Signing prototype

Overview

sigstore signing CLI tool

⚠️ Not ready for use yet!

sigstore CLI is a generic tool to sign blobs, tarballs, etc. and establish a trust root using the sigstore signing infrastructure.

For container signing, you want cosign.

Comments
  • Move fulcioroots and tuf packages from cosign


    Summary

    This moves these packages from sigstore/cosign into sigstore/sigstore.

    • pkg/fulcioroots comes from cosign's cmd/cosign/cli/fulcio/[email protected], and drops that package's behavior when the SIGSTORE_ROOT_FILE env var is set -- this will remain in sigstore/cosign.
    • pkg/tuf comes from cosign's pkg/cosign/[email protected] and is otherwise largely unchanged. Some methods were unexported that aren't used outside of this package.

    Part of https://github.com/sigstore/cosign/issues/1865

    Release Note

    pkg/fulcioroots and pkg/tuf are moved from cosign repo
    
    opened by imjasonh 29
  • Workload Identity Federation is not working with GCP KMS support


    Description

    Recently, we (w/@dentrax @erkanzileli) added other key management system support to Kyverno while verifying image signatures.^1 Then, I tried this feature on GCP while using GCP KMS and GKE. To achieve this I took advantage of Workload Identity Federation^2. To enable this I've used the following commands:

    🎗 Cross-ref: https://github.com/kyverno/website/pull/376

    $ export PROJECT_ID=$(gcloud config get-value project)
    $ export CLUSTER_NAME="gke-wif"
    $ gcloud container clusters create $CLUSTER_NAME \
        --workload-pool=$PROJECT_ID.svc.id.goog --num-nodes=2
    $ export GSA_NAME=kyverno-sa
    $ gcloud iam service-accounts create $GSA_NAME
    $ gcloud iam service-accounts add-iam-policy-binding \
      --role roles/iam.workloadIdentityUser \
      --member "serviceAccount:${PROJECT_ID}.svc.id.goog[kyverno/kyverno]" \
      ${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com
    $ gcloud projects add-iam-policy-binding ${PROJECT_ID} \
      --role roles/cloudkms.admin \
      --member serviceAccount:${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com
    $ kubectl annotate serviceaccount \
      --namespace kyverno \
      kyverno \
      iam.gke.io/gcp-service-account=${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com
    

    Then, I tried it with Kyverno but it didn't work as I expected. So, I decided to do a small test together with the google/cloud-sdk:slim image. So, I ran a Pod with this image, everything worked fine.

    kubectl run -it --rm \
      --image google/cloud-sdk:slim \
      --serviceaccount kyverno \
      --namespace kyverno \
      workload-identity-test
    


    cc: @JimBugwadia @dlorenc @cpanato

    enhancement 
    opened by developer-guy 28
  •  community : Contributor ladder


    Description

    I am opening this to ask if there's a contributor ladder defined for sigstore. How do I become an org member?

    I would be happy to help do PR reviews here, hoping to work towards maintainership.

    previous contributions - mainly fuzzing sigstore and integrating with oss-fuzz

    PR's in sigstore

    1. https://github.com/sigstore/sigstore/pull/214
    2. https://github.com/sigstore/sigstore/pull/213
    3. https://github.com/sigstore/sigstore/pull/212
    4. https://github.com/sigstore/sigstore/pull/197
    5. https://github.com/sigstore/sigstore/pull/178
    6. https://github.com/sigstore/sigstore/pull/177
    7. https://github.com/sigstore/sigstore/pull/173
    8. https://github.com/sigstore/sigstore/pull/170
    9. https://github.com/sigstore/sigstore/pull/169
    10. https://github.com/sigstore/sigstore/pull/168
    11. https://github.com/sigstore/sigstore/pull/165
    12. https://github.com/sigstore/sigstore/pull/164
    13. https://github.com/sigstore/sigstore/pull/160
    14. https://github.com/sigstore/sigstore/pull/158
    15. https://github.com/sigstore/sigstore/pull/157
    16. https://github.com/sigstore/sigstore/pull/148
    17. https://github.com/sigstore/sigstore/pull/146
    18. https://github.com/sigstore/sigstore/pull/127

    oss-fuzz and actively maintaining the oss-fuzz issues

    1. https://github.com/google/oss-fuzz/pull/6890
    2. https://github.com/google/oss-fuzz/pull/6927
    3. https://github.com/google/oss-fuzz/pull/6964

    Issues in sigstore

    https://github.com/sigstore/sigstore/issues?q=is%3Aissue+author%3Anaveensrinivasan

    PR's in cosign

    1. https://github.com/sigstore/cosign/pull/1141
    2. https://github.com/sigstore/cosign/pull/1020
    3. https://github.com/sigstore/cosign/pull/1001
    4. https://github.com/sigstore/cosign/pull/971
    5. https://github.com/sigstore/cosign/pull/968
    6. https://github.com/sigstore/cosign/pull/944
    7. https://github.com/sigstore/cosign/pull/124
    8. https://github.com/sigstore/cosign/pull/121
    9. https://github.com/sigstore/cosign/pull/120
    10. https://github.com/sigstore/cosign/pull/119

    Issues in cosign

    https://github.com/sigstore/cosign/issues?q=is%3Aissue+author%3Anaveensrinivasan+

    PR's rekor

    https://github.com/sigstore/rekor/pulls?q=author%3Anaveensrinivasan

    Issues in rekor

    https://github.com/sigstore/rekor/issues?q=author%3Anaveensrinivasan

    cc @lukehinds @dlorenc @bobcallaway

    enhancement 
    opened by naveensrinivasan 23
  • consider moving core sign & verify functions from cosign to sigstore


    TL;DR: I propose transferring the core crypto functions of cosign to project Sigstore.

    Motivation

    We aim to make sigstore more commonize for cryptographic functions. Cosign calls all the crypto-specific functions (i.e., generating ECDSA, signing, validating, etc.) from the keys.go file. If we get rid of those ECDSA-related functions, we would easily import the sigstore project and use those functions again in cosign; moreover, we would import them on other non-container-specific projects. For cosign, this work will likely legacy change for no discernible benefit. I think it should be better to handle these functions (like GenerateKeyPair(), LoadECDSAPrivateKey(), LoadPublicKey(), etc.) inside Sigstore itself.

    We could find neither an actively discussing issue nor a PR. It is a great opportunity to get used to Sigstore project.

    Implementation

    func GeneratePrivateKey() (*ecdsa.PrivateKey, error)
    
    func GenerateKeyPair(options *GenerateKeyPairOptions) (*KeyPair, error)
    
    func LoadPublicKey(options *PublicKeyOptions) (PublicKey, error)
    
    func LoadPrivateKey(options *PrivateKeyOptions) (signature.ECDSASignerVerifier, error)
    
    func KeyToPem(pub crypto.PublicKey) ([]byte, error)
    
    func CertToPem(c *x509.Certificate) []byte
    
    func PemToECDSAKey(raw []byte) (*ecdsa.PublicKey, error)
    

    Example Usages:

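    package main
    
    import (
    	"context"
    
    	"github.com/sigstore/sigstore/pkg/signature"
    )
    
    // Sketch of the proposed API listed above; pf is assumed to be defined elsewhere.
    func main() {
    	// Generate a new key pair, protecting the private key with a password callback.
    	s, _ := signature.GenerateKeyPair(&signature.GenerateKeyPairOptions{
    		PassFunc: pf(),
    	})
    	_ = s
    
    	content := "foo"
    
    	// Load the verification key from disk.
    	pub, _ := signature.LoadPublicKey(&signature.PublicKeyOptions{
    		Path: "cosign.pub",
    	})
    
    	// Load and decrypt the signing key.
    	key, _ := signature.LoadPrivateKey(&signature.PrivateKeyOptions{
    		Path: "cosign.key",
    		Pass: []byte("foo"),
    	})
    
    	// Sign the content; the second return value is unused here.
    	s1, _, _ := key.Sign(context.TODO(), []byte(content))
    
    	// Verify the signature over the same content.
    	_ = pub.Verify(context.TODO(), []byte(content), s1)
    
    	// ...
    }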
    
    opened by Dentrax 14
  • Out of band flow not working


    Description

    The auth process in gitsign outputs a URL you should be able to open in the browser to get a verification code, but the oauth2 server redirects to localhost after logging in. In this case localhost is not accessible so the auth flow cannot complete.

    $ git commit -m "foo"
    error opening browser: exit status 3
    Go to the following link in a browser:
    
             https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=P69wZPuonUkCS2-LAp26XO-Ndw3GzeyATyuixsMRz7c&code_challenge_method=S256&nonce=xxx&redirect_uri=http%3A%2F%2Flocalhost%3A45077%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=xxx
    Enter verification code:
    

    Version

    gitsign v0.2.0

    bug 
    opened by ianlewis 13
  • Using sigstore in CNCF projects


    Folks,

    There are a bunch of MPL libraries here: https://github.com/sigstore/sigstore/blob/main/go.mod#L58-L75

    CNCF only allows a handful of MPL'ed libraries from hashicorp: https://github.com/cncf/foundation/blob/main/license-exceptions/cncf-exceptions-2019-11-01.json#L23-L46

    the CNCF policy is written down here: https://github.com/cncf/foundation/tree/main/license-exceptions

    Question is ... what do we do next?

    question 
    opened by dims 13
  • Enforcement of a digest looking like a digest


    Description

    There's an interesting forgery for ECDSA where it's possible to forge a valid signature over a random value for a fixed public key. To defend against this, it's necessary to first hash a message before signing or verifying it. For ED25519, this is handled via a pre-hash, while for ECDSA, it's standard practice to first hash the message.

    However, for the hashedrekord type, it's a requirement that we verify against a digest without hashing again. This is why we support WithDigest. This makes WithDigest unsafe. We can help defend against this if there is a check beforehand that the digest looks like a digest, so a random value isn't accepted. For example, Rekor checks that the digest matches a SHA256 regex.

    This is not a foolproof approach, as it is still possible that a random value looks like a digest; it's just hard to find such a value for this forgery (I think this is true, but I'd need someone more well-versed in elliptic curve crypto to verify this).

    We should add a) warnings in comments about the dangers of verifying with a digest, and b) move the rekor checks into here to enforce that a digest looks like a digest.

    enhancement 
    opened by haydentherapper 12
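
The pre-verification check proposed in the issue above, as an added Go example that is not part of the issue or of sigstore's code: a value is rejected unless it has the shape of a hex SHA-256 digest, and only then is the ECDSA signature verified against it without re-hashing. The regex and the names `verifyWithDigest`, `parseSHA256Digest`, `ErrNotADigest` and `ErrBadSignature` are assumptions made for illustration; the sample messages are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// sha256HexRe matches exactly 64 hex characters (assumed pattern; the issue
// only says that Rekor matches the digest against a SHA256 regex).
var sha256HexRe = regexp.MustCompile(`^[0-9a-fA-F]{64}$`)

var (
	ErrNotADigest   = errors.New("value does not look like a SHA-256 digest")
	ErrBadSignature = errors.New("signature does not verify against digest")
)

// parseSHA256Digest (hypothetical helper) enforces the digest shape before
// any cryptographic operation sees the value.
func parseSHA256Digest(s string) ([]byte, error) {
	if !sha256HexRe.MatchString(s) {
		return nil, ErrNotADigest
	}
	return hex.DecodeString(s)
}

// verifyWithDigest (hypothetical helper) verifies an ASN.1 ECDSA signature
// over a caller-supplied digest. The digest is NOT hashed again, which is why
// the shape check has to run first.
func verifyWithDigest(pub *ecdsa.PublicKey, hexDigest string, sig []byte) error {
	digest, err := parseSHA256Digest(hexDigest)
	if err != nil {
		return err
	}
	if !ecdsa.VerifyASN1(pub, digest, sig) {
		return ErrBadSignature
	}
	return nil
}

// demoResult holds the outcome of each constructed case.
type demoResult struct {
	Valid    error // honest digest and signature
	Short    error // 20-byte value where a 32-byte digest is expected
	RawText  error // the message itself passed in place of its digest
	Tampered error // well-formed digest of a different message
}

func demo() (demoResult, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return demoResult{}, err
	}
	msg := []byte("constructed sample artifact")
	sum := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, sum[:])
	if err != nil {
		return demoResult{}, err
	}
	other := sha256.Sum256([]byte("constructed different artifact"))
	pub := &priv.PublicKey
	return demoResult{
		Valid:    verifyWithDigest(pub, hex.EncodeToString(sum[:]), sig),
		Short:    verifyWithDigest(pub, hex.EncodeToString(sum[:20]), sig),
		RawText:  verifyWithDigest(pub, string(msg), sig),
		Tampered: verifyWithDigest(pub, hex.EncodeToString(other[:]), sig),
	}, nil
}

func main() {
	r, err := demo()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	fmt.Println("valid:   ", r.Valid)
	fmt.Println("short:   ", r.Short)
	fmt.Println("raw text:", r.RawText)
	fmt.Println("tampered:", r.Tampered)
}
```

As the issue notes, the shape check is a filter and not a proof: the tampered case shows a well-formed value passing the check and being rejected only by the signature verification itself.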
  • Add `signature` library


    The goal is to make it as easy as possible to put the business logic in pkg, re-use pkg across projects within sigstore, and allow third parties to build on top of these libraries (e.g. to implement CI plugins)

    TODOs:

    • refactor existing libs in sigstore and cosign
    • implement TPM signer

    Signed-off-by: Jake Sanders [email protected]

    opened by dekkagaijin 12
  • Idp specific default flows


    Suggestion: Adding interactive flows for each specific identity provider, allowing users to skip the main IdP selection page. I think one less click can improve the UX a bit. Further UX improvement is gained when the browser uses a default IdP account, as the user may not need to interactively intervene at all. Such a pseudo-auto flow may also be valuable in automation use cases, for example a git hook signing SLSA provenance.

    Hope this helps. mikey strauss

    opened by houdini91 9
  • oauthflow/interactive: Fix oob flow


    Summary

    This change does 2 things:

    1. Always sets oob URL for the oob flow. Reverts 8c6a840f - w.r.t. pkg/oauth/oidc: this looks largely duplicative of pkg/oauthflow so we probably want to delete / merge these together in another PR - both cosign and gitsign are using oauthflow. 🤷
    2. Changes Fscanln to Fscanf - Fscanln wasn't reading values unless it received EOF, making it non-obvious that a value was successfully read (especially in gitsign where we use the TTY directly so values don't populate to stdout).

    Verified this works as expected for gitsign.

    Fixes #594

    Release Note

    🐛 Fixes OoB flow.

    Documentation

    opened by wlynch 8
  • ci: enable gofumpt with extra


    Signed-off-by: Furkan [email protected]

    Ran $ gofumpt -w -extra .

    -w	write result to (source) file instead of stdout
    -extra
        	enable extra rules which should be vetted by a human
    

    Summary

    Ticket Link

    Fixes

    Release Note

    
    
    opened by Dentrax 8
  • build(deps): bump github.com/aws/aws-sdk-go from 1.44.144 to 1.44.145


    Bumps github.com/aws/aws-sdk-go from 1.44.144 to 1.44.145.

    Release notes

    Sourced from github.com/aws/aws-sdk-go's releases.

    Release v1.44.145 (2022-11-23)

    Service Client Updates

    • service/grafana: Updates service API and documentation
    • service/rbin: Updates service API and documentation
    dependencies go 
    opened by dependabot[bot] 0
  • Move OtherName and SANS functions to s/s


    These were used by both Cosign and Fulcio, and will now be used by Rekor, so they should be in the shared library.

    Signed-off-by: Hayden Blauzvern [email protected]

    Summary

    Release Note

    Documentation

    opened by haydentherapper 0
  • Update README to describe purpose of s/s


    Context: https://github.com/sigstore/sigstore-go

    This text is consistent with the long-term purpose of s/s, as well as the current state. Eventually, the "Go clients" bit will develop a little more nuance :)

    Signed-off-by: Zack Newman [email protected]

    opened by znewman01 0
  • KMIP support (standardized KMS)


    Hi,

    I would like to enquire if SigStore has any plans to facilitate integrating technology partners to act as KMS service providers via the KMIP standard.

    I note Sigstore has integrations in a custom way with KMS providers for key storage using proprietary vendor-specific integrations which are tightly coupled to Sigstore, e.g. Azure Key Vault, Hashicorp Vault, AWS KMS, and GCP KMS. We would like to enquire and discover if Sigstore intends to support a more general integration for KMS providers by leveraging an open standard like KMIP to facilitate other providers instead of integrating new partners individually in a bespoke way.

    We feel it may be mutually beneficial as this opens up the possibility for more KMS services to connect with Sigstore service(s) using KMIP for services that store keys in a KMS service provider and are KMIP ready.

    Thanks,

    Dave

    Originally posted by @daveroche-digi in https://github.com/sigstore/sigstore/discussions/776

    opened by znewman01 1
  • reusable-release workflow does not use key_ring and key_name inputs


    reusable-release.yml defines a workflow with inputs key_ring and key_name. These inputs are not actually used in the workflow: the values are instead hardcoded to "release-cosign" and "cosign" respectively. I think this only works since all users happen to use the same key?

    bug 
    opened by jku 1
Releases(v1.4.6)
  • v1.4.6(Nov 24, 2022)

    What's Changed

    • manually upgrade deps by @dekkagaijin in https://github.com/sigstore/sigstore/pull/808
    • update import due to deprecation by @cpanato in https://github.com/sigstore/sigstore/pull/822
    • several dependencies updates

    Full Changelog: https://github.com/sigstore/sigstore/compare/v1.4.5...v1.4.6

  • v1.4.5(Oct 20, 2022)

    What's Changed

    • fulcioroots: Allow appended Fulcio roots to an existing CertPool. by @wlynch in https://github.com/sigstore/sigstore/pull/749

    Full Changelog: https://github.com/sigstore/sigstore/compare/v1.4.4...v1.4.5

  • v1.4.4(Oct 10, 2022)

    NOTE: Fixed TUF root initialization with GCS bucket. This affects anyone who uses their own TUF root hosted on GCS, and specifies the GCS bucket only by name and not by HTTP path.

    What's Changed

    • Fix remoteFromMirror with GCS bucket by @haydentherapper in https://github.com/sigstore/sigstore/pull/734

    Full Changelog: https://github.com/sigstore/sigstore/compare/v1.4.3...v1.4.4

  • v1.4.3(Oct 7, 2022)

    What's Changed

    • Add support for file based remote stores for airgap mode. by @vaikas in https://github.com/sigstore/sigstore/pull/715
    • Handle invalid elliptic curve gracefully when verifying signature by @haydentherapper in https://github.com/sigstore/sigstore/pull/728
    • tuf: fix on-disk cache when writing targets in subfolders by @asraa in https://github.com/sigstore/sigstore/pull/729

    Full Changelog: https://github.com/sigstore/sigstore/compare/v1.4.2...v1.4.3

  • v1.4.2(Sep 21, 2022)

    What's Changed

    • Package descriptions for all TODOs by @haydentherapper in https://github.com/sigstore/sigstore/pull/685
    • add package docs, fix deprecated linter by @bobcallaway in https://github.com/sigstore/sigstore/pull/673
    • oauthflow/interactive: Fix oob flow by @wlynch in https://github.com/sigstore/sigstore/pull/698
    • Handle certificates that end in newline by @haydentherapper in https://github.com/sigstore/sigstore/pull/699
    • deps: bump go-tuf to main to avoid excessive logging by @asraa in https://github.com/sigstore/sigstore/pull/701

    Full Changelog: https://github.com/sigstore/sigstore/compare/v1.4.1...v1.4.2

  • v1.4.1(Sep 13, 2022)

    What's Changed

    • Fix: support certificate pem type by @k4leung4 in https://github.com/sigstore/sigstore/pull/633
    • Revert "Fix: support certificate pem type (#633)" by @k4leung4 in https://github.com/sigstore/sigstore/pull/634
    • Add support for parsing PKCS#1 priv/pub keys, SEC1 priv keys by @haydentherapper in https://github.com/sigstore/sigstore/pull/638
    • Fix : Failing Fuzz tests for FuzzRSAPSSSignerVerfier by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/664
    • bump: update go-tuf to pull in compatibility fix by @asraa in https://github.com/sigstore/sigstore/pull/672
    • fix lints and remove ioutils deprecations by @cpanato in https://github.com/sigstore/sigstore/pull/681
    • test: Add a test in the TUF client pkg for the hex to ECDSA key format migration by @asraa in https://github.com/sigstore/sigstore/pull/676

    Full Changelog: https://github.com/sigstore/sigstore/compare/v1.4.0...v1.4.1

  • v1.4.0(Aug 16, 2022)

    What's Changed

    • Bump github/codeql-action from 2.1.16 to 2.1.17 by @dependabot in https://github.com/sigstore/sigstore/pull/582
    • Bump github.com/aws/aws-sdk-go from 1.44.63 to 1.44.64 by @dependabot in https://github.com/sigstore/sigstore/pull/583
    • Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 by @dependabot in https://github.com/sigstore/sigstore/pull/584
    • ci: enable gofumpt with extra by @Dentrax in https://github.com/sigstore/sigstore/pull/278
    • Bump github.com/aws/aws-sdk-go from 1.44.64 to 1.44.65 by @dependabot in https://github.com/sigstore/sigstore/pull/586
    • Bump google.golang.org/api from 0.89.0 to 0.90.0 by @dependabot in https://github.com/sigstore/sigstore/pull/585
    • add pkce values to device code flow by @bobcallaway in https://github.com/sigstore/sigstore/pull/516
    • Bump github.com/aws/aws-sdk-go-v2/service/kms from 1.18.0 to 1.18.1 by @dependabot in https://github.com/sigstore/sigstore/pull/591
    • Bump github.com/aws/aws-sdk-go from 1.44.65 to 1.44.67 by @dependabot in https://github.com/sigstore/sigstore/pull/588
    • Bump github.com/aws/aws-sdk-go-v2/config from 1.15.14 to 1.15.15 by @dependabot in https://github.com/sigstore/sigstore/pull/590
    • Bump github.com/aws/aws-sdk-go from 1.44.67 to 1.44.68 by @dependabot in https://github.com/sigstore/sigstore/pull/593
    • Bump github/codeql-action from 2.1.17 to 2.1.18 by @dependabot in https://github.com/sigstore/sigstore/pull/595
    • Bump google.golang.org/api from 0.90.0 to 0.91.0 by @dependabot in https://github.com/sigstore/sigstore/pull/596
    • Bump github.com/go-rod/rod from 0.108.1 to 0.108.2 by @dependabot in https://github.com/sigstore/sigstore/pull/597
    • Bump github.com/aws/aws-sdk-go from 1.44.68 to 1.44.70 by @dependabot in https://github.com/sigstore/sigstore/pull/598
    • Bump actions/cache from 3.0.5 to 3.0.6 by @dependabot in https://github.com/sigstore/sigstore/pull/599
    • Fix issue #600. When using StaticTokenGetter do not make network calls. by @vaikas in https://github.com/sigstore/sigstore/pull/601
    • Bump github.com/aws/aws-sdk-go from 1.44.70 to 1.44.71 by @dependabot in https://github.com/sigstore/sigstore/pull/603
    • Bump github.com/aws/aws-sdk-go-v2 from 1.16.8 to 1.16.9 by @dependabot in https://github.com/sigstore/sigstore/pull/604
    • Use well-known OIDC config for device endpoints by @bobcallaway in https://github.com/sigstore/sigstore/pull/602
    • Migrate to go 1.18 for Fuzzing by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/592
    • Bump github.com/aws/aws-sdk-go-v2/service/kms from 1.18.1 to 1.18.2 by @dependabot in https://github.com/sigstore/sigstore/pull/606
    • Bump github.com/aws/aws-sdk-go from 1.44.71 to 1.44.72 by @dependabot in https://github.com/sigstore/sigstore/pull/605
    • Bump github.com/aws/aws-sdk-go-v2/config from 1.15.15 to 1.15.17 by @dependabot in https://github.com/sigstore/sigstore/pull/608
    • Bump github.com/aws/aws-sdk-go from 1.44.72 to 1.44.73 by @dependabot in https://github.com/sigstore/sigstore/pull/610
    • Bump github.com/aws/aws-sdk-go-v2/service/kms from 1.18.2 to 1.18.4 by @dependabot in https://github.com/sigstore/sigstore/pull/616
    • Bump github.com/go-rod/rod from 0.108.2 to 0.109.0 by @dependabot in https://github.com/sigstore/sigstore/pull/618
    • Bump google.golang.org/api from 0.91.0 to 0.92.0 by @dependabot in https://github.com/sigstore/sigstore/pull/613
    • Bump github.com/aws/aws-sdk-go-v2/config from 1.15.17 to 1.16.1 by @dependabot in https://github.com/sigstore/sigstore/pull/620
    • Bump actions/cache from 3.0.6 to 3.0.7 by @dependabot in https://github.com/sigstore/sigstore/pull/611
    • Bump github.com/aws/aws-sdk-go from 1.44.73 to 1.44.76 by @dependabot in https://github.com/sigstore/sigstore/pull/621
    • Bump github.com/aws/aws-sdk-go-v2/config from 1.16.1 to 1.17.0 by @dependabot in https://github.com/sigstore/sigstore/pull/625
    • Bump github.com/go-rod/rod from 0.109.0 to 0.109.1 by @dependabot in https://github.com/sigstore/sigstore/pull/626
    • Add a more friendly error in pubkey failure by @rikatz in https://github.com/sigstore/sigstore/pull/623
    • remove old swagger commands from Makefile and fix typo by @bobcallaway in https://github.com/sigstore/sigstore/pull/624

    New Contributors

    • @vaikas made their first contribution in https://github.com/sigstore/sigstore/pull/601
    • @rikatz made their first contribution in https://github.com/sigstore/sigstore/pull/623

    Full Changelog: https://github.com/sigstore/sigstore/compare/v1.3.1...v1.4.0

  • v1.3.1(Jul 28, 2022)

    What's Changed

    • oauthflow: Fix recursive call for GetOutput. by @wlynch in https://github.com/sigstore/sigstore/pull/527
    • Bump github.com/aws/aws-sdk-go from 1.44.41 to 1.44.42 by @dependabot in https://github.com/sigstore/sigstore/pull/531
    • Bump github.com/stretchr/testify from 1.7.4 to 1.7.5 by @dependabot in https://github.com/sigstore/sigstore/pull/530
    • Bump github.com/go-rod/rod from 0.107.2 to 0.107.3 by @dependabot in https://github.com/sigstore/sigstore/pull/532
    • Bump github.com/aws/aws-sdk-go from 1.44.42 to 1.44.43 by @dependabot in https://github.com/sigstore/sigstore/pull/533
    • Bump github.com/aws/aws-sdk-go from 1.44.43 to 1.44.44 by @dependabot in https://github.com/sigstore/sigstore/pull/534
    • Bump google.golang.org/api from 0.85.0 to 0.86.0 by @dependabot in https://github.com/sigstore/sigstore/pull/535
    • Keep calm and don't panic: enable and apply forcetypeassert lint rules by @Dentrax in https://github.com/sigstore/sigstore/pull/522
    • Bump github.com/aws/aws-sdk-go from 1.44.44 to 1.44.45 by @dependabot in https://github.com/sigstore/sigstore/pull/538
    • Bump github.com/stretchr/testify from 1.7.5 to 1.8.0 by @dependabot in https://github.com/sigstore/sigstore/pull/539
    • Bump github/codeql-action from 2.1.14 to 2.1.15 by @dependabot in https://github.com/sigstore/sigstore/pull/537
    • Bump github.com/aws/aws-sdk-go-v2 from 1.16.5 to 1.16.6 by @dependabot in https://github.com/sigstore/sigstore/pull/542
    • Bump github.com/aws/aws-sdk-go-v2/config from 1.15.11 to 1.15.12 by @dependabot in https://github.com/sigstore/sigstore/pull/540
    • Bump github.com/aws/aws-sdk-go-v2/service/kms from 1.17.3 to 1.17.4 by @dependabot in https://github.com/sigstore/sigstore/pull/541
    • Remove err from type cast failures by @mtrmac in https://github.com/sigstore/sigstore/pull/536
    • Bump github.com/aws/aws-sdk-go from 1.44.45 to 1.44.46 by @dependabot in https://github.com/sigstore/sigstore/pull/543
    • Bump github.com/aws/aws-sdk-go from 1.44.46 to 1.44.47 by @dependabot in https://github.com/sigstore/sigstore/pull/545
    • Bump github.com/aws/aws-sdk-go from 1.44.47 to 1.44.48 by @dependabot in https://github.com/sigstore/sigstore/pull/547
    • Bump github.com/theupdateframework/go-tuf from 0.3.0 to 0.3.1 by @dependabot in https://github.com/sigstore/sigstore/pull/546
    • Bump github.com/aws/aws-sdk-go-v2/config from 1.15.12 to 1.15.13 by @dependabot in https://github.com/sigstore/sigstore/pull/550
    • Bump github.com/aws/aws-sdk-go-v2/service/kms from 1.17.4 to 1.17.5 by @dependabot in https://github.com/sigstore/sigstore/pull/549
    • Bump github.com/aws/aws-sdk-go from 1.44.48 to 1.44.49 by @dependabot in https://github.com/sigstore/sigstore/pull/551
    • Bump github.com/aws/aws-sdk-go from 1.44.49 to 1.44.51 by @dependabot in https://github.com/sigstore/sigstore/pull/553
    • Bump github.com/go-rod/rod from 0.107.3 to 0.108.1 by @dependabot in https://github.com/sigstore/sigstore/pull/552
    • Bump github.com/aws/aws-sdk-go from 1.44.51 to 1.44.52 by @dependabot in https://github.com/sigstore/sigstore/pull/556
    • Bump actions/setup-go from 3.2.0 to 3.2.1 by @dependabot in https://github.com/sigstore/sigstore/pull/555
    • Bump github.com/aws/aws-sdk-go-v2/config from 1.15.13 to 1.15.14 by @dependabot in https://github.com/sigstore/sigstore/pull/557
    • Bump google.golang.org/api from 0.86.0 to 0.87.0 by @dependabot in https://github.com/sigstore/sigstore/pull/558
    • Bump github.com/aws/aws-sdk-go from 1.44.52 to 1.44.53 by @dependabot in https://github.com/sigstore/sigstore/pull/559
    • tuf: remove test that targets list is complete by @asraa in https://github.com/sigstore/sigstore/pull/554
    • Bump actions/cache from 3.0.4 to 3.0.5 by @dependabot in https://github.com/sigstore/sigstore/pull/560
    • Bump github/codeql-action from 2.1.15 to 2.1.16 by @dependabot in https://github.com/sigstore/sigstore/pull/561
    • Bump github.com/aws/aws-sdk-go from 1.44.53 to 1.44.54 by @dependabot in https://github.com/sigstore/sigstore/pull/564
    • Bump actions/dependency-review-action from 2.0.2 to 2.0.4 by @dependabot in https://github.com/sigstore/sigstore/pull/563
    • Bump github.com/aws/aws-sdk-go from 1.44.54 to 1.44.55 by @dependabot in https://github.com/sigstore/sigstore/pull/565
    • Bump github.com/aws/aws-sdk-go from 1.44.55 to 1.44.56 by @dependabot in https://github.com/sigstore/sigstore/pull/566
    • fix gosec lint G112 errors by @dekkagaijin in https://github.com/sigstore/sigstore/pull/571
    • Bump github.com/aws/aws-sdk-go-v2/service/kms from 1.17.5 to 1.18.0 by @dependabot in https://github.com/sigstore/sigstore/pull/568
    • Bump github.com/aws/aws-sdk-go from 1.44.56 to 1.44.59 by @dependabot in https://github.com/sigstore/sigstore/pull/569
    • Bump github.com/google/go-containerregistry from 0.10.0 to 0.11.0 by @dependabot in https://github.com/sigstore/sigstore/pull/572
    • Bump google.golang.org/api from 0.87.0 to 0.88.0 by @dependabot in https://github.com/sigstore/sigstore/pull/570
    • update deps by @dekkagaijin in https://github.com/sigstore/sigstore/pull/573
    • Bump github.com/aws/aws-sdk-go from 1.44.60 to 1.44.61 by @dependabot in https://github.com/sigstore/sigstore/pull/575
    • Bump github.com/aws/aws-sdk-go from 1.44.61 to 1.44.62 by @dependabot in https://github.com/sigstore/sigstore/pull/577
    • Bump github.com/Azure/go-autorest/autorest from 0.11.27 to 0.11.28 by @dependabot in https://github.com/sigstore/sigstore/pull/578
    • Bump google.golang.org/api from 0.88.0 to 0.89.0 by @dependabot in https://github.com/sigstore/sigstore/pull/579
    • Bump github.com/aws/aws-sdk-go from 1.44.62 to 1.44.63 by @dependabot in https://github.com/sigstore/sigstore/pull/580
    • update dependencies that was not bumped by the bot by @cpanato in https://github.com/sigstore/sigstore/pull/576
    • Add oncall members to list of people who can kick off releases by @priyawadhwa in https://github.com/sigstore/sigstore/pull/581

    New Contributors

    • @mtrmac made their first contribution in https://github.com/sigstore/sigstore/pull/536
    • @asraa made their first contribution in https://github.com/sigstore/sigstore/pull/554

    Full Changelog: https://github.com/sigstore/sigstore/compare/v1.3.0...v1.3.1

  • v1.3.0(Jun 24, 2022)

    What's Changed

    • Bump github.com/aws/aws-sdk-go from 1.43.24 to 1.43.26 by @dependabot in https://github.com/sigstore/sigstore/pull/349
    • Bump github.com/hashicorp/vault/api from 1.4.1 to 1.5.0 by @dependabot in https://github.com/sigstore/sigstore/pull/348
    • Add method to validate public key by @haydentherapper in https://github.com/sigstore/sigstore/pull/344
    • Makefile: Install golangci lint by @hectorj2f in https://github.com/sigstore/sigstore/pull/350
    • Bump github.com/go-rod/rod from 0.104.1 to 0.104.2 by @dependabot in https://github.com/sigstore/sigstore/pull/352
    • Bump github.com/aws/aws-sdk-go from 1.43.26 to 1.43.27 by @dependabot in https://github.com/sigstore/sigstore/pull/351
    • Bump github.com/Azure/azure-sdk-for-go from 62.3.0+incompatible to 63.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/354
    • Bump github.com/aws/aws-sdk-go from 1.43.27 to 1.43.28 by @dependabot in https://github.com/sigstore/sigstore/pull/355
    • Bump github.com/go-rod/rod from 0.104.2 to 0.104.4 by @dependabot in https://github.com/sigstore/sigstore/pull/358
    • Bump github/codeql-action from 1.1.5 to 2.1.6 by @dependabot in https://github.com/sigstore/sigstore/pull/356
    • Bump actions/cache from 3.0.0 to 3.0.1 by @dependabot in https://github.com/sigstore/sigstore/pull/357
    • oidc: set the redirect url if needed by @hectorj2f in https://github.com/sigstore/sigstore/pull/353
    • Fix regex for matching GCP KMS key by @haydentherapper in https://github.com/sigstore/sigstore/pull/359
    • Bump github.com/aws/aws-sdk-go from 1.43.28 to 1.43.29 by @dependabot in https://github.com/sigstore/sigstore/pull/360
    • Bump github.com/aws/aws-sdk-go from 1.43.29 to 1.43.30 by @dependabot in https://github.com/sigstore/sigstore/pull/363
    • Bump github.com/Azure/go-autorest/autorest from 0.11.24 to 0.11.25 by @dependabot in https://github.com/sigstore/sigstore/pull/362
    • update boulder dependency to remove some syslog dependencies that affect windows build by @cpanato in https://github.com/sigstore/sigstore/pull/364
    • Add fake signer that implements KMS interface by @haydentherapper in https://github.com/sigstore/sigstore/pull/361
    • fix if check in the release job by @cpanato in https://github.com/sigstore/sigstore/pull/365
    • fix missing curly brackets by @cpanato in https://github.com/sigstore/sigstore/pull/366
    • Bump github.com/aws/aws-sdk-go from 1.43.30 to 1.43.31 by @dependabot in https://github.com/sigstore/sigstore/pull/367
    • chore: set redirect URL in doOobFlow by @hectorj2f in https://github.com/sigstore/sigstore/pull/368
    • Bump github.com/aws/aws-sdk-go from 1.43.31 to 1.43.33 by @dependabot in https://github.com/sigstore/sigstore/pull/373
    • Bump github/codeql-action from 2.1.6 to 2.1.7 by @dependabot in https://github.com/sigstore/sigstore/pull/372
    • Bump google-github-actions/auth from 0.6.0 to 0.7.0 by @dependabot in https://github.com/sigstore/sigstore/pull/371
    • Bump github.com/Azure/azure-sdk-for-go from 63.0.0+incompatible to 63.1.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/369
    • Bump github.com/aws/aws-sdk-go from 1.43.33 to 1.43.34 by @dependabot in https://github.com/sigstore/sigstore/pull/375
    • Bump github.com/aws/aws-sdk-go from 1.43.34 to 1.43.36 by @dependabot in https://github.com/sigstore/sigstore/pull/379
    • Bump github/codeql-action from 2.1.7 to 2.1.8 by @dependabot in https://github.com/sigstore/sigstore/pull/378
    • Bump github.com/go-rod/rod from 0.104.4 to 0.105.0 by @dependabot in https://github.com/sigstore/sigstore/pull/377
    • Update to go 1.17 / 1.18 by @lukehinds in https://github.com/sigstore/sigstore/pull/374
    • Bump github.com/aws/aws-sdk-go from 1.43.36 to 1.43.37 by @dependabot in https://github.com/sigstore/sigstore/pull/382
    • Bump github.com/go-rod/rod from 0.105.0 to 0.105.1 by @dependabot in https://github.com/sigstore/sigstore/pull/383
    • Bump github.com/Azure/azure-sdk-for-go from 63.1.0+incompatible to 63.2.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/385
    • Bump actions/cache from 3.0.1 to 3.0.2 by @dependabot in https://github.com/sigstore/sigstore/pull/381
    • run tests with go1.17 and go1.18 by @cpanato in https://github.com/sigstore/sigstore/pull/380
    • Bump github.com/aws/aws-sdk-go from 1.43.37 to 1.43.39 by @dependabot in https://github.com/sigstore/sigstore/pull/387
    • Bump github.com/aws/aws-sdk-go from 1.43.39 to 1.43.40 by @dependabot in https://github.com/sigstore/sigstore/pull/389
    • Bump actions/checkout from 3.0.0 to 3.0.1 by @dependabot in https://github.com/sigstore/sigstore/pull/388
    • Bump github.com/go-rod/rod from 0.105.1 to 0.106.0 by @dependabot in https://github.com/sigstore/sigstore/pull/390
    • Bump github.com/aws/aws-sdk-go from 1.43.40 to 1.43.41 by @dependabot in https://github.com/sigstore/sigstore/pull/391
    • Bump github.com/Azure/azure-sdk-for-go from 63.2.0+incompatible to 63.3.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/393
    • Bump github.com/Azure/go-autorest/autorest from 0.11.25 to 0.11.26 by @dependabot in https://github.com/sigstore/sigstore/pull/392
    • Bump github.com/go-rod/rod from 0.106.0 to 0.106.1 by @dependabot in https://github.com/sigstore/sigstore/pull/395
    • Add a helper method to parse a PEM-encoded CSR by @haydentherapper in https://github.com/sigstore/sigstore/pull/394
    • Bump github.com/aws/aws-sdk-go from 1.43.41 to 1.43.43 by @dependabot in https://github.com/sigstore/sigstore/pull/398
    • Add method for generating certificate serial number by @haydentherapper in https://github.com/sigstore/sigstore/pull/399
    • Bump github.com/aws/aws-sdk-go from 1.43.43 to 1.43.44 by @dependabot in https://github.com/sigstore/sigstore/pull/402
    • Bump actions/checkout from 3.0.1 to 3.0.2 by @dependabot in https://github.com/sigstore/sigstore/pull/401
    • make target integration by @sallyom in https://github.com/sigstore/sigstore/pull/400
    • Bump github.com/Azure/go-autorest/autorest from 0.11.26 to 0.11.27 by @dependabot in https://github.com/sigstore/sigstore/pull/404
    • Bump github.com/aws/aws-sdk-go from 1.43.44 to 1.43.45 by @dependabot in https://github.com/sigstore/sigstore/pull/405
    • Add error type for kms.Get when provider not found by @znewman01 in https://github.com/sigstore/sigstore/pull/407
    • Bump github.com/Azure/azure-sdk-for-go from 63.3.0+incompatible to 63.4.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/409
    • Bump github.com/aws/aws-sdk-go from 1.43.45 to 1.44.0 by @dependabot in https://github.com/sigstore/sigstore/pull/410
    • Bump google-github-actions/auth from 0.7.0 to 0.7.1 by @dependabot in https://github.com/sigstore/sigstore/pull/408
    • Bump github.com/aws/aws-sdk-go from 1.44.0 to 1.44.1 by @dependabot in https://github.com/sigstore/sigstore/pull/412
    • Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 by @dependabot in https://github.com/sigstore/sigstore/pull/411
    • Bump github.com/aws/aws-sdk-go from 1.44.1 to 1.44.2 by @dependabot in https://github.com/sigstore/sigstore/pull/413
    • Bump github.com/go-rod/rod from 0.106.1 to 0.106.2 by @dependabot in https://github.com/sigstore/sigstore/pull/414
    • Bump github/codeql-action from 2.1.8 to 2.1.9 by @dependabot in https://github.com/sigstore/sigstore/pull/415
    • Bump github.com/go-rod/rod from 0.106.2 to 0.106.4 by @dependabot in https://github.com/sigstore/sigstore/pull/417
    • Bump github.com/aws/aws-sdk-go from 1.44.2 to 1.44.3 by @dependabot in https://github.com/sigstore/sigstore/pull/416
    • Bump github.com/aws/aws-sdk-go from 1.44.2 to 1.44.4 by @dependabot in https://github.com/sigstore/sigstore/pull/418
    • chore(deps): Included dependency review by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/406
    • Call ValidReference in all KMS cases by @imjasonh in https://github.com/sigstore/sigstore/pull/419
    • Bump github.com/aws/aws-sdk-go from 1.44.4 to 1.44.5 by @dependabot in https://github.com/sigstore/sigstore/pull/420
    • Bump github.com/go-rod/rod from 0.106.4 to 0.106.5 by @dependabot in https://github.com/sigstore/sigstore/pull/421
    • Bump github.com/aws/aws-sdk-go from 1.44.5 to 1.44.7 by @dependabot in https://github.com/sigstore/sigstore/pull/422
    • Bump github.com/aws/aws-sdk-go from 1.44.7 to 1.44.8 by @dependabot in https://github.com/sigstore/sigstore/pull/423
    • Bump github.com/aws/aws-sdk-go from 1.44.8 to 1.44.9 by @dependabot in https://github.com/sigstore/sigstore/pull/424
    • Remove copy of OAuth success HTML by @imjasonh in https://github.com/sigstore/sigstore/pull/425
    • Bump github.com/go-rod/rod from 0.106.5 to 0.106.6 by @dependabot in https://github.com/sigstore/sigstore/pull/427
    • Bump github.com/aws/aws-sdk-go from 1.44.9 to 1.44.10 by @dependabot in https://github.com/sigstore/sigstore/pull/428
    • Bump github.com/Azure/azure-sdk-for-go from 63.4.0+incompatible to 64.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/429
    • Bump github.com/aws/aws-sdk-go from 1.44.10 to 1.44.11 by @dependabot in https://github.com/sigstore/sigstore/pull/432
    • Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 by @dependabot in https://github.com/sigstore/sigstore/pull/433
    • Bump github.com/aws/aws-sdk-go from 1.44.11 to 1.44.12 by @dependabot in https://github.com/sigstore/sigstore/pull/434
    • Bump github/codeql-action from 2.1.9 to 2.1.10 by @dependabot in https://github.com/sigstore/sigstore/pull/431
    • Bump github.com/coreos/go-oidc/v3 from 3.1.0 to 3.2.0 by @dependabot in https://github.com/sigstore/sigstore/pull/437
    • Add method to unmarshal certificates with a limit by @haydentherapper in https://github.com/sigstore/sigstore/pull/430
    • Add unsafe verifier to verify signatures with SHA1 digests by @haydentherapper in https://github.com/sigstore/sigstore/pull/441
    • Bump github.com/aws/aws-sdk-go from 1.44.12 to 1.44.13 by @dependabot in https://github.com/sigstore/sigstore/pull/440
    • Bump github/codeql-action from 75b4f1c4669133dc294b06c2794e969efa2e5316 to 2.1.10 by @dependabot in https://github.com/sigstore/sigstore/pull/439
    • Bump actions/setup-go from 3.0.0 to 3.1.0 by @dependabot in https://github.com/sigstore/sigstore/pull/438
    • Bump github.com/aws/aws-sdk-go from 1.44.13 to 1.44.14 by @dependabot in https://github.com/sigstore/sigstore/pull/443
    • Bump actions/dependency-review-action from 3f943b86c9a289f4e632c632695e2e0898d9d67d to 1 by @dependabot in https://github.com/sigstore/sigstore/pull/442
    • Remove dependency on deprecated github.com/pkg/errors by @imjasonh in https://github.com/sigstore/sigstore/pull/444
    • Bump google-github-actions/auth from 0.7.1 to 0.7.2 by @dependabot in https://github.com/sigstore/sigstore/pull/446
    • Bump github.com/aws/aws-sdk-go from 1.44.14 to 1.44.15 by @dependabot in https://github.com/sigstore/sigstore/pull/447
    • Bump github.com/Azure/azure-sdk-for-go from 64.0.0+incompatible to 64.1.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/445
    • Bump github/codeql-action from 2.1.10 to 2.1.11 by @dependabot in https://github.com/sigstore/sigstore/pull/448
    • Bump github.com/aws/aws-sdk-go from 1.44.15 to 1.44.16 by @dependabot in https://github.com/sigstore/sigstore/pull/449
    • Bump github.com/go-rod/rod from 0.106.6 to 0.106.7 by @dependabot in https://github.com/sigstore/sigstore/pull/450
    • Bump github.com/google/go-containerregistry from 0.8.0 to 0.9.0 by @dependabot in https://github.com/sigstore/sigstore/pull/451
    • Bump github.com/aws/aws-sdk-go from 1.44.16 to 1.44.17 by @dependabot in https://github.com/sigstore/sigstore/pull/453
    • Bump google-github-actions/auth from 0.7.2 to 0.7.3 by @dependabot in https://github.com/sigstore/sigstore/pull/452
    • Bump github.com/go-rod/rod from 0.106.7 to 0.106.8 by @dependabot in https://github.com/sigstore/sigstore/pull/454
    • Bump actions/upload-artifact from 3.0.0 to 3.1.0 by @dependabot in https://github.com/sigstore/sigstore/pull/456
    • Bump github.com/aws/aws-sdk-go from 1.44.17 to 1.44.18 by @dependabot in https://github.com/sigstore/sigstore/pull/455
    • Bump github.com/aws/aws-sdk-go from 1.44.18 to 1.44.19 by @dependabot in https://github.com/sigstore/sigstore/pull/457
    • Bump github.com/aws/aws-sdk-go from 1.44.19 to 1.44.20 by @dependabot in https://github.com/sigstore/sigstore/pull/461
    • Bump github.com/Azure/azure-sdk-for-go from 64.1.0+incompatible to 65.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/460
    • Bump actions/dependency-review-action from 1.0.1 to 1.0.2 by @dependabot in https://github.com/sigstore/sigstore/pull/459
    • Bump google-github-actions/auth from 0.7.3 to 0.8.0 by @dependabot in https://github.com/sigstore/sigstore/pull/458
    • Bump github.com/aws/aws-sdk-go from 1.44.20 to 1.44.21 by @dependabot in https://github.com/sigstore/sigstore/pull/464
    • Bump github.com/hashicorp/vault/api from 1.5.0 to 1.6.0 by @dependabot in https://github.com/sigstore/sigstore/pull/463
    • Bump github.com/aws/aws-sdk-go from 1.44.21 to 1.44.22 by @dependabot in https://github.com/sigstore/sigstore/pull/465
    • Update go-tuf to pick up security fixes by @haydentherapper in https://github.com/sigstore/sigstore/pull/462
    • Export providerInit type by @imjasonh in https://github.com/sigstore/sigstore/pull/466
    • Bump actions/setup-go from 3.1.0 to 3.2.0 by @dependabot in https://github.com/sigstore/sigstore/pull/469
    • Bump github.com/aws/aws-sdk-go from 1.44.22 to 1.44.23 by @dependabot in https://github.com/sigstore/sigstore/pull/470
    • Bump github.com/go-rod/rod from 0.106.8 to 0.107.0 by @dependabot in https://github.com/sigstore/sigstore/pull/471
    • update error message for pkg/signature/ecdsa.go when checking the VerifyASN1 by @cpanato in https://github.com/sigstore/sigstore/pull/473
    • Bump github.com/aws/aws-sdk-go from 1.44.23 to 1.44.24 by @dependabot in https://github.com/sigstore/sigstore/pull/474
    • Allow passing options to GCP's LoadSignVerifier. by @mattmoor in https://github.com/sigstore/sigstore/pull/468
    • Migrate AWS KMS to use the v2 SDK. by @mattmoor in https://github.com/sigstore/sigstore/pull/475
    • Bump google.golang.org/api from 0.75.0 to 0.81.0 by @dependabot in https://github.com/sigstore/sigstore/pull/476
    • fix uppercase err msgs to quiet golangci-lint by @bobcallaway in https://github.com/sigstore/sigstore/pull/477
    • Bump actions/cache from 3.0.2 to 3.0.3 by @dependabot in https://github.com/sigstore/sigstore/pull/478
    • Bump github.com/secure-systems-lab/go-securesystemslib from 0.3.1 to 0.4.0 by @dependabot in https://github.com/sigstore/sigstore/pull/482
    • Bump github.com/aws/aws-sdk-go from 1.44.24 to 1.44.26 by @dependabot in https://github.com/sigstore/sigstore/pull/481
    • Bump github/codeql-action from 2.1.11 to 2.1.12 by @dependabot in https://github.com/sigstore/sigstore/pull/480
    • Bump google.golang.org/api from 0.81.0 to 0.82.0 by @dependabot in https://github.com/sigstore/sigstore/pull/483
    • Autoclose OAuth success page after 5 seconds. by @wlynch in https://github.com/sigstore/sigstore/pull/484
    • Bump github.com/aws/aws-sdk-go from 1.44.26 to 1.44.27 by @dependabot in https://github.com/sigstore/sigstore/pull/485
    • Add a warning when using WithDigest with ECDSA by @haydentherapper in https://github.com/sigstore/sigstore/pull/487
    • Bump github.com/stretchr/testify from 1.7.1 to 1.7.2 by @dependabot in https://github.com/sigstore/sigstore/pull/489
    • Bump github.com/go-rod/rod from 0.107.0 to 0.107.1 by @dependabot in https://github.com/sigstore/sigstore/pull/488
    • Bump google.golang.org/api from 0.82.0 to 0.83.0 by @dependabot in https://github.com/sigstore/sigstore/pull/495
    • Bump github.com/aws/aws-sdk-go-v2 from 1.16.4 to 1.16.5 by @dependabot in https://github.com/sigstore/sigstore/pull/491
    • Bump github.com/aws/aws-sdk-go-v2/config from 1.15.9 to 1.15.10 by @dependabot in https://github.com/sigstore/sigstore/pull/494
    • Bump github.com/aws/aws-sdk-go-v2/service/kms from 1.17.2 to 1.17.3 by @dependabot in https://github.com/sigstore/sigstore/pull/493
    • Bump actions/cache from 3.0.3 to 3.0.4 by @dependabot in https://github.com/sigstore/sigstore/pull/490
    • Bump github.com/aws/aws-sdk-go from 1.44.27 to 1.44.29 by @dependabot in https://github.com/sigstore/sigstore/pull/492
    • Bump github.com/hashicorp/vault/api from 1.6.0 to 1.7.1 by @dependabot in https://github.com/sigstore/sigstore/pull/496
    • Bump github.com/aws/aws-sdk-go from 1.44.29 to 1.44.30 by @dependabot in https://github.com/sigstore/sigstore/pull/497
    • Bump github.com/aws/aws-sdk-go from 1.44.30 to 1.44.31 by @dependabot in https://github.com/sigstore/sigstore/pull/498
    • Bump github.com/hashicorp/vault/api from 1.7.1 to 1.7.2 by @dependabot in https://github.com/sigstore/sigstore/pull/499
    • Move fulcioroots and tuf packages from cosign by @imjasonh in https://github.com/sigstore/sigstore/pull/435
    • Bump github.com/aws/aws-sdk-go from 1.44.31 to 1.44.32 by @dependabot in https://github.com/sigstore/sigstore/pull/501
    • Bump github.com/aws/aws-sdk-go from 1.44.32 to 1.44.33 by @dependabot in https://github.com/sigstore/sigstore/pull/504
    • Lock TUF client during target loading operations by @puerco in https://github.com/sigstore/sigstore/pull/503
    • Bump google.golang.org/api from 0.83.0 to 0.84.0 by @dependabot in https://github.com/sigstore/sigstore/pull/507
    • Bump github.com/aws/aws-sdk-go from 1.44.33 to 1.44.34 by @dependabot in https://github.com/sigstore/sigstore/pull/506
    • Bump github.com/aws/aws-sdk-go from 1.44.33 to 1.44.35 by @dependabot in https://github.com/sigstore/sigstore/pull/508
    • Bump actions/dependency-review-action from 1.0.2 to 2.0.1 by @dependabot in https://github.com/sigstore/sigstore/pull/505
    • Bump actions/dependency-review-action from 2.0.1 to 2.0.2 by @dependabot in https://github.com/sigstore/sigstore/pull/509
    • Bump github.com/aws/aws-sdk-go from 1.44.35 to 1.44.36 by @dependabot in https://github.com/sigstore/sigstore/pull/510
    • Bump github.com/aws/aws-sdk-go-v2/config from 1.15.10 to 1.15.11 by @dependabot in https://github.com/sigstore/sigstore/pull/511
    • Bump github.com/go-rod/rod from 0.107.1 to 0.107.2 by @dependabot in https://github.com/sigstore/sigstore/pull/512
    • Bump github.com/aws/aws-sdk-go from 1.44.36 to 1.44.37 by @dependabot in https://github.com/sigstore/sigstore/pull/513
    • Bump github.com/aws/aws-sdk-go from 1.44.37 to 1.44.38 by @dependabot in https://github.com/sigstore/sigstore/pull/517
    • Bump github.com/stretchr/testify from 1.7.2 to 1.7.3 by @dependabot in https://github.com/sigstore/sigstore/pull/518
    • Bump github.com/stretchr/testify from 1.7.3 to 1.7.4 by @dependabot in https://github.com/sigstore/sigstore/pull/520
    • Bump github.com/aws/aws-sdk-go from 1.44.38 to 1.44.39 by @dependabot in https://github.com/sigstore/sigstore/pull/521
    • Bump github/codeql-action from 2.1.12 to 2.1.13 by @dependabot in https://github.com/sigstore/sigstore/pull/519
    • Revert "Autoclose OAuth success page after 5 seconds. (#484)" by @wlynch in https://github.com/sigstore/sigstore/pull/502
    • oauthflow/interactive: Make input/output configurable. by @wlynch in https://github.com/sigstore/sigstore/pull/514
    • Bump google.golang.org/api from 0.84.0 to 0.85.0 by @dependabot in https://github.com/sigstore/sigstore/pull/523
    • Bump github.com/aws/aws-sdk-go from 1.44.39 to 1.44.40 by @dependabot in https://github.com/sigstore/sigstore/pull/524
    • Bump github.com/Azure/azure-sdk-for-go from 65.0.0+incompatible to 66.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/526
    • add check if transit return nil data by @Dentrax in https://github.com/sigstore/sigstore/pull/515
    • Bump github.com/google/go-containerregistry from 0.9.0 to 0.10.0 by @dependabot in https://github.com/sigstore/sigstore/pull/525
    • Bump github.com/aws/aws-sdk-go from 1.44.40 to 1.44.41 by @dependabot in https://github.com/sigstore/sigstore/pull/529
    • Bump github/codeql-action from 2.1.13 to 2.1.14 by @dependabot in https://github.com/sigstore/sigstore/pull/528

    New Contributors

    • @hectorj2f made their first contribution in https://github.com/sigstore/sigstore/pull/350
    • @sallyom made their first contribution in https://github.com/sigstore/sigstore/pull/400
    • @znewman01 made their first contribution in https://github.com/sigstore/sigstore/pull/407
    • @mattmoor made their first contribution in https://github.com/sigstore/sigstore/pull/468
    • @wlynch made their first contribution in https://github.com/sigstore/sigstore/pull/484
    • @puerco made their first contribution in https://github.com/sigstore/sigstore/pull/503

    Full Changelog: https://github.com/sigstore/sigstore/compare/v1.2.0...v1.3.0

  • v1.2.0 (Mar 25, 2022)

    What's Changed

    • Moved dsse to fuzz dir by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/214
    • Bump github.com/Azure/azure-sdk-for-go from 60.3.0+incompatible to 61.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/215
    • Fuzz - Fixed the panic that was caused by incorrect data by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/213
    • Bump github.com/aws/aws-sdk-go from 1.42.25 to 1.42.26 by @dependabot in https://github.com/sigstore/sigstore/pull/216
    • Bump github.com/aws/aws-sdk-go from 1.42.26 to 1.42.27 by @dependabot in https://github.com/sigstore/sigstore/pull/217
    • Bump github.com/aws/aws-sdk-go from 1.42.27 to 1.42.28 by @dependabot in https://github.com/sigstore/sigstore/pull/219
    • Bump github.com/Azure/azure-sdk-for-go from 61.0.0+incompatible to 61.1.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/218
    • Bump github.com/aws/aws-sdk-go from 1.42.28 to 1.42.29 by @dependabot in https://github.com/sigstore/sigstore/pull/220
    • Bump github.com/aws/aws-sdk-go from 1.42.29 to 1.42.31 by @dependabot in https://github.com/sigstore/sigstore/pull/222
    • pin actions by digest; update chrome install to use signed repo by @bobcallaway in https://github.com/sigstore/sigstore/pull/225
    • Bump github.com/aws/aws-sdk-go from 1.42.31 to 1.42.32 by @dependabot in https://github.com/sigstore/sigstore/pull/224
    • Bump github.com/aws/aws-sdk-go from 1.42.32 to 1.42.33 by @dependabot in https://github.com/sigstore/sigstore/pull/227
    • Bump github/codeql-action from 300c8b6dcbaf905eb250b06113e2e62c340a2d20 to 1.0.27 by @dependabot in https://github.com/sigstore/sigstore/pull/226
    • Fix: verify with HashiVault KMS by @blz-ea in https://github.com/sigstore/sigstore/pull/229
    • Bump github.com/aws/aws-sdk-go from 1.42.33 to 1.42.34 by @dependabot in https://github.com/sigstore/sigstore/pull/230
    • Bump github.com/Azure/azure-sdk-for-go from 61.1.0+incompatible to 61.2.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/231
    • KMS: Change how the Azure authentication method is handled by @simongottschlag in https://github.com/sigstore/sigstore/pull/228
    • Bump github.com/aws/aws-sdk-go from 1.42.34 to 1.42.35 by @dependabot in https://github.com/sigstore/sigstore/pull/232
    • Bump github.com/Azure/go-autorest/autorest from 0.11.22 to 0.11.24 by @dependabot in https://github.com/sigstore/sigstore/pull/233
    • Drop SHA1, SHA224 for RSA-PSS/PKCS#1, enforce for RSA-PKCS#1 by @haydentherapper in https://github.com/sigstore/sigstore/pull/234
    • Bump github/codeql-action from 1.0.27 to 1.0.28 by @dependabot in https://github.com/sigstore/sigstore/pull/236
    • Bump github.com/aws/aws-sdk-go from 1.42.35 to 1.42.36 by @dependabot in https://github.com/sigstore/sigstore/pull/235
    • Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 by @dependabot in https://github.com/sigstore/sigstore/pull/237
    • Bump github.com/aws/aws-sdk-go from 1.42.36 to 1.42.37 by @dependabot in https://github.com/sigstore/sigstore/pull/238
    • Bump github.com/Azure/azure-sdk-for-go from 61.2.0+incompatible to 61.3.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/239
    • Fix minor typos for HashiCorp by @jbayer in https://github.com/sigstore/sigstore/pull/240
    • Bump github.com/aws/aws-sdk-go from 1.42.37 to 1.42.38 by @dependabot in https://github.com/sigstore/sigstore/pull/242
    • Bump github/codeql-action from 1.0.28 to 1.0.29 by @dependabot in https://github.com/sigstore/sigstore/pull/241
    • Add subject key ID calculation from public key by @haydentherapper in https://github.com/sigstore/sigstore/pull/243
    • Bump github.com/aws/aws-sdk-go from 1.42.38 to 1.42.39 by @dependabot in https://github.com/sigstore/sigstore/pull/245
    • Bump github/codeql-action from 1.0.29 to 1.0.30 by @dependabot in https://github.com/sigstore/sigstore/pull/244
    • Bump github.com/aws/aws-sdk-go from 1.42.39 to 1.42.40 by @dependabot in https://github.com/sigstore/sigstore/pull/248
    • Wire up html page passed in for interactive OIDC callback server by @n3wscott in https://github.com/sigstore/sigstore/pull/247
    • Bump github.com/aws/aws-sdk-go from 1.42.40 to 1.42.41 by @dependabot in https://github.com/sigstore/sigstore/pull/250
    • Bump github.com/aws/aws-sdk-go from 1.42.41 to 1.42.42 by @dependabot in https://github.com/sigstore/sigstore/pull/251
    • Bump github.com/aws/aws-sdk-go from 1.42.42 to 1.42.43 by @dependabot in https://github.com/sigstore/sigstore/pull/252
    • Add oidc login to vault by @sudo-bmitch in https://github.com/sigstore/sigstore/pull/249
    • Bump github/codeql-action from 1.0.30 to 1.0.31 by @dependabot in https://github.com/sigstore/sigstore/pull/253
    • Bump github.com/aws/aws-sdk-go from 1.42.43 to 1.42.44 by @dependabot in https://github.com/sigstore/sigstore/pull/254
    • Bump github.com/Azure/azure-sdk-for-go from 61.3.0+incompatible to 61.4.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/255
    • Skip strict check on PKCE discovery claim on Azure by @bobcallaway in https://github.com/sigstore/sigstore/pull/246
    • Add ability to specify key version for Hashivault by @bobcallaway in https://github.com/sigstore/sigstore/pull/256
    • update deps by @dekkagaijin in https://github.com/sigstore/sigstore/pull/257
    • Bump github.com/aws/aws-sdk-go from 1.42.45 to 1.42.46 by @dependabot in https://github.com/sigstore/sigstore/pull/258
    • Bump cloud.google.com/go/kms from 1.1.0 to 1.2.0 by @dependabot in https://github.com/sigstore/sigstore/pull/259
    • return version of Vault key via functional option by @bobcallaway in https://github.com/sigstore/sigstore/pull/260
    • Bump github/codeql-action from 1.0.31 to 1.0.32 by @dependabot in https://github.com/sigstore/sigstore/pull/261
    • Bump github.com/aws/aws-sdk-go from 1.42.46 to 1.42.47 by @dependabot in https://github.com/sigstore/sigstore/pull/262
    • Bump github.com/aws/aws-sdk-go from 1.42.47 to 1.42.48 by @dependabot in https://github.com/sigstore/sigstore/pull/264
    • Bump github.com/go-rod/rod from 0.101.8 to 0.102.0 by @dependabot in https://github.com/sigstore/sigstore/pull/265
    • Bump github.com/aws/aws-sdk-go from 1.42.48 to 1.42.49 by @dependabot in https://github.com/sigstore/sigstore/pull/267
    • Bump actions/setup-go from 2.1.5 to 2.2.0 by @dependabot in https://github.com/sigstore/sigstore/pull/266
    • Bump github.com/aws/aws-sdk-go from 1.42.49 to 1.42.50 by @dependabot in https://github.com/sigstore/sigstore/pull/268
    • Bump github.com/go-rod/rod from 0.102.0 to 0.102.1 by @dependabot in https://github.com/sigstore/sigstore/pull/271
    • Bump github.com/aws/aws-sdk-go from 1.42.50 to 1.42.51 by @dependabot in https://github.com/sigstore/sigstore/pull/270
    • Bump github/codeql-action from 1.0.32 to 1.1.0 by @dependabot in https://github.com/sigstore/sigstore/pull/269
    • Bump github.com/aws/aws-sdk-go from 1.42.51 to 1.42.52 by @dependabot in https://github.com/sigstore/sigstore/pull/272
    • Bump github.com/Azure/azure-sdk-for-go from 61.4.0+incompatible to 61.5.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/273
    • Bump cloud.google.com/go/kms from 1.2.0 to 1.3.0 by @dependabot in https://github.com/sigstore/sigstore/pull/274
    • Bump github.com/aws/aws-sdk-go from 1.42.52 to 1.42.53 by @dependabot in https://github.com/sigstore/sigstore/pull/275
    • Bump github.com/aws/aws-sdk-go from 1.42.53 to 1.43.0 by @dependabot in https://github.com/sigstore/sigstore/pull/281
    • Bump github/codeql-action from 1.1.0 to 1.1.2 by @dependabot in https://github.com/sigstore/sigstore/pull/280
    • pkg/signature/kms doesn't depend on kms impls by @imjasonh in https://github.com/sigstore/sigstore/pull/276
    • remove unmaintained test dependency with invalid license by @bobcallaway in https://github.com/sigstore/sigstore/pull/279
    • move e2e tests inline with various implementation packages by @bobcallaway in https://github.com/sigstore/sigstore/pull/282
    • feat(kms): add supported providers func by @Dentrax in https://github.com/sigstore/sigstore/pull/277
    • Bump github.com/aws/aws-sdk-go from 1.43.0 to 1.43.1 by @dependabot in https://github.com/sigstore/sigstore/pull/283
    • Bump github.com/Azure/azure-sdk-for-go from 61.5.0+incompatible to 61.6.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/284
    • Bump github.com/aws/aws-sdk-go from 1.43.1 to 1.43.2 by @dependabot in https://github.com/sigstore/sigstore/pull/285
    • Bump github.com/aws/aws-sdk-go from 1.43.2 to 1.43.3 by @dependabot in https://github.com/sigstore/sigstore/pull/286
    • Bump github.com/aws/aws-sdk-go from 1.43.3 to 1.43.4 by @dependabot in https://github.com/sigstore/sigstore/pull/287
    • Permit usage of signing keys with aws-us-gov arn partitions by @chaospuppy in https://github.com/sigstore/sigstore/pull/289
    • Bump github/codeql-action from 1.1.2 to 1.1.3 by @dependabot in https://github.com/sigstore/sigstore/pull/291
    • Bump github.com/aws/aws-sdk-go from 1.43.4 to 1.43.5 by @dependabot in https://github.com/sigstore/sigstore/pull/292
    • update permissions for codeql by @bobcallaway in https://github.com/sigstore/sigstore/pull/293
    • Bump github.com/aws/aws-sdk-go from 1.43.5 to 1.43.6 by @dependabot in https://github.com/sigstore/sigstore/pull/295
    • Bump golangci/golangci-lint-action from 2.5.2 to 3 by @dependabot in https://github.com/sigstore/sigstore/pull/294
    • Bump hashicorp vault to 1.4.0. by @dlorenc in https://github.com/sigstore/sigstore/pull/297
    • Bump github.com/hashicorp/vault/api from 1.4.0 to 1.4.1 by @dependabot in https://github.com/sigstore/sigstore/pull/298
    • Explicitly run the go setup action. by @dlorenc in https://github.com/sigstore/sigstore/pull/299
    • Bump github.com/secure-systems-lab/go-securesystemslib from 0.3.0 to 0.3.1 by @dependabot in https://github.com/sigstore/sigstore/pull/304
    • Bump golangci/golangci-lint-action from 3.0.0 to 3.1.0 by @dependabot in https://github.com/sigstore/sigstore/pull/300
    • Bump actions/setup-go from 2.2.0 to 3 by @dependabot in https://github.com/sigstore/sigstore/pull/301
    • Bump github.com/aws/aws-sdk-go from 1.43.6 to 1.43.7 by @dependabot in https://github.com/sigstore/sigstore/pull/302
    • Bump github.com/Azure/azure-sdk-for-go from 61.6.0+incompatible to 62.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/303
    • Bump github.com/aws/aws-sdk-go from 1.43.7 to 1.43.8 by @dependabot in https://github.com/sigstore/sigstore/pull/307
    • Bump actions/checkout from 2.4.0 to 3 by @dependabot in https://github.com/sigstore/sigstore/pull/306
    • Bump github.com/aws/aws-sdk-go from 1.43.8 to 1.43.9 by @dependabot in https://github.com/sigstore/sigstore/pull/309
    • Bump actions/upload-artifact from 2.3.1 to 3 by @dependabot in https://github.com/sigstore/sigstore/pull/310
    • Bump cloud.google.com/go/kms from 1.3.0 to 1.4.0 by @dependabot in https://github.com/sigstore/sigstore/pull/311
    • Bump github.com/aws/aws-sdk-go from 1.43.9 to 1.43.10 by @dependabot in https://github.com/sigstore/sigstore/pull/312
    • Bump github.com/go-rod/rod from 0.102.1 to 0.103.0 by @dependabot in https://github.com/sigstore/sigstore/pull/313
    • Bump github.com/aws/aws-sdk-go from 1.43.10 to 1.43.11 by @dependabot in https://github.com/sigstore/sigstore/pull/314
    • Bump github.com/aws/aws-sdk-go from 1.43.11 to 1.43.12 by @dependabot in https://github.com/sigstore/sigstore/pull/316
    • Bump github.com/Azure/azure-sdk-for-go from 62.0.0+incompatible to 62.1.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/317
    • Bump github.com/aws/aws-sdk-go from 1.43.12 to 1.43.13 by @dependabot in https://github.com/sigstore/sigstore/pull/319
    • Bump github/codeql-action from 1.1.3 to 1.1.4 by @dependabot in https://github.com/sigstore/sigstore/pull/318
    • Bump github.com/aws/aws-sdk-go from 1.43.13 to 1.43.14 by @dependabot in https://github.com/sigstore/sigstore/pull/321
    • Enable the same golangci-lint rules as cosign by @dekkagaijin in https://github.com/sigstore/sigstore/pull/322
    • Bump github.com/aws/aws-sdk-go from 1.43.14 to 1.43.15 by @dependabot in https://github.com/sigstore/sigstore/pull/323
    • Initial introduction and implementation of oidc.IDTokenSource by @dekkagaijin in https://github.com/sigstore/sigstore/pull/320
    • Update CODEOWNERS by @endorama in https://github.com/sigstore/sigstore/pull/315
    • Bump github.com/aws/aws-sdk-go from 1.43.15 to 1.43.16 by @dependabot in https://github.com/sigstore/sigstore/pull/324
    • Add a reusable GitHub Action workflow for cutting releases. by @k4leung4 in https://github.com/sigstore/sigstore/pull/325
    • return immediately, without waiting for the operation in progress to complete by @cpanato in https://github.com/sigstore/sigstore/pull/326
    • Bump github.com/aws/aws-sdk-go from 1.43.16 to 1.43.17 by @dependabot in https://github.com/sigstore/sigstore/pull/327
    • Bump github.com/Azure/azure-sdk-for-go from 62.1.0+incompatible to 62.2.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/328
    • Bump github.com/aws/aws-sdk-go from 1.43.17 to 1.43.18 by @dependabot in https://github.com/sigstore/sigstore/pull/329
    • Bump github.com/stretchr/testify from 1.7.0 to 1.7.1 by @dependabot in https://github.com/sigstore/sigstore/pull/332
    • Included OpenSSF Best Practices badge by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/333
    • Bump github.com/aws/aws-sdk-go from 1.43.18 to 1.43.19 by @dependabot in https://github.com/sigstore/sigstore/pull/331
    • fix lints found by golangci-lint by @cpanato in https://github.com/sigstore/sigstore/pull/334
    • Bump github.com/aws/aws-sdk-go from 1.43.19 to 1.43.20 by @dependabot in https://github.com/sigstore/sigstore/pull/335
    • Bump github.com/aws/aws-sdk-go from 1.43.20 to 1.43.21 by @dependabot in https://github.com/sigstore/sigstore/pull/336
    • Bump github/codeql-action from 1.1.4 to 1.1.5 by @dependabot in https://github.com/sigstore/sigstore/pull/330
    • Make tag,key_ring,key optional for release workflow. by @k4leung4 in https://github.com/sigstore/sigstore/pull/338
    • Bump github.com/go-rod/rod from 0.103.0 to 0.104.1 by @dependabot in https://github.com/sigstore/sigstore/pull/341
    • Bump github.com/Azure/azure-sdk-for-go from 62.2.0+incompatible to 62.3.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/342
    • Bump github.com/aws/aws-sdk-go from 1.43.21 to 1.43.22 by @dependabot in https://github.com/sigstore/sigstore/pull/340
    • Bump actions/cache from 2.1.7 to 3 by @dependabot in https://github.com/sigstore/sigstore/pull/339
    • Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 by @dependabot in https://github.com/sigstore/sigstore/pull/343
    • Bump github.com/aws/aws-sdk-go from 1.43.22 to 1.43.24 by @dependabot in https://github.com/sigstore/sigstore/pull/345
    • Add utilities to parse Oauth2 access token HTTP responses by @dekkagaijin in https://github.com/sigstore/sigstore/pull/337
    • Add method to check for public key equality by @haydentherapper in https://github.com/sigstore/sigstore/pull/346

    New Contributors

    • @blz-ea made their first contribution in https://github.com/sigstore/sigstore/pull/229
    • @simongottschlag made their first contribution in https://github.com/sigstore/sigstore/pull/228
    • @haydentherapper made their first contribution in https://github.com/sigstore/sigstore/pull/234
    • @jbayer made their first contribution in https://github.com/sigstore/sigstore/pull/240
    • @n3wscott made their first contribution in https://github.com/sigstore/sigstore/pull/247
    • @sudo-bmitch made their first contribution in https://github.com/sigstore/sigstore/pull/249
    • @imjasonh made their first contribution in https://github.com/sigstore/sigstore/pull/276
    • @Dentrax made their first contribution in https://github.com/sigstore/sigstore/pull/277
    • @chaospuppy made their first contribution in https://github.com/sigstore/sigstore/pull/289
    • @endorama made their first contribution in https://github.com/sigstore/sigstore/pull/315
    • @k4leung4 made their first contribution in https://github.com/sigstore/sigstore/pull/325

    Full Changelog: https://github.com/sigstore/sigstore/compare/v1.1.0...v1.2.0

  • v1.1.0(Dec 28, 2021)

    What's Changed

    • Idp specific default flows by @houdini91 in https://github.com/sigstore/sigstore/pull/123
    • Bump github.com/aws/aws-sdk-go from 1.42.1 to 1.42.2 by @dependabot in https://github.com/sigstore/sigstore/pull/139
    • Bump github.com/aws/aws-sdk-go from 1.42.2 to 1.42.3 by @dependabot in https://github.com/sigstore/sigstore/pull/140
    • Bump github.com/google/go-containerregistry from 0.6.0 to 0.7.0 by @dependabot in https://github.com/sigstore/sigstore/pull/142
    • Bump github.com/aws/aws-sdk-go from 1.42.3 to 1.42.4 by @dependabot in https://github.com/sigstore/sigstore/pull/143
    • expose innerWrapper as VerifierAdapter by @dekkagaijin in https://github.com/sigstore/sigstore/pull/144
    • also expose the wrapped verifier in VerifierAdapter by @dekkagaijin in https://github.com/sigstore/sigstore/pull/145
    • Bump github.com/aws/aws-sdk-go from 1.42.4 to 1.42.5 by @dependabot in https://github.com/sigstore/sigstore/pull/147
    • Feat : Fuzzing by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/146
    • Linter - Included linter check for doc rules by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/148
    • Bump github.com/aws/aws-sdk-go from 1.42.5 to 1.42.7 by @dependabot in https://github.com/sigstore/sigstore/pull/150
    • update deps by @dekkagaijin in https://github.com/sigstore/sigstore/pull/151
    • Bump github.com/aws/aws-sdk-go from 1.42.8 to 1.42.9 by @dependabot in https://github.com/sigstore/sigstore/pull/152
    • Move the ssh signing/verification utilities to sigstore from rekor. by @dlorenc in https://github.com/sigstore/sigstore/pull/141
    • Bump github.com/aws/aws-sdk-go from 1.42.9 to 1.42.10 by @dependabot in https://github.com/sigstore/sigstore/pull/153
    • Fix revive lint warnings. by @dlorenc in https://github.com/sigstore/sigstore/pull/156
    • Included fuzzing for more cryptoutils by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/157
    • Bump github.com/aws/aws-sdk-go from 1.42.10 to 1.42.11 by @dependabot in https://github.com/sigstore/sigstore/pull/161
    • hack: add hack/tools to hold non required dependencies/tools for the project by @cpanato in https://github.com/sigstore/sigstore/pull/159
    • update lint action by @dekkagaijin in https://github.com/sigstore/sigstore/pull/155
    • Fuzzing password and some signature API by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/160
    • Bump github.com/aws/aws-sdk-go from 1.42.11 to 1.42.12 by @dependabot in https://github.com/sigstore/sigstore/pull/162
    • Bump github.com/Azure/azure-sdk-for-go from 59.3.0+incompatible to 59.4.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/163
    • Docs for Fuzzing by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/165
    • Fuzzing - Included RSA Targets by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/164
    • Bump github.com/aws/aws-sdk-go from 1.42.12 to 1.42.14 by @dependabot in https://github.com/sigstore/sigstore/pull/166
    • Clean up lint errors by @bobcallaway in https://github.com/sigstore/sigstore/pull/167
    • Included fuzz badge by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/168
    • Included CIFuzz by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/169
    • Bump github.com/aws/aws-sdk-go from 1.42.14 to 1.42.15 by @dependabot in https://github.com/sigstore/sigstore/pull/171
    • Fuzzing for RSAPASS by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/170
    • Bump github.com/aws/aws-sdk-go from 1.42.15 to 1.42.16 by @dependabot in https://github.com/sigstore/sigstore/pull/174
    • Upgraded go-securesystemslib from 0.1.0 to 0.2.0 by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/178
    • Bump github.com/aws/aws-sdk-go from 1.42.16 to 1.42.17 by @dependabot in https://github.com/sigstore/sigstore/pull/176
    • Additional corpus for ecdsa and ed25519 by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/177
    • Fuzz testing DSSE by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/173
    • Bump github.com/aws/aws-sdk-go from 1.42.17 to 1.42.18 by @dependabot in https://github.com/sigstore/sigstore/pull/180
    • Bump github.com/Azure/azure-sdk-for-go from 59.4.0+incompatible to 60.0.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/179
    • Updatathon by @dekkagaijin in https://github.com/sigstore/sigstore/pull/181
    • Bump github.com/ReneKroon/ttlcache/v2 from 2.9.0 to 2.10.0 by @dependabot in https://github.com/sigstore/sigstore/pull/184
    • Bump github.com/aws/aws-sdk-go from 1.42.19 to 1.42.20 by @dependabot in https://github.com/sigstore/sigstore/pull/187
    • Bump actions/upload-artifact from 2.2.4 to 2.3.0 by @dependabot in https://github.com/sigstore/sigstore/pull/185
    • bump github.com/secure-systems-lab/go-securesystemslib to v0.3.0 by @dekkagaijin in https://github.com/sigstore/sigstore/pull/189
    • bump the rest of the deps by @dekkagaijin in https://github.com/sigstore/sigstore/pull/190
    • fix wrong return value in error case by @bobcallaway in https://github.com/sigstore/sigstore/pull/192
    • Bump github.com/aws/aws-sdk-go from 1.42.20 to 1.42.21 by @dependabot in https://github.com/sigstore/sigstore/pull/194
    • Bump github.com/aws/aws-sdk-go from 1.42.21 to 1.42.22 by @dependabot in https://github.com/sigstore/sigstore/pull/195
    • Bump github.com/Azure/azure-sdk-for-go from 60.0.0+incompatible to 60.1.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/196
    • Fuzz - Fixes nil data by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/197
    • Bump github.com/aws/aws-sdk-go from 1.42.22 to 1.42.23 by @dependabot in https://github.com/sigstore/sigstore/pull/201
    • Bump actions/upload-artifact from 2.3.0 to 2.3.1 by @dependabot in https://github.com/sigstore/sigstore/pull/202
    • Bump github.com/Azure/azure-sdk-for-go from 60.1.0+incompatible to 60.2.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/204
    • Dsse multi signature wrapper by @houdini91 in https://github.com/sigstore/sigstore/pull/203
    • Bump github.com/ReneKroon/ttlcache/v2 from 2.10.0 to 2.11.0 by @dependabot in https://github.com/sigstore/sigstore/pull/206
    • Bump github.com/aws/aws-sdk-go from 1.42.23 to 1.42.24 by @dependabot in https://github.com/sigstore/sigstore/pull/207
    • Bump github.com/aws/aws-sdk-go from 1.42.24 to 1.42.25 by @dependabot in https://github.com/sigstore/sigstore/pull/208
    • Bump github.com/hashicorp/vault/api from 1.3.0 to 1.3.1 by @dependabot in https://github.com/sigstore/sigstore/pull/209
    • Bump github.com/Azure/azure-sdk-for-go from 60.2.0+incompatible to 60.3.0+incompatible by @dependabot in https://github.com/sigstore/sigstore/pull/210
    • Fuzz- Fixes the invalid UTF-8 string for DSSE by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/212

    New Contributors

    • @houdini91 made their first contribution in https://github.com/sigstore/sigstore/pull/123

    Full Changelog: https://github.com/sigstore/sigstore/compare/v1.0.1...v1.1.0

  • v1.0.1(Nov 11, 2021)

    What's Changed

    • Make SimpleContainerImage struct accessible for tekton chains by @priyawadhwa in https://github.com/sigstore/sigstore/pull/124
    • (fix): Fix vault integration to work with rotated keys by @rjbrown57 in https://github.com/sigstore/sigstore/pull/125
    • Create dependabot.yml by @naveensrinivasan in https://github.com/sigstore/sigstore/pull/127
    • Fix the azure KMS provider by @dlorenc in https://github.com/sigstore/sigstore/pull/126
    • Bump actions/checkout from 2.3.4 to 2.4.0 by @dependabot in https://github.com/sigstore/sigstore/pull/128
    • Bump github.com/go-test/deep from 1.0.7 to 1.0.8 by @dependabot in https://github.com/sigstore/sigstore/pull/129
    • Bump github.com/aws/aws-sdk-go from 1.40.7 to 1.41.19 by @dependabot in https://github.com/sigstore/sigstore/pull/130
    • Bump cloud.google.com/go from 0.88.0 to 0.97.0 by @dependabot in https://github.com/sigstore/sigstore/pull/134
    • Bump github.com/ReneKroon/ttlcache/v2 from 2.7.0 to 2.9.0 by @dependabot in https://github.com/sigstore/sigstore/pull/132
    • Bump github.com/coreos/go-oidc/v3 from 3.0.0 to 3.1.0 by @dependabot in https://github.com/sigstore/sigstore/pull/133
    • Bump github.com/google/go-containerregistry from 0.5.1 to 0.6.0 by @dependabot in https://github.com/sigstore/sigstore/pull/135
    • Bump github.com/hashicorp/vault/api from 1.1.1 to 1.3.0 by @dependabot in https://github.com/sigstore/sigstore/pull/131
    • Bump github.com/aws/aws-sdk-go from 1.41.19 to 1.42.0 by @dependabot in https://github.com/sigstore/sigstore/pull/136
    • Bump github.com/aws/aws-sdk-go from 1.42.0 to 1.42.1 by @dependabot in https://github.com/sigstore/sigstore/pull/137

    New Contributors

    • @rjbrown57 made their first contribution in https://github.com/sigstore/sigstore/pull/125
    • @naveensrinivasan made their first contribution in https://github.com/sigstore/sigstore/pull/127
    • @dependabot made their first contribution in https://github.com/sigstore/sigstore/pull/128

    Full Changelog: https://github.com/sigstore/sigstore/compare/v1.0.0...v1.0.1

  • v1.0.0(Oct 11, 2021)

    What's Changed

    • Missed a couple of renames by @lukehinds in https://github.com/sigstore/sigstore/pull/1
    • User can use toml config for cert details by @lukehinds in https://github.com/sigstore/sigstore/pull/2
    • OIDC by @lukehinds in https://github.com/sigstore/sigstore/pull/3
    • readme, gitignore by @lukehinds in https://github.com/sigstore/sigstore/pull/4
    • Project Rename by @lukehinds in https://github.com/sigstore/sigstore/pull/5
    • Project refactor in prep for rewrite by @lukehinds in https://github.com/sigstore/sigstore/pull/7
    • Key generation code by @lukehinds in https://github.com/sigstore/sigstore/pull/9
    • Fix lint errors by @lukehinds in https://github.com/sigstore/sigstore/pull/12
    • Set up CI by @lukehinds in https://github.com/sigstore/sigstore/pull/11
    • Return PubK in correct type by @lukehinds in https://github.com/sigstore/sigstore/pull/13
    • Client port by @lukehinds in https://github.com/sigstore/sigstore/pull/14
    • Return the response so we can handle specific status codes by @lukehinds in https://github.com/sigstore/sigstore/pull/15
    • Bind flags with PreRun by @lukehinds in https://github.com/sigstore/sigstore/pull/18
    • Rename clients by @lukehinds in https://github.com/sigstore/sigstore/pull/20
    • Implements file MIME checking by @lukehinds in https://github.com/sigstore/sigstore/pull/21
    • Delete DS_Store by @lukehinds in https://github.com/sigstore/sigstore/pull/22
    • Implement rekor log entry by @lukehinds in https://github.com/sigstore/sigstore/pull/23
    • Update copyright statement by @dekkagaijin in https://github.com/sigstore/sigstore/pull/25
    • Device flow! by @dlorenc in https://github.com/sigstore/sigstore/pull/24
    • Add signature library by @dekkagaijin in https://github.com/sigstore/sigstore/pull/26
    • Add Security Section by @lukehinds in https://github.com/sigstore/sigstore/pull/29
    • cmd: add version command by @cpanato in https://github.com/sigstore/sigstore/pull/31
    • Rename signature payloads to be more descriptive for users by @dekkagaijin in https://github.com/sigstore/sigstore/pull/32
    • Use crypto.PublicKey in favor of *ecdsa.PublicKey by @dekkagaijin in https://github.com/sigstore/sigstore/pull/33
    • remove Ed25519 until we can make it work sanely with Rekor by @dekkagaijin in https://github.com/sigstore/sigstore/pull/34
    • Signers should return the payloads which were actually signed by @dekkagaijin in https://github.com/sigstore/sigstore/pull/35
    • update boilerplate header and apply go fmt by @cpanato in https://github.com/sigstore/sigstore/pull/37
    • ci/boilerplate: fix boilerplate check by @cpanato in https://github.com/sigstore/sigstore/pull/39
    • go: update go version to use 1.16.x by @cpanato in https://github.com/sigstore/sigstore/pull/36
    • Move kms package from cosign to sigstore by @priyawadhwa in https://github.com/sigstore/sigstore/pull/41
    • Leverage the signature package for signing by @dekkagaijin in https://github.com/sigstore/sigstore/pull/38
    • Implement code owners by @lukehinds in https://github.com/sigstore/sigstore/pull/40
    • use RSA-PSS instead of RSA-PKCS#1 v1.5 signature scheme by @dekkagaijin in https://github.com/sigstore/sigstore/pull/43
    • feat: add vault transit kms engine by @RichiCoder1 in https://github.com/sigstore/sigstore/pull/44
    • Bump the rekor dependency. by @dlorenc in https://github.com/sigstore/sigstore/pull/47
    • Allow specifying the full key version. by @dlorenc in https://github.com/sigstore/sigstore/pull/45
    • some vault fixes by @RichiCoder1 in https://github.com/sigstore/sigstore/pull/49
    • Better define sigstore's purpose by @lukehinds in https://github.com/sigstore/sigstore/pull/52
    • remove optional algorithm; ensure CI and Makefile are correct by @bobcallaway in https://github.com/sigstore/sigstore/pull/57
    • log error message but continue with OAuth2 flow if browser auto-open … by @bobcallaway in https://github.com/sigstore/sigstore/pull/56
    • change to rekor.sigstore.dev by @bobcallaway in https://github.com/sigstore/sigstore/pull/60
    • remove gosec since it is handled by golangci-lint by @bobcallaway in https://github.com/sigstore/sigstore/pull/58
    • Add support for ed25519 based keys by @priyawadhwa in https://github.com/sigstore/sigstore/pull/51
    • Bump rekor for the new API changes. by @dlorenc in https://github.com/sigstore/sigstore/pull/61
    • Move all rekor code to tlog by @lukehinds in https://github.com/sigstore/sigstore/pull/63
    • Refact key tlog by @lukehinds in https://github.com/sigstore/sigstore/pull/65
    • Add support for static identity tokens supplied directly by the caller. by @dlorenc in https://github.com/sigstore/sigstore/pull/64
    • enable transit secret engine at another path by @developer-guy in https://github.com/sigstore/sigstore/pull/67
    • Refactor IDToken handling to support claims based on fields other tha… by @dlorenc in https://github.com/sigstore/sigstore/pull/68
    • cert.Subject is not populated, return serial instead by @lukehinds in https://github.com/sigstore/sigstore/pull/71
    • Allow the OOB authentication flow when we can't open a browser. by @dlorenc in https://github.com/sigstore/sigstore/pull/62
    • convert signature library to implement crypto.Signer interface by @bobcallaway in https://github.com/sigstore/sigstore/pull/69
    • use new path to GetRekorClient by @bobcallaway in https://github.com/sigstore/sigstore/pull/73
    • Fix for Error: error during PEM decoding by @lukehinds in https://github.com/sigstore/sigstore/pull/78
    • Use output to save client cert file locally by @lukehinds in https://github.com/sigstore/sigstore/pull/79
    • Add formatted URL for rekor entry by @lukehinds in https://github.com/sigstore/sigstore/pull/80
    • Add PublicKeyProvider interface by @bobcallaway in https://github.com/sigstore/sigstore/pull/75
    • Bump rekor. by @dlorenc in https://github.com/sigstore/sigstore/pull/82
    • Also output the signature if required by @lukehinds in https://github.com/sigstore/sigstore/pull/83
    • filehandler: add application/x-executable to supported mimetype by @cpanato in https://github.com/sigstore/sigstore/pull/84
    • stop using signerverifier to get access to publickeyprovider by @bobcallaway in https://github.com/sigstore/sigstore/pull/85
    • compute crc over digest instead of message by @bobcallaway in https://github.com/sigstore/sigstore/pull/86
    • We should use the client ID from the oauth config, not viper. by @dlorenc in https://github.com/sigstore/sigstore/pull/87
    • Don't use pointers for ed25519 keys by @dekkagaijin in https://github.com/sigstore/sigstore/pull/88
    • AWS KMS Support by @codysoyland in https://github.com/sigstore/sigstore/pull/74
    • Remove cmd/, clean up unused code by @dekkagaijin in https://github.com/sigstore/sigstore/pull/90
    • Remove pkg/tlog, run go mod tidy by @dekkagaijin in https://github.com/sigstore/sigstore/pull/91
    • update go modules, run go mod tidy by @dekkagaijin in https://github.com/sigstore/sigstore/pull/94
    • update github actions to latest versions by @dekkagaijin in https://github.com/sigstore/sigstore/pull/93
    • change in-memory signers to implement crypto.Signer by @bobcallaway in https://github.com/sigstore/sigstore/pull/92
    • Add initial Azure KMS support by @cpanato in https://github.com/sigstore/sigstore/pull/76
    • Remove pkg/util directory by @dekkagaijin in https://github.com/sigstore/sigstore/pull/95
    • Implement wrappers/converters for the DSSE signing spec. by @dlorenc in https://github.com/sigstore/sigstore/pull/96
    • Add tests for pkg/cryptoutils by @dekkagaijin in https://github.com/sigstore/sigstore/pull/99
    • More pkg/cryptoutils tests, add a generator for ECDSA keypairs by @dekkagaijin in https://github.com/sigstore/sigstore/pull/100
    • ENCRYPTED COSIGN PRIVATE KEY -> ENCRYPTED SIGSTORE PRIVATE KEY by @dekkagaijin in https://github.com/sigstore/sigstore/pull/101
    • remove fulcio client code by @dekkagaijin in https://github.com/sigstore/sigstore/pull/103
    • small update in the makefile by @cpanato in https://github.com/sigstore/sigstore/pull/105
    • default to P-256 curve again by @dekkagaijin in https://github.com/sigstore/sigstore/pull/106
    • Add missing code of conduct (stock sigstore one) by @lukehinds in https://github.com/sigstore/sigstore/pull/107
    • leverage Vault token helpers approach while obtaining Vault token by @developer-guy in https://github.com/sigstore/sigstore/pull/104
    • Transit backend path is hardcoded for some operations of the KMS Vault client by @LeSuisse in https://github.com/sigstore/sigstore/pull/102
    • Switch DSSE provider to go-securesystemslib by @adityasaky in https://github.com/sigstore/sigstore/pull/111
    • pass by reference instead of pointer so correct redirect_uri is known by @bobcallaway in https://github.com/sigstore/sigstore/pull/114
    • Pin localstack in e2e tests (fixes #112) by @codysoyland in https://github.com/sigstore/sigstore/pull/115
    • Fix typo/readability by @ocdtrekkie in https://github.com/sigstore/sigstore/pull/116
    • Modularise CI by @lukehinds in https://github.com/sigstore/sigstore/pull/118
    • Update readme in anticipation of 1.0 by @lukehinds in https://github.com/sigstore/sigstore/pull/119
    • Integration tests for dex / OIDConnect by @lukehinds in https://github.com/sigstore/sigstore/pull/110
    • Change redirect listener to use ephemeral port by @bobcallaway in https://github.com/sigstore/sigstore/pull/120

    New Contributors

    • @lukehinds made their first contribution in https://github.com/sigstore/sigstore/pull/1
    • @dekkagaijin made their first contribution in https://github.com/sigstore/sigstore/pull/25
    • @dlorenc made their first contribution in https://github.com/sigstore/sigstore/pull/24
    • @cpanato made their first contribution in https://github.com/sigstore/sigstore/pull/31
    • @priyawadhwa made their first contribution in https://github.com/sigstore/sigstore/pull/41
    • @RichiCoder1 made their first contribution in https://github.com/sigstore/sigstore/pull/44
    • @bobcallaway made their first contribution in https://github.com/sigstore/sigstore/pull/57
    • @developer-guy made their first contribution in https://github.com/sigstore/sigstore/pull/67
    • @codysoyland made their first contribution in https://github.com/sigstore/sigstore/pull/74
    • @LeSuisse made their first contribution in https://github.com/sigstore/sigstore/pull/102
    • @adityasaky made their first contribution in https://github.com/sigstore/sigstore/pull/111
    • @ocdtrekkie made their first contribution in https://github.com/sigstore/sigstore/pull/116

    Full Changelog: https://github.com/sigstore/sigstore/commits/v1.0.0

Owner
sigstore
Software supply chain transparency
sigstore
Prototype Pollution Scanner

protoscan Prototype Pollution Scanner made in Golang, it was actually made by @tomnomnom in NahamCon2021 https://www.youtube.com/watch?v=Gv1nK6Wj8qM I

Kathan Patel 82 Sep 22, 2022
A scanner/exploitation tool written in GO, which leverages Prototype Pollution to XSS by exploiting known gadgets.

ppmap A simple scanner/exploitation tool written in GO which automatically exploits known and existing gadgets (checks for specific variables in the g

kleiton0x00 356 Nov 17, 2022
Implementations of the Coconut signing scheme, cross-compatible between Rust and Go.

Coconut Coconut [paper] is a distributed cryptographic signing scheme providing a high degree of privacy for its users. You can find an overview of ho

Nym 20 Jul 24, 2022
An RSA signing server model, allows to create valid signed certificates that can't be modified

Omega Description an RSA signing server model, allows to create valid signed certificates that can't be modified Requirements MySQL Server GoLang 1.17 I

null 0 Nov 15, 2021
Proto-find is a tool for researchers that lets you find client side prototype pollution vulnerability.

proto-find proto-find is a tool for researchers that lets you find client side prototype pollution vulnerability. How it works proto-find open URL in

null 52 Nov 9, 2022
Prototype of signing container images in the index

Prototype for inline signing of images in the image index. When designing Notary v2 there was a strong consensus for having detached signatures. These

Justin Cormack 3 Aug 24, 2022
A tool for testing, building, signing, and publishing binaries.

gomason Tool for testing, building, signing and publishing binaries. Think of it as an on-premises CI/CD system that also performs code signing and p

Nik Ogura 54 Sep 26, 2022
Simple no frills AWS S3 Golang Library using REST with V4 Signing (without AWS Go SDK)

simples3 : Simple no frills AWS S3 Library using REST with V4 Signing Overview SimpleS3 is a golang library for uploading and deleting objects on S3 b

Rohan Verma 95 Nov 4, 2022
Container Signing

cosign Container Signing, Verification and Storage in an OCI registry. Cosign aims to make signatures invisible infrastructure. Info Cosign is develop

sigstore 2.8k Nov 27, 2022
Work with remote images registries - retrieving information, images, signing content

skopeo skopeo is a command line utility that performs various operations on container images and image repositories. skopeo does not require the user

Containers 5.4k Nov 24, 2022
2D virtual tabletop prototype

Mirkwood Engine A prototype of a virtual tabletop written in Go 1.16 and Ebiten 2 (The gif can seem a bit laggy but the animations are smooth in r

null 19 Sep 28, 2021
A CLI tool for leveraging IDP signing keys to impersonate users and groups

Imperson8 Disclaimer This is a security testing tool. Only use this on systems you have explicit authorization to test. This isn't an exploit and won'

null 17 Jul 23, 2022
kcp is a prototype of a Kubernetes API server that is not a Kubernetes cluster - a place to create, update, and maintain Kube-like APIs with controllers above or without clusters.

kcp is a minimal Kubernetes API server How minimal exactly? kcp doesn't know about Pods or Nodes, let alone Deployments, Services, LoadBalancers, etc.

Prototype of Future Kubernetes Ideas 1.8k Nov 26, 2022
Extended ssh-agent which supports git commit signing over ssh

ssh-agentx ssh-agentx Rationale Requirements Configuration ssh-agentx Configuration ssh-gpg-signer Linux Windows Signing commits after configuration T

Wim 10 Jun 29, 2022
kubectl plugin for signing Kubernetes manifest YAML files with sigstore

k8s-manifest-sigstore kubectl plugin for signing Kubernetes manifest YAML files with sigstore ⚠️ Still under development, not ready for production us

sigstore 69 Nov 27, 2022
gon is a simple, no-frills tool for signing and notarizing your CLI binaries for macOS

Sign, notarize, and package macOS CLI tools and applications written in any language. Available as both a CLI and a Go library.

Mitchell Hashimoto 1.3k Nov 21, 2022
Prototype pollution scanner using headless chrome

plution Prototype pollution scanner using headless chrome What this is Plution is a convenient way to scan at scale for pages that are vulnerable to c

null 142 Nov 16, 2022