Signing prototype

Overview

sigstore signing CLI tool

⚠️ Not ready for use yet!

sigstore CLI is a generic tool to sign blobs, tarballs, etc., and to establish a trust root using the sigstore signing infrastructure.

For container signing, you want cosign.

Issues
  • Move fulcioroots and tuf packages from cosign

    Summary

    This moves these packages from sigstore/cosign into sigstore/sigstore.

    • pkg/fulcioroots comes from cosign's cmd/cosign/cli/fulcio/[email protected], and drops that package's behavior when the SIGSTORE_ROOT_FILE env var is set -- this will remain in sigstore/cosign.
    • pkg/tuf comes from cosign's pkg/cosign/[email protected] and is otherwise largely unchanged. Some methods were unexported that aren't used outside of this package.

    Part of https://github.com/sigstore/cosign/issues/1865

    Release Note

    pkg/fulcioroots and pkg/tuf are moved from cosign repo
    
    opened by imjasonh 29
  •  community : Contributor ladder

    Description

    I am opening this to ask if there's a contributor ladder defined for sigstore. How do I become an org member?

    I would be happy to help do PR reviews here, hoping to work towards maintainership.

    previous contributions - mainly fuzzing sigstore and integrating with oss-fuzz

    PR's in sigstore

    1. https://github.com/sigstore/sigstore/pull/214
    2. https://github.com/sigstore/sigstore/pull/213
    3. https://github.com/sigstore/sigstore/pull/212
    4. https://github.com/sigstore/sigstore/pull/197
    5. https://github.com/sigstore/sigstore/pull/178
    6. https://github.com/sigstore/sigstore/pull/177
    7. https://github.com/sigstore/sigstore/pull/173
    8. https://github.com/sigstore/sigstore/pull/170
    9. https://github.com/sigstore/sigstore/pull/169
    10. https://github.com/sigstore/sigstore/pull/168
    11. https://github.com/sigstore/sigstore/pull/165
    12. https://github.com/sigstore/sigstore/pull/164
    13. https://github.com/sigstore/sigstore/pull/160
    14. https://github.com/sigstore/sigstore/pull/158
    15. https://github.com/sigstore/sigstore/pull/157
    16. https://github.com/sigstore/sigstore/pull/148
    17. https://github.com/sigstore/sigstore/pull/146
    18. https://github.com/sigstore/sigstore/pull/127

    oss-fuzz and actively maintaining the oss-fuzz issues

    1. https://github.com/google/oss-fuzz/pull/6890
    2. https://github.com/google/oss-fuzz/pull/6927
    3. https://github.com/google/oss-fuzz/pull/6964

    Issues in sigstore

    https://github.com/sigstore/sigstore/issues?q=is%3Aissue+author%3Anaveensrinivasan

    PR's in cosign

    1. https://github.com/sigstore/cosign/pull/1141
    2. https://github.com/sigstore/cosign/pull/1020
    3. https://github.com/sigstore/cosign/pull/1001
    4. https://github.com/sigstore/cosign/pull/971
    5. https://github.com/sigstore/cosign/pull/968
    6. https://github.com/sigstore/cosign/pull/944
    7. https://github.com/sigstore/cosign/pull/124
    8. https://github.com/sigstore/cosign/pull/121
    9. https://github.com/sigstore/cosign/pull/120
    10. https://github.com/sigstore/cosign/pull/119

    Issues in cosign

    https://github.com/sigstore/cosign/issues?q=is%3Aissue+author%3Anaveensrinivasan+

    PR's rekor

    https://github.com/sigstore/rekor/pulls?q=author%3Anaveensrinivasan

    Issues in rekor

    https://github.com/sigstore/rekor/issues?q=author%3Anaveensrinivasan

    cc @lukehinds @dlorenc @bobcallaway

    enhancement 
    opened by naveensrinivasan 23
  • Using sigstore in CNCF projects

    Folks,

    There are a bunch of MPL libraries here: https://github.com/sigstore/sigstore/blob/main/go.mod#L58-L75

    CNCF only allows a handful of MPL'ed libraries from hashicorp: https://github.com/cncf/foundation/blob/main/license-exceptions/cncf-exceptions-2019-11-01.json#L23-L46

    the CNCF policy is written down here: https://github.com/cncf/foundation/tree/main/license-exceptions

    Question is ... what do we do next?

    question 
    opened by dims 13
  • Enforcement of a digest looking like a digest

    Description

    There's an interesting forgery for ECDSA where it's possible to forge a valid signature over a random value for a fixed public key. To defend against this, it's necessary to first hash a message before signing or verifying it. For ED25519, this is handled via a pre-hash, while for ECDSA, it's standard practice to first hash the message.

    However, for the hashedrekord type, it's a requirement that we verify against a digest without hashing again. This is why we support WithDigest. This makes WithDigest unsafe. We can help defend against this if there is a check beforehand that the digest looks like a digest, so a random value isn't accepted. For example, Rekor checks that the digest matches a SHA256 regex.

    This is not a foolproof approach, as it is still possible that a random value looks like a digest; it's just hard to find such a value for this forgery (I think this is true, but I'd need someone more well-versed in elliptic curve crypto to verify this).

    We should add a) warnings in comments about the dangers of verifying with a digest, and b) move the rekor checks into here to enforce that a digest looks like a digest.

    enhancement 
    opened by haydentherapper 12
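
    The pre-verification check proposed in this issue, as an added Go example (not code from sigstore or Rekor): a digest supplied by the caller must have the exact shape of the named algorithm's output before the ECDSA verifier is run on it. The names `ParseDigest`, `VerifyWithDigest` and `Demo`, the algorithm table and the lowercase-only hex rule are assumptions of this example; the key, message and signature are constructed at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

var (
	ErrUnsupportedAlg = errors.New("unsupported digest algorithm")
	ErrDigestShape    = errors.New("value does not look like a digest")
	ErrBadSignature   = errors.New("signature verification failed")
)

// digestSizes lists the accepted algorithms and their output size in bytes
// (the set is an assumption of this example).
var digestSizes = map[string]int{"sha256": 32, "sha384": 48, "sha512": 64}

// lowerHex: only lowercase hex is accepted here (also an assumption).
var lowerHex = regexp.MustCompile(`^[0-9a-f]+$`)

// ParseDigest decodes hexDigest only if it has exactly the shape of an alg
// output. This rejects arbitrary-length or non-hex input; it cannot prove
// that the value was actually produced by hashing a message.
func ParseDigest(alg, hexDigest string) ([]byte, error) {
	size, ok := digestSizes[alg]
	if !ok {
		return nil, fmt.Errorf("%w: %q", ErrUnsupportedAlg, alg)
	}
	if len(hexDigest) != 2*size || !lowerHex.MatchString(hexDigest) {
		return nil, fmt.Errorf("%w: want %d lowercase hex characters for %s",
			ErrDigestShape, 2*size, alg)
	}
	return hex.DecodeString(hexDigest)
}

// VerifyWithDigest verifies an ASN.1 ECDSA signature over a caller-supplied
// digest, and refuses to run the verifier unless the digest is well formed.
func VerifyWithDigest(pub *ecdsa.PublicKey, alg, hexDigest string, sig []byte) error {
	digest, err := ParseDigest(alg, hexDigest)
	if err != nil {
		return err
	}
	if !ecdsa.VerifyASN1(pub, digest, sig) {
		return ErrBadSignature
	}
	return nil
}

// outcome maps an error to a short label so results are easy to compare.
func outcome(err error) string {
	switch {
	case err == nil:
		return "ok"
	case errors.Is(err, ErrDigestShape):
		return "shape"
	case errors.Is(err, ErrUnsupportedAlg):
		return "alg"
	case errors.Is(err, ErrBadSignature):
		return "signature"
	}
	return "other"
}

// Demo signs a constructed message and runs several digest inputs through
// VerifyWithDigest, returning the outcome label for each case.
func Demo() (map[string]string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	msg := []byte("constructed sample artifact")
	sum := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, sum[:])
	if err != nil {
		return nil, err
	}
	good := hex.EncodeToString(sum[:])
	other := sha256.Sum256([]byte("a different artifact"))

	inputs := map[string][2]string{ // case name -> {algorithm, hex value}
		"valid":       {"sha256", good},
		"truncated":   {"sha256", good[:40]},
		"not-hex":     {"sha256", good[:63] + "g"},
		"raw-message": {"sha256", hex.EncodeToString(msg)},
		"wrong-alg":   {"sha512", good},
		"unknown-alg": {"md5", good[:32]},
		"mismatch":    {"sha256", hex.EncodeToString(other[:])},
	}
	results := make(map[string]string, len(inputs))
	for name, in := range inputs {
		results[name] = outcome(VerifyWithDigest(&priv.PublicKey, in[0], in[1], sig))
	}
	return results, nil
}

func main() {
	results, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"valid", "truncated", "not-hex", "raw-message",
		"wrong-alg", "unknown-alg", "mismatch"} {
		fmt.Printf("%-12s %s\n", name, results[name])
	}
}
```

    The `mismatch` case passes the shape check and is rejected only by the signature check, which is the limit the issue itself notes: the gate filters malformed input, it does not replace hashing the message.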
  • Add `signature` library

    The goal is to make it as easy as possible to put the business logic in pkg, re-use pkg across projects within sigstore, and allow third parties to build on top of these libraries (e.g. to implement CI plugins).

    TODOs:

    • refactor existing libs in sigstore and cosign
    • implement TPM signer

    Signed-off-by: Jake Sanders [email protected]

    opened by dekkagaijin 12
  • Idp specific default flows

    Suggestion: Adding interactive flows for each specific identity provider, allowing users to skip the main idp selection page. I think one less click can improve the UX a bit. Further UX improvement is gained when the browser uses a default idp account, as the user may not need to interactively intervene at all. Such a pseudo-auto flow may also be valuable in automation use cases, for example a git hook signing SLSA provenance.

    Hope this helps. mikey strauss

    opened by houdini91 9
  • pkg/signature/kms doesn't depend on kms impls

    Summary

    Clients who want to enable specific kms implementations can import (or underscore-import) specific KMS impls they want, and otherwise don't have to depend on them.

    Release Note

    Specific kms implementations that are needed must be explicitly imported for init-time setup.
    
    opened by imjasonh 8
  • KMS: Change how the Azure authentication method is handled

    Summary

    This patch removes the requirement of having the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET set to use the Azure KMS (KeyVault).

    By removing the requirement, we enable usage of MSI (Managed Service Identity) through the NewAuthorizerFromEnvironment() and we at the same time add support for the NewAuthorizerFromCLI().

    By splitting the function of calculating what method to use into its own function, getAuthenticationMethod(), it's possible to test the logic separately.

    We also introduce the new environment variable AZURE_AUTH_METHOD which if set to environment will use FromEnvironment() (may be useful for the MSI case) and if set to cli will use FromCLI().

    If nothing is defined, FromEnvironment() will be tested first and then FromCLI(). :^)

    Ticket Link

    Fixes #223

    Release Note

    Add support for more Azure KMS authentication methods.
    
    opened by simongottschlag 8
  • Feat : Fuzzing

    Enabling fuzzing for sigstore.

    The first steps into fuzzing Sigstore. The goal is to integrate this into oss-fuzz using libfuzzer https://google.github.io/oss-fuzz/getting-started/new-project-guide/go-lang/ and https://security.googleblog.com/2021/11/clusterfuzzlite-continuous-fuzzing-for.html

    Signed-off-by: naveen [email protected]

    opened by naveensrinivasan 8
  • convert signature library to implement crypto.Signer interface

    This is the first step of several to try to have a signature library that can be used across all of sigstore's golang projects.

    1. Have all non-KMS implementations implement crypto.Signer interface
    2. Support hash algorithms other than SHA256
    3. Replaces calls of fmt.Print(f|ln) to log.Printf()
    4. Adds public key caching support for KMS providers
    5. Use correct hashing algorithm per KMS provider response
    opened by bobcallaway 8
  • Hashivault KMS provider public key vs. verify

    There's an issue with the hashivault provider that I haven't quite been able to pin down yet. I noticed it while testing https://github.com/sigstore/cosign/pull/278, so the bug may not actually be here.

    The existing PR works when you sign/verify with the provider API itself, but does not work when you verify against the exported public key. That is:

    cosign sign -key hashivault://foo followed by cosign verify -key hashivault://foo works

    but

    cosign sign -key hashivault://foo followed by cosign public-key -key hashivault://foo > hk.pub && cosign verify -key hk.pub does not work.

    opened by dlorenc 7
  • tuf: add a method to retrieve rekor public keys

    Signed-off-by: Asra Ali [email protected]

    Summary

    • Adds a wrapper method to get rekor public keys, to use in cosign

    I expect that with this method, we can now set sign/verify opts to include RekorPubKeys, so that people can define this themselves when they cosign as a library. This is how the fulcio roots works as well.

    Ticket Link

    Fixes

    Release Note

    
    
    opened by asraa 0
  • Merge 'cosign/pkg/providers' into sigstore/sigstore.

    Summary

    Merge 'cosign/pkg/providers' into sigstore/sigstore.

    This upstreams cosign's provider packages into sigstore/sigstore so that other tools like gitsign can use them without needing to depend on cosign. These packages are generic enough that they seem like a good fit here to be shared across sigstore projects.

    This was intentionally done as a merge so that commit history is preserved for both the sigstore repo and the commits that are coming from cosign.

    That said, we could also do this as a rebase on top of sigstore (would rewrite all commit times for cosign commits) or a single squash commit (all changes attributed to 1 commit). Let me know if you have thoughts on this.

    Ticket Link

    Part of https://github.com/sigstore/gitsign/issues/62

    Release Note

    cosign's OAuth provider packages are now available in sigstore/sigstore.
    
    opened by wlynch 10
  • verification of `gcpkms://` requires overly broad permissions

    Description

    I was looking at the permissions needed by the ClusterImagePolicy -> ConfigMap reconciler to deal with KMS, and it seems to require cloudkms.cryptoKeys.get, where I'd expect it to only need cloudkms.cryptoKeyVersions.viewPublicKey.

    I can understand the signing path requiring more capabilities, but for things like the admission controller and cosign verify flows, it should be doable by folks that only have public key access.

    cc @dekkagaijin @imjasonh

    bug 
    opened by mattmoor 1
  • Followups from #435

    Followups from https://github.com/sigstore/sigstore/pull/435

    • [x] remove panic in fulcioroots.Get()
    • [ ] add doc comments for un-doc-commented exported methods (or unexport them if appropriate)
    • [x] drop dependency on GCS and just make regular HTTP calls directly https://github.com/sigstore/cosign/pull/1967
    • [ ] bump version: 3 in root.json (https://github.com/sigstore/sigstore/pull/435#discussion_r874926503)

    /assign @haydentherapper

    enhancement 
    opened by imjasonh 11
  • Improve design of OAuth success HTML page

    Description

    Currently, when you successfully get through an OAuth flow, you're met with this page:

    Screen Shot 2022-05-07 at 1 51 41 PM

    Good stuff:

    • it's small and simple
    • it's fast to load
    • it's clear about what to do next

    Bad stuff:

    • it's black Times New Roman on white background (not Sigstore branding)

    I think we have an opportunity to make this page feel really cohesive with the rest of the Sigstore brand. We shouldn't take this as an opportunity to load the page down with a bunch of CSS/JS/images, but I think there are improvements we could make, like:

    • add a Sigstore logo
    • use Sigstore's font/coloring
    • ~~add a button to close, or maybe even "press space to close" -- JS won't let you close a window without some user action, but I think keyboard event should work.~~ edit: browsers no longer allow this

    After https://github.com/sigstore/sigstore/pull/425 we'll only have one copy of this HTML, here:

    https://github.com/sigstore/sigstore/blob/9a39e97a01521211a31ecc8c29ecf4545be3a73f/pkg/oauth/interactive.go#L19-L25

    enhancement 
    opened by imjasonh 1
Releases (v1.3.0)
  • v1.3.0 (Jun 24, 2022)

    What's Changed

    • Bump github.com/aws/aws-sdk-go from 1.43.24 to 1.43.26 by @dependabot in https://github.com/sigstore/sigstore/pull/349
    • Bump github.com/hashicorp/vault/api from 1.4.1 to 1.5.0 by @dependabot in https://github.com/sigstore/sigstore/pull/348
    • Add method to validate public key by @haydentherapper in https://github.com/sigstore/sigstore/pull/344
    • Makefile: Install golangci lint by @hectorj2f in https://github.com/sigstore/sigstore/pull/350
    • Bump github.com/go-rod/rod from 0.104.1 to 0.104.2 by @dependabot in https://github.com/sigstore/sigstore/pull/352
    • Bump github.com/aws/aws-sdk-go from 1.43.26 to 1.43.27 by @dependabot in https://github.com/sigstore/sigstore/pull/351
    • Bump github.com/Azure/azure-sdk-for-go from 62.3.0+incompatible to 63.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/354
    • Bump github.com/aws/aws-sdk-go from 1.43.27 to 1.43.28 by @dependabot in https://github.com/sigstore/sigstore/pull/355
    • Bump github.com/go-rod/rod from 0.104.2 to 0.104.4 by @dependabot in https://github.com/sigstore/sigstore/pull/358
    • Bump github/codeql-action from 1.1.5 to 2.1.6 by @dependabot in https://github.com/sigstore/sigstore/pull/356
    • Bump actions/cache from 3.0.0 to 3.0.1 by @dependabot in https://github.com/sigstore/sigstore/pull/357
    • oidc: set the redirect url if needed by @hectorj2f in https://github.com/sigstore/sigstore/pull/353
    • Fix regex for matching GCP KMS key by @haydentherapper in https://github.com/sigstore/sigstore/pull/359
    • Bump github.com/aws/aws-sdk-go from 1.43.28 to 1.43.29 by @dependabot in https://github.com/sigstore/sigstore/pull/360
    • Bump github.com/aws/aws-sdk-go from 1.43.29 to 1.43.30 by @dependabot in https://github.com/sigstore/sigstore/pull/363
    • Bump github.com/Azure/go-autorest/autorest from 0.11.24 to 0.11.25 by @dependabot in https://github.com/sigstore/sigstore/pull/362
    • update boulder dependency to remove some syslog dependencies that affect windows build by @cpanato in https://github.com/sigstore/sigstore/pull/364
    • Add fake signer that implements KMS interface by @haydentherapper in https://github.com/sigstore/sigstore/pull/361
    • fix if check in the release job by @cpanato in https://github.com/sigstore/sigstore/pull/365
    • fix missing curly brackets by @cpanato in https://github.com/sigstore/sigstore/pull/366
    • Bump github.com/aws/aws-sdk-go from 1.43.30 to 1.43.31 by @dependabot in https://github.com/sigstore/sigstore/pull/367
    • chore: set redirect URL in doOobFlow by @hectorj2f in https://github.com/sigstore/sigstore/pull/368
    • Bump github.com/aws/aws-sdk-go from 1.43.31 to 1.43.33 by @dependabot in https://github.com/sigstore/sigstore/pull/373
    • Bump github/codeql-action from 2.1.6 to 2.1.7 by @dependabot in https://github.com/sigstore/sigstore/pull/372
    • Bump google-github-actions/auth from 0.6.0 to 0.7.0 by @dependabot in https://github.com/sigstore/sigstore/pull/371
    • Bump github.com/Azure/azure-sdk-for-go from 63.0.0+incompatible to 63.1.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/369
    • Bump github.com/aws/aws-sdk-go from 1.43.33 to 1.43.34 by @dependabot in https://github.com/sigstore/sigstore/pull/375
    • Bump github.com/aws/aws-sdk-go from 1.43.34 to 1.43.36 by @dependabot in https://github.com/sigstore/sigstore/pull/379
    • Bump github/codeql-action from 2.1.7 to 2.1.8 by @dependabot in https://github.com/sigstore/sigstore/pull/378
    • Bump github.com/go-rod/rod from 0.104.4 to 0.105.0 by @dependabot in https://github.com/sigstore/sigstore/pull/377
    • Update to go 1.17 / 1.18 by @lukehinds in https://github.com/sigstore/sigstore/pull/374
    • Bump github.com/aws/aws-sdk-go from 1.43.36 to 1.43.37 by @dependabot in https://github.com/sigstore/sigstore/pull/382
    • Bump github.com/go-rod/rod from 0.105.0 to 0.105.1 by @dependabot in https://github.com/sigstore/sigstore/pull/383
    • Bump github.com/Azure/azure-sdk-for-go from 63.1.0+incompatible to 63.2.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/385
    • Bump actions/cache from 3.0.1 to 3.0.2 by @dependabot in https://github.com/sigstore/sigstore/pull/381
    • run tests with go1.17 and go1.18 by @cpanato in https://github.com/sigstore/sigstore/pull/380
    • Bump github.com/aws/aws-sdk-go from 1.43.37 to 1.43.39 by @dependabot in https://github.com/sigstore/sigstore/pull/387
    • Bump github.com/aws/aws-sdk-go from 1.43.39 to 1.43.40 by @dependabot in https://github.com/sigstore/sigstore/pull/389
    • Bump actions/checkout from 3.0.0 to 3.0.1 by @dependabot in https://github.com/sigstore/sigstore/pull/388
    • Bump github.com/go-rod/rod from 0.105.1 to 0.106.0 by @dependabot in https://github.com/sigstore/sigstore/pull/390
    • Bump github.com/aws/aws-sdk-go from 1.43.40 to 1.43.41 by @dependabot in https://github.com/sigstore/sigstore/pull/391
    • Bump github.com/Azure/azure-sdk-for-go from 63.2.0+incompatible to 63.3.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/393
    • Bump github.com/Azure/go-autorest/autorest from 0.11.25 to 0.11.26 by @dependabot in https://github.com/sigstore/sigstore/pull/392
    • Bump github.com/go-rod/rod from 0.106.0 to 0.106.1 by @dependabot in https://github.com/sigstore/sigstore/pull/395
    • Add a helper method to parse a PEM-encoded CSR by @haydentherapper in https://github.com/sigstore/sigstore/pull/394
    • Bump github.com/aws/aws-sdk-go from 1.43.41 to 1.43.43 by @dependabot in https://github.com/sigstore/sigstore/pull/398
    • Add method for generating certificate serial number by @haydentherapper in https://github.com/sigstore/sigstore/pull/399
    • Bump github.com/aws/aws-sdk-go from 1.43.43 to 1.43.44 by @dependabot in https://github.com/sigstore/sigstore/pull/402
    • Bump actions/checkout from 3.0.1 to 3.0.2 by @dependabot in https://github.com/sigstore/sigstore/pull/401
    • make target integration by @sallyom in https://github.com/sigstore/sigstore/pull/400
    • Bump github.com/Azure/go-autorest/autorest from 0.11.26 to 0.11.27 by @dependabot in https://github.com/sigstore/sigstore/pull/404
    • Bump github.com/aws/aws-sdk-go from 1.43.44 to 1.43.45 by @dependabot in https://github.com/sigstore/sigstore/pull/405
    • Add error type for kms.Get when provider not found by @znewman01 in https://github.com/sigstore/sigstore/pull/407
    • Bump github.com/Azure/azure-sdk-for-go from 63.3.0+incompatible to 63.4.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/409
    • Bump github.com/aws/aws-sdk-go from 1.43.45 to 1.44.0 by @dependabot in https://github.com/sigstore/sigstore/pull/410
    • Bump google-github-actions/auth from 0.7.0 to 0.7.1 by @dependabot in https://github.com/sigstore/sigstore/pull/408
    • Bump github.com/aws/aws-sdk-go from 1.44.0 to 1.44.1 by @dependabot in https://github.com/sigstore/sigstore/pull/412
    • Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 by @dependabot in https://github.com/sigstore/sigstore/pull/411
    • Bump github.com/aws/aws-sdk-go from 1.44.1 to 1.44.2 by @dependabot in https://github.com/sigstore/sigstore/pull/413
    • Bump github.com/go-rod/rod from 0.106.1 to 0.106.2 by @dependabot in https://github.com/sigstore/sigstore/pull/414
    • Bump github/codeql-action from 2.1.8 to 2.1.9 by @dependabot in https://github.com/sigstore/sigstore/pull/415
    • Bump github.com/go-rod/rod from 0.106.2 to 0.106.4 by @dependabot in https://github.com/sigstore/sigstore/pull/417
    • Bump github.com/aws/aws-sdk-go from 1.44.2 to 1.44.3 by @dependabot in https://github.com/sigstore/sigstore/pull/416
    • Bump github.com/aws/aws-sdk-go from 1.44.2 to 1.44.4 by @dependabot in https://github.com/sigstore/sigstore/pull/418
    • chore(deps): Included dependency review by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/406
    • Call ValidReference in all KMS cases by @imjasonh in https://github.com/sigstore/sigstore/pull/419
    • Bump github.com/aws/aws-sdk-go from 1.44.4 to 1.44.5 by @dependabot in https://github.com/sigstore/sigstore/pull/420
    • Bump github.com/go-rod/rod from 0.106.4 to 0.106.5 by @dependabot in https://github.com/sigstore/sigstore/pull/421
    • Bump github.com/aws/aws-sdk-go from 1.44.5 to 1.44.7 by @dependabot in https://github.com/sigstore/sigstore/pull/422
    • Bump github.com/aws/aws-sdk-go from 1.44.7 to 1.44.8 by @dependabot in https://github.com/sigstore/sigstore/pull/423
    • Bump github.com/aws/aws-sdk-go from 1.44.8 to 1.44.9 by @dependabot in https://github.com/sigstore/sigstore/pull/424
    • Remove copy of OAuth success HTML by @imjasonh in https://github.com/sigstore/sigstore/pull/425
    • Bump github.com/go-rod/rod from 0.106.5 to 0.106.6 by @dependabot in https://github.com/sigstore/sigstore/pull/427
    • Bump github.com/aws/aws-sdk-go from 1.44.9 to 1.44.10 by @dependabot in https://github.com/sigstore/sigstore/pull/428
    • Bump github.com/Azure/azure-sdk-for-go from 63.4.0+incompatible to 64.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/429
    • Bump github.com/aws/aws-sdk-go from 1.44.10 to 1.44.11 by @dependabot in https://github.com/sigstore/sigstore/pull/432
    • Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 by @dependabot in https://github.com/sigstore/sigstore/pull/433
    • Bump github.com/aws/aws-sdk-go from 1.44.11 to 1.44.12 by @dependabot in https://github.com/sigstore/sigstore/pull/434
    • Bump github/codeql-action from 2.1.9 to 2.1.10 by @dependabot in https://github.com/sigstore/sigstore/pull/431
    • Bump github.com/coreos/go-oidc/v3 from 3.1.0 to 3.2.0 by @dependabot in https://github.com/sigstore/sigstore/pull/437
    • Add method to unmarshal certificates with a limit by @haydentherapper in https://github.com/sigstore/sigstore/pull/430
    • Add unsafe verifier to verify signatures with SHA1 digests by @haydentherapper in https://github.com/sigstore/sigstore/pull/441
    • Bump github.com/aws/aws-sdk-go from 1.44.12 to 1.44.13 by @dependabot in https://github.com/sigstore/sigstore/pull/440
    • Bump github/codeql-action from 75b4f1c4669133dc294b06c2794e969efa2e5316 to 2.1.10 by @dependabot in https://github.com/sigstore/sigstore/pull/439
    • Bump actions/setup-go from 3.0.0 to 3.1.0 by @dependabot in https://github.com/sigstore/sigstore/pull/438
    • Bump github.com/aws/aws-sdk-go from 1.44.13 to 1.44.14 by @dependabot in https://github.com/sigstore/sigstore/pull/443
    • Bump actions/dependency-review-action from 3f943b86c9a289f4e632c632695e2e0898d9d67d to 1 by @dependabot in https://github.com/sigstore/sigstore/pull/442
    • Remove dependency on deprecated github.com/pkg/errors by @imjasonh in https://github.com/sigstore/sigstore/pull/444
    • Bump google-github-actions/auth from 0.7.1 to 0.7.2 by @dependabot in https://github.com/sigstore/sigstore/pull/446
    • Bump github.com/aws/aws-sdk-go from 1.44.14 to 1.44.15 by @dependabot in https://github.com/sigstore/sigstore/pull/447
    • Bump github.com/Azure/azure-sdk-for-go from 64.0.0+incompatible to 64.1.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/445
    • Bump github/codeql-action from 2.1.10 to 2.1.11 by @dependabot in https://github.com/sigstore/sigstore/pull/448
    • Bump github.com/aws/aws-sdk-go from 1.44.15 to 1.44.16 by @dependabot in https://github.com/sigstore/sigstore/pull/449
    • Bump github.com/go-rod/rod from 0.106.6 to 0.106.7 by @dependabot in https://github.com/sigstore/sigstore/pull/450
    • Bump github.com/google/go-containerregistry from 0.8.0 to 0.9.0 by @dependabot in https://github.com/sigstore/sigstore/pull/451
    • Bump github.com/aws/aws-sdk-go from 1.44.16 to 1.44.17 by @dependabot in https://github.com/sigstore/sigstore/pull/453
    • Bump google-github-actions/auth from 0.7.2 to 0.7.3 by @dependabot in https://github.com/sigstore/sigstore/pull/452
    • Bump github.com/go-rod/rod from 0.106.7 to 0.106.8 by @dependabot in https://github.com/sigstore/sigstore/pull/454
    • Bump actions/upload-artifact from 3.0.0 to 3.1.0 by @dependabot in https://github.com/sigstore/sigstore/pull/456
    • Bump github.com/aws/aws-sdk-go from 1.44.17 to 1.44.18 by @dependabot in https://github.com/sigstore/sigstore/pull/455
    • Bump github.com/aws/aws-sdk-go from 1.44.18 to 1.44.19 by @dependabot in https://github.com/sigstore/sigstore/pull/457
    • Bump github.com/aws/aws-sdk-go from 1.44.19 to 1.44.20 by @dependabot in https://github.com/sigstore/sigstore/pull/461
    • Bump github.com/Azure/azure-sdk-for-go from 64.1.0+incompatible to 65.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/460
    • Bump actions/dependency-review-action from 1.0.1 to 1.0.2 by @dependabot in https://github.com/sigstore/sigstore/pull/459
    • Bump google-github-actions/auth from 0.7.3 to 0.8.0 by @dependabot in https://github.com/sigstore/sigstore/pull/458
    • Bump github.com/aws/aws-sdk-go from 1.44.20 to 1.44.21 by @dependabot in https://github.com/sigstore/sigstore/pull/464
    • Bump github.com/hashicorp/vault/api from 1.5.0 to 1.6.0 by @dependabot in https://github.com/sigstore/sigstore/pull/463
    • Bump github.com/aws/aws-sdk-go from 1.44.21 to 1.44.22 by @dependabot in https://github.com/sigstore/sigstore/pull/465
    • Update go-tuf to pick up security fixes by @haydentherapper in https://github.com/sigstore/sigstore/pull/462
    • Export providerInit type by @imjasonh in https://github.com/sigstore/sigstore/pull/466
    • Bump actions/setup-go from 3.1.0 to 3.2.0 by @dependabot in https://github.com/sigstore/sigstore/pull/469
    • Bump github.com/aws/aws-sdk-go from 1.44.22 to 1.44.23 by @dependabot in https://github.com/sigstore/sigstore/pull/470
    • Bump github.com/go-rod/rod from 0.106.8 to 0.107.0 by @dependabot in https://github.com/sigstore/sigstore/pull/471
    • update error message for pkg/signature/ecdsa.go when checking the VerifyASN1 by @cpanato in https://github.com/sigstore/sigstore/pull/473
    • Bump github.com/aws/aws-sdk-go from 1.44.23 to 1.44.24 by @dependabot in https://github.com/sigstore/sigstore/pull/474
    • Allow passing options to GCP's LoadSignVerifier. by @mattmoor in https://github.com/sigstore/sigstore/pull/468
    • Migrate AWK KMS to use the v2 SDK. by @mattmoor in https://github.com/sigstore/sigstore/pull/475
    • Bump google.golang.org/api from 0.75.0 to 0.81.0 by @dependabot in https://github.com/sigstore/sigstore/pull/476
    • fix uppercase err msgs to quiet golangci-lint by @bobcallaway in https://github.com/sigstore/sigstore/pull/477
    • Bump actions/cache from 3.0.2 to 3.0.3 by @dependabot in https://github.com/sigstore/sigstore/pull/478
    • Bump github.com/secure-systems-lab/go-securesystemslib from 0.3.1 to 0.4.0 by @dependabot in https://github.com/sigstore/sigstore/pull/482
    • Bump github.com/aws/aws-sdk-go from 1.44.24 to 1.44.26 by @dependabot in https://github.com/sigstore/sigstore/pull/481
    • Bump github/codeql-action from 2.1.11 to 2.1.12 by @dependabot in https://github.com/sigstore/sigstore/pull/480
    • Bump google.golang.org/api from 0.81.0 to 0.82.0 by @dependabot in https://github.com/sigstore/sigstore/pull/483
    • Autoclose OAuth success page after 5 seconds. by @wlynch in https://github.com/sigstore/sigstore/pull/484
    • Bump github.com/aws/aws-sdk-go from 1.44.26 to 1.44.27 by @dependabot in https://github.com/sigstore/sigstore/pull/485
    • Add a warning when using WithDigest with ECDSA by @haydentherapper in https://github.com/sigstore/sigstore/pull/487
    • Bump github.com/stretchr/testify from 1.7.1 to 1.7.2 by @dependabot in https://github.com/sigstore/sigstore/pull/489
    • Bump github.com/go-rod/rod from 0.107.0 to 0.107.1 by @dependabot in https://github.com/sigstore/sigstore/pull/488
    • Bump google.golang.org/api from 0.82.0 to 0.83.0 by @dependabot in https://github.com/sigstore/sigstore/pull/495
    • Bump github.com/aws/aws-sdk-go-v2 from 1.16.4 to 1.16.5 by @dependabot in https://github.com/sigstore/sigstore/pull/491
    • Bump github.com/aws/aws-sdk-go-v2/config from 1.15.9 to 1.15.10 by @dependabot in https://github.com/sigstore/sigstore/pull/494
    • Bump github.com/aws/aws-sdk-go-v2/service/kms from 1.17.2 to 1.17.3 by @dependabot in https://github.com/sigstore/sigstore/pull/493
    • Bump actions/cache from 3.0.3 to 3.0.4 by @dependabot in https://github.com/sigstore/sigstore/pull/490
    • Bump github.com/aws/aws-sdk-go from 1.44.27 to 1.44.29 by @dependabot in https://github.com/sigstore/sigstore/pull/492
    • Bump github.com/hashicorp/vault/api from 1.6.0 to 1.7.1 by @dependabot in https://github.com/sigstore/sigstore/pull/496
    • Bump github.com/aws/aws-sdk-go from 1.44.29 to 1.44.30 by @dependabot in https://github.com/sigstore/sigstore/pull/497
    • Bump github.com/aws/aws-sdk-go from 1.44.30 to 1.44.31 by @dependabot in https://github.com/sigstore/sigstore/pull/498
    • Bump github.com/hashicorp/vault/api from 1.7.1 to 1.7.2 by @dependabot in https://github.com/sigstore/sigstore/pull/499
    • Move fulcioroots and tuf packages from cosign by @imjasonh in https://github.com/sigstore/sigstore/pull/435
    • Bump github.com/aws/aws-sdk-go from 1.44.31 to 1.44.32 by @dependabot in https://github.com/sigstore/sigstore/pull/501
    • Bump github.com/aws/aws-sdk-go from 1.44.32 to 1.44.33 by @dependabot in https://github.com/sigstore/sigstore/pull/504
    • Lock TUF client during target loading operations by @puerco in https://github.com/sigstore/sigstore/pull/503
    • Bump google.golang.org/api from 0.83.0 to 0.84.0 by @dependabot in https://github.com/sigstore/sigstore/pull/507
    • Bump github.com/aws/aws-sdk-go from 1.44.33 to 1.44.34 by @dependabot in https://github.com/sigstore/sigstore/pull/506
    • Bump github.com/aws/aws-sdk-go from 1.44.33 to 1.44.35 by @dependabot in https://github.com/sigstore/sigstore/pull/508
    • Bump actions/dependency-review-action from 1.0.2 to 2.0.1 by @dependabot in https://github.com/sigstore/sigstore/pull/505
    • Bump actions/dependency-review-action from 2.0.1 to 2.0.2 by @dependabot in https://github.com/sigstore/sigstore/pull/509
    • Bump github.com/aws/aws-sdk-go from 1.44.35 to 1.44.36 by @dependabot in https://github.com/sigstore/sigstore/pull/510
    • Bump github.com/aws/aws-sdk-go-v2/config from 1.15.10 to 1.15.11 by @dependabot in https://github.com/sigstore/sigstore/pull/511
    • Bump github.com/go-rod/rod from 0.107.1 to 0.107.2 by @dependabot in https://github.com/sigstore/sigstore/pull/512
    • Bump github.com/aws/aws-sdk-go from 1.44.36 to 1.44.37 by @dependabot in https://github.com/sigstore/sigstore/pull/513
    • Bump github.com/aws/aws-sdk-go from 1.44.37 to 1.44.38 by @dependabot in https://github.com/sigstore/sigstore/pull/517
    • Bump github.com/stretchr/testify from 1.7.2 to 1.7.3 by @dependabot in https://github.com/sigstore/sigstore/pull/518
    • Bump github.com/stretchr/testify from 1.7.3 to 1.7.4 by @dependabot in https://github.com/sigstore/sigstore/pull/520
    • Bump github.com/aws/aws-sdk-go from 1.44.38 to 1.44.39 by @dependabot in https://github.com/sigstore/sigstore/pull/521
    • Bump github/codeql-action from 2.1.12 to 2.1.13 by @dependabot in https://github.com/sigstore/sigstore/pull/519
    • Revert "Autoclose OAuth success page after 5 seconds. (#484)" by @wlynch in https://github.com/sigstore/sigstore/pull/502
    • oauthflow/interactive: Make input/output configurable. by @wlynch in https://github.com/sigstore/sigstore/pull/514
    • Bump google.golang.org/api from 0.84.0 to 0.85.0 by @dependabot in https://github.com/sigstore/sigstore/pull/523
    • Bump github.com/aws/aws-sdk-go from 1.44.39 to 1.44.40 by @dependabot in https://github.com/sigstore/sigstore/pull/524
    • Bump github.com/Azure/azure-sdk-for-go from 65.0.0+incompatible to 66.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/526
    • add check if transit return nil data by @Dentrax in https://github.com/sigstore/sigstore/pull/515
    • Bump github.com/google/go-containerregistry from 0.9.0 to 0.10.0 by @dependabot in https://github.com/sigstore/sigstore/pull/525
    • Bump github.com/aws/aws-sdk-go from 1.44.40 to 1.44.41 by @dependabot in https://github.com/sigstore/sigstore/pull/529
    • Bump github/codeql-action from 2.1.13 to 2.1.14 by @dependabot in https://github.com/sigstore/sigstore/pull/528

    New Contributors

    • @hectorj2f made their first contribution in https://github.com/sigstore/sigstore/pull/350
    • @sallyom made their first contribution in https://github.com/sigstore/sigstore/pull/400
    • @znewman01 made their first contribution in https://github.com/sigstore/sigstore/pull/407
    • @mattmoor made their first contribution in https://github.com/sigstore/sigstore/pull/468
    • @wlynch made their first contribution in https://github.com/sigstore/sigstore/pull/484
    • @puerco made their first contribution in https://github.com/sigstore/sigstore/pull/503

    Full Changelog: https://github.com/sigstore/sigstore/compare/v1.2.0...v1.3.0

  • v1.2.0(Mar 25, 2022)

    What's Changed

    • Moved dsse to fuzz dir by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/214
    • Bump github.com/Azure/azure-sdk-for-go from 60.3.0+incompatible to 61.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/215
    • Fuzz - Fixed the panic that was caused by incorrect data by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/213
    • Bump github.com/aws/aws-sdk-go from 1.42.25 to 1.42.26 by @dependabot in https://github.com/sigstore/sigstore/pull/216
    • Bump github.com/aws/aws-sdk-go from 1.42.26 to 1.42.27 by @dependabot in https://github.com/sigstore/sigstore/pull/217
    • Bump github.com/aws/aws-sdk-go from 1.42.27 to 1.42.28 by @dependabot in https://github.com/sigstore/sigstore/pull/219
    • Bump github.com/Azure/azure-sdk-for-go from 61.0.0+incompatible to 61.1.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/218
    • Bump github.com/aws/aws-sdk-go from 1.42.28 to 1.42.29 by @dependabot in https://github.com/sigstore/sigstore/pull/220
    • Bump github.com/aws/aws-sdk-go from 1.42.29 to 1.42.31 by @dependabot in https://github.com/sigstore/sigstore/pull/222
    • pin actions by digest; update chrome install to use signed repo by @bobcallaway in https://github.com/sigstore/sigstore/pull/225
    • Bump github.com/aws/aws-sdk-go from 1.42.31 to 1.42.32 by @dependabot in https://github.com/sigstore/sigstore/pull/224
    • Bump github.com/aws/aws-sdk-go from 1.42.32 to 1.42.33 by @dependabot in https://github.com/sigstore/sigstore/pull/227
    • Bump github/codeql-action from 300c8b6dcbaf905eb250b06113e2e62c340a2d20 to 1.0.27 by @dependabot in https://github.com/sigstore/sigstore/pull/226
    • Fix: verify with HashiVault KMS by @blz-ea in https://github.com/sigstore/sigstore/pull/229
    • Bump github.com/aws/aws-sdk-go from 1.42.33 to 1.42.34 by @dependabot in https://github.com/sigstore/sigstore/pull/230
    • Bump github.com/Azure/azure-sdk-for-go from 61.1.0+incompatible to 61.2.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/231
    • KMS: Change how the Azure authentication method is handled by @simongottschlag in https://github.com/sigstore/sigstore/pull/228
    • Bump github.com/aws/aws-sdk-go from 1.42.34 to 1.42.35 by @dependabot in https://github.com/sigstore/sigstore/pull/232
    • Bump github.com/Azure/go-autorest/autorest from 0.11.22 to 0.11.24 by @dependabot in https://github.com/sigstore/sigstore/pull/233
    • Drop SHA1, SHA224 for RSA-PSS/PKCS#1, enforce for RSA-PKCS#1 by @haydentherapper in https://github.com/sigstore/sigstore/pull/234
    • Bump github/codeql-action from 1.0.27 to 1.0.28 by @dependabot in https://github.com/sigstore/sigstore/pull/236
    • Bump github.com/aws/aws-sdk-go from 1.42.35 to 1.42.36 by @dependabot in https://github.com/sigstore/sigstore/pull/235
    • Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 by @dependabot in https://github.com/sigstore/sigstore/pull/237
    • Bump github.com/aws/aws-sdk-go from 1.42.36 to 1.42.37 by @dependabot in https://github.com/sigstore/sigstore/pull/238
    • Bump github.com/Azure/azure-sdk-for-go from 61.2.0+incompatible to 61.3.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/239
    • Fix minor typos for HashiCorp by @jbayer in https://github.com/sigstore/sigstore/pull/240
    • Bump github.com/aws/aws-sdk-go from 1.42.37 to 1.42.38 by @dependabot in https://github.com/sigstore/sigstore/pull/242
    • Bump github/codeql-action from 1.0.28 to 1.0.29 by @dependabot in https://github.com/sigstore/sigstore/pull/241
    • Add subject key ID calculation from public key by @haydentherapper in https://github.com/sigstore/sigstore/pull/243
    • Bump github.com/aws/aws-sdk-go from 1.42.38 to 1.42.39 by @dependabot in https://github.com/sigstore/sigstore/pull/245
    • Bump github/codeql-action from 1.0.29 to 1.0.30 by @dependabot in https://github.com/sigstore/sigstore/pull/244
    • Bump github.com/aws/aws-sdk-go from 1.42.39 to 1.42.40 by @dependabot in https://github.com/sigstore/sigstore/pull/248
    • Wire up html page passed in for interactive OIDC callback server by @n3wscott in https://github.com/sigstore/sigstore/pull/247
    • Bump github.com/aws/aws-sdk-go from 1.42.40 to 1.42.41 by @dependabot in https://github.com/sigstore/sigstore/pull/250
    • Bump github.com/aws/aws-sdk-go from 1.42.41 to 1.42.42 by @dependabot in https://github.com/sigstore/sigstore/pull/251
    • Bump github.com/aws/aws-sdk-go from 1.42.42 to 1.42.43 by @dependabot in https://github.com/sigstore/sigstore/pull/252
    • Add oidc login to vault by @sudo-bmitch in https://github.com/sigstore/sigstore/pull/249
    • Bump github/codeql-action from 1.0.30 to 1.0.31 by @dependabot in https://github.com/sigstore/sigstore/pull/253
    • Bump github.com/aws/aws-sdk-go from 1.42.43 to 1.42.44 by @dependabot in https://github.com/sigstore/sigstore/pull/254
    • Bump github.com/Azure/azure-sdk-for-go from 61.3.0+incompatible to 61.4.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/255
    • Skip strict check on PKCE discovery claim on Azure by @bobcallaway in https://github.com/sigstore/sigstore/pull/246
    • Add ability to specify key version for Hashivault by @bobcallaway in https://github.com/sigstore/sigstore/pull/256
    • update deps by @dekkagaijin in https://github.com/sigstore/sigstore/pull/257
    • Bump github.com/aws/aws-sdk-go from 1.42.45 to 1.42.46 by @dependabot in https://github.com/sigstore/sigstore/pull/258
    • Bump cloud.google.com/go/kms from 1.1.0 to 1.2.0 by @dependabot in https://github.com/sigstore/sigstore/pull/259
    • return version of Vault key via functional option by @bobcallaway in https://github.com/sigstore/sigstore/pull/260
    • Bump github/codeql-action from 1.0.31 to 1.0.32 by @dependabot in https://github.com/sigstore/sigstore/pull/261
    • Bump github.com/aws/aws-sdk-go from 1.42.46 to 1.42.47 by @dependabot in https://github.com/sigstore/sigstore/pull/262
    • Bump github.com/aws/aws-sdk-go from 1.42.47 to 1.42.48 by @dependabot in https://github.com/sigstore/sigstore/pull/264
    • Bump github.com/go-rod/rod from 0.101.8 to 0.102.0 by @dependabot in https://github.com/sigstore/sigstore/pull/265
    • Bump github.com/aws/aws-sdk-go from 1.42.48 to 1.42.49 by @dependabot in https://github.com/sigstore/sigstore/pull/267
    • Bump actions/setup-go from 2.1.5 to 2.2.0 by @dependabot in https://github.com/sigstore/sigstore/pull/266
    • Bump github.com/aws/aws-sdk-go from 1.42.49 to 1.42.50 by @dependabot in https://github.com/sigstore/sigstore/pull/268
    • Bump github.com/go-rod/rod from 0.102.0 to 0.102.1 by @dependabot in https://github.com/sigstore/sigstore/pull/271
    • Bump github.com/aws/aws-sdk-go from 1.42.50 to 1.42.51 by @dependabot in https://github.com/sigstore/sigstore/pull/270
    • Bump github/codeql-action from 1.0.32 to 1.1.0 by @dependabot in https://github.com/sigstore/sigstore/pull/269
    • Bump github.com/aws/aws-sdk-go from 1.42.51 to 1.42.52 by @dependabot in https://github.com/sigstore/sigstore/pull/272
    • Bump github.com/Azure/azure-sdk-for-go from 61.4.0+incompatible to 61.5.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/273
    • Bump cloud.google.com/go/kms from 1.2.0 to 1.3.0 by @dependabot in https://github.com/sigstore/sigstore/pull/274
    • Bump github.com/aws/aws-sdk-go from 1.42.52 to 1.42.53 by @dependabot in https://github.com/sigstore/sigstore/pull/275
    • Bump github.com/aws/aws-sdk-go from 1.42.53 to 1.43.0 by @dependabot in https://github.com/sigstore/sigstore/pull/281
    • Bump github/codeql-action from 1.1.0 to 1.1.2 by @dependabot in https://github.com/sigstore/sigstore/pull/280
    • pkg/signature/kms doesn't depend on kms impls by @imjasonh in https://github.com/sigstore/sigstore/pull/276
    • remove unmaintained test dependency with invalid license by @bobcallaway in https://github.com/sigstore/sigstore/pull/279
    • move e2e tests inline with various implementation packages by @bobcallaway in https://github.com/sigstore/sigstore/pull/282
    • feat(kms): add supported providers func by @Dentrax in https://github.com/sigstore/sigstore/pull/277
    • Bump github.com/aws/aws-sdk-go from 1.43.0 to 1.43.1 by @dependabot in https://github.com/sigstore/sigstore/pull/283
    • Bump github.com/Azure/azure-sdk-for-go from 61.5.0+incompatible to 61.6.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/284
    • Bump github.com/aws/aws-sdk-go from 1.43.1 to 1.43.2 by @dependabot in https://github.com/sigstore/sigstore/pull/285
    • Bump github.com/aws/aws-sdk-go from 1.43.2 to 1.43.3 by @dependabot in https://github.com/sigstore/sigstore/pull/286
    • Bump github.com/aws/aws-sdk-go from 1.43.3 to 1.43.4 by @dependabot in https://github.com/sigstore/sigstore/pull/287
    • Permit usage of signing keys with aws-us-gov arn partitions by @chaospuppy in https://github.com/sigstore/sigstore/pull/289
    • Bump github/codeql-action from 1.1.2 to 1.1.3 by @dependabot in https://github.com/sigstore/sigstore/pull/291
    • Bump github.com/aws/aws-sdk-go from 1.43.4 to 1.43.5 by @dependabot in https://github.com/sigstore/sigstore/pull/292
    • update permissions for codeql by @bobcallaway in https://github.com/sigstore/sigstore/pull/293
    • Bump github.com/aws/aws-sdk-go from 1.43.5 to 1.43.6 by @dependabot in https://github.com/sigstore/sigstore/pull/295
    • Bump golangci/golangci-lint-action from 2.5.2 to 3 by @dependabot in https://github.com/sigstore/sigstore/pull/294
    • Bump hashicorp vault to 1.4.0. by @dlorenc in https://github.com/sigstore/sigstore/pull/297
    • Bump github.com/hashicorp/vault/api from 1.4.0 to 1.4.1 by @dependabot in https://github.com/sigstore/sigstore/pull/298
    • Explicitly run the go setup action. by @dlorenc in https://github.com/sigstore/sigstore/pull/299
    • Bump github.com/secure-systems-lab/go-securesystemslib from 0.3.0 to 0.3.1 by @dependabot in https://github.com/sigstore/sigstore/pull/304
    • Bump golangci/golangci-lint-action from 3.0.0 to 3.1.0 by @dependabot in https://github.com/sigstore/sigstore/pull/300
    • Bump actions/setup-go from 2.2.0 to 3 by @dependabot in https://github.com/sigstore/sigstore/pull/301
    • Bump github.com/aws/aws-sdk-go from 1.43.6 to 1.43.7 by @dependabot in https://github.com/sigstore/sigstore/pull/302
    • Bump github.com/Azure/azure-sdk-for-go from 61.6.0+incompatible to 62.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/303
    • Bump github.com/aws/aws-sdk-go from 1.43.7 to 1.43.8 by @dependabot in https://github.com/sigstore/sigstore/pull/307
    • Bump actions/checkout from 2.4.0 to 3 by @dependabot in https://github.com/sigstore/sigstore/pull/306
    • Bump github.com/aws/aws-sdk-go from 1.43.8 to 1.43.9 by @dependabot in https://github.com/sigstore/sigstore/pull/309
    • Bump actions/upload-artifact from 2.3.1 to 3 by @dependabot in https://github.com/sigstore/sigstore/pull/310
    • Bump cloud.google.com/go/kms from 1.3.0 to 1.4.0 by @dependabot in https://github.com/sigstore/sigstore/pull/311
    • Bump github.com/aws/aws-sdk-go from 1.43.9 to 1.43.10 by @dependabot in https://github.com/sigstore/sigstore/pull/312
    • Bump github.com/go-rod/rod from 0.102.1 to 0.103.0 by @dependabot in https://github.com/sigstore/sigstore/pull/313
    • Bump github.com/aws/aws-sdk-go from 1.43.10 to 1.43.11 by @dependabot in https://github.com/sigstore/sigstore/pull/314
    • Bump github.com/aws/aws-sdk-go from 1.43.11 to 1.43.12 by @dependabot in https://github.com/sigstore/sigstore/pull/316
    • Bump github.com/Azure/azure-sdk-for-go from 62.0.0+incompatible to 62.1.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/317
    • Bump github.com/aws/aws-sdk-go from 1.43.12 to 1.43.13 by @dependabot in https://github.com/sigstore/sigstore/pull/319
    • Bump github/codeql-action from 1.1.3 to 1.1.4 by @dependabot in https://github.com/sigstore/sigstore/pull/318
    • Bump github.com/aws/aws-sdk-go from 1.43.13 to 1.43.14 by @dependabot in https://github.com/sigstore/sigstore/pull/321
    • Enable the same golangci-lint rules as cosign by @dekkagaijin in https://github.com/sigstore/sigstore/pull/322
    • Bump github.com/aws/aws-sdk-go from 1.43.14 to 1.43.15 by @dependabot in https://github.com/sigstore/sigstore/pull/323
    • Initial introduction and implementation of oidc.IDTokenSource by @dekkagaijin in https://github.com/sigstore/sigstore/pull/320
    • Update CODEOWNERS by @endorama in https://github.com/sigstore/sigstore/pull/315
    • Bump github.com/aws/aws-sdk-go from 1.43.15 to 1.43.16 by @dependabot in https://github.com/sigstore/sigstore/pull/324
    • Add a reusable GitHub Action workflow for cutting releases. by @k4leung4 in https://github.com/sigstore/sigstore/pull/325
    • return immediately, without waiting for the operation in progress to complete by @cpanato in https://github.com/sigstore/sigstore/pull/326
    • Bump github.com/aws/aws-sdk-go from 1.43.16 to 1.43.17 by @dependabot in https://github.com/sigstore/sigstore/pull/327
    • Bump github.com/Azure/azure-sdk-for-go from 62.1.0+incompatible to 62.2.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/328
    • Bump github.com/aws/aws-sdk-go from 1.43.17 to 1.43.18 by @dependabot in https://github.com/sigstore/sigstore/pull/329
    • Bump github.com/stretchr/testify from 1.7.0 to 1.7.1 by @dependabot in https://github.com/sigstore/sigstore/pull/332
    • Included OpenSSF Best Practices badge by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/333
    • Bump github.com/aws/aws-sdk-go from 1.43.18 to 1.43.19 by @dependabot in https://github.com/sigstore/sigstore/pull/331
    • fix lints found by golangci-lint by @cpanato in https://github.com/sigstore/sigstore/pull/334
    • Bump github.com/aws/aws-sdk-go from 1.43.19 to 1.43.20 by @dependabot in https://github.com/sigstore/sigstore/pull/335
    • Bump github.com/aws/aws-sdk-go from 1.43.20 to 1.43.21 by @dependabot in https://github.com/sigstore/sigstore/pull/336
    • Bump github/codeql-action from 1.1.4 to 1.1.5 by @dependabot in https://github.com/sigstore/sigstore/pull/330
    • Make tag,key_ring,key optional for release workflow. by @k4leung4 in https://github.com/sigstore/sigstore/pull/338
    • Bump github.com/go-rod/rod from 0.103.0 to 0.104.1 by @dependabot in https://github.com/sigstore/sigstore/pull/341
    • Bump github.com/Azure/azure-sdk-for-go from 62.2.0+incompatible to 62.3.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/342
    • Bump github.com/aws/aws-sdk-go from 1.43.21 to 1.43.22 by @dependabot in https://github.com/sigstore/sigstore/pull/340
    • Bump actions/cache from 2.1.7 to 3 by @dependabot in https://github.com/sigstore/sigstore/pull/339
    • Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 by @dependabot in https://github.com/sigstore/sigstore/pull/343
    • Bump github.com/aws/aws-sdk-go from 1.43.22 to 1.43.24 by @dependabot in https://github.com/sigstore/sigstore/pull/345
    • Add utilities to parse Oauth2 access token HTTP responses by @dekkagaijin in https://github.com/sigstore/sigstore/pull/337
    • Add method to check for public key equality by @haydentherapper in https://github.com/sigstore/sigstore/pull/346

    New Contributors

    • @blz-ea made their first contribution in https://github.com/sigstore/sigstore/pull/229
    • @simongottschlag made their first contribution in https://github.com/sigstore/sigstore/pull/228
    • @haydentherapper made their first contribution in https://github.com/sigstore/sigstore/pull/234
    • @jbayer made their first contribution in https://github.com/sigstore/sigstore/pull/240
    • @n3wscott made their first contribution in https://github.com/sigstore/sigstore/pull/247
    • @sudo-bmitch made their first contribution in https://github.com/sigstore/sigstore/pull/249
    • @imjasonh made their first contribution in https://github.com/sigstore/sigstore/pull/276
    • @Dentrax made their first contribution in https://github.com/sigstore/sigstore/pull/277
    • @chaospuppy made their first contribution in https://github.com/sigstore/sigstore/pull/289
    • @endorama made their first contribution in https://github.com/sigstore/sigstore/pull/315
    • @k4leung4 made their first contribution in https://github.com/sigstore/sigstore/pull/325

    Full Changelog: https://github.com/sigstore/sigstore/compare/v1.1.0...v1.2.0

  • v1.1.0(Dec 28, 2021)

    What's Changed

    • Idp specific default flows by @houdini91 in https://github.com/sigstore/sigstore/pull/123
    • Bump github.com/aws/aws-sdk-go from 1.42.1 to 1.42.2 by @dependabot in https://github.com/sigstore/sigstore/pull/139
    • Bump github.com/aws/aws-sdk-go from 1.42.2 to 1.42.3 by @dependabot in https://github.com/sigstore/sigstore/pull/140
    • Bump github.com/google/go-containerregistry from 0.6.0 to 0.7.0 by @dependabot in https://github.com/sigstore/sigstore/pull/142
    • Bump github.com/aws/aws-sdk-go from 1.42.3 to 1.42.4 by @dependabot in https://github.com/sigstore/sigstore/pull/143
    • expose innerWrapper as VerifierAdapter by @dekkagaijin in https://github.com/sigstore/sigstore/pull/144
    • also expose the wrapped verifier in VerifierAdapter by @dekkagaijin in https://github.com/sigstore/sigstore/pull/145
    • Bump github.com/aws/aws-sdk-go from 1.42.4 to 1.42.5 by @dependabot in https://github.com/sigstore/sigstore/pull/147
    • Feat : Fuzzing by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/146
    • Linter - Included linter check for doc rules by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/148
    • Bump github.com/aws/aws-sdk-go from 1.42.5 to 1.42.7 by @dependabot in https://github.com/sigstore/sigstore/pull/150
    • update deps by @dekkagaijin in https://github.com/sigstore/sigstore/pull/151
    • Bump github.com/aws/aws-sdk-go from 1.42.8 to 1.42.9 by @dependabot in https://github.com/sigstore/sigstore/pull/152
    • Move the ssh signing/verification utilities to sigstore from rekor. by @dlorenc in https://github.com/sigstore/sigstore/pull/141
    • Bump github.com/aws/aws-sdk-go from 1.42.9 to 1.42.10 by @dependabot in https://github.com/sigstore/sigstore/pull/153
    • Fix revive lint warnings. by @dlorenc in https://github.com/sigstore/sigstore/pull/156
    • Included fuzzing for more cryptoutils by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/157
    • Bump github.com/aws/aws-sdk-go from 1.42.10 to 1.42.11 by @dependabot in https://github.com/sigstore/sigstore/pull/161
    • hack: add hack/tools to hold non required dependencies/tools for the project by @cpanato in https://github.com/sigstore/sigstore/pull/159
    • update lint action by @dekkagaijin in https://github.com/sigstore/sigstore/pull/155
    • Fuzzing password and some signature API by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/160
    • Bump github.com/aws/aws-sdk-go from 1.42.11 to 1.42.12 by @dependabot in https://github.com/sigstore/sigstore/pull/162
    • Bump github.com/Azure/azure-sdk-for-go from 59.3.0+incompatible to 59.4.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/163
    • Docs for Fuzzing by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/165
    • Fuzzing - Included RSA Targets by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/164
    • Bump github.com/aws/aws-sdk-go from 1.42.12 to 1.42.14 by @dependabot in https://github.com/sigstore/sigstore/pull/166
    • Clean up lint errors by @bobcallaway in https://github.com/sigstore/sigstore/pull/167
    • Included fuzz badge by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/168
    • Included CIFuzz by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/169
    • Bump github.com/aws/aws-sdk-go from 1.42.14 to 1.42.15 by @dependabot in https://github.com/sigstore/sigstore/pull/171
    • Fuzzing for RSAPASS by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/170
    • Bump github.com/aws/aws-sdk-go from 1.42.15 to 1.42.16 by @dependabot in https://github.com/sigstore/sigstore/pull/174
    • Upgraded go-securesystemslib from 0.1.0 to 0.2.0 by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/178
    • Bump github.com/aws/aws-sdk-go from 1.42.16 to 1.42.17 by @dependabot in https://github.com/sigstore/sigstore/pull/176
    • Additional corpus for ecdsa and ed25519 by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/177
    • Fuzz testing DSSE by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/173
    • Bump github.com/aws/aws-sdk-go from 1.42.17 to 1.42.18 by @dependabot in https://github.com/sigstore/sigstore/pull/180
    • Bump github.com/Azure/azure-sdk-for-go from 59.4.0+incompatible to 60.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/179
    • Updatathon by @dekkagaijin in https://github.com/sigstore/sigstore/pull/181
    • Bump github.com/ReneKroon/ttlcache/v2 from 2.9.0 to 2.10.0 by @dependabot in https://github.com/sigstore/sigstore/pull/184
    • Bump github.com/aws/aws-sdk-go from 1.42.19 to 1.42.20 by @dependabot in https://github.com/sigstore/sigstore/pull/187
    • Bump actions/upload-artifact from 2.2.4 to 2.3.0 by @dependabot in https://github.com/sigstore/sigstore/pull/185
    • bump github.com/secure-systems-lab/go-securesystemslib to v0.3.0 by @dekkagaijin in https://github.com/sigstore/sigstore/pull/189
    • bump the rest of the deps by @dekkagaijin in https://github.com/sigstore/sigstore/pull/190
    • fix wrong return value in error case by @bobcallaway in https://github.com/sigstore/sigstore/pull/192
    • Bump github.com/aws/aws-sdk-go from 1.42.20 to 1.42.21 by @dependabot in https://github.com/sigstore/sigstore/pull/194
    • Bump github.com/aws/aws-sdk-go from 1.42.21 to 1.42.22 by @dependabot in https://github.com/sigstore/sigstore/pull/195
    • Bump github.com/Azure/azure-sdk-for-go from 60.0.0+incompatible to 60.1.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/196
    • Fuzz - Fixes nil data by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/197
    • Bump github.com/aws/aws-sdk-go from 1.42.22 to 1.42.23 by @dependabot in https://github.com/sigstore/sigstore/pull/201
    • Bump actions/upload-artifact from 2.3.0 to 2.3.1 by @dependabot in https://github.com/sigstore/sigstore/pull/202
    • Bump github.com/Azure/azure-sdk-for-go from 60.1.0+incompatible to 60.2.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/204
    • Dsse multi signature wrapper by @houdini91 in https://github.com/sigstore/sigstore/pull/203
    • Bump github.com/ReneKroon/ttlcache/v2 from 2.10.0 to 2.11.0 by @dependabot in https://github.com/sigstore/sigstore/pull/206
    • Bump github.com/aws/aws-sdk-go from 1.42.23 to 1.42.24 by @dependabot in https://github.com/sigstore/sigstore/pull/207
    • Bump github.com/aws/aws-sdk-go from 1.42.24 to 1.42.25 by @dependabot in https://github.com/sigstore/sigstore/pull/208
    • Bump github.com/hashicorp/vault/api from 1.3.0 to 1.3.1 by @dependabot in https://github.com/sigstore/sigstore/pull/209
    • Bump github.com/Azure/azure-sdk-for-go from 60.2.0+incompatible to 60.3.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/210
    • Fuzz- Fixes the invalid UTF-8 string for DSSE by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/212

    New Contributors

    • @houdini91 made their first contribution in https://github.com/sigstore/sigstore/pull/123

    Full Changelog: https://github.com/sigstore/sigstore/compare/v1.0.1...v1.1.0

  • v1.0.1(Nov 11, 2021)

    What's Changed

    • Make SimpleContainerImage struct accessible for tekton chains by @priyawadhwa in https://github.com/sigstore/sigstore/pull/124
    • (fix): Fix vault integration to work with rotated keys by @rjbrown57 in https://github.com/sigstore/sigstore/pull/125
    • Create dependabot.yml by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/127
    • Fix the azure KMS provider by @dlorenc in https://github.com/sigstore/sigstore/pull/126
    • Bump actions/checkout from 2.3.4 to 2.4.0 by @dependabot in https://github.com/sigstore/sigstore/pull/128
    • Bump github.com/go-test/deep from 1.0.7 to 1.0.8 by @dependabot in https://github.com/sigstore/sigstore/pull/129
    • Bump github.com/aws/aws-sdk-go from 1.40.7 to 1.41.19 by @dependabot in https://github.com/sigstore/sigstore/pull/130
    • Bump cloud.google.com/go from 0.88.0 to 0.97.0 by @dependabot in https://github.com/sigstore/sigstore/pull/134
    • Bump github.com/ReneKroon/ttlcache/v2 from 2.7.0 to 2.9.0 by @dependabot in https://github.com/sigstore/sigstore/pull/132
    • Bump github.com/coreos/go-oidc/v3 from 3.0.0 to 3.1.0 by @dependabot in https://github.com/sigstore/sigstore/pull/133
    • Bump github.com/google/go-containerregistry from 0.5.1 to 0.6.0 by @dependabot in https://github.com/sigstore/sigstore/pull/135
    • Bump github.com/hashicorp/vault/api from 1.1.1 to 1.3.0 by @dependabot in https://github.com/sigstore/sigstore/pull/131
    • Bump github.com/aws/aws-sdk-go from 1.41.19 to 1.42.0 by @dependabot in https://github.com/sigstore/sigstore/pull/136
    • Bump github.com/aws/aws-sdk-go from 1.42.0 to 1.42.1 by @dependabot in https://github.com/sigstore/sigstore/pull/137

    New Contributors

    • @rjbrown57 made their first contribution in https://github.com/sigstore/sigstore/pull/125
    • @naveensrinivasan made their first contribution in https://github.com/sigstore/sigstore/pull/127
    • @dependabot made their first contribution in https://github.com/sigstore/sigstore/pull/128

    Full Changelog: https://github.com/sigstore/sigstore/compare/v1.0.0...v1.0.1

  • v1.0.0(Oct 11, 2021)

    What's Changed

    • Missed a couple of renames by @lukehinds in https://github.com/sigstore/sigstore/pull/1
    • User can use toml config for cert details by @lukehinds in https://github.com/sigstore/sigstore/pull/2
    • OIDC by @lukehinds in https://github.com/sigstore/sigstore/pull/3
    • readme, gitignore by @lukehinds in https://github.com/sigstore/sigstore/pull/4
    • Project Rename by @lukehinds in https://github.com/sigstore/sigstore/pull/5
    • Project refactor in prep for rewrite by @lukehinds in https://github.com/sigstore/sigstore/pull/7
    • Key generation code by @lukehinds in https://github.com/sigstore/sigstore/pull/9
    • Fix lint errors by @lukehinds in https://github.com/sigstore/sigstore/pull/12
    • Set up CI by @lukehinds in https://github.com/sigstore/sigstore/pull/11
    • Return PubK in correct type by @lukehinds in https://github.com/sigstore/sigstore/pull/13
    • Client port by @lukehinds in https://github.com/sigstore/sigstore/pull/14
    • Return the response so we can handle specific status codes by @lukehinds in https://github.com/sigstore/sigstore/pull/15
    • Bind flags with PreRun by @lukehinds in https://github.com/sigstore/sigstore/pull/18
    • Rename clients by @lukehinds in https://github.com/sigstore/sigstore/pull/20
    • Implements file MIME checking by @lukehinds in https://github.com/sigstore/sigstore/pull/21
    • Delete DS_Store by @lukehinds in https://github.com/sigstore/sigstore/pull/22
    • Implement rekor log entry by @lukehinds in https://github.com/sigstore/sigstore/pull/23
    • Update copyright statement by @dekkagaijin in https://github.com/sigstore/sigstore/pull/25
    • Device flow! by @dlorenc in https://github.com/sigstore/sigstore/pull/24
    • Add signature library by @dekkagaijin in https://github.com/sigstore/sigstore/pull/26
    • Add Security Section by @lukehinds in https://github.com/sigstore/sigstore/pull/29
    • cmd: add version command by @cpanato in https://github.com/sigstore/sigstore/pull/31
    • Rename signature payloads to be more descriptive for users by @dekkagaijin in https://github.com/sigstore/sigstore/pull/32
    • Use crypto.PublicKey in favor of *ecdsa.PublicKey by @dekkagaijin in https://github.com/sigstore/sigstore/pull/33
    • remove Ed25519 until we can make it work sanely with Rekor by @dekkagaijin in https://github.com/sigstore/sigstore/pull/34
    • Signers should return the payloads which were actually signed by @dekkagaijin in https://github.com/sigstore/sigstore/pull/35
    • update boilerplate header and apply go fmt by @cpanato in https://github.com/sigstore/sigstore/pull/37
    • ci/boilerplate: fix boilerplate check by @cpanato in https://github.com/sigstore/sigstore/pull/39
    • go: update go version to use 1.16.x by @cpanato in https://github.com/sigstore/sigstore/pull/36
    • Move kms package from cosign to sigstore by @priyawadhwa in https://github.com/sigstore/sigstore/pull/41
    • Leverage the signature package for signing by @dekkagaijin in https://github.com/sigstore/sigstore/pull/38
    • Implement code owners by @lukehinds in https://github.com/sigstore/sigstore/pull/40
    • use RSA-PSS instead of RSA-PKCS#1 v1.5 signature scheme by @dekkagaijin in https://github.com/sigstore/sigstore/pull/43
    • feat: add vault transit kms engine by @RichiCoder1 in https://github.com/sigstore/sigstore/pull/44
    • Bump the rekor dependency. by @dlorenc in https://github.com/sigstore/sigstore/pull/47
    • Allow specifying the full key version. by @dlorenc in https://github.com/sigstore/sigstore/pull/45
    • some vault fixes by @RichiCoder1 in https://github.com/sigstore/sigstore/pull/49
    • Better define sigstore's purpose by @lukehinds in https://github.com/sigstore/sigstore/pull/52
    • remove optional algorithm; ensure CI and Makefile are correct by @bobcallaway in https://github.com/sigstore/sigstore/pull/57
    • log error message but continue with OAuth2 flow if browser auto-open … by @bobcallaway in https://github.com/sigstore/sigstore/pull/56
    • change to rekor.sigstore.dev by @bobcallaway in https://github.com/sigstore/sigstore/pull/60
    • remove gosec since it is handled by golangci-lint by @bobcallaway in https://github.com/sigstore/sigstore/pull/58
    • Add support for ed25519 based keys by @priyawadhwa in https://github.com/sigstore/sigstore/pull/51
    • Bump rekor for the new API changes. by @dlorenc in https://github.com/sigstore/sigstore/pull/61
    • Move all rekor code to tlog by @lukehinds in https://github.com/sigstore/sigstore/pull/63
    • Refact key tlog by @lukehinds in https://github.com/sigstore/sigstore/pull/65
    • Add support for static identity tokens supplied directly by the caller. by @dlorenc in https://github.com/sigstore/sigstore/pull/64
    • enable transit secret engine at another path by @developer-guy in https://github.com/sigstore/sigstore/pull/67
    • Refactor IDToken handling to support claims based on fields other tha… by @dlorenc in https://github.com/sigstore/sigstore/pull/68
    • cert.Subject is not populated, return serial instead by @lukehinds in https://github.com/sigstore/sigstore/pull/71
    • Allow the OOB authentication flow when we can't open a browser. by @dlorenc in https://github.com/sigstore/sigstore/pull/62
    • convert signature library to implement crypto.Signer interface by @bobcallaway in https://github.com/sigstore/sigstore/pull/69
    • use new path to GetRekorClient by @bobcallaway in https://github.com/sigstore/sigstore/pull/73
    • Fix for Error: error during PEM decoding by @lukehinds in https://github.com/sigstore/sigstore/pull/78
    • Use output to save client cert file locally by @lukehinds in https://github.com/sigstore/sigstore/pull/79
    • Add formatted URL for rekor entry by @lukehinds in https://github.com/sigstore/sigstore/pull/80
    • Add PublicKeyProvider interface by @bobcallaway in https://github.com/sigstore/sigstore/pull/75
    • Bump rekor. by @dlorenc in https://github.com/sigstore/sigstore/pull/82
    • Also output the signature if required by @lukehinds in https://github.com/sigstore/sigstore/pull/83
    • filehandler: add application/x-executable to supported mimetype by @cpanato in https://github.com/sigstore/sigstore/pull/84
    • stop using signerverifier to get access to publickeyprovider by @bobcallaway in https://github.com/sigstore/sigstore/pull/85
    • compute crc over digest instead of message by @bobcallaway in https://github.com/sigstore/sigstore/pull/86
    • We should use the client ID from the oauth config, not viper. by @dlorenc in https://github.com/sigstore/sigstore/pull/87
    • Don't use pointers for ed25519 keys by @dekkagaijin in https://github.com/sigstore/sigstore/pull/88
    • AWS KMS Support by @codysoyland in https://github.com/sigstore/sigstore/pull/74
    • Remove cmd/, clean up unused code by @dekkagaijin in https://github.com/sigstore/sigstore/pull/90
    • Remove pkg/tlog, run go mod tidy by @dekkagaijin in https://github.com/sigstore/sigstore/pull/91
    • update go modules, run go mod tidy by @dekkagaijin in https://github.com/sigstore/sigstore/pull/94
    • update github actions to latest versions by @dekkagaijin in https://github.com/sigstore/sigstore/pull/93
    • change in-memory signers to implement crypto.Signer by @bobcallaway in https://github.com/sigstore/sigstore/pull/92
    • Add initial Azure KMS support by @cpanato in https://github.com/sigstore/sigstore/pull/76
    • Remove pkg/util directory by @dekkagaijin in https://github.com/sigstore/sigstore/pull/95
    • Implement wrappers/converters for the DSSE signing spec. by @dlorenc in https://github.com/sigstore/sigstore/pull/96
    • Add tests for pkg/cryptoutils by @dekkagaijin in https://github.com/sigstore/sigstore/pull/99
    • More pkg/cryptoutils tests, add a generator for ECDSA keypairs by @dekkagaijin in https://github.com/sigstore/sigstore/pull/100
    • ENCRYPTED COSIGN PRIVATE KEY -> ENCRYPTED SIGSTORE PRIVATE KEY by @dekkagaijin in https://github.com/sigstore/sigstore/pull/101
    • remove fulcio client code by @dekkagaijin in https://github.com/sigstore/sigstore/pull/103
    • small update in the makefile by @cpanato in https://github.com/sigstore/sigstore/pull/105
    • default to P-256 curve again by @dekkagaijin in https://github.com/sigstore/sigstore/pull/106
    • Add missing code of conduct (stock sigstore one) by @lukehinds in https://github.com/sigstore/sigstore/pull/107
    • leverage Vault token helpers approach while obtaining Vault token by @developer-guy in https://github.com/sigstore/sigstore/pull/104
    • Transit backend path is hardcoded for some operations of the KMS Vault client by @LeSuisse in https://github.com/sigstore/sigstore/pull/102
    • Switch DSSE provider to go-securesystemslib by @adityasaky in https://github.com/sigstore/sigstore/pull/111
    • pass by reference instead of pointer so correct redirect_uri is known by @bobcallaway in https://github.com/sigstore/sigstore/pull/114
    • Pin localstack in e2e tests (fixes #112) by @codysoyland in https://github.com/sigstore/sigstore/pull/115
    • Fix typo/readability by @ocdtrekkie in https://github.com/sigstore/sigstore/pull/116
    • Modularise CI by @lukehinds in https://github.com/sigstore/sigstore/pull/118
    • Update readme in anticipation of 1.0 by @lukehinds in https://github.com/sigstore/sigstore/pull/119
    • Integration tests for dex / OIDConnect by @lukehinds in https://github.com/sigstore/sigstore/pull/110
    • Change redirect listener to use ephemeral port by @bobcallaway in https://github.com/sigstore/sigstore/pull/120

    New Contributors

    • @lukehinds made their first contribution in https://github.com/sigstore/sigstore/pull/1
    • @dekkagaijin made their first contribution in https://github.com/sigstore/sigstore/pull/25
    • @dlorenc made their first contribution in https://github.com/sigstore/sigstore/pull/24
    • @cpanato made their first contribution in https://github.com/sigstore/sigstore/pull/31
    • @priyawadhwa made their first contribution in https://github.com/sigstore/sigstore/pull/41
    • @RichiCoder1 made their first contribution in https://github.com/sigstore/sigstore/pull/44
    • @bobcallaway made their first contribution in https://github.com/sigstore/sigstore/pull/57
    • @developer-guy made their first contribution in https://github.com/sigstore/sigstore/pull/67
    • @codysoyland made their first contribution in https://github.com/sigstore/sigstore/pull/74
    • @LeSuisse made their first contribution in https://github.com/sigstore/sigstore/pull/102
    • @adityasaky made their first contribution in https://github.com/sigstore/sigstore/pull/111
    • @ocdtrekkie made their first contribution in https://github.com/sigstore/sigstore/pull/116

    Full Changelog: https://github.com/sigstore/sigstore/commits/v1.0.0

Owner
sigstore
Software supply chain transparency
sigstore
Prototype Pollution Scanner

protoscan Prototype Pollution Scanner made in Golang, it was actually made by @tomnomnom in NahamCon2021 https://www.youtube.com/watch?v=Gv1nK6Wj8qM I

Kathan Patel 78 Jun 10, 2022
A scanner/exploitation tool written in GO, which leverages Prototype Pollution to XSS by exploiting known gadgets.

ppmap A simple scanner/exploitation tool written in GO which automatically exploits known and existing gadgets (checks for specific variables in the g

kleiton0x00 325 Jun 22, 2022
Implementations of the Coconut signing scheme, cross-compatible between Rust and Go.

Coconut Coconut [paper] is a distributed cryptographic signing scheme providing a high degree of privacy for its users. You can find an overview of ho

Nym 19 May 22, 2022
An RSA signing server model that allows creating valid signed certificates that can't be modified

Omega Description an RSA signing server model, allows to create valid signed certificates that can't be modified Requirements MySQL Server GoLang 1.17 I

null 0 Nov 15, 2021
Proto-find is a tool for researchers that lets you find client-side prototype pollution vulnerabilities.

proto-find proto-find is a tool for researchers that lets you find client-side prototype pollution vulnerabilities. How it works proto-find open URL in

null 48 Jun 4, 2022
Prototype of signing container images in the index

Prototype for inline signing of images in the image index. When designing Notary v2 there was a strong consensus for having detached signatures. These

Justin Cormack 2 Jan 8, 2022
A tool for testing, building, signing, and publishing binaries.

gomason Tool for testing, building, signing and publishing binaries. Think of it as an on-premises CI/CD system that also performs code signing and p

Nik Ogura 53 Apr 7, 2022
Simple no frills AWS S3 Golang Library using REST with V4 Signing (without AWS Go SDK)

simples3 : Simple no frills AWS S3 Library using REST with V4 Signing Overview SimpleS3 is a golang library for uploading and deleting objects on S3 b

Rohan Verma 87 Jun 10, 2022
Container Signing

cosign Container Signing, Verification and Storage in an OCI registry. Cosign aims to make signatures invisible infrastructure. Info Cosign is develop

sigstore 2.2k Jul 1, 2022
Work with remote images registries - retrieving information, images, signing content

skopeo skopeo is a command line utility that performs various operations on container images and image repositories. skopeo does not require the user

Containers 4.8k Jun 28, 2022
2D virtual tabletop prototype

Mirkwood Engine A prototype of a virtual tabletop written in Go 1.16 and Ebiten 2 (The gif can seem a bit laggy but the animations are smooth in r

null 19 Sep 28, 2021
A CLI tool for leveraging IDP signing keys to impersonate users and groups

Imperson8 Disclaimer This is a security testing tool. Only use this on systems you have explicit authorization to test. This isn't an exploit and won'

null 18 Feb 12, 2022
kcp is a prototype of a Kubernetes API server that is not a Kubernetes cluster - a place to create, update, and maintain Kube-like APIs with controllers above or without clusters.

kcp is a minimal Kubernetes API server How minimal exactly? kcp doesn't know about Pods or Nodes, let alone Deployments, Services, LoadBalancers, etc.

Prototype of Future Kubernetes Ideas 1.5k Jun 26, 2022
Extended ssh-agent which supports git commit signing over ssh

ssh-agentx ssh-agentx Rationale Requirements Configuration ssh-agentx Configuration ssh-gpg-signer Linux Windows Signing commits after configuration T

Wim 10 Jun 11, 2022
kubectl plugin for signing Kubernetes manifest YAML files with sigstore

k8s-manifest-sigstore kubectl plugin for signing Kubernetes manifest YAML files with sigstore ⚠️ Still under development, not ready for production us

sigstore 29 Jun 18, 2022
gon is a simple, no-frills tool for signing and notarizing your CLI binaries for macOS

Sign, notarize, and package macOS CLI tools and applications written in any language. Available as both a CLI and a Go library.

Mitchell Hashimoto 1.2k Jun 28, 2022
Prototype pollution scanner using headless chrome

plution Prototype pollution scanner using headless chrome What this is Plution is a convenient way to scan at scale for pages that are vulnerable to c

null 139 Jun 15, 2022
ConsenSys Software 8 Jan 18, 2022
A cutting edge (haha), prototype, object-oriented and highly modular slash command handler for Discordgo.

ken ⚠️ Disclaimer This package is still in a very early state of development and future updates might include breaking changes to the API until the fi

Ringo Hoffmann 15 Jun 13, 2022
ETH <-> XMR atomic swap prototype

ETH-XMR Atomic Swaps This is a prototype of ETH<->XMR atomic swaps, which was worked on during ETHLisbon. Instructions Start ganache-cli with determin

null 129 Jul 2, 2022
x-crafter is used to quickly create templates from your prototype, and also comes with a builder to quickly regenerate your code

XCrafter x-crafter is used to quickly create templates from your prototype, and also comes with a builder to quickly regenerate your code. Install Using

Chi-Tai Vong 3 Nov 29, 2021
A prototype code-generator library for golang.

A prototype code-generator library for golang.

PL Pery 6 Jan 18, 2022
A simple and lightweight library for creating, formatting, manipulating, signing, and validating JSON Web Tokens in Go.

GoJWT - JSON Web Tokens in Go GoJWT is a simple and lightweight library for creating, formatting, manipulating, signing and validating Json Web Tokens

Toby 5 Feb 7, 2022
Prototype to predict Ethereum transactions' access lists

predict_al Prototype to predict Ethereum transactions' access lists. The project comes from CDAP cohort-one. The current design is to use a simplified

Alex Chen 3 May 9, 2022
Simples3 : Simple no frills AWS S3 Library using REST with V4 Signing

simples3 : Simple no frills AWS S3 Library using REST with V4 Signing Overview SimpleS3 is a golang library for uploading and deleting objects on S3 b

Rohan Verma 70 Nov 30, 2021