Releases: sigstore/gitsign
v0.7.0
Changelog
- 8955100 Bump github.com/jonboulle/clockwork from 0.3.0 to 0.4.0 (#316)
- 5dd6092 Add offline verification (#220)
- 295f8c1 Bump github.com/coreos/go-oidc/v3 from 3.5.0 to 3.6.0 (#314)
- fffe410 Bump sigstore/cosign-installer from 3.0.3 to 3.0.5 (#313)
- e135d08 Bump actions/setup-go from 4.0.0 to 4.0.1 (#312)
- dbeae80 Bump golang.org/x/crypto from 0.8.0 to 0.9.0 (#310)
- 859b2ac Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#311)
- ee39f77 Bump github.com/docker/distribution (#309)
- 70e4dfd Bump github.com/cloudflare/circl from 1.3.1 to 1.3.3 (#308)
- a454679 Bump github.com/sigstore/fulcio from 1.2.0 to 1.3.1 (#302)
- 472a9d1 Bump github.com/sigstore/sigstore from 1.6.3 to 1.6.4 (#304)
- 06cd545 Bump github.com/in-toto/in-toto-golang from 0.8.0 to 0.9.0 (#305)
- 71800bf Bump anchore/sbom-action from 0.14.1 to 0.14.2 (#307)
- d24ff29 Bump github.com/mattn/go-tty from 0.0.4 to 0.0.5 (#306)
- 9f5a9e8 Bump github.com/sigstore/rekor from 1.1.0 to 1.1.1 (#300)
- a75b58a Bump github.com/in-toto/in-toto-golang from 0.7.1 to 0.8.0 (#298)
- df022a6 Bump github.com/sigstore/cosign/v2 from 2.0.1 to 2.0.2 (#299)
- 717e7e6 Bump sigstore/cosign-installer from 3.0.2 to 3.0.3 (#297)
- a8dc697 Bump actions/checkout from 3.5.0 to 3.5.2 (#289)
- ebe8923 Bump github.com/sigstore/sigstore from 1.6.2 to 1.6.3 (#296)
- f374e54 Bump github.com/go-openapi/runtime from 0.25.0 to 0.26.0 (#295)
- 71a9701 Bump dependabot/fetch-metadata from 1.3.6 to 1.4.0 (#294)
- 23df870 Ensure that io writers are properly closed. (#292)
- 04f9453 Bump github.com/sigstore/sigstore from 1.6.1 to 1.6.2 (#290)
- 76c47d5 Fix e2e test for initializing cosign (#287)
- d38cd0b Update e2e test to use CDN instead of GCS (#285)
- f9e70b5 Bump golang.org/x/crypto from 0.7.0 to 0.8.0 (#283)
Thanks to all contributors!
v0.6.0
Highlights
- Added `gitsign.matchCommitter` option to verify that the certificate identity matches the expected committer identity.
- Added `gitsign verify` to verify commits with certificate verification options that match cosign (`--certificate-identity`, `--certificate-oidc-issuer`).
- Added support for Buildkite and Environment Variable OIDC credential detection.
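The two checks named above (pinning the certificate identity and OIDC issuer, and `matchCommitter`) amount to a small policy over the signing certificate's SANs and its Fulcio issuer extension. The following is an added example, not gitsign's own code: it self-signs a throwaway certificate shaped like a Fulcio leaf (email SAN plus the raw-string issuer extension under OID 1.3.6.1.4.1.57264.1.1, which is an assumption about the v1 extension layout) and applies the policy fail-closed. `VerifyPolicy`, `CheckCert` and `NewTestCert` are names introduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// oidFulcioIssuerV1 carries the OIDC issuer URL as a raw string.
// Assumption for this example: real certificates may instead use the
// DER-encoded variant under 1.3.6.1.4.1.57264.1.8.
var oidFulcioIssuerV1 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// VerifyPolicy mirrors the knobs named in the release notes.
type VerifyPolicy struct {
	CertificateIdentity   string // --certificate-identity
	CertificateOIDCIssuer string // --certificate-oidc-issuer
	MatchCommitter        bool   // gitsign.matchCommitter
	CommitterEmail        string // committer email taken from the commit
}

// IssuerFromCert extracts the OIDC issuer URL recorded in the certificate.
func IssuerFromCert(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidFulcioIssuerV1) {
			return string(ext.Value), nil
		}
	}
	return "", errors.New("certificate has no OIDC issuer extension")
}

// hasSAN reports whether identity appears as an email or URI SAN.
func hasSAN(cert *x509.Certificate, identity string) bool {
	for _, e := range cert.EmailAddresses {
		if e == identity {
			return true
		}
	}
	for _, u := range cert.URIs {
		if u.String() == identity {
			return true
		}
	}
	return false
}

// CheckCert applies the policy; every failure is an error so callers fail closed.
func CheckCert(cert *x509.Certificate, p VerifyPolicy) error {
	if p.CertificateIdentity == "" || p.CertificateOIDCIssuer == "" {
		return errors.New("policy must pin both identity and issuer")
	}
	issuer, err := IssuerFromCert(cert)
	if err != nil {
		return err
	}
	if issuer != p.CertificateOIDCIssuer {
		return fmt.Errorf("issuer %q does not match expected %q", issuer, p.CertificateOIDCIssuer)
	}
	if !hasSAN(cert, p.CertificateIdentity) {
		return fmt.Errorf("certificate SANs %v do not include %q", cert.EmailAddresses, p.CertificateIdentity)
	}
	if p.MatchCommitter && !hasSAN(cert, p.CommitterEmail) {
		return fmt.Errorf("committer %q is not among the certificate SANs", p.CommitterEmail)
	}
	return nil
}

// NewTestCert self-signs a throwaway certificate with the given email SAN and
// issuer extension. Constructed stand-in for a Fulcio-issued certificate.
func NewTestCert(email, issuer string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "test"},
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(10 * time.Minute),
		EmailAddresses:  []string{email},
		ExtraExtensions: []pkix.Extension{{Id: oidFulcioIssuerV1, Value: []byte(issuer)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewTestCert("alice@example.com", "https://github.com/login/oauth")
	if err != nil {
		panic(err)
	}
	pol := VerifyPolicy{
		CertificateIdentity:   "alice@example.com",
		CertificateOIDCIssuer: "https://github.com/login/oauth",
		MatchCommitter:        true,
		CommitterEmail:        "alice@example.com",
	}
	fmt.Println("matching policy:", CheckCert(cert, pol))
	pol.CommitterEmail = "mallory@example.com"
	fmt.Println("committer mismatch:", CheckCert(cert, pol))
}
```

The empty-policy refusal is deliberate: a verify step that does not pin both identity and issuer accepts any certificate the public Fulcio instance has ever issued, which is the mistake the `--certificate-identity` / `--certificate-oidc-issuer` flags exist to prevent.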
What's Changed
- Bump golangci/golangci-lint-action from 3.3.1 to 3.4.0 by @dependabot in #228
- Bump goreleaser/goreleaser-action from 4.1.0 to 4.1.1 by @dependabot in #227
- Bump anchore/sbom-action from 0.13.1 to 0.13.3 by @dependabot in #226
- Bump github.com/in-toto/in-toto-golang from 0.5.0 to 0.6.0 by @dependabot in #233
- Bump github.com/go-git/go-billy/v5 from 5.4.0 to 5.4.1 by @dependabot in #232
- Bump goreleaser/goreleaser-action from 4.1.1 to 4.2.0 by @dependabot in #231
- Bump actions/cache from 3.2.3 to 3.2.4 by @dependabot in #230
- Bump golang.org/x/oauth2 from 0.4.0 to 0.5.0 by @dependabot in #237
- Bump actions/cache from 3.2.4 to 3.2.5 by @dependabot in #235
- upgrade go to 1.20 by @cpanato in #234
- Bump golang.org/x/crypto from 0.5.0 to 0.6.0 by @dependabot in #236
- Update README.md by @y12studio in #239
- Handle spaces in git config values by @adityasaky in #240
- Bump github.com/sigstore/fulcio from 1.0.0 to 1.1.0 by @dependabot in #243
- Bump golang.org/x/net from 0.6.0 to 0.7.0 by @dependabot in #245
- Update --detached-sign to --detach-sign, remove "auto generated" line from docs by @adityasaky in #242
- Add support for checking cert email against user config before signing. by @wlynch in #246
- Bump sigstore cosign to v2, dep and workflows by @k4leung4 in #247
- Bump actions/cache from 3.2.5 to 3.2.6 by @dependabot in #248
- Bump golang.org/x/oauth2 from 0.5.0 to 0.6.0 by @dependabot in #255
- Bump github.com/go-git/go-git/v5 from 5.5.2 to 5.6.0 by @dependabot in #252
- Bump golang.org/x/crypto from 0.6.0 to 0.7.0 by @dependabot in #253
- Bump sigstore/cosign-installer from 2.8.1 to 3.0.1 by @dependabot in #251
- enable auto merge/approval for dependencies by @cpanato in #229
- update some dependencies and use head of cosign for now by @cpanato in #250
- Bump actions/cache from 3.2.6 to 3.3.1 by @dependabot in #256
- Add matchCommitter to top level README table. by @wlynch in #257
- Bump github.com/go-openapi/strfmt from 0.21.3 to 0.21.5 by @dependabot in #260
- Bump github.com/go-git/go-git/v5 from 5.6.0 to 5.6.1 by @dependabot in #261
- Bump actions/setup-go from 3.5.0 to 4.0.0 by @dependabot in #259
- Bump actions/checkout from 3.3.0 to 3.4.0 by @dependabot in #258
- Add gitsign verify by @wlynch in #262
- Bump anchore/sbom-action from 0.13.3 to 0.13.4 by @dependabot in #266
- Fix e2e tests by including --certificate-identity flag. by @wlynch in #264
- Initialize staging TUF root for sigstage.dev. by @wlynch in #267
- Add cosign to e2e tests, generalize e2e tests for forked repos. by @wlynch in #268
- Fix verify flags in README by @wlynch in #263
- Bump actions/checkout from 3.4.0 to 3.5.0 by @dependabot in #265
- Bump github.com/go-openapi/strfmt from 0.21.5 to 0.21.7 by @dependabot in #272
- Bump github.com/sigstore/fulcio from 1.1.0 to 1.2.0 by @dependabot in #273
- Bump anchore/sbom-action from 0.13.4 to 0.14.1 by @dependabot in #269
- Bump github.com/sigstore/rekor from 1.0.1 to 1.1.0 by @dependabot in #270
- Update logo URL by @wlynch in #274
- Bump github.com/docker/docker from 20.10.23+incompatible to 20.10.24+incompatible by @dependabot in #275
- bump cosign dependency to pick up buildkite OIDC provider by @imjasonh in #276
- Bump github.com/docker/docker from 23.0.1+incompatible to 23.0.3+incompatible by @dependabot in #277
- Revert change in Gitsign logo URL path by @sandipanpanda in #278
- Bump github.com/sigstore/sigstore from 1.6.0 to 1.6.1 by @dependabot in #281
- Bump github.com/in-toto/in-toto-golang from 0.7.0 to 0.7.1 by @dependabot in #280
- Bump github.com/sigstore/cosign/v2 from 2.0.1-0.20230404223517-fdeea9fd1574 to 2.0.1 by @dependabot in #279
- Bump sigstore/cosign-installer from 3.0.1 to 3.0.2 by @dependabot in #282
- Bump golang.org/x/oauth2 from 0.6.0 to 0.7.0 by @dependabot in #284
New Contributors
- @y12studio made their first contribution in #239
- @adityasaky made their first contribution in #240
- @k4leung4 made their first contribution in #247
- @sandipanpanda made their first contribution in #278
Full Changelog: v0.5.2...v0.6.0
v0.5.2
Highlights
gitsign
- BREAKING CHANGE: URI schemes added to `gitsign show` attestations to comply with the in-toto spec (i.e. `gitsign.sigstore.dev/predicate/git/v0.1` -> `https://gitsign.sigstore.dev/predicate/git/v0.1`).
gitsign-credential-cache
- Added support for systemd socket activation
- Added support for opening interactive auth flow through the cache socket - this allows users to forward interactive flows over remote SSH sockets to their local machines.
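Consumers that read `gitsign show` output and match on the predicate type need to handle the scheme change above. The following is an added example, not gitsign's code: it parses an in-toto Statement, accepts the new `https://` predicate type, and either rejects the pre-v0.5.2 scheme-less type or upgrades it under an explicit opt-in. The sample statements are constructed; their subject layout (a `digest` map with a 40-hex-character git SHA-1) is an assumption, as is the helper name `ValidateGitStatement`.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

const (
	StatementType     = "https://in-toto.io/Statement/v0.1"
	GitPredicateType  = "https://gitsign.sigstore.dev/predicate/git/v0.1"
	legacyPredicateID = "gitsign.sigstore.dev/predicate/git/v0.1" // emitted before v0.5.2
)

// Statement holds the in-toto fields this check needs; the predicate is kept raw.
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Assumption: subjects are git SHA-1 commit ids (SHA-256 repos would need 64).
var gitSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// Constructed samples: one statement as emitted by v0.5.2+, one legacy.
var (
	SampleCurrent = []byte(`{"_type":"https://in-toto.io/Statement/v0.1","subject":[{"name":"example.com/repo","digest":{"sha1":"0123456789abcdef0123456789abcdef01234567"}}],"predicateType":"https://gitsign.sigstore.dev/predicate/git/v0.1","predicate":{}}`)
	SampleLegacy  = []byte(`{"_type":"https://in-toto.io/Statement/v0.1","subject":[{"name":"example.com/repo","digest":{"sha1":"0123456789abcdef0123456789abcdef01234567"}}],"predicateType":"gitsign.sigstore.dev/predicate/git/v0.1","predicate":{}}`)
)

// ValidateGitStatement parses raw and returns the statement with a canonical
// predicateType. upgraded is true when a legacy type was rewritten, which only
// happens if allowLegacy is set; anything else unexpected is an error.
func ValidateGitStatement(raw []byte, allowLegacy bool) (st *Statement, upgraded bool, err error) {
	st = &Statement{}
	if err := json.Unmarshal(raw, st); err != nil {
		return nil, false, err
	}
	if st.Type != StatementType {
		return nil, false, fmt.Errorf("unexpected _type %q", st.Type)
	}
	switch st.PredicateType {
	case GitPredicateType:
	case legacyPredicateID:
		if !allowLegacy {
			return nil, false, errors.New("legacy scheme-less predicateType rejected; re-run gitsign attest")
		}
		st.PredicateType = GitPredicateType
		upgraded = true
	default:
		return nil, false, fmt.Errorf("unknown predicateType %q", st.PredicateType)
	}
	if len(st.Subject) == 0 {
		return nil, false, errors.New("statement has no subject")
	}
	for _, s := range st.Subject {
		if len(s.Digest) == 0 {
			return nil, false, fmt.Errorf("subject %q has no digest", s.Name)
		}
		for alg, v := range s.Digest {
			if !gitSHA.MatchString(v) {
				return nil, false, fmt.Errorf("subject %q digest %s=%q is not a git SHA-1", s.Name, alg, v)
			}
		}
	}
	return st, upgraded, nil
}

func main() {
	for _, raw := range [][]byte{SampleCurrent, SampleLegacy} {
		st, upgraded, err := ValidateGitStatement(raw, true)
		fmt.Printf("upgraded=%v err=%v type=%s\n", upgraded, err, st.PredicateType)
	}
}
```

Defaulting `allowLegacy` to false keeps the verifier strict; the opt-in exists only for reading attestations written before the upgrade, and the "upgraded" flag lets a pipeline log which ones should be regenerated.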
Changelog
- 3406c64 Remove usage of getopt to fix release. (#225)
- aca7918 Bump dependencies (go get -u ./...) (#224)
- ac61585 Add support for systemd socket activation (#223)
- 615911c Bump golang.org/x/oauth2 from 0.3.0 to 0.4.0 (#221)
- f9c532b Update cache directory .sigstore -> sigstore. (#218)
- 98ef482 Add interactive flow to credential cache. (#211)
- 15447fe Add scheme to predicate type URI. (#217)
- e20e829 Bump actions/checkout from 3.2.0 to 3.3.0 (#212)
- ab6d26c Bump actions/cache from 3.2.2 to 3.2.3 (#213)
- ec74e38 Bump github.com/go-git/go-git/v5 from 5.5.1 to 5.5.2 (#214)
- 7a27e1d Bump golang.org/x/crypto from 0.4.0 to 0.5.0 (#215)
- cc36fa9 Bump github.com/coreos/go-oidc/v3 from 3.4.0 to 3.5.0 (#216)
- 6e4639c Bump actions/cache from 3.2.1 to 3.2.2 (#209)
- 9f45bc1 Bump github.com/go-git/go-billy/v5 from 5.3.1 to 5.4.0 (#210)
- cd97505 Bump actions/cache from 3.0.11 to 3.2.1 (#208)
- fddac02 Bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#204)
- 753bc4f Bump actions/setup-go from 3.4.0 to 3.5.0 (#206)
- ec6825d Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#207)
- 91da40f Bump actions/checkout from 3.1.0 to 3.2.0 (#205)
- eca7ffc Bump github.com/go-git/go-git/v5 from 5.4.2 to 5.5.1 (#203)
- a086299 Bump actions/setup-go from 3.3.1 to 3.4.0 (#199)
- b9208e3 Bump github.com/go-openapi/runtime from 0.24.2 to 0.25.0 (#201)
Thanks to all contributors!
v0.4.1
v0.4.0
Overview
- Added new sub-commands:
  - `gitsign show` - Prints out the in-toto Statement for the specified commit.
  - `gitsign attest` - Stores attestations for a commit / tree in the repository.
- Fixed timestamp authority verification.
- Rekor log entry now displayed on successful sign.
- Added `fulcioRoot` option for configuring private Sigstore instances.
What's Changed
- Bump github.com/sigstore/sigstore from 1.4.2 to 1.4.3 by @dependabot in #160
- Bump github.com/sigstore/cosign from 1.12.1 to 1.13.0 by @dependabot in #159
- Bump sigstore/cosign-installer from 2.7.0 to 2.8.0 by @dependabot in #158
- Bump actions/cache from 3.0.9 to 3.0.10 by @dependabot in #157
- Bump actions/checkout from 3.0.2 to 3.1.0 by @dependabot in #156
- Change limitations section to FAQ. by @wlynch in #161
- Wire up timestamp authorities option to config. by @wlynch in #162
- Bump github.com/sigstore/sigstore from 1.4.3 to 1.4.4 by @dependabot in #165
- Bump github.com/go-openapi/runtime from 0.24.1 to 0.24.2 by @dependabot in #164
- Bump actions/cache from 3.0.10 to 3.0.11 by @dependabot in #163
- Temporarily remove TSA e2e test. by @wlynch in #168
- Refactor git commit verification into its own interface. by @wlynch in #167
- Add fulcio root config option. by @wlynch in #170
- [attest] Fix spdx generation by passing through correct attestation type by @wlynch in #171
- Remove provenance type check. by @wlynch in #172
- add logo by @bobcallaway in #173
- Bump github.com/sigstore/fulcio from 0.6.0 to 1.0.0 by @dependabot in #178
- Bump sigstore/cosign-installer from 2.8.0 to 2.8.1 by @dependabot in #177
- Bump golangci/golangci-lint-action from 3.2.0 to 3.3.0 by @dependabot in #174
- Bump goreleaser/goreleaser-action from 3.1.0 to 3.2.0 by @dependabot in #175
- Bump github.com/sigstore/rekor from 0.12.2 to 1.0.0 by @dependabot in #179
- Bump actions/setup-go from 3.3.0 to 3.3.1 by @dependabot in #176
- Bump github.com/sigstore/cosign from 1.13.0 to 1.13.1 by @dependabot in #180
- README: fix typos. by @wlynch in #181
- Bump anchore/sbom-action from 0.12.0 to 0.13.0 by @dependabot in #182
- Print tlog entry on successful Rekor upload. by @wlynch in #183
- Bump anchore/sbom-action from 0.13.0 to 0.13.1 by @dependabot in #184
- Refactor commands with Cobra. by @wlynch in #185
- Bump github.com/sigstore/rekor from 1.0.0 to 1.0.1 by @dependabot in #188
- Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 by @dependabot in #187
- Bump golangci/golangci-lint-action from 3.3.0 to 3.3.1 by @dependabot in #186
- bump golangci-lint to 1.50.1 by @cpanato in #189
- Add `gitsign show` subcommand. by @wlynch in #191
- fix typo: ommits by @imjasonh in #193
- Generate CLI docs. by @wlynch in #192
- Fix Timestamp Authority verification by @wlynch in #196
- Port gitsign-attest to cobra subcommand. by @wlynch in #195
New Contributors
- @bobcallaway made their first contribution in #173
Full Changelog: v0.3.2...v0.4.0
v0.3.2
v0.3.1
What's new
- Fixes issue with out-of-band OAuth for non-browser sessions.
- Fixes issue with gitsign-attest where git objects became corrupted due to unsorted trees.
- Fixes issue with gitsign-attest where attestation history was not preserved.
Changelog
- 4902248 update sigstore dependencies (#144)
- 1d87be8 upgrade go to 1.19 (#145)
- a7cf346 Bump sigstore/cosign-installer from 2.6.0 to 2.7.0 (#146)
- 30381ea Bump s/s to latest (#141)
- 4359c71 Bump cosign to 1.12. (#140)
- c06f6fd Bump github.com/sigstore/sigstore from 1.4.0 to 1.4.1 (#139)
- a038546 Bump sigstore/cosign-installer from 2.5.1 to 2.6.0 (#133)
- 98498a6 Bump github.com/coreos/go-oidc/v3 from 3.3.0 to 3.4.0 (#135)
- 2153fb9 attest: Make sure trees are sorted. (#132)
- 06bc251 attest: preserve refs/attestations parent. (#129)
- 4ee1d4c Bump github.com/coreos/go-oidc/v3 from 3.2.0 to 3.3.0 (#130)
- bc1202a Bump goreleaser/goreleaser-action from 3.0.0 to 3.1.0 (#124)
- f460b77 Bump actions/setup-go from 3.2.1 to 3.3.0 (#126)
- 9d55249 Bump actions/cache from 3.0.7 to 3.0.8 (#125)
Thanks to all contributors!
v0.3.0
What's new
- .gitconfig support - You can now configure Gitsign with your `~/.gitconfig` and/or `.git/config` files! See File Config for more details.

  ```sh
  $ git config gitsign.fulcio https://fulcio.example.com
  $ cat ~/.gitconfig
  [gitsign]
      fulcio = https://fulcio.example.com
  ```

- Dex connector configuration - You can now configure the Dex connector ID to use when authenticating. This can help speed up workflows by pre-selecting the identity provider to use when signing in. For example, to always sign in with GitHub:

  ```sh
  $ git config gitsign.connectorID https://github.com/login/oauth
  ```

  Supported values depend on the OIDC issuer you are using. For the public Sigstore instance (`oauth2.sigstore.dev`):

  | Provider  | Connector ID                       |
  |-----------|------------------------------------|
  | GitHub    | https://github.com/login/oauth     |
  | Google    | https://accounts.google.com        |
  | Microsoft | https://login.microsoftonline.com  |

- Experimental support for Git based attestations - store attestations about your code directly in your repository! (note: This is not yet included in the main `gitsign` binary and is not available as a downloadable release artifact - please install from source).
Changelog
- 707a2cb Recognize SIGSTORE_ prefixed environment variables. (#123)
- cff750b Add connectorID option (#122)
- 7fcbc7b Add gitsign-attest (#113)
- f215bd8 Add file based configuration. (#121)
- 7916a8b Update go modules to go1.18 (#120)
- 1eaab67 Bump anchore/sbom-action from 0.11.0 to 0.12.0 (#116)
- a22383d Bump github.com/sigstore/rekor from 0.10.0 to 0.11.0 (#117)
- a748c05 Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 (#115)
- 0561fe8 Bump github.com/go-openapi/swag from 0.22.0 to 0.22.3 (#118)
- ec2da04 Bump github.com/sigstore/cosign from 1.10.1 to 1.11.0 (#119)
- 1d4fc64 Gitignore and verify consume (#109)
- bd39f7c Bump actions/cache from 3.0.6 to 3.0.7 (#112)
- 355fea8 Bump cosign version to 0.10.1 (#111)
- 084c46f Bump actions/cache from 3.0.5 to 3.0.6 (#106)
- f0cac92 Bump github.com/go-openapi/swag from 0.21.1 to 0.22.0 (#107)
- d9a9aba Add note to credential cache docs about cache directory selection. (#102)
- edb89df Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (#100)
- da368d7 Bump github.com/sigstore/rekor from 0.9.1 to 0.10.0 (#101)
- 57bdce0 Bump actions/setup-go from 3.2.0 to 3.2.1 (#95)
- be797c9 Bump actions/cache from 3.0.4 to 3.0.5 (#96)
- bf41df3 Bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 (#97)
- 31ae988 Bump github.com/sigstore/rekor from 0.9.0 to 0.9.1 (#93)
- 3a86508 --version: Print out relevant env variables. (#92)
Thanks to all contributors!
v0.2.0
Highlights
- Adds gitsign-credential-cache: an optional socket based credential cache binary for reusing keys for multiple signing requests without needing to reauth (e.g. rebases).
- Adds support for out-of-band interactive flows to add support for SSH and other sessions where web browsers are not directly present.
- Signing errors will now be output to the user TTY directly if available.
- Fixed Rekor Git SHA generation for tags.
Breaking changes
- Fixed Rekor Git SHA generation for tags.
Since this is fixing how the tag SHA was meant to be calculated, this breaks the Rekor entry lookup for older versions that use the incorrect behavior. Those tags will be considered unverified unless they are re-signed by a newer version of gitsign:

```sh
git tag -f -s <tag name> <tag name>
```
Changelog
- 4bc492c Bump sigstore/cosign-installer from 2.4.0 to 2.4.1 (#90)
- 319e053 Bump github.com/sigstore/rekor from 0.8.2 to 0.9.0 (#91)
- ca0cb8d Calculate correct SHA for signed Tags. (#89)
- 7fb3656 Use TTY output for errors. (#87)
- 97abf6c Bump github.com/sigstore/rekor from 0.8.1 to 0.8.2 (#85)
- c52c82e Implement out of band OAuth. (#80)
- 4fccc27 add gitsign-credential-cache to the build/release jobs (#84)
- 0fb71e6 Implement Credential Caching (#75)
- 6663b1b Typo fix (#82)
- 7bbe200 Document signing tags (#83)
- 111ffa4 Bump github.com/sigstore/rekor from 0.8.0 to 0.8.1 (#81)
- 79844de Fix casing in README (#77)
- 3c72400 Use pkg/fulcioroots from sigstore/sigstore (#67)
Thanks to all contributors!
v0.1.1
What's Changed
- Checkout pull request merge commit for e2e test. by @wlynch in #54
- e2e: select checkout ref based on event type. by @wlynch in #57
- Refactor verification to use consistent verification options. by @wlynch in #55
- Fix e2e ref expression. by @wlynch in #59
- Partially remove cosign dependencies for fulcio / rekor client creation. by @wlynch in #53
- Remove dependency on cosign/cli/fulcio. by @wlynch in #63
- Bump actions/cache from 3.0.2 to 3.0.3 by @dependabot in #64
- Bump github.com/sigstore/rekor from 0.7.0 to 0.8.0 by @dependabot in #72
- Bump actions/cache from 3.0.3 to 3.0.4 by @dependabot in #71
- Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 by @dependabot in #70
- Add Homebrew install instructions to README by @jdolitsky in #73
- Export rekor package. by @wlynch in #60
- update/fix version flag by @cpanato in #66
New Contributors
- @jdolitsky made their first contribution in #73
Full Changelog: v0.1.0...v0.1.1