • fulcio/e2e: add initial kind cluster deployment to test fulcio server #118
    • Support SPIFFE challenges instead of just emails #107
    • Move OIDC configuration to a nested JSON config file #105
    • Remove the viper config code #103
    • Remove the common name field from the certs #102

    Releases signed against fulcio root with OpenID Account: [email protected]

    Fulcio Rekor entry: https://rekor.sigstore.dev/api/v1/log/entries/e5e7197c84863605b43f67bd4df554b2af6089a28ba881a65dd7e9f0c978c5d7

    Thanks to all contributors!

    Source code(tar.gz)
    Source code(zip)
    fuclio_cert.pem(952 bytes)
    fulcio(23.76 MB)
    fulcio_signature.sig(103 bytes)
Owner
sigstore
Software supply chain transparency