Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
Name: cosign | Distribution: SUSE Linux Enterprise 15 |
Version: 1.5.2 | Vendor: SUSE LLC <https://www.suse.com/> |
Release: 150400.1.7 | Build date: Sun May 8 01:55:40 2022 |
Group: Unspecified | Build host: nebbiolo |
Size: 277880750 | Source RPM: cosign-1.5.2-150400.1.7.src.rpm |
Packager: https://www.suse.com/ | |
Url: https://github.com/sigstore/cosign | |
Summary: Container Signing, Verification and Storage in an OCI registry |
Cosign aims to make signatures invisible infrastructure. Cosign supports: - Hardware and KMS signing - Bring-your-own PKI - Our free OIDC PKI (Fulcio) - Built-in binary transparency and timestamping service (Rekor)
Apache-2.0
* Mon Feb 21 2022 meissner@suse.com - updated to 1.5.2: - This release contains fixes for CVE-2022-23649, affecting signature validations with Rekor. Only validation is affected, it is not necessary to re-sign any artifacts. (bsc#1196239) - updated to 1.5.1: - Bump sigstore/sigstore to pick up oidc login for vault. (#1377) - Bump google.golang.org/api from 0.65.0 to 0.66.0 (#1371) - expose dafaults fulcio, rekor, oidc issuer urls (#1368) - add check to make sure the go modules are in sync (#1369) - README: fix link to race conditions (#1367) - Bump cloud.google.com/go/storage from 1.18.2 to 1.19.0 (#1365) - docs: verify-attestation cue and rego policy doc (#1362) - Update verify-blob to support DSSEs (#1355) - organize, update select deps (#1358) - Bump go-containerregistry to pick up ACR keychain fix (#1357) - Bump github.com/go-openapi/runtime from 0.21.0 to 0.21.1 (#1352) - sync go modules (#1353) * Tue Jan 25 2022 meissner@suse.com - updated to 1.5.0 [#]# Highlights * enable sbom generation when releasing (https://github.com/sigstore/cosign/pull/1261) * feat: log error to stderr (https://github.com/sigstore/cosign/pull/1260) * feat: support attach attestation (https://github.com/sigstore/cosign/pull/1253) * feat: resolve --cert from URL (https://github.com/sigstore/cosign/pull/1245) * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1237) * feat: vuln attest support (https://github.com/sigstore/cosign/pull/1168) * feat: add ambient credential detection with spiffe/spire (https://github.com/sigstore/cosign/pull/1220) * feat: generate/upload sbom for cosign projects (https://github.com/sigstore/cosign/pull/1236) * feat: implement cosign download attestation (https://github.com/sigstore/cosign/pull/1216) [#]# Enhancements * Don't use k8schain, statically link cloud cred helpers in cosign (https://github.com/sigstore/cosign/pull/1279) * Export function to verify individual signature (https://github.com/sigstore/cosign/pull/1334) * Add suffix with digest to signature file output for recursive signing (https://github.com/sigstore/cosign/pull/1267) * Take OIDC client secret into account (https://github.com/sigstore/cosign/pull/1310) * Add --bundle flag to sign-blob and verify-blob (https://github.com/sigstore/cosign/pull/1306) * Add flag to verify OIDC issuer in certificate (https://github.com/sigstore/cosign/pull/1308) * add OSSF scorecard action (https://github.com/sigstore/cosign/pull/1318) * Add TUF timestamp to attestation bundle (https://github.com/sigstore/cosign/pull/1316) * Provide certificate flags to all verify commands (https://github.com/sigstore/cosign/pull/1305) * Bundle TUF timestamp with signature on signing (https://github.com/sigstore/cosign/pull/1294) * Add support for importing PKCShttps://github.com/sigstore/cosign/pull/8 private keys, and add validation (https://github.com/sigstore/cosign/pull/1300) * add error message (https://github.com/sigstore/cosign/pull/1296) * Move bundle out of `oci` and into `bundle` package (https://github.com/sigstore/cosign/pull/1295) * Reorganize verify-blob code and add a unit test (https://github.com/sigstore/cosign/pull/1286) * One-to-one mapping of invocation to scan result (https://github.com/sigstore/cosign/pull/1268) * refactor common utilities (https://github.com/sigstore/cosign/pull/1266) * Importing RSA and EC keypairs (https://github.com/sigstore/cosign/pull/1050) * Refactor the tuf client code. (https://github.com/sigstore/cosign/pull/1252) * Moved certificate output before checking for upload during signing (https://github.com/sigstore/cosign/pull/1255) * Remove remaining ioutil usage (https://github.com/sigstore/cosign/pull/1256) * Update the embedded TUF metadata. (https://github.com/sigstore/cosign/pull/1251) * Add support for other public key types for SCT verification, allow override for testing. (https://github.com/sigstore/cosign/pull/1241) * Log the proper remote repo for the signatures on verify (https://github.com/sigstore/cosign/pull/1243) * Do not require multiple Fulcio certs in the TUF root (https://github.com/sigstore/cosign/pull/1230) * clean up references to 'keyless' in `ephemeral.Signer` (https://github.com/sigstore/cosign/pull/1225) * create `DSSEAttestor` interface, `payload.DSSEAttestor` implementation (https://github.com/sigstore/cosign/pull/1221) * use `mutate.Signature` in the new `Signer`s (https://github.com/sigstore/cosign/pull/1213) * create `mutate` functions for `oci.Signature` (https://github.com/sigstore/cosign/pull/1199) * add a writeable `$HOME` for the `nonroot` cosigned user (https://github.com/sigstore/cosign/pull/1209) * signing attestation should private key (https://github.com/sigstore/cosign/pull/1200) * Remove the "upload" flag for "cosign initialize" (https://github.com/sigstore/cosign/pull/1201) * create KeylessSigner (https://github.com/sigstore/cosign/pull/1189) [#]# Bug Fixes * fix: cosign verify for vault (https://github.com/sigstore/cosign/pull/1328) * fix missing goimports (https://github.com/sigstore/cosign/pull/1327) * Fix TestSignBlobBundle (https://github.com/sigstore/cosign/pull/1320) * Fix a couple bugs in cert verification for blobs (https://github.com/sigstore/cosign/pull/1287) * Fix a few bugs in cosign initialize (https://github.com/sigstore/cosign/pull/1280) * Fix the unit tests with expired TUF metadata. (https://github.com/sigstore/cosign/pull/1270) * Fix output-file flag. (https://github.com/sigstore/cosign/pull/1264) * fix: typo in the error message (https://github.com/sigstore/cosign/pull/1250) * Fix semantic bugs in attestation verifification. (https://github.com/sigstore/cosign/pull/1249) * Fix semantic bug in DSSE specification. (https://github.com/sigstore/cosign/pull/1248) - vendor.tar.bz2: go mod vendor * Tue Jan 25 2022 bwiedemann@suse.com - Fix BUILD_DATE for reproducible build results (boo#1047218) * Thu Jan 06 2022 meissner@suse.com - cosign 1.4.1 release, initial import - provides signing / verification support for sigstore
/usr/bin/cosign /usr/bin/cosigned /usr/bin/sget /usr/share/doc/packages/cosign /usr/share/doc/packages/cosign/CHANGELOG.md /usr/share/doc/packages/cosign/CODE_OF_CONDUCT.md /usr/share/doc/packages/cosign/EXAMPLES.md /usr/share/doc/packages/cosign/FUN.md /usr/share/doc/packages/cosign/IMPORT.md /usr/share/doc/packages/cosign/KEYLESS.md /usr/share/doc/packages/cosign/KMS.md /usr/share/doc/packages/cosign/PKCS11.md /usr/share/doc/packages/cosign/README.md /usr/share/doc/packages/cosign/TOKENS.md /usr/share/doc/packages/cosign/USAGE.md /usr/share/licenses/cosign /usr/share/licenses/cosign/LICENSE
Generated by rpm2html 1.8.1
Fabrice Bellet, Tue Apr 9 17:00:22 2024