Signing prototype

Last update: Nov 24, 2022

Related tags

Overview

sigstore signing CLI tool

⚠️ Not ready for use yet!

sigstore CLI is a generic tool to sign blobs, tarballs etc and establish a trust root using the sigstore signing infrastructure

For container signing, you want cosign

Comments

Move fulcioroots and tuf packages from cosign
Summary

This moves these packages from sigstore/cosign into sigstore/sigstore.

pkg/fulcioroots comes from cosign's cmd/cosign/cli/fulcio/[email protected], and drops that package's behavior when the SIGSTORE_ROOT_FILE env var is set -- this will remain in sigstore/cosign.

pkg/tuf comes from cosign's pkg/cosign/[email protected] and is otherwise largely unchanged. Some methods were unexported that aren't used outside of this package.

Part of https://github.com/sigstore/cosign/issues/1865

Release Note

pkg/fulcioroots and pkg/tuf are moved from cosign repo
opened by imjasonh 29

Workload Identity Federation is not working with GCP KMS support

Description

Recently, we (w/@dentrax @erkanzileli) added other key management system support to Kyverno while verifying image signatures.^1 Then, I tried this feature on GCP while using GCP KMS and GKE. To achieve this I took advantage of Workload Identity Federation^2. To enable this I've used the following commands:

🎗 Cross-ref: https://github.com/kyverno/website/pull/376

$ export PROJECT_ID=$(gcloud config get-value project)
$ export CLUSTER_NAME="gke-wif"
$ gcloud container clusters create $CLUSTER_NAME \
    --workload-pool=$PROJECT_ID.svc.id.goog --num-nodes=2
$ export GSA_NAME=kyverno-sa
$ gcloud iam service-accounts create $GSA_NAME
$ gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${PROJECT_ID}.svc.id.goog[kyverno/kyverno]" \
  ${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com
$ gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --role roles/cloudkms.admin \
  --member serviceAccount:${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com
$ kubectl annotate serviceaccount \
  --namespace kyverno \
  kyverno \
  iam.gke.io/gcp-service-account=${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com

Then, I tried it with Kyverno but it didn't work as I expected. So, I decided to do a small test together with the google/cloud-sdk:slim image. So, I ran a Pod with this image, everything worked fine.

kubectl run -it --rm \
  --image google/cloud-sdk:slim \
  --serviceaccount kyverno \
  --namespace kyverno \
  workload-identity-test

Screen Shot 2021-11-11 at 15 53 53

cc: @JimBugwadia @dlorenc @cpanato

enhancement

opened by developer-guy 28

community : Contributor ladder
Description

I am opening this to ask if there's a contributor ladder defined for sigstore. How do I become an org member?

I would be happy to help do PR's reviews here, hoping to work towards maintainership.

previous contributions - mainly fuzzing sigstore and integrating with oss-fuzz

PR's in sigstore

https://github.com/sigstore/sigstore/pull/214

https://github.com/sigstore/sigstore/pull/213

https://github.com/sigstore/sigstore/pull/212

https://github.com/sigstore/sigstore/pull/197

https://github.com/sigstore/sigstore/pull/178

https://github.com/sigstore/sigstore/pull/177

https://github.com/sigstore/sigstore/pull/173

https://github.com/sigstore/sigstore/pull/170

https://github.com/sigstore/sigstore/pull/169

https://github.com/sigstore/sigstore/pull/168

https://github.com/sigstore/sigstore/pull/165

https://github.com/sigstore/sigstore/pull/164

https://github.com/sigstore/sigstore/pull/160

https://github.com/sigstore/sigstore/pull/158

https://github.com/sigstore/sigstore/pull/157

https://github.com/sigstore/sigstore/pull/148

https://github.com/sigstore/sigstore/pull/146

https://github.com/sigstore/sigstore/pull/127

oss-fuzz and actively maintaining the oss-fuzz issues

https://github.com/google/oss-fuzz/pull/6890

https://github.com/google/oss-fuzz/pull/6927

https://github.com/google/oss-fuzz/pull/6964

Issues in sigstore

https://github.com/sigstore/sigstore/issues?q=is%3Aissue+author%3Anaveensrinivasan

PR's in cosign

https://github.com/sigstore/cosign/pull/1141

https://github.com/sigstore/cosign/pull/1020

https://github.com/sigstore/cosign/pull/1001

https://github.com/sigstore/cosign/pull/971

https://github.com/sigstore/cosign/pull/968

https://github.com/sigstore/cosign/pull/944

https://github.com/sigstore/cosign/pull/124

https://github.com/sigstore/cosign/pull/121

https://github.com/sigstore/cosign/pull/120

https://github.com/sigstore/cosign/pull/119

Issues in cosign

https://github.com/sigstore/cosign/issues?q=is%3Aissue+author%3Anaveensrinivasan+

PR's rekor

https://github.com/sigstore/rekor/pulls?q=author%3Anaveensrinivasan

Issues in rekor

https://github.com/sigstore/rekor/issues?q=author%3Anaveensrinivasan

cc @lukehinds @dlorenc @bobcallaway
enhancement
opened by naveensrinivasan 23

consider moving core sign & verify functions from cosign to sigstore

TL;DR: I propose transferring the core crypto functions of cosign to project Sigstore.

Motivation

We aim to make sigstore more commonize for cryptographic functions. Cosign calls the all the crypto-specific functions (i.e., generating ECDSA, signing, validating, etc.) from the keys.go file. If we get rid of those ECDSA-related functions, we would easily import sigstore project and use those functions again in cosign; moreover, we would import them on other non-container-specific projects. For cosign, this work will likely legacy change for no discernible benefit. I think it should be better to handle these functions (like GenerateKeyPair(), LoadECDSAPrivateKey(), LoadPublicKey(), etc.) inside the Sigstore itself.

We could find neither an actively discussing issue nor a PR. It is a great opportunity to get used to Sigstore project.

Implementation

func GeneratePrivateKey() (*ecdsa.PrivateKey, error)

func GenerateKeyPair(options *GenerateKeyPairOptions) (*KeyPair, error)

func LoadPublicKey(options *PublicKeyOptions) (PublicKey, error)

func LoadPrivateKey(options *PrivateKeyOptions) (signature.ECDSASignerVerifier, error)

func KeyToPem(pub crypto.PublicKey) ([]byte, error)

func CertToPem(c *x509.Certificate) []byte

func PemToECDSAKey(raw []byte) (*ecdsa.PublicKey, error)

Example Usages:

package main

import (
	"github.com/sigstore/sigstore/pkg/signature"
)

func main() {
    s, _ := signature.GenerateKeyPair(&signature.GenerateKeyPairOptions{
        PassFunc := pf()
    })

    content := "foo"
    
    pub, _ := signature.LoadPublicKey(&signature.PublicKeyOptions{
        Path: "cosign.pub",
    })

    key, _ := signature.LoadPrivateKey(&signature.PrivateKeyOptions{
        Path: "cosign.key",
        Pass: []byte("foo"),
    })
    
    s1, s2, _ := key.Sign(context.TODO(), []byte(content))
    
    _ = pub.Verify(context.TODO(), []byte(content), s1)

    // ...
}

opened by Dentrax 14

Out of band flow not working

Description

The auth process in gitsign outputs a URL you should be able to open in the browser to get a verification code, but the oauth2 server redirects to localhost after logging in. In this case localhost is not accessible so the auth flow cannot complete.

$ git commit -m "foo"
error opening browser: exit status 3
Go to the following link in a browser:

         https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=P69wZPuonUkCS2-LAp26XO-Ndw3GzeyATyuixsMRz7c&code_challenge_method=S256&nonce=xxx&redirect_uri=http%3A%2F%2Flocalhost%3A45077%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=xxx
Enter verification code:

Version

gitsign v0.2.0

bug

opened by ianlewis 13

Using sigstore in CNCF projects

Folks,

There are a bunch of MPL libraries here: https://github.com/sigstore/sigstore/blob/main/go.mod#L58-L75

CNCF only allows a handful of MPL'ed libraries from hashicorp: https://github.com/cncf/foundation/blob/main/license-exceptions/cncf-exceptions-2019-11-01.json#L23-L46

the CNCF policy is written down here: https://github.com/cncf/foundation/tree/main/license-exceptions

Question is ... what do we do next?
question

opened by dims 13
Enforcement of a digest looking like a digest

Description

There's an interesting forgery for ECDSA where it's possible to forge a valid signature over a random value for a fixed public key. To defend against this, it's necessary to first hash a message before signing or verifying it. For ED25519, this is handled via a pre-hash, while for ECDSA, it's standard practice to first hash the message.

However, for the hashedrekord type, it's a requirement that we verify against a digest without hashing again. This is why we support WithDigest. This makes WithDigest unsafe. We can help defend against this if there is a check beforehand that the digest look like a digest, so a random value isn't accepted. For example, Rekor checks that the digest matches a SHA256 regex.

This is not a full proof approach, as it is still possible that a random value look like a digest, it's just hard to find such a value for this forgery (I think this is true, but I'd need someone more well-versed in elliptic curve crypto to verify this).

We should add a) warnings in comments about the dangers of verifying with a digest, and b) move the rekor checks into here to enforce that a digest looks like a digest.
enhancement

opened by haydentherapper 12
Add `signature` library
The goal is it as easy as possible to put the business logic in pkg, re-use pkg across project within sigstore, and allow third parties to build on top of these libraries (e.g. to implement CI plugins)

TODOs:

refactor existing libs in sigstore and cosign

implement TPM signer

Signed-off-by: Jake Sanders [email protected]
opened by dekkagaijin 12
Idp specific default flows

Suggestion: Adding interactive flows for each specific identity provider, allowing users to skip the main idp selection page. I think one less click can improve the UX a bit. Further UX improvement is gained when browser uses a default idp account the user does may not need to interactively intervene at all. Such psodo-auto flow may also be valuable in automation uses cases, for example a git hook signing SLSA provenance.

Hope this helps . mikey strauss

opened by houdini91 9
oauthflow/interactive: Fix oob flow
Summary

This change does 2 things:

Always sets oob URL for the oob flow. Reverts 8c6a840f - w.r.t. pkg/oauth/oidc: this looks largely duplicative of pkg/oauthflow so we probably want to delete / merge these together in another PR - both cosign and gitsign are using oauthflow. 🤷

Changes Fscanln to Fscanf - Fscanln wasn't reading values unless it received EOF, making it non-obvious that a value was successfully read (especially in gitsign where we use the TTY directly so values don't populate to stdout).

Verified this works as expected for gitsign.

Fixes #594

Release Note

🐛 Fixes OoB flow.

Documentation
opened by wlynch 8
ci: enable gofumpt with extra
Signed-off-by: Furkan [email protected]

Ran $ gofumpt -w -extra .

-w write result to (source) file instead of stdout -extra enable extra rules which should be vetted by a human

Summary

Ticket Link

Fixes

Release Note
opened by Dentrax 8
build(deps): bump github.com/aws/aws-sdk-go from 1.44.144 to 1.44.145
Bumps github.com/aws/aws-sdk-go from 1.44.144 to 1.44.145.

Release notes

Sourced from github.com/aws/aws-sdk-go's releases.

Release v1.44.145 (2022-11-23)

Service Client Updates

service/grafana: Updates service API and documentation

service/rbin: Updates service API and documentation

Commits

d9ed7d6 Release v1.44.145 (2022-11-23) (#4636)

See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependencies go
opened by dependabot[bot] 0
Move OtherName and SANS functions to s/s

These were used by both Cosign and Fulcio, and will now be used by Rekor, so they should be in the shared library.

Signed-off-by: Hayden Blauzvern [email protected]

Summary

Release Note

Documentation

opened by haydentherapper 0
Update README to describe purpose of s/s

Context: https://github.com/sigstore/sigstore-go

This text is consistent with the long-term purpose of s/s, as well as the current state. Eventually, the "Go clients" bit will develop a little more nuance :)

Signed-off-by: Zack Newman [email protected]

opened by znewman01 0
KMIP support (standardized KMS)
Hi,

I would like to enquire if SigStore has any plans to facilitiate integrating technology partners to act as KMS service providers via the the KMIP standard.

I note Sigstore has integrations in custom way with KMS providers for key storage using proprietary vender specific integrations which are tightly coupled to Sigstore e.g. Azure Key Vault, Hashicorp Vault, AWS KMS, and GCP KMS. We would like to enquire and discover if Sigstore intend to support a more general integration for KMS providers by leveraging an open standard like KMIP to facilitate other providers instead of integrating new partners individually in bespoke way.

We feel it may be mutually beneficial as this opens up the possibility for more KMS services to connect with Sigstore service(s) using KMIP for services that store keys in a KMS service provider and are KMIP ready.

Thanks,

Dave

Originally posted by @daveroche-digi in https://github.com/sigstore/sigstore/discussions/776
opened by znewman01 1
reusable-release workflow does not use key_ring and key_name inputs

reusable-release.yml defines a workflow with inputs key_ring and key_name. These inputs are not actually used in the workflow: the values are instead hardocded to "release-cosign" and "cosign" respectively. I think this only works since all users happen to use the same key?
bug

opened by jku 1

Releases(v1.4.6)

v1.4.6(Nov 24, 2022)
What's Changed

manually upgrade deps by @dekkagaijin in https://github.com/sigstore/sigstore/pull/808

update import due to deprecation by @cpanato in https://github.com/sigstore/sigstore/pull/822

several dependencies updates

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.4.5...v1.4.6
Source code(tar.gz)
Source code(zip)
v1.4.5(Oct 20, 2022)
What's Changed

fulcioroots: Allow appended Fulcio roots to an existing CertPool. by @wlynch in https://github.com/sigstore/sigstore/pull/749

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.4.4...v1.4.5
Source code(tar.gz)
Source code(zip)
v1.4.4(Oct 10, 2022)
NOTE: Fixed TUF root initialization with GCS bucket. This affects anyone who uses their own TUF root hosted on GCS, and specifies the GCS bucket only by name and not by HTTP path.

What's Changed

Fix remoteFromMirror with GCS bucket by @haydentherapper in https://github.com/sigstore/sigstore/pull/734

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.4.3...v1.4.4
Source code(tar.gz)
Source code(zip)
v1.4.3(Oct 7, 2022)
What's Changed

Add support for file based remote stores for airgap mode. by @vaikas in https://github.com/sigstore/sigstore/pull/715

Handle invalid elliptic curve gracefully when verifying signature by @haydentherapper in https://github.com/sigstore/sigstore/pull/728

tuf: fix on-disk cache when writing targets in subfolders by @asraa in https://github.com/sigstore/sigstore/pull/729

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.4.2...v1.4.3
Source code(tar.gz)
Source code(zip)
v1.4.2(Sep 21, 2022)
What's Changed

Package descriptions for all TODOs by @haydentherapper in https://github.com/sigstore/sigstore/pull/685

add package docs, fix deprecated linter by @bobcallaway in https://github.com/sigstore/sigstore/pull/673

oauthflow/interactive: Fix oob flow by @wlynch in https://github.com/sigstore/sigstore/pull/698

Handle certificates that end in newline by @haydentherapper in https://github.com/sigstore/sigstore/pull/699

deps: bump go-tuf to main to avoid excessive logging by @asraa in https://github.com/sigstore/sigstore/pull/701

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.4.1...v1.4.2
Source code(tar.gz)
Source code(zip)
v1.4.1(Sep 13, 2022)
What's Changed

Fix: support certificate pem type by @k4leung4 in https://github.com/sigstore/sigstore/pull/633

Revert "Fix: support certificate pem type (#633)" by @k4leung4 in https://github.com/sigstore/sigstore/pull/634

Add support for parsing PKCS#1 priv/pub keys, SEC1 priv keys by @haydentherapper in https://github.com/sigstore/sigstore/pull/638

Fix : Failing Fuzz tests for FuzzRSAPSSSignerVerfier by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/664

bump: update go-tuf to pull in compatibility fix by @asraa in https://github.com/sigstore/sigstore/pull/672

fix lints and remove ioutils deprecations by @cpanato in https://github.com/sigstore/sigstore/pull/681

test: Add a test in the TUF client pkg for the hex to ECDSA key format migration by @asraa in https://github.com/sigstore/sigstore/pull/676

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.4.0...v1.4.1
Source code(tar.gz)
Source code(zip)
v1.4.0(Aug 16, 2022)
What's Changed

Bump github/codeql-action from 2.1.16 to 2.1.17 by @dependabot in https://github.com/sigstore/sigstore/pull/582

Bump github.com/aws/aws-sdk-go from 1.44.63 to 1.44.64 by @dependabot in https://github.com/sigstore/sigstore/pull/583

Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 by @dependabot in https://github.com/sigstore/sigstore/pull/584

ci: enable gofumpt with extra by @Dentrax in https://github.com/sigstore/sigstore/pull/278

Bump github.com/aws/aws-sdk-go from 1.44.64 to 1.44.65 by @dependabot in https://github.com/sigstore/sigstore/pull/586

Bump google.golang.org/api from 0.89.0 to 0.90.0 by @dependabot in https://github.com/sigstore/sigstore/pull/585

add pkce values to device code flow by @bobcallaway in https://github.com/sigstore/sigstore/pull/516

Bump github.com/aws/aws-sdk-go-v2/service/kms from 1.18.0 to 1.18.1 by @dependabot in https://github.com/sigstore/sigstore/pull/591

Bump github.com/aws/aws-sdk-go from 1.44.65 to 1.44.67 by @dependabot in https://github.com/sigstore/sigstore/pull/588

Bump github.com/aws/aws-sdk-go-v2/config from 1.15.14 to 1.15.15 by @dependabot in https://github.com/sigstore/sigstore/pull/590

Bump github.com/aws/aws-sdk-go from 1.44.67 to 1.44.68 by @dependabot in https://github.com/sigstore/sigstore/pull/593

Bump github/codeql-action from 2.1.17 to 2.1.18 by @dependabot in https://github.com/sigstore/sigstore/pull/595

Bump google.golang.org/api from 0.90.0 to 0.91.0 by @dependabot in https://github.com/sigstore/sigstore/pull/596

Bump github.com/go-rod/rod from 0.108.1 to 0.108.2 by @dependabot in https://github.com/sigstore/sigstore/pull/597

Bump github.com/aws/aws-sdk-go from 1.44.68 to 1.44.70 by @dependabot in https://github.com/sigstore/sigstore/pull/598

Bump actions/cache from 3.0.5 to 3.0.6 by @dependabot in https://github.com/sigstore/sigstore/pull/599

Fix issue #600. When using StaticTokenGetter do not make network calls. by @vaikas in https://github.com/sigstore/sigstore/pull/601

Bump github.com/aws/aws-sdk-go from 1.44.70 to 1.44.71 by @dependabot in https://github.com/sigstore/sigstore/pull/603

Bump github.com/aws/aws-sdk-go-v2 from 1.16.8 to 1.16.9 by @dependabot in https://github.com/sigstore/sigstore/pull/604

Use well-known OIDC config for device endpoints by @bobcallaway in https://github.com/sigstore/sigstore/pull/602

Migrate to go 1.18 for Fuzzing by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/592

Bump github.com/aws/aws-sdk-go-v2/service/kms from 1.18.1 to 1.18.2 by @dependabot in https://github.com/sigstore/sigstore/pull/606

Bump github.com/aws/aws-sdk-go from 1.44.71 to 1.44.72 by @dependabot in https://github.com/sigstore/sigstore/pull/605

Bump github.com/aws/aws-sdk-go-v2/config from 1.15.15 to 1.15.17 by @dependabot in https://github.com/sigstore/sigstore/pull/608

Bump github.com/aws/aws-sdk-go from 1.44.72 to 1.44.73 by @dependabot in https://github.com/sigstore/sigstore/pull/610

Bump github.com/aws/aws-sdk-go-v2/service/kms from 1.18.2 to 1.18.4 by @dependabot in https://github.com/sigstore/sigstore/pull/616

Bump github.com/go-rod/rod from 0.108.2 to 0.109.0 by @dependabot in https://github.com/sigstore/sigstore/pull/618

Bump google.golang.org/api from 0.91.0 to 0.92.0 by @dependabot in https://github.com/sigstore/sigstore/pull/613

Bump github.com/aws/aws-sdk-go-v2/config from 1.15.17 to 1.16.1 by @dependabot in https://github.com/sigstore/sigstore/pull/620

Bump actions/cache from 3.0.6 to 3.0.7 by @dependabot in https://github.com/sigstore/sigstore/pull/611

Bump github.com/aws/aws-sdk-go from 1.44.73 to 1.44.76 by @dependabot in https://github.com/sigstore/sigstore/pull/621

Bump github.com/aws/aws-sdk-go-v2/config from 1.16.1 to 1.17.0 by @dependabot in https://github.com/sigstore/sigstore/pull/625

Bump github.com/go-rod/rod from 0.109.0 to 0.109.1 by @dependabot in https://github.com/sigstore/sigstore/pull/626

Add a more friendly error in pubkey failure by @rikatz in https://github.com/sigstore/sigstore/pull/623

remove old swagger commands from Makefile and fix typo by @bobcallaway in https://github.com/sigstore/sigstore/pull/624

New Contributors

@vaikas made their first contribution in https://github.com/sigstore/sigstore/pull/601

@rikatz made their first contribution in https://github.com/sigstore/sigstore/pull/623

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.3.1...v1.4.0
Source code(tar.gz)
Source code(zip)
v1.3.1(Jul 28, 2022)
What's Changed

oauthflow: Fix recursive call for GetOutput. by @wlynch in https://github.com/sigstore/sigstore/pull/527

Bump github.com/aws/aws-sdk-go from 1.44.41 to 1.44.42 by @dependabot in https://github.com/sigstore/sigstore/pull/531

Bump github.com/stretchr/testify from 1.7.4 to 1.7.5 by @dependabot in https://github.com/sigstore/sigstore/pull/530

Bump github.com/go-rod/rod from 0.107.2 to 0.107.3 by @dependabot in https://github.com/sigstore/sigstore/pull/532

Bump github.com/aws/aws-sdk-go from 1.44.42 to 1.44.43 by @dependabot in https://github.com/sigstore/sigstore/pull/533

Bump github.com/aws/aws-sdk-go from 1.44.43 to 1.44.44 by @dependabot in https://github.com/sigstore/sigstore/pull/534

Bump google.golang.org/api from 0.85.0 to 0.86.0 by @dependabot in https://github.com/sigstore/sigstore/pull/535

Keep calm and don't panic: enable and apply forcetypeassert lint rules by @Dentrax in https://github.com/sigstore/sigstore/pull/522

Bump github.com/aws/aws-sdk-go from 1.44.44 to 1.44.45 by @dependabot in https://github.com/sigstore/sigstore/pull/538

Bump github.com/stretchr/testify from 1.7.5 to 1.8.0 by @dependabot in https://github.com/sigstore/sigstore/pull/539

Bump github/codeql-action from 2.1.14 to 2.1.15 by @dependabot in https://github.com/sigstore/sigstore/pull/537

Bump github.com/aws/aws-sdk-go-v2 from 1.16.5 to 1.16.6 by @dependabot in https://github.com/sigstore/sigstore/pull/542

Bump github.com/aws/aws-sdk-go-v2/config from 1.15.11 to 1.15.12 by @dependabot in https://github.com/sigstore/sigstore/pull/540

Bump github.com/aws/aws-sdk-go-v2/service/kms from 1.17.3 to 1.17.4 by @dependabot in https://github.com/sigstore/sigstore/pull/541

Remove err from type cast failures by @mtrmac in https://github.com/sigstore/sigstore/pull/536

Bump github.com/aws/aws-sdk-go from 1.44.45 to 1.44.46 by @dependabot in https://github.com/sigstore/sigstore/pull/543

Bump github.com/aws/aws-sdk-go from 1.44.46 to 1.44.47 by @dependabot in https://github.com/sigstore/sigstore/pull/545

Bump github.com/aws/aws-sdk-go from 1.44.47 to 1.44.48 by @dependabot in https://github.com/sigstore/sigstore/pull/547

Bump github.com/theupdateframework/go-tuf from 0.3.0 to 0.3.1 by @dependabot in https://github.com/sigstore/sigstore/pull/546

Bump github.com/aws/aws-sdk-go-v2/config from 1.15.12 to 1.15.13 by @dependabot in https://github.com/sigstore/sigstore/pull/550

Bump github.com/aws/aws-sdk-go-v2/service/kms from 1.17.4 to 1.17.5 by @dependabot in https://github.com/sigstore/sigstore/pull/549

Bump github.com/aws/aws-sdk-go from 1.44.48 to 1.44.49 by @dependabot in https://github.com/sigstore/sigstore/pull/551

Bump github.com/aws/aws-sdk-go from 1.44.49 to 1.44.51 by @dependabot in https://github.com/sigstore/sigstore/pull/553

Bump github.com/go-rod/rod from 0.107.3 to 0.108.1 by @dependabot in https://github.com/sigstore/sigstore/pull/552

Bump github.com/aws/aws-sdk-go from 1.44.51 to 1.44.52 by @dependabot in https://github.com/sigstore/sigstore/pull/556

Bump actions/setup-go from 3.2.0 to 3.2.1 by @dependabot in https://github.com/sigstore/sigstore/pull/555

Bump github.com/aws/aws-sdk-go-v2/config from 1.15.13 to 1.15.14 by @dependabot in https://github.com/sigstore/sigstore/pull/557

Bump google.golang.org/api from 0.86.0 to 0.87.0 by @dependabot in https://github.com/sigstore/sigstore/pull/558

Bump github.com/aws/aws-sdk-go from 1.44.52 to 1.44.53 by @dependabot in https://github.com/sigstore/sigstore/pull/559

tuf: remove test that targets list is complete by @asraa in https://github.com/sigstore/sigstore/pull/554

Bump actions/cache from 3.0.4 to 3.0.5 by @dependabot in https://github.com/sigstore/sigstore/pull/560

Bump github/codeql-action from 2.1.15 to 2.1.16 by @dependabot in https://github.com/sigstore/sigstore/pull/561

Bump github.com/aws/aws-sdk-go from 1.44.53 to 1.44.54 by @dependabot in https://github.com/sigstore/sigstore/pull/564

Bump actions/dependency-review-action from 2.0.2 to 2.0.4 by @dependabot in https://github.com/sigstore/sigstore/pull/563

Bump github.com/aws/aws-sdk-go from 1.44.54 to 1.44.55 by @dependabot in https://github.com/sigstore/sigstore/pull/565

Bump github.com/aws/aws-sdk-go from 1.44.55 to 1.44.56 by @dependabot in https://github.com/sigstore/sigstore/pull/566

fix gosec lint G112 errors by @dekkagaijin in https://github.com/sigstore/sigstore/pull/571

Bump github.com/aws/aws-sdk-go-v2/service/kms from 1.17.5 to 1.18.0 by @dependabot in https://github.com/sigstore/sigstore/pull/568

Bump github.com/aws/aws-sdk-go from 1.44.56 to 1.44.59 by @dependabot in https://github.com/sigstore/sigstore/pull/569

Bump github.com/google/go-containerregistry from 0.10.0 to 0.11.0 by @dependabot in https://github.com/sigstore/sigstore/pull/572

Bump google.golang.org/api from 0.87.0 to 0.88.0 by @dependabot in https://github.com/sigstore/sigstore/pull/570

update deps by @dekkagaijin in https://github.com/sigstore/sigstore/pull/573

Bump github.com/aws/aws-sdk-go from 1.44.60 to 1.44.61 by @dependabot in https://github.com/sigstore/sigstore/pull/575

Bump github.com/aws/aws-sdk-go from 1.44.61 to 1.44.62 by @dependabot in https://github.com/sigstore/sigstore/pull/577

Bump github.com/Azure/go-autorest/autorest from 0.11.27 to 0.11.28 by @dependabot in https://github.com/sigstore/sigstore/pull/578

Bump google.golang.org/api from 0.88.0 to 0.89.0 by @dependabot in https://github.com/sigstore/sigstore/pull/579

Bump github.com/aws/aws-sdk-go from 1.44.62 to 1.44.63 by @dependabot in https://github.com/sigstore/sigstore/pull/580

update dependencies that was not bumped by the bot by @cpanato in https://github.com/sigstore/sigstore/pull/576

Add oncall members to list of people who can kick off releases by @priyawadhwa in https://github.com/sigstore/sigstore/pull/581

New Contributors

@mtrmac made their first contribution in https://github.com/sigstore/sigstore/pull/536

@asraa made their first contribution in https://github.com/sigstore/sigstore/pull/554

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.3.0...v1.3.1
Source code(tar.gz)
Source code(zip)
v1.3.0(Jun 24, 2022)
What's Changed

Bump github.com/aws/aws-sdk-go from 1.43.24 to 1.43.26 by @dependabot in https://github.com/sigstore/sigstore/pull/349

Bump github.com/hashicorp/vault/api from 1.4.1 to 1.5.0 by @dependabot in https://github.com/sigstore/sigstore/pull/348

Add method to validate public key by @haydentherapper in https://github.com/sigstore/sigstore/pull/344

Makefile: Install golangci lint by @hectorj2f in https://github.com/sigstore/sigstore/pull/350

Bump github.com/go-rod/rod from 0.104.1 to 0.104.2 by @dependabot in https://github.com/sigstore/sigstore/pull/352

Bump github.com/aws/aws-sdk-go from 1.43.26 to 1.43.27 by @dependabot in https://github.com/sigstore/sigstore/pull/351

Bump github.com/Azure/azure-sdk-for-go from 62.3.0+incompatible to 63.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/354

Bump github.com/aws/aws-sdk-go from 1.43.27 to 1.43.28 by @dependabot in https://github.com/sigstore/sigstore/pull/355

Bump github.com/go-rod/rod from 0.104.2 to 0.104.4 by @dependabot in https://github.com/sigstore/sigstore/pull/358

Bump github/codeql-action from 1.1.5 to 2.1.6 by @dependabot in https://github.com/sigstore/sigstore/pull/356

Bump actions/cache from 3.0.0 to 3.0.1 by @dependabot in https://github.com/sigstore/sigstore/pull/357

oidc: set the redirect url if needed by @hectorj2f in https://github.com/sigstore/sigstore/pull/353

Fix regex for matching GCP KMS key by @haydentherapper in https://github.com/sigstore/sigstore/pull/359

Bump github.com/aws/aws-sdk-go from 1.43.28 to 1.43.29 by @dependabot in https://github.com/sigstore/sigstore/pull/360

Bump github.com/aws/aws-sdk-go from 1.43.29 to 1.43.30 by @dependabot in https://github.com/sigstore/sigstore/pull/363

Bump github.com/Azure/go-autorest/autorest from 0.11.24 to 0.11.25 by @dependabot in https://github.com/sigstore/sigstore/pull/362

update boulder dependency to remove some syslog dependencies that affect windows build by @cpanato in https://github.com/sigstore/sigstore/pull/364

Add fake signer that implements KMS interface by @haydentherapper in https://github.com/sigstore/sigstore/pull/361

fix if check in the release job by @cpanato in https://github.com/sigstore/sigstore/pull/365

fix missing curly brackets by @cpanato in https://github.com/sigstore/sigstore/pull/366

Bump github.com/aws/aws-sdk-go from 1.43.30 to 1.43.31 by @dependabot in https://github.com/sigstore/sigstore/pull/367

chore: set redirect URL in doOobFlow by @hectorj2f in https://github.com/sigstore/sigstore/pull/368

Bump github.com/aws/aws-sdk-go from 1.43.31 to 1.43.33 by @dependabot in https://github.com/sigstore/sigstore/pull/373

Bump github/codeql-action from 2.1.6 to 2.1.7 by @dependabot in https://github.com/sigstore/sigstore/pull/372

Bump google-github-actions/auth from 0.6.0 to 0.7.0 by @dependabot in https://github.com/sigstore/sigstore/pull/371

Bump github.com/Azure/azure-sdk-for-go from 63.0.0+incompatible to 63.1.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/369

Bump github.com/aws/aws-sdk-go from 1.43.33 to 1.43.34 by @dependabot in https://github.com/sigstore/sigstore/pull/375

Bump github.com/aws/aws-sdk-go from 1.43.34 to 1.43.36 by @dependabot in https://github.com/sigstore/sigstore/pull/379

Bump github/codeql-action from 2.1.7 to 2.1.8 by @dependabot in https://github.com/sigstore/sigstore/pull/378

Bump github.com/go-rod/rod from 0.104.4 to 0.105.0 by @dependabot in https://github.com/sigstore/sigstore/pull/377

Update to go 1.17 / 1.18 by @lukehinds in https://github.com/sigstore/sigstore/pull/374

Bump github.com/aws/aws-sdk-go from 1.43.36 to 1.43.37 by @dependabot in https://github.com/sigstore/sigstore/pull/382

Bump github.com/go-rod/rod from 0.105.0 to 0.105.1 by @dependabot in https://github.com/sigstore/sigstore/pull/383

Bump github.com/Azure/azure-sdk-for-go from 63.1.0+incompatible to 63.2.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/385

Bump actions/cache from 3.0.1 to 3.0.2 by @dependabot in https://github.com/sigstore/sigstore/pull/381

run tests with go1.17 and go1.18 by @cpanato in https://github.com/sigstore/sigstore/pull/380

Bump github.com/aws/aws-sdk-go from 1.43.37 to 1.43.39 by @dependabot in https://github.com/sigstore/sigstore/pull/387

Bump github.com/aws/aws-sdk-go from 1.43.39 to 1.43.40 by @dependabot in https://github.com/sigstore/sigstore/pull/389

Bump actions/checkout from 3.0.0 to 3.0.1 by @dependabot in https://github.com/sigstore/sigstore/pull/388

Bump github.com/go-rod/rod from 0.105.1 to 0.106.0 by @dependabot in https://github.com/sigstore/sigstore/pull/390

Bump github.com/aws/aws-sdk-go from 1.43.40 to 1.43.41 by @dependabot in https://github.com/sigstore/sigstore/pull/391

Bump github.com/Azure/azure-sdk-for-go from 63.2.0+incompatible to 63.3.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/393

Bump github.com/Azure/go-autorest/autorest from 0.11.25 to 0.11.26 by @dependabot in https://github.com/sigstore/sigstore/pull/392

Bump github.com/go-rod/rod from 0.106.0 to 0.106.1 by @dependabot in https://github.com/sigstore/sigstore/pull/395

Add a helper method to parse a PEM-encoded CSR by @haydentherapper in https://github.com/sigstore/sigstore/pull/394

Bump github.com/aws/aws-sdk-go from 1.43.41 to 1.43.43 by @dependabot in https://github.com/sigstore/sigstore/pull/398

Add method for generating certificate serial number by @haydentherapper in https://github.com/sigstore/sigstore/pull/399

Bump github.com/aws/aws-sdk-go from 1.43.43 to 1.43.44 by @dependabot in https://github.com/sigstore/sigstore/pull/402

Bump actions/checkout from 3.0.1 to 3.0.2 by @dependabot in https://github.com/sigstore/sigstore/pull/401

make target integration by @sallyom in https://github.com/sigstore/sigstore/pull/400

Bump github.com/Azure/go-autorest/autorest from 0.11.26 to 0.11.27 by @dependabot in https://github.com/sigstore/sigstore/pull/404

Bump github.com/aws/aws-sdk-go from 1.43.44 to 1.43.45 by @dependabot in https://github.com/sigstore/sigstore/pull/405

Add error type for kms.Get when provider not found by @znewman01 in https://github.com/sigstore/sigstore/pull/407

Bump github.com/Azure/azure-sdk-for-go from 63.3.0+incompatible to 63.4.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/409

Bump github.com/aws/aws-sdk-go from 1.43.45 to 1.44.0 by @dependabot in https://github.com/sigstore/sigstore/pull/410

Bump google-github-actions/auth from 0.7.0 to 0.7.1 by @dependabot in https://github.com/sigstore/sigstore/pull/408

Bump github.com/aws/aws-sdk-go from 1.44.0 to 1.44.1 by @dependabot in https://github.com/sigstore/sigstore/pull/412

Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 by @dependabot in https://github.com/sigstore/sigstore/pull/411

Bump github.com/aws/aws-sdk-go from 1.44.1 to 1.44.2 by @dependabot in https://github.com/sigstore/sigstore/pull/413

Bump github.com/go-rod/rod from 0.106.1 to 0.106.2 by @dependabot in https://github.com/sigstore/sigstore/pull/414

Bump github/codeql-action from 2.1.8 to 2.1.9 by @dependabot in https://github.com/sigstore/sigstore/pull/415

Bump github.com/go-rod/rod from 0.106.2 to 0.106.4 by @dependabot in https://github.com/sigstore/sigstore/pull/417

Bump github.com/aws/aws-sdk-go from 1.44.2 to 1.44.3 by @dependabot in https://github.com/sigstore/sigstore/pull/416

Bump github.com/aws/aws-sdk-go from 1.44.2 to 1.44.4 by @dependabot in https://github.com/sigstore/sigstore/pull/418

chore(deps): Included dependency review by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/406

Call ValidReference in all KMS cases by @imjasonh in https://github.com/sigstore/sigstore/pull/419

Bump github.com/aws/aws-sdk-go from 1.44.4 to 1.44.5 by @dependabot in https://github.com/sigstore/sigstore/pull/420

Bump github.com/go-rod/rod from 0.106.4 to 0.106.5 by @dependabot in https://github.com/sigstore/sigstore/pull/421

Bump github.com/aws/aws-sdk-go from 1.44.5 to 1.44.7 by @dependabot in https://github.com/sigstore/sigstore/pull/422

Bump github.com/aws/aws-sdk-go from 1.44.7 to 1.44.8 by @dependabot in https://github.com/sigstore/sigstore/pull/423

Bump github.com/aws/aws-sdk-go from 1.44.8 to 1.44.9 by @dependabot in https://github.com/sigstore/sigstore/pull/424

Remove copy of OAuth success HTML by @imjasonh in https://github.com/sigstore/sigstore/pull/425

Bump github.com/go-rod/rod from 0.106.5 to 0.106.6 by @dependabot in https://github.com/sigstore/sigstore/pull/427

Bump github.com/aws/aws-sdk-go from 1.44.9 to 1.44.10 by @dependabot in https://github.com/sigstore/sigstore/pull/428

Bump github.com/Azure/azure-sdk-for-go from 63.4.0+incompatible to 64.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/429

Bump github.com/aws/aws-sdk-go from 1.44.10 to 1.44.11 by @dependabot in https://github.com/sigstore/sigstore/pull/432

Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 by @dependabot in https://github.com/sigstore/sigstore/pull/433

Bump github.com/aws/aws-sdk-go from 1.44.11 to 1.44.12 by @dependabot in https://github.com/sigstore/sigstore/pull/434

Bump github/codeql-action from 2.1.9 to 2.1.10 by @dependabot in https://github.com/sigstore/sigstore/pull/431

Bump github.com/coreos/go-oidc/v3 from 3.1.0 to 3.2.0 by @dependabot in https://github.com/sigstore/sigstore/pull/437

Add method to unmarshal certificates with a limit by @haydentherapper in https://github.com/sigstore/sigstore/pull/430

Add unsafe verifier to verify signatures with SHA1 digests by @haydentherapper in https://github.com/sigstore/sigstore/pull/441

Bump github.com/aws/aws-sdk-go from 1.44.12 to 1.44.13 by @dependabot in https://github.com/sigstore/sigstore/pull/440

Bump github/codeql-action from 75b4f1c4669133dc294b06c2794e969efa2e5316 to 2.1.10 by @dependabot in https://github.com/sigstore/sigstore/pull/439

Bump actions/setup-go from 3.0.0 to 3.1.0 by @dependabot in https://github.com/sigstore/sigstore/pull/438

Bump github.com/aws/aws-sdk-go from 1.44.13 to 1.44.14 by @dependabot in https://github.com/sigstore/sigstore/pull/443

Bump actions/dependency-review-action from 3f943b86c9a289f4e632c632695e2e0898d9d67d to 1 by @dependabot in https://github.com/sigstore/sigstore/pull/442

Remove dependency on deprecated github.com/pkg/errors by @imjasonh in https://github.com/sigstore/sigstore/pull/444

Bump google-github-actions/auth from 0.7.1 to 0.7.2 by @dependabot in https://github.com/sigstore/sigstore/pull/446

Bump github.com/aws/aws-sdk-go from 1.44.14 to 1.44.15 by @dependabot in https://github.com/sigstore/sigstore/pull/447

Bump github.com/Azure/azure-sdk-for-go from 64.0.0+incompatible to 64.1.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/445

Bump github/codeql-action from 2.1.10 to 2.1.11 by @dependabot in https://github.com/sigstore/sigstore/pull/448

Bump github.com/aws/aws-sdk-go from 1.44.15 to 1.44.16 by @dependabot in https://github.com/sigstore/sigstore/pull/449

Bump github.com/go-rod/rod from 0.106.6 to 0.106.7 by @dependabot in https://github.com/sigstore/sigstore/pull/450

Bump github.com/google/go-containerregistry from 0.8.0 to 0.9.0 by @dependabot in https://github.com/sigstore/sigstore/pull/451

Bump github.com/aws/aws-sdk-go from 1.44.16 to 1.44.17 by @dependabot in https://github.com/sigstore/sigstore/pull/453

Bump google-github-actions/auth from 0.7.2 to 0.7.3 by @dependabot in https://github.com/sigstore/sigstore/pull/452

Bump github.com/go-rod/rod from 0.106.7 to 0.106.8 by @dependabot in https://github.com/sigstore/sigstore/pull/454

Bump actions/upload-artifact from 3.0.0 to 3.1.0 by @dependabot in https://github.com/sigstore/sigstore/pull/456

Bump github.com/aws/aws-sdk-go from 1.44.17 to 1.44.18 by @dependabot in https://github.com/sigstore/sigstore/pull/455

Bump github.com/aws/aws-sdk-go from 1.44.18 to 1.44.19 by @dependabot in https://github.com/sigstore/sigstore/pull/457

Bump github.com/aws/aws-sdk-go from 1.44.19 to 1.44.20 by @dependabot in https://github.com/sigstore/sigstore/pull/461

Bump github.com/Azure/azure-sdk-for-go from 64.1.0+incompatible to 65.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/460

Bump actions/dependency-review-action from 1.0.1 to 1.0.2 by @dependabot in https://github.com/sigstore/sigstore/pull/459

Bump google-github-actions/auth from 0.7.3 to 0.8.0 by @dependabot in https://github.com/sigstore/sigstore/pull/458

Bump github.com/aws/aws-sdk-go from 1.44.20 to 1.44.21 by @dependabot in https://github.com/sigstore/sigstore/pull/464

Bump github.com/hashicorp/vault/api from 1.5.0 to 1.6.0 by @dependabot in https://github.com/sigstore/sigstore/pull/463

Bump github.com/aws/aws-sdk-go from 1.44.21 to 1.44.22 by @dependabot in https://github.com/sigstore/sigstore/pull/465

Update go-tuf to pick up security fixes by @haydentherapper in https://github.com/sigstore/sigstore/pull/462

Export providerInit type by @imjasonh in https://github.com/sigstore/sigstore/pull/466

Bump actions/setup-go from 3.1.0 to 3.2.0 by @dependabot in https://github.com/sigstore/sigstore/pull/469

Bump github.com/aws/aws-sdk-go from 1.44.22 to 1.44.23 by @dependabot in https://github.com/sigstore/sigstore/pull/470

Bump github.com/go-rod/rod from 0.106.8 to 0.107.0 by @dependabot in https://github.com/sigstore/sigstore/pull/471

update error message for pkg/signature/ecdsa.go when checking the VerifyASN1 by @cpanato in https://github.com/sigstore/sigstore/pull/473

Bump github.com/aws/aws-sdk-go from 1.44.23 to 1.44.24 by @dependabot in https://github.com/sigstore/sigstore/pull/474

Allow passing options to GCP's LoadSignVerifier. by @mattmoor in https://github.com/sigstore/sigstore/pull/468

Migrate AWK KMS to use the v2 SDK. by @mattmoor in https://github.com/sigstore/sigstore/pull/475

Bump google.golang.org/api from 0.75.0 to 0.81.0 by @dependabot in https://github.com/sigstore/sigstore/pull/476

fix uppercase err msgs to quiet golangci-lint by @bobcallaway in https://github.com/sigstore/sigstore/pull/477

Bump actions/cache from 3.0.2 to 3.0.3 by @dependabot in https://github.com/sigstore/sigstore/pull/478

Bump github.com/secure-systems-lab/go-securesystemslib from 0.3.1 to 0.4.0 by @dependabot in https://github.com/sigstore/sigstore/pull/482

Bump github.com/aws/aws-sdk-go from 1.44.24 to 1.44.26 by @dependabot in https://github.com/sigstore/sigstore/pull/481

Bump github/codeql-action from 2.1.11 to 2.1.12 by @dependabot in https://github.com/sigstore/sigstore/pull/480

Bump google.golang.org/api from 0.81.0 to 0.82.0 by @dependabot in https://github.com/sigstore/sigstore/pull/483

Autoclose OAuth success page after 5 seconds. by @wlynch in https://github.com/sigstore/sigstore/pull/484

Bump github.com/aws/aws-sdk-go from 1.44.26 to 1.44.27 by @dependabot in https://github.com/sigstore/sigstore/pull/485

Add a warning when using WithDigest with ECDSA by @haydentherapper in https://github.com/sigstore/sigstore/pull/487

Bump github.com/stretchr/testify from 1.7.1 to 1.7.2 by @dependabot in https://github.com/sigstore/sigstore/pull/489

Bump github.com/go-rod/rod from 0.107.0 to 0.107.1 by @dependabot in https://github.com/sigstore/sigstore/pull/488

Bump google.golang.org/api from 0.82.0 to 0.83.0 by @dependabot in https://github.com/sigstore/sigstore/pull/495

Bump github.com/aws/aws-sdk-go-v2 from 1.16.4 to 1.16.5 by @dependabot in https://github.com/sigstore/sigstore/pull/491

Bump github.com/aws/aws-sdk-go-v2/config from 1.15.9 to 1.15.10 by @dependabot in https://github.com/sigstore/sigstore/pull/494

Bump github.com/aws/aws-sdk-go-v2/service/kms from 1.17.2 to 1.17.3 by @dependabot in https://github.com/sigstore/sigstore/pull/493

Bump actions/cache from 3.0.3 to 3.0.4 by @dependabot in https://github.com/sigstore/sigstore/pull/490

Bump github.com/aws/aws-sdk-go from 1.44.27 to 1.44.29 by @dependabot in https://github.com/sigstore/sigstore/pull/492

Bump github.com/hashicorp/vault/api from 1.6.0 to 1.7.1 by @dependabot in https://github.com/sigstore/sigstore/pull/496

Bump github.com/aws/aws-sdk-go from 1.44.29 to 1.44.30 by @dependabot in https://github.com/sigstore/sigstore/pull/497

Bump github.com/aws/aws-sdk-go from 1.44.30 to 1.44.31 by @dependabot in https://github.com/sigstore/sigstore/pull/498

Bump github.com/hashicorp/vault/api from 1.7.1 to 1.7.2 by @dependabot in https://github.com/sigstore/sigstore/pull/499

Move fulcioroots and tuf packages from cosign by @imjasonh in https://github.com/sigstore/sigstore/pull/435

Bump github.com/aws/aws-sdk-go from 1.44.31 to 1.44.32 by @dependabot in https://github.com/sigstore/sigstore/pull/501

Bump github.com/aws/aws-sdk-go from 1.44.32 to 1.44.33 by @dependabot in https://github.com/sigstore/sigstore/pull/504

Lock TUF client during target loading operations by @puerco in https://github.com/sigstore/sigstore/pull/503

Bump google.golang.org/api from 0.83.0 to 0.84.0 by @dependabot in https://github.com/sigstore/sigstore/pull/507

Bump github.com/aws/aws-sdk-go from 1.44.33 to 1.44.34 by @dependabot in https://github.com/sigstore/sigstore/pull/506

Bump github.com/aws/aws-sdk-go from 1.44.33 to 1.44.35 by @dependabot in https://github.com/sigstore/sigstore/pull/508

Bump actions/dependency-review-action from 1.0.2 to 2.0.1 by @dependabot in https://github.com/sigstore/sigstore/pull/505

Bump actions/dependency-review-action from 2.0.1 to 2.0.2 by @dependabot in https://github.com/sigstore/sigstore/pull/509

Bump github.com/aws/aws-sdk-go from 1.44.35 to 1.44.36 by @dependabot in https://github.com/sigstore/sigstore/pull/510

Bump github.com/aws/aws-sdk-go-v2/config from 1.15.10 to 1.15.11 by @dependabot in https://github.com/sigstore/sigstore/pull/511

Bump github.com/go-rod/rod from 0.107.1 to 0.107.2 by @dependabot in https://github.com/sigstore/sigstore/pull/512

Bump github.com/aws/aws-sdk-go from 1.44.36 to 1.44.37 by @dependabot in https://github.com/sigstore/sigstore/pull/513

Bump github.com/aws/aws-sdk-go from 1.44.37 to 1.44.38 by @dependabot in https://github.com/sigstore/sigstore/pull/517

Bump github.com/stretchr/testify from 1.7.2 to 1.7.3 by @dependabot in https://github.com/sigstore/sigstore/pull/518

Bump github.com/stretchr/testify from 1.7.3 to 1.7.4 by @dependabot in https://github.com/sigstore/sigstore/pull/520

Bump github.com/aws/aws-sdk-go from 1.44.38 to 1.44.39 by @dependabot in https://github.com/sigstore/sigstore/pull/521

Bump github/codeql-action from 2.1.12 to 2.1.13 by @dependabot in https://github.com/sigstore/sigstore/pull/519

Revert "Autoclose OAuth success page after 5 seconds. (#484)" by @wlynch in https://github.com/sigstore/sigstore/pull/502

oauthflow/interactive: Make input/output configurable. by @wlynch in https://github.com/sigstore/sigstore/pull/514

Bump google.golang.org/api from 0.84.0 to 0.85.0 by @dependabot in https://github.com/sigstore/sigstore/pull/523

Bump github.com/aws/aws-sdk-go from 1.44.39 to 1.44.40 by @dependabot in https://github.com/sigstore/sigstore/pull/524

Bump github.com/Azure/azure-sdk-for-go from 65.0.0+incompatible to 66.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/526

add check if transit return nil data by @Dentrax in https://github.com/sigstore/sigstore/pull/515

Bump github.com/google/go-containerregistry from 0.9.0 to 0.10.0 by @dependabot in https://github.com/sigstore/sigstore/pull/525

Bump github.com/aws/aws-sdk-go from 1.44.40 to 1.44.41 by @dependabot in https://github.com/sigstore/sigstore/pull/529

Bump github/codeql-action from 2.1.13 to 2.1.14 by @dependabot in https://github.com/sigstore/sigstore/pull/528

New Contributors

@hectorj2f made their first contribution in https://github.com/sigstore/sigstore/pull/350

@sallyom made their first contribution in https://github.com/sigstore/sigstore/pull/400

@znewman01 made their first contribution in https://github.com/sigstore/sigstore/pull/407

@mattmoor made their first contribution in https://github.com/sigstore/sigstore/pull/468

@wlynch made their first contribution in https://github.com/sigstore/sigstore/pull/484

@puerco made their first contribution in https://github.com/sigstore/sigstore/pull/503

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.2.0...v1.3.0
Source code(tar.gz)
Source code(zip)
v1.2.0(Mar 25, 2022)
What's Changed

Moved dsse to fuzz dir by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/214

Bump github.com/Azure/azure-sdk-for-go from 60.3.0+incompatible to 61.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/215

Fuzz - Fixed the panic that was caused by incorrect data by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/213

Bump github.com/aws/aws-sdk-go from 1.42.25 to 1.42.26 by @dependabot in https://github.com/sigstore/sigstore/pull/216

Bump github.com/aws/aws-sdk-go from 1.42.26 to 1.42.27 by @dependabot in https://github.com/sigstore/sigstore/pull/217

Bump github.com/aws/aws-sdk-go from 1.42.27 to 1.42.28 by @dependabot in https://github.com/sigstore/sigstore/pull/219

Bump github.com/Azure/azure-sdk-for-go from 61.0.0+incompatible to 61.1.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/218

Bump github.com/aws/aws-sdk-go from 1.42.28 to 1.42.29 by @dependabot in https://github.com/sigstore/sigstore/pull/220

Bump github.com/aws/aws-sdk-go from 1.42.29 to 1.42.31 by @dependabot in https://github.com/sigstore/sigstore/pull/222

pin actions by digest; update chrome install to use signed repo by @bobcallaway in https://github.com/sigstore/sigstore/pull/225

Bump github.com/aws/aws-sdk-go from 1.42.31 to 1.42.32 by @dependabot in https://github.com/sigstore/sigstore/pull/224

Bump github.com/aws/aws-sdk-go from 1.42.32 to 1.42.33 by @dependabot in https://github.com/sigstore/sigstore/pull/227

Bump github/codeql-action from 300c8b6dcbaf905eb250b06113e2e62c340a2d20 to 1.0.27 by @dependabot in https://github.com/sigstore/sigstore/pull/226

Fix: verify with HashiVault KMS by @blz-ea in https://github.com/sigstore/sigstore/pull/229

Bump github.com/aws/aws-sdk-go from 1.42.33 to 1.42.34 by @dependabot in https://github.com/sigstore/sigstore/pull/230

Bump github.com/Azure/azure-sdk-for-go from 61.1.0+incompatible to 61.2.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/231

KMS: Change how the Azure authentication method is handled by @simongottschlag in https://github.com/sigstore/sigstore/pull/228

Bump github.com/aws/aws-sdk-go from 1.42.34 to 1.42.35 by @dependabot in https://github.com/sigstore/sigstore/pull/232

Bump github.com/Azure/go-autorest/autorest from 0.11.22 to 0.11.24 by @dependabot in https://github.com/sigstore/sigstore/pull/233

Drop SHA1, SHA224 for RSA-PSS/PKCS#1, enforce for RSA-PKCS#1 by @haydentherapper in https://github.com/sigstore/sigstore/pull/234

Bump github/codeql-action from 1.0.27 to 1.0.28 by @dependabot in https://github.com/sigstore/sigstore/pull/236

Bump github.com/aws/aws-sdk-go from 1.42.35 to 1.42.36 by @dependabot in https://github.com/sigstore/sigstore/pull/235

Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 by @dependabot in https://github.com/sigstore/sigstore/pull/237

Bump github.com/aws/aws-sdk-go from 1.42.36 to 1.42.37 by @dependabot in https://github.com/sigstore/sigstore/pull/238

Bump github.com/Azure/azure-sdk-for-go from 61.2.0+incompatible to 61.3.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/239

Fix minor typos for HashiCorp by @jbayer in https://github.com/sigstore/sigstore/pull/240

Bump github.com/aws/aws-sdk-go from 1.42.37 to 1.42.38 by @dependabot in https://github.com/sigstore/sigstore/pull/242

Bump github/codeql-action from 1.0.28 to 1.0.29 by @dependabot in https://github.com/sigstore/sigstore/pull/241

Add subject key ID calculation from public key by @haydentherapper in https://github.com/sigstore/sigstore/pull/243

Bump github.com/aws/aws-sdk-go from 1.42.38 to 1.42.39 by @dependabot in https://github.com/sigstore/sigstore/pull/245

Bump github/codeql-action from 1.0.29 to 1.0.30 by @dependabot in https://github.com/sigstore/sigstore/pull/244

Bump github.com/aws/aws-sdk-go from 1.42.39 to 1.42.40 by @dependabot in https://github.com/sigstore/sigstore/pull/248

Wire up html page passed in for interactive OIDC callback server by @n3wscott in https://github.com/sigstore/sigstore/pull/247

Bump github.com/aws/aws-sdk-go from 1.42.40 to 1.42.41 by @dependabot in https://github.com/sigstore/sigstore/pull/250

Bump github.com/aws/aws-sdk-go from 1.42.41 to 1.42.42 by @dependabot in https://github.com/sigstore/sigstore/pull/251

Bump github.com/aws/aws-sdk-go from 1.42.42 to 1.42.43 by @dependabot in https://github.com/sigstore/sigstore/pull/252

Add oidc login to vault by @sudo-bmitch in https://github.com/sigstore/sigstore/pull/249

Bump github/codeql-action from 1.0.30 to 1.0.31 by @dependabot in https://github.com/sigstore/sigstore/pull/253

Bump github.com/aws/aws-sdk-go from 1.42.43 to 1.42.44 by @dependabot in https://github.com/sigstore/sigstore/pull/254

Bump github.com/Azure/azure-sdk-for-go from 61.3.0+incompatible to 61.4.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/255

Skip strict check on PKCE discovery claim on Azure by @bobcallaway in https://github.com/sigstore/sigstore/pull/246

Add ability to specify key version for Hashivault by @bobcallaway in https://github.com/sigstore/sigstore/pull/256

update deps by @dekkagaijin in https://github.com/sigstore/sigstore/pull/257

Bump github.com/aws/aws-sdk-go from 1.42.45 to 1.42.46 by @dependabot in https://github.com/sigstore/sigstore/pull/258

Bump cloud.google.com/go/kms from 1.1.0 to 1.2.0 by @dependabot in https://github.com/sigstore/sigstore/pull/259

return version of Vault key via functional option by @bobcallaway in https://github.com/sigstore/sigstore/pull/260

Bump github/codeql-action from 1.0.31 to 1.0.32 by @dependabot in https://github.com/sigstore/sigstore/pull/261

Bump github.com/aws/aws-sdk-go from 1.42.46 to 1.42.47 by @dependabot in https://github.com/sigstore/sigstore/pull/262

Bump github.com/aws/aws-sdk-go from 1.42.47 to 1.42.48 by @dependabot in https://github.com/sigstore/sigstore/pull/264

Bump github.com/go-rod/rod from 0.101.8 to 0.102.0 by @dependabot in https://github.com/sigstore/sigstore/pull/265

Bump github.com/aws/aws-sdk-go from 1.42.48 to 1.42.49 by @dependabot in https://github.com/sigstore/sigstore/pull/267

Bump actions/setup-go from 2.1.5 to 2.2.0 by @dependabot in https://github.com/sigstore/sigstore/pull/266

Bump github.com/aws/aws-sdk-go from 1.42.49 to 1.42.50 by @dependabot in https://github.com/sigstore/sigstore/pull/268

Bump github.com/go-rod/rod from 0.102.0 to 0.102.1 by @dependabot in https://github.com/sigstore/sigstore/pull/271

Bump github.com/aws/aws-sdk-go from 1.42.50 to 1.42.51 by @dependabot in https://github.com/sigstore/sigstore/pull/270

Bump github/codeql-action from 1.0.32 to 1.1.0 by @dependabot in https://github.com/sigstore/sigstore/pull/269

Bump github.com/aws/aws-sdk-go from 1.42.51 to 1.42.52 by @dependabot in https://github.com/sigstore/sigstore/pull/272

Bump github.com/Azure/azure-sdk-for-go from 61.4.0+incompatible to 61.5.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/273

Bump cloud.google.com/go/kms from 1.2.0 to 1.3.0 by @dependabot in https://github.com/sigstore/sigstore/pull/274

Bump github.com/aws/aws-sdk-go from 1.42.52 to 1.42.53 by @dependabot in https://github.com/sigstore/sigstore/pull/275

Bump github.com/aws/aws-sdk-go from 1.42.53 to 1.43.0 by @dependabot in https://github.com/sigstore/sigstore/pull/281

Bump github/codeql-action from 1.1.0 to 1.1.2 by @dependabot in https://github.com/sigstore/sigstore/pull/280

pkg/signature/kms doesn't depend on kms impls by @imjasonh in https://github.com/sigstore/sigstore/pull/276

remove unmaintained test dependency with invalid license by @bobcallaway in https://github.com/sigstore/sigstore/pull/279

move e2e tests inline with various implementation packages by @bobcallaway in https://github.com/sigstore/sigstore/pull/282

feat(kms): add supported providers func by @Dentrax in https://github.com/sigstore/sigstore/pull/277

Bump github.com/aws/aws-sdk-go from 1.43.0 to 1.43.1 by @dependabot in https://github.com/sigstore/sigstore/pull/283

Bump github.com/Azure/azure-sdk-for-go from 61.5.0+incompatible to 61.6.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/284

Bump github.com/aws/aws-sdk-go from 1.43.1 to 1.43.2 by @dependabot in https://github.com/sigstore/sigstore/pull/285

Bump github.com/aws/aws-sdk-go from 1.43.2 to 1.43.3 by @dependabot in https://github.com/sigstore/sigstore/pull/286

Bump github.com/aws/aws-sdk-go from 1.43.3 to 1.43.4 by @dependabot in https://github.com/sigstore/sigstore/pull/287

Permit usage of signing keys with aws-us-gov arn partitions by @chaospuppy in https://github.com/sigstore/sigstore/pull/289

Bump github/codeql-action from 1.1.2 to 1.1.3 by @dependabot in https://github.com/sigstore/sigstore/pull/291

Bump github.com/aws/aws-sdk-go from 1.43.4 to 1.43.5 by @dependabot in https://github.com/sigstore/sigstore/pull/292

update permissions for codeql by @bobcallaway in https://github.com/sigstore/sigstore/pull/293

Bump github.com/aws/aws-sdk-go from 1.43.5 to 1.43.6 by @dependabot in https://github.com/sigstore/sigstore/pull/295

Bump golangci/golangci-lint-action from 2.5.2 to 3 by @dependabot in https://github.com/sigstore/sigstore/pull/294

Bump hashicorp vault to 1.4.0. by @dlorenc in https://github.com/sigstore/sigstore/pull/297

Bump github.com/hashicorp/vault/api from 1.4.0 to 1.4.1 by @dependabot in https://github.com/sigstore/sigstore/pull/298

Explicitly run the go setup action. by @dlorenc in https://github.com/sigstore/sigstore/pull/299

Bump github.com/secure-systems-lab/go-securesystemslib from 0.3.0 to 0.3.1 by @dependabot in https://github.com/sigstore/sigstore/pull/304

Bump golangci/golangci-lint-action from 3.0.0 to 3.1.0 by @dependabot in https://github.com/sigstore/sigstore/pull/300

Bump actions/setup-go from 2.2.0 to 3 by @dependabot in https://github.com/sigstore/sigstore/pull/301

Bump github.com/aws/aws-sdk-go from 1.43.6 to 1.43.7 by @dependabot in https://github.com/sigstore/sigstore/pull/302

Bump github.com/Azure/azure-sdk-for-go from 61.6.0+incompatible to 62.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/303

Bump github.com/aws/aws-sdk-go from 1.43.7 to 1.43.8 by @dependabot in https://github.com/sigstore/sigstore/pull/307

Bump actions/checkout from 2.4.0 to 3 by @dependabot in https://github.com/sigstore/sigstore/pull/306

Bump github.com/aws/aws-sdk-go from 1.43.8 to 1.43.9 by @dependabot in https://github.com/sigstore/sigstore/pull/309

Bump actions/upload-artifact from 2.3.1 to 3 by @dependabot in https://github.com/sigstore/sigstore/pull/310

Bump cloud.google.com/go/kms from 1.3.0 to 1.4.0 by @dependabot in https://github.com/sigstore/sigstore/pull/311

Bump github.com/aws/aws-sdk-go from 1.43.9 to 1.43.10 by @dependabot in https://github.com/sigstore/sigstore/pull/312

Bump github.com/go-rod/rod from 0.102.1 to 0.103.0 by @dependabot in https://github.com/sigstore/sigstore/pull/313

Bump github.com/aws/aws-sdk-go from 1.43.10 to 1.43.11 by @dependabot in https://github.com/sigstore/sigstore/pull/314

Bump github.com/aws/aws-sdk-go from 1.43.11 to 1.43.12 by @dependabot in https://github.com/sigstore/sigstore/pull/316

Bump github.com/Azure/azure-sdk-for-go from 62.0.0+incompatible to 62.1.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/317

Bump github.com/aws/aws-sdk-go from 1.43.12 to 1.43.13 by @dependabot in https://github.com/sigstore/sigstore/pull/319

Bump github/codeql-action from 1.1.3 to 1.1.4 by @dependabot in https://github.com/sigstore/sigstore/pull/318

Bump github.com/aws/aws-sdk-go from 1.43.13 to 1.43.14 by @dependabot in https://github.com/sigstore/sigstore/pull/321

Enable the same golangci-lint rules as cosign by @dekkagaijin in https://github.com/sigstore/sigstore/pull/322

Bump github.com/aws/aws-sdk-go from 1.43.14 to 1.43.15 by @dependabot in https://github.com/sigstore/sigstore/pull/323

Initial introduction and implementation of oidc.IDTokenSource by @dekkagaijin in https://github.com/sigstore/sigstore/pull/320

Update CODEOWNERS by @endorama in https://github.com/sigstore/sigstore/pull/315

Bump github.com/aws/aws-sdk-go from 1.43.15 to 1.43.16 by @dependabot in https://github.com/sigstore/sigstore/pull/324

Add a reusuable GitHub Action workflow for cutting releases. by @k4leung4 in https://github.com/sigstore/sigstore/pull/325

return immediately, without waiting for the operation in progress to complete by @cpanato in https://github.com/sigstore/sigstore/pull/326

Bump github.com/aws/aws-sdk-go from 1.43.16 to 1.43.17 by @dependabot in https://github.com/sigstore/sigstore/pull/327

Bump github.com/Azure/azure-sdk-for-go from 62.1.0+incompatible to 62.2.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/328

Bump github.com/aws/aws-sdk-go from 1.43.17 to 1.43.18 by @dependabot in https://github.com/sigstore/sigstore/pull/329

Bump github.com/stretchr/testify from 1.7.0 to 1.7.1 by @dependabot in https://github.com/sigstore/sigstore/pull/332

Included OpenSSF Best Practices badge by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/333

Bump github.com/aws/aws-sdk-go from 1.43.18 to 1.43.19 by @dependabot in https://github.com/sigstore/sigstore/pull/331

fix lints found by golangci-lint by @cpanato in https://github.com/sigstore/sigstore/pull/334

Bump github.com/aws/aws-sdk-go from 1.43.19 to 1.43.20 by @dependabot in https://github.com/sigstore/sigstore/pull/335

Bump github.com/aws/aws-sdk-go from 1.43.20 to 1.43.21 by @dependabot in https://github.com/sigstore/sigstore/pull/336

Bump github/codeql-action from 1.1.4 to 1.1.5 by @dependabot in https://github.com/sigstore/sigstore/pull/330

Make tag,key_ring,key optional for release workflow. by @k4leung4 in https://github.com/sigstore/sigstore/pull/338

Bump github.com/go-rod/rod from 0.103.0 to 0.104.1 by @dependabot in https://github.com/sigstore/sigstore/pull/341

Bump github.com/Azure/azure-sdk-for-go from 62.2.0+incompatible to 62.3.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/342

Bump github.com/aws/aws-sdk-go from 1.43.21 to 1.43.22 by @dependabot in https://github.com/sigstore/sigstore/pull/340

Bump actions/cache from 2.1.7 to 3 by @dependabot in https://github.com/sigstore/sigstore/pull/339

Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 by @dependabot in https://github.com/sigstore/sigstore/pull/343

Bump github.com/aws/aws-sdk-go from 1.43.22 to 1.43.24 by @dependabot in https://github.com/sigstore/sigstore/pull/345

Add utilities to parse Oauth2 access token HTTP responses by @dekkagaijin in https://github.com/sigstore/sigstore/pull/337

Add method to check for public key equality by @haydentherapper in https://github.com/sigstore/sigstore/pull/346

New Contributors

@blz-ea made their first contribution in https://github.com/sigstore/sigstore/pull/229

@simongottschlag made their first contribution in https://github.com/sigstore/sigstore/pull/228

@haydentherapper made their first contribution in https://github.com/sigstore/sigstore/pull/234

@jbayer made their first contribution in https://github.com/sigstore/sigstore/pull/240

@n3wscott made their first contribution in https://github.com/sigstore/sigstore/pull/247

@sudo-bmitch made their first contribution in https://github.com/sigstore/sigstore/pull/249

@imjasonh made their first contribution in https://github.com/sigstore/sigstore/pull/276

@Dentrax made their first contribution in https://github.com/sigstore/sigstore/pull/277

@chaospuppy made their first contribution in https://github.com/sigstore/sigstore/pull/289

@endorama made their first contribution in https://github.com/sigstore/sigstore/pull/315

@k4leung4 made their first contribution in https://github.com/sigstore/sigstore/pull/325

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.1.0...v1.2.0
Source code(tar.gz)
Source code(zip)
v1.1.0(Dec 28, 2021)
What's Changed

Idp specific default flows by @houdini91 in https://github.com/sigstore/sigstore/pull/123

Bump github.com/aws/aws-sdk-go from 1.42.1 to 1.42.2 by @dependabot in https://github.com/sigstore/sigstore/pull/139

Bump github.com/aws/aws-sdk-go from 1.42.2 to 1.42.3 by @dependabot in https://github.com/sigstore/sigstore/pull/140

Bump github.com/google/go-containerregistry from 0.6.0 to 0.7.0 by @dependabot in https://github.com/sigstore/sigstore/pull/142

Bump github.com/aws/aws-sdk-go from 1.42.3 to 1.42.4 by @dependabot in https://github.com/sigstore/sigstore/pull/143

expose innerWrapper as VerifierAdapter by @dekkagaijin in https://github.com/sigstore/sigstore/pull/144

also expose the wrapped verifier in VerifierAdapter by @dekkagaijin in https://github.com/sigstore/sigstore/pull/145

Bump github.com/aws/aws-sdk-go from 1.42.4 to 1.42.5 by @dependabot in https://github.com/sigstore/sigstore/pull/147

Feat : Fuzzing by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/146

Linter - Included linter check for doc rules by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/148

Bump github.com/aws/aws-sdk-go from 1.42.5 to 1.42.7 by @dependabot in https://github.com/sigstore/sigstore/pull/150

update deps by @dekkagaijin in https://github.com/sigstore/sigstore/pull/151

Bump github.com/aws/aws-sdk-go from 1.42.8 to 1.42.9 by @dependabot in https://github.com/sigstore/sigstore/pull/152

Move the ssh signing/verification utilities to sigstore from rekor. by @dlorenc in https://github.com/sigstore/sigstore/pull/141

Bump github.com/aws/aws-sdk-go from 1.42.9 to 1.42.10 by @dependabot in https://github.com/sigstore/sigstore/pull/153

Fix revive lint warnings. by @dlorenc in https://github.com/sigstore/sigstore/pull/156

Included fuzzing for more cryptoutils by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/157

Bump github.com/aws/aws-sdk-go from 1.42.10 to 1.42.11 by @dependabot in https://github.com/sigstore/sigstore/pull/161

hack: add hack/tools to hold non required dependencies/tools for the project by @cpanato in https://github.com/sigstore/sigstore/pull/159

update lint action by @dekkagaijin in https://github.com/sigstore/sigstore/pull/155

Fuzzing password and some signature API by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/160

Bump github.com/aws/aws-sdk-go from 1.42.11 to 1.42.12 by @dependabot in https://github.com/sigstore/sigstore/pull/162

Bump github.com/Azure/azure-sdk-for-go from 59.3.0+incompatible to 59.4.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/163

Docs for Fuzzing by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/165

Fuzzing - Included RSA Targets by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/164

Bump github.com/aws/aws-sdk-go from 1.42.12 to 1.42.14 by @dependabot in https://github.com/sigstore/sigstore/pull/166

Clean up lint errors by @bobcallaway in https://github.com/sigstore/sigstore/pull/167

Included fuzz badge by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/168

Included CIFuzz by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/169

Bump github.com/aws/aws-sdk-go from 1.42.14 to 1.42.15 by @dependabot in https://github.com/sigstore/sigstore/pull/171

Fuzzing for RSAPASS by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/170

Bump github.com/aws/aws-sdk-go from 1.42.15 to 1.42.16 by @dependabot in https://github.com/sigstore/sigstore/pull/174

Upgraded go-securesystemslib from 0.1.0 to 0.2.0 by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/178

Bump github.com/aws/aws-sdk-go from 1.42.16 to 1.42.17 by @dependabot in https://github.com/sigstore/sigstore/pull/176

Additional corpus for ecdsa and ed25519 by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/177

Fuzz testing DSSE by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/173

Bump github.com/aws/aws-sdk-go from 1.42.17 to 1.42.18 by @dependabot in https://github.com/sigstore/sigstore/pull/180

Bump github.com/Azure/azure-sdk-for-go from 59.4.0+incompatible to 60.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/179

Updatathon by @dekkagaijin in https://github.com/sigstore/sigstore/pull/181

Bump github.com/ReneKroon/ttlcache/v2 from 2.9.0 to 2.10.0 by @dependabot in https://github.com/sigstore/sigstore/pull/184

Bump github.com/aws/aws-sdk-go from 1.42.19 to 1.42.20 by @dependabot in https://github.com/sigstore/sigstore/pull/187

Bump actions/upload-artifact from 2.2.4 to 2.3.0 by @dependabot in https://github.com/sigstore/sigstore/pull/185

bump github.com/secure-systems-lab/go-securesystemslib to v0.3.0 by @dekkagaijin in https://github.com/sigstore/sigstore/pull/189

bump the rest of the deps by @dekkagaijin in https://github.com/sigstore/sigstore/pull/190

fix wrong return value in error case by @bobcallaway in https://github.com/sigstore/sigstore/pull/192

Bump github.com/aws/aws-sdk-go from 1.42.20 to 1.42.21 by @dependabot in https://github.com/sigstore/sigstore/pull/194

Bump github.com/aws/aws-sdk-go from 1.42.21 to 1.42.22 by @dependabot in https://github.com/sigstore/sigstore/pull/195

Bump github.com/Azure/azure-sdk-for-go from 60.0.0+incompatible to 60.1.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/196

Fuzz - Fixes nil data by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/197

Bump github.com/aws/aws-sdk-go from 1.42.22 to 1.42.23 by @dependabot in https://github.com/sigstore/sigstore/pull/201

Bump actions/upload-artifact from 2.3.0 to 2.3.1 by @dependabot in https://github.com/sigstore/sigstore/pull/202

Bump github.com/Azure/azure-sdk-for-go from 60.1.0+incompatible to 60.2.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/204

Dsse multi signature wrapper by @houdini91 in https://github.com/sigstore/sigstore/pull/203

Bump github.com/ReneKroon/ttlcache/v2 from 2.10.0 to 2.11.0 by @dependabot in https://github.com/sigstore/sigstore/pull/206

Bump github.com/aws/aws-sdk-go from 1.42.23 to 1.42.24 by @dependabot in https://github.com/sigstore/sigstore/pull/207

Bump github.com/aws/aws-sdk-go from 1.42.24 to 1.42.25 by @dependabot in https://github.com/sigstore/sigstore/pull/208

Bump github.com/hashicorp/vault/api from 1.3.0 to 1.3.1 by @dependabot in https://github.com/sigstore/sigstore/pull/209

Bump github.com/Azure/azure-sdk-for-go from 60.2.0+incompatible to 60.3.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/210

Fuzz- Fixes the invalid UTF-8 string for DSSE by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/212

New Contributors

@houdini91 made their first contribution in https://github.com/sigstore/sigstore/pull/123

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.0.1...v1.1.0
Source code(tar.gz)
Source code(zip)
v1.0.1(Nov 11, 2021)
What's Changed

Make SimpleContainerImage struct accesible for tekton chains by @priyawadhwa in https://github.com/sigstore/sigstore/pull/124

(fix): Fix vault integration to work with rotated keys by @rjbrown57 in https://github.com/sigstore/sigstore/pull/125

Create dependabot.yml by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/127

Fix the azure KMS provider by @dlorenc in https://github.com/sigstore/sigstore/pull/126

Bump actions/checkout from 2.3.4 to 2.4.0 by @dependabot in https://github.com/sigstore/sigstore/pull/128

Bump github.com/go-test/deep from 1.0.7 to 1.0.8 by @dependabot in https://github.com/sigstore/sigstore/pull/129

Bump github.com/aws/aws-sdk-go from 1.40.7 to 1.41.19 by @dependabot in https://github.com/sigstore/sigstore/pull/130

Bump cloud.google.com/go from 0.88.0 to 0.97.0 by @dependabot in https://github.com/sigstore/sigstore/pull/134

Bump github.com/ReneKroon/ttlcache/v2 from 2.7.0 to 2.9.0 by @dependabot in https://github.com/sigstore/sigstore/pull/132

Bump github.com/coreos/go-oidc/v3 from 3.0.0 to 3.1.0 by @dependabot in https://github.com/sigstore/sigstore/pull/133

Bump github.com/google/go-containerregistry from 0.5.1 to 0.6.0 by @dependabot in https://github.com/sigstore/sigstore/pull/135

Bump github.com/hashicorp/vault/api from 1.1.1 to 1.3.0 by @dependabot in https://github.com/sigstore/sigstore/pull/131

Bump github.com/aws/aws-sdk-go from 1.41.19 to 1.42.0 by @dependabot in https://github.com/sigstore/sigstore/pull/136

Bump github.com/aws/aws-sdk-go from 1.42.0 to 1.42.1 by @dependabot in https://github.com/sigstore/sigstore/pull/137

New Contributors

@rjbrown57 made their first contribution in https://github.com/sigstore/sigstore/pull/125

@naveensrinivasan made their first contribution in https://github.com/sigstore/sigstore/pull/127

@dependabot made their first contribution in https://github.com/sigstore/sigstore/pull/128

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.0.0...v1.0.1
Source code(tar.gz)
Source code(zip)
v1.0.0(Oct 11, 2021)
What's Changed

Missed a couple of renames by @lukehinds in https://github.com/sigstore/sigstore/pull/1

User can use toml config for cert details by @lukehinds in https://github.com/sigstore/sigstore/pull/2

OIDC by @lukehinds in https://github.com/sigstore/sigstore/pull/3

readme, gitignore by @lukehinds in https://github.com/sigstore/sigstore/pull/4

Project Rename by @lukehinds in https://github.com/sigstore/sigstore/pull/5

Project refactor in prep for rewrite by @lukehinds in https://github.com/sigstore/sigstore/pull/7

Key generation code by @lukehinds in https://github.com/sigstore/sigstore/pull/9

Fix lint errors by @lukehinds in https://github.com/sigstore/sigstore/pull/12

Set up CI by @lukehinds in https://github.com/sigstore/sigstore/pull/11

Return PubK in correct type by @lukehinds in https://github.com/sigstore/sigstore/pull/13

Client port by @lukehinds in https://github.com/sigstore/sigstore/pull/14

Return the response so we can handle specific status codes by @lukehinds in https://github.com/sigstore/sigstore/pull/15

Bind flags with PreRun by @lukehinds in https://github.com/sigstore/sigstore/pull/18

Rename clients by @lukehinds in https://github.com/sigstore/sigstore/pull/20

Implements file MIME checking by @lukehinds in https://github.com/sigstore/sigstore/pull/21

Delete DS_Store by @lukehinds in https://github.com/sigstore/sigstore/pull/22

Implement rekor log entry by @lukehinds in https://github.com/sigstore/sigstore/pull/23

Update copyright statement by @dekkagaijin in https://github.com/sigstore/sigstore/pull/25

Device flow! by @dlorenc in https://github.com/sigstore/sigstore/pull/24

Add signature library by @dekkagaijin in https://github.com/sigstore/sigstore/pull/26

Add Security Section by @lukehinds in https://github.com/sigstore/sigstore/pull/29

cmd: add version command by @cpanato in https://github.com/sigstore/sigstore/pull/31

Rename signature payloads to be more descriptive for users by @dekkagaijin in https://github.com/sigstore/sigstore/pull/32

Use crypto.PublicKey in favor of *ecdsa.PublicKey by @dekkagaijin in https://github.com/sigstore/sigstore/pull/33

remove Ed25519 until we can make it work sanely with Rekor by @dekkagaijin in https://github.com/sigstore/sigstore/pull/34

Signers should return the payloads which were actually signed by @dekkagaijin in https://github.com/sigstore/sigstore/pull/35

update boilerplate header and apply go fmt by @cpanato in https://github.com/sigstore/sigstore/pull/37

ci/boilerplate: fix bolierplate check by @cpanato in https://github.com/sigstore/sigstore/pull/39

go: update go version to use 1.16.x by @cpanato in https://github.com/sigstore/sigstore/pull/36

Move kms package from cosign to sigstore by @priyawadhwa in https://github.com/sigstore/sigstore/pull/41

Leverage the signature package for signing by @dekkagaijin in https://github.com/sigstore/sigstore/pull/38

Implement code owners by @lukehinds in https://github.com/sigstore/sigstore/pull/40

use RSA-PSS instead of RSA-PKCS#1 v1.5 signature scheme by @dekkagaijin in https://github.com/sigstore/sigstore/pull/43

feat: add vault transit kms engine by @RichiCoder1 in https://github.com/sigstore/sigstore/pull/44

Bump the rekor dependency. by @dlorenc in https://github.com/sigstore/sigstore/pull/47

Allow specifying the full key version. by @dlorenc in https://github.com/sigstore/sigstore/pull/45

some vault fixes by @RichiCoder1 in https://github.com/sigstore/sigstore/pull/49

Better define sigstores purpose by @lukehinds in https://github.com/sigstore/sigstore/pull/52

remove optional algorithm; ensure CI and Makefile are correct by @bobcallaway in https://github.com/sigstore/sigstore/pull/57

log error message but continue with OAuth2 flow if browser auto-open … by @bobcallaway in https://github.com/sigstore/sigstore/pull/56

change to rekor.sigstore.dev by @bobcallaway in https://github.com/sigstore/sigstore/pull/60

remove gosec since it is handled by golangci-lint by @bobcallaway in https://github.com/sigstore/sigstore/pull/58

Add support for ed25519 based keys by @priyawadhwa in https://github.com/sigstore/sigstore/pull/51

Bump rekor for the new API changes. by @dlorenc in https://github.com/sigstore/sigstore/pull/61

Move all rekor code to tlog by @lukehinds in https://github.com/sigstore/sigstore/pull/63

Refact key tlog by @lukehinds in https://github.com/sigstore/sigstore/pull/65

Add support for static identity tokens supplied directly by the caller. by @dlorenc in https://github.com/sigstore/sigstore/pull/64

enable transit secret engine at another path by @developer-guy in https://github.com/sigstore/sigstore/pull/67

Refactor IDToken handling to support claims based on fields other tha… by @dlorenc in https://github.com/sigstore/sigstore/pull/68

cert.Subject is not populated, return serial instead by @lukehinds in https://github.com/sigstore/sigstore/pull/71

Allow the OOB authentication flow when we can't open a browser. by @dlorenc in https://github.com/sigstore/sigstore/pull/62

convert signature library to implement crypto.Signer interface by @bobcallaway in https://github.com/sigstore/sigstore/pull/69

use new path to GetRekorClient by @bobcallaway in https://github.com/sigstore/sigstore/pull/73

Fix for Error: error during PEM decoding by @lukehinds in https://github.com/sigstore/sigstore/pull/78

Use output to save client cert file locally by @lukehinds in https://github.com/sigstore/sigstore/pull/79

Add formatted URL for rekor entry by @lukehinds in https://github.com/sigstore/sigstore/pull/80

Add PublicKeyProvider interface by @bobcallaway in https://github.com/sigstore/sigstore/pull/75

Bump rekor. by @dlorenc in https://github.com/sigstore/sigstore/pull/82

Also output the signature if required by @lukehinds in https://github.com/sigstore/sigstore/pull/83

filehandler: add application/x-executable to supported mimetype by @cpanato in https://github.com/sigstore/sigstore/pull/84

stop using signerverifier to get access to publickeyprovider by @bobcallaway in https://github.com/sigstore/sigstore/pull/85

compute crc over digest instead of message by @bobcallaway in https://github.com/sigstore/sigstore/pull/86

We should use the client ID from the oauth config, not viper. by @dlorenc in https://github.com/sigstore/sigstore/pull/87

Don't use pointers for ed25519 keys by @dekkagaijin in https://github.com/sigstore/sigstore/pull/88

AWS KMS Support by @codysoyland in https://github.com/sigstore/sigstore/pull/74

Remove cmd/, clean up unused code by @dekkagaijin in https://github.com/sigstore/sigstore/pull/90

Remove pkg/tlog, run go mod tidy by @dekkagaijin in https://github.com/sigstore/sigstore/pull/91

update go modules, run go mod tidy by @dekkagaijin in https://github.com/sigstore/sigstore/pull/94

update github actions to latest versions by @dekkagaijin in https://github.com/sigstore/sigstore/pull/93

change in-memory signers to implement crypto.Signer by @bobcallaway in https://github.com/sigstore/sigstore/pull/92

Add initial Azure KMS support by @cpanato in https://github.com/sigstore/sigstore/pull/76

Remove pkg/util directory by @dekkagaijin in https://github.com/sigstore/sigstore/pull/95

Implement wrappers/converters for the DSSE signing spec. by @dlorenc in https://github.com/sigstore/sigstore/pull/96

Add tests for pkg/cryptoutils by @dekkagaijin in https://github.com/sigstore/sigstore/pull/99

More pkg/cryptoutils tests, add a generator for ECDSA keypairs by @dekkagaijin in https://github.com/sigstore/sigstore/pull/100

ENCRYPTED COSIGN PRIVATE KEY -> ENCRYPTED SIGSTORE PRIVATE KEY by @dekkagaijin in https://github.com/sigstore/sigstore/pull/101

remove fulcio client code by @dekkagaijin in https://github.com/sigstore/sigstore/pull/103

small update in the makefile by @cpanato in https://github.com/sigstore/sigstore/pull/105

default to P-256 curve again by @dekkagaijin in https://github.com/sigstore/sigstore/pull/106

Add missing code of conduct (stock sigstore one) by @lukehinds in https://github.com/sigstore/sigstore/pull/107

leverage Vault token helpers approach while obtaining Vault token by @developer-guy in https://github.com/sigstore/sigstore/pull/104

Transit backend path is hardcoded for some operations of the KMS Vault client by @LeSuisse in https://github.com/sigstore/sigstore/pull/102

Switch DSSE provider to go-securesystemslib by @adityasaky in https://github.com/sigstore/sigstore/pull/111

pass by reference instead of pointer so correct redirect_uri is known by @bobcallaway in https://github.com/sigstore/sigstore/pull/114

Pin localstack in e2e tests (fixes #112) by @codysoyland in https://github.com/sigstore/sigstore/pull/115

Fix typo/readability by @ocdtrekkie in https://github.com/sigstore/sigstore/pull/116

Modularise CI by @lukehinds in https://github.com/sigstore/sigstore/pull/118

Update readme in anticipation of 1.0 by @lukehinds in https://github.com/sigstore/sigstore/pull/119

Integration tests for dex / OIDConnect by @lukehinds in https://github.com/sigstore/sigstore/pull/110

Change redirect listener to use ephemeral port by @bobcallaway in https://github.com/sigstore/sigstore/pull/120

New Contributors

@lukehinds made their first contribution in https://github.com/sigstore/sigstore/pull/1

@dekkagaijin made their first contribution in https://github.com/sigstore/sigstore/pull/25

@dlorenc made their first contribution in https://github.com/sigstore/sigstore/pull/24

@cpanato made their first contribution in https://github.com/sigstore/sigstore/pull/31

@priyawadhwa made their first contribution in https://github.com/sigstore/sigstore/pull/41

@RichiCoder1 made their first contribution in https://github.com/sigstore/sigstore/pull/44

@bobcallaway made their first contribution in https://github.com/sigstore/sigstore/pull/57

@developer-guy made their first contribution in https://github.com/sigstore/sigstore/pull/67

@codysoyland made their first contribution in https://github.com/sigstore/sigstore/pull/74

@LeSuisse made their first contribution in https://github.com/sigstore/sigstore/pull/102

@adityasaky made their first contribution in https://github.com/sigstore/sigstore/pull/111

@ocdtrekkie made their first contribution in https://github.com/sigstore/sigstore/pull/116

Full Changelog: https://github.com/sigstore/sigstore/commits/v1.0.0
Source code(tar.gz)
Source code(zip)