v1.1.0

sigstore-go v1.1.0 introduces support for Rekor v2, a redesigned and modernized transparency log that's cheaper to operate, easier to scale, and simpler to maintain.

What's Changed

• Error Wrapping in TUF by @lukehinds in #482
• Avoid naked errors from other modules by @kommendorkapten in #484
• Added a parameter to the TUF options for live refresh. by @kommendorkapten in #485
• Add end to end tests by @cmurphy in #489
• Fail SigstoreTimestampingAuthority Verify early with nil Root by @dmitris in #490
• Add support for Rekor V2 for signing and verification by @cmurphy in #481
• Allow public keys to sign hashedrekord by @cmurphy in #497
• Add support for operator in SigningConfig by @haydentherapper in #494
• Add MarshalJSON to SigningConfig, fix marshaling bug by @haydentherapper in #498
• Select highest API version for SigningConfig services always by @haydentherapper in #499

Full Changelog: v1.0.0...v1.1.0

v1.0.0

We're very excited to release sigstore-go 1.0! View the blog post announcing this release for more details.

This release should contain the last set of breaking changes until version 2.0, including a few renames (such as SignedEntityVerifier -> Verifier and VerifyTimestampAuthority -> VerifySignedTimestamp). We are excited to begin a new phase of simple, stable APIs!

What's Changed

• Prevent duplicate timestamps from same TSA by @codysoyland in #472
• Update theupdateframework/go-tuf to v2.1.0 and copy in unexported repo type from theupdateframework/go-tuf/examples/repository directory by @malancas in #474
• Add verification errors to output of VerifyTimestampAuthority by @codysoyland in #473
• Use repository.Type from go-tuf in tests by @codysoyland in #475
• Rename and deprecate SignedEntityVerifier in favor of Verifier by @codysoyland in #476
• Deprecate and rename VerifyTimestampAuthority/VerifyArtifactTransparencyLog by @codysoyland in #477
• Update README for 1.0.0 release by @codysoyland in #480

Full Changelog: v0.7.3...v1.0.0

v0.7.3

Note: v0.7.3 will likely be the last release before v1.0.

What's Changed

• Add context to Rekor interactions in signer by @codysoyland in #461
• Use default Verifier for the public key contained in a certificate (closes #74) by @ret2libc in #424
• Select highest API version with multiple SigningConfig services by @haydentherapper in #459
• Fix SigningConfig ValidFor when dates are missing by @jku in #465
• correct error on unsupported TrustedRoot media type by @dmitris in #466
• Signing example improvements by @jku in #458
• Disable TUF timestamping when TUF cache disabled by @codysoyland in #470

Full Changelog: v0.7.2...v0.7.3

v0.7.2

What's Changed

• don't return error if logIndex is 0 by @bobcallaway in #452

Full Changelog: v0.7.1...v0.7.2

v0.7.1

What's Changed

• Remove installable commands by @codysoyland in #398
• Improve URLToPath by @codysoyland in #408
• expand examples documentation by @dmitris in #412
• Update staging TUF root to latest by @haydentherapper in #415
• Update TUF root to latest v12 by @haydentherapper in #414
• Support for multi-subject attestations using different hash algorithms by @codysoyland in #361
• Simplify multihasher using multiwriter by @codysoyland in #422
• pkg/root: fix typo in nolint annotation by @ret2libc in #433
• Update Keypair.SignData with context param by @bdehamer in #427
• Implement support for SigningConfig v0.2 by @haydentherapper in #434
• Add support for verifying multiple artifacts by @malancas in #431
• Fix lint errors, standardize policy language by @haydentherapper in #436
• added public key check for SCTs by @Horiodino in #428
• Added a new function to create a live trusted root from any target. by @kommendorkapten in #441
• root: Fix trusted root creation with ed25519 keys by @jku in #448

Full Changelog: v0.7.0...v0.7.1

v0.7.0

Breaking Changes

• Removed WithOnlineVerification() configuration option, and online argument to VerifyArtifactTransparencyLog() by @steiza in #344
• Add interface types for TimestampingAuthority and CertificateAuthority by @codysoyland in #300
• Simplify HasPublicKey interface method by @codysoyland in #348
• Rename GetCertificate to Certificate by @codysoyland in #349
• Verify certificate validity with only current time, bump conformance tests by @haydentherapper in #277

What's Changed

• Include URI for CA verified timestamps by @cmurphy in #270
• Add Windows to README as tested platform by @steiza in #299
• Check if entry has inclusion proof rather than entity by @adityasaky in #310
• Allow parsing of certificates from Fulcio if ctlog is disabled by @codysoyland in #288
• feat: add unit test for online tlog verification by @vishal-chdhry in #296
• update sigstore dependencies for oci-image-verification example by @dmitris in #319
• Update oci-image-verification.md by @dmitris in #320
• expand oci-image-verification example for private infra by @dmitris in #321
• Update BaseSignedEntity interface implementation by @cmurphy in #333
• ci: address zizmor's findings by @woodruffw in #336
• Adds a check to ensure SCT time is while a CT log key was valid by @steiza in #350
• Update staging TUF root to latest by @haydentherapper in #354
• Update prod TUF root to v10 by @haydentherapper in #353
• Opt into Actions CodeQL public preview by @steiza in #362
• Refactor DoS limits to separate func by @codysoyland in #364
• Fix intoto unmarshal by @codysoyland in #366
• Add custom-certificate-validator example by @codysoyland in #351
• Add support for SigningConfig by @haydentherapper in #367
• Bump conformance to latest version by @haydentherapper in #377
• Support additional SigningConfig configurations by @haydentherapper in #379
• Use multi-directory configuration for dependabot by @codysoyland in #380
• Use glob support for directories key by @codysoyland in #383
• chore: relax go directive to permit 1.22.x by @dnwe in #384
• docs: minor edits to docs by @trishankatdatadog in #370

New Contributors

• @dmitris made their first contribution in #319
• @woodruffw made their first contribution in #336
• @dnwe made their first contribution in #384
• @trishankatdatadog made their first contribution in #370

Full Changelog: v0.6.2...v0.7.0

v0.6.2

This is a minor release to enable better error handling in the gh CLI.

What's Changed

• Use sentinel errors bundle validation in validateBundle func by @malancas in #291

Full Changelog: v0.6.1...v0.6.2

v0.6.1

What's Changed

v0.6.1 resolves a security advisory for a denial of service. See GHSA-cq38-jh5f-37mq for more information.

• Add fuzz tests for bundle, tlog and verify packages by @AdamKorcz in #272
• Add the ability to contruct TrustRoot from targets by @bkabrda in #247
• add oss-fuzz build script by @AdamKorcz in #278
• Fix proof of key possession generation by @adityasaky in #283
• Add additional validation for nil elements in Bundles by @codysoyland in #285
• Add hard limits for number of TSA entries, Tlog entries, and attestation subjects/digests by @codysoyland in #286

Full Changelog: v0.6.0...v0.6.1

v0.6.0

As folks use sigstore-go in more cases, we continue to make fixes and do some minor API interface changes.

Because we are pre-1.0.0 these were made as breaking changes. After 1.0.0 we will provide deprecation notices and smoother migration paths. There may be more minor interface changes between now and v1.0.0.

Breaking Changes

• In pkg/bundle/bundle.go
  • ProtobufBundle is now Bundle
  • NewProtobufBundle is now NewBundle
• In pkg/bundle/signature_content.go
  • Use Statement() type was from github.com/in-toto/in-toto-golang/in_toto now comes from github.com/in-toto/attestation/go/v1

What's Changed

• feat: add support for additional transparency log key types by @vishal-chdhry in #197
• feat: use GetLogEntryByIndex to query rekor by @vishal-chdhry in #188
• feat: add validation of required fields in the bundle by @vishal-chdhry in #189
• Rename ProtobufBundle to Bundle by @codysoyland in #251
• Fix verify DSSE bundles (after signing) by @steiza in #258
• Fix crash with missing checkpoint by @haydentherapper in #260
• Add file pattern to CODEOWNERS by @codysoyland in #269
• Use example.com and remove trademark from tests by @codysoyland in #267
• Add deprecation message for ProtobufBundle by @codysoyland in #271
• Switch in-toto library to github.com/in-toto/attestation by @codysoyland in #274

Full Changelog: v0.5.1...v0.6.0

v0.5.1

See release v0.5.0 for a list of breaking changes in v0.5.0.

This minor release is to correct the spelling of the new helper function in pkg/verify/certificate_identity.go, now called NewIssuerMatcher().